Security Breaches in 2011: Like Shooting Fish in a Barrel

Bear with me, I'll circle this back around to SharePoint security, compliance and encryption for sensitive information protection.

The state of information security in many organizations is, let's face it, woeful. For determined hackers and attackers, it really is like shooting fish in a barrel. Retrospectively, 2011 continued the escalation of publicly visible security breaches, with big new breaches and attacks constantly in the news. Just off the top, the headlines in 2011 included Stuxnet, Visa, Paypal, Sony, HBGary, Epsilon, Capital One, Citibank, Disney, EMC/RSA. For a look at all publicly disclosed (or known about) breaches, check out DataLossDB.org.


The recent spate of Anonymous attacks on Stratfor and now on Specialforces.com demonstrates vividly the need to encrypt sensitive information.

In the case of Stratfor, the hackers were able to obtain:

- 50,277 unique credit card numbers, of which 9,651 are not expired.
- 86,594 e-mail addresses, of which 47,680 are unique.
- 27,537 phone numbers, of which 25,680 are unique.
- 44,188 encrypted passwords, of which roughly 50 percent could be easily cracked.

In the case of Specialforces.com, 14,000 user passwords and 8,000 credit card numbers were obtained.

At CipherPoint, we can state two things with absolute certainty.

First, encryption for sensitive data is a key security control that would greatly help to reduce the impact of hacking attacks. If your sensitive information is encrypted using standard AES encryption and 256-bit keys, your information is protected, even if it is lost or stolen. In addition, most of the state data breach laws provide a safe harbor provision for information that is lost or stolen but was encrypted. This means that you don't have to go through the pain and expense of notifying individuals. The average cost per security breach is now over $7M, and the average cost per record lost is over $200; much of this cost relates to identifying which records were lost, notifying the individuals, and offering identity theft notification/prevention services to the affected individuals. When you start to consider the significant costs that Stratfor and Specialforces.com are likely now incurring (certainly in the millions) to recover from these breaches, encryption all of a sudden seems like a low-cost insurance policy.
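To make the "protected even if it is lost or stolen" point concrete, here is an added example (not CipherPoint's product code, and not from the original post) that seals a constructed customer record with AES-256-GCM, the authenticated mode most practitioners would reach for today. Everything in it is assumed for illustration: the record content, the record identifier used as associated data, and a key generated in-process standing in for one held in a key management system.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newKey returns a fresh 256-bit data-encryption key. In a real deployment the
// key lives in a KMS or HSM, never in the same store as the data it protects
// (assumption for this example: we generate it in memory).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRecord seals plaintext under key with AES-256-GCM. The record ID is
// bound as associated data so a ciphertext cannot be silently moved into
// another record's slot. Output layout: nonce || ciphertext || GCM tag.
func encryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit random nonce, unique per seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptRecord opens a sealed record; any bit flip in the stored bytes or a
// mismatched record ID fails authentication and returns an error.
func decryptRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the card number is a well-known test number.
	record := []byte(`{"name":"Sample Customer","card":"4111111111111111","exp":"12/14"}`)
	sealed, err := encryptRecord(key, "customer/1042", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bytes: %x\n", sealed)
	// Someone who copies the storage gets ciphertext only.
	fmt.Println("card digits visible in stored bytes:", bytes.Contains(sealed, []byte("4111")))
	// A modified copy is rejected rather than decrypted to garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptRecord(key, "customer/1042", tampered)
	fmt.Println("tampered copy rejected:", err != nil)
	// The legitimate holder of the key still reads the record.
	plain, err := decryptRecord(key, "customer/1042", sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(plain, record))
}
```

The caveat that the paragraph's claim rests on is visible in the code: the ciphertext is only as safe as the key, so a deployment has to keep the key out of the data store (and out of the web tier's reach where possible) or the "protected even if stolen" property, and the safe-harbor argument that depends on it, evaporates.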

Second, fully preventing the attacks requires a defense-in-depth approach, including network security controls, data security controls (including encryption for the data where it is stored), and people and process controls. There are no silver bullets in information security. We believe, and most security professionals will agree, that encryption is a fundamental control for securing information.

Bringing this back to SharePoint, encryption, and security: to the extent you are using the platform to store sensitive or regulated content, you really need to think through the right security controls to put in place. SharePoint architecturally is, after all, a file server with a web front end. As an internet-accessible platform it requires a risk-based approach to security that starts with understanding the information being stored and processed on it, and the threats to this information. At CipherPoint, we're seeing organizations starting to wake up to the fact that their SharePoint implementation is being used to store sensitive and regulated information, and looking for solutions to secure this data.

Links to articles on Stratfor and Specialforces.com attacks are here and here.

JD

