Townsend Security Data Privacy Blog

3 Advantages of OEM Encryption Key Management for POS Vendors

Posted by Luke Probasco on Jun 7, 2013 9:48:00 AM

When it comes to encrypting credit card numbers to meet PCI security regulations and prevent data breaches, point of sale (POS) vendors selling payment application software often implement encryption key management that is cobbled together and doesn’t meet best practices. For POS vendors who supply retail businesses with complete cash register systems, including POS terminals and payment application software, inadequate key management solutions leave retailers vulnerable to data breaches.


Although all POS vendors must certify their payment application software under the PA-DSS standard, many vendors skate by with poor encryption and encryption key management that has been thrown together to meet the bare minimum requirements.

Although their vendors have passed the test, retailers are still experiencing some of the largest data breaches because their POS vendors don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data.

At the end of the day, individual businesses are responsible for their own data security; however, POS vendors offering payment application software can boost their own security posture and protect their own reputation by offering better encryption key management for credit card numbers to their customers. Database administrators and information security officers in retail companies can ease their fear and anxiety about their POS solutions. They can rest easy if their POS vendor provides a FIPS-certified encryption and key management solution with these three advantages:

1. Encryption Key Management that is Easy to Use - Good encryption key management should be easy to install, configure, evaluate, license, and sell to end users. Townsend Security’s 1U server plugs right into your IT infrastructure and requires no on-site technician to install. Our cross-platform encryption key management HSM integrates seamlessly into Microsoft, IBM i, Linux and other legacy platforms. Our team provides training, OEM integration, NIST and FIPS certifications, marketing materials, and consistent back end support as well as sample code, binary libraries, applications, key retrieval and other tools you and your customers need to implement encryption and key management fast and easily.

2. Encryption Key Management that is Cost Effective - Small and mid-sized retailers are a growing target of hackers because these companies tend to have weaker data security. These companies, however, need to secure their sensitive data and must meet compliance regulations just like larger businesses do. We strongly believe that cost should not be a barrier to any business. Townsend Security offers cost-effective licensing and easy deployment for seamless integration in less time and at an affordable price. We also offer OEM and “white label” options to save time and pain around branding. The average data breach costs a company $5.5 million. With better encryption and key management, you can save your customers millions of dollars.

3. Encryption Key Management that Protects Your Company in the Event of a Breach - In today’s technology climate, data breaches are no longer a matter of “if,” but “when.” Even the strongest networks can be hacked. The only way to secure data is to encrypt the data itself, thereby making it unreadable and unusable to unauthorized users. However, the encrypted data is only as safe as the encryption keys! In the retail industry, the responsibility of a data breach will fall on the retail company that experienced the breach, as well as the POS and software vendors. If a breach occurs to one of your customers, encryption key management will protect your customers and protect your own organization as well.

Almost every single POS vendor offers encryption and key management for their payment applications, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

The last thing a POS vendor wants is a data security plan that looks good on paper but doesn’t deliver when the going gets tough. The good news is that the right tools are easily available to companies who want to not only meet, but exceed compliance and prepare for evolving data security standards. “Good security breeds good compliance and not the other way around -- compliance is the low bar,” says Mark Seward, senior director of security and compliance for Splunk. With a Townsend Security partnership, POS vendors can offer their customers industry standard and NIST/FIPS certified solutions by implementing an OEM encryption key manager that is customized for their specific applications.


Topics: security, Payment Applications, Point of Sale (POS)

SQL Server Data Protection: Setting Up TDE or Cell Level Encryption

Posted by Michelle Larson on Jun 5, 2013 3:00:00 PM

In Microsoft SQL Server 2008/2012 Enterprise edition users can enable Extensible Key Management (EKM) and use either TDE or cell level encryption to encrypt their sensitive data and to be selective about the data they encrypt.  EKM is an architecture that allows users to incorporate a third-party* encryption key management hardware security module (HSM) in order to truly secure their data using key management best practices and meet compliance regulations.

*Townsend Security is a Microsoft Silver partner and provider of encryption key management HSMs for Microsoft SQL Server, Microsoft SharePoint, Windows, and Microsoft Azure.


Users select from one of the two methods of SQL Server encryption available for the Microsoft SQL Server 2008/2012 Enterprise Edition and above:

1) Transparent Data Encryption (TDE): TDE encrypts the database’s data and log files (and its backups) at rest, with no changes to the schema or to application code. Once any database on an instance is encrypted, tempdb is encrypted as well.

On earlier versions of SQL Server, deploying encryption was a much larger and more complicated programming project. With 2008/2012 Enterprise edition, TDE can be implemented without any programming at all. An administrator with the necessary server and database permissions can enable TDE through a straightforward process that requires no changes to code, queries, or applications. TDE is a favored way to rapidly encrypt data and works well for small or medium sized databases because of its speed and ease of deployment. Keep in mind that TDE protects the files on disk only: anyone who can query the database still sees plaintext, so it does not by itself protect data pulled out through a compromised application.

2) Cell Level Encryption: Cell Level Encryption allows database administrators to select the columns they wish to encrypt in a database - a benefit for many administrators with larger databases; however, this process takes a little bit more effort to set up.

If you are leveraging EKM and using an external encryption key manager, the database administrator can encrypt data at the column (cell) level by calling EncryptByKey in the INSERT or UPDATE that writes the value and DecryptByKey in the SELECT that reads it. This does require small changes to the database: the protected column is stored as varbinary, and the statements or views that touch it must call these functions. This is not a complicated step, however, and your encryption key management vendor should be able to help you through it. Cell level encryption works well for large databases where the performance impact must be kept to a minimum and only certain data needs to be encrypted.
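
The two methods above, written out as an added T-SQL example that is not from the original post or from Townsend Security’s own documentation: registering an EKM provider, turning on TDE for one database, and then cell-level encryption of one column under a key the provider protects. The provider DLL path, the credential identity and secret, the key names, the SalesDB database, the [DOMAIN\dba_admin] login and the card number are assumptions or constructed values; substitute what your key manager’s documentation gives you.

```sql
USE master;
GO
-- 1. Allow EKM providers on the instance (Enterprise Edition; Standard Edition from SQL Server 2019).
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;
GO
-- 2. Register the key manager's provider DLL and a credential for reaching it.
--    A credential can be mapped to several logins; a login carries only one at a time.
CREATE CRYPTOGRAPHIC PROVIDER KeyManagerProvider
    FROM FILE = 'C:\Program Files\KeyManager\EkmProvider.dll';     -- assumed path
CREATE CREDENTIAL KeyManagerCred
    WITH IDENTITY = 'ekm_user', SECRET = 'ekm_secret'               -- assumed values
    FOR CRYPTOGRAPHIC PROVIDER KeyManagerProvider;
ALTER LOGIN [DOMAIN\dba_admin] ADD CREDENTIAL KeyManagerCred;       -- whoever runs this script
GO
-- 3. The key-encrypting key stays inside the key manager; SQL Server holds only a reference to it.
CREATE ASYMMETRIC KEY TdeKek
    FROM PROVIDER KeyManagerProvider
    WITH PROVIDER_KEY_NAME = 'SQLServer_TDE_KEK',
         CREATION_DISPOSITION = OPEN_EXISTING;   -- CREATE_NEW to have the key manager generate it
-- 4. TDE needs a login mapped to that key, carrying a credential, so the engine can reach the
--    provider at startup with no user session attached.
CREATE LOGIN TdeLogin FROM ASYMMETRIC KEY TdeKek;
ALTER LOGIN TdeLogin ADD CREDENTIAL KeyManagerCred;
GO
-- 5. Transparent Data Encryption: data and log files encrypted, no schema or application change.
USE SalesDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeKek;
ALTER DATABASE SalesDB SET ENCRYPTION ON;
GO
-- encryption_state 3 = encrypted; tempdb appears here once any database on the instance is encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO
-- 6. Cell-level encryption in the same database. The column becomes varbinary, and the statements
--    that touch it call EncryptByKey / DecryptByKey. The data key is protected by a provider-held
--    asymmetric key created in this database, so the key manager stays in the chain.
CREATE ASYMMETRIC KEY ColumnKek
    FROM PROVIDER KeyManagerProvider
    WITH PROVIDER_KEY_NAME = 'SQLServer_Column_KEK', CREATION_DISPOSITION = OPEN_EXISTING;
CREATE SYMMETRIC KEY CardColumnKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY ASYMMETRIC KEY ColumnKek;
CREATE TABLE dbo.CardsOnFile (
    CardId        int IDENTITY(1,1) PRIMARY KEY,
    CustomerName  nvarchar(100)  NOT NULL,
    CardNumberEnc varbinary(256) NOT NULL      -- ciphertext; there is no plaintext column
);
GO
OPEN SYMMETRIC KEY CardColumnKey DECRYPTION BY ASYMMETRIC KEY ColumnKek;
INSERT dbo.CardsOnFile (CustomerName, CardNumberEnc)
VALUES (N'Test Customer', EncryptByKey(Key_GUID('CardColumnKey'), N'4111111111111111'));  -- constructed value
SELECT CardId, CustomerName,
       CONVERT(nvarchar(19), DecryptByKey(CardNumberEnc)) AS CardNumber   -- NULL when the key is not open
FROM dbo.CardsOnFile;
CLOSE SYMMETRIC KEY CardColumnKey;
```

The check a practitioner wants after step 5 is the query on sys.dm_database_encryption_keys: an encryption_state of 3 means the scan has finished, and a row for tempdb confirms the instance-wide side effect. In step 6, a session that has not opened CardColumnKey gets NULL back from DecryptByKey rather than an error, which is the behaviour to test for when you decide which logins may open the key.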

Here is a very straightforward YouTube demonstration video where you can see just how easily TDE is set up.

Setting Up TDE & EKM on SQL Server 2008 / 2012 for Compliance

 

 

For a more in-depth look, we have compiled a selection of resources (webinar, white paper, podcast) that can provide additional information:

 

Topics: Extensible Key Management (EKM), Microsoft, Encryption Key Management, SQL Server, Cell Level Encryption, Transparent Data Encryption (TDE)

Data Protection - Who Knows Where Your Keys Are Hidden?

Posted by Michelle Larson on May 31, 2013 3:49:00 PM

When protecting your data in SQL Server, you need to be as informed as the hackers!

Whether you are the CEO or the database administrator of your company, you need to be aware of what data you are storing and the different compliance regulations that require encryption and key management.

Having a data breach can often go undetected for quite some time, but when it happens (and these days it is “when” not “if”) it can cause some serious issues for your company and your customers!

While “the bad guys” get more creative every day, being aware of their tactics and following security best practices can slow them down and hopefully thwart their attempts from being successful.  Research and “post-data breach” studies have shown that 80% of data breaches happen with a fairly low-tech “old school” type of attack known as SQL injection.  In fact, Injection is #1 on the “2013 Top 10 List” of simple security problems from OWASP (the Open Web Application Security Project).

While not the only method, SQL injection is still one of the most common ways of attacking web applications and services: the attacker submits SQL syntax in a parameter field, and an application that concatenates that input into its query hands the attacker’s SQL to the database to execute. When designing web applications or internal applications you need to remain aware of SQL injection opportunities beyond just the systems securing credit card data. So many people think “we don’t have that problem,” but if your application is on the internet, you do. Login pages, support or product request forms, and shopping carts are all examples of web application features that can expose your databases. Hackers can gain entry through these other areas of your company website and navigate their way to more valuable data. Once inside your database, they can retrieve or delete sensitive information such as credit card numbers, clients’ personal information, or company records. Safeguards such as encryption and key management can help prevent those losses, but only if they are in place.

Good practices to prevent or mitigate attacks like SQL injection and the loss of unencrypted data:

  • Never build queries by concatenating user input; use parameterized queries or stored procedures, and give the application’s database login only the permissions it needs.
  • Analyze your website and web applications for vulnerabilities.
  • Watch for injection attempts in your web and database logs (SQL syntax errors, odd characters in parameters, queries returning far more rows than expected), and make monitoring a priority.
  • Remember that internal apps are just as susceptible as public apps.
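
The concatenation mistake described above and its fix, as an added T-SQL example that is not from the original post. The dbo.WebUsers table, its two rows, the dbo.FindUser procedures, the WebAppRole role and the attack string are constructed for the example.

```sql
-- Constructed table and rows for the example.
CREATE TABLE dbo.WebUsers (
    UserId    int IDENTITY(1,1) PRIMARY KEY,
    Email     nvarchar(256) NOT NULL,
    CardLast4 char(4)       NOT NULL
);
INSERT dbo.WebUsers (Email, CardLast4) VALUES
    (N'alice@example.com', '1111'),
    (N'bob@example.com',   '2222');
GO

-- VULNERABLE: the parameter value becomes part of the statement text, so SQL syntax
-- inside it is parsed and executed along with the query.
CREATE PROCEDURE dbo.FindUser_Vulnerable @Email nvarchar(256) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT UserId, Email, CardLast4 FROM dbo.WebUsers WHERE Email = ''' + @Email + N'''';
    EXEC (@sql);
END;
GO

-- HARDENED: a static statement with a typed parameter. The value is compared, never parsed.
CREATE PROCEDURE dbo.FindUser @Email nvarchar(256) AS
BEGIN
    SELECT UserId, Email, CardLast4 FROM dbo.WebUsers WHERE Email = @Email;
END;
GO

-- When the statement text really must be built at run time (a user-chosen sort column, say),
-- keep the values out of the text with sp_executesql parameters. Note that dynamic SQL runs
-- with the caller's permissions, so the caller then needs SELECT on the table.
CREATE PROCEDURE dbo.FindUser_Dynamic @Email nvarchar(256) AS
BEGIN
    EXEC sp_executesql
        N'SELECT UserId, Email, CardLast4 FROM dbo.WebUsers WHERE Email = @p',
        N'@p nvarchar(256)',
        @p = @Email;
END;
GO

-- What a login form or support request field might submit (constructed attack string).
DECLARE @attack nvarchar(256) = N'nobody@example.com'' OR 1=1 --';

EXEC dbo.FindUser_Vulnerable @attack;  -- runs ... WHERE Email = 'nobody@example.com' OR 1=1 --'
                                       -- and returns every row in the table
EXEC dbo.FindUser @attack;             -- searches for that literal string; no row matches
EXEC dbo.FindUser_Dynamic @attack;     -- same: the value is bound to @p, not spliced into the text

-- Least privilege limits what a successful injection elsewhere can reach: the web
-- application's login gets EXECUTE on the procedure, not SELECT on the table.
CREATE ROLE WebAppRole;
GRANT EXECUTE ON dbo.FindUser TO WebAppRole;
```

The first EXEC is the thing to look for in your logs: a query that normally returns one row returning the whole table, or a syntax error from a malformed variant of the same string, is the signature of someone probing that form field.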

From a best practice point of view, as well as a regulatory compliance view, encrypting your data is a fundamental security step for any system. Then even if the information is “retrieved”, it isn’t in a readable format and the hackers won’t be able to use it. One caveat: TDE protects the database files on disk, and data pulled out through the application by an injected query is decrypted for the application; it is cell-level encryption of the sensitive columns, under keys the application’s login cannot open, that blunts an injection. While data encryption used to seem like a daunting task, that is no longer the case. SQL Server 2008/2012 Enterprise Edition and above includes TDE, which allows encryption without application changes. You can now deploy key management that is easy to use and affordable with Alliance Key Manager, our FIPS 140-2 certified encryption key management HSM.

Just keep in mind that the single biggest data security issue is failure to protect the encryption key. Always keep your keys off the server and out of the system that holds your encrypted data.  Think of it like the lock on your front door…  you wouldn’t lock up your house and then tape the key next to the handle… would you?

We would like to offer you a complimentary copy of our eBook: “Encryption Key Management Simplified”, which is a fundamentals guide for both IT administrators and business executives alike.  



As always, your comments and questions are welcome!

 

Topics: Data Privacy, Encryption Key Management, SQL Server, Executive Leadership

3 Reasons Point of Sale (POS) Vendors Should Offer Encryption Key Management

Posted by Luke Probasco on May 28, 2013 8:01:00 AM

In a world where data breaches are occurring nearly every day, and data security in many organizations looks more like a sieve than a safeguard, using a strong encryption and key management solution is a must. Protecting sensitive data using encryption and protecting encryption keys using a strong encryption key management hardware security module (HSM) is so important today that it is strongly recommended, if not required, by most data security industry regulations such as PCI-DSS, HIPAA/HITECH, and GLBA/FFIEC.


If encryption and key management are so critical to protecting data, why are so many data breaches occurring every week? This is especially an important question to ask merchants and retail companies whose encryption and key management strategy has already passed a PCI test in order to operate their POS systems. Although they’ve passed the test, many are still the easiest targets for hackers and seem to be the most susceptible to data loss in general.

At the end of the day, individual businesses are responsible for their own data security, but POS vendors can boost their own security posture and industry leadership by offering better encryption and better encryption key management solutions to their customers. Since encryption and key management are necessary components of POS systems, providing customers with third-party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management would give a POS vendor these critical advantages:

  1. Competitive Advantage - As we have seen over the past few years, industry regulations such as PCI-DSS and HIPAA/HITECH continue to become more stringent. POS vendors offering NIST-certified encryption key management will only retain customers if they can offer encryption key management solutions that fall in line with these regulations.
  2. Protect Customers to Protect Yourself - When a data breach occurs, two parties take the most heat: the CEO and the software vendor whose solution was inadequately protecting the data. Retailers who experience data breaches due to poor encryption and key management techniques employed in their POS systems will likely blame their vendor and are more likely to migrate to a competitor.
  3. Offer a Higher Quality Product and Generate New Revenue - Almost every single POS vendor offers encryption and key management on their devices, but not every POS vendor does the job right. In these cases, a retailer may pass a PCI audit but still be vulnerable to a data breach. With a NIST-certified OEM encryption key management solution, a POS vendor can offer retail customers the best data security available and generate new revenue with that offer.

In our opinion, POS vendors should absolutely offer their customers the best encryption and encryption key management solutions that are out there. It is clear that many POS vendors are not offering their customers the best data security tools, and the evidence is in the data breaches that happen nearly every week. POS vendors can offer their customers industry standard and certified solutions by implementing an affordable OEM encryption key management solution that is customized for their specific applications.


Topics: Point of Sale (POS), Encryption Key Management, OEM

4 Things a Point of Sale (POS) Vendor Can Do to Avoid a Data Breach

Posted by Luke Probasco on May 20, 2013 2:19:00 PM

It was revealed earlier this month that the St. Louis-based supermarket chain, Schnucks, had a data breach that exposed at least 2.4 million customer credit and debit card numbers to an outside hacker. Schnucks is currently involved in a class action lawsuit over the breach and possible leak of credit card info by its card processing company.


Currently, news reports attribute the breach to two causes:

  1. Leaders in the company don’t think that anything is wrong with their data security. According to a survey by CORE Security only 15% of CEOs are very concerned about network vulnerability; however, 65% of security officers “admitted to not having the sufficient data needed to interpret how security threats translate to overall business risk.”
  2. The point of sale (POS) and retail management software that retail companies use to process their customers’ card information often uses inadequate security tools and minimal security best practices.

Data breaches caused by faulty security in credit card processing machines and software surprise most people, because we expect payment processors and their vendors to protect our card information and personal data. In fact, vendors of payment applications must validate them against the PCI Security Standards Council’s Payment Application Data Security Standard (PA-DSS), which requires encryption and key management for stored cardholder data, in order to sell their point of sale (POS) devices and retail management software to businesses such as Schnucks.

Despite the regulations, however, many POS and retail management vendors pass PCI-DSS audits by the skin of their teeth with data security solutions that have been cobbled together with the bare minimum requirements. If asked if they still felt exposed with their current data security solution, many database administrators will respond with a resounding, “YES.”  As we have seen over and over again, these piecemeal solutions are not good enough to prevent a data breach!

This has revealed a truth that is becoming more and more evident:

Just because a merchant or a POS vendor has passed a PCI-DSS audit does not necessarily mean they are protected from a data breach! Even though PCI-DSS is supposed to protect customers and prevent data breaches of this kind, loose interpretations by auditors of PCI-DSS and poor encryption and key management techniques leave businesses open and exposed to hackers.

Schnucks could most likely have prevented this data breach by choosing a POS vendor and retail management software ISV who offered these four things:

  1. Encryption - Always use industry standard encryption such as AES encryption.
  2. Encryption key management - Companies encrypting data should always protect their encryption keys using an encryption key management hardware security module (HSM). This is a critical component to securing sensitive data.
  3. System logging - A good system logging solution collects and monitors logs in near real time, so that unexpected changes to your network and systems are caught while an intrusion can still be stopped, and so that a breach can be reconstructed afterwards.
  4. Certifications - Your POS and retail management software provider should have encryption and key management with NIST and FIPS certifications. These certifications ensure that your encryption and key management solution are up-to-date with the highest standards.

Unfortunately, these days passing a PCI-DSS audit is not enough. Merchants and retail software vendors need to stay ahead of the game by using data security tools that are going to protect their customers and protect themselves in the event of a data breach. The bare minimum will not cut it.

Townsend Security is a leading provider of encryption, key management, and system logging solutions. We partner with POS and retail management ISVs to help these companies protect and secure sensitive data fast, easily, and at a competitive price. Here at Townsend Security our team works with our partners by providing hardware, training, marketing materials, and thorough back end support to help our partners and their customers achieve peace of mind.

Topics: Point of Sale (POS), Data Breach

4 Ways to Get Password Hashing Right

Posted by Patrick Townsend on May 15, 2013 12:42:00 PM

Over the past couple of years we have seen many instances of online companies experiencing major data breaches due to poor or non-existent password hashing techniques. Organizations such as eHarmony, LinkedIn, LivingSocial and Last.fm have collectively had millions of user passwords stolen. Despite widespread publicity around these breaches, and many reporters calling out the mistakes these companies made in their hashing techniques, these types of breaches are only becoming more common.

LinkedIn Data Breach

Fortunately, for companies who want to prevent a data breach of their users’ passwords and other personal information, and keep their names out of the headlines, it is fairly easy to do hashing right.

Four things you should do to get password hashing right:

  1. Choose a good quality hash algorithm. Do NOT use MD5 or SHA-1; both are known to be weak and should never be used for passwords. Use one of the SHA-2 family of hashes such as SHA-256 or SHA-512. Yes, I know about the theoretical weaknesses of the SHA-2 family and that a replacement (SHA-3) is on its way, but use the best you can for now. One caveat: a single SHA-2 computation is fast by design, so wrap it in an iterated password-hashing construction (PBKDF2, bcrypt or scrypt) rather than hashing once, so that every guess costs the attacker real work.
  2. Always use a salt with your hashes. A salt is extra random data combined with the password (or any other field you are hashing) before it is hashed, so that an attacker cannot use precomputed rainbow tables and must attack each hash separately. Adding a salt makes cracking a hashed value much more difficult.
  3. Use a strong salt value. A short hex string, or a GUID from a non-cryptographic generator, won’t give you much additional protection. I would recommend a minimum of 128 bits of cryptographically strong random salt, generated separately for each password; we use a 256-bit value in our applications. A value produced by the same random generator you would trust to generate an encryption key is a good choice.
  4. Protect your secret. Strictly speaking, the per-password salt is stored next to the hash and does not need to be secret; its job is to make each hash unique. The value that you keep secret, add to every hash, and hold apart from the database is properly called a pepper, and leaving it lying around in a user file or in the clear is a really bad idea: an attacker who has it can attack the stolen hashes offline, while an attacker without it cannot even test guesses. You must protect that value as you would an encryption key, by keeping it out of the database and in an external key management hardware security module (HSM).
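
The four points above, worked in T-SQL as an added example that is not from the original post or from Townsend Security’s products. It goes a little beyond the text: the SHA-256 hash is iterated rather than applied once, and the 256-bit per-user salt (stored with the hash) is kept distinct from a secret pepper that the application supplies from an external key manager and that never lands in this database. The dbo.AppUsers table, the procedure names, the iteration count, the user and the pepper value are constructed assumptions.

```sql
-- Constructed table for the example.
CREATE TABLE dbo.AppUsers (
    UserName     nvarchar(128) NOT NULL PRIMARY KEY,
    Salt         varbinary(32) NOT NULL,   -- 256 bits from CRYPT_GEN_RANDOM, unique per user
    Iterations   int           NOT NULL,   -- stored per row so it can be raised over time
    PasswordHash varbinary(32) NOT NULL
);
GO

-- Iterated hash: SHA-256 applied @iterations times, each round mixing the salt back in,
-- so every guess costs an attacker @iterations hash computations. The pepper is an input
-- the attacker does not get from the stolen table.
CREATE FUNCTION dbo.HashPassword
    (@password nvarchar(256), @salt varbinary(32), @pepper varbinary(32), @iterations int)
RETURNS varbinary(32)
AS
BEGIN
    DECLARE @h varbinary(32) =
        HASHBYTES('SHA2_256', @salt + @pepper + CAST(@password AS varbinary(512)));
    DECLARE @i int = 1;
    WHILE @i < @iterations
    BEGIN
        SET @h = HASHBYTES('SHA2_256', @h + @salt);
        SET @i += 1;
    END;
    RETURN @h;
END;
GO

CREATE PROCEDURE dbo.RegisterUser
    @UserName nvarchar(128), @Password nvarchar(256), @Pepper varbinary(32)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @salt varbinary(32) = CRYPT_GEN_RANDOM(32);  -- not permitted inside a function, so done here
    DECLARE @iterations int = 50000;                      -- raise as far as your login latency allows
    INSERT dbo.AppUsers (UserName, Salt, Iterations, PasswordHash)
    VALUES (@UserName, @salt, @iterations,
            dbo.HashPassword(@Password, @salt, @Pepper, @iterations));
END;
GO

CREATE PROCEDURE dbo.VerifyPassword
    @UserName nvarchar(128), @Password nvarchar(256), @Pepper varbinary(32), @Ok bit OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Ok = 0;
    SELECT @Ok = CASE WHEN PasswordHash = dbo.HashPassword(@Password, Salt, @Pepper, Iterations)
                      THEN 1 ELSE 0 END
    FROM dbo.AppUsers
    WHERE UserName = @UserName;   -- an unknown user leaves @Ok at 0
END;
GO

-- Usage. The pepper here is a constructed constant; in practice the application fetches it
-- from the key manager at startup and passes it in, so the database never stores it.
DECLARE @pepper varbinary(32) = 0x0102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20;
DECLARE @ok bit;
EXEC dbo.RegisterUser  N'alice', N'correct horse battery staple', @pepper;
EXEC dbo.VerifyPassword N'alice', N'correct horse battery staple', @pepper, @ok OUTPUT;
SELECT @ok AS CorrectPassword;
EXEC dbo.VerifyPassword N'alice', N'password123', @pepper, @ok OUTPUT;
SELECT @ok AS WrongPassword;
SELECT UserName, Salt, Iterations, PasswordHash FROM dbo.AppUsers;  -- what a thief of this table sees
```

The first verification sets @ok to 1 and the second to 0. Registering the same password twice produces two different Salt and PasswordHash values, which is the property a salt is for. Where the application tier can do the work, a purpose-built password hash (bcrypt, scrypt or PBKDF2 from a vetted library) is the better home for this logic; the point of doing it in T-SQL here is to make the mechanics visible.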

If you take these four steps you will have a much more secure and defensible strategy for hashed passwords, and it will take you a long way down the road to better security of users’ sensitive information.

Patrick

Topics: password, Hashing

Steps to Take to Reduce Security Risk

Posted by Luke Probasco on May 13, 2013 3:40:00 PM

Townsend Security recently asked founder and CEO Patrick Townsend to contribute his expertise and thought leadership on data security and executive risk management to our most recently published eBook, Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).

In his article, Patrick Townsend discusses:

  • 5 misconceptions business executives have about data security
  • 5 steps to take to reduce security risk
  • And what tools to invest in to protect your company's future

Read an excerpt from his article below:

"Many business executives are aware that hackers and data breaches pose a risk to their organizations, but they aren’t sure how much risk they really bear, or even how to assess the risk from a business point of View. Let’s look at some of the misconceptions executives have, and what steps they can take to minimize the risk.

5 Misconceptions About Data Security Risk:

1) If we have a breach, we’ll just pay the fine
In many cases there will be fines for a data breach, but it is only a small part of the total cost. The cost of a breach also typically includes a forensics investigation, credit monitoring for customers, lost sales due to brand damage, and litigation costs.

2) We’ve never had a problem, so things are probably OK
This type of thinking is not a form of risk assessment. Since data breaches often take months to discover, you may not know that a breach has already occurred. Wishful thinking won’t help you prevent a breach.

3) My software vendors and consultants say they have everything under control
Today, many software vendors have not moved quickly enough to add encryption to their core products. It is not wise to rely on vague statements about data security from vendors and consultants...

Steps to Take to Reduce Security Risk:

1) Talk About It
Discuss the importance of data security with all members of the organization’s leadership team. Then talk to your IT department. Data security is an ongoing process that involves every member of the organization, and will extend beyond your organization’s boundaries to vendors and service providers. Responsibility for data security belongs to everyone.

2) Assess Your Current Data Security Posture
If you have not had an external audit and assessment of your organization’s data security practices by a qualified security professional, now is the time to start. First, perform a data security assessment with an in-house consultant, security audit firm, or platform vendor to evaluate your current security posture. Find the location of all sensitive data. Lastly, evaluate the security of your backup tapes. The right security assessor will help you identify the most urgent problems, and help you prioritize your efforts. This process can also help you overcome any internal resistance to addressing the problem.
3) Invest in Encryption and Key Management
When you have located sensitive data that is not encrypted, start a project to encrypt it now. Don’t forget to invest in the necessary encryption key management devices to protect the encryption keys. If your risk assessment warrants, provide budgetary exceptions to address the problem. Invest where you need to, as soon as you can. When choosing an encryption and key management solution, you should also ask: Is our encryption industry standard and NIST certified, is our key management FIPS 140-2 compliant, is our key management device an external hardware security module (HSM), and are we using dual control and separation of duties to reduce points of failure...”

Read all the points in the rest of the article in your free copy of the eBook.

Patrick Townsend has more than 25 years of experience in the data security industry and brings both a deep well of knowledge and a unique perspective to the subject. He speaks regularly on data protection and encryption key management topics.  He has produced a series of educational videos available on YouTube, records podcasts on data privacy, and is a regular contributor to the company's blog.

SQL Server Encryption: Three “Key” Things to Remember…

Posted by Michelle Larson on May 10, 2013 3:42:00 PM

With the emergence of data security standards, encryption and key management have become a necessity for most companies storing or transferring sensitive data such as credit card numbers, patient data, social security numbers, and other personally identifiable information (PII). 


Transparent Data Encryption (TDE) on Microsoft SQL Server 2008, 2008 R2, and 2012 (Enterprise Edition) allows automatic encryption without application changes. With these SQL Server encryption capabilities, encryption key management, a critical step in securing your data, is done easily on SQL Server with Extensible Key Management (EKM). EKM allows customers to choose a third-party encryption key management hardware security module (HSM) and integrate that HSM easily into their SQL Server instance.

Without an encryption key management HSM, SQL Server users are essentially leaving the keys to their data underneath their welcome mat!

Three things to remember for following security best practices:

#3 - SQL Server Encryption isn’t as imposing as it sounds…

  • Compliance regulations drive the need for encryption and require that you protect the encryption keys apart from the encrypted data storage.  
  • An encryption algorithm is simply a mathematical formula that protects data. The critical element is the way the “Key” to that formula (the encryption key) is managed. 
  • HSMs like Alliance Key Manager create, manage, and protect encryption keys through the entire lifecycle and deliver them securely when they are needed.
  • Alliance Key Manager is a quick, efficient, and compliant solution that is easy to implement with our “Key Connection for SQL Server” EKM provider software. Based on FIPS (Federal Information Processing Standard) 140-2 certified technology, it is easy to implement, deploy, and configure with “out of the box” integration with SQL Server.
  • Townsend Security is a Microsoft Silver partner and Alliance Key Manager works with all versions of Microsoft SQL Server including SQL Server 2005. Additionally, Alliance Key Manager allows you to protect sensitive data stored in Microsoft SharePoint and Microsoft Azure.

#2 - You are required to protect data by government and industry created regulations…

  • PCI-DSS (Payment Card Industry – Data Security Standard) for merchants
  • HIPAA/HITECH  (Health Insurance Portability and Accountability Act)/(Health Information Technology for Economic and Clinical Health) for medical providers
  • GLBA/FFIEC (Gramm-Leach-Bliley Act)/(Federal Financial Institutions Examination Council) for the financial industry
  • FISMA (Federal Information Security Management Act) for US Government agencies

#1 - Customers expect their data to be protected!

  • PCI-DSS is required for anyone who takes credit cards.
  • While expectations for data protection in the medical and financial industries are wide-spread, and easily understood, compliance regulations affect business and organizations of all sizes. 
  • Beyond the expectations for privacy, and the laws that require it, the consequences of a data breach or data loss can be substantial. 
  • Small to mid-sized companies can be an easy target for data thieves, resulting in costly losses to their business and reputation.


We have resources to share with you about SQL Server Encryption and how to best secure your data.  Please click the button below to access these informative downloads! 
 



As always, we welcome your comments and questions!

Topics: Separation of Duties, Best Practices, Encryption Key Management, SQL Server

4 Ways to Encrypt Data in Microsoft SQL Server

Posted by Patrick Townsend on May 6, 2013 4:29:00 PM

Almost every organization has at least one application built on Microsoft’s SQL Server database. Whether you build an application in-house using Microsoft’s development tools or you deploy a software package from a software vendor, chances are that your organization has one or more SQL Server databases to help you manage information.

The Challenge: Protect Data with SQL Server’s Encryption

Today it is almost impossible to run a business without handling sensitive information and storing data such as customer names, credit card numbers, bank account numbers, passwords, email addresses, or other personally identifiable information (PII) or protected health information (PHI) in your SQL Server database. If your organization must meet data security regulations such as PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, or GDPR, you probably already know that this data must be encrypted in order to protect your customers and prevent data loss in the event of a data breach.

What you may not know is that in order to truly protect your data, you must manage your encryption keys in adherence to key management best practices such as dual control and separation of duties, using an external encryption key manager (key managers are available as virtual appliances for VMware, in the cloud, or as a traditional hardware security module, HSM). Breach notification laws that exempt encrypted data generally do so only when the encryption key was not also compromised, so a key stored next to the data it protects can forfeit that exemption.

The good news is that Microsoft SQL Server comes equipped with transparent data encryption (TDE) and extensible key management (EKM) to make encryption and key management using a third-party key manager easier than ever. Older versions of SQL Server can also be easily encrypted using different tactics, and you can manage those encryption keys just as easily with an encryption key manager as well.

Encrypting Data in SQL Server Depends on Your Version

If you’re currently looking into encrypting your SQL Server database or deploying a key management system, you may be concerned about how to protect your data depending on the version, code, and language used to build your database. To help ease your worries, here are 4 ways to encrypt your SQL Server database and protect your encryption keys:

  1. Since SQL Server 2008 Enterprise and SQL Server 2019 Standard, Microsoft has supported automatic encryption with TDE and column-level encryption for Enterprise Edition users and above. Without any programming you can encrypt the SQL Server database or an individual column, and store the keys on an encryption key manager (commonly available as an HSM and in VMware or Cloud).
  2. If you have an older version of SQL Server, or you have SQL Server Standard Edition or Web Edition, you don’t have access to TDE. But you can still automate encryption: Through the strategic use of SQL Views and Triggers, you can automate encryption of sensitive data on your SQL Server without extensive program modifications, and still use a secure key manager to protect the encryption keys.
  3. Your developers might have written custom application code to implement your SQL Server database. But SQL Server encryption and key management is still within your reach. A good key management vendor should supply you with software libraries that easily add into your applications and implement SQL Server encryption.
  4. You might have a SQL Server database, but not be using Microsoft programming languages. Perhaps your applications are written in Java, Perl, or PHP. Again, it is simple to deploy software libraries that encrypt the SQL Server data and which store the encryption keys on an external centralized key manager.
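The first two approaches above, shown in T-SQL as an added example (this is not code from the original post or from Townsend Security). Every name in it is a placeholder: the EKM provider DLL path, the credential secrets, the `SalesDb` database, the `tde-kek-v1` key name on the key manager, and the DBA login are all assumptions you would replace with your own values. The TDE part follows the standard SQL Server EKM sequence (register the provider, map credentials, reference the key-manager key, create the database encryption key, switch encryption on). The view-and-trigger part uses a locally stored, certificate-protected symmetric key so that it runs on an edition without TDE; to keep that key on the external key manager instead, the same `CREATE SYMMETRIC KEY ... FROM PROVIDER` form used for the asymmetric key applies.

```sql
-- Added example, not the blog's or vendor's code. All names and paths are placeholders.

------------------------------------------------------------------------------
-- Way 1: TDE with the database encryption key wrapped by an asymmetric key
--        that lives on an external key manager, reached through an EKM provider.
------------------------------------------------------------------------------
USE master;
GO
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;
GO
CREATE CRYPTOGRAPHIC PROVIDER ExampleEkmProvider
    FROM FILE = 'C:\Program Files\ExampleVendor\EkmProvider.dll';   -- placeholder path
GO
-- One credential for the DBA who creates the key, one for the engine itself
-- (an EKM credential can be mapped to only one login).
CREATE CREDENTIAL EkmAdminCred
    WITH IDENTITY = 'ekm-admin', SECRET = '<placeholder-secret-1>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
ALTER LOGIN [DOMAIN\dba_login] ADD CREDENTIAL EkmAdminCred;          -- placeholder login
GO
-- Reference an existing key-encryption key held on the key manager; the key
-- material never leaves the appliance, SQL Server only gets a handle to it.
CREATE ASYMMETRIC KEY TdeKekOnKeyManager
    FROM PROVIDER ExampleEkmProvider
    WITH PROVIDER_KEY_NAME = 'tde-kek-v1',
         CREATION_DISPOSITION = OPEN_EXISTING;
GO
CREATE CREDENTIAL EkmEngineCred
    WITH IDENTITY = 'ekm-engine', SECRET = '<placeholder-secret-2>'
    FOR CRYPTOGRAPHIC PROVIDER ExampleEkmProvider;
CREATE LOGIN TdeEngineLogin FROM ASYMMETRIC KEY TdeKekOnKeyManager;
ALTER LOGIN TdeEngineLogin ADD CREDENTIAL EkmEngineCred;  -- used at service startup
GO
USE SalesDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER ASYMMETRIC KEY TdeKekOnKeyManager;
ALTER DATABASE SalesDb SET ENCRYPTION ON;
GO
-- Verification: encryption_state 3 means the database is fully encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;
GO

------------------------------------------------------------------------------
-- Way 2: no TDE (Standard/Web edition or older releases). Encrypt one column
--        and hide the mechanics behind a view plus an INSTEAD OF trigger, so
--        existing applications keep reading and inserting plaintext.
------------------------------------------------------------------------------
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-dmk-password>';
CREATE CERTIFICATE CardCert WITH SUBJECT = 'Protects the card-number column key';
CREATE SYMMETRIC KEY CardKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CardCert;
GO
CREATE TABLE dbo.CustomerCards (
    CustomerId    INT IDENTITY PRIMARY KEY,
    CustomerName  NVARCHAR(100)  NOT NULL,
    CardNumberEnc VARBINARY(256) NOT NULL      -- ciphertext only, never plaintext
);
GO
-- Applications SELECT from the view; decryption happens here. Callers need
-- CONTROL on the certificate and VIEW DEFINITION on the symmetric key.
CREATE VIEW dbo.CustomerCardsView AS
SELECT CustomerId, CustomerName,
       CONVERT(VARCHAR(19),
           DecryptByKeyAutoCert(CERT_ID('CardCert'), NULL, CardNumberEnc)) AS CardNumber
FROM dbo.CustomerCards;
GO
-- Applications INSERT plaintext into the view; the trigger encrypts it on the way in.
CREATE TRIGGER dbo.CustomerCardsView_Insert ON dbo.CustomerCardsView
INSTEAD OF INSERT AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY CardKey DECRYPTION BY CERTIFICATE CardCert;
    INSERT INTO dbo.CustomerCards (CustomerName, CardNumberEnc)
    SELECT CustomerName, EncryptByKey(KEY_GUID('CardKey'), CardNumber)
    FROM inserted;
    CLOSE SYMMETRIC KEY CardKey;
END;
GO
-- Constructed sample data: the application never touches the ciphertext column.
INSERT INTO dbo.CustomerCardsView (CustomerName, CardNumber)
VALUES (N'Example Customer', '4111111111111111');
SELECT CardNumberEnc FROM dbo.CustomerCards;     -- opaque bytes at rest
SELECT CardNumber    FROM dbo.CustomerCardsView; -- plaintext for authorized callers
```

The verification query at the end of the TDE part is the check worth keeping in a runbook: if `encryption_state` never reaches 3, the engine could not reach the key manager with the engine credential, and the database is not yet protected. In the column approach, the trigger is the only place the symmetric key is opened, which keeps plaintext handling out of application code and out of the view definition.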

SQL Server encryption and good key management is not difficult to achieve. Although key management has a reputation for being difficult and costly, today key management for SQL Server is cost-effective, easy, has little to no performance impact, will get your company in compliance, and will keep your organization out of the headlines by helping to prevent a data breach. Townsend Security's Alliance Key Manager is FIPS 140-2 compliant and in use by over 3,000 customers worldwide.

To learn more about key management for SQL Server, download the White Paper, “Encryption Key Management for Microsoft SQL Server.”


Topics: Extensible Key Management (EKM), Microsoft, Encryption Key Management, White Paper, SQL Server, SQL Server encryption

How LivingSocial Could Have Avoided a Data Breach

Posted by Liz Townsend on May 1, 2013 3:15:00 PM

Lack of security around passwords, emails, usernames, and other personal information leads to another easily preventable, massive data breach.

Last week we saw another major data breach of personal information due to a hacker who gained access to names, email addresses, dates of birth, and passwords protected using hashes and salt. When this story started to pop up in the news we were pretty surprised by what happened. Didn’t this exact same breach happen to LinkedIn nine months ago?

In June of last year LinkedIn suffered a similarly huge data breach and lost 6.5 million hashed passwords. The passwords were posted online and within a few hours over 60% of the passwords had been exposed. Why were these passwords so easy to crack? Because LinkedIn had been “protecting” user passwords using the hash algorithm SHA-1. SHA-1 is a known weak algorithm that is no longer recommended by the National Institute of Standards and Technology (NIST). Today it is a basic industry standard to use the stronger hash algorithm SHA-256 or SHA-512.

In the end, however, LinkedIn’s breach was really more of a headache than a disaster. A class action lawsuit brought against LinkedIn was thrown out due to lack of clear evidence that any real damage was caused by the breach. Where many consumers and data security experts had probably hoped that their breach had been a wake-up call to the e-commerce community, and anyone still using SHA-1 should have upgraded their data security practices immediately, it seems that many organizations have done nothing.

This is so surprising to us, not only because today using better data security such as strong hashing algorithms is considered to be trivially simple, but because in many states personal information such as first and last names, birthdates, and email addresses is considered to be personally identifiable information (PII) under state data security law. Most of these laws provide safe harbor from data breach notification if companies protect this information using industry standard tools.

In the end we hope that other businesses take note from this series of data breaches and update their data security.

How can you prevent a data breach of passwords and emails from happening to you?

  1. Use only an up-to-date hash method such as SHA-256 or SHA-512
  2. Use a hash based on industry standards - NIST publishes recommendations and standards. Always follow the most up-to-date standards.
  3. Use salt for an additional layer of security
  4. Protect the salt from loss or disclosure
  5. Use two-factor authentication
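Items 1 through 4 above, worked through in T-SQL as an added example (not code from the original post or from Townsend Security): a per-user random salt is generated with `CRYPT_GEN_RANDOM`, stored next to the SHA-256 hash so it cannot be lost, and recombined at login. The `dbo.Users` table, the procedure names and the sample account are all constructed for this illustration. The post's advice is salted SHA-256 or SHA-512; following its own "use the most up-to-date standards" point, current NIST guidance (SP 800-63B) calls for a deliberately slow password hashing function such as PBKDF2 for stored passwords, so treat the hash call here as the place you would substitute one.

```sql
-- Added example, not the blog's code. Table and procedure names are constructed.
CREATE TABLE dbo.Users (
    UserId       INT IDENTITY PRIMARY KEY,
    Email        NVARCHAR(254) NOT NULL UNIQUE,
    Salt         VARBINARY(16) NOT NULL,   -- unique per user, generated at registration
    PasswordHash VARBINARY(32) NOT NULL    -- SHA-256 of (salt || password)
);
GO
-- Registration: never store the password, only salt + hash.
CREATE PROCEDURE dbo.RegisterUser
    @Email NVARCHAR(254), @Password NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt VARBINARY(16) = CRYPT_GEN_RANDOM(16);  -- CSPRNG, fresh per account
    INSERT INTO dbo.Users (Email, Salt, PasswordHash)
    VALUES (@Email, @Salt,
            HASHBYTES('SHA2_256', @Salt + CONVERT(VARBINARY(256), @Password)));
END;
GO
-- Login check: recompute with the stored salt and compare hashes.
-- @Ok = 1 on match, 0 on mismatch or unknown email (same answer for both,
-- so the response does not reveal which emails exist).
CREATE PROCEDURE dbo.VerifyUser
    @Email NVARCHAR(254), @Password NVARCHAR(128), @Ok BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SET @Ok = 0;
    SELECT @Ok = CASE
                   WHEN PasswordHash =
                        HASHBYTES('SHA2_256', Salt + CONVERT(VARBINARY(256), @Password))
                   THEN 1 ELSE 0
                 END
    FROM dbo.Users
    WHERE Email = @Email;
END;
GO
-- Constructed sample run.
EXEC dbo.RegisterUser @Email = N'alice@example.com', @Password = N'correct horse battery';
DECLARE @Result BIT;
EXEC dbo.VerifyUser @Email = N'alice@example.com', @Password = N'correct horse battery', @Ok = @Result OUTPUT;
SELECT @Result AS CorrectPassword;   -- 1
EXEC dbo.VerifyUser @Email = N'alice@example.com', @Password = N'wrong', @Ok = @Result OUTPUT;
SELECT @Result AS WrongPassword;     -- 0
-- Two users with the same password get different hashes because their salts differ:
EXEC dbo.RegisterUser @Email = N'bob@example.com', @Password = N'correct horse battery';
SELECT Email, Salt, PasswordHash FROM dbo.Users;
```

The last query is the check that the salt is doing its job: identical passwords on two accounts must produce two different `PasswordHash` values. If they match, the salt is not being mixed in and the table is exactly as exposed as the unsalted LinkedIn dump the post describes.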

How can you prevent a data breach that compromises your customers’ very sensitive data such as credit card information, social security numbers, and private health information (PHI)?

  1. Use AES Standard Encryption to protect critical sensitive data such as credit card information and social security numbers.
  2. Use a FIPS 140-2 compliant key management system that implements key management best practices such as dual control, split knowledge, and separation of duties.
  3. Use a system monitoring tool that will alert you to important changes in your database such as unauthorized access in real time in order to stop suspicious activity before it’s too late.

To learn more about how companies such as LivingSocial and LinkedIn could have avoided a data breach, download the Podcast: How LinkedIn Could Have Avoided a Data Breach.


Topics: Data Privacy, Data Breach