<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; cloud services</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/cloud-services/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>When data recovery becomes a data disaster</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/21/when-data-recovery-becomes-a-data-disaster/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/21/when-data-recovery-becomes-a-data-disaster/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 23:39:04 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[cloud services]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Ponemon Institute]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=991</guid>
		<description><![CDATA[Your server crashed. You dropped your storage device. Your computer drive failed. And there’s no back-up in sight. Who ya gonna call? A data recovery vendor, of course. Not so fast. Before you madly dial for help, beware of unscrupulous providers who turn data recovery services into data breach scams. According to a recent report [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/lost-data.jpg"><img class="aligncenter size-full wp-image-1003" title="lost_data" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/lost-data.jpg" alt="" width="385" height="312" /></a></p>
<p>Your server crashed. You dropped your storage device. Your computer drive failed. And there’s no back-up in sight. Who ya gonna call? A data recovery vendor, of course.</p>
<p>Not so fast. Before you madly dial for help, beware of unscrupulous providers who turn data recovery services into <a title="Data Breach Scams" href="http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/">data breach scams</a>. According to a recent report from the <a title="Ponemon article_Trends in security of data recovery" href="http://www.darkreading.com/insider-threat/167801100/security/news/232400100/2012-ponemon-report-on-trends-in-security-of-data-recovery.html" class="broken_link" rel="nofollow">Ponemon Institute</a>, organizations are overlooking security precautions when turning to third-party data recovery services, prioritizing speed over safety at their own peril. That peril can come in the form of a major disruption in business, <a title="EDB blog" href="http://www.experian.com/blogs/data-breach/2011/08/16/the-dollars-of-a-data-breach/">financial loss</a>, and in some cases the closure of the affected company.</p>
<p>Ponemon’s recent “Trends in Security of Data Recovery Operations,” which surveyed 769 IT professionals, noted that 87% of respondents had experienced a data breach in the past two years. Of these respondents, 21% admitted that the breach occurred while the drive containing the data was with a third-party data recovery service.</p>
<p>The report also found that:</p>
<ul>
<li>85% of respondents report that their organizations have used or will continue to use a third-party data recovery service provider to recover lost data, with 39% saying they use third parties at least once each week or more.</li>
<li>54% of respondents confirmed that IT security is excluded from selecting third-party data recovery providers, which could play a role in IT support’s placement of speed over security. 81% of respondents said that speed of recovery was the most important factor in choosing a vendor, with 75% stating that the ability to successfully recover data was the paramount concern.</li>
<li>54% of respondents do not require third-party data recovery vendors to comply with leading security guidelines.</li>
<li>83% of respondents agreed that third-party vendors should be required to ensure that data is securely and permanently destroyed from their systems after the information has been recovered, but only 9% actually do so.</li>
</ul>
<p>The report recommends that organizations institute policy and guidelines for selecting and using a data recovery service provider. This includes precautions such as agreements for <a title="EDB blog_cloud computing" href="http://www.experian.com/blogs/data-breach/2011/07/19/trouble-in-the-clouds-data-breaches-threaten-cloud-computing/">cloud storage providers </a>that outline the need for notification should a data loss occur and a data recovery service provider is hired. If third-party recovery service providers don’t adhere to the strictest data security guidelines, the healthcare, government and financial organizations that hire them could be in breach of the laws that bind them to the highest security standards.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/21/when-data-recovery-becomes-a-data-disaster/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Expanding the scope of security testing</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 18:37:33 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cloud services]]></category>
		<category><![CDATA[continual testing]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=967</guid>
		<description><![CDATA[Continual testing is one of the main tenants of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg"><img class="aligncenter size-full wp-image-976" title="Secure Network" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg" alt="" width="432" height="324" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of </em><a title="Security Constructs" href="http://www.securityconstructs.com/" rel="nofollow" target="_blank" class="broken_link"><em>Security Constructs LLC</em></a><em>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>Continual testing is one of the main tenets of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.</p>
<p>To broaden that scope, today security and risk professionals are taking a cue from software engineers and using a type of testing known as attack surface analysis. Rather than focusing on a specific point in time like the penetration test, this test views the network as a fluid system.</p>
<p>Attack surface analysis uses an entry and exit point framework to identify the full extent of a system’s attack surface. This analysis is done on either computing or business process resources. In either instance, the entry/exit points of a system are the ways through which data (or hackers) enters or leaves a system and are the basis for attacks.</p>
<p>Some attacks may even use both computing process and business process entry/exit points. For example, a hacker goes to a department store and applies for a job. While there, he inserts a USB thumb drive loaded with malware or auto-execute code into an unprotected USB slot on a nearby computer.</p>
<p>The malicious code executes and gives him a foothold into the enterprise systems that he can then exploit remotely. In this scenario, the hacker has essentially completed an attack surface analysis on the store’s business process and located an unprotected USB slot. He has also done the same for the computing process though, in this scenario, he has created a new attack surface rather than using part of the existing one.</p>
<p>As a CISO, I identify the most important data sets and map the attack surfaces to those data sets. For example, the personally identifiable information (PII) of your employees may be of primary concern to your enterprise. To conduct an attack surface analysis, I would look at the systems that contain this data AND how and by whom that data is used. Is the data static or does it move between enterprise systems? If so, what are the business processes that require this data movement and what are the pipelines through which it moves? Viewed in this fashion I see a more fluid attack surface with connected entry and exit points – not just a single one at a time.</p>
<p>Fortunately there are tools to assist with the process. As more and more enterprises use cloud-based or Web-based services, we can take advantage of the Open Web Application Security Project (OWASP) framework for Web applications. <a title="Open Web Application Security Project" href="https://www.owasp.org/index.php/Main_Page" rel="nofollow" class="broken_link">OWASP</a> is highly respected in the information security space. Its open source tools identify all entry points into a program but do so in a well-structured manner that encourages analysis. It maps both roles and resources to each entry point. It is designed to be used throughout the lifecycle of the system under review. I use the concepts of OWASP to map roles and resources for the supporting business processes of these same applications.</p>
<p>For a more risk-based view of attack surface analysis, I use the Open Source Security Testing Methodology Manual (OSSTMM) tool, run by Pete Herzog and his team in Spain. It is exactly what it states – an open source community providing an entire security testing framework. OSSTMM is the tool created and maintained by the Institute for Security and Open Methodologies (<a title="Institute for Security and Open Methodologies Manual" href="http://www.isecom.org/research/osstmm.html" rel="nofollow" class="broken_link">ISECOM</a>). I&#8217;ve personally used this framework for many years in a wide range of enterprises. Its beauty is the completeness of the OSSTMM with framework, templates, worksheets and Risk Assessment Value (RAV) spreadsheet.</p>
<p>The RAV is what assists us in attack surface analysis. The RAV provides a mechanism where you can place risk values for all of the computing and business process attack entry/exit points. The RAV spreadsheet then provides an overall risk score that aids in prioritizing your attack surface resolution action plan. While the risk scores may not be perfect at times, it is an excellent tool to guide your actions and give you a more holistic view of your system and its weaknesses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>