Get Rid of Data to Help Secure It

Last week I spent some time chatting with Mike Dahn who is the co-founder of the BSides information security conferences globally. He’s also organizer of BSides San Francisco and is well known and respected in information security circles.

We had a really informative chat and I’ve posted the video interview below. You know you’re chatting with someone who spends a lot of time thinking about a subject when they can offer insights that are concise and highly effective: ideas that have a significant impact whether they are overlooked or implemented.

During our conversation I asked Mike how “we can all be more secure”. We stopped filming for a few minutes and agreed that is a really big question. He told me he knew what many vendors could do to be more secure, so I filmed his response.

What Mike said is that “the best way to secure data is to get rid of it”. If you’re new to systems administration, security or WordPress administration, you may not understand the value of this advice. So I’m going to expand on what Mike said because I think it’s something that is overlooked by many of us and can be a major risk reducer when trying to secure your website or your systems.

Anything you store needs to be protected. Storing data you don’t absolutely need is a potential liability and a source of risk. Here are a few things that you may currently store on your WordPress site or in other areas of your organization that you may be able to get rid of or take offline, reducing risk:

Backups

We’ve seen many customers use WordPress plugins that store backup files on the server. Sometimes, catastrophically, the backups even end up in publicly accessible web directories. Backups should instead go to a secure external storage system, or ideally be taken completely offline. You don’t need your backups online until you need to perform a disaster recovery, and that is (hopefully) a rare occurrence.

One compelling reason to take your backups offline is the rise in ransomware, which encrypts both your web server (or workstation) and your backups. If your backups are offline, ransomware can’t encrypt them and your backups remain safe.

Credit Card Data

Never, ever store any data related to credit cards. In the interview Mike mentions “tokenization”. If you want to give your customers the ability to “store” their card information with you so they can perform repeat transactions, the way to do this securely is to pass the card data to a processor like Authorize.net (owned by Visa) and have them store the card data. They give you a unique ID or token which you can use to perform future transactions.

By tokenizing credit card data, you avoid having to store it and there is no card data on your site for an attacker to steal.

User Personally Identifiable Information (PII)

Only store what you absolutely must. Don’t collect information you only think you “might” use. Collect the data you have to and discard everything else.

For example, I’ve seen many online forms that ask for physical address information. Leave this out if you can because it’s one more piece of sensitive PII that you need to protect and it introduces additional liability into your organization if you are hacked.

Leave it to the (real) experts

While it’s tempting to store data on your own servers, companies like Visa in the credit card example above have much more stringent compliance requirements and have a larger team of security professionals than you do. So if you are able to outsource storage of data to a company that has a proven track record of excellence in data security, do that rather than reinventing secure data storage as a small team.

Delete old data

Another way to get rid of data so that you don’t have to protect it is to remove old data you no longer need. This may include:

  • Inactive user accounts
  • Old backups
  • Archived copies of your site stored on the server
  • Draft posts and pages
  • Inactive plugins and themes on your WordPress site
  • Websites that are still active but don’t receive any traffic or aren’t used
  • Old database instances that aren’t used anymore
  • Old database tables no longer used
  • Backup files or old files – for example, if you made a copy of wp-config.php for WordPress and called it wp-config.php.old, you definitely need to delete it: the web server does not treat a .old file as PHP, so it is served as plain text and your database credentials are publicly visible on your site!
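A practical way to act on both the backups section above and this list is to audit your own document root for leftovers: stale copies of wp-config.php, archive files and database dumps that should never sit where the web server can serve them. The script below is an added example, not code from the original post or from any plugin; the file-name patterns and the document root path are assumptions you should adjust to your own site, and the demo directory tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for stale
# copies of config files, backup archives and database dumps that should
# not live under a public document root. The patterns below are assumptions;
# extend them for your own environment.

# Print every regular file under $1 whose name matches a "leftover" pattern,
# one path per line, sorted for stable output.
find_stale_files() {
    root="$1"
    find "$root" -type f \( \
        -name '*.old' -o -name '*.bak' -o -name '*.orig' -o -name '*.save' \
        -o -name '*.swp' -o -name '*~' \
        -o -name '*.sql' -o -name '*.sql.gz' \
        -o -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
        -o -name 'wp-config.php.*' \
    \) 2>/dev/null | sort
}

# Return 0 when the web root is clean and 1 when anything was found,
# printing the offending paths so they can be moved offline or deleted.
audit_webroot() {
    stale=$(find_stale_files "$1")
    if [ -n "$stale" ]; then
        printf 'Stale files under %s:\n%s\n' "$1" "$stale"
        return 1
    fi
    printf 'No stale files under %s\n' "$1"
    return 0
}

# Demonstration on a constructed directory tree (not a real site).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads" "$tmp/wp-content/backups"
    : > "$tmp/wp-config.php"                  # the live config, fine
    : > "$tmp/wp-config.php.old"              # leaked DB credentials
    : > "$tmp/wp-content/backups/site.sql.gz" # database dump in the web root
    : > "$tmp/wp-content/uploads/photo.jpg"   # legitimate content, ignored
    audit_webroot "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run the constructed demo with: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On a real server you would source the file and run `audit_webroot /var/www/html` (path assumed) from cron or a deploy hook, treating a non-zero exit as a finding to fix before the next release. Anything it reports belongs either in offline storage or in the bin, never in the document root.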

The Interview with Mike

This was filmed outside the BSides security conference in San Francisco. As always we welcome your feedback and insights in the comments below. Please share this to help promote good security practices in the WordPress community.


Comments

5 Comments
  • "So much to do, and so little time to do it". Thanks for being so thorough though. I can see that I may have to reconsider a couple of my strategies regarding backups and inactive stuff. Thumbs up!

  • In Ireland, laws dictate that businesses must keep records for up to 5 years of all transactions, including customer details etc.

    So, it's not so easy for Irish businesses to simply delete old data, and many business owners simply don't know how to back up the data to an offline location. It's simply easier for them to use, say, the back end of an eCommerce platform for record keeping. They don't always have the time to try and figure out how to back up data, let alone take the time to actually make the backups. Using the admin section of their website is a quick and easy way to manage their records.

    With so many new businesses setting up as an online business, mixed with Irish business laws, simply deleting old data could get a business fined if audited. Irish laws are so out of date, it's actually laughable. Maybe one day they will see that needs to change.

    • I understand where Eoin is coming from - in Australia, we need to keep business records for 7 years to substantiate our income / expenses. The article is really talking about old data that is no longer required, or protecting the data that is required to be kept. Saying that, what are the consequences Eoin if data is hacked and PII data is captured and used fraudulently and it is found that the Irish business didn't take all reasonable steps to protect the information (i.e. it is found in a publicly accessible folder on the web)?

    • Surely the answer is to store your used data in accordance with your legal requirements, but to do so offline, such as on CD-ROM or DVD, having at least two copies kept at separate secure locations. Then, to regularly clear such data from your site.

  • Yet another really informative post, especially with regards to keeping backups off your server. Also interesting about deleting as much PII data as possible. I need to think about what to do with the data people enter when they make a purchase through my online shop; yes, it's needed to fulfill orders, but I think I should look at deleting as much of this data as possible after the order has been dispatched. This also brings into question the validity of allowing customers to create accounts to store orders and personal data on the shop. I don't process payments, PayPal does that, so that's one headache taken care of.