Version: 2008

Comments on: Why we still invite data breaches

Sentrigo's Dan Sarel writes that enterprise security has been slow to realize the evolving nature of for-profit cyber hack attacks.

(11 Comments)
What is 'private' data
by jbmartin6 October 29, 2007 5:54 AM PDT
One point - the reason all these 'private' data are stored all over the place is the merchants, etc. have to collect it. For instance: every employer, bank, hospital, has to collect your SSN. From there it goes to billing subcontractors, mortgages are resold, corporate headquarters, no doubt dozens of other places. It is unrealistic to think that every link in this chain, including every consultant's laptop, is going to be secured against data loss. There's an old saying 'information wants to be free'. We either have to prevent the mass proliferation of these data, or remove the value from the data. Preventing proliferation is unlikely since they need multiple pieces of information to tell all the John Smiths from each other. Removing the value from the data is a better solution. It is silly that a few pieces of widely available information can be used as the basis for an identity check. It seems to me that some sort of identity verification system is the only answer to this problem. Look at the success of services that put fraud alerts on credit reports. All this does is force the credit agencies, and thereby the lenders, to perform a 'live' verification rather than say 'OK, you know an address and an SSN so you must be So-and-so'. Guess what, a thousand people know my SSN and address even if every database and laptop is encrypted and requires fingerprint verification to read data fields.
Last four digits of SSN
by godlyfrog October 29, 2007 5:58 PM PDT
What makes this even worse is that all a criminal really needs nowadays is the last four digits of your SSN because practically everyone uses it for verification, so if someone is trying to break into your account, that's all they need for security most of the time.
Insiders v. Outsiders
by whmurray October 29, 2007 9:15 AM PDT
The relationship between the risk of insiders v outsiders is often mis-stated. Outsiders account for the largest number of attacks while insiders account for the losses. We are attacked by outsiders every day. Most attacks are not successful; while those that are may damage the brand, they never bring down the business. Insider attacks are more rare but successful ones may bring down the business.
Errors, accidents, and omissions
by whmurray October 29, 2007 9:26 AM PDT
We generally use the term insider attack to refer to deliberate acts by insiders. However, more damage is done by insiders by accidents, errors, and omissions than is done deliberately or maliciously.
"The dummies have it hands down now and forever."
Customer data will never be secure...
by zanely October 29, 2007 2:04 PM PDT
....until the officers and management of firms entrusted with the information are held criminally liable for failing to adequately secure and safeguard it against unauthorized access. All the laws in the world mandating disclosure are after-the-fact, feel-good remedies that do nothing to establish adequate safeguards. The reason is obvious. The companies that collect and store sensitive customer information have absolutely no incentive to protect it. Corporate officers would be found criminally liable if it was proved that they knowingly left the company's information (bank account numbers, trade secrets, access codes, etc.) at risk. No such penalties exist for leaving their customers' names, addresses, credit card information, passwords, etc. vulnerable to abuse. This problem will be solved when the first CEO goes to jail for criminal negligence.
Officers and managers held liable?
by birdtford October 31, 2007 7:06 PM PDT
How can you hold officers and management of a firm criminally liable for not adequately securing and safeguarding data from unauthorized access when you have a 20-year trusted employee that for whatever reason suddenly decides to download sensitive personal data or credit card information and sell it? You can't watch every employee 24/7. You figure someone that has been at a firm for 20 years must be trusted. Now someone that has been there 6 months, you probably want to keep an eye on. Or what about the employee that downloads sensitive data to their laptop, and then leaves that laptop in a car where people can see it and it gets stolen? For one, that data should not have been downloaded. It could have been accessed from the servers and never removed from them. I work in IT and if I have to access a program or data from the server, I don't download it. I just work with it on the server and leave it there.
Total Undershoot of the Problem
by wbenton October 30, 2007 7:20 AM PDT
>>>The authorities have begun to take measures designed to stanch the outbreaks.<<<

They have begun... but the data piracy began back in 1999.

Bottom Line: 8 years after they were warned, and millions of data stolen along the line... most of it in the last 3 years... they're finally getting the idea that they need to do more than what they thought was enough!

THAT IS THE PROBLEM!

THAT is what this story SHOULD have been about!

Why are they only beginning to move 8 years after they were warned?

Who was responsible? Who's the irresponsible party? Why haven't they moved quicker?

Now that would be NEWSWORTHY from my standpoint!

Walt
Core Problem Goes Beyond Security Tools
by Beej27 October 30, 2007 7:32 PM PDT
I heard this expression a while back befitting the problem. At the risk of oversimplification, one might say "You can't put the cat back in the bag." Our data is EVERYWHERE globally.

The organization CSI and the FBI freely admit the thieves are 3 steps ahead of any technology they can develop. Frightening... But I truly believe the core problem is "education." I am President/CEO of IDTEL (www.idteli.com) and I also lecture and teach workshops. When I began to meet students in a face-to-face environment, in 1.5 years, only ONE person said they actively research identity theft. Even though news reports on ID theft are in the news daily, most I've encountered have little knowledge of how it happens, which further compounds the problem and puts companies at risk.

There are tools that are great in the protection of network and data security. However, as you pointed out, insiders are a contributing problem, and I would venture to guess, employees sit right next to the perpetrators and are totally unaware.

Workforce education is key and there are laws that require training yet few companies see this as a priority. Why? Because the laws and corporate responsibility carry little enforcement. As I see it, if you aren't part of the solution, you are part of the problem. If you don't recognize educating your employees so they are more AWARE, you cannot hope to enlist them in your prevention efforts.

No one can stop identity theft yet you hear companies claiming they can do so. The best we can do is improve our "best practice" and ENGAGE managers in creating a positive environment conducive to awareness and not fear within their respective organizations.

If employees are left to believe that identity theft is prevented at the IT level within the workplace, companies will continue to experience problems. Employees cannot do their part if no one provides them with comprehensive education and training.
I agree 100%
by birdtford October 31, 2007 7:19 PM PDT
And most of it is common sense. There is very little need to download data to your laptop or personal PC these days with all the means we have to access the data from the servers, and leave it there.
We must fully deploy available tools
by chlegrand December 19, 2007 10:56 AM PST
We have a lot more tools than we use. Tools are available to find and track sensitive data in the structured and unstructured environments. I agree it is not going to be easy to regain control of data and access privileges previously neglected to the extent that many now believe trust is all we have. Trust me, trust does not work. Until potential perpetrators know they can and will be identified and punished, they will continue to yield to temptations to reward themselves at the expense of others (or as my esteemed colleague notes, just be careless).

We can and must implement tools to enforce accountability (track access back to individuals), and those who propose and approve security budgets must learn they can and will be held accountable for underestimating the need for security resources to protect valuable information under their authority. SOX says they are accountable, but the accountability profession is still wrestling with understanding what that means and how to make it work.

Start with matching the toolset in place and available with the known threats. Then start filling the gaps.
My $.02. CHL