Perspective: Why we still invite data breaches

If you followed the news this summer, you doubtless read about a spate of data breaches reaching across corporate America.

After a massive security compromise at TJX earlier in the year (still the largest on record), some hoped it might signal the end of large-scale data breaches. That turned out to be not the case. Breaches later were reported at Disney, Western Union, Fidelity Information Services, Monster.com and TD Ameritrade. Millions of personal identifiable information records were pilfered, and then used to facilitate spamming, malicious software and spyware distribution, credit card fraud, and identity theft.

The authorities have begun to take measures designed to stanch the outbreaks. Some 39 states have enacted privacy breach notification laws. These regulations mandate that the organization where the suspected breach occurs must notify all affected individuals. But the rise in the profile and severity of breaches nonetheless continues.

That's because companies are being actively targeted for data theft. Personal information gets stored in too many places, creating opportunities to steal. At the same time, the nature of "hacking" has also changed. Organized crime now targets information that can realize financial gain for its perpetrators. The means at their disposal are substantial. If previously, unprotected data had a low risk of being spotted by the wrong people, gaps in data protection nowadays are constantly being probed and exploited.

If the data gets exposed, it will be stolen. If criminals cannot get to the data from the outside, they try to find an insider to do the job for them. Many of the recent breaches followed such a scenario, with insiders selling stolen data to spammers and criminal elements.

Most enterprises are ill-quipped to handle this threat, and until they upgrade their security procedures and tools, breaches will continue. While it is impossible to hermetically seal the enterprise, there are measures that can be taken to improve the situation, and leading companies are taking them.

First, databases, the systems that hold the bulk of sensitive data, have been neglected in terms of security. While the network is protected by firewalls and other systems, databases remain vulnerable to outside as well as inside threats. Last year, according to the annual survey by the CSI/FBI, financial loss from data theft outgrew losses from viruses, but IT budgets do not reflect that.

Moreover, while insiders originate the majority of attacks and breaches, few companies have the right procedures and systems to cope with this. Enterprises have focused on securing the perimeter--preventing intruders from coming in--and only now are starting to focus on securing internal systems as well.

An additional, obvious and easy way to prevent large-scale damage from data breaches is to avoid storing unnecessary data in the first place. Many educational institutions, for instance, used to assign Social Security numbers as ID numbers for students, and even kept them in their alumni records. This is risky and utterly unnecessary.

It may be impossible to secure enterprise data completely, but as the threat landscape changes, enterprise security has been slow to catch up. For some, new standards such as the credit card industry's PCI-DSS served as a wakeup call. Yet many companies that have gone through the process of complying with new security standards still remain far from securing themselves.

Biography
Dan Sarel is the vice president of products at Sentrigo, a database software security company.

More Perspectives

[jbmartin6]

What is 'private' data

One point - the reason all these 'private' data are stored all over the place is the merchants, etc. have to collect it. For instance: every employer, bank, hospital, has to collect your SSN. From there it goes to billing subcontractors, mortgages are resold, corporate headquarters, no doubt dozens of other places. It is unrealistic to think that every link in this chain, including every consultant's laptop, is going to be secured against data loss. There's an old saying 'information wants to be free'. We either have to prevent the mass proliferation of these data, or remove the value from the data. Preventing proliferation is unlikely since they need multiple pieces of information to tell all the John Smiths from each other. Removing the value from the data is a better solution. It is silly that a few pieces of widely available information can be used as the basis for an identity check. It seems to me that some sort of identity verification system is the only answer to this problem. Look at the success of services that put fraud alerts on credit reports. All this does is force the credit agencies, and thereby the lenders, to perform a 'live' verification rather than say 'OK, you know an address and an SSN so you must be So-and-so'. Guess what, a thousand people know my SSN and address even if every database and laptop is encrypted and requires fingerprint verification to read data fields.

[godlyfrog]

Last four digits of SSN

What makes this even worse is that all a criminal really needs nowadays is the last four digits of your SSN because practically everyone uses it for verification, so if someone is trying to break into your account, that's all they need for security most of the time.

[whmurray]

Insiders v. Outsiders

The relationship between the risk of insiders v outsiders is often mis-stated. Outsiders account for the largest number of attacks while insiders account for the losses. We are attacked by outsiders every day. Most attacks are not successful; while those that are may damage the brand, they never bring down the business. Insider attacks are more rare but successful ones may bring down the business.

[whmurray]

Errors, accidents, and omissions

We generally use the term insider attack to refer to deliberate acts by insiders. However, more damage is done by insiders by accidents, errors, and ommissions than is done deliberately or maliciously.
"The dummies have it hands down now and forever."

[zanely]

Customer data will never be secure...

....until the officers and management of firms entrusted with the information are held criminally liable for failing to adequately secure and safeguard it against unauthorized access. All the laws in the world mandating disclosure are after the fact, feel-good remedies that do nothing to establish adequate safeguards. The reason is obvious. The companies that collect and store sensitive customer information have absolutely no incentive to protect it. Corporate officers would be found criminally liable if it was proved that they knowingly left the company's information (bank account numbers, trade secrets, access codes, etc.) at risk. No such penalties exist for leaving their customers? names, addresses, credit card information, passwords, etc. vulnerable to abuse. This problem will be solved when the first CEO goes to jail for criminal negligence.

[birdtford]

Officers and managers held liable?

How can you hold officers and management of a firm criminally liable for not adequately securing and safegarding data from unauthorized access when you have a 20 year trusted employee. That for whatever reason suddenly decides to download sensitive personal data of credit card information and sell it. You can't watch every employee 24/7. You figure someone that has been at a firm for 20 years must be trusted. Now someone that has been there 6 months, you probably want to keep an eye on. Or what about the employee that down loads sensitive data to their laptop, and then leaves that laptop in a car where people can see it and it gets stolen. For one that data should not have been down loaded. It could have been acessed from the servers and never removed from them. I work in IT and if I have to access a program or data from the server, I don't down load it. I just work with it on the server and leave it there.

[wbenton]

Total Undershoot of the Problem

>>>The authorities have begun to take measures designed to stanch the outbreaks.<<<

They have begun... but the data piracy begun back in 1999.

Bottom Line: 8 years after they were warned, and millions of data stolen along the line... most of it in the last 3 years... they're finally getting the idea that they need to do more than what they thought was enough!

THAT IS THE PROBLEM!

THAT is what this story SHOULD have been about!

Why are they only beginning to move 8 years after they were warned?

Who was responsible? Who's the irresponsible party? Why haven't they moved quicker?

Now that would be NEWS WORTHY from my stand-point!

Walt

[Beej27]

Core Problem Goes Beyond Security Tools

I heard this expression awhile back befitting the problem. At the risk of over simplification, one might say "You can't put the cat back in the bag." Our data is EVERYWHERE globally.

The organization CSI and the FBI freely admit the thieves are 3 steps ahead of any technology they can develop. Frightening... But I truly believe the core problem is "education." I am President/CEO of IDTEL (www.idteli.com) and I also lecture and teach workshops. When I began to meet students in a face-to-face environment, in 1.5 years, only ONE person said they actively research identity theft. Even though news reports on ID theft is in the news daily, most I've encountered have little knowledge of how it happens which further compounds the problem which puts companies at risk.

There are tools that are great in the protection of network and data security. However, as you pointed out, insiders are a contributing problem, and I would venture to guess, employees sit right next to the perpetrators and are totally unaware.

Workforce education is key and there are laws that require training yet few companies see this as a priority. Why? Because the laws and corporate responsibility carry little enforcement. As I see it, if you aren't part of the solution, you are part of the problem. If you don't recognize educating your employees so they are more AWARE, you cannot hope to enlist them in your prevention efforts.

No one can stop identity theft yet you hear companies claiming they can do so. The best we can do is improve our "best practice" and ENGAGE managers in creating a positive environment conducive to awareness and not fear within their respective organizations.

If employees are left to believe that identity theft is prevented at the IT level within the workplace, companies will continue to experience problems. Employees cannot do their part if no one provides them with comprehensive education and training.

[birdtford]

I agree 100%

And most of it is common sense. There is very little need to down load data to your laptop or personal PC these days with all the means we have to access the dat from the servers, and leave it there.

[chlegrand]

We must fully deploy available tools

We have a lot more tools than we use. Tools are available to find and track sensitive data in the structured and unstructured environments. I agree it is not going to be easy to regain control of data and access privileges previously neglected to the extent that many now believe trust is all we have. Trust me, trust does not work. Until potential perpetrators know they can and will be identified and punished, they will continue to yield to temptations to reward themselves at the expense of others (or as my esteemed colleague notes, just be careless).

We can and must implement tools to enforce accountability (track access back to individuals), and those who propose and approve security budgets must learn they can and will be held accountable for underestimating the need for security resources to protect valuable information under their authority. SOX says they are accountable, but the accountability profession is still wrestling with understanding what that means and how to make it work.

Start with matching the toolset in place and available with the known threats. Then start filling the gaps.
My $.02. CHL