The personal information you give to businesses may not be as secure as you hope, according to a new survey.
Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.
The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry's Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information.
Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.
(Credit: Imperva)
Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees.
"Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies," Amichai Shulman, Imperva's chief technology officer, said in a statement. "This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs."
Another problem stems from the priorities of the organization itself. Of those questioned, 55 percent didn't feel their CEO strongly supports PCI DSS compliance, while 52 percent said their company is not proactive in managing privacy or security risks.
On the positive side, PCI DSS compliance has found a certain measure of success. Around 75 percent of those surveyed said their company has achieved some level of compliance, with 28 percent compliant for most of their applications and databases and 25 percent compliant for some apps and databases. Only 22 percent reported being fully compliant.
(Credit: Imperva)
Conducted by Ponemon and sponsored by Imperva, the survey questioned 517 U.S. and multinational IT security professionals who work on PCI compliance efforts for their companies.
Over the past few years, data breaches at large organizations such as TJX, the parent company of T.J. Maxx and Marshalls, and Maine-based Hannaford Supermarkets have highlighted the need for better security for credit card and customer records.
ICSA Labs, which sets standards for commercial security products, plans to announce on Monday a new program for helping corporations protect themselves from attacks and snooping via Internet-connected devices such as printers, copiers, ATMs, and security cameras.
Under the ICSA Labs Network Attached Peripheral Security Certification and Assessment program, experts will evaluate devices used in corporations and work with vendors to help them understand the inherent security risks to Internet-connected devices, said George Japak, managing director of ICSA Labs, which is an independent division of Verizon Business.
The devices targeted are not those that are part of the computing network infrastructure, like desktops, servers, and routers.
"There is a lot of functionality on those devices being centrally managed and controlled via an Internet connection, and those Internet connections can be compromised," he said. "These unsecured devices are as much of a risk as an unsecured server sitting out on your network."
Attackers can remotely exploit weaknesses in the devices' software to steal data that sits on them, such as sensitive documents that someone has printed or copied. But the devices can also be used to propagate malware across the network, he said.
At ESG, we have this concept called ubiquitous encryption. As more and more encryption technologies are baked into products and enter the enterprise, data will likely be encrypted everywhere--on hard drives, networks, database columns, file systems, tape drives, portable media, etc.
This is good news for data confidentiality and integrity, but all of this encryption means tons of new encryption keys to create, protect, and manage. This situation has scared me for a while. If encryption keys are stolen, they can easily unlock secret data. If encryption keys are lost, critical data can turn into useless 1s and 0s.
Of course, what's needed is enterprise-class, hardened key management. Several companies have early product offerings, but without key management standards, this critical security task could become a proprietary mess. There are several ongoing standards efforts, but none has had the momentum necessary to drive the market.
I am quite happy to say that I am not the only one to recognize this gap. This morning, industry leaders including Brocade, EMC, HP, IBM, LSI, RSA, Seagate, and Thales announced a new standard called the Key Management Interoperability Protocol (KMIP). Rather than maintain control, the group plans to submit KMIP to OASIS (Organization for the Advancement of Structured Information Standards) for advancement through the organization's open standards process. This allows other vendors like Check Point, Entrust, McAfee, Microsoft, Network Appliance, Oracle, PGP, Symantec, Trend Micro, and Verisign to join the effort.
Yes, there is still a lot of work ahead and we can all think of plenty of standards that never saw the light of day. Nevertheless, I believe this is a significant development and one of few positive data security/privacy developments recently. I encourage other vendors as well as government agencies such as NIST and the NSA to participate aggressively before we are all buried in a sea of neglected and insecure encryption keys everywhere.
Update at 7 a.m. PST January 30: Clarification made in the final paragraph.
Every day it seems like there is a new and significant data breach in the news. In fact, organizations like ChoicePoint, TJX, the Department of Veterans Affairs, or Heartland Payment Systems have become poster children for the sorry state of information assurance.
Recognizing the risks to sensitive data, many companies have implemented full-disk encryption software from companies like PGP, PointSec, SafeBoot, and Utimaco. Still, this means purchasing, deploying, and managing add-on software on lots of PCs--a cumbersome operational task. For a number of years, I've been writing about a superior alternative, hard drive-based encryption. Fitted with self-encrypting drives, PC-based disks are encrypted from the get-go. What's more, disk-based encryption is more secure than add-on software with virtually no impact on system performance.
So why haven't PCs with encrypting hard drives become a de facto standard? Users were afraid of proprietary hardware implementations and a lack of software management support. These were valid concerns--until now. This week, the Trusted Computing Group (TCG) announced the publication of three new standards for storage encryption. One is for PC hard drives (aka Opal), one is for enterprise hard drives (aka the Enterprise Security Subsystem Class Specification), and one is for secure interoperability with other storage standards like SCSI and ATA. All of the large hard drive vendors, including Fujitsu, Hitachi, Seagate, and Toshiba, will deliver hard drives that support these standards, and management software vendors like Secude, Wave Systems, and WinMagic are also on board. Others will surely follow.
What do these new TCG standards mean?
Software encryption is all but dead. Soon, most business laptops will be offered with encrypting hard drives at a nominal premium over a standard system. Heck, Dell already has about 12 models available. In three to five years, every disk drive may be encryption-enabled as it rolls off the production line. Encryption software fades away--quickly.
CIOs and purchasing managers need to develop a plan. Many IT and security managers have no idea that TCG even exists, but this is no longer acceptable. Since laptops and desktop PCs will come with encryption "baked in," it is incumbent upon IT and endpoint management and security teams to create a plan for phasing in systems with self-encrypting drives and phase out encryption software over time.
Expect encrypting drives in enterprise arrays. This will take a bit more time, as demand for array-based encryption isn't nearly as high. Nevertheless, every storage system produced by EMC, Fujitsu, Hitachi, HP, and IBM may eventually follow this path.
Federal endpoint security initiatives must shift direction. I'm thinking specifically about the Federal Desktop Core Configuration effort and the Data at Rest SmartBuy program. Each of these efforts should be updated to emphasize disk-based encryption over software. The National Institute of Standards, the National Security Agency, and the U.S. General Service Administration must lead the effort to qualify, certify, and build procurement tools for self-encrypting drive technologies soon.
There is a common IT evolution where hardware replaces software in order to offload processing, enhance performance, and lower overall system costs. This cycle is exactly what is happening here, and there is no turning back. My suggestion is that IT and security decision-makers come to terms with this ASAP. Your long-term information assurance strategy may depend on this.
While no one can predict what will happen to the economy over the next 12 to 18 months, you can bet your bottom dollar that threats to confidential data will increase substantially in that time frame. Why? Malicious code threats are growing exponentially while the cyberunderground becomes ever more sophisticated.
Fortunately, industry players are starting to team up to lower the cost, complexity, and integration effort needed for data-centric security. Last week, EMC's RSA and Microsoft got together to announce that the software giant will integrate RSA's Data Loss Prevention (DLP) into the Windows infrastructure in order to discover and classify data (Word documents, Excel spreadsheets, and so on). Microsoft will also tightly integrate DLP with its Enterprise Rights Management (ERM) Server. Not to be outdone, security bigwig McAfee on Monday announced that it will integrate its DLP data discovery and policy management solutions with a leading ERM solution from Liquid Machines.
Why the activity?
1. DLP solutions need to become more mainstream
While every company that conducts business over the Web needs DLP capabilities, software solutions require customization, sophisticated skills, and lots of dough. Microsoft's data classification integration into Windows should help alleviate this by providing baked-in DLP basics.
2. DLP and ERM are complementary
DLP technology assumes you don't know where sensitive data is so you want to find it, classify it, and keep it confidential. ERM, on the other hand, assumes you know exactly where the data lives and you want granular protection at the user and file level. These announcements demonstrate that the debate between DLP and ERM was misguided--large organizations need both solutions to safeguard known and unknown sensitive data across the network.
3. Entitlement management is the next challenge
While we figured out how to centralize user authentication pretty well, we still leave entitlement management (i.e., user privileges) to each individual application. This method doesn't scale, is full of security vulnerabilities, and is nearly impossible to audit. Liquid Machines, McAfee, Microsoft, and RSA get this as do others like Cisco Systems (through its Securent acquisition) and Rohati. Clearly, these vendors are positioning themselves for this next moneymaking opportunity.
So what's next? While other DLP vendors will form their own cozy relationships, my hope is that the industry comes together in a group hug and defines some metadata standards for classification, policy definition, and enforcement. I know this isn't likely, but it would sure go a long way toward helping us all protect our sensitive data.
This week, the Massachusetts Office of Consumer Affairs and Regulations pushed back the deadline to comply with a new state law mandating encryption of sensitive consumer data. The law, passed in September 2008, was supposed to take effect on January 1, 2008. Instead, the deadline will now be pushed back to May 1.
Why the change? The extension was driven by the current economic crisis in order to give companies a bit more leeway.
OK, I read the papers and see what's going on. Yes, the economy is a mess and it ain't gonna get much better between now and May. While I understand why my state government blinked, I don't like the precedent this sets at all. May I point out that:
1. There were over 300 publicly disclosed breaches last year, according to the Privacy Rights Clearinghouse. These breaches exposed private data of more than 150 million people.
2. The number of malicious code variants is exploding. According to the latest version of the Symantec Internet Security Threat Report, the company identified approximately 74,000 malicious code threats in the second half of 2006, 212,000 threats in the first half of 2007, and nearly 500,000 threats in the second half of 2007.
3. The British National High-Tech Crime Unit estimates that cybercrime costs $4.7 billion per year.
Hey, I get it. Times are tough so we have to prioritize initiatives and cut back where we can. Fine, but it's important that we realize that cyberspace is a dangerous neighborhood and it isn't getting any better. In fact, this situation will only get worse as more IT and security staffers find that December brings pink slips rather than holiday bonuses.
Note to legislators and IT professionals: Delay IT purchases, cancel new projects, outsource some IT operations, but don't cut corners on IT security. If you do, we are all likely to suffer the consequences.
Over 1 million American Express, Royal Bank of Scotland, and NatWest customers' details have been sold on eBay.
The details were stored on a server, bought for just over 35 British pounds ($64) by Andrew Chapman, an IT manager from Oxford, England, last week. Chapman told CNET News sister site ZDNet UK on Tuesday that the server, a network attached storage (NAS) box, contained unencrypted backups of CDs.
"A professional organization holding this kind of data should have tested the disks to make sure (the information) was destroyed," said Chapman.
The computer had been used by data-archiving firm Graphic Data to store the details on behalf of RBS, of which NatWest is a subsidiary. Details included names, addresses, bank account numbers, telephone numbers and customer signatures.
RBS said on Tuesday that it was in the process of investigating the incident.
Sophos, a U.S. provider of Internet security software, said Monday it has offered $340 million to buy Utimaco Safeware AG, a German software specialist in the field of data loss and encryption.
The Boston-based Sophos said Monday that it plans to launch a takeover bid for the company, offering $23.11 for all outstanding Utimaco shares, or a 92 percent premium on the company's latest closing price. To that end, the company also said it entered into an agreement with Investcorp Technology Partners, the largest shareholder of Utimaco, to acquire its 24.99 percent stake in Utimaco for cash and stock.
Steve Munford, Sophos CEO, characterized the deal as a "friendly takeover."
"Utimaco will be the cornerstone of our data protection strategy," Munford said.
Utimaco is listed on the Frankfurt Stock Exchange. Sophos expects the deal to close in October, and the companies to be fully integrated by the first quarter of 2009. Utimaco will operate as a division of Sophos.
CNET News' Dawn Kawamoto contributed to this report.