Breach Disclosure Laws are Pointless

Researchers at Carnegie Mellon University have just released data showing that information security breach laws enforced in the US have failed to reduce identity theft. According to the Register, these findings come at a time when there is increased demand for similar laws in Europe that would oblige organizations to notify customers when their personal details are exposed.

Research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). They analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.

The researchers determined that factors such as changes in a state’s average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as the Register’s reproduction of the paper’s abstract shows:

We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.

“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.

Data on 700 Children with Social and Developmental Problems Lost

Medical data on about 700 children and teenagers with social and developmental problems in Hong Kong has recently been lost. The territory’s government admitted the loss at the end of last week.

The records were stored on a memory card which was stolen from a Child Assessment Centre in the city’s Tuen Mun district. The government’s Department of Health, quoted by M&C News, said the memory card had been kept in an unlocked room.

The lost data included detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses.

Expensive Security Keeps Breaches Away

April 28th, 2008 by Alina | IT security, In the News, security breach

UK companies have tripled their spending on information security defenses in the past three years, which has caused reported security breaches to drop by a third. That means 300% more money spent gets you 30% fewer breaches.

According to the most recent edition of the UK government-sponsored Information Security Breaches Survey, quoted by the Register, the number of companies reporting a security breach is now at roughly the same level as in 2002, after reaching a peak in 2004.

Expenditure on information security has increased from two per cent to seven per cent of the IT budget on average over the last six years. But this increase in spending is uneven with a significant minority (21 per cent) of companies spending less than one per cent of their IT budget on information security.

Nonetheless, the security landscape has improved markedly over that period with 94 per cent of wireless networks now encrypted, versus only 47 per cent in 2002. More than half (55 per cent) of UK companies have a documented security policy, versus 27 per cent in 2002. Two in five businesses provide ongoing security awareness training to staff – twice as many as six years ago.

DLP on the Right Track, but not Foolproof

Speakers at RSA 2008 said that the Data Loss Prevention (DLP) segment of the security solutions market is reporting impressive improvements, but that it is still not able to stop innovative attacks. While it might be the new hot shot of the entire security industry, DLP can fail when attempting to fight off all data breaches.

In a Symantec-sponsored panel addressing DLP-related issues, speakers were highly optimistic about the future of this new technology, which, according to Dark Reading, “is designed to monitor, detect, and control the egress of sensitive enterprise data in an organization”. Yet the speakers acknowledged that descriptions of this insider-theft technology as omnipotent are grossly exaggerated. Here’s a selection of the most interesting quotes Dark Reading published:

“The idea that you’re going to be able to protect every piece of data all the time is probably impossible,” said Joseph Ansanelli, former CEO of DLP pioneer Vontu and now vice president of DLP at Symantec, which bought Vontu last year. “It’s not going to happen.”

“DLP is a tool,” said Craig Shumard, CISO for CIGNA Corp., a Vontu user. “It’s one of a number of things you can use to help control the insider threat. But it’s not the whole solution.”

The key, Rich Mogull, founder of Securosis, says, is to define your “sensitive” data before deploying DLP. “You need to put all of your business people in a room and force them to choose which data is the most valuable,” he said. “Once you’ve done that, you can use DLP to start monitoring that data, to set policies for protecting it, and eventually, to enforce those policies.”

Stolen Hardware - Most Common Cause for Data Breaches

Stolen or lost hardware, from laptops to USB sticks and portable hard drives, was the most common cause of data breaches in 2007, outranking malicious software. These findings were recently released by Symantec in its latest Internet Security Threat Report. As SecurityFocus notes, this is a significant conclusion, given that the number of unique variants of malicious software more than quadrupled in 2007.

The theft of computers and storage devices, not malicious code, accounted for the majority of lost data. In the latter half of the year, such physical theft accounted for 57 percent of data breaches, up from 46 percent in the first half of 2007, the report stated. While the government had only the second highest number of breaches — 20 percent of the total compared to 24 percent for the education sector — those breaches accounted for 60 percent of identity theft, the report stated.

Security - Necessary Evil for Businesses

Discussions at the RSA 2008 Conference in San Francisco point out that security concerns are more and more of a drag on business innovation. According to RSA president Art Coviello, quoted by Dark Reading, this holds back companies’ creative thinking.

Coviello backed his opinion with statistics from research conducted by IDG and commissioned by RSA:

“More than 80 percent of IT, security, and business executives surveyed admit that their organizations have shied away from business innovation opportunities because of information security concerns,” he told the RSA audience in a keynote address Tuesday morning.

Security policies place significant pressure on users, who are always told that one click can lead to disaster and are constantly faced with cryptic dialog boxes that aren’t at all helpful.

Worse, in most organizations security is viewed at best as a necessary evil, due to IT’s primary focus on constraining behavior and preventing desktop mishaps. “Although well-intentioned, the inevitable result is that security practitioners are not viewed as enablers but people preventing the business from doing what it needs to do,” said Bill Boni, corporate vice president of information security and protection for Motorola, and one of the IDG survey respondents quoted by the RSA exec.

After identifying the negative effects of security on business innovation, Coviello also came up with a solution. The best way to address the downsides is a change in security mentality: a switch from saying “no” to potentially harmful actions to showing how they can be safely performed.

“The next time a new idea comes up, don’t start by saying it isn’t secure — start by evaluating exposures, the probability of the exposures being exploited, and the materiality of the consequences. Then put forth a plan to reduce risk in all three areas. Nothing should be done unless it is in the context of risk.”

This situation fully applies to endpoint security. There’s been a lot of buzz about how portable storage devices, such as USB sticks, smart phones and iPods, can cause the ugliest virus infections, how they enable data theft and how losing one with sensitive data can endanger the identities of millions. This leads to restrictive measures such as cutting all access to these devices. The negative result is less mobility for employees, less room for them to work and innovate, and less effectiveness on their part.

The right response to ongoing threats is learning how to handle portable storage devices safely, so as to benefit from all their advantages without overlooking the threats they carry.

Hannaford - An Inside Job

Recent details on the Hannaford security breach point to an inside job. It appears that Hannaford employees most likely planned the attack and then infected over 300 of the grocery chain’s servers.

Experts said the breach should serve as a big lesson for retailers: it’s as important to limit the network access of employees and regularly monitor system activity as it is to purchase security technology to block attacks from the outside. Furthermore, it’s foolish for a company to consider itself bulletproof because it achieved PCI DSS compliance, as Hannaford claims it did.

“The overarching conclusion I have that keeps getting reinforced is that the low-hanging fruit is inside the company and insiders are always getting more network privileges,” said Mark MacAuley, a York, Maine-based IT security consultant who shops at Hannaford’s regularly. “I don’t see how anyone at Hannaford could get that level of access unless they were a very well-known entity.”

The Hannaford data breach has exposed over 4 million credit card accounts, thus being the second largest breach ever reported.

Thieves Planted Malware on 300 Hannaford Servers

Since it made the security magazines’ headlines, the Hannaford data breach that exposed 4.2 million credit card accounts still ranks high in the news. The question on everyone’s mind is how it could all happen. According to the latest article published by The Register on the topic, the thieves behind the breach installed sophisticated malicious software on over 300 servers belonging to the Hannaford grocery chain in at least 6 states.

What the malware did was intercept credit card data while customers paid for purchases with plastic, then transmit the information overseas. While Hannaford has disclosed the number of servers on which the malware was detected, it has yet to disclose how it got there. Security experts are quite puzzled by this incident, as they regarded Hannaford as a standards-compliant company.

Security experts have been eager to figure out how thieves siphoned the data out of Hannaford Brothers Cos. network because the company is believed to have been following payment card industry (PCI) rules. If the East Coast chain’s systems were vulnerable, plenty of other retailers may be open to the same attack, the experts have warned.

How to Secure Thumb Drives

DarkReading has recently published an article exploring the methods and reasons why companies should secure their thumb drives. The first issue they bring to our attention is whether stolen or lost USB drives are less often reported (compared to laptops, for example) because companies have learned to protect them, or because they are so hard to track that no one has any idea how many have been lost or were ever used on a given network.

I’d have to say that unless companies cut access to their USB ports or implement a comprehensive endpoint security application, no one will ever be able to tell how many employees have used flash drives to carry data to and from the office, or how often they have misplaced them.

Here are a few of the security methods presented by DarkReading that a company has to choose from when trying to prevent the damage thumb drives entail:

  • Blocking all USB ports on all network computers – I would say that’s impractical: instead of benefiting from all the advantages of easy portability and storage, a company would force employees to use other methods to carry their projects between work and home. And to my mind, it’s harder to secure an entire laptop than it is a thumb drive.
  • Relying on the security software USB producers advertise – could work, provided the security is not just a marketing scam. Even if it is not, what is offered, DarkReading points out, can be quite limited.
  • A hybrid approach mixing advanced data encryption with a system that allows only certain pre-approved USB drives.
  • Using cheap drives and open source encryption technology, but only when you really trust your employees. I’d say this is a bit futile: if trust is what you base the security policy on, why implement it in the first place? Security is not a matter of trusting or not trusting personnel. It’s a matter of recognizing that breaches can happen to anybody, and that all employees are human and can easily err. Or get really mad at you and hurt your business on purpose.
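As an added example (not code from DarkReading or from this post), here is a minimal version of the pre-approved-drive half of the hybrid approach above, run over constructed attach events written in the format of Linux kernel usb log messages; the vendor/product ids, serial numbers and approved list are all made-up placeholders. It also shows why an inventory matters: a drive that reports no serial number cannot be matched against the list and is denied by default.

```python
import re
from dataclasses import dataclass
# Constructed sample log in the style of Linux kernel "usb" messages; ids and serials are placeholders.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.10
usb 1-1: SerialNumber: CORP-0001
usb 1-1: USB disconnect, device number 4
usb 2-3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.10
usb 2-3: SerialNumber: CORP-0002
usb 3-1: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice= 2.00
usb 3-1: SerialNumber: XYZ-9999
usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.10
"""
# Pre-approved drives as (idVendor, idProduct, serial); constructed values.
APPROVED = {("1234", "5678", "CORP-0001"), ("1234", "5678", "CORP-0002")}
NEW_DEVICE = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"^usb (\S+): SerialNumber: (\S+)")

@dataclass
class UsbDevice:
    port: str
    vendor: str
    product_id: str
    serial: str = ""  # stays empty if the device never reports one

def parse_usb_events(log_text):
    """Collect one record per attach event; a port seen again starts a new record."""
    devices, by_port = [], {}
    for line in log_text.splitlines():
        if m := NEW_DEVICE.match(line):
            dev = UsbDevice(m.group(1), m.group(2), m.group(3))
            devices.append(dev)
            by_port[dev.port] = dev  # later lines for this port belong to this device
        elif (m := SERIAL.match(line)) and m.group(1) in by_port:
            by_port[m.group(1)].serial = m.group(2)
    return devices

def evaluate(devices, approved):
    """Split attach events into allowed and denied; no serial means no match, so deny."""
    allowed, denied = [], []
    for d in devices:
        ok = bool(d.serial) and (d.vendor, d.product_id, d.serial) in approved
        (allowed if ok else denied).append(d)
    return allowed, denied

if __name__ == "__main__":
    ok, bad = evaluate(parse_usb_events(SAMPLE_LOG), APPROVED)
    for d in bad:
        print(f"DENY port {d.port}: {d.vendor}:{d.product_id} serial={d.serial or '<none>'}")
```

The encryption half of the hybrid approach is not covered here; in practice the denied list is what feeds the inventory of unknown drives that the post says most companies lack.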

CareFirst Dental HMO Exposes Data of 75,000 Members

One of the purposes of endpoint security is to actively prevent damage caused by insider threats. Such threats don’t always refer to malevolent employees waiting around corners to steal proprietary technology or private records. They also refer to members of your organization being mugged or simply losing their laptop, PDA, iPhone or flash drive with sensitive information on it. Moreover, endpoint security aims to prevent human error. Though uncommon, personnel transferring the wrong data and exposing it to wrongdoers does happen.

One of the most recent cases has been covered by The Baltimore Sun. A CareFirst BlueCross BlueShield dental HMO called Dental Network accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn’t notify them until about three weeks later.

Experts say security breaches such as The Dental Network’s - where the company itself inadvertently posts the information - are uncommon. More often, experts say, information is compromised when hackers break into a computer system or when computers are stolen - as happened with the theft of a National Institutes of Health laptop last month.

Although state law requires timely notifications to be sent to all those affected, The Dental Network discovered the security breach on February 20 and informed members through a letter sent on March 10.

A state law passed last year requires businesses to promptly notify those potentially affected by a security breach or theft, according to the Maryland attorney general’s office. Approval followed the loss of computer tapes containing information on more than 135,000 Johns Hopkins employees and patients in early 2007.

The Dental Network’s representative stated, however, that they did their best and notified members as soon as they could. Still, drafting and editing a letter, printing it and mailing it should take a lot less than 3 weeks.