PC Data Security Blog

The Illusion of Security by M.T. Thrett

Best I can tell, IT data security expenditures buy compliance, piece-of-mind and sometimes, little else.  But are they buying real, bona fide security? Not really. Hook these buyers to a lie detector and I’ll bet you find that you’d find that most know this to be true. We know for example that antivirus services are always behind the eight ball. The leading antivirus tools are ineffective at combating the latest and greatest viruses.

            IT also throws money into encryption. Don’t misunderstand – encryption is necessary but it alone is not true security. After authentication, encryption is ineffective. IT often reasons it prudent to mandate a policy of strong passwords as a first-level barrier to a breach. This policy is parallel to Superman’s kryptonite. Users will write down these complex passwords for fear of forgetting them.

            Security products and services offer piece-of-mind but shouldn’t kid themselves – it is not usually true security. As long as computers are operated by humans (even honest ones) this is our greatest security threat. No antivirus or encryption software will eliminate that reality.

You’re responsible for your data – wherever it may be

Data breach: ATF = Another Total Failure?

In September, the Washington Post reported on a five-year study of the ATF’s handling of government computers and firearms and found that the agency had misplaced over 400 laptops, many of which had sensitive information. While this study focuses on the ATF, the sad truth is that the loss of computers and the often confidential information that they contain has become commonplace in both the public and private sectors. To a great degree, as a reading public we’ve become anesthetized to this news, at least until it impacts us - or our networks….

Of even more concern in the article was that in most cases, the ATF had absolutely no idea of what data might have been compromised and as a result, who the loss might directly impact. Since employees often don’t comply with stated data security policy, it is inevitable that data will find its way to the network’s edge - and be mobile.

It is insufficient that an organization set a data security policy without putting in place the instrumentation and systems to ensure its compliance. Furthermore, that compliance can not depend upon the end-user’s conscious adherence to manual process - it just does not work. Managed solutions must be put in place that can ensure the end user’s compliance with corporate data security policy, without requiring their active participation.

It is critical that data be encrypted - at a minimum - only then can we be assured that data losses will not easily put ourselves and others at unnecessary risk. However, encryption by itself that is not enough.
When the inevitable loss occurs, it is equally necessary to be able to ascertain the risk associated with the loss and to determine the necessary corrective action. Some may feel that plausible deniability is an effective approach to addressing this problem. “If you don’t understand the impact of the loss, you don’t need to consider it as serious.”

I think this is both wrong, and short-sighted. Assuming you have the ability to respond wouldn’t it be better to fully understand your risk so that an appropriate counteraction could be chosen? File and folder cataloging on devices within control of an organization’s IT department should be an integral part of an effective PC data security solution. This feature can be used in many ways, including:

• risk assessment, by identifying the devices that contain particular sensitive data
• risk amelioration, by surgically destroying data that is found on unauthorized devices
• policy management, by identifying and establishing policies on the retention of sensitive data throughout an organization
• data forensics, by understanding the full extent of the impact of any data losses

Tools that can both assess and eliminate risk represent a much better data security strategy than either ignorance or hope.

What’s scarier than a hacker? Your employees.

In a study recently released by Compuware, results showed most data breaches are caused by employees, not hackers. The survey of 1,112 IT workers found that only one percent of data losses this year were the result of hackers. Here’s a breakdown of the results:

Negligent insiders were overwhelmingly cited as the cause of data breaches in the survey. What does this mean for company security policies? Will we soon see a shift towards tying up the internal loose ends that compromise company data?

It might be a good idea. Especially when you add to the equation the data from other security studies showing the impact of a data breach on a small company. One-third of companies in one survey said that a major security breach could put their company out of business. Additionally, a data breach that exposed personal information would cost companies an average of $268,000 to inform their customers–even if the lost data is never used. Or, to break it down further, which a Forrester survey did, a breach will cost a company between $90 and $305 per exposed record.

In today’s economy, every dollar spent in a security budget has to get scrutinized. A better strategy for security professionals is to put those dollars toward preventitive measures that combat insider negligence instead of throwing money at an outside threat.

I lost my USB flash drive!

Security News Brief: 10-03-08

• New federal law targets ID theft and cybercrime. The bill lowers the bar prosecutors need to clear before bringing hacking and other cybercrime charges against an individual. (Security Fix, October 1, 2008.)
• Laptop stolen in break-in at McCain campaign office in St. Louis. Campaign officials said the laptop contained information about areas that Republicans are targeting for support. (STLToday.com, October 2, 2008.)
• October is Cyber Security Awareness Month. (Network World, October 3, 2008.)

What will it take to get businesses to care about your privacy?

In a recent blog post on WSJ.com, Why All the Data Breaches? Businesses Just Don’t Care, Bruce Schneier, chief security technology officer at BT Group, weighed in on the staggering number of data breaches we’ve seen this year. “For the most part a company doesn’t lose its data, they lose your data,” Schneier said. The victims of the breach, Schneier went on to say in his interview, “are often powerless to punish the business that exposed the record because they can’t link the fraud to a cause.”

Indeed, the legal precedents in this type of case support Schneier’s statement. In recent years, several class action suits have been brought against companies who lost consumer data. According to The New York Law Journal, in Randolph v. ING Life Insurance & Annuity Co., plaintiffs brought a consumer class action in District of Columbia federal court for invasion of privacy, gross negligence and negligence against ING following an announcement of the theft of an employee laptop from that employee’s home containing the personal information of 13,000 government workers and retirees. In Guin v. Brazos Higher Education Service Corporation Inc., plaintiff brought a negligence suit against Brazos after it announced the theft of a laptop containing personal information for 550,000 customers.

Both judgments ruled in favor of the defendant, citing that the plaintiff “proved no actual damages and, thus, no ‘recognized injury.’”

But is this enough reason for companies to simply ignore the security protocols that protect consumer data? And do you really think consumers experienced no “recognized injury” knowing their social security numbers and private information were in the hands of criminals? Anyone who has ever been the victim of identity theft will probably tell you, it’s not something you just “move on” from. The effects can last for years.

“Schneier says that what is happening in the tech-security world is a market failure similar in nature to what has happened with global warming: There is a problem that everyone is contributing to, but individual businesses don’t have a reason to do anything about it,” according to the WSJ.com article.

In the comments on this post,  reader Steve Muck suggests “a better approach is the adoption of national technology standards applied to IT systems and networks designed to safeguard PII. This approach recognizes that human error will always be problematic so why not leverage technology to reduce the likelihood of human error associated with PII handling. As an example and following the Federal Government lead, require encryption of all data used by industry. This action alone will signifcantly reduce the risk of harm.”

And another reader adds, “It is one thing to impose criminal and civil penalties on businesses, but what do you do with the federal government?”

Indeed. What about the breach at the Veterans Administration that exposed the personal information millions of American veterans? There is an ongoing case against the VA that could change the precedent. With claims of $1,000 per veteran (or $26.5 billion,) a settlement in favor of the plaintiffs might very well inspire government–and businesses–to “care.”

The Big Security Stall

The PC Data Security Blog offers the opportunity for professionals to post on topics important to those within the IT Security community. This week, Rob Weber, Product Specialist at Beachhead Solutions, brings us this post.

Has your company or organization secured its laptop and desktop data yet? Maybe they have and now they can rest easy. If they have not secured the data yet, the number of reasons and excuses is mind-boggling. Security isn’t sexy, doesn’t increase the productivity of employees, and can be a drain on those charged with implementing the solution. Nobody wants to own the security solution or take on the work it involves, yet it is a necessary evil. Thus it becomes an internal battle in many organizations between the economic buyer / product champion and the IT staff that must implement the solution. The product champion pushes for their chosen solution and the IT staff puts up barriers to the encroachment of their ‘turf’. Why does IT balk? The following reasons are commonly heard:

- IT had little or no say in the selection of the solution
- IT is not staffed properly to manage the solution
- The solution creates more work for the IT staff since the end user experience has changed
- While acknowledging a solution is needed, it just isn’t seen as high on the list of priorities

Whether these reasons are spoken or implied, the solution is blocked using one or more of the following ploys:

- Utopian product requirements are put in place to block any worthwhile solution
- Other, sexier IT initiatives are elevated ahead of the security solution
- Solution inquiries are simply met with radio silence by IT

What could happen to change this behavior? It hasn’t happened yet, but it will soon . . . a real data loss followed by a real penalty charged to the offending company or organization. As soon as this happens, the world will change. A security solution will be pushed through at many organizations due to fear and anxiety. The fact that the solution is not sexy, not properly staffed, or simply annoying won’t matter anymore. Those will be smaller pain points on the path to fulfilling a company necessity. CEOs will get involved and make it uncomfortable for anyone standing in the way or delaying a solution. Why? It will be embarrassing to be caught with unsecured data, but more importantly, it may prove to be the end of the company or organization if real penalties are applied.