Monday, June 30, 2008

Data breaches and gas prices...

Seems like the growth rate is the same: the ITRC (Identity Theft Resource Center) just released some interesting stats. Apparently the number of breaches in the first half of 2008 has risen 69% over the same period in 2007. Maybe gas prices have increased a bit more, but not by much...

Also other interesting nuggets -

  • Almost 40% of the breached organizations have not disclosed the number of records breached.
  • Theft, either internal or external, has been the primary reason for the breach.

Wonder why we are not hearing about this in the presidential campaign? A unified national policy approach to this epidemic would be welcome (as would lower gas prices!)

Wednesday, June 25, 2008

Share, but share insecurely?

In all the hoopla about IT admins getting into your stuff (from the recent Cyber-Ark survey), most folks might have missed this interesting nugget...

"Majority are sloppy at handling and exchanging sensitive data: Seven out of 10 companies rely on out-dated and insecure methods to exchange sensitive data when it comes to passing it between themselves and their business partners with 35% choosing to email sensitive data, 35% sending it via a courier, 22% using FTP and 4% still relying on the postal system. This shouldn't be any big surprise when you learn that 12% of these senior IT personnel who were interviewed also choose to send cash in the post!"

Over 70% of companies share sensitive information, within and without, in an insecure way! Here we are, locking down data at rest within the company, yet as it leaves that safe haven it is sent out in the clear!

This is where I think a more information-centric approach can help: protect the data rather than the devices, so that wherever the data goes, the protection follows. A bit like Mary's little lamb, if you get my drift...

Monday, June 23, 2008

The "IT admin bad guy"? Not sure I buy it much...

The recent survey on IT admins misusing privileges might be accurate, but I am not sure I buy it much. I'd like to see some of the questions as well :)

Most of the IT admins I have met with have a sense of the responsibility that comes with their power. True, there might be some bad eggs or apples in the bunch, but overall I think they are ethically sound people.

This is like implying that because the guard has access to the safe, he/she might be taking advantage of that access. My view is that the state of technology is (or was) such that there was no way around it: somebody had to have access.

However, to get this monkey off the back of IT admins, all they have to do is install technology that creates isolation between content and infrastructure. IT admins don't lose anything: they still get their work done, and they won't be scapegoats for leaked data or bear the burden because of a few rotten apples.

I spy - employees snooping around?

Apparently many employees (nearly half) have the habit of snooping around within the company, according to a new research study by Cyber-Ark. Many gain access using privileged accounts such as administrator or root, whose passwords the research found are not changed that often.

"Cyber-Ark said privileged passwords get changed far less frequently than user passwords, with 30 percent being changed every quarter and 9 percent never changed at all, meaning that IT staff who have left an organization could still gain access."

This is a bit unnerving: most organizations should be following compliance mandates such as SOX that require isolating administrator access from content, and using technology to enforce this...
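The two conditions the survey describes (privileged passwords rotated rarely or never, and credentials still usable by staff who have left) are easy to check against an account inventory. The following is an added example, not code from the post or from Cyber-Ark; the record layout, the 90-day rotation threshold and every sample row are constructed for illustration.

```python
"""Audit a constructed privileged-account inventory for stale, never-rotated
and departed-owner credentials (added example; not from the post or Cyber-Ark).
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_AGE_DAYS = 90                # assumed policy: privileged passwords rotate at least quarterly
AUDIT_DATE = date(2008, 6, 23)   # assumed "today" for the audit

# Constructed inventory export; 'never' means the password was never changed.
SAMPLE_CSV = """account,privileged,last_rotated,owner,owner_active
root@db01,yes,2008-01-10,alice,yes
admin@fileserver,yes,never,bob,yes
sa@erp,yes,2008-05-01,carol,no
jdoe,no,2007-03-03,jdoe,yes
backup-svc,yes,2008-06-01,dave,yes
"""


@dataclass
class Credential:
    account: str
    privileged: bool
    last_rotated: Optional[date]  # None means never rotated
    owner: str
    owner_active: bool


def parse_records(text: str) -> list[Credential]:
    """Parse the CSV export into Credential records (assumed column names)."""
    creds = []
    for row in csv.DictReader(io.StringIO(text)):
        rotated = None if row["last_rotated"] == "never" else date.fromisoformat(row["last_rotated"])
        creds.append(Credential(
            account=row["account"],
            privileged=row["privileged"] == "yes",
            last_rotated=rotated,
            owner=row["owner"],
            owner_active=row["owner_active"] == "yes",
        ))
    return creds


def classify(cred: Credential, today: date) -> list[str]:
    """Return the findings for one credential; non-privileged accounts are out of scope."""
    findings: list[str] = []
    if not cred.privileged:
        return findings
    if cred.last_rotated is None:
        findings.append("never-rotated")
    elif (today - cred.last_rotated).days > MAX_AGE_DAYS:
        findings.append("stale")
    if not cred.owner_active:
        findings.append("departed-owner")  # a leaver still holds a usable privileged secret
    return findings


def audit(creds: list[Credential], today: date) -> dict[str, list[str]]:
    """Map each account with at least one finding to its findings."""
    report: dict[str, list[str]] = {}
    for cred in creds:
        findings = classify(cred, today)
        if findings:
            report[cred.account] = findings
    return report


def run_audit() -> dict[str, list[str]]:
    """Run the audit over the constructed sample as of AUDIT_DATE."""
    return audit(parse_records(SAMPLE_CSV), AUDIT_DATE)


if __name__ == "__main__":
    for account, findings in run_audit().items():
        print(f"{account}: {', '.join(findings)}")
```

Both "stale" and "departed-owner" are reported for an account that has both problems; with a real inventory the obvious follow-ups are rotating the flagged secrets and feeding the departed-owner list into the leaver process.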

Medical records - the new frontier in data theft?

Looks like supply and demand and the good old laws of economics are catching up with data breaches as well. Seems like medical records are the new black: more criminals are focusing on getting access to these rather than boring credit card numbers, bank accounts, etc.

There is a related scary part to this story (other than the fact that medical records are under active threat).

The scary part is the huge number of stolen credit card and bank account records out there, which is depressing prices for this data all over the world! The laws of supply and demand are taking over and making it a commodity. For example, not too long ago a valid credit/bank card with a PIN went for $100; now, with the flood of such products, prices have come down to the $10-20 range.

The logical conclusion is that criminals have become so good at getting access to sensitive data that they are flooding the market! They are therefore moving up the value chain to even more valuable data. Presumably, stuff they can sell for more than $100!

Friday, June 20, 2008

Medical records under threat

Just saw a disturbing article on how criminals are targeting medical records. Apparently Finjan (a security vendor) was trawling for malware and came across a large chunk of data with patient information, and get this: it was available for purchase by the highest bidder!

By now all of us are aware that hackers are no longer kids looking for laughs or thrills; they are the new criminal organizations. These organizations make a business of buying and selling data, be it credit cards, bank account information, etc.

I suspect medical information can be used for many things - identity theft, blackmail, maybe even insurance fraud. Who knows?

But the main point here is this: it does appear that medical and patient information has value to criminal organizations, and this is something to worry about. They will do anything to get their hands on it...

Tuesday, June 17, 2008

Data security and the "chasm of protection"

I was thinking a bit more about the notion of data-centric or information-centric security and why this is absolutely the future of data protection...

Say you are a retailer. You have data in your POS devices, encrypted by the POS application as cards are read in. When another application needs this data, it has to be decrypted first so that this in-store application can read it. That application may then encrypt it again as it stores it on in-store servers. Now assume you have another application in the data center that is used for card settlement: another decrypt-encrypt cycle from the store to the data center!

This scenario is not limited to a retail environment. Consider a similar cycle repeating itself in most companies as data is moved from location to location, analyzed and processed by multiple applications, on multiple devices and across multiple internal and external networks, each time being decrypted, stored or transferred in the clear until it gets encrypted again. Each time this cycle repeats there is a weakness that can be exploited, since there is a gap in the consistent protection of the data.

Being data-centric, however, brings persistence and consistency to the protection of that data element, thereby removing this "chasm".
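To make the "chasm" concrete, here is an added example (not code from the post) that models the retail flow above in two ways: a per-hop scheme in which the store application decrypts the card number and re-encrypts it for the data center, and a data-centric scheme in which the element is protected once, bound to the settlement service, and merely forwarded by the store. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, built from the standard library only so the example runs offline; a real deployment would use a vetted AEAD such as AES-GCM. The hop names, keys and sample card number are constructed for this example.

```python
"""Per-hop versus data-centric protection of a card number (added example).

hop_by_hop():   each application decrypts with its own key, handles the
                plaintext, then re-encrypts for the next hop.
data_centric(): the element is protected once for the settlement service;
                intermediate hops forward it but cannot open it.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN = 16

# Assumed principals: the POS reads the card; these two hold decryption keys.
KEYS = {"store_server": secrets.token_bytes(32), "settlement": secrets.token_bytes(32)}


@dataclass(frozen=True)
class Protected:
    """A self-describing protected element: it names who may open it."""
    key_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key_id: str, plaintext: bytes) -> Protected:
    """Encrypt and authenticate plaintext so that only key_id can open it."""
    key = KEYS[key_id]
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, key_id.encode() + nonce + ct, hashlib.sha256).digest()  # tag binds the key_id
    return Protected(key_id, nonce, ct, tag)


def unprotect(key_id: str, obj: Protected) -> bytes:
    """Open obj as principal key_id; refuses if the element is bound to someone else."""
    if obj.key_id != key_id:
        raise PermissionError(f"element is bound to {obj.key_id}, not {key_id}")
    key = KEYS[key_id]
    expected = hmac.new(key, obj.key_id.encode() + obj.nonce + obj.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, obj.tag):
        raise ValueError("authentication tag mismatch: element was altered")
    return bytes(c ^ k for c, k in zip(obj.ciphertext, _keystream(key, obj.nonce, len(obj.ciphertext))))


def hop_by_hop(card: bytes) -> tuple[bytes, list[str]]:
    """Per-hop encryption: returns the settled value and every hop that held plaintext."""
    exposed = []
    obj = protect("store_server", card)        # POS encrypts for the in-store application
    plaintext = unprotect("store_server", obj)  # store app must decrypt to use it...
    exposed.append("store_server")              # ...so plaintext sits in store memory/storage
    obj = protect("settlement", plaintext)      # re-encrypted for the data center
    final = unprotect("settlement", obj)
    exposed.append("settlement")
    return final, exposed


def data_centric(card: bytes) -> tuple[bytes, list[str]]:
    """Data-centric: protection travels with the element; only settlement opens it."""
    exposed = []
    obj = protect("settlement", card)  # bound to the consumer at the point of capture
    try:
        unprotect("store_server", obj)  # the store app can store and forward, not read
        exposed.append("store_server")
    except PermissionError:
        pass
    final = unprotect("settlement", obj)
    exposed.append("settlement")
    return final, exposed


def tamper_detected(card: bytes) -> bool:
    """A hop that alters the ciphertext in transit is caught by the consumer's tag check."""
    obj = protect("settlement", card)
    flipped = bytes([obj.ciphertext[0] ^ 1]) + obj.ciphertext[1:]
    altered = Protected(obj.key_id, obj.nonce, flipped, obj.tag)
    try:
        unprotect("settlement", altered)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    card = b"4111111111111111"  # constructed sample card number
    print("hop-by-hop exposes plaintext at:", hop_by_hop(card)[1])
    print("data-centric exposes plaintext at:", data_centric(card)[1])
    print("tampering detected:", tamper_detected(card))
```

The list of exposed hops is the chasm: in the per-hop flow every intermediate application is a place where the value exists in the clear and must itself be secured, whereas in the data-centric flow the only such place is the one consumer that legitimately needs the value.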

Monday, June 9, 2008

Adaptive security from the Gartner IT Security Summit

I was at the Gartner IT Security Summit in DC last week - very interesting sessions.

Liked the Neil MacDonald keynote on the second day. He talked a lot about the current challenges of point products, silos and the decreasing importance of the perimeter. He also talked about how security would evolve and his vision of model-based security, proactive approaches to security and how we could learn from the adaptive mechanisms of a biological system. Very interesting.

Most of it made sense; however, it seemed hard to see how we could build adaptive/proactive security systems just yet. We are still figuring out security based on signatures and we can't build them fast enough; adaptive might mean too many gray areas in the short term. And it necessitates learning from mistakes, so I think it will take a bit of time before we fully trust these seemingly AI-like models for security.

The one topic that did intrigue me was his statement on protecting the information rather than focusing on devices. Near and dear to my heart, this information-centric security view! This trend does seem clear; more on this soon...