Industry View

What I Learned From the Top Five Security Events of 2007

Prat Moghe of Tizor Systems draws five key lessons from five data breaches.

By Prat Moghe

Page 3

 

2. Think inside of the box. 
Assume that your proactive perimeter defenses will be compromised at some point, and have something in place that lets you know when data is being (or is about to be) compromised. In other words, put a security camera in the vault, in case the locks, guards and security badges fail. Once the TJX (or Ameritrade or DuPont or…) data thieves had access credentials, they pretty much had free run of the data. If any of these organizations had been able to “see” what was actually happening to the data at the core data servers, there’s a good chance that they would have been alerted to suspicious behavior.

 

3. Watch for the signs of information theft.
The insider threat is still a tough and open problem. It’s even tougher now that data thieves are finding more and better ways to masquerade as authorized users. The DuPont breach helped illustrate that there are information theft signals; unusually large downloads of corporate information are one example. It’s likely that, if we had a window into the TJX breach, we would have seen signs of potential data theft: for instance, data being accessed at unusual times, data being accessed by users who don’t typically access it, or access from unusual IPs. The same is most likely true of the Ameritrade incident.
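
The four signals named above can be checked mechanically against a per-user baseline built from data-server audit records. The sketch below is an added example, not from the original article; the record layout, user names, address range, working hours and volume threshold are all assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed audit records: (timestamp, user, source IP, table, rows returned).
BASELINE = [
    ("2007-03-05T10:12:00", "alice", "10.1.4.20", "orders", 120),
    ("2007-03-06T09:30:00", "alice", "10.1.4.20", "customers", 40),
    ("2007-03-06T11:05:00", "bob", "10.1.7.33", "cardholder", 15),
    ("2007-03-07T16:20:00", "bob", "10.1.7.33", "cardholder", 22),
]
TODAY = [
    ("2007-03-08T10:02:00", "alice", "10.1.4.20", "orders", 110),
    ("2007-03-08T02:47:00", "alice", "192.0.2.77", "cardholder", 48000),
    ("2007-03-08T15:10:00", "bob", "10.1.7.33", "cardholder", 18),
]
KNOWN_NETS = [ip_network("10.1.0.0/16")]  # assumed corporate address range
WORK_HOURS = range(7, 20)                  # assumed 07:00-19:59 local time
VOLUME_FACTOR = 10                         # assumed: 10x a user's largest read

def build_profile(records):
    """Per-user baseline: tables normally touched and largest result set."""
    tables, max_rows = defaultdict(set), defaultdict(int)
    for _, user, _, table, rows in records:
        tables[user].add(table)
        max_rows[user] = max(max_rows[user], rows)
    return tables, max_rows

def signals(record, tables, max_rows):
    """Return the theft signals (as listed in the article) a record trips."""
    ts, user, ip, table, rows = record
    hits = []
    if user in max_rows and rows > VOLUME_FACTOR * max_rows[user]:
        hits.append("unusually large download")
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        hits.append("unusual time")
    if table not in tables.get(user, set()):
        hits.append("user does not typically access this data")
    if not any(ip_address(ip) in net for net in KNOWN_NETS):
        hits.append("unusual IP")
    return hits

def review(baseline, today):
    tables, max_rows = build_profile(baseline)
    return [(r, s) for r in today if (s := signals(r, tables, max_rows))]

if __name__ == "__main__":
    for record, hits in review(BASELINE, TODAY):
        print(record[1], record[3], "->", ", ".join(hits))
```

Only the 02:47 read by a valid account is flagged, and it trips all four signals even though the credentials themselves were accepted.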

 

4. What you don’t know can hurt you.
What is universal among the breaches discussed above is that these organizations did not know what was going on with their data: they didn’t know who was actually accessing it, when, from where, etc. If they had, they could potentially have stopped any one of the aforementioned incidents before major damage was done. Worst case, if the thief, hacker or malicious insider had made away with some sensitive data (definitely not the large amounts of data loss reported in these breaches), knowing which data was touched would have allowed, for example, Ameritrade to notify the potential victims immediately and in a meaningful way, and to look like they had control over their customer data environment. The sub-lesson here is: think very carefully about your breach disclosure strategy.

 

5. Data paralysis is not data security.
In response to data security threats, data jail is one option. This sounds funny, but one way to secure sensitive data assets is to severely limit access to them. Unfortunately, for most companies, this would be the fast track to business failure. Access to data by the employees or partners who need it when they need it adds up to competitive advantage in today’s business environment. You can’t fault a company that wants to maximize the use of data assets for all stakeholders—availability is one of the main benefits of electronic data. Data security needs to be viewed as an ‘assets in motion’ issue, a balance of access and oversight. It’s a tough problem, but solvable.
