In Depth
Lessons of ChoicePoint, 4 Years Later
Four years after the ChoicePoint fiasco brought data insecurity to the forefront, we still have much to learn.
By Bill Brenner, Senior Editor
Woefully ignorant
That may be the case to a large extent, but other security experts see specific areas where organizations are simply asleep at the switch.
"All the improvements have come from SB 1386 and other disclosure laws, and as far as I can tell awareness to data risks hasn't increased significantly," says security industry veteran Richard Stiennon.
Business owners are still "woefully ignorant" of the threat to their data, he says, adding that while they've fumbled along trying to reach certain compliance requirements, the threat has gone from what it was four years ago to a full-scale economy of people stealing and selling credit card information.
Stiennon points to several ongoing weaknesses in how organizations conduct their security. Access control and stronger authentication remain elusive in many companies, for example.
"I can't point to one sterling example of where government agencies are getting it right, including the Pentagon," he says. "I'd say the security in these organizations remains at 1995 levels."
If this story were written for the fifth anniversary of ChoicePoint, there might be a better story to tell, says Paul Roberts, senior analyst for enterprise security at the 451 Group. "There's at least improvement when you look at the attention paid to data security," he says. "There's more awareness to the reputational and legal dangers in corporate boardrooms."
But there's still much room for improvement, he says.
Not nearly enough
Regulations and industry standards may have helped raise awareness and force companies to make security improvements they wouldn't have made otherwise. But, says Kevin Riggins, senior information security analyst at Des Moines, Iowa-based Principal Financial Group, regulations alone are not nearly enough.
"I can't say that I have seen a significant response from the business world other than the disclosures themselves," he says. "There has been literally no impact, through disclosure, on breach levels since the ChoicePoint incident. Last year saw a significant increase in the exposure of personally identifiable information through breaches over the year before."
This has Riggins concluding that the breach notification laws by themselves are not sufficient to make companies introduce controls -- technology and process oriented -- that effectively protect customer information.
Seeking a better way
The data breach trend has at least prompted IT security pros to seek out better training, according to Stephen Northcutt, president of the SANS Technology Institute.
After ChoicePoint, he says, "A number of people wrote asking what kind of training we had to get a handle on data loss. We decided to put most of our efforts behind our Payment Card Industry course and STAR certificate. We got that into the field to equip auditors with the knowledge, process, and technology to not only ensure PCI DSS 1.2 compliance, but also take a look at the controls across the entire lifecycle of sensitive customer data."