EXPERT ADVICE
With Great Amounts of Data Comes Great Responsibility


Keeping your customers' data safe and secure means protecting against threats from both the outside as well as the inside. Implement layered security, monitor network traffic, and encrypt all sensitive data, recommends ESET's Jeff Debrosse.



Data loss prevention: It has become one of those terms we have all grown unusually familiar with. Data loss prevention isn't about the outright cessation of the loss of personal records; it's about reducing the risk to an acceptable level. There isn't a corner of health care, finance, construction or any other sector that doesn't carry some measure of risk. When the frequency and cost of data breaches outweigh other security concerns, it is time to reassess the risks.

If we take a look at 2008, we can clearly see that it was a year of unprecedented events. From a security perspective, let's look at data breaches. The amount of records containing sensitive personal information that were involved in data breaches (in the U.S.) in the last three years also falls under the "unprecedented" category -- approximately 250 million records. Last year alone, 38 million records accounted for part of that number. In 2007, there were over 127 million records involved in data breaches.

A point to keep in mind is that the number of records involved in data breaches is either underreported or, in some cases, not reported at all. A trend that I've seen is that corporations are facing greater financial risk from insufficient controls and unclear policies. Problems also arise when controls are put in place before the policies are written or completed -- controls exist to enforce policies, so they should follow from them rather than precede them.

With respect to data loss, increased penalties and increased transparency (or at least limited transparency) are two paths that have been cited time and again as ways to increase corporate responsibility.

An Ounce of Prevention

Another topic to consider is preventing breaches. Even in corporations that have well-written policies and effective controls, the percentage of data breaches that occur due to human error is still above 80 percent.

I'd like to take some time to dissect a data breach that occurred in 2008 which involved the exposure/release of 4.2 million records. As in the aviation world, when there is an accident, it is referred to as a "chain of events," or the "error chain." These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents such as data leakage. Take, for instance, the case of the Maine-based Hannaford Brothers grocery stores. Let's look at this chain of events:

  1. The supermarket chain reported to Massachusetts regulators that the scope of the malware infections appears to be larger than anything that is remotely possible. It is Hannaford's belief that a "trusted" source had physical access to the servers.
  2. A trusted source with administrative remote or physical access to one or more servers installed malicious software (malware) onto those servers.
  3. The malware intercepts customer card data and transmits that data outside of the network to remote servers.
  4. WebSphere MQ, which is a popular network messaging carrier for ATM and credit card transactions, does not encrypt this data by default. Since the traffic is sent in clear text, it is easy to "sniff" and capture or transmit this information.

These are just a few points, but if you add them up, you will see the chain of events that led to a data breach which revealed up to 4.2 million customer records. Keep in mind that at the time of the breach, Hannaford Brothers was, in fact, PCI compliant. This reinforces the fact that companies must stay vigilant and look for anomalous behavior as well as correlate disparate pieces of information to draw larger pictures and determine the probability of attacks from various vectors.

According to the ITRC (Identity Theft Resource Center), data loss associated with insider theft doubled from 2007 to 2008. The economic climate and resultant desperation doesn't help things either -- the latest figures show a 7.2 percent domestic unemployment rate in December. According to the Bureau of Labor Statistics, we haven't seen unemployment rates this high since 1993. What's alarming is the rate at which this number grew -- from 4.9 percent in January to 7.2 percent in December. With these numbers, there's a good chance that we'll be seeing more people engaging in insider-theft tactics as the jobless rates continue to climb.

While most would think first of the penalties and fines assessed per record involved in a data breach, there are additional consequences, some of which are:

  • Loss of sales
  • Investigation and notification costs
  • Fines and litigation
  • The cost of credit monitoring services for each customer
  • Interruption of operations
  • Last, but definitely not least: brand erosion (reputation, customer trust, etc.)

Best Practices

Before I end this article, I'd like to offer some thoughts and best practices on data security:

  1. Know that there is no 100 percent guaranteed "silver bullet" for network security; companies must maintain constant vigilance over their security -- from physical security to network configuration/security. A "set it and forget it" attitude in the security world sets false expectations of ongoing security.
  2. Leverage network traffic anomaly detection -- get a clear picture of what is traversing the network.
  3. Use software to correlate various security logs (e.g. firewall, Web server, remote access) to spot trends.
  4. Be proactive -- use heuristic detection to protect against malicious software on every computer possible, from critical systems that are connected to a company's network to the terminals that handle simple tasks such as email and other day-to-day functions.
  5. Implement layered security so that if one defense fails, the others have a chance of stopping the attack.
  6. Stay on top of patches and updates. A good patch management system is a key security measure.
  7. Encrypt sensitive data. Encryption makes lost/stolen data worthless to those that come into possession of the data.
  8. Behavior modification -- individuals are often unknowingly involved in data breaches due to improper or inadequate information handling procedures. There is often very little consideration given to regulatory compliance directives in the daily handling of personal records.
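Points 2 and 3 above (anomaly detection on network traffic, and correlating firewall, Web server and remote-access logs) are easier to picture with a concrete, if small, implementation. The following Python script is an added example written for this article; it is not code from ESET or from the Hannaford investigation. All log lines, IP addresses, user names and log formats in it are constructed for illustration, and it assumes that every log source records timestamps in the same local time. It normalizes three log formats into one event stream, flags internal hosts whose outbound transfer volume is far above their peers (a simple traffic-anomaly check), and then pulls in the remote-access logins and Web requests from the same host in the preceding window, so an analyst sees the chain of events rather than three disconnected log entries.

```python
"""Correlate firewall, VPN and Web server logs to surface an anomalous chain of events.

Added example for illustration only. Log formats and all sample lines are constructed;
the script assumes all sources log in the same local time zone.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real events). Three sources, three different formats.
FIREWALL_LOGS = [
    "2008-03-01T09:12:01 fw1 ALLOW src=10.0.5.10 dst=203.0.113.20 dport=443 bytes=48000",
    "2008-03-01T09:40:13 fw1 ALLOW src=10.0.5.11 dst=203.0.113.20 dport=443 bytes=52000",
    "2008-03-01T10:02:45 fw1 ALLOW src=10.0.5.12 dst=203.0.113.21 dport=80 bytes=39000",
    "2008-03-01T23:14:09 fw1 ALLOW src=10.0.5.23 dst=198.51.100.77 dport=443 bytes=910000",
    "2008-03-01T23:16:31 fw1 ALLOW src=10.0.5.23 dst=198.51.100.77 dport=443 bytes=870000",
    "2008-03-01T23:20:02 fw1 ALLOW src=10.0.5.23 dst=10.0.9.4 dport=1414 bytes=15000",
]
VPN_LOGS = [
    "2008-03-01T08:55:00 vpn1 LOGIN user=asmith src=192.0.2.15 assigned=10.0.5.10",
    "2008-03-01T22:58:40 vpn1 LOGIN user=jdoe src=192.0.2.88 assigned=10.0.5.23",
]
WEB_LOGS = [  # Apache "common" format
    '10.0.5.10 - - [01/Mar/2008:09:01:00 -0500] "GET /index.html HTTP/1.1" 200 2048',
    '10.0.5.23 - - [01/Mar/2008:23:05:12 -0500] "GET /reports/export?format=csv HTTP/1.1" 200 5120',
]

FW_RE = re.compile(r"^(\S+) \S+ (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")
VPN_RE = re.compile(r"^(\S+) \S+ LOGIN user=(\S+) src=\S+ assigned=(\S+)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts, action, src, dst, dport, nbytes = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "firewall", "host": src,
            "dst": dst, "dport": int(dport), "bytes": int(nbytes), "action": action}


def parse_vpn(line):
    m = VPN_RE.match(line)
    if not m:
        return None
    ts, user, assigned = m.groups()
    # The assigned internal address is the key that links this login to the other sources.
    return {"ts": datetime.fromisoformat(ts), "source": "vpn", "host": assigned, "user": user}


def parse_web(line):
    m = WEB_RE.match(line)
    if not m:
        return None
    host, ts, request, status, size = m.groups()
    # Drop the UTC offset: all sources are assumed to log in the same local time.
    ts_dt = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    return {"ts": ts_dt, "source": "web", "host": host, "request": request,
            "status": int(status), "bytes": int(size)}


def load_events(fw_lines, vpn_lines, web_lines):
    """Normalize all sources into one time-ordered event list; unparseable lines are skipped."""
    events = [parse_firewall(l) for l in fw_lines]
    events += [parse_vpn(l) for l in vpn_lines]
    events += [parse_web(l) for l in web_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def outbound_bytes_by_host(events):
    """Total bytes each internal host sent to non-internal destinations (firewall ALLOW only)."""
    totals = defaultdict(int)
    for e in events:
        if e["source"] == "firewall" and e["action"] == "ALLOW":
            if ipaddress.ip_address(e["dst"]) not in INTERNAL:
                totals[e["host"]] += e["bytes"]
    return dict(totals)


def flag_heavy_hosts(events, factor=3.0):
    """Hosts whose outbound volume exceeds `factor` times the median of their peers."""
    totals = outbound_bytes_by_host(events)
    if len(totals) < 2:
        return []
    flagged = []
    for host, total in totals.items():
        peers = [v for h, v in totals.items() if h != host]
        if total > factor * statistics.median(peers):
            flagged.append(host)
    return sorted(flagged)


def correlate(events, window=timedelta(hours=2)):
    """For each flagged host, gather VPN logins and Web requests in the window before its transfers."""
    findings = []
    for host in flag_heavy_hosts(events):
        transfers = [e for e in events if e["source"] == "firewall" and e["host"] == host
                     and ipaddress.ip_address(e["dst"]) not in INTERNAL]
        first_ts = transfers[0]["ts"]
        prior = [e for e in events if e["host"] == host and first_ts - window <= e["ts"] <= first_ts]
        findings.append({
            "host": host,
            "bytes": sum(t["bytes"] for t in transfers),
            "destinations": sorted({t["dst"] for t in transfers}),
            "vpn_users": sorted({e["user"] for e in prior if e["source"] == "vpn"}),
            "web_requests": [e["request"] for e in prior if e["source"] == "web"],
        })
    return findings


if __name__ == "__main__":
    for f in correlate(load_events(FIREWALL_LOGS, VPN_LOGS, WEB_LOGS)):
        print(f"{f['host']}: {f['bytes']} bytes to {f['destinations']}; "
              f"VPN users {f['vpn_users']}; preceding web requests {f['web_requests']}")
```

The peer-median comparison is deliberately crude; in practice the baseline would be the same host's own history over days or weeks, and the window would be tuned to the environment. The point the example makes is the one the article makes: none of the three sources alone is alarming (a late VPN login, a report export, a large HTTPS upload), but laid on one timeline they form a chain worth investigating.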

A final thought: With the retention of great amounts of personal information comes great responsibility -- and risk.


Jeff Debrosse is North American research director at ESET, a developer of computer security protection solutions.

