Perimeter
10/15/2012
03:03 PM
Amy DeCarlo
Amy DeCarlo
Commentary
50%
50%

A False Sense Of Security

Cutting-edge security technologies are critical to safeguarding data integrity. However, organizations need to also focus on developing effective policies and practices to fully protect crucial information assets

To say these are interesting times in IT security would be an understatement. Innovative security technologies, including some impressive advances in analytics, can help enterprises detect anomalies, fix vulnerabilities, and mitigate attacks that in the past might have crippled an organization. Yet as impressive as developments in network and data security are, an increasingly sophisticated class of attackers is finding new ways to exploit vulnerabilities and breach a business or public sector institution's IT resources.

With so many controls to detect and block threats, there is a risk of organizations developing a false sense of security in the face of an increasingly hostile threat environment. In some cases, businesses may have all of the right security technology deployed, but there may be big gaps in policy and basic data-handling practices that can expose their most critical and sensitive assets to serious risk.

This caution extends even to organizations in heavily regulated industries. TD Bank is a case in point. The Toronto-based bank is in the process of notifying 260,000 U.S. account holders that their personal information may have compromised when some of the financial institution's backup tapes went missing in transit this past March.

I have no inside information on TD Bank's policies, protections, or general security practices. I would guess that, like other institutions that suffered similar data losses, TD Bank had a myriad of security technologies in place to protect online and other sensitive data. Yet either the bank itself or a third-party provider of long-term data storage had overlooked the basics of physical security in ensuring data was properly managed during the transport to an off-site location for long-term storage.

Though the bank says there is no evidence that any of the account holders' personally identifiable information (PII) contained on those tapes has been misused yet, account holders are left to wonder about future theft and fraud. And though the exact ramifications for TD Bank are uncertain, at the very least the bank suffers a very high-profile embarrassment.

Unfortunately, there are too many similar stories to call the TD Bank tape loss an isolated incident in banking or any other industry. At the heart of the problem is an all too casual reliance on security technology to safeguard all data with too little attention paid to the fundamental safe practices that need to be in place to protect critical information.

This lack of thorough data protection security practices and contingency planning is likely even more of an issue in smaller resource-constrained organizations where regulatory compliance may be less of an urgent concern. In a recent survey of small and midsize businesses by the National Cyber Security Alliance, 59 percent admitted they have no consistent plan for addressing data losses and communicating information about such a breach.

In the context of what is an increasingly virulent threat environment, this disregard for covering the basics of data security is proof that too many organizations still don't understand the very real costs of data loss. While research organizations have tried to quantify the costs of breached records, there are some intangible losses associated with reputation, customer losses, and other factors that can be almost impossible to measure.

What is clear is organizations need to be prepared, whatever their size or business, with both the right technology and the appropriate policies and data-handling practices. Simply put, organizations that let down their guards risk losing more than just the cost of the lost records, virus clean-up, or credit monitoring for the impacted customers.

Amy DeCarlo is principal analyst for security and data center services at Current Analysis Amy brings 17 years of IT industry experience to her position as Principal Analyst, Security and Data Center Services. Amy assesses the managed IT services sector, with an emphasis on security and data center solutions delivered through the cloud including on demand ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.