10/15/2012
03:03 PM
Amy DeCarlo
Commentary

A False Sense Of Security

Cutting-edge security technologies are critical to safeguarding data integrity. However, organizations also need to focus on developing effective policies and practices to fully protect crucial information assets.

To say these are interesting times in IT security would be an understatement. Innovative security technologies, including some impressive advances in analytics, can help enterprises detect anomalies, fix vulnerabilities, and mitigate attacks that in the past might have crippled an organization. Yet as impressive as developments in network and data security are, an increasingly sophisticated class of attackers is finding new ways to exploit vulnerabilities and breach a business or public sector institution's IT resources.

With so many controls to detect and block threats, there is a risk of organizations developing a false sense of security in the face of an increasingly hostile threat environment. In some cases, businesses may have all of the right security technology deployed, but there may be big gaps in policy and basic data-handling practices that can expose their most critical and sensitive assets to serious risk.

This caution extends even to organizations in heavily regulated industries. TD Bank is a case in point. The Toronto-based bank is in the process of notifying 260,000 U.S. account holders that their personal information may have been compromised when some of the financial institution's backup tapes went missing in transit this past March.

I have no inside information on TD Bank's policies, protections, or general security practices. I would guess that, like other institutions that suffered similar data losses, TD Bank had a myriad of security technologies in place to protect online and other sensitive data. Yet either the bank itself or a third-party provider of long-term data storage had overlooked the basics of physical security in ensuring data was properly managed during the transport to an off-site location for long-term storage.

Though the bank says there is no evidence that any of the account holders' personally identifiable information (PII) contained on those tapes has been misused yet, account holders are left to wonder about future theft and fraud. And though the exact ramifications for TD Bank are uncertain, at the very least the bank suffers a very high-profile embarrassment.

Unfortunately, there are too many similar stories to call the TD Bank tape loss an isolated incident in banking or any other industry. At the heart of the problem is an all too casual reliance on security technology to safeguard all data with too little attention paid to the fundamental safe practices that need to be in place to protect critical information.

This lack of thorough data protection security practices and contingency planning is likely even more of an issue in smaller resource-constrained organizations where regulatory compliance may be less of an urgent concern. In a recent survey of small and midsize businesses by the National Cyber Security Alliance, 59 percent admitted they have no consistent plan for addressing data losses and communicating information about such a breach.

In the context of what is an increasingly virulent threat environment, this disregard for covering the basics of data security is proof that too many organizations still don't understand the very real costs of data loss. While research organizations have tried to quantify the costs of breached records, there are some intangible losses associated with reputation, customer losses, and other factors that can be almost impossible to measure.

What is clear is organizations need to be prepared, whatever their size or business, with both the right technology and the appropriate policies and data-handling practices. Simply put, organizations that let down their guards risk losing more than just the cost of the lost records, virus clean-up, or credit monitoring for the impacted customers.

Amy DeCarlo is principal analyst for security and data center services at Current Analysis. Amy brings 17 years of IT industry experience to her position as Principal Analyst, Security and Data Center Services. Amy assesses the managed IT services sector, with an emphasis on security and data center solutions delivered through the cloud including on demand ...
