Perimeter
10/15/2012
03:03 PM
Amy DeCarlo
Amy DeCarlo
Commentary
Connect Directly
RSS
E-Mail
50%
50%

A False Sense Of Security

Cutting-edge security technologies are critical to safeguarding data integrity. However, organizations need to also focus on developing effective policies and practices to fully protect crucial information assets

To say these are interesting times in IT security would be an understatement. Innovative security technologies, including some impressive advances in analytics, can help enterprises detect anomalies, fix vulnerabilities, and mitigate attacks that in the past might have crippled an organization. Yet as impressive as developments in network and data security are, an increasingly sophisticated class of attackers is finding new ways to exploit vulnerabilities and breach a business or public sector institution's IT resources.

With so many controls to detect and block threats, there is a risk of organizations developing a false sense of security in the face of an increasingly hostile threat environment. In some cases, businesses may have all of the right security technology deployed, but there may be big gaps in policy and basic data-handling practices that can expose their most critical and sensitive assets to serious risk.

This caution extends even to organizations in heavily regulated industries. TD Bank is a case in point. The Toronto-based bank is in the process of notifying 260,000 U.S. account holders that their personal information may have compromised when some of the financial institution's backup tapes went missing in transit this past March.

I have no inside information on TD Bank's policies, protections, or general security practices. I would guess that, like other institutions that suffered similar data losses, TD Bank had a myriad of security technologies in place to protect online and other sensitive data. Yet either the bank itself or a third-party provider of long-term data storage had overlooked the basics of physical security in ensuring data was properly managed during the transport to an off-site location for long-term storage.

Though the bank says there is no evidence that any of the account holders' personally identifiable information (PII) contained on those tapes has been misused yet, account holders are left to wonder about future theft and fraud. And though the exact ramifications for TD Bank are uncertain, at the very least the bank suffers a very high-profile embarrassment.

Unfortunately, there are too many similar stories to call the TD Bank tape loss an isolated incident in banking or any other industry. At the heart of the problem is an all too casual reliance on security technology to safeguard all data with too little attention paid to the fundamental safe practices that need to be in place to protect critical information.

This lack of thorough data protection security practices and contingency planning is likely even more of an issue in smaller resource-constrained organizations where regulatory compliance may be less of an urgent concern. In a recent survey of small and midsize businesses by the National Cyber Security Alliance, 59 percent admitted they have no consistent plan for addressing data losses and communicating information about such a breach.

In the context of what is an increasingly virulent threat environment, this disregard for covering the basics of data security is proof that too many organizations still don't understand the very real costs of data loss. While research organizations have tried to quantify the costs of breached records, there are some intangible losses associated with reputation, customer losses, and other factors that can be almost impossible to measure.

What is clear is organizations need to be prepared, whatever their size or business, with both the right technology and the appropriate policies and data-handling practices. Simply put, organizations that let down their guards risk losing more than just the cost of the lost records, virus clean-up, or credit monitoring for the impacted customers.

Amy DeCarlo is principal analyst for security and data center services at Current Analysis Amy brings 17 years of IT industry experience to her position as Principal Analyst, Security and Data Center Services. Amy assesses the managed IT services sector, with an emphasis on security and data center solutions delivered through the cloud including on demand ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2363
Published: 2014-07-26
Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request.

CVE-2014-3071
Published: 2014-07-26
Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection.

CVE-2014-3301
Published: 2014-07-26
The ProfileAction controller in Cisco WebEx Meetings Server (CWMS) 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned messages, aka Bug ID CSCuj81700.

CVE-2014-3305
Published: 2014-07-26
Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuj81735.

CVE-2014-3324
Published: 2014-07-26
Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCup90060.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.