Perimeter
10/15/2012
03:03 PM
Amy DeCarlo
Amy DeCarlo
Commentary
50%
50%

A False Sense Of Security

Cutting-edge security technologies are critical to safeguarding data integrity. However, organizations need to also focus on developing effective policies and practices to fully protect crucial information assets

To say these are interesting times in IT security would be an understatement. Innovative security technologies, including some impressive advances in analytics, can help enterprises detect anomalies, fix vulnerabilities, and mitigate attacks that in the past might have crippled an organization. Yet as impressive as developments in network and data security are, an increasingly sophisticated class of attackers is finding new ways to exploit vulnerabilities and breach a business or public sector institution's IT resources.

With so many controls to detect and block threats, there is a risk of organizations developing a false sense of security in the face of an increasingly hostile threat environment. In some cases, businesses may have all of the right security technology deployed, but there may be big gaps in policy and basic data-handling practices that can expose their most critical and sensitive assets to serious risk.

This caution extends even to organizations in heavily regulated industries. TD Bank is a case in point. The Toronto-based bank is in the process of notifying 260,000 U.S. account holders that their personal information may have compromised when some of the financial institution's backup tapes went missing in transit this past March.

I have no inside information on TD Bank's policies, protections, or general security practices. I would guess that, like other institutions that suffered similar data losses, TD Bank had a myriad of security technologies in place to protect online and other sensitive data. Yet either the bank itself or a third-party provider of long-term data storage had overlooked the basics of physical security in ensuring data was properly managed during the transport to an off-site location for long-term storage.

Though the bank says there is no evidence that any of the account holders' personally identifiable information (PII) contained on those tapes has been misused yet, account holders are left to wonder about future theft and fraud. And though the exact ramifications for TD Bank are uncertain, at the very least the bank suffers a very high-profile embarrassment.

Unfortunately, there are too many similar stories to call the TD Bank tape loss an isolated incident in banking or any other industry. At the heart of the problem is an all too casual reliance on security technology to safeguard all data with too little attention paid to the fundamental safe practices that need to be in place to protect critical information.

This lack of thorough data protection security practices and contingency planning is likely even more of an issue in smaller resource-constrained organizations where regulatory compliance may be less of an urgent concern. In a recent survey of small and midsize businesses by the National Cyber Security Alliance, 59 percent admitted they have no consistent plan for addressing data losses and communicating information about such a breach.

In the context of what is an increasingly virulent threat environment, this disregard for covering the basics of data security is proof that too many organizations still don't understand the very real costs of data loss. While research organizations have tried to quantify the costs of breached records, there are some intangible losses associated with reputation, customer losses, and other factors that can be almost impossible to measure.

What is clear is organizations need to be prepared, whatever their size or business, with both the right technology and the appropriate policies and data-handling practices. Simply put, organizations that let down their guards risk losing more than just the cost of the lost records, virus clean-up, or credit monitoring for the impacted customers.

Amy DeCarlo is principal analyst for security and data center services at Current Analysis Amy brings 17 years of IT industry experience to her position as Principal Analyst, Security and Data Center Services. Amy assesses the managed IT services sector, with an emphasis on security and data center solutions delivered through the cloud including on demand ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.