
Attacks/Breaches

9/15/2011
01:47 PM

Data Breach Avoidance Requires Copy Cops?

A U.S. senator proposes more data breach regulation, but experts say IT should be thinking data control. As one CSO recently put it, "The problem is not securing a copy of the data; it's securing data against copying."

Securing information is impossible once it escapes, whether the data goes missing accidentally or intentionally.

Witness WikiLeaks, where the discussion didn't involve whether to publish more than 200,000 leaked government cables, but when. They're now circulating freely on peer-to-peer (P2P) networks. On the apparently accidental disclosure front, meanwhile, records for 20,000 Stanford Hospital & Clinics emergency room patients appeared in a spreadsheet uploaded to--of all places--a homework help website, where they remained for almost a year before being spotted. How many copies of that spreadsheet will ultimately surface on P2P networks remains unknown.

In the Stanford Hospital case, the breach was traced to a subsidiary of a billing vendor used by the hospital. Of course, information must flow between business partners. Accordingly, many healthcare organizations contractually require their business partners to secure shared data. Nevertheless, data breach laws keep the onus for protecting that data on the original data controller. In other words, outsourcing can't be an excuse for poor security.

That may be the law on the books, but without enforcement, no one is running scared. Many senior executives, watching the bottom line, likely see a better business case for spending less--not more--on security. (Though arguably, investing in security to prevent costly data breaches will pay handsomely in the long run.)

New legislation proposed by U.S. Senator Richard Blumenthal (D-Conn.)--the Personal Data Protection and Breach Accountability Act of 2011--could help. Notably, the bill would require any interstate business that stores information on 10,000 or more U.S. citizens to store personally identifiable information securely. The provisions also require logging and monitoring everyone who accesses that data. Businesses that failed to comply with the law could be sued by anyone whose personal information was compromised, to the tune of $10,000 per violation, per person, multiplied by every day the violation persisted, up to a maximum of $20 million.

"My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur, and by holding entities accountable when consumers' personally-identifiable information is compromised," Blumenthal said in a statement.

But security experts have questioned whether such a bill--if it were to pass--would solve today's data breach epidemic. "The underlying cause of data leakage is not that it's 'securely stored,' it's that it's duplicated into too many people's hands--people who proceed to copy it to a thumb drive or laptop, which is then lost," Marcus Ranum, CSO of Tenable Security, recently wrote in SANS Newsbites. "The problem is not securing a copy of the data; it's securing data against copying."

In the same forum, William Hugh Murray, an associate professor at the Naval Postgraduate School, agreed: "The pendulum needs to swing back in the direction of 'need to know' and 'least privilege.' For the same reasons that copying has become so easy, we really do not need it."

But how do you get tough on cut and paste? Classifying data to know what to restrict is both time-consuming and difficult. Modern notions of productivity--and approaches to IT--are predominantly based not on blocking people from accessing data, but delivering better and faster ways to share that information. Stories may abound of the NSA lunchroom, in which no one ever discusses their work, because no one knows who's authorized to know what. But that's life in locked-down land. Who wants to suffer that environment when revenue is the number-one priority?

One potential fix, practiced by some businesses that classify data, is putting senior managers in charge of sensitive information, such as regulated customer data, and firing them if they mess up. Of course, this often necessitates navigating political minefields, since data control equals power. Furthermore, corporate boards--historically weak on the concept of security, not to mention paying for it--would need to sharpen their security thinking. But with power should come responsibility.


Comments
MHUGHES086, User Rank: Apprentice, 3/14/2012 | 5:20:02 PM
re: Data Breach Avoidance Requires Copy Cops?

I know of a company that can prevent document data from being copied... WatchDox. Not just prevent it from being copied, but being forwarded, printed or edited, dependent on permissions granted. Those permissions can be changed even after the document has left the control of your organization... Powerful stuff.