Dark Reading is part of the Informa Tech Division of Informa PLC

9/15/2011
01:47 PM
Data Breach Avoidance Requires Copy Cops?

A U.S. senator proposes more data breach regulation, but experts say IT should be thinking data control. As one CSO recently put it, "The problem is not securing a copy of the data; it's securing data against copying."

Securing information is impossible once it escapes, whether the data goes missing accidentally or intentionally.

Witness WikiLeaks, where the discussion didn't involve whether to publish more than 200,000 leaked government cables, but when. They're now circulating freely on peer-to-peer (P2P) networks. On the apparently accidental disclosure front, meanwhile, records for 20,000 Stanford Hospital & Clinics emergency room patients appeared in a spreadsheet uploaded to--of all places--a homework help website, where they remained for almost a year before being spotted. How many copies of that spreadsheet will ultimately surface on P2P networks remains unknown.

In the Stanford Hospital case, the breach was traced to a subsidiary of a billing vendor used by the hospital. Of course, information must flow between business partners. Accordingly, many healthcare organizations contractually require their business partners to secure shared data. Nevertheless, data breach laws keep the onus for protecting that data on the original data controller, not on whichever third party happened to hold the copy. In other words, outsourcing can't be an excuse for poor security.

That may be the law on the books, but without enforcement, no one is running scared. Many senior executives, watching the bottom line, likely see a better business case for spending less--not more--on security. (Though arguably, investing in security to prevent costly data breaches will pay handsomely in the long run.)

New legislation proposed by U.S. Senator Richard Blumenthal (D-Conn.)--the Personal Data Protection and Breach Accountability Act of 2011--could help. Notably, the bill would require any interstate business that stores information on 10,000 or more U.S. citizens to store personally identifiable information securely. The provisions also require logging and monitoring everyone who accesses that data. Businesses that failed to comply with the law could be sued by anyone whose personal information was compromised, to the tune of $10,000 per violation, per person, multiplied by every day the violation persisted, up to a maximum of $20 million.

"My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur, and by holding entities accountable when consumers' personally-identifiable information is compromised," Blumenthal said in a statement.

But security experts have questioned whether such a bill--if it were to pass--would solve today's data breach epidemic. "The underlying cause of data leakage is not that it's 'securely stored'; it's that it's duplicated into too many people's hands--people who proceed to copy it to a thumb drive or laptop, which is then lost," Marcus Ranum, CSO of Tenable Security, recently wrote in SANS Newsbites. "The problem is not securing a copy of the data; it's securing data against copying."

In the same forum, William Hugh Murray, an associate professor at the Naval Postgraduate School, agreed: "The pendulum needs to swing back in the direction of 'need to know' and 'least privilege.' For the same reasons that copying has become so easy, we really do not need it."

But how do you get tough on cut and paste? Classifying data to know what to restrict is both time-consuming and difficult. Modern notions of productivity--and approaches to IT--are predominantly based not on blocking people from accessing data, but delivering better and faster ways to share that information. Stories may abound of the NSA lunchroom, in which no one ever discusses their work, because no one knows who's authorized to know what. But that's life in locked-down land. Who wants to suffer that environment when revenue is the number-one priority?

One potential fix, practiced by some businesses that classify data, is putting senior managers in charge of sensitive information, such as regulated customer data, and firing them if they mess up. Of course, this often necessitates navigating political minefields, since data control equals power. Furthermore, corporate boards--historically weak on the concept of security, not to mention paying for it--would need to sharpen their security thinking. But with power should come responsibility.

Comments

MHUGHES086 (3/14/2012, 5:20:02 PM) re: Data Breach Avoidance Requires Copy Cops?
I know of a company that can prevent document data from being copied... WatchDox. Not just prevent it from being copied - but being forwarded, printed or edited dependent on permissions granted. Those permissions can be changed even after the document has left the control of your organization... Powerful stuff.