Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/30/2006
02:28 PM
50%
50%

Our Data Isn't Secure, So What Are We Going To Do About It?

One of the great things about my job is that there's never a shortage of things to do. This is especially the case when it comes to covering data security. Before the ink is dry on one story about a stolen laptop or breached database, I find another one to cover. But this troubling trend isn't just a case of "good-for-me-bad-for-you." I, too, have been ensnared in the web of identity theft and data breaches. Where is all this going, and what have we learned?

One of the great things about my job is that there's never a shortage of things to do. This is especially the case when it comes to covering data security. Before the ink is dry on one story about a stolen laptop or breached database, I find another one to cover. But this troubling trend isn't just a case of "good-for-me-bad-for-you." I, too, have been ensnared in the web of identity theft and data breaches. Where is all this going, and what have we learned?In my inaugural podcast, I speak with Ted Julian, VP of marketing for Application Security Inc., and Jon Oltsik, senior analyst for information security with IT analyst firm Enterprise Strategy Group, about the growing problem of data insecurity that really kicked into high gear with the October 2004 fraud committed against data broker ChoicePoint.

The guests on my podcast were very insightful into the problems that both the private and public sector face regarding data protection. Julian was a co-founder of network security provider Arbor Networks and has worked as an industry analyst for IDC and Forrester Research. Oltsik founded Enterprise Strategy's information security group in 2003.

In the few days since the podcast was completed, I had the misfortune of receiving a letter in the mail from a company with the dubious name of Medical Excess LLC. Although I had no idea such a company existed, it turns out Medical Excess works with my company's insurance carrier to provide "excess" insurance coverage for myself and my colleagues. I don't recall asking for this, but OK. Well, not OK. Medical Excess recently had a camera, two laptops, and a file server stolen from one of its offices that, as they phrased it, "might concern personal information about you." Apparently, my info was included in a database with the equivalent of "one hundred million typewritten pages," and I'm now being granted 12 months of free service that will alert me of any unusual financial activity.

As it turns out, Medical Excess is part of a company that goes by the oxymoronic name American International Group Inc. That's right, the very same AIG that my colleague Charles Babcock and I had the pleasure of writing about in the June 26 issue. AIG made news recently when it announced that information about 970,000 individuals was stolen (in MARCH!). Three months later, I and my colleagues at United Business Media, InformationWeek's parent company, were notified. Gee, thanks. I wonder who's been having fun with my personal information in the meantime.

Here we go again. It hasn't even been a year since I sorted out my last problem with ripped-off data and fraud. I think it's safe to say I've dropped any "couldn't happen to me" attitude I might have had. Problem is, I don't see things getting better. Data breaches, identity theft, and fraud have been around almost as long as human beings, but the pervasiveness of the Internet and the market for stolen data have grown such that these crimes now affect thousands, if not millions, of people at a time.

From the look of things, we'll continue to see more data lost or stolen at an alarming rate until companies and the government make it a priority to inventory and protect important data. Support for this will have to come from the top down within companies, since it's the people at the top who have the power to set policy and spend the money needed to improve the situation.

So check out my podcast this holiday weekend while you're grilling up the burgers and the hot dogs. Julian and Oltsik have some interesting things to say about the state of data insecurity and what you can do to protect your company. Have a safe and happy Fourth of July.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.