Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/30/2006
02:28 PM
50%
50%

Our Data Isn't Secure, So What Are We Going To Do About It?

One of the great things about my job is that there's never a shortage of things to do. This is especially the case when it comes to covering data security. Before the ink is dry on one story about a stolen laptop or breached database, I find another one to cover. But this troubling trend isn't just a case of "good-for-me-bad-for-you." I, too, have been ensnared in the web of identity theft and data breaches. Where is all this going, and what have we learned?

One of the great things about my job is that there's never a shortage of things to do. This is especially the case when it comes to covering data security. Before the ink is dry on one story about a stolen laptop or breached database, I find another one to cover. But this troubling trend isn't just a case of "good-for-me-bad-for-you." I, too, have been ensnared in the web of identity theft and data breaches. Where is all this going, and what have we learned?In my inaugural podcast, I speak with Ted Julian, VP of marketing for Application Security Inc., and Jon Oltsik, senior analyst for information security with IT analyst firm Enterprise Strategy Group, about the growing problem of data insecurity that really kicked into high gear with the October 2004 fraud committed against data broker ChoicePoint.

The guests on my podcast were very insightful into the problems that both the private and public sector face regarding data protection. Julian was a co-founder of network security provider Arbor Networks and has worked as an industry analyst for IDC and Forrester Research. Oltsik founded Enterprise Strategy's information security group in 2003.

In the few days since the podcast was completed, I had the misfortune of receiving a letter in the mail from a company with the dubious name of Medical Excess LLC. Although I had no idea such a company existed, it turns out Medical Excess works with my company's insurance carrier to provide "excess" insurance coverage for myself and my colleagues. I don't recall asking for this, but OK. Well, not OK. Medical Excess recently had a camera, two laptops, and a file server stolen from one of its offices that, as they phrased it, "might concern personal information about you." Apparently, my info was included in a database with the equivalent of "one hundred million typewritten pages," and I'm now being granted 12 months of free service that will alert me of any unusual financial activity.

As it turns out, Medical Excess is part of a company that goes by the oxymoronic name American International Group Inc. That's right, the very same AIG that my colleague Charles Babcock and I had the pleasure of writing about in the June 26 issue. AIG made news recently when it announced that information about 970,000 individuals was stolen (in MARCH!). Three months later, I and my colleagues at United Business Media, InformationWeek's parent company, were notified. Gee, thanks. I wonder who's been having fun with my personal information in the meantime.

Here we go again. It hasn't even been a year since I sorted out my last problem with ripped-off data and fraud. I think it's safe to say I've dropped any "couldn't happen to me" attitude I might have had. Problem is, I don't see things getting better. Data breaches, identity theft, and fraud have been around almost as long as human beings, but the pervasiveness of the Internet and the market for stolen data have grown such that these crimes now affect thousands, if not millions, of people at a time.

From the look of things, we'll continue to see more data lost or stolen at an alarming rate until companies and the government make it a priority to inventory and protect important data. Support for this will have to come from the top down within companies, since it's the people at the top who have the power to set policy and spend the money needed to improve the situation.

So check out my podcast this holiday weekend while you're grilling up the burgers and the hot dogs. Julian and Oltsik have some interesting things to say about the state of data insecurity and what you can do to protect your company. Have a safe and happy Fourth of July.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...