Dark Reading is part of the Informa Tech Division of Informa PLC

Risk

5/12/2014 12:00 PM

Into The Breach: The Limits Of Data Security Technology

When it comes to cyberdefense spending, the smart money should bet on people and compliance as much as on machines.

The relentless assault on American business by cyberthieves has at least two groups spotting a silver lining: entrepreneurs developing new security technologies, and the smart-money folks backing them.

A Wall Street Journal commentary reported recently that investors injected $1.4 billion into cyber security over the past two years, birthing innovative systems that traditional anti-virus software and other passive safeguards can’t duplicate.

Companies now have access to new cyberdefense tools deploying shadow networks, virtualization, emulation technology, and other advanced methodologies. But those who deal with data breaches on a regular basis will tell you that technology can only go so far in protecting an organization from intrusion, given the countless human links in the chain of responsibility. To be truly prepared, businesses need to commit to upgrading culture as well as hardware and software. That includes moving away from blind reliance on embedded technology, and doing a better job of managing the unique and changing risks across the enterprise.

A breach is stressful and expensive and only gets worse as word of the attack spreads to employees, customers, shareholders, competitors, and regulators. Today’s hackers -- many with global networks and substantial financial resources -- have proven remarkably deft at getting around cyber security. To be properly on alert (as well as compliant with federal and state privacy laws), companies need to conduct periodic cyberrisk assessments, prepare risk management protocols, and educate employees about best practices for safekeeping sensitive information. A business that doesn’t fully understand its risks can’t know which new security system to acquire, or who should be charged with overseeing its privacy function.

Many security breaches are actually the result of low-tech missteps such as improper disposal of sensitive data. In 2009 and 2010, pharmacy chains Rite Aid and CVS were subject to enforcement actions by the Federal Trade Commission when investigations uncovered job applications and prescription labels in publicly accessible dumpsters. In a similar action against American United Mortgage, the FTC found personal loan documents in a dumpster, violating the Gramm-Leach-Bliley Disposal and Safeguards Rule. No big-data program would have saved those companies had identity thieves simply scoured their trash.

Every industry is rushing to elevate standards for storing and disposing of personal information, and for responding to data theft. Chief among those is healthcare, which has seen numerous examples of leaked or stolen patient data. In 2009, a breach notification requirement was added to HIPAA rules governing healthcare providers, requiring them to create internal education programs to raise privacy awareness. Where previously hospitals voluntarily notified patients, now in most circumstances patients must be informed of any data spillage.

Any consumer-facing business is subject to investigations from state attorneys general and the FTC. Financial institutions -- from banks and insurance companies to investment advisors -- must follow practices set forth under Gramm-Leach-Bliley. Universities and schools are governed by the Family Educational Rights & Privacy Act, protecting the privacy of student records. Most states now have their own comprehensive privacy laws.

There are numerous steps businesses can take when introducing new products and services, such as reviewing company software that defaults to storing more data than is required, reviewing web applications for vulnerabilities, and eliminating default passwords that are easily compromised.

Criminals will likely find new ways to circumvent even the smartest systems. Companies should continue their investment in automated tools but mustn’t lose sight of the importance of building a strong culture of compliance that focuses on understanding enterprise-wide risks and devising strategies for limiting them.

The FTC remains the primary national regulator of privacy and data security; its settlement agreements and consent decrees are advancing a common law of privacy jurisprudence and also promote codification of best practices. In a statement marking its 50th Data Security Settlement, the Commission noted that the touchstone of its approach is reasonable security practices by companies, with a focus on compliance and education.

The FTC offers the following principles for implementing reasonable data protection measures:

  • Identify what consumer information is collected and which employees or third parties have access to it. Knowing how information moves in and out of an organization is critical to assessing security weaknesses.
  • Eliminate needless data storage and unnecessary risk by limiting information collected and retained to legitimate business needs.
  • Implement strong employee training and oversight of all service providers.
  • Properly dispose of information no longer needed; require vendors to do the same.
  • Have a clear plan in place to respond to security incidents.

Corporations have a legal responsibility to demonstrate data security. The law in this area is unsettled and involves different standards, making it difficult to predict liability. Best practices include raising the level of employee awareness around Internet use, data security, and disposal procedures, and being mindful that unwarranted use of employee or customer information affects every aspect of a company’s business. When it comes to shoring up cyberdefenses, the smart money should bet on people and practices as much as on machines.

Ted Kobus focuses his practice in the areas of privacy, data security, and intellectual property. He advises clients, trade groups, and organizations regarding data security and privacy risks, including compliance, developing breach response strategies, defense of regulatory ...

Comments
Jeffrub1
User Rank: Apprentice
5/16/2014 | 9:42:36 AM
What about thumb drives?
Another really easy-to-use and easy-to-lose item is the ubiquitous thumb drive. These unencrypted sticks are often used on a BYOD basis and contain absolutely no encryption or security of any type, yet they can now be loaded with remarkably large volumes of sensitive data and are often outside the control (or awareness) of the company. Security training should clearly include removable media, and some technology should probably also be used to protect the company. Blocking USB ports on corporate laptops is a start, as could be the use of specialized software which encrypts the "corporate side" of the drive and then requires passwords or Internet-enabled authentication to reopen the files.

Tkobus
User Rank: Apprentice
5/13/2014 | 1:54:45 PM
Re: Prevent yourself
Just don't carry the encryption key in your laptop bag and don't tape it onto the laptop!

SaraJ828
User Rank: Apprentice
5/13/2014 | 11:50:51 AM
Prevent yourself
One of the common causes of losing data is laptop or mobile theft. I lost two laptops in a year and unfortunately lost data with them too. Since then I have moved towards encryption. I use Data Protecto to encrypt my files and then share them or upload them to clouds. This way I am able to keep my data, and the best part is I don't have to worry about carrying a laptop anywhere.

Marilyn Cohodas
User Rank: Strategist
5/13/2014 | 11:49:50 AM
Re: Defining the culture of compliance
Simple, low-tech suggestions, but I can see how they would be effective. Especially the anonymous post-it notes! Thanks, Ted.

Tkobus
User Rank: Apprentice
5/13/2014 | 11:37:56 AM
Re: Defining the culture of compliance
We see good examples of this at healthcare organizations. I have one client who utilizes post-it notes that can be used by employees to warn other employees that they may be violating policies by leaving protected health information exposed. They refer to the post-its as HIPAA hot spots. They allow employees to heighten awareness around common mistakes without fear of retribution. We also see companies hanging posters about privacy issues or including compliance tidbits in routine newsletters circulated within a company.

Tkobus
User Rank: Apprentice
5/13/2014 | 11:33:48 AM
Re: security solution
Education and security awareness around properly handling mobile devices is critical. However, even the most careful person can misplace a device. Therefore, encryption should at least be considered as additional protection and if there are reasons encryption is not a viable option, those reasons should be documented.

BobH088
User Rank: Apprentice
5/13/2014 | 10:45:07 AM
security solution
One of the most common causes of data getting into the wrong hands is the loss of mobile devices that often contain a frightening amount of private information. I want to share a protection option that worked for me. Tracer tags (mystufflostandfound.com) let someone who finds your lost stuff contact you directly without exposing your private information. I use them on almost everything I take when I travel, like my phone, passport and luggage, after one of the tags was responsible for getting my lost laptop returned to me in Rome one time.

Marilyn Cohodas
User Rank: Strategist
5/12/2014 | 3:02:59 PM
Defining the culture of compliance
Ted & Pamela, 

You raise many interesting points and also some difficult questions. I've read many articles that call for the creation of a culture of compliance. But can you give us an example of an organization that has actually succeeded at doing that?