http://www.eweek.com/c/a/Security/Preparation-Key-to-Managing-Data-Breaches/
By Darryl K. Taft
eWEEK.com
2008-05-14
BALTIMORE - In this era of Internet connectivity, businesses must
prepare for what is becoming the almost-inevitable data breach,
according to a pair of chief privacy officers for major financial
institutions.
At the IntrusionWorld Conference and Expo co-located with the Web
Services Security & SOA Conference here May 13, Joel Tietz, chief
privacy officer at AXA Financial, and Michael Drobac, chief privacy
officer at Merrill Lynch, discussed the increasing risk and costs of
data breaches and how enterprises can better prevent and manage them.
Drobac exhorted every organization to have a plan in place for data
breaches. "Failing to plan is planning to fail," he said, noting that
data breaches have become almost inevitable in the connected era.
Drobac provided his own top 10 list of ways to prevent and manage a data
breach that could cost an organization time, money, productivity and
reputation.
No. 1 on Drobac's list is to enforce a "need to know policy," so that
only those who truly need to know certain information actually have
access to it. He also stressed a focus on access control, such as
role-based access control.
Other steps businesses need to take are monitoring for data leakage,
particularly in e-mail and peer-to-peer technology; keeping an eye on
all the various mobile devices being used by employees, such as thumb
drives, PDAs, phones and iPods; and strengthening authentication
protocols.
Drobac also said businesses need to maintain strong oversight of vendors,
examine data retention standards, ensure destruction policies are
adequate, build privacy and security into the software development
lifecycle and engage senior management in the overall process of
preventing and managing data breaches.
Drobac said the "low-hanging fruit" are encryption and data classification,
or providing different levels of security for different levels of data.
"But it's not all about encryption and data security," he said.
One of the first steps to managing a data breach is defining exactly
what constitutes a data breach for your organization, Drobac said. After
that, enterprises need to establish a centralized channel for reporting
breaches. The next step is to "identify your response team, including
the leader," he said. The response team should include the
organization's general counsel, media relations personnel, front office
sales, information security staff and fraud investigators, he said.
Once those steps have been taken, the enterprise should get the facts
about the data breach by using a forensics team, and then "conduct
immediate triage to prevent further damage, such as shutting down the
site; it might call for swift and hasty action," Drobac said.
"It may mean pulling down your gateway to your revenue stream," Tietz
said. That is why "you should make sure you have an escalation mechanism
to the highest levels of the company," Drobac said.
At this point, it is time to "involve PR [public relations], law
enforcement and regulators," about the data breach, Drobac said. "They'd
rather hear it from you than from the Wall Street Journal." The
organization also must provide notice to its customer or user bases, he
said.
Then the enterprise must "remediate and modify existing business
practices," he said.
Preparation is also key, they said. Enterprises should track events for
the root causes of breaches and constantly perform practice drills to be
prepared for breaches, Drobac said.
Tietz said typical data breaches involve stolen laptops, PDAs or thumb
drives, but also include network hacking, malware and lost backup tapes
among other things. "But the No. 1 form of data breach is Dumpster
diving," he said.
Tietz ran down statistics. There have been 230 million records of U.S.
residents exposed to security breaches since 2005, and $6.3 million is
the average cost per reported enterprise breach in 2007, up from $5
million in 2006, he said. In addition, 20 percent of consumers have
ended their relationship with a company after being notified of a
security breach. Indicating how important data security has become,
Tietz said nearly 40 percent of new security spending in 2007 was
directed toward protecting data, with the money shifted away from
network security expenditures.
Data breaches have touched on a number of companies, including Eli
Lilly, ChoicePoint, the U.S. Department of Veterans Affairs and TJX.
He said that in the commercial sector, 40 percent of data breaches are
due to stolen laptops, while errors accounted for 20 percent of breaches,
insider theft 15 percent, fraud 15 percent and hacking 10 to 15 percent.
In the university setting, hacking accounted for 45 percent of data
breaches, and laptop theft, insider access, errors and fraud each
accounted for between 10 and 15 percent, he said.
In a separate presentation here, Joe Gersch, vice president of
engineering at Secure64 Software, spoke of how to justify spending on
security. Gersch said enterprises need to quantify the benefits of
security by assessing the annualized loss expectancy, which is equal to
the single loss expectancy plus the annual rate of occurrence.
However, as a best practice, an enterprise should invest no more than 37
percent of the expected benefits of the security. "If you have an
expectation of losing $100,000 annually, you should not invest more than
$37,000" on security, Gersch said.
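An added example, not part of the eWEEK article, that carries Gersch's calculation through in Python: it computes the annualized loss expectancy per breach scenario, applies the 37 percent spending ceiling, and decides whether candidate controls are worth their annual cost. It assumes the standard risk-analysis definition ALE = SLE × ARO (the article's own wording differs); the scenarios, controls and dollar figures are constructed sample data, chosen so the total expected loss matches Gersch's $100,000.

```python
# Added example: ALE-based security spending decision with a 37% ceiling.
# Assumes ALE = SLE x ARO (standard definition). All sample data is constructed.
from dataclasses import dataclass

SPEND_CEILING = 0.37  # invest no more than 37% of the expected benefit


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: dollar cost of one occurrence
    aro: float  # annual rate of occurrence: expected occurrences per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: dict  # scenario name -> fraction of that ARO removed (0..1)


def ale(scenario):
    return scenario.sle * scenario.aro


def total_ale(scenarios):
    return sum(ale(s) for s in scenarios)


def max_spend(expected_loss):
    # Gersch's rule: expect to lose $100,000 a year, spend at most $37,000.
    return expected_loss * SPEND_CEILING


def expected_benefit(control, scenarios):
    # Annual loss avoided: the share of each scenario's ALE the control removes.
    return sum(ale(s) * control.aro_reduction.get(s.name, 0.0) for s in scenarios)


def evaluate(control, scenarios):
    benefit = expected_benefit(control, scenarios)
    ceiling = max_spend(benefit)
    return {"control": control.name, "benefit": round(benefit, 2),
            "ceiling": round(ceiling, 2), "justified": control.annual_cost <= ceiling}


SCENARIOS = [  # constructed sample data
    Scenario("stolen laptop", sle=50_000, aro=1.5),
    Scenario("lost backup tape", sle=200_000, aro=0.1),
    Scenario("dumpster diving", sle=10_000, aro=0.5),
]
CONTROLS = [  # constructed sample data
    Control("full-disk encryption", 25_000, {"stolen laptop": 0.9, "lost backup tape": 0.9}),
    Control("document shredding", 3_000, {"dumpster diving": 0.95}),
    Control("laptop tracking service", 40_000, {"stolen laptop": 0.3}),
]

if __name__ == "__main__":
    print("total ALE:", total_ale(SCENARIOS), "ceiling:", max_spend(total_ale(SCENARIOS)))
    for c in CONTROLS:
        print(evaluate(c, SCENARIOS))
```

With these figures only full-disk encryption clears the ceiling; the shredding service is cheap but still costs more than 37 percent of the loss it prevents.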
He noted that quantifying return on investment for security technology
is difficult. However, what Gersch referred to as "genuinely secure
systems" can be less costly and more attractive than conventional
security or building a security fortress, he said. Such a system "has a
secure operating system architecture that fully utilizes the hardware to
make applications immune to compromise from rootkits and malware and
resistant to network attacks," he said. They also can be less expensive
than conventional security.
Secure64's core technology is SourceT, a patent-pending, genuinely
secure micro operating system designed to make it and any applications
running on it immune from rootkits and malware, and resistant to network
attacks, Gersch said. Secure64 defines a genuinely secure OS as one with
a secure architecture that fully utilizes the hardware to make
applications immune to compromise, unlike a hardened OS, which is
typically manipulated to minimize exposure to its insecurities, he said.
As the technology continues to improve and emerge, "self-defending
networks, self-defending OSes, and self-defending services will start to
pay off," Gersch said.
Paul Lipton, a senior architect at CA, said autonomic computing, or
self-healing technology, should become a key part of securing
service-oriented environments.