May 10 2014 05:48 PM | Stephen in Legacy Security Articles

Tags: security windows networking scanning
By Dr. Jim Kennedy, MRP, MBCI, CBRM, CHS-IV

It seems to me that almost every day I pick up some type of IT, Information Security, or Business Continuity magazine or journal and find that there is an article or headline story on the latest data breach. These breaches are not at mom-and-pop shops or small businesses; they are happening at major corporations and governmental organizations. The breaches involve millions of customer files, or thousands of medical records, or critical intellectual property that has either been taken for fraudulent use or simply lost, and no one in authority can account for its whereabouts.

California, along with many other states, requires companies to reveal data security breaches when they happen. The problem is that one survey found that as many as 10% of some 500 companies queried did not know if they had lost data due to laptop theft in the last year, and only 10% could indicate with some certainty that they had not. This is because many companies do not have a really good handle on what data they have and where it resides within their organization.

When a data loss or theft occurs, many innocent people enter the personal nightmare of finding that their credit or debit cards are being improperly used by someone in the US or abroad, or that their personal information is being misused. If they are debit card holders, they then have to take action to notify the companies in order to limit their personal financial liabilities. In other cases the companies themselves find that their competitive position is being compromised: critical information about customers, secret processes, or financial data is now being used against them by competing companies in the US or across the globe.

These companies will then spend hundreds of thousands or even millions of dollars to provide credit fraud and identity theft protection for each person compromised, while crafting a most apologetic communication for the press and public at large. These are monies that would have been better spent protecting information before an incident occurs.

There are two important factors that seem to be exacerbating the problem: 1) the increasing threat of data thefts and losses occurring from inside the organizations where the data resides, and 2) the increasing use and availability of portable USB memory sticks, external and flash drives.

What is most interesting to me is that today’s companies and government agencies have the technology to virtually eliminate the potential misuse of lost or stolen data. They know it exists. However, in a recent survey of both public and private sector organizations by a well-respected security organization, less than half of the respondents had utilized hardware or software technology to protect themselves and their constituents from the results of data loss or theft.

Simple data encryption technology would remedy the majority of the reported cases of lost or stolen data arising from such occurrences as:

· Lost laptop

· Lost backup tapes

· Data in transit being viewed from the network (Internet or intranet)

So if more organizations simply encrypted their data, a majority of the problems could be eliminated.

So why don’t they encrypt data? Many corporations are concerned that if they lost the keys to the encrypted data, the critical information could be lost forever. So in the grander scheme of things it is easier to pay for the loss than to develop better encryption key management and administration.

Software is available today, from numerous sources and at varying costs, that can protect against data theft when a laptop is lost or stolen. This software can be installed on a laptop and will automatically notify the laptop's owners as soon as it connects to the Internet. The laptop looks for any identifiable information, such as its IP address and other details about where the device is connected. That information is then transmitted once the laptop is connected via a wired or wireless network. Armed with this information (and with the aid of the proper authorities), administrators can track down the device and potentially recover it. The same software can also automatically encrypt or lock access to storage if the laptop has not connected to a recognizable network within a predefined period of time.

Another type of technology available today is software installed on computers that locks out the connection of mass storage devices to the computer's USB ports. When such a device is connected, an alert is sent immediately to a security e-mail location notifying administrators, and the port is then deactivated internally, thereby disallowing the taking of any information from the computing device unless the lockout is deactivated by a systems administrator with proper authority. This also prevents malware from being introduced into the computer.
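As an added illustration of the USB lockout control described above (this is not code from the article or from any product it refers to), the following PowerShell audit checks whether USB mass storage is blocked on a Windows host using Windows' own settings rather than third-party software. The function names are hypothetical; the script only reads state and leaves remediation as a comment.

```powershell
# Added example: read-only audit of the USB mass-storage control on a Windows host.
# Function names are hypothetical; the registry paths are standard Windows settings.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-UsbStorageControlState {
    # USBSTOR driver start type: 3 = load on demand (storage works), 4 = disabled.
    $start = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    # Group Policy "All Removable Storage classes: Deny all access" sets Deny_All = 1.
    $deny = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
    # USB disks attached right now (what an alerting product would report on).
    $disks = @(Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'")

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        UsbStorStart   = $start
        DriverDisabled = ($start -eq 4)
        PolicyDenyAll  = ($deny -eq 1)
        Blocked        = ($start -eq 4) -or ($deny -eq 1)
        AttachedDisks  = ($disks | ForEach-Object { $_.Model }) -join '; '
    }
}

$state = Get-UsbStorageControlState
$state | Format-List

if (-not $state.Blocked) {
    Write-Warning "USB mass storage is not blocked on $($state.ComputerName)."
    # Remediation (elevated prompt), disable the driver:
    #   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4
}
if ($state.AttachedDisks) {
    Write-Warning "USB disks currently attached: $($state.AttachedDisks)"
}
```

The driver setting covers only the USB mass-storage class, so run the audit across the fleet and treat any host reporting `Blocked = False` or a non-empty `AttachedDisks` as one to review.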

I realize that I have only provided information on a few types of technology available to protect against data loss and theft. However, my intent was to inform that there are ways to reduce and/or eliminate data loss and theft in many of the cases experienced over the last few years. The issue I want to impress upon the reader is one of due diligence. We as corporate or governmental IT security or business continuity experts need to make sure that our organizational leaders have the necessary information to make informed choices for the protection of critical and sensitive information. That information allows them to decide whether they want to pay now to implement adequate controls and safeguards to protect against risks, or pay later in reparations and lost confidence to those whose data we have been entrusted to protect and use.

The author
Dr. Jim Kennedy has a PhD in Technology and Operations Management and is the Business Continuity Services Practice lead and Principal Consultant for Alcatel-Lucent. Dr. Kennedy has over 30 years' experience in the information security, business continuity and disaster recovery fields and has been published nationally and internationally on those topics. He is the co-author of two books, ‘Blackbook of Corporate Security’ and ‘Disaster Recovery Planning: An Introduction’ and author of the e-book, ‘Business Continuity & Disaster Recovery – Conquering the Catastrophic’.