[ISN] When Data Goes Missing: Will You Even Know?

From: InfoSec News (isn@private)
Date: Tue Jan 24 2006 - 22:33:49 PST


Advice by Jack Gold
JANUARY 23, 2006

Recent reports of company-compiled personal data gone missing (such as
Marriott losing many thousands of vacation club records), while
clearly important, is really just the tip of the iceberg. What
customers really need to ask of companies is, What other data has been
lost? And in all likelihood, there is absolutely no way for the
companies to know. The truth of the matter is, reported cases of
massive data loss are just the ones they know about. And this problem
will only grow with the proliferation of tiny personal mass-storage
devices of dramatically increasing capacity.

How many people currently own flash memory drives? Tens of millions.  
And how many companies control the use of flash drives? You can count
them on one hand. I travel a lot, and on a recent trek through airport
security, I found a flash drive that had fallen under the security
table. This lost drive had no distinguishing characteristics -- no
labels to tell me who owned it or where he worked. With some time to
kill before my flight, I decided to see if I could track down the
owner. I had to invade the owner's privacy to see what I could
discover from the content of the files. Turns out the files contained
fairly innocuous content -- some project plans and a short PowerPoint
in draft form -- but no way to identify the owner. (As a result of
this experience, I have put a small .txt file on my devices with my
name and address, and I figure an address label on the outside can't
hurt either.)

Why is this an issue? Well, for starters, the storage capacity of
these devices is growing at the "silicon curve" rate. Within the next
two to three years, instead of the 500MB or 1GB drives commonly
available today, you'll be able to purchase for about the same money a
stick-like drive of 10GB or greater capacity. What if an employee
decided to download a customer database to one of these devices (say,
to transfer the data to another machine) and then proceeded to lose
it? Is the data protected from loss? Probably not, even though there
are many devices now available that include encryption capability
(which is rarely used). And what if a competitor picks it up?

The potential to lose data on portable devices is a massive hole in
most companies' security plans. The laws being passed in a number of
states that require data loss to be reported to affected consumers
work only if the company actually discovers the loss. With more and
more employees using flash drives, smart phones with Secure Digital
memory cards, portable hard drives, etc., the likelihood of companies
actually knowing about all instances of data loss is declining
rapidly. And as a result, the possibility of companies breaking laws,
whether for data-loss disclosure or regulatory compliance, is growing
dramatically. Most companies attempting to come to terms with this
problem are still aiming at technologies that are at least 10 years
old (e.g., loss of data backup tapes), when an even greater potential
mechanism for loss is increasingly appearing in their organizations
with virtually no control and no disclosure, nor for that matter
internal discovery.

So what should companies do? Certainly I wouldn't suggest eliminating
external memory devices, since they provide real benefit to many
users. But companies must take steps, starting with user education on
what is and is not appropriate use. Further, companies should track
sensitive data with trails of user access. Finally, companies should
employ techniques that can discover when devices are connected and by
whom, and make sure such devices have protection enabled (or better
yet, provide users who need them enterprise-class, protection-enhanced
storage devices).

It is highly likely that within the next year, we will see at least
one publicized major case of unencrypted data loss from a portable
device. Afterward, a lot of companies will ban such devices. But it
would be better for them to formulate a proactive strategy now.  
Educate users, and deploy technology that will prevent data loss even
if portable devices are lost. Educated users will be more aware of the
ramifications of losing the valuable data that has become so easy to
carry around.

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Tue Jan 24 2006 - 22:48:02 PST