http://www.networkworld.com/news/2006/051506-ge-security.html By Bob Brown NetworkWorld.com 05/15/06 When it comes to putting data and identity thieves in their place, Peter Costa says there's no room for being Mr. Nice Guy. "Have a public hanging - they have to know you'll go after them," says Costa, who heads up enterprise security at GE Consumer Finance - Americas. Companies need to be "fanatical about prosecution," he says. Costa outlined his views (which he stressed are not all necessarily those of GE as well) for dealing with data and identity theft during a presentation at last week's CIO Forum (more from the conference [1]). The unique annual conference brings together IT suppliers and potential buyers on a cruise ship sailing out of New York City. GE will actually call the parole board when a thief's hearing is coming up to discourage the person's release, Costa says. Before prosecution, GE will wrap up a case as tightly as it can to ensure that law enforcement takes identity and data theft seriously. "You've got to make it easy, you've got to make a point," he says. Costa maintains that there hasn't been an explosion of data theft of late, but rather, we're just hearing about it now as a result of laws that require companies to fess up when their data systems have been breached. Nevertheless, data and identify theft are huge problems that companies need to address by assessing risks and reducing them, he says. The first thing companies need to recognize, Costa says, is that theft or loss takes place in two primary ways: via intentional schemes, such as phishing or even dumpster diving, and unintentional means, such as a tape falling off a truck or a laptop being left behind at an airport. Data is at high risk in the former example, while it is at low risk of being comprised in the latter, he says. "You have to have two different strategies to attack these two types of problems," Costa says. Assessing the risk For starters, companies should figure out which information they hold is most important to them. Examples might be an employee's Social Security number, direct deposit account numbers and passwords. Information relating to partners and customers also needs to be examined. "Now comes the hard part. You have to say: Where does it exist?" Costa says. "You'll be amazed when you start peeling the onion back… You need to understand where the physical borders are, where the electronic borders are and where all that data is going back and forth." The next step is looking at high-level risks, which Costa lists as forced entries, such as hacking; interception of transmissions, including "snail mail" and faxes; and the insider threat. On the insider threat, he suggests companies should take a very hard look at their human resources groups, where low-level people can have access to lots of sensitive employee data. "We're far too trusting of insiders," Costa says. Companies also need to examine how they think people might steal data. Underestimated are techniques such as people just walking into supposedly secure areas of a building on the tails of others, Costa says. Companies tend to spend more energy protecting themselves against new or sensational risks (He relates this to people fearing sharks more than pigs even though the farm animals kill more people yearly. "There's no 'Jaws' about pigs. There's no 'Snout.'") Process management tools can help companies get organized in addressing much of this, but companies also need to bring in a wide cross-section of people, from IT to HR to business process owners, Costa says. Reducing the risk The most important step is getting rid of sensitive data that you don't need at your company. "I'm shocked and amazed at how many organizations still use Social Security numbers for employee numbers," Costa says. "It means you're putting your Social Security number everywhere." Companies should also consolidate high-risk vendors, such as marketing or mail firms and institute a layered but uncomplicated security system that includes access controls through identity management, Costa says. Encryption is key, too. "Encryption is important here not [just] because it lets you protect the data, but [also because] it allows you to say, 'We lost the backup tape but it's encrypted so there's no damage' - even though some states will still require you to make an announcement about it," he says. The best thing to come out of all the attention brought to this issue of late is that companies are addressing problems more quickly, which greatly lessens the threat of damage, Costa says. [1] http://www.networkworld.com/news/2006/051206-cio-forum-biometrics-grid-voip.html _________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 29 - August 3 2,500+ international security experts from 40 nations, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue May 16 2006 - 02:15:08 PDT