http://www.forbes.com/business/2007/07/10/computer-security-internal-biz-biztech-cx_ag_0710mcafee.html

By Andy Greenberg
Forbes.com
07.10.07

The data breach that occurred at Fidelity National Information Services last week was a security professional's nightmare. And not just because of the amount of raw consumer data spilled onto the black market. By that measure, the 2.3 million users' files that were leaked can't compare with the 45 million customers' account information lost by retailer T.J. Maxx (nyse: TJX) just last January.

In Fidelity's case, the volume of the theft was less troubling than the source: one of the company's own staff. After the breach, Fidelity revealed that the culprit was an employee at the payment processing company, one whose job granted him access to the company's database.

In fact, data breaches that come from internal issues aren't unusual. According to Attrition.org's Data Loss Database, 104 of the 327 data breaches last year started inside companies, not in the hands of hackers. And Martin Carmichael, chief security officer at McAfee Software (nyse: MFE), says that internal data breaches are more likely than external attacks to reveal key private information.

But how to protect servers when every employee is a potential data thief? Carmichael spoke with Forbes.com about Fidelity's data debacle, how that company and other breach victims can recover, and the problem of controlling employees' access to data without paralyzing their performance altogether.

Forbes.com: How should a company like Fidelity have protected itself from a data breach?

Martin Carmichael: When we look at Fidelity, it's a common situation: Companies are focusing on the perimeter between the company network and the external network. In the press you read cases about hackers and Trojans that come in from the outside and devastate companies. But if you look at the statistics, that's not where the biggest losses occur. More often they happen when an inside person takes assets or information. So many companies are focused on perimeter security, when they should be asking, "What does our infrastructure look like? What are we doing to assure compliance within the boundaries of our firewall?", looking at that internal structure as well as that external structure.

Is this problem of data loss from internal leaks a new threat?

Not at all.

Then why are companies primarily focused on the security perimeter?

There's this mindset that "the people we hire, we can have confidence in." That isn't the case. Statistics tell us that criminals are hired at companies every day, but there's this assumption of ethics and honor. We've built this mythos that people on the inside of companies are more trustworthy than those on the outside. On top of that, external hacks have been sensationalized. Inside jobs haven't gotten nearly as much visibility in the press.

So how can a company protect itself from internal data breaches?

Every internal station needs to be protected. Take a look at our antivirus or other prevention software: It runs on each individual platform, rather than in a firewall construct. Each individual computer or server within your internal network has to be evaluated for security individually. Creating a terrific perimeter isn't enough. The internals have to also be hardened and capable of withstanding attack from internal staff.

But at some point, don't you have to give your employees access to data they need to work?

Sure. But from a security standpoint, one of the things that we need to do more effectively is balance risk and productivity. We need to define characteristics about what is risked and gained in every security decision. Think about how software is designed. We should be thinking about the underlying characteristics of the software, not just fixing certain bugs. Take for example a piece of software that can change the background of your computer screen, like a Web browser. To do that, it has to run as a privileged entity with more access, and someone could use that to compromise your system. So how important is it to change your screen background? And what's the risk involved? Similarly, you have to ask what kind of controls you give to a database administrator and what kinds of access they have. In many companies, people get broad privileges in order to increase their functionality. And you can end up with a database administrator who has control over everything, with no controls on that administrator himself.

How should a business like Fidelity recover from a big data breach?

You need to have a recovery plan before something even occurs. How does the news get presented? What is the effect on the company's stock? How do you manage the interface with shareholders? What's the overall impact? Your public relations, your CIO and your CEO will all be involved, and each needs to know their role in a strategic plan. Above all, you have to maintain integrity with the customers. You have to tell them just how their data has been compromised, and give them clear steps that you and the customers will each take to address the issue. Then you can take a financial look at the business and assess how the breach, like any disaster, will affect the bottom line.

Aside from the business and the public relations angle, how do you recover from a security standpoint?

There's no one-size-fits-all answer. You have to look at the events and ask, "Was this anomalous? Could it have been prevented?" There has to be fault resolution. You need to really look at the underlying characteristics, and in most cases you can make specific changes. But often the temptation after a breach is to make security overwhelmingly burdensome. And in terms of the balance of risk and productivity, that's not the best solution either. Risk is never zero.
This archive was generated by hypermail 2.1.3 : Tue Jul 10 2007 - 22:23:09 PDT