[ISN] Handling Goofs Cause Many Data Leaks

From: InfoSec News (alerts@private)
Date: Sun Nov 04 2007 - 22:14:28 PST


http://www.eweek.com/article2/0,1895,2211531,00.asp

By Lisa Vaas
eWeek
November 2, 2007

A sizable chunk of business data is being lost electronically in simple 
misconfiguration mistakes.

Since January 2005, there have been 167.7 million records containing 
sensitive personal information exposed by security breaches, according 
to a running total kept by the Privacy Rights Clearinghouse.

The question is: how does this information get out there?

Loss or theft of a physical object forms by far the largest hole in data 
security. According to an analysis (PDF) done recently by David 
Litchfield of Next Generation Security Software, based in Surrey, 
England, 43 percent of records lost since Jan. 1 slipped out of 
organizations on paper, computers, laptops, disks or backup media.

Other researchers put the figure higher for records that were exposed 
due to lost or stolen computers or media; security expert Chris Walsh has 
analyzed New York data sets and puts the figure closer to 99 percent.

Either way, that's a lot of gear growing legs and walking off. But 
Litchfield, like other database security experts, is of course primarily 
concerned with electronic data breaches and how they can be stopped. And 
many electronic breaches can certainly be stopped, he maintains: He's 
found that since Jan. 1, the single largest contributing cause to 
electronic data breaches is not cyber-thievery or insider malice but 
simple goof-ups, that is, inadvertent exposure.

According to Litchfield, Word documents and spreadsheets mistakenly left 
on a Web server or indexed by a search engine account for 20.6 percent 
of the 276 breaches, both physical and digital, recorded up until Oct.
23 in 2007 by the Privacy Clearinghouse and by Attrition.org, a data 
security site run by volunteers.

"This means that a fifth of the breach problem could be solved if 
companies actively and regularly hunted out such relic documents 
themselves," Litchfield said in a Nov. 1 posting.
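The "hunt out such relic documents" remedy Litchfield describes is easy to automate on the server side. The script below is an added example, not code from the eWeek article, from Litchfield or from NGSSoftware: it walks a web server's document root and reports Word files and spreadsheets that the server would happily serve, identifying them both by extension and by the file signatures of the two common Office container formats (OLE2 compound documents for legacy .doc/.xls, ZIP containers for .docx/.xlsx), so a spreadsheet renamed to .bin is still caught. The directory layout it scans is constructed inside a temporary directory for the demonstration; on a real system you would point `scan_web_root` at the actual document root.

```python
"""
Added example (not from the article or from NGSSoftware): audit a web
document root for "relic" office documents left where they can be served.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Extensions of the document types the article singles out.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".csv"}

# File signatures: legacy Office files are OLE2 compound documents,
# Office Open XML files (.docx/.xlsx) are ZIP containers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


@dataclass
class Finding:
    path: str    # path relative to the document root, with "/" separators
    size: int    # size in bytes
    reason: str  # why the file was flagged


def classify(path: str) -> Optional[str]:
    """Return why a file looks like a relic document, or None if it does not."""
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return None
    # Signature check first: a renamed legacy document still has OLE2 magic.
    if head.startswith(OLE2_MAGIC):
        return "OLE2 compound document (legacy Word/Excel), extension %s" % (ext or "none")
    if head.startswith(ZIP_MAGIC) and ext in {".docx", ".xlsx"}:
        return "Office Open XML document (%s)" % ext
    # Fall back to extension for plain-text formats such as CSV exports.
    if ext in DOC_EXTENSIONS:
        return "document extension %s" % ext
    return None


def scan_web_root(root: str) -> List[Finding]:
    """Walk the document root and collect every file that classify() flags."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(Finding(rel, os.path.getsize(full), reason))
    findings.sort(key=lambda f: f.path)
    return findings


def build_sample_web_root(base: str) -> str:
    """Create a constructed document root: a few harmless web assets plus
    several relic documents, one of them renamed to hide its type."""
    layout = {
        "index.html": b"<html>hello</html>",
        "css/site.css": b"body{}",
        "uploads/customers_2006.xls": OLE2_MAGIC + b"\x00" * 64,
        "reports/q3.docx": ZIP_MAGIC + b"\x00" * 32,
        "backup/export.csv": b"name,account\n",
        "images/notes.bin": OLE2_MAGIC + b"\x00" * 16,  # legacy doc, renamed
    }
    for rel, data in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base


def demo() -> List[str]:
    """Scan the constructed root, print a report, return the flagged paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_web_root(tmp)
        findings = scan_web_root(tmp)
        for f in findings:
            print("%s: %s (%d bytes)" % (f.path, f.reason, f.size))
        return [f.path for f in findings]


if __name__ == "__main__":
    demo()
```

The scan only identifies document formats; it says nothing about whether a flagged file actually holds personal data, so each hit still needs a human look. Running it on a schedule and diffing the output against the previous run turns it into the "regular hunt" the posting calls for, and the same list is a useful cross-check against web server access logs to learn whether a relic was ever fetched before it was removed.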

Another thing to note, Litchfield said, is that while the number of 
security breaches tracked by groups like Privacy Clearinghouse is 
nothing to sneeze at, it also vastly underreports the true amount of 
data exposed in breaches.

"It seems many of the discoveries were made by well-meaning members of 
the public who found them by accident," Litchfield said in his posting.

"This indicates that the real number of breaches is considerably higher: 
Criminals, who we know are actively seeking out such information, aren't 
going to inform anyone about what they find. The same is true of 
breaches due to compromise; the number must be higher."





This archive was generated by hypermail 2.1.3 : Sun Nov 04 2007 - 22:26:00 PST