http://www.eweek.com/article2/0,1895,2211531,00.asp By Lisa Vaas eWeek November 2, 2007 A sizable chunk of business data is being lost electronically in simple misconfiguration mistakes. Since January 2005, there have been 167.7 million records containing sensitive personal information exposed by security breaches, according to a running total kept by the Privacy Rights Clearinghouse. The question is, How does this information get out there? Loss or theft of a physical object forms by far the largest hole in data security. According to an analysis (PDF) done recently by David Litchfield of Next Generation Security Software, based in Surrey, England, 43 percent of records lost since Jan. 1 slipped out of organizations on paper, computers, laptops, disks or backup media. Other researchers put the figure higher for records that were exposed due to lost or stolen computers or mediasecurity expert Chris Walsh has analyzed New York data sets and puts the figure closer to 99 percent. Either way, that's a lot of gear growing legs and walking off. But Litchfield, like other database security experts, is of course primarily concerned with electronic data breaches and how they can be stopped. And many electronic breaches can certainly be stopped, he maintains: He's found that since Jan. 1, the single largest contributing cause to electronic data breaches is not cyber-thievery or insider malice but simple goof-ups, that is, inadvertent exposure. According to Litchfield, Word documents and spreadsheets mistakenly left on a Web server or indexed by a search engine account for 20.6 percent of the 276 breaches, both physical and digital, recorded up until Oct. 23 in 2007 by the Privacy Clearinghouse and by Attrition.org, a data security site run by volunteers. "This means that a fifth of the breach problem could be solved if companies actively and regularly hunted out such relic documents themselves," Litchfield said in a Nov. 1 posting. Another thing to note, Litchfield said, is that while the number of security breaches tracked by groups like Privacy Clearinghouse is nothing to sneeze at, it also vastly underreports the true amount of data exposed in breaches. "It seems many of the discoveries were made by well-meaning members of the public who found them by accident," Litchfield said in his posting. "This indicates that the real number of breaches is considerably higher: Criminals, who we know are actively seeking out such information, aren't going to inform anyone about what they find. The same is true of breaches due to compromisethe number must be higher." __________________________________________________________________ CSI 2007 is the only conference that delivers a business-focused overview of enterprise security. It will convene 1,500+ delegates, 80 exhibitors and features 100+ sessions/seminars providing a roadmap for integrating policies and procedures with new tools and techniques. Register now for savings on conference fees and/or free exhibits admission. - www.csiannual.com
This archive was generated by hypermail 2.1.3 : Sun Nov 04 2007 - 22:26:00 PST