[ISN] Preparation Key to Managing Data Breaches

From: InfoSec News (alerts@private)
Date: Mon May 19 2008 - 00:06:26 PDT


By Darryl K. Taft

BALTIMORE - In this era of Internet connectivity, businesses must 
prepare for what is becoming the almost-inevitable data breach, 
according to a pair of chief privacy officers for major financial 

At the IntrusionWorld Conference and Expo co-located with the Web 
Services Security & SOA Conference here May 13, Joel Tietz, chief 
privacy officer at AXA Financial, and Michael Drobac, chief privacy 
officer at Merrill Lynch, discussed the increasing risk and costs of 
data breaches and how enterprises can better prevent and manage them.

Drobac exhorted every organization to have a plan in place for data 
breaches. "Failing to plan is planning to fail," he said, noting that 
data breaches have become almost inevitable in the connected era.

Drobac provided his own top 10 list of ways to prevent and manage a data 
breach that could cost an organization time, money, productivity and 

No. 1 on Drobac's list is to enforce a "need to know policy," so that 
only those who truly need to know certain information actually have 
access to it. He also stressed a focus on access control, such as 
role-based access control.

Other steps businesses need to make is monitoring for data leakage - 
particularly in e-mail and peer-to-peer technology - keeping an eye on 
all the various mobile devices being used by employees, such as thumb 
drives, PDAs, phones and iPods, and strengthening authentication 

Drobac also said businesses need strong oversight of vendors, examine 
data retention standards, ensure destruction policies are adequate, 
build privacy and security into the software development lifecycle and 
engage senior management in the overall process of preventing and 
managing data breaches.

Drobac said the "low-hanging fruit" are encryption data classification 
or providing different levels of security for different levels of data. 
"But it's not all about encryption and data security," he said.

One of the first steps to managing a data breach is defining exactly 
what constitutes a data breach for your organization, Drobac said. After 
that, enterprises need to establish a centralized channel for reporting 
breaches. The next step is to "identify your response team, including 
the leader," he said. The response team should include the 
organization's general counsel, media relations personnel, front office 
sales, information security staff and fraud investigators, he said.

Once those steps have been taken, the enterprise should get the facts 
about the data breach by using a forensics team, and then "conduct 
immediate triage to prevent further damage, such as shutting down the 
site; it might call for swift and hasty action," Drobac said.

"It may mean pulling down your gateway to your revenue stream," Tietz 
said. That is why "you should make sure you have an escalation mechanism 
to the highest levels of the company," Drobac said.

At this point, it is time to "involve PR [public relations], law 
enforcement and regulators," about the data breach, Drobac said. "They'd 
rather hear it from you than from the Wall Street Journal." The 
organization also must provide notice to its customer or user bases, he 

Then the enterprise must "remediate and modify existing business 
practices," he said.

Preparation is also key, they said. Enterprise should track events for 
root causes of breaches and constantly perform practice drills to be 
prepared for breaches, Drobac said.

Tietz said typical data breaches involve stolen laptops, PDAs or thumb 
drives, but also include network hacking, malware and lost backup tapes 
among other things. "But the No. 1 form of data breach is Dumpster 
diving," he said.

Tietz ran down statistics. There have been 230 million records of U.S. 
residents exposed to security breaches since 2005, and $6.3 million is 
the average cost per reported enterprise breach in 2007, up from $5 
million in 2006, he said. In addition, 20 percent of consumers have 
ended their relationship with a company after being notified of a 
security breach. Indicating how important data security has become, 
Tietz said nearly 40 percent of new security spending in 2007 was 
directed toward protecting data by reducing the network security 

Data breaches have touched on a number of companies, including Eli 
Lilly, ChoicePoint, the U.S. Department of Veterans Affairs and TJX.

He said in the commercial sector, 40 percent of data breaches is through 
stealing laptops, while errors accounted for 20 percent of breaches, 
insider theft 15 percent, fraud 15 percent and hacking 10 to 15 percent. 
In the university setting, hacking accounted for 45 percent of data 
breaches, and laptop theft, insider access, errors and fraud all 
accounted for 10 and 15 percent each, he said.

In a separate presentation here, Joe Gersch, vice president of 
engineering at Secure64 Software, spoke of how to justify spending on 
security. Gersch said enterprises need to quantify the benefits of 
security by assessing the annualized loss expectancy, which is equal to 
the single loss expectancy plus the annual rate of occurrence.

However, as a best practice, an enterprise should invest no more than 37 
percent of the expected benefits of the security. "If you have an 
expectation of losing $100,000 annually, you should not invest more than 
$37,000" on security, Gersch said.

He noted that quantifying return on investment for security technology 
is difficult. However, what Gersch referred to as "genuinely secure 
systems" can be less costly and more attractive than conventional 
security or building a security fortress, he said. Such a system "has a 
secure operating system architecture that fully utilizes the hardware to 
make applications immune to compromise from rootkits and malware and 
resistant to network attacks," he said. They also can be less expensive 
than conventional security.

Secure64's core technology is SourceT, a patent-pending, genuinely 
secure micro operating system designed to make it and any applications 
running on it immune from rootkits and malware, and resistant to network 
attacks, Gersch said. Secure64 defines a genuinely secure OS as one with 
a secure architecture that fully utilizes the hardware to make 
applications immune to compromise, unlike a hardened OS, which is 
typically manipulated to minimize exposure to its insecurities, he said.

As the technology continues to improve and emerge, "self-defending 
networks, self-defending OSes, and self-defending services will start to 
pay off," Gersch said.

Paul Lipton, a senior architect at CA, said autonomic computing - or 
self-healing-technology should become a key part of securing 
service-oriented environments.

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Mon May 19 2008 - 00:11:39 PDT