Much of that lack of security can be chalked up to changes in the working environment in the past decade, Stickley says. “There
are so many new employees and temporary employees in companies that it is very easy to get into an office and have free rein.”
To prevent thefts similar to those at the University of California, Stickley recommends strict monitoring of everyone who
enters and leaves a building. “Chaperone [guests]. If people come in pairs, don’t let them split up. If they complain, just
say it’s corporate policy,” Stickley says.
For laptops that contain sensitive data, a tracking device such as an RFID tag should be adhered to the device’s hard drive,
vendors say.
Bill Hancock, chief security officer at Savvis, an IT services provider, is an ardent advocate of tagging mobile computers.
“I see a lot of laptops, and most of them don’t have any type of identification on them. So if they do get lost, how are they
going to get back to the owner?” The investment in some tags for laptops is a quick and relatively cheap security measure,
Hancock says.
Shore up password security
LexisNexis, a top-tier content aggregator, fell prey to a more invisible, malevolent threat. In March, company officials went
public about an internal review of data-search activity, which revealed that passwords issued to Seisint customers were used
to steal Social Security numbers, driver’s license numbers, names, and addresses of some 30,000 customers. A short time later,
officials upped the number to 280,000 clients whose personal information may have been compromised. Ultimately, LexisNexis
said its databases had been fraudulently breached 59 times using stolen passwords.
Massive datacenters such as those maintained by LexisNexis are a favored target of hackers because the information provides
potential combinations to financial vaults elsewhere, BindView’s Loveless says. “As someone who breached companies like this
in my youth, I know it can be done.” He says it’s likely the hackers found passwords that hadn’t been purged from the system.
LexisNexis concedes that its problems were indeed aggravated by customers’ ex-employees who maintained access to the service
using passwords no one bothered to cancel.
Savvis’s Hancock cites an unacceptable breakdown in password protection and authentication policies. “Companies have a process
that works up to a point, but then it breaks down because of human error,” he says. Automation, he asserts, can avert such
mishaps.