For laptops that contain sensitive data, a tracking device such as an RFID tag should be adhered to the device’s hard drive, vendors say.
Bill Hancock, chief security officer at Savvis, an IT services provider, is an ardent advocate of tagging mobile computers. “I see a lot of laptops, and most of them don’t have any type of identification on them. So if they do get lost, how are they going to get back to the owner?” The investment in some tags for laptops is a quick and relatively cheap security measure, Hancock says.
Shore up password security
LexisNexis, a top-tier content aggregator, fell prey to a more invisible, malevolent threat. In March, company officials went public about an internal review of data-search activity, which revealed that passwords issued to Seisint customers had been used to steal Social Security numbers, driver’s license numbers, names, and addresses of some 30,000 customers. A short time later, officials raised the number to 280,000 clients whose personal information may have been compromised. Ultimately, LexisNexis said its databases had been fraudulently breached 59 times using stolen passwords.
Massive datacenters such as those maintained by LexisNexis are a favored target of hackers because the information provides potential combinations to financial vaults elsewhere, BindView’s Loveless says. “As someone who breached companies like this in my youth, I know it can be done.” He says it’s likely the hackers found passwords that hadn’t been purged from the system.
LexisNexis concedes that its problems were indeed aggravated by customers’ ex-employees who retained access to the service using passwords no one had bothered to cancel.
Savvis’s Hancock cites an unacceptable breakdown in password protection and authentication policies. “Companies have a process that works up to a point, but then it breaks down because of human error,” he says. Automation, he asserts, can avert such mishaps.
TraceSecurity’s Stickley says his job is secure as long as he can walk into a building, “wait for the lunch hour and ... round up a bunch of passwords from sticky notes on desks.” The remedies, of course, are simpler in theory than in practice: Be sure no one keeps passwords in plain sight, and automate the password-revocation process for ex-employees with blinding speed.
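The revocation problem described above (passwords never purged after the user left, and stolen credentials that keep being used) is the kind of check that can be automated. The following is an added example, not code from the article or from any vendor quoted in it; the record format, usernames, organizations and dates are constructed for illustration:

```python
"""Stale-credential reconciliation (added example, constructed data).

Reconciles an active-credential list against an offboarding roster and a
last-use threshold, and returns the credentials that should be revoked.
A credential used after its owner's departure date is the signal the
article's internal review found: a stale password still in active use.
"""
from datetime import date, timedelta

# Constructed sample: active credentials issued to customer staff.
ACTIVE_CREDENTIALS = [
    {"user": "jdoe", "org": "acme-insurance", "last_used": date(2005, 3, 1)},
    {"user": "asmith", "org": "acme-insurance", "last_used": date(2004, 6, 12)},
    {"user": "bnguyen", "org": "metro-collections", "last_used": date(2005, 2, 20)},
    {"user": "temp-contractor", "org": "metro-collections", "last_used": date(2004, 1, 5)},
]

# Constructed sample: customers' offboarding feed (who left, and when).
OFFBOARDED = [
    {"user": "asmith", "org": "acme-insurance", "left": date(2004, 6, 30)},
    {"user": "bnguyen", "org": "metro-collections", "left": date(2005, 2, 10)},
]


def stale_credentials(active, offboarded, today, max_idle_days=90):
    """Return (user, org, reason) for every credential that should be revoked.

    Three independent triggers, so a missing HR record does not leave an
    unused credential alive forever:
      - "used-after-departure": activity after the owner's departure date
      - "offboarded": the owner appears in the departure feed for that org
      - "idle": no use within max_idle_days
    """
    departed = {(r["user"], r["org"]): r["left"] for r in offboarded}
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for cred in active:
        key = (cred["user"], cred["org"])
        if key in departed and cred["last_used"] > departed[key]:
            findings.append((*key, "used-after-departure"))
        elif key in departed:
            findings.append((*key, "offboarded"))
        elif cred["last_used"] < cutoff:
            findings.append((*key, "idle"))
    return findings


if __name__ == "__main__":
    for user, org, reason in stale_credentials(ACTIVE_CREDENTIALS, OFFBOARDED, date(2005, 3, 15)):
        print(f"revoke {user}@{org}: {reason}")
```

In a real deployment the two input lists would come from the authentication system's audit log and the customer's HR feed; the "used-after-departure" findings are the ones to escalate as possible compromise rather than routine cleanup.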
Ravi Ganesan, founder and CEO at TriCipher, an authentication system provider, sees three vulnerable areas within the enterprise infrastructure. “Someone can steal identity data from the user’s PC, in the middle between the users and the genuine Web site, and in the back-end infrastructure. All three points will always be the subject of attacks,” Ganesan says.
Ganesan recommends that companies use hardened passwords, under which a user’s password travels first to the SSL-protected Web server, where authentication occurs in conjunction with an identity appliance. The advantage, he says, is the ease with which these passwords can typically be used with existing identity management products, directories, or stand-alone systems.
In addition to hardened passwords, Ganesan urges IT to reassess its policies regarding encryption, authentication, privilege management systems, hardened OSes, honest employees, and so on. “We need all of the above and more.”