Security’s weakest links

It’s been a lousy year for computer security, but there’s still time to learn from the mistakes of others

Not a month has gone by in 2005 without a far-reaching computer security breach making the nightly news hour. Headliners compelled to walk the plank of shame include Bank of America — the nation’s second-largest bank — Ameritrade, Polo Ralph Lauren, and LexisNexis.

Going, going, gone are the days when gross security breaches can be shielded from public scrutiny. The California Security Breach Information Act, for example, requires state agencies and businesses that collect personal information from Californians to promptly disclose certain security lapses or face severe penalties. Is it out of bounds to call it a sad state of affairs when politicians have to move in to protect what sterling IT outfits can’t seem to stay on top of?

How quickly the situation improves will depend largely on how much IT can watch and learn from the mistakes of others. In the spirit of minimizing your company’s risk and sparing you the awkwardness of pulling executives aside to darken their day, here are a few of the nastier moments in this year’s computer security journal, and expert advice on what you have to do to get a better night’s sleep.

Encrypt your data for backup
At press time neither Bank of America nor Ameritrade could account for data backup tapes that recently went missing while being shipped to data storage-and-recovery facilities.

Bank of America fessed up that tapes containing customer and account information of nearly 1.2 million federal workers went missing in February. “A small number of computer data tapes were lost during shipment to a backup datacenter” via commercial airliner, a bank spokeswoman said. She added that there was no evidence the tapes have been misused and that the tapes are presumed lost. Bank officials would not say whether the data on the tapes was encrypted. Interestingly, the California data security law exempts companies from having to notify customers of a data loss if the data lost is encrypted.

Ameritrade had a similar tale to tell in April. The company informed more than 200,000 clients nationwide that their private account information was on four data backup tapes missing from a box damaged during shipment between two secure facilities in Salt Lake City. Officials there likewise said they have no indication that client information was compromised by thieves. They did, however, divulge that the data on the tapes was not encrypted, but said that it was compressed and would be difficult to extract.

Security experts are at no loss to step in with some simple advice: Encrypt your data when backing it up.

Mark Loveless, a senior security analyst at BindView, a provider of IT security and directory management software, has questions about the missing Bank of America tapes. “Was the information encrypted? The answer is ‘probably not,’ because most backup tapes are not encrypted.” A recent survey by Enterprise Strategy Group bears out his assertion: A staggering 60 percent of storage professionals said they never encrypt backup tapes; only 7 percent said they do so routinely; the rest said they do so occasionally or don’t know one way or the other.

“If you encrypt your data ... you are making it much more difficult for someone to take advantage of that data,” Loveless says. 

Encryption is not hassle-free, Loveless notes, but organizations that build encryption into their security plan will see benefits. “It’s a very good habit to get into,” Loveless says.

There’s no shortage of companies working to make encryption easier when storing files, among them NeoScale and Decru. Both make appliances that encrypt data before it reaches the storage medium.

“Encryption is one obvious solution” to the Bank of America and Ameritrade incidents, says Dore Rosenblum, vice president of marketing at NeoScale. “If the data had been encrypted, we probably wouldn’t even know about it.”

Frank Slootman, CEO of Data Domain, a disk backup company that also builds storage appliances, thinks the entire backup process should be re-engineered. “Companies should begin looking at replacing tape storage, compressing and encrypting the data, and sending it on the network,” he says. “Companies should get out of the business of making and handling tapes and then shipping them to different facilities…. The technology is there to reduce the risk of lost or stolen tapes to a minimum,” he says.

Lock down physical security
In March the University of California, Berkeley, notified more than 98,000 graduate students and applicants that their names, Social Security numbers, and other personal information fell into the wrong hands when a laptop was stolen from a “restricted area” of the graduate division offices. Not long after that incident, a San Jose, Calif., medical group reported the theft of two computers that contained confidential medical information on about 185,000 people.

Ken Dunham, director of malicious code at iDefense, a security intelligence firm, asserts that keeping a grip on physical security has become much more difficult with the growth of mobile computing, adding that “the number of laptops left in taxis and airports is very high.”

According to BindView’s Loveless, thieves are most likely to steal computers for resale value. “Laptops are so powerful these days that they bring a good price and they’re easier to carry than a DVD player.”

Jim Stickley knows all about computer theft. To him, notebooks are child’s play. “I’ve carried entire servers out the front door,” he says. Stickley is not a computer thief; in fact, he is co-founder and CTO of Trace Security, a security software and consulting firm.

Companies hire Trace Security to perform vulnerability audits, using guise and subterfuge to gain access to banks and company offices.

“Once you are inside a facility, once you get past the front line, the security seems to fall apart. Once you get inside, you are just as trusted as any employee,” Stickley says.

Much of that lack of security can be chalked up to changes in the working environment in the past decade, Stickley says. “There are so many new employees and temporary employees in companies that it is very easy to get into an office and have free rein.”

To prevent thefts similar to those at the University of California, Stickley recommends strict monitoring of everyone who enters and leaves a building. “Chaperone [guests]. If people come in pairs, don’t let them split up. If they complain, just say it’s corporate policy,” Stickley says.

For laptops that contain sensitive data, a tracking device such as an RFID tag should be affixed to the device’s hard drive, vendors say.

Bill Hancock, chief security officer at Savvis, an IT services provider, is an ardent advocate of tagging mobile computers. “I see a lot of laptops, and most of them don’t have any type of identification on them. So if they do get lost, how are they going to get back to the owner?” The investment in some tags for laptops is a quick and relatively cheap security measure, Hancock says.

Shore up password security
LexisNexis, a top-tier content aggregator, fell prey to a more invisible, malevolent threat. In March, company officials went public about an internal review of data-search activity, which revealed that passwords issued to Seisint customers were used to steal Social Security numbers, driver’s license numbers, names, and addresses of some 30,000 customers. A short time later, officials upped the number to 280,000 clients whose personal information may have been compromised. Ultimately, LexisNexis said its databases had been fraudulently breached 59 times using stolen passwords.

Massive datacenters such as those maintained by LexisNexis are a favored target of hackers because the information provides potential combinations to financial vaults elsewhere, BindView’s Loveless says. “As someone who breached companies like this in my youth, I know it can be done.” He says it’s likely the hackers found passwords that hadn’t been purged from the system.

LexisNexis concedes that its problems were indeed aggravated by customers’ ex-employees who maintained access to the service using passwords no one bothered to cancel.

Savvis’s Hancock cites an unacceptable breakdown in password protection and authentication policies. “Companies have a process that works up to a point, but then it breaks down because of human error,” he says. Automation, he asserts, can avert such mishaps.

Trace Security’s Stickley says his job is secure as long as he can walk into a building, “wait for the lunch hour and ... round up a bunch of passwords from sticky notes on desks.” The remedies, of course, are simpler in theory than in practice: Be sure no one keeps passwords in plain sight, and automate the password-revocation process for ex-employees with blinding speed.
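
The automated revocation urged above can be run as a periodic reconciliation of issued logins against each customer's current staff roster. The following is an added example, not part of the original article; the roster, account records, field names, and 90-day idle threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): a customer's current staff
# roster and the logins the service has issued to that customer.
ROSTER = {"e1001", "e1002"}
ACCOUNTS = [
    {"login": "jdoe", "employee_id": "e1001", "last_login": date(2005, 5, 20), "enabled": True},
    {"login": "asmith", "employee_id": "e1003", "last_login": date(2005, 5, 28), "enabled": True},
    {"login": "bwong", "employee_id": "e1002", "last_login": date(2005, 1, 10), "enabled": True},
    {"login": "shared-desk", "employee_id": None, "last_login": date(2005, 5, 30), "enabled": True},
    {"login": "oldtemp", "employee_id": "e0990", "last_login": None, "enabled": False},
]


def accounts_to_revoke(accounts, roster, today, max_idle_days=90):
    """Return {login: reason} for every enabled account that should be disabled."""
    cutoff = today - timedelta(days=max_idle_days)
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, nothing to do
        owner, last = acct["employee_id"], acct["last_login"]
        if owner is None:
            # Shared or unattributed logins cannot be tied to a departure.
            findings[acct["login"]] = "no owner on record"
        elif owner not in roster:
            # The ex-employee case: still active, owner has left.
            findings[acct["login"]] = "owner no longer on roster"
        elif last is None or last < cutoff:
            findings[acct["login"]] = "dormant"
    return findings


def revoke(accounts, findings):
    """Disable the flagged accounts in place and return their logins, sorted."""
    for acct in accounts:
        if acct["login"] in findings:
            acct["enabled"] = False
    return sorted(findings)


if __name__ == "__main__":
    flagged = accounts_to_revoke(ACCOUNTS, ROSTER, today=date(2005, 6, 1))
    for login, reason in sorted(flagged.items()):
        print(f"{login}: {reason}")
    print("disabled:", revoke(ACCOUNTS, flagged))
```

Run on a schedule against the live roster, a check like this removes the dependence on someone remembering to cancel a password when an employee leaves.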

Ravi Ganesan, founder and CEO at TriCipher, an authentication system provider, sees three vulnerable areas within the enterprise infrastructure. “Someone can steal identity data from the user’s PC, in the middle between the users and the genuine Web site, and in the back-end infrastructure. All three points will always be the subject of attacks,” Ganesan says.

Ganesan recommends that companies use hardened passwords, thereby ensuring that a user’s password travels first to the SSL-protected Web server, where the authentication occurs in conjunction with an identity appliance. The plus here is the ease with which these passwords can typically be used with existing identity management products, directories, or stand-alone systems.

In addition to hardened passwords, Ganesan urges IT to reassess its policies regarding encryption, authentication, privilege management systems, hardened OSes, honest employees, and so on. “We need all of the above and more.”

iDefense’s Dunham agrees that a stringent security mind-set on the part of top management goes a long way toward preventing situations similar to the one at LexisNexis. “There is no magic bullet for security. It’s complicated, but it’s all about lowering risk from a managerial perspective. Once CEOs realize that they are at risk for violating laws, losing consumer confidence, getting involved in costly litigation, a drop in stock price — suddenly security is not a soft cost anymore. It’s the cost of doing business,” Dunham says.

Limit data lifecycles and retention
Is your enterprise retaining data that is no longer useful and just sits around as a liability waiting to happen?

The security breach at fashion outlet Polo Ralph Lauren in April involved the company’s credit card processing or point-of-sale system. Polo apparently kept too much of the credit card data and kept it longer than required, leaving the information open to hacking. Polo has had no indication of illegal access to the information, according to the company.

The Polo incident shines a light on data life cycle management, BindView’s Loveless says. “With data retention you have to ask, ‘How long do I retain it,’ and with this kind of data you really don’t want to keep it around for no reason at all. It becomes a liability,” Loveless says.

“Dead-in-place storage” is how Savvis’ Hancock sums up Polo’s problem.

Trace Security’s Stickley may be speaking off the cuff when he says, “No one has ever created a patch for human stupidity,” but let’s keep an eye on the news. After all, there’s no substitute for experience, bad or otherwise.

Copyright © 2005 IDG Communications, Inc.