SUBSCRIBE NOW!

Vol. 22 No. 5 — May 2005

This separation of duties is one of the many policies and procedures that Decker and other security experts rely on to protect customer information. While security breaches in technology get the majority of the headlines, secure technology is only one part of the formula to protect customer information from getting into the wrong hands, according to Decker and other security experts.

“A lot of times companies start their [security plans] with the technology, but then they rely just on the technology,” Decker said. “Security plans need to include people, processes, and technology. People in the organization need to have the cultural mindset toward security.”

Indeed, technology wasn’t the culprit in the recent, well-publicized information database compromises at ChoicePoint, Bank of America, and a handful of universities.

Poor Policies Lead to Fraud

ChoicePoint reported that the personal information of 145,000 Americans may have been compromised in its breach, in which con men posing as businessmen looking to do background checks on their customers were given access to its credit information database. The company reported that about 750 of those people whose information was released were defrauded.

CEO Derek Smith and company president Douglas Curling earned $16.6 million from sales in ChoicePoint stock after the company learned of the breach and before it was made public. Soon after the ChoicePoint leak became public, Bank of America divulged that backup tapes containing the financial information of government employees were lost while being shipped to a data warehouse.

The Federal Trade Commission estimates that 10 million people were victims of identity theft in 2002, the most recent year for which it has data. According to Gartner, Inc., 9.4 million online U.S. adults were victimized between April 2003 and April 2004. The losses amounted to $11.7 billion.

Proper Database Protection

In spite of these breaches, there are a number of companies providing strong protection for their customer information systems.

Many firms are reticent to discuss their security policies and procedures because they don’t want to give potential hackers any advice. Others decline to discuss security issues, because they don’t want their companies to become targets. (Saying a company has strong security presents the type of challenge some hackers love.)

Yet Decker discussed some of EDS’s security procedures as well as what the company recommends to its clients, many of whom are financial institutions or health­care facilities with sensitive customer information. Most that are doing good jobs protecting customer information are following many of the same “best practice” precautions that security experts recommend for all companies.

In addition to the separation of security duties, the culture of the company may be one of the most important aspects in protecting sensitive information, according to Decker.

“Employees have to understand a company’s security policies and procedures, and they have to follow them,” Decker said. The security policies need to be enforced, even on seemingly trivial items, to ensure that bigger breaches are prevented. So someone who uses a badge to access a room, for example, shouldn’t hold the door open for someone behind him unless the second person has a proper badge as well. If someone needs a password to access certain parts of a company’s network (i.e., a customer information database), he shouldn’t be able to “sweet talk” an administrative assistant or other employee into giving him access to the information without the password.

Marc Strohlein, vice president of research firm Outsell, Inc., added that policies and procedures do little good if they’re not followed, and they won’t be followed if they aren’t enforced.

If security is going to be strictly enforced, then the company’s human resources department needs to have strong policies about handling security violations, said John Rostern, director of technology risk management for Jefferson Wells, a professional services firm.

Processes represent the next major layer of data information security, according to Decker. This means looking at how information flows from one point to another within and outside of the organization to determine any points of security weaknesses. This becomes more complex as companies add more wireless devices and extend their networks further outside the physical walls of the enterprise. This also means determining where technology can do the job by itself and where human intervention is needed. The company’s chief security officer is the head of EDS’s human intervention division.

Rostern added that companies need to have strict rules against allowing portable media, such as thumb drives and digital cameras, in any areas of the company where sensitive data can be accessed.

According to Decker, chief security officers typically start their days by checking the prior day’s monitoring information for the number of violations (outright attacks, mistyped passwords, etc.) that occurred while people attempted to sign into the network. The number of innocent violations, such as mistyped passwords, will stay within a certain range. So they’ll look for anything beyond the normal range, which may indicate increased security breach attempts.

By mid-morning, their attention will typically turn to national alerts, such as those from the CERT Coordination Center, located at the Software Engineering Institute, a federally funded research and development center that is operated by Carnegie Mellon University.

Technical Protections

Though human intervention and pro­cesses are necessary, the complexity of some network attacks require technology, not only to prevent the attacks, but also to track attempts. Such tracking helps company security officers and federal officials catch hackers, who typically attack several computer networks at once, not just a single company.

Intrusion prevention/detection technology should exist at various points along the network, according to Danny Johnston, president and CEO of Gladiator Technologies in Alphretta, Ga.

The first step is a firewall that only grants access to transmissions carrying the proper coding in order to protect against known hacker methodologies or known threats, many of which are attempts to get at database information.

The next step is to perform a deep packet inspection to look for Trojan horses, vi­ruses, worms, or other anomalies in the transmission’s bits and bytes. This can be carried out via a separate device behind the firewall, or it can be a feature of the firewall itself.

Behind the firewall and deep packet inspection should be security protocols on switches and routers, according to Johnston. These measures help protect against someone knowingly or unknowingly sending a data-compromising virus, worm, or Trojan horse from one computer within the network to another host computer or to the entire network. Johnston said that 70 percent of security breaches are from internal, rather than external, sources.

As company information continues to grow, it becomes more critical that it is not only monitored, but that there is also a way to store all of the network security information, including alerts, reports, activity logs, etc., added Jim Melvin, executive vice president of marketing and business development at Network Intelligence Corp.

The next step is to test the security system that an enterprise has in place. Several enterprises hire EDS, Gladiator, or another competing company to attempt to breach security. Some of the companies providing this “intrusion-attempt” service will also provide firewalls, security monitoring, or other products and services to protect databases. Decker and other security professionals recommend that enterprises buy intrusion-attempt and monitoring services from separate companies. Johnston also recommends that enterprises use services that attempt to breach internal as well as external security.

Strohlein recommends that enterprises use periodic “fire drills” to prepare for what they would do in the event of heightened attack attempts or actual security breaches. Such drills prior to Y2K helped some companies during the 9/11 terrorist attacks.

Regardless of what policies, procedures, and technologies a company has in place to protect its databases, security professionals agreed that securing this information is a constantly evolving task. Every time a company institutes a new policy, procedure, or technology, those trying to get at the data will try to find a way around it.

Consumer Protection Laws Get Stronger

The recent breaches of consumers’ “private” information have fueled consumer advocates’ calls for federal oversight of the loosely regulated data-brokering business.

In 2002, California’s state government was the first to adopt rules requiring that companies notify individuals if their personal data had been compromised. Now, others are following suit. The Georgia House of Representatives passed similar legislation in late March that would require companies to alert people whose personal information has been leaked or stolen.

Capitol Hill hearings are also expected on the issue, although none had been slated at the time of this writing.

Though not developed as a result of the recent data breaches, Sarbanes- Oxley and the Health Insurance Portability and Accountability Act (HIPAA) are other laws that help ensure that companies secure customer information. Sarbanes-Oxley requires that publicly traded companies track the dissemination of company information. HIPAA requires that holders of a person’s healthcare information follow very strict rules when sharing that data.

Beyond making technical improvements and instituting new policies and procedures, companies can also turn to the law to further protect their data, according to Joel Greenwald, a labor and employment lawyer at Joel Greenwald & Associates PC. He recommends that firms require employees, vendors, and business partners to sign confidentiality, non-compete, and similar legal agreements.

“Companies are beginning to audit customer, pricing, and marketing information,” said Greenwald. “If someone can’t steal one of your clients, then there is a lot less risk.”

Greenwald also recommends that companies classify this type of information as trade secrets, which means they don’t have to divulge some details to business partners and others with whom they share other company information.

EDS’s Eight Steps for Businesses Impacted by Identity Theft

1. Capture the information.

2. Establish the cause of the incident.

3. Evaluate the impact of the incident.

4. Protect customers’ identities.

5. Protect your company.

6. Update procedures, systems, and tools.

7. Initiate education.

8. Prepare for the next incident.