Privacy is a hot button issue. Companies scramble to protect it, criminals scramble to violate it, and consumers panic over it. Protection comes in various shapes and designs. It comes in the form of policy, software, hardware, government law, and last but not least, humans. Are all these protections and solutions working?
Does the human factor mean the end of security? Maybe, maybe not. Humans! You are the weakest link! Goodbye! (Image: J. Anderson)
After a few emails, TechHerald recently had the chance to speak to various experts on the topic of IT security and privacy. The conversations covered trends, recent events and the future of security. What was surprising is that while each expert had a different approach, most agreed that IT security is solid if implemented properly, but there is plenty of room to grow.
The first person to respond to The Herald’s request for comment was Eric Wolbrom, CEO and owner of a privacy-focused company, aptly named Information Survival. Eric is also the co-owner of KeepYouSafe.com, another privacy-based company. Next was Mark Bower, Director of Information Protection Solutions for Voltage Security, and finally Dr. Taher Elgamal, Chief Technology Officer of Tumbleweed Communications Corp. (The name is familiar because he is recognized as the inventor of SSL.)
Without pushing one company over the other, each of the three experts offered The Tech Herald very frank opinions and ideas on security. The first topic was IT security overall. Security is fickle: as an IT admin, if you over-secure your network you restrict workflow and employees; under-secure it and you place the company, its employees, and its customers at risk.
There are two recent examples of privacy violations involving the loss of personal data. The first is TJX, and the second is Hannaford. Last year, TJX reported that data from 45.7 million credit and debit cards was stolen, over a period of 18 months, by hackers who hijacked an insecure wireless network. In terms of personal information, such as Social Security numbers and driver's license numbers, TJX said that it lost personal information for 451,000 people. The total number of cards cited as affected in court, later denied by TJX, was close to 94 million.
Parallel to the TJX issue is Hannaford, which just this month said that 4.2 million customer accounts containing credit and debit card information were compromised. Like TJX, Hannaford knew about the network breach long before it reported it. The outcome was the same: personal privacy was breached as the result of a breakdown in IT security at some level.
“It’s time to make security both a company and a personal priority,” Wolbrom said. He then used an old example with me, one that many IT people have heard before. You know, the old “Why would someone want to hack my computer?”
“We need to get people to realize that if their computer is insecure they are putting others at risk as well. The corporate world needs to spend time and money on education! People are our weakest links and they have to be made to care and be involved. I think this would go a long way in taking care of many security issues,” Wolbrom adds.
Security, as mentioned, is fickle. It is also multi-layered. There is hardware security, software security, physical security, and, as Eric Wolbrom mentioned, personal security. People are truly the weakest link at some points. It was a person working for the US State Department who chose to violate the privacy of all three US presidential candidates by accessing their passport information.
Speaking on the topic of the passport issue, all three experts had something to say. “It was reported that this particular data leak was detected after the fact; obviously, by then it’s too late to do anything about it. Also, casual curiosity should not ever constitute a case for being able to access the data,” Mark Bower said. “The most common problem today is that sensitive information is not being protected at the data level, and persistently. Simply put, the very data itself needs to be protected, and all the time—as it’s collected, while it’s in the database, while being accessed and used by applications, while stored.”
“The contractors they hired got curious and got fired... That is the way it is supposed to be, but I go back to what I was saying earlier; it comes down to educating people,” added Wolbrom.
The breach at the US State Department, while disappointing, did prove that some part of the system worked. The technical side of the system did issue alerts for the unauthorized access. However, the human aspect failed miserably.
So what about the technical aspect: what should companies be thinking about when planning for security? “Organizations seeking to ensure data security for their own sensitive files should do three things. First, organizations should start by truly understanding what data is important, what is even more critical, and what is absolutely sensitive,” Dr. Elgamal said. Once that is established, they should then, “…deploy the data security technologies that grant access only to users who absolutely need to access sensitive information. Lastly, organizations must always provide the appropriate training for users so they understand how to work with sensitive data,” he adds.
Dr. Elgamal, an expert in information security himself, focuses on the data exactly as one expects any security manager to do. The problem is that, while there are many methods to secure things, serious security often takes place after the fact. “It is, perhaps unfortunately, normal that security measures are only deployed after a sequence of bad events have happened. The technical community expected and still expects that more security breaches will continue to happen until the appropriate technologies and awareness programs are fully deployed to mitigate the risk of data breaches,” he says.
Is there an underlying pattern to the data thefts? Are we, as an IT community, seeing the beginning of a trend? As recently as this week, there are more reports of lost data. On Monday, the NIH (National Institutes of Health) issued a statement confirming that a laptop with patient information was stolen out of the trunk of a locked car. The positive side of this loss of hardware is that no personal information, such as names or Social Security numbers, was lost.
“The laptop contained no additional medical information on participants beyond the MRI reports and no additional information such as social security numbers, addresses, phone numbers, or any financial information,” Elizabeth G. Nabel, M.D., said in a statement. “Although the laptop was turned off and password protected, so that retrieving the confidential information would require considerable computer sophistication, the NHLBI recognizes that such information should not have been stored in an unencrypted form on a laptop computer.”
So is this a trend? “The truth is that this has been a problem since the dawn of the IT age,” Mark Bower said. “However, with data breach disclosures mandated by law, organizations must take action and comply. [In addition,] there’s the more sinister dimension that personal information has a dollar value on the street, so it’s now a target. So, whilst accidental breaches continue to occur, there is also the rising trend of specific attacks on systems to extract valuable personal content.”
Almost mirroring Dr. Elgamal, Mark goes on to explain some of the hardcore technology that is available to help secure data. There have been breakthroughs in cryptographic technology, with specific solutions designed for protecting information in the back room. “The solutions protect data throughout its lifecycle right back to the data field itself in a data centric fashion; and, more importantly, these new ways of protecting data can be deployed extremely quickly… So, these days, these problems are finally solvable, even for environments containing legacy systems and aging but still valuable data.”
Security isn’t easy, nor should it be, for that matter; nothing worth anything ever is. The human aspect of security is ultimately what has to change. Until the human aspect of security is controlled somewhat, all the money and technology in the world will not save a network breached by an attacker who was given access simply by asking for it.
Already, people in the security field are recognizing the human element and working to strengthen its weaknesses. Winn Schwartau, a well-known author and speaker, founded a non-profit in 2006 that aims to do just this. SCIPP International was formed to develop and maintain the SCIPP Generally Accepted Practices (SCIPP GAP), a common body of knowledge of security awareness best practices, and to expand the role and influence of security awareness training and certificate programs for end-users.
“Studies have shown that up to 60 percent of all computer security breaches stem from basic user errors, more than any other single factor,” said Schwartau. “We formed SCIPP to gather security awareness best practices in a single repository and incorporate them into educational and certificate services for end users and their organizations.”
Let’s just hope that, instead of new hardware or new twists on the same marketing spin, 2008 is the year of user training in IT security.