CyberSecurity Institute

Security News Curated from across the world

Author: admini

Global Data Leakage Survey 2006

Posted on February 16, 2007 / December 30, 2021 by admini

The goal was to analyze all leaks of confidential or personal data, cases of employee sabotage or negligence, and any other breach of internal IS which had received at least one mention in the mass media during 2006. The survey is truly global since the analysis includes all internal violations regardless of the geographical location of the particular company or government structures affected by insider sabotage. Thus, all patterns and tendencies revealed in the survey can be equally applied to companies of all industries and countries. This survey is the first global project targeted at the study of breaches of internal IS. In 2004, the InfoWatch analytical center began keeping a database of breach occurrences. This database provided the initial information for the survey.

In addition to financial loss, a company’s reputation is ruined and hundreds of thousands of people face having their identities stolen.

On average, 785,000 people suffered from every leak of private information in 2006. Organizations which allow their employees to use mobile devices are in a high-risk group. The use of mobile devices led to information leaks in half of all breaches (50%); meanwhile, the Internet was used as a medium for leaks in only 12% of cases.

The main threat for a business is a lack of discipline among employees. Negligence led to the overwhelming majority of all leaks (77%) in 2006.

The sources of information leaks. A survey of 145 breaches of internal IS shows that information leaks have a global character.

One cannot point to any area of business or any particular geographical region where companies have rarely or never suffered from the activities of insiders. Small business and giant corporations, commercial organizations and governmental establishments all experienced cases of information leakage in 2006.

Insiders managed to jeopardize the security of such strong and well-protected structures as military and special services. Again, such cases involved mobile devices and the Internet. Often, as a result, top secret information became freely available on the Internet, or ended up in the hands of journalists or foreign states.

It is clear that private companies suffer from twice as many data leaks, cases of sabotage and other breaches as government structures. It often happens that the controlling body is responsible for a breach of internal IS. Thus, we have the problem of lack of control over the controller.

Meanwhile, some cases of information theft from government structures become public. This happens when it is simply impossible to hide the incident, or when it becomes necessary to make a public example of the offender. For instance, for many years the US government kept quiet about breaches of internal IS. But today, news about information leaks and gaps in security systems is commonplace. One of the latest cases reached the news when the US Tax Inspectorate announced in November 2006 that almost 500 laptops had been stolen over the preceding 4 years.

Commercial organizations, on the other hand, do not just experience a lot of data leaks, but also suffer from the huge losses they cause. The company’s reputation and brand image are significantly damaged by such leaks. This problem is as vital for government organizations. In a competitive market, customers can easily switch to a more reliable supplier, but one has no alternative but to engage with one’s own state and its governmental ministries. An example which immediately comes to mind in this regard is the information leak from the US Department of Veterans’ Affairs which occurred in May of that year. Whereas IS specialists may need time to identify such channels, insiders — in most cases — already know exactly what they need to do to steal data.

For instance, laptops with unencrypted data are quite often lost, despite the fact that company security policy requires all information on mobile computers be encrypted.

The biggest information leaks of the year. The five most notorious information leaks of 2006 (see table 1) make 2006 the year with the largest volume of information leaks in history. Burglars got into the house of an employee of the Nationwide Building Society and stole a laptop with the company’s clients’ personal information in unencrypted form.

http://www.viruslist.com/en/analysis?pubid=204791919

Modulo Intros Risk Manager

Posted on February 16, 2007 / December 30, 2021 by admini

azil excels in the area of information security, and is a world leader in IT risk management solutions.

http://www.darkreading.com/document.asp?doc_id=117646&f_src=darkreading_section_297

Tool Uncovers Inadvertent ‘Chatter’

Posted on February 16, 2007 / December 30, 2021 by admini

Data seepage — not to be confused with data leakage — is where seemingly innocuous data gets exposed by your chatty client applications over public WiFi connections, or even inside the enterprise network.

Robert Graham, Errata Security’s CEO, and David Maynor, its CTO, will use this Windows- and Linux-based tool to demonstrate just how much danger data seepage can pose, during their Black Hat presentation on March 1. If your users are working from an airport or Panera Bread WiFi connection, their machines are announcing themselves to anyone else on those machines, which makes your corporate network a target.

The Oracle client, for instance, will try to connect to its server if you have cached credentials on your laptop.

“And Apple is even more chatty than Windows.”

Next, Errata will develop a proof of concept showing how an attacker could set up a trojan server that could respond to the client’s requests, posing as an Oracle database, Web server, or a wireless access point, says Graham.

http://www.darkreading.com/document.asp?doc_id=117636&f_src=darkreading_section_296

Ensuring a Successful Partnership with Your MSSP

Posted on February 16, 2007 / December 30, 2021 by admini

Organizations that select an MSSP as a security partner should be prepared to integrate the MSSP’s people, processes, and technology with their own to effectively improve their security posture.

Ensuring the long-term success of a security partnership is based on four key areas of focus: trust, operational extension, service reviews, and parallel roadmaps.

Managed security service providers that have earned certification under a widely recognized standard such as BS7799 have demonstrated their expertise in establishing, implementing, and documenting effective information management systems. Another certification, the Statement of Auditing Standard No. 70 (SAS 70) Type II, also provides client organizations assurances regarding specific control objectives that the MSSP has designed to meet customers’ unique needs.

Many companies, particularly financial services and other highly regulated organizations, require credible proof that an MSSP has processes and controls in place to provide a consistent, stable, and secure environment to safely monitor and manage customer data throughout the organization.

This requires an MSSP to have the depth and breadth of expertise to meet an organization’s current security needs.

http://www.it-observer.com/articles/1306/ensuring_successful_partnership_with_your_mssp/

3G Card Secures Laptops

Posted on February 15, 2007 / December 30, 2021 by admini

But Dimitri Stiliadis, chief of architecture for Project Evros at Alcatel-Lucent Ventures, says the goal of the mobile project wasn’t just about the laptop theft epidemic. “It’s more about device management and remote control to handle the increasing population of laptops” in enterprises, he says. “It’s for patch management, backups, configuration managements, end-point security, and for [tracking and protecting] lost and stolen laptops.”

Still, Project Evros’ security features are the most compelling in this day of patch management woes and slippery laptops. “Project Evros does tackle a lot of the mobile security and device management issues that are plaguing enterprises that have a large mobile workforce,” says Sandra Palumbo, program manager for enterprise IT and communications services at The Yankee Group.

A thief would have to break the encryption algorithm and session key to get to the data, though.

The nonprofit Visiting Nurse Association of Northern N.J. will begin testing Project Evros cards sometime in the next week or so, says Michael Landsittel, manager of information technology for the association.

Project Evros is still only a prototype, and Alcatel-Lucent Ventures won’t give too much detail as of yet on its final product form, nor just how it will be distributed and marketed. But the plan is for release sometime this year, and the company also is considering this technology for PDA devices as well, says Alcatel-Lucent’s Skuler. The company is currently working with PatchLink to integrate with its patch management software, as well as with other patch management, backup, and configuration management application developers.

http://www.darkreading.com/document.asp?doc_id=117452&f_src=darkreading_section_296

Breach Insurance

Posted on February 15, 2007 / December 30, 2021 by admini

For an annual premium as low as $1,500 a year — or as high as several hundred thousand — enterprises can buy policies that will reimburse them in the event of unauthorized system access, stored data losses, customer privacy violations, cyber extortion, and cyber terrorism. Depending on the coverage, your company could receive reimbursements not only for downtime caused by a hack, but for lost business or legal settlements with complaining customers. If you work in a company that’s a high-risk target, and maintains shoddy security systems and practices, you can expect to pay a high premium for insurance.

A site like MySpace has to concern itself with liability costs associated with libel or other offenses that might be committed via the site.

There are many types of coverage — AIG’s NetAdvantage plan alone has 10 different offerings — but they can all be divided into “first party” or “third party” coverage, experts explain. “To get this type of coverage, you have to go through a broker,” Davis says.

http://www.darkreading.com/document.asp?doc_id=117536&f_src=darkreading_section_296
