6 posts • joined Wednesday 21st October 2009 15:30 GMT
Orgs need to better understand sources of risk
Once again, UK data breach costs are rising, to an average of £71 per record. Data breaches can create catastrophic bad press and can have a painful impact on the bottom line. Coupled with the new powers of the Information Commissioner’s Office to fine companies in the UK upwards of £500,000 for each instance of a data protection failing, the final overall cost of a breach or loss could very quickly dwarf the £1.9 million revealed by this. The fact that policy failures accounted for the biggest proportion, 37%, indicates that while companies are heavily investing in intrusion prevention, they are not properly managing access by their own employees to critical data such as customer information or patient records. Organisations need to better understand where their greatest sources of risk reside as well as who is accessing sensitive data, how and why. It is the organisation’s responsibility to stringently manage policy and track activity to make sure that access to the most sensitive data is only granted to those for whom it is necessary to do their jobs.
Marc Lee, EMEA Sales Director, Courion
Virtual commodities need security as much as real commodities
The data breach at Zynga underlines the importance of a strong identity management system and clear policies for creating and protecting access credentials. Of particular concern in this instance was that the infiltrator was able to gain unfettered access by impersonating and using the credentials of a legitimate systems administrator.
Were it not for the fact the individual stole a considerable amount of valuable data, in the form of virtual poker chips, then got caught trying to sell the data for a fraction of its face value, this breach may never have been noticed. Clearly there is room for improvement in Zynga’s identity and access management (IAM) regime. Any company trading in highly valuable data and virtual commodities such as online credits must ensure their systems are as tightly secured as any other financial institution.
What a load of old Fannie
When a security incident of this nature occurs, we tend to file it away as an example of an ‘employee gone bad’. In reality, it constitutes a failure of the organisation to uphold its responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems.
It is also important to consider that in the case of Fannie Mae, this was not a direct employee, but rather a third-party contractor. Many companies treat non-employees (subcontractors, partners, customers etc) with different levels of trust compared to known and vetted direct employees. As such external parties are usually afforded differing levels of control and access as they are often more difficult to manage, sitting outside the traditional chain of company HR and administrative controls.
At a basic level, an organisation and its management has a financial responsibility as well as an administrative responsibility to ensure that access to critical information and applications is authorised and that it is continually monitored for all users, be they direct or indirect employees, to make sure the resulting activity is appropriate and permitted. The failure stems from the ‘perception of control’ an organisation has over their most sensitive networks, systems and devices.
Failure to control privileged identities and high-level access to systems has led to several instances of critical security failures in blue-chip companies in the past two years. In addition to the incident at Fannie Mae, the city of San Francisco was brought to its knees in 2008 because an employee locked down the city’s IT system through a privileged account. The former employee responsible for that, Terry Childs, was convicted and jailed for four years, but not before his actions cost San Francisco millions in lost productivity and court costs.
The conclusion of the Fannie Mae incident once again highlights the need for an integrated and managed view of what is appropriate user access and activity across the IT estate.
Companies must keep on top of all user accounts, not just current users
The data theft experienced by Shell illustrates the importance of access control and ensuring that only authorised users can access networks and the systems attached to them.
As with the TK Maxx/TJ Maxx data loss in 2007 and the Cotton Traders data loss in 2008, weak network access controls ultimately led to sensitive customer data being compromised. This latest incident could have been avoided by implementing and maintaining tight access controls and using strong authentication techniques.
Networks – both wired and wireless – must be as secure as current technology allows and inactive ‘zombie’ users should have their IT access deactivated, to avoid disgruntled former workers accessing systems, as well as reducing the number of entry points a criminal could use to gain access to back-office systems.
Protecting sensitive corporate and customer data means more than just having a good password policy. Limiting user access to just the applications and repositories they actually need is an important tool to combat unauthorised and malicious data access. By limiting user access privileges, a compromised login will pose less of a threat to the business and limit the damage to mission-critical systems.
Stuart Hodkinson, UK general manager for Courion
Data Breaches Happen Far Too Often
Companies need to have a strong access management strategy in place to protect all critical applications and data – especially customer databases – and further need to ensure that the access strategy and corporate policies are being adhered to across the business. Insider data breaches like these rear their ugly heads far too often, and it’s important for enterprises to ensure that they aren’t simply trusting their employees to do the right thing, but also utilising automated preventative and detective controls to keep everyone honest.
Stuart Hodkinson, General Manager, Courion
Paying the fine doesn't solve the problem
The FTC is obviously cracking down on organisations that fail to recognise the severity of consumer data breaches. It’s not enough simply knowing where sensitive information, like consumer data, is kept, but also who has access to it. As this incident clearly shows, automated access management policies and controls are vital to ensuring that only the right people are accessing data for the right reasons, and organisations are slowly learning that through these painful examples.
Stuart Hodkinson, UK General Manager, Courion