• Home
• Articles Archive
• Features List

• Media Pack
• Contact Us
• Subscribe

THE THIEVES INSIDE THE GATES

From STORAGE Magazine Vol 7, Issue 3 - May 2007

Data theft is on the rise and, while it is not directly concerned with storage, it is alarming enough for this magazine to report on some of the more recent incidents

Having the most comprehensive storage solution to manage your data is to little avail, if that data is vulnerable to theft - the new 'invisible' crime that is spreading its tentacles into more and more business operations.

The fact that this felony is 'faceless' makes it extremely appealing to those criminals with the technical know-how to exploit its many possibilities. "Long gone are the days of over-the-counter theft, with virtually all 'bank robberies' now being committed over the internet or telephone, using data and information stolen from elsewhere," says UK Information Security.

The degree to which the UK has been affected by data theft can be seen from the number of high-profile companies that have succumbed of late. Last year, there were rich pickings to be had. Security vendor McAfee, for example, saw a CD containing sensitive data on current and former employees go missing while in the hands of an external auditor. Then back-up specialist Iron Mountain lost tapes that contained employee data concerning one of its customers. And a number of laptops were stolen from LogicaCMG, this time home to employee data on Metropolitan Police force staff.

Meanwhile, in the US, there has been a stream of high-profile incidents, such as the massive theft of credit and debit card data from discount fashion chain T.K. MAXX. The store's American owner, retail group TJX, has revealed that the information from around 45.7 million credit and debit cards was stolen after hackers tapped in to the company's data, making this the biggest security breach in the world and one that took place across an 18-month period.

Clearly, the appropriate levels of security are still not in place within many organisations when it comes to protecting data.

Proprietary information and intellectual property are two of the main targets when it comes to the theft of highly sensitive data. Customer lists, research and development, financial data and personal information are all highly lucrative and, more importantly, very private. With this information in hand, data theft criminals can adopt new identities or use this to their own financial benefit.

Data theft is alarmingly easy when computers are left vulnerable to attack. "Trojan viruses offer a simple method of entering a private computer unauthorised and stealing information. Open ports and insecure information transactions over the internet also offer convenient methods for criminals to hijack or leapfrog the system into passing them replicated data," says UK Information Security. "These methods of data theft are all moderately easy to use and access on a newly installed or unprotected system. It is therefore essential that businesses secure themselves against these methods, ensuring that they have the latest in anti-virus software and use secure payment servers, if they are involved in e-commerce."

Firewalls, in either software or hardware form, will help to alleviate and improve the issues surrounding open and vulnerable ports, commonly used to compromise data security.

Any internet transactions performed by businesses over websites or email should be assuredly secure, using one of the most reputable methods:

w SSL (secure socket layer)
w MD5 (message digest)
w PGP (pretty good privacy)

"These all encrypt data, using unique keys or IDs, leaving them to be decrypted only if the recipient provides the corresponding key," adds UK Information Security.
"Businesses also need to secure themselves against viruses, which can openly infect computer systems, and allow hackers to enter and steal information. Data theft is a serious threat to any business and protection against it must become one of their main priorities."

So where are the perpetrators most likely to attack? According to the latest Information Security Breaches Survey1, published by the DTI, large businesses are more likely to have security incidents (experienced by 87% of companies in this category). They also tend to have more of them (median 19 incidents per year) and their breaches are inclined to be more expensive (£90,000 on average for the worst incident).

The report also says that, although on average UK companies now spend 4-5% of their IT budget on information security, many are still a long way from having a security-aware culture and their expenditure is not targeted at the areas of greatest risk.

Meanwhile, Migration Solutions says that, in its experience, around 65% of data centre security incidents are driven by malicious intent, rather than economic gain. Of these, the top two categories of perpetrators are disgruntled current employees and ex-employees.

The root cause of this may well be found in the DTI's survey, which reports that a quarter of companies do not carry out any background checks when they recruit staff. Furthermore, only 1% has a comprehensive approach to identity management procedures, such as authentification, access control and user provisioning.

The absence of staff checks and identity management coincides with changing business practices. Web-based services, outsourcing and 'just in time' logistics have all had the effect of more and more customers, suppliers and staff categories being given direct access to corporate systems. The result has been a widespread increase in exposure and risk.

Since 1991, the Department of Trade and Industry has sponsored research into information security breaches to help UK businesses understand better the risks they face. The Information Security Breaches Survey 2006 (ISBS 2006), is the eighth such survey, managed by Pricewaterhouse- Coopers. The survey results show that, while the number of companies affected has dropped slightly in the past two years, it is still twice the level seen a decade ago. Also, the total cost of security incidents is up on two years ago, with small businesses particularly hard hit.

"IT systems in general, and the Internet in particular, are increasingly important to business operations," states the DTI. "Given this, the priority attached to information security remains high. The priority given to security has translated into action. Security controls have improved and confidence in those controls is high. The improved controls appear to be having an effect; the number of companies affected by security incidents appears to have stabilised.

"The cost, however, remains considerable. Many UK businesses are a long way from having a security-aware culture. Security expenditure is either low or not targeted at key risks. New technologies pose a particular security threat for the future. Despite the high levels of confidence about current security, UK companies are more concerned about tomorrow's security than ever."

Jay Heiser, research VP at Gartner, believes professional outsiders and motivated insiders will pose the greatest threat to companies during 2007, with both intent on stealing valuable data. "For approximately five years, we've been experiencing a steady increase in the professional- isation of cybercrime," he says, warning that this trend is likely to continue to grow at a worrying rate as criminals within and outside the organisation tear strips off many companies.

"For many organisations, the biggest risk will be insiders, not outsiders. The fact is that a significant amount of proprietary and regulated data walks out the door every day."

External attackers are also showing far greater targeting of specific corporate data and problems such as spear-phishing - highly targeted email frauds - are likely to increase. Wi-fi is also likely to become more of a target for attackers during 2007 as wireless internet access becomes increasigly prevalent amongst users. ST

1DTI Information Security Breaches Survey, April 2006