Showing posts with label Data Protection.

Wednesday, 9 September 2009

What’s in a number?

Today, the Ponemon Institute revealed that 67 percent of French organizations have been hit by a data breach incident over the past year, with 18 percent having suffered more than five incidents. If this seems high, there is a reason: according to Ponemon, only 8 percent of these breaches were reported, so we never heard about the other 92 percent because there was no legal or regulatory mandate to report them.

The issue of reporting and disclosure is hotly contested, often pitting the rights of individuals against corporations that want to distance themselves from the bad publicity and associated liabilities. The United States, which has seen some of the largest data breaches in history, still does not have a single national standard for data breach reporting or for regulatory data protection requirements.

We can’t expect companies to disclose data breach information willingly; the immediate consequences are too severe, even though full disclosure works to their benefit over time. What needs to happen is that the same focus on transparency now being heralded in the financial services industry is applied to data breaches, with the primary goals being to catch those responsible and to inform those affected as soon as possible. This transparency will come, at the very least because certain industries will require it. In the meantime, we take solace in the 71 percent of the Ponemon respondents in France who placed data protection as a critical component of their overall protection plan. These companies are not completely overlooking data protection, but they are playing catch up (as are most companies these days) with very sophisticated hackers.

French cuisine may be famous for rich sauces. It is clear from this report that they are a rich data source too!

Saturday, 15 August 2009

The University Data Breach Blues

This week brought news of another successful breach at UC Berkeley, in which almost 500 records of applicants were stolen by hackers. This is the second such reported hack at UC Berkeley in less than five months, the earlier one having exposed 160,000 records. These two attacks point to the attraction that universities hold for hackers. Every university requires personal data as part of the application process, and hackers know that these institutions are guaranteed to hold some amount of valuable data. Unlike financial services companies or many retailers, universities lack the most sophisticated data protection measures. They are also not subject to compliance standards for how personal data is stored, which makes them uniquely attractive targets.

The Open Security Foundation, a nonprofit that tracks data breaches, estimates that more than 11 million records stored at US colleges and universities have been compromised. Often these breaches are not discovered until well after the data is lost. UC Berkeley, for example, found out about the current breach from an alleged hacker’s website.

We have entered a world in which personal data is always at risk from hackers who will grab it and sell it for profit. Retailers and financial institutions have already felt the pain of this environment, and in response they have the latest protective technology as well as compliance measures. What will universities do, since they do not have the same financial resources?

The answer could come in part from compliance guidelines, with government and the private sector working together to recommend best practices and protection measures. Doing so should allow graduates to enter the post-university world with their data, and their credit reports, uncompromised.

Wednesday, 1 April 2009

Protecting the April Fool

This year's April Fool's Day has been dominated by concerns about whether the Conficker worm will trigger or not. I am keen to go beyond malware and consider a more general security question: how do we distinguish between the fool who only wants to comply with the law and the diligent person who wants to protect their precious assets?

When it comes to physical safety we have all seen the difference. Take the wearing of helmets by motorcyclists, for example. We can only presume that the head is precious enough to protect, yet it has taken legislation and policing to get riders to wear helmets. There is a great range of motorcycle helmets on the market with varying features and prices.

It is easy to spot the riders who are not interested in true protection: the chopper riders who choose a helmet that is a skimpy fashion item, like the small open-face cap that sits on top of the skull. It looks really cool and complies with the minimum standard of the law, but what level of protection does it offer in even the mildest collision? The alternative, a full-face helmet, will truly protect and prevent a visit to the dentist.

Don’t be a data security fool: go beyond compliance and place a full-face security device around your precious data assets.

Friday, 6 March 2009

Data Capture Protection

There has been a great deal of publicity in the UK today about the authorities finally establishing the existence of a database holding information about itinerant workers in the UK building industry. This information was syndicated to potential employers for vetting of “trouble makers”. This is not a database attack. The data held about the individuals breaks data protection regulations; this sort of human resources information is highly regulated.

This is not the first time that sensitive information has been assembled by a trusted third party so that other organizations can make use of it. Consider the credit industry: individual banks are unwilling to share information about their customers with competitors, but they are willing to share it with a trusted third party who can combine it with others’ information and then provide a central credit reference check.

As I wrote above, despite the media attention, this is not a database attack. This incident was not caused by inappropriate use, release or leakage of data, but simply by inappropriate data being collected in the first place.

Now if only we could find a Data Capture Protection system that was compliant with all possible data protection laws …

Saturday, 1 November 2008

Steve’s musings from RSA Europe 2008

RSA Europe was held again at ExCel on the outskirts of London Docklands. Great venue, but the location is not really London and can disappoint some who travel from abroad. Also, the timing was not great for UK-based InfoSec professionals with families: the show was held in school vacation time (half-term).

There were many familiar faces at the show, both at the exhibition and fronting many of the keynotes and other sessions. Art Coviello, President and CEO of RSA Security, was pushing for “Thinking Systems”. This is quite close to my heart, as my academic heritage links directly back to Alan Turing (who was the “motif” for the show) and he spent much of his time contemplating thinking machines. Indeed, some of these ideas can be found at the core of Secerno’s symbolic machine learning techniques.

RSA was a busy time for me: I was involved in three sessions and manning the Secerno stand, along with the great networking that was provided in the evenings. My presentation “Regular expressions as a basis for security products are dead” went down well, and even though it was reclassified as “Advanced Technical” that did not deter an interesting audience. Some lively debate ensued after the talk. Another talk mentioning SQL Injection was given, the talk on “SQL Smuggling”. I was not able to get to it, but the slides looked interesting. I know that the failures in outdated technologies pointed out by the presenter, Avi Douglen, do not apply to the Secerno SynoptiQ new generation technology.

My second “gig” was on Paul Fisher’s (Editor of SC Magazine) CTO Panel. Although we were supposed to be blue-skying about “Beyond Tomorrow”, it turned out that I was seated between two malware CTOs who only wanted to think about malware AV and delivering it as a service. There were times when we were able to push the time horizons of the topics a bit further out. I did like Paul’s question about Art Coviello’s “Thinking System”. I believe, and have built that belief into our products, that security (and everything else in life) is a battle for knowledge. Thinking machines need to turn information into knowledge, and then we can use that knowledge as a form of defence.

The final role for me was leading a special interest group on “Securing Virtualised Assets”. Virtualisation drives down operating cost, but what does it do for security? The SIGs were a far more intimate affair, with only 10 seats available around a table. It was pleasing to find security professionals who were being proactive in their company’s virtualisation efforts. It seems that there is confidence in how to tackle the security of back-office virtualisation projects. What was more edgy was how to do the same for the desktop. Interestingly, one of the attendees of my SIG was from Dell, who had just announced that they were offering outsourced virtualised desktops.

Bruce Schneier’s address was as thought provoking as usual. He, like me, clearly sees that we are still the pioneers of computing, as the field is still less than a century old. He drew analogies with industrialisation, where output was important and pollution was seen as a necessary side effect. In the Internet era he likes to think of the massive data collection, and the lack of care in its production and storage, as analogous to industrial pollution. One day society will be forced to stop information pollution, and possibly need to go back and clean up the information litter landscapes.

I chatted to Bruce after his book signing queues had died down. Last year he left a message in the front of the book he signed for me, and his message was “encrypted”. When I got home last year I gave it to my then 12 year old daughter to crack. “She got it in 5 minutes, right?” said Bruce this year, in his rapid fire sentences. “Of course ...” was my reply.

Confession time... I did not tell him I had failed to crack it myself :-)

No books for Bruce to sign from me this year. But Wiley, the publisher, did sell me Petzold’s 2008 book “The Annotated Turing” on Turing’s famous 1936 paper on computability and the Turing Machine. It is a good read, beautifully written, making the mathematics truly graspable.

At the exhibition the interesting new technologies were few and far between. I did quite like the concept behind the Yubico USB key fob, which generates one-time authentication codes from a small USB device with a cute button. I chatted to the CEO of the Swedish company BehavioSec, who provide behavioural “biometric” information that makes it possible to detect when keyboard activity is coming from a different user. I did manage to meet up with the MD of DISUK, Paul Howard, who has a really neat solution to encrypting tape backups: put one of their SCSI encryption devices in the SCSI device chain, job done! Paul is a passionate gliding instructor, which allows him to see the world from a different perspective at times.

The final keynote I saw was from the UK's Information Commissioner, Richard Thomas. He seems to be getting traction and a larger budget to fulfil his mission to support both Data Protection and Freedom of Information, which is good. His view is that breach notification legislation needs to be risk based, rather than mandatory for every breach. His argument is that we should not worry about low volume, low impact breaches. Tell that to the individual who has to reclaim their stolen identity and refill their bank account: that they don’t need to be notified that their very identity is at risk.

Finally, the conference organizers were promoting Alan Turing as the “brand” for the conference. I wonder what Dr Turing would have made of his image and the promotional videos about the place. They even had a display of encryption devices, including the Enigma that Turing played a part in breaking. In reality, the successes at code breaking were massive team efforts. No single person “cracked” the Enigma code. Oh, and by the way, there were many other codes than Enigma that needed cracking during WWII, and they were! Turing, rightfully, is one of the very few fundamental computer scientists, but we should remember that he was not the only code breaker.

Steve Moyle