Thursday, March 15, 2007

dynamic security or IDentiWall wouldn't help in these cases

Forget hackers; companies responsible for most data breaches, study says

More than 1.9B records compromised in the past 26 years

Jaikumar Vijayan

March 14, 2007 (Computerworld) -- In the five minutes it might take to read this article, about 672 electronic records containing confidential information will be compromised. By year's end, more than 72 million records with Social Security numbers, credit card numbers, birth dates and other personal data will have been exposed. That rate is about 200,000 more records per month than last year.

And the main culprit is not the oft-vilified rogue hacker, but corporate America, according to a new study by the University of Washington, Seattle.

That conclusion is based on a review of 550 security breaches reported in major U.S. news media outlets from 1980 to 2006. The goal of the study was to examine the role of organizational behavior in privacy violations. It showed that internal foul-ups such as putting personally identifiable information accidentally online, missing equipment, lost backup tapes or other administrative errors were responsible for 61% of the incidents.

In contrast, just 31% of the incidents were perpetrated by external hackers; 9% had unspecified causes.

"What this shows is that a surprising number of incidents actually involve corporate mismanagement more than hackers," said Philip Howard, assistant professor of communication at the University of Washington and co-author of the report. "I think it is easier when your company loses a lot of client data to put an immediate spin on it and blame it on a hacker or some external guy using some ingenious hacking technique."

The reality, though, is that in more cases than not, internal errors caused the data breach, he said.

Howard's study reinforces similar findings from other research. A report released last week by the IT Policy Compliance Group showed that human error is the overwhelming cause of losses of sensitive data -- contributing to 75% of all occurrences, while malicious hacking activity contributed to just 20% of data losses. According to that report, the primary channels for data loss involve laptops and mobile devices as well as e-mail and instant messages.

Similarly, in an informal survey of attendees at last week's Computerworld Premier 100 IT Leaders Conference, respondents picked "activities by internal staffers" as the biggest source of security breaches, followed by "ineffective policies" and "sloppy mobile workers." External hackers were fingered as the source in just 11% of the cases.

Even in incidents that were publicly blamed on external hackers, the reality is a bit more nuanced, Howard said. One example was the huge data breach at Acxiom Corp. in 2003, when an external data broker stole 1.6 billion customer records containing names, addresses and e-mail addresses belonging to millions of Americans. In that case, the hacker was able to get at the records largely because of a failure by Acxiom to establish proper access controls, Howard said. Though the incident was recorded as an external hack, in reality, it was enabled by an internal error, he said.

When it comes to just the volume of compromised records, though, external hackers accounted for some 45% of breached records, while 27% came from internal errors and 28% remained unattributed, Howard said. A total of about 1.9 billion records were compromised in the incidents that were studied.

The university study also showed that there were more reported incidents in 2005 and 2006 -- 424 -- than the previous 25 years combined, when there were 126. But that's likely because of breach-disclosure laws in California and several other states that require companies to notify consumers of incidents involving the potential compromise of their data, he said.

Another key finding of the report is the fact that colleges and universities account for an increasing percentage of all reported incidents, while the health sector by far reported the fewest incidents, he said.

"Certainly, we find that data breaches are often the result of negligence" on the part of companies managing the data, said Avivah Litan, an analyst at Stamford, Conn.-based Gartner Inc. Examples include not changing passwords or using weak passwords, along with a tendency on the part of individuals to leave log files or sensitive data lying around in unprotected fashion, she said.


yet another story of Identity Theft without Dynamic Security or even without IDentiWall

Experts warn of identity theft risk

Story Highlights

• Experts: Copiers could be used to steal personal data
• Copiers with disk drives store scanned information
• Identity thieves could potentially access stored data
• Encryption can prevent data from getting into the wrong hands

SAN JOSE, California (AP) -- Consumers are bombarded with warnings about identity theft. Publicized threats range from mailbox thieves and lost laptops to the higher-tech methods of e-mail scams and corporate data invasions.

Now, experts are warning that photocopiers could be a culprit as well.

That's because most digital copiers manufactured in the past five years have disk drives -- the same kind of data-storage mechanism found in computers -- to reproduce documents.

As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

If the data on the copier's disk aren't protected with encryption or an overwrite mechanism, and if someone with malicious motives gets access to the machine, industry experts say sensitive information from original documents could get into the wrong hands.
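The article's point is that a copier "delete" without encryption or an overwrite mechanism leaves the scanned page on the disk. As an added example (not code from the article or any copier vendor), the Python below models a copier disk whose naive delete only drops the index entry and compares it with overwrite-on-delete and encrypt-before-store; CopierDisk, _keystream and the sample tax form are constructed for illustration, and the SHA-256 XOR keystream is a toy stand-in for a real cipher.

```python
# Added example (not code from the article or any copier vendor); all sample data is constructed.
import hashlib
import os

BLOCK = 64  # block size of the simulated disk (constructed)

def _keystream(key, nblocks):
    """Toy CTR-style keystream for illustration: SHA-256(key || counter) per 32 bytes."""
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(nblocks))

class CopierDisk:
    """Simulated copier hard disk: a flat block store plus an index of stored jobs."""
    def __init__(self, blocks=16):
        self.store = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))
        self.index = {}  # job name -> block numbers holding its page image

    def scan(self, job, image, key=None):
        """Write a scanned page; with a key, the image is encrypted before it hits the disk."""
        if key is not None:
            ks = _keystream(key, -(-len(image) // 32))
            image = bytes(a ^ b for a, b in zip(image, ks))
        chunks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
        used = [self.free.pop(0) for _ in chunks]
        for b, chunk in zip(used, chunks):
            self.store[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[job] = used

    def delete(self, job, overwrite=False):
        """Naive delete only forgets the job; overwrite=True also wipes its blocks."""
        for b in self.index.pop(job):
            if overwrite:
                self.store[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
            self.free.append(b)

    def carve(self, marker):
        """What the next owner of a resold copier can do: search every raw block."""
        return marker in bytes(self.store)

def remanence_demo():
    """Return, per retention policy, whether a deleted tax form is still carvable."""
    tax_form = b"FORM 1040  SSN 123-45-6789  (constructed sample)" * 3
    results = {}
    for policy in ("naive", "overwrite", "encrypt"):
        disk = CopierDisk()
        disk.scan("job1", tax_form, key=os.urandom(32) if policy == "encrypt" else None)
        disk.delete("job1", overwrite=(policy == "overwrite"))
        results[policy] = disk.carve(b"123-45-6789")
    return results  # {'naive': True, 'overwrite': False, 'encrypt': False}
```

Only the naive policy leaves the Social Security number recoverable from the raw blocks; the other two match the mitigations the article names.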

Some copier makers are now adding security features, but many of the digital machines already found in public venues or business offices are likely still open targets, said Ed McLaughlin, president of Sharp Document Solutions Company of America.

"You actually have a better chance at winning 10 straight rolls of roulette than getting those hard drives on copiers rewritten," he said.

Sharp issued a warning about photocopier vulnerabilities Wednesday -- just ahead of tax time.

The company, one of the leading makers of photocopiers, commissioned a consumer survey that indicated more than half of Americans did not know copiers carried this data security risk. The telephone survey of 1,005 adults, conducted in January, also showed that 55 percent of Americans plan to make photocopies and printouts of their tax returns and related documents.

Of that segment, half planned to make the copies outside their homes -- at offices, libraries and copy shops. An additional 13 percent said they plan to have their tax preparers make copies.

Although industry and security experts were unable to point to any known incidents of identity thieves using copiers to steal information, they said the potential was very real.

"It is a valid concern and most people don't know about it," said Keith Kmetz, analyst at market researcher IDC. "Copying wasn't like this before."

Added Paul DeMatteis, a security consultant and teacher at the John Jay College of Criminal Justice at the City University of New York: "We know there are bad people out there. Just because this is difficult to detect doesn't mean it isn't being exploited."

Daniel Katz-Braunschweig, a chief consultant at DataIXL, a business consulting firm, includes digital copiers among his list of data holes corporations should try to protect. He couldn't specify names but said a few of his company clients did learn about the vulnerability after their copiers were resold and the new owners -- in good faith -- notified them of the data residing on the disks.

Sharp was among the first to begin offering, a few years ago, a security kit for its machines to encrypt and overwrite the images being scanned, so that data aren't stored on the hard disks indefinitely. Xerox Corp. said in October it would start making a similar security feature standard across all of its digital copiers.

Randy Cusick, a technical marketing manager at Xerox, said many entities dealing with sensitive information, such as government agencies, financial institutions, and defense contractors, already have policies to make sure copier disks themselves or the data stored on them are secured or not unwittingly passed along in a machine resale.

Smaller businesses and everyday consumers are less likely to know about the risk, but should, he said.

Sharp recommends that consumers take precautions, such as asking their tax preparers or the copy shops they are using about whether their copier machines have data security installed.

Copyright 2007 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.


Made4biz Security: Translating real-world security know-how into state-of-the-art security systems.