Thursday, September 24, 2009

GTC East 2009: data security

Yesterday afternoon, I attended the “Security: Protecting All That Data” session, in which Simon Hunt of McAfee outlined how to implement a range of data security initiatives. Although it didn’t focus directly on records issues, it highlighted the overlapping interests of information security officers and records professionals.

Hunt began by furnishing an interesting overview of the current data security climate, which is characterized by an increasingly stringent and complicated patchwork of laws specifying how governments and corporations must respond to actual or potential data breaches; the proliferation of mobile data devices such as laptops, cell phones, and USB sticks; and increasingly sophisticated forms of criminality. People used to write malware because they wanted to have fun and prove their intelligence, but now they do it to make money. There are gangs throughout the world that specialize in data theft, and others that specialize in leveraging stolen data. Moreover, toolkits that enable users to create or modify Trojan horse applications and viruses are now sold online; a good one costs approximately $1000.

Of the major data breaches that have happened in 2009, 31 percent were inadvertent, 50 percent were caused by some sort of outside action, 9 percent were the result of malicious action by staff, 2 percent were the result of other staff actions, and 9 percent were caused by unknown factors. Laptops, which were at the center of 17 percent of breaches, are the fattest target for thieves. Other breaches were the result of hacking (12 percent), Web attacks (11 percent), fraud-SE (11 percent), lost media (5 percent), e-mail (4 percent), and viruses (2 percent).

However, what I found most startling was that paper records account for a significant percentage of 2009 data breaches to date. Documents that were not disposed of properly comprise a whopping 11 percent of breaches, “snail mail” 6 percent, and stolen documents 3 percent. Moreover, a quick review of DataLossDB, which provided Hunt with his figures, indicates that 2009 has seen an unusually large percentage of breaches associated with improper disposal; in 2008, improper disposal accounted for only 4 percent of the breaches. My takeaway: archivists, records managers, CIOs, and information security officers must stress the importance of safeguarding all types of records and information.

Noting that most organizations don’t focus on data security until they suffer some sort of breach and that insider theft increases when times are bad, Hunt emphasized that data security is a lot easier than many people think. He then outlined a series of proactive steps that can improve data security; although he mentioned several McAfee products that might help, most of his remarks seemed generally applicable.
  • Understand the risks you face: sit down and think about how data moves within your organization and identify stakeholders, potential allies (like records managers?) and possible barriers. You should figure out what’s valuable and how it might be attacked, and how much time and effort you’re prepared to devote to protecting it. Data at rest (e.g., on desktops, laptops, etc.) is easiest to protect, but data in motion (e.g., Web 2.0, file sharing, blogs) and data in use (e.g., USB sticks, DVDs) also need attention. Remember that data protection must be tightly woven into your business, that technology is not the hard part -- training and policy are the big challenges -- and that data protection is constantly evolving.
  • Encrypt your data. Non-encrypted data on laptops is a soft target, and governments and corporations that can’t account for a missing laptop are legally obligated to inform anyone whose information might have been on the laptop that their data has been stolen or exposed. Deploying hard drive encryption on all laptops and desktops is the easy fix. However, you need to manage it and to be able to prove that a lost device was encrypted. Encryption will take care of about 60 percent of the typical organization’s security issues and can be done in 2-4 man-weeks.
  • Manage your removable media. Portable media can also be encrypted and policies mandating use of encrypted USB sticks can help. Port control software that limits use of USB media is also an option. Encrypting USB sticks and other portable media will address about 20 percent of the typical organization’s security needs.
  • Identify your confidential data. Focus on the risk drivers specific to your organization, define the most critical vectors, and determine stakeholders’ needs. Too many security initiatives fail because people were stopped from doing what they saw as legitimate and necessary actions, so make sure you take their needs into account and provide training.
  • Deploy McAfee’s Data Loss Prevention. This software finds data, indexes it, determines who has access, implements prevention techniques (e.g., blocking or monitoring users who try to copy or print sensitive information) as dictated, and monitors the flow and use of data throughout an organization. According to Hunt, DLP will take care of an additional 18 percent of the typical organization’s data security needs.
Nice, succinct presentation. Hunt emphasized solutions more than products. He also drew our attention to an awesome image of a physical security failure, courtesy of FailBlog. I have the feeling that this image is going to make its way into lots of other presentations on security.


Anonymous said...

Thanks for the kind words regarding my presentation. I hope you found it educational. I enjoyed speaking to the group and although the session was quiet, there were some good questions and positive feedback.

Simon Hunt.

data protection said...

Nice post!!!
Good thoughts and a nice blog. Thanks for the great information ...