Richard Clarke: Don't ignore data risks, deploy encryption

By Bill Brenner, Senior News Writer
12 Jun 2007 | SearchSecurity.com

Many companies assume they are safe from data breaches simply because there is no evidence of an attack. As a result they are going without such vital defenses as encryption, former White House cybersecurity czar Richard Clarke told a gathering of IT security professionals at a recent breakfast.

The growing data breach risk and need for encryption was the main focus of the breakfast, hosted by Waltham, Mass.-based vendor Liquid Machines during last week's Gartner IT Security Summit in Washington D.C. Michael Ruffolo, CEO of Liquid Machines, said in his opening remarks that his customers live in constant fear that they will lose data and become the focus of a TJX-style media firestorm.

"They tell me they're afraid to push send because when they push send, they lose control" of the information, he said. "If your business is such that you have to share information, you're in a difficult position because of the data loss epidemic. There's constant concern about information getting out because of insiders -- not necessarily malicious insiders."

Clarke, who has kept a high profile as a writer and security consultant since his well-documented falling out with the Bush Administration a few years back, said that while many companies fear the prospect of a data breach, not all are doing what's necessary to prevent one.

"It typically costs someone 100 hours of time to deal with the theft of their identity," said Clarke, who is currently chairman of Arlington, Va.-based Good Harbor Consulting. "Companies need to remember that identities are stolen every day and no network is 100% secure."

Clarke compared the attitude of some corporate executives today to that of U.S. Defense Department officials 10 years ago, when White House cybersecurity officials pushed the Pentagon to adopt intrusion detection systems (IDS). The Pentagon added the IDS, and the service chiefs came back annoyed because, as they put it, the IDS technology had caused them "a hell of a problem." They ranted that they were being attacked all the time, and that they hadn't been attacked before the IDS was deployed, Clarke said.

"That illustrates the problem," he said. "It's about what you don't know, or what you don't see or can't prove. Industrial and national espionage is happening daily on a massive scale. Your databases are being stolen and copied, and just because the evidence isn't in front of you doesn't mean it's not a problem."

There may never be 100% security, he said, but companies can minimize the damage with encryption. If data is encrypted, it's of no use to the person who steals it. Unfortunately, he said, some companies fail to take encryption seriously until after they've been compromised.

"You have enormous companies like DuPont where an insider is able to copy information and commit industrial espionage," Clarke said, referring to the case of former DuPont senior chemist Gary Min, who stole approximately $400 million worth of information from the company and attempted to leak it to a third party. Min joined DuPont in 1995 but began exploring a new job opportunity in Asia in 2005 with Victrex, a DuPont competitor. Shortly after opening the dialogue with Victrex, Min reportedly proceeded to download approximately 22,000 abstracts from DuPont's data library and accessed about 16,700 documents. After Min gave his notice, DuPont discovered what he was up to and brought in the FBI. He eventually acknowledged his guilt in the matter.

Clarke said companies must find ways to detect where data is sitting on the network and establish rules for who can or can't access certain documents.

"Stop worrying about protecting the network and worry instead about protecting what's on the network," Clarke advised the breakfast attendees. "Putting a barrier around that information -- credit card numbers, designs, customer lists and the like -- will help prevent a compromise."

Also at the breakfast was Michael Sheehan, former deputy commissioner of counterterrorism for the New York Police Department. He said that during his tenure the department investigated an attack against a cyber institution that to this day has not been disclosed. Investigators ultimately found that the attack came from six to eight countries and was exceptionally sophisticated and coordinated.

Clarke said people think the catastrophic event will never happen. Sheehan and other investigators told Clarke the company would have been brought to its knees if the attack had been 5-10% more sophisticated.

"The bad guys are a little bit behind the good guys, but they're catching up," he said. "People think the catastrophic event will never happen, but we've seen that it does."
