Data breach avoidance begins with security basics, panel says

By Robert Westervelt, News Editor
19 Aug 2009 | SearchSecurity.com

Security Wire Daily News

Companies can spend money fixing coding errors or invest millions in the latest and greatest security technologies, yet still leave the business at risk of a major security breach if employees aren't properly trained and appropriate policies aren't set and enforced.

The biggest mistake leading to a data security breach is often pinpointed by investigators as a fundamental security error, according to a panel of experts who discussed the topic of data breaches Wednesday. The panel discussion, sponsored by security vendor Bit9 Inc., included Bob Russo, general manager of the PCI Security Standards Council; Rich Baich, partner at Deloitte and Touche and former CISO of ChoicePoint; and Tom Murphy, chief strategist of data protection vendor Bit9.

"As an industry we look for exceptions and look for holes, but we end up focusing on holes so much that we don't pay attention to the foundation," Murphy said. "We need to build that foundation of security across all infrastructure."

Data security breaches have come back to the forefront this week with the federal grand jury indictment of a Miami man and two Russian hackers for their alleged role in pulling off the biggest data security breach in U.S. history. More than 130 million credit and debit cards were stolen from Heartland Payment Systems Inc., Hannaford Brothers Co., 7-Eleven Inc. and two unnamed companies. While that breach, according to the indictment, involved a SQL injection attack, the expert panelists warned that simple employee mistakes often lead to data leakage.

"The weakest link in the chain is and always has been the people," Russo said. "While malware and exploits tend to get creative, the way they get introduced into the network is really not so creative."

Deloitte's Baich, who served as CISO of ChoicePoint when a breach in 2004 exposed the personal data of 145,000 people, said the apparent rise in breaches is likely associated with the increase in breach notification laws and increased vigilance by security teams. ChoicePoint's breach may never have been known if it weren't for California's landmark Security Breach Information Act, SB 1386.

The lesson learned from the ChoicePoint breach and many others since is to keep an eye on how breaches are occurring, Baich said. In the case of ChoicePoint, someone beat the company's credential verification process and set up phony accounts to pilfer thousands of records.

"It's not just traditional technology and hacking," he said. "Individuals can and will circumvent the business process … No matter how much money and effort could be spent, it wasn't going to mitigate the risk associated with someone potentially being able to do the same thing in the future."

The company ended up exiting the $20 million business it created, Baich said.

Still, it was ChoicePoint's fraud detection systems that discovered an anomaly, and in the case of later breaches, companies could have avoided problems and caught cybercriminals in the act if they had just paid attention to their logs, Russo said.

"People are concerned with running their business and making a profit and doing what they need to do and security, unfortunately, often takes a back seat," Russo said. "All of the stuff we're seeing out there is generally captured in the logs."
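Russo's point is that the attacker's activity is usually already in the logs; the gap is that nobody reads them. As an added illustration, not code from the panel or from any vendor named here, the script below parses constructed web-server access-log lines (Apache/nginx combined format; the addresses and requests are made up) and flags the kind of SQL injection probing the indictment describes, aggregating per source address so a reviewer sees the probe-then-error-then-extraction sequence rather than isolated lines. The indicator patterns and their weights are assumptions chosen for the example, not a published rule set.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2009:10:01:12 -0400] "GET /catalog.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2009:10:01:15 -0400] "GET /catalog.php?id=42' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2009:10:01:17 -0400] "GET /catalog.php?id=42%20OR%201%3D1 HTTP/1.1" 200 91233 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2009:10:01:19 -0400] "GET /catalog.php?id=42%20UNION%20SELECT%20card_number%2Cexpiry%20FROM%20cards HTTP/1.1" 200 48201 "-" "Mozilla/5.0"
198.51.100.3 - - [19/Aug/2009:10:02:01 -0400] "GET /catalog.php?id=17 HTTP/1.1" 200 5098 "-" "Mozilla/5.0"
"""

# One combined-format access-log line (Apache/nginx style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristic SQL-injection indicators applied to the URL-decoded request target.
# Weights are an assumption for this example: higher means rarer in normal traffic.
SQLI_INDICATORS = [
    ("tautology", 3, re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I)),
    ("union_select", 3, re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("comment_terminator", 2, re.compile(r"(--|/\*)")),
    ("quote_then_keyword", 3, re.compile(r"'\s*(or|and|union|select|;)", re.I)),
    ("bare_quote", 1, re.compile(r"'")),  # weak signal: names like O'Brien are legitimate
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded"] = unquote(rec["path"])  # decode %20, %3D, ... before matching
    return rec


def indicators_for(target):
    """Names of the indicators present in a decoded request target."""
    return [name for name, _w, rx in SQLI_INDICATORS if rx.search(target)]


def review_log(text):
    """Aggregate indicator hits, score and server errors per source address."""
    weights = {name: w for name, w, _rx in SQLI_INDICATORS}
    per_ip = defaultdict(lambda: {"requests": 0, "score": 0,
                                  "server_errors": 0, "indicators": Counter()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"] >= 500:          # errors right after a probe are a tell
            s["server_errors"] += 1
        for name in indicators_for(rec["decoded"]):
            s["indicators"][name] += 1
            s["score"] += weights[name]
    return dict(per_ip)


def suspicious_sources(text, min_score=3):
    """Source addresses whose accumulated score meets the threshold, highest first."""
    summary = review_log(text)
    return sorted((ip for ip, s in summary.items() if s["score"] >= min_score),
                  key=lambda ip: -summary[ip]["score"])


if __name__ == "__main__":
    for ip, s in review_log(SAMPLE_LOG).items():
        print(ip, s["requests"], "requests, score", s["score"],
              "server errors", s["server_errors"], dict(s["indicators"]))
    print("review these sources:", suspicious_sources(SAMPLE_LOG))
```

The scoring is deliberately per source rather than per line: a single stray quote in a URL is noise, but a quote that produces a 500, followed a few seconds later by a tautology and a UNION SELECT from the same address, is the pattern a reviewer should escalate. Real log volumes would need the same logic fed from a log pipeline rather than a string, but the review question is identical.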

Russo believes the minimum standards outlined by PCI help companies get their security programs in check, but he pointed out that compliance and security are two different things.

"I don't think there's ever going to be a silver bullet," Russo said. "Our standards are quite prescriptive and a lot of people use it as a springboard … an opportunity to get security as the foundation of everything they do … but it's about security, not about compliance."

The panelists called on companies to tap into the wealth of security information in the form of guidance documents put together by special interest groups in specific technical areas. Don't just have a security policy and process documentation, but enforce it and educate end users about it, they said. Murphy touted his company's application whitelisting approach, which enables IT to set clear policy on what employees can download and install on their machines. If an application is not on an approved list, then it is not allowed to run, he said.
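The mechanism Murphy describes is a default-deny execution policy: anything not explicitly approved does not run. The following is an added example written for this page, not Bit9's product or any other vendor's code, showing the core of such a policy keyed on the SHA-256 of a file's contents. The sample "executables" are constructed in a temporary directory so the script runs offline; the file names and contents are made up. Commercial products also approve by publisher certificate or trusted installer, which this example does not model.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Content hash of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Default-deny execution policy: a file runs only if its hash is approved."""

    def __init__(self, approved=None):
        self.approved = dict(approved or {})  # sha256 hex digest -> description
        self.audit = []                       # (decision, path, digest) for review

    def approve(self, path, description):
        """Add a file's current content hash to the approved set."""
        digest = sha256_file(path)
        self.approved[digest] = description
        return digest

    def decide(self, path):
        """Return 'allow' or 'deny' for a file and record the decision."""
        digest = sha256_file(path)
        decision = "allow" if digest in self.approved else "deny"
        self.audit.append((decision, path, digest))
        return decision


def demo():
    """Run two constructed sample files through the policy; returns the decisions."""
    decisions = []
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "approved_tool.bin")
        unknown = os.path.join(d, "unknown_download.bin")
        with open(good, "wb") as f:               # constructed stand-in for an approved build
            f.write(b"\x7fELF approved internal tool 1.0")
        with open(unknown, "wb") as f:            # constructed stand-in for a user download
            f.write(b"\x7fELF something the user downloaded")

        policy = Allowlist()
        policy.approve(good, "Approved internal tool v1.0")
        decisions.append(policy.decide(good))     # allow: hash is on the list
        decisions.append(policy.decide(unknown))  # deny: never approved

        with open(good, "ab") as f:               # approved file modified after approval
            f.write(b"\x90")
        decisions.append(policy.decide(good))     # deny: content no longer matches
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Two properties matter here. The policy never needs to recognise bad software, only to recognise approved software, which is the ambiguity Murphy says it removes for end users. And because approval is bound to content rather than to a file name or location, a tampered copy of an approved program is denied along with anything unknown, so the audit list doubles as a record of what users attempted to run outside policy.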

"It takes away some of the burden and ambiguity over whether something is in policy and out of policy and puts to work stuff that people struggle with – how to educate people to let them know what's allowed and what's not allowed," Murphy said.
