Health Net breach failure of security policy, technology

By Eric Ogren
27 Nov 2009 | SearchSecurity.com


The recent Health Net data breach—affecting some 1.5 million users—is a failure of all aspects of IT security, including the ability to set appropriate policy, communicate that policy to employees and deploy the relevant security technology.

Health Net announced last week that unencrypted records, and the portable external hard drive containing those records, were lost. A loss of this magnitude from normal business practice suggests that either sensitive data accumulated over a long period of time and was not systematically erased when no longer needed, or the user worked on extremely large chunks of data without proper security controls. IT should have been aware of both possibilities and acted to protect the business.

One of the lessons of Health Net is that corporate use of mobility products, including laptops, phones and removable media, requires special attention, because these devices can carry sensitive data beyond the reach of security teams. For example, mobility products (which include notebook computers and mobile workstations) represent 32% of Dell's net revenue—the largest segment in Dell's reported product mix. The use of devices by mobile and remote users is a trend that is likely to increase, requiring protection beyond that planned for desktops and virtual desktops.

Spot-check mobile and remote users to understand which applications are commonly used and how those applications treat sensitive data. In particular, audit for temporary files that are created in application or system folders and are not erased when the session ends. Tools such as the one offered by Liquidware Labs Inc. can automate application profiling to help in the investigation. The goal is to render regulated data on mobile devices unreadable, either by deletion or by encryption, as soon as the business session expires.
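One way to run the audit described above, as an added example that is not from the column or from any vendor named in it: walk a scratch folder, flag files older than a session timeout that still contain regulated-data patterns, and render them unreadable. The folder layout, the one-hour session timeout and the SSN/MRN patterns are constructed assumptions.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Constructed, illustrative patterns for regulated identity/health data
PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
            "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE)}
MAX_AGE_SECONDS = 3600  # hypothetical: a session is treated as over after one hour

def classify(text):
    """Names of the patterns that match anywhere in text."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def find_stale_sensitive(root, now=None, max_age=MAX_AGE_SECONDS):
    """Files under root older than max_age that still contain regulated data."""
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or now - path.stat().st_mtime < max_age:
            continue  # a directory, or a session that may still be live: leave it alone
        hits = classify(path.read_text(errors="ignore"))
        if hits:
            findings.append({"path": str(path), "hits": hits})
    return findings

def scrub(path):
    """Overwrite, then unlink (best effort on SSDs; disk encryption is the stronger control)."""
    with open(path, "r+b") as f:
        f.write(b"\0" * path.stat().st_size)
    path.unlink()

def audit_and_scrub(root, now=None, max_age=MAX_AGE_SECONDS):
    findings = find_stale_sensitive(root, now, max_age)
    for item in findings:
        scrub(Path(item["path"]))
    return findings

def demo():
    """Constructed scratch folder: a stale PHI file, a live PHI file, a stale harmless file."""
    root = Path(tempfile.mkdtemp())
    stale, live, harmless = (root / n for n in ("export.tmp", "session.tmp", "cache.tmp"))
    stale.write_text("Patient John Q, SSN 123-45-6789, MRN: 00482771")
    live.write_text("MRN 99887766 still in use")
    harmless.write_text("no regulated data here")
    old = time.time() - 2 * MAX_AGE_SECONDS
    for p in (stale, harmless):
        os.utime(p, (old, old))
    return audit_and_scrub(root), stale.exists(), live.exists(), harmless.exists()
```

Only the stale file that still holds regulated data is scrubbed; the live session file and the harmless cache file are left in place.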

Evaluate data masking software for applications that require large amounts of data to be processed remotely. For instance, Camouflage Software Inc. allows organizations to mask sensitive identity data when extracting information from the data center. Data masking can minimize the risk of data loss by reducing the number of copies of production data that must be secured. Development organizations can write applications on masked production data and remote users can conduct database research without exposing regulated data to loss.
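The masking idea above, as an added example that is not the column's or Camouflage Software's code: identity columns are replaced with keyed, deterministic tokens before an extract leaves the data center, so repeated visits for one patient still join up and SSN-shaped fields keep their format, while the clinical columns pass through untouched. The column names, the key and the sample rows are constructed.

```python
import csv
import hashlib
import hmac
import io

# Hypothetical masking key kept in the data center; it never travels with the masked extract
MASK_KEY = b"example-key-replace-with-vaulted-secret"
IDENTITY_COLUMNS = {"patient_id", "name", "ssn"}  # constructed: columns that must not leave in clear

def _prf(field, value):
    """Keyed PRF over (field, value); domain-separated so equal values in different fields differ."""
    return hmac.new(MASK_KEY, f"{field}\x00{value}".encode(), hashlib.sha256).digest()

def mask_value(field, value):
    """Deterministic token: the same input always yields the same output, so joins still line up."""
    d = _prf(field, value)
    if field == "ssn":
        # keep the NNN-NN-NNNN shape so downstream validators keep working (mod-10 bias is fine here)
        digits = "".join(str(b % 10) for b in d[:9])
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    if field == "patient_id":
        return "P" + d[:6].hex().upper()
    return "MASKED-" + d[:4].hex()

def mask_extract(csv_text):
    """Mask identity columns of a CSV extract; non-identity columns pass through for analysis."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({k: mask_value(k, v) if k in IDENTITY_COLUMNS else v for k, v in row.items()})
    return out.getvalue()

# Constructed sample extract: two visits for the same patient, one for another
SAMPLE = """patient_id,name,ssn,diagnosis_code
10001,Jane Roe,123-45-6789,E11.9
10002,John Doe,987-65-4321,I10
10001,Jane Roe,123-45-6789,Z00.00
"""

def demo():
    """Return the masked rows as dicts."""
    return list(csv.DictReader(io.StringIO(mask_extract(SAMPLE))))
```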

Transparent full disk encryption of the endpoint removes the chance of regulated data being exposed to loss. It is always better to understand the application profiles and the use of sensitive data; however, IT resource constraints may force a more comprehensive encryption program instead. Automatically encrypting all business data on mobile devices avoids possible exposure when a device is lost and can save the considerable expense of meeting disclosure requirements. Companies such as Check Point Software, Lumension and SafeNet can help enforce transparent full disk endpoint encryption policies.

Security teams should extend data protection policies to mobile phones with the same considerations as laptops, given the phones' extensive storage capacity. For instance, a standard Samsung Galaxy Android-based phone includes 8Gb of storage. Applications accessed via browsers on handhelds can leave sensitive data in temporary buffers and files, which IT needs to proactively remove or encrypt.

These breaches are bound to happen again, unless IT security professionals deploy the right technologies to protect company data.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
