Information Security

Defending the digital infrastructure

Getting the Point
by Mark Baard
ChoicePoint put data breaches on the front page of The Wall Street Journal, into corporate boardrooms and the consciousness of Americans.

ChoicePoint CISO Richard Baich's protestations in 2005 that his company was the victim of fraud, not a hack, sound almost archaic now.

"This is not an information security issue," Baich told Information Security shortly after ChoicePoint disclosed 163,000 customer records had been accessed. "My biggest concern is the impact this has on the industry from the standpoint that people are saying ChoicePoint was hacked. No we weren't. This type of fraud happens every day."

In fact, the incident underscored the vulnerability of sensitive data to many attack vectors, from classic computer hacks to trusted insiders to thieves like the ChoicePoint fraudsters. They posed as legitimate business customers and set up accounts to obtain the type of information that ChoicePoint routinely sold to third parties.

It's not that ChoicePoint was the first or the worst data breach, but it was spectacular, driving countless companies to take steps to avoid ChoicePoint's miserable--and very public--experience. After it reported the breach to California regulators and consumers, ChoicePoint settled with the FTC for $10 million in civil penalties and $5 million in consumer redress. ChoicePoint executives got a good tongue-lashing before Congress for good measure.

"The message to ChoicePoint and others should be clear: Consumers' private data must be protected from thieves," FTC Chairman Deborah Platt Majoras said in a statement. "Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business."

But data owners still have a long way to go to secure critical information and prevent fraud, says Gartner analyst Avivah Litan.

"[Data breaches are] still happening," Litan says. Since ChoicePoint was breached, more than 215 million personal records have been lost by entities responsible for them. TJX, Gap Inc., and TD Ameritrade this year alone have joined ChoicePoint, the VA and many others as standard-bearers for shoddy data security.

SB 1386
If any positive changes have taken place in the data brokerage industry, it was not due to ChoicePoint's admission of carelessness, says Litan, but rather California's SB 1386 regulation, which compels data owners to reveal breaches to victims. Any company that does business in California must notify those affected by a data breach. Prior to SB 1386 and the 38 other state data breach notification acts, few companies would be compelled to inform customers of a breach and data loss.

Litan says that while laws ensure the accuracy of personally identifiable information, not enough carry harsh punishments for companies that fail to protect consumers against fraud.

"I'm not saying that regulation is the answer to everything," Litan says, "but it will take a stick approach to get (data brokers) to make changes."

Businesses and U.S. government agencies--which also keep millions of consumer files--are typically guarded about the steps they take to prevent identity theft. Consumer businesses such as Target and eBay, for example, declined to be interviewed for this article. Litan says it can be difficult to convince CISOs that they need to do more to vet their potential clients.

"Data brokers make their money saying 'yes' to their customers," she says.

They may be saying yes to more punitive damages if the torrent of data breaches doesn't subside. TJX reports it has spent more than $250 million cleaning up after its breach, and class-action suits have been filed against the retailer, from which attackers took more than 45 million customer records, including credit card numbers, this year. In September, TJX announced a settlement with those affected, offering credit monitoring to 455,000 of the 45 million whose identities are at risk, the Privacy Rights Clearinghouse reports.

The Ponemon Institute in 2006 estimated data breach cleanup costs at $182 per lost record. TJX, however, hasn't come near that total, leading many to wonder how much damage companies actually suffer. Brand name damage, as well as harm to the corporate reputation, is almost impossible to quantify, but a July 2007 Information Security article reported that TJX's stock price remained flat throughout the crisis. Others such as Boeing and Bank of America actually saw their stock rise over a period of time following a breach.

Adam Sills, lead underwriter for Darwin Professional Underwriters, says TJX and others may really suffer when third-party costs are passed to the retailer.

"Private liability is the big unknown but it's a critical element," he says. "This is where you can probably end up seeing serious costs."

Mark Baard is a freelance writer for Information Security.

Turning Points

ChoicePoint, Sarbanes-Oxley and the advent of crimeware had company. Here are seven more information security signposts of the last decade.

DDoS Attacks Compared to today's targeted incursions on companies, MafiaBoy's February 2000 DDoS attacks on major ecommerce sites like Yahoo, eBay, E*Trade, CNN and Amazon seem like high-profile Internet pranks. Yet they paved the way for a rash of extortion schemes based on DDoS attacks and shook consumer confidence in online buying. One-third of those surveyed following the attacks said they were less likely to make a purchase on the Internet, and three out of five were more concerned about their privacy than before.

Code Red, NIMDA, Slammer Truly the evil trinity of early malware, Code Red, NIMDA and SQL Slammer made Windows and network administrators shiver. Code Red struck first in July 2001, exploiting a buffer overflow vulnerability in Microsoft's IIS Web server that had been patched weeks earlier. NIMDA, meanwhile, arrived a week after the Sept. 11 terrorist attacks, leading some to speculate the worm could be a follow-up attack against an already shaken nation. Unlike Code Red, which spread only by scanning for vulnerable IIS servers, NIMDA propagated via email, open network shares and infected Web sites, and it also exploited holes in IIS. Slammer may go down as the most prolific and efficient worm in history. Hitting in January 2003, Slammer spread incredibly quickly through a buffer overflow bug in SQL Servers worldwide. Within 10 minutes, 90 percent of vulnerable machines had been infected (a patch for the vulnerability had been available for six months). Slammer weighed in at less than 400 bytes of code, but delivered a nasty denial-of-service payload, slowing down Internet backbones in countries all over the world.

9/11 The Sept. 11 terrorist attacks had an enduring impact on the economic, psychological and social fabric of the United States, but was it a turning point in information security? Not to a great degree, but it did increase awareness of security, and focus attention on contingency planning and business continuity.

Spam Spam has exploded as a security and operational problem, making up 87 percent of global email by the end of 2006, according to email security vendor Commtouch. That volume spiked precipitously late last year, fueled by the use of botnets, largely replacing the buying and selling of address lists, and new evasion techniques delivering not only unwanted junk email, but a litany of phishing attacks and spyware.

Bill Gates' First RSA Keynote Two years into Microsoft's Trustworthy Computing initiative, Bill Gates put his mouth where his money was, delivering the first of his four RSA Conference keynote addresses. It was not so much what he said on Feb. 24, 2004, but where he said it in front of an audience weary of endless patching and malware hitting Windows systems. For the record, Gates primarily previewed security in XP Service Pack 2.

Spyware Adware vs. spyware debates abated in 2004 when it became clear spyware was a security issue and machines were infected with more than just annoying pop-ups. The market was initially slow to respond. Eventually, antivirus transitioned to integrated, comprehensive antimalware tools, featuring combinations of signature- and behavior-based detection, host-based intrusion prevention, host firewalls and more. Hackers have also built business models around spyware, with large botnets spewing Trojans or hijacking machines used in everything from DDoS attacks to money-laundering schemes.

Wireless Wi-Fi liberated us, changing the way we work, making us mobile, enabling us to connect to the Internet and corporate assets at home, on the road and roaming throughout the workplace without the restrictions of wired Ethernet connections. Like most new enabling technologies, security has been playing catch-up to functionality. Wi-Fi was particularly vulnerable, with a rash of insecure rogue access points and the use of hotspots to connect to corporate assets. Even reasonable precautions often weren't enough, as WEP, the first security standard, suffered from weak encryption and static keys: every station shared one long-lived key, and the only per-packet variation was a 24-bit initialization vector sent in the clear, so keystream reuse was inevitable on a busy network. The WPA and WPA2 standards eventually corrected WEP's weaknesses.
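As an added illustration, not code from the original article, the following Python shows concretely why a static key is fatal for a stream cipher like WEP's RC4. WEP forms the per-packet RC4 key as the 3-byte IV followed by the shared key, and the IV travels in the clear; the moment two frames go out under the same IV they share a keystream, so XORing the two ciphertexts cancels the keystream and leaves only the XOR of the plaintexts. Knowing (or guessing) one plaintext then yields the other. The shared key, IV and frame contents below are constructed for the demo, and the CRC-32 integrity value that real WEP appends is omitted because it does not change the keystream-reuse argument.

```python
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm (KSA) followed by the
    pseudo-random generation algorithm (PRGA). Returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: per-packet RC4 key = IV || shared key.
    The 3-byte IV is transmitted in the clear alongside the ciphertext.
    (Constructed model of WEP; the CRC-32 ICV is intentionally left out.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If c1 and c2 were produced under the same IV (hence the same keystream),
    c1 XOR c2 == p1 XOR p2, so knowing p1 reveals p2 (up to the shorter length).
    No key material is needed at all."""
    return xor(xor(c1, c2), p1)

def iv_collision_probability(n_packets: int, iv_space: int = 2 ** 24) -> float:
    """Birthday bound: probability that at least one IV repeats among
    n_packets frames when IVs are drawn uniformly from a 24-bit space.
    Real drivers often did worse (sequential or resetting IVs)."""
    log_no_collision = sum(math.log1p(-i / iv_space) for i in range(n_packets))
    return 1.0 - math.exp(log_no_collision)

if __name__ == "__main__":
    # Constructed demo values: a 40-bit shared WEP key and two frames
    # that a careless driver sends under the same IV.
    shared_key = bytes.fromhex("0123456789")
    iv = b"\x00\x00\x01"
    frame1 = b"GET /login HTTP/1.1"          # attacker can guess this one
    frame2 = b"user=alice&pw=hunter2"        # victim's secret
    c1 = wep_encrypt(shared_key, iv, frame1)
    c2 = wep_encrypt(shared_key, iv, frame2)
    leaked = recover_with_known_plaintext(c1, c2, frame1)
    print("recovered from IV reuse:", leaked)
    print("P(IV repeat after 5000 frames) = %.2f" % iv_collision_probability(5000))
```

The recovery function never touches the shared key: the attack works against any stream cipher whenever a (key, IV) pair repeats, which is exactly what a static shared key plus a 24-bit IV guarantees after a few thousand frames. WPA's per-session, per-packet keying (TKIP, and then CCMP in WPA2) is the fix the item above refers to.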

SOX Appeal
by Amy Rogers Nazarov
Sarbanes-Oxley Act helped put information security on the map.

The Sarbanes-Oxley Act of 2002 (SOX), enacted in the wake of the accounting fraud that made Enron, WorldCom and others synonyms for financial scandal, wrought a profound change in the way businesses secure their enterprises.

Specifically, section 404--which refers to the implementation of "controls that pertain to the preparation of financial statements for external purposes that are fairly presented in conformity with generally accepted accounting principles"--has pushed countless information security professionals at thousands of publicly traded companies to consider how to deploy security practices in the service of accurate financial data. It also gave them new clout.

"SOX was a major driver at putting IT security on the map," says Constantine Photopoulos, a partner in The SOX Group, a New York-based consulting firm.

"Business knew that IT was important, but the relationship between the controls in IT and business processes became more apparent," says Sean Ballington, systems and process assurance leader, PricewaterhouseCoopers.

Consider one of those business/IT links--the requirement to archive relevant instant messages--and the steps one company is taking to demonstrate the "reasonable effort" SOX requires.

"We intend to reduce [IM] issues by using Microsoft Live Communications Server 2005 and federating with MSN, Yahoo and AOL," says Jonathan Wynn, manager of advanced technology and collaborative services at Del Monte Foods' Pittsburgh site. "We're blocking clients so traffic is going through LCS."

SOX also requires that companies assess the effectiveness of their controls, then use an outside auditor to attest to the veracity of that assessment. That role is morphing, observers say.

"After seeing what happened with Enron and Arthur Andersen, consulting firms were a little gun-shy about taking any semblance of a risk-based approach to audit," says Mike Nelson, president of SecureNet Technologies, an information security consulting shop in San Ramon, Calif. "They wanted to audit every single control to the nth degree. But, in the last year or two, the Public Company Accounting Oversight Board (PCAOB)"--the nonprofit created by the passage of SOX to oversee auditors--"has focused more on the areas of the enterprise that represent the highest risk of threat."

Subsequent SOX audits have made companies more savvy. "We have reduced our key controls by one-third, from 75 to about 50," cutting audit fees in half, says Hamid Mashouf, vice president of technology at bebe, the San Francisco-based women's clothing company, which has completed three audits. "We ratcheted back because some were not needed."

Even as SOX implementation work has waned, assessment is going strong.

"We think there are more than 6,000 non-accelerated filers out there, so the bulk of the marketplace for SOX compliance is in front of us," says Rick Dakin, president and founder of Coalfire Systems, a Louisville, Colo.-based auditor.

Ultimately, SOX set the stage for organizations to meet more federal requirements. "My FISMA business is heating up," says Nelson. "SOX is cooling down."

Amy Rogers Nazarov is a freelance writer based in Washington, D.C.

Evolution of a Hacker
by Adam Stone
Internet pranks give way to crime.

Like kids playing with a pointy stick, the perpetrators of Internet-based malfeasance keep raising the stakes. "Can-you-top-this" hackers have given way to criminals stealing identities and committing fraud for profit. The chronology is clear, but the real interest lies in the causes.

The game, if it is a game, starts in the early 1990s with students and whiz kids breaking into corporate and government systems just to show it can be done. They leave calling cards, tokens of their presence: a bit of harmless nose-thumbing.

So much for the fun.

By the end of the decade, hackers begin tampering with systems as a means of humiliating corporate know-it-alls. The temperature rises as black hats leave systems hanging, stop traffic, destroy files and deface Web sites. Worms self-propagate throughout systems, delivering payloads that grow steadily more malicious.

By 2001 and 2002, password stealers, keyloggers and other crimeware enter the scene, harvesting personal data from users' computers. Trojans commandeer online banking and other secure services.

By 2004, the rapid rise of phishing schemes shows there is money to be made, at least in theory, but initially there is no market for this data, no infrastructure to convert scams into cash. "It was analogous to stealing a Picasso or a van Gogh and then saying, 'OK, now where do I sell this thing?'" says Jose Nazario, a senior security researcher at Arbor Networks.

But by 2005, organized criminals geared up for lucrative profits. Today, complex international criminal interests scrub cash gained through diverse schemes and move it across borders, while underground organizations sell and lease do-it-yourself kits with all the code you need to commit your own online fraud.

Welcome to the world of professional crimeware.

How did playful malice blossom into corporate crime?

Asked, "Why do you rob banks?" Willie Sutton replied, "Because that's where they keep the money." Today, not just banks but also investment houses, insurers and a host of other financial services organizations all "keep" their money online.

Further, online crime looks easy.

"A lot of it has to do with the low-hanging fruit. If it requires fewer skills and has a high probability of success, that is where the crime is going to go," says Gunter Ollmann, director of security strategy for IBM.

In reality, cybercrime isn't easy. The white hats throw up new defenses all the time. New laws check the flow of ill-gotten gains. Yet, criminals sense a fundamental vulnerability inherent in how the mechanism has been set up.

"In order to make the ordinary people want to sign up for the Internet, we had to make it very easy for people to use it," says David Perry, global director of security education at Trend Micro. Users resent the slightest intrusion to seamless browsing, even if it's a security measure designed for their protection.

"People have demanded that everything be open to the world, and then they plug in without any thought," says Perry.

All of which potentially leaves the criminals in charge. Professional thieves work in teams, reaching across international borders to steal, launder and cheerfully spend their Internet-gained lucre. No longer a hobby, cybercrime has become a lucrative career.

The future? Watch the cocaine market for hints.

"We are going to see more specialization, more specific roles," Nazario says. "People who don't know how to code, but know how to commit crime. People who do know how to code and who become suppliers or authors. Sort of like the drug trade."

Adam Stone is a freelance writer based in Annapolis, Md.

We Hardly Knew Ye

10 companies or markets that succumbed to consolidation.

Some companies vanish without a trace; others leave their mark on a product line long after corporate entities are gone; still others maintain an identity within a new parent company. We recall 10 of the many information security companies, in some cases groups of companies, that in large part defined their markets and have come and gone:

@stake Symantec's acquisition of @stake for its professional services and talent sent shivers through the service provider's customers. Symantec also picked up the SmartRisk Analyzer service, whose effectiveness at finding and closing vulnerabilities drew raves from customers.

Baltimore Technologies Remember the Year of PKI? You should, because there were several. Ireland's Baltimore was one of the big names in the often rocky PKI market, but failed to endure where competitors like Entrust, RSA and VeriSign thrived. Baltimore succumbed in 2004, bought out by beTrusted at a fraction of the valuation it enjoyed at the height of the dot-com boom.

BindView A leader in risk management, its products have been integrated into the Symantec portfolio.

Brightmail The popular email security service provider is now the backbone of Symantec's services and products.

Lost Identity Netegrity, one of a handful of Web access control vendors, was snapped up by CA, while competitor Oblix was acquired by Oracle, as those heavyweights sought to compete with RSA Security and IBM in the increasingly important Web identity management market.

Okena/Entercept These companies may have been ahead of their time, when host-based intrusion prevention systems (HIPS) were an interesting technology with very limited deployment. Now, some sort of HIPS is a required component of the new comprehensive endpoint security products, and the Okena and Entercept technologies formed the foundation for offerings from Cisco and McAfee, respectively.

Poor Service The fragile confidence in managed security service providers (MSSPs) was shaken by the abrupt failures in April 2001 of Salinas Group, which shut down without giving customers passwords to access their systems, and Pilot Network Services, which shut down without notifying customers, some of whom sent engineers to the vendor's SOC.

Provisional Market User provisioning was a market unto itself within the broadly and vaguely defined identity management market, but that changed as Waveset (Sun Microsystems), Thor Technologies (Oracle), Business Layers (Netegrity) and Access 360 (IBM) were acquired to become part of more comprehensive IDM offerings.

TruSecure/Ubizen/beTrusted Remember beTrusted, the company that bought Baltimore? Well, it bought controlling interest in managed service provider Ubizen, then merged with services provider TruSecure (after it sold Information Security to TechTarget) to form CyberTrust, which, in turn, was recently acquired by Verizon Business.

Web App Firewalls Get Hot The startups in this market are fast disappearing, as interest in Web application security intensifies. Teros (formerly Stratum8) sold to Citrix; Sanctum to Watchfire, which, in turn, sold AppShield to F5; KaVaDo was acquired by Protegrity and Barracuda Networks bought NetContinuum in September.
