As new data breach reports pile up by the day, IT shops are desperately searching for tools to help ensure their organization doesn't become the next big headline. Though a chronology of data breaches kept by the Privacy Rights Clearinghouse keeps getting longer, some IT administrators report some success in the fight to protect their own customer data. They attribute that success to finding the right vendors and heeding government regulations.
As of Tuesday, the Privacy Rights Clearinghouse estimated that 166,036,453 records containing sensitive personal information have been compromised to date. Seventeen security breaches were disclosed this month alone, including compromises at TD Ameritrade, Johns Hopkins Hospital, Pfizer and several academic institutions such as the Brevard Public Schools District in Florida and the University of South Carolina. And on Wednesday came word that the credit card data of eBay users had been compromised.
Meanwhile, the most notorious data breach disclosure so far this year was back in the news Tuesday, when Canadian officials released the results of an investigation into the massive data security breach at TJX Cos. Attackers reportedly began their assault on TJX by exploiting Wi-Fi weaknesses at a Marshalls clothing store near St. Paul, Minn. Investigators believe the thieves aimed a telescope-shaped antenna at the store and used a laptop to snatch data transmitted between hand-held price-checking devices, cash registers and the store's computers. The exploit eventually led them into the central database of TJX, where they would repeatedly rob the system of sensitive customer data.
The breach ultimately exposed 45 million customers to potential identity fraud. TJX also announced a proposed settlement this week in which affected customers would have access to three years of credit monitoring services and identity theft insurance.
One security professional who's acutely aware of the data breach threat is Craig Shumard, chief security information officer for CIGNA, a large Philadelphia, Pa.-based health insurance company. The company has more than 9 million members and 23,000 employees internationally, and the information in its database would be a tempting prize for attackers.
"We see ourselves as a risk-based organization and our main focus is protecting member and customer information so there isn't an inappropriate use of information that breaches trust," he said. It's no easy task because CIGNA's IT environment has grown increasingly complex, with business-to-business arrangements that often require third parties to access the network. "We need to ensure partners are handling data as carefully as we handle it," he said. "We need to make sure they adhere to our policies and also the regulations we are bound by." Those regulations include HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, and 34 state privacy laws.
For Shumard, one of the biggest headaches is that there are no recognized and agreed-upon standards third-party audits can be based on. Some partners may be audited by different parties, but it would be better if there was one standard those audits could be based on, he said. "If an agreed-upon third party like Price Waterhouse could be sent in to do an audit of third-party processes, that would also make life better," he said. In turn, the likelihood of a data breach would be further reduced.
Until a more uniform auditing process comes about, Shumard is relying on several vendors to help defend CIGNA from a data breach, including IBM, Symantec, Verdasys, Vontu and Aveksa for a more automated network access control. "We're using about 25 different security vendors in all," he said, adding that Aveksa has proven especially useful for monitoring, reporting and certification of user entitlements and roles across the network.
While an increasing number of state and federal regulations has made life difficult for IT shops, many readily admit the compliance work has forced them to improve security in ways that greatly reduce the chances of a data breach.
Ann Auerbach, IT and compliance manager for Denver-based Cimarex Energy Co., acknowledges that the biggest concern for the oil and gas exploration company is being able to respond adequately to auditors examining its security controls. She manages a security program designed to protect a Windows-based environment used by some 800 employees.
"Because we're public we fall under Sarbanes-Oxley and one thing we need to do is prove our IT folks aren't changing financial data," she said, noting that the company employs 40 IT professionals to support six offices with 50 or more employees each, plus 30 additional field offices. "In the oil and gas business, the ownership of a well and royalty distribution are the keys to the kingdom, so we need to be sure insiders aren't trying to change information in the data."
To that end, the company must provide auditors with reports proving that only authorized users are making changes to data. "We need alerts when anyone outside that small list tries to make a change," she said.
For that, she chose technology from database security vendor Guardium. She said version 6 of Guardium provides her, among other things, with regular reports auditors can study to see who is doing what on the network.
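The control Auerbach describes, an alert whenever an account outside a short authorized list modifies financial records, can be expressed as a simple check over database audit logs. The following is an added illustration, not Cimarex's or Guardium's own code: the log format, the table names (well ownership and royalty distribution) and the authorized accounts are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not real Guardium output): who changed what
# in the tables holding well ownership and royalty distribution data.
SAMPLE_AUDIT_LOG = """\
2007-09-12T08:14:03 user=jsmith db=finance table=well_ownership op=UPDATE rows=1
2007-09-12T08:20:41 user=svc_etl db=finance table=royalty_dist op=INSERT rows=240
2007-09-12T09:02:17 user=rjones db=finance table=well_ownership op=UPDATE rows=3
2007-09-12T09:05:55 user=jsmith db=finance table=well_ownership op=SELECT rows=12
2007-09-12T10:30:09 user=tadmin db=finance table=royalty_dist op=DELETE rows=7
"""

# The small list of accounts allowed to change financial data (assumed values).
AUTHORIZED_CHANGERS = {"jsmith", "svc_etl"}
# Only data-modifying operations count as changes; reads are reported separately.
CHANGE_OPS = {"INSERT", "UPDATE", "DELETE"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) "
    r"table=(?P<table>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)


def parse_audit_log(text):
    """Parse the constructed audit lines into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rows"] = int(rec["rows"])
            records.append(rec)
    return records


def unauthorized_changes(records, authorized=AUTHORIZED_CHANGERS):
    """Return records where a modifying operation came from a user outside the list."""
    return [r for r in records if r["op"] in CHANGE_OPS and r["user"] not in authorized]


def change_summary(records):
    """Per-user count of data changes, the kind of report an auditor would review."""
    summary = defaultdict(int)
    for r in records:
        if r["op"] in CHANGE_OPS:
            summary[r["user"]] += 1
    return dict(summary)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for a in unauthorized_changes(recs):
        print(f"ALERT {a['ts']}: {a['user']} ran {a['op']} on {a['table']} ({a['rows']} rows)")
    print("changes per user:", change_summary(recs))
```

In production the log source would be the database's own audit trail or a monitoring product's export, and the authorized list would be maintained alongside the change-management records auditors ask for.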
Cimarex's focus on documenting data changes made from within is wise, if the results of a recent study from auditing and accounting firm Deloitte Touche Tohmatsu are any indication. After interviewing senior IT executives from 169 global institutions, the firm found that almost two-thirds of respondents had reported repeated external security breaches, and the top three breaches this year were viruses and worms, email attacks, and phishing/pharming, all unwittingly perpetrated via the customer.
The survey also showed a shift in priorities from protecting sensitive data from attack by outsiders to addressing internal threats. Ninety-one percent of respondents said they are most concerned about employees, while nearly 80% cited the human factor as the root cause of data security breaches.
This isn't the first time IT professionals have cited insiders as their biggest security concern. A vast majority of the IT executives interviewed by SearchSecurity.com two years ago, for a series on the merging physical-cyber threat, said insiders were a major cause for concern.
Indeed, many of the data breaches reported since early 2005 have been rooted in the actions of insiders. In the case of DuPont, a malicious insider was caught giving proprietary information to a DuPont competitor. But in a security breach at the U.S. Department of Veterans Affairs last year, the damaging actions of an insider were more careless than malicious. The employee had been storing data on millions of veterans at home. The data was compromised when burglars broke into the home and stole computer hardware housing the data.