Data leakage and the end of the world
Most of the time when IT folk talk about data leakage they mean employees emailing sensitive documents to Gmail accounts or exposing the company through peer-to-peer networks or the burgeoning use of social networking services. CNet News reports “Nearly 40 percent of IT staff at mid to large companies in North America said they believed that unintentional leaks by employees are a bigger threat to the security of their data than spyware or malicious software…” A Government Technology article quote “According to research 70 percent of businesses are concerned about sensitive material falling into the wrong hands as a result of data leakage via e-mail. ”
These concerns are serious and far reaching in impact. Consider all the firms that had to notify clients that names, birth dates, and social security numbers were potentially exposed in one way or another. In a recent article, ComputerWorld reported “the emergence of several data aggregators whose sole purpose seems to be collecting information on P2P networks for their own illegal uses or to resell to other miscreants.” As a consumer of multiple online services, I’m not exactly encouraged by these stories, but I’ll sign up for credit monitoring and hope for the best.
As an industry analyst in the IT management space, I have a sneaking suspicion that the data leakage situation is on the verge of becoming a much broader-based IT issue. The reason is IT’s logging, auditing and reporting processes creates the potential for data leakage as well.
Think about all the sensitive technical information that is routinely captured in computing logs. Database passwords, data schemas, system configuration information are the most obvious – and the easiest to leverage in malicious ways by those with the technical know-how, be they external criminals or unstable employees. Yet most non-technical people with ‘incidental’ access to this information, probably buried in the details of automatically generated audit reports, would have no clue that this information is either useful or sensitive. I can just see this information flitting about an enterprise because people need to see a summary chart but it’s easier to just forward the original email with the whole file. Ninety-nine percent of the time nothing comes of this, but then there is that one bad apple that takes advantages of weak controls over good processes.
Another thing that bothers me is that the public disclosure of our judicial system to try and punish these bad apples can actually add to the problem. Consider the current case against Terry Childs who locked up the San Francisco networks. According to an InfoWorld article a list of VPN group names, passwords, and associated subnets was entered into evidence without editing or redaction. Having this information is the first step towards gaining illicit network access. While the network may not in immediate danger it, will create a ton of extra work for the remaining network administrators as they will have to reconfigure their VPN clients. While this reconfiguration is happening, all VPN access will probably be suspended, which means thousands of people will not be able to work from home, which is thousands of more cars on the road every day, which means longer traffic jams, which means more greenhouse gases released into the air, which will hasten global warming and bring about the destruction of life on earth!!!!!
Obviously I’m diving into the deep end of the crazy pool to make a point. Let me get back to reality.
The reality is that non-technical people with the best intentions can open gaping security and privacy holes by releasing technical data discovered through investigative auditing into the public domain. Those holes have consequences that businesses, organizations and individuals would be best off avoiding. Avoiding these consequences after this technical data is public generates a lot of extra work for IT staff, who are already overworked and worried about looming budget cuts.
We are just at the beginning of this trend. A wider range of non-technical people are going to make use of IT data for a variety of different tasks beyond compliance auditing and legal investigation. As more business services and business models include online strategies the more IT data will be used for decision making, product development, marketing and so on. For example, there are business intelligence analysis solutions that directly interface with and leverage IT log data and other IT-based data sources. The users of these solutions are marketing analysts and business managers who wouldn’t intentionally put the company in harm’s way, but could if their laptops are lost or stolen.
As the use of IT-based data becomes more pervasive it becomes important to think about how to proactively prevent IT data leakage. What you can do now is make sure to cover some basics, starting with your auditing processes. For example, if IT data (logs, events, analysis, etc) is continually collected in a central repository for an extended period of time for compliance reasons, then it must also be securely stored for that time. This means the data must be protected with layered administrative controls and encryption. The next step could be integration with external authentication systems that allow centralized management of users and privileges according to corporate policies from outside of the compliance tool. Similarly, if IT data will be leveraged by multiple business analysis tools, then log scraping capabilities may be essential. Log scraping would automatically identify sensitive content, such as system passwords that are output to logs during audited provisioning and patching jobs, and remove the content from centrally-stored logs. Auditors would still be able to identify who did what and when to the target systems, however, there will be no leaking of plain-text system passwords or database schemas into the public domain.
And while you’re at it, consider using your analysis solution to set up automatic action that finds those pesky P2P file-sharing programs, uninstalls them, and emails the installer a P2P data leakage horror story. After all, isn’t teaching by repetition is a time honored practice.
Jasmine Noel is founder and partner of Ptak, Noel & Associates. With more than 10 years experience in helping clients understand how adoption of new technologies affects IT management, she tries to bring pragmatism (and hopefully some humor) to the business-IT alignment discussion. Send any comments, questions or rants to firstname.lastname@example.org
Wider implications of the redhat breach
Reports of data losses and system breaches are almost becoming passé but from time to time events happen that take on a life of their own and have effects far beyond what the initial breach would normally represent. Late last week there was an announcement that key servers belonging to both the Fedora and Red Hat Linux distributions were compromised. With this breach they join the ranks of Ubuntu, Debian and Gentoo as Linux distributions that have suffered severe server breaches.
Infamous Phishing gang joins stealthy botnet
The infamous Rock Phish gang appears to have moved its operations to a notoriously stealthy botnet in an effort to more aggressively spread and expand its phishing attacks.
Did you know?EventTracker helps companies change their security strategy from reactive to proactive to withstand the explosion of emerging threats and new attack vectors.
Sound compliance policies, practices reduce legal costs
How much you spend on legal costs does not depend so much on the size of your organization, but, rather, on the policies, processes and practices you have in place, according to results of a survey of 235 U.S. firms released today by the IT Policy Compliance Group.
Did you know? SIEM (Security Information and Event Log Management) is a best practice for satisfying multiple regulatory standards while improving security.
Cool Tools and Tips
How to detect the 5 code-red security threats to Windows Servers
This document identifies and describes the 5 most significant security threats to Windows servers, so they can be addressed and corrected by IT personnel in the most efficient manner. Critical alert notifications and an effective resolution strategy will reduce IT costs, while increasing service availability and enhancing the security of your enterprise.
Managing USB Mass Storage Devices – Best Practices
In the last few years, portable, high capacity USB storage devices like thumb/flash drives have become increasingly prevalent in corporations, and devices such as cell phones, PDA’s, iPods all can serve as USB storage devices. These devices are incredible productivity aids – large files can be moved from computer to computer without the need to maintain shared drives, or even worry about file sizes preventing email. Personnel are also able to take files home to work on home computers off hours. The issue is that all these advantages introduce significant security vulnerabilities at the same time.
This White Paper discusses how you can take advantage of the power of these devices without leaving your operation wide open to critical company information being misappropriated. Until now the choice has been to either shut down USB devices – either in Active Directory or through more extreme methods (the “glue in the USB port” trick comes to mind) – or simply trust every user to do the right thing. This paper introduces a third way that Prism Microsystems calls “Trust but Verify” which is made possible by EventTracker’s advanced USB monitoring capability.
Watch this webinar that demonstrates how EventTracker provides advanced monitoring and analysis of the usage of USB devices including:
- Track Insert/Removal
- Record all Activity (file writes to)
- Disable according to predefined policy