The past year has set new records for information security breaches in the United States. The California Security Breach Act (SB-1386), which requires California businesses to notify customers of a security breach involving their customer information, has caught on across the country. Companies are now voluntarily complying with the terms of this law nationwide, likely contributing to the number of breaches publicized in recent months. Financial institutions are now required under FDIC FIL-27-2005 to notify customers whose information falls victim to a data breach. As a result of these incidents being made public, the information technology industry is being scrutinized for its inability to prevent security breaches. Yet a look back at some of the headline-grabbing information security incidents reported in 2005 reveals one striking anomaly: many of the high-profile incidents had nothing to do with technical controls.
A recent USA Today article declaring 2005 as the “Worst Year for Breaches of Computer Security” unknowingly highlights this issue. The article identifies some of the more notable information security incidents of the year. It also suggests that more government resources should be aimed at preventing cyber attacks. Ironically, most of the so-called cybercrimes it cites were not caused by technology failures. They resulted from lapses in ordinary, uncomplicated controls such as physical security or media handling procedures. This seems to be in direct contrast with the usual connotations of cybercrime. With all the talk in the mainstream media about the dangers that hackers present to our personal information, it seems that a key element of security is being overlooked.
Okay, so sound offsite storage rotation procedures will never be as intriguing as zero-day exploits. Does that mean we simply keep pretending that a kid with a laptop and too much time on his hands is our biggest threat to corporate security? This is not to suggest that we ignore the risk of external intrusion, which multi-layered perimeter defenses address. Rather, the amount of attention given to this threat should be proportionate to the risk it presents. Focusing all of our efforts on new strategies to prevent hackers from exploiting our complex security perimeters while customer information is being carried out the front door is not an effective use of limited resources. It’s time that we destroy the mythical connotations of information security breaches so they can be dealt with in an appropriate context.
Let’s take a look at some of these “cybercrimes” and the attack vectors employed by the “hackers”.
| Company | Data Lost/Compromised | Attack Vector |
|---|---|---|
| Marriott | 206,000 customer and employee records compromised. | Backup tapes disappeared from an Orlando office. |
| Ford Motor Co | 70,000 former employee records compromised. | Computer with employee records stolen from a computer facility. |
| CitiFinancial | 3,900,000 customer records compromised. | Backup tapes lost while in transit. |
| ABN AMRO | 2,000,000 customer records compromised. | Backup tapes disappeared while in transit. |
| ChoicePoint | 145,000 customer records compromised. | Failure to properly identify clients before granting access to customer information allowed identity thieves to freely and openly access private information. |
Clearly this is not a comprehensive list of security breaches in 2005. Hacking did claim its fair share of the reported incidents. However, security breaches continue to be construed as simply a technology problem. Technical controls had little, if any, impact on the incidents identified above. These breaches resulted from physical and administrative failures. These controls are outside the scope of most tools designed to prevent network intrusions. They are core components of information security which should be addressed in a company’s policies and procedures. Without the full participation and support of top management, policies and procedures can never be an effective means of controlling information security.
Information security is a process that addresses risk to the entire organization. The controls, effects, and responsibility for managing the risks of security breaches are all under the control of corporate management. Hacking is only one threat to information security. Too often this threat is considered to be the only risk that must be actively managed. A layered security approach is vital to manage the risks involved in information security; however, businesses do not need to allocate more resources to address risks that are already being sufficiently managed. The most effective use of additional resources for many businesses would be conducting a comprehensive assessment of the risks to the organization and developing a sound risk management program. An effective risk management program could identify gaps in administrative, physical, and technical security controls. This would allow organizations to identify the areas that are truly vulnerable to an information security breach. If the companies in the examples above had sufficiently addressed risk in this manner, these incidents most likely would have been prevented. Until information security is understood to be a business issue, technology will continue to be ineffectively used as a replacement for good security management.