This has not been a banner year for information security.
From a stolen laptop full of Social Security numbers to a website that lost oceans of credit card data, commonsense security procedures seem in short supply. “Almost without exception we’re living in a world where no one thinks to lock the stable doors until the horses have escaped,” says David Friedlander, a senior analyst at Forrester Research.
CIOs can spend millions on firewalls, intrusion detection systems and whatever else their security vendors are selling, but when that VP of marketing decides to sync his work laptop with his unsecured home PC—and there’s no policy or training to make him think twice—your million-dollar security efforts become worthless.
With that in mind, here are 10 common security ailments and 10 practical remedies. They’re easy and inexpensive, and you can do them right now. All involve some form of user education and training. “How do you stop stupid mistakes?” asks Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. “It’s education and security awareness—basic blocking and tackling—and it does not have to cost a fortune.”
The Hole | A company familiar to Adam Couture, a principal analyst at Gartner Research, searched its Exchange servers for documents called “passwords.doc.” There were 40 of them.
The Problem | Uneducated users. “Some of these [mistakes] are so obvious that you think, ‘Nobody would do that,’” Couture says. “But you give people too much credit.” Any hacker, malcontent employee or grandmother with a minimal amount of computer know-how could unlock those documents and ravage your company’s most sensitive applications (not to mention all of your employees’ personal information).
The Solution | First, CIOs need to acknowledge that there might be passwords.doc files on their networks, find them and destroy them. Then, via e-mail or a companywide meeting, they need to explain to users why keeping a file like this on the network is a really, really bad idea.
Ever Heard of “bcc:”?
The Hole | On June 13, 2005, the University of Kansas Office of Student Financial Aid sent out an e-mail to 119 students, informing them that their failing grades put them at risk of losing their financial aid. The e-mail included all 119 students’ names within the e-mail address list.
The Problem | Besides embarrassing their students, U. Kansas administrators may have violated the Department of Education’s Family Education Rights and Privacy Act, which protects the privacy of students’ grades and financial situations.
The Solution | First, companies need a policy that explicitly states what can and cannot be sent out via e-mail or IM. “A lot of companies don’t have good acceptable-use policies for e-mail,” says Michael Osterman, founder of Osterman Research. He suggests that they map out how employees should handle confidential information, offer them training and have them sign a one-page document stating that they have taken the course and understand what to do. University of Kansas officials say they have “undertaken internal measures—such as reviewing e-mail and privacy policies, and training staff—to ensure it does not happen again.”
Osterman also suggests that CIOs add an outbound scanning system to the existing e-mail system that looks for sensitive content in e-mails (such as 16-digit numbers, which could be credit card numbers). He says these systems are inexpensive and are offered by scores of messaging vendors; some vendors will even do a complimentary scan of a company’s messages to see how bad it might be. One vendor that he’s familiar with started scanning a new customer’s network and found 10 violations in 10 minutes.
No One Noticed? Really?
The Hole | Orazio Lembo, of Hackensack, N.J., made millions by purchasing account information from eight bank employees who worked at several financial institutions, including Bank of America, Commerce Bank, PNC, Wachovia and others. Lembo paid $10 for each pilfered account. Most of the felonious employees were high-level, but two bank tellers were also arrested. Lembo had approximately 676,000 accounts in his database, according to Capt. Frank Lomia of the Hackensack Police Department, an official investigating Lembo.
The Problem | Capt. Lomia says that many of Lembo’s contacts usually accessed and sold 100 to 200 accounts a week—but one managed to access 500 in one week. “What surprised me is that someone could look at 500 accounts and have no one notice,” he says.
The Solution | CIOs, with the help of the HR, security and audit functions, need to institute a clearly defined policy on who has access to what information, how they can access it and how often. After all, with HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley looking over CIOs’ shoulders, compliance and controls have to be on the top of the to-do list. “Through all the phases of information creation to maintenance and storage and destruction,” asks PwC’s Lobel, “do you have that data classification and lifecycle process, and do people know what it is?” Lobel says many of his clients have compliance controls, but employees either don’t know such controls exist or aren’t clear where they apply. “User education is not easy, but it is worth the effort,” he says.
ChoicePoint’s Bad Choice
The Hole | Criminals posing as small-business owners accessed the information—names, addresses and Social Security numbers—of 145,000 ChoicePoint customers.
The Problem | Call it what you will—fraud, “social engineering,” the Kevin Mitnick effect—this was one really glaring example of how these kinds of attacks are plaguing companies. Lobel says commercial enterprises could improve when it comes to training users about social engineering—hackers targeting well-meaning users over the phone or Internet to obtain private information such as passwords. “We’re always going to find somebody who doesn’t know what they shouldn’t be doing,” he says.
The Solution | CIOs should make sure that both users and customers are adequately trained in how to recognize and respond to phishing and other related attacks—especially before they go out and hire a company such as PwC to audit their user base. “[CIOs] should spend their money on a [training] program rather than on testing,” Lobel says. ChoicePoint claims that it has strengthened its customer-credentialing procedures and is re-credentialing broad segments of its customer base, including its small-business customers.
The Hole | On April 5, MCI said that an MCI financial analyst’s laptop had been stolen from his car, which was parked in his home garage. That laptop contained the names and Social Security numbers of 16,500 current and former employees.
The Problem | In many recent cases involving laptops, the computer’s security was handled by a Windows log-on password. “It’s getting easier for even the more casual criminal to find out how to break into the laptop,” says Forrester’s Friedlander. “There’s more awareness that the information is valuable.” Plus, the data in many of these recent incidents wasn’t encrypted. (MCI won’t say whether the stolen laptop was encrypted, just that it had password protection). According to Friedlander, encryption adoption is much lower than firewall adoption because encryption historically has had performance issues (it slows the computer down) as well as usability issues (users are often confused about how to encrypt the right data). In a recent Forrester survey, 38 percent of respondents said they have no plans to deploy encryption tools. Ouch.
The Solution | CIOs need to do some classic risk management, says Friedlander, and ask themselves: What is the information on the system that I care about the most? Who’s connected to a network where I might be exposed? And then they should create or revise their security policies based on that assessment. For example, if a laptop has customer information on it that would kill the company if it got into a competitor’s hands, then the CIO should ensure that encryption was turned on. Users need to understand “why these policies and technologies are in place that may seem inconvenient, but why they do matter,” says Friedlander. “If they realize the implications, most people will want to act.” If the information on another laptop is less critical, then more basic security measures, such as strong passwords, can be used, he says.
Tales of the Tapes
The Hole | Let’s not forget the good ole data tape—in particular, CitiFinancial’s now-infamous UPS shipment of unencrypted computer tapes that were lost in transit to a credit bureau. A whopping 3.9 million CitiFinancial customers’ data was on those tapes, including their names, Social Security numbers, account numbers and payment histories.
The Problem | CitiFinancial has stated it “[has] no reason to believe that this information has been used inappropriately.” But on the other hand, there’s no reason to believe that it won’t be.
There are companies that specialize in handling data tapes, Iron Mountain for one. But even Iron Mountain is not impervious to security snafus. In May, Time Warner announced that Iron Mountain had lost 40 backup tapes that had the names and Social Security numbers for 600,000 of its current and former U.S.-based employees and for some of their dependents and beneficiaries. Iron Mountain says it has recently suffered three other “events of human error” that resulted in the loss of customers’ backup tapes—and these are the guys who supposedly are all about security and nothing else.
The Solution | In July, Citigroup said it will start shipping customer information via direct, encrypted electronic transmissions. Though “you can squeeze a lot more data into a truck than you can over the wire,” Couture of Gartner Research says, “[sending data electronically] could be cost-effective for smaller companies with small amounts of data.” Citigroup’s new shipping method will also take much of the people part out of the equation. “Any time you have to touch that tape and add a human element in the process, there’s the potential [for] incompetence, malfeasance, and pure and simple stupidity,” Couture says. (For more on solutions to identity theft, see “New Locks, New Keys” on Page 88.)
How Much for a BlackBerry?
The Hole | This tale has been told so often that it is teetering on the brink of urban legend status: Back in 2003, a former Morgan Stanley executive, apparently with no more use for his BlackBerry, sold the device on eBay for a whopping $15.50.
The Problem | The surprised buyer soon found out that the BlackBerry still contained hundreds of confidential Morgan Stanley e-mails, according to a Forrester report.
The Solution | First, users with handhelds, laptops and other devices need to be made to understand what’s really at stake. “It’s not the laptops that are the issue; it’s what’s on them,” says For-rester’s Friedlander. Second, CIOs need to institute a repeatable and enforceable policy for device and access management—even for high-powered executives. When someone leaves the company, he should have to turn in all of his corporate-issued devices, and IS should lock him out of all applications to which he had access. “If you have 1,000 users, there should be 1,000 accounts,” says the CISO of a large Midwestern financial services company. “So why are there 1,400? Because people who have left still have authority to log in.” According to the Forrester report, Morgan Stanley did have a policy that stated that mobile devices should be returned to IS for “data cleansing,” but this exec must have slipped through the front door.
Another huge problem is those longtime employees who move around the company and retain access to data associated with their previous jobs even though it’s unrelated to their new position, says Jeffrey Margolies, lead for Accenture’s security services and identity management practice. “They accumulate access over time, and they are an audit nightmare.”
A solution is to set up one place (whether it’s a website or paper form) where employees can request access to applications, Margolies says. CIOs need a policy that states who has access to what systems and why, with IT, HR and security getting to make the decisions. “Over the last 10 years, we have built hundreds of applications, and every single application has its own way of [determining] access and managing that access,” he says. “But just [giving people] one place to go and [saying] just fill out this form—even if it’s paper—the level of confusion is reduced.”
IM Not OK
The Hole | One of your top sales guys is a huge believer in instant messaging. In fact, he’s been using a consumer-grade IM client (probably AOL Instant Messenger) to communicate with his customers for years. And this hypothetical salesman’s IM name fits his personality perfectly: Big Bad Texan.
The Problem | There are three, says Osterman of Osterman Research. First, security: A consumer-grade IM client used on a corporate system will bypass all antivirus and spam software. Second, compliance: Consumer-grade IM clients don’t have auditing and logging capabilities for regulatory compliance. And third, name-space control: If Big Bad Texan takes a job at your competitor, rest assured he’s taking his IM name—and your key customers—with him. “There’s no clue to the outside world that he left,” Osterman says.
The Solution | The first step is for CIOs to admit to themselves that consumer-grade IM could be running rampant in their organizations. Osterman estimates that 30 percent of all e-mail users are instant messaging these days. Like e-mail, CIOs need to develop an acceptable-use policy and make sure everyone understands it. Then CIOs have two options: Allow consumer-grade IM to remain in place and deploy a system that will provide any number of security functions, such as blocking file transfers or mapping IM screen names to corporate identities, says Osterman. Alternatively, CIOs can replace consumer-grade IM tools with an enterprise-grade system. “This can be a more expensive and disruptive option, but it’s one that many organizations are choosing,” Osterman says.
Unwired and Unsafe Workers
The Hole | The CISO of the Midwestern financial services company shares this nightmare: An executive decides she wants to put a wireless access point in her house so she can work at home from anywhere in her house. Her son gets her up and running. She wirelessly logs into the network, and she uses the default password for the connection that came straight out of the box.
The Problem | “Go to every single hacker site, and you can find every default password and user ID [for wireless routers],” says the CISO. “Home PCs are one of the greatest vulnerabilities.” And once this executive authenticates, others can see how she did it, “then people are in,” the CISO says.
The Solution | Back to the basics with this one. CIOs need to make sure all employees who work from home know that they have to change all the default settings, and they can’t forget about firewall, VPN, antivirus patching and authentication tools. That all takes an omnipresent security education program, but to this CISO, it’s the cost of doing business today. “The struggle with security education is getting it so it becomes like breathing,” the CISO says. “Users have to become smarter about how they do things.”
40 Million “Served”
The Hole | In June, MasterCard announced that CardSystems Solutions, a third-party processor of credit card transactions for MasterCard, Visa, American Express and Discover, allowed an unauthorized individual to infiltrate its network and access cardholder data.
The Problem | Up to 40 million cardholders’ information could have been exposed. It turns out CardSystems had violated its agreement with the credit card companies: It was not allowed to store cardholders’ account information on its systems, and yet it did just that.
The Solution | If a company has an agreement not to store another company’s data on its systems, it shouldn’t. And if for some strange reason it becomes necessary, the company had better ensure that it has the necessary controls. “All of those cases of breaches speak to the need for a good, old-fashioned defense, in-depth, with multiple layers of control,” says PwC’s Lobel. For example, he says, instead of just having a firewall, companies should have multiple layers of controls on their network. Or rather than just using SSL, companies need to use authentication too. “You get into the security versus ease-of-use trade-off and cost,” he says. “That’s the decision that businesses have to make with their eyes wide open.”
In the end, how a company views security and protects its customers’ and employees’ data will have a direct correlation to its longevity. In the case of CardSystems, in July both Visa and American Express said they no longer wanted to do business with the company.