Why is it so hard to secure a laptop? Where are the green fields for identity thieves? What are the security threats that IT professionals are ignoring? IDG News Services recently invited the heads of three security businesses—Barracuda Networks CEO Dean Drako, Sana Security CEO John Zicker, and Jay Kidd, who runs Network Appliance’s emerging products group—to a roundtable discussion of the trends they see on the horizon and the threats they think IT executives may be missing.
Following is an edited transcript of that discussion.
IDG: The U.S. Department of Veterans Affairs recently lost a laptop containing information on more than 26.5 million veterans; Ernst & Young Global lost a laptop containing sensitive information on nearly 250,000 Hotels.com customers. Why do we keep hearing about these missing laptops?
Dean Drako: I think people just did what was easy and convenient and didn’t really think about it. Ernst & Young guys used to go in and audit, and they’d have paper and pencil. Then they started getting laptops and they started carrying them in, so they’d create little spreadsheets. And then USB keys appeared, and they could say, “Oh, let’s just transfer that data to a laptop.”
Nobody ever really thought about the repercussions of the fact that these laptops were scooting out of the building every night.
John Zicker: Most people don’t buy fire insurance until their neighbor’s house burns down, or the mortgage companies require you to have it to buy the house. Laptops and desktops have been one of the last things in the security industry for people to worry about. They worried about perimeters and about central storage, and now they’re worried about desktops and laptops because it’s not been a big issue before.
Jay Kidd: Security’s always a balance between safety and inconvenience. So there’s some level of inconvenience with any security. Companies are figuring out: Where is the right balance? And every time you have one of these disclosures, it shifts a little bit more toward safety. But the bias is toward convenience.
IDG: How much should we be worrying about laptop theft, really? There must be more efficient ways to steal somebody’s identity.
Kidd: That’s not the efficient way to get identity. The bigger concern has actually been in the public sector, because it’s targeted. You can target everybody in the Pentagon, everybody in the State Department. I know that there’s a higher incidence of that theft than there is of just general corporate theft. In general, corporate theft is about walking through the office and grabbing a few laptops and selling them for the hardware. It’s not identity theft.
IDG: What are the new threats that people aren’t thinking about?
Drako: There has been a market change over the last five to six years, primarily due to Sarbanes-Oxley. It used to be that you actually trusted your employees. What’s changed—and which is really kind of morally and socially depressing—is that now, the way the auditors approach the problem, the way Sarbanes-Oxley approaches the problem, is you actually put in systems assuming that you can’t trust anyone. Everything has to be double-signoff or a double-check in the process of how you organize all of the financials of the company.
That is really the major shift, which has created a huge burden on how we operate any [publicly traded] organization. Part of it you can attribute to folks like Enron and CA, where the guys at the top were crooks.
Kidd: The SEC [Securities and Exchange Commission] positions themselves as the protector of the public in terms of investors. They were having to trust the CEOs and the CFOs that the results that they reported were accurate. Enough examples showed that they couldn’t, so they had to put in some sort of double-check to make that provable.
I think the same thing will probably happen in IT organizations. Stealing identities one at a time by snooping Internet traffic is not the most efficient way to do it. You want to go to the accounts that have a large number of customer records with credit cards and Social Security numbers, and you figure out a way to grab that database. The probability of finding some employee somewhere in the process who is willing to be corrupted, it can happen. Or you take the backup tapes as they’re in transit …
Zicker: The simple way: Pay the cleaning lady $1,000.
Kidd: … that’s almost untraceable. I think it’s the intentional attacks, as opposed to the accidental or opportunistic, that are the threat that people are starting to worry about.
IDG: Backup and laptop encryption is one way to respond to these threats, but what other things leave people exposed?
Drako: There’s a lot of traffic that goes over the Internet in the clear.
Kidd: The amount of data that’s encrypted versus the amount of data—it’s a tiny fraction.
Drako: I probably shouldn’t say this, but we have e-mail that goes back and forth between people in our company and it’s not encrypted. And some of the data is stuff that we wouldn’t want other people to see.
But it’s a probability game. I know that the probability is one in 10 trillion that somebody’s going to be snooping the traffic, so it’s like the risk is OK. But there are other people who I am sure have a lot of Internet traffic in the clear, who it’s probably more of a risk to.
Zicker: One of the things that we see a lot with identity theft is mass distribution of malware that’s bundled with good things, typically ads. You’re browsing the Web through what look like perfectly good websites, and you drive by an ad—you don’t even have to touch it—and you can have malicious software installed on your machine.
And what’s fascinating about it is you take it at the macro-economic level and you can see why they do it. You buy excess ad inventory—keywords off of Google of known good ads—bundle something bad with it, pay a good website 50 cents per ad impression instead of the going rate of 10 cents. Everybody kind of wins along the way, and then malware is on the box.
There’s no way for me as a website person to check ads to see if something malicious is bundled with them. And you can’t tell by looking at an ad whether there’s something malicious going on.
-Robert McMillan, IDG News Service (San Francisco Bureau)