Are Data Leaks Bleeding Your
Company Dry?Businesses are starting to respond to the
rising threat levels posed by data leakage from pocket-sized
storage devices. The push to react is not coming from the fear
of lost data as much as it is fear of losing money. Negative
publicity became a primary driver last year in influencing
corporations to address data leakage with new endpoint security
measures.
The data drip is here. Computer security experts are worried
that corporate data leaking from networks onto small mobile
storage devices will worsen into a flood of stolen customer and
company information.
Over half of all information leaks travel to personal data
storage devices such as USB drives, MP3 players and PDAs ,
according to recent industry surveys. These surveys suggest that
portable storage devices are contributing to a staggering rise
in ID theft and loss of sensitive data on the corporate level.
Every 79 seconds, someone in the United States becomes a victim
of such thefts. Even a single incident of data loss can cost a
company millions of dollars in lost revenue, lost opportunity,
lost competitive advantage and costly penalties for regulatory
non-compliance, warn security experts.
"The cost of remediating lost data can be (US)$100 per record,
so it makes economic sense to invest in data loss prevention
technology," Chip Hay, vice president of marketing for security
firm Code Green Networks, told TechNewsWorld.
Alarming Record
A glimpse into the staggering number of people affected by the
top five information leaks of 2006 shows how serious the data
leakage problem is becoming, according to Code Green Networks.
Lost or stolen data from mobile devices affected a total of
nearly 50 million people combined.
Gratis Internet Company collected the personal data of 7 million
Americans via the Internet and later resold it to third parties
in March 2006.
Leak of personal data of U.S. Army veterans and servicemen in
May of last year impacted 28.7 million people.
That same month, a laptop with personal details of Texas
Guaranteed customers was lost by an outsourced contractor
touched 1.3 million people.
Also last year, a laptop belonging to an employee of the
Nationwide Building Society was stolen. It contained the
personal information of 11 million society members.
Later, an employee's mobile computer containing personal details
of 1.4 million people was stolen from the office of Affiliated
Computer Services (NYSE: ACS) (ACS).
Top USB Hacks
With the popularity and convenience of USB and MP3 storage
drives, it should be no surprise that hackers are now using this
same technology to squeeze data from portable storage drives.
Several malware hacks are particularly effective at sneaking
onto portable storage units to steal their content, according to
Paul Henry, Secure Computing's vice president of technology
evangelism.
USBDumper is a software program that runs on a laptop. It copies
everything from the USB drive. It is very popular in
circumstances where multiple users share the same USB drive.
Slurp is a malware program that runs on the USB device itself.
Slurp makes a copy of every document as a list. A second version
of Slurp actually copies all the documents.
Pod Slurping is one of the biggest new items. All somebody has
to do is slip a USB drive into a slot on an unattended computer
and drag and drop the My Documents folder onto the device,
explained Bob Egner, vice president of product and global
markets for PointSec.
Other hacks are capable of wringing even more data from USB
drives. They can create virtual instances on any USB drive. When
the infected portable device is inserted into any PC, the
malware installs dozens of hidden activities on the computer.
"Eighty percent of all data on a USB disk finds its way to a
PC," said Secure Computing's Henry. Once that data makes its way
to a compromised PC, or a hacker's own computer, the stolen data
is irretrievable.
Perhaps even more damaging than losing the data is the loss of
control after it falls into others' hands. It takes only four
hours to lose control of information once it is posted on the
Internet, said Code Green Networks' Hay.
Driving Factors
Businesses are starting to respond to the rising threat levels
posed by data leakage from pocket-sized storage devices. The
push to react is not coming from the fear of lost data as much
as it is in fear of costly penalties, noted Egner.
"Information theft is required to be reported in 34 states so
CIOs are under pressure to lock down their networks," he said.
Negative publicity became a primary driver last year in
influencing corporations to address data leakage with new
endpoint security measures. CIOs now have to worry about network
security concerns on the board level.
"The form factor in mobile devices employees bring to the
workplace is getting smaller, and their capacity is getting
greater. These small storage devices are creeping into the work
space," Egner noted.
Smarter Thieves
With all of the different drive locations where data is stored
today, mobility is a potential leakage point. However, that is
only part of the problem. The other part is the greater
sophistication of the thieves, according to Egner.
Previously, the bad guys stole laptops to make a quick buck
reselling them. Now, increased sophistication of thieves lets
them pull user IDs and personal data from the hard drives and
portable storage devices.
Therefore, instead of just committing a "smash and grab" style
robbery and selling the equipment quickly, thieves can make more
money selling the stolen data at $1 per record, explained Egner.
Plugging the Leak
More data leakage problems will come in the near future,
according to Secure Computing's Henry. This situation will not
change, he believes, until regulatory agencies impose high
penalties on companies that fail to improve their network
security.
"It's not a matter of the technology not being here. It's a
matter of cost incentive," Henry said.
Various technologies and methodologies are available to turn off
the data leakage problem, noted Code Green Networks officials.
These include enterprise rights management (ERM) systems,
traditional secure content management (SCM) systems and
next-generation advanced secure content management (aSCM)
products.
This latest technology has the ability to eliminate the
administrative burden of traditional SCM.
No Data to Go
Code Green Networks offers a content inspection appliance. IT
workers can configure the device to look for sensitive
information. The product knows the data container and monitors
all the TPTC channels. IT can then write polices for how to
handle sensitive data going out of storage.
Code Green Networks in February released a content inspection
agent which pushes down to mobile devices attached to the
network. It can take inventory of all endpoint devices and
monitor them from a central panel. It can turn on and off the
release of information.
Also, it records the names of files copied or forwarded
elsewhere. It can require encryption of anything written to the
USB device.
PointSec's security products focus on encryption without user
interaction, according to Egner. Most products require users to
change behavior; therefore, when they are in a hurry these
security procedures slow them down so they forget to use them.
Secure Computing offers a variety of software and hardware
solutions for network security. The Sidewinder Security
Appliance, for instance, consolidates all major Internet
security functions into a single system.
By Jack M. Germain
TechNewsWorld
Part of the ECT News Network