Data Thefts Show Need for Comprehensive Security

Hackers alleged to have accessed more than 40 million credit and debit card numbers

On Tuesday, the U.S. Department of Justice charged 11 hackers with allegedly accessing the computer records of as many as nine major retail companies and selling more than 40 million credit and debit card numbers. The indictment was delivered at the U.S. Federal District Court in Boston.

Federal prosecutors described a sophisticated conspiracy in which a team of hackers accessed the wireless computer networks of major retailers, including TJX Companies, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW.

Once inside the networks, the hackers installed data mining malware or sniffer programs used to capture card numbers and other customer information such as passwords and account information.

The indictment comes just days after the beleaguered mortgage giant Countrywide Financial Corp. announced that a former employee and another co-conspirator allegedly schemed to steal and sell sensitive personal information, including Social Security numbers, of as many as two million mortgage applicants. The breach in security happened over a two-year time span through last month.

"Organizations need to implement both data protection policy and enforcement," said Don Leatham, director of strategy at the Scottsdale, Ariz.-based security software consultancy Lumension Security. "One [measure] is insufficient. Blind enforcement, without a well-thought-out policy, can lead to decreases in productivity and outright rebellion against IT controls. Policy without enforcement does little to deter the well-motivated insider."

Personal Info Security: A Pressing Issue

The debate on data theft has been heating up at the standards level on how to protect customer data held by companies.

According to a report released on Tuesday by the Information Systems Audit and Control Association (ISACA), securing personally identifiable information (PII) is "a top concern" facing business and technology executives this year. ISACA, known for overseeing COBIT (the Control Objectives for IT framework), had surveyed more than 3,173 IT pros in some 95 countries.

"The cost of losing or compromising the integrity of PII is also leading to a renewed focus on information security," said Greg Grocholski, chair of ISACA's Assurance Committee and senior finance director at Dow Chemical. "The survey shows that 81 percent of the 1,600 respondents who named information security management as a number 3 concern said that security risks are not fully known or are only partially assessed using technology."

IT pros, CIOs and other C-level managers need to realize that tough economic times can significantly increase insider threats, security experts say. A weak economy can also create an environment in which low morale fosters an apathetic approach to securing IT systems.

Security needs to be comprehensive to be effective, Leatham explained.

"Universal deployment of enforcement technology is critical," he said. "If just one machine with access to critical data is left outside the enforcement domain, the outsider threat and the insider threat and associated risks remain."

Anthony Noble, vice president of IT audit at Viacom, said that "IT functions and projects still lack alignment with business objectives at many organizations." As a result, he said, IT functions are often unable to realize the "business benefits" of a secure and compliant processing environment.

Stepped-Up Measures Needed

IT experts agree that, on the inside, workstations and devices should be locked down under a comprehensive policy for managing insider access to USB drives, CD/DVD writers, Bluetooth-based devices and the like. Data should also be partitioned and tagged, with sensitive fields hidden so that the information appears unintelligible to an outsider.

Thus, depending on the specific strategic market, business goals or data structure of a given business, companies should look at deploying a combination of firewall protection, data encryption and automated access monitoring technologies. Manual oversight of all of these processes is important as well.

In both the Countrywide and TJX cases, Leatham said, enterprise content monitoring and filtering was most likely absent, or lax enough to allow the breaches to happen.

"The ability to monitor system activity as well as inspect the content of files being transmitted or sitting at rest in storage devices for sensitive information or foreign applications is very important in mitigating these types of threats."

-- Jabulani Leffall