Learning from Data Breaches
THE VICTIMS

TJX

TJX, the parent company of TJ Maxx, Marshall’s and other retail chains, was attacked by criminal hackers over a period spanning several years. The hackers’ target was customer credit card data stored on TJX’s servers. According to the company’s estimates, customer data for 47 million individuals was compromised, making it the largest reported data breach in history. The intruders and other criminals who bought data from them subsequently used the credit card numbers for fraudulent purchases from various retailers that added up to millions of dollars. TJX recently settled a number of claims resulting from the incident, with more pending. TJX’s costs for this have surpassed $100 million and are still growing. The indirect costs, including the loss of customer confidence in the company, are difficult to measure, but are probably even higher.
So, what went wrong? The details are still unclear, as TJX has been tight-lipped about what exactly happened. However, some elements of the case are slowly emerging. It appears that the hackers used several methods to get to the data, and InformationWeek Magazine recently reported some of the details. First, TJX apparently neglected to properly secure its wireless network, allowing hackers to get access to the corporate network. This allowed them to install software that captured customer information. TJX apparently also placed computer kiosks on store floors so that job applicants could fill out applications on them. These computers were directly connected to the corporate network, and hackers simply plugged flash drives into the back of them to introduce malicious software into TJX’s network. TJX could have easily prevented both of these attack methods by doing the following:
· Properly secure wireless networks. All wireless communications should be encrypted and authenticated. Among the available encryption mechanisms, WEP (Wired Equivalency Protocol), which TJX reportedly used, is inherently insecure. Even WPA (WiFi Protected Access) can be broken by a determined hacker. A newer version, WPA2, provides much better security and should be used whenever possible.
· Prevent bridging of wireless networks. While there is no indication that this played a role in the TJX case, wireless security should also ensure that client computers such as laptops don’t connect to a wireless network while they are simultaneously connected to the wired corporate network. Such a bridged network connection could allow a hacker sitting in a car outside the office building to use a wireless connection to a client computer to get access to the entire corporate network. Administrators can use DriveLock™ from CenterTools to automatically disable wireless connections while a wired connection is active, or even to control which networks users can connect to.
· Use internal firewalls. When the hackers broke into the kiosk computers they had direct access to TJX’s internal network. An internal firewall should have been used to separate kiosk computers from servers that store sensitive data and other sections of the internal network. When data needs to be exchanged between different internal networks, firewalls can tightly filter the information flowing between them.
· Control the use of peripheral devices. There is no legitimate reason for anyone to connect a flash drive to a kiosk computer. Enclosures and other physical security measures can be used to prevent anyone from getting to the USB ports. A software solution, such as DriveLock™, can control access to all ports and even monitor this access. This provides more flexibility and possibly even better protection than physical barriers. Good software-based device control still allows access to ports for maintenance but can distinguish between legitimate and malicious use of all external ports. It also alerts administrators when someone attempts any unauthorized access.
· Control the use of applications. Intruders at TJX were able to introduce unauthorized software into the network. With DriveLock™ you can control who is allowed to run which programs on any computer in your organization.
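A check for the bridged-connection condition described in the list above, added here as an example (it is not part of the whitepaper and is not DriveLock code). It assumes a Linux client whose interfaces are exposed under /sys/class/net; the function names are hypothetical.

```python
import os

def active_interfaces(sys_net="/sys/class/net"):
    """Return (wired, wireless) lists of physical interfaces whose link is up."""
    wired, wireless = [], []
    if not os.path.isdir(sys_net):
        return wired, wireless
    for name in sorted(os.listdir(sys_net)):
        base = os.path.join(sys_net, name)
        try:
            with open(os.path.join(base, "operstate")) as fh:
                state = fh.read().strip()
        except OSError:
            continue  # not an interface directory (e.g. bonding_masters)
        if state != "up":
            continue
        # 802.11 interfaces expose a phy80211 link and/or a wireless directory.
        if any(os.path.exists(os.path.join(base, m))
               for m in ("phy80211", "wireless")):
            wireless.append(name)
        # Physical NICs have a "device" link; loopback, bridges and veth do not.
        elif os.path.exists(os.path.join(base, "device")):
            wired.append(name)
    return wired, wireless

def bridging_risk(sys_net="/sys/class/net"):
    """Flag a host that is on the wired LAN and a wireless network at once."""
    wired, wireless = active_interfaces(sys_net)
    if wired and wireless:
        # Policy from the text: wireless must be off while wired is active.
        return {"violation": True, "wired": wired, "disable": wireless}
    return {"violation": False, "wired": wired, "disable": []}

if __name__ == "__main__":
    print(bridging_risk())
```

The "disable" list names the wireless interfaces an administrator or endpoint agent would need to bring down to restore the policy.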
CERTEGY

Certegy, a subsidiary of Fidelity National Information Services, processes check approvals for a large number of retailers. As a result, it has access to financial information about millions of customers. Earlier this year one of the company’s database administrators was arrested for stealing and selling the records of over 8.5 million customers. The perpetrator copied the data to a portable disk, apparently to avoid detection and to not leave any evidence of his actions. Certegy reportedly only became aware of the incident after customers reported suspicious transactions. Today Certegy has to defend itself in a number of class-action suits. The company also faces decreased revenues due to lost customer confidence. There are several lessons to be learned from Certegy’s experience:
· Don’t trust insiders. The person who stole the data had worked for the company for several years and had legitimate business reasons to access the data. As in this case, data theft is often committed by trusted insiders. While we all want to trust the people we work with, it is a good practice to not let your guard down and to be on the lookout for suspicious activity.
· Monitor where your data is going. The data theft initially went undetected because nobody monitored which data was copied from a server to mobile storage devices. DriveLock™ can be used to control what data users can copy to and from mobile devices. Just as important, DriveLock™ can monitor such data transfers and alert security personnel to unauthorized activity before it’s too late.

BOEING

A Boeing employee, who had been working for the company for 18 years, allegedly stole 320,000 confidential documents, which he took with him on removable storage devices. Boeing claims that he was prepared to share this data with its competitors and that the potential damage could have been as high as $5 billion. What makes this case unusual is the magnitude of the damage, but at the same time it is only one of many cases of data theft by insiders. With effective device control Boeing could have prevented the data from being copied to a mobile storage device. The company could also have been alerted to the employee’s actions much earlier and taken action to prevent further damage. DriveLock™ can provide granular control over what’s copied to mobile devices and lets administrators create detailed reports that can alert them to unauthorized activity.

GEORGIA DEPARTMENT OF HEALTH SERVICES

A disk containing sensitive data on approximately 3 million individuals was sent by a contractor for the Georgia Department of Health Services to the Centers for Disease Control. This disk was lost in transit. There is no evidence that the disk was stolen or that anyone has misused the information on it. Nonetheless, because of the risk of unauthorized data disclosure, the agency had to notify all affected individuals, informing them about the risk of identity theft due to the lost disk. In addition to the measurable costs, both the state agency and the contractor suffered a serious loss of public confidence. There are several lessons to be learned from this:
· Encrypt all data that leaves the organization. The data on the lost disk was unencrypted. A variety of tools could have been used to encrypt the data before it was mailed. If the data had been encrypted, there would have been no risk of information disclosure and no need to notify the individuals whose data was on the disk.
· Make encryption easy to use. Most encryption mechanisms that are available today can be very effective. However, employees often don’t encrypt data because it’s cumbersome or complicated to do. To get employees to use encryption, it needs to be easy to use. Even better, make encryption automatic. For example, DriveLock™ can automatically and transparently encrypt all data that’s copied to mobile storage devices. This ensures that data that leaves the organization is always encrypted. Users don’t need to perform any special steps or even think about encryption.
· Monitor data leaving the organization. When a disk containing personal data is lost you may have to notify everyone affected unless the lost data was encrypted. Before you can decide whether to initiate a notification process or not, you need to be completely sure that the data was indeed encrypted. To assess the situation it’s essential that you have auditing logs that show whether encryption did take place. DriveLock’s reporting can show you not only what data was copied to which device, but also by whom and whether the data was encrypted or not.
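The audit-log assessment described in the last lesson, as an added example (not part of the whitepaper and not DriveLock's reporting). The CSV column layout, the sample records and the function name are constructed for illustration.

```python
import csv
import io

# Constructed sample audit log; the column layout is an assumption for this
# example and is not the export format of DriveLock or any other product.
SAMPLE_LOG = """\
time,user,host,device_serial,file,bytes,encrypted
2007-09-03T09:14:02,asmith,WS-114,USB-7F31A0,claims_q2.csv,48211004,yes
2007-09-03T09:15:40,asmith,WS-114,USB-7F31A0,members_full.mdb,912004331,no
2007-09-04T16:02:11,bjones,WS-207,USB-22C9D4,slides.ppt,1048576,yes
2007-09-05T11:47:55,bjones,WS-207,USB-22C9D4,extract.zip,7340032,yes
"""

def assess_lost_device(log_text, serial):
    """Summarise what the audit log proves about one lost storage device."""
    rows = [r for r in csv.DictReader(io.StringIO(log_text))
            if r["device_serial"] == serial]
    if not rows:
        # No records means encryption cannot be proven, so the device
        # must not be treated as safe.
        return {"verdict": "unknown", "users": [], "unencrypted": []}
    # Fail closed: anything other than an explicit "yes" counts as plaintext.
    unencrypted = [(r["time"], r["user"], r["file"]) for r in rows
                   if r["encrypted"].strip().lower() != "yes"]
    return {
        "verdict": "unencrypted-data-present" if unencrypted else "all-encrypted",
        "users": sorted({r["user"] for r in rows}),
        "unencrypted": unencrypted,
    }

if __name__ == "__main__":
    for serial in ("USB-7F31A0", "USB-22C9D4", "USB-000000"):
        print(serial, assess_lost_device(SAMPLE_LOG, serial))
```

Only the "all-encrypted" verdict supports skipping notification; "unknown" means the log holds no record of the device at all.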

TJX, Certegy, Boeing and the Georgia Department of Health Services have each become a victim of some of the largest incidents of information theft or disclosure of customer data. This whitepaper describes some of the details of each of these cases and highlights what security professionals and IT management can do to avoid making the same mistakes.