Welcome

Understanding Information Security is maintained by infosec advisor Steve Wright. Subjects covered include:

Concepts relating to Infosec management (including confidentiality, integrity, availability, vulnerability, threats, risks and countermeasures)

Current legislation and regulations which impact upon Infosec management in the UK (and USA);

Current national and international standards, frameworks and organisations which facilitate the management of Infosec (ISO27001, PCI DSS, COSO, SOX, SB1386, HIPAA, COBIT, ITIL, ISO9001);

Current business and technical environments in which Infosec management has to operate;

Categorisation, operation and effectiveness of controls of different types and characteristics;

Business benefits, ROI, justification for infosec.

News Blog

Saturday, March 14, 2009
FSA's Top 5 Data Security fallacies
Top 5 Data Security fallacies from the Financial Services Authority

The FSA Data Security study has revealed common misconceptions among many firms about the risk of data loss and identity fraud:

1. The management of some firms believed the customer data they held was too limited or too piecemeal to be of value to fraudsters. This is misconceived: skilled fraudsters can supplement a small core of data by accessing several different public sources – telephone directories, the electoral roll and other public records, many of which are available on the internet. They also use impersonation, for instance during phone calls or in emails, to encourage the victim to reveal more. Ultimately, they build up enough information to pose as their victim and obtain credit and other advantages in the victim’s name. In this way, a firm’s customer data might complete a set of data extensive enough to commit fraud.

2. There is a perception that only individuals with a high net worth are attractive targets for identity fraudsters. In fact, people of all ages, in all occupations and in all income groups are vulnerable if their data is lost. Recent data published by CIFAS shows the top ten postal districts affected by identity fraud are not all in affluent areas.

3. A third fallacy is that only large firms with millions of customers are likely to be targeted. Even a small firm’s customer database might be sold and re-sold for a substantial sum.

4. Firms often assume the threat to data security is external – from burglars or computer hackers, for example. However, insiders have more opportunity to steal customer data, and there are many examples of staff stealing customer data either to commit fraud themselves or to pass it on to organised criminals.

5. Finally, some firms believe that they are impervious to data breaches because no customer has ever alerted them to identity fraud. The truth may be closer to the opposite: firms which successfully detect data loss do so because they have effective risk management systems. Firms with weak controls or monitoring are likely to be oblivious to any loss. Furthermore, when fraud does occur, the source of data loss is often impossible to trace. Data is held in so many places: by government, retailers, employers and many others besides financial services firms. A victim of identity fraud rarely has the means to identify where their data was lost.

In conclusion, the size or complexity of an organisation makes little difference to the lack of appreciation or understanding of the nature and extent of the risks facing your FSA-registered business. In short, an open and honest (preferably independent) review of your data security risks may be the single best investment your organisation ever makes.


Sunday, March 8, 2009
7 dirty secrets of the security industry
Here are the seven dirty secrets of the security industry and practical ways to command honesty from your trusted security providers.

1. Antivirus certification omissions. The dirtiest secret in the industry is that, while antivirus tools detect replicating malicious code like worms, they do not identify malcode such as non-replicating Trojans. So, even though Trojans have been around since the beginning of malicious code, there is no accountability for them in antivirus certification tests. Today Trojans and other forms of non-replicating malcode constitute 80% or more of the threats businesses are likely to face. Antivirus accountability metrics simply no longer reflect the true state of the threat.

2. There is no perimeter. If you still believe in the perimeter, you may as well believe in Santa Claus. That isn't to say there is no perimeter, but we need to define what the perimeter is. The endpoint is the perimeter; the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter too. If you design your security controls without assuming a perimeter, you are more secure when you do have one. The mistake we tend to make is assuming that if we put the controls at the perimeter, we will be fine. For many threats, we couldn't be more wrong.

3. Risk management threatens vendors. Risk management really helps an organisation understand its business and its highest level of risk. However, your priorities don't always map to what the vendors are selling. Vendors focus on individual issues so you will continue to buy their individual products. If you don't have a clear picture of your risk priorities, vendors are more than happy to set them for you.

4. There is more to risk than weak software. The lion's share of the security market is focused on software vulnerabilities. But software represents only one of the three ways to be compromised, the other two being weak configurations and people. The latter is the largest uncovered area of risk: malicious code that doesn't leverage a vulnerability but rather leverages the person.

5. Compliance threatens security. Compliance in and of itself is not a bad thing. But, compliance in and of itself does not equal security. At the very least it's a resource and budget conflict, and it splits our focus. Compliance is supposed to raise the minimum standard of security, but it just gets us to do what we are required to do and nothing else.

6. Vendor blind spots allowed for Storm. Storm is being copied and improved. The Storm era of botnets is alive and well, nearly two years from when it first appeared.

7. Security has grown well past "do it yourself." Technology without strategy is chaos. The security market is often far too focused on the latest hot box or technology. The sheer volume of security products and the rate of change have super-saturated most organisations and exceeded their ability to keep up. Organisations realise only a fraction of the capabilities of their existing investments. Furthermore, the cost of the product is often a fraction of the cost of ownership. There was a time when you could "do it yourself," but the simple days of virus meets antivirus are long gone. Highly effective organisations are embracing professional and managed security services to extend and augment their in-house expertise. By focusing your in-house expertise on what you know best -- your business -- scale comes from teaming with third-party expertise. This will be increasingly necessary in these tough economic times.

The primary goals for senior executives over the next few years are to cut cost and reduce complexity. Today we are seeing a massive convergence in the security market. There are only going to be a few large players left and a bunch of smaller players. Will consolidation lead to better efficiency, or will it lead to vendor lock-in?

Saturday, January 31, 2009
Monster attack steals data
Once again we see more evidence of negligence on behalf of this organisation with our data.

I for one am becoming increasingly frustrated by organisations that fail to understand the basic principles of security - defence in depth.

So what's the answer? We all know there is no 'silver bullet', but there are things we can do to help reduce the threat being exploited.

I'm working with a client on their data governance strategy, and at least they are recognising the complex and dynamic nature of data - and doing something about it - before they become the next headline....

http://news.bbc.co.uk/1/hi/technology/6956349.stm


Sunday, December 21, 2008
Top Ten security trends set to continue for 2009
New research by the Ponemon Institute shows some worrying (but unsurprising) security trends that will continue into 2009 and beyond. The survey demonstrates how some of these trends will potentially become worse, and how we should be updating our organisations' integrated defence plans to ensure we are not the next victim.

Ponemon consulted 577 IT security practitioners to consider how 10 security trends affect organisations today, and to predict their impact during the next 12 to 24 months.

The survey offers some helpful pointers for organisations that are struggling to understand how they should allocate resources and budgets in 2009. The top ten security trends are:

1. Cloud computing
2. Virtualization
3. Mobility
4. Mobile Devices
5. Outsourcing to third parties
6. Cyber crime (in the UK rose by more than 9%)
7. Data breaches
8. Identity Theft
9. Peer-to-peer file sharing
10. Web 2.0

The study examined the risks posed by the top ten security trends that exist today and how the risks will change over the next 12 to 24 months. According to an overwhelming 77 percent of individuals responding to the survey, cyber crime will become a high or very high risk over the next 12 to 24 months. The selection of cyber crime as the trend most likely to be a high or very high risk in the next 12 to 24 months can be partly explained by the fact that 92 percent of respondents in the study reported that their organisations have had a cyber attack. The biggest security risk associated with cyber crime is that such an attack will cause significant business interruption (make sure your business continuity plans are tested), followed by the theft of customer and employee data.

Other mega trends becoming more risky are cloud computing, malware, web 2.0 and mobile devices. In the case of cloud computing, it is the inability to assess or verify the security of data centers in the cloud and protect sensitive and confidential information. IT security practitioners see the risk of malware and Web 2.0 as resulting in the loss of sensitive or confidential business information including trade secrets.

It is interesting to note that the study respondents perceive the risk of a mobile workforce as decreasing, while mobile devices remain a high or very high risk for many organisations. According to respondents, the most risky mobile device is the laptop computer, and the number one concern is the inability to properly identify and authenticate remote users.

Data Breaches and Outsourcing Risks

Data breaches and outsourcing are forecast to remain at the same level of risk. IT security practitioners continue to worry about data breaches because, according to the Ponemon study, only 16 percent are very confident or confident that current security practices are able to prevent customer and employee data from being lost or stolen. It is therefore understandable why the majority of respondents in IT security believe data breaches will continue to pose a high or very high security threat to their organisations.

Because IT security professionals don't see the outsourcing of sensitive and confidential information to third parties as decreasing, it will remain a serious risk to an organisation's information assets. The concern expressed by IT security practitioners in the study is about the difficulty in protecting sensitive or confidential information when unauthorized parties might be able to access private files.

Certain Risks Are Considered more Manageable

Becoming less of a concern are risks associated with a mobile workforce, virtualization and P2P file sharing. Although it seems that the mobile workforce will pose less of a risk, respondents believe the most significant security threat is the inability to properly identify and authenticate remote users. With respect to P2P, the concern is that inadvertent transfers and disclosures of documents that reside on an organisation's computers and laptops will occur. The most significant risks associated with virtualization technology are the inability to properly identify and authenticate users to multiple systems, and third-party access to private files without authorisation.

Organisations are faced with a plethora of security threats to their confidential and sensitive data assets. Forecasting the areas that pose the highest risk will help organisations create an IT security strategy that is as cost effective as possible in times of tightening budgets.

Dr. Larry Ponemon is the chairman and founder of the Ponemon Institute. For a copy of the 2009 Security Mega Trends Survey report, please email Larry at research@ponemon.org or visit his website at www.ponemon.org.

Saturday, December 6, 2008
New data protection law in USA
Debate is under way in Massachusetts regarding a tough new data protection law designed to prevent security breaches and identity theft. Specifically, discussion is centered around whether the new law is too tough, just right or too little, too late.
Some security experts say Massachusetts' new data protection law (Mass. 201 CMR 17) is among the toughest they've seen. What's your opinion?

Friday, November 28, 2008
Security set to increase in 2009 despite downturn
The security industry is set to grow by a further 16% in 2009, despite the economic downturn. What are your thoughts?

Thursday, November 13, 2008
VISA announce they are creating a consistent framework for PCI compliance among merchants, service providers and their agents
Good news: VISA are globally aligning PCI DSS compliance requirements for service providers and requiring a validation deadline for Level 1 merchants by September 30, 2010. This appears to be set in stone, but we all know that in reality the industry might once again push back. What are your thoughts?
