Strategic Security: Identity Theft Protection

Identity theft is a nightmare for companies and consumers alike. But, ultimately, the responsibility to protect against it falls solely on IT. Here's how to protect your data, your

August 25, 2006



The statistics are a horror show: ID theft cost U.S. businesses and consumers $56.6 billion in 2005, according to the Javelin 2006 Identity Fraud Report. And phishing schemes are becoming more rampant and more sophisticated. The Anti-Phishing Working Group identified 11,976 unique phishing Web sites in May 2006, up from 3,326 in May 2005 and the highest number ever recorded by the group. Of course, politicians are tripping over one another to introduce legislation--based on a perusal of proposed bills, we wouldn't be surprised to hear a state mandate public tarring and feathering of any CEO whose company leaks personal ID information.

What does all this mean to enterprise IT? Plenty. You must address the problem from two angles: First, tightly control sensitive data to ensure your organization doesn't improperly release personally identifiable information about customers or employees; more on how to implement these controls later. IT also has a legitimate role educating employees on how to keep customer data safe. Work with business groups to define how this information may be used. Maybe you allow only scrubbed data to leave the building, for example.

IT also can help educate employees on how to keep their own identities safe. Suggest that workers turn the phishing knob all the way up on the spam filter--or better yet, default it to maximum and provide instructions on how to turn it down. A victim may spend many hours during the business day filing reports and talking to creditors to clean up after an identity theft, so even a modest investment in prevention can pay off in employee productivity. The FTC's ID Theft education site is a good resource for educational materials.


The biggest challenge in protecting sensitive information is that most organizations don't know the precise amount of data in their systems, how many copies of a given piece of data exist, who is using the data, what they're doing with it, even whether their users are authorized. Let's be clear from the outset: There is no magic bullet, no comprehensive "identity theft protection solution." But a combination of training, best practices and new technologies can minimize exposure.

In "Can the Encryption Exemption Save Your Job?" (page SS5), we discuss some legal liabilities your organization may face if you suffer a security breach that discloses sensitive data. Must you always report incidents that may have exposed personally identifiable information? Depends on where you do business. Should you? We say yes. Even if you're unmoved by the potential for human misery, if the loss is made public the media may smell cover-up--the equivalent of blood in the water.

Protect Us From Ourselves

Infosec professionals have historically treated accidental disclosure by authorized users as a training issue. We know well-meaning employees regularly do dumb things, such as e-mailing customer data or taking home customer records. But few companies will discourage employees from taking work home, so attempting to strengthen training policies with punitive measures would be a waste of time.

Self-preservation dictates, then, that IT be able to raise a flag over potential leaks, even those generated from inside the building by authorized users. To set up such a warning system, you must first rank data sets based on their sensitivity, then learn exactly where every copy of confidential data resides--easier said than done. You may know who accesses what in your core databases, but do you know how many copies of a customer record are floating around your organization in Excel spreadsheets and Access databases? Are you aware of the number of SQL Server databases running in your company (it's generally more than security folks expect) and what's in them? Not likely.

Next you'll need to track data movement. Although there is no single über tracking product available, there are some excellent tools that cover the range of possibilities. We've divided them into three categories: those that work where the data is extracted from the database; those that work with data leaving the building; and those that work with data stored outside the building.

Where the data is extracted from the database: There's no foolproof way to stop a determined insider with technical savvy. You can't depend on database logs to track data access, for example. They're too easy to manipulate both before and after the fact. At some point, you must be able to trust your IT staff and leave that small group of people out of the equation. Where possible, however, the products we recommend minimize the pool of employees able to bypass controls.

Several excellent products are available from Application Security, Imperva, NetContinuum and Tizor Systems that will notify you of large or aberrant extractions. We classify this product category as "database extrusion prevention." These products can be configured to track data by user and profile each user's "normal" activity to give you a blueprint of what they're supposed to be doing--and raise a flag when abnormal activity is spotted.

Database extrusion-prevention products could catch, for instance, an unscrupulous salesperson before he culls your top 10,000 customers from the database, gives his notice and defects to a competitor. These products also will help you understand the "well-meaning" portion of your data users' activities. By turning the monitors on in detection mode, you can track which systems are pulling large amounts of customer data out of your core databases and where that data is going, giving you insight on potential sources of data loss. It's possible, for instance, that users are running systems and/or queries that are no longer necessary, but no one bothered to turn them off. The fewer copies of sensitive data loose on the network the better, so use these systems to find and kill defunct or redundant data-copy routines. If you install desktop agents, some of these products will even notify you when data is taken to removable media. If you have the database login--or with some systems, the network login--of the user accessing the data, you have the information needed to close a hole in your infrastructure.

At least one product we know of, Application Security's AppRadar, will search the network for all instances of commonly known databases to help you understand where your data resides on the network and what data is in each of these instances. This functionality alone is worth the price of admission because divisions and departments often implement systems that core IT and security staffs know nothing about. We're working on a comparative review of database extrusion-prevention products; watch for it in a future issue.

Where the data leaves the building: Authorized users may lose data accidentally. E-mailing personal data is frowned on, for example, but CSRs (customer service representatives) are often authorized to mail and/or IM personal data to customers. But what if an e-mail or IM containing sensitive data is directed to the wrong individual? Or, what if company policy prohibits CSRs using e-mail and IM to send sensitive data but they're doing so anyway?

Network extrusion-prevention products, available from Cisco Systems, Fidelis Security Systems, Port Authority Technologies, Symantec and others, can notify you that sensitive information has left the building or been copied to removable media without stopping the data copy. These products also provide a log of user activity. This arena is still maturing, so it's possible for a determined insider to circumvent these systems through the use of encryption, certain file formats or by distributing bits of the data across varying ports. And not all products are equal; some cannot detect output to printers or USB devices, for example. Ask your vendor about its breadth of support for different data formats and architectural issues.

Prevention is paramount. Critical customer data should not be going out an undocumented port to a server somewhere in Romania, and merely logging that kind of extrusion does you no good once the data has left the building. The same is true of an e-mail with information on 1,000 customers sent to an account outside the company. Network extrusion-prevention tools attempt to fingerprint your critical data so they can identify it while it's traveling about your network. Some can cut off connections in midstream, saving you from the embarrassing loss of substantial amounts of data. Some let you set limits, such as "the personal data of one person to a single e-mail address is OK; stop any attempt to e-mail a set of multiple customers." Some will even look inside .zip files so the easy routes around extrusion prevention are blocked. All these products come with reporting, and most offer incident-level notifications based on violations of set policies. That reduces the hours needed to maintain the system by limiting what you have to review, but write your policies with evasion in mind: a rule that allows a small amount of data per message can be defeated by sending a single record an hour to a valid e-mail address, so judge senders and recipients by what they have sent over time, not by each message in isolation.
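The fingerprinting, per-message limit and trickle evasion described above, as an added Python example (written for this edit, not code from the original article or from any product named in it): customer identifiers are stored as keyed hashes so the fingerprint store itself does not leak them, each outgoing message is scanned for identifiers that match, a message carrying more than one customer's record to an external address is blocked, and single-record messages are allowed but counted per sender over a sliding window so that sending one record at a time still raises an alert. The SSN pattern, the window and limits, the domain names and the messages are constructed for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed key for the example; in practice keep it off the scanning host's logs.
FINGERPRINT_KEY = b"example-fingerprint-key-rotate-me"

# Constructed customer table (the "critical data" to fingerprint); not real people.
CUSTOMERS = [
    {"name": "Ada Lovelace", "ssn": "123-45-6789"},
    {"name": "Alan Turing", "ssn": "987-65-4321"},
    {"name": "Grace Hopper", "ssn": "555-12-3456"},
]

# Matches 123-45-6789 as well as 123456789 so dropping the dashes is no evasion.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def normalize_ssn(value):
    return re.sub(r"\D", "", value)


def fingerprint(value):
    """Keyed hash of the normalized identifier, so the store reveals nothing by itself."""
    return hmac.new(FINGERPRINT_KEY, normalize_ssn(value).encode(), hashlib.sha256).hexdigest()


FINGERPRINTS = {fingerprint(c["ssn"]) for c in CUSTOMERS}


def matched_records(body):
    """Fingerprints of known customer identifiers found in an outgoing message."""
    return {fingerprint(m) for m in SSN_RE.findall(body)} & FINGERPRINTS


class ExtrusionPolicy:
    """'One person's data to one address is OK; bulk is not; a trickle is noticed.'"""

    def __init__(self, internal_domain, per_message_limit=1,
                 window=timedelta(hours=24), window_limit=5):
        self.internal_domain = internal_domain.lower()
        self.per_message_limit = per_message_limit
        self.window = window
        self.window_limit = window_limit
        self.history = defaultdict(deque)  # sender -> deque of (time, fingerprint)

    def evaluate(self, msg):
        """msg has ts (datetime), sender, recipient, body. Returns (verdict, reason)."""
        if msg["recipient"].lower().endswith("@" + self.internal_domain):
            return "allow", "internal recipient"
        hits = matched_records(msg["body"])
        if not hits:
            return "allow", "no fingerprinted data"
        if len(hits) > self.per_message_limit:
            return "block", f"{len(hits)} customer records in one external message"
        # A single record is permitted, but count distinct records this sender has
        # pushed outside within the window so one-at-a-time leaks still surface.
        hist = self.history[msg["sender"]]
        while hist and msg["ts"] - hist[0][0] > self.window:
            hist.popleft()
        for fp in hits:
            hist.append((msg["ts"], fp))
        distinct = {fp for _, fp in hist}
        if len(distinct) > self.window_limit:
            return "alert", f"{len(distinct)} distinct customer records sent externally within {self.window}"
        return "allow", "within per-message and window limits"


def run_example():
    """Constructed outbound mail from one CSR, scored in order."""
    policy = ExtrusionPolicy("corp.example", window_limit=2)
    t0 = datetime(2006, 8, 25, 9, 0)
    outbound = [
        {"ts": t0, "sender": "csr1@corp.example", "recipient": "ada@mail.example",
         "body": "Hi Ada, the SSN we have on file is 123-45-6789."},
        {"ts": t0 + timedelta(minutes=5), "sender": "csr1@corp.example",
         "recipient": "drop@webmail.example", "body": "customers: 123456789, 987-65-4321"},
        {"ts": t0 + timedelta(hours=1), "sender": "csr1@corp.example",
         "recipient": "alan@mail.example", "body": "Alan, please confirm 987-65-4321."},
        {"ts": t0 + timedelta(hours=2), "sender": "csr1@corp.example",
         "recipient": "grace@mail.example", "body": "Grace, confirming 555-12-3456."},
    ]
    return [policy.evaluate(m) for m in outbound]


if __name__ == "__main__":
    for verdict, reason in run_example():
        print(verdict, "-", reason)
```

The second message is blocked outright because it carries two customers' records (one with the dashes stripped) to an outside address; the third and fourth are each within the one-record rule, yet by the fourth the sender has moved three distinct records outside in two hours, and the window check raises the alert that per-message inspection alone would miss.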

One side benefit of these systems is that they can help segregate access between units in your organization. If you have two separate businesses that require strict tracking of data exchange--for-profit and nonprofit sides of a business, for instance--these devices can be configured to track the exchange of information among internal users or even inform IT when customer data is sent to a network printer, plugging one more possible hole. Many products also sound an alarm when data is copied to removable media, a benefit we think is key in an age of 4-GB USB fobs.

Like all security, this protection comes with a price, specifically complex installation and maintenance. IT must go through logs and ensure that the configuration is up-to-date, for example, but we consider extrusion-prevention systems well worth the investment if you can spare the time to make proper use of them.

Where the data is stored while outside the building: The age of laptop encryption is finally here: full-disk encryption whose keys cannot be recovered simply by pulling the disk, plugging it into another box and attacking it offline. Vendors like Intel and PGP, among others, are putting together pieces to protect your data in and out of its home environment. Several products make it much harder to get information off of disks, and further strides in motherboards and controllers mean you can say, "Encrypt this disk so that it can only be used on this PC and with a password." That two-factor design is a significant benefit: because one factor is tied to the machine's hardware, a thief who takes only the disk (or only the password) has nothing, and must attack authentication on the machine where the disk was provisioned.
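One way the "this PC and a password" property can be built, as an added example written for this edit and not a description of Intel's or PGP's products: the disk key is derived from both a PBKDF2-stretched password and a per-machine secret that stands in for hardware-held key material, and a keyed check value in the volume header lets the unlock routine verify the result. With only one of the two factors the derivation yields a different key and the check fails. Real products typically use the derived key to wrap a random data-encryption key so the password can be changed without re-encrypting the disk; that wrap is omitted here to stay within the Python standard library. The device secret, header layout and iteration count are assumptions.

```python
import hashlib
import hmac
import os

KCV_LABEL = b"disk-key-check"  # assumed label for the header's key check value


def derive_kek(password, device_secret, salt, iterations=200_000):
    """Both factors feed the key: the password through PBKDF2, the machine
    secret as the HMAC key over the stretched password. Change either and
    the output is unrelated."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(device_secret, pw_key, hashlib.sha256).digest()


def provision(password, device_secret):
    """Create a volume header for this password on this machine.
    Returns (header, key); the header stores no key material, only a salt
    and a check value that lets a later unlock confirm it derived the same key."""
    salt = os.urandom(16)
    kek = derive_kek(password, device_secret, salt)
    kcv = hmac.new(kek, KCV_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "kcv": kcv}, kek


def unlock(header, password, device_secret):
    """Re-derive the key from the supplied factors; None if either is wrong."""
    kek = derive_kek(password, device_secret, header["salt"])
    kcv = hmac.new(kek, KCV_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(kcv, header["kcv"]):
        return None
    return kek


def run_example():
    """Provision on one machine, then try the three ways a thief might unlock."""
    this_pc = os.urandom(32)   # stands in for a hardware-bound secret of the owner's laptop
    other_pc = os.urandom(32)  # the attacker's box, with its own hardware secret
    password = "correct horse battery staple"
    header, key = provision(password, this_pc)
    return {
        "same_pc_right_pw": unlock(header, password, this_pc) == key,
        "same_pc_wrong_pw": unlock(header, "password1", this_pc) is None,
        "other_pc_right_pw": unlock(header, password, other_pc) is None,
    }


if __name__ == "__main__":
    for case, ok in run_example().items():
        print(f"{case}: {'as expected' if ok else 'UNEXPECTED'}")
```

The third case is the one the article cares about: the disk, its header and even the correct password are useless on another machine, because the second factor never leaves the original hardware.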

We're also seeing new USB technologies from companies like Kingston that encrypt right on the USB storage device. This is a useful way to let salespeople take their information out of the building while maintaining a level of protection. They're more expensive than conventional USB storage devices, but they're a worthwhile investment if data must leave the building and you don't want to encrypt every laptop hard disk. Note that these devices protect only what's on them: a lost laptop can still leak the same data through temp files, swap and the like, but an attacker that determined has other venues to pursue. It's all about limiting your risk; as we discussed in our last issue of Strategic Security, eliminating risk is only possible by going out of business. As for off-site encryption, in "Avoid a Data Debacle," at , we discuss tape encryption, and we explore the pros and cons of three security technologies: host-based storage encryption, inline appliance storage encryption and auto-encrypting tape drives.

Realize that once a tape leaves the building, it's fair game: Even if it makes it to its destination, there's no way to be certain it wasn't copied en route. Tape encryption systems from Cisco, Imation, NetApp/Decru and many others at least provide some level of protection--they will make it harder on ID thieves, and that's the best you can hope for, for now. Ask your tape-encryption vendor about the location of keys (some vendors store keys encrypted on the tape, which we think is a bad idea) and discuss long-term key management. If you have tapes that you must decrypt in five or 50 years, you need to know that your vendor has a manageable system for ensuring the keys are available to do so.

Endgame

The Federal Trade Commission recently reached a settlement with ChoicePoint, which allegedly allowed identity thieves to gain access to files of 160,000 consumers. The price for that negligence? A whopping $10 million in civil penalties and $5 million in consumer redress for identity theft victims--$93.75 for each person affected. So which do you spend more time and money on: specific initiatives to keep customer data safe from prying eyes or ensuring immunity from viruses? Information theft prevention will become an increasingly critical portion of a security administrator's job versus system protection. We have to do both, of course, but the reality is, a reinstall and restore can fix an infected system. Nothing can verifiably retract lost data once it's in the wild.

Don MacVittie is a senior technology editor at Network Computing. Write to him at dmacvittie@nwc.com.

Protect Data By Protecting Apps

V.I. Laboratories, one vendor in a growing data-protection field, has developed a product that takes an existing executable, encrypts it and signs the entire executable. When the executable runs, the current method or function is pulled into memory, decrypted and then executed. The result? Protection from Trojans and viruses that infect applications: if an application's code is modified on disk, it no longer runs correctly, because the modified bytes are decrypted along with the rest and come out as gibberish. To protect the data as well, V.I. Laboratories has also implemented VMM and ICE checks to detect attackers using virtual machines or in-circuit emulators to watch the code as it executes and pull data out of it.

The product, code named Viper, does cause a 2 percent to 5 percent slowdown, but if you encrypt all applications that retrieve data from your database and have a separate system in place to detect key loggers, you'll have less to worry about. If research continues in this as-yet-unnamed arena, we could see it as a viable option to protect the applications that access your data, particularly applications used by remote employees who are unprotected by your corporate firewall and IPS.
