Patching Up the Leaky Corporation

Is the information stored by your company secure? Here's how to make sure your confidential data remains top secret.

By Kevin Poulsen, Business 2.0 Magazine

(Business 2.0 Magazine) -- You're savvy. You've read lots of network security horror stories, so you've taken all the usual precautions. You've installed firewalls, password-protected your gear, and created offsite backups. But is that enough?

Probably not, because "information security" has practically become an oxymoron. The technologies that make today's corporations more efficient and effective also make them more vulnerable to attack. Leakages tend to occur at the seams of an organization's defenses: A backup tape falls off a truck on its way to storage, or a laptop loaded with private data vanishes from the trunk of a car.

Targeted threats are evolving as well. The glory days of the lone hacker toiling away in his bedroom are a thing of the past; today's more sophisticated intruders have organized themselves into syndicates to conduct Mission Impossible-style "ops" - they actually call them that - to pilfer information from your network.

Don't count on your shiny new firewall to shield you, because it can't protect all your critical information, and data spills are very costly. On top of the expense of investigating and cleaning up after a breach, your company may face potential Federal Trade Commission fines, civil liability, state action, and punishment in a competitive marketplace that frowns on sloppy information management.

The cost of alerting customers that you've lost their private information - a procedural requirement in many states - is itself nothing to sneeze at. After a hacker accessed records on 1.4 million state residents, California's Department of Health and Human Services spent $700,000 on mailing costs alone to alert the victims. Add to that the expense of offering your customers free credit monitoring and replacing the ones who flee to competitors, and a breach that exposes a mere 100,000 consumers can cost a company $23 million, according to security vendor Vontu.

The case for preventive medicine is strong. But how can you begin to defuse the threat? Read on for a detailed look at the information security hazards found within a typical office workplace.

USB Key Fobs

THE PROBLEM: Want to buy U.S. military secrets? Try outside the Bagram Air Base in Afghanistan, where thumb drives pilfered from the facility have been sold in open-air markets. Back at home, corporate civilians often use tiny flash devices to shuttle documents between home and office. Losing 4 gigabytes of proprietary data is now as easy as misplacing your car keys.

THE SOLUTION: Look for USB drives with encryption based on AES - the government's official cryptography algorithm. Kanguru's AES fob costs $50 for 128 megabytes, while Keynesis's Lockngo Professional is a software-based AES implementation that works with conventional USB drives.

PDAs and Smartphones

THE PROBLEM: In 2004 the Secret Service captured an elusive California hacker who'd long stayed one step ahead of the agency's best sleuths. The hacker's secret? One of the agents had been receiving information about the probe on his Sidekick PDA, and the Secret Service didn't realize that T-Mobile's servers were easily penetrated. Paris Hilton learned the same lesson a few months later.

THE SOLUTION: If you're unsure about your service provider's security procedures, bring your mobile e-mail server in-house. Research in Motion sells an enterprise server for its BlackBerry handhelds, and Windows Mobile 5-based devices can integrate directly with your Exchange server. Urban pickpockets are also a danger, so encrypt sensitive data stored on the device itself.

Garbage and Dumpsters

THE PROBLEM: Recycling bins make life more pleasant for thieves by eliminating the messy job of separating office paper from the remnants of today's lunch. Single-cut shredders aren't much help; they simply create jigsaw puzzles that occupy the obsessive, meth-addled brains of desperate criminals.

THE SOLUTION: Padlock dumpsters and recycling bins, and outsource document destruction to a specialized company like Iron Mountain or Shred-It. Train employees to recognize sensitive data and dispose of it properly.

Corporate Intranets

THE PROBLEM: Internal websites are a great place to park company data, but a special kind of Web gateway called a proxy server can act as a revolving door for sensitive information. Several years ago an Internet prankster used an open proxy to tinker with a wire service story on Yahoo News and to access the New York Times's database of op-ed contributors.

THE SOLUTION: Configure all Web proxies as one-way doors so that Web requests can pass from your intranet to the Internet, but not vice versa. Use a security scanning program like the open-source Nmap to probe for open ports and unprotected servers.

Company Websites

THE PROBLEM: In 2004 the Hamilton County Court in Cincinnati discovered that the Social Security numbers of drivers who'd received speeding tickets were posted on its website. Elsewhere, private data has been cloaked - but easily revealed - in the HTML code embedded in companies' customer service pages. Worse, a common security hole called an SQL injection vulnerability enables hackers to slice into your back-end database. Resulting security breaches have triggered FTC actions against firms such as Petco and Guess Jeans.

THE SOLUTION: Know your site - how it works, how it manipulates data, and how it displays it. If it's too big to traverse in a day, hire experts to audit your exposure to security holes like cross-site-scripting vulnerabilities and SQL injection attacks.

PDF and Word Files

THE PROBLEM: In digital documents, "hidden" information may not be truly secure. In 2003 the U.S. Department of Justice released a PDF file of a workplace diversity report with heavy redactions - black blobs that covered sensitive portions of the text. The secrets didn't stay secret for long: The censored text was easily recovered by editing the file in Adobe Acrobat.

THE SOLUTION: Wise use of your word processor settings can limit the release of compromising document metadata, while PDF redaction software such as Appligent's Redax can keep you from inadvertently publishing a tell-all. The National Security Agency (which knows all about hiding secrets) has created a detailed how-to on cleaning files. Search Google for "Redacting With Confidence."


THE PROBLEM: Both Blue Cross and H&R Block have made the mistake of sending out mass mailings with customers' Social Security numbers printed right on the mailing labels. Inside your office, if your mail room and mailboxes aren't secure, neither are the sensitive documents that flow through them.

THE SOLUTION: Never use Social Security numbers as customer ID codes. Mail-room employees should be screened with the same diligence applied to IT hires, and mail rooms should be secured with locks. Consider replacing employee mail slots with lockable boxes from a company like Postal Products Unlimited.

Wi-Fi Access Points

THE PROBLEM: Some companies still leave their wireless LANs wide open to any user. That's fine for a coffee shop, but less so if you're concerned about broadcasting sensitive information to anyone within laptop range.

THE SOLUTION: New Wi-Fi gear is far more secure than the older stuff. Look for equipment with the Wi-Fi protected access (WPA) protocol, which uses stronger encryption and generates a different encryption key for each airborne packet. The best security is found in the sequel, WPA2, which has been included in all new Wi-Fi products since March.

Bulk E-Mail and Phishing

THE PROBLEM: The FTC's first computer-security action targeted Eli Lilly in 2002 after the pharmaceutical firm sent an e-mail to more than 600 consumers who'd expressed interest in the antidepressant Prozac. The problem? The company listed all the recipients in a single, unmasked "To:" line, allowing every recipient to see the entire list of their fellow depressives.

THE SOLUTION: Mass e-mails should be managed with considerable care. Combat phishing (fake e-mails designed to look as if they came from legitimate businesses) by requiring customers to visit your website to retrieve sensitive information. (Don't provide clickable URLs.) The Anti-Phishing Working Group, an industry coalition, maintains an updated list of the latest phishing techniques; check it frequently and adapt accordingly.
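One way to enforce the "no shared To: line" rule in a mailing script, as an added example that is not part of the original article: each recipient gets an individual message, and a pre-send check rejects anything that exposes more than one address. The function names, the one-address policy and the example.com addresses are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 1  # assumed policy: one visible recipient per outbound message

def build_individual_messages(sender, recipients, subject, body):
    """Build one message per recipient so no address is shown to anyone else."""
    messages = []
    for rcpt in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(msg)
    return messages

def visible_recipients(msg):
    """Addresses every reader of the message can see: the To and Cc headers."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(headers) if addr]

def check_outbound(msg):
    """Pre-send gate: refuse a message that exposes more than MAX_VISIBLE addresses."""
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE:
        raise ValueError(f"{len(exposed)} addresses visible in To/Cc; send individually")
    return True

# Constructed sample data (example.com addresses are placeholders).
SUBSCRIBERS = ["ana@example.com", "li@example.com", "sam@example.com"]

if __name__ == "__main__":
    for m in build_individual_messages("reminders@example.com", SUBSCRIBERS,
                                       "Your reminder", "Log in to view details."):
        check_outbound(m)
        print(m["To"])
```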


THE PROBLEM: Petty thieves love laptops. They're valuable, lightweight, and easy to sell. In one widely reported incident in May, the burglary of a Veterans Affairs employee's home resulted in the disappearance of a laptop and external hard drive containing personal information about more than 25 million veterans and active-duty military personnel.

THE SOLUTION: Microsoft's new Vista operating system will offer an AES-based hard-drive encryption scheme called BitLocker to protect stored files. Software from Pointsec will encrypt an entire hard drive, changing the Windows or Linux login screen to demand a password each time the machine is awakened or rebooted.

Backup Storage

THE PROBLEM: What could be safer than shipping your backup tapes to an offsite storage firm? That's what Time Warner (the corporate parent of Business 2.0 magazine) thought until an offsite data-security vendor lost a tape containing the names and Social Security numbers of 600,000 current and former employees. Backup tapes routinely disappear in transit - when they're not stolen outright from corporate offices.

THE SOLUTION: Encrypt sensitive data before sending it off to storage. To avoid having something "fall off the truck," transmit encrypted backups electronically, over a virtual-private-network link, to an offsite data center.

Cell Phones

THE PROBLEM: Today's cell phones are tiny computers with increasingly vast storage capabilities. The first generation of viruses and sneaky "Trojan horse" programs is just beginning to emerge. The Cabir virus, for example, targets phones that use the Symbian operating system, beaming itself to nearby devices via the Bluetooth link.

THE SOLUTION: Simpler is better: Disable features (such as Bluetooth or software downloads) that create extra vulnerabilities. Otherwise, get ready for a world where mobile phones require antivirus and anti-spyware programs.

Rogue Employees

THE PROBLEM: A 2006 survey by the FBI and the Computer Security Institute, an industry group, found that corporate security breaches originate inside organizations about as often as outside. Larcenous employees earn extra spending money by peddling company secrets and customer data, and newly terminated workers may be tempted to gorge on corporate secrets before they walk out the door for the final time.

THE SOLUTION: Keep sensitive customer information off intranet "common areas" - like promiscuously shared network drives - and behind access-control mechanisms that log every visit. Install an intrusion-detection system, like the open-source Snort software that sniffs your LAN for attack signatures inside the firewall. Seed databases with "honey tokens," false data entries that can be used to trace a theft back to the source.
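A sketch of the honey-token idea, added here as an example and not taken from the original article: each copy of the customer table is seeded with a fake record whose e-mail address is derived from a secret key and the name of that copy, so a leaked dump can be matched to the copy it came from. The key, the copy names and all rows are constructed for illustration.

```python
import hashlib
import hmac
import sqlite3

SECRET = b"constructed-demo-key"  # assumption: the real key is kept outside the database
SOURCES = ["crm-db", "billing-db", "contractor-export"]  # hypothetical copies of the data

def honey_email(source):
    """Fake address unique to one copy of the data; not guessable without SECRET."""
    tag = hmac.new(SECRET, source.encode(), hashlib.sha256).hexdigest()[:12]
    return f"j.marlowe.{tag}@example.com"

def build_copy(source, real_rows):
    """Create one copy of the customer table and seed it with its honey token."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", real_rows)
    conn.execute("INSERT INTO customers VALUES (?, ?)",
                 ("Jordan Marlowe", honey_email(source)))
    return conn

def dump(conn):
    """Stand-in for a stolen export: every row as one line of text."""
    rows = conn.execute("SELECT name, email FROM customers ORDER BY email")
    return "\n".join(f"{name},{email}" for name, email in rows)

def trace_leak(leaked_text, sources=SOURCES):
    """Return the copies whose honey token appears in the leaked data."""
    text = leaked_text.lower()
    return [s for s in sources if honey_email(s) in text]

# Constructed sample rows standing in for real customers.
REAL_ROWS = [("Ana Ruiz", "ana@example.org"), ("Li Wei", "li@example.org")]

if __name__ == "__main__":
    copies = {s: build_copy(s, REAL_ROWS) for s in SOURCES}
    print(trace_leak(dump(copies["billing-db"])))
```

Because the address exists nowhere else, any mail sent to it or any query that returns it is also a signal worth alerting on.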

Third-Party Contractors

THE PROBLEM: In late 2005 a Deloitte & Touche auditor left a CD-ROM on his airline seat. The disc contained the names, Social Security numbers, and investment details of more than 9,000 current and former employees of security vendor McAfee, a Deloitte client. Poor McAfee. If you can't trust a Big Four accounting firm, who can you trust?

THE SOLUTION: Handing off data to a contractor will always be a leap of faith. Limit the information you share, review security policies before doing business, and make contractors agree in writing to indemnify you if they're responsible for a security breach.

Fraudulent Customers

THE PROBLEM: Last year information broker ChoicePoint inadvertently made consumer dossiers available to a Nigerian identity thief living in Los Angeles who obtained files on 145,000 fraud targets before being busted by police. No computer hacking was involved - the crook simply posed as a legitimate small business.

THE SOLUTION: Know your clients. Verify that they possess requisite licenses or credentials (particularly for fields such as legal research, debt collection, or private investigations), and when possible, conduct corporate background checks and site visits.

Fax Machines

THE PROBLEM: In 2003, Mike Dosskey got so sick of receiving misfaxed medical records from nearby Providence Everett Medical Center outside Seattle that he complained to the local newspaper. In 2005 the hospital added fuel to the fire by mistakenly faxing confidential patient data directly to the Everett Herald. It happens: Transpose a couple of digits and your fax machine becomes a whirring, paper-spewing violation of federal patient privacy-protection laws.

THE SOLUTION: Fax machines are so 20th century. Enact policies that strictly govern any faxing of confidential data and appoint responsible employees in each department to act as fax masters. Computer-based fax servers make it easier to track transmissions and reduce the risk of mistyped phone numbers.

Kevin Poulsen is a senior editor at Wired News.