Who poses the bigger threat: staff or criminals?
Published: 10 March 2008 12:31 GMT
Putting a ring of steel around corporate data is only part of the answer. The real security threats may actually lie uncomfortably close to home, argues Stewart Baines.
Hardly a week passes without another big data breach - typically from laptops left in pubs and disks that go missing in the post. Most recently it was the news that government departments had lost more than 1,000 laptops over the past 10 years.
Countless more sensitive files must be lost every day on USB drives when someone downloads accounts records to work from home but mislays the flash drive en route or emails it to the wrong address. Storage is so cheap that it is almost disposable yet the cost of data breaches is rising significantly.
A study by the Ponemon Institute, sponsored by PGP Corporation and Symantec, examined the costs incurred by 21 UK businesses after experiencing a data breach. The breaches varied from 2,500 records to more than 125,000 records from eight different industry sectors.
The study found that the total average cost of a breach reached £47 per record. Detection and escalation account for £15 per record, ex-post response for another £15, and the largest cost is loss of business at £17 per record. The cost of notifying customers, on average £1, was the least significant because there is no legal requirement to notify.
Because of this, we don't know how many corporate data breaches there really are. Companies in the UK are not typically required to disclose a data breach and are disinclined to do so if it impacts customer confidence.
The massive breach that retailer TK Maxx suffered is a good example. Thieves hacked into the company's wi-fi network regularly between 2005 and 2007, stealing 45 million credit card details, many of them belonging to UK customers.
This only made news in the UK because the US parent TJX was obliged to disclose. The Privacy Rights Clearinghouse tracks US security breaches and makes for interesting reading.
Even if breaches were discovered and disclosed, half of companies would not be able to find the culprit. Of 482 large businesses surveyed by Computer Associates, 62 per cent were holding sensitive, regulated data such as credit card details or health records. Only 32 per cent had a record of who accessed this data. Just 40 per cent even knew who had access rights.
Finding the cause
So what are the typical causes of these breaches? In Symantec's study about one-third are lost laptops and USB drives and one-quarter are paper records. Most of these are mistakes, but that does not preclude an opportunist exploiting the breach if the data falls into the wrong hands.
Michael Small, director of security management strategy at Computer Associates, says: "Malice, misuse and mistake. We always read about malice but breaches are just as likely to be misuse or mistake. Look at the HMRC case, for example."
Twenty-five million child benefit records were lost in the post between HMRC and the National Audit Office. Not only was the data not encrypted on the CDs, the National Audit Office had only requested three pieces of information - the names of the children, their addresses and their National Insurance codes.
But because HMRC decided it would be too costly to get the contractor to create a new field for the databases, it sent the entire claimants file over, including the bank account details of seven million parents and guardians. The CDs are still missing.
Small says: "An awful lot of what went wrong was misuse compounded by mistake. Data should only ever be available to people who have a need to access it - the principle of least privilege. That did not happen in the HMRC case. In general, companies tend to keep more data than they need or they store it inappropriately."
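The two failings the article describes, handing over more fields than the recipient needed and having no record of who accessed the data, can both be checked mechanically at the point of export. The following is an added illustration, not code from the article or from any of the organisations named in it. It models a recipient that is entitled only to a named subset of fields: an export must hand over those fields and nothing else, and every release is written to an audit log. The record layout, field names, recipient name and sample rows are all constructed for the example and are not HMRC's schema.

```python
"""Added example: least-privilege data export with an audit trail.

A recipient is entitled to an allowlisted set of fields. An export that
asks for anything outside that set is refused outright rather than
silently widened, and every successful release is logged with who
received which fields and how many records.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample records. Field names are an assumption for this
# example, not a real claimant database schema.
CLAIMANTS = [
    {"child_name": "A. Example", "address": "1 Example Street",
     "ni_number": "AB123456C", "bank_sort_code": "00-00-00",
     "bank_account": "12345678"},
    {"child_name": "B. Example", "address": "2 Example Street",
     "ni_number": "CD654321E", "bank_sort_code": "11-11-11",
     "bank_account": "87654321"},
]

# Need-to-know allowlist: which fields each recipient may receive.
# "audit_office" is a hypothetical recipient name.
ENTITLEMENTS = {
    "audit_office": {"child_name", "address", "ni_number"},
}


class NotEntitled(Exception):
    """Raised when a request asks for fields outside the allowlist."""


@dataclass
class AuditLog:
    """In-memory stand-in for a tamper-evident access log."""
    entries: list = field(default_factory=list)

    def record(self, recipient, released_fields, count):
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "recipient": recipient,
            "fields": sorted(released_fields),
            "records": count,
        })


def export(records, recipient, requested_fields, audit):
    """Return only the requested fields, and only if every one is allowed.

    Unknown recipients are entitled to nothing, so any request from them
    is refused. Refusals are not logged as releases because no data left.
    """
    allowed = ENTITLEMENTS.get(recipient, set())
    requested = set(requested_fields)
    excess = requested - allowed
    if excess:
        raise NotEntitled(f"{recipient} is not entitled to {sorted(excess)}")
    # Build new dicts containing only the allowed, requested fields so
    # that no unrequested column (e.g. bank details) can leak through.
    released = [{name: row[name] for name in requested_fields} for row in records]
    audit.record(recipient, requested, len(released))
    return released


if __name__ == "__main__":
    log = AuditLog()
    rows = export(CLAIMANTS, "audit_office",
                  ["child_name", "address", "ni_number"], log)
    print(rows)
    print(log.entries)
    try:
        export(CLAIMANTS, "audit_office", ["child_name", "bank_account"], log)
    except NotEntitled as exc:
        print("refused:", exc)
```

The design choice worth noting is that the check is an allowlist on the recipient, not a blocklist on sensitive columns: a new column added to the source table later is withheld by default rather than shipped by default, which is the failure the article describes.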
Another internal threat is that of exploitation, warns Small. People with access to confidential data can be encouraged through blackmail or a con trick to divulge it to outsiders.
Or they may not even be aware they are giving out confidential data - social engineering has evolved into an art form in recent years. Small says: "The most fallible part of any security system is always the person, not the technology. PCs do what they are asked to do."
The Symantec report shows that data breaches may often be accidental but increasingly malice plays a part. Twelve per cent of breaches it investigated involved some form of malicious intent, whether an insider, malicious code or hacked systems. These breaches will inevitably lead to the data being abused and thus cost the company far more than if it were genuinely lost.
The enemy outside
Among all the spam and spyware inveigling its way onto the hundreds of millions of internet-connected PCs, there is an array of nasty code intent on compromising machines in increasingly complex ways to extract sensitive company data. What's different about the internet threats, as opposed to internal ones, is that they tend to be indiscriminate.
Greg Day, security analyst at McAfee, says: "Most companies don't know how they will be attacked. And anyone can do it by using tools like MPack. They are tried and tested and very successful."
Toolkits like MPack are democratising malware. MPack first appeared in 2006 and is now updated with new vulnerabilities and scripts most months by its Russian creators, and is sold commercially along with technical support. Day says: "It's very smart and has an extremely simple-to-use interface. MPack contains everything you need to set up a spoof website or hack an existing one and send out phishing emails extremely quickly."
MPack can deliver a payload like a keylogger or compromise a machine without the user knowing. You don't need to be a qualified programmer to use it. Consequently these toolkits are opening the threat market up to more people, and perhaps to those less discriminating about how they conduct their nefarious behaviour.
Vulnerable
There have never been so many ways to penetrate systems. Vulnerabilities in common applications are easily found on the web at sites like Milw0rm. Among ethical hackers there is a process of responsible disclosure. If a vulnerability is discovered, the application developer is notified and only when a patch is ready does the discoverer publish the vulnerability.
Ethical hacker Tony Fogarty, a principal IT consultant at DNV IT Global Services, says: "If you want to hack a company, you can target a specific person for spearphishing. Maybe you find their LinkedIn profile. You send them an email from what looks like one of their contacts and they are more likely to click the link to a spoofed website or open the file that delivers a payload that compromises their machine."
According to brand protection firm MarkMonitor, in 2007 there were 323,079 reported phishing attacks, four times the number in 2005. And network security company eSoft reports that the number of sites seeking to install malicious software on an end user's computer has doubled in the past year.
So companies not only face a problem from breaches within the organisation, they face untraceable threats from without. Often, unwittingly, the two combine as social engineering encourages internal staff to install the payload that opens up a breach in data security. But whether it is malice, misuse or mistake, data security is under constant threat.