Corporate data vulnerability testing.

Core Security Technologies : 15 April, 2008  (Technical Article)
Core Security Technologies examines the risks associated with corporate data loss and emphasises the need not only to implement preventive measures but also to test that they are effective.
Today, highly interconnected corporate information systems open the door to significant threats to customer records, financial data, critical infrastructure and other sensitive assets. Once the territory of hobbyists seeking bragging rights, cybercrime is now a big business that brings severe costs to US organisations and consumers alike. Consider the following statistics:

* Over 223 million records containing sensitive personal information have been exposed by security breaches since January 2005. (Privacy Rights Clearinghouse, April 10, 2008).

* In 2007, organizations reported an average annual loss of $350,000 due to data breaches - a 108% increase over 2006. (2007 CSI/FBI Computer Crime and Security Survey).

* Compromised bank account credentials and credit card numbers are now so prevalent that they are selling on the black market for as little as $10 and $0.40, respectively. (Symantec's Internet Security Threat Report (ISTR), Volume XIII).

All you need to do is pick up the morning paper to witness the fallout from the latest data breach, and compromised organisations are increasingly being held liable. According to the Ponemon Institute's "2007 Annual Study: US Cost of a Data Breach," the percentage of data breach costs spent on legal defence grew from 4% in 2005 to 8% in 2007, indicating increased legal action in response to information security incidents.

Nowhere are the legal ramifications more evident than in the case of TJX, which experienced the largest data breach in history at the time, affecting over 100 million credit and debit card accounts. In a recent settlement with VISA USA, TJX will pay a maximum of $40.9 million to fund an alternative recovery payments programme for customers affected by the breach. At least 19 lawsuits have been filed, and investigations are underway by the Federal Trade Commission and 37 state Attorneys General.

In January, data broker ChoicePoint agreed to pay $10 million to settle a class-action suit over the theft of 163,000 personal information records in 2004. This was on top of $15 million in civil and consumer penalties and $500,000 to settle lawsuits brought by 44 state Attorneys General. Other data breach cases against Sears, Hannaford Bros. and other organisations are still pending.

High-profile breaches like these have spurred many corporate leaders into action. In an attempt to hedge their information security risks, many organisations are piling on defensive technologies and rolling out awareness policies to email users. Despite all this, the frequency and cost of data breaches continue to mount. It is clear that something isn't working, and many organisations have a hard time identifying what that "something" is. In fact, some don't even try.

As recently as a few years ago, organizations could effectively bury their heads in the sand when it came to security assurance, since there were few efficient ways to test security against real-world threats. As long as companies put up a few virtual fences and published email usage guidelines for employees, they were "secure enough" - and many still believe this.

The 2007 CSI/FBI Computer Crime and Security Survey reports that 12% of respondents don't make any effort to evaluate the effectiveness of their security technologies, and 35% do nothing to measure the effectiveness of their awareness training. Short of experiencing an actual breach, many organizations still aren't clear on whether their information is actually secure in the face of real-world risks. Unfortunately, when it comes to information security, what you don't know can indeed hurt you.

The success of the TJX suit and others like it sounds the death knell for plausible deniability as a defence for succumbing to a data breach. It is no longer enough to deploy security measures and then simply hope that they work. Today, corporate leaders must always be prepared to answer questions about their information security posture, such as:

* "If we were targeted with an attack, would we be able to prevent it? Could we even detect it?"

* "Are our employees following email security policies and procedures?"

* "Do our defences really work? How do we know that we're truly secure?"

In addition to getting clear visibility into their overall security postures, organisations need a way to get actionable data for identifying and addressing the specific security weaknesses that can pose immediate risks to their operations.

Tools are now available that can give you critical insights into your organisation's readiness to detect, prevent and respond to actual data breach attempts. These security testing or "vulnerability management" products include vulnerability scanners, patch management applications and penetration testing applications.

* Vulnerability scanners allow your security department to get an idea of which known security holes might exist on the systems making up your IT infrastructure.

* Patch management applications automate the process of acquiring, testing and applying software updates to fix vulnerabilities.

* Penetration testing applications test your organisation's servers, end-users and web applications against real-world threats using the same techniques as attackers, but in a safe and controlled manner. Penetration test results identify specific, exploitable security weaknesses and provide critical data that assists with remediation. These applications give you the closest thing to a final word on whether your organisation is secure or not, with one caveat: a clean result shows that the attack paths exercised during the test did not succeed, not that no other weaknesses exist.

Other types of testing applications exist, but these three represent the cornerstones of a complete security assurance program.

Security testing products are most effective when they are used on a regular, consistent basis, since the threat environment is constantly evolving and new vulnerabilities are discovered every day. For instance, Symantec detected over 700,000 new malicious code threats in 2007 alone (up from 125,000 in 2006). Bringing testing in-house therefore makes sense, even for organisations that already commission quarterly or annual tests by third-party consultants. Data breaches are a 24x7 threat, and in-house testing helps you to maintain visibility into your security posture between those external assessments.

By proactively testing your security on a regular basis, you practise a level of due diligence that will be increasingly required by the courts and is now mandated by many industry and government regulations, including PCI DSS, SOX, HIPAA and GLBA. Not only does security testing help you maintain compliance and avoid negligence, it also makes sense for the overall stability of your organisation and the financial safety of your customers.