Printed from BusinessInsurance.com

Simple yet overlooked IT security path: Make sure 'mundane' fixes are made

Posted On: May 20, 2007 12:00 AM CST

In an interview with Business Insurance Associate Editor Gloria Gonzalez, Alan Brill, Secaucus, N.J.-based senior managing director for technology services at information security firm Kroll Inc., a unit of Marsh & McLennan Cos. Inc., discussed both common and unusual security breaches that corporations face and the importance of taking basic precautions to protect sensitive corporate and customer data.

Q: What are the most common types of security breaches you've seen?

A: Typically, the things that go wrong are common, easy to understand and very often easy to fix. We find time and time again that companies that have suffered losses--maybe a loss of highly proprietary information, maybe a loss of sensitive personal information--that when we do a root-cause analysis to figure how it could have happened, we'll discover something like failure to update patches on all the systems. Now that seems like something that's extremely mundane...but it turns out that things like that are very, very important.

Q: Are there basic steps companies should be taking to safeguard their data?

A: The first is to assume that it can happen to you. You need to do the basics. We were dealing with one organization, a financial services company, and we talked to them about surveying their headquarters building to determine if they had any wireless security problems. Well, they assured us that that was a waste of time because they didn't run any wireless systems. We decided to check anyway and we found a very, very strong unsecured wireless signal. And we were able, in fact, using our analytics software to intercept the packets that were going across that circuit and determined that it was very confidential corporate data.

One of their executives decided to reposition the desk in the office. He did not want to have wires running across the carpet...went to a local store, bought a $20 access point, plugged it into the wall and suddenly opened up the company's network to anybody within about a three-block radius. It's that kind of thing that goes wrong.

Q: What are the key elements of a security breach that companies should watch out for?

A: The first thing to watch out for is how you store and protect data. You should be asking yourselves why you collect every piece of information you collect. Do you really need it for a business operational purpose? If you're not using it, don't collect it. If you do use it and you do need it, make sure that you're using it for an appropriate purpose, that you're using it accurately and effectively, and that you only keep it as long as it's needed.

Once information is no longer needed, particularly sensitive information, keeping it represents 100% risk and 0% reward.

Q: Have there been any unusual security breaches that you've seen that are or could become a little more common?

A: Certainly, the thing that we're seeing more than anything else is the breaches of sensitive personal information. We had a case recently in which we were called by a financial services company and they told us that they had reason to believe that a laptop had been stolen that had over a quarter of a million sensitive personal financial records on it. We went in and looked at the actual electronic evidence and we determined that they had jumped to a conclusion.

They thought that the machine that was stolen had the data. When you looked at the records, it turned out that that data had been placed on a different machine that was still there and the incident never occurred.

Similarly, we had a company that called us that thought it had an information loss of 250,000 credit cards. They assumed that the company that provided their software had encrypted everything and it came as something of an unpleasant surprise when their IT people discovered that it was not encrypted.

Q: Have you found that companies have had problems--either correcting the breaches or trying to compensate for the fact that there have been breaches--criminally or civilly?

A: We had one client, a financial services company, that had...a hacker get through their firewall. They thought that the firewall had closed off certain holes that a hacker could get into, but because of the way their code was written, the hole had been reopened. And we showed them how to fix it.

About four months later, we get another call from the same organization and we go there and discover they had another breach, a lot more serious this time. When we do the root-cause analysis, we discovered they never fixed the hole and the next hacker came through the same well-documented, well-understood and very fixable hole.

Q: Describe some of the more unusual security breaches you've seen.

A: We get some that actually make you shake your head--people who believe what they're told even when it doesn't make sense. Somebody is told that a visitor has shown up and is picking up the laptop of a vacationing executive. They give it to them. They walk out the door and you later discover that the executive didn't expect anybody to be picking up their laptop. It just got stolen with all of the company's information on it.