Leaving No Escape

IT, physical security need to develop joint solutions to plug vulnerable escape holes

• By Patrick Peterson
• May 02, 2007

TODAY’S biggest security risk is loss of corporate data. This vulnerability originates from two unrecognized paradigm shifts—dissolution of the corporation’s physical and network perimeter and spyware-based data theft.

These two paradigm shifts can be examined by looking at four data security incidents. The incidents will help to provide two solutions to minimize the risk of data loss: a new unified approach to IT and physical security and the need for advanced defenses against spyware.

Data Beyond the Perimeter
On July 9, 2005, Iron Mountain reports the second loss of backup tapes in two months. Time Warner revealed tapes containing data, including names and Social Security numbers, on 600,000 current and former employees disappeared in March while being shipped to an offsite storage facility operated by Iron Mountain.

The incident is a clear indictment of segmented IT and physical security. IT security was doing its job—policies and access controls limited access to the data on the corporate network. Physical security restricted access to physical records and had systems in place to prevent theft of hundreds of boxes of employee records. But when the data was written to tape, the gap between the two groups left the data vulnerable.

IT and physical security failed to recognize the data needed to be protected beyond the physical and network perimeter of the corporation. The two groups must share responsibility for the full lifecycle of corporate data, inside and outside of the corporate perimeter. IT security needs to understand the risks, even when the data becomes a physical item, and physical security needs to understand the real risk to the company of a particular physical media, and put appropriate safeguards in place based on business risk.

Employees Beyond the Perimeter
In May 2006, the Veterans Administration reported a second data security incident in four months. A VA employee took home a laptop computer that included personally identifiable information on millions of veterans. The employee's home was burglarized, and the computer equipment, along with various other items, was stolen. This employee’s actions violated VA policies.

While IT had policies against taking the laptop home, officials allowed the data to be unencrypted on a portable device and had no means to detect the missing laptop. Meanwhile, physical security had no way to treat this employee and his laptop differently from thousands of others without valuable data that leave the facility every day. Both groups must realize the necessity for IT and physical security to work together in identifying high-value data sets and protecting against data loss together.

Spotlight on Spyware
IT security has spent many years securing the network perimeter with firewalls, intrusion detection, intrustion prevention and other perimeter-centric solutions. But a new breed of innovative, profit-seeking criminals have developed advanced attacks that infiltrate the perimeter, take over a personal computer and steal data from within the network. Most corporations’ defenses against these type of attacks are non-existent.

Spyware is software that infects the corporate PC and allows the criminal to use it for malicious purposes. The spyware software can be contained in a virus-laden e-mail or downloaded from a Web site. Since users are constantly browsing the Web, downloading executables and running active content, such as ActiveX and JavaScript, they are vulnerable to social engineering attacks that trick them into intentionally downloading spyware disguised as a free game, screensaver, performance enhancer or even free anti-spyware software. Criminals also attack weaknesses in legitimate Web sites, install spyware and then infect visitors who visit the legitimate site. This occurred recently when criminals hacked the NFL’s Miami Dolphins Web site and used it to infect visitors to the site immediately before the Super Bowl.

This problem is often underestimated by security professionals. Analysis by IronPort’s threat operations center revealed more than 48 percent of corporate PCs were infected with some type of malware. While the less-damaging adware and tracking cookies were most prevalent, Trojans, keyloggers and system monitors represented 7 percent of the infections. Spyware with Trojans, keyloggers and system monitors are extremely dangerous because the technology steals corporate data, including files, keystrokes and passwords. These corporate secrets are often transferred using standard HTTP communication virtually indistinguishable from normal Web browsing. Company officials are only beginning to realize they can have widespread infections without symptoms appearing in anti-virus systems, PC reliability or IDS.

Corporate Espionage in Israel
In May 2005, top executives of Israel’s leading companies were arrested for corporate espionage. Engineer Michael Haephrati developed spyware that would log keystrokes and allow remote users to control an infected PC. Leading Israeli private investigation agencies purchased this spyware, infected corporations, obtained corporate secrets and sold them to competitors. The spyware was delivered to victims via e-mail or via CDs sent through mail. When the victim clicked on the e-mail attachment or inserted the CD, their PC would become controlled by the private investigator.

Of special note is how the spyware-laden CD attacks physical security. Physical security wouldn’t allow a stranger to access an employee’s PC, but anonymously shipped CDs can enter corporations without restriction. Also note the targeted nature of the attack. The spyware was not distributed to everyone, but only to specific employees at targeted companies. Third is the fact the widespread attack was not detected by corporate security departments. It was only detected when Haephrati used the same technique to steal data from his father-in-law and post it online. His father-in-law’s law enforcement tip was the key to detecting the espionage.

Business Destroyed by Spyware
In September 2005, CardSystems was sold to CyberSource after hackers compromised servers with data on 40 million customers. In the largest security breach in history, spyware at CardSystems led directly to the destruction of the business. CardSystems was processing more than $18 billion worth of transactions annually when cybercriminals installed spyware that secretly captured consumers’ credit card information. The data breach was not detected by CardSystems, but rather by Australian banks during fraud investigations. It took almost nine months for CardSystems to fix the problem, and subsequent press coverage destroyed the business.

Corporations must address critical data security risks by forcing IT and physical security to take a holistic approach and develop joint solutions. IT security needs to understand the spyware problem and identify the technical solution to detect data theft and stop spyware infections.