Thursday, August 24, 2006
Privacy Predicament: How To Protect Customers' Data
Jennifer McAdams
August 07, 2006 (Computerworld) The Philadelphia Stock Exchange flows 300 million stock quotes per day over an electronic trading system at rates that climb as high as 20,000 quotes per second during peak periods. The system also churns out extremely sensitive trading reports packed with proprietary customer information that must be stringently guarded from outside attacks and unauthorized internal access.
And beefing up security isn't the only challenge facing IT executives at the PHLX. Stock-trading information must be accessible to customers at all times. Therefore, the PHLX streams stock quotes, a practice that requires technology officials to comb the system constantly for attacks. Security measures include alarms and triggers so sensitive that even benign cases of runaway streaming will mimic denial-of-service attacks and kick off a series of safeguards.
Like most other large organizations, the PHLX is armed with firewalls, intrusion-prevention systems (IPS) and elaborate audit trails. The goal is air-tight security -- and reaching that goal is a daunting challenge, considering the complex infrastructures that exist in most big organizations.
"We have placed layers and layers of multiple vendor products to surround our networks with so much protection that we have created a defense akin to the Castle Keep," says Bernard Donnelly, vice president of the PHLX's quality assurance group.
But those safeguards deal with only part of the threat. "Don't become so overly focused on keeping intruders out that you leave yourself vulnerable to internal threats," says Donnelly.
Employees can walk out the door with gigabytes of sensitive data on tiny removable storage devices. Often overlooked are everyday occurrences, such as loud cell-phone conversations that reveal too much in public places like airports, says Eileen Hasson, president of The Computer Company Inc., an IT services firm in West Hartford, Conn.
Sadly, there's no one-size-fits-all model for protecting private information. The good news is that IT officials can learn from people in industries on the front lines of guarding precious customer information. "There are no guidelines for enterprises, except perhaps those being adopted by financial services and health care industries," says Hasson. Those industries are leading the way on privacy protection because the stakes are so high for them.
"Failing to comply with HIPAA mandates regarding protected health information has severe penalties and would not only compromise but cripple our business," says Gary D'Amato, systems manager at Health Access Solutions, a Foster City, Calif.-based provider of IT services to the health care industry.
THE ARSENAL
Bernard Donnelly of the Philadelphia Stock Exchange says that organizations that are serious about protecting customer information should have the following technologies in place:
- Automated audit logs to collect information from all platforms
- Software to distribute security policies electronically
- Tools to authenticate internal and remote users
- Packages to protect USB ports for LAN PCs
- Intrusion-prevention system capabilities
- Antivirus software for the LAN environment
- Software designed to keep internal users from sites laden with malware
- Patch management products
- Systems to compare sensitive files and track changes
- Encryption
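The "systems to compare sensitive files and track changes" item above is, at its core, a hashed baseline plus a diff. The following added example (not code from the article or from any vendor it names) builds such a baseline over a directory of constructed sample files, alters the directory, and reports what was added, removed and modified.

```python
"""File-integrity baseline and change tracking.

Added example, not code from the article or from any vendor it names. It shows
the idea behind "systems to compare sensitive files and track changes": hash
every file under a sensitive directory into a baseline, then compare a later
scan against it and report added, removed and modified files.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 hex digest of a file, streamed so large reports fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (POSIX path relative to root) to its digest."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": file_digest(path), "size": path.stat().st_size}
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Files added, removed and modified between two baselines (sorted lists)."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(
            k for k in old_keys & new_keys if old[k]["sha256"] != new[k]["sha256"]
        ),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist a baseline. Keep it off the monitored host or sign it: a baseline
    an intruder can rewrite proves nothing."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a directory, alter it, re-scan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "trades.csv").write_text("acct,qty\n1001,500\n")
        (root / "policy.txt").write_text("retain 7 years\n")
        before = build_baseline(root)
        # Simulated unauthorised changes: one file edited, one deleted, one new.
        (root / "reports" / "trades.csv").write_text("acct,qty\n1001,5000\n")
        (root / "policy.txt").unlink()
        (root / "notes.txt").write_text("scratch\n")
        return compare_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the scan runs on a schedule and the diff feeds the audit log, so a change to a sensitive file is recorded with a time even when no one is watching.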
Follow the Leaders
At Care New England Health System in Warwick, R.I., compliance with the Health Insurance Portability and Accountability Act centered on an exhaustive gap analysis of the organization's computer network and major penetration testing -- an elaborate exercise that often frames corporate security plans, says IT Security Manager Larry Pesce.
Gap analyses entail top-to-bottom reviews of security policies and often wrap in all rules and regulations imposed on a particular organization. In Care New England's case, the analysis started with mapping HIPAA mandates to internal security policies and procedures. It soon became evident that the organization's security mechanisms fell short of HIPAA requirements. Security audits were in order, says Pesce.
"I knew the only way to get the audit results I needed would be to start performing regular penetration testing," says Pesce. "From my experience, I knew that would give me the most accurate view of the network and provide me with the precise audit information I would need."
However, Care New England's gap-analysis efforts proved onerous. "Manual testing placed a tremendous strain on my limited budget and resources," Pesce says. "It was time-consuming to write exploits, ensure they were safe to run, perform the attack, and update and manage the process." Finally, he eased these burdens by adopting Core Impact, an automated testing framework from Core Security Technologies in Boston.
Core Impact is a series of agents and modules that scour a network for security weaknesses. A common user interface or console triggers Core Impact programs that then activate specific modules to perform operations such as packet sniffing or scanning of active ports. Core Impact modules are written in the object-oriented Python programming language to lessen the learning curve for those running the network tests. The modules dump testing data and activity logs into a centralized repository, which is able to recognize different operating systems and open ports.
"We were able to determine what security procedures and products were doing their job and protecting us. We were also able to find out what areas could be improved," Pesce explains.
Turning to IPS
After gap-analysis exercises, many large organizations first turn to an IPS to block sneak attacks, says Ted Demopoulos, a security consultant who works with institutions such as investment firm T. Rowe Price Group Inc.
When considering IPS technology, however, it's wise to check out many options and to think about the reams of information such systems will churn out.
"A lot of people are looking at IPS because it is a hot technology, and a lot of other people are adopting it," says Demopoulos. "But you have to keep in mind that these systems will generate large log files of all the things that might have been intrusions. The problem many times is that there is no one there to look at all the data these systems are creating."
Choosing an IPS that's easy to put in place and begin using is crucial, according to Howard Scott, IT director at Merscorp Inc., a mortgage processing company in Vienna, Va. Merscorp picked NitroGuard IPS, a system offered by NitroSecurity in Portsmouth, N.H.
NitroGuard is designed to examine and protect enterprise networks from viruses, worms, spyware, denial-of-service attacks and other threats. The system depends heavily on a large library of behavioral anomalies. It includes technology called a security event aggregation and correlation engine that's designed to sift through a multitude of events every second. It supports encrypted in-band secure management channels in order to slip into a configured network without customization.
"I've modified the rules and switched back to the default configuration with no problems. I can quickly turn on blocking, once the traffic-monitoring phase is complete," says Scott.
Many general-use hardware and software systems are already bundled with security features, but they are often underused by systems administrators. "I highly recommend that corporations make sure they are configuring their equipment to make the most of the features that come free with the stuff," says Hasson.
When it comes to proper configuration, what you don't know can hurt you, says Tim O'Pry, chief technology officer at The Henssler Financial Group in Kennesaw, Ga. When Henssler IT personnel asked users whose systems were exploited why they hadn't patched or configured their systems to prevent an attack, the most common response was, "I didn't know," he says.
There is plenty of blame to go around when patches prove outdated or improperly configured, says Dan Lukas, lead security architect at Aurora Health Care in Milwaukee. "Patches and updates are usually not maintained, as no one from the enterprise wants to take on the extra task of managing these devices," he says. "Many times, the vendor won't even allow anyone else to touch these devices, which poses an increasing security risk."
PHLX's Donnelly recommends a patch management tool and says the exchange uses HFNetChkPro from Shavlik Technologies LLC in Roseville, Minn. HFNetChkPro pushes patches necessary to secure a variety of Windows systems, as well as automatically patching products such as WinZip and Apache.
Keeping outsiders at bay with up-to-date patches, IPSs, antivirus software and other protections, however, is not enough, Donnelly says. Internal users can pose lethal security threats. As many as 80% of security breaches can be traced to insiders, if you count incidents involving staffers, consultants or vendors, says Christopher Paidhrin, a senior security engineer at ACS Healthcare Solutions, a unit of Affiliated Computer Services Inc. in Dallas. "Auditing for abuse by legitimate workers is the challenge," he says.
There's a slew of products designed to map changes to crucial documents and provide detailed logs on the activities of workers who have access to corporate information. For instance, Alameda Hospital in Alameda, Calif., traces access to user credentials, rather than IP addresses or other equipment identifiers, using the Identiforce appliance from Applied Identity Inc. in San Francisco, says Robert Lundy-Paine, the hospital's systems administrator.
"Since we base access on the user, we can be sure that this user accessed this protected resource at a specific time," Lundy-Paine explains. Identiforce cranks out detailed event logs, making it easier to put together compliance reports and analyze incidents. "The appliance allows us to capture activity through the device to a log file based on easy-to-configure parameters," he says.
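An added example (not code from the article, the hospital or Applied Identity) of what attributing access to user credentials rather than IP addresses looks like in practice: constructed key=value log lines are parsed, summarised per user and protected resource (one user's two source addresses collapse into a single user record), and accesses outside a constructed entitlement table or business hours are flagged for review. The log format, user names, resource paths and entitlement table are all assumptions.

```python
"""User-centric access audit.

Added example, not code from the article or any product it names. Access
events are keyed on the user credential rather than the source IP, so the
report can state "this user accessed this protected resource at this time",
and accesses that fall outside a user's entitlements or business hours are
flagged for a reviewer.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed log lines in a simple key=value format (not any real product's format).
SAMPLE_LOG = """\
ts=2006-08-07T09:12:03 user=jdoe src=10.1.4.22 resource=/records/patient/4471 action=read
ts=2006-08-07T09:12:41 user=jdoe src=10.1.4.22 resource=/records/patient/4472 action=read
ts=2006-08-07T13:05:10 user=msmith src=10.1.9.8 resource=/billing/claims action=read
ts=2006-08-07T23:48:55 user=msmith src=10.1.9.8 resource=/records/patient/4471 action=read
ts=2006-08-07T10:02:17 user=jdoe src=10.1.4.30 resource=/records/patient/4471 action=read
ts=2006-08-07T22:30:00 user=jdoe src=10.1.4.22 resource=/records/patient/4473 action=read
"""

# Constructed entitlement table: resource prefixes each user is permitted to reach.
ENTITLEMENTS = {
    "jdoe": ("/records/",),
    "msmith": ("/billing/",),
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_event(line: str) -> dict:
    """Parse one key=value log line; the timestamp becomes a datetime."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def parse_log(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def access_report(events: list) -> dict:
    """Per user, per resource: access count, first/last time and source addresses."""
    report = defaultdict(dict)
    for ev in events:
        entry = report[ev["user"]].setdefault(
            ev["resource"], {"count": 0, "first": ev["ts"], "last": ev["ts"], "sources": set()}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], ev["ts"])
        entry["last"] = max(entry["last"], ev["ts"])
        entry["sources"].add(ev["src"])
    return dict(report)


def flag_events(events: list, entitlements: dict, hours=BUSINESS_HOURS) -> list:
    """Return (event, reason) pairs for accesses a reviewer should look at."""
    flagged = []
    for ev in events:
        allowed = entitlements.get(ev["user"], ())  # unknown user: nothing allowed
        if not ev["resource"].startswith(allowed):
            flagged.append((ev, "resource not in user's entitlements"))
        elif not (hours[0] <= ev["ts"].time() <= hours[1]):
            flagged.append((ev, "access outside business hours"))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, resources in access_report(events).items():
        for resource, entry in resources.items():
            print(f"{user} accessed {resource} {entry['count']}x "
                  f"({entry['first']} .. {entry['last']}) from {sorted(entry['sources'])}")
    for ev, reason in flag_events(events, ENTITLEMENTS):
        print(f"REVIEW: {ev['ts']} {ev['user']} {ev['resource']}: {reason}")
```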
Auditing tools designed to trace internal activity abound, but few instances of data compromised by employees turn out to be malicious. "Fifty-nine percent of the organizations we surveyed recently indicated that their last security breach was due to human error alone," observes Brian McCarthy, chief operating officer at the Computing Technology Industry Association, reporting the results of a recent poll of 574 organizations by Chicago-based CompTIA.
Human errors also mark incidental mistakes, such as those surrounding efforts to dispose of unwanted IT assets. "Consider that even a fax machine ink roll is a potential risk," says Vera Lewis, vice president of SoCal Computer Recyclers Inc., an e-waste removal company in Harbor City, Calif. Most companies are not even aware of regulations for the disposal of sensitive data, such as those contained in the Fair and Accurate Credit Transactions Act, she says.
In the end, it's the corporate IT team that has consciously examined its security risks from top to bottom that stands to lose the least, says Ira Winkler, president of Internet Security Advisors Group and a Computerworld.com columnist. "Most corporate intelligence losses are not the result of high-tech crime," he says. "They are the result of human errors or system loopholes that can be easily and cost-effectively remedied."