PowerNews: December 2011
Security Breaches—When, Not If
by Robin Tatam, Director of Security Technologies
“When it comes to breaches of security, it’s not a matter of ‘if’ but rather ‘when’.”
—Frank Abagnale
I’ve spoken to many audiences in my security career about how nothing good comes of the mindset that “it’ll never happen to me.” Unfortunately, I was reminded of my own vulnerability recently when I discovered that my beloved road bicycle had been “removed” from my (supposedly) secured underground garage. It’s not just the financial loss; it’s the lost confidence that I have in the security of the garage, and the guarded suspicion with which I now eye the other residents of my fairly small community. Although this type of crime is purely for material or financial gain, it tends to make you question the overall level of security, including your personal safety and that of your family.
I prefer to believe that the vast majority of people are good and honest, and the exceptions are those more driven by greed and selfishness. This personal event served as a good, albeit painful, reminder that it’s naive to assume that people won’t take advantage of a situation from which they might profit. Sometimes that situation might arise from an easy temptation; sometimes from a deliberate and planned act. But we need to assume that, sooner or later, it will happen to all of us.
Costs of a Security Breach
Data theft typically is harder to detect than traditional theft because stolen data continues to reside on the server it was taken from. The latest PowerTech “State of IBM i Security” study reports that more than 10% of IBM i systems still don’t use the auditing functionality included in the operating system. These companies have zero visibility into security-related events. Many of the others are collecting events, but for purposes other than security forensics, and many have no procedures or training on how to interpret the data they collect. This leaves only a small contingent that is proactively reviewing the logs and knows how to recognize and escalate a critical event.
When a corporate breach occurs, you experience many of the same emotions as in a personal loss. The initial panic of discovery can lead to confusion and, unfortunately, sometimes to blame. This can result in recrimination and even job loss. There are costs associated with the remediation and, according to the renowned Ponemon Institute, these costs now exceed $200 per record breached. If the breach requires disclosure to the affected parties, there’s likely to be an accompanying loss of confidence in the corporate brand and it’s tough to put an exact value on that. Sadly, we don’t put much credence on the costs to prevent, nor the costs to remediate and litigate, until we are in the unenviable position of paying for them.
How a Breach Occurs
A common misconception is that all breaches are initiated from outside the perimeter firewall, and are the result of a user operating with malicious intent.
The reality is that an estimated 60 to 70% of lost, stolen, or damaged data is caused by a user inside the network. After all, if a user profile and password are your primary security control, you probably have a large number of users who are able to access data—and not all via the approved application mechanism. Many data issues are the result of legitimate functions where the user was unaware they were causing an issue; for example, uploading a spreadsheet of data directly to a production file without realizing that the spreadsheet was a filtered view.
You should be aware that your regular business insurance may not cover losses incurred as a result of a data breach; especially if it’s determined that the root cause was inadequate security controls. This forces the organization to shoulder the full burden of the cost, which can run into millions of dollars.
The Best Defense
While no security infrastructure is ever 100% safe, you can keep your IBM i data from being the “low hanging branch” and make it more attractive for someone to pick a different target. A defense-in-layers approach makes it easier to detect and shut down events before they cause serious harm. This can include object-level security, network exit programs, application controls, and alerting and reporting tools. The more layers you deploy, the more you increase the likelihood that you will prevent—or at least detect—unauthorized activity before an unauthorized user gets at, or away with, the asset. Sure, it’s not free to implement a good security infrastructure, but I think it’s safe to say that, in the long run, it’s cheaper than the alternative.
We acknowledge:
It WILL happen to us eventually.
Oh, and if you’re wondering “Who is Frank Abagnale?,” you can see a dramatization of his life in the 2002 movie “Catch Me If You Can,” starring Leonardo DiCaprio and Tom Hanks. His life as a confidence trickster led to him becoming one of the world’s authorities on fraud.
