July 4th, 2007

As goes Ohio, so goes the country

Posted by Ryan Naraine @ 6:19 pm

Categories: Botnets, Browsers, Data theft, Firefox, Google, Hackers, McAfee, Microsoft, Open source, Passwords, Patch Watch, Pen testing, Privacy, Responsible disclosure, Viruses and Worms, Vulnerability research, Wi-Fi security, Zero-day attacks

Tags: Security, Network, Data, Data Leak, Backup, Access Control, Ohio, Ryan Naraine

* Ryan Naraine is on vacation.

Guest Editorial by Paul F. Roberts

What do 225,000 Ohio taxpayers, 64,000 state employees and 600 lucky holders of winning lottery tickets have in common? They were all unlucky enough to have some of their personal information — names, social security numbers, and bank account numbers — stored on a “data backup device” in the back seat of 22-year-old Jared Ilovar’s Chevy Cobalt on the evening of June 10th. An unidentified passerby noticed the tape (and Mr. Ilovar’s radar detector) and decided to help him- or herself to both.

The news from Ohio was depressingly similar to prior data leak mishaps. The misplaced storage device — magnetic tape, CD, DVD or laptop — is a stock character. Then there are the confused murmurings from the aggrieved organization about what data is and isn’t on the device, and whether it will be accessible to the thieves. (Ohio’s take on this was novel: the data’s probably safe because it was contained on a “specialized medium” that couldn’t be accessed without “knowledge” and “special equipment.” Translation: ‘The data’s in the clear.’) Then there’s the rube - in this case, poor Mr. Ilovar, a 22-year-old intern stuck with the job of lugging home a sensitive backup of information on hundreds of thousands of state residents. Such is the sorry state of data security in 2007.

One detail worth noting is the “rolling” nature of the bad news. After initially disclosing on June 15 that the backup device in question contained personal data on more than 64,000 state employees, Governor Ted Strickland was forced to correct himself not once, not twice, but three times, on June 16th, 17th and 20th, telling reporters that, in fact, the device contained information that hadn’t been properly accounted for previously, and that an additional 346,000 sensitive records were exposed. All this after Strickland said the state had reviewed 338,634 files to figure out what was on the tape. I guess those were the wrong 338,000 files?

So what’s going on? One conclusion is that the State of Ohio, like many organizations, doesn’t have a clue what kinds of sensitive data are on its network, nor does it know where that sensitive data resides. That puts the state in good company with leading departments of the federal government and a Who’s Who of U.S. corporations (WalMart, Boeing, Ford Motor Company), all of which have contributed to the approximately 155 million records lost or stolen in data breaches in the last two years, according to the Privacy Rights Clearinghouse’s Chronology of Data Breaches.

As with previous security threats — computer viruses, denial of service attacks, spam — security lemons have become lemonade for a cadre of new technology firms — in this case “anti data leakage” companies. To date, there are 42 of them, by our count, with names like Fidelis, Provilla, Code Green Networks, Vontu, Verdasys, Safend and Check Point - which bought Pointsec, which had bought Reflex Magnetics. Each, in its own way, promises to keep track of sensitive data, block it from leaving a company’s network, or at least to tell organizations when their sensitive data has gone AWOL.

What these companies don’t want you to know is that there’s very little consensus about where and how to actually stop data leaks. As an example, on a recent panel discussion I moderated, executives from no fewer than five “enterprise data protection” companies talked about their solutions to data leaks. Each had a different take on the problem. There was the enterprise storage encryption guy, the network access control guy, the desktop security guy, the traffic monitoring guy, and the data encryption guy. However, there was no easy way to join these products together, and only a couple had partnered with each other, meaning that companies that wanted to use these products would have to layer them on top of the other point security products they already had.
