Want to prevent ID theft? Get back to basics

First it was a security breach that left ChoicePoint's treasure chest of personal information (145,000 accounts) vulnerable to prying eyes. Less than a fortnight later, Bank of America backup tapes containing data on 1.2 million accounts went missing. More recently, someone hacked into a confidential database containing as many as 32,000 records at Seisint, a company owned by LexisNexis.

Bad guys are targeting corporate databases because, obviously, that's where the money is. But the bigger concern is that many of these confidential "bet the business" databases (and other critical systems) still remain woefully insecure.

The Enterprise Strategy Group recently surveyed 229 U.S.-based security professionals from organizations with more than 1,000 employees. The majority of respondents (52 percent) came from organizations with more than $1 billion in annual revenue. Our goal was to get an objective metric of just how bad the internal security threat really is.

The results paint a frightening picture. For example, 23 percent of respondents reported their organization had suffered an internal security breach in the past 12 months, while 27 percent didn't know if it had or not. Note to self: Make sure the people you do business with know whether they've been hacked or not.

Regarding the damage caused by these internal security events, 40 percent of respondents said that an internal breach led to an interruption of a critical system or service, 38 percent indicated that an internal breach led to data corruption or loss, and 17 percent said that the internal breach led to the theft of intellectual property.

Are you ready to cut up your credit cards yet? It gets worse.

To understand the scope of the problem, we asked respondents to identify the types of network vulnerabilities they'd discovered in the past year. The list is too long to go through, but suffice it to say that a number of users reported many security no-no's, including active accounts for ex-employees, equipment configured with default passwords, rogue servers or devices, and unauthorized personnel with root (or administrator) access to critical systems.

Perhaps the most worrisome data point: 16 percent of respondents believed they had some of these network vulnerabilities, but hadn't taken the time to do an audit.

Finding an angle
This unacceptable situation is fueling a new type of zeal about data security. U.S. citizens are rightfully upset and demand action. Of course, politicians can't resist a passionate topic, so calls for new regulations can be heard all over. Security technology companies are licking their chops, hoping to turn privacy phobia and bad publicity into product sales. Everyone has an angle.

So here's the problem with all of this activity: The downside of security becoming more mainstream is that everyone has an agenda or opinion, and the default behavior is overt overreaction. Yes, something must be done, but it's important to get back to basics first.

Most bad guys aren't mad scientists looking for a technical challenge. A more accurate profile might be that of a con artist who scams country bumpkins and foreign tourists. Smart cybercriminals "case the joint," looking for the equivalent of open doors and windows.

Sometimes these doors and windows are technology-based. At LexisNexis, for example, the hackers got into the system by stealing passwords from legitimate users. This is the technical equivalent of buying liquor with your older brother's ID. With Bank of America, a box of tapes was stolen from the cargo bay of a commercial airplane. See the pattern?

Before anyone panics, the logical first step in any security process is an audit. No sexy technology here, just smart security professionals looking for weaknesses in every component of a technology system and every step of a process.

Take the aforementioned list of network vulnerabilities, for example. If the customer database server is configured with a default password and contains active user accounts of terminated employees, it's a sitting duck. Companies need to take the time to discover these types of vulnerabilities, rank and order them by priority and fix the riskiest ones first. It is truly as simple as that.

The other elementary security action item is user training. Employees need to know how to recognize and report threats, not act as a patsy. If I want to break into the payroll system, the easiest way to proceed is simply to ask someone in finance for their password. With a bit of "social engineering"--that is, flim-flam--you'd be surprised how many people will volunteer confidential information. Only 25 percent of companies provide employees with security training; I'd say this is a fundamental problem.

I'm not dismissing regulations and security technology. These are important steps to safeguard privacy and protect against identity theft. But we need to address this problem with good old-fashioned common sense rather than panic.

In life, you decrease personal risks with simple prevention techniques like locking doors or staying away from dark alleys. Before we sound the security alarms, we ought to do the same thing in our work environments.