Theft of information and improper access to information can result in loss of intellectual property, compromised customer privacy, loss of company reputation, and exposure to regulatory violations.
It is important to remember that electronic information is vulnerable to theft by intruders as well as insiders, whose motivations may include industrial espionage, extortion, organized crime, vandalism, revenge, or bragging rights.
The risks are high. In 2005, information theft ranked in the top four causes of reported financial losses in the United States alone, according to the 2006 CSI/FBI survey: 41% of companies in the survey reported incidents of information theft or improper information access.
Data is vulnerable to theft whether at rest, in transit, or being processed:
- To steal data at rest, attackers can copy it onto removable media, transmit it to other insecure devices, or compromise host systems and penetrate them when they are most vulnerable.
- To steal data in transit, intruders can use "man-in-the-middle" tools to intercept sensitive information such as passwords, customer credit-card information, or voice conversations.
- To steal data being processed, attackers can use spyware installed surreptitiously on the desktop to collect information as it is entered.
Protect Your Information
The first step is to identify the risk associated with different types of information you intend to protect. The next step is to define and implement a security policy that includes administrative, physical, and technical controls, and that is mapped appropriately to those risk classes.
Because of the variety of exploits used to steal information, there is no single prevention solution, nor a single point to protect. Rather, organizations need a multilayered strategy to protect information at all times, keeping in mind that the "perimeter" is only one point of vulnerability.
Develop a Risk Management Strategy
When developing or refining their IT risk management strategy, IT groups should focus in particular on the following three security enforcement points:
Internet Use Protection
- Protect resources from the spread and execution of viruses, worms, and Trojans.
- Verify user credentials and system security posture.
- Control user access to specific applications or other system resources.
- Prevent the introduction of threats to the infrastructure from trusted computers by enforcing endpoint security policies.
Attack and Intrusion Protection
- Control access to servers and applications containing sensitive information.
- Assure that application and user data transmissions conform to application access rules and protocols.
- Monitor transmissions for end system vulnerability exploitation attempts.
- Prevent intrusions to servers, databases, and applications.
Remote Access
- Control access to corporate assets from remote users, branch sites, partners, and contractors.
- Assure that a VPN with strong authentication and encryption is used to verify credentials and protect transmissions.
- Limit access to trusted users and devices connecting from trusted sites, making sure that unauthorized users cannot obtain improper access over the gateway VPN.
Special Considerations
Companies must take special protection precautions in three instances: wireless networks, storage-area networks, and IP telephony.
- Wireless Networks: Protect against unauthorized access, intruders, and network attacks. Failure to deploy both WPA and WPA2 security protocols on all enterprise-class WLANs puts both wired and wireless networks at risk.
- Storage-area Networks: Implement both management access controls and server and storage-array access controls; limit SAN access to trusted devices; and encrypt data in transit to preserve its integrity and confidentiality.
- IP Telephony: Prevent conversation snooping, disclosure of the internal IP addresses of IP phones or servers, and theft of IP phone passwords.