How to Spend Your Data Protection Dollars
I was speaking last week on a panel of CISOs when someone asked me the very reasonable question, “What’s the most important thing we should do to protect our data?” What the audience member really wanted to know was this: given that he had no budget, and a state mandate impressing on him the need to protect PII (personally identifiable information), what is the minimum he could do to comply with the regulations?
Of course, as an individual who has had his identity compromised more than once in the last 12 months, I was righteously outraged. “You should do EVERYTHING possible to protect my data” was the answer I wanted to give; stuff-and-nonsense to shareholder value, dividends-be-damned, etc. Obviously, as an individual you don’t want your PII compromised to anyone under any circumstances, and we put a high value on that, but commercially there has to be a risk vs. reward equation, something my esteemed colleague George Kurtz can comment further on.
To help decide where to spend that zero budget, though, it might be interesting to see what kinds of incidents are being reported. Using the excellent DataLossDB.org site and some funky Excel, for 2008 we can see that the top breach types leading to published PII disclosures, ranked by the number of people affected, are:
- Lost Tape: 13,185,751
- Hack: 11,253,695
- Lost Media: 11,108,588
- Stolen Tape: 4,396,396
- Fraud: 2,291,941
- Stolen Laptop: 1,909,402
- Stolen Drive: 1,086,938
- Stolen Computer: 1,051,736
- Drive Disposal: 1,000,000
In terms of the absolute number of reported incidents, the list looks a little different:
- Hack: 50
- Stolen Laptop: 48
- Web: 33
- Stolen Computer: 16
- Lost Document: 13
- Snail Mail: 10
- Lost Drive: 10
- Lost Media: 10
- Fraud: 9
So, if your aim is to keep your name out of the press, the latter table (number of incidents reported) is probably the most appropriate. If you’re serious about not losing customer PII, the former.
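As an added example (not part of the original post), the script below reproduces the two rankings compared above from a handful of constructed DataLossDB-style records. The record layout is an assumption, and records whose affected count was never reported are tracked separately, since they raise a breach type in the incident-count ranking without contributing anything to the people-affected one.

```python
from collections import defaultdict

# Constructed sample records in the spirit of a DataLossDB export:
# (breach type, people affected, or None when the count was not reported).
SAMPLE_INCIDENTS = [
    ("Lost Tape", 13_000_000),
    ("Hack", 9_000_000),
    ("Hack", 2_000_000),
    ("Hack", None),
    ("Hack", 250_000),
    ("Stolen Laptop", 1_500_000),
    ("Stolen Laptop", 400_000),
    ("Stolen Laptop", None),
    ("Web", 30_000),
    ("Web", None),
    ("Web", 3_000),
]


def aggregate(incidents):
    """Group by breach type: {type: (incident_count, people_affected, unknown_count)}."""
    stats = defaultdict(lambda: [0, 0, 0])
    for kind, affected in incidents:
        stats[kind][0] += 1
        if affected is None:
            stats[kind][2] += 1          # counted as an incident, but adds nothing to the total
        else:
            stats[kind][1] += affected
    return {kind: tuple(values) for kind, values in stats.items()}


def rank_by_people_affected(incidents):
    """Breach types ordered by total people affected (ties broken by incident count)."""
    stats = aggregate(incidents)
    return sorted(stats, key=lambda k: (stats[k][1], stats[k][0]), reverse=True)


def rank_by_incident_count(incidents):
    """Breach types ordered by number of incidents (ties broken by people affected)."""
    stats = aggregate(incidents)
    return sorted(stats, key=lambda k: (stats[k][0], stats[k][1]), reverse=True)


if __name__ == "__main__":
    print("by people affected:", rank_by_people_affected(SAMPLE_INCIDENTS))
    print("by incident count: ", rank_by_incident_count(SAMPLE_INCIDENTS))
```

With the constructed sample, a single lost tape tops the people-affected ranking while sitting last by incident count, which is exactly the divergence the two tables above show.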
So, my advice is to consider the above. If you ship tapes around and handle a lot of people’s PII, securing those tapes while in transit is an obvious place to start: don’t just use your local courier company, use someone who specializes in moving high-value items about. Make sure you have patched, up-to-date AV, HIPS, spyware protection, etc., and perhaps consider the services of someone like McAfee Foundstone to do a proper audit of your environment. Consider implementing a DLP (Data Loss Prevention)/Data in Motion encryption solution, so that even if your environment is compromised, access to the data doesn’t necessarily mean the hacker got anything useful. Finally, take a look at the McAfee/Reconnex appliances, which will give you visibility of all your sensitive data as it moves around your network and, of course, as it moves out into the cloud.