Price tag shock syndrome hits security managers

Security managers suffer 'price tag shock' when attempting to implement more stringent measures to protect sensitive information, according to distinguished Gartner analyst Avivah Litan.

Speaking at the company's IT security summit in Sydney yesterday, Litan said a company with at least 100,000 accounts to protect can spend, in the first year, as little as $8 per customer account just on data encryption. Or, the organization may spend as much as $20 per customer account for data encryption, host-based intrusion prevention and strong security audits.

"This compares with an expenditure of at least $120 per customer account when data is compromised or exposed during a breach," she said.

Encrypting stored data can provide the most robust data protection, Litan said, but if that is not feasible due to cost and complexity, organizations should deploy comprehensive, host-based intrusion prevention systems (HIPS).

However, Litan said successful deployment of HIPS requires strong server configuration control and additional administrative cost and complexity.

"Another option is a strong security audit to validate the organization's deployment of satisfactory mitigating controls, reducing the need for data encryption or HIPS," she said.

"None of these options is mutually exclusive, but implementing all three will still be less expensive than having to respond to a large-scale data breach."

Litan's presentation comes at a time when scammers have found a way around new, token-based authentication systems, which are typically used by banks.

Over the past few weeks, about 35 phishing Web sites have been set up that use the new attack mode. They attempt to trick users into divulging the temporary passwords created by the security token devices banks such as Citigroup use, according to Rich Miller, an analyst with Internet research company Netcraft.

Phishers have only recently begun looking for ways around token authentication, using what is known as a "man-in-the-middle" attack.

Token devices are used to create a temporary second password for online banking customers.

Under an ongoing attack against Citibank customers, phishers have set up a fake Web site where victims are tricked into entering their passwords.

The fake site instantly forwards the password information to Citibank's real Web site, allowing the criminals to sign on before the victim.

With a total of 35 such phishing sites now spotted, it seems that the attack is becoming widespread, Miller said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about CitigroupCitigroupGartnerNetcraft

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Sandra Rossi

Latest Videos

More videos

Blog Posts