How to avoid 5 common storage mishaps

Blindsided! These companies thought they had their stored data locked tight, but they were wrong. Here's how you can avoid a similar fate.

Think you can guess the No. 1 threat to the security of your stored data? If you said hackers, or even trouble-making insiders, you'd be wrong. While malicious threats are an ongoing concern, it's your well-meaning employees who are more likely to unknowingly expose your company's stored data through, say, a file-sharing network or a misplaced laptop.

In fact, a recent Ponemon Institute study found that negligent insiders are by far the biggest threat to data security, accounting for 78 percent of all breaches.

In this special report, you'll learn the latest techniques for protecting stored data within company walls as well as stored data that flows freely in and out of your organization on laptops, tapes and other movable media.

And don't forget to take the Storage Networking Industry Association's storage security self-assessment quiz and test how well your stored data is protected. Plus, brush up on storage terms with SNIA's online glossary and resource guide.

Data breaches, unfortunately, have become a way of life for the corporate world. According to the Identity Theft Resource Center (ITRC), 2008 saw a 47 percent increase in documented data breaches from the year before. And those are just the ones that made the news, says Craig Muller, an identity theft expert and founder of Identity Doctor. "I get e-mails constantly telling me of breaches," he says.

The public is definitely feeling the pain. In a 2008 study by the Ponemon Institute, over half (55 percent) of 1,795 adult respondents across the US said they'd been notified of two or more data breaches in the previous 24 months, and 8 percent said that they'd received four or more notifications.

But companies are still not sure how to protect themselves. In a Ponemon survey released last month, only 16 percent of the 577 security professionals who responded said that they were confident or very confident that current security practices could prevent the loss or theft of customer or employee data.

One way to gain confidence is to examine actual breaches and learn from them. Here's a look at five common types of breaches, with advice about how to avoid similar mishaps.

1. Stolen Equipment

In May 2006, personal data on 26.5 million veterans was compromised when a laptop and a storage disk were stolen from the home of a subcontractor working for the US Department of Veterans Affairs. Both items were recovered, and arrests were made. The FBI claimed that no data had been stolen, but the incident prompted sweeping reform at the VA. However, in January 2007, another breach occurred when a laptop was stolen from an Alabama medical facility, exposing personal data on 535,000 veterans and more than 1.3 million physicians.

Costs: By June 2006, the VA was burning through US$200,000 a day to operate a call center to answer questions about the breach. It also spent US$1 million to print and mail notification letters. It was given permission to reallocate up to US$25 million to pay for those costs. Class-action lawsuits were also filed, including one demanding US$1,000 in damages for each person affected. After the 2007 breach, the VA set aside an additional US$20 million for breach-related costs. And the department recently agreed to pay US$20 million to current and former military personnel to settle a class-action lawsuit.

Page Break

Blinders: Lost or stolen equipment accounts for the largest portion of breaches -- about 20 percent in 2008, says the ITRC. According to Bart Lazar, a partner in the Chicago office of law firm Seyfarth Shaw, incidents involving lost or stolen laptops make up the majority of data-breach cases he works on.

Eye-openers: Lazar recommends restricting the placement of personal identifying information on laptops. For instance, don't tie customer or employee names to other identifiers, such as Social Security or credit card numbers; alternatively, you can truncate those numbers. Also, consider creating your own unique identifiers by, for example, combining letters from an individual's last name with the last four digits of his Social Security number.

Second, require personal information on laptops to be encrypted, despite the potential cost (US$50 to $100 per laptop) and performance hit that involves, says Lazar. This needs to be accompanied by consciousness-raising, says Blair Semple, storage security evangelist at NetApp and vice chairman at the Storage Networking Industry Association's Storage Security Industry Forum. "I've seen situations where people had the capability to encrypt but didn't," he says. "Scrambling the bits is the easy part; it's the management and deployment that's hard."

Third, Lazar recommends policies requiring very strong passwords to protect data on stolen devices.

2. Insider Theft

In November 2007, a senior database administrator at Certegy Check Services, a subsidiary of Fidelity National Information Services, used his privileged access to steal records belonging to more than 8.5 million customers. He then sold the data to a broker for US$500,000, and the broker resold it to direct marketers. The employee was sentenced to over four years in jail and fined US$3.2 million. According to company officials, no identity theft occurred, although affected consumers received marketing solicitations from the companies that bought the data.

In another high-profile case, a 10-year veteran scientist at DuPont downloaded trade secrets valued at US$400 million before leaving the company in late 2005 to join a competitor in Asia. According to court records, he used his privileged access to download about 22,000 document abstracts and view about 16,700 full-text PDF files. The documents covered most of DuPont's major product lines, including some emerging technologies. The scientist did this while in discussions with the competitor and for two months after accepting the job. He was sentenced to 18 months in federal prison, fined US$30,000 and ordered to pay US$14,500 in restitution.

Costs: In DuPont's case, the estimated value of the trade secrets was more than US$400 million, although the government pegged the company's loss at about US$180,500 in out-of-pocket expenses. There was no evidence that the confidential information was transferred to the competitor, which cooperated in the case.

According to Semple, theft of customer information is nearly always more costly than theft of intellectual property. In Certegy's case, a 2008 settlement provided compensation of up to $20,000 for certain unreimbursed identity theft losses for all class-action plaintiffs whose personal or financial information was stolen.

Page Break

Blinders: Nearly 16 percent of documented breaches in 2008 were attributed to insiders, says the ITRC; that's double the rate of the year before. One reason for this increase is that employees are being recruited by outsiders with ties to crime -- a trend that accounts for half the insider crimes committed between 1996 and 2007, according to the CERT Coordination Center at Carnegie Mellon University.

Insiders commit crimes for two reasons, CERT says: financial gain (as in the Certegy case) and business advantage (as in the DuPont case). In the latter, criminal activities usually start when the employee resigns, CERT says, but the thefts typically occur after they depart, having left secret access paths to the data they want.

Insider threats are among the hardest to manage, Semple says, especially when the workers use privileged access.

Eye-openers: A good precaution is to monitor database and network access for unusual activity and set thresholds representing acceptable use for different users, CERT says. That makes it easier to detect when an employee with a particular job designation does something beyond his normal duties. For instance, DuPont discovered the illegal activity because of the scientist's unusually heavy usage of its electronic data library server.

If you suspect that a breach has occurred, CERT says it's important to act quickly in order to minimize the chance of information being disseminated and to give law enforcement agencies a chance to start investigating the case.

Companies should also implement role-based access-control tools to maintain a high level of accountability over who is accessing valuable assets, Lazar says. Databases containing customer or employee information should allow very limited access. "How many people, on a daily basis, need to review Social Security numbers and addresses without permission?" he says. "Personal information should be protected at the same level as trade secrets."

Muller recommends using data loss prevention tools to restrict personal data from being e-mailed, printed or copied onto laptops or external storage devices. Some of these tools provide alerts that inform administrators when someone tries to copy personal data and create a log file of such an event. "In a lot of cases, companies don't have proper audit trails in place," he says.

It's also important to strengthen internal controls and audit measures by, for example, implementing iterative checks on network and database activity logs, Semple says. It's not enough to keep detailed logs; you also need audit measures in place to see if anyone has modified a log or illegally accessed it. "Unless there's some way to verify the log information wasn't tampered with, it's hard to know it's of value," he says.

But in the end, technology isn't enough. "You need to find a way to ensure users you trust are worthy of that trust," Semple says.

Page Break

3. External Intrusion

In January 2007, retailer The TJX Companies reported that its customer transaction systems had been hacked. The intrusions -- which occurred between 2003 and December 2006 -- gave hackers access to 94 million customer accounts. Stolen information was found to have been used in an US$8 million gift-card scheme and in a counterfeit credit card scheme. In mid 2008, 11 people were indicted on charges related to the incident, which was the largest hacking and identity theft case the US Department of Justice has ever prosecuted.

Costs: TJX has estimated the cost of the breach at US$256 million. That includes the cost of fixing computer systems and dealing with litigation, investigations, fines and more. It also includes payments to Visa (US$41 million) and MasterCard (US$24 million) for losses they incurred. The Federal Trade Commission has mandated that the company undergo independent third-party security audits every other year for the next 20 years.

However, others expect that costs may rise to US$1 billion, which would include the costs of legal settlements and lost customers. According to an April 2008 Ponemon study, 31 percent of a company's customer base and revenue source terminates its relationship with an organization following a data breach. And in its recently released annual "Cost of a Data Breach" study, Ponemon found that breaches cost companies US$202 per compromised customer record last year, compared with US$197 in 2007. Costs associated with lost business opportunities represented the most significant component of the increase. The average cost of a data breach in 2008 was US$6.6 million, compared with US$6.3 million in 2007.

Blinders: According to a 2008 Ponemon study, data breaches by hackers rank a distant fifth in terms of security threats. Indeed, about 14 percent of documented breaches in 2008 involved hacking, according to the ITRC. That doesn't mean companies shouldn't be wary, however. In TJX's case, hackers infiltrated the system by "war driving" and hacking into the company's wireless network. TJX was using subpar encryption, and it had failed to install firewalls and data encryption on computers using the wireless network. This enabled the thieves to install software on the network to access older customer data stored on the system and intercept data streaming between handheld price-checking devices, cash registers and the store's computers.

Eye-openers: According to Muller, the WEP encryption that TJX used on its wireless network was insufficient -- weaker even than what many home users have. "If from the parking lot you can gain access to the database, you need a higher level of data security and data encryption," he says. TJX had also stored old account information instead of permanently deleting it, Muller says.

Page Break

4. Negligent Employees

The spouse of a telecommuting Pfizer employee installed unauthorized file-sharing software on the worker's company laptop, enabling outsiders to gain access to files containing the names, Social Security numbers, addresses and bonus information of about 17,000 current and former Pfizer employees. An investigation revealed that about 15,700 people had their data accessed and copied by people on a peer-to-peer network, and another 1,250 may have had their data exposed. Because the system was being used to access the Internet from outside of Pfizer's network, no other data was compromised.

Costs: Pfizer contracted for a "support and protection" package from a credit-reporting agency, which includes a year's worth of free credit-monitoring service for those affected and a US$25,000 insurance policy covering costs that individuals might incur as a result of the breach.

Blinders: Careless insiders -- not malicious ones -- are the No. 1 threat to data security, according to a recent Ponemon study, in which IT professionals said 88 percent of all breaches involved negligent insiders. "If there were more employee awareness about security, the number of breaches would come way down," Muller says. In Pfizer's case, the employee's spouse had configured the software so that other users of the file-sharing network could access files the spouse had stored on the laptop, but that gave people access to Pfizer files, too.

Combine negligent users and file-sharing software, and you've got a dangerous mix. Although most companies have outlawed P2P file sharing on their corporate networks, according to a 2007 study by Dartmouth College, many employees install it on their remote and home PCs. The study found, for example, that employees at 30 U.S. banks were sharing music and other files on peer-to-peer systems and inadvertently exposing bank account data to potential criminals on the network. Once business data is exposed, it can spread to dozens of computers around the world.

Eye-openers: First off, IT needs to either ban P2P software entirely or set policies for P2P usage and implement tools to enforce those policies. "[Pfizer] should have done a better audit of their systems to stop employees from loading any software," Muller says. "You can take away their admin rights so they can't install anything." Also important is training, he says, so users understand the dangers of P2P, what makes a good password and other standard security practices.

"There's a huge need for education so employees understand we're not trying to make things difficult but that bad things could happen," Semple notes. "It's having them understand, 'I can't do this, and here's why.' "

Page Break

5. Subcontractor Breaches

In November 2008, the Arizona Department of Economic Security had to notify families of about 40,000 children that their personal data may have been compromised following the theft of several hard drives from a commercial storage facility. The drives were password-protected but not encrypted. The agency says no information was used to commit fraud.

Costs: Subcontractor breaches are more costly than internal incidents, averaging US$231 per record compared with US$171, according to Ponemon.

Blinders: According to Ponemon's annual cost study, breaches by outsourcers, contractors, consultants and business partners are on the rise, accounting for 44 percent of all cases reported by respondents last year. That's up from 40 percent in 2007. In the ITRC study, 10 percent of breaches were associated with subcontractors in 2008.

Eye-openers: Companies need to create service-level agreements that are airtight and specific, and then ensure that subcontractors are in compliance and penalize them if they aren't. In cases that involve the use of backup tapes or disks, Semple says, insist on encryption and password protection.