Four key vulnerabilities of data security

Why do businesses fall victim to attacks on their customer data and IP by trusted insiders and/or criminal hackers? This article analyzes four key vulnerabilities of business data.

Data loss threat modeling

There is currently no commonly accepted, standard, vendor-neutral methodology or set of security metrics for quantifying and valuing the potential impact of internal threats and vulnerabilities and for generating a financial justification for an extrusion prevention/data leakage prevention system. This is a symptom of a much larger problem in the computer security industry as a whole, which relies on fear, uncertainty and doubt to sell security products.

Introduction to data loss prevention

Published in Extrusion Part 1: Trusted Digital Insider Theft MARCH, 2004 (COMPUTERWORLD)

Trusted insider theft continues to lead as the number one source of economic loss due to computer crime. Even organizations that have deployed a wide range of security technologies fall victim to significant losses. ...the percentage of incidents that are reported to law enforcement agencies remains low. ...attackers may reasonably infer that the odds against their being caught and prosecuted remain strongly in their favor.

CSI/FBI 2003 Computer Crime and Security Survey

Extrusion Prevention (Hebrew) - Part 3

The Hebrew-language version of the Introduction to Extrusion Prevention - Part III - The role of the regulator.

Data Security and compliance

Regulation drives business into taking action. Is regulation more than just a trigger to management action? Data security requires both management and technology controls. The trigger to implementation often lies in government regulation. This article examines the relevance of regulation in the US and in Europe.

Extrusion Prevention (Hebrew) - Part 1

The Hebrew-language version of Extrusion Prevention - Part 1 - Introduction to Data Leakage.

Extrusion Prevention (Hebrew) - Part 2

The Hebrew-language version of Extrusion Prevention - Part 2 - How do you deal with trusted insiders and Data Leakage Threats?

Data loss prevention shoppers guide

Published in Extrusion: The story of 'trusted' digital insider theft OCTOBER 28, 2004 (COMPUTERWORLD)

The essence of effective security countermeasures is "To be able to do something before it exists, to sense before it becomes active and see before it sprouts." The Book of Balance and Harmony (Chung-ho chi).

This article discusses the threats that drive the business makers to buy and the industry players that provide the solutions. The shoppers guide will hopefully help you choose the solution that best fits your business and your threat profile.

Data security - 10 common mistakes

Take a leadership role in the board room instead of waiting for vendor proposals in your office. Learn how to make that happen at our online workshops on data security starting this Thursday, September 17, 2009, 10:00 EST, 14:00 GMT, 16:00 CEST, 17:00 IST, 18:00 MT.

Novel phishing attack on personal information

The IRS is not the only one after your money. A new e-mail phishing scam poses as a message from the U.S. Internal Revenue Service (IRS) and notifies recipients of a refund waiting for them at the IRS website. According to Sophos security, this scam exploits the vulnerable security configuration of a secondary government website. A link provided in the deceptive e-mail redirects surfers to a legitimate-looking website where any personal information entered, such as credit card details and social security numbers, will be completely exposed. For the full report, see The Register.

Data Leakage Prevention Check List

Conventional security systems take an indirect approach by focusing on controlling user behavior through access control and authentication. This indirect method places a heavy burden on security staff and does not scale well in today's large, global service operations. Unlike indirect methods that focus on preventing unwanted users from getting in, a direct approach of protecting the data helps prevent breach of confidentiality and integrity of valuable digital assets.

Protecting data on laptops

Not USB, not email: mobile computers are the main vulnerability for customer data and IP.
We've been tracking trends since 2005, when almost half of all identity data breaches were due to stolen hardware (notebooks or backup media). The situation has not improved since then, and one of our Far East clients reports that their field service engineers lose at least one notebook a month.

Paris Hilton T-Mobile hack boosts sales

Data loss prevention is not just about trusted insiders blowing the whistle on their employer or stealing valuable chip design documents. A data loss event is any unauthorized network transfer of sensitive information, such as Paris Hilton's T-Mobile Sidekick cell phone address book. SQL injection has turned out to play a central role in the extrusion of Hilton's T-Mobile Sidekick account, which resulted in her star-studded address book, photos, e-mail messages, and voice mail being posted for public consumption on the Internet. SQL injection enabled a password reset, a hole that is just one of hundreds, or even thousands, of similar SQL injection flaws in the mobile provider's Web site that could provide easy access to hackers and a wide-open door for future customer record extrusion exploits. Despite the vulnerabilities in T-Mobile's Web site, the company is not complaining, verifying the old saying that bad publicity is better than no publicity: T-Mobile Sidekicks are flying off the shelves.

Why is data security like Candy?

"Corporate networks are like candy bars: hard on the outside, soft and chewy on the inside," says Rich Mogull, a security analyst at Gartner Research. After billions have been spent on defenses against the external threats of viruses and hackers, internal security is now taking off after years of neglect, following a series of well-publicized data leakage events over the past 4 years and increasing pressure for compliance from laws like Sarbanes-Oxley and GLBA. Gartner's lead analyst Rich Mogull and others say that 2008 is the year of data leakage prevention technology, and no one wants to make headlines for extrusion of sensitive data. You may be required by law to disclose a data leakage event, but it certainly isn't something you're proud of. In many cases, the attitude of company management is that the fewer eyeballs looking at the problem, the better off they are.

- Sep '04 - An employee of credit-software company Teledata pleads guilty to federal fraud charges of stealing the financial identities of over 30,000 people.
- June '04 - AOL: An employee was arrested for allegedly stealing 92 million screen names and selling them.
- Feb '04 - 4.5 million subscriber names, phone numbers, postal addresses, email addresses and Yahoo Japan IDs were leaked from Softbank Corp., the largest provider of broadband access in Japan. Tokyo police arrested four insiders suspected of stealing the confidential data and demanding a payment from Softbank to avoid it being leaked. Softbank's CEO Masayoshi Son accepted responsibility, apologized and took a 50% salary cut for 6 months.

Attaining PCI DSS certification - an introduction

I was talking with a colleague in the UK a few weeks ago, discussing UK trends in information security. He reflected that many UK firms are slow to adopt IPS (Intrusion Prevention Systems) and that SOX projects are dominated by the big accounting firms, leaving little space for smaller consultants. However, he mentioned that PCI compliance is increasingly a must-have for his UK and EU clients. This article discusses how to comply with PCI DSS 1.1 and how to sustain consistent ongoing enforcement using extrusion detection technologies.

Data security - practical ways of building the business case

How to justify information security spending. Not so long ago, it was possible to sell information security technology with FUD (fear, uncertainty and doubt). Are FUD and ROI dead for information security justifications? This opinion piece was published by Danny Lieberman in Computer World Online, March 17, 2005.
