Identity theft: What have we learned?

Short memories or complacency? ask Ray Binnion, non-Executive Chairman, Defend-IT Limited and James Colby, Vice President Marketing, Insightix.

Every time a major data security breach comes to light or a successful prosecution is brought against the perpetrators of identity theft, the press deluges us with stories about piggybacking, sniffing, evil twins and theories about shady international crime organisations. But the stories about people snooping on unsecured wireless networks are not new. In a technological world where two years seems like a lifetime, exposés about wardriving can be found from the beginning of the decade. If we look back at the past few years, innovation by the IT security industry, advancements in governmental and industry regulation and investment in enterprise security infrastructure have continued unabated. But still, data security - or the lack of it - seems to be headline news.

So what conclusions should we draw? Yes, after several years of publicity, vast swathes of the business world still do not have adequate security to protect their networks and confidential information. However, the responsible majority of companies - certainly those in the retail and financial sectors - now have policies that secure their operations. The problem is often that these policies can be too difficult to enforce, and the failures appear as these regular stories in the press. Although wardriving and accessing corporate networks via unsecured wireless access points have captured the public's imagination, this is just part of the network security jigsaw puzzle. Insight into the world's largest credit card data theft, from the TJX group, owners of TK Maxx, revealed that, although the initial security breach took place via a secured wireless access point - albeit one with outdated, hackable WEP technology - other factors and vulnerabilities in the company were also exploited.

So the real story is the same old story: security breaches often have a "human dimension" to them. Vulnerabilities stem from ill-conceived security plans, a failure to adhere to security policies or a lack of employee common sense, or a business can simply fall prey to a good old-fashioned "inside job".

If one looks for security similes between the physical and information technology worlds, a significant proportion of vulnerabilities stem from poor employee judgment. The executive connected an unsecured wireless access point to the LAN port in his office to improve his productivity. Would he have acted differently had he appreciated that connecting his personal WAP to the corporate network was like leaving the building unlocked every night? The store manager who had her laptop containing customer data stolen from her car would probably consider taking the day's cash takings home with her an irresponsible act. Security exposure often stems from the fact that people do not appreciate that their acts result in risk exposure: they have a different perspective about IT security compared to physical security.

So what can a business do to completely secure its operations? Is it enough if best practices have been studied, policies implemented and a multi-tiered set of security technologies deployed? The realistic answer is "no". Humans - employees - represent the weak chink in a business' armour. Unless there is a fundamental and rapid change in perspectives about security (and let's face it, this is unlikely), employees' behaviour will continue to be a critical source of vulnerabilities for the foreseeable future.

So even with the best laid defences in place, businesses still need to be ready for the inevitable security breach or employee actions that expose the operation to risk, whether those actions are inadvertent or not. Fortunately, tools exist that help organisations remain vigilant to changes in the network, tools that can alert administrators to the presence of unauthorised devices and even safeguard against the connection of rogue elements that contravene security policies.

With the advantage of real-time network visibility solutions, network security managers can react instantly to threats as they occur. Security breaches caused by connecting an unapproved wireless access point to the LAN can be identified and dealt with before any wardriver has the chance to exploit it. Prior to the availability of real-time visibility tools, network managers were oblivious to the holes in their defences and the ramifications were made clear to all by the world's media. Network visibility tools are the IT world's equivalent of a team of security guards constantly patrolling to ensure that all doors are securely bolted.
