Software // Enterprise Applications
11:32 AM
Connect Directly

Breach Of Trust

Data breaches are a constant threat and put companies in danger of losing their most valuable asset: customer trust

Yet new software vulnerabilities surfaced at a rate of more than seven per day last year, for a total of 2,636 documented vulnerabilities, according to Internet security vendor Symantec Corp. What's more, Symantec's Internet Security Threat Report, published in March, says software vulnerabilities are getting easier to exploit, and hackers are attacking them more quickly.

To slow the rising threat of customer-data breaches, companies must become more diligent about security basics: Lock down networks with firewalls and application-security and intrusion-detection systems, and patch newfound vulnerabilities before hackers develop exploits. Sloppy business practices, such as cramming hard drives and notebooks with unencrypted customer data, could be prevented through updated, stringently enforced security policies.


Internet-based customer transactions and electronic storage of customer data provide speed and efficiency but also create opportunities for criminals

Reports of computer thefts and hacking incidents that expose customers' personal data and leave them vulnerable to fraud and identify theft are on the rise

Business-technology managers can turn to a number of security technologies that provide safeguards, such as data encryption and intrusion-prevention systems

Companies need to review and stringently enforce policies for customer-data security

To help thwart hackers who attack application vulnerabilities before companies have had time to patch them or to protect against the possibility of a "zero-day" vulnerability--a flaw hackers discover before a software vendor knows about it and can issue a patch--some businesses install application firewalls and intrusion-prevention systems from companies such as Kavado, NetContinuum, Network Associates, Sanctum, Teros, and TippingPoint Technologies.

Another threat comes from viruses and worms specifically designed to steal financial or personal information. Many virus writers are no longer satisfied with ego boosts from causing problems with malicious code--they want to make money. For example, a version of the BugBear virus surfaced last June that targeted about 1,200 financial institutions around the globe. When the virus penetrated a bank, it attempted to install a backdoor to allow intruders access. BugBear reportedly infected hundreds of thousands of systems.

Symantec's most recent Internet Security Threat Report says that in the second half of 2003, it was alerted to three times as many serious viruses and worms that threatened privacy and confidentiality--the number rose an alarming 519%--since the previous report.

While viruses are difficult and worrisome, security breaches that involve computer, hard-drive, and notebook thefts also are common. Data encryption might sound like an easy answer, but it's controversial, even among information-security professionals. "Encryption can greatly hinder system performance, and it's not always necessary if other security controls are in place," says one security executive at a financial-services firm, who asked not to be named.

John Pescatore, research director at research firm Gartner, says resistance to encryption is common. There are many problems associated with encrypting stored data, including managing encryption keys so that they're easily accessible to those who need them without putting the systems at a security risk. And if encryption slows performance by making the retrieving and managing of encrypted information more difficult, companies won't endear themselves to customers.

Encryption vendors Decru, Ingrian, NeoScale, and Vormetric are making some progress working around these problems. Provident Funding Associates LP installed Ingrian Networks Inc.'s DataSecure Platform, which encrypts and protects data while it rests in storage; when it's in transit between servers, databases, and storage devices; and while it's processed by applications and databases. DataSecure Platform helps boost encryption speed by off-loading computing-intensive cryptographic functions, says Tom Rabaut, systems administrator for Provident Funding. "It's really difficult to implement security that doesn't hinder the speed at which companies move," he says.

Even the best electronic security isn't a guarantee. Thieves still can rummage through a company's or individual's trash, trick customer-service representatives to turn over passwords, and bribe (or blackmail) employees to get the information they seek. And sometimes the threat exists on the inside of a company's firewall. In November 2002, federal agents arrested Philip Cummings, who once worked on the IT help-desk staff at Teledata Communications Inc., for allegedly using his insider knowledge to garner access codes that companies used to run credit reports. Federal authorities claim that Cummings stole credit information on more than 30,000 people, resulting in more than $2.7 million in losses. He has been indicted on more than 20 counts of fraud conspiracy in connection with the scheme.

2 of 4
Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government Tech Digest Oct. 27, 2014
To meet obligations -- and avoid accusations of cover-up and incompetence -- federal agencies must get serious about digitizing records.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and community news at
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.