DIGITAL INFORMATION SECURITY
Our society has spent hundreds of billions of dollars over the last
few decades converting data and images into digital form, and the
spending has only accelerated in the last 10 years as the Internet and
other computer technologies have grown in popularity. By now, anything
of the least importance is available in digital form, or will be if it
isn't already.
Gone are the days of cancelled checks, since most banks now scan and
store them as digital images. Gone, too, are most paper bank
statements, which have increasingly been replaced by electronic
statements that are accepted just as paper ones are.
On June 30, 2000, President Bill Clinton signed the Electronic
Signatures in Global and National Commerce Act (the e-signature bill)
into law. The act recognizes online "electronic" signatures as legally
valid for completing agreements and commercial transactions. Many
similar developments have followed since.
Today's digital information is the backbone of a digital economy on
which hundreds of billions of dollars are spent worldwide every year.
The command and control centers of the United States armed forces
would fall apart if mission-critical digital information were
unavailable or compromised. Corporations and organizations worldwide,
large and small, would cease to function if their digital information
were taken away.
But how secure is our digital information? Is it protected from
natural disasters, computer hackers and human error?
The answer is a resounding "no." Almost everyone knows someone who has
lost data on a personal computer (PC) to a virus, a hacker, a hardware
failure, an Internet-related fault or identity theft.
So what about the organizations we trust to store our most intimate
information digitally? You would think they at least would have the
resources to protect it. Think again. Below are just some of the
breaches that occurred between February 15 and September 19, 2005,
according to the Privacy Rights Clearinghouse in San Diego,
California.
Date | Organization | Type of Breach | Number of Records
15-Feb-05 | ChoicePoint | ID thieves accessed | 145,000
25-Feb-05 | Bank of America | Lost backup tape | 1,200,000
25-Feb-05 | PayMaxx | Exposed online | 25,000
8-Mar-05 | DSW/Retail Ventures | Hacking | 100,000
10-Mar-05 | LexisNexis | Passwords compromised | 32,000
11-Mar-05 | Univ. of CA, Berkeley | Stolen laptop | 98,400
11-Mar-05 | Boston College | Hacking | 120,000
12-Mar-05 | NV Dept. of Motor Vehicles | Stolen computer | 8,900
20-Mar-05 | Northwestern Univ. | Hacking | 21,000
20-Mar-05 | Univ. of NV, Las Vegas | Hacking | 5,000
22-Mar-05 | Calif. State Univ., Chico | Hacking | 59,000
23-Mar-05 | Univ. of CA, San Francisco | Hacking | 7,000
28-Mar-05 | Univ. of Chicago Hospital | Dishonest insider | unknown
?-Apr-05 | Georgia DMV | Dishonest insider | 100s of 1000s
5-Apr-05 | MCI | Stolen laptop | 16,500
8-Apr-05 | Eastern National | Hacker | 15,000
8-Apr-05 | San Jose Med. Group | Stolen computer | 185,000
11-Apr-05 | Tufts University | Hacking | 106,000
12-Apr-05 | LexisNexis | Passwords compromised | 280,000
14-Apr-05 | Polo Ralph Lauren/HSBC | Hacking | 180,000
14-Apr-05 | Calif. Fastrack | Dishonest insider | 4,500
15-Apr-05 | CA Dept. of Health Services | Stolen laptop | 21,600
18-Apr-05 | DSW/Retail Ventures | Hacking | 1,300,000
20-Apr-05 | Ameritrade | Lost backup tape | 200,000
21-Apr-05 | Carnegie Mellon Univ. | Hacking | 19,000
26-Apr-05 | Mich. State Univ.'s Wharton Center | Hacking | 40,000
26-Apr-05 | Christus St. Joseph's Hospital | Stolen computer | 19,000
28-Apr-05 | Georgia Southern Univ. | Hacking | 10s of 1000s
28-Apr-05 | Wachovia, Bank of America, PNC Financial Services Group and Commerce Bancorp | Dishonest insiders | 676,000
29-Apr-05 | Oklahoma State Univ. | Missing laptop | 37,000
2-May-05 | Time Warner | Lost backup tapes | 600,000
4-May-05 | CO Health Dept. | Stolen laptop | 1,600 (families)
5-May-05 | Purdue Univ. | Hacking | 11,360
7-May-05 | Dept. of Justice | Stolen laptop | 80,000
11-May-05 | Stanford Univ. | Hacking | 9,900
12-May-05 | Hinsdale Central High School | Hacking | 2,400
16-May-05 | Westborough Bank | Dishonest insider | 750
18-May-05 | Jackson Comm. College, Michigan | Hacking | 8,000
18-May-05 | Univ. of Iowa | Hacking | 30,000
19-May-05 | Valdosta State Univ., GA | Hacking | 40,000
20-May-05 | Purdue Univ. | Hacking | 11,000
26-May-05 | Duke Univ. | Hacking | 5,500
27-May-05 | Cleveland State Univ. | Stolen laptop | 44,420
28-May-05 | Merlin Data Services | Bogus acct. set up | 9,000
30-May-05 | Motorola | Computers stolen | unknown
6-Jun-05 | CitiFinancial | Lost backup tapes | 3,900,000
10-Jun-05 | Fed. Deposit Insurance Corp. (FDIC) | Not disclosed | 6,000
16-Jun-05 | CardSystems | Hacking | 40,000,000
17-Jun-05 | Kent State Univ. | Stolen laptop | 1,400
18-Jun-05 | Univ. of Hawaii | Dishonest insider | 150,000
22-Jun-05 | Eastman Kodak | Stolen laptop | 5,800
22-Jun-05 | East Carolina Univ. | Hacking | 250
25-Jun-05 | Univ. of CT (UCONN) | Hacking | 72,000
28-Jun-05 | Lucas Cty. Children Services (OH) | Exposed by email | 900
29-Jun-05 | Bank of America | Stolen laptop | 18,000
30-Jun-05 | Ohio State Univ. Med. Ctr. | Stolen laptop | 15,000
1-Jul-05 | Univ. of CA, San Diego | Hacking | 3,300
6-Jul-05 | City National Bank | Lost backup tapes | unknown
7-Jul-05 | Mich. State Univ. | Hacking | 27,000
19-Jul-05 | Univ. of Southern Calif. (USC) | Hacking | 270,000 possibly accessed; "dozens" exposed
21-Jul-05 | Univ. of Colorado-Boulder | Hacking | 42,000
30-Jul-05 | San Diego Co. Employees Retirement Assoc. | Hacking | 33,000
30-Jul-05 | Calif. State Univ., Dominguez Hills | Hacking | 9,613
31-Jul-05 | Cal Poly-Pomona | Hacking | 31,077
2-Aug-05 | Univ. of Colorado | Hacking | 36,000
9-Aug-05 | Sonoma State Univ. | Hacking | 61,709
10-Aug-05 | Univ. of North Texas | Hacking | 39,000
17-Aug-05 | Calif. State University, Stanislaus | Hacking | 900
19-Aug-05 | Univ. of Colorado | Hacking | 49,000
22-Aug-05 | Air Force | Hacking | 33,300
27-Aug-05 | Univ. of Florida, Health Sciences Center/ChartOne | Stolen laptop | 3,851
30-Aug-05 | J.P. Morgan, Dallas | Stolen laptop | unknown
30-Aug-05 | Calif. State University, Chancellor's Office | Hacking | 154
10-Sep-05 | Kent State Univ. | Stolen computers | 100,000
15-Sep-05 | Miami Univ. | Exposed online | 21,762
16-Sep-05 | ChoicePoint | ID thieves accessed; misuse of IDs & passwords (2nd notice, see 15-Feb-05 for 145,000) | 9,903
19-Sep-05 | Children's Health Council, San Jose CA | Stolen backup tape | 5,000 - 6,000
TOTAL | | | 50,721,749
To complicate matters further, many organizations are now required by
law to retain all of their digital information, including all e-mail,
for five or more years. The obvious burden falls on day-to-day
Information Technology (IT) operations, which must keep all of this
information secured and backed up while keeping vulnerabilities down
in an increasingly hostile environment.
Meanwhile, numerous laws have been enacted worldwide over the last
several years to hold corporations and organizations more accountable
for protecting the integrity of digital information. But as the table
above shows, these laws have so far had little effect.
Below are the key laws in the United States regarding the protection
of digital information:
US: The Sarbanes-Oxley Act (SOX)
Digital information implications: SOX mandates that organizations
ensure the accuracy of financial information and the reliability of
the systems that generate it. Section 404 of SOX requires management
to perform an assessment of internal controls over financial reporting
and to obtain attestation from external auditors on an annual basis.
IT systems are inextricably linked with financial reporting, and
information security is essential to the reliability of these systems.
Who's impacted: All companies publicly traded in the United States and
regulated by the Securities and Exchange Commission (SEC), including
US-based companies as well as international companies that have shares
traded on a US exchange.

US: Gramm-Leach-Bliley (GLB)
Digital information implications: GLB includes provisions requiring
administrative, physical and technical safeguards to protect the
security, confidentiality and integrity of consumer financial
information.
Who's impacted: Financial institutions in the US, such as banks,
securities firms, insurance companies and other companies selling
financial products.

US: Health Insurance Portability and Accountability Act (HIPAA)
Digital information implications: Two rules in particular affect
information security:
· The HIPAA Privacy Rule covers privacy rights, including uses and
disclosures of Protected Health Information (PHI);
· The HIPAA Security Rule requires covered entities to ensure the
confidentiality, integrity and availability of all electronic PHI and
to protect it against any reasonably anticipated threats, hazards,
uses or disclosures.
Who's impacted: All healthcare providers, payers and clearinghouses in
the US.

US: California Assembly Bill 1950 (AB 1950)
Digital information implications: AB 1950 expands on the requirements
of Senate Bill 1386 and requires organizations to take "reasonable
precautions" to protect California residents' personal data from
modification, deletion, disclosure and misuse, rather than merely
report its disclosure.
Who's impacted: State agencies, persons or businesses conducting
business in California that own or license computerized data
containing personal information.

US: Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11)
Digital information implications: 21 CFR Part 11 sets out the US Food
and Drug Administration's requirements for electronic records and
electronic signatures. It is designed to prevent fraud while
permitting the widest possible use of electronic technology within the
pharmaceutical industry. Organizations must implement controls to
ensure the authenticity, integrity, confidentiality and
non-repudiation of electronic records; in some cases they must also
implement measures such as encryption and digital signatures.
Who's impacted: All organizations regulated by the FDA, including
pharmaceutical, biotech, medical device, food and cosmetic companies.

US: California Information Practices Act, as amended by Senate Bill 1386
Digital information implications: This law requires organizations
conducting business in California to disclose any security breach to
every California resident whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an unauthorized
person. Because notification is required only for breaches involving
"unencrypted" data, organizations that have encrypted the data enjoy a
safe harbor.
Who's impacted: State agencies, persons or businesses conducting
business in California that own or license computerized data
containing personal information.

US: Federal Information Security Management Act (FISMA)
Digital information implications: FISMA requires federal agencies to
develop, document and implement agency-wide programs to secure the
data and information systems supporting agency operations and assets,
including systems managed by other agencies or by contractors.
Who's impacted: Federal agencies, together with the contractors and
other organizations that operate information systems on an agency's
behalf.
So what is the answer? How can we protect the digital information we
depend on so heavily? There is no easy answer, but we can look at the
key elements required to protect it.
Digital information is compromised in three ways: it is stolen, it is
altered (by mistake or intentionally for malicious purposes), or it is
lost (by accident or through natural disaster).
Stolen
Digital information is most often stolen by insiders or by
governmental or commercial spies, even though hackers claim most of
the glory and publicity, whether or not they are caught. Theft is also
the hardest loss to prevent, because the infiltrators are usually
well-disguised, trusted and/or well-funded with an array of resources.
The thefts originate from all corners of the Internet and are
typically well planned and well executed.
Altered by mistake or intentionally for malicious purposes
There are many reasons digital information may be altered. Users can
make mistakes and alter or erase information by accident. Hackers,
insiders, governmental and commercial spies, and malicious code can do
the same deliberately.
Please also read our related white papers: "The Convergence of Virus &
Spam Threats" and "Public Enemy Number One of the Internet."
Lost by accident or due to natural disaster
Hardware failures, misplaced media and natural disasters of every
kind, including earthquakes, fires, floods and hurricanes, can also
cause the loss of digital information. Contrary to what most people
believe, this type of loss is by far the most preventable.
Digital Information Protection
There are many resources on the Internet that detail how digital
information protection should be done, and we have written numerous
white papers on the topic, such as our Air-Tight, Multi-Layer IT
Security Defense Systems™ white paper, so I am not going to cover the
details here. However, until someone understands the high-level
issues, the details are often ignored or misunderstood. Worse, the
protection is implemented half-heartedly and is not equipped for all
possible losses.
Digital Information Protection Matrix
Layer | Security | Backup | Remark
Digital | ✓ | ✗ | Firewall, Authentication, Encryption & Ongoing Audit
Physical | ✓ | ✗ | Human Resources Screening, Physical Access Protection & Ongoing Audit
Local (Hot) | ✗ | ✓ | Local Hot Backup Resource For Immediate Recovery
Local (WORM) | ✗ | ✓ | Local WORM (Write Once, Read Many) Backup Resource For Quick Recovery
Local (Cold) | ✗ | ✓ | Local Cold Backup Resource For Recovery
Remote (Hot) | ✗ | ✓ | Remote Hot Backup Resource For Immediate Recovery
Remote (WORM) | ✗ | ✓ | Remote WORM Backup Resource For Quick Recovery
Remote (Cold) | ✗ | ✓ | Remote Cold Backup Resource For Recovery
Hard Copy (Local & Remote) | ✗ | ✓ | Local & Remote Hard Copy Resource For Recovery
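The matrix puts "Encryption & Ongoing Audit" on the digital layer and a stack of hot, WORM and cold backups beneath it, and the "Altered by mistake or intentionally" section above asks how alteration is caught at all. The example below is added here and is not code from the original white paper or its author; it shows one way to audit a backup tier: a keyed SHA-256 manifest is built when the set is written, and a restored copy is checked against it so that altered, lost and planted files are each reported. The file names, contents and the 32-byte key are constructed for the example; the key is assumed to be kept apart from the media (a vault or HSM), which is what stops whoever holds a lost tape from editing it and re-signing the manifest to match. Confidentiality of the tape itself is a separate control (encrypt the media); this block covers integrity and completeness only.

```python
"""Backup-set integrity manifest (added example; not from the original white paper).

Builds a keyed manifest of a backup set and verifies a restored copy against
it, reporting files that were altered, removed or added. The HMAC key is
assumed to live apart from the media (a key vault or HSM); with the key held
elsewhere, a tape in the wrong hands cannot be edited and re-signed to match.
"""
import hashlib
import hmac
import json
import secrets


def digest_files(files):
    """Map each file name to the SHA-256 hex digest of its contents."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def _canonical(entries):
    # Sorted keys and fixed separators so identical entries always serialise
    # to identical bytes; the HMAC is computed over this encoding.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files, key):
    """Return {"entries": {name: sha256_hex}, "hmac": hex_tag} for a backup set."""
    entries = digest_files(files)
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "hmac": tag}


def verify_manifest(manifest, files, key):
    """Check a restored set against its manifest.

    manifest_ok is False if the manifest itself fails HMAC verification
    (edited, or signed under a different key); the per-file lists are then
    empty because nothing in the manifest can be trusted. Otherwise:
      altered    - present in both, digests differ
      missing    - listed in the manifest, absent from the restore
      unexpected - present in the restore, never listed in the manifest
    """
    expected_tag = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["hmac"]):
        return {"manifest_ok": False, "altered": [], "missing": [], "unexpected": []}

    expected = manifest["entries"]
    actual = digest_files(files)
    return {
        "manifest_ok": True,
        "altered": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in actual),
        "unexpected": sorted(n for n in actual if n not in expected),
    }


def demo():
    """Run the three cases a restore test should cover and return their results."""
    key = secrets.token_bytes(32)  # assumption: fetched from a vault, never written to the tape

    # Constructed backup set standing in for a nightly dump.
    backup = {
        "customers.csv": b"id,name,ssn\n1,Alice,***-**-1234\n",
        "ledger.db": b"\x00\x01\x02\x03",
        "statements/2005-06.pdf": b"%PDF-1.4 constructed sample",
    }
    manifest = build_manifest(backup, key)

    # 1. Clean restore: everything matches the manifest.
    clean = verify_manifest(manifest, backup, key)

    # 2. Restore from altered media: one file changed, one lost, one planted.
    restored = dict(backup)
    restored["ledger.db"] = b"\x00\x01\x02\xff"
    del restored["statements/2005-06.pdf"]
    restored["extra.bin"] = b"planted"
    tampered = verify_manifest(manifest, restored, key)

    # 3. The manifest is edited to match the altered ledger, but the HMAC
    #    cannot be recomputed without the key, so the whole manifest is rejected.
    forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
    forged["entries"]["ledger.db"] = hashlib.sha256(restored["ledger.db"]).hexdigest()
    forged_result = verify_manifest(forged, restored, key)

    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean restore", "altered media", "forged manifest"), demo()):
        print(label, result)
```

Run the verification as part of every scheduled restore test, not only after an incident: a WORM or cold tier that has silently rotted, or a tape that came back from offsite storage with one file changed, is only worth anything if the check runs before the data is needed. The same manifest can be written alongside hard-copy indexes so the remote tiers are audited with one procedure.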
In the Information Technology business, we must always be prepared
for the worst, and our IT architecture, design and procedures should
reflect that, in proportion to our day-to-day needs, regulatory
compliance obligations and resources. There is no perfect security,
nor is there perfect digital information protection. But we should
give ourselves the best possible chance of surviving small- and
large-scale disasters, man-made or natural.
The question is no longer whether it will happen but when. And the
answer is: when we are least prepared. Just ask the Federal Emergency
Management Agency (FEMA). FEMA predicted three types of disasters that
would hit the United States: (1) a terrorist attack on a major US
city, (2) a Category 4 or 5 hurricane hitting New Orleans, and (3) a
major earthquake in California. FEMA even ran simulations of some of
the scenarios, including the New Orleans hurricane. So far, two of the
three have come true, and we have all seen the results. We have all
heard the reports of lives lost and property destroyed. What is less
visible and underreported is all of the digital information lost
during Hurricane Katrina.
Now consider a major terrorist attack on the Internet or another
technical breakdown of the Internet infrastructure. This may be more
likely to occur at some point than the other disasters.
So, are we ready?
By
Benson Yeung, Senior Partner