They can't steal data that you don't have

By Alan Brill and Jason Paroff, Kroll Ontrack

April 6, 2005 12:00 PM ET

Recommended

(4)

Digg

Twitter

Share/Email

Computerworld - Data theft has become big news in recent weeks. Between data lost or stolen from Bank of America, ChoicePoint and a unit of Reed Elsevier, the public (and more importantly, Congress) is up in arms about the protection of personal and financial data that can be the subject of massive identity thefts.
Data loss is, of course, nothing new. In our work, we are frequently called upon to investigate these incidents and to find out what happened and who was involved.
Any competent information security professional will tell you that there is no such thing as 100% incident prevention. Incidents happen and will continue to happen. But there are things an organization can do to mitigate the risks of certain types of incidents, as well as the damages if an incident should occur. Failure to examine and mitigate these risks will increasingly expose companies to bad publicity, increased regulation and perhaps costly litigation.
When you look at a lot of incidents, as we do, you can start to draw some conclusions that go beyond the specifics of a particular situation -- whether the loss involved theft of a backup tape or unauthorized intrusion into a system or whether the perpetrators had inside help in carrying out their plans.
We have observed that some of the sensitive data that gets stolen fits into one of several categories:

Data that was never needed

Data that was needed but should never have been stored

Data that was originally needed but was kept far beyond its useful life

Data that should never have been stored in an unencrypted form

When we point out these issues to the victims, it seems that they never thought about these problems. We want to take a few minutes to explore them with you.
Data that was never needed
When you look through the data that you record on customers, transactions, employees and processes, when is the last time you checked each and every data field to determine why you needed it?
If you collect information that you don't actually need, not only are you spending money needlessly, but you're also opening yourself up to the risk that the unneeded data might be stolen or misused. You should look for a specific reason for collecting everything you ask for. If you can't define a valid business need or some legal or regulatory requirement for the data, why are you collecting it?
Sometimes we're told that the current system mirrors an earlier system that collected the same information, and no one realized that some

Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Jump to comments

Security

Additional Resources

WHITE PAPER

EFD vs. HDD - What You Need to Know

Enterprise flash drives provide a new Tier 0 storage layer capable of delivering high I/O performance at a very low latency. Proper use of EFDs in an Oracle environment can deliver increased performance compared to fibre channel drives. Read the recommendations for identification of the best DB components for EFDs.

WHITE PAPER

Gartner Research Report: Magic Quadrant for Application Delivery Controllers, 2009

The market for products to improve the delivery of application software over networks remains dynamic and innovative. Vendors focused on solving enterprises' most-pressing application problems have become the top players.

WHITE PAPER

Eight Criteria for Server Load Balancing

Server load balancers are a simple yet highly effective means to scale an application environment while ensuring its availability. Today's solutions should also address application performance and security. Read about the top eight criteria you should consider when choosing a server load balancer and how Citrix NetScaler meets those requirements.