At one time, IT departments concerned themselves with hardening the perimeter. The idea was Medieval: build a fortress around yourself and don't let outsiders in. Then came remote workers. Then chat apps. Then Web mail. And then mobile devices. And suddenly you have more exceptions than the rule. Desktops inside the corporation, which at one time weren't as well secured, needed to be so. Within the past week, both Harvard University and Hannaford, a supermarket chain, reported significant data breaches. How they broke in, says Dan Geer, vice president and chief scientist for Verdasys, isn't as significant as what they took. Geer is part of a growing number of security experts who feel that the perimeter, as we knew it, is long gone, and that IT departments should instead be focused more on data-loss protection than intrusion protection. But this paradigm shift is still long in coming.
Recent data breaches
On March 13, 2008, Harvard officials said a database containing summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information had been compromised. Most troubling are the 6,600 summaries from admissions candidates from the United States that were copied. Harvard officials said the data includes the applicant's name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and academic records. To add insult to injury, the files were placed on the BitTorrent file-sharing network and are still available today.
On March 17, 2008, a Maine-based supermarket chain reported the exposure of 4.2 million credit and debit card numbers. The intrusion affected the Hannaford stores, Sweetbay stores in Florida, and certain independently owned retail locations in the Northeast that carry Hannaford products. Of the card accounts exposed, the Associated Press reported that 1,800 cases of identity fraud have been reported so far.
TJX still the worst
These two recent examples pale, however, in comparison to the breach at TJX, first reported last March. The TJX company announced that 45.7 million accounts had been compromised over a two-year period in a data breach of customer records at T.J. Maxx and Marshalls retail chains.
Clearly, the servers hosting the data in these breaches were soft, vulnerable to outside attacks. In the case of TJX, it is known that thieves used wireless as their point of entry. But Geer is arguing that shoring up the perimeter is futile. "Focusing on data security is the right thing for most companies; in other words, not antivirus, not network firewalls, not a long list of things that I'm sure you're well familiar with." In other words, even if an attacker gains access to the file, the file itself should not give up its contents.
New book
To argue the point, Geer has written a book, Economics and Strategies of Data Security, available directly from Verdasys. It's a slim volume, designed for CIOs and managers to assess the risks and costs of potential data loss. Although Verdasys does make systems that monitor data in the enterprise, the book is remarkably vendor neutral in its presentation.
Geer explained that the book is an attempt to "organize your thoughts, in thinking of data as that which is to be protected and the rest as, at best, mechanisms. What if you lose a laptop?" he argues. "That's one thousand dollars, two thousand, or three. That sort of doesn't matter. What matters is what's on it." And so he advocates encrypting the drives and setting rights permissions on individual documents. For example, Microsoft Office 2007 will let you determine who can read, print, or even copy the document to another storage medium.
Not light reading
Geer admits to being a bit of a wonk. "Anybody my age in the security field grew up doing something else. I was actually trained as a statistician, and my daddy was a bookkeeper, so you can imagine I like numbers." Full of detail, the book is still very readable.
Verdasys does plan other books in this series. Geer's book offers the "why" of data protection. Later books will address the "how" and the "what happens when you implement some of these ideas in the workplace" parts of the discussion.
Will there be a major (and I mean major) data breach that forces the U.S. to regulate how data is handled by corporations and government agencies alike? TalkBack to me.