Security & Compliance

The Definitive Guide to Information Theft Prevention

by Dan Sullivan


Information theft is a growing threat to individuals and organizations. The Definitive Guide to Information Theft Prevention describes the evolving threat of information theft and its financial, legal, and brand impact on organizations. The book addresses information protection and privacy regulations, the increasing threats from unmanaged devices as well as the challenges of securing managed devices, and the role of on-demand security in minimizing these threats. This guide also includes extensive discussions of risk management, incident response, and emerging best practices for leveraging on-demand security.


Chapter 1: Evolving Threat of Information Theft

The famed American bank robber Willie Sutton once said he robbed banks because that is where the money was. Today’s thieves do not have to leave their desk chair; they steal from computers because that is where the information is and some of that information is quite valuable. Consider the types of information available in compromised systems:

  • Personally identifying information, such as Social Security numbers, credit card numbers, and bank account numbers
  • Intellectual property, including product designs and copyrighted material
  • Strategic business plans with details about product launches, marketing campaigns, and mergers
  • Protected personal information such as healthcare histories

The inadvertent release of proprietary and confidential information can have costly and immediate consequences, ranging from regulatory fines and lost business opportunities to damage to brand and loss of customer confidence. A host of factors are resulting in an increasing threat of information theft, including:

  • Increased amounts of sensitive data
  • The changing economics of hacking and cybercrime
  • Increased systems complexity and accompanying vulnerabilities
  • Increased use of devices outside the control of a business’ IT department, such as customer PCs and business partners' mobile devices

When an incident of information theft occurs, the impact is not limited to IT operations but can affect a company’s brand and its financial and market position as well as bring on unwanted legal consequences. This chapter examines the changes in information technology (IT) use that have given rise to a new form of hacking and information theft and concludes with an introduction to the security industry’s response to these new threats—on-demand security.

Chapter 2: Understanding Information Protection and Privacy Regulations

Information technology (IT) providers, both those within companies and those providing IT services, are expected to provide for information protection and privacy well beyond what was expected less than a decade ago. Although regulation is new to many in IT, businesses at large have worked within well-established regulatory frameworks and shareholder oversight for decades to the benefit of all. Some regulations—such as Securities Exchange Commission (SEC) rules for publicly traded companies and Occupational Health and Safety Administration (OSHA) requirements for worker safety—apply to a broad range of companies. Others are more targeted—for example, the Environmental Protection Agency (EPA) regulations on water quality are more relevant to manufacturers than to financial service providers. Changes in the regulatory environment have expanded the scope of coverage from traditional business areas, such as financial reporting and manufacturing processes, to include IT. In particular, preserving the integrity of data and protecting the confidentiality of personal information have driven several regulations that either directly or indirectly impact IT operations.

This chapter will examine some of the broader information protection regulations that exist today as well as best practices for effectively and efficiently meeting those requirements. The first section of the chapter will examine financial integrity regulations and the recent business history that provided the motivation for passage of these types of regulations. The second section of the chapter shifts attention from businesses to individuals and looks into privacy regulations that are emerging from state, federal, and trans-national governments. The chapter closes with a discussion of best practices and frameworks that provide a broad structure for addressing requirements defined in a range of regulations (rather than attempting an ad hoc approach to individual regulations).

Chapter 3: Overview of Key Technologies to Prevent Information Theft

A common practice in information security is to implement security in depth, that is, with multiple layers using a mix of technologies. This practice has been adopted because, as is often the case in information technology (IT), there is no single solution that solves all problems in this domain. This chapter examines the major technologies that have a role in supporting information security and on-demand security in particular. The technologies are grouped according to the following high-level security objectives:

  • Preventing information theft by preserving confidentiality
  • Preserving data integrity by controlling access
  • Maintaining availability and integrity by protecting the infrastructure
  • Handling special issues in managing client security

Each of these areas presents particular challenges that must be addressed to maintain a secure infrastructure.

Chapter 4: Protecting Information During Transmission

Data can be well protected within a controlled infrastructure but is especially vulnerable to theft or tampering when it is transmitted. Consider what a thief would have to do to retrieve data stored on a secure server: infiltrate the network boundary protected by a firewall, authenticate to an access control system with a user identity authorized to access the information, gain access to an application—such as a database—that would allow the thief to find the information, transmit the data back to the thief’s storage device, and finally avoid detection by tampering with highly secured audit logs that record details of such information access transactions. When that same data is transmitted outside the secure network, the thief’s job gets easier.

Chapter 5: Protecting Information Use on Unmanaged Devices

The widespread adoption of the Internet has changed many aspects of information service delivery. When mainframes were the predominant computing resources, users would employ terminals directly connected to the computer. The advent of mini-computers in the 1970s and even the early adoption of personal computing did not change the model; serial connections from a terminal or the PC were the most common means of communication between the computing service and the client device. This method was a highly restrictive means of communication. Access to information resources was limited to those who could work in a computing center or a building wired to the computing center. The precursors of the Internet were the beginning of what would become a radical shift in computing communications.

Research into networking began in the early 1960s, and the first wide area network (WAN), albeit slow and primitive, was built in 1965. Work on the ARPANET, the predecessor of the Internet, began in 1968. By the late 1990s, the Internet was widely deployed and access to computing resources was no longer limited to direct connection terminals and PCs. This shift introduced another new concept to systems administration, the unmanaged device.

Chapter 6: Protecting Information Use on Managed Devices

By definition, managed devices are under the control of IT management, and security and systems management professionals have more options at their disposal for preventing information theft. Previous chapters have described methods for protecting information during transmission and when in use on unmanaged devices. This chapter will examine the varying security needs within a managed perimeter. The topics will include:

  • The nature of different client devices and their security requirements
  • The security needs of servers and applications
  • Securing network infrastructure

Throughout, the chapter will examine common threats to protecting the confidentiality and integrity of information and countermeasures to those threats.

Chapter 7: Risk Analysis and Incident Response

As an IT professional, you have many options at your disposal for countering security threats and protecting information assets. You can block network traffic at firewalls, monitor variations in system activity patterns with intrusion prevention systems (IPSs), filter content for malware and offensive material, encrypt information during transmission, and limit access to applications and services. With so many options, how can you choose? Should you implement them all? Even if you had the budget and resources to deploy and manage all the countermeasures available, would you want to? How do you know when you are “secure enough”? One way to answer that question is to use risk analysis, the first topic of this chapter.

Risk analysis helps identify priorities and determine the appropriate level of investment for particular assets. The objective of a risk analysis is to determine business risks and countermeasures that should be deployed to mitigate those risks; it cannot, however, guarantee that threats will not be realized. The second section of this chapter will examine examples of monitoring techniques to help prevent information theft.

Even in organizations with well-formulated risk analysis studies, professionally implemented countermeasures, and monitoring programs, security incidents can still occur. When that happens, it is essential that the organization respond in such a way as to minimize the damage, expedite the recovery, and learn as much as possible from the incident to prevent future damage. Incident response planning is discussed in the third section of this chapter.

Chapter 8: Best Practices to Prevent Information Theft

Information security is often understood as having three objectives: protecting the confidentiality of information, preserving information integrity, and ensuring information availability; security measures often help to address more than one objective. However, as a result of changes in the way organizations use and deploy information, there is a growing need for additional security measures directed at protecting the confidentiality of information.

This chapter concludes the examination of information theft prevention by exploring:

  • The need for a refined security paradigm to prevent information theft
  • Organizational issues that influence the success of information theft prevention programs
  • Technical responses to the threat of information theft

As information assets are used in new and more flexible ways, you must accompany those new uses with appropriate security to ensure confidentiality and privacy are not compromised.