January 2009


Data Breach Trends


Recently, several organizations have released data on security breaches for 2008. As you would expect, there were more reported breaches in 2008 than in 2007. Based on information from the , the trend is summarized below:

  • 2008 – 656 breaches with 35.6 million records exposed
  • 2007 – 446 breaches with 127 million records exposed
  • 2006 – 315 breaches with 20 million records exposed
  • 2005 – 158 breaches with 64.8 million records exposed

Clearly the trend indicates that more breaches are being reported, with a more than 4X increase over the last four years. The question is whether this reflects an actual increase in compromised systems or an increase in the number of organizations reporting breaches.

In 2003, California became the first state to pass a data breach disclosure law. Since then, at least 43 other states have passed similar legislation requiring organizations to notify their customers in the event that their personal information is disclosed. And the federal government is considering passing similar legislation. Thus, enterprises are now required to report data breach incidents, whereas in the past this was not the case. Therefore, it would be a mistake to assume that the rise in reported data disclosure incidents is strictly due to a greater number of such incidents. It is difficult to know whether the rise is due to greater reporting requirements or an actual increase in the number of incidents.

One thing is certain: state laws requiring notification of data disclosures have led to a wealth of information on such incidents. And organizations such as the have built web sites that track and publish information on data loss incidents. This is a positive outcome of state breach notification laws, as it will force companies to take proactive measures to secure their customers’ personal information, which will help make us all more secure.

Looking Into the Future


This is the time of year when information security professionals like to make prognostications about future trends in the industry. The soothsayers who pen these prophecies rarely provide any information that could be considered earth shattering or even mildly prescient. I am not gifted with the ability to see into the future, and even if I were, it is likely I would suffer the same fate as Cassandra and no one would believe me. Thus, I will not attempt to make any predictions about the future. I will, however, make a statement of fact about the future. And since this is a truism, it is not a prediction:

Those who use computing resources for nefarious purposes, including phishers, spammers, virus writers, crackers, organized crime units and any other group or individual who sees an opportunity to make money by obtaining information illegally or using computing resources without authorization, will continue to stay 2 or 3 steps ahead of those attempting to secure systems against such people.

I have been involved with information security for over 10 years and I can honestly say that the state of information security has never been worse. There are more threats now than at any time in the past. There are more vulnerabilities now than at any time in the past. And the job of the information security professional is more demanding and complex than ever.

To some extent, this is to be expected. Information systems are pervasive in every aspect of our lives. And moreover, these systems are all interconnected. Our appliances can communicate with their manufacturers. Our phones have morphed into miniature computers with all the power and vulnerabilities common in desktop PCs. Our cars have computers that are capable of determining faults and sending this information to dealers who can resolve the issue. And our national infrastructure, such as electrical grids, dams, nuclear power stations and stop lights, is all controlled by computers and is often connected to the Internet.

Information systems are more complex than ever.  The bad guys have ever more opportunities to attack those systems and make money from using them illegally.  The threats are real and protecting against them is difficult.  Unfortunately, I don’t see anything that will change this scenario in 2009.  Happy New Year.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved