By Jack M. Germain TechNewsWorld Part of the ECT News Network
04/25/07 4:00 AM PT
Businesses are starting to respond to the rising threat levels posed by data leakage from pocket-sized storage devices. The push to react is not coming from the fear of lost data as much as it is fear of losing money. Negative publicity became a primary driver last year in influencing corporations to address data leakage with new endpoint security measures.
The data drip is here. Computer security experts are worried that corporate data leaking from networks onto small mobile storage devices will worsen into a flood of stolen customer and company information.
Over half of all information leaks travel to personal data storage devices such as USB drives, MP3 players and PDAs, according to recent industry surveys. These surveys suggest that portable storage devices are contributing to a staggering rise in ID theft and loss of sensitive data on the corporate level.
Every 79 seconds, someone in the United States becomes a victim of such thefts. Even a single incident of data loss can cost a company millions of dollars in lost revenue, lost opportunity, lost competitive advantage and costly penalties for regulatory non-compliance, warn security experts.
"The cost of remediating lost data can be (US)$100 per record, so it makes economic sense to invest in data loss prevention technology," Chip Hay, vice president of marketing for security firm Code Green Networks, told TechNewsWorld.
Alarming Record
A glimpse into the staggering number of people affected by the top five information leaks of 2006 shows how serious the data leakage problem is becoming, according to Code Green Networks. Lost or stolen data from mobile devices affected a total of nearly 50 million people combined.
Gratis Internet Company collected the personal data of 7 million Americans via the Internet and later resold it to third parties in March 2006.
A leak of personal data of U.S. Army veterans and servicemen in May of last year impacted 28.7 million people.
That same month, the loss of a laptop with personal details of Texas Guaranteed customers by an outsourced contractor touched 1.3 million people.
Also last year, a laptop belonging to an employee of the Nationwide Building Society was stolen. It contained the personal information of 11 million society members.
Later, an employee's mobile computer containing personal details of 1.4 million people was stolen from the office of Affiliated Computer Services (NYSE: ACS).
Top USB Hacks
With the popularity and convenience of USB and MP3 storage drives, it should be no surprise that hackers are now using this same technology to squeeze data from portable storage drives.
Several malware hacks are particularly effective at sneaking onto portable storage units to steal their content, according to Paul Henry, Secure Computing's vice president of technology evangelism.
USBDumper is a software program that runs on a laptop. It copies everything from the USB drive. It is very popular in circumstances where multiple users share the same USB drive.
Slurp is a malware program that runs on the USB device itself. Slurp makes a copy of every document as a list. A second version of Slurp actually copies all the documents.
Pod Slurping is one of the biggest new items. All somebody has to do is slip a USB drive into a slot on an unattended computer and drag and drop the My Documents folder onto the device, explained Bob Egner, vice president of product and global markets for PointSec.
Other hacks are capable of wringing even more data from USB drives. They can create virtual instances on any USB drive. When the infected portable device is inserted into any PC, the malware installs dozens of hidden activities on the computer.
"Eighty percent of all data on a USB disk finds its way to a PC," said Secure Computing's Henry. Once that data makes its way to a compromised PC, or a hacker's own computer, the stolen data is irretrievable.
Perhaps even more damaging than losing the data is the loss of control after it falls into others' hands. It takes only four hours to lose control of information once it is posted on the Internet, said Code Green Networks' Hay.
Driving Factors
Businesses are starting to respond to the rising threat levels posed by data leakage from pocket-sized storage devices. The push to react is coming not so much from the fear of lost data as from the fear of costly penalties, noted Egner.
"Information theft is required to be reported in 34 states so CIOs are under pressure to lock down their networks," he said.
Negative publicity became a primary driver last year in influencing corporations to address data leakage with new endpoint security measures. CIOs now have to worry about network security concerns on the board level.
"The form factor in mobile devices employees bring to the workplace is getting smaller, and their capacity is getting greater. These small storage devices are creeping into the work space," Egner noted.
Smarter Thieves
With all of the different drive locations where data is stored today, mobility is a potential leakage point. However, that is only part of the problem. The other part is the greater sophistication of the thieves, according to Egner.
Previously, the bad guys stole laptops to make a quick buck reselling them. Now, increased sophistication of thieves lets them pull user IDs and personal data from the hard drives and portable storage devices.
Therefore, instead of just committing a "smash and grab" style robbery and selling the equipment quickly, thieves can make more money selling the stolen data at $1 per record, explained Egner.
Plugging the Leak
More data leakage problems will come in the near future, according to Secure Computing's Henry. This situation will not change, he believes, until regulatory agencies impose high penalties on companies that fail to improve their network security.
"It's not a matter of the technology not being here. It's a matter of cost incentive," Henry said.
Various technologies and methodologies are available to turn off the data leakage problem, noted Code Green Networks officials. These include enterprise rights management (ERM) systems, traditional secure content management (SCM) systems and next-generation advanced secure content management (aSCM) products.
This latest technology has the ability to eliminate the administrative burden of traditional SCM.
No Data to Go
Code Green Networks offers a content inspection appliance. IT workers can configure the device to look for sensitive information. The product knows the data container and monitors all the TPTC channels. IT can then write policies for how to handle sensitive data going out of storage.
Code Green Networks in February released a content inspection agent which pushes down to mobile devices attached to the network. It can take inventory of all endpoint devices and monitor them from a central panel. It can turn on and off the release of information.
Also, it records the names of files copied or forwarded elsewhere. It can require encryption of anything written to the USB device.
PointSec's security products focus on encryption without user interaction, according to Egner. Most products require users to change behavior; therefore, when they are in a hurry these security procedures slow them down so they forget to use them.
Secure Computing offers a variety of software and hardware solutions for network security. The Sidewinder Security Appliance, for instance, consolidates all major Internet security functions into a single system.