By Andy Greenberg
The data breach that occurred at Fidelity National Information Services
last week was a security professional's nightmare. And not just because
of the amount of raw consumer data spilled onto the black market. By
that measure, the 2.3 million users' files that were leaked can't
compare with the 45 million customers' account information lost by
retailer T.J. Maxx (NYSE: TJX) just last January.
In Fidelity's case, the volume of the theft was less troubling than the
source: one of the company's own staff. After the breach, Fidelity
revealed that the culprit was an employee at the payment processing
company, one whose job granted him access to the company's database.
In fact, data breaches that originate inside a company aren't unusual.
According to Attrition.org's Data Loss Database, 104 of the 327 data
breaches last year started inside companies, not in the hands of
And Martin Carmichael, chief security officer at McAfee Software (NYSE:
MFE), says that internal data breaches are more likely
than external attacks to reveal key private information. But how to
protect servers when every employee is a potential data thief?
Carmichael spoke with Forbes.com about Fidelity's data debacle, how that
company and other breach victims can recover, and the problem of
controlling employees' access to data without paralyzing their
Forbes.com: How should a company like Fidelity have protected itself
from a data breach?
Martin Carmichael: When we look at Fidelity, it's a common situation:
Companies are focusing on the perimeter between the company network and
the external network. In the press you read cases about hackers and
Trojans that come in from the outside and devastate companies. But if
you look at the statistics, that's not where the biggest losses occur.
More often they happen when an inside person takes assets or
So many companies are focused on perimeter security, when they should be
asking, "What does our infrastructure look like? What are we doing to
assure compliance within the boundaries of our firewall?", looking at
that internal structure as well as that external structure.
Is this problem of data loss from internal leaks a new threat?
Not at all.
Then why are companies primarily focused on the security perimeter?
There's this mindset that "the people we hire, we can have confidence
in." That isn't the case. Statistics tells us that criminals are hired
at companies everyday, but there's this assumption of ethics and honor.
We've built this mythos that people on the inside of companies are more
trustworthy than those on the outside.
On top of that, external hacks have been sensationalized. Inside jobs
haven't gotten nearly as much visibility in the press.
So how can a company protect itself from internal data breaches?
Every internal station needs to be protected. Take a look at our
antivirus or other prevention software: It runs on each individual
platform, rather than in a firewall construct. Each individual computer
or server within your internal network has to be evaluated for security
individually. Creating a terrific perimeter isn't enough. The internals
have to also be hardened and capable of withstanding attack from
But at some point, don't you have to give your employees access to data
they need to work?
Sure. But from a security standpoint, one of the things that we need to
do more effectively is balance risk and productivity. We need to define
characteristics about what is risked and gained in every security
Think about how software is designed. We should be thinking about the
underlying characteristics of the software, not just fixing certain
bugs. Take for example a piece of software that can change the
background of your computer screen, like a Web browser. To do that, it
has to run as a privileged entity with more access, and someone could
use that to compromise your system. So how important is it to change
your screen background? And what's the risk involved?
Similarly, you have to ask what kind of controls you give to a database
administrator and what kinds of access they have. In many companies,
people get broad privileges in order to increase their functionality.
And you can end up with a database administrator who has control over
everything, with no controls on that administrator himself.
How should a business like Fidelity recover from a big data breach?
You need to have a recovery plan before something even occurs. How does
the news get presented? What is the effect on the company's stock? How
do you manage the interface with shareholders? What's the overall
impact? Your public relations, your CIO and your CEO will all be
involved and each needs to know their role in a strategic plan.
Above all, you have to maintain integrity with the customers. You have
to tell them just how their data has been compromised, and give them
clear steps that you and the customers will each take to address the
issue. Then you can take a financial look at the business and assess how
the breach, like any disaster, will affect the bottom line.
Aside from the business and the public relations angle, how do you
recover from a security standpoint?
There's no one-size-fits-all answer. You have to look at the events and
ask, "Was this anomalous? Could it have been prevented?" There has to be
fault resolution. You need to really look at the underlying
characteristics, and in most cases you can make specific changes. But
often the temptation after a breach is to make security overwhelmingly
burdensome. And in terms of the balance of risk and productivity, that's
not the best solution either. Risk is never zero.
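Two of Carmichael's points above are concrete enough to model in code: the database administrator who "has control over everything, with no controls on that administrator himself", and the post-breach question "Was this anomalous?" The following is an added example, not code from the Forbes article, McAfee or Fidelity. It assumes a hypothetical role-to-table policy in which the DBA role keeps schema and backup rights but has no routine SELECT on customer records, records every authorization decision in an audit log, and then runs two checks over that log: bulk reads of the customer table by any one account in a day, and denied attempts by privileged accounts. All roles, users, tables, thresholds and log records are constructed for illustration.

```python
"""Least privilege for privileged database roles plus an anomaly check over
the audit trail. Added example; every name and value here is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy: operations each role may perform on each table.
# The DBA role deliberately has no SELECT on "customers": maintenance rights
# do not imply the right to read the data (separation of duties).
POLICY = {
    "dba":     {"customers": {"ALTER", "BACKUP"}, "orders": {"ALTER", "BACKUP"}},
    "support": {"customers": {"SELECT"}, "orders": {"SELECT"}},
    "billing": {"orders": {"SELECT", "UPDATE"}},
}
PRIVILEGED_ROLES = ("dba",)


@dataclass
class AccessEvent:
    when: datetime
    user: str
    role: str
    table: str
    op: str
    rows: int          # rows the request asked for (or touched)
    allowed: bool


@dataclass
class AuditLog:
    events: list = field(default_factory=list)


def authorize(log, when, user, role, table, op, rows):
    """Policy decision point: allow only what the role's policy lists, and
    record every decision, allowed or denied, so the log is the evidence."""
    allowed = op in POLICY.get(role, {}).get(table, set())
    log.events.append(AccessEvent(when, user, role, table, op, rows, allowed))
    return allowed


def daily_rows_read(log, table):
    """Total rows returned by allowed SELECTs on `table`, per (user, day)."""
    totals = defaultdict(int)
    for ev in log.events:
        if ev.allowed and ev.op == "SELECT" and ev.table == table:
            totals[(ev.user, ev.when.date())] += ev.rows
    return totals


def bulk_read_alerts(log, table, max_rows=5000):
    """One alert per (user, day) whose read volume exceeds max_rows.
    max_rows is a constructed threshold; in practice it is derived from the
    role's normal daily volume rather than chosen by hand."""
    alerts = []
    for (user, day), n in sorted(daily_rows_read(log, table).items()):
        if n > max_rows:
            alerts.append(f"{user} read {n} rows from {table} on {day}")
    return alerts


def denied_privileged_alerts(log, privileged_roles=PRIVILEGED_ROLES):
    """Denied requests by privileged roles: a DBA probing for data access is
    worth a look even though the policy stopped it."""
    return [ev for ev in log.events
            if not ev.allowed and ev.role in privileged_roles]


def build_sample_log():
    """Constructed audit log: normal support work, one DBA attempt to read
    the customer table outright, and one support account scripted to pull
    the table in chunks."""
    log = AuditLog()
    t0 = datetime(2007, 7, 3, 9, 0)
    for i in range(40):                       # alice: 40 lookups of 3 rows
        authorize(log, t0 + timedelta(minutes=i),
                  "alice", "support", "customers", "SELECT", 3)
    authorize(log, t0 + timedelta(hours=2),   # bob: DBA, denied by policy
              "bob", "dba", "customers", "SELECT", 2_300_000)
    for i in range(10):                       # carol: 10 chunks of 25,000 rows
        authorize(log, t0 + timedelta(hours=3, minutes=i),
                  "carol", "support", "customers", "SELECT", 25_000)
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    for line in bulk_read_alerts(sample, "customers"):
        print("BULK READ:", line)
    for ev in denied_privileged_alerts(sample):
        print("DENIED PRIVILEGED:", ev.user, ev.op, ev.table, ev.rows)
```

The point of logging denied requests alongside allowed ones is that the policy check and the anomaly check answer different questions: the first says whether the DBA could read the table, the second says whether anyone, DBA or not, read far more of it than their job requires. Carol's account passes the policy and is caught only by the volume check, which is the kind of "was this anomalous?" review the interview describes.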