Research during 2006 from CSI and others has indicated
that financial gain has become the dominant motive for computer crime and
abuse. There have also been indications that financially motivated attacks
are increasingly being undertaken by teams rather than by isolated
individuals. The teams consist of talent in spam, malicious code, phishing,
and criminal orchestration. Research such as the Symantec Internet Security
Threat Report released in September 2006 has shown that attacks are more
targeted than ever before. There is also reason to believe that many attacks
are designed to extract personal data because it is easy to monetize this
data through a number of channels.
Recognizing the significance of the threat and the
potential harm to its citizens, California
passed the California Security Breach Information Act (SB 1386). This law
requires any organization that maintains personal data and experiences a
known breach or believes the information was compromised to notify the
consumer. “Personal data” is defined as a last name paired with a first name
or first initial and one of the following: a social security number, a
driver's license or California Identification Card number, or a number from a
bank account, credit card, or debit card, along with a password or security
code that would give access to the account. Other jurisdictions have passed
similar laws, and it is reasonable to assume that the U.S. federal
government will get on the data protection bandwagon as well.
In addition to personal financial information, other
information is regarded as sensitive and must be protected as well. The UK
Data Protection Act of 1998 provides a very clear definition of personal
data:
In this Act "sensitive personal data" means personal data
consisting of information as to:
(a) the racial or ethnic origin
of the data subject, (b) his political opinions, (c) his religious beliefs or
other beliefs of a similar nature, (d) whether he is a member of a trade
union (within the meaning of the Trade Union and Labour
Relations (Consolidation) Act 1992), (e) his physical or mental health or
condition, (f) his sexual life, (g) the commission or alleged commission by
him of any offence, or (h) any proceedings for any offence committed or alleged
to have been committed by him, the disposal of such proceedings or the
sentence of any court in such proceedings.
While these descriptions have not necessarily been
codified in U.S. law, they have gained general international acceptance, and the prudent
information security practitioner will take heed.
Knowing that the information is sensitive, it makes sense to
increase the protection in place around this data with additional precautions
such as stronger authentication and access control, host intrusion
prevention, and so on. As with compliance, it is necessary to document and test in
line with stated policies and procedures.