Features

Peering at Identity Fraud as Hackers Break into AT&T Systems

By Priya George

Are businesses consumed by security threats? According to Ken Low, Security Lead / Marketing Director, Asia Pacific TippingPoint, security is a moving battlefield where new digital attacks and vulnerabilities are constantly emerging from anytime and anywhere. The biggest challenge for security vendors and customers is to protect their system vulnerabilities targeted by new attacks. In the last two to three years, security vendors and customers have moved their emphasis from passive technologies such as firewalls, intrusion detection systems (IDS), antivirus systems and patch management systems to more proactive intrusion prevention systems (IPS), which protect system/application vulnerabilities before exploits are launched to target these vulnerabilities. A zero day attack is the successful exploit of network or application vulnerability before a software patch or anti-virus signature for that targeted vulnerability is available. A zero day attack can be a new computer virus, spyware, trojan, worm, rootkit, denial of service (DoS) attack or a previously unknown method of attack.

Having a Global View

According to Michael Burling, not only does identity management help institutions solve immediate compliance issues, but it also allows corporations to spearhead international compliance challenges as they look to expand. The Internet and technological advances have provided companies including financial services organisations with the ability to develop a mobile workforce. Globalisation has also spurred a new set of potential identity threats that must be addressed. Identity management allows a company to confidently go beyond securing its traditional physical network domains in multiple business locations. This in turn enables the company to create new business models via the security that identity and access management best practices and integrated security architectures provide.

Mobile workers run the risk of inadvertently introducing malware into corporate networks. This is yet another problem identity management can solve. Well-architectured identity management solutions can manage not only the rights that users have across digital assets, but also the lifecycle of users’ assignment to physical assets, in response to routine, or unexpected business events.

For example, consider a securities firm that has constituted a syndicate with other firms, providing advisory and underwriting services to a client considering an acquisition. For the duration of this exploratory exercise, users who legitimately belong to the ‘deal team’ (whether or not they are employees of the lead securities firm) require access to select digital assets (for example, the deal document management and market research repositories) and physical assets (a personalised smartcard for access to the ‘clean room’, for instance). At the end of this exercise, all of these assets need to be revoked from users who no longer require them, in accordance to corporate policy. The securities firm’s identity management solution can automate these processes, ensuring the client can efficiently receive services from the syndicate, at no additional risk to the lead member of the syndicate.

With the growth of globalisation comes a mobile workforce that increasingly uses portable devices. Unmanaged portable devices like smart phones, laptops, memory sticks and removable media, which are commonly used in enterprises, pose significant liabilities for organisations. Since companies do not have visibility into these devices, they are prime targets for information theft and data leaks.

Data consolidation becomes a crucial weapon for an organisation in the compliance war. Data fragmentation is more than just the enemy of efficiency—it is almost impossible to effect compliance if you have 58 places to manage users and at least as many places where the critical data they access lives. While data consolidation is not a cure-all, being able to centrally manage users, what they can access and where the information is that they are accessing enables far greater control over corporate assets subject to regulation. Furthermore, being able to verify compliance is simplified by data consolidation.

Identity management and unstructured data management are two critical areas where 'putting all your eggs in one basket' makes it much easier to prove they are Grade AAA eggs that have not been tampered with.

AT&T announced that hackers broke into a computer system and accessed personal data, including credit card information, from thousands of customers who had purchased DSL equipment from the company's Web store.

"Fewer than 19,000 customers" were affected, the company said, adding that it has notified customers by email, phone and letter.

AT&T also said that it has alerted the major credit card companies whose customer accounts were involved.
"We deeply regret this incident and we intend to pay for credit monitoring services for customers whose accounts have been impacted, said AT&T chief privacy officer Priscilla Hill-Ardoin. "We will work closely with law enforcement to bring these data thieves to account."

AT&T said that is committed to protecting customers' privacy and punishing the violators. "We're taking this action on behalf of our customers," Priscilla Hill-Ardoin, AT&T's chief privacy officer, wrote in a press release. "We intend to vigorously pursue these individuals who, through fraud, have attempted to obtain unauthorized access to customer information."

According to the 3Com Asia Pacific Cyber Threat Research, a total of 1757 web server intrusions have been reported from January 2001 to May 2006. 342 of such incidents were reported in the first 5 months of 2006 alone is higher than the yearly average. Many organizations rely on network firewalls, antivirus and IDS to stop such attacks. Unfortunately, the hackers have proven that they can frequently circumvent these passive security technologies as our research has shown. On the other hand, with IPS, a wide range of known system and application vulnerabilities can be protected, in many instances before system/application patches and antivirus signatures are available. In this way, attacks targeting protected vulnerabilities can be detected and blocked by the IPS.

According to Ken, around the turn of this century, there has been excessive interest in intrusion detection and security management. Millions of dollars have been poured into these technologies but not only do these technologies not stop attacks at all, they also waste precious human, financial and material resources of an organization. My advice to all decision makers is to focus on proactive security technologies (e.g. IPS), which protect their networks against new digital threats and Auto-Protecting Networks to maximize the return on security investment (ROSI).

While IT security budgets are slated to rise in 2006, it still will not be enough to adequately protect a company from security threats. One can even argue that no amount of money will ever be enough to address the full array of security concerns we face in the 21st century. However, the additional budget will allow IT managers to explore security solutions that can streamline identity and password management and protect against internal (employee) or external (hacker) data breaches. IT managers should continually monitor enterprise need and the latest security challenges. The executive team must be consistently updated on potential risks and lobbied for additional IT budget as new needs and challenges aris, writes Michael.

The review and introduction of regulatory guidelines will continue to spur the entry of new, and thus, relatively inexperienced vendors to the identity management space. When choosing an identity management partner, look for a company with a history of successful, enterprise-wide identity management deployments.

Additionally, seek a vendor that offers a flexible solution, a strong workflow engine, a customizable user interface, responsive support and a strong record of customer confidence and satisfaction. You can also ask for and check references. Enterprises will face the same IT security challenges that they did in 2005 and then some. Finding an appropriate vendor to address today’s current security problems, being vigilant against new threats and efficiently protecting critical data will be instrumental to a company’s success in the compliance and security war, Michael concludes.


print	save	email	comment