Lock down that data
Continued exposure of data through inside threats shows need for improved security
Another example of the insider threat to personally identifiable information has surfaced. This time it was not just a matter curious employees browsing through celebrity records but a scheme to steal identities and open fraudulent credit card accounts.
In December, an employee in the human resources department of the Library of Congress was charged with conspiring to commit wire fraud for a scheme in which he stole information on at least 10 employees from library databases. He passed the information to a relative, also charged in the case, who used it to open the accounts. Together, the two are alleged to have bought $38,000 worth of goods through the accounts.
The incident is not surprising, said Mark Bower, director of information protection solutions at Voltage Security Inc.
“Human resources [data] is the crown jewel for personally identifiable information,” Bower said. “Because this data has a monetary value these days, this type of source is going to get attacked more and more.”
HR systems contain everything you need to establish an identity — all in one location that is frequently unprotected. Because employees have legitimate reasons for accessing that data, it requires more than security technology to protect it. It requires good policy and administrative oversight. But technology is a necessary starting place, and there are tools that can help.
Format-Preserving Encryption is a potentially powerful tool that can help protect the information stored in HR databases. Developed at Voltage, it lets you encrypt specific data fields while keeping the data in the same format so that it remains usable in existing databases.
Credit card, ID and Social Security Numbers, which are considered personally identifiable information that must be protected under some laws and regulations, often are used as unique identifiers to link records within databases. Applications also use them as indexes to retrieve records, even when the actual numbers are not necessary to the application.
Format-Preserving Encryption “solves the problem of having to make changes to your back-end systems,” Bower said. “You could eliminate that threat to things like Social Security numbers very easily with this approach.”
That is not just Bower’s opinion. Morris Dworkin, a mathematician at the National Institute of Standards and Technology, said the technique could be valuable in protecting format-specific data.
“To make sense of these databases, we need to preserve the relationships that the numbers enable,” Dworkin said. “They are the keys that make the different records in the databases hang together.”
The idea of Format-Preserving Encryption goes back to at least 1997, and a number of cryptographers in this country and France continued working on the idea for a decade. Voltage cobbled together the results of that work in 2006 and 2007, building on modifications to cryptographic techniques then applying the Advanced Encryption Standard algorithm to produce a practical commercial tool. The technique is not tied to any algorithm, but Voltage uses AES with a 256-bit key, a very strong method of encryption. It cycles the field to be encrypted multiple times, disposing of some digits in each cycle until it arrives at an encrypted field in the same format as the original.
No security tool, regardless of how strong it is, should be expected to work without being backed up with the proper policies, enforcement and monitoring. But a strong first line of defense can help save you from having to respond to a breach after the fact.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.