Subscribe to
Computerworld Assessing the risks and cost of encryption
What does that frozen-chip hardware hack really mean to you?
Active Comments
 The Security Zone
With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones
|
April 9, 2008 (CIO) With major data breaches occurring on a regular basis, encryption vendors are going into hyperdrive, touting the need for their products. However, encryption is only one aspect of protecting your sensitive data, and a new attack shows that it may not be enough.
Recently, the security research group at Princeton University published a report on its success at recovering data from an encrypted disk image on a laptop. This caused a good bit of consternation and some breathless coverage in the press (as with this New York Times story that got the headline " Researchers Find Way to Steal Encrypted Data"), leading to some speculation that this meant on-disk encryption was simply not worth the effort. (Read more on Laptop Encryption Strategies.)
The next morning, having read the New York Times, your CEO stops you in the coffee room and asks, "Is it worth using this disk encryption? It's a pain, and from this article it sounds like someone could get my data anyway."
The security community gets excited about any cool hack that can be exploited to get something you're not supposed to get, and we know that sometimes it's really an important issue. On the other hand, sometimes it isn't. How is a nonspecialist to know the difference, and how can a CIO answer the CEO's questions in the coffee room the morning after a story like this appears?
It turns out that we can answer this sort of question quickly with some good expectation of accuracy, using ideas from that half-remembered Finance 101 class we took years ago. What we're concerned with is the risk posed by this new attack, risk as defined in finance as the probability of the undesired event multiplied by the cost of the undesired event (which is called the hazard). We can manage security issues, first of all, by considering the risk.
Risk = probability x hazard
An easy way to see how this is applied is to think about the PIN on your ATM card. Most banks have simple policies for ATM cards: You have a four-digit PIN; there is a limit on how much cash can be taken out of the account every day, say $500; and there is a policy that says after three wrong PIN attempts, the ATM annoyingly eats your card, usually on Friday afternoon just before you leave for that weekend in Vegas.
Now, assume the card is lost, and someone is attempting to get money from it illicitly. The chances of guessing the PIN correctly with no extra information (you didn't write the PIN on the back of the card, right?) are 1 in 10,000 for one try, or about 1 in 3,333 for the three tries you get. The hazard is $500, so the risk is about 15 cents. In other words, the bank can be pretty confident that over many thousands of depositors and ATM cards, the cost of this kind of fraud per card is about 15 cents each.
Reprinted with permission from
This story is reprinted from CIO.com, an online resource for information executives.Story Copyright CXO Media Inc., 2008. All rights reserved.
Today's Top Stories
Resource Alerts
Webcasts
Web Threats Don't Discriminate
The Secure Web Gateway. Mission Critical For Business
Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare
Editor's Picks
Clues point to Jan. 13 release of Windows 7 beta
Microsoft releases Vista SP2 beta
Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
IBM wants info from Apple execs in Papermaster case
License server glitch exposes SonicWall users to e-mail security threats
Report: Former AOL chief exec tries to raise funds to buy Yahoo
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
|
 |
|
Patrick Thibodeau: Satellite images of U.S military bases Which is more important? Helping terrorists or protecting military bases? Answer: protecting Web 2.0 ... [more] |
| White Papers  Read up on the latest ideas and technologies from companies that sell hardware, software and services. | ||||||
|
