Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.

9.06.2008

More Notification Laws Not Reducing Identity Theft


A recent report published by Carnegie Mellon University showed that additional legislation for increasing the visibility of identity theft has not decreased its occurrence. In other news, researchers announced the development of new weapons against network worms, while Microsoft Corp. left a critical security update out of Windows XP Service Pack 3.

Focal Points:

  • Researchers at Carnegie Mellon found that instances of identity theft have not decreased, even though 43 states have enacted laws for data breach notification. Researchers looked at data supplied by the Federal Trade Commission on a state-by-state basis, noting that the presence of the new data breach notification laws has not reduced the incidence of identity theft in the states where these laws were passed. However, researchers did find that fraud rate, gross domestic product, and population did correlate to increases in the rates of identity theft.
  • New research from Ohio State University has uncovered a method that can be proven to stop Internet worms from propagating within minutes of being detected. Researchers said the key was to monitor the number of scans that each machine on a network sends out. Once the number of scans exceeds a threshold, the machine can be assumed to be infected and is then immediately taken offline for remediation. While all computers send scans in normal operation, viruses scan many different destinations in a very short period of time. This activity can be detected with behavior analysis. Researchers said the number of scans allowed before a computer was assumed to have a virus can be quite large, so as not to interfere with "normal" network traffic. Researchers tested against both the Code Red and SQL Slammer worms and found they were able to limit the spread of the virus to fewer than 150 hosts 95 percent of the time.
  • Officials from Microsoft recently verified that a critical security update is missing from Service Pack 3 (SP3) for Windows XP. SP3 was issued in November of 2006. The bug exists in Flash Player, which was updated via security update MS06-069 on 14 Nov 06. This update was listed at the time as "critical" by Microsoft. Typically, the service pack releases contain all previously released updates. This has drawn attention because hackers have recently been shown to have active exploits for the version of Flash included in the SP3 update, which did not ship with the more secure version of Flash Player that was released several weeks before SP3 was finalized. If users had previously installed MS06-069, then installation of SP3 should not have any adverse effect on this installation.
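
The scan-count containment idea from the Ohio State item above, sketched as an added example (not the researchers' code): each host's distinct scan destinations are counted, and the host is taken offline once the count exceeds a threshold. The event format, the addresses and the threshold of 50 are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address


def contain(events, threshold):
    """Apply scan-count containment to time-ordered connection attempts.

    events: iterable of (timestamp, src_ip, dst_ip) tuples (assumed format).
    Returns {src_ip: (quarantine_time, distinct_destinations_reached)}.
    """
    seen = defaultdict(set)   # src -> distinct destinations contacted so far
    quarantined = {}
    for ts, src, dst in events:
        if src in quarantined:
            continue          # host is already offline; nothing more gets out
        seen[src].add(ip_address(dst))
        if len(seen[src]) > threshold:
            quarantined[src] = (ts, len(seen[src]))
    return quarantined


def sample_events():
    """Constructed traffic: one ordinary workstation and one host sweeping a /24."""
    events = []
    # 10.0.0.5 talks to the same three servers, once per second for a minute.
    for t in range(60):
        events.append((float(t), "10.0.0.5", f"192.0.2.{1 + t % 3}"))
    # 10.0.0.9 probes a new address every 10 ms, starting at t = 30 s.
    for i in range(200):
        events.append((30.0 + i * 0.01, "10.0.0.9", f"198.51.100.{i + 1}"))
    return sorted(events)


if __name__ == "__main__":
    for host, (ts, n) in contain(sample_events(), threshold=50).items():
        print(f"{host} quarantined at t={ts:.2f}s after {n} distinct destinations")
```

Because the counter tracks distinct destinations rather than raw packets, the workstation that keeps returning to the same servers never approaches the threshold, which is why the limit can be set generously.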

Experton Group believes security managers will start shifting their emphasis from compliance auditing to security analytics, in an effort to get in front of the increasingly successful penetration of hackers into corporate networks and data. IT executives should shift their focus from network-oriented to data-oriented security, in order to increase their ability to protect critical enterprise IP. In addition, security managers should add behavior-based detection algorithms to their security suites.

Press

Contact

Suzette Heydenreich

Tel.: +971 4 360 8699
Fax: +971 4 361 5699

suzette.heydenreich@experton-group.com