Exfilitration Hurts

Last month, at a US Secret Service Electronic Crimes Task Force meeting, I heard Dr. Ron Ross, of NIST speak. Ron gets what is significantly wrong with IT Security today. In Ron’s words, “Exfiltration is killing the private sector.” I agree. We only need to read the newspapers to find significant breaches of important design information for the F-35, the US’s next generation jet fighter, and the VH-71, the next version of the US’s presidential helicopter. The leaks are pervasive, significant and potentially a critical injury to the safety and security of the US.

McAfee’s report: Unsecured Economies: Protecting Vital Information, January 2009 was cited in the Whitehouse’s Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, May 2009, and summarized as “losses from intellectual property to data theft in 2008 range as high as $1 trillion.” Wow! With all the focus on protecting PII or credit card information, there is an even larger issue that dwarfs them all. This issue is the core essence of any firm — it’s intellectual property, its competitive edge, what makes it different from any of its competitors.

One area firms repeatedly overlook as they converge networks, services and devices onto a single network is VoIP. Because VoIP traffic bypasses firewalls, VoIP is a prime exit path from an enterprise. The VoIP firewalls simply tunneling voice media on through without any security treatment even though the media traffic accounts for more than 97% of the network traffic through a VoIP System. Additionally, though VoIP media gateway’s long were considered a security control to prevent embedded data transmissions they almost always pass media channel information through intact. And, these media gateways are pervasively spread through the IT infrastructure in places when IT security equipment simply does not reach. There simply can’t can’t be a more dangerous place in an enterprise network today.