The Cyber Maginot Line

On 01.28.10, In Business and Security, By Paul

Between 1930 and 1940, France built a massive system  of defenses known as the Maginot Line.  Designed to stop a German invasion, history illustrates its failure.  The 1940 German invasion of France skirted the defensive Maginot Line as they swiftly penetrated through the Ardennes by way of Belgium.  I’m not a historian and there are many facts that played into this but clearly the fate of France was at least partly determined by a false sense of security rooted in the Maginot Line.

Have modern day corporations and public entities created their own version of Maginot Line when it comes to the protection of sensitive information?  I think the answer is clearly yes.  William J. Lynn III, the deputy defense secretary who oversaw a recent attack simulation pointed this out in “In Digital Combat, U.S. Finds No Easy Deterrent“.  An over-reliance on firewalls and anti-virus programs has created a false sense of security among those who store, transmit, and process sensitive information in the normal course of business.  The changing threatscape, such as the new complex zero-day exploits and state-sponsored targeted attacks, are sometimes ignored much like the French failed to take action when Belgium declared itself a neutral country severing their previous alliance with France.

Consider this comment made in a recent story:

“The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations.”  US oil industry hit by cyberattacks:  Was China Involved? CS Monitor, January 25, 2010

We are not prepared.  The attackers have become more nimble, motivated, and tenacious while we have become slow moving and complacent.  Many organizations have been lulled to sleep.  We’ve already seen changes in the way attacks are organized and the creativity being designed into their exploits.  Collectively, we need to examine the new threatscape and actively develop new tactics that match the agility being demonstrated by the “bad guys”.

Let’s learn from the Maginot Line.  Let’s not get caught sitting behind our old walls hoping that we can sustain a direct assault when the real threat is making an end run.

Tagged with:
 
0 Comments
Leave A Response

Don’t Let FUD Trump Value

On 01.22.10, In Awareness and Education, Business and Security, By Paul

The Google “Aurora” incident illustrates an ongoing problem with the “media motivated” approach many organization take in regards to information security.  A major event happens and there is a short-lived window of opportunity to ride the “it can happen to us” wave to secure some funding for the latest toy or gadget.  Unfortunately, some executives are unable to step out of the headline grabbing world of FUD (Fear, Uncertainty, and Doubt) and that is the only way security efforts ever show up on their radar.  That is unfortunate but shouldn’t convince information security professionals to operate entirely in that realm.

Threats are constantly evolving.  “Aurora’ today will be something else tomorrow.  Constantly jumping from one fire to the next unfortunately takes us out of the process improvement mode of operation.  Certainly there is some lessons learned from this incident that should be applied but ultimately, information security should be an evolving proactive process, not a panic stricken FUD game.

  1. Vulnerability management is a process that requires checks and balances.  How do you know that all your systems are patched?  This goes beyond O/S patches but applications as well.
  2. Do you know what your users are installing?  Software deployment and management is part of an overall strategy to protect your systems.
  3. How do you know your systems have the latest anti-virus updates and signatures?  Obviously, anti-virus is a reactionary tool that typically fares poorly in detecting new malware but keeping out the old stuff is important too.
  4. Do you actively look for compromised systems?  How do you manage event information?  Do logs come in to a centralized location that can be indexed and analyzed or do you really believe an analyst is manually looking through millions of log events each day?
  5. Understand where your attacks are coming from and take action.  Look for weaknesses in your defenses and fix them or provide some type of compensating controls.  Learn from compromised systems and the information already available to you from IDS, SEIM, logs, etc.

Show that information security provides value without resorting to scare tactics else you become the “boy who cried wolf” and ineffective in your long term efforts.

Tagged with:
 
0 Comments
Leave A Response

Lawsuit, breaches and bashing… oh my!

On 01.19.10, In Business and Security, National and State Privacy/Security Law, Should Have Known Better, By Paul

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

  1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
  2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
  3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
  4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilent.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest airlines crash at Midway airport in 2005.  Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

Tagged with:
 
0 Comments
Leave A Response

2010 Information Security Predictions

On 01.03.10, In Awareness and Education, Business and Security, National InfoSec, By Paul

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud” businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.    With major attacks taking place in 2010 and hopefully and improving economy, the investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment are emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

Tagged with:
 
2 Comments
Leave A Response

Cybersecurity Coordinator – new man, same ol’ position

On 12.29.09, In National InfoSec, By Paul

I’ve been mulling on the appointment of Howard Schmidt as U.S. Cybersecurity Coordinator for several days.  This is the appointment that has been 10-months in the coming since President Obama vowed to create the post.   This is the role that was previously filled (at least functionally) by Melissa Hathaway who left over frustration with the way the U.S. government works.  Before her, it was Amit Yoran who was the cybersecurity czar for DHS.  He was dessimated by bureaucrats and lasted only a year.

Schmidt had a previous run as a cybersecurity advisor for the G.W. Bush presidency.  From all accounts he is a skilled man with an impressive resume.  Unfortunately, the position itself has been designed with so many obstacles that success is unlikely.  Though he is supposed to have access to the President, the position is several steps down the organization ladder.  As I’ve seen in the private sector, when you place security out-of-sight it quickly becomes out-of-mind.

The mission of the position has been set by President Obama but with executive-level focus on so many different arenas, I’m afraid the cyber-security talk will be just that… talk.  This position is one with a lot of responsibility without the authority needed to accomplish the goals.  A recipe for failure in any organization.  This nation needs information security leadership.  Howard Schmidt is the right man but the position will limit his ability to succeed.   Best of luck!  I hope I’m wrong.

Articles regarding this appointment:

Rotella, Sebastian.  “Howard Schmidt named cyber-security czar“.  LA Times, 12/23/2009

Nakashima, Ellen.  “Obama to name Howard Schmidt as cybersecurity coordinator“.  Washington Post, 12/22/2009

Tagged with:
 
0 Comments
Leave A Response

Risk-based Information Security

On 12.28.09, In Business and Security, By Paul

How do you even start protecting your information assets if you don’t have an understanding of the risk to them?  I would venture to say… you don’t.  It’s difficult for some to get started down this path because they quickly get overwhelmed with the task at hand.  Many times, a good effort gets set aside because the level of detail gets too cumbersome to reach the finish line.  Perhaps this can help.

Organizational assets

You have to know what you have but it doesn’t have to be a lonely road to get the information.  Start with a network scanning tool to detect the systems on your network and try to understand the type of data being stored on each.  However, don’t try to perform a risk assessment on each individual system.  Group them into sensible categories based on type of data (customer, HR, financial), application type (web, database, app) or business function (web, e-mail, accounting/finance).

Find out who “owns” this data.  A department head, Director, VP, whoever is ultimately responsible for the data.  Remember, determining risk is a business responsibility and it is up to Information Security to adequately illustrate the risk and controls so that informed decisions can be made.

The Risk Rating Matrix

There are many ways that this can be done and even sample matrices you can use online.  Take your pick.   Some assign rankings for Threats, Vulnerabilities, and Impacts for each part of the security triad (Confidentiality, Integrity, Availability).  Some take into account compensating controls.    Some use liklihood of an event happening.  Some multiply their risk rating by how easy it is to detect an issue to get an overall score.

Regardless of what method works for you any method should take these suggestions into consideration:

  • If you are assigning scores in your rankings of threats, vulnerabilities, impact, etc. make sure you use an even numbered scale like 1-6.  This eliminates the “middle of the road” pick and forces one to fall on the high side or the low side.
  • Make sure each ranking number is labeled so that it is easy to understand what a 2 means versus a 5.
  • Provide an overall ranking that can be used to compare risks and prioritize them for clearer decision making.
  • Doing something is better than doing nothing.  Don’t expect perfection the first time out.

Take Action

With your rankings and priorities established in collaboration with the data owner you are in a better position to implement controls that provide value.  The acceptance of risk should be firmly in the hands of the data owner (and signed off on).   When budgets are tight, you now have the opportunity to address the biggest risks because you have taken the time to identify them.

There is no such thing as 100% security.  Reducing your risk profile by applying a measured approach to risk management is however, entirely possible.  Doing nothing is a bad choice.  Where do you want to be?

Tagged with:
 
0 Comments
Leave A Response

House passes Data Breach legislation… jury still out

On 12.14.09, In National and State Privacy/Security Law, By Paul

The U.S. House of Representatives has passed HR 2221, the Data Accountability and Trust Act.  This sets nationwide breach notification requirements that trump the patchwork of State laws that have been in effect with California leading the way in 2002.   The passage was written about in a Federal Computer Week article “House passes bill to require data breach notifications“.

Overall, standardizing the definition of Personally Identifiable Information will help in protecting the data.  This is a good thing as some states have more stringent definitions than others.   Data brokers have greater requirements.  Also a good thing.

The problem I see comes from the FTC having jurisdiction over the new law.  The FTC does not have authority to enforce regulations on government, banks, savings and loans, insurance industry and non-profits which would include higher education and some healthcare environments.  These industries are often the victims of data breaches yet they aren’t covered by this new federal law.

We’ve seen the FTC extend its reach with the Red Flags rule and perhaps they will follow suit with the new data breach notification legislation.  If they let some industries with known disclosure issues slip through the cracks then the overall effectiveness of the legislation is diminished.

Tagged with:
 
0 Comments
Leave A Response

Lessons in Due Diligence

On 12.02.09, In Business and Security, PCI, By Paul

An article by Kim Zetter on Wired.com caught my attention:  “Restaurants Sue Vendor for Unsecured Card Processor”.

The gist is that several restaurants purchased Point-of-Sale (POS) systems from a particular vendor.  These POS systems that were sold were apparently not Payment Card Industry – Data Security Standard (PCI-DSS) compliant and that resulted in a breach costing the restaurants a hefty sum.

One issue comes from unpatched, poorly configured remote access and the other alleged problem came from default login administrator userID and passwords.  From the article:

Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

So, the vendor sold them the product that was known to have these flaws but on the flip side, the restaurants bought these systems that are known to have these flaws.   I can certainly see the case here but from a security perspective there are some lessons learned when it comes to due diligence and basic security practices.

1.  If you blindly believe marketing slicks about the “state-of-the-art” product you’re purchasing that can do everything including cooking your dinner and washing dishes…well… you get the point.   Visa had produced a bulletin regarding the flaws with the product a year before one of the restaurants bought the product.   A little due diligence in the selection process would have gone a long way.

2.  So, you buy a product and install it.  It has remote access capabilities.  You leave the default administrator ID and password that is well known to anybody who can grab an online manual.  You’re breached.   If you install a new software product for Pete’s sake, change the default account passwords.  If your bank gives everybody a password of “password” to their online banking, would you change yours or just leave it?  (BTW, they don’t do that… just an illustration).

3.  Implementing a system with known flaws and not updating it is pretty bad.  It’s like installing a Microsoft server and not applying security patches for a year.  You get breached because of a vulnerability that should have been fixed a year ago.  Good luck blaming Microsoft for that one.   Patch management is essential.

By no means am I blaming the victim in this case.  They are chefs and restaurant managers, not IT or InfoSec people.  They relied on the vendor to provide them a product that was up to snuff with PCI requirements and trusted them to sell a product that protected their customer’s information.  When we examine and extended this into our own business and technology implementations, their experience provides some lessons for all of us.  Hopefully we can learn from this and apply due diligence to all of our vendor interactions and purchases.

Tagged with:
 
0 Comments
Leave A Response

Failures in Leadership, Ethics, and Security

On 11.25.09, In Business and Security, Ethics, Should Have Known Better, By Paul

A breach of patient personal information at University Medical Center has all the makings of a made for TV movie or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity.  The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats.  We hire employees and give them access to sensitive information in order to perform their job duties.  We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege.  Even the best of controls however, can be circumvented by a trusted insider with an intent to do harm.  In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney.  I’m not sure it would be reasonable for the organization to setup exit searches of their employees every day to make sure they weren’t sneaking out these documents.  Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there?  The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires.  I know it’s like profiling but when protecting consumer information, corpoarte finances and reputation, having an indicator of potential behavior issues can help.   However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation.  UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart.   Having face sheets printed only in one place and logging who printed them may be useful.  Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong.  A cursory probe and dismissal of something that could have major repurcussions to patients and the organization is completely unacceptable.  This is fairly common though.  This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders.   Chasing phantoms can be a nuisance but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story.  Take security threats seriously.  Reduce risk where possible.  Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck.  Take politician’s comments with a grain of salt.  Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

Tagged with:
 
0 Comments
Leave A Response

Learning From Someone Else’s Breach

On 11.20.09, In Business and Security, Should Have Known Better, By Paul

A subsidiary of manged health care provider Health Net Inc, just reported the loss of personal information for 1.5 million customers that occurred six months ago according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and thoughts of the Health Net leadership during this incident so take that into account.  Hopefully there are some lessons learned for other organizations both in the management of sensitive information and the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated yet you are putting seven year’s worth of personally identifiable information on a portable hard drive unencrypted.  They may need to reconsider their processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach but the delayed timing of this sounds like there was no incident response plan in place in the best case scenario.  In the worst case, one has to ask if their leadership were dragging their feet hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former in that they simply did not have a plan for dealing with this type of disclosure which is really not acceptable.  If you’re business maintains sensitive information about customers then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years and they were put there to prevent this type of “keep it quiet” behavior that had been common place in business.  The AG is attacking Health Net on this very issue and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million dollars to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time…. that is, until you experience a breach.

Tagged with:
 
0 Comments
Leave A Response
« Previous Entries
Go To Top »