paulmudgett.com

Failures in Leadership, Ethics, and Security

A breach of patient personal information at University Medical Center has all the makings of a made for TV movie or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity.  The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats.  We hire employees and give them access to sensitive information in order to perform their job duties.  We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege.  Even the best of controls however, can be circumvented by a trusted insider with an intent to do harm.  In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney.  I’m not sure it would be reasonable for the organization to setup exit searches of their employees every day to make sure they weren’t sneaking out these documents.  Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there?  The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires.  I know it’s like profiling but when protecting consumer information, corpoarte finances and reputation, having an indicator of potential behavior issues can help.   However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation.  UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart.   Having face sheets printed only in one place and logging who printed them may be useful.  Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong.  A cursory probe and dismissal of something that could have major repurcussions to patients and the organization is completely unacceptable.  This is fairly common though.  This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders.   Chasing phantoms can be a nuisance but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story.  Take security threats seriously.  Reduce risk where possible.  Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck.  Take politician’s comments with a grain of salt.  Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

Learning From Someone Else’s Breach

A subsidiary of manged health care provider Health Net Inc, just reported the loss of personal information for 1.5 million customers that occurred six months ago according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and thoughts of the Health Net leadership during this incident so take that into account.  Hopefully there are some lessons learned for other organizations both in the management of sensitive information and the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated yet you are putting seven year’s worth of personally identifiable information on a portable hard drive unencrypted.  They may need to reconsider their processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach but the delayed timing of this sounds like there was no incident response plan in place in the best case scenario.  In the worst case, one has to ask if their leadership were dragging their feet hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former in that they simply did not have a plan for dealing with this type of disclosure which is really not acceptable.  If you’re business maintains sensitive information about customers then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years and they were put there to prevent this type of “keep it quiet” behavior that had been common place in business.  The AG is attacking Health Net on this very issue and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million dollars to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time…. that is, until you experience a breach.

The Cloud Does Not Absolve Responsibility

Cloud computing certainly offers cost management opportunities for organizations straining to maintain server infrastructure but there is more to consider than just server management.  Security in the cloud simply has not had an opportunity to mature.  Protecting servers, which no doubt cloud providers can do pretty effectively, is different than protecting information.   Those organizations that believe they can outsource the responsibility of securing their information by shipping applications into the cloud are being naive.

There are three issues that come to mind immediately.

1. I think it is true that cloud providers can maintain the security of their systems much better than companies due to the resources available to them.  However, attackers will target web and database applications not servers.  While the servers are protected, your data can still be exposed due to poor practices and controls.
2. Cloud computing by its very nature will limit the type of security tools that can be applied in that environment.  While you could manage firewalls, intrusion detection/prevention systems, and other data leak prevention tools in an internal network, these additional layers aren’t specifically provided in the cloud.  You may be able to design them into the environment for additional costs but are you now minimizing your return on investment?
3. You may have little control over how much audit information is collected which can prevent you from being proactive.   Cloud providers are initiating contracts that give you ownership of your data but you may not own all of your log data.  To get this information may require a court order.

Ultimately, you need to be aware of how data flows inside and outside your organization whether you choose to house servers internally or move applications to the cloud.   If your business relies on highly valuable intellectual property then you may want to think twice about the types of controls available to you in the cloud.   If you wouldn’t normally apply additional controls or monitoring devices to your data, then the cloud may be a cost effective solution with good basic security measures.

If considering cloud computing consider the following:

1. Computer security is not the same as information security.  Understand the value of information to your business and what level of protection is required for that information.
2. Understand that even if you own your data, the audit log data may not be accessible to you.  Determine the consequences of not having access to audit logs and decide whether it’s important or not.
3. Once applications and data are in the cloud, you may not be able to apply compensating detective and preventive controls like you would internally.  If that raises concern then you may not want to put that type of data into the cloud environment.

Cloud computing offers incredible opportunities for business processing at lower costs but the business decision must also consider security and privacy concerns.  The responsibility and reputation consequences for a breach do not disappear into the cloud when your data goes there.  It’s important to consider the risk as well as the benefit when making decisions about cloud computing.  Remember, you are protecting information and that goes beyond just the physical location of servers.

Where Did That Come From?

Many victims of identity theft have no idea how their information was stolen.  Unfortunately, business processes may be leading to the disclosure of customer or employee personal information.  It seems obvious that hard drives that are in desktop and laptop computers need to be sanitized before being surplussed but a recent article identifies copy machines as having similar issues with the storage of personal information.  Who’d have thought!?!?

56 percent of people victims of ID theft have no idea how perpetrators got their ID,” said Sean O’Leary of Digital Copier Security, “And we can assume a portion or large part is a result of data breeches from photocopiers.”

That’s right – photocopiers.

O’Leary says he believes most companies don’t realize their copy machines have hard drives.

“We just take it for granted this little photocopier sitting in the corner of an office is safe and innocuous,” said O’Leary, “But in reality, with that hard drive it’s storing personal information.”

Today’s copy machines do a whole lot more than copy. They print. They scan. They email. They fax.

The machine has to have a way to remember all that information.

Between 1998 and 2002, companies began equipping copy machines with hard drives.

“Press Copy to have your Identity Stolen.”  Melissa Yeager, WINK News, Nov 12, 2009

Considering the type of information that is “copied”, it seems that copier hard drives may be an ideal source for the malicious person looking to steal sensitive data.   While it may seem simple to use a program like DBAN to wipe the hard drive of a desktop or laptop, removing data from a leased copy machine may create a challenge for most organizations.  Leasing companies should be warning companies about the hard drives and providing either a manner in which to sanitize the hard drive by the customer OR certifying the destruction of personal information when the copier is exchanged as part of a lease.

Sometimes the information security challenges come from unusual places.  With technology advances, we need to be mindful of where information flows throughout ALL of the organization, even in what most would consider to be rather innocuous places.

Baby Steps – Information Security Process Improvement

Organizations can quickly become overwhelmed when trying to implement a comprehensive information security program.  There are many barriers.  Cost.  Time.  Competency.   As I’ve posted before, security is an ongoing process and needs to be in order to deal with the changing business environment and evolving threat landscape.  Instead of implementing the very best (and most expensive) solutions for every security issue, I suggest a tiered approach that covers multiple areas and sets the stage for continuous improvement.

Barriers

Cost

If we buy the very top solutions for all of our security problems we will quickly run out of cash.  Throwing money at one or two issues leaves many other areas uncovered.   It may be better, especially early on in the implementation of an information security program, to spread the money around.  Provide coverage in all areas and then build up those controls that provide the most bang for the buck.

Time

The top solutions usually take more time to implement.  You need to ask yourself how great of an exposure do you have during the implementation?  Do you create a greater risk than by implementing a “lower end” solution?

Competency

I’ve seen it more than once.  An organization purchases and installs a high end and expensive solution that nobody on their staff knows how to use.  The great solution is subsequently ignored.   If nobody knows why a new process is being used or how a new product works, it’s pretty difficult to get the results you’re after.

Baby Steps

Continuous process improvement can apply to information security.  If you’re trying to implement a framework that calls for multiple controls such as ISO 27001/27002, using a multi-level approach may help reduce the paralysis that often accompanies such a large undertaking.   I suggest using a 3-tier approach.  Tier-1 is easiest to implement but is usually least effective.  Tier-3 is hardest but most effective.

It would be ideal if we could apply Tier-3 solutions to every problem right out of the chute but that simply isn’t feasible for most businesses.   Doing nothing is also a bad choice.  Applying Tier-1 and Tier-2 solutions at least gets the program moving and then process improvement can gradually improve the overall security posture of the business over time.

As an example, let’s look at dealing with security logs.

Tier-1

Administrators review server logs.  This is instituted through policy that requires the administrators to “regularly” review their logs.  We all know that manual review of logs is seldom done however, applying the policy at least sets the tone and expectation.  It can even start to adjust the administration culture toward reviewing logs if they don’t already do so.

Tier-2

Centralized log aggregation with automated reports.  This starts to automate the process.  Logs from systems and devices are pushed or pulled to a central logging system and now administrators review logs in this single location rather than across multiple servers.  Some scripting can be applied to automate reports.  This certainly increases the effectiveness of the log review process.

Tier-3

Commercial log analysis tool with near real-time alerts for anomalies.  This is a heavy-duty log aggregation, correlation, analysis, and reporting tool that has advanced capabilities.  It is much more expensive than a central log repository in Tier-2.  It is more complex to manage but the feature set allows for greater effectiveness.

Word of Warning

Implementing Tier-1 “just-for-now” solutions does not mean we can be lackadaisical in our information security practices.  Even basic security solutions need to incorporate good security principles.   If our business practices easily circumvent security controls then we can never be successful.   Starting small still has to be done right.

Information Delivery vs. Information Security

A System Administrator and an Information Security Administrator were sitting in a room.  The question was asked “When you install a new server, what is the first two things you do?”

Both of them answer, “install the latest patches and updates and remove all unnecessary services”.  Good answers but the reasoning behind these answers are entirely different.

System Administrator: By applying the latest patches and removing unnecessary services, I  make sure that any known problems are fixed and improve the performance of the system by not tying up system resources on things I’m not using.

Information Security Administrator: By applying the latest patches I close known vulnerabilities that could potentially lead to a compromise.  By shutting off unnecessary services, I reduce the number of potential openings to my system, again, reducing the potential for compromise.

Why is this difference important as long as the work is getting done?

It’s about a mindset.   In mid-sized or large organizations where information security sits underneath the IT umbrella, the differences are usually very apparent.  The need to deliver information to customers and staff more often than not trumps the need to secure that information.  In an environment where resources compete with each other in the IT organization, when push comes to shove, delivery almost always wins even if it increases the risk.

This is why I believe the information security function has to be independent of IT, much like internal audit is independent of finance.   Information security needs to be positioned to provide unfiltered advice and recommendations.  When information security is funneled through an information delivery point of view, the message may unintentionally be diminished or lost.

Additionally, the acceptance of risk and the responsibility for consequences should rest with the data owner, not with IT or Information Security.  These are recommending bodies that should be working together to develop solutions that clearly describe functionality and risk so that data owners can make informed decisions.  The way information is used is a business decision, not a technology decision.  Information security leadership requires the ability to identify and clearly communicate risk.  Information technology leadership requires the ability to clearly communicate the functional delivery of information.   Both need to be able to provide this advice unobstructed by the different missions of these departments.

Both are distinct.  Both are important.  Being independent allows both functions to leverage their expertise by creating an information-intensive environment that leads to informed decision making.   Doesn’t your business deserve at least that much?

A Good Profession

CSOOnline ran a recent article entitled “7 Ways to Stay Happy in a Miserable Profession” which listed items from a Mike Rothman presentation “The Pursuit of Security Happyness.”    No doubt the information security profession requires a certain level of mental toughness but I just can’t buy into some of the suggestions made in the article.

Accepting that we can’t win

I’m not sure a defeatist attitude is all that apprpriate for information security professionals.  You’ll always run into difficult budgets, management and staff that are trying to buck the system, and a threat from bad guys who communicate better than the good guys.  Part of being happy and successful in the information security profession is having passion for what you do.  It is up to the information security leader to share that passion, to be the evangelist of information protection, and to “sell” information security by demonstrating how it enables business.   The article certainly is right in stating that “YOU define personal success”, however, your attitude goes a long way.  Nobody will buy into your security agenda if you start off with a sulk in the corner attitude.

Focus only on what you CAN control

Absolutely.  However, you can’t ignore senior management, budget, user stupidity, DBA “dimwits”, office politics and the host of other issues listed in the article that are part of the environment we work in.  The security leader needs to shape and influence these areas, not just shrug the shoulders and say “I can’t do anything about it anyway”.  We need to excel at the things we control while working to influence behavior and decisions outside the coverage of our umbrella.

Look for NOT normal

Information is essential to successful security programs.  The concept of looking for unusual activity isn’t anything new but it is something that isn’t done very well in many organizations.  The better you get at looking for the unusual events, the better you get at stopping unauthorized disclosure and data theft.

Communicate the good and the bad

It’s all about setting expectations and Rothman hits the nail on the head with this one.  Openness and clarity are fundamental components of a good information security program.  It builds credibility with senior management and helps influence decisions when done properly.

Roll with the punches

Good days and bad days are part of the deal in any field, not just this one.  Information security is a tough field to play in and if you can’t maintain a professional attitude during the tough times, you’re probably in the wrong field anyway.  It’s not about being addicted to controlling what you can’t control as Rothman suggests.  It’s about doing the right thing.   At the end of the day, that’s what matters if you are intrinsically motivated.

Cover thy behind

Documenting everything is usually a good practice anyway.  If you build relationships rather than throwing your arms up in defeat then this simply becomes part of doing business.  It’s never personal.  It’s providing professional service to the business and keeping track of decisions so that everyone is on the same page.   If you can’t operate professionally and find yourself having to CYA on everything you do, it’s time to find a new job anyway.

Know thyself

I’ve never seen a headstone with these word:  “If I’d only spent more time at work”.   I’m not a believer in the separate work life, home life, play life, school life.   It’s all life and it’s yours.  Decide what is important to you and maintain a healthy balance.

————————-

The bottom line is information security is a difficult profession that constantly changes but that is what makes it challenging and fun.   It’s never going to be filled with glory and the only headlines tend to be negative.   The quickest way to make this profession miserable is to become a defeatist and apologist, hunkering down in a corner with an attitude of “I can’t do anything anyway”.  You don’t fight cynics and grouches by being cynical and grouchy.

An information security leader and a good information security program becomes fun when it is based around passion, humility, openness, clarity and agility.   We don’t need more negative security professionals.   Have fun.  Share your knowledge and keep trying to influence others to build a positive security culture.