Checkbox Security Fails Again

April 4, 2012 by · Leave a Comment

Regulatory compliance is often a confusing mess.  Rattling off the alphabet of compliance can often result in dizziness, headaches, and for some, a bad case of nausea.   PCI-DSS, HIPAA, HITECH, GLB, SOX, and heck, might as well throw in some state data breach notification laws as well.  Congress doesn’t want to stop there as they continue their efforts to add even more to this list of rules to live by.

Don’t get me wrong.  The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful).  The problem is, with so many different regulations with varying definitions and requirements attempts at compliance start to resemble the traffic signal depicted to the right.   The cure for one bout of “alphabetitis” doesn’t necessarily vaccinate you for the others.  In the meantime, while you’re running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the “to do” bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective.  Unless you live in a spider hole like a Doomsday Prepper you may have noticed a recent breach of credit card data.   If you are a “prepper”, here’s a quick catch-you-up article from ABC News, April 2 -  “Experts Say Global Payments’ Breach May Not Be Only One“.

But wait!!  How could this have happened in the era of PCI Compliance? 

To be blunt, building an information security program around compliance is an approach steeped in failure.  The desire is very strong to have a favorable audit report but once that is over, the focus tends to shift away from the continuous protection of sensitive information.   As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in an article “Global Payments credit card security breach exposes PCI shortcomings” where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security.  As is often the case, let’s look at something entirely basic.  In order to protect something you have to know what it is.  Regulators and legislators aren’t helping in this regard.  Protected information is defined differently depending on the flavor of legislation you’re working with.  Wouldn’t it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis? If you store, process or transmit data under this one definition then you have to protect it regardless if you’re in healthcare, finance, or any industry vertical that uses such information.

I don’t think we can rely on government to help in this regard.  So, create your own matrix of sensitive information (maybe I’ll take that on as a project and post it) and then apply the SANS 20 Critical Controls or use some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark and erase checkbox game of compliance.  If you have deployed a solid information security program then compliance audits should, quite frankly, be a simple verification process.

 

_________________________________

Photo Credit: Stuart Miles at Freedigitalphotos
Illustration Credit: digitalart at Freedigitalphotos

Filed Under: Business and Security, National and State Privacy/Security Law · Tagged With: , , , , , , , ,

Cybersecurity Act of 2012 – Uh oh!

February 22, 2012 by · Leave a Comment

The US Government appears serious about passing The Cybersecurity Act of 2012 but it does little more than grab additional power while placing additional burden on the private sector.  While there are a few provisions that may create opportunities for improved protection of critical assets this bill essentially takes us down the path of “check mark security” which is a failing proposition.   If the goal is to eventually create state-controlled infrastructure, this is a step in that direction.

I’m inclined to agree with Gartner’s John Pascatore in his comments in a recent CSO article,  that the government already has a mechanism in place that could be used to vastly improve the ability to defend against cyber attacks.   Purchasing.   By demanding tighter security controls from software and product manufacturers as part of the US government purchasing program we tackle a major issue when it comes to securing our infrastructure.

Check mark compliance usually means an organization will do the least amount necessary in order to satisfy their regulatory compliance obligations.  That simply does not equate to applying the right security mechanism to deal with current and trending threats.  Static regulatory requirements are not agile enough to keep up with a rapidly changing and evolving cyber ecosystem.

So where does government fit in?

  • Support for education efforts and a salary schedule that attracts talent into federal agencies and the general workforce is a good thing.  As outlined in the proposed legislation, scholarship-for-service, internships, funding competitions (that should be administered through a private sector partnership), and additional training opportunities for current federal employees are all good things.
  • Improve mechanisms for information sharing among the private and public sector.

Unfortunately, creating a compliance culture leads to building incentives to do the minimal amount necessary to satisfy requirements.  It does not necessarily improve the security of critical infrastructure or information.   Using the threat of a “catastrophic cyber attack” as a guise to power-grab is irresponsible and does not solve the issue at hand.   Our legislators need to take a step back, understand what they want to accomplish and consider the unintended consequences that often accompanies their actions.

 

Photo credit:  Jeroen van Oostrom / FreeDigitalPhotos.net

Filed Under: National and State Privacy/Security Law · Tagged With: , , ,

More Legislation? Hmmm.

September 13, 2011 by · Leave a Comment

Senator Richard Blumenthal, D-Conn, introduced new legislation aimed to prevent data breaches.   The proposed legislation includes federal requirements for customer notification in the event of a breach (something most States have been requiring for years) and requiring companies to provide two years of credit monitoring service.  There are fines and program requirements for regularly testing controls and protecting information while stored.

SC Magazine Article:  New Senate Bill Aims To Prevent, Deter Data Breaches

Here’s just a few issues with this:

1.  We’re assuming the federal government can successfully patch together the existing state privacy and security requirements to make this helpful to businesses.  I’m not sure our federal government can successfully tie a pair of shoes without creating extensive knots.

2.  While requiring secure storage of sensitive information is certainly a valid idea, it doesn’t do a bit of good when sensitive information is readily copied to flash drives, laptops and other removable media.   Regaining focus on “least privilege” and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.

3.  The alphabet soup of security/privacy legislation and compliance is mind boggling.  Personally Identifiable Information (PII) is defined differently depending on what piece of legislation or industry standard you’re applying.  PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, etc.   How about one definition to rule them all?

I’m encouraged that the government takes privacy and security seriously, but as too often the case, federal legislation is based on knee-jerk reactions to events and create such complexity that security and privacy are seldom improved.   I don’t disagree with the attempt, just wary of another set of regulations that may create more complexity without really improving the security and privacy of personal information.

Filed Under: National and State Privacy/Security Law · Tagged With: , ,

Nevada’s step into electronic health information exchange

June 29, 2011 by · Leave a Comment

Governor Sandoval signed Senate Bill 43 to move forward with the State Health Information Technology Strategic and Operational Plan using federal stimulus funds.  This essentially gets the ball rolling for the development of a statewide system for the electronic exchange of health information.  The intent is to improve health care quality, prevent medical errors and reduce medical costs.

The new law appears to pull from HIPAA and HITECH in regards to data security and privacy.  Interesting that Texas, also driving forward on stimulus funding for electronic health records,  just enacted tougher protections because of the perceived weakness and lack of enforcement in the federal laws.   From the June 28, 2011 article “Texas Enacts Health Privacy Law” at govinfosecurity.com:

“…she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped up enforcement of healthcare privacy rights at the state level.”  – Sponsor of the Texas law Lois Kolkhorst.

” The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it’s not going to have any noticeable effect.”   – Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights.

While Texas has defined broader protections, Nevada seems much more in line with HIPAA and places the design of standards in the hands of the Director of Health and Human Services.   Two different approaches with hopefully good results in relation to protected health information.  Time will tell if the expected outcome of of privacy and security required in this new electronic health information exchange will match the desired benefits to quality of care and reduced costs.

 

Photo credit: Tabitha Kaylee Hawk

Filed Under: National and State Privacy/Security Law · Tagged With: , , ,

“Do Not Track” – Will it really help?

March 17, 2011 by · Leave a Comment

The FTC and White House are once again throwing their support behind a “Do Not Track” tool meant to protect user privacy on the Internet.   I think it’s easy to jump on board the good ship Privacy but anytime the federal government engages in such rule enforcement and legislation, you have to wonder what the unintended consequences might be.  Will it really make a difference?

For instance, if this models the Do Not Call list, does the collection of internet activity not apply to politicians and their election campaigns?  Or do they get a pass again?

Will it change the business model that provides free content and services?

If legislation is created and passed, will it also include funding for ant farms in Alabama or other items that have no business being in a privacy bill?

More importantly, will it really change people’s behavior? I’m not sure.  People have been giving away information about themselves for a long time whether it’s to get 3 cents off a loaf of bread or to win money in a lottery they’ve never entered.  Can you really legislate personal responsibility anyway?

I think providing a choice is a good thing.  I think it’s reasonable to inform people how their information will be used.  I’m just not sure the end result of this effort will resemble the good intentions.

Photo credit:  Mikey G. Ottawa

 

Filed Under: National and State Privacy/Security Law · Tagged With: ,

Cybersecurity Bill – DHS as Punisher

November 23, 2010 by · Leave a Comment

In an effort to be a focal point of “cybersecurity”, legislation was introduced that would allow the DHS to levy fines and other civil penalties against any companies the government decides is “critical”.  I agree that the need to protect critical infrastructure is important, but this effort by legislators creates a slippery slope and a recipe for internal conflict.

First, what is “critical”?  The use of this broad term makes me nervous.   It’s an open-ended path to abuse in my opinion.

Second, this is nothing more than an added layer of bureaucracy that adds no value to information security other than the costs associated with complying with yet one more check box.  In the long run, more money will be dumped into information security but the large bureaucracy will negate the benefits.  The last thing that should be done is inserting a slow moving beast into an environment that requires agile response to defend against new attacks.

Third, what becomes of Howard Schmidt, the Presidential appointed U.S. Cybersecurity Coordinator.  Does this role go away?  If not, what type of conflict does the appointing of a DHS Cybersecurity guru create?

This is simply a bad idea.

Filed Under: National and State Privacy/Security Law, National InfoSec · Tagged With: , , ,

Lessons Not Learned – Public-Private non-communication in CyberSecurity

August 20, 2010 by · Leave a Comment

One of the deficiencies that came to light in the aftermath of the 9/11 terrorist attacks was the communication failure between competing intelligence agencies.  A report released this past Monday from the Government Accountability Office shows that the same failure to communicate is happening in the cybersecurity arena.  The breakdown in this arena is between the government who has the cyberthreat information and the private sector that manages critical infrastructure that is susceptible to cyber attack.   Ah yes… history repeats itself… at least that appears to be the direction.

“Auditors pointed to recent reports of cyberattacks — such as a denial-of-service attack in Estonia in May 2007, which created mass outages of government and commercial websites in that country, as well as breaches at technology companies, many in California, in January — as examples of the debilitating impact a cybersecurity breach could have on national and economic security.”

- Kalish, Brian, “Spotty coordination on cyberthreats is recipe for disaster:  GAO Study“, NextGov, August 18, 2010

The planets are coming into alignment when considering the quality of attacks, the advanced persistent threat, and the unstable world climate identified easily by reading recent headlines.  The failure to leverage lessons learned in communicating threats to those in position to take action seems to be lost.  Unless the so-called public-private partnership learns how to talk to each other our cyber-connected critical infrastructure may be primed for a rude awakening .

By the way…. where is the CyberSecurity Coordinator Howard Schmidt and all his talk about private sector solutions?

Filed Under: National and State Privacy/Security Law, Should Have Known Better · Tagged With: , ,

NJ Supreme Court impacts privacy expectation

April 5, 2010 by · Leave a Comment

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer.    NorthJersey.com article.

Interesting ruling which will certainly change some thoughts as to personal use of work computers.  While I’m a proponent of privacy rights, I’m torn on this particular ruling.   The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee”.  That’s a fairly common policy statement but the usual intent is the use of company e-mail not a personal Yahoo account.  I tend to side with the court that the attorney-client privilege applied because there was an attempt to keep the personal e-mail secure.  Personal e-mail accounts, especially with an attorney seems to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than specific e-mail.  In this case the employee was absolutely out of her mind to be exchanging communications with her attorney in preparation for a lawsuit against her company using a company issued laptop.  Stupidity aside, the question is if the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on company-owned equipment.  This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit their equipment to assure compliance.    While I don’t think that extends into people’s personal e-mail accounts let’s create a scenario based on the patient privacy breach at University Medical Center I blogged about in November.

What if the employee was “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme.  Now, instead of taking the hard copy face sheet as was done in this case that employee used a personal Yahoo account to send this information to their “attorney”.    I doubt this hits the same measure of attorney-client privilege identified in the New Jersey case but certainly this illustrates a point regarding potential misuse of employer-owned computer assets that can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

Filed Under: Business and Security, National and State Privacy/Security Law · Tagged With: , , , , ,

Cyber Shockwave – A Bust

February 23, 2010 by · 1 Comment

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure.  The exercise included former federal officials who played the role of key positions in the executive branch to show how the government would respond to the escalating incident.  They even had a flashy headline:

“Cyber Shockwave”


As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD.   It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program.  We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.

There is no doubt the threatscape is changing with the way we use technology.  Mobile devices certainly will see their share of malware.  Both public and private sector have lapses in their information security practices.  As we’ve seen with the latest attacks from China, there is a rise in targeted attacks.   That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day.  The private sector is particularly good at finding solutions to problems and they too have a dog in this fight.  Let’s bring the right players to the table to find a solution other than marshal law.

Bottom line:  Simulations are useful if they are appropriately scoped and are meaningful.  We could learn a lot from a good simulation that includes government and private sector participation.  In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.

Filed Under: Awareness and Education, National and State Privacy/Security Law, National InfoSec · Tagged With: , , , , ,

Lawsuit, breaches and bashing… oh my!

January 19, 2010 by · Leave a Comment

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

  1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
  2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
  3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
  4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilent.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest airlines crash at Midway airport in 2005.  Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

Filed Under: Business and Security, National and State Privacy/Security Law, Should Have Known Better · Tagged With: , , , , , ,
« Older Posts