paulmudgett.com

Funny how the anonymous nature of the Internet continues to mock us all.   Back on September 8th, a fake FBI profile was distributed via Twitter as shown in a recent post on Naked Security – Fake FBI Anonymous psychological profile – a lesson to all Internet users.

It takes me back to an old New Yorker cartoon that ran when the Internet was still an infant.  Enjoying the nostalgia.

Photo credit:  Ben Larson

It never fails. Information security controls are immediately put into place AFTER a significant security incident has happened.  This is true even when these controls are reasonable to have in place and could have prevented the incident from happening at all.   Often, decisions made after an incident are knee-jerk reactions rather than business-minded protections.

As a case in point, the Department of Defense issued a new ban on removable media being used on classified machines in response to the WikiLeaks release of diplomatic cables.  Completely reactive.  The point here isn’t the effectiveness of the control but the timing.

For those who haven’t followed the WikiLeaks drama, here is a tidbit taken from a December 10, 2010 CNN article that can be applied to many organizations.

“Pfc. Bradley Manning says he downloaded hundreds of thousands of files from SIPRNET to a CD marked “Lady Gaga” before giving the files to WikiLeaks.”

Do you have a Private Manning in your organization who has access to sensitive information?  Can he easily take that information out of your environment and sell it to the highest bidder?  Why not consider that risk and address it before it becomes an issue?

The culprit often lies in the attitude of executive leadership.   How often have you heard the following?

• “We’ve been doing things this way for years and haven’t had a breach.”  (that you know of)

• “Show me the hard dollar return on investment before I sign off on these security thingies.”  (BTW, since most security implementations aren’t revenue generating, a ROI will always be zero.)

• “It’s not convenient.”

These excuses need to be replaced with a desire to take ownership of information you have.  The focus needs to be on protecting your intellectual property and maintaining competitive advantage.  It should examine the risks to information and appropriate measures to reduce risk without impacting the functions of the business.

Controls don’t have to be expensive or fancy.  They just need to be effective.  Understand and take control of your information before an incident forces rushed decisions that impact your ability to conduct business.

One of the deficiencies that came to light in the aftermath of the 9/11 terrorist attacks was the communication failure between competing intelligence agencies.  A report released this past Monday from the Government Accountability Office shows that the same failure to communicate is happening in the cybersecurity arena.  The breakdown in this arena is between the government who has the cyberthreat information and the private sector that manages critical infrastructure that is susceptible to cyber attack.   Ah yes… history repeats itself… at least that appears to be the direction.

“Auditors pointed to recent reports of cyberattacks — such as a denial-of-service attack in Estonia in May 2007, which created mass outages of government and commercial websites in that country, as well as breaches at technology companies, many in California, in January — as examples of the debilitating impact a cybersecurity breach could have on national and economic security.”

- Kalish, Brian, “Spotty coordination on cyberthreats is recipe for disaster:  GAO Study“, NextGov, August 18, 2010

The planets are coming into alignment when considering the quality of attacks, the advanced persistent threat, and the unstable world climate identified easily by reading recent headlines.  The failure to leverage lessons learned in communicating threats to those in position to take action seems to be lost.  Unless the so-called public-private partnership learns how to talk to each other our cyber-connected critical infrastructure may be primed for a rude awakening .

By the way…. where is the CyberSecurity Coordinator Howard Schmidt and all his talk about private sector solutions?

Anti-virus software is based on signatures of known viruses.  It’s a reactive product by nature and it should be known by now that these products are ineffective against new viruses and new variants.    That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article?  Isn’t that like standing out in a rain storm to test if you’ll get wet and then writing an article about your finding?

While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape.  We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation.  It’s hard work and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply basics.   If you don’t believe that organizations get burned because of basic security failures check out this story out of New Zealand.  What is funny here is they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched.   That is misdirection worthy of a master politician.

Bottom-line:  Businesses cannot rely on AV or single layers of defenses.  Protecting information against a constantly moving adversary requires more than static thinking to be effective.  If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilent.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest airlines crash at Midway airport in 2005.  Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

A breach of patient personal information at University Medical Center has all the makings of a made for TV movie or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity.  The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats.  We hire employees and give them access to sensitive information in order to perform their job duties.  We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege.  Even the best of controls however, can be circumvented by a trusted insider with an intent to do harm.  In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney.  I’m not sure it would be reasonable for the organization to setup exit searches of their employees every day to make sure they weren’t sneaking out these documents.  Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there?  The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires.  I know it’s like profiling but when protecting consumer information, corpoarte finances and reputation, having an indicator of potential behavior issues can help.   However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation.  UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart.   Having face sheets printed only in one place and logging who printed them may be useful.  Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong.  A cursory probe and dismissal of something that could have major repurcussions to patients and the organization is completely unacceptable.  This is fairly common though.  This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders.   Chasing phantoms can be a nuisance but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story.  Take security threats seriously.  Reduce risk where possible.  Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck.  Take politician’s comments with a grain of salt.  Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

A subsidiary of manged health care provider Health Net Inc, just reported the loss of personal information for 1.5 million customers that occurred six months ago according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and thoughts of the Health Net leadership during this incident so take that into account.  Hopefully there are some lessons learned for other organizations both in the management of sensitive information and the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated yet you are putting seven year’s worth of personally identifiable information on a portable hard drive unencrypted.  They may need to reconsider their processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach but the delayed timing of this sounds like there was no incident response plan in place in the best case scenario.  In the worst case, one has to ask if their leadership were dragging their feet hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former in that they simply did not have a plan for dealing with this type of disclosure which is really not acceptable.  If you’re business maintains sensitive information about customers then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years and they were put there to prevent this type of “keep it quiet” behavior that had been common place in business.  The AG is attacking Health Net on this very issue and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million dollars to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time…. that is, until you experience a breach.

An audit of cybersecurity for DHS’ nine most frequently visited Web sites found that although general security protocols were followed, there were still a number of vulnerabilities and gaps in security, including inconsistent management of security patching and security assessments.  Lipowicz, Alice.  “DHS Web sites vulnerable to hackers, IG says”, Federal Computer Week, 09Oct2009.

It is almost hard to comprehend that even after years of pounding the message of “patch your systems” that unpatched systems are still making headlines.   I can picture some internal servers running legacy applications that fail if the latest O/S patches are applied being kept off of a patch management system but simple internet facing web servers?  This report is especially egregious considering these systems are managed through DHS.

Beyond the issue of patch management is the use of regular vulnerability assessments as part of an overall risk management program.  The two questions I like to ask are 1) Are your systems up to date?  and 2) How do you know?   Just like there are a number of patch management programs available there are also a number of vulnerability scanning tools.   I’ve used several and many do a good job at pointing out glaring (and not so glaring) problems.

The real trick to vulnerability scanning tools is using the information to fix problems when they are found.  If you aren’t going to do anything with the information then why even bother.  If available, use the help desk and log a ticket.  Notify the department head and schedule a meeting to discuss the timeline for remediation.  If the system is incapable of supporting a patch due to application incompatibilities, look at compensating controls to at least reduce the exposure.  The very worst thing that can be done is to sit on the information.  Information is only valuable if it drives action.  So, take action but do so as a partner, not as a dictator.

A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital.   (Misdirected spyware infects Ohio hospital.  McMillan, Robert. 17 September 2009. ComputerWorld.)

Graham certainly gets what is coming to him.  Sending spyware to your ex is more than a little creepy.  However, it seems to me the hospital is culpable in the release of protected health information (PHI) due to poor security practices.   The hospital has an obligation to protect this information yet they allow an employee to not only access personal e-mail but also download and install an application.  In this case it turns out to be spyware.

Unfortunately, this is a common occurance.  Employees use business assets as their personal playground, downloading and installing all types of applications that have no business being on the PC.  I’m not talking about pictures of Grandma Edith and the new puppy, rather peer-to-peer file sharing and communication applications, games, and other programs of amusement.  This places companies at risk for the accidental release of personal information or compromise of systems.

With more regulatory pressure being placed on organizations to protect personally identifiable information, companies are going to need to make a decision if they are running a business or a playpen.  It may be safer (and less expensive) to put in a foosball table and pinball machine than suffer the consequences of a breach.

Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation’s largest financial institutions.

European Cyber-Gangs Target Small U.S. Firms”  Washington Post August 25th

Launching these attacks from “safe havens” against organizations that tend to have limited information security postures is a cash cow for these criminal outfits.  This should be a wake up call to small and mid-size businesses who may not have the knowledge to adequately protect themselves, that some information security help may be needed if they want to stay in business.

If you think this can’t happen to you then understand these attacks are simple and ignoring the threat doesn’t make it go away.  Ask yourself if your company can survive if if its ability to process credit cards is taken away?  If the answer no then perhaps an evaluation of your security posture is in order.