Posts Tagged ‘data protection’

History of Malware

Posted in Awareness and Education on January 5th, 2012 by Paul

The history of viruses, courtesy of Bitdefender. Pretty cool, actually, to look back at where we’ve been and the advances made in nefarious code.

More Legislation? Hmmm.

Posted in National and State Privacy/Security Law on September 13th, 2011 by Paul

Senator Richard Blumenthal, D-Conn., introduced new legislation aimed at preventing data breaches. The proposed legislation includes federal requirements for customer notification in the event of a breach (something most states have required for years) and would require companies to provide two years of credit monitoring service. It also includes fines and program requirements for regularly testing controls and protecting information while it is stored.

SC Magazine Article:  New Senate Bill Aims To Prevent, Deter Data Breaches

Here are just a few issues with this:

1.  We’re assuming the federal government can successfully patch together the existing state privacy and security requirements to make this helpful to businesses.  I’m not sure our federal government can successfully tie a pair of shoes without creating extensive knots.

2.  While requiring secure storage of sensitive information is certainly a valid idea, it doesn’t do a bit of good when sensitive information is readily copied to flash drives, laptops and other removable media.   Regaining focus on “least privilege” and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.

3.  The alphabet soup of security/privacy legislation and compliance is mind-boggling.  Personally Identifiable Information (PII) is defined differently depending on which piece of legislation or industry standard you’re applying: PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, etc.  How about one definition to rule them all?

I’m encouraged that the government takes privacy and security seriously, but as is too often the case, federal legislation is based on knee-jerk reactions to events and creates such complexity that security and privacy are seldom improved.  I don’t disagree with the attempt; I’m just wary of another set of regulations that may create more complexity without really improving the security and privacy of personal information.

Nevada’s step into electronic health information exchange

Posted in National and State Privacy/Security Law on June 29th, 2011 by Paul

Governor Sandoval signed Senate Bill 43 to move forward with the State Health Information Technology Strategic and Operational Plan using federal stimulus funds.  This essentially gets the ball rolling for the development of a statewide system for the electronic exchange of health information.  The intent is to improve health care quality, prevent medical errors and reduce medical costs.

The new law appears to pull from HIPAA and HITECH in regards to data security and privacy.  Interesting that Texas, also driving forward on stimulus funding for electronic health records,  just enacted tougher protections because of the perceived weakness and lack of enforcement in the federal laws.   From the June 28, 2011 article “Texas Enacts Health Privacy Law” at govinfosecurity.com:

“…she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped up enforcement of healthcare privacy rights at the state level.”  – Sponsor of the Texas law Lois Kolkhorst.

“The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it’s not going to have any noticeable effect.”  – Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights.

While Texas has defined broader protections, Nevada seems much more in line with HIPAA and places the design of standards in the hands of the Director of Health and Human Services.  Two different approaches, hopefully with good results in relation to protected health information.  Time will tell if the expected outcome of the privacy and security required in this new electronic health information exchange will match the desired benefits to quality of care and reduced costs.

Photo credit: Tabitha Kaylee Hawk

Playing Catchup – Consumer Devices in the Workplace

Posted in Business and Security on June 24th, 2011 by Paul

Mobile devices, use of social networking sites, and consumer cloud services are quickly becoming, if they aren’t already, a part of your business environment.  As is often the case, the ability and tools to securely manage new technologies lag behind the flood of use in organizations, leaving a gap in the protection of sensitive information.

Quite frankly, we should have seen this coming.  The “new” workforce communicates differently and often more efficiently (not necessarily more effectively).  Text messages, tweets, IM, oh my!  There is a different, and often reduced, perspective on risk even while regulatory requirements for privacy and security become more stringent.

Now here we are, playing catch up in order to enable the business to keep up with the times while preventing the unauthorized release of protected information (and the associated costs).  It’s not enough to deploy the “hope” method of information security, but once the cat is out of the bag it’s often hard to rein in perceived freedom without suffering a blow to the new work culture and to the reputation of information security.  To do nothing isn’t an option, as a recent CSO Online article puts it:

Organizations that have no control over unauthorized use of technologies on their networks are in “serious peril,” says David Knight, executive vice president of product management and marketing at Proofpoint. Sooner or later an unprotected device, social media site or IM platform will provide unauthorized access to regulated information, he says.  – “Security concerns aside, consumer devices, services take over the enterprise,” CSOOnline article by Bob Violino

Can you sandbox work applications and data on mobile devices to separate it from “personal” use?   Can you require connections to business functions and data over secure channels?  Can you remotely wipe a “lost” phone?  Can we provide the services and functionality required for the “new” workforce to be efficient and effective without sacrificing security and compliance?

We’ll see.

Photo credit:  David Fisher

Don’t Rely on Others to Protect Your Assets

Posted in Business and Security, Workstation Security on December 29th, 2010 by Paul

A company has a PC infected with malware that steals the user ID and password for their bank account.  The bad guys proceed to steal a large sum of money from the company bank account.  The bank won’t refund the money, and the FDIC doesn’t insure commercial accounts.  This sums up a recent case described at Krebs on Security, where an escrow company had $440,000 stolen from its bank account and is now suing the bank, claiming inadequate controls for the movement of funds.

The bank probably shouldn’t be offering a single password to govern the approval and release of a wire transfer but are they responsible for protecting an endpoint they had no control over?  That’s quite a leap.   As a business owner you have to take responsibility for protecting your assets.

Krebs suggests two alternatives for small businesses.  I agree with both, and I’ll summarize them here.

1.  Separate your banking PC from your general purpose PC.   In other words, don’t access your online bank accounts from the same PC you use to check E-mail, open attachments, browse the Internet, perform work for your clients, etc.

2.  Use a Live CD that boots your computer into a version of Linux that is used only to access your online bank accounts.

A third option is to use a virtual guest machine that is purposed specifically for online banking and appropriately configured and updated.  (Not a bad idea for personal banking, too.)

Hopefully, this incident doesn’t lead to a knee-jerk legislative mandate that requires banks to implement vague “effective security measures”, especially those that would require them to effectively manage the endpoint systems of other businesses.  Banks could, however, provide option 2 above to their commercial customers to access online banking using a secure, bank branded Linux distribution.

Bottom line – personal responsibility.  Don’t rely on other parties to protect your information.

Five Small Business Information Security Resolutions

Posted in Business and Security on December 28th, 2010 by Paul

Five 2011 small business/entrepreneur resolutions to protect you and your customers and make for a safer new year!

1.  Install and maintain an anti-malware product on your PC and/or laptop.  No matter which vendor you choose, look for one that works like a broad-spectrum antibiotic.  Trojans, viruses, worms, and other nasty little beasts that can infect your computer through e-mail attachments or simply surfing to a compromised web site will continue to be prevalent in 2011.  While most AV products do a poor job of protecting you against zero-day attacks, you can all but eliminate the known little buggers.

2.  Set up a non-administrator level account on your laptop/PC and use it for your daily work.  By setting up an account that cannot install software (and therefore cannot install malware) you offer yourself a level of protection that is effective and cheap (is free cheap enough for you?).  Log in to your administrator account only when you need to install new applications.

3.  If you carry any sensitive information on your laptop, especially personally identifiable information of your customers (or yourself for that matter), invest in an encryption product and keep your keys safe.  Consider encrypting thumb drives and other removable media.  Laptops, at least in Nevada, are considered “removable media” under state law (check the  requirements in your state).  Whether you choose to use a commercial product or open source, encrypting PII on your laptop is a good practice and is becoming law in many states.

4.  Back up your data.  Portable hard drives are cheap!  So are CDs and DVDs.  Even online services are offered at a reasonable rate.  There is no reason not to back up your business data so you can quickly recover in case of a system crash, compromise, or other “disaster”.

5.  Use social media sites safely.  While they are a great avenue for connecting with customers (or “fans”), don’t play games and download all the “for fun” applications.  Attackers go where the people are, and therefore social media sites are great places for the bad guys to play.

Best wishes for a prosperous and cyber-safe new year!

Do you know where your data is?

Posted in Business and Security on December 3rd, 2010 by Paul

Where is your sensitive information?

Many times the answer I hear is… “it’s stored in our database” but that unfortunately is only a partial answer.   If you look at the business process surrounding access to information, you may be surprised at where sensitive information ends up.   Have you considered:

Printed documents – Hard copy printouts of reports, spreadsheets, e-mail or other documents containing sensitive information have a way of being thrown in the trash without being shredded.  They get left out on desks for anybody to see, including enlightened janitorial staff.  And what about the printer or copy machine hard drive that may be storing information and slips outside the walls of your facility when this equipment gets surplused?

Forwarded E-mail – Ever hear this?  “It’s easier to work from home if I just send these spreadsheets with social security numbers as an attachment to my home e-mail account.”

Laptops - The portability of laptops also carries with it the portability of information.  Without encryption, a “smash and grab” theft from the back seat of your car becomes an easy way to steal information.  Some state laws, like Nevada’s, require the encryption of personally identifiable information on removable media… and this includes laptops.

Removable Media -  It’s so easy to just move this information from point to point using a thumb drive.  The large storage capacity of these devices, not to mention USB hard drives, makes it a considerable risk point for sensitive information sneaking out of an otherwise controlled environment.

There are probably many other examples but the point is to not develop tunnel vision when considering strategies to protect sensitive information.  Getting fixated on the most obvious point of data storage is a bad move.  Think about how information is used in your organization.  Who needs and has access to it?  How are they sending the information to coworkers and business partners?

It’s important to consider ALL the possible ways information can be compromised.  You can bet the bad guys have already considered it.
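One way to turn the forwarded-e-mail case above into a detection check, as an added example that is not part of the original post: it parses a constructed outbound message, lists recipients outside an assumed corporate domain, and counts Social Security number patterns in the body and attachments. The domain, addresses and SSN values are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

CORPORATE_DOMAIN = "example-corp.test"  # assumed internal mail domain

# SSN pattern; the look-aheads skip area/group/serial values that are never
# issued (area 000, 666 or 900-999, group 00, serial 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def build_sample_message(to_addr: str) -> bytes:
    """Constructed sample: a 'work from home' forward with a payroll CSV attached."""
    msg = EmailMessage()
    msg["From"] = f"alice@{CORPORATE_DOMAIN}"
    msg["To"] = to_addr
    msg["Subject"] = "FW: payroll sheet for the weekend"
    msg.set_content("Working from home this weekend, see attached.")
    rows = "name,ssn\nJane Doe,123-45-6789\nJohn Roe,234-56-7890\n"  # constructed values
    msg.add_attachment(rows, subtype="csv", filename="payroll.csv")
    return msg.as_bytes()


def scan_outbound(raw: bytes, corporate_domain: str) -> dict:
    """Flag a message that carries SSNs to any recipient outside the corporate domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    recipients = [a.addr_spec for h in ("To", "Cc", "Bcc") if msg[h]
                  for a in msg[h].addresses]
    suffix = "@" + corporate_domain.lower()
    external = [r for r in recipients if not r.lower().endswith(suffix)]

    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        content = part.get_content()
        text = content.decode("utf-8", "replace") if isinstance(content, bytes) else content
        count = len(SSN_RE.findall(text))
        if count:
            findings.append({"part": part.get_filename() or "body", "ssn_count": count})

    # Policy: internal sharing is only logged; SSNs leaving the domain are blocked.
    return {"external_recipients": external, "findings": findings,
            "block": bool(external and findings)}


if __name__ == "__main__":
    print(scan_outbound(build_sample_message("alice.home@webmail.test"), CORPORATE_DOMAIN))
```

The same scan can run on a mail gateway before delivery; the internal-recipient case returns the findings without setting the block flag, so the same data is still visible in an audit trail.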

Cyber Risk being disclosed in SEC filings

Posted in Business and Security on June 15th, 2010 by Paul

A June 8 Bloomberg Businessweek article noted that publicly traded companies have started including the “material risk” of computer attacks in their SEC filings.  It’s interesting to see the admission of some major companies that the threat of targeted attacks can impact the bottom line.

In what will undoubtedly become the trend in risk reporting to shareholders in annual reports, there should be a corresponding effort to take actions to counter the threat.  Perhaps the increased visibility into the advanced persistent threat will spur organizations out from behind their Cyber-Maginot lines and into more agile defenses.

Thousands of Businesses had an Uneventful Day

Posted in Business and Security on May 27th, 2010 by Paul

I guess that headline wouldn’t sell too many papers but in most cases this is the reality that drives many decisions related to information security investment.  For most executives, the sky isn’t always falling and a security team that tries to operate under that premise is soon thought of as the Boy Who Cried Wolf.  This is exactly why pushing security investment through FUD (Fear, Uncertainty and Doubt) is ineffective as a strategy.

There is a fine line between being vigilant defenders of information and being alarmists.  The need for information security has never been more important.  Surveys suggest that executives understand this so now is not the time to be lighting the warning beacons of Gondor.  Keep the focus on the business when proposing new security investments.

I’m not a fan of using predictive models such as “Annualized Loss Expectancy” (ALE), which pretty much takes a guess and multiplies it by another guess, to make a case for security investment.  ROI?  What is your return on something that doesn’t generate revenue?  Again, using this type of tool in a security sense leaves too much guesswork to provide any real benefit.

It’s important to take the time to build a case using solid metrics and be able to clearly articulate the need from a business perspective.  Some points to remember:

  • Knowing how information is used, where it is stored, how it is processed, and where and how it is transmitted is a vital requirement when proposing new security investments.  It is surprising how many organizations can’t meet this requirement, but you simply can’t protect what you don’t know.
  • Leverage what you already have.  Show that you can maximize the value of currently deployed security tools.
  • Demonstrate how the threat applies to your specific infrastructure and business environment.
  • Use regulatory compliance to complement the proposal, not BE the only argument for the proposed solution.

Remember, information security is driven by the needs of the business, the value of information, and the validity of the threat to both.  Being able to articulate the message in these terms helps make the case for security investments when things are otherwise uneventful.

NJ Supreme Court impacts privacy expectation

Posted in Business and Security, National and State Privacy/Security Law on April 5th, 2010 by Paul

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer.    NorthJersey.com article.

Interesting ruling, which will certainly change some thoughts as to personal use of work computers.  While I’m a proponent of privacy rights, I’m torn on this particular ruling.  The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee”.  That’s a fairly common policy statement, but the usual intent is to cover the use of company e-mail, not a personal Yahoo account.  I tend to side with the court that the attorney-client privilege applied because there was an attempt to keep the personal e-mail secure.  Personal e-mail accounts, especially with an attorney, seem to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than specific e-mail.  In this case the employee was absolutely out of her mind to be exchanging communications with her attorney in preparation for a lawsuit against her company using a company issued laptop.  Stupidity aside, the question is if the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on company-owned equipment.  This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit their equipment to assure compliance.  While I don’t think that extends into people’s personal e-mail accounts, let’s create a scenario based on the patient privacy breach at University Medical Center I blogged about in November.

What if the employee was “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme?  Now, instead of taking the hard copy face sheet as was done in this case, that employee used a personal Yahoo account to send this information to their “attorney”.  I doubt this meets the same measure of attorney-client privilege identified in the New Jersey case, but it certainly illustrates a point regarding potential misuse of employer-owned computer assets that can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.