“You Have My Word On It”

Over the years I’ve had the privilege to hire and work with some talented information security consultants.  Whether they came on to perform a third-party assessment necessary to drive remediation efforts (or satisfy compliance obligations), helped troubleshoot an issue, or performed the initial configuration of new tools, I’ve been fortunate, in most cases, to separate the wheat from the chaff.  I’ve gotten better over time at recognizing the real deal from Joe Isuzu, but some small businesses don’t have those hard-learned lessons to fall back on.  So… here are a few tips.

1. There is no such thing as 100% security.  If someone is promising “complete security and protection” of your data, find out what they are smoking because it’s probably really good stuff.

2. Do they throw around buzzwords and technical jargon, OR do they talk about your business and how security controls not only fit within your business model but benefit your customers as well?

3. Do they spend the time to understand your needs, or do they “already know” what you need (assumptions… bah!)?  If they don’t want to know about your business and how they can help YOU, then you probably don’t want to hire them.

4. Do they up-sell unrelated services BEFORE delivering excellent results for the project you hired them for?  If you’re looking for a point-in-time assessment, then pressuring you to buy long-term managed services is pretty lame.  If they deliver good work, THEN I want to know what other services they might offer… not before.

Big or small, there may come a time when you need a little help in protecting your business and your customers.  A good consultant places your business success at the very top of any work they are doing.  If they don’t care about your business, you shouldn’t care about theirs.

Occam’s Razor for Information Security

What if the principle of Occam’s Razor was applied to information security controls?

“All things being equal, a simpler explanation is better than a more complex one”

In other words, if we spent more time applying simple controls rather than chasing buzzwords and “big stories”, would we see an overall reduction in data breaches?  According to the recent Verizon Communications report (pdf), we would.  The report indicates that 97 percent of data breaches were the result of bad guys using simple techniques that could have been countered by applying “simple or intermediate” controls.  Have we been running in circles for this long when the “simple” solution has been staring right at us?

I think this is the case because “simple” things are boring and mundane.  As such, people become complacent and start to believe that effort placed on simple tasks is a waste of time since the “real” threat is going to be much more sophisticated.  If the reported facts of data breaches are true, then that belief isn’t supported.

A variation of Pareto’s Principle (the 80/20 rule) seems to come into play.  Perhaps if we are diligent in applying simple controls (the 20%), then 80% of breaches can be avoided.  Maybe instead of focusing on complex systems that require massive amounts of human resource overhead, a focus on simple controls would yield greater security results.  Applying the principle of least privilege to limit access to sensitive information, or replacing local administrator rights on workstations with user or power user rights, may just have a bigger payoff than a $100k SIEM solution that is never fully deployed.

If most breaches are due to a failure in applying simple security measures, then doesn’t it make sense to apply our efforts in improving simple controls?

Checkbox Security Fails Again

Regulatory compliance is often a confusing mess.  Rattling off the alphabet of compliance can often result in dizziness, headaches, and for some, a bad case of nausea.  PCI-DSS, HIPAA, HITECH, GLB, SOX, and heck, might as well throw in some state data breach notification laws as well.  Congress doesn’t want to stop there as they continue their efforts to add even more to this list of rules to live by.

Don’t get me wrong.  The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful).  The problem is, with so many different regulations with varying definitions and requirements, attempts at compliance start to resemble the traffic signal depicted to the right.  The cure for one bout of “alphabetitis” doesn’t necessarily vaccinate you against the others.  In the meantime, while you’re running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the “to do” bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective.  Unless you live in a spider hole like a Doomsday Prepper, you may have noticed a recent breach of credit card data.  If you are a “prepper”, here’s a quick catch-you-up article from ABC News, April 2: “Experts Say Global Payments’ Breach May Not Be Only One”.

But wait!!  How could this have happened in the era of PCI compliance?

To be blunt, building an information security program around compliance is an approach steeped in failure.  The desire for a favorable audit report is very strong, but once that is over, the focus tends to shift away from the continuous protection of sensitive information.  As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in the article “Global Payments credit card security breach exposes PCI shortcomings”, where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security?  As is often the case, let’s look at something entirely basic.  In order to protect something, you have to know what it is.  Regulators and legislators aren’t helping in this regard.  Protected information is defined differently depending on the flavor of legislation you’re working with.  Wouldn’t it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis?  If you store, process or transmit data under this one definition, then you have to protect it regardless of whether you’re in healthcare, finance, or any other industry vertical that uses such information.

I don’t think we can rely on government to help in this regard.  So, create your own matrix of sensitive information (maybe I’ll take that on as a project and post it) and then apply the SANS 20 Critical Controls or use some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark and erase checkbox game of compliance.  If you have deployed a solid information security program then compliance audits should, quite frankly, be a simple verification process.

They did WHAT with my data?

What are your employees doing with your data?

I know… they are all doing their jobs and not doing anything out of the ordinary.  Unfortunately, that isn’t always the case.  Time and time again, we see individuals inside an organization abusing their access to inappropriately view, or in the worst case steal, sensitive information.

Take for example this recently reported case in Hawaii: “HCFCU admits member information breached”.  Almost a year ago some “trusted” employees accessed member information to fill petitions for the credit union board nomination process.  Another employee thought this was messed up and reported it.  The credit union is putting employees through “new training” to reinforce policies.  I hope they have other tools to detect inappropriate access besides relying on the “just tell us” approach.

This is just one of many examples of insiders breaching confidentiality.  It happens quite frequently, whether it is the budding entrepreneur stealing your customer lists to go into business on his own or the hospital employee swiping medical records of celebrities to sell to the paparazzi.  The insider threat appears in just about any industry vertical.

Ask yourself:

  1. Who has access to what information?  Do they need that access to perform their job?
  2. When someone changes jobs internally, do you just tack on their new permissions to their old OR do you remove previous access and give them what they need for their new position?
  3. Do you have generic user accounts or does each person have a user account that identifies them and their access?
  4. Can you tell who has accessed your most sensitive information and when?  Are access times or the number of records accessed outside of the norm?  Do you know what to do when that happens?
  5. Do you have incident response procedures in place that direct you on how to handle a breach should it occur?

Based on your answers, you may be at greater risk of a breach.   There is no such thing as 100% security but taking appropriate measures to safeguard sensitive information from external and internal threats, being able to detect abnormal behavior, and having a plan “just in case” all fit within the practice of due diligence.
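A defender-side illustration of questions 3 and 4 above, added here and not from the original post: a small review of a constructed access-audit log that flags generic (shared) accounts, access outside normal hours, and a record volume far above the user’s own typical pull. The account names, the business-hours window, and the threshold values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import median

# Constructed sample audit trail (not real data): account, ISO timestamp, records viewed.
SAMPLE_LOG = """\
alice,2012-03-05T09:12:00,14
alice,2012-03-06T10:40:00,11
alice,2012-03-07T11:05:00,16
alice,2012-03-08T14:30:00,12
bob,2012-03-05T08:55:00,20
bob,2012-03-06T09:10:00,18
bob,2012-03-07T10:15:00,22
bob,2012-03-08T23:40:00,410
teller,2012-03-07T13:00:00,9
"""

# Hypothetical shared logins that cannot be tied to one person (question 3).
GENERIC_ACCOUNTS = {"teller", "admin", "guest"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed normal working window


def parse_log(text):
    """Parse 'user,timestamp,count' lines into (user, datetime, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, count = line.split(",")
        events.append((user, datetime.fromisoformat(ts), int(count)))
    return events


def review_access(events, volume_factor=5, min_history=3):
    """Return (user, timestamp, reason) findings that merit a follow-up."""
    findings = []
    by_user = defaultdict(list)
    for user, ts, count in events:
        by_user[user].append(count)
        if user in GENERIC_ACCOUNTS:
            findings.append((user, ts, "generic account: no individual accountability"))
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            findings.append((user, ts, "access outside business hours"))
    # Volume check against the user's own history (question 4). The median is
    # used rather than the mean so that one huge pull cannot mask itself.
    for user, ts, count in events:
        history = by_user[user]
        if len(history) >= min_history and count > volume_factor * median(history):
            findings.append((user, ts, f"{count} records vs. median {median(history):g}"))
    return findings


if __name__ == "__main__":
    for user, ts, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M}  {user:<8} {reason}")
```

Each finding is a lead for a human to check against the person’s role, which is where the incident response procedure in question 5 takes over.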

In information security, you can’t assume that everyone will do the right thing.  Too many organizations have experienced the results of such assumptions in terms of dollars and cents, tarnished reputation, lost customers, and for some, closed doors.  It simply isn’t worth the risk.

I Was Just Trying To Help…

“I don’t have access to that budget file.  Can you give it to me?”

As easily as that, security controls meant to provide access to information only to those who need it to do their job (the practice of least privilege) are bypassed by well-intentioned employees.  They only want to help, but their behavior puts your organization at risk.

Jamie Bodley-Scott wrote in a March 23, 2012 Help Net Security piece, “Securing SharePoint”:

For example – two colleagues sitting next to each other will have access to data.  However, this doesn’t mean that they both need, or in fact should, be able to access the same information.

In their quest to be a “team player”, an employee may simply copy the file to a shared directory or a flash drive, or may even e-mail it to the team member in need.  The article refers to SharePoint as another tool for sharing information that may not be meant to be shared with others.

This is a common problem.  Most people are programmed to be helpful.  Saying “no” to another team member isn’t a natural response, so it’s important to educate employees that their access to information is linked to their particular role in the organization.  Others may not have the same access, but if they need it, there are proper channels to make the request.  Bypassing security controls may have consequences for the “helpful” employee, and such consequences need to be enforced fairly and consistently to develop new patterns of behavior.

Hacker Motivation – Does it Matter?

Motivation, according to Dictionary.com, is “the act or an instance of motivating, or providing with a reason to act in a certain way.”  While stealing data from organizations continues to be financially motivated, the 2012 Verizon Data Breach Report indicated an increase in data theft as a result of hacktivism (data breaches aimed at advancing political and social objectives).  Who cares?

It’s interesting to see shifts in the motivation behind attacks on computer infrastructure but from a security perspective, a thief is a thief is a thief.  Whether motivated by fame, money, or political causes, the need to protect sensitive information in transit and at rest is still the same.

Bill Brenner blogged about this in his Salted Hash blog while referencing hacktivists and cybercriminals.

True, when it comes to motivation, there is a difference.  Hacktivists are trying to advance a cause and target those they believe are against that cause.  Obviously, a different motivation from the simple pursuit of other people’s money.  But the tactics and results are the same.  – Bill Brenner, “Hacktivists and cybercriminals: Is there really a difference”, Salted Hash – IT Security News, March 22, 2012

I couldn’t agree more.  While the motivation behind an attack is certainly interesting, the type of information taken and the method of attack are much more important.  If you’re stuck doing mandatory reporting of a breach, I doubt those affected care who stole their information, only that it was stolen.

The bottom line here is somebody wants to steal your information and you must defend against that reality.  Figuring out why they want it doesn’t really change that.

“We Don’t Need Security.. We Collect Taxes”

If you are looking for a gold mine of sensitive information, the IRS appears to be the place to find it.  When individuals file their returns, the expectation is that the information is well protected by the United States Government.  Unfortunately, the Government Accountability Office (GAO) has found a pattern of weakness in how the IRS protects our sensitive information.

Try this on for size.

“Around tax time in 2007, 2008, 2009, 2010, 2011 and now this year, the Government Accountability Office has identified similar, recurring weaknesses that could expose sensitive taxpayer information and agency financial data, according to archived GAO reports.”  – Aliya Sternstein, “IRS plagued by computer vulnerabilities five consecutive years”, Nextgov, 3/19/2012

It seems the IRS doesn’t want to play by the same rules as other federal agencies that are required to institute mandatory information security programs.  They not only have failed to properly train personnel but have failed miserably in testing technical controls.  AND… this is the same problem year after year after year.

It’s even more disheartening to see continued patterns of security failings and still have IRS officials say they have “fully implemented a comprehensive security program.”  That just doesn’t jibe.

I hope they fix these problems before they take on the enforcement of Obamacare.  That’s a disaster waiting to happen.

History of Malware

A history of viruses, courtesy of Bitdefender.  It’s actually pretty cool to look back at where we’ve been and at the advances made in nefarious code.

More Legislation? Hmmm.

Senator Richard Blumenthal, D-Conn, introduced new legislation aimed at preventing data breaches.  The proposed legislation includes federal requirements for customer notification in the event of a breach (something most States have been requiring for years) and requires companies to provide two years of credit monitoring service.  There are fines and program requirements for regularly testing controls and protecting information while stored.

SC Magazine Article:  New Senate Bill Aims To Prevent, Deter Data Breaches

Here are just a few issues with this:

1. We’re assuming the federal government can successfully patch together the existing state privacy and security requirements to make this helpful to businesses.  I’m not sure our federal government can successfully tie a pair of shoes without creating extensive knots.

2. While requiring secure storage of sensitive information is certainly a valid idea, it doesn’t do a bit of good when sensitive information is readily copied to flash drives, laptops and other removable media.  Regaining focus on “least privilege” and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.

3. The alphabet soup of security/privacy legislation and compliance is mind boggling.  Personally Identifiable Information (PII) is defined differently depending on what piece of legislation or industry standard you’re applying: PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, etc.  How about one definition to rule them all?

I’m encouraged that the government takes privacy and security seriously, but as is too often the case, federal legislation is based on knee-jerk reactions to events and creates such complexity that security and privacy are seldom improved.  I don’t disagree with the attempt; I’m just wary of another set of regulations that may create more complexity without really improving the security and privacy of personal information.

Nevada’s step into electronic health information exchange

Governor Sandoval signed Senate Bill 43 to move forward with the State Health Information Technology Strategic and Operational Plan using federal stimulus funds.  This essentially gets the ball rolling for the development of a statewide system for the electronic exchange of health information.  The intent is to improve health care quality, prevent medical errors and reduce medical costs.

The new law appears to draw from HIPAA and HITECH with regard to data security and privacy.  It is interesting that Texas, also driving forward on stimulus funding for electronic health records, just enacted tougher protections because of the perceived weakness and lack of enforcement in the federal laws.  From the June 28, 2011 article “Texas Enacts Health Privacy Law” at govinfosecurity.com:

“…she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped up enforcement of healthcare privacy rights at the state level.”  – Sponsor of the Texas law Lois Kolkhorst.

“The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it’s not going to have any noticeable effect.”  – Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights.

While Texas has defined broader protections, Nevada seems much more in line with HIPAA and places the design of standards in the hands of the Director of Health and Human Services.  Two different approaches, hopefully with good results in relation to protected health information.  Time will tell whether the expected outcome of the privacy and security required in this new electronic health information exchange will match the desired benefits to quality of care and reduced costs.
