paulmudgett.com

Consider this:  A review of an application or database that processes and stores customer information, including personally identifiable information, has been compromised.  What are you going to do?

Many organizations fail to plan for a compromise and unfortunately, often exacerbate the damage while attempting an “on the fly” response to an incident.  The absolute worst time to figure out what you should be doing is in the middle of an incident.  Having a plan and preparation is key.

Plans often fail to include:

• Explicit authority for the primary incident handler to take decisive action to “stop the bleeding” and prevent further escalation of the incident.   Decision-by-committee with endless debate often leads to delayed action that increases financial and reputation damage.
• A backup (or more) for the primary incident handler in case they are not available.  The backup should fully understand the role and be capable of making decisions in critical situations.
• The inclusion of more than technical resources for the incident response team.  HR, Legal, and the PIO are often left out but essential.
• Templates for press releases and notifications.  Writing your first draft during an incident is a mistake.
• A communication plan for the team.  If your e-mail system is compromised, sending e-mail to your team about your response may not be the best option.
• Checklists to help keep a response on track when the heat is on.

When developing the plan, consider the potential scenarios you may face and plan for them.  Different scenarios may require different responses so it’s best to have thought some of these through before they happen.  Malware outbreak; denial of service; illegal material on an employee PC; lost or stolen laptop; compromised system; or accidental disclosure to name a few.

Last, the first time you try out the plan shouldn’t be during an actual incident.  Practice builds confidence for the incident response team and shines a light on gaps in your plan that may need to be addressed.  A calm response to an incident is more likely when you can say “yeah, we’ve practiced this… let’s get to work” versus “oh man… what do we do now”.

Prior Proper Planning Prevents Piss Poor Performance.

Be prepared and hope you never need to use your plan.

Anti-virus software is based on signatures of known viruses.  It’s a reactive product by nature and it should be known by now that these products are ineffective against new viruses and new variants.    That said, why test AV products against attacks they haven’t seen and then make a stink about it in a ComputerWorld article?  Isn’t that like standing out in a rain storm to test if you’ll get wet and then writing an article about your finding?

While the testing part of the story was silly, the real point of the story is we need to think differently about the way we defend against the changing threatscape.  We need to be “Agile Defenders” who are capable of aligning and re-aligning resources against a constantly shifting threat while maintaining a solid foundation.  It’s hard work and I don’t believe it is understood by leadership in most organizations.

That said, we can’t protect against the new threats if we fail to apply basics.   If you don’t believe that organizations get burned because of basic security failures check out this story out of New Zealand.  What is funny here is they blame a Conficker-infected USB thumb drive for shutting down the company instead of their failure to keep their systems patched.   That is misdirection worthy of a master politician.

Bottom-line:  Businesses cannot rely on AV or single layers of defenses.  Protecting information against a constantly moving adversary requires more than static thinking to be effective.  If you’re responsible for securing your organization, be an Agile Defender, not a stationary target.

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure.  The exercise included former federal officials who played the role of key positions in the executive branch to show how the government would respond to the escalating incident.  They even had a flashy headline:

“Cyber Shockwave”

As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD.   It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program.  We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.

There is no doubt the threatscape is changing with the way we use technology.  Mobile devices certainly will see their share of malware.  Both public and private sector have lapses in their information security practices.  As we’ve seen with the latest attacks from China, there is a rise in targeted attacks.   That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day.  The private sector is particularly good at finding solutions to problems and they too have a dog in this fight.  Let’s bring the right players to the table to find a solution other than marshal law.

Bottom line:  Simulations are useful if they are appropriately scoped and are meaningful.  We could learn a lot from a good simulation that includes government and private sector participation.  In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.

The U.S. House of Representatives has passed HR 2221, the Data Accountability and Trust Act.  This sets nationwide breach notification requirements that trump the patchwork of State laws that have been in effect with California leading the way in 2002.   The passage was written about in a Federal Computer Week article “House passes bill to require data breach notifications“.

Overall, standardizing the definition of Personally Identifiable Information will help in protecting the data.  This is a good thing as some states have more stringent definitions than others.   Data brokers have greater requirements.  Also a good thing.

The problem I see comes from the FTC having jurisdiction over the new law.  The FTC does not have authority to enforce regulations on government, banks, savings and loans, insurance industry and non-profits which would include higher education and some healthcare environments.  These industries are often the victims of data breaches yet they aren’t covered by this new federal law.

We’ve seen the FTC extend its reach with the Red Flags rule and perhaps they will follow suit with the new data breach notification legislation.  If they let some industries with known disclosure issues slip through the cracks then the overall effectiveness of the legislation is diminished.

An article by Kim Zetter on Wired.com caught my attention:  “Restaurants Sue Vendor for Unsecured Card Processor”.

The gist is that several restaurants purchased Point-of-Sale (POS) systems from a particular vendor.  These POS systems that were sold were apparently not Payment Card Industry – Data Security Standard (PCI-DSS) compliant and that resulted in a breach costing the restaurants a hefty sum.

One issue comes from unpatched, poorly configured remote access and the other alleged problem came from default login administrator userID and passwords.  From the article:

Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

So, the vendor sold them the product that was known to have these flaws but on the flip side, the restaurants bought these systems that are known to have these flaws.   I can certainly see the case here but from a security perspective there are some lessons learned when it comes to due diligence and basic security practices.

1.  If you blindly believe marketing slicks about the “state-of-the-art” product you’re purchasing that can do everything including cooking your dinner and washing dishes…well… you get the point.   Visa had produced a bulletin regarding the flaws with the product a year before one of the restaurants bought the product.   A little due diligence in the selection process would have gone a long way.

2.  So, you buy a product and install it.  It has remote access capabilities.  You leave the default administrator ID and password that is well known to anybody who can grab an online manual.  You’re breached.   If you install a new software product for Pete’s sake, change the default account passwords.  If your bank gives everybody a password of “password” to their online banking, would you change yours or just leave it?  (BTW, they don’t do that… just an illustration).

3.  Implementing a system with known flaws and not updating it is pretty bad.  It’s like installing a Microsoft server and not applying security patches for a year.  You get breached because of a vulnerability that should have been fixed a year ago.  Good luck blaming Microsoft for that one.   Patch management is essential.

By no means am I blaming the victim in this case.  They are chefs and restaurant managers, not IT or InfoSec people.  They relied on the vendor to provide them a product that was up to snuff with PCI requirements and trusted them to sell a product that protected their customer’s information.  When we examine and extended this into our own business and technology implementations, their experience provides some lessons for all of us.  Hopefully we can learn from this and apply due diligence to all of our vendor interactions and purchases.

A breach of patient personal information at University Medical Center has all the makings of a made for TV movie or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity.  The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats.  We hire employees and give them access to sensitive information in order to perform their job duties.  We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege.  Even the best of controls however, can be circumvented by a trusted insider with an intent to do harm.  In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney.  I’m not sure it would be reasonable for the organization to setup exit searches of their employees every day to make sure they weren’t sneaking out these documents.  Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there?  The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires.  I know it’s like profiling but when protecting consumer information, corpoarte finances and reputation, having an indicator of potential behavior issues can help.   However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation.  UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart.   Having face sheets printed only in one place and logging who printed them may be useful.  Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong.  A cursory probe and dismissal of something that could have major repurcussions to patients and the organization is completely unacceptable.  This is fairly common though.  This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders.   Chasing phantoms can be a nuisance but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story.  Take security threats seriously.  Reduce risk where possible.  Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck.  Take politician’s comments with a grain of salt.  Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

A subsidiary of manged health care provider Health Net Inc, just reported the loss of personal information for 1.5 million customers that occurred six months ago according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and thoughts of the Health Net leadership during this incident so take that into account.  Hopefully there are some lessons learned for other organizations both in the management of sensitive information and the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated yet you are putting seven year’s worth of personally identifiable information on a portable hard drive unencrypted.  They may need to reconsider their processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach but the delayed timing of this sounds like there was no incident response plan in place in the best case scenario.  In the worst case, one has to ask if their leadership were dragging their feet hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former in that they simply did not have a plan for dealing with this type of disclosure which is really not acceptable.  If you’re business maintains sensitive information about customers then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years and they were put there to prevent this type of “keep it quiet” behavior that had been common place in business.  The AG is attacking Health Net on this very issue and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million dollars to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time…. that is, until you experience a breach.

Cloud computing certainly offers cost management opportunities for organizations straining to maintain server infrastructure but there is more to consider than just server management.  Security in the cloud simply has not had an opportunity to mature.  Protecting servers, which no doubt cloud providers can do pretty effectively, is different than protecting information.   Those organizations that believe they can outsource the responsibility of securing their information by shipping applications into the cloud are being naive.

There are three issues that come to mind immediately.

1. I think it is true that cloud providers can maintain the security of their systems much better than companies due to the resources available to them.  However, attackers will target web and database applications not servers.  While the servers are protected, your data can still be exposed due to poor practices and controls.
2. Cloud computing by its very nature will limit the type of security tools that can be applied in that environment.  While you could manage firewalls, intrusion detection/prevention systems, and other data leak prevention tools in an internal network, these additional layers aren’t specifically provided in the cloud.  You may be able to design them into the environment for additional costs but are you now minimizing your return on investment?
3. You may have little control over how much audit information is collected which can prevent you from being proactive.   Cloud providers are initiating contracts that give you ownership of your data but you may not own all of your log data.  To get this information may require a court order.

Ultimately, you need to be aware of how data flows inside and outside your organization whether you choose to house servers internally or move applications to the cloud.   If your business relies on highly valuable intellectual property then you may want to think twice about the types of controls available to you in the cloud.   If you wouldn’t normally apply additional controls or monitoring devices to your data, then the cloud may be a cost effective solution with good basic security measures.

If considering cloud computing consider the following:

1. Computer security is not the same as information security.  Understand the value of information to your business and what level of protection is required for that information.
2. Understand that even if you own your data, the audit log data may not be accessible to you.  Determine the consequences of not having access to audit logs and decide whether it’s important or not.
3. Once applications and data are in the cloud, you may not be able to apply compensating detective and preventive controls like you would internally.  If that raises concern then you may not want to put that type of data into the cloud environment.

Cloud computing offers incredible opportunities for business processing at lower costs but the business decision must also consider security and privacy concerns.  The responsibility and reputation consequences for a breach do not disappear into the cloud when your data goes there.  It’s important to consider the risk as well as the benefit when making decisions about cloud computing.  Remember, you are protecting information and that goes beyond just the physical location of servers.

Many victims of identity theft have no idea how their information was stolen.  Unfortunately, business processes may be leading to the disclosure of customer or employee personal information.  It seems obvious that hard drives that are in desktop and laptop computers need to be sanitized before being surplussed but a recent article identifies copy machines as having similar issues with the storage of personal information.  Who’d have thought!?!?

56 percent of people victims of ID theft have no idea how perpetrators got their ID,” said Sean O’Leary of Digital Copier Security, “And we can assume a portion or large part is a result of data breeches from photocopiers.”

That’s right – photocopiers.

O’Leary says he believes most companies don’t realize their copy machines have hard drives.

“We just take it for granted this little photocopier sitting in the corner of an office is safe and innocuous,” said O’Leary, “But in reality, with that hard drive it’s storing personal information.”

Today’s copy machines do a whole lot more than copy. They print. They scan. They email. They fax.

The machine has to have a way to remember all that information.

Between 1998 and 2002, companies began equipping copy machines with hard drives.

“Press Copy to have your Identity Stolen.”  Melissa Yeager, WINK News, Nov 12, 2009

Considering the type of information that is “copied”, it seems that copier hard drives may be an ideal source for the malicious person looking to steal sensitive data.   While it may seem simple to use a program like DBAN to wipe the hard drive of a desktop or laptop, removing data from a leased copy machine may create a challenge for most organizations.  Leasing companies should be warning companies about the hard drives and providing either a manner in which to sanitize the hard drive by the customer OR certifying the destruction of personal information when the copier is exchanged as part of a lease.

Sometimes the information security challenges come from unusual places.  With technology advances, we need to be mindful of where information flows throughout ALL of the organization, even in what most would consider to be rather innocuous places.

Organizations can quickly become overwhelmed when trying to implement a comprehensive information security program.  There are many barriers.  Cost.  Time.  Competency.   As I’ve posted before, security is an ongoing process and needs to be in order to deal with the changing business environment and evolving threat landscape.  Instead of implementing the very best (and most expensive) solutions for every security issue, I suggest a tiered approach that covers multiple areas and sets the stage for continuous improvement.

Barriers

Cost

If we buy the very top solutions for all of our security problems we will quickly run out of cash.  Throwing money at one or two issues leaves many other areas uncovered.   It may be better, especially early on in the implementation of an information security program, to spread the money around.  Provide coverage in all areas and then build up those controls that provide the most bang for the buck.

Time

The top solutions usually take more time to implement.  You need to ask yourself how great of an exposure do you have during the implementation?  Do you create a greater risk than by implementing a “lower end” solution?

Competency

I’ve seen it more than once.  An organization purchases and installs a high end and expensive solution that nobody on their staff knows how to use.  The great solution is subsequently ignored.   If nobody knows why a new process is being used or how a new product works, it’s pretty difficult to get the results you’re after.

Baby Steps

Continuous process improvement can apply to information security.  If you’re trying to implement a framework that calls for multiple controls such as ISO 27001/27002, using a multi-level approach may help reduce the paralysis that often accompanies such a large undertaking.   I suggest using a 3-tier approach.  Tier-1 is easiest to implement but is usually least effective.  Tier-3 is hardest but most effective.

It would be ideal if we could apply Tier-3 solutions to every problem right out of the chute but that simply isn’t feasible for most businesses.   Doing nothing is also a bad choice.  Applying Tier-1 and Tier-2 solutions at least gets the program moving and then process improvement can gradually improve the overall security posture of the business over time.

As an example, let’s look at dealing with security logs.

Tier-1

Administrators review server logs.  This is instituted through policy that requires the administrators to “regularly” review their logs.  We all know that manual review of logs is seldom done however, applying the policy at least sets the tone and expectation.  It can even start to adjust the administration culture toward reviewing logs if they don’t already do so.

Tier-2

Centralized log aggregation with automated reports.  This starts to automate the process.  Logs from systems and devices are pushed or pulled to a central logging system and now administrators review logs in this single location rather than across multiple servers.  Some scripting can be applied to automate reports.  This certainly increases the effectiveness of the log review process.

Tier-3

Commercial log analysis tool with near real-time alerts for anomalies.  This is a heavy-duty log aggregation, correlation, analysis, and reporting tool that has advanced capabilities.  It is much more expensive than a central log repository in Tier-2.  It is more complex to manage but the feature set allows for greater effectiveness.

Word of Warning

Implementing Tier-1 “just-for-now” solutions does not mean we can be lackadaisical in our information security practices.  Even basic security solutions need to incorporate good security principles.   If our business practices easily circumvent security controls then we can never be successful.   Starting small still has to be done right.