Posts Tagged ‘information security’

Don’t Rely on Others to Protect Your Assets

Posted in Business and Security, Workstation Security on December 29th, 2010 by Paul

A company has a PC infected with malware that steals the user ID and password for its bank account. The bad guys proceed to steal a large sum of money from the company bank account. The bank won’t refund the money, and the FDIC doesn’t insure commercial accounts. This sums up a recent case described at Krebs on Security, where an escrow company had $440,000 stolen from its bank account and is now suing the bank, claiming inadequate controls for the movement of funds.

The bank probably shouldn’t be offering a single password to govern the approval and release of a wire transfer, but are they responsible for protecting an endpoint they had no control over? That’s quite a leap. As a business owner, you have to take responsibility for protecting your assets.

Krebs suggests two alternatives for small businesses. I agree with both, and I’ll summarize them here.

1.  Separate your banking PC from your general-purpose PC. In other words, don’t access your online bank accounts from the same PC you use to check e-mail, open attachments, browse the Internet, perform work for your clients, etc.

2.  Use a Live CD that boots your computer into a version of Linux that is used only to access your online bank accounts.

A third option is to use a virtual guest machine that is purposed specifically for online banking and appropriately configured and updated. (Not a bad idea for personal banking too.)

Hopefully, this incident doesn’t lead to a knee-jerk legislative mandate that requires banks to implement vague “effective security measures”, especially those that would require them to effectively manage the endpoint systems of other businesses. Banks could, however, provide option 2 above to their commercial customers to access online banking using a secure, bank-branded Linux distribution.

Bottom line – personal responsibility.  Don’t rely on other parties to protect your information.

Five Small Business Information Security Resolutions

Posted in Business and Security on December 28th, 2010 by Paul

Five 2011 small business/entrepreneur resolutions to protect you and your customers and make for a safer new year!

1.  Install and maintain an anti-malware product on your PC and/or laptop. No matter what vendor you choose to use, look for one that works like a broad-spectrum antibiotic. Trojans, viruses, worms, and other nasty little beasts that can infect your computer through e-mail attachments or simply surfing to a compromised web site will continue to be prevalent in 2011. While most AV products do a poor job of protecting you against zero-day attacks, you can all but eliminate the known little buggers.

2.  Set up a non-administrator-level account on your laptop/PC and use it for your daily work. By setting up an account that cannot install software (and therefore cannot install malware), you offer yourself a level of protection that is effective and cheap (is free cheap enough for you?). Log in to your administrator account anytime you need to install new applications.

3.  If you carry any sensitive information on your laptop, especially personally identifiable information of your customers (or yourself, for that matter), invest in an encryption product and keep your keys safe. Consider encrypting thumb drives and other removable media. Laptops, at least in Nevada, are considered “removable media” under state law (check the requirements in your state). Whether you choose to use a commercial product or open source, encrypting PII on your laptop is a good practice and is becoming law in many states.

4.  Back up your data. Portable hard drives are cheap! So are CDs/DVDs. Even online services are offered at a reasonable rate. There is no reason not to back up your business data so you can quickly recover in case of a system crash, compromise, or other “disaster”.

5.  Use social media sites safely. While they are a great avenue for connecting with customers (or “fans”), don’t play games and download all the “for fun” applications. Attackers go where the people are; therefore, social media sites are great places for the bad guys to play.
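Resolution 2 is easy to state and easy to get wrong: the daily-use account quietly ends up in an admin group anyway. The script below is an added example, not something from the post, that audits the accounts on a Linux/BSD/macOS-style system by parsing /etc/passwd- and /etc/group-format text and reporting which accounts hold admin rights (UID 0, an admin primary group, or supplementary membership in one). The group names in ADMIN_GROUPS, the function names, and the sample files are my assumptions; the sample data is constructed, not taken from a real machine.

```python
"""Audit local accounts for administrative rights (added example, not from the post).

Parses /etc/passwd- and /etc/group-format text and reports which accounts hold
admin rights, so you can confirm your daily-use account is not one of them.
Group names in ADMIN_GROUPS are an assumption covering common Linux/BSD/macOS
conventions; adjust for your system.
"""
from typing import Dict, List, Tuple

ADMIN_GROUPS = {"root", "wheel", "sudo", "admin", "adm"}


def parse_group_file(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Return {group_name: (gid, [supplementary members])} from /etc/group-format text."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed line: skip rather than guess
        name, _password, gid, members = fields
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd_file(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {user: (uid, primary_gid)} from /etc/passwd-format text."""
    accounts: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # blank or malformed line
        name, _password, uid, gid = fields[:4]
        accounts[name] = (int(uid), int(gid))
    return accounts


def admin_accounts(groups: Dict[str, Tuple[int, List[str]]],
                   accounts: Dict[str, Tuple[int, int]]) -> List[str]:
    """Accounts with admin rights: UID 0, an admin group as primary GID, or
    supplementary membership in an admin group. Checking only /etc/group misses
    the first two, which is why both files are read."""
    admins = set()
    admin_gids = {gid for name, (gid, _) in groups.items() if name in ADMIN_GROUPS}
    for name, (_gid, members) in groups.items():
        if name in ADMIN_GROUPS:
            admins.update(members)
    for user, (uid, gid) in accounts.items():
        if uid == 0 or gid in admin_gids:
            admins.add(user)
    return sorted(admins)


def is_suitable_daily_account(user: str, groups, accounts) -> bool:
    """True when the account exists and holds no admin rights."""
    return user in accounts and user not in admin_accounts(groups, accounts)


# Constructed sample data, not taken from a real system. "toor" is a second
# UID-0 account, the kind of thing this audit is meant to surface.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
paul:x:1000:1000:Paul:/home/paul:/bin/bash
paul-daily:x:1001:100:Paul (daily use):/home/paul-daily:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/bash
toor:x:0:0:second UID-0 account:/root:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:paul
sudo:x:27:paul,carol
users:x:100:paul,paul-daily,carol
"""

if __name__ == "__main__":
    g = parse_group_file(SAMPLE_GROUP)
    p = parse_passwd_file(SAMPLE_PASSWD)
    print("admin accounts:", admin_accounts(g, p))
    for user in ("paul", "paul-daily"):
        verdict = "ok for daily use" if is_suitable_daily_account(user, g, p) else "has admin rights"
        print(f"{user}: {verdict}")
```

To run it against a real machine, read /etc/group and /etc/passwd into the two parsers instead of the samples. On Windows the equivalent check is membership of the local Administrators group, which this script does not cover.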

Best wishes for a prosperous and cyber-safe new year!

Identity Theft and Moral Hazard

Posted in Business and Security on December 16th, 2010 by Paul

Today in the Los Angeles Times – “Nearly 12 Million in U.S. were victims of identity theft, report says”

Not a surprising headline quite frankly.  Many people recognize that identity theft is a real problem in the U.S. and abroad but have the banks created a situation of moral hazard by covering losses?

From the article:

Three-quarters of victims said they suffered no out-of-pocket financial loss, presumably because their banks covered the loss, the report said.

Moral hazard, by definition, occurs when a party behaves differently because they are insulated from the risks.  In this case, identity theft victims are insulated from the risk of out-of-pocket financial loss.   So, are people more likely to engage in risky behavior with their personal information because the financial risk is mitigated?

I wonder if people would be more likely to practice behaviors that protect their personal information if the out-of-pocket risks were higher. Would people think twice about responding to e-mail requesting bank account numbers, Social Security numbers, and online user IDs and passwords if they knew they wouldn’t be reimbursed for losses? What if businesses covered losses only if you could verify your PC was up to date with patches, anti-malware, and personal firewall protection?

I’m all for insulating those who take efforts to protect themselves and become true victims of identity theft through no fault of their own.  I become a bit skeptical when people engage in risky behavior merely because they know the consequences of their behavior will be covered by someone else.

Close the barn door… the horse is out!

Posted in Business and Security, Should Have Known Better on December 15th, 2010 by Paul

It never fails. Information security controls are immediately put into place AFTER a significant security incident has happened.  This is true even when these controls are reasonable to have in place and could have prevented the incident from happening at all.   Often, decisions made after an incident are knee-jerk reactions rather than business-minded protections.

As a case in point, the Department of Defense issued a new ban on removable media being used on classified machines in response to the WikiLeaks release of diplomatic cables.  Completely reactive.  The point here isn’t the effectiveness of the control but the timing.

For those who haven’t followed the WikiLeaks drama, here is a tidbit taken from a December 10, 2010 CNN article that can be applied to many organizations.

“Pfc. Bradley Manning says he downloaded hundreds of thousands of files from SIPRNET to a CD marked ‘Lady Gaga’ before giving the files to WikiLeaks.”

Do you have a Private Manning in your organization who has access to sensitive information?  Can he easily take that information out of your environment and sell it to the highest bidder?  Why not consider that risk and address it before it becomes an issue?

The culprit often lies in the attitude of executive leadership.   How often have you heard the following?

  • “We’ve been doing things this way for years and haven’t had a breach.”  (that you know of)
  • “Show me the hard dollar return on investment before I sign off on these security thingies.”  (BTW, since most security implementations aren’t revenue generating, an ROI will always be zero.)
  • “It’s not convenient.”

These excuses need to be replaced with a desire to take ownership of the information you have. The focus needs to be on protecting your intellectual property and maintaining competitive advantage. That means examining the risks to information and the appropriate measures to reduce risk without impacting the functions of the business.

Controls don’t have to be expensive or fancy.  They just need to be effective.  Understand and take control of your information before an incident forces rushed decisions that impact your ability to conduct business.

Do you know where your data is?

Posted in Business and Security on December 3rd, 2010 by Paul

Where is your sensitive information?

Many times the answer I hear is… “it’s stored in our database,” but that unfortunately is only a partial answer. If you look at the business process surrounding access to information, you may be surprised at where sensitive information ends up. Have you considered:

Printed documents – Hard-copy printouts of reports, spreadsheets, e-mail, or other documents containing sensitive information have a way of being thrown in the trash without being shredded. They get left out on desks for anybody to see, including enlightened janitorial staff. What about the printer or copy machine hard drive that may be storing information and slips outside the walls of your facility when this equipment gets surplused?

Forwarded E-mail – Ever hear this?  “It’s easier to work from home if I just send these spreadsheets with social security numbers as an attachment to my home e-mail account.”

Laptops – The portability of laptops also carries with it the portability of information. Without encryption, the ease of stealing information in a “smash and grab” attack on the back seat of your car becomes quite an issue. Some state laws, such as Nevada’s, require the encryption of personally identifiable information on removable media… and this includes laptops.

Removable Media – It’s so easy to just move information from point to point using a thumb drive. The large storage capacity of these devices, not to mention USB hard drives, makes them a considerable risk point for sensitive information sneaking out of an otherwise controlled environment.

There are probably many other examples but the point is to not develop tunnel vision when considering strategies to protect sensitive information.  Getting fixated on the most obvious point of data storage is a bad move.  Think about how information is used in your organization.  Who needs and has access to it?  How are they sending the information to coworkers and business partners?
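One practical way to start answering “where is your sensitive information?” is to go looking for it on the desktops, download folders and mail exports the post describes. The script below is an added example, not part of the post, and performs a small data-discovery pass: it walks a directory tree and reports files containing values that are structurally valid U.S. Social Security numbers (SSA rules: area not 000, 666 or 900-999; group not 00; serial not 0000), which filters out most ticket numbers and other NNN-NN-NNNN noise. The dashed-only pattern, the list of scanned file extensions, the function names and the sample files are assumptions of mine; the sample tree is constructed in a temp directory so the example runs offline.

```python
"""Find SSN-shaped values on disk (added example, not from the post).

A quick data-discovery pass over the places the post lists (desktops, download
folders, mail exports): it reports files containing values that are structurally
valid U.S. Social Security numbers. The dashed-only pattern and the scanned file
extensions are assumptions; a real DLP tool covers more formats and file types.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Dashed form only: NNN-NN-NNNN with word boundaries on both sides.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
TEXT_EXTENSIONS = (".txt", ".csv", ".log", ".eml", ".md")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is not 000, 666, or 900-999; group is not 00;
    serial is not 0000. Cuts most ticket numbers and other NNN-NN-NNNN noise."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> List[str]:
    """Return every SSN-shaped, structurally valid value in the text, in order."""
    return [m.group(0) for m in SSN_RE.finditer(text) if looks_like_ssn(*m.groups())]


def scan_tree(root: Path) -> Dict[str, int]:
    """Walk root; return {posix relative path: hit count} for files with hits.
    Only text-like extensions are read; undecodable bytes are ignored."""
    hits: Dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        try:
            count = len(find_ssns(path.read_text(errors="ignore")))
        except OSError:
            continue  # unreadable file: report nothing rather than abort the scan
        if count:
            hits[path.relative_to(root).as_posix()] = count
    return hits


def demo() -> Dict[str, int]:
    """Build a constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Desktop").mkdir()
        # A spreadsheet export that "was easier to take home": two real-shaped SSNs.
        (root / "Desktop" / "payroll_export.csv").write_text(
            "name,ssn\nA. Person,123-45-6789\nB. Person,219-09-9999\n"
        )
        # Look-alikes that fail the structural rules: no hits expected.
        (root / "notes.txt").write_text(
            "tickets 000-12-3456, 666-01-0001 and 987-65-4320 are not SSNs\n"
        )
        # Binary file with an SSN inside: skipped because of its extension.
        (root / "image.bin").write_bytes(b"\x00123-45-6789\x00")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, count in sorted(demo().items()):
        print(f"{rel_path}: {count} SSN-like value(s)")
```

Point scan_tree at a home directory or a file share to get a first inventory; the report is a list of places to go clean up or encrypt, not proof that anything was leaked.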

It’s important to consider ALL the possible ways information can be compromised.  You can bet the bad guys have already considered it.

Accountability Links Behavior and Outcomes

Posted in Awareness and Education, Business and Security on November 30th, 2010 by Paul

It amazes me that I still hear executive level IT people say that information security is a technology problem.  Sure, technology has a vital role in the building blocks of a solid information security program but even the best technology can be circumvented by unknowing or malicious people.  Getting people to understand their role in protecting a customer’s information or heck, even their own, continues to be a challenge.

In a recent CSO Online article, “Security Awareness: Helping employees really ‘get’ company policy,” security consultant Michael Santarcangelo explained the problem in the most succinct way I’ve seen.

When people are disconnected from the consequences of their actions, they do not take responsibility and are not held accountable, he said.

The link between behavior and outcomes is accountability.  Unfortunately, it seems as though most awareness programs stop with the behavior and potential outcome duo, leaving out the accountability piece of the triad.  That is, awareness programs will list out the unacceptable behaviors and highlight the potential financial and reputation costs for the organization but fail to link that back to individual accountability of staff members.

Once you have established that everyone plays a role in protecting sensitive information and clearly set the expectation for behavior, it MUST be followed up with accountability.  It’s not “mean” to enforce policy AS LONG as the expectation for proper behavior is established and well communicated to all staff.   There should be consequences for those engaging in behaviors that place an organization and its customers at risk as long as everyone knows the behaviors and the consequences up front.

Cybersecurity Bill – DHS as Punisher

Posted in National and State Privacy/Security Law, National InfoSec on November 23rd, 2010 by Paul

In an effort to make the DHS the focal point of “cybersecurity”, legislation was introduced that would allow it to levy fines and other civil penalties against any company the government decides is “critical”. I agree that the need to protect critical infrastructure is important, but this effort by legislators creates a slippery slope and a recipe for internal conflict.

First, what is “critical”?  The use of this broad term makes me nervous.   It’s an open-ended path to abuse in my opinion.

Second, this is nothing more than an added layer of bureaucracy that adds no value to information security other than the costs associated with complying with yet one more check box.  In the long run, more money will be dumped into information security but the large bureaucracy will negate the benefits.  The last thing that should be done is inserting a slow moving beast into an environment that requires agile response to defend against new attacks.

Third, what becomes of Howard Schmidt, the presidentially appointed U.S. Cybersecurity Coordinator? Does this role go away? If not, what type of conflict does the appointment of a DHS cybersecurity guru create?

This is simply a bad idea.

Business and Security Need Each Other

Posted in Business and Security, National InfoSec on October 4th, 2010 by Paul

A recent eWeek article “Cyber-security Hurts Federal Government Productivity, Survey Says” clearly demonstrates the significant security issues related to perception and communication.   There seems to be a significant disconnect between what is thought to be needed to perform an agency’s mission and doing so without compromising computer systems.

“Surveyed federal executives believe that cyber-security policies and procedures should be modified to provide more emphasis on the importance of allowing federal managers to achieve their agency’s mission,” said Bryan Klopack, GBC’s director of research.

I get a two-for-one with this comment.  First, it is apparent that federal managers don’t understand that a compromise of their agency’s computer systems will prevent them from delivering or performing their mission.  Second, it seems as though policies and procedures are written in a vacuum without discussion with those the policy impacts.

There is no doubt that over-restrictive policies exist when it comes to web-site and e-mail access.  Knee-jerk reaction usually leads to common sense being thrown out the window.   That said, the threatscape has changed and there is real potential for systems to be compromised because of “choice failure” with e-mail and website use.   Some system-wide protections simply need to be in place and inconvenience, by itself, is not a good enough reason to abandon good security practices.

In an editor’s note in SANS NewsBites, John Pescatore put it into perspective:

The blade guard on my power saw hampers my productivity in cutting wood, but chopping off my hand or even just a few fingers tends to also have an impact on my productivity.

The problem seems to stem from an over-reaction to a Presidential “mandate”.

President Obama signaled early in his administration that cyber-security in the federal government, especially in communications, and coordination, was a priority. “This status quo is no longer acceptable—not when there’s so much at stake. We can and we must do better,” he said.

Various agencies have responded to Obama’s mandate with their own rules.

Unilateral response to a “do better” mandate usually generates bad outcomes for everybody.   This is what appears to have happened here.  No communication.  No requirements definition.  Just a policy that is enforced through technology.  Damn the torpedoes… full speed ahead!

What should be happening here?

First, business leaders (aka management) need to step up and gain some understanding that the threats they face could essentially grind productivity, and subsequently their mission, to a halt.   It is no longer okay to say “this is the security group’s problem” and then walk away.  Participation, horizontally and vertically throughout an organization, is required.  Second, the security team needs to understand how people work, what they need to get their job done, and then work with them to find solutions.

It’s easier said than done, but the status quo is indeed unacceptable. There is no such thing as 100% secure. There is, however, the potential to reduce risk while providing for business (or agency) needs. Without business, there is no need for security. Without security, business will fall victim to attack and fail. Contribution and collaboration are required to bridge this gap.

Based on this survey, I’m afraid we’re trying to cross Alaska’s Bridge to Nowhere.

Education and awareness loses to the exploitability of humans

Posted in Awareness and Education on September 10th, 2010 by Paul

The recent VBMania virus (Trojan horse) is simple proof that education and awareness programs are not sufficient to overcome human curiosity and stupidity. For years computer users have heard the same message: “Don’t open attachments or click on links in unsolicited e-mails.” Yet they still do!

Yesterday’s simple spam attack infected servers at ABC, NASA, and likely other federal agencies, and clearly shows that the message delivered ad nauseam has essentially fallen on deaf ears. This unfortunate impact to services was caused by the three biggest risks in information security: man, woman and child.

Two things are infinite:  the universe and human stupidity; and I’m not sure about the universe.  ~Albert Einstein.

I’m afraid awareness and education will not be able to overcome the gullible, curious, and greedy nature of humans.  We can only keep trying but it’s a tall order when faced with people who:  believe they have won a lottery they never entered; will pay an unknown person in Nigeria their entire savings account to receive their fortune; or believe that their luck hinges on sending an e-mail to all their friends.

It seems that exploiting humans is much easier than exploiting technology.  Without a clear defense against poor choices, it’s only a matter of time before a similar attack targets something a bit more critical.

Lessons Not Learned – Public-Private non-communication in CyberSecurity

Posted in National and State Privacy/Security Law, Should Have Known Better on August 20th, 2010 by Paul

One of the deficiencies that came to light in the aftermath of the 9/11 terrorist attacks was the communication failure between competing intelligence agencies. A report released this past Monday by the Government Accountability Office shows that the same failure to communicate is happening in the cybersecurity arena. The breakdown here is between the government, which has the cyberthreat information, and the private sector, which manages critical infrastructure that is susceptible to cyber attack. Ah yes… history repeats itself… at least that appears to be the direction.

“Auditors pointed to recent reports of cyberattacks — such as a denial-of-service attack in Estonia in May 2007, which created mass outages of government and commercial websites in that country, as well as breaches at technology companies, many in California, in January — as examples of the debilitating impact a cybersecurity breach could have on national and economic security.”

– Kalish, Brian, “Spotty coordination on cyberthreats is recipe for disaster: GAO Study”, NextGov, August 18, 2010

The planets are coming into alignment when you consider the quality of attacks, the advanced persistent threat, and the unstable world climate that is easily identified by reading recent headlines. The lesson about communicating threats to those in a position to take action seems to have been lost. Unless the so-called public-private partnership learns how to talk to each other, our cyber-connected critical infrastructure may be primed for a rude awakening.

By the way…. where is the CyberSecurity Coordinator Howard Schmidt and all his talk about private sector solutions?