Checkbox Security Fails Again

Regulatory compliance is often a confusing mess.  Rattling off the alphabet of compliance can often result in dizziness, headaches, and for some, a bad case of nausea.   PCI-DSS, HIPAA, HITECH, GLB, SOX, and heck, might as well throw in some state data breach notification laws as well.  Congress doesn’t want to stop there as they continue their efforts to add even more to this list of rules to live by.

Don’t get me wrong.  The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful).  The problem is, with so many different regulations carrying varying definitions and requirements, attempts at compliance start to resemble the traffic signal depicted to the right.   The cure for one bout of “alphabetitis” doesn’t necessarily vaccinate you against the others.  In the meantime, while you’re running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the “to do” bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective.  Unless you live in a spider hole like a Doomsday Prepper you may have noticed a recent breach of credit card data.   If you are a “prepper”, here’s a quick catch-you-up article from ABC News, April 2 -  “Experts Say Global Payments’ Breach May Not Be Only One”.

But wait!!  How could this have happened in the era of PCI Compliance? 

To be blunt, building an information security program around compliance is an approach steeped in failure.  The desire is very strong to have a favorable audit report but once that is over, the focus tends to shift away from the continuous protection of sensitive information.   As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in an article “Global Payments credit card security breach exposes PCI shortcomings” where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security?  As is often the case, let’s look at something entirely basic.  In order to protect something you have to know what it is.  Regulators and legislators aren’t helping in this regard.  Protected information is defined differently depending on the flavor of legislation you’re working with.  Wouldn’t it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis? If you store, process or transmit data under this one definition then you have to protect it regardless of whether you’re in healthcare, finance, or any other industry vertical that uses such information.

I don’t think we can rely on government to help in this regard.  So, create your own matrix of sensitive information (maybe I’ll take that on as a project and post it) and then apply the SANS 20 Critical Controls or use some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark and erase checkbox game of compliance.  If you have deployed a solid information security program then compliance audits should, quite frankly, be a simple verification process.


_________________________________

Photo Credit: Stuart Miles at Freedigitalphotos
Illustration Credit: digitalart at Freedigitalphotos

Follow-up Thought: Facebook Credentials and Hiring Process

Just a quick follow-up to my previous post “Before I hire you I’ll need the keys to your home…”

I read a comment on LinkedIn that said there were no laws prohibiting employers from asking you to turn over your Facebook credentials so they can see your private information.  In my non-lawyerly view I think it relates to plenty of laws that declare certain questions as “off-limits” as part of the hiring process.   Age.  Sexual orientation.  Pregnancy.  Disabilities.   It is not uncommon to find details related to these personal issues shared with friends and family on Facebook but often, they are explicitly hidden from public view.

Asking a candidate for their Facebook credentials so that the employer can rummage through these personal details is no different, at least in my view, from asking those questions directly during an interview.   If certain pre-employment questions are already prohibited by law, then requiring a candidate to turn over access to that information via another avenue seems to splash down in the same swimming hole.

Let me play a scenario:

A candidate had a pretty good interview.  A few days later an HR rep from the company calls him up and says there is just one more step in the process.  Since his Facebook page isn’t public, they’ll need his user ID and password, “just as routine”. He gives it and within a week receives a letter that he was not selected for the job.

On his Facebook page, it’s pretty clear he’s gay.  Many of his posts and those of his friends refer to him and his partner.  He believes that is the only reason he didn’t get the job.  He thinks that asking for his user ID and password wasn’t “routine” at all but merely an excuse to find out information they were prohibited from asking him directly.

His next two calls are to an attorney and the media….

Now, it may be that the company had a legitimate reason to hire someone else, but the perception here is what matters.  Imagine your company being dragged through the media and labeled as discriminatory.   We’ve all seen what happens when the media plants an idea in the minds of its audience.  The truth is often pushed to the back burner while the sensational, ratings-grabbing story rules the day.  There may or may not be any legal ground, but it sure makes good publicity for a hard-hitting lawyer.

If this came to pass, would you reconsider asking for those Facebook credentials?  Maybe sticking with traditional background checks, interview questions, reference checks, and looking at publicly available profile information with social media sites is the better choice.


Hacker Motivation – Does it Matter?

Motivation according to Dictionary.com is “the act or an instance of motivating, or providing with a reason to act in a certain way.”   While stealing data from organizations continues to be financially motivated the 2012 Verizon Data Breach Report indicated an increase in data theft as a result of hacktivism (data breaches aimed at advancing political and social objectives).  Who cares?

It’s interesting to see shifts in the motivation behind attacks on computer infrastructure but from a security perspective, a thief is a thief is a thief.  Whether motivated by fame, money, or political causes, the need to protect sensitive information in transit and at rest is still the same.

Bill Brenner blogged about this in his Salted Hash blog while referencing hacktivists and cybercriminals.

True, when it comes to motivation, there is a difference.  Hacktivists are trying to advance a cause and target those they believe are against that cause.  Obviously, a different motivation from the simple pursuit of other people’s money.  But the tactics and results are the same.  – Bill Brenner, “Hacktivists and cybercriminals:  Is there really a difference”, Salted Hash – IT Security News, March 22, 2012

I couldn’t agree more.  While the motivation behind an attack is certainly interesting, the type of information targeted and the method of attack are much more important.   If you’re stuck doing mandatory reporting of a breach I doubt those affected care who stole their information, only that it was stolen.

The bottom line here is somebody wants to steal your information and you must defend against that reality.  Figuring out why they want it doesn’t really change that.


Photo credit:  Salvatore Vuono and Freedigitalphotos.net

“We Don’t Need Security.. We Collect Taxes”

If looking for a gold mine of sensitive information, the IRS appears to be the place to find it.  When individuals file their returns, the expectation is that it is well protected by the United States Government.  Unfortunately, the Government Accountability Office (GAO) has found a pattern of weakness in how the IRS protects our sensitive information.

Try this on for size.

“Around tax time in 2007, 2008, 2009, 2010, 2011 and now this year, the Government Accountability Office has identified similar, recurring weaknesses that could expose sensitive taxpayer information and agency financial data, according to archived GAO reports.”  – Aliya Sternstein, “IRS plagued by computer vulnerabilities five consecutive years” 3/19/2012 Nextgov

It seems the IRS doesn’t want to play by the same rules as other federal agencies that are required to institute mandatory information security programs.  They have not only failed to properly train personnel but have failed miserably in testing technical controls.  AND… this is the same problem year after year after year.

It’s even more disheartening to see continued patterns of security failings and still have IRS officials say they have “fully implemented a comprehensive security program.”   That just doesn’t jibe.

I hope they fix these problems before they take on the enforcement of Obamacare.  That’s a disaster waiting to happen.

Photo credit:  Arvind Balaraman and freedigitalphotos.net

More Legislation? Hmmm.

Senator Richard Blumenthal, D-Conn., introduced new legislation aimed at preventing data breaches.   The proposed legislation includes federal requirements for customer notification in the event of a breach (something most states have been requiring for years) and requires companies to provide two years of credit monitoring service.  There are fines and program requirements for regularly testing controls and protecting information while stored.

SC Magazine Article:  New Senate Bill Aims To Prevent, Deter Data Breaches

Here’s just a few issues with this:

1.  We’re assuming the federal government can successfully patch together the existing state privacy and security requirements to make this helpful to businesses.  I’m not sure our federal government can successfully tie a pair of shoes without creating extensive knots.

2.  While requiring secure storage of sensitive information is certainly a valid idea, it doesn’t do a bit of good when sensitive information is readily copied to flash drives, laptops and other removable media.   Regaining focus on “least privilege” and reducing the ability to copy data to media that is easily lost or stolen is at least as important as storing data securely on servers.

3.  The alphabet soup of security/privacy legislation and compliance is mind boggling.  Personally Identifiable Information (PII) is defined differently depending on what piece of legislation or industry standard you’re applying.  PCI-DSS, HIPAA/HITECH, FERPA, GLB, SOX, state legislation, etc.   How about one definition to rule them all?

I’m encouraged that the government takes privacy and security seriously, but as is too often the case, federal legislation is based on knee-jerk reactions to events and creates such complexity that security and privacy are seldom improved.   I don’t disagree with the attempt; I’m just wary of another set of regulations that may create more complexity without really improving the security and privacy of personal information.

Do you know where your data is?

Where is your sensitive information?

Many times the answer I hear is… “it’s stored in our database” but that unfortunately is only a partial answer.   If you look at the business process surrounding access to information, you may be surprised at where sensitive information ends up.   Have you considered:

Printed documents – Hard copy printouts of reports, spreadsheets, e-mail or other documents containing sensitive information have a way of being thrown in the trash without being shredded.  They get left out on desks for anybody to see, including enlightened janitorial staff.  What about the printer or copy machine hard drive that may be storing information, and that slips outside the walls of your facility when the equipment gets surplussed?

Forwarded E-mail – Ever hear this?  “It’s easier to work from home if I just send these spreadsheets with social security numbers as an attachment to my home e-mail account.”

Laptops – The portability of laptops also carries with it the problem of portability of information.  Without encryption, the ease of stealing information through a “smash and grab” attack on the backseat of your car becomes quite an issue.  Some state laws, such as Nevada’s, require the encryption of personally identifiable information on removable media… and this includes laptops.

Removable Media – It’s so easy to just move this information from point to point using a thumb drive.  The large storage capacity of these devices, not to mention USB hard drives, makes them a considerable risk point for sensitive information sneaking out of an otherwise controlled environment.

There are probably many other examples but the point is to not develop tunnel vision when considering strategies to protect sensitive information.  Getting fixated on the most obvious point of data storage is a bad move.  Think about how information is used in your organization.  Who needs and has access to it?  How are they sending the information to coworkers and business partners?

It’s important to consider ALL the possible ways information can be compromised.  You can bet the bad guys have already considered it.
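Finding out where the data actually went is a job you can automate, at least for the electronic copies.  The script below is an added example, not code from the original post: it walks a directory tree of text-like files (CSV exports, forwarded e-mail, logs) and reports which files contain plausible U.S. Social Security Numbers.  The match pattern and the filter that discards values the SSA never issues (area 000, 666 or 900 and up, group 00, serial 0000) are my assumptions about a reasonable first pass, not anything the post specifies; the sample files it scans are constructed inline in a temporary directory so it runs offline.  A real sweep would cover file shares, home directories, mail stores and removable media mount points, but the logic is the same.

```python
"""Sensitive-data discovery: find where SSNs have leaked across a file tree.

Added example, not part of the original post.  Walks a directory, reads
text-like files, and reports the files holding plausibly valid U.S. SSNs.
The sample tree is constructed below purely for demonstration.
"""
import re
import tempfile
from pathlib import Path

# ddd-dd-dddd, ddd dd dddd or ddddddddd, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")

# Assumption: only these extensions are worth reading as text in this sweep.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".eml", ".md", ".json"}


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000.  Cuts false positives such as 000-00-0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs in a block of text, normalised to ddd-dd-dddd."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if plausible_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def scan_tree(root: Path) -> dict[str, int]:
    """Map each text-like file under root to the number of plausible SSNs in it.
    Files with no hits are left out so the report lists only where data leaked to."""
    report: dict[str, int] = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        count = len(find_ssns(text))
        if count:
            report[path.relative_to(root).as_posix()] = count
    return report


def build_sample_tree() -> Path:
    """Construct a throwaway tree mimicking the leak paths in the post:
    a spreadsheet export, a forwarded e-mail draft, and a harmless log.
    All values are made-up sample data."""
    root = Path(tempfile.mkdtemp(prefix="ssn-scan-"))
    (root / "exports").mkdir()
    (root / "exports" / "payroll.csv").write_text(
        "name,ssn,dept\nA. Doe,123-45-6789,Finance\nB. Roe,456 78 9012,HR\n"
    )
    (root / "outbox.eml").write_text(
        "To: me@home-mail.example\nSubject: spreadsheets\n\n"
        "Attaching the list: 234567890 and 000-00-0000 (placeholder).\n"
    )
    # Timestamps and a 13-digit request id must not be reported as SSNs.
    (root / "app.log").write_text("2012-03-19 12:00:01 request id 1234567890123 ok\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, n in sorted(scan_tree(root).items()):
        print(f"{n:3d}  {rel}")
```

Run it as-is to see the two leak locations reported and the log file correctly ignored; point `scan_tree` at a real share to use it for an inventory.  The pattern filter keeps the noise down, but a count of hits is only a lead: every reported file still needs a human to decide whether it is an approved storage location or one of the “it’s easier if I just copy it” cases described above.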

NJ Supreme Court impacts privacy expectation

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer.    NorthJersey.com article.

Interesting ruling, which will certainly change some thinking about personal use of work computers.  While I’m a proponent of privacy rights, I’m torn on this particular ruling.   The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee”.  That’s a fairly common policy statement, but the usual intent is to cover use of company e-mail, not a personal Yahoo account.  I tend to side with the court that the attorney-client privilege applied because there was an attempt to keep the personal e-mail secure.  Personal e-mail accounts, especially exchanges with an attorney, seem to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than specific e-mail.  In this case the employee was absolutely out of her mind to be exchanging communications with her attorney in preparation for a lawsuit against her company using a company issued laptop.  Stupidity aside, the question is if the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on company-owned equipment.  This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit their equipment to assure compliance.    While I don’t think that extends into people’s personal e-mail accounts let’s create a scenario based on the patient privacy breach at University Medical Center I blogged about in November.

What if the employee was “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme?  Now, instead of taking the hard copy face sheet as was done in this case, that employee uses a personal Yahoo account to send this information to their “attorney”.    I doubt this meets the same measure of attorney-client privilege identified in the New Jersey case, but it certainly illustrates a point regarding potential misuse of employer-owned computer assets that can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

2010 Information Security Predictions

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud” businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime makes this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.  With major attacks taking place in 2010 and, hopefully, an improving economy, investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment is emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

House passes Data Breach legislation… jury still out

The U.S. House of Representatives has passed HR 2221, the Data Accountability and Trust Act.  This sets nationwide breach notification requirements that trump the patchwork of State laws that have been in effect with California leading the way in 2002.   The passage was written about in a Federal Computer Week article “House passes bill to require data breach notifications”.

Overall, standardizing the definition of Personally Identifiable Information will help in protecting the data.  This is a good thing as some states have more stringent definitions than others.   Data brokers have greater requirements.  Also a good thing.

The problem I see comes from the FTC having jurisdiction over the new law.  The FTC does not have authority to enforce regulations on government, banks, savings and loans, insurance industry and non-profits which would include higher education and some healthcare environments.  These industries are often the victims of data breaches yet they aren’t covered by this new federal law.

We’ve seen the FTC extend its reach with the Red Flags rule and perhaps they will follow suit with the new data breach notification legislation.  If they let some industries with known disclosure issues slip through the cracks then the overall effectiveness of the legislation is diminished.

Learning From Someone Else’s Breach

A subsidiary of managed health care provider Health Net Inc. just reported the loss of personal information for 1.5 million customers that occurred six months ago, according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and the thinking of the Health Net leadership during this incident, so take that into account.  Hopefully there are some lessons here for other organizations, both in the management of sensitive information and in the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated, yet you are putting seven years’ worth of personally identifiable information on a portable hard drive, unencrypted.  They may need to reconsider the processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach, but the delayed timing suggests, in the best case, that there was no incident response plan in place.  In the worst case, one has to ask whether their leadership was dragging its feet hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former, that they simply did not have a plan for dealing with this type of disclosure, which is really not acceptable.  If your business maintains sensitive information about customers then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years, and they were put there to prevent this type of “keep it quiet” behavior that had been commonplace in business.  The AG is attacking Health Net on this very issue, and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million dollars to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time…. that is, until you experience a breach.