“You Have My Word On It”

May 11, 2012 by · Leave a Comment

Over the years I’ve had the privilege to hire and work with some talented information security consultants.  Whether they came on to perform a 3rd party assessment necessary to drive remediation efforts (or satisfy compliance obligations), helped troubleshoot an issue or perform initial configuration on new tools, I’ve been fortunate, in most cases, to separate the wheat from the chaff.  I’ve gotten better over time at recognizing the real deal from Joe Isuzu but some small businesses don’t have those hard learned lessons to fall back on.  So…. here’s a few tips.

1.   There is no such thing as 100% security.  If someone is promising “complete security and protection” of your data find out what they are smoking because it’s probably really good stuff.

2.  Do they throw around buzzwords and technical jargon OR do they talk about your business and how security controls not only fit within your business model but benefit your customers as well?

3.  Do they spend the time to understand your needs or do they  “already know” what you need (assumptions… bah!).  If they don’t want to know about your business and how they can help YOU then you probably don’t want to hire them.

4.  Do they up-sell unrelated services BEFORE delivering excellent results for the project you hired them for?  If you’re looking for a point-in-time assessment, then pressuring you to buy long term managed services is pretty lame.  If they deliver good work, THEN I want to know what other services they might offer… not before.

Big or small, there may come a time when you need a little help in protecting your business and your customers.  A good consultant places your business success at the very top of any work they are doing.  If they don’t care about your business, you shouldn’t care about theirs.

 

Photo credit:  Master isolated images at FreeDigitalPhotos.net

Filed Under: Business and Security · Tagged With: , , ,

“We Don’t Need Security.. We Collect Taxes”

March 21, 2012 by · Leave a Comment

If looking for a gold mine of sensitive information, the IRS appears to be the place to find it.  When individuals file their returns, the expectation is that it is well protected by the United States Government.  Unfortunately, the Government Accountability Office (GAO) has found a pattern of weakness in how the IRS protects our sensitive information.

Try this on for size.

“Around tax time in 2007, 2008, 2009, 2010, 2011 and now this year, the Government Accountability Office has identified similar, recurring weaknesses that could expose sensitive taxpayer information and agency financial data, according to archived GAO reports.”  – Aliya Sternstein, “IRS plagued by computer vulnerabilities five consecutive years” 3/19/2012 Nextgov

It seems the IRS doesn’t want to play by the same rules as other federal agencies who are required to institute mandatory information security programs.  They not only have failed to properly train personnel but have failed miserably in testing technical controls.  AND… this is the same problem year after year after year.

It’s even more disheartening to see continued patterns of security failings and still have IRS officials say they have “fully implemented a comprehensive security program.”   That just doesn’t jive.

I hope they fix these problems before they take on the enforcement of Obamacare.  That’s a disaster waiting to happen.

Photo credit:  Arvind Balaraman and freedigitalphotos.net

Filed Under: National InfoSec, Should Have Known Better · Tagged With: , , , , ,

A Shame for InfoSec Transparency

March 13, 2010 by · Leave a Comment

The CISO of Pennsylvania was apparently fired after discussing a breach while serving on a panel at the recent RSA conference.  The removal appeared in several articles including this SCMagazine report.   The information provided by Bob Maley was a clear description of a threat that some states may face, an appropriate discussion for this panel.  However, it seems Maley didn’t get explicit permission to talk about this issue and was terminated for this breach of protocol.

There may be other personnel issues involved but the timing of this is certainly suspect.  While Maley should have been disciplined for violating communication protocol, the end result appears to be disproportionate to the offense.

The RSA panel was a great opportunity to share information and lessons learned.  Instead of embracing that level of transparency, we see a SCMagazine CISO of the Year finalist losing his job by trying to help others learn from his experience.  If others fear such action for sharing sanitized lessons learned then our field has taken a step backward in transparency and communication.  That’s a shame.

Filed Under: Awareness and Education · Tagged With: , ,

The Cyber Maginot Line

January 28, 2010 by · 3 Comments

Between 1930 and 1940, France built a massive system  of defenses known as the Maginot Line.  Designed to stop a German invasion, history illustrates its failure.  The 1940 German invasion of France skirted the defensive Maginot Line as they swiftly penetrated through the Ardennes by way of Belgium.  I’m not a historian and there are many facts that played into this but clearly the fate of France was at least partly determined by a false sense of security rooted in the Maginot Line.

Have modern day corporations and public entities created their own version of Maginot Line when it comes to the protection of sensitive information?  I think the answer is clearly yes.  William J. Lynn III, the deputy defense secretary who oversaw a recent attack simulation pointed this out in “In Digital Combat, U.S. Finds No Easy Deterrent“.  An over-reliance on firewalls and anti-virus programs has created a false sense of security among those who store, transmit, and process sensitive information in the normal course of business.  The changing threatscape, such as the new complex zero-day exploits and state-sponsored targeted attacks, are sometimes ignored much like the French failed to take action when Belgium declared itself a neutral country severing their previous alliance with France.

Consider this comment made in a recent story:

“The new type of attack involves custom-made spyware that is virtually undetectable by antivirus and other electronic defenses traditionally used by corporations.”  US oil industry hit by cyberattacks:  Was China Involved? CS Monitor, January 25, 2010

We are not prepared.  The attackers have become more nimble, motivated, and tenacious while we have become slow moving and complacent.  Many organizations have been lulled to sleep.  We’ve already seen changes in the way attacks are organized and the creativity being designed into their exploits.  Collectively, we need to examine the new threatscape and actively develop new tactics that match the agility being demonstrated by the “bad guys”.

Let’s learn from the Maginot Line.  Let’s not get caught sitting behind our old walls hoping that we can sustain a direct assault when the real threat is making an end run.

Filed Under: Business and Security · Tagged With: , , , ,

Lawsuit, breaches and bashing… oh my!

January 19, 2010 by · Leave a Comment

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

  1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
  2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
  3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
  4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilent.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest airlines crash at Midway airport in 2005.  Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

Filed Under: Business and Security, National and State Privacy/Security Law, Should Have Known Better · Tagged With: , , , , , ,

Lessons in Due Diligence

December 2, 2009 by · Leave a Comment

An article by Kim Zetter on Wired.com caught my attention:  “Restaurants Sue Vendor for Unsecured Card Processor”.

The gist is that several restaurants purchased Point-of-Sale (POS) systems from a particular vendor.  These POS systems that were sold were apparently not Payment Card Industry – Data Security Standard (PCI-DSS) compliant and that resulted in a breach costing the restaurants a hefty sum.

One issue comes from unpatched, poorly configured remote access and the other alleged problem came from default login administrator userID and passwords.  From the article:

Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

So, the vendor sold them the product that was known to have these flaws but on the flip side, the restaurants bought these systems that are known to have these flaws.   I can certainly see the case here but from a security perspective there are some lessons learned when it comes to due diligence and basic security practices.

1.  If you blindly believe marketing slicks about the “state-of-the-art” product you’re purchasing that can do everything including cooking your dinner and washing dishes…well… you get the point.   Visa had produced a bulletin regarding the flaws with the product a year before one of the restaurants bought the product.   A little due diligence in the selection process would have gone a long way.

2.  So, you buy a product and install it.  It has remote access capabilities.  You leave the default administrator ID and password that is well known to anybody who can grab an online manual.  You’re breached.   If you install a new software product for Pete’s sake, change the default account passwords.  If your bank gives everybody a password of “password” to their online banking, would you change yours or just leave it?  (BTW, they don’t do that… just an illustration).

3.  Implementing a system with known flaws and not updating it is pretty bad.  It’s like installing a Microsoft server and not applying security patches for a year.  You get breached because of a vulnerability that should have been fixed a year ago.  Good luck blaming Microsoft for that one.   Patch management is essential.

By no means am I blaming the victim in this case.  They are chefs and restaurant managers, not IT or InfoSec people.  They relied on the vendor to provide them a product that was up to snuff with PCI requirements and trusted them to sell a product that protected their customer’s information.  When we examine and extended this into our own business and technology implementations, their experience provides some lessons for all of us.  Hopefully we can learn from this and apply due diligence to all of our vendor interactions and purchases.

Filed Under: Business and Security, PCI · Tagged With: , , , , , ,

Learning From Someone Else’s Breach

November 20, 2009 by · Leave a Comment

A subsidiary of manged health care provider Health Net Inc, just reported the loss of personal information for 1.5 million customers that occurred six months ago according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and thoughts of the Health Net leadership during this incident so take that into account.  Hopefully there are some lessons learned for other organizations both in the management of sensitive information and the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated yet you are putting seven year’s worth of personally identifiable information on a portable hard drive unencrypted.  They may need to reconsider their processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach but the delayed timing of this sounds like there was no incident response plan in place in the best case scenario.  In the worst case, one has to ask if their leadership were dragging their feet hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former in that they simply did not have a plan for dealing with this type of disclosure which is really not acceptable.  If you’re business maintains sensitive information about customers then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years and they were put there to prevent this type of “keep it quiet” behavior that had been common place in business.  The AG is attacking Health Net on this very issue and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million dollars to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time…. that is, until you experience a breach.

Filed Under: Business and Security, Should Have Known Better · Tagged With: , , , , , ,

The Cloud Does Not Absolve Responsibility

November 17, 2009 by · 1 Comment

Cloud computing certainly offers cost management opportunities for organizations straining to maintain server infrastructure but there is more to consider than just server management.  Security in the cloud simply has not had an opportunity to mature.  Protecting servers, which no doubt cloud providers can do pretty effectively, is different than protecting information.   Those organizations that believe they can outsource the responsibility of securing their information by shipping applications into the cloud are being naive.

There are three issues that come to mind immediately.

  1. I think it is true that cloud providers can maintain the security of their systems much better than companies due to the resources available to them.  However, attackers will target web and database applications not servers.  While the servers are protected, your data can still be exposed due to poor practices and controls.
  2. Cloud computing by its very nature will limit the type of security tools that can be applied in that environment.  While you could manage firewalls, intrusion detection/prevention systems, and other data leak prevention tools in an internal network, these additional layers aren’t specifically provided in the cloud.  You may be able to design them into the environment for additional costs but are you now minimizing your return on investment?
  3. You may have little control over how much audit information is collected which can prevent you from being proactive.   Cloud providers are initiating contracts that give you ownership of your data but you may not own all of your log data.  To get this information may require a court order.

Ultimately, you need to be aware of how data flows inside and outside your organization whether you choose to house servers internally or move applications to the cloud.   If your business relies on highly valuable intellectual property then you may want to think twice about the types of controls available to you in the cloud.   If you wouldn’t normally apply additional controls or monitoring devices to your data, then the cloud may be a cost effective solution with good basic security measures.

If considering cloud computing consider the following:

  1. Computer security is not the same as information security.  Understand the value of information to your business and what level of protection is required for that information.
  2. Understand that even if you own your data, the audit log data may not be accessible to you.  Determine the consequences of not having access to audit logs and decide whether it’s important or not.
  3. Once applications and data are in the cloud, you may not be able to apply compensating detective and preventive controls like you would internally.  If that raises concern then you may not want to put that type of data into the cloud environment.

Cloud computing offers incredible opportunities for business processing at lower costs but the business decision must also consider security and privacy concerns.  The responsibility and reputation consequences for a breach do not disappear into the cloud when your data goes there.  It’s important to consider the risk as well as the benefit when making decisions about cloud computing.  Remember, you are protecting information and that goes beyond just the physical location of servers.

Filed Under: Business and Security · Tagged With: , , , , ,

It’s Just One Little E-mail…

August 6, 2009 by · Leave a Comment

How often is e-mail used to send documents and information that contains sensitive information?  I’ve seen consultants share sensitive information about clients this way as well as staff members just “trying to be helpful”.  I’m sure this happens all the time and it can be mitigated through training and providing staff the tools necessary to send information securely.   While it is fair to say the majority of these incidents never make the news, the Commerce Department wasn’t quite so lucky:

The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed to a risk of identity theft following an inappropriate transfer of the personal information in mid-July, according to a letter sent to department employees last week.

An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form on July 13, according to the letter. The employee informed supervisors of the oversight almost immediately, and there is no indication thus far that information has been compromised, according to the letter.

Federal Eye: Personal Data Mishandled at Commerce Dept.“.   Ed O’Keefe.  Washington Post, August 3, 2009

As another case in point, a friend of mine filled out an online appointment request for his physician.  He included all types of PII including social security number, date of birth, as well as the reason for his visit.  The online form was secure however, whatever program the office used was sending the “got your schedule request” e-mail with all of the information he had put in, including the PII.  The steps the physician took to secure the request were thrown out the window because the same information was sent via e-mail in the clear.  Oops!

I’m not sure how much more the concept of not sending PII over e-mail can be hammered home.   Mistakes happen but when it’s done as part of a business practice then perhaps there needs to be some financial penalty involved to make the point.

Filed Under: Should Have Known Better · Tagged With: , , , ,

When Will They Ever Learn…

June 3, 2009 by · 1 Comment

When an employee leaves a company either voluntarily or involuntary, the business must have the processes and procedures in place to immediately revoke access to information resources.   This isn’t a new concept in the information security realm but it is something that is often applied lackadaisically in organizations.  With the cost of breaches rising, leaving doors open for potentially disgruntled ex-employees can be a costly mistake for your business.  Just as you provide access to new employees, you must be ready to remove access when an employee separates.

The article snip below is a recent addition to the “should have known better” club:

The ex-employee, Dong Chul Shin, was fired from the company March 3 for performance reasons, and escorted off the premises, according to court records.  But the company failed to immediately shut off his VPN access.  That afternoon, someone using Shin’s account began logging onto the corporate network, e-mailing out proprietary data to a personal Yahoo account linked to Shin, and modifying and deleting files, according to a search warrant affidavit by the Dallas FBI agent Robert Smith.

Poulsen, Keven.  “Ex-Employee Fingered in Texas Power Company Hack.” WIRED 29 May 2009.

http://www.wired.com/threatlevel/2009/05/efh/

Filed Under: Should Have Known Better · Tagged With: , ,