Posts tagged Data Breach

Monday, August 30, 2010

Amazon, Starbucks and Information Security Data – Part #1

By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP CISA

What do Amazon and Starbucks have to do with information security data?  They seem to be the mechanism being used to obtain data and metrics from security practitioners. 

On any given week, I, like many other information security professionals, receive a number of emails, presented under the guise of gift certificates to Amazon and Starbucks, which request completion of various surveys and questionnaires.

Often that data is used to create global security metrics, vendor statistics and reports.  The question is — how effective is that data?

Many times, the results and underlying data are unqualified.  Using a more technical term, it is worthless — worthless in the sense that the recipients may not be qualified to answer the questions, there is no verification of the data, and the information can be biased due to the underlying desire to get the gift cards.

The truth is that good infosec data is quite difficult to find.  Part of the issue is that the people who create the surveys, often from the marketing department of an organization, may themselves not be qualified to do so.  Often questions asked are vague and the terms ambiguous.  Terms such as data breach and hacking attack mean different things to different people. 

An often-asked question is — “How many losses have you suffered due to data breaches in the past year?”   Quantifying data losses is often more of an art than a science.  Take this scenario: an Arkansas-based retail firm has an encrypted backup tape that goes missing in transit that contains the credit card numbers of 10 million customers.  What is the loss?  An aggressive litigator may opine that the damages should be calculated as the number of victimized customers multiplied by the average cost to recover from such an identity theft attack. 

On average, it costs $8,000 for a person to recover from identity theft, according to Northwestern University.  So the litigator will sue for $80 billion in losses.  The defense attorney will note that the $80 backup tape was encrypted with AES-256, and therefore the losses should be limited to incidental costs and a replacement backup tape.  So is the loss in this case $80 or $80 billion?  Same survey question, very different answers.

What this means is that before you make any information security decisions, understand the underlying data.  Dust off your statistics books, and see how the conclusions in the report were determined.  Ask basic questions: How large was the sample size?  Were all those who answered from qualified companies and/or qualified individuals?

One of the tricky things here is that there are so many different types of data that it’s often difficult to obtain effective data from a generalized on-line survey.  For example, there is a huge difference between opinions (stated preference) and more objective data (revealed preference).

The big question always centers around “bias.”  Vendors have a particular incentive to connect the data to the solution they are proposing.  Often, the questions they create will be tilted to their solution.  Not that data from vendors can’t be trusted – it’s just that when they supply data, use extra scrutiny.

Pete Lindstrom, Research Director at Spire Security, astutely observed that, “There are many problems with data, but if you look a little closer, you will find the same problems and more with the everyday, qualitative information we base our decisions on.  Our goal should be to get better with the data, not bash it and use that as justification to return to the ways of the medicine man.”

One can get a great cappuccino at Starbucks, but someone’s desire to get a $50 Starbucks gift by entering spurious results should not affect your ability to make an educated decision regarding information security.

So where can you find good information security data?  Stay tuned for Part 2 of this piece in which I’ll provide details on some excellent sources.

Wednesday, May 5, 2010

The States Take Action: Washington Becomes the 5th State to Give Data Privacy Some Legislative Teeth

By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

In 2005, California’s Assembly Bill 1950 (AB 1950) became active, requiring a business that owns personal information about a California resident to “implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification or disclosure.”  Since then, this law has been used as a basis for private and class action lawsuits and, it would seem, a model for other states’ legislation.

Similar legislation has been passed in other states, including Massachusetts, Minnesota, Nevada and, most recently, Washington state.  HB 1149, which takes effect on July 1, 2010, provides issuing banks a legal mechanism to collect the costs to reissue payment cards after a payment card security breach.  While there is no explicit requirement for organizations to take reasonable care to avoid a breach, companies that fail to do so may be liable to pay for re-issuance costs after a breach.

Of all these laws, the Massachusetts law is regarded as being the most comprehensive and, not surprisingly, implementation has been delayed many times; currently, the deadline for compliance with Mass. 201 CMR 17 has been extended to May 1.  The law clearly calls for the need to discover and protect sensitive data in a manner that is absent from other laws that are being passed; but it no doubt will become a template for similar legislation elsewhere.

A federal law mandating security controls is missing, but it’s worth noting that in the case of a large scale security breach, the FTC has taken action by claiming that organizations have engaged in “unfair practices” in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).  The FTC said it was unfair for the company, TJX, to collect private credit card information from consumers and fail to use adequate security procedures to protect it.  TJX must obtain audits by independent third-party security professionals every other year for 20 years as a result of the FTC’s action.  The FTC has not, however, clearly defined “adequate security,” but it is fair to assume that PCI DSS forms a framework against which an organization can be measured.

With different states mandating various forms of security controls on storing sensitive information, organizations will obviously be required to comply with multiple sets of “reasonable security” requirements for each state where they have customers, a factor that will be confusing and expensive.  The focus will center on one set of security controls and, love it or hate it, PCI DSS undoubtedly is being focused on as providing this framework.

What becomes an interesting part of this debate is whether or not this is the right direction for the United States to be taking for credit card security.  Elsewhere in the world, the focus has been on increasing the security of credit cards by introducing smart cards and requiring secondary authentication for online banking.  Half the world’s credit card transactions occur in the U.S., and while smart cards do not reduce card fraud, it’s a step in the right direction to introduce security into payment systems that were never really designed with security in mind.

As we struggle to get companies to introduce more effective controls around the storage and transmission of personal data, the question becomes — should we also be focusing on strengthening the processes that use that data, to prevent it from being used without additional authentication?  It is likely that banking regulators will revise their guidelines and start to issue stricter guidance, which in turn will prompt banks to offer better authentication mechanisms to protect consumers.  But that needs to follow through to online merchants and the login behind credit card transactions — because let’s face it, the entire process seems to be quite broken.

Friday, March 5, 2010

Past the Point of PCI

By: Sushila Nair, Product Manager, Managed Security Solutions Group, BT MSSG, and Sanjay Mehta, Senior Vice President, Breach Security

The nirvana of that moment in time when you are completely secure without a single vulnerability in sight is unfeasible and, even if it were possible, it would be fleeting.  Despite our fondest wishes for this moment, we accept the fact that our networks are vulnerable and are in a constant state of flux, causing the vulnerabilities to alter and the risks to change.  Organizations struggle with how to continue to develop their core business while managing their risk and doing it all with fewer people and resources than they had last year.  The only way this is possible is to work smarter – but how does that translate into practice?

We accept that our security is flawed, so it becomes critical that we place security devices wherever we have high or unacceptable risk.  It is essential that the security alerts from security products like WAFs, firewalls and IDS/IPS, as well as host information and application logs, are centralized.  The devices we select are critical and should be chosen in line with risk.  It is worth bearing in mind that web applications are one of our largest areas of risk and were one of the key areas of focus in PCI DSS 1.2, which was based on the forensics of card breaches.

Once the devices are selected, the complexity of managing this new technology comes into play, and again, outsourcing is a serious option for companies that are constrained by head count.  The footprints of what has happened on our network are in our log files, and it’s impossible to check the multitude of consoles for the vast array of products that we have, so it is critical that we centralize our log files and have the capability to correlate them and look for patterns of attacks.  Unfortunately, security breaches are not limited to 9 to 5 or business hours, so our security monitoring framework must be built to take this intelligence, look for patterns of attacks and be manned 24×7.
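To make the point about centralizing and correlating logs concrete, here is an added example (not code from the post or from BT’s products): it normalizes lines from a firewall, an IDS, a WAF and an application log into one record shape, then flags any source IP that trips more than one control within a short window.  The log formats, the source names and the IP addresses are constructed for the example and are not any vendor’s real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (source name, raw line). The formats are invented for
# this example; a real deployment would need one parser per product.
SAMPLE_LOGS = [
    ("firewall", "2010-03-05T02:14:03 DENY src=198.51.100.7 dst=203.0.113.10 dport=22"),
    ("ids",      "2010-03-05T02:14:05 alert sid=1001 msg=\"SQLi attempt\" src=198.51.100.7 dst=203.0.113.10"),
    ("waf",      "2010-03-05T02:14:06 BLOCK client=198.51.100.7 uri=/login rule=sqli"),
    ("waf",      "2010-03-05T02:14:09 BLOCK client=198.51.100.7 uri=/login rule=sqli"),
    ("app",      "2010-03-05T02:14:10 ERROR db: syntax error near ''' from=198.51.100.7"),
    ("firewall", "2010-03-05T11:02:00 DENY src=192.0.2.44 dst=203.0.113.10 dport=3389"),
    ("waf",      "2010-03-05T14:20:00 BLOCK client=192.0.2.9 uri=/search rule=xss"),
]

# Every constructed format starts with an ISO timestamp and an action word, and
# carries the peer address under one of three assumed key names.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(\S+)")
IP_RE = re.compile(r"\b(?:src|client|from)=(\d{1,3}(?:\.\d{1,3}){3})")


def parse_event(source, line):
    """Normalise one raw line into a common record; None if it cannot be parsed."""
    m = TS_RE.match(line)
    ip = IP_RE.search(line)
    if not m or not ip:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"),
        "source": source,
        "action": m.group(2).upper(),
        "ip": ip.group(1),
    }


def correlate(records, window=timedelta(minutes=5), min_sources=2):
    """Group records by source IP and report IPs seen by at least `min_sources`
    distinct controls inside a sliding time window of length `window`."""
    by_ip = defaultdict(list)
    for r in records:
        if r is not None:            # skip unparseable lines rather than crash
            by_ip[r["ip"]].append(r)

    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["ts"])
        start, best, best_score = 0, None, None
        for end in range(len(evs)):
            # advance the window start until the window fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            sources = {r["source"] for r in evs[start:end + 1]}
            score = (len(sources), end - start + 1)
            if len(sources) >= min_sources and (best_score is None or score > best_score):
                best_score = score
                best = {
                    "ip": ip,
                    "sources": sorted(sources),
                    "events": end - start + 1,
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                }
        if best:
            incidents.append(best)
    return incidents


def run(lines=SAMPLE_LOGS):
    """Parse and correlate a list of (source, line) pairs."""
    return correlate(parse_event(src, line) for src, line in lines)


if __name__ == "__main__":
    for inc in run():
        print(f"{inc['ip']}: {inc['events']} events from {inc['sources']} "
              f"between {inc['first'].time()} and {inc['last'].time()}")
```

On the constructed input only 198.51.100.7 is reported: the firewall deny, IDS alert, two WAF blocks and the application’s database error all land within seven seconds.  The other two addresses each touch a single control and stay below the threshold, which is the point of correlation: a single denied connection is noise, the same address surfacing in four different logs is a pattern worth a 24×7 analyst’s attention.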

This week’s RSA Conference pinpointed the problem of treating compliance as a single point in time. 

Most companies breathe a sigh of relief once PCI compliance is “achieved” via an audit or code review.  IT professionals move on to the next priority, and often, compliance “maintenance” is forgotten.  In doing so, they fail to understand that audits and code reviews are outdated the moment they are completed.  Web applications continue to be developed and altered, and as a result, continued compliance can’t be ensured with the “one-time look” that occurs with audits and code reviews.  And it would certainly be cost-prohibitive to conduct an audit or review with each application change.

Fortunately, continuous PCI compliance can be achieved using a web application security solution that provides real-time, continuous security for all protected web applications. 

In today’s compliance landscape, it’s simply not enough to know that a problem exists.  Sophisticated web application security solutions help companies mitigate problems.  Organizations need to have a real-time solution – not just a single look in time – to be truly secure and PCI compliant.

Here is more information on how vulnerability scans and code reviews compare to web application firewalls:

Vulnerability Scans and Code Reviews vs. Web Application Firewalls

  • Scans and code reviews look at one web application at a single point in time; WAFs provide real-time, continuous security for all protected web applications.
  • Scans and code reviews must be repeated for each application change; WAFs profile each application’s acceptable behavior and automatically learn changes.
  • Scans and code reviews may not cover every line of code; WAFs secure the entire web application.
  • Scans and code reviews can result in inconsistent findings due to vendor interpretations; WAFs provide factual information on vulnerabilities.
  • Scans and code reviews do not fix vulnerabilities that are found; WAFs serve as a “virtual patch” that protects each application’s vulnerabilities.
  • Scans and code reviews are expensive; WAFs offer immediate ROI.
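The two WAF capabilities the comparison leans on, profiling an application’s acceptable behavior and “virtual patching,” are easier to reason about with a small model in hand.  The following is an added illustration, not code from the post, from BT or from Breach Security: it learns a per-path profile (allowed methods, known parameters, the character class and length of each parameter’s values) from constructed baseline traffic, then checks later requests against that profile and against an explicit virtual-patch rule.  The paths, parameters and the `VIRTUAL_PATCHES` rule are all invented for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed "learning phase" traffic: (method, URL) pairs the application
# is assumed to serve legitimately. Not taken from any real application.
BASELINE = [
    ("GET", "/item?id=101"),
    ("GET", "/item?id=2042"),
    ("GET", "/search?q=coffee&page=1"),
    ("GET", "/search?q=mug&page=3"),
    ("GET", "/search?q=coffee+mug&page=2"),
    ("POST", "/login?user=alice"),
]

# Hypothetical virtual patch: until the application's own fix ships, refuse
# angle brackets in the search term on /search. (Assumed rule, not a product's.)
VIRTUAL_PATCHES = [("/search", "q", re.compile(r"[<>]"))]


def value_class(v):
    """Coarse character class of a parameter value, from narrowest to widest."""
    if re.fullmatch(r"\d+", v):
        return "digits"
    if re.fullmatch(r"[A-Za-z]+", v):
        return "alpha"
    if re.fullmatch(r"[\w .-]+", v):
        return "word"
    return "any"


def widen(a, b):
    """Smallest class that covers both a and b (digits/alpha sit under word, word under any)."""
    if a == b:
        return a
    if "any" in (a, b):
        return "any"
    return "word"


def learn(profile, method, url):
    """Fold one legitimate request into the profile (positive security model)."""
    parts = urlsplit(url)
    entry = profile.setdefault(parts.path, {"methods": set(), "params": {}})
    entry["methods"].add(method)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        spec = entry["params"].setdefault(name, {"class": value_class(value), "maxlen": 0})
        spec["class"] = widen(spec["class"], value_class(value))
        spec["maxlen"] = max(spec["maxlen"], len(value))


def build_profile(samples=BASELINE):
    profile = {}
    for method, url in samples:
        learn(profile, method, url)
    return profile


def check(profile, method, url, patches=VIRTUAL_PATCHES):
    """Return a list of findings for a request; an empty list means it matches the profile."""
    parts = urlsplit(url)
    path = parts.path
    entry = profile.get(path)
    if entry is None:
        return [f"unknown path {path}"]
    findings = []
    if method not in entry["methods"]:
        findings.append(f"method {method} not seen for {path}")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        spec = entry["params"].get(name)
        if spec is None:
            findings.append(f"unknown parameter {name}")
            continue
        seen = value_class(value)
        if widen(spec["class"], seen) != spec["class"]:
            findings.append(f"{name}: value class {seen} outside learned {spec['class']}")
        if len(value) > spec["maxlen"] * 2:      # generous bound over the learned maximum
            findings.append(f"{name}: length {len(value)} exceeds learned bound")
        for p_path, p_name, pattern in patches:
            if p_path == path and p_name == name and pattern.search(value):
                findings.append(f"{name}: blocked by virtual patch {pattern.pattern}")
    return findings


if __name__ == "__main__":
    profile = build_profile()
    for m, u in [("GET", "/item?id=77"), ("GET", "/item?id=12abc"),
                 ("GET", "/search?q=<b>mug</b>&page=1"), ("DELETE", "/item?id=5")]:
        print(m, u, "->", check(profile, m, u) or "ok")
```

Two things the model makes visible.  First, a learned profile is only as good as the traffic it learned from: `q` was seen as plain words, so `coffee mug` passes but `<b>mug</b>` is reported as outside the learned class, and the profile must be re-learned (the “automatically learns changes” column) whenever the application legitimately changes.  Second, the virtual patch is an explicit rule layered on top of the profile; it blocks the request today without touching application code, which is exactly why the table credits the WAF with protecting vulnerabilities rather than fixing them.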

Tuesday, January 26, 2010

Heartland Ruling Raises More Questions than it Answers

By Pete Russo, Senior Marketing Manager, BT Global Services

There was an interesting development in the case of Heartland and its 2007/2008 data breach in a New Jersey court last month.  Evan Schuman reported in a storefrontbacktalk.com article about the suit brought against the company that alleged its executives failed to provide sufficient protection of data and timely notification to those affected by the theft of credit card data.  While ruling on what it means for a company, in particular, a retailer, to have taken adequate precautions, this case is also noteworthy as it was driven by Heartland’s shareholders who bore the brunt of the 80% decline in the company’s stock price once the full extent of the violation was revealed.

Judge Thompson, who presided over the case and dismissed the lawsuit, ruled that “a retailer can say it has strong security without meaning that it is invulnerable to any attack,” and that “[t]he fact that a company has suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security.”

With this ruling providing a precedent for victims of retail data breaches –

  • What does it mean for a retailer to take computer security seriously?  Should Heartland have looked more closely at its entire system once the original payroll breach was discovered? 
  • Does emerging legislation from the states, including Massachusetts 201CMR 17.00, need to become more comprehensive to include shareholders? 
  • Should companies be required to reveal all data breaches and not just those related to the violation of consumers’ personal information?

Leave us a comment and let us know your thoughts.
