Tag Archives: data breaches

How to determine how much money to spend on security…

A question that many organizations struggle with is how much money is appropriate to spend on information security each year, per user. Balancing security, privacy, usability, profitability, compliance, and sustainability is an art, but organizations now have a new data point to consider.

Balancing – information security and compliance operations

The approach a business takes must be based on internal and external factors weighted against the risks to its assets (assets here generally include customers, staff, technology, data, and the physical environment). An annual review that identifies and quantifies the importance of these assets is a key exercise to run with product leadership; the analysis of the factors that influence those assets can then be completed.

Internal and external factors include many possibilities, but the ones that typically rise to importance for a business are:

  1. Contractual commitments to customers, partners, vendors, and the governments of operating regions (regulation)
  2. Market demands (activities necessary to match the market expectations to be competitive)

Based on the quantitative analysis above, at the aggregate level and distributed across the business, safeguards and practices can be deployed, adjusted, and removed. Understanding the economic impact of the assets, and of the tributary assets and business functions that enable the business to deliver services and products to market, allows for a deeper analysis. I find the rate of these adjustments depends on the industry, the product cycle, and operating events. At the most relaxed cadence they happen over a three-year cycle, with a minor analysis conducted annually across the business.

Mature organizations continue a cycle of improvement (note: improvement does not mean more money or more security and regulation; it is improvement relative to the internal and external factors, and I certainly see it ebbing and flowing).

Court settlement that impacts the analysis and balance for information security and compliance:

Organizations historically had to rely on surveys and on reading the tea leaves of financial reports in which the costs of data breaches and FTC penalties were detailed. These collections of figures put the cost of a data breach anywhere between $90 and $190 per user. Depending on the need, other organizations would baseline their cost figures against peers (do we all have the same number of security staff; what percentage of revenue is spent; and so on).

As a result of a recent court case, I expect the figures below to be added to the analysis above. A few factors are important here:

  1. The data was considered sensitive (which could easily be argued to cover general Personally Identifiable Information, or PII)
  2. There was a commitment by the provider to secure the data (a common statement in many businesses today)
  3. The customers paid a fee to be with the service provider (premiums, annual credit card fees, etc. all seem very similar to this case)
  4. Both those who suffered damages and those who did not were included in the settlement

The details of the court case:

The parties' dispute dates back to December 2010, when Curry and Moore sued AvMed in the wake of the 2009 theft of two unencrypted laptops containing the names, health information and Social Security numbers of as many as 1.2 million AvMed members.

The plaintiffs alleged the company's failure to implement and follow “basic security procedures” led to plaintiffs' sensitive information falling “in the hands of thieves.” – Law360

A settlement at the end of 2013 provides a fresh input:

“Class members who bought health insurance from AvMed can make claims from the settlement fund for $10 for each year they bought insurance, up to a $30 cap, according to the motion. Those who suffered identity theft will be able to make claims to recover their losses.”

For businesses conducting their regular analysis this settlement matters because of the math applied here:

$10 x (years as a client, capped at 3) x number of clients = damages, PLUS all of the upgrades required and the actual damages suffered by customers.
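The arithmetic above, carried through for a whole customer base, as an added worked example (this is not code from the original post). The $10 per year and $30 cap come from the settlement quoted above and the $90-$190 band is the survey-derived figure cited earlier; the tenure distribution, remediation cost and identity-theft claim total are constructed inputs, not AvMed data, chosen only so the member count matches the 1.2 million in the case.

```python
"""Settlement-exposure model for the "$10 x years x clients" formula (added example)."""

PER_YEAR_USD = 10          # settlement: $10 for each year of insurance bought
CAP_USD = 30               # ... up to a $30 cap per class member
CAP_YEARS = CAP_USD // PER_YEAR_USD
SURVEY_PER_RECORD_USD = (90, 190)   # survey-derived per-user breach cost band cited in the post

# Constructed tenure histogram (years as a customer -> number of members); totals 1.2 million
# so the result is comparable with the AvMed class size. Not real AvMed data.
SAMPLE_TENURE = {1: 400_000, 2: 300_000, 3: 200_000, 7: 300_000}


def settlement_floor(tenure_histogram):
    """$10 x min(years, 3) per member, summed over the class. The cap means long-tenured
    members contribute no more than $30 each, so tenure beyond 3 years drops out."""
    return sum(PER_YEAR_USD * min(years, CAP_YEARS) * count
               for years, count in tenure_histogram.items())


def exposure(tenure_histogram, remediation_usd=0, identity_theft_claims_usd=0):
    """Combine the capped floor with the open-ended items the post lists (upgrades required
    plus actual damages) and set the total beside the survey band for the same member count."""
    members = sum(tenure_histogram.values())
    floor = settlement_floor(tenure_histogram)
    total = floor + remediation_usd + identity_theft_claims_usd
    low, high = (members * rate for rate in SURVEY_PER_RECORD_USD)
    return {
        "members": members,
        "settlement_floor_usd": floor,
        "settlement_floor_per_member_usd": floor / members,
        "modelled_total_usd": total,
        "survey_band_usd": (low, high),
        "below_survey_band": total < low,
    }


if __name__ == "__main__":
    # Constructed figures for the two open-ended items (assumptions, not case data).
    for key, value in exposure(SAMPLE_TENURE, remediation_usd=5_000_000,
                               identity_theft_claims_usd=2_000_000).items():
        print(f"{key}: {value}")
```

The point the run makes is that the capped settlement term is a floor of roughly $21 per member for this distribution, far below the $90-$190 survey band; what closes the gap is the uncapped part of the formula (remediation and actual losses), which is why the settlement figure belongs in the analysis as an additional input rather than a replacement for the survey numbers.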

Finally

Businesses should update their financial analysis with the figures and situational factors of this court case. In some cases this will reduce budgets; in others, where service providers have similar models and data, the need for better security will become clear.

As always, the key is regular analysis against the internal and external factors, so the organization stays nimble and adaptive in an ever-changing environment. While balancing the external factors, extra vigilance is needed to ensure the internal asset needs are being satisfied and remain correct (as businesses shift to cloud service providers and partner with others, the asset assumptions change, frequently, and without any TPS memo).

Best,

James

 

What do major developments in big data, cloud, mobile, and social media mean? A CISO perspective..


On Tuesday afternoon the CISO-T18 session, Mega-Trends in Information Risk Management for 2013 and Beyond: CISO Views, focused on the results of a survey sponsored by RSA (link below). It provided a backdrop for some good conversation, but more so it gave me a nice environment to elaborate on some personal observations and ideas. The first tweet I sent hammered the main slide:

“Major developments with Big Data, Cloud, Mobile, and Social media” – the context and reality here is cavernous.

My analysis and near-random breakdown of this tweet follow, with quotes pulled from the panel.

First off, be aware that these key phrases and buzzwords mean different things to different departments and at each level (strategic executives through tactical teams). Big Data analytics may not be a back-end operational pursuit but a revenue-generating front-end activity (as executed by WalMart). These different instantiations are likely happening at different levels, with varied visibility across the organization.

“Owning” the IT infrastructure is not a control that prevents the different groups from launching into these other ‘major developments’.

The cost effectiveness of the platforms designed to serve businesses (i.e., Heroku, Puppet Labs, AWS, etc…) is what is defining the new cost structure. CIO and CISO must

>The cloud is not cheaper if it does not have any controls. This creates a risk of the data being lost due to “no controls” – highlighted by Melanie from the panel.  <– I don’t believe this statement is generally true; it is generally FUD.

Specifically, there is a service-level expectation of cloud service providers to compensate for the lack of auditability of those “controls”. There are moves to provide a level of assurance for these cloud providers beyond the ancient method established through ‘right to audit’.

A method of approaching these challenging trends, specifically Big Data, was highlighted by one of the CISOs (apologies, I missed his name), with my additions:

  • Data flow mapping is key to efficient and positive ‘build it’ product development. It helps you understand what matters (to support it and keep it operational), but also to see whether anything is breaking as a result.
  • Breaking = violating a contract, breaking a compliance requirement, or negatively affecting other systems and user requirements.

Getting things done – the CISO

Two observations impacting the CISO and information technology organization include:

  1. The Board is starting to become aware, and is seeking to see how information security is woven into ERM
  2. Budgets are not getting bigger, and likely shrinking due to expectations of productivity gains / efficiency / cloud / etc…

Rationalization on direction, controls, and security responses must be fast, both for making decisions and for executing them.

Your ability to get things done has little to do with YOU doing things, and everything to do with getting others to do things. Enabling, partnering, and teaming is what makes the business move. CIO and CISO must create positive build-it inertia.

Support and partner with “middle management”, the API of the business if you will.

  • We too often focus on “getting to the board” and on deploying and securing the “end points”. Those end points are the USERS, and between them and the Board is your API for achieving your objectives.

Vendor management vs. the procurement of yesteryear

Acquiring technology and services must be done through a renewed and redeveloped vendor management program. The current procurement team’s competencies are inadequate and lack the toolsets to ensure these providers are meeting the existing threats. To be a risk adaptive organization you must tackle these vendors with renewed. Buying the cheapest parts and services today does not mean what it meant 10 years ago. Today's reverse-engineered copy of a Cisco router may show no problems at all immediately after acquisition; buying is easy, it is the operational continuance that is difficult. This is highlighted by the 10,000+ vulnerabilities that exist in networked devices that will never be updated within corporations, whose risks must be mitigated at a very high and constant cost.

Panel referenced the following report:
http://www.emc.com/microsites/rsa/security-for-business-innovation-council.htm

Thank you to the panel for helping create a space to think and seek answers, or at least more questions!

James DeLuccia IV

A call to reflect on your Risk Management & Security Program: UPnP vulnerabilities identified by Rapid7

The Rapid7 folks ran scans for 5+ months, searching for and finding systems vulnerable to 3 different types of vulnerabilities related to UPnP.  The sheer volume, accessibility, diversity of vendors, and age of some of these systems is most interesting from an operational business standpoint.  First a few statistics from the report:

  • 23 million IPs are vulnerable to remote code execution through a single UDP packet
  • At least 6,900 product versions are vulnerable through UPnP
  • The list encompasses over 1,500 vendors
  • 1 UDP packet can exploit any one of 8 vulnerabilities in libupnp
  • Some vulnerabilities were 2+ years old, yet 300+ products still use the insecure version

A great write-up is available here by Darlene at ComputerWorld (chock full of links to additional facts and the CERT note), and of course all comments and feedback should be directed to HD Moore’s blog.  The report was worth the read.  While the technical details are important, I would challenge the executives reading it to consider, operationally, how they would manage the vulnerable systems in their organizations, and how their internal processes are designed to ensure that similar technical vulnerabilities (symptoms) across different types of products do not recur.  Or at least, to devise a methodology to mitigate the risk of technology like this that cannot be patched (the vendor is gone, management tools are non-existent, etc.) or addressed directly on the same system.
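The inventory step that the challenge above implies, as an added example (this is not Rapid7's scanner nor code from the post): build the one SSDP M-SEARCH datagram that makes every listening UPnP stack answer, then parse the replies and pull the SERVER header, which is where libupnp announces its version. The replies in the block are constructed, not captured traffic. The "fixed-in" version used to flag old libupnp builds is an assumption (the post quotes no version number; take the current value from the vendor or CERT advisory before relying on it), and stacks other than libupnp are only inventoried, since the report's 1,500-vendor list is far wider than one library.

```python
"""SSDP discovery probe plus SERVER-header triage of the replies (added example)."""
import re
import socket

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900

# ASSUMPTION: libupnp release taken as the fixed version. The post gives no number; the
# value here must be checked against the advisory current when the scan is run.
LIBUPNP_FIXED_IN = (1, 6, 18)

# libupnp identifies itself in SERVER as "Portable SDK for UPnP devices/x.y.z"
# (older builds: "Intel SDK for UPnP devices/x.y"); other stacks use their own names.
LIBUPNP_RE = re.compile(
    r"(?:portable sdk for upnp devices|intel sdk for upnp devices|libupnp)/(\d+(?:\.\d+)*)",
    re.IGNORECASE,
)


def build_msearch(search_target="ssdp:all", mx=2):
    """The single UDP datagram of SSDP discovery; any listening UPnP stack replies to it."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n\r\n"
    ).encode("ascii")


def parse_ssdp(datagram):
    """Lower-cased header dict from an SSDP '200 OK' reply or NOTIFY; {} for anything else."""
    text = datagram.decode("utf-8", errors="replace")
    start_line, _, rest = text.partition("\r\n")
    if not (start_line.startswith("HTTP/1.1 200") or start_line.startswith("NOTIFY *")):
        return {}
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def libupnp_version(server_header):
    """Version tuple parsed out of a SERVER header, or None when the stack is not libupnp."""
    match = LIBUPNP_RE.search(server_header or "")
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def triage(responses):
    """responses: iterable of (source_ip, raw_datagram). One inventory record per valid reply;
    needs_followup is set only for libupnp older than the assumed fixed-in release."""
    records = []
    for src, datagram in responses:
        headers = parse_ssdp(datagram)
        if not headers:
            continue
        version = libupnp_version(headers.get("server"))
        records.append({
            "ip": src,
            "server": headers.get("server", ""),
            "location": headers.get("location", ""),
            "libupnp": version,
            "needs_followup": version is not None and version < LIBUPNP_FIXED_IN,
        })
    return records


# Constructed replies for an offline run; not captured from real devices.
SAMPLE_RESPONSES = [
    ("192.0.2.10", b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
                   b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
                   b"ST: upnp:rootdevice\r\n\r\n"),
    ("192.0.2.11", b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.11:49152/desc.xml\r\n"
                   b"SERVER: Linux/3.4 UPnP/1.0 Portable SDK for UPnP devices/1.6.18\r\n\r\n"),
    ("192.0.2.12", b"HTTP/1.1 200 OK\r\nSERVER: Intel SDK for UPnP devices/1.2\r\n\r\n"),
    ("192.0.2.13", b"HTTP/1.1 200 OK\r\nSERVER: MiniUPnPd/1.4 UPnP/1.0\r\n\r\n"),
    ("192.0.2.14", b"\x00\x01not an ssdp reply"),
]


def discover(timeout=3.0):
    """Send the probe to the local SSDP multicast group and collect raw replies (LAN only)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            replies.append((ip, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    for record in triage(SAMPLE_RESPONSES):   # swap in discover() to run on your own LAN
        print(record)
```

Run `triage(discover())` on a segment you are authorised to scan; the `location` URL in each record points at the device description XML, which is the next thing to pull when the SERVER banner is too generic to identify the product. The flag is deliberately narrow: a device that is not flagged is only "not a known-old libupnp", not "safe".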

As our business processes rely further on network-connected devices, the age and velocity of the industry is a risk we must manage.  Acquisitions, businesses going under, Kickstarter projects coming and going, and protocols simply losing support in the dev environments are ALL mitigated by governance and risk assessment methodologies.

  • How is your strategic program designed; is it effective to these shifts in business; how can it be enhanced?
  • How is the partnership with procurement, M&A, and business relations teams?   >> Consider the inputs as well as enhancing your program.

Thanks to Rapid7 for the research and raising this broader risk.

James DeLuccia

*See me at RSA 2013 speaking on – Passwords are Dead

Having a ROC does not make an organization secure or compliant – a view into the risks of PCI and periphery events

Why should an organization address and comply with at least industry-supported practices?  The question of compliance versus driving business value, often raised in the payment card space, is important to understand and convey at every level of an organization.  What matters is building an organization’s security and compliance program in a manner that cohesively manages the demands of client requirements, government concerns, and general competitiveness, in an era where competitiveness includes thwarting attackers focused on poisoning your supply chains with misinformation or directly seeking to “acquire” the intellectual property that makes the business competitive.  The executive team and board of directors within an organization are acutely seeking demonstration of focus and effectiveness.

So what are the risks to an organization of not managing the risks of an industry standard?

To answer that, below I will speak directly to PCI (to eliminate the obnoxious “it depends” statements) and about a Fortune 500 company that has other intellectual property.

The ultimate risk to an organization out of compliance with PCI is well documented (on the card brand sites themselves and on breach news sites), but it stems from a violation of contractual agreements with the business’ banks and ultimately the card brands.  This contractual obligation (and its violation) can be determined without a breach.  The violation (profiled in a public court case out West) can be identified when a QSA, a forensics team working for the card brands, or any of their team members conducts an assessment of the organization’s compliance.  The court case referenced is of a restaurant that had been suspected as a Common Point of Fraud, was proven not to have been breached, but was found in violation of the PCI DSS based on the forensics report issued to the bank and card brands.  So the risk and associated damages can result from a breach (the classic case) or simply from confirmation that the business violated the contract established with the card brands.

The highlight here is that being compliant means addressing the threat vectors to the business and the assets requiring protection.  Failure to achieve those results, by either path, can lead to a number of negative business and financial events, described in part below:

  • Punitive financial fines by the card brands ($500k is a number published by the card brands)
  • Per-account costs and fines for each account number breached – this number is hard to lock down; $100-$170 per card in some cases
  • Higher interchange fees per card transaction for the entire legal entity – this is very costly and the most damaging
  • FTC and other government actions, which may include recurring privacy audits (such as 20 years of third-party audits)
  • Automatic Level 1 status for the company (which requires annual onsite attestation)
  • If you look at TJX and the other public breaches, they have published those expenses at around $130M+
  • Civil and class action lawsuits are likely

There are also reputation and periphery risks to the business:

  • The company possesses additional data that is protected and considered sensitive by industry and governments around the world; PCI data is one element, but these systems likely share networks, applications, and permissions.  The breach of one could inadvertently result in the breach of the other (PII)
  • Not at least complying with, and deploying, the operational security controls broadly considered baseline practice would be damaging in an era when the security of data, and confidence in it, is so important

The highlight here is that the risk is not addressed by the issuance of a ROC by a QSA or by having run assessments, but by security and risk programs that are operational and effective.  The ROC and assessments are simply attestations of a program that is mature and functioning.  Compliance is not conferred by a ROC, nor does a ROC provide safe harbor in the common sense of the term.  A long-standing statement by the PCI SSC is that “no compliant organization has had a breach”; yet TJX, Heartland Payment Systems, and Global Payments were all breached with current ROCs signed by TrustWave.

The success of the PCI program is the ultimate reduction of risk and adequate security controls across the organization.  Risks addressed through cohesive integration with the operational elements of the business are the critical success factors.

Other thoughts?

James DeLuccia IV

Rapid and proper response to data breach fundamental to defending against $75M lawsuit, in Oregon

In Oregon, the courts have upheld an important ruling in favour of a business that was breached and responded by rapidly and proactively tackling the impacts on the business itself and on the consumers put at risk.  The result was the dismissal of a $75 million civil lawsuit.  Below is a quick overview and a straight link to the details.  Highly applicable to all data breaches, and specifically to sensitive data (such as PCI data):

The Oregon Supreme Court last week affirmed the dismissal of a class action lawsuit against Providence Health & Services-Oregon arising out of the theft of patient data on backup media that were stolen from an employee’s car in late 2005.

The case underscores the importance of taking prompt and effective action to protect patients after a data breach. The Supreme Court noted approvingly the substantial—and costly—steps Providence took to protect its patients in the wake of the theft.

See the full write-up here: “Rapid Response to data breach pays off”