Tag Archives: data breaches

How to determine how much money to spend on security…

A question that many organizations struggle with is how much it is appropriate to spend annually, per user, on information security. Balancing security, privacy, usability, profitability, compliance, and sustainability is an art, but organizations now have a new data point to consider.

Balancing – information security and compliance operations

The ideal approach that businesses take must always be based on internal and external factors that are weighted against the risks to their assets (assets here generally include customers, staff, technology, data, and the physical environment). An annual review identifying and quantifying the importance of these assets is a key regular exercise with product leadership; once it is done, an analysis of the factors that influence those assets can be completed.

Internal and external factors include a number of possibilities, but key ones that rise to importance for business typically include:

  1. Contractual commitments to customers, partners, vendors, and operating region governments (regulation)
  2. Market demands (activities necessary to match the market expectations to be competitive)

At the aggregate level, and distributed based upon the quantitative analysis above, safeguards and practices may be deployed, adjusted, and removed. Understanding the economic impact of the assets and of the tributary assets and business functions that enable the business to deliver services and products to market allows for a deeper analysis. I find the rate of these adjustments depends on the industry and product cycle, and is influenced by operating events. At the most relaxed cadence, these would happen over a three-year cycle, with a minor annual analysis conducted across the business.

Mature organizations would continue a cycle of improvement (note: improvement does not mean more $$ or more security / regulation; it is improvement based on the internal and external factors, and I certainly see it ebbing and flowing).

Court settlement that impacts the analysis and balance for information security & compliance:

Organizations historically had to rely on surveys and on reading the tea leaves of financial reports where the costs of data breaches and FTC penalties were detailed. These collections of figures put the cost of a data breach anywhere between $90 and $190 per user. Depending on the need, other organizations would baseline costing figures against peers (i.e., do we all have the same number of security staff; what percentage of revenue is spent; etc.).

As a result of a recent court case, I envision the below figures to be joined in the above analysis. It is important to consider a few factors here:

  1. The data was considered sensitive (which could be easily argued across general Personally Identifiable Information or PII)
  2. There was a commitment to secure the data by the provider (a common statement in many businesses today)
  3. The customers paid a fee to be with the service provider (premiums, annual credit card fees, etc. all seem very similar to this case)
  4. Those that had damages and those that did not were included within the settlement

The details of the court case:

The parties' dispute dates back to December 2010, when Curry and Moore sued AvMed in the wake of the 2009 theft of two unencrypted laptops containing the names, health information and Social Security numbers of as many as 1.2 million AvMed members.

The plaintiffs alleged the company's failure to implement and follow “basic security procedures” led to plaintiffs' sensitive information falling “in the hands of thieves.” – Law360

A settlement at the end of 2013, a new fresh input:

“Class members who bought health insurance from AvMed can make claims from the settlement fund for $10 for each year they bought insurance, up to a $30 cap, according to the motion. Those who suffered identity theft will be able to make claims to recover their losses.”

For businesses conducting their regular analysis this settlement is important because of the math applied here:

$10 x (number of years as a client) x (number of clients) = damages, PLUS all of the upgrades required and the actual damages impacting the customers.

Finally

Businesses should update their financial analysis with the figures and situational factors of this court case. In some cases this will reduce budgets; in others, where service providers have similar models and data, better security will be needed.

As always, the key is regular analysis against the internal and external factors in order to be nimble and adaptive to the ever-changing environment. While balancing these external factors, extra vigilance is needed to ensure the internal asset needs are being satisfied and remain correct (as businesses shift to cloud service providers and through partnering, the asset assumptions change, frequently, and without any TPS memo).

Best,

James


What do major developments in big data, cloud, mobile, and social media mean? A CISO perspective..


Tuesday afternoon the CISO-T18 session, “Mega-Trends in Information Risk Management for 2013 and Beyond: CISO Views”, focused on the results of a survey sponsored by RSA (link below). It provided a backdrop for some good conversation, but more so it gave me a nice environment to elaborate on some personal observations and ideas. The first tweet I sent hammered the main slide:

“Major developments with Big Data, Cloud, Mobile, and Social media – the context and reality here is cavernous..”

My analysis and near-random breakdown of this tweet follows, with quotes pulled from the panel.

First off, be aware that these key phrases / buzzwords mean different things to different departments and at each level (strategic executives through tactical teams). Big Data analytics may not be a backend operational pursuit but a revenue-generating front-end activity (such as that executed by WalMart). These different instantiations are likely happening at different levels with varied visibility across the organization.

“Owning” the IT infrastructure is not a control that prevents the different groups from launching into these other ‘Major developments’.

The cost effectiveness of the platforms designed to serve businesses (e.g., Heroku, Puppet Labs, AWS, etc.) is what is defining the new cost structure. CIO and CISO must

> The cloud is not cheaper if it does have any controls. This creates a risk of the data being lost due to “no controls” – highlighted by Melanie from the panel. <– I don’t believe this statement is generally true; it is generally FUD.

Specifically, there is a service level expectation of cloud service providers to compensate for the lack of auditability of those “controls”. There are motions to provide a level of assurance for these cloud providers beyond the ancient method established through ‘right to audit’.

A method of approaching these challenging trends, specifically Big Data, is outlined below as highlighted by one of the CISOs (apologies, I missed his name), with my additions:

  • Data flow mapping is a key to providing efficient and positive ‘build it’ product development. It helps understand what matters (to support and have it operational), but also see if anything is breaking as a result.
  • Breaking = violating a contract, breaking a compliance requirement, or negatively affecting other systems and user requirements.

Getting things Done – the CISO

Two observations impacting the CISO and information technology organization include:

  1. The Board is starting to become aware and seeking to see how information security is woven within ERM
  2. Budgets are not getting bigger, and likely shrinking due to expectations of productivity gains / efficiency / cloud / etc…

Rationalization on direction, controls, and security responses must be fast, both for making decisions and for executing them.

Your ability to get things done has little to do with YOU doing things, and everything to do with getting others to do things. Enabling, partnering, and teaming is what makes the business move. CIO and CISO must create positive build-it inertia.

Support and partner with “middle management”, the API of the business if you will.

  • We too often focus on “getting to the board” and on deploying / securing the “end points”. Those end points are the USERS, and between them and the Board is your API for achieving your personal objectives.

Vendor Management vs procurement of yesteryear

Acquiring technology and services must be done through a renewed and redeveloped vendor management program. The current procurement team’s competencies are inadequate, and it lacks the toolsets to ensure these providers are meeting the existing threats. To be a risk-adaptive organization you must tackle these vendors with renewed. Buying the cheapest parts and services today does not mean what it meant 10 years ago. Today the copied, reverse-engineered Cisco router alternative carries an impressive number of problems immediately after acquisition. Buying is easy; it is the operational continuance that is difficult. This is highlighted by the 10,000+ vulnerabilities that exist in networked devices that will never be updated within corporations, whose risks must nonetheless be mitigated, at a very high and constant cost.

The panel referenced the following report:
http://www.emc.com/microsites/rsa/security-for-business-innovation-council.htm

Thank you to the panel for helping create a space to think and seek answers, or at least more questions!

James DeLuccia IV

A call to reflect on your Risk Management & Security Program: UPnP vulnerabilities identified by Rapid7

The Rapid7 folks ran scans for 5+ months searching for, and finding, systems vulnerable to 3 different types of vulnerabilities that relate to UPnP. The sheer volume, accessibility, diversity of vendors, and age of some of these systems is most interesting from an operational business standpoint. First, a few statistics from the report:

  • 23 million IPs are vulnerable to remote code execution through a single UDP packet
  • At least 6,900 product versions vulnerable through UPnP.
  • List encompasses over 1,500 vendors
  • 1 UDP packet can exploit any one of 8 vulnerabilities to libupnp
  • Some vulnerabilities were 2+ years old, yet 300+ products are still using the insecure versions

A great write-up is available here by Darlene at ComputerWorld (chock full of links to additional facts and the CERT advisory), and of course all comments and feedback should be directed to HD Moore’s blog. The report was worth the read, and while the technical details are important, I would challenge the executives reading this paper to consider operationally how they would seek to manage the vulnerable systems in their organizations, and how their internal processes are designed to ensure that similar technical vulnerabilities (symptoms) across different types of products do not recur. Or at least, to devise a methodology to mitigate the risk of technology such as this that cannot be patched (the vendor is gone; management tools are non-existent, etc.) or addressed directly on the same system.

As our business processes further rely on network-connected devices, the age and velocity of the industry is a risk that we must manage. Acquisitions, businesses going under, kickstarters coming and going, and simply protocols losing support in the dev environments ALL are mitigated by governance and risk assessment methodologies.

  • How is your strategic program designed; is it effective against these shifts in business; how can it be enhanced?
  • How is the partnership with the procurement, M&A, and business relations teams? >> Consider the inputs as well as enhancing your program.

Thanks to Rapid7 for the research and raising this broader risk.

James DeLuccia

*See me at RSA 2013 speaking on – Passwords are Dead

Having a ROC does not make an organization secure or compliant – a view into the risks of PCI and periphery events

Why should an organization address and comply at least with industry-supported practices? This question of compliance versus driving business value, one often raised in the Payment Card space, is important to understand and convey at every level of an organization. The importance is in building an organization’s security and compliance program in a manner that cohesively manages the demands of client requirements, government concerns, and general competitiveness, in an era where competitiveness includes thwarting attackers focused on poisoning your supply chains with misinformation or directly seeking to “acquire” the Intellectual Property that makes the business competitive. The executive team and board of directors within an organization are acutely seeking demonstration of focus and effectiveness.

So what are the risks to an organization of not managing the risks of an industry standard?

To answer that, below I will speak directly to PCI (to eliminate the obnoxious “it depends” statements) and about a Fortune 500 company that has other intellectual property.

The ultimate risk to an organization out of compliance with PCI is well documented (on the Card Brand sites themselves and on breach news sites), but it stems from a violation of contractual agreements with the business’s banks and ultimately the card brands. This contractual obligation (and its violation) can be determined without a breach. The violation (profiled in a public court case out West) can be identified when a QSA / Forensics team from the Card Brands, or any of their team members, conducts an assessment of the organization’s compliance. The court case referenced is that of a restaurant that had been suspected of being a Common Point of Fraud; it was proven not to have been breached, but was found in violation of PCI DSS based on the forensics report issued to the Bank and Card Brands. So, the risk and associated damages can result from a breach (classic) or simply from confirmation that the business violated the contract established with the Card Brands.

The highlight here is that being compliant means addressing the threat vectors to the business and the assets requiring protection. Failure to achieve those results, from either path, can result in a number of negative business and financial events. These, in part, are described below:

  • Financial punitive fines by the Card Brands ($500k is a number published by the Card Brands)
  • Per-account costs and fines for each account number breached – this number is a hard figure to lock down; $100-$170 per card in some cases
  • Higher interchange fees per card transaction for the entire legal entity – this is very costly and the most damaging
  • FTC and public government actions, which may include recurring privacy audits (such as 20 years of third-party audits)
  • Automatic Level 1 status for the company (which requires annual onsite attestation)
  • If you look at TJX and the other public breaches, they have published those expenses at around $130M+
  • Civil / class action lawsuits are likely

There are also reputation and periphery risks to the business:

  • The company possesses additional data that is protected and considered sensitive by industry and governments around the world. PCI data is one element, but it is likely that these systems share networks, applications, and permissions. The breach of one could inadvertently result in the breach of the other (PII).
  • Not at least complying with, and deploying, the operational security controls broadly considered baseline practice would be damaging in an era when security of data and confidence is so important.

The highlight here is that the risk is not addressed by the issuance of a ROC by a QSA or by having run assessments, but by the security and risk programs being operational and effective. These ROCs and assessments are simply attestations of a program that is mature and functioning. Compliance is not conferred by a ROC, nor does it provide safe harbor in the common sense of the term. A long-standing statement by the PCI SSC is that “no compliant organization has had a breach” <– this includes TJX, Heartland Payments, and Global Payments, all breached while holding current ROCs signed by TrustWave.

The success of the PCI program is the ultimate reduction of risk and adequate security controls of the organization.  The risks addressed through a cohesive integration with the operational elements of the business are the critical success factors.

Other thoughts?

James DeLuccia IV

Rapid and proper response to data breach fundamental to defending against $75M lawsuit, in Oregon

In Oregon, the courts have upheld an important ruling related to a business that was breached and responded by rapidly and proactively tackling the impacts to the business itself and to the consumers put at risk. This resulted in winning a $75 million civil lawsuit. Below is a quick overview and a straight link to the details. It is highly applicable to all data breaches, and specifically to sensitive data (such as PCI data):

The Oregon Supreme Court last week affirmed the dismissal of a class action lawsuit against Providence Health & Services-Oregon arising out of the theft of patient data on backup media that were stolen from an employee’s car in late 2005.

The case underscores the importance of taking prompt and effective action to protect patients after a data breach. The Supreme Court noted approvingly the substantial—and costly—steps Providence took to protect its patients in the wake of the theft.

See the full write-up here: “Rapid Response to data breach pays off”

Release of Symantec source code leads to ‘uninstall’ recommendation

Symantec was the victim of an attack in which its source code for most major products protecting consumers and enterprises around the world was breached. This attack occurred in 2006, and the source code has been available since that time to parties who could leverage it for attacking businesses, individuals, and governments. Recently, by the accounts recorded so far, Anonymous gained access to this stolen source code and is now threatening to release it, either generally or for a fee to those who would find value in it.

This has led Symantec to state, in their Security recommendations whitepaper, that customers should uninstall or disable the PC Anywhere application. This is a critical application for most, so such a recommendation is quite difficult.

There are a number of issues and risks that arise here that will likely be an ongoing list:

  • The source code was lost in 2006, so one can infer that this attack vector existed, and every install was at risk, for the past 6 years
  • The presence of released source code does not in itself create an attack vector; an example is how public cryptography is tested openly, and the immense use of Open Source software. In this case, though, the release progressively escalated the risk from “increased risk” to “uninstall now” risk
  • Other major enterprise security applications were also stolen; do the same risks exist, and are they forthcoming?

Symantec is an important security provider, as their systems are installed on 100+ million endpoints globally and their PC Anywhere solution provides direct access to global companies.

Given the velocity of updates related to Symantec’s breach, I would offer for discussion the following takeaways:

  • There is no silver bullet to be secure and solve this single breach issue for the customers of Symantec, so a process must be established
  • Review the activity of your firewalls, behavioral analysis systems, and similar systems to determine whether you have been attacked through this attack vector over the past 6 years (a deep analysis of the Symantec application is in order: the “authorized and approved” connection activities, not just the failed attempts)
  • Focus on your programs for complicating the intruder’s path into your system. A great case here: if a malicious user had access to your network, what could be done? This question should provide a substantial return in minimizing this type of breach of trust in the security model. Similar cases should include Microsoft remote tools, operating systems, and other infrastructure applications with a high install base.

Below are references to the article, paper, and Symantec’s update page.

This impacts all secure environments: PCI and other systems that are depended upon. Perhaps the attack is not intended to modify or damage a system, but is for corporate espionage and the like. Strong practices and an aggressive risk assessment review cycle are in order, such as an ISO 27001 ISMS (done correctly and maturely).

Thoughts?  Corrections?

James DeLuccia

Would you be PCI Compliant if there were not fines, fees, damages? Possible result of court case

An interesting thought exercise: would businesses be compliant with an industry standard, such as PCI DSS, and regularly evaluate their security posture against this standard, if there were NO fines, punishments, or financial liabilities present? Would organizations secure and establish the same safeguards, better safeguards, or let their environments float away out of a compliant posture?

These are the questions that come to mind when reviewing the counter-lawsuit of the Utah Merchant against U.S. Bank, claiming that the financial institution wrongfully seized money from their account. The money ($10,000) was seized to pay part of the $90,000 fine that Visa and MasterCard imposed on the establishment.

The case put forward by McCombs is summed up nicely by Wired – Threat Level, and vocalizes some of the complaints heard globally that PCI …

“force[s] merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”

What is interesting here is that, through forensic review, the Merchant’s systems were proven (likely) not to have been breached, but Visa and MasterCard actually fined the Merchant $1.33 million for being non-compliant (a result of having used 2 of the 6 approved forensic firms). Ultimately the fines were reduced. An additional interesting bit is that 2 banks stated they incurred losses as a result of the CPP (Common Point of Purchase) breach sourcing technique. This added about $13k in additional fines, despite no evidence being provided.

This is a unique example where the correctness of passing liabilities to merchants and members of the payment card universe will be challenged, and as a result so will the entire underlying Payment Card Data Security realm.

Businesses of course have an incentive to protect customer data, but to what extent? And when the liability moves up to the payment gateways, banks, and card brands, how will practices change?

There are great examples of standards that are created collaboratively (NERC CIP, pre-Energy Act law) and adhered to, but there are many where standards exist without true adoption and success.

What will the protection of sensitive card data look like in the near future? How will information security programs evolve when there is no mandate? There are a lot of questions to consider moving forward.

Thoughts?

James DeLuccia IV