I read a short section in Bruce Schneier’s book Liars and Outliers that tells the tale of Jamaica Ginger:
“an epidemic of paralysis occurred as a result of Jamaica Ginger… it was laced with a nerve poison… and the company was vilified”, but not until 10s of thousands were victims, this resulted in the creation of the FDA.
To date, throughout most industries there is no absolute requirement with meaningful incentives to introduce and sustain operational information technology safeguards. There are isolated elements focused on particular threats and fraud (such as, PCI for the credit card industry, CIP for the Energy sector, etc…). So what will result in the Jamaica Ginger of information security?
Some portend that a cyber-war (a real one) that creates such societal disruption; a long enough sustained negative impact to survive the policy development process, and driven enough motivation to be complete. OSHA, FDA, and other such entities exist as a result of such events.
The best action enterprises can follow is to mature and engage sufficient operations that address their information technology concerns in the marketplace. As a means of self preservation; selfish (perhaps) demonstration of a need to NOT have legislation or a body established (such as the Federal Security Bureau), and ultimately preparedness should such a requirement be introduced the changes to your business would be incremental at best.
Posted in audit, Compliance, IT Controls
Tagged 2013, best practices, china, Compliance, cybersecurity, europe, fines, fisma, it compliance and controls, IT Controls, james deluccia, jdeluccia, pci, PCI DSS, regulation, Security
A recent research effort demonstrated through what they call “Phonotactic Reconstruction”, the ability to “decipher” the encapsulation/encryption process employed by a substantial amount of VOIP providers – including Skype. The research is pretty clear cut, and highlights that – 1. It is within means to eavesdrop on these conversations, and 2. Security through obscurity still does not hold water.
The second point is that which has become more important as I work with global organizations and grow to understand the complexities that exist within the co-mingling of corporate-consumer system environments (more on that in the future). VOIP is complex … it is a classic example of security balanced with a technology application (enough security but not too much that creates voice distortions). Unfortunately, if the calls can be eavesdropped than the security is insufficient. This is significant given the enormous usage of this technology that occurs within most global corporations (Skype alone has about 124 million active monthly users with 560 registered). Beyond eavesdropping there also exists the ability to leverage these “voip environments” to break into other parts of the business.
This raises the question – how do organization’s be agile and aggressive in leveraging these beneficial technologies, safely. The simple answer is that as technology is acquired a risk assessment is absolutely necessary, but as a technology evolves future risk assessments are paramount. The evolution is what is critical here – Skype, Iphone/App-stores, Blackberry devices, etc … these all were introduced with unknown trajectories and without obvious benefits or risks. It is THIS fact of unknowing and the shifting of what is known that creates the need to mature how businesses embrace, continue to embrace, and manage (yes by manage… I include secure) all these technologies. The need here goes beyond simple technical specifications, but a balance of “risk” and “security”. Meaning the following should be, at least, considered:
- How dependent is the business on the technology .. what are our backup plans
- What type of information will traverse this technology and who will depend upon it? – and therefore who are the stakeholders / inputs for discerning what is critical –> this usually leads to conducting an assignment to owners and assets (it is only then can the risk be accepted let alone thought through properly)
- As the owner and information alignment exercise will show – this is a point in time exercise … future visits are needed to learn if the owner sees additional risk, or sees the risk universe shift completely
- What are the security safeguards – are they proven or new-fandangled? (new is 100% always more risky and should initiate a broader consideration of risk)
- What encryption is being used .. and is it being used completely and in the right places? (If home music stream devices can employ AES-256, enterprise products can too)
Much more time can be spent on risk assessments (I would suggest investing time to look at NIST 800-30 or Octave as a starting point… ISO 2700X is good too, but not free). The key takeaway is challenge ‘complexity’ as a security and assurance control – it is neither. In the world of PCI, the VOIP guidance / call center / and PCI DSS 2.0 provide insight – simplifying the language, yes encryption of the activity is required.
Article on “Phonotactic Reconstruction”can be found here and here (pdf).
A great challenge with gaining massive industry adoption of a set of standards – regardless of security, privacy, or operational effectiveness measures is making it worthwhile. Some aspects of regulation and industry led practices are obvious and clear. Others are strikingly similar (duplication in many instances) and can be adopted simply by communication and adjustments. Unfortunately there are specific requirements that are not sufficient alone as self-evident, and these are then made necessary through fines and punitive actions.
HIPAA / HITECH components are absolutely valuable to the consumer, the individual enterprise, and the industry as a whole. This is true when the directives are merged into the existing culture, and the business is able to remain competitive. There are challenges of course when a business tries to bolt-on a set of requirements, as these are seldom done efficiently, effectively, and are generally unsustainable.
The financial damage to industry is clear – the most recent studies show over the past 5 years data breaches have cost victims $139 billion (Digital Forensics Association). In addition there is a growing trend of enforcement by state and the federal agencies, such as the California DPH actions (audio teleconference file).
When these enforcements are released though there is always valuable intelligence released highlighting what is expected – today. This perspective reinforces that security mandates’ intent are to secure the data, and businesses must shift and respond as the attack vector shifts and evolves. The recent Rite Aid $1,000,000 penalty enforced by the OCR and FTC provided the following direction:
- Implementation of complete and sufficient Policies and Procedures is critical – specifically must include safeguarding PHI during the disposal process (dumpsters, shredding, disk wipe management, third party terminations)
- Develop complete training related to all aspects for protection of sensitive information – job specific training
- Develop, implement, and maintain sanctions policies
A nice article regarding Rite Aid is available here from Information Week.
As has been consistent with prior Federal enforcement, a 20 year expectation of independent security assessments is required with sufficient monitoring and triggering. Here is the link to the Federal press release. Other case examples and resolutions are available here.
As the data suggests that 395,000 individuals’ data files are being stolen daily, this is not a focus on the Healthcare sector but to provide lessons learned from others.
Posted in Compliance
Tagged 2010, audit, best practices, Compliance, data breaches, fines, hipaa, hitech, it compliance and controls, IT Controls, Security
What best practices can we derive from FINRA based on the attack and subsequent response by Davidson & Co.?
A common statement by practitioners is that regulation speak to intent and reasonable security safeguards, but do not stipulate precisely what exactly is required for satisfying a regulation. It is understood by most that security and managing risk is a fluid process, so (thankfully) most regulations allow for time as a factor in meeting the needs of the consumers of such systems and technologies. This breach provides excellent quantitative factors to consider for any security program, regardless of industry.
Davidson & Co. was breached using SQL Injection – a nasty and highly successful type of attack. Records were stolen and FINRA fined the business $375,000 based on a number of factors to include:
- No known use of stolen customer data (the fine is based on the lack of proof that the data was used maliciously, despite the fact there was a blackmail attempt by the perpetrators.)
- Davidson & Co. were cooperative with law enforcement
Safeguards that were highlighted considered necessary to prevent the breach by FINRA:
- Sensitive data must be encrypted
- Vendor passwords should be changed from default settings
- Network logs should be actively managed and reviewed sufficiently to identify network intrusions
- Firewalls and application services should be configured to minimize direct connections to the public internet (including databases)
- Deploying an active detection solution, such as Network Intrusion Detection
Finally, an interesting point – Davidson & Co. stated they had a 3rd party auditor conduct a penetration test and failed to breach the security. This is an important point as it speaks to the necessity to ensure that such tests are done in balance to a full information security program. Such practices must at least include an internal evaluation of firewalls; network configurations; server management; change control; people-process; and essential IT Controls are required to ensure a satisfactory level of operational integrity (secure; compliant; happy customers).
FINRA through this judgment clearly states what is expected – encrypted sensitive data (as is encouraged by over 50+ state and federal laws); current security safeguards; and serious attention wherever required. The FTC, SEC, and UK counterparts have provided exceptional such detail over the past few years and should be considered through regular updates to each companies GRC programs.
Link to the ComputerWorld article is here.
Link to another great write up is here at Wired’s Threat Level (more details of perpetrators).
Thoughts / Insights?
Posted in Compliance
Tagged 2010, best practices, Compliance, data breaches, denial of service attacks, fines, finra, it compliance and controls, IT Controls, regulation, Security
Proper business practices are a necessity in business, and when dealing with other people’s money it is paramount. The FTC, again, has charged a fine against a business for not doing proper due diligence on new accounts within their operations. ChoicePoint, now owned wholly by Lexis-Nexis, was previously found guilty of such practices in their infamous “breach” where an account was setup and pilfered 100,000s of accounts records.
The latest fine is against a payment provider who did not properly follow its own guidelines for onboarding new merchants. The result was the fraudulent charges against consumers of more than $2.38 million. The business has been ordered by Federal Court to pay $1,779,000 in consumer redress and end the illegal practices.
…the payment processor did not follow its own guidelines for new merchants and did not check addresses, phone numbers, or references the bogus merchant provided. The FTC alleged that the defendants anticipated that the scam would generate high return rates, that they did not request or obtain proof that consumers had authorized debits to their accounts, and that they continued to process charges even after receiving complaints from consumers and banks and unacceptable explanations about unauthorized debits from the merchant. The complaint alleged that more than 70 percent of the merchant’s transactions were returned or refused by the consumers’ banks
What is interesting is – what type of risk management practices existed in the business to let this occur for so long, and what audit efforts were conducted that did not catch these deficiencies in existing controls?
Guidelines and proper business practices are NOT check boxes for the sole purpose of checking them, but to be adhered in a manner that ensures the operational integrity of the business and the fidelity of operations.
A great article on the power of “check lists” is available here at the New Yorker.
James DeLuccia IV
Posted in audit, Compliance, fraud, information security, Institute of Internal Auditors, IT Controls
Tagged best practices, fines, fraud, ftc, merchant, payment processor, PCI DSS, sas 70
The recent news of RBS WorldPay and Heartland in recent news highlights the importance of quality audit efforts by the firms attesting to the security adherence of each organization. Quality is important, and as every QSA is required to accept liability and indemnify the Card Brands prior to delivering any work an entire business can be at risk. Why is this news now 4 years after the event?
CardSystems is still alive and well in courts these days where the Acquirer (Merrick) that had to cover the costs of the fraudulent charges has filed suit against the Auditor (Savvis) for negligence and lack of due care. Now this is under the original Visa CISP, but can naturally create a precedent for current firms conducting these evaluations. Check out the the news story here and the court case details here.
What does this mean for Auditors / QSA firms? Simple:
- Get it right the first time;
- Have proper engagement documents to protect against such cases;
- Maintain good documentation, and again – do it right.
- Go to the professionals – the Accounting Auditors / Internal Auditors ; Institute of Internal Auditors, there are great workpaper guidances and quality methodologies that are 100s of years old and carefully maintained.
This court case highlights the importance of diligent work and careful quality review. Ideally the 2009 Quality Check process will capture deficiences in the process early before breaches happen.
What does this mean for Businesses relying on these audits:
- Carefully consider the points I raised on hiring a QSA
- Check out Siva’s post on vetting a QSA
- You get what you pay for…
- These audits are VALIDATIONS and not exams – it is in everyone’s interest to identify; mitigate; protect and maintain
A nice write up at Wired on this brewing activity by Kim Zetter.
Thoughts on how this will affect the landscape?
James DeLuccia IV