jump to navigation

Beating an Old Drum October 27, 2012

Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

It’s the end of what has already been a tough year for data security.  And the news just got worse.  South Carolina has announced that its Department of Revenue suffered a major breach.  The breach is so massive, in fact that more than 75% of the state’s residents have been affected.  The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents.  Also included in the breach were about 390,000 payment cards.  Most of those were encrypted, though.

This is disturbing on a number of levels.  I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those).  Consumers have built in protections on payment cards.  As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions.  The far more sensitive data, the social security numbers, were not encrypted, though.  This defies logic.  Consumers have little to no protection against misuse of SSNs.  Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.”  WHAT?  If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold.  After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data.  It’s long past time states put forth the same level of protection.  On the plus side, the state did comply nicely with its own data breach notification law.

Because I Said So September 23, 2012

Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Politics.
Tags: , , , , ,
add a comment

Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity.  Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order.  In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages.  So what might we see in this forthcoming order?

According to reports, the order will attempt to regulate sixteen “critical” industries.  The guidelines will be voluntary, after a fashion.  Compliance with the standards may determine eligibility for federal contracts.  The White House has not made any secret about its intentions on Cybersecurity.  In fact, the White House website lists  “Ten Near Term Actions to Support Our Cybersecurity Strategy.”  Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.

The questions remain, however – 1) how stringent (read intrusive) will the requirements be?; 2) Will they be relevant to the threats in the landscape?; 3) How will compliance be policed? and 4) How much additional cost are we potentially adding our already stretched budgets?

Another question that merits examination is whether or not the standards will be redundant.  Many industries are already straining under the weight of a variety of infosec requirements – whether industry-regulated or government mandated?  Will another layer of regulation mean increased efficacy of data protection strategies and mandates or will it be just another layer of red tape?

 

 

 

“Cyber Espionage is Alive and Well”; Motorola Employee Sentenced in theft of IP August 30, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

According to a story in CIO, a former Motorola employee was sentenced to 4 years in prison for theft of trade secrets. For more information on the cyber espionage threat, you can read my  article: “The Rise of CyberEspionage” published in The Counter Terrorist Magazine.

Below is an excerpt of the CIO article.

“Hanjuan Jin, 41, a nine-year Motorola software engineer, conducted a “purposeful raid to steal technology,” U.S. District Judge Ruben Castillo said while imposing the sentence, according to a statement by the department.

The Judge did not however find her guilty of three counts of economic espionage for the benefit of China and its military, although he found by a preponderance of the evidence, that Jin “was willing to betray her naturalized country,” according to the department. Jin had earlier been convicted by the court of three counts of theft of trade secrets.

Judge Castillo’s order was not immediately available on the website of the U.S. District Court for the Northern District of Illinois, Eastern Division where Jin was on trial.

Jin, who is a naturalized U.S. citizen born in China, was stopped from traveling on a one-way ticket to China on Feb. 28, 2007 at O’Hare International Airport by U.S. customs officials who are said to have seized from her possession more than 1,000 electronic and paper documents from Motorola.”

Companies need to be vigilant and understand that the same techniques used to steal national secrets are being employed in US businesses.  While not exclusive to China, they certainly represent the greatest threat today.

“A Rose by Any Other Name…” – Selecting the Right InfoSec Professional August 22, 2012

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , , ,
add a comment

Last week I had an experience that left me chuckling and shaking my head at the same time. I had been approached by a company that had some infosec needs.  According to the person with whom I spoke, they had found me on LinkedIn and wanted to talk.   This company had recently settled with some regulators over some privacy and other regulatory practices and were looking to beef up their security and compliance.   I spoke to one person for about an hour and a half and was asked to send more info.  Later that week I received a call from the person with whom I had spoken an was informed that the company was looking for someone with INFORMATION SECURITY experience.  I (likely not so politely) asked what they thought I did for a living?  His response was that the company was looking for someone with a computer science degree.  It was curious that they did not say an information assurance degree, or cybersecurity degree…or…list an certifications or skills…simply computer science.  Well then…there you have it.  Apparently, this company feels the only real qualification for ‘infosec’ is a computer science degree.   Considering their previous issues, you would think they would have a better handle on info sec and their needs.

When looking for an infosec professional understand that there are technical skills which are certainly important (encryption, configuring firewalls, devices, systems, app layer security etc., etc., etc.)  There are other aspects which are important, as well.  Understanding the compliance mandates as well as the various regulatory requirements and regimes is critical in today’s world.  While not specifically defined as ‘infosec’, an understanding of privacy issues (how data is used) is also important.  While understanding technology is critical, being a skilled infosec professional is about more than simply understanding technology and about more than computer science.  While I may not have been right for that particular engagement for other reasons, the company’s laser focus on a ‘computer science’ degree at the exclusion of the other aspects suggests this company may be focused on the wrong areas.  Maybe they should question why they had issues to begin with.

“You Can’t Unring That Bell!” – What is a”Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , , , , ,
add a comment

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more.  I frequently find myself working with companies on data breach notification plans.  One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”.  More interesting is when I ask them to define a “suspected data breach”.  Visa’ rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example.  You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes?  Maybe, maybe not.  It is dependent upon a number of factors including access to data, data protections (ie. encryption), segmentation, the various laws etc.  In short, it is not easy to decipher yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan.  The reason it is so critical is in the titled of this article.  Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’.  The genie is out of the proverbial bottle and things start moving quickly.  Most company’s would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.).   It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions your company is required to notify of a breach or suspected breach.  Here are some basic definitions to use as a starting point.  (check with your legal council and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset.  This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of or unauthorized access of sensitive and/or protected data to include PHI, PII, CHD, and NPI.

Suspected Data Breach– In the absence of  direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonable assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉  If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

graphic by Hippacartoons.com