Standards Aren’t Security and We Shouldn’t Expect Them to Be January 11, 2012
Posted by Heather Mark in InfoSec & Privacy, PCI DSS. Tags: cybersecurity, Heather Mark, ISO, mark consulting group, markconsultinggroup.com, PCI DSS, privacy, regulatory compliance, standard
Today I saw an article about the PCI DSS in which the author lamented that, although progress had been made, there were still significant flaws in the Payment Card Industry Data Security Standard. I have seen a great many articles centered on the same idea: though good in theory, the PCI DSS is just too flawed to work. I would argue that, in many ways, the PCI DSS is doing exactly what it is intended to do. Now, I do have to take off my academia hat here a bit and admit that, without a comprehensive policy and program evaluation, it is simply not possible to accurately determine the efficacy of the standard. We cannot determine that a certain population of individuals has been spared identity theft as a result of the implementation of the PCI DSS or of rising compliance rates. What we have is anecdotal evidence that, despite the best efforts of the card brands, the Qualified Security Assessors and everyone involved in the payment transaction chain, data breaches continue to occur and may even be growing in frequency and magnitude. Since anecdotal evidence seems to be the central data point in these arguments, I’d like to share some anecdotal evidence of my own.
I’ve been involved in the payment card industry, and specifically in the security side of it, for too many years to admit. When we began working with Visa’s Cardholder Information Security Program (CISP), the predecessor to the PCI DSS, many companies had no data security programs in place. In fact, we would often see global ecommerce companies that didn’t run anti-virus or have properly configured firewalls. It was not uncommon to ask about incident response plans and have the IT supervisor respond with “we unplug.” Literally, they would pull the Cat 5 cable from the wall and pull their entire site down until they could figure out the issue.
In the intervening years, we’ve seen the industry make significant strides in its understanding and awareness of security issues. Merchants, third-party service providers, even consumers, have come light years in terms of knowing the questions to ask, the technologies to employ and the policies to implement. Security discussions around the protection of cardholder data have evolved to a very sophisticated place. Ten years ago, discussions about what is or is not cardholder data were unheard of, whereas today they are almost commonplace. In that regard, the PCI DSS has been successful. Has it stopped any data compromises? It’s difficult to judge that, but it has certainly driven companies to take security seriously, and the ensuing noise around the standard has driven, and continues to drive, technological innovation in the security space.
Yet the most significant flaw in the standard is not with the standard, per se. It’s with the dependence on the standard as a comprehensive security program. It is certainly up to the discretion of each company to determine how far beyond the standard it needs to reach in order to address the threats in its environment. Yet each time a compromise occurs, the first thing we hear is that it is another failure of the standard. No standard, regulation, law or best practice, regardless of how well written it may be, is going to address every contingency. Certainly there is room for debate about whether a compliant company can be compromised, but let’s remember that the standard is necessarily vague in some areas to account for the wide variety of business models in the industry. If it were otherwise, we’d certainly hear about how the standard is too prescriptive (and that charge has been leveled at the standard with the same ferocity as the “too vague” accusation) and still does not prevent all the compromises.
The important thing to remember is that the objective of the standard is the protection of cardholder data. If you, as an individual responsible for data security or compliance, recognize an area of risk to the company or its customers that is not addressed by the PCI DSS, it is your (and your company’s) fiduciary duty to act. Cases are now wending their way through the courts to determine whether or not there is an implied contract between companies and their customers. If such a decision is made, then PCI DSS or no, companies will be held responsible for the loss of that data, and likely for a broader swath of data than is contemplated in the PCI DSS. Compliance is not an excuse to cede control of your security program. While the PCI DSS has a lifecycle of three years, companies should be constantly evaluating their threat environment and ensuring that their security program adequately addresses the risks to the data.
(Guest Post) “Is Privacy Possible?” December 26, 2011
Posted by Chris Mark in Laws and Legislation, Piracy & Maritime Security. Tags: Chris Mark, Dr. Heather Mark, Heather Mark, InfoSec, mark consulting group, privacy
There is a lot of discussion lately about the right to privacy online. Specifically, discussion has centered of late around two concepts: 1) the “do not track” concept and 2) the right to be forgotten. While there is significant debate about what these concepts mean, I think it’s interesting to take a look at the notion of privacy in today’s world. What does it really mean to have privacy? Is it possible to have privacy, or are these policies and plans simply the act of closing the barn door after the horse has gotten out?
The fact of the matter is that privacy, at best, is a nebulous concept. The amount of data that is available on any given individual, irrespective of social media, is plentiful to say the least. Even before the advent of Facebook, MySpace, LinkedIn and other sharing sites, the information available on individuals was mind-boggling. Over the last decade or more, a number of laws have been established to prevent the sharing and selling of information about individuals. The Federal Trade Commission has been actively involved in pursuing violators and enforcing these privacy protection standards. The “enforcement actions” in which the FTC has been involved range from companies selling customer lists to companies whose networks have been breached, resulting in the loss of customer data. For a list of enforcement actions, visit the FTC website.
It may be helpful at this point to try to define exactly what privacy is, particularly in this day of social media and (over)sharing. One of the primary challenges with privacy, especially in such a connected age, is the complexity of defining it. How can one protect or preserve something when one can’t fully define what that something is? Robert Post once wrote, “Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”
The concept of privacy to which I subscribe is that of “privacy as control over information,” as described by Charles Fried. Fried refines the notion of privacy as the absence of information by saying, “Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves.” I like this definition for a few reasons. First, it provides some personal accountability for the individual. Many modern definitions of privacy place the onus of protecting that information entirely on the enterprise or company in question, as if the very act of holding consumer data were a breach of privacy. While this definition would certainly call for some action on the part of those organizations, it also calls on the individual to be selective about the information that is made available. The phenomenon of “Facebook firings” brings this issue into stark relief. Individuals can control the quality of information that is shared by using care with respect to what information they post on their own sites.
The other component of this definition that resonates is that of cooperation and transparency on the part of the organization toward the individual. This is an element of privacy that is present in most, if not all, of the current information privacy models (for reference, see the OECD Guidelines on the Protection of Privacy, the FTC Fair Information Practice Principles and Privacy by Design). According to this element of privacy, the individual should have access to any of his or her personal information held by the company. Further, the individual should have the right to correct any inaccuracies and to determine how, or if, that information can be shared with third parties.
This takes us back to the question posed in the title: “is privacy possible?” The answer is still rather nebulous, but what we do know is that it relies on both the individual and the organization. This is not to say that concepts like “do not track” and “the right to be forgotten” are useless, but that we as a society have to refine our definition of what privacy is; the concept is far more complex than legislators and the media would have one believe. Individuals must be cognizant of the information that they are sharing on public forums and of how that data might be used. Similarly, companies must be aware of the sensitivities around sharing consumer information and take appropriate steps to ensure an appropriate level of protection in terms of policy, process, and technology.
Heather Mark
Piracy and Failed States April 18, 2011
Posted by Heather Mark in Failed States, Piracy & Maritime Security. Tags: Heather Mark, InfoSec, Maritime Security, Piracy & Maritime Security, risk management
Governments that are unable to enforce laws within their own boundaries or to project and protect their interests outside of their geographical limits are largely considered to be failed states. The Fund for Peace studies 12 specific characteristics of failed states in its annual Failed States Index. This serves as a very comprehensive analysis of what causes states to fail. However, for the purposes of analyzing the genesis, spread and growth of modern-day piracy, the inability of a state to project force will serve as the definition.
The ability to project force is an essential characteristic of a functioning state. Not only does this enable states to maintain order within their domestic boundaries, it serves notice on those outside of the country’s borders that the state can and will protect its interests abroad, whether that means in the diplomatic community or in international waters. When a government loses the ability to protect its interests, it ceases to be a legitimate government. Its citizens no longer depend on the state for protection, and its enemies (in this case pirates) begin to take advantage of the power vacuum left by the failed state structures.
The Gulf of Aden provides an ample illustration of how failing and failed states have allowed piracy to take root and flourish. Somalia is a failed state. In fact, it ranks at number one on the Failed States Index. Its governmental organs are non-existent. There is no recognized law, nor is there any means to enforce that law if it did exist. Somali pirates often claim to be members of the Somali Navy or Coast Guard enforcing fishing rights in the region. Since no actual Somali Navy or Coast Guard exists, there is no one to prevent such acts from occurring. One might suggest, then, that regional collective security arrangements might be beneficial in taking on the problem of piracy. An examination of the surrounding states, however, quickly demonstrates why collective security arrangements would fail.
Djibouti, Somalia’s neighbor to the north, is considered a “failing” state. Yemen, the state directly across the Gulf of Aden, is a “failed state.” Eritrea, the Sudan, Ethiopia: all of these states bordering either Somalia or the Gulf of Aden itself are near the top of the Failed States Index. They have little or no means of enforcing laws within their own borders, let alone of working together to stem the tide of Somali pirates.
While simply identifying states that are struggling to maintain control over their physical territory cannot stem the tide of piracy, it can help in predicting growth trends and likely “hot spots” for piracy that have not yet been identified. A more detailed analysis of the geopolitical context for modern-day piracy can be found at www.drheathermark.com
Dr. Heather Mark, PhD