jump to navigation

“Here I (we) go Again…”; GlobalCerts.net hacked August 27, 2012

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , ,
add a comment

On this lovely Monday morning on the opening week of College Football (WAR EAGLE!)…I open with some classic Whitesnake and their awesome song from 1987: “Here I go Again”.  It seemed appropriate since here ‘we’ go again with another hack and data compromise.  According to Cyber War News,  GlobalCert.net was hacked and their data posted to Pastebin..according to the report, GlobalCert.net’s web database was hacked and over 1000 clients’ data posted online by Anonymous.  GlobalCert.net’s website says the following about their website:

“GlobalCerts provides a comprehensive solution that meets a full range of secure messaging needs—including an automatic, transparent, inter-organizational secure messaging product, the SecureMail Gateway. GlobalCerts also offers a trusted, scalable, user friendly solution to overcome the hurdle obstructing many organizations from deploying a standards-based, secure messaging solution. SecureTier is a hands-off global, certificate management solution for key creation, discovery, and revocation. No other key distribution and discovery system is as effortless and efficient as GlobalCerts’ solution.”

Seems that GlobalCert.net should practice what they preach 😉

“You Can’t Unring That Bell!” – What is a”Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , , , , ,
add a comment

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more.  I frequently find myself working with companies on data breach notification plans.  One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”.  More interesting is when I ask them to define a “suspected data breach”.  Visa’ rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example.  You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes?  Maybe, maybe not.  It is dependent upon a number of factors including access to data, data protections (ie. encryption), segmentation, the various laws etc.  In short, it is not easy to decipher yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan.  The reason it is so critical is in the titled of this article.  Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’.  The genie is out of the proverbial bottle and things start moving quickly.  Most company’s would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.).   It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions your company is required to notify of a breach or suspected breach.  Here are some basic definitions to use as a starting point.  (check with your legal council and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset.  This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of or unauthorized access of sensitive and/or protected data to include PHI, PII, CHD, and NPI.

Suspected Data Breach– In the absence of  direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonable assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉  If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

graphic by Hippacartoons.com

“August 2012 TransactionWorld Magazine” – Chris & Heather Mark’s Articles August 13, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News.
Tags: , , , , , , , ,
add a comment

Chris and Heather Mark both have articles in the August 2012 issue of TransactionWorld Magazine.  Chris’ is titled: “The Impact of the Fortress Mentality  & Today’s Compliance Strategies” while Heather’s is titled: “After the Compromise; Security Incident Response and Mitigating the Damage”

One note.  I apparently forgot to update my bio with the Editor in Chief so the article erroneously references me as the Executive Vice President of Data Security and Compliance for a payment processor.  You can visit Mark Consulting Group at the following: www.MarkConsultingGroup.com

“Tell me, Show me, Convince me”; Policies, Enforcement, and Auditing August 7, 2012

Posted by Chris Mark in cybersecurity, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

I was speaking with a client yesterday about policies and auditing.  He asked me a question and it reminded me of what I told my clients for years regarding policies.  First, it is important to remember that a policy is NOT a document. The document is a record of the policy that was passed and tool for disseminating the policy. It should be a reflection of the policy that has been approved by management.  Simply having a written document does not mean you have a policy.  The policy must be approved, documented, disseminated, and enforced.  Second, it is important to remember that writing and approving a policy is the easy part.  Ensuring adherence with the policy  and enforcing the policy is the difficult part.  Make no mistake.  A policy that is not enforced will not be followed for very long.  People are inherently lazy (this writer included).  We take the path of least resistance.  Policies require difficult, often inefficient methods.  Without enforcement, they will fall by the wayside.  Third;writting, approving and documenting a policy is often much easier than implementing the policy.  Consider the following example.  Company X passes a policy that requires all computer and IT users’ access be modeled on “need to know” and “model of least privilege” (standard model).  This alone requires an audit of every person’s existing privileges, as well as identification and documentation or their roles and responsibilities.  Then each role would need to have access levels documented and assigned.  As you can see, a simple one line policy statement may have deep implications.  Finally, it is important to ensure that your company adheres to the documented policies.  This is a three step process I describe as “tell me, show me, convince me”

1) Show the auditor that you have a documented policy that is updated, approved by management and disseminated to employees.

2) demonstrate to the auditor that you are currently in compliance with the policy.

3) convince the auditor that you have a history of following the policy by producing relevant documentation/evidence to show compliance over time. (last 3 months, last 6 months).

By using the tell me, show me, convince me model with policies and departments you can have confidence that your policies are being enforced, and followed.

2012 European Central Bank Report on Card Fraud August 6, 2012

Posted by Chris Mark in News.
Tags: , , , , , , , , , , ,
add a comment

In July 2012 the European Central Bank released a report on bank card (debit, credit, etc.) fraud in the Single Euro Payment Area (SEPA).  According to the report, the total fraud equaled €1.26 billion in 2010.  For those in the payments industry, this report is an interesting look at the fraud patterns related to card usage. You can download the report here.

%d bloggers like this: