“These are not the droids you are looking for” – Using “geek speak” to confuse and confound January 31, 2012
Posted by Chris Mark in InfoSec & Privacy, Risk & Risk Management. Tags: Chris Mark, InfoSec, mark consulting group, privacy, risk management, security
In reading through various companies’ websites, I often take a look at their security statements to see what, if anything, is being said about security. More often than not these statements are little more than “geek speak” written to give consumers and others a peace of mind yet don’t really provide any information on the security posture of the company. In the vast majority of cases the statements are ‘marketing fluff’ and provide little value. Here are some of the more common and interesting statements I have come across:
- “We use industry leading encryption, including SSL, to protect your data as it is transmitted to us.” Encrypting transmission of credit card data is not only required by the card brands and the PCI DSS, it is also required by a number of laws and is simply good practice! The fact that a company feels compelled to state that they are using SSL to protect transmitted data leads to more questions. It doesn’t say anything about how your data is used (privacy discussion) or whether the stored data is adequately protected by encryption or other technologies. SSL is a very small piece of the puzzle.
- “We use multi-tiered firewall controls to protect sensitive data.” Again, multi-tiered network architectures are required by the Payment Card Industry Data Security Standard (PCI DSS) and, being that we are now in the year 2012, operating without a multi-tiered network would be irresponsible at best. This statement only states that the company has implemented firewalls between various segments of their network and suggests that they are not operating a ‘flat’ network in which every system can touch every other system (very 2003). It does not state anything about whether the devices are configured correctly, nor does it differentiate between application layer and network layer firewalls. (more geek speak to confuse and confound)
- “All customer data is housed in our secure data centers.” For those unfamiliar with the term, a “data center” is nothing more than a building that is used to house computer servers, typically for a number of different clients. Data centers are designed with safety, physical security, and redundancy in mind. The fact that data is housed in a 4th generation data center does not provide any information on the technical security controls implemented to protect customer data. It simply means that if someone wanted to physically steal the computer they would be challenged.
- “We use robust encryption and change the encryption key at least annually.” The use of encryption technology is a good step, but encryption is only as good as the algorithms used and the key management employed. This statement simply says that, once again, the company is following industry accepted controls. While changing encryption keys periodically is good practice, it doesn’t say anything about how the keys are managed in the intervening periods, nor does it say anything about what data is encrypted or what access controls are in place.
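The last statement is the one where the gap between the marketing claim and real key management is easiest to show in code. The following is an added illustration, not code from the post: a small versioned keyring in Python that tags every stored record with the version of the key that encrypted it, so that a “key change” can be walked through step by step. The cipher is a toy HMAC-SHA256 counter-mode construction with an HMAC tag, used only so the example runs on the standard library (a real system would use a vetted AEAD such as AES-GCM); `KeyRing`, the record layout and the sample customer records are all constructed for this example.

```python
"""Key rotation is not key management: what "we change the encryption key
at least annually" does and does not imply for data already encrypted.

Added example; the toy cipher (HMAC-SHA256 counter mode + HMAC tag) exists
only so this runs on the standard library. Do not reuse it in production."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, VERSION_LEN = 16, 32, 2


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode (toy keystream)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def version_of(record: bytes) -> int:
    """Key version stored in the first bytes of a record."""
    return int.from_bytes(record[:VERSION_LEN], "big")


class KeyRing:
    """Versioned data-encryption keys (constructed for this example)."""

    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {}
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """New key version becomes current; old versions stay until retired."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int) -> None:
        """Destroy an old key. Safe only after reencrypt_all() has run."""
        if version == self.current:
            raise ValueError("cannot retire the current key")
        del self.keys[version]

    def encrypt(self, plaintext: bytes) -> bytes:
        return self.current.to_bytes(VERSION_LEN, "big") + _seal(self.keys[self.current], plaintext)

    def decrypt(self, record: bytes) -> bytes:
        version = version_of(record)
        if version not in self.keys:
            raise KeyError(f"key version {version} retired; record is unrecoverable")
        return _open(self.keys[version], record[VERSION_LEN:])

    def reencrypt_all(self, records: list[bytes]) -> list[bytes]:
        """The step an 'annual key change' claim says nothing about."""
        return [self.encrypt(self.decrypt(r)) for r in records]


def demo() -> dict:
    """Rotate a key and report what happens to records already on disk."""
    ring = KeyRing()
    # Constructed sample records standing in for stored customer data.
    plaintexts = [b"cust-0001:pan=4111111111111111", b"cust-0002:pan=5500000000000004"]
    stored = [ring.encrypt(p) for p in plaintexts]
    result = {"before_rotation_versions": [version_of(r) for r in stored]}

    ring.rotate()  # "we change the encryption key annually"
    result["after_rotation_versions"] = [version_of(r) for r in stored]  # unchanged
    result["old_records_readable"] = all(ring.decrypt(r) == p for r, p in zip(stored, plaintexts))

    # Retiring the old key without re-encrypting first destroys the data.
    trial = KeyRing()
    lost = trial.encrypt(b"record written before rotation")
    trial.rotate()
    trial.retire(1)
    try:
        trial.decrypt(lost)
        result["retire_without_reencrypt_loses_data"] = False
    except KeyError:
        result["retire_without_reencrypt_loses_data"] = True

    # Correct order: rotate, re-encrypt everything, then retire the old key.
    stored = ring.reencrypt_all(stored)
    ring.retire(1)
    result["after_reencrypt_versions"] = [version_of(r) for r in stored]
    result["all_readable_after_retire"] = all(ring.decrypt(r) == p for r, p in zip(stored, plaintexts))
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The walkthrough makes the author’s point concrete: after `rotate()` every existing record is still under key version 1, so the “new key” protects nothing already stored; retiring the old key before re-encrypting makes those records unrecoverable; and only the rotate, re-encrypt, retire sequence leaves all data under the current key. Those are the questions to ask behind the statement: what happens to existing ciphertext when the key changes, where the old versions live in the meantime, and who can use them.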
When evaluating a company with which to do business, it is suggested that you take the time to really ask the difficult questions about security. Simply reading website information will not provide you with the assurance that the company is protecting your data. In some cases the information provided is not simply irrelevant but may provide a false sense of security to the buyer. By using ‘geek speak’ it is easy to convince a non-techie that they are doing the right things. If you are not confident in your own technical skills to evaluate a vendor, it is worth taking the time to find a consultant or some other trusted party to support you in your evaluation.
Standards Aren’t Security and We Shouldn’t Expect Them to Be January 11, 2012
Posted by Heather Mark in InfoSec & Privacy, PCI DSS. Tags: cybersecurity, Heather Mark, ISO, mark consulting group, markconsultinggroup.com, PCI DSS, privacy, regulatory compliance, standard
Today I saw an article about the PCI DSS in which the author lamented that, although progress had been made, there were still significant flaws in the Payment Card Industry Data Security Standard. I have seen a great many articles centered on the same idea: Though good in theory, the PCI DSS is just too flawed to work. I would argue that, in many ways, the PCI DSS is doing exactly as it is intended. Now, I do have to take off my academia hat here a bit and admit that, without a comprehensive policy and program evaluation, it is simply not possible to accurately determine the efficacy of the standard. We cannot determine that a certain population of individuals has been spared identity theft as a result of the implementation of PCI DSS or rising compliance rates. What we have is anecdotal evidence that, despite the best efforts of the card brands, the Qualified Security Assessors and everyone involved in the payment transaction chain, data breaches continue to occur and may even be growing, in terms of frequency and magnitude. Since anecdotal evidence seems to be the central data point in these arguments, I’d like to share some anecdotal evidence of my own.
I’ve been involved in the payment card industry, and specifically in the security side of it, for too many years to admit. When we began working with Visa’s Cardholder Information Security Program (CISP), the predecessor to the PCI DSS, many companies had no data security programs in place. In fact, we would often see global ecommerce companies that didn’t run anti-virus or have properly configured firewalls. It was not uncommon to ask about incident response plans and have the IT supervisor respond with “we unplug.” Literally, they would pull the Cat 5 cable from the wall and pull their entire site down until they could figure out the issue.
In the intervening years, we’ve seen the industry make significant strides in their understanding and awareness of security issues. Merchants, third-party service providers, even consumers, have come light years in terms of knowing the questions to ask, the technologies to employ and the policies to implement. Security discussions around the protection of cardholder data have evolved to a very sophisticated place. Ten years ago, discussions about what is or is not cardholder data were unheard of, whereas today they are almost commonplace. In that regard, the PCI DSS has been successful. Has it stopped any data compromises? It’s difficult to judge that, but it has certainly driven companies to take security seriously, and the ensuing noise around the standard has driven, and continues to drive, technological innovation in the security space.
Yet the most significant flaw in the standard is not with the standard, per se. It’s with the dependence on the standard as a comprehensive security program. It is certainly up to the discretion of each company to determine how far beyond the standard they need to reach in order to address the threats in their environment. Yet each time a compromise occurs, the first thing we hear is that it is another failure of the standard. No standard, regulation, law or best practice, regardless of how well written it may be, is going to address every contingency. Certainly there is room for debate about whether a compliant company can be compromised, but let’s remember that the standard is necessarily vague in some areas to account for the wide variety of business models in the industry. If it were otherwise, we’d certainly hear about how the standard is too prescriptive (and that charge has been leveled at the standard with equal ferocity as the too vague accusation) and still does not prevent all the compromises.
The important thing to remember is the objective of the standard is the protection of cardholder data. If you, as an individual responsible for data security or compliance, recognize an area of risk to the company or its customers that is not addressed by the PCI DSS, it is your (and your company’s) fiduciary duty to act. Court cases are now wending their way through courts to determine whether or not there is an implied contract between companies and their customers. If such a decision is made, then PCI DSS or no, companies will be held responsible for the loss of that data, and likely for a broader swath of data than is contemplated in the PCI DSS. Compliance is not an excuse to cede control of your security program. While the PCI DSS has a lifecycle of three years, companies should be constantly evaluating their threat environment and ensuring that their security program adequately addresses the risks to the data.
(Guest Post) “Is Privacy Possible?” December 26, 2011
Posted by Chris Mark in Laws and Legislation, Piracy & Maritime Security. Tags: Chris Mark, Dr. Heather Mark, Heather Mark, InfoSec, mark consulting group, privacy
There is a lot of discussion lately about the right to privacy online. Specifically, discussion has centered around two concepts of late – 1) the “do not track” concept and 2) the right to be forgotten. While there is significant debate about what these concepts mean, I think it’s interesting to take a look at the notion of privacy in today’s world. What does it really mean to have privacy? Is it possible to have privacy or are these policies and plans simply the act of closing the barn door after the horse has gotten out?
The fact of the matter is that privacy, at best, is a nebulous concept. The amount of data that is available on any given individual, irrespective of social media, is plentiful to say the least. Even before the advent of Facebook, MySpace, LinkedIn and other sharing sites, the information available on individuals was mind-boggling. Over the last decade or more, a number of laws have been established to prevent the sharing and selling of information about individuals. The Federal Trade Commission has been actively involved in pursuing violators and enforcing these privacy protection standards. The “enforcement actions” in which the FTC has been involved range from companies selling customer lists to those whose networks have been breached resulting in the loss of customer data. For a list of enforcement actions, visit the FTC website.
It may be helpful at this point to try to define exactly what privacy is, particularly in this day of social media and (over) sharing. One of the primary challenges with privacy, especially in such a connected age, is the complexity of defining it. How can one protect or preserve something when one can’t fully define what that something is? Robert Post once wrote, “Privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all.”
The concept of privacy to which I subscribe is that of “privacy as control over information,” as described by Charles Fried. Fried refines the notion of privacy as the absence of information by saying, “Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves.” I like this definition for a few reasons. First, it provides some personal accountability for the individual. Many modern definitions of privacy place the onus of protecting that information entirely on the enterprise or company in question, as if the very act of holding consumer data is a breach of privacy. While this definition would certainly call for some action on the part of those organizations, it also calls on the individual to be selective about the information that is made available. The phenomenon of “Facebook firings” brings this issue into stark relief. Individuals can control the quality of information that is shared by using care with respect to what information they post on their own sites.
The other component of this definition that resonates is that of cooperation and transparency on the part of the organization toward the individual. This is an element of privacy that is present in most, if not all, of the current information privacy models. (For reference, see OECD Guidelines on the Protection of Privacy, FTC Fair Information Practice Principles and Privacy by Design). According to this element of privacy, the individual should have access to any of his or her personal information held by the company. Further, the individual should have the right to correct any inaccuracies and to determine how or if that information can be shared with third parties.
This takes us back to the question posed in the title; “is privacy possible?” The answer is still rather nebulous, but what we do know is that it relies on both the individual and the organization. This is not to say that concepts like “do not track” and “the right to be forgotten” are useless, but that we as a society have to refine our definition of what privacy is – the concept is far more complex than legislators and the media would have one believe. Individuals must be cognizant of the information that they are sharing on public forums and how that data might be used. Similarly, companies must be aware of the sensitivities around sharing consumer information and take appropriate steps to ensure an appropriate level of protection – in terms of policy, process, and technology.
Heather Mark
Privacy, Discrimination, and Facebook September 15, 2011
Posted by Chris Mark in Uncategorized. Tags: anti discrimination, Chris Mark, data security, EEOC, Maritime Security, privacy
This post is going to deviate from maritime security. I was asked today by a person on Facebook whether someone should provide their Facebook login to a potential employer who asks. In short, a person is applying for a job and the potential employer has asked for the person’s Facebook credentials to view their Facebook account. Let me preface my answer with some background. For the past 10 years I have worked extensively in data security and privacy.
The US, Canada, EU, Japan and most other industrialized nations have laws that prohibit discrimination based upon various aspects such as race, creed, religion, disability, political views, etc. The US is about 10 years behind Europe when it comes to data security laws and privacy laws. An employer that is asking for your Facebook login is exposing themselves to potential liability and is likely infringing upon your rights. Many, if not most, people post private information in their Facebook accounts. Sexuality, marital status, family, religion, political views, and associations which could divulge private information are all commonly posted on Facebook. By asking you for your login, the employer is doing a few things incorrectly. First, they are asking you to violate Facebook policy by providing your personal login to the account. Second, they are placing themselves in a precarious position by removing the non-repudiation from your account. Consider an example where an employer logs into an account and reads something that their employee wrote that is deleterious to the company. Who is to say that the employer did not actually write the post? Since there is a single login there is no way to state definitively that it was the employer. Additionally, by asking for the login, the employer may be given access to personal private information that could expose them to risk should your employment end. If a person is gay, or disabled, or an anarchist, or planning on having children, this is their own business; the company has no right to ask about this information, and it is a violation of various laws to discriminate based upon such facts. The US has the Equal Employment Opportunity Commission (EEOC) and the Americans with Disabilities Act (ADA), as well as other laws that protect individual rights. The UK has, among other things, the Disability and Equality Act, 2010, and the EU has the EU Anti Discrimination Law, among others, that protect employees.
The long and short is that if you are asked to provide your Facebook login, you may want to politely inform the potential employer that 1) you have a public Facebook profile that they are free to peruse and 2) there is private information in your Facebook account that the employer has no right to ask to see. Their asking may, in itself, be a violation of the privacy laws. Finally, make sure that if you have strong opinions, or lewd photographs, or you curse like a sailor, you don’t post it on your public profile 😉
Managing online “Reputational Risk” August 24, 2011
Posted by Chris Mark in InfoSec & Privacy, Piracy & Maritime Security. Tags: Chris Mark, InfoSec, InfoSec & Privacy, privacy, security
In today’s world of near instant communication and social media, it is easier than ever to get information to the world. Companies would be well advised to consider employing such technologies as they often provide a very good return on investment. Like many technologies, social media is a double edged sword and must be managed. Companies can be exposed to many forms of risk, including that of “reputational risk”. What is “reputational risk”? Simply put, it is a risk to an organization (or person) which derives from a negative association with the brand. This can be brought on by an executive saying or doing something illegal, or an employee voicing a seemingly innocuous statement in what they believe is a private setting that gets forwarded and distributed. Many Gen X job seekers are learning the hard way that their Facebook pictures of keg stands and Mardi Gras flashing follow them to their interview. Companies are much more savvy in searching out indiscretions on social media. The same holds true for companies and their executives.
I am constantly surprised by how little corporate executives seem to understand about the Internet, social media and how easy it is to find information. In today’s age it is important that companies have social media policies in place to ensure that 1) OpSec is not being compromised by an employee inadvertently giving away secrets and 2) reputational risk is being managed by ensuring employees understand that everything they do online is publicly available.
All employees should understand that everything they post online is accessible for perpetuity. While it is certainly every person’s right to have their own views on politics, sexuality, religion, and other topics, posting these views may irreparably harm the very company for which they work. It should be noted that the level of reputational risk exposure is directly proportional to the person’s role within the company. A junior level employee that rails on about their views on gay marriage may harm their own reputation in some areas but likely will have less impact than a CEO who rails on about his dislike of women in the workforce.
Recently, I was doing some research on some companies and I found the CEO of a company that listed as his favorite quotation: “F@#K All”. As a former Marine and Sailor I am not offended by colorful language but I question the professionalism of a CEO publicly listing his favorite quotation as something so patently offensive to so many people. What is more disturbing is that this quote was not referenced once but many times in various places throughout the Internet (as were other things). I am sure that this particular person felt his railings had been archived and deleted over time but, as stated previously, it is relatively trivial to find information that is believed to have been long deleted.
To protect yourself and your company from reputational risk follow these simple guidelines:
1) Operate with the belief that anything you post online is there “forever”. While the average user may not be able to retrieve some information, there are some people that can access nearly everything…and can repost.
2) Don’t post anything patently offensive. While we all have our own political, religious and other beliefs, they may not be in line with our employer’s. While most companies are tolerant (there are laws that protect expressions) of such beliefs, understand that patently offensive statements can harm the company and your employment.
3) Don’t say anything that is patently offensive. Remember that this is 2011 and not 1988. Calls are recorded ‘digitally’ which means they are easy to retain, repost, and republish. If you are angry at someone, don’t call and record drunken, profane threats. They are preserved forever (see #1).
4) Be aware that as an officer of a company there are likely people tracking your public online actions in near real time. This means that if you tweet something and then immediately ‘delete’ it, it is still captured. Look at all of the US athletes and actors that have ‘tweeted and deleted’ only to have the press have the original tweet.
Certainly some are reading this post and saying: “this hits close to home”. It should. Follow the simple rules above and you can manage online reputational risk for you and your company.