
“You Can’t Unring That Bell!” – What is a”Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more. I frequently find myself working with companies on data breach notification plans. One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”. More interesting is when I ask them to define a “suspected data breach”. Visa’s rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example. You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws or the relevant regulatory regimes? Maybe, maybe not. It depends upon a number of factors, including access to data, data protections (i.e. encryption), segmentation, the various laws, etc. In short, it is not easy to decipher, yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan. The reason it is so critical is in the title of this article. Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’. The genie is out of the proverbial bottle and things start moving quickly. Most companies would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.). It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions, your company is required to notify of a breach or suspected breach. Here are some basic definitions to use as a starting point. (Check with your legal counsel and don’t simply use these…there, that should protect me! ;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset.  This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of, or unauthorized access to, sensitive and/or protected data, including PHI, PII, CHD, and NPI.

Suspected Data Breach – In the absence of direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonably assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉  If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

graphic by Hippacartoons.com

“The Rise of Cyber Espionage” – The Counter Terrorist Magazine August 5, 2012

Posted by Chris Mark in cyberespionage, cybersecurity, terrorism.

UPDATE:  I want to thank The Counter Terrorist magazine staff for including attribution to the article.  They quickly corrected a mistake and the inaccuracy.  Kudos!

Chris Mark (that is me;) has an article in the June/July 2012 issue of The Counter Terrorist Magazine. The article is titled “The Rise of Cyber Espionage” and provides an overview of the current cyber espionage issues being faced by US businesses today. The article covers the breach at RSA and the subsequent attacks at Lockheed Martin, General Dynamics and others as examples of the types of attacks being carried out by state-sponsored cyber espionage groups. While this magazine may be new for some readers of this particular blog, it is in its 4th year and is filled with great information for military, law enforcement, first responders, and even businesses. This particular issue is 76 pages of information covering Iran’s Nuclear Objectives, Cyber Espionage, First Responder Intelligence, Intelligence for Terror, and a number of great product reviews and other information. The magazine is subscription based, but if you are interested in a copy of this particular issue, leave a comment with your email and other contact information and I can forward a free ezine.

“SDVOSB” – Mark Consulting Group Registers as Service Disabled Veteran Owned Small Business August 3, 2012

Posted by Chris Mark in News.

I have finally completed the Department of Veterans Affairs and the SAM (formerly CCR etc.) registration process to have Mark Consulting Group certified as a Service Disabled Veteran Owned Small Business (SDVOSB).  Hopefully, the VA will complete verification within a few days.  If you are in need of information services please consider The Mark Consulting Group.

According to the United States Code of Federal Regulations, a Service Disabled Veteran Owned Small Business (SDVOSB) is formally defined thus: “A service-disabled veteran-owned small business concern is a business not less than 51 percent of which is owned by one or more service-disabled veterans, or in the case of any publicly owned business, not less than 51 percent of the stock of which is owned by one or more service-disabled veterans; the management and daily business operations of which are controlled by one or more service-disabled veterans, or in the case of a veteran with a permanent and severe disability, a spouse or permanent caregiver of such veteran. In addition, some businesses may be owned and operated by an eligible surviving spouse. Reservists or members of the National Guard disabled from a disease or injury incurred or aggravated in line of duty or while in training status also qualify.”

“Experts Around Every Corner; Part Deux” – Safes, Security, Expertise and Ignorance July 16, 2012

Posted by Chris Mark in Uncategorized.

“There is nothing so stupid as an educated man. If you get him off the thing he was educated in.” – Will Rogers

This weekend I was reading a major news source and I was struck by an article on safes. As I have a gun safe, and other safes, I thought it would be interesting to read. I have written posts before on expertise (Experts in every room). Various ‘experts’ are interviewed in the article. One in particular stood out. He said: “People need to wake up. They think they are protecting themselves, but they may actually be putting themselves at more risk.” As this was a very pointed statement (People need to wake up!)…I immediately thought that my own strategy of securing my valuables was misdirected. I continued reading to see who this expert was…He then said: “Sure you want to have some cash at home, but more than a little feels unsafe,” (I have added the bold)…the expert was a man named Michael Cresh…what is his job? You are probably thinking police officer, security expert, safe expert, or something similar. You would be mistaken. He is a Certified Financial Planner. If I were asking for financial planning, this is the person that I would turn to. If I am considering the purchase of a safe, I can safely say (pun intended) I could not care less what a CFP has to say unless he has some other level of expertise. His statements belie his ‘expertise’ and demonstrate he has little understanding of physical security or risk analysis as it pertains to physical security. (…feels unsafe).

When considering a security professional who proclaims expertise, take a very close look. Whether in maritime security, information security, personal security, or any other area of security, there are more than a few self-proclaimed experts walking the halls.

Last year I wrote a paper for companies to use when evaluating expertise in the maritime security industry.  While focused on maritime security it is relevant to all areas of expertise.  You can read the article here.

“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.

Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS.  Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.

According to reports, it seems that the Global Payments data breach may have exposed more than payment card data. In a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.

“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”

Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security number and Bank Account information may have been exposed, as well.

This situation exposes the danger of using a narrowly focused, static standard as a baseline of security management rather than adopting a risk-based approach to data security. I have personally conducted over 100 PCI DSS audits and have seen first-hand the resources consumed by the standard. Companies often appear so laser-focused upon protecting payment card data that other systems and data may take a back seat in the pursuit of “PCI DSS compliance.” As there are significant penalties associated with non-compliance, it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard. As such, companies are going to give precedence to the PCI DSS over any other standard that does not have equivalent penalties associated with non-compliance.

As a reminder, the PCI DSS is ONLY focused on protection of Cardholder Data. Surely some are going to say that the PCI DSS should be applied across all systems, etc., etc. This is great in theory but does not happen in practice. Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.

I am sure we will continue to see breaches of payment card companies having PII exposed as companies focus on PCI to the exclusion of risk-based security management.
