jump to navigation

“Are You Eating a Rotten Apple?” – Personal Data May have Been Exposed in Global Payments Breach July 9, 2012

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

Let me preface this post by saying this is not intended to take shots at either Global Payments or the PCI DSS.  Rather, this post is intended to generate discussion and discourse on the topic of compliance and risk management.

According to reports, it seems that the Global Payments data breach may have exposed more than payment card data.  n a June 12 update posted to its breach microsite, Global says hackers may have gained access to servers containing personal information collected from a subset of merchant customers.

“The company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global says. “The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company’s U.S. merchant applicants.”

Based upon this statement it seems fair to assume that Personally Identifiable Information (PII) such as Social Security number and Bank Account information may have been exposed, as well.

This situation exposes the danger of using a narrowly focused, static standard as a baseline of security management rather than adopting a risk based approach to data security.   I have personally conducted over 100 PCI DSS audits and have seen first hand the resources consumed by the standard.  Companies often appear so laser focused upon protecting payment card data that other systems and data may take a back seat in the pursuit of “PCI DSS compliance.”  As there are significant penalties associated with non-compliance that it is difficult to blame the merchant or service provider. The penalties are designed to compel compliance with the standard.  As such, companies are going to give precedent to the PCI DSS over any other standard that does not have equivalent penalties associated with non compliance.

As a reminder, the PCI DSS is ONLY focused protection of Cardholder Data.  Surely some are going to say that the PCI should be applied across all systems etc.etc.  This is great in theory but does not happen in practice.  Companies take great pains to minimize their cardholder data environment specifically to lessen the compliance burden.

I am sure we will continue to see breaches of payment card companies having PII exposed as companies focus on PCI to the exclusion of risk based security management.

Social Media as a Privacy Tool? June 14, 2012

Posted by Heather Mark in privacy.
Tags: , , , , ,
add a comment

As one that closely follows the intersection of privacy and technology I read with great interest a paper released by Google entitled “Vanity or Privacy? Social Media as a Facilitator of Privacy and Trust.”  The paper is to be presented at the  2012 ACM Conference on Computer Supported Cooperative Work.  The paper is relatively short and presented as though it was undertaken in the nature of academic research.  I doubt I need to replay for the reader Google’s recent privacy issues and its recent changes to the company’s privacy policy.  With that in mind, it is difficult to read the short paper as anything other than a justification for these recent changes.   Unfortunately for Google, the paper is patently one-sided and the premises themselves are flawed, to put it mildly. It should be noted that the authors of the paper do include the following caveat: “While these examples offer no judgment on whether social media is good for privacy in any absolute sense, they do support our contention that it is possible to design social media systems that are engaging and supportive of privacy and trust.”

Before I delve into the paper itself, it is important to provide some baseline definitions for privacy and trust, particularly with respect to the online environment.  Privacy has traditionally been defined as the right to be let alone.   (more…)

Combining Blog Content (GlobalRiskInfo / DrHeatherMark) May 31, 2012

Posted by Chris Mark in News, Politics.
Tags: , , , , , , ,
add a comment

In the near term I will begin integrating blog content from Dr. Heather Mark’s privacy and payments blog. This will give new information and insight into privacy, regulatory, and information security issues. We will be combing both blogs into GlobalRiskInfo. Please stay tuned and, in the meantime,take a spin through Heather’ blog!

 

“CyberSecurity Cold War” – Spending ourselves into Oblivion May 8, 2012

Posted by Chris Mark in competitive intelligence, cybersecurity, Industry News.
Tags: , , , , , , , , ,
1 comment so far

A recent report published by Bloomberg outlines the challenges of securing critical infrastructure against cyber attacks in the 21st century.  According to a survey of 172 companies in six industries, current security measures are only stopping 69% of cyber attacks against banks, utility companies and other ‘critical assets’.   To stop 95% of attacks, companies would need to spend 7 times more than they are today.  This would increase spending from $5.3 billion$30.8 million average) to $46.6 ($270.9 million average).  This, it is estimated, would still only prevent 95% of attacks.  While not a consistent increase, it could be calculated that for every 1% increase in protection, another $1.588 billion would need to be spent by the group.  This amounts to roughly $9.23 million per company…for each 1% increase in protection.  If this is indeed accurate, it is clear that the current perspectives and strategy of cybersecurity is fatally flawed.

During the 1980’s the US and Soviet Union were fully engaged in a Cold War.   With the election of President Ronald Reagan, the US’s strategy changed.  A major component of Reagan’s strategy was to exploit the inherent inefficiencies in the Soviet Union’s command economy. By increasing spending, and forcing the Soviets to match spending on an arms race, the theory held that the SU could be bankrupted.  This has become known as the “Reagan Victory School” and while not completely responsible for the collapse of the Soviet Union, can be credited as hastening their demise. As outlined in a Stanford piece: “A central instrument for putting pressure on the Soviet Union was Reagan’s massive defense build-up, which raised defense spending from $134 billion in 1980 to $253 billion in 1989. This raised American defense spending to 7 percent of GDP, dramatically increasing the federal deficit. Yet in its efforts to keep up with the American defense build-up, the Soviet Union was compelled in the first half of the 1980s to raise the share of its defense spending from 22 percent to 27 percent of GDP, while it froze the production of civilian goods at 1980 levels.” (more…)

Chris Mark Speaking in London- “Hactivists, CyberSpies, & Thieves: Risk & Data Centric Security” April 18, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , ,
add a comment

On June  19th, Chris Mark (that is me;) will be hosting a workshop at the CISO Intelligence Forum: Energy in London, England.  My particular workshop will be titled: “How to select a security vendor”Not really..that was a bad joke 😉 (security geeks get it).  The 1/2 day workshop will be titled: “Hactivists, CyberSpies, and Data Thieves: A Discussion of Risk & Data Centric Approaches to Security”.  You can download the brochure here.  While my own workshop is sure to be the most well attended (another bad joke), I do have to give some props to the other speakers.  This event has some top shelf talent shelf talent speaking including speakers from the PCI SSC, Lanco, SOCA, and Northrup Grumman, among others.  If you are looking for solid information on data security in the energy segment, this is the place to be.