Thursday, December 20, 2007

YADSB (Yet Another Data Security Bill)..

Looks like the lawmakers are getting serious (maybe they always were) about data breach legislation. Rep. William Clay has just introduced a new bill, H.R. 4791, to address some of these issues. This follows previously failed starts, in June, with a similar proposal from Rep. Tom Davis.

We conducted a consumer survey of approximately 400 consumers during the Black Friday post-Thanksgiving shopping season and found that many favored a single federal law compared to the myriad of state laws on the issue. Makes sense...

Have not looked at the full details of the proposed bill, but am looking forward to finding out more. Let me know if you have thoughts on this specific bill...

Tuesday, December 18, 2007

Data-centric security: How far do you de-perimeter your perimeter?

Ever since the Jericho Forum coined the term, we have seen some interesting jousting over “deperimeterization” (I personally need a cup of coffee before I attempt to pronounce that!). While the idea intrigues me, I see historical evidence against short-term deperimeterization for most organizations. Consider the Itanium vs. Opteron battle as a prime example. While the purist might say the battle is not over yet, the initial rounds by far were won by the hybrid 64/32-bit Opteron chip. The futuristic Itanium would have required significant changes in software to take advantage of its capabilities and is still trying to gain a footing.

Current investments ensure that the incumbent is favored, and by the same logic a hybrid model is favored for the next generation of investment. For security, this means a combination of perimeter security with further hardening of the current “soft” core.

From BitArmor’s perspective, we are looking at this discussion in the context of protecting the data itself regardless of where it resides (which could be the ultimate in deperimeterization), and not devices or end-points per se. I am having an increasing number of conversations with customers and industry experts about data-centric security. While I don’t think the tide is completely shifting away from end-point security, such as firewalls, full disk encryption or port control, more people are recognizing that device or perimeter-focused solutions are no longer fully adequate for their purposes. They must be paired with secondary (and tertiary, etc.) defenses.

But, if you lock things down to the point where people can’t do business, that obviously defeats the purpose; business rules and processes must enter into the equation as well, allowing people to collaborate, share documents…in short, to do business. And this is where data-centric security has already begun playing a more important role.

Therefore, while I think that security investments will migrate from hard perimeter defenses to more data-centric models of protection, it will not be immediate nor, by any means, complete. There will be more balance, stemming from a “defense-in-depth” philosophy. Multiple, smaller perimeters for authentication, encryption, access control etc., will continue to gain traction, even to the granularity of individual files.

I am almost tempted to say “multiperimeterization,” but one tongue twister for that space is one too many!

Monday, December 17, 2007

Record fine of over $2.5M for UK insurer

The FSA (Financial Services Authority) in the UK has fined Norwich Union a record $2.5M (or 1.26M GBP) for incompetence. Seems like criminals pretended to be customers and cashed in on policies worth GBP 3.3M.

$2.5M - that's a large sum for a fine. The previous high was Nationwide Building Society for GBP 980K, earlier this year. Seems like the regulators are getting tough on companies who are incompetent. And this seems to showcase a trend of increasing levels of fines.

Monday, December 10, 2007

The crystal (now with no lead!) ball of security predictions..

Seems like everyone is predicting what the future will bring for security... I read with interest what Schneier has to say, looking out ten years (wonder why 10 is such a magic number?). Lots to get worried about. But of all the predictions, the one I got concerned about is abstraction of core skills - "..people getting by with just knowledge of Powerpoint" (must admit I do my fair share of ppt!).

I think better awareness and knowledge is the best antidote against threats and it is scary to think that we are losing our focus on core technology and assuming that some other "smart" person is on the lookout. The rest of the predictions may or may not come true, but I think we will find ways to overcome them. Some reactively and some proactively.

I also read Rich Mogull's framework for predictions - I see this to be similar for all IT investments, not just for security.
1. Hard dollar investments since I am losing money or can't make money
2. Somewhat hard dollars since my customer is losing money or I may lose money.
3. Soft dollars - some costs may be avoided and I might be able to make more money.

Thursday, December 6, 2007

Got PCI? Another aspect of data security and PCI, I did not know

Brian Kilcourse, managing partner from RSR Research shared some interesting research data with us at the recent conference. Turns out the best-in-class retailers are lagging behind in PCI compliance. Hmmm… we agree that this does not make sense, and there were many conjectures as to why this is the case. A few of the reasons put forth - they know how difficult the process is and are taking their time; they don’t care about fines (the fines don’t make a dent), it is too complex for the leaders etc.

My theory is this – retailers who are best in class have to be operationally best-in-class as well. They must have the best logistics and high-end analysis capabilities for a streamlined operation that lowers their costs (retail is a thin-margin game). As part of this, they have already built up best practices on how to handle data well and don't see PCI as providing immediate benefits.

I suspect they all have looked at their environments from a PCI perspective. Some have concluded they meet many of the requirements and thus are not under imminent risk. Others may have decided they need to do some fundamental improvements and need the time to design and plan.

The common thread is this – these organizations are disciplined and don’t look at PCI just as a check-box. This approach is definitely the better one – make sure you have the right processes instead of just checks in the right PCI boxes.

Friday, November 30, 2007

Got advertisement? Maybe you should shout your PCI compliance from the rooftops!

Will advertising the fact that you are PCI compliant make you more of a target? I don’t believe so.

Here’s why. It’s no longer the proverbial pimply-faced kid who is hacking into the company. It is organized crime that is doing so. And what do these guys want? Money, pure and simple - and from sensitive information such as cardholder data. They are not here for the glory and peer recognition from other hackers, by breaking into a trophy account. In fact, if you advertise the fact you are PCI compliant, I think it will deter them from attacking you - you don’t store swipe or card data anywhere (or the data is encrypted). Why should they even bother when there are multiple, easier, juicier targets just another click away?

In addition, as consumers become more aware of stolen cards, they will care more about breaches and the impact it could have on them personally. The recent survey we did seems to validate this. Do consumers care if you are keeping their data safe? In the long term, absolutely. They will start to take notice and bring their business to companies who can promise and deliver a higher degree of security.

So go ahead, proudly proclaim your resolve to secure your customer data as it if were your own. And brandish your PCI compliance as a badge of honor.

Wednesday, November 28, 2007

New survey: Consumers plan to sharply limit use of cards (AKA, have we awakened a sleeping giant?)

We have heard it all over – customers do not seem to be concerned about retailers mismanaging their data. They still spend money in those stores. It does not impact retailer revenue or stock price. So, let us not worry about it too much.

Wrong. I believe it is just a matter of time before consumers understand the issue and become intolerant of sloppy data protection. And maybe that time has come. The recent story on “60 Minutes” is shining a light on the issue and is an indicator of rising consumer awareness.

Coincidentally, we at BitArmor, in partnership with several local TV news departments, conducted a survey over the Black Friday weekend (400 respondents) on this very issue. The results are significant, if not surprising:

· Three out of four consumers are concerned about companies not adequately protecting their data;
· Two-thirds of consumers plan to use their credit card for less than 25% of their holiday purchases;
· Only around 2% say they will continue shopping at a retailer they have heard does not do a good job of protecting data;
· More than 40% have had their identity stolen or know of someone who has;
· 75% of respondents say they would warn friends and family if they knew a store where they shopped wasn’t adequately protecting their data, 33% would sign up for credit monitoring and around 70% say they would be more careful while using their cards.

This should serve as a huge wakeup call to any company that works with sensitive payment card data; their customers are seeing what’s going on, and they don’t like it. Shoppers are increasingly concerned about what’s happening to their data. It’s reflected in fewer people using their credit cards, and it’s reflected in them saying they’ll shop at other stores if they don’t feel their personal information is being adequately protected. It seems we have awakened a sleeping giant…consumers who are spreading the word among friends and families about whom they consider to be “poor” retailers (from the data protection point of view).

I’ve talked with some analysts who reject the notion that things will ever change. They say that consumers talk a good game, but don’t change their actual buying habits. Perhaps…but when “60 Minutes” starts referring to TJX by name, and calling its security efforts “outdated” and “obsolete,” I have to believe that a lot of shoppers will think twice before using their credit cards there right away. (And apparently Michael Horowitz at CNET agrees with me.)

All this points to the importance of securing customer data and making sure the right policies are in place. Is that enough? Maybe, but to increase customer confidence, retailers will have to work just as hard at protecting their brand and increasing the perception of trust.

Monday, November 26, 2007

Got Sopranos? Yet another thing I did not know as much about

The recent trip to the RSR conference gave me another nugget (from Mike Dahn of the Aegenis group) that I knew peripherally about, but did not understand to its full extent. One of the common misconceptions about breaches is that most are the handiwork of some lonely, Mountain Dew guzzling teenager – bored of playing video games and looking for some real kicks. Well, there are some of those no doubt, but it seems that hacking has become the new organized crime. It may not be as widely known as drug cartels or the arms dealers, but information is becoming the new “dust.”

Credit card numbers, card swipe data, etc., are selling for a prince’s ransom in the marketplace. You saw this recently on “60 Minutes.” There are websites that provide you with specific cards such as “Visa Gold” and you can bid on them! You shut one down and another pops up in its stead. Some of these are run eBay-style with members providing ratings on the “trustworthiness” of the seller! There is every reason to believe that terrorist organizations are using these methods to finance their nefarious goals.

The point to note here is this: there is a lot of money at stake. This makes cardholder data a target in this illegal and very organized crime business. For companies handling cardholder data, being fully PCI compliant in spirit and letter is the best way to foil this.

There still will be breaches, but let’s at least make the risk/reward and amount of work/reward ratios skewed enough to make it not worth their while.

Sunday, November 25, 2007

Got Milk? Stuff I did not know about data protection and privacy

I was at the RSR-sponsored data security conference in Las Vegas recently (where Patrick, our CEO, presented on the importance of a data-centric view on protecting and managing data) and stumbled across a few interesting tidbits that I did not know. Here is one that came up during a conversation about consumer privacy and how aggregated data is being mined for interesting information. Similar to the famous beer-diaper correlation but interestingly different.

Apparently a grocery chain was concerned about attrition and mined data about its customers from its loyalty program to understand this trend (I hope this grocer does not keep personally identifying information and has a good security and privacy policy in place!). They were specifically looking for something that would give advance warning that a customer was about to reduce purchase frequency and maybe stop coming to the store. And what was the bottom line? Milk is the leading indicator!

The short shelf life and the ubiquity of milk dictate the purchase frequency of all grocery items in the home and thus the timing of trips to the store. If customers find milk (better, cheaper, organic, closer, etc.) at a store, they are more likely to purchase other items from that location as well. When customers start reducing their frequency of milk purchase, they are probably substituting from another store.

Interesting, isn't it? Milk – to stop bone loss and customer loss!

Tuesday, November 20, 2007

Who guards the guard and evolution of the hackers?

Yet another aargh.

Computerworld reports a former security researcher, John Schiefer, has admitted hijacking a quarter of a million PCs, using spyware to steal bank and PayPal account information, and making money by installing adware on the massive botnet. Mr. Schiefer could get up to 60 years in prison and faces a fine of $1.75 million; sentencing is scheduled early in December.

Great. Simply great. Who guards the guards?

In analyzing this case and trends in cybercrime, Rich Mogull claims Amrit Williams has “missed the main point” in his blog. Williams says that cybercrooks are becoming “more organized, more sophisticated, and much harder to detect with traditional security measures.” Rich says Mike Rothman is more on target, when he says that it’s not about the level of penalty, it’s simply about the matter of getting caught…which, says Mike, most hackers obviously don’t want to happen.

Rich argues for increased enforcement of laws already on the books, saying that penalties are fine, but as long as you have rules that aren’t enforced, the bad guys will continue to act with a blatant disregard for those laws.

It seems to me that they’re all touching upon the same fundamental point, but from different angles. Amrit’s "I shall be more careful and more sophisticated” actually complements and leads to Mike’s “I don't think I will be caught” perspective. Seems Darwinian, interestingly enough: The lesser hackers will become extinct as stronger ones evolve. As long as there is money to be made, I think we will see evolution.

Wednesday, November 14, 2007

PCI compliance – are you just checking the box?

I will be presenting at the RSR conference this week, and this has me thinking more deeply about the challenges that retailers are facing in complying with the Payment Card Industry (PCI) standards. I speak with many retailers in my role – BitArmor helps them secure and manage cardholder data in their environments. One of the challenges that retail CISOs face is selling senior management on the funding of PCI initiatives. Often, senior management would rather invest in opening a new store than in purchasing an encryption solution to secure their existing infrastructure. For them, PCI is viewed as a necessary evil: many retailers are simply trying to check the compliance box instead of embracing the business benefits that PCI compliance can bring.

Is there value beyond just checking the box?
PCI compliance efforts deliver significant value beyond the immediate data protection benefits. As part of becoming compliant, many retailers are being forced to rethink their systems, data paths, security models, networks, and policies. Fully addressing PCI requires solving these hard process problems, and this is an opportunity to build a strong operational base (making you competitive and agile) for the future of the company. As a result, working towards PCI compliance can increase both revenue and profit.

I see PCI (and so do many retail technologists) as today’s Y2K for retailers. Over the past 10 years, many companies have benefited from their efforts to address the Y2K bug. Y2K catalyzed massive investment in IT infrastructure that improved corporate processes and facilitated more efficient relationships with customers. The similarities between Y2K and PCI initiatives are striking. I believe the benefits will prove to be similar as well.

IT funding exists within many retailers to address PCI challenges. Retailers that take PCI compliance seriously and implement deep operational changes will reap many benefits. Those who view it as an exercise to pass an audit are missing a huge opportunity.

Wednesday, November 7, 2007

Britain mulling "random" audits to enhance data protection..

Britain's House of Lords recently issued a report on Internet security, urging the Government to examine “as a matter of urgency” that country's laws regarding standards of data protection as they apply to businesses. The report says current laws on the books don't have enough teeth; it says the government should have the authority to conduct “random audits of the security measures in place in businesses and other organisations holding personal data.”

Wow. Imagine the uproar that would erupt here in the United States, if anyone introduced legislation suggesting the government could randomly check to see if businesses are keeping their data safe. Granted, most states have laws that mandate public disclosure in the event of a data breach, and Minnesota has passed a law that makes offending businesses responsible for the cost of remediation. But these laws are designed to address post-breach actions; they don’t enable the government to check prior to any incident.

At what point, however, does the public become so fed up, so wary of doing business with companies that apparently treat data in a seemingly cavalier manner, that Congress passes such a law as recommended by the House of Lords' report?

We must police ourselves to keep secure data controlled. We must ensure that private information remains private, regardless of where it ends up…on or off the network. And we must train our people to continuously implement the policies we’ve developed; technology is a part of that equation, of course, but only part.

If we don’t, we run the risk of falling prey to those who would take advantage of us. And we run the risk of having irate lawmakers, driven by irate constituents, implement new (and onerous) rules that make it far more difficult for us to conduct business. We fail to control the data entrusted to us at our own risk.

Friday, October 26, 2007

The Governator flexes for privacy!

Well, you can’t accuse Arnold Schwarzenegger of doing nothing about protecting citizens and stopping data breaches.

While the California governor has come under fire for vetoing a bill that would have required businesses to better protect customer information, he did sign another bill, mandating that California government agencies must truncate taxpayers’ Social Security numbers, so that no more than four numbers are displayed publicly. He also signed a third bill, ordering that consumers’ “personal health records” comply with the state’s existing medical privacy laws and require that consumers be notified when their medical or health insurance information has been lost, exposed, or stolen.

Say what you will about his failure to sign all three bills, the truth is that Governor Schwarzenegger took a step in the right direction. While California law will not be as stringent as Minnesota’s when it comes to mandating that businesses protect customer data, or suffer the consequences, it is more protective than before.

Which begs a simple question: why should we need such laws before we act?

No, I haven’t been drinking too much Kool-Aid; this is a relatively elementary matter. It’s something all businesses should consider. For instance, if you’re keeping personal information about your employees or customers, shouldn’t you be keeping their Social Security or credit card numbers under lock and key? Shouldn’t those numbers be encrypted? Shouldn’t you have plans and procedures in place to carefully regulate who has access to that information and how and when they can do so?

And before you tell me, “it’s going to cost too much money to do that,” consider how much it’s costing TJX to settle the data breach cases filed against it. Maybe it’s just me, but I don’t think there are that many companies that can afford to spend $200 million, when they could have spent just a small percentage of that making their systems more secure…which is something they should do in the first place.

Realistically, you should be looking at the steps your company is taking to control the data that’s under your responsibility: ask yourself, “What policies do we have to ensure that people who shouldn’t see this data don’t see it? What have we done to restrict access to the information? And how do we prevent unauthorized access if somehow the information makes it off our network, either through email, USB drives, or even if we’re hacked?”

‘Cause if you don’t do it, please rest assured that there are lawyers somewhere who will be more than happy to ask a jury those very same questions. And in this era, you may not like the answers they deliver.

Yeah, the Governator did the right thing in signing the bills. Companies need to do the right thing by their customers as well, and not wait to act until they’re forced to do so.

Monday, October 15, 2007

Clooneygate and the need to secure and manage data

So, it’s come to this: a fellow can’t even go to the hospital any more without his private medical records being considered fair game for journalists. And with the headlines about George Clooney, we should all be appalled at how this happened, and reconsidering what we need to do to ensure that the information that we consider most important doesn’t make it out to where it shouldn’t be.

Here’s what happened: Clooney was injured in a motorcycle accident in New Jersey last month. He was taken to a hospital for treatment. Apparently, more than two dozen hospital workers were able to access his medical records, and at least one of them leaked some of that information to the media. The fact that such a disclosure is in direct violation of HIPAA regulations seems not to have bothered them at all.

Each of the workers has been suspended by the hospital for a month for the breach. And while Clooney himself has taken the high road (saying in a statement, “While I very much believe in a patient’s right to privacy, I would hope that this could be settled without suspending medical workers.”), it points up a very real problem which businesses of all sizes face: the need to control data, especially sensitive data, using technology (such as encryption), policies (such as access control, background checks), education and obviously a big stick.

A significant portion of unauthorized accesses to private or corporate-critical information will not come from the outside. No, many of these incidents will come from behind your firewall...from the workers within your company whom you trust every day – most of it due to negligence, rather than obvious malfeasance as evidenced in this case. And if they succeed, not only do they access information they really should not have, but they leave you vulnerable to being punished under any one of the myriad of regulations that are out there, both from Federal and state governments (SOX, GLBA, Minnesota HF 1758) and those from the private sector (PCI DSS).

Which, of course, reinforces the absolute need for companies to control their data from the moment it is created, and to ensure that only those people with an absolute need to know have access to it. Taking it further, companies need to remember that data does not exist solely on the network; it’s entirely possible that any one of the hospital workers may have copied Clooney’s medical information onto a USB drive and left the hospital with it.

While technology cannot prevent authorized users from accessing sensitive information for the wrong reasons, it can make it harder for them to move it outside of the organization. Furthermore, technology can absolutely stop people not authorized to see private information from gaining access to it. Encryption and access policies that persistently reside with the data, not simply on the network, can render that data unreadable to anyone not authorized to see it, regardless of where the data ends up (e.g., a USB drive, laptop, etc.).
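One concrete way to make an access policy "persistently reside with the data" is to store the policy inside the encrypted envelope and bind it to the ciphertext as AES-GCM additional authenticated data, so that a copy taken off the network carries its own rule and cannot have that rule quietly edited. The example below is added here to illustrate that idea; it is not BitArmor's product code or anything from the original post, and the `Policy`, `Envelope`, `Seal` and `Open` names, the fixed demo key and the sample record are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Policy is the access rule that travels with the data. It is bound to the
// ciphertext as AES-GCM additional authenticated data (AAD), so editing the
// policy on a copied file also breaks the integrity check at decrypt time.
type Policy struct{ Readers []string }

// Envelope is the self-describing object that gets copied around
// (USB drive, laptop, e-mail): policy + nonce + ciphertext.
type Envelope struct {
	Policy     Policy
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts record and binds policy to the resulting ciphertext.
func Seal(key []byte, policy Policy, record []byte) (*Envelope, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(policy) // struct encoding is deterministic
	ct := aead.Seal(nil, nonce, record, aad)
	return &Envelope{Policy: policy, Nonce: nonce, Ciphertext: ct}, nil
}

// Open checks the embedded policy first, then verifies that neither the
// policy nor the ciphertext was altered before releasing any plaintext.
func Open(key []byte, principal string, env *Envelope) ([]byte, error) {
	if !allowed(env.Policy, principal) {
		return nil, fmt.Errorf("policy denies %q", principal)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	aad, _ := json.Marshal(env.Policy)
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("policy or data tampered: %w", err)
	}
	return pt, nil
}

func allowed(p Policy, principal string) bool {
	for _, r := range p.Readers {
		if r == principal {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key only
	env, _ := Seal(key, Policy{Readers: []string{"billing"}}, []byte("constructed sample record"))
	env.Policy.Readers = append(env.Policy.Readers, "orderly") // edit policy on the copy
	_, err := Open(key, "orderly", env)
	fmt.Println("edited policy:", err) // integrity failure, no plaintext released
}
```

Key management (who holds `key`, and how it is released only to authorized principals) is what actually stops a reader outside the policy; the envelope shown here guarantees that the policy and data cannot be separated or altered without detection.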

Again, this isn’t about George Clooney. It is about every company that must protect its information. Your data is constantly at risk, from within your organization and beyond. If you choose not to address the challenge from a holistic perspective, you run the risk of ending up in a true wreck…one that has nothing to do with a motorcycle.