Monday, March 30, 2009

Devolution, job responsibilities and data-centric security

Seems like the data/information-centric approach to data protection is gathering more steam. Interesting article in CSO Magazine by Forrester analyst Andrew Jaquith talks about giving up control to gain control - using a data-centric security approach. Very interesting.

It talks about moving away from an infrastructure-control perspective toward a data-centric one, and devolving responsibility to those who actually use the data.

Here is a short excerpt:

"Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization."

Another excerpt I agree with:

"Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption-everywhere, enterprise key management, NAC, and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move; information classification isn't ingrained into work processes; technical solutions aren't standardized; and accountable parties are too far from the controls."

The main one (the highlight above is my emphasis): data is meant to move, be distributed and gain in value! You cannot stop data from moving and still be a friend of the business!

The Chinese Cyber very, very, very, targeted attack

Incredible news about the cyber attack launched from China - and it's taking over systems worldwide.

What is amazing about this is the large number of countries attacked (103) compared with the small number of computers actually affected (1200)! Just about 10 systems a country - now that's a targeted attack! And to top it off, apparently over 30% were "high-value" systems, including those within the embassies of many countries.

It is remarkable that something this targeted can be achieved with a single piece of malware - unless it is the second phase of a campaign in which an earlier one was spread wide, segmented the market and finally targeted those that are important.

Without taking away from the seriousness and criminality of it, the marketer in me is impressed - and shocked.

Wednesday, March 18, 2009

Heartland and Visa - a big case of CYA?

The latest salvo in the Heartland saga is Visa's decision to delist both Heartland and RBS WorldPay from the PCI DSS compliance list. According to a harsh assessment by Avivah Litan, Gartner analyst: "It's all legal maneuvering by Visa," Litan said. "This is PCI enforcement as usual: They're making the rules up as they go."

Ouch. These are interesting developments, and they raise some questions:

  • Is complying with PCI not enough anymore?
  • Was Heartland really compliant?
  • Or did the auditors not do a good job when they looked at Heartland?
  • Do compensating controls not do the job?
  • Is the PCI standard too vague and open to interpretation?
  • Or is Visa just ensuring it does not get caught in the legal storm brewing around the breach?

Questions, questions...

I hope that this drives the industry forward in creating better standards, better auditors and better solutions that can address the increased threats we face daily - all we can do is look for the silver lining in this debacle...

Thursday, March 5, 2009

Fraud affecting the huddled masses

Could not believe the recent Gartner analysis that says that 7.5% of Americans are hit with financial fraud - a good chunk of it due to breaches, phishing etc. That is about 22M people, assuming a population of 300M. That's a lot!

From the article:

"Gartner says financial losses are highest in the case of new-account, credit card and brokerage fraud, with the average cost per incident totaling $1097, $929 and $900, respectively."

The amount of money lost is staggering - if we assume a more conservative number of $500 lost for 22M Americans who have been defrauded - that's a total loss of $11B in 2008!

But wait, there's more -

"Victims of brokerage, credit card and debit card account fraud find it easiest to recover their losses, receiving an average of 100%, 86% and 77% of the funds stolen, respectively."

These defrauded customers get their money back - and the banks have to pay for these losses! (Well, they get it back from the customers through increased fines and interest.)

I guess the point I am making is - the losses are real, the pain is real. We need to work to reduce these losses and fraud.