Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Data protection’ Category

Google: Do What You Say

with 5 comments

First, let me start stating that this is NOT a security issue with Google, even though it might be presented this way.

Unless you were hiding in a cave in the past hours you know that Google is taking some serious steps to protect its customers (you, me, all of us) after it was attacked one more time (see “Google on the defensive, vulnerable; China risks international and U.S. response”). Among other things, “Google Finally Improves Security of Gmail Connections as Consumer Watchdog Urged”, which is great:

Consumer Watchdog said Google should use encryption for connections to all its Internet-based services, not just Gmail. The new security measures would not have prevented the sort of cyber attack that targeted Google from China. It does increase security to prevent third parties from snooping as information moves from a computer over a network to Google’s servers. Google has offered SSL encryption using the https protocol as an option since 2008.

But if you look at the screenshot you can see that NOT all the traffic is encrypted… While this might be OK for static pages, who knows what other pages are not protected with SSL? Why can’t you turn it on for the entire site? It would add more credibility and assurance…

HTTPS by default - not so sure

Written by sharon

January 13th, 2010 at 11:51 pm

Posted in Data protection,Snafu


The fickle nature of risk

without comments

Many security companies sell what they call a DLP solution. In many cases this DLP solution is a grouping of regular expressions that looks for SSN and CCN and maybe other items. The limited protocol coverage and limited granularity of the engine gets re-positioned as built in simplicity. Cisco and Proofpoint jump to mind but there are many others.
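As an added illustration of the kind of engine described above (example code written for this page, not any vendor’s product), here is a regex-only SSN/CCN scanner run over constructed sample text, with a Luhn pass added to show how many of the raw regex hits are not card numbers at all; the patterns, the sample lines and the Luhn step are assumptions for illustration:

```python
import re

# Constructed sample text (not from the page): one real-format card number,
# two card-shaped look-alikes, a dashed SSN, an undashed SSN and a phone number.
SAMPLE = """\
Card on file: 4111-1111-1111-1111, exp 11/12.
Invoice ref 4412 0000 0000 0001 shipped Monday.
Order number 1234567812345678 (internal id, not a card).
SSN 123-45-6789 was pasted into the notes field.
Backup copy: ssn=987654321 (no dashes, so the pattern below misses it).
Call back at 555-123-4567.
"""

# Patterns of the sort a regex-based "DLP" engine ships with (assumed here).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Regex pass first, then a Luhn pass over the card-number candidates."""
    ccn_candidates = [m.group(0) for m in CCN_RE.finditer(text)]
    ccn_valid = [c for c in ccn_candidates if luhn_ok(re.sub(r"[ -]", "", c))]
    return {
        "ssn": SSN_RE.findall(text),          # dashed SSN only; undashed one is missed
        "ccn_regex_hits": ccn_candidates,     # three card-shaped strings
        "ccn_luhn_valid": ccn_valid,          # only the genuine test number survives
    }


if __name__ == "__main__":
    for key, hits in scan(SAMPLE).items():
        print(f"{key}: {hits}")
```

Three of the six lines are flagged by the card regex, one survives the Luhn check, and the undashed SSN is never seen: that gap between "regex hit" and "sensitive record" is the granularity problem the paragraph refers to.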

At the heart of this approach is an assumption that data security is just another version of network security. A credit card in an email is somehow just the same as a virus in a web download. Well, technically it might seem that way, but I would like to propose that this assumption is as far from reality as possible.

To demonstrate this point, let’s look at the nature of the risk surrounding data security. I will demonstrate using a single standard, with a single set of predefined “punishments”, a similar scope of breach, but a resoundingly different outcome. I compare two incidents where PCI DSS (the payment card industry’s notorious and somewhat silly data security standard) was triggered by a lack of any data governance whatsoever, resulting in massive breaches.

The two companies are CardSystems Solutions which lost 40 million customer records out of its Tucson office and TJX where over 94 million customer records were siphoned (according to the lawsuit filed against the perpetrators of that breach).

The cases are similar:

1. Both companies had very little to no data governance. (The companies will not agree to this point, but a company that sends out 94 million records whether knowingly or not has NO data governance IMHO).

2. Both companies had installed some malware that siphoned off millions of records that were used to steal identity of customers.

3. Both companies had an abrupt change in PCI status (fully compliant the day before the breach, and non-compliant the day after – funny, and indicative of a fundamental flaw in PCI DSS).

4. Both companies accepted their responsibility with the caveat that “it was not their fault” (as if it was not their servers, their IT systems, or their lack of governance).

In spite of the above similarities, there is very little resemblance in the risk profile, as can be attested by the outcome of the breach. CardSystems ended up paying the ultimate price, cleaning up shop and being required to sell their assets to Solidus Networks (Pay by Touch). Meanwhile TJX is doing well. The discount retailer thrives in a bad economy, scooping back customers from Nordstrom and Neiman Marcus (Ahem). At most, TJX’s response was summarized in a series of letters from its CEO Carol Meyrowitz.

The one difference between the two scenarios is the risk profile. CardSystems had no public face. They were one of many processors operating in the background. They could not afford the cleanup (expensive post breach hush money to pay-off FTC, PCI members, court fees, class action payoffs, etc.). Visa, MasterCard, and Amex exercised their muscles and forced the company (now without customers) to sell its assets and cease existence.

TJX meanwhile, was a cash cow, making the credit card industry vast amounts of cash. A “slap on the wrist” was the most the credit card companies did to TJX. After pay-offs (hundreds of millions of dollars) all was well.

(BTW, the latter is not unique: Hannaford Brothers supermarkets had a similar incident with similar results to TJX).

So next time you hear the message that in data security “one size fits all”, I propose that you verify that the technical and business capabilities of the solution really do align with your risk profile.

/al

Written by assafl

August 14th, 2009 at 2:29 am

Amex – Where is PCI?

with one comment

Ok – so this stuff bugs me. Whenever a company sets up standards for others to live by but fails to live up to the same standards themselves I get annoyed. Amex is the “bully” in point.

See http://www.kpho.com/money/19936013/detail.html for a story in which two guys who worked at Amex were able to abscond with “thousands” of credit card numbers and “millions” of customer dollars.

I have two Amex cards. So I went to the Amex website to figure out if my card was somehow exposed. NADA. Not a single word anywhere on the site (perhaps I missed it?).

What is the use of PCI if one of the three card peddlers (Visa and Mastercard being the other two) reflects an attitude of indifference towards protecting MY data?

Wake up Amex CEO: Kenneth I. Chenault. I entrust you with my data. It is time for you to protect it! Mighty nice of you to harass others with odd PCI requirements. Perhaps it is time you pass a PCI audit yourself.

/al

Written by assafl

July 8th, 2009 at 3:51 pm

Good Restaurants, Security Breaches & The (wrong) Lightning Myth

without comments

lightning will hit the same place more than once

I like to revisit good restaurants. If I like the place they will see me again. In one or two places I don’t even have to see the menu. I’m using the good restaurant analogy to describe why hackers revisit previously hacked sites: they know the place and feel comfortable. Hackers would return to the “scene of the crime” and hack if they can.

Recently one of our salesmen forwarded me a note from one of his prospects, who was hacked in the past. The team at that company decided that since they were hacked once, the chances of getting hacked again are very low. “Lightning does not hit the same place twice,” the prospect wrote.

That’s wrong of course. Lightning can strike any location more than once. It’s not just statistical; given enough time, it is actually inevitable. Some places (like high radio towers) will get hit several times within a single lightning storm. See also here.

Poorly secured applications and databases are to hackers what radio towers are to lightning. They will get hit several times. One cannot change the weather or prevent a lightning storm, but one sure can prevent the next hack, data theft and loss of data.

Written by sharon

January 22nd, 2009 at 12:24 pm

Poor Aaron, Good for Data Protection?

with one comment

Yahoo! is reducing costs and sending people home. In my opinion they could have saved a lot of money just by not sending all those proxy letters and tons of other items to my address. (Yeah, I have a few shares.) As expected, the internal presentation explaining how to cut employees was leaked to the Internet. I guess that the Internet Protocol (IP) doesn’t really work that well when the Do Not Forward bit is defined as text on a PowerPoint.

As a second thought, maybe there’s an opportunity for a new start-up to create the technology to embed ‘Do Not Forward’ text into packets that can never leave the network.

So Aaron got the sack, and articles regarding the threats of a sluggish economy and recession era (such as this) are common. Organizations should protect sensitive data at all times based on their risk management strategy. Unfortunately, such times help us to understand the risk better. I’m not saying that the damage of leaked presentations (BTW, I think that the content itself is good, but the context is awful) is on Yahoo!’s top risk matrix, but I do think that organizations should set their strategy for data protection.

Written by sharon

December 11th, 2008 at 12:54 pm