[SecurityRatty] tag: extremely

Not Your Father's Data Breach

Thu, 20 Nov 2008 06:37:59 +0000

I am surprised this doesn't happen more often, or become public when it does happen, and I suspect it will:

Corporate custodians of confidential medical data should be closely monitoring events connected to a nightmarish computer security breach in the St. Louis region.

Express Scripts is one of the nation’s largest pharmacy benefits managers. The company, with headquarters in St. Louis County, handles approximately 500 million prescriptions per year for 50 million workers at 1,600 American companies. Early in October, it received an extortion letter, the details of which it released on Nov. 6.

The letter included personal information on about 75 Express Scripts clients — Social Security numbers, dates of birth and, in some cases, information about prescription medications. Whoever sent the letter demanded money from the company — the amount has not been disclosed — and threatened to use the Internet to reveal personal and medical information about millions of people if the demands were not met.

...

Beyond the scale of the problem for Express Scripts — and the potential impact on the company is enormous — the issue extends well beyond the mounting concerns about identity theft, a phenomenon with which most people have become at least somewhat familiar.

The greater problem is the unique nature of personal medical records, the importance of moving to computerization of such records to improve health safety and reduce costs and the irreversibility of the damage people can suffer if confidential medical information becomes public. The stakes are so high that a federal law establishes strict standards for maintaining the privacy of medical information and stiff fines for failing to do so.

Medical records of all kinds — paper and, especially, electronic — must be protected with the most sophisticated kinds of security systems available, including backup protections and automatic alerts of security violations. Yet Express Scripts learned of this breach in the “worst way,” as InformationWeek.com security correspondent George Hulme put it in an online report: “via an extortion letter.”

The Express Scripts breach raises many questions for all elements of the health industry: hospitals, clinics and doctors’ practices, benefits management firms, insurance companies, pharmacies, employers and government agencies:
Are they using the most advanced information security technology possible? Do they minimize the amount of data they collect and keep it only as long as necessary? Do they have strict protocols governing access to personal and medical data — and systems to enforce those protocols? If criminals were to hack into their systems, how would the companies know? How soon? And are the systems capable of instantly cutting off illegal access as soon as a breach is discovered?

Confronted with a grave breach of electronic security, Express Scripts has responded by contacting law enforcement, establishing an informational website, offering a substantial reward and hiring a private consulting firm to help clients who have privacy concerns and investigate situations that “appear to be tied to identity theft” and provide “identity restoration services.” There is no question that the company is taking the situation extremely seriously.
Given the ongoing criminal situation, information about how Express Scripts’ data systems were compromised — and whether it could have been avoided — has yet to be disclosed. But the American people have the right to expect that their sensitive personal and medical information is zealously protected and kept secure — not only by Express Scripts but also by every person or company entrusted with it.

The reason I am surprised this doesn't happen more often is that many Fortune 500 companies have oceans and oceans of personal data. Almost the only companies that have even tried to get to a medium level assurance are financial companies, yet many of the other companies have as much or even more data, with lower assurance. All that was lacking in the mix was an incentive and a bit of creativity and risk taking by the bad guys.

I posted this to the security metrics list and Andy Jaquith quoted it in his great book Security Metrics:

"Customers and customer relationships...have tangible measurable value to businesses, and their value is much easier to communicate to those who fund projects. So in an enterprise risk management scenartio, their vlaue informs the risk management process...[For example, consider] a farmer deciding which crop to grow. A farmer interested in short term profits may grow the same high yield crop every year, but over time this would burn the fields out. The long term focused farmer would rotate the crops and invest in things that build the value of the farm and soil over time. Investing in security on behalf of your customers is like this. The investment made in securing your customer's data build current and future value for them. Measuring the value of the customer and relationships helps to target where to allocate security resources."

Of course this is the opposite of how most organizations do risk management and security architecture, and now, the fields have turned brown.

(Thanks to Chris for pointing me to this story)

Risk or Security Management: What's In a Term?

Tue, 11 Nov 2008 11:59:18 +0000

When Gartner security and risk analysts give presentations, write research or talk to clients, we often get criticized for using the terms security and risk management interchangeably. This is deemed to be confusing by the audience as they try to articulate a clear differentiation between these terms. Indeed, in large sections of our client base, vigorous debate is being held on defining, differentiating and positioning information security vs. information risk management.

Well, maybe such a clear differentiation is not always required. Maybe security and risk management is so intertwined that continuously trying to separate them becomes counterproductive. Let's try to look at this objectively: I can make a clear argument that security is an integral part of risk management. But I can make a similarly cogent argument that risk management is an integral part of security management. The definition is largely in the eye of the beholder. It is contextual and situational. Maybe security and risk management are not the two sides of the same coin - maybe these disciplines are so integrated that they ARE the coin. The business is interested in the coin, not the pictures embossed on either side of it.

I am not arguing that the security and risk management are one and the same. They are indeed discrete disciplines with different functions and activities. And from an organizational perspective, is it important the different roles are named appropriately to the responsibilities of the individuals concerned. But let's be frank, does your business really care whether you call yourself a security manager or a risk manager? All they want is for (both of?) you to help them manage your information security and IT risks appropriately.

Risk management and security management. It's not either/or. Black or white. So here is my call: Let's spend less time debating and arguing the differences, and more time on using and maturing these extremely important, completely interrelated disciplines.

Reading a Letter from the Envelope it Was In

Tue, 11 Nov 2008 04:55:21 +0000

Fascinating:

Paul Kelly and colleagues at Loughborough University found that a disulfur dinitride (S₂N₂) polymer turned exposed fingerprints brown, as the polymer reaction was initiated from the near-undetectable remaining residues.
Traces of inkjet printer ink can also initiate the polymer. The detection limit is so low that details of a printed letter previously in an envelope could be read off the inside of the envelope after being exposed to S₂N₂.

"A one-covers-all versatile system like this has obvious potential," says Kelly.

"This work has demonstrated that it is possible to obtain fingerprints from surfaces that hitherto have been considered extremely difficult, if not impossible, to obtain," says Colin Lewis, scientific advisor at the UK Ministry of Defence. "The method proposed has shown that this system could well provide capabilities which could significantly enhance the tools available to forensic scientists in the future."

Microsoft Releases Emergency Patch For Critical Windows Vulnerability

Thu, 23 Oct 2008 21:01:14 +0000

Microsoft has released an out-of-band patch to fix an extremely critical vulnerability that exposes Windows users to remote code execution attacks. The emergency update comes just one week after the regularly scheduled Patch Tuesday and follows the discovery of a targeted zero-day attack, Microsoft said in an advisory. The vulnerability is rated critical on Windows 2000, [...]

A horse's ass approach to virtualization security - Part 3 - Data is the "constant"

Thu, 23 Oct 2008 16:51:00 +0000

The third in the series where I am trying to think through the current approaches to securing virtual environments...

See part one and two here...

Virtualization enables organizations to optimally manage their infrastructure resources. It can provide significant cost benefits (by sharing resources), flexibility (by just-in-time allocation of resources where they are needed), and agility (speed of provisioning resources). Therefore, organizations have been able to virtualize:

Devices/OS: Companies such as VMWare, Citrix, Microsoft, and Sun are providing hypervisor, virtual machine, and virtual device solutions where several virtual “devices,” “servers,” or “desktops” can mimic separate physical devices.
Networks: Virtualized networks enable dynamic collaboration by slicing bandwidth into virtual, isolated channels that can be assigned to a particular set of devices, real or virtual. Setting up new connections and collaborative environments becomes extremely easy.
Applications: Virtual applications can either be streamed down to execute on local desktops (Microsoft App-V or Altiris SVS) or executed remotely from server farms such as Citrix XenApp. This allows applications to be portable and accessible from anywhere while reducing inter-application conflicts.

However, organizations will never be able to virtualize the fourth element, I talked about in teh second blog post — the data itself. The focus of device, network, and application virtualization is about flexibility, resource sharing, and agility. This involves short life spans, since these elements are brought up to fulfill a specific short term task, and upon completion, they are brought down or even deleted. Data, however, has a lifetime beyond the short term and will therefore live on for further use or analysis in a non-virtual or subsequent virtual world.

This makes data the “constant” in a dynamically changing environment — even if the location of data itself is virtualized. Data will also have the longest lifetime of the four elements in the infrastructure and thus will have to live “outside” of the virtual environment. Therefore, from a security standpoint, it is imperative that data becomes the focus of protection - and we dont just continue protecting the infrastructure. Data is the critical asset, and since it travels across boundaries and lives longer than virtual elements, it can be easily compromised.

Critical Flaws Patched In Opera 9.61, New Zero-day Vulnerability Remains Unpatched

Thu, 23 Oct 2008 07:24:30 +0000

New Opera 9.61 makers correct an issue where History Search could be used to reveal browser history (rated extremely severe). Also fixed: a Fast Forward bug that allows cross-site scripting (highly severe) and an information disclosure flaw in news feeds (also highly severe). On the same day Opera shipped a browser update with patches for [...]

The High Cost of Being Wrong: Why Data Detection Matters

Mon, 20 Oct 2008 04:00:00 +0000

Imagine you see a car stopped on some train tracks, and you hear a train coming. How do you react? Do you ignore the sound of the train, thinking it won’t hit the car? In that same vein, not having an accurate data loss prevention (DLP) solution in place within your organization is akin to standing by and watching that train wreck about to happen – all while pretending you can’t see what’s going on even though the train’s horn is blaring.

In my ten years of experience in the search and categorization space, I can tell you that the risk of a DLP software policy allowing false negatives, when sensitive documents are missed by the policy and considered safe, is potentially extremely costly to a company...

Given the Current Economic Turmoil, What Should IT Managers Do?

Fri, 17 Oct 2008 07:38:02 +0000

Gartner's Compliance & Risk Management Research Community met recently and considered what IT managers should do given the economic turmoil spreading around the world.

What started as a problem with risky mortgages in hot real estate markets in the United States has spread to Wall Street with a devastating impact on the financial health and well being of a number of banks and an insurance company. Each day, the turmoil spreads, first to the equity and commodity markets where investors and speculators attempt to preserve what capital remains. Next, the central banks and governments rush in with an infusion of liquidity in an attempt to keep the money flowing through the world's financial market.

The media commentary on the current financial crisis sounds the tone that all the laws of economics and free markets no longer apply. The reporters sound as if the next developments will be Mother Nature suspending the laws of physics and gravity. Against this backdrop, CIOs and IT managers wonder, "What do we do?"

There is no denying that business as usual is not currently happening. To speculate or attempt to deal with the regulatory fallout that will follow this financial crisis is currently a waste of time. The central focus that CIOs must address now is what impact will this financial crisis have on IT in the next budget cycle. Also, how can IT help the enterprise demonstrate trustworthiness to key stakeholders, maintain critical functions that drive revenue and cash flow, and focus on the needs of the people who work for your organization.

At the heart of the current financial crisis is a lack in confidence in the credit markets. Government officials report that interbank lending has ground to a halt, which prompted the U.S. Federal Reserve to step in on 7 October 2008 and offer direct short term lending to U.S. corporations.

First, to combat this lack of confidence permeating the market, enterprises should take extraordinary means to increase their financial transparency and demonstrate that they have the ability to meet their obligations to creditors, customers, and the communities where they are located. Senior management must develop and exercise a voice in the public policy dialog immediately - and voluntarily. Do not wait for Congressional subpoenas, shareholder meetings, or ambush interviews by the media. Tell the world, honestly, about the state of your company and its plans for the near term and the long view.

Second, everyone must develop a laser-like focus on the organization's value proposition, those intangible reasons that define why your enterprise exists. To leverage an old cliché, every oar must be in the water and pulling in the same direction. The goal is not just to make it to the finish line, but to survive. Ancillary or tertiary projects must be postponed for a later time; and tasks that improve customer service, remove friction from processes, and increase cash flow should be top priorities.

Finally, think about the people who work for you. No doubt they are scared by the uncertainty about the future. Management must be honest and open in keeping the rank and file apprised of the organization's situation. They should be encouraged to communicate that information in a timely fashion with friends and neighbors in the community. Management should be extremely sensitive to non-work related issues that may have an impact on employee morale and well being. The most obvious is related to housing, mortgage default and potential foreclosure. However, it can extend beyond the most obvious issues. The problem with short-term lending is also having an impact on some governmental agencies, and some school districts are cutting back to only four days of instruction, forcing many parents to scramble and find new daycare arrangements.

Q&A: Threats to the US critical communications infrastructure

Tue, 14 Oct 2008 12:41:00 +0000

Paul Parisi is the CTO of DNSstuff.com and has an extremely broad and deep technical background offering reality based solutions to everyday issues. In this interview he discusses the biggest threats ...

A Life or Death InfoSec Subversion

Wed, 08 Oct 2008 00:42:07 +0000

Details about failures of complex and well-implemented information-based attacks on systems are extremely difficult to obtain. However, here the authors examine a real-life analogue—an information attack on a highly complex security system, that of the Colombian guerrilla group FARC. This operation included a man-in-the-middle attack, targeted denial of service (DoS), and authentication subversion. The attack on FARC's communications structure is interesting not only because of its electronic and analog components, but also because it was a life or death matter. The authors examine the hostages' liberation from an information security perspective, compiling data from several Colombian newspapers and magazines and using the most accepted version of the events.