<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: outsider]]></title>
    <link>http://securityratty.com/tag/outsider</link>
    <description></description>
    <pubDate>Thu, 26 Jul 2007 16:42:00 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Top NSA Scribe Takes Us Inside The Shadow Factory ]]></title>
      <link>http://securityratty.com/article/b03afc233d8d536bb9c29cd4e23c0ce5</link>
      <guid>http://securityratty.com/article/b03afc233d8d536bb9c29cd4e23c0ce5</guid>
      <description><![CDATA[No outsider spends more time tracking the labyrinthine ways of the National Security Agency than James Bamford. But despite three books on the U.S. government's super-secret, signals-intelligence...]]></description>
      <content:encoded><![CDATA[No outsider spends more time tracking the labyrinthine ways of the National Security Agency than James Bamford. But despite three books on the U.S. government's super-secret, signals-intelligence service, even he gets lost in the maze.]]></content:encoded>
      <pubDate>Tue, 14 Oct 2008 16:37:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/national security agency">national security agency</category>
      <category domain="http://securityratty.com/tag/outsider spends">outsider spends</category>
      <category domain="http://securityratty.com/tag/james bamford">james bamford</category>
      <category domain="http://securityratty.com/tag/government">government</category>
      <category domain="http://securityratty.com/tag/super-secret">super-secret</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/maze">maze</category>
      <category domain="http://securityratty.com/tag/service">service</category>
      <category domain="http://securityratty.com/tag/books">books</category>
      <source url="http://feeds.wired.com/~r/wired/politics/security/~3/420980626/bamford-intervi.html">Top NSA Scribe Takes Us Inside The Shadow Factory </source>
    </item>
    <item>
      <title><![CDATA["Walking" with the SDL - Part 4]]></title>
      <link>http://securityratty.com/article/ce96a44cff02b1bc67ce9b397efe89a4</link>
      <guid>http://securityratty.com/article/ce96a44cff02b1bc67ce9b397efe89a4</guid>
      <description><![CDATA[Jeremy Dallman here with the final piece of my multi-part series on Walking with the Security Development Lifecycle (SDL) [ Part 1 , Part 2 , Part 3 ]. So far I have discussed getting management...]]></description>
      <content:encoded><![CDATA[<p>Jeremy Dallman here with the final piece of my multi-part series on “Walking” with the Security Development Lifecycle (SDL) [<a href="http://blogs.msdn.com/sdl/archive/2008/07/18/walking-with-the-sdl-part-1.aspx">Part 1</a>, <a href="http://blogs.msdn.com/sdl/archive/2008/07/21/walking-with-the-sdl-part-2.aspx">Part 2</a>, <a href="http://blogs.msdn.com/sdl/archive/2008/07/23/walking-with-the-sdl-part-3.aspx">Part 3</a>]. So far I have discussed getting management approval, expanding security training, formalizing security requirements and effective ways to reuse your threat model or attack surface review data. In this post, I will wrap up with a look into setting up final security reviews and managing post-release documentation.</p>
<p><b>Formalize your Final Security Review (FSR) Process</b></p>
<p>A Final Security Review is your final security audit to ensure your software is secure enough to deliver to your customers. I will assume the idea of an FSR is a new concept and try to provide some FAQ-style detail on this topic.</p>
<p><b><i><u>Who is the FSR team?</u></i></b> An FSR team usually consists of a security expert from outside the product team (for an impartial perspective), a security representative from the product team, and individual representatives from the separate disciplines. However, a team of that size may not scale to your company. If that is the case, at a minimum you should have an impartial “outsider” separate from the product team who understands the security requirements as well as the measurements used to validate them. This person, along with a project manager, can probably perform the bulk of the FSR, with development or test leadership providing input as needed.</p>
<p><b><i><u>What is needed to do an FSR?</u></i></b> All threat models should be revised to reflect the final product, the code should be complete, and all security-related testing should be completed and documented. In addition, everyone involved in the FSR should have full access to the bug database to review the status of, or exceptions to, security bugs.</p>
<p><b><i><u>What does an FSR team do?</u></i></b></p>
<ol>
<li>Re-review threat models to verify that all mitigations identified in those exercises were implemented or went through an exception process.</li>
<li>Verify that all security issues uncovered during the development process were fixed or granted exceptions by the appropriate people. This is where you verify whether the state of your security bugs meets the “bug bar” requirements you have defined for your products.</li>
<li>If you used output from security tools to define requirements, the FSR team verifies that the results of those tools meet the security requirements.</li>
<li>Review all exceptions to verify that the FSR team still approves these decisions in the context of the final product. If the team identifies risks associated with the exceptions, it should communicate those to the business owners for a final decision before signoff. Any decisions related to known risks should also be reflected in the response plan for future reference.</li>
<li>Finally, there should be a final signoff exercise where all security people and project leadership jointly approve the decision of the Final Security Review.</li>
</ol>
<p><b><i><u>How long does an FSR take?</u></i></b> If done correctly, the FSR will likely take some time. You should schedule this review well in advance of your release date to give your FSR team time to complete the review, push issues back to the product team, and respond to any serious issues that may be discovered.</p>
<p>Final security reviews are a crucial piece of your Security Development Lifecycle. It would be easy to encourage secure development in your team, but as you expand your process to include formal security requirements and begin enforcing those requirements, it is necessary to perform a final audit of your product before it is released. Your customers will thank you for taking the time to add this layer of quality control to your operations, and you will likely save yourself some security embarrassment down the road by adding an FSR to the end of your product cycle.</p>
<p><b>Document security work for reference</b></p>
<p>After the FSR is complete, there is still work for the security team. The final FSR documentation should be archived along with the symbols and code that represent the finished project. This becomes the time-stamped “snapshot” of your product. Your post-release process should include archiving the following documents in an easily accessible location:</p>
<ul>
<li>All final threat models for future reference.</li>
<li>Bug bars, tool settings, and test results related to your project and the supporting tools used to validate. These will be referenced and reused in the next product cycle.</li>
<li>All documented security bug exceptions. These need to be rolled into your next product cycle to ensure they are addressed.</li>
<li>The final symbols that reflect the product shipped should be archived.</li>
<li>The Final Security Report and project signoffs to validate your security audit activity.</li>
<li>Your <a href="http://www.microsoft.com/security/msrc/incident_response.mspx">Incident Response Plan</a> (discussed in the Crawl post). This must be accessible for quick reference if security incidents occur.</li>
</ul>
<p>Archiving this evidence serves a few critical purposes: it provides historic evidence of the work you did to ensure a secure product, allows you to postmortem the results and improve your process each time, and reduces the amount of time your team will have to spend next time around by making the existing resources reusable.</p>
<p><b>In closing…</b></p>
<p>I hope this long series has provided some practical steps you can take to move your Security Development Lifecycle practices to the next level. At Microsoft, creating a lifecycle to match security development practices has faced a fair share of challenges. However, the investment and time have resulted in more secure products. We’ll continue refining how we execute the Security Development Lifecycle and hope to share those ideas with you along the way. We welcome your thoughts and questions as you start “Walking” with the SDL in your own company and look forward to seeing more secure products and customers as a result.</p>
<p>I’ve created a unique tag on the SDL Blog to cover this series. To get a full list of the related posts, click the “Crawl Walk Run” tag on the left column. I’ll post a Word document version of the full “Walk” series sometime in the next week.</p>]]></content:encoded>
      <pubDate>Fri, 25 Jul 2008 16:49:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/product team">product team</category>
      <category domain="http://securityratty.com/tag/requirements">requirements</category>
      <category domain="http://securityratty.com/tag/define requirements">define requirements</category>
      <category domain="http://securityratty.com/tag/security requirements">security requirements</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/final security report">final security report</category>
      <category domain="http://securityratty.com/tag/threat models">threat models</category>
      <category domain="http://securityratty.com/tag/re-review threat models">re-review threat models</category>
      <source url="http://blogs.msdn.com/sdl/archive/2008/07/25/walking-with-the-sdl-part-4.aspx">"Walking" with the SDL - Part 4</source>
    </item>
    <item>
      <title><![CDATA[The insider threat - jobs at risk!]]></title>
      <link>http://securityratty.com/article/ef3c4842b2b54182de7891cb5cd0f121</link>
      <guid>http://securityratty.com/article/ef3c4842b2b54182de7891cb5cd0f121</guid>
      <description><![CDATA[Looks like Her Majesty's Revenue &amp; Customs does not take lightly to employees peeking at sensitive data - they have disciplined around 600 employees

Lots of questions come up - intentional breach,...]]></description>
      <content:encoded><![CDATA[Looks like Her Majesty's Revenue &amp; Customs does not take lightly to employees peeking at sensitive data - they <a href="http://news.zdnet.co.uk/security/0,1000000189,39408914,00.htm">have disciplined around 600 </a>employees.<br /><br />Lots of questions come up - intentional breach, stupid mistakes etc. If the data were protected with the right policies and access controls would this have been prevented?<br /><br />My Dad always said when I leave stuff in my car seat - "Don't tempt folks. Even if they are not thieves, the sight of something valuable can turn people". I started believing this after my car was broken into and it turned out to be a neighbor kid.<br /><br />I firmly believe that taking temptation away (in this case not having access to data you should not) is a great strategy. Insider threats are more troubling, since this is targeted at the most sensitive and valuable data - while the outsider threat depends a lot on luck to get to this.]]></content:encoded>
      <pubDate>Thu, 01 May 2008 17:51:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/valuable">valuable</category>
      <category domain="http://securityratty.com/tag/valuable data">valuable data</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/sensitive data">sensitive data</category>
      <category domain="http://securityratty.com/tag/sensitive">sensitive</category>
      <category domain="http://securityratty.com/tag/car seat">car seat</category>
      <category domain="http://securityratty.com/tag/access controls">access controls</category>
      <category domain="http://securityratty.com/tag/outsider threat depends">outsider threat depends</category>
      <category domain="http://securityratty.com/tag/access">access</category>
      <source url="http://feeds.feedburner.com/~r/BitArmor1/~3/281705027/insider-threat-jobs-at-risk.html">The insider threat - jobs at risk!</source>
    </item>
    <item>
      <title><![CDATA[Presbyterian Hospital admissions rep allegedly steals patient information]]></title>
      <link>http://securityratty.com/article/1472d3fd5c2c44e4a769e4ba5ada2c55</link>
      <guid>http://securityratty.com/article/1472d3fd5c2c44e4a769e4ba5ada2c55</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/12/08

Organization
Presbyterian Hospital/Weill Cornell Medical Center

Contractor/Consultant/Branch
None

Victims
Patients

Number Affected
Over...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/mcpherson.jpg" align="right" height="198" width="165"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/12/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.nyp.org/">Presbyterian Hospital/Weill Cornell Medical Center</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Patients<br><br><span style="font-weight: bold;">Number Affected:</span><br>Over 50,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"names, phone numbers and social security numbers of male patients between 58 and 78 years old"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A former employee of the New York Presbyterian Hospital/Weill Cornell Medical College pleaded guilty on Friday to selling information from the personal records of over 50,000 patients."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://cornellsun.com/section/news/content/2008/04/14/former-med-college%E2%80%88employee-pleads-guilty-charges-identity-theft">The Cornell Daily Sun</a> <br><a href="http://m.nypost.com/ms/p/nyp/nyp/view.m?pid=23907&amp;storyid=106316">New York Post</a> <br><a href="http://www.upi.com/NewsTrack/Top_News/2008/04/12/new_york_40000_patients_records_stolen/7783/">United Press International</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>United Press International<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>A former employee of the New York Presbyterian Hospital/Weill Cornell Medical College pleaded guilty on Friday to selling information from the personal records of over 50,000 patients.<br><span style="font-style: italic;">[Evan] According to this statement, he has already pleaded guilty.</span><br><br>After the hospital was made aware of the theft in January, it was confirmed in an internal investigation hospital spokeswoman Myrna Manners said.<br><br>"We obviously deeply regret that this has happened," she told the Times.<br><br>Dwight McPherson, the man arrested in connection with the crimes, was said to have been selling information since 2006, when he was approached with a request for the names, phone numbers and social security numbers of male patients between 58 and 78 years old.<br><span style="font-style: italic;">[Evan] He was approached rather than the other way around?&nbsp; This is interesting if it is true.&nbsp; It means that identity thieves (or those that trade in such information) are actively seeking out employees of organizations for sensitive personal information.&nbsp; This is an angle that I never really thought of, though in hindsight I should have.</span><br><br>McPherson's alleged scam was uncovered when postal inspectors in Atlanta executing a search warrant on an identity-theft operation there discovered 221 documents that had come from New York-Presbyterian Hospital.<br><br>Dwight McPherson, a 38-year-old patient-admissions representative from Brooklyn, admitted he began to access the files and sell information in early 2006<br><br>the information was used for identity theft<br><br>McPherson was released on Saturday under the condition that he not leave the state<br><br>McPherson was released on $500,000 bail<br><span style="font-style: italic;">[Evan] Whoa!&nbsp; Does this mean that he had to come up with $50,000 to post bail?&nbsp; I think you have to come up with 10% yourself.&nbsp; $50,000 is a lot of money for a "patient-admissions representative" to have lying around.</span><br><br>His lawyer, Bob Walters, defended his client, saying, "He is a hardworking, honest man,"<br><span style="font-style: italic;">[Evan] Uh, but he pleaded guilty to taking the easy way and committing fraud, right?</span><br><br>After looking through computer logs, they realized McPherson's user login had been used to improperly access the files of 49,841 patients.<br><br>McPherson most recently sold 1,000 records near the end of last year for about $750 and more records a bit later for $600.<br><br>Those whose identities have been stolen will receive a letter detailing what happened, and have access to a hotline with credit-monitoring services.<br><br><span style="font-weight: bold;">Commentary:</span><br>Of the 300 breaches reported thus far on <a href="http://breachblog.com">The Breach Blog</a>, this is the first one that I recall in which an outsider approached an employee for personal information.&nbsp; I have read about breaches where the employee approached and sold information to an intermediary or outsider (i.e. Fidelity/Certegy and William Sullivan), but not the other way around.&nbsp; This is interesting.<br><br>Mr. McPherson appears to have used his legitimate user account to access records in a manner for which he was not authorized.&nbsp; This activity can be difficult to detect without specialized controls.&nbsp; People that do bad things end up costing us all in the long run. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font>]]></content:encoded>
      <pubDate>Mon, 14 Apr 2008 12:04:54 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/sensitive personal information">sensitive personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/records">records</category>
      <category domain="http://securityratty.com/tag/access records">access records</category>
      <category domain="http://securityratty.com/tag/dwight mcpherson">dwight mcpherson</category>
      <category domain="http://securityratty.com/tag/mcpherson">mcpherson</category>
      <category domain="http://securityratty.com/tag/patients">patients</category>
      <category domain="http://securityratty.com/tag/male patients">male patients</category>
      <source url="http://breachblog.com/2008/04/14/mcpherson.aspx">Presbyterian Hospital admissions rep allegedly steals patient information</source>
    </item>
    <item>
      <title><![CDATA[Customers of 14 Advance Auto Parts stores are victims of intrusion]]></title>
      <link>http://securityratty.com/article/24ce995cc05837ce18ecd03ab78c51ad</link>
      <guid>http://securityratty.com/article/24ce995cc05837ce18ecd03ab78c51ad</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/31/08

Organization
Advance Auto Parts, Inc

Headquartered in Roanoke, Va., Advance Auto Parts is the second-largest retailer of automotive aftermarket...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/advance.jpg" align="right" height="52" width="201">
<font size="2"><span style="font-weight: bold;">Date Reported: </span><br>3/31/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.advanceautoparts.com/">Advance Auto Parts, Inc.</a>*<br><br><font size="1">*Headquartered in Roanoke, Va., Advance Auto Parts is the second-largest retailer of automotive aftermarket parts, accessories, batteries, and maintenance items in the United States, based on store count and sales. As of December 29, 2007, the Company operated 3,261 stores in 40 states, Puerto Rico, and the Virgin Islands. The Company serves both the do-it-yourself and professional installer markets.</font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers that made purchases and one of 14 retail stores<br><br><span style="font-weight: bold;">Number Affected:</span><br>56,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"financial information" including "credit card, debit card and checking account information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Advance Auto Parts Inc. 
(AAP) said data from 14 of its stores may have been affected by a network intrusion, potentially compromising financial information of up to 56,000 customers."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://phx.corporate-ir.net/phoenix.zhtml?c=130560&amp;p=irol-newsArticle&amp;t=Regular&amp;id=1123808&amp;">Advance Auto Parts News Release</a> <br><a href="http://money.cnn.com/news/newsfeeds/articles/djf500/200803311739DOWJONESDJONLINE000764_FORTUNE5.htm">CNNMoney</a> <br><a href="http://www.forbes.com/reuters/feeds/reuters/2008/03/31/2008-03-31T235003Z_01_N31433790_RTRIDST_0_AUTOS-ADVANCEAUTO-UPDATE-2-NETWORK-INTRUS.html">Reuters via Forbes.com</a> <br><a href="http://www.eweek.com/c/a/Security/Auto-Parts-Retailer-Notifies-Customers-of-Network-Breach/">eWeek.com</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Advance Auto Parts, Inc.<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>ROANOKE, Va.--(BUSINESS WIRE)--March 31, 2008--Advance Auto Parts, Inc. 
(NYSE:AAP), a leading automotive aftermarket retailer of parts, accessories and maintenance items, released information today regarding the Company becoming the victim of a network intrusion.<br><span style="font-style: italic;">[Evan] I don't think of the company as a "victim".&nbsp; I think of the people and possibly the banks that may have to reissue cards and reimburse the people as victims.</span><br><br>The investigation by Advance Auto Parts revealed that data from 14 of its stores may have been impacted, potentially compromising customer financial information of up to 56,000 customers.<br><br>The following 14 Advance Auto Parts stores were affected by this network intrusion:<br><br><table border="1" cellpadding="2">
<tr><th>Affected Store Address</th><th>City</th><th>State</th></tr>
<tr><td>2920 Martin Luther King Jr. Drive</td><td>Atlanta</td><td>Georgia</td></tr>
<tr><td>6100 Old National Highway</td><td>College Park</td><td>Georgia</td></tr>
<tr><td>1354 Harrisburg Pike</td><td>Columbus</td><td>Ohio</td></tr>
<tr><td>950 E Boston Street</td><td>Covington</td><td>Louisiana</td></tr>
<tr><td>2055 South Locust St.</td><td>Canal Fulton</td><td>Ohio</td></tr>
<tr><td>422 US Highway 80 W</td><td>Garden City</td><td>Georgia</td></tr>
<tr><td>2414 Belle Chase Highway</td><td>Gretna</td><td>Louisiana</td></tr>
<tr><td>1370 Ashland Road</td><td>Mansfield</td><td>Ohio</td></tr>
<tr><td>6645 E. Shelby Dr.</td><td>Memphis</td><td>Tennessee</td></tr>
<tr><td>179 Sgt Prentiss Drive</td><td>Natchez</td><td>Mississippi</td></tr>
<tr><td>5185 Jimmy Carter Blvd.</td><td>Norcross</td><td>Georgia</td></tr>
<tr><td>936 N. Gospel St.</td><td>Paoli</td><td>Indiana</td></tr>
<tr><td>6300 W. Broad St.</td><td>Richmond</td><td>Virginia</td></tr>
<tr><td>1802 Teall Ave.</td><td>Syracuse</td><td>New York</td></tr>
</table><br><span style="font-style: italic;">[Evan] I don't recognize any pattern in the store locations.&nbsp; I wonder if there is a pattern elsewhere.&nbsp; Why these stores, or is this just all that is known at this point?</span><br><br>Advance has notified its credit, debit and check processors.<br><br>As a precautionary measure, the Company has also started sending letters directly to the impacted customers whom it has been able to identify. Customers who purchased products in the 14 stores and who do not receive a letter can call the toll-free number listed below to determine if they have been impacted.<br><br>Advance is also working with the appropriate law enforcement officials who are conducting a criminal investigation.<br><br>The Company believes that the incident has been contained. However, the Company is continuing to investigate and has partnered with a leading global third party security expert to assist in the investigation. 
<br><br>In addition, Advance continually partners with leading experts to enhance the security of information technology systems.<br><span style="font-style: italic;">[Evan] Like who?&nbsp; What makes a person a leading expert?</span><br><br>"Safeguarding our customers' confidential financial information is extremely important to Advance Auto Parts, and we take this responsibility very seriously," said Darren Jackson, President and Chief Executive Officer.<br><span style="font-style: italic;">[Evan] I respect the fact that the CEO of the company addresses the public regarding this breach.&nbsp; It demonstrates that Mr. Jackson understands his role and ultimate responsibility for information security.</span><br><br>Advance has also established a special toll-free number with dedicated resources for potentially impacted customers who made purchases in the 14 stores to call to ask questions. The special toll-free number is 1-800-704-1154. Customer service representatives will be available to answer questions seven days a week from 8 am until 12 midnight EDT through May 31, 2008.<br><br>Advance is offering the affected customers a credit monitoring product from a national credit reporting agency at no cost for one year.<br><br>"We sincerely apologize for any inconvenience this attack on our network may cause. Advance Auto Parts has been dedicated for the past 75 years to earning customer trust and for providing Legendary Customer Service. We strive to serve each and every customer better than anyone else," said Jackson. "We truly appreciate the business of each Advance Auto Parts customer."<br><br><span style="font-weight: bold;">Commentary:</span><br>There are many many details missing from this news release.&nbsp; I expect more details to follow as people continue to ask questions and demand answers.&nbsp; A "network intrusion" is very general and implies an outsider attack.&nbsp; Why these 14 stores?<br><br>Stay tuned... 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br><br>
</font>]]></content:encoded>
      <pubDate>Mon, 31 Mar 2008 17:45:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/advance auto">advance auto</category>
      <category domain="http://securityratty.com/tag/advance">advance</category>
      <category domain="http://securityratty.com/tag/confidential financial information">confidential financial information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/financial information">financial information</category>
      <category domain="http://securityratty.com/tag/stores">stores</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/account information">account information</category>
      <source url="http://breachblog.com/2008/03/31/advance.aspx">Customers of 14 Advance Auto Parts stores are victims of intrusion</source>
    </item>
    <item>
      <title><![CDATA[A Page from Gregs Diary: Nerwana Software]]></title>
      <link>http://securityratty.com/article/e4d4f1a924ce83b07f4b3d3b75d9e4d6</link>
      <guid>http://securityratty.com/article/e4d4f1a924ce83b07f4b3d3b75d9e4d6</guid>
      <description><![CDATA[I started my career in IT many years ago and since that year have worked in enterprise IT for years and years. Almost all of my odd career story revolves around working with end users, often advising,...]]></description>
      <content:encoded><![CDATA[<div class='snap_preview'><br /><p>I started my career in IT many years ago and since that year have worked in enterprise IT for years and years. Almost all of my odd career story revolves around working with end users, often advising, architecting and managing the complexity of large systems integration projects, from hands on implementation to strategic vision development. My deep background is with Techrotech in network systems engineering.</p>
<p>A few years ago, years after I started my career at Techrotech, I grew a bit dismayed at enterprise software companies. They would, for the most part, always come to us, the end users, and try to sell us large software packages. Their sales and technical teams had very little domain knowledge of the problems they claimed they could solve - and they had little doubt that if we purchased their wares, our problems would be solved.</p>
<p>These software companies were keen on buzzwords and technology jargon but somewhat clueless on operational solutions or the challenges of implementation across a large federated organization with many powerful business units and &#8220;in name only&#8221; CIOs.  We often referred to these software sales guys, and their favorite systems integrators, as &#8220;drive by (or fly by) implementations&#8221; where they dump the software (and hardware) at your door and run like crazy!</p>
<p>So, I joined a very cool Silicon Valley company,  Nerwana Software, hoping to change all of that, or so I thought <img src='http://eventprocessing.wordpress.com/wp-includes/images/smilies/icon_smile.gif' alt=':-)' class='wp-smiley' /> </p>
<p>Naturally, when I first came on board Nerwana, the entire organization, from executives to recent new hires out of school, heaped praise-upon-praise on my years of operational experience at Techrotech and elsewhere. They cheered me on as I wrote papers and created slides on operational use cases and event processing solutions that the sales and solutions teams could take to market. They sang my praises as I spoke to large audiences and evangelized their most innovative software and solutions. They were pleased with the great reviews from customers.</p>
<p>As one would expect, I was destined to learn the face of the problems I experienced as an end-user &#8220;outsider,&#8221; now from an &#8220;insider&#8217;s&#8221; perspective. </p>
<p>One of the interesting challenges that surfaced at Nerwana was the &#8220;let&#8217;s export our culture and business model to the world&#8221; mantra, maybe better referred to as &#8220;if it sells in New York, then we must sell it the same way in Tokyo or Beijing!&#8221;</p>
<p>Also, I really was surprised to find out how dependent Nerwana was on the opinion of analysts. When I worked for the customers and end users, we rarely paid any special attention to the analysts&#8217; opinions. Sure, analysts provide a good data point, but that is all it was (or is), simply another data point. </p>
<p>I soon found that software companies are often held hostage by &#8220;analyst chasing&#8221; which really was an eye opener for me, because we end-users, the people who actually buy the software, view analysts as mere mortals reading from the same foggy crystal ball as everyone else. </p>
<p>Another one of the fascinating challenges I experienced at Nerwana was what some would call &#8220;The Hero Culture.&#8221; </p>
<p>I&#8217;ll elaborate on some of these, hopefully interesting, observations and experiences in a future <em>Page from Greg&#8217;s Diary</em>.</p>
</div>]]></content:encoded>
      <pubDate>Tue, 25 Mar 2008 09:21:42 +0000</pubDate>
      <category domain="http://securityratty.com/tag/software">software</category>
      <category domain="http://securityratty.com/tag/software packages">software packages</category>
      <category domain="http://securityratty.com/tag/software companiesare">software companiesare</category>
      <category domain="http://securityratty.com/tag/innovative software">innovative software</category>
      <category domain="http://securityratty.com/tag/software sales guys">software sales guys</category>
      <category domain="http://securityratty.com/tag/view analysts">view analysts</category>
      <category domain="http://securityratty.com/tag/operational solutions">operational solutions</category>
      <category domain="http://securityratty.com/tag/analysts">analysts</category>
      <category domain="http://securityratty.com/tag/solutions">solutions</category>
      <source url="http://thecepblog.com/2008/03/25/a-page-from-gregs-diary-nerwana-software/">A Page from Gregs Diary: Nerwana Software</source>
    </item>
    <item>
      <title><![CDATA[The Other Side of Life]]></title>
      <link>http://securityratty.com/article/2b1b28c7f0189c1242e34f70694152db</link>
      <guid>http://securityratty.com/article/2b1b28c7f0189c1242e34f70694152db</guid>
      <description><![CDATA[Hello everyone, Shawn Hernan here. I used to work on the SDL team, and I might have been a regular contributor to this space, but instead I joined the SQL Server security team. Ralph Hood, Microsoft...]]></description>
      <content:encoded><![CDATA[<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>Hello everyone, Shawn Hernan here. I used to work on the SDL team, and I might have been a regular contributor to this space, but instead I joined the SQL Server security team. Ralph Hood, Microsoft SDL guru, asked me if I would contribute a post about “Life on the other side,” talking to what I’ve learned about the SDL from this new perspective -- sort of the reverse of </FONT></SPAN><A href="http://blogs.msdn.com/sdl/archive/2008/03/13/sdl-and-filtering.aspx"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>his recent post</FONT></SPAN></A><FONT face=Calibri><FONT size=3>.</FONT><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"> I couldn’t turn down the opportunity. </SPAN></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>First, let me say what I knew about the SDL going in: no policy can anticipate every situation; you have to make tradeoffs; the details matter; the big picture matters; you need tools; you need human insight; you need management support; and we’re never going to be perfect. All of the things you’ve read in this blog are true, and they really shouldn’t be controversial. Since joining SQL, I’ve learned a lot about SQL Server too, and what it means to ship a product - but that’s outside the scope of this blog. So instead, I’ll try to describe three real experiences that illustrate things that shouldn’t be controversial either, but aren’t usually covered under the rubric of security.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>They are crucial nonetheless. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><FONT face=Calibri><B style="mso-bidi-font-weight: normal"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%">Security is not the <I style="mso-bidi-font-style: normal">point</I>, it’s the needs of the customer. </SPAN></B><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%">It’s easy to believe that security is <I style="mso-bidi-font-style: normal">the point</I> of producing a product. It’s not. We won’t produce an insecure product, but the primary driver for a product team is to produce a <I style="mso-bidi-font-style: normal">valuable, useful product</I>. Yes, security is a big part of that, but security is not a goal in and of itself.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN>For example, one of the areas of fierce competition in enterprise database products is performance, and we have to balance security with <SPAN style="mso-spacerun: yes">&nbsp;</SPAN>performance. One of the ways we do that is by verifying data we receive really well, but only when necessary. We define clear trust boundaries, and check the data thoroughly <I style="mso-bidi-font-style: normal">once</I> on the way in, and then work very hard to enforce </SPAN></FONT><A href="http://download.microsoft.com/download/d/e/3/de328032-df7e-48a4-96ba-42ab0fed60ef/SQL%20Server%202005%20Security%20Datasheet.pdf"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri color=#0000ff>those trust boundaries</FONT></SPAN></A><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>I first encountered this in SQL when I helped review threat models for the database engine. The engine trusts that the data on the disk was written correctly by a trusted entity (with checksums to guard against random errors), and enforces that. Instead of a slavish adherence to the principle of complete mediation or defense in depth, which, when taken to its extreme would say to “check everything, every time,” we are hard core about making the right checks, but <I style="mso-bidi-font-style: normal">only</I> the right checks. </FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>I will note that it is not an either/or choice between security and performance – it <B style="mso-bidi-font-weight: normal">is</B> possible to </FONT></SPAN><A href="http://www.microsoft.com/sqlserver/2008/en/us/performance-scale.aspx"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri color=#0000ff>do</FONT></SPAN></A><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri> </FONT></SPAN><A href="http://www.microsoft.com/sqlserver/2008/en/us/security.aspx"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri color=#0000ff>both</FONT></SPAN></A><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>. Indeed, I would say that doing one without the other is pointless, but to get both 1) world class performance, and 2) world class security, <SPAN style="mso-spacerun: yes">&nbsp;</SPAN>you have to understand your data flows really well, and make detailed decisions. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><FONT face=Calibri><B style="mso-bidi-font-weight: normal"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%">Be polite, but don’t be afraid</SPAN></B><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%">: Job interviews at Microsoft can be challenging. When I interviewed for this job, my final interview was with a very senior architect. The subject of integer overflows came up, and he asked me to describe the problems and solutions. So I started writing some code on the whiteboard. After about 10 minutes of describing my approach to integer overflows, he said to me, “What if I were to tell you that’s a really bad solution, and the interview is over?” <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>My heart sank. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>But instead of rolling over, I said, “well, that’s a bad outcome, tell me why.” He proceeded to attack my solution on several grounds, including being unreadable and unmaintainable, and he proceeded to describe <I style="mso-bidi-font-style: normal">his</I> solution to the problem. Now, this was a very serious, very senior technical architect, and I was in a high pressure, asymmetric situation. So, not willing to be intimidated, but unable to attack back, I pointed out several shortcomings of his solution, politely, but firmly. And we spent the next 40 minutes talking about various aspects of the problem, and me defending my solution, which I think was credible. I don’t know if he agreed with my solution or not, really, but I suspect it might have been a test to see if I would cave. Or maybe he thought it really was a bad solution, I don’t know. But I got the job. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>As a security professional, you’re always going to be at a technical disadvantage when you’re reviewing another team’s components. They designed and implemented the system. You are an outsider, and it is absolutely impossible to understand the system to the same degree as the people who built it. Nonetheless, you’ve got to find a way to ask hard, probing, impolite and sometimes even uninformed questions without being threatening or insulting, or undermining your own credibility. </FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>Be polite, be firm, put your ego in a box, and ask questions until you understand. <o:p></o:p></FONT></SPAN></P>
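<p>Two of the points above, validating untrusted input thoroughly once at a defined trust boundary and then relying on that inside it, and the integer-overflow question from the interview, come together in the size check below. This is an added example and not code from the post or from SQL Server; neither whiteboard solution appears on the page. The wire format (a count and an element size, read in host byte order), the MAX_MSG_BYTES limit and the sample buffer are constructed assumptions for illustration only.</p>

```c
/* Added example, not from the SDL post. Shows an overflow-prone size check
 * beside an overflow-safe one, performed once at the trust boundary; code
 * inside the boundary consumes only the validated result.
 * The wire format and MAX_MSG_BYTES are assumptions for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG_BYTES 4096u /* assumed buffer limit */

/* Untrusted header: both fields are attacker-controlled. */
struct wire_hdr {
    uint32_t count;
    uint32_t elem_size;
};

/* Output of the boundary check; only validate_hdr() fills one in. */
struct validated_msg {
    size_t total_bytes; /* count * elem_size, proven <= MAX_MSG_BYTES */
    uint32_t count;
    uint32_t elem_size;
};

/* Naive check: forms the product first, so a wrapped product passes the bound. */
bool naive_size_ok(uint32_t count, uint32_t elem_size)
{
    uint32_t total = count * elem_size; /* wraps modulo 2^32 for large inputs */
    return total <= MAX_MSG_BYTES;
}

/* Safe check: compares against the limit divided by elem_size, so no product
 * is ever computed before it is known to fit. */
bool safe_size_ok(uint32_t count, uint32_t elem_size, size_t *out_total)
{
    if (elem_size == 0 || count == 0)
        return false;                      /* reject empty messages (assumed policy) */
    if (count > MAX_MSG_BYTES / elem_size) /* equivalent to count*elem_size > MAX */
        return false;
    *out_total = (size_t)count * elem_size; /* now provably <= MAX_MSG_BYTES */
    return true;
}

/* Convenience wrapper: validated total, or 0 when the header is rejected. */
size_t checked_total(uint32_t count, uint32_t elem_size)
{
    size_t total = 0;
    return safe_size_ok(count, elem_size, &total) ? total : 0;
}

/* Trust boundary: the one place raw header bytes are inspected. */
bool validate_hdr(const uint8_t *buf, size_t len, struct validated_msg *out)
{
    struct wire_hdr h;
    size_t total;
    if (len < sizeof h)
        return false;
    memcpy(&h, buf, sizeof h);      /* no unaligned access; host byte order assumed */
    if (!safe_size_ok(h.count, h.elem_size, &total))
        return false;
    if (len - sizeof h < total)     /* the declared body must actually be present */
        return false;
    out->count = h.count;
    out->elem_size = h.elem_size;
    out->total_bytes = total;
    return true;
}

/* Inside the boundary: takes a validated_msg and does not repeat the size check. */
size_t sum_bytes(const struct validated_msg *m, const uint8_t *body)
{
    size_t acc = 0;
    for (size_t i = 0; i < m->total_bytes; i++)
        acc += body[i];
    return acc;
}

/* Constructed sample: header claiming 2 elements of 2 bytes, body bytes 1..4.
 * body_present limits how many body bytes are offered to the boundary check.
 * Returns the byte sum, or -1 if validation rejects the message. */
long demo_sum(size_t body_present)
{
    struct wire_hdr h = { 2, 2 };
    uint8_t buf[sizeof h + 4] = { 0 };
    struct validated_msg m;
    if (body_present > 4)
        return -1;
    memcpy(buf, &h, sizeof h);
    buf[sizeof h + 0] = 1;
    buf[sizeof h + 1] = 2;
    buf[sizeof h + 2] = 3;
    buf[sizeof h + 3] = 4;
    if (!validate_hdr(buf, sizeof h + body_present, &m))
        return -1;
    return (long)sum_bytes(&m, buf + sizeof h);
}

int main(void)
{
    printf("naive check accepts 0x10000 x 0x10000: %d\n", naive_size_ok(0x10000u, 0x10000u));
    printf("safe check total for same input (0 = rejected): %zu\n", checked_total(0x10000u, 0x10000u));
    printf("sum over validated sample: %ld\n", demo_sum(4));
    printf("truncated body (header claims 4, 2 present): %ld\n", demo_sum(2));
    return 0;
}
```

The naive check multiplies first, so a count and element size whose product wraps past 2^32 sails under the limit; the safe check divides the limit by the element size, so no product exists until it is known to fit. validate_hdr is the only function that touches raw bytes, and everything past it takes a validated_msg and trusts it, which is the "check thoroughly once on the way in, then enforce the boundary" trade the post describes.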
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><FONT face=Calibri><B style="mso-bidi-font-weight: normal"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%">“It should work” is not a good answer: </SPAN></B><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><SPAN style="mso-spacerun: yes">&nbsp;</SPAN>We take the </SPAN></FONT><A href="http://blogs.msdn.com/sdl/archive/2008/01/04/recent-symantec-and-ibm-vulnerabilities-giblets-banned-apis-and-the-sdl.aspx"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri color=#0000ff>giblets</FONT></SPAN></A><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri> problem very seriously, and managing giblets can be quite difficult at times. And in SQL, we have lots of giblets. We consume things from Windows, and Office, and Visual Studio, and others, and we provide giblets to other teams as well. In fact, we provide components that other teams use to build the giblets they provide to us – we consume our own giblets!<o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>And as it happens, one of the components we use was updated recently. Even though it would get serviced through Microsoft Update, we want to ensure we have the latest and greatest version of any component we ship. But to consume the latest and greatest version of this particular component would require some small updates to either our installer or theirs. So we met with the team that owns the giblet in question to try to divvy up the work, and to avoid schedule disruptions on either side. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>There was a lot of back and forth about various things to try, and we continued to refine a solution until we had reduced the problem to a single issue.<SPAN style="mso-spacerun: yes">&nbsp; </SPAN><o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>At this point, there was an air of hope in the room. If the idea actually worked, we had a solution at relatively low cost. But would it work? When the question of “will this work” comes up, all eyes turn towards test managers. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>Our general manager was looking right at our test manager and she asked, “Will that work?” The test manager looked across the table at the development manager from the other group, and said, “I don’t know. That depends on <I style="mso-bidi-font-style: normal">their </I>level of confidence in the behavior of their component under these conditions.” <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>Now, all eyes were staring at the dev manager, and the room got quiet. A somewhat sheepish look came over his face, because he knew the answer he was about to give would be unsatisfactory. He said, “Well, I’m not a tester, I’m just a developer, but <I style="mso-bidi-font-style: normal">it should work</I>.”</FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>At which point the room erupted into hysterical laughter. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>“It should work” means “I think so, but we have to test it.” And that means the whole battery of tests for each of the affected components, across all of the supported platforms. And <I style="mso-bidi-font-style: normal">that</I> has to be scheduled in test labs. To be clear, this wasn’t a lack of confidence in the developer, quite the contrary, he was laughing along with everyone else. We just know that writing software to satisfy all the scenarios in which our software is deployed requires <I style="mso-bidi-font-style: normal">far</I> more testing than can reasonably be performed on a single desktop system. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>So the tests were scheduled, the developer was proven correct, and we’re picking up the latest version. Even seemingly simple changes require a lot of testing. <o:p></o:p></FONT></SPAN></P>
<P class=MsoNormal style="MARGIN: 0in 0in 10pt; TEXT-ALIGN: justify"><SPAN style="FONT-SIZE: 10pt; LINE-HEIGHT: 115%"><FONT face=Calibri>So, that’s what I’ve learned: security isn’t the be-all-end-all, things are really complex and hard to understand, and you don’t really know if anything works until you test it. None of which should be controversial, but none of the central ideas in the SDL are controversial either. The hard part is putting theory into practice, and recognizing that no venture is risk free, despite the natural inclination of security engineers to avoid any risk whatsoever. In this, I am reminded of one of my favorite books, “<U>To Engineer is Human: The Role of Failure in Successful Design</U>,” by Henry Petroski. He writes, “<I style="mso-bidi-font-style: normal">No one </I>wants<I style="mso-bidi-font-style: normal"> to learn by mistakes, but we cannot learn enough from successes to go beyond the state of the art. Contrary to their popular characterization as intellectual conservatives, engineers are really among the avant-garde. They are constantly seeking to employ new concepts [and are] constantly striving to do more with less. [] The engineer always believes he is trying something without error, but the truth of the matter is that each new structure can be a new trial. [] Such is the nature not only of science and engineering, but of all human endeavors.</I>” </FONT></SPAN></P>]]></content:encoded>
      <pubDate>Fri, 21 Mar 2008 13:06:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/product team">product team</category>
      <category domain="http://securityratty.com/tag/engineers">engineers</category>
      <category domain="http://securityratty.com/tag/security engineers">security engineers</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/balance security">balance security</category>
      <category domain="http://securityratty.com/tag/security professional">security professional</category>
      <category domain="http://securityratty.com/tag/test managers">test managers</category>
      <category domain="http://securityratty.com/tag/test">test</category>
      <source url="http://blogs.msdn.com/sdl/archive/2008/03/21/the-other-side-of-life.aspx">The Other Side of Life</source>
    </item>
    <item>
      <title><![CDATA[Harvard University warns graduate students about web hack]]></title>
      <link>http://securityratty.com/article/f8e9f01475e7c7289079631255a005d1</link>
      <guid>http://securityratty.com/article/f8e9f01475e7c7289079631255a005d1</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
3/12/08

Organization
Harvard University

Contractor/Consultant/Branch
Graduate School of Arts and Sciences

Victims
applicants for admission and...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/harvard.jpg" align="right" height="108" width="109"><span style="font-weight: bold;">Date Reported: </span><br>3/12/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.harvard.edu/">Harvard University</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.gsas.harvard.edu/">Graduate School of Arts and Sciences</a> <br><br><span style="font-weight: bold;">Victims:</span><br>"applicants for admission and housing"<br><br><span style="font-weight: bold;">Number Affected:</span><br>~10,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"A Harvard Graduate School of Arts and Sciences (GSAS) Web server that contained summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information was hacked by an outsider and compromised in a way that the data on the server could have been viewed or copied."<br><br><span style="font-weight: bold;">Reference URLs:</span><br><a href="http://www.news.harvard.edu/gazette/2008/03.13/99-hacked.html">Harvard University Gazette</a> <br><a href="http://www.boston.com/news/education/higher/articles/2008/03/13/harvard_student_applicant_files_breached/">The Boston Globe</a> <br><a href="http://news.bostonherald.com/business/technology/general/view.bg?articleid=1080025&amp;srvc=home&amp;position=also">The Boston Herald</a> <br><a href="http://www.bloomberg.com/apps/news?pid=20601087&amp;sid=a.kZmE2KEB.o&amp;refer=home">Bloomberg</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Robert Mitchell and Joe Wrinn, Harvard University 
Gazette<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Harvard University notified students at the Graduate School of Arts and Sciences yesterday that their personal information may have been compromised when a hacker hijacked the school's server last month.<br><br>The GSAS site was taken down from Feb. 17 until Feb. 21 in order to investigate the incident and to improve security.<br><br>The University’s initial examination did not reveal the full extent of the hack. As the investigation continued, it became apparent that some sensitive applicant data, including Social Security numbers, could potentially have been accessed.<br><span style="font-style: italic;">[Evan] Without knowing all of the details, it seems like this was a poor incident response.</span><br><br>The University has informed the GSAS community, and has apologized for the error.<br><br>At Harvard’s expense, identity theft recovery services are being made available to the people who might be potentially affected.<br><br>Guarding against hacking is a constant battle as hackers continue to challenge and occasionally breach security systems. Harvard has taken and will continue to take steps to protect its servers as well as possible.<br><span style="font-style: italic;">[Evan] Yes, but this is absolutely no excuse.&nbsp; "Harvard has taken and will continue to take steps to protect its servers"?&nbsp; This is a problem.&nbsp; We don't aim to protect servers, we aim to protect information.</span><br style="font-style: italic;"><br>“Protecting personal information is something Harvard takes seriously, and we are truly sorry for the inconvenience and concern this incident may cause,” said Margot N. Gill, administrative dean of the GSAS.<br><br>“We are notifying and apologizing to the affected individuals and making identity theft recovery services available to them at our expense. 
Please be assured that we are taking steps to do what we can to prevent future incidents of this kind.”<br><br>The server contained summaries of data from approximately 10,000 applicants for admission and housing that were used by GSAS administrators during the admissions process and to match students with housing.<br><br>There were approximately 6,600 summaries from admissions candidates from the United States consisting of each applicant’s name, Social Security number, date of birth, address, e-mail address, phone numbers, test scores, previous school attended, and school records.<br><br>The remainder of the admissions data did not involve Social Security numbers. There were approximately 500 summaries of housing application data that included Harvard University ID numbers. A small number of housing application summaries (13) contained information about personal health issues such as food allergies.<br><br>Dan Moriarty, Harvard's chief information officer, said the college had strengthened its security system.<br><span style="font-style: italic;">[Evan] Had?&nbsp; How?</span><br><br>"This is really a cautionary tale for anyone in higher education," he said.<br><span style="font-style: italic;">[Evan] This is really a cautionary tale for people that do not secure confidential personal information properly.&nbsp; Higher education or not.</span><br style="font-style: italic;"><br>``This is really unprofessional, of course, and we're quite upset that something like this would happen at Harvard, of all places,'' said Patrick Hamm, a spokesman for Harvard's Graduate Student Council.<br><br>Harvard discovered the attack Feb. 
16 after information from 19 graduate student-housing applications appeared on an Internet site called Pirate Bay that hosts anonymous information, said Daniel Moriarty, the university's chief information officer.<br><span style="font-style: italic;">[Evan] Unreal.&nbsp; The school was not even aware of the breach when it occurred or even shortly after it occurred.</span><br><br>Kyle Brown, president of the Graduate Student Council, said the university's delay in realizing the extent of the hacking was troubling to him. <br><br>`No One Was Really Aware' <br><br>``No one was really aware of the scope,'' said Brown, 21. ``That, in of itself, may indicate a problem with the way Harvard goes about securing information. When someone breaks in, we need to know exactly what was compromised, soon.''<br><br>Because the University could not rule out the possibility that all of the information on this server was copied and distributed more broadly, notifications are being sent to all persons who may have been affected by this incident.<br><br>In situations where applicants’ Social Security numbers or Harvard University ID numbers may have been accessed, the notifications provide contact information for free use of the services provided by Kroll Inc.<br><br><span style="font-weight: bold;">Commentary:</span><br>My first thought was actually a question.&nbsp; Why was this information accessible on or through a web server?&nbsp; I assume that the web server was compromised and through it a back-end database was accessible.&nbsp; So fine, this leads me to more questions.&nbsp; #1, Did the school conduct regular risk and vulnerability assessments and/or penetration tests on servers that collect, process or store confidential information?&nbsp; Unlikely in this case.&nbsp; #2, Why did the school not detect the breach as (or shortly after) it occurred?&nbsp; Information security cannot protect everything, but we can certainly be alerted when something is amiss.<br><br>Judging only 
from what I have read about this breach, I would have expected much more.<br><br>Lawd knows Hawvahd ain't cheap ya know.<br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown<br><br>
]]></content:encoded>
      <pubDate>Thu, 13 Mar 2008 21:25:51 +0000</pubDate>
      <category domain="http://securityratty.com/tag/university">university</category>
      <category domain="http://securityratty.com/tag/harvard university">harvard university</category>
      <category domain="http://securityratty.com/tag/harvard university gazette">harvard university gazette</category>
      <category domain="http://securityratty.com/tag/harvard">harvard</category>
      <category domain="http://securityratty.com/tag/gsas administrators">gsas administrators</category>
      <category domain="http://securityratty.com/tag/gsas">gsas</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/gsas site">gsas site</category>
      <source url="http://breachblog.com/2008/03/14/harvard.aspx">Harvard University warns graduate students about web hack</source>
    </item>
    <item>
      <title><![CDATA[Is Risk-Based Security Really Possible?]]></title>
      <link>http://securityratty.com/article/49ee6f2146d25bfa152be34beb79bb66</link>
      <guid>http://securityratty.com/article/49ee6f2146d25bfa152be34beb79bb66</guid>
      <description><![CDATA[Yes. Few security professionals doubt that our job is all about risk mitigation. But there tends to be sharp debate about whether you can measure risk. I think you can and should, but quantitative...]]></description>
      <content:encoded><![CDATA[Yes. Few security professionals doubt that our job is all about risk mitigation. But there tends to be sharp debate about whether you can measure risk. I think you can and should, but <span style="font-style: italic;">quantitative</span> models don't work. I'll come back to "why you should" and "how you can" another time, but for now I want to discuss why the quantitative approach doesn't work.<br /><br />The classic textbook quantitative risk calculation is Annualized Loss Expectancy:<br /><br /><div style="text-align: center;">ALE = (Impact of the event in $$) * (Number of times in a year the event will happen)<br /></div><br />So, you calculate your ALE and that's the maximum you should spend to mitigate that risk.<br /><br />If the real world were that simple, we'd all use ALE to plan our security strategies. But ALE is fundamentally wrong for information security. I'll concede that ALE can be useful as a simple conceptual model for risk because it requires us to think about both of the factors that generally influence risk: Likelihood and Impact. But literal use of ALE for information security decisions is problematic to say the least.<br /><br />The problem with ALE is that the numbers we plug into that formula are so baseless that the resulting calculation has no credibility.  
We probably inherited this simple conceptual model at some point from the insurance industry, which is different from security management in at least two key ways:<br /><ul><li>They have statistics and actuarial models that predict the likelihood of certain events with reasonable numerical accuracy across a certain demographic - we don't<br /></li><li>They have a straightforward way of estimating the loss associated with those events  with reasonable numerical accuracy - we don't</li></ul>Not to mention the fact that insurance and information security are fundamentally different models, but I'll save that tangent for another time.<br /><br />How does one calculate the financial impact of a security breach?  Here's a hint: the amount of money you paid for the server that was just compromised is wrong.  There's a whole bunch of things that go into it... the cost of employees and consultants to restore order after the breach, the potential legal liability, the cost of business you may have lost when the system went down, the opportunity cost of things you couldn't do because you had to spend time and resources responding to the incident, and the impact of lost goodwill and reputation damage that you suffer in the market.  All of these factors are either immeasurable or unpredictable, which makes them poor candidates for mathematical calculations.<br /><br />How does one calculate the likelihood of a security breach?  The spectrum of threats is too broad and too unpredictable to have any hope of doing this.  
If you were just hacked by an outsider, or fell victim to a disgruntled employee, or made a simple mistake and exposed a bunch of sensitive information on a website, chances are you never saw it coming, and sure couldn't have sat at your desk six months ago and said "there's a 20% chance that this will happen in the next year".<br /><br />So, with ALE hopelessly wrong for information security, how can we argue <span style="font-style: italic;">in favor</span> of risk-based security?  The answer lies in qualitative models - stay tuned.<br /><br />Cheers,<br />Bryan]]></content:encoded>
      <pubDate>Thu, 26 Jul 2007 16:42:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/information security">information security</category>
      <category domain="http://securityratty.com/tag/information security decisions">information security decisions</category>
      <category domain="http://securityratty.com/tag/security management">security management</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/wrong">wrong</category>
      <category domain="http://securityratty.com/tag/ale hopelessly wrong">ale hopelessly wrong</category>
      <source url="http://feeds.feedburner.com/~r/PracticalRiskManagement/~3/138000524/is-risk-based-security-really-possible.html">Is Risk-Based Security Really Possible?</source>
    </item>
  </channel>
</rss>
