Archive for January, 2010

Has “Data Breach” become a buzzword?

January 27th, 2010

You hear about a new, significant data breach in the news. What’s your reaction? Chances are, you’re a lot more desensitized to this than you were 3-4 years ago. Is this a good or a bad thing? Personally, I think there are two ways to see it. First, the general public is becoming desensitized to it. After the TJX breach, people happily handed their credit cards over at TJ Maxx and Marshall’s stores, so I’m not inclined to think these sorts of announcements lead to actual consumer behavior changes in many cases. The other side of this is from an organization’s standpoint – safeguarding against data breaches is rapidly becoming “something you just kinda have to do”. Peer pressure? All the cool kids are doing it? We’ll see.

I took a look at the SC Magazine 2010 Data Breach survey found here. I’ll comment on a few points in this survey, as I am generally getting more and more skeptical of the validity of responses to these surveys, or generally questioning some of their usefulness. All images are taken directly from the survey page.

[Image: data breach survey chart]

No shocker here. Compliance is the big driver. And it looks like “negative brand impact” is another one. However, this brings up a point, in my mind at least – why aren’t organizations doing this to “enhance security” or “adhere to security best practices”? Are all organizations like spoiled children who continually ask “Awww, do I HAVE to?” I understand money is involved, but it boggles my mind that companies do not understand the intrinsic need to not shit all over employees, customers, and partners by losing something entrusted to them.

[Image: data breach survey chart]

Here’s another one that begs a question – how could even 7% of respondents NOT KNOW the answer to this? And “Yes, but not enough” seems like a cop-out answer that is “safe”. Either you have a cohesive plan, or you do not. Or you live under a rock and answer “Don’t Know”. Apparently, SC Magazine can reach you under said rock. Bravo.

Some additional nuggets of awesomeness (these graphs I only found in the magazine article):

  • The company is preventing the data from being stolen, exposed, or lost. The responses? 91.2% agree, 4% disagree, and 4.5% neither agree nor disagree. Two things – those numbers add up to 99.7% (where’s the other .3%?) and what kind of dumbass doesn’t have an opinion on the matter? To Mr. I Don’t Know What the Hell is Going On…this Bud’s For You.
  • Most and Least Helpful in detailing safeguards to protect customer data stored electronically. Holy nonsensical results, Batman – check this out!
    SOX was the most helpful to 28.1% in 2009. WHAT!!!! HOW? There IS no detail.
    GLBA was the most helpful to 16.3% in 2009. See comment above.
    HIPAA was the most helpful to 30.3% in 2009. Maybe you have no CLUE as a healthcare CISO, and you did a knee-jerk response on “your” compliance thingie. But really?
  • Departments involved with this plan [breach response] to ensure that it is carried out properly. And HR is not even on the list. Internal folks don’t steal data?

So to bring this full circle with the opening paragraph and title of the post – did SC Magazine publish this useless bit of drivel to get some attention; in other words, use a “buzzword”? I say yes. For less “fluffy” infosec publishing, check out Bill Brenner and crew at CSO or Marcia Savage and the folks at Information Security. And yes, I know what they say about opinions.


A Glimpse Into the Security Mindset

January 22nd, 2010

All IT professionals, regardless of specialty, face a number of challenges. Some, if not all, of these will affect most IT professionals in some way or another throughout their career:

  • Lack of budget, IT is considered “overhead”
  • Lack of respect from other business units, we’re only one step removed from R2-D2
  • Lack of social skills, you spilled Mountain Dew on your too-short pants at the meeting
  • Politics, the smiley well-dressed guy that wears too much cologne with the football analogies is better-liked than you

There’s also a bevy of more specific technical challenges that could plague IT folks (this list is almost infinite):

  • You are trying to integrate new platforms into the environment
  • You are trying to keep legacy systems afloat
  • You are trying to communicate with the mainframe people, who DO in fact resemble R2-D2
  • Upgrading/replacing systems
  • Upgrading/replacing applications
  • Managing users, scripts, logs, storage, networks, devices, etc etc etc.

Security people have a challenge that is 100% unique to their discipline: we have adversaries.

Now I know some of you in areas other than security will argue that you have adversaries, too. If security is even a tiny part of your job description, then you may be right. But the burden of fending off adversaries, both internal and external, falls squarely on the shoulders of information security teams. This lends an entirely new dimension to the concerns that plague everyone else:

  • We cannot prioritize new functionality over security and stability. Ever. Otherwise adversaries take advantage of this and exploit vulnerabilities.
  • Things like coding languages employed, platforms chosen, and applications deployed really need consideration not only for what they offer us, but for how breakable they are.
  • The concept of time is more relevant to us than anyone – our priorities can, and should, change as the threat landscape does. We have opponents, some coordinated and others standalone, actively trying to come up with new ways to cause us harm. This means we need to ensure these new methods they’re employing will be as ineffectual as possible, all the time.

This is an over-simplification at best. However, it’s an oft-overlooked factor that tends to be forgotten in the day-to-day dynamics of our interactions.


2010: A Security Odyssey

January 13th, 2010

So here we are. 2010 – a new, shiny year for things to be as %*# up as ever. <sigh>

OK, OK, that was pessimistic sounding. I do have some thoughts in general on this year in security. Here we go:

  • Compliance will be a hot topic again this year. PCI is growing (MasterCard Level 2 peeps, talking to YOU). HIPAA is being changed, legislators are looking at breach disclosure and other topics, etc.
  • DLP – love it or hate it – will get more mature and could become even more relevant with tie-ins to e-Discovery and compliance mandates. Trust me, I hate buzzwords more than most, but I think the notions of keyword searches and data fingerprinting have merit. They’re just early in their evolution.
  • Howard Schmidt will do almost nothing. Oh sure, he may *talk* and stuff…but I don’t see anything changing this year. The government is just way too bureaucratic and bloated to change quickly. Not his fault, but I don’t think he’ll be the infosec savior by any means.
  • Cloud computing will start to become more tangible, and we WILL have to secure that beeyotch.
  • On a related (sort of) note, virtualization security will leave the “Chicken Little” phase and assume a normal place as YAICTS (Yet Another Infrastructure Component To Secure).
  • We will have to really address some of the major “gray area issues” in security. For example, the whole PI license for computer forensics issue…WTF?
  • Please please please please PLEASE – can we stop being such geeks and embrace risk management as the cornerstone of information security? I’m all for packets, hacking tools, and the like, too…but businesspeople still oftentimes look at security folks like the 17 year-old that still plays with Legos. We talk all this bullshit about wanting to be more accepted by business folks, but many of us don’t really walk the walk. And no, I do NOT think metrics are the answer. <shudder>

Some other general thoughts (not security):

  • It is officially time to stop clipping your phone to your belt. You are not Batman. In fact, not even Robin.
  • All movie critics suck. Why do we listen to them at all? I, for one, do not need my movies to be deep and meaningful all the time.

And off we go.
