Security Insights


by Gene Schultz, PhD, CISM, CISSP


Indiana Legislation: Part 2

In a blog posting several weeks ago, I lamented Indiana’s not having been able to pass new and better legislation concerning protection of personal information. You may recall that current Indiana law in effect requires notifying potential data security breach victims only if a portable electronic device containing their personal data is not password-protected or if the password has been disclosed.

Both the Indiana House and Senate have now passed an amendment to the existing law requiring that potential data security breach victims be notified unless the data on a portable electronic device is encrypted and the encryption key has not been disclosed.

This change will become effective on July 1 this year.

The new legislation in Indiana is by no means anywhere near perfect. For one thing, the strength of encryption is not specified. (This weakness in Indiana’s new legislation is the same weakness that has limited the effectiveness of California law SB1386.) A company could therefore use the most rudimentary of encryption algorithms, something like ROT13 (i.e., a simple cipher in which each letter of the plaintext is replaced by the letter 13 positions to the right of it in the alphabet), to encrypt customer data. If the computer on which the data resided were compromised or stolen, decrypting the data might thus not be very difficult.
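To make concrete why an unspecified encryption strength matters, here is an added Python example (not part of the original post) that implements ROT13 and the general 26-shift Caesar cipher it belongs to, and shows that a stolen "encrypted" file of this kind is readable with no key at all; the customer record is a constructed sample, not real data.

```python
from typing import List


def caesar_shift(text: str, shift: int) -> str:
    """Shift every ASCII letter by `shift` positions, preserving case.
    Digits, punctuation and whitespace are left untouched."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is the shift-13 Caesar cipher. It has no key: applying it
    twice returns the plaintext, so anyone holding the 'ciphertext'
    can read it."""
    return caesar_shift(text, 13)


def recover_without_key(ciphertext: str) -> str:
    """What the holder of a ROT13-'encrypted' laptop has to do: nothing
    secret is needed, the transformation is its own inverse."""
    return rot13(ciphertext)


def all_caesar_candidates(ciphertext: str) -> List[str]:
    """For any Caesar shift the 'key' is one of only 26 values, so every
    possible plaintext can simply be listed; the real one is among them."""
    return [caesar_shift(ciphertext, -k) for k in range(26)]


# Constructed sample record (made-up name and number), not customer data.
RECORD = "Name: Jane Doe, SSN: 123-45-6789"

if __name__ == "__main__":
    stored = rot13(RECORD)
    print("stored on disk :", stored)
    print("read, no key   :", recover_without_key(stored))
    # Note that the digits, the most sensitive part, were never changed.
```

Under a law that only says "encrypted", the stored string above would qualify, yet the digits of the identifier are not even altered and the letters come back with one more application of the same function.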

Additionally, the provision in previous versions of Indiana’s protection of personal information bill that required that the state attorney general be notified of data security breaches fell by the wayside in the most recent version of the bill. This provision was strongly opposed by a number of big, powerful corporations; accordingly, a number of Indiana legislators omitted it from the version of the bill that passed.

Over the years considerable progress in national cybercrime legislation, particularly in the US, Canada and Europe, has been made. States within the US have also achieved considerable progress. For example, 39 of the 50 states in the US have data security breach notification laws.

A small but growing number of states now also require some level of protection for personal and financial data. Obviously, there is still a long, long way to go, but at least seeing changes such as the recent amendment to Indiana’s law concerning protection of personal information is very much a step in the right direction.

And while we are at it, let’s be sure to give a word of praise to both State Representative Matt Pierce, the author of the legislation, and a persistent graduate student from Indiana University named Chris Soghoian.

Last year Soghoian contacted Rep. Pierce, requesting that he examine loopholes in the protection law as it was then and proposing ways to close them. Rep. Pierce should be credited with being open-minded and knowing the right thing to do once he understood it.

Soghoian also deserves considerable credit. If Soghoian had not taken the degree of initiative that he took, the new legislation would almost certainly never have been passed. Soghoian is young—he is still in school—yet he has already accomplished quite a feat. Think of the potential he has to make a tremendous impact over the span of his professional career!

~ : ~

The “Cyber Storm” War Game

I recently read with great interest a news item that covered a gigantic “Cyber Storm” war game that transpired approximately two years ago. The US Department of Homeland Security, in cooperation with the Pentagon, Justice Department, State Department, National Security Agency, and CIA, conducted a detailed simulation of three categories of massive disasters: computer attacks, physical attacks and psychological subversion attempts.

Participants included employees of the US government and the private sector within the US as well as others from countries such as Australia, England, and Canada. Scenarios included unauthorized access to airline computers, a breakdown of police communications systems in one city, hundreds of individuals on “no fly” lists arriving at airport check-in counters at approximately the same time, commercial software blueprints being stolen, computer failures at border checkpoints, computer blackouts at New York Harbor ports, and many others.

Observers generally rated the participants’ performance as fair or sometimes better.

Conducting exercises such as the “Cyber Storm” war game seems like an exceptionally good idea. Incident response testing is too often ineffective because those who must carry out incident response lack hands-on experience with it.

Paper-and-pencil tests and tabletop walkthroughs are better than nothing when it comes to testing incident response procedures and affording some level of familiarity with the nature of incidents and the types of responses that are appropriate. But these tests and walkthroughs simply do not go far enough when it comes to the realism dimension.

Scenario playing is the obvious solution, but for a variety of reasons, lack of knowledge and lack of resources in particular, many organizations never engage in this activity.

Catastrophes such as the ones in the scenarios to which participants in the massive war game responded are bound to happen some day, perhaps soon, given the crazy, topsy-turvy world in which we live. The experience that the participants gained is likely to be closest to what they will actually experience when they have to deal with large-scale catastrophic incidents.

Additionally, participating in the scenarios enabled organizations to find missing or inappropriate steps in their incident response procedures so that both could be corrected and/or updated. Procedures, after all, are not really validated until they can actually be successfully performed under real-world or near real-world conditions.

Most organizations do not have the time and resources to hold exercises of the magnitude of the war game that occurred several years ago. They can, however, benefit considerably by obtaining information about the one that was held.

Obtaining this information was at first nearly impossible, as the government for obvious reasons held on tightly to this information for a long time after the termination of the war game. The Associated Press ultimately won in its efforts to obtain this information through the Freedom of Information Act, opening the door for this information’s widespread dissemination.

And if you missed the last war game, stay tuned: the US government has announced that it is going to hold another one soon.

~ : ~

Indiana Legislators Consider Security-Related Legislation

In connection with my being one of the editors of the SANS NewsBites, twice each week I look through potential security-related news items. Yesterday I read that Indiana state lawmakers are considering proposed legislation that would mandate encryption of customers’ personal information. The purpose is to protect individuals against identity theft in case of unauthorized access to such information.

The Indiana House and Senate have different versions of this bill. The House version, Indiana House Bill 1197, differs from the other in that it would additionally require both that commercial entities employ strong encryption for customer-related information and that they report data security compromises to potentially affected individuals as well as to the office of the attorney general. Reported breaches would then be available on a public Web site.

The proposed legislation is by no means watertight.

For example, an individual’s name and social security number are considered personal information, but numerous categories of information that could potentially comprise personal information are not mentioned. Still, the proposed legislation represents a big step forward in that it would require upfront protection of customer information, not merely post hoc measures such as prompt notification in case of a potential data security breach (which is still considerably better than requiring no control measures whatsoever). That is a real potential victory for the general public and a real setback for perpetrators of identity theft.

The requirement for strong encryption and also notification of data security breaches to the attorney general’s office in the House version of the proposed legislation would also be extremely beneficial to the public.

Perhaps most importantly, however, if Indiana were to pass this legislation, it would set a new standard for other states (and, hopefully, the federal government at some point in time, and perhaps even other countries) to follow.

Things that appear to be just fine are never as good as they seem to be, and the Indiana legislation is no exception. Strong forces in the form of corporate giants such as AT&T, Microsoft, and LexisNexis strongly oppose this legislation (specifically, the House’s version of the legislation) because of the requirement to report data security breaches to the Indiana attorney general’s office, and are working vigorously to defeat this legislation. These organizations’ opposition is not devoid of logic. For one thing, the requirement to report data security breaches to the attorney general’s office would mean government involvement in what would almost always be an already complex and potentially charged situation. Additionally, a publicly available site that lists information about data security breaches could, if not designed, implemented and secured very wisely, turn into a catastrophe.

It appears to me that the more critical part of the legislation as far as the potential benefit to the public goes is requiring encryption of personal information.

Because the provisions for encryption and for reporting are in the same bill, if the corporate giants are successful in their efforts, encryption of customer data will not be required. This would be a real shame. The Indiana legislature would then in effect have to start over in its effort to pass this kind of legislation, but almost certainly with less momentum than before.

One can only thus hope that the House and the Senate can reach a compromise concerning the provisions of this proposed legislation, and that whatever this compromise is, it will retain much of the strength of the original versions and that it will also now be acceptable to the corporations that oppose the House’s version.

~ : ~

Bush’s Executive Order on Cyber Security: Will it Do Any Good?

Several weeks ago President Bush signed an executive order, National Security Presidential Directive 54/Homeland Security Presidential Directive 23, intended to improve cyber security within the US government by mandating monitoring of US government networks.
The order, which provides an unspecified, but presumably huge amount of funding, stirred up no small amount of controversy. Critics complained that the order calls only for monitoring, not up-front security measures, and as such they have predicted that this order’s provisions will do little if anything to genuinely improve cyber security within the government.

The fact that the public sector was excluded, even though the public sector is a critical part of the critical national infrastructure, triggered additional criticism. To top it off, privacy advocates have pointed out that the order will result in what will effectively amount to yet more government spying on individuals.

Although the real motivation for putting this new executive order in place is not certain, a few hypotheses seem extremely plausible.

First, most US government agencies have not gotten very far in their efforts to secure their systems. US government systems are among the most vulnerable in the world to attacks, as shown by the plethora of security breaches (in many of which sensitive and even classified information has been compromised) in these systems over the years.

Security within agencies desperately needs to be improved, and monitoring is likely to help.

Second, the many widely publicized incidents in these systems have caused considerable embarrassment to the President, who, ironically, has strongly advocated fighting terrorism and bolstering national security while until recently doing little to improve the protection of systems that can be used for sordid purposes by terrorists and other enemies of the US.

Third, the government as a whole is to a large degree in the dark concerning what is actually going on with respect to cyber security within each of its agencies. The lack of central monitoring capabilities and the failure on the part of agencies to report incidents are two of the major causes. Once again, monitoring is likely to help.

I have mixed reactions to the latest of a series of US government cyber security initiatives. On one hand, someone or some group of individuals within the current administration seems to genuinely understand the high level of risk that US government systems currently face. Furthermore, the fact that a tangible solution has been proposed and that the executive order will result in a substantial amount of funding to try to get the job done is quite encouraging.

Finally, although some have criticized the post-hoc nature of the measures called for in the executive order, monitoring, if done correctly, can prove extremely effective; it enables technical staff members who monitor to quickly spot security-related breaches and respond to them, thereby effectively containing the potential damage and impact.

On the other hand, the current executive order is just one of many such massive cyber security initiatives that the government has undertaken over the years. I honestly do not recall any even partially successful such initiative because of a combination of big egos in high places within agencies, irrational political games, bureaucratic bungling, and squandering of programmatic funds. Even much smaller scale efforts, such as NASA’s previous initiative to centrally monitor network activity at all NASA sites, have failed miserably.

Remember—those who do not heed the lessons of history are doomed to repeat it.

So the question remains—will Bush’s executive order on cyber security do any good?

My guess is that despite the odds, it will do some good. If nothing else, it should help the Department of Homeland Security (which has been assigned the responsibility of doing the monitoring) become more aware of the kinds of attacks and security breaches that government agencies actually face. At the same time, however, at the end of it all when the costs versus the benefits are weighed, the costs are likely to far outweigh the benefits.

~ : ~

Passwords, Passwords, Passwords

I was trying to check my leave balance on a Web site operated by the provider that High Tower uses for personnel administration and payroll, and I just attempted to log in to an account set up by this provider. My password did not work. Frankly, I cannot even remember the name of this account, let alone what the password is. Why? I am certain that it is because I have so many accounts, some that I use in connection with my job, others that I use for Internet access through two Internet service providers (ISPs), still others that I use for things such as frequent flyer programs, more that I use for additional rewards and discount programs, yet others that I use for access to accounts set up by organizations for which I write papers and book chapters, and, finally, others that I use for stock broker accounts.

Frankly, I do not even have a chance of getting any password right except for the primary accounts that I use at work and my ISP accounts. I hesitate to write down any passwords on slips of paper because in information security doing so is taboo, and I am also reluctant to use the same password for more than one account because of the risk of a break-in into one account resulting in easy unauthorized access to other accounts. I could, I suppose, choose a base password and then add characters to it based on the particular account in question, e.g., borders for an account at Borders Books, but then I would almost certainly forget what the account name was anyway. I suspect that the only viable solution for someone like me is a tool such as Password Vault™, which allows a user to store all passwords for all accounts in one place. The user must remember only a master password. As good as Password Vault™ appears to be, however, I wouldn’t count on my purchasing and installing this tool any time soon.

The real solution to the underlying problem, namely that organizations are still relying on password-based authentication, is doing away with passwords altogether. True, there are several advantages associated with using passwords. For one thing, many systems and applications are password-dependent; changing the authentication method may be possible, but it could prove to be expensive and complicated. Furthermore, passwords are, at least by superficial appearances, easy to assign and administer. But I suspect that the main reason that password-based authentication is so much alive and well is that everyone, users very much included, is used to passwords. Passwords, after all, have been used for access to systems for nearly half a century.

What people who still defend the use of passwords for authentication and authorization too often forget are the many associated liabilities. Passwords are extremely crackable; doubters should obtain and run a copy of a powerful password cracking tool such as Rainbow Crack, a truly eye-opening experience for the uninitiated. Also, conventional passwords are static credentials. As such, they are subject to being sniffed over the network or captured by keystroke and tty sniffing tools. Additionally, the effort involved in password administration runs up IT costs in organizations much more than people realize. One of the major reasons for help desk functions is in fact the need to reset forgotten or expired passwords. Finally, as I have previously mentioned, remembering and caring for passwords for multiple accounts is very arduous.

Good alternatives to password-based authentication exist. Tokens, biometrics, smart cards, and picture identification are just a few. Major hurdles include cost (purchase and maintenance), usability (which is less than optimal with some of these methods), having to modify systems and applications to accommodate new authentication and authorization methods, and disruption of the status quo in the IT environment. The downsides can, however, often be easily offset by numerous advantages, of which considerably stronger authentication that results in fewer and less costly security breaches is one of the greatest. Additionally, help desk costs may diminish considerably if a suitable alternative form of authentication and authorization is chosen and the procedures associated with it are well designed. In one Fortune 500 company the information security manager proposed that smart chips embedded in employee badges be used for authentication and authorization in all company computing systems. He successfully made his case to senior management by pointing out just how high the cost of assigning and resetting passwords was. Embedding chips in badges did not really inconvenience employees because they were already required to bring their badges with them and use them to enter this company’s premises. System and application administrators were required to change settings to terminate new sessions that were authenticated with the same smart card used to authenticate another current session, thereby greatly attenuating the problem of smart cards being loaned to employees.
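The session control described for the badge smart cards can be sketched in a few dozen lines. The following Python registry is an added example (not code from the company or from the page) that refuses a new login when the same card already has a live session, records the refusal so it can be alerted on, and expires idle sessions so that a forgotten login does not lock the legitimate card holder out. The card identifiers, timings and the 15-minute idle limit are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Fixed clock for the worked example (constructed, not a real login record).
T0 = datetime(2008, 3, 10, 9, 0, 0)


def later(minutes: int) -> datetime:
    """Time `minutes` after T0; used so the example is deterministic."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Session:
    session_id: str
    card_id: str
    last_seen: datetime


@dataclass
class SessionRegistry:
    """One live session per smart card. A login with a card that already
    has a live session is refused (the new session is the one terminated,
    as on the page), so a card lent to a colleague is useless while its
    owner is logged in."""
    idle_timeout: timedelta = timedelta(minutes=15)   # assumed limit
    _active: Dict[str, Session] = field(default_factory=dict)
    _events: List[Tuple[str, str, str]] = field(default_factory=list)

    def _expire_idle(self, now: datetime) -> None:
        # Drop sessions whose owner has gone quiet; otherwise a session
        # left open at a walked-away terminal blocks the card forever.
        for card_id, s in list(self._active.items()):
            if now - s.last_seen > self.idle_timeout:
                del self._active[card_id]
                self._events.append(("expired", card_id, s.session_id))

    def login(self, card_id: str, session_id: str, now: datetime) -> bool:
        self._expire_idle(now)
        if card_id in self._active:
            # Duplicate use of one credential: refuse the NEW session and
            # record it, since that refusal is itself worth an alert.
            self._events.append(("refused_duplicate", card_id, session_id))
            return False
        self._active[card_id] = Session(session_id, card_id, now)
        self._events.append(("login", card_id, session_id))
        return True

    def activity(self, card_id: str, now: datetime) -> None:
        """Called on each request so the idle timer reflects real use."""
        s = self._active.get(card_id)
        if s is not None:
            s.last_seen = now

    def logout(self, card_id: str, session_id: str) -> bool:
        s = self._active.get(card_id)
        if s is None or s.session_id != session_id:
            return False
        del self._active[card_id]
        self._events.append(("logout", card_id, session_id))
        return True

    def active_session(self, card_id: str) -> Optional[str]:
        s = self._active.get(card_id)
        return s.session_id if s else None

    def events(self) -> List[Tuple[str, str, str]]:
        return list(self._events)


if __name__ == "__main__":
    reg = SessionRegistry()
    print(reg.login("badge-1001", "sess-a", T0))        # True
    print(reg.login("badge-1001", "sess-b", later(2)))  # False: card in use
    print(reg.logout("badge-1001", "sess-a"))           # True
    print(reg.login("badge-1001", "sess-b", later(3)))  # True
    for ev in reg.events():
        print(ev)
```

The choice to refuse the second session rather than the first matches the page's description; the opposite policy (evict the older session) is also common, but it lets whoever holds the card push the real owner off, which is exactly the loaned-card problem the control is meant to reduce.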

The problem of gaining access to systems and applications that cross organizational boundaries is, however, much more formidable. For example, for several years Microsoft touted Windows Passport, in which a single password could be used in a wide variety of Internet transactions. Passport, however, never caught on with the public. Certain credit card companies are experiencing somewhat greater success; they are embedding smart chips in the credit cards that they issue. Major downsides include the financial expense and effort involved in widespread dissemination and maintenance of smart card readers as well as some usability liabilities.

Regretfully, however, there is no easy solution to the liabilities associated with users having to use passwords, let alone multiple passwords. Hopefully, better solutions than those currently available will emerge in time.

~ : ~

Identity Theft Study Fingers Certain Banks

I read with interest a news item based on a study performed by the University of California at Berkeley’s Center for Law and Technology. This study’s findings show which US financial institutions, retail merchants, and utilities have the most complaints concerning identity theft incidents. Bank of America was first, AT&T was second, Sprint/Nextel was third, JPMorgan Chase came in fourth, and Capital One was fifth.

Virtually no research is conducted perfectly, and, not surprisingly, critics were quick to point out several significant limitations of this study. The data were more than two years old, and the primary statistic was perceived identity theft incidents (i.e., cases in which customers complained that they had experienced identity theft), not necessarily confirmed incidents.

Still, this research not only provides some empirical data concerning the prevalence of identity theft complaints among various well-known commercial entities, but also constitutes a giant step forward in promoting accountability among these institutions. From a public relations viewpoint, appearing in the “top five” list, as Bank of America, AT&T, and other institutions did, is anything but good. These (as well as other) institutions are now likely to be highly motivated to “clean up their act” with respect to reducing the number of complaints about identity theft.

What can these institutions do?

The answer is that they need to adopt the “usual” measures (e.g., strong authentication, data encryption, strong access control measures, and more) designed to reduce data security breach incidents as well as improve their notification procedures should a data security breach occur.

No security control measure is perfect, however, and despite the best intentions and the use of strong security controls, data security breaches are still likely to occur (even though they may be less likely). This is where rapid detection of data security breaches comes in. Audit logs can provide the data needed to detect such breaches, as can intrusion detection data, but many if not most attacks designed to gain unauthorized access to personal and financial information are “beneath the radar” attacks designed to escape the notice of system administrators combing through audit logs and intrusion detection analysts inspecting the output of intrusion detection and intrusion prevention systems.

An excellent technology solution exists: Security Information and Event Monitoring (SIEM) tools. These tools collect information from a large variety of sources (individual systems, firewalls, routers, switches, intrusion detection and intrusion prevention systems, Web servers, and more) and then apply event correlation algorithms to determine whether or not a security breach has occurred.

Because these tools can “see” far more than any one system (especially a compromised system) can “see,” they can and do detect subtle indications of attacks and alert operators in near-real time. It would thus be fascinating to find out whether the most complained-about institutions use SIEM technology, and if they do, whether they use products that yield nearly perfect detection rates and extremely low false alarm rates. I’m not a betting person, but if I were, I would bet that none of these institutions do.
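As an added illustration (my own example code, not a product described on the page or used by any institution named above), the following Python sketch shows the kind of cross-source correlation the two paragraphs above describe. A firewall, an SSH daemon and a database application each log one stage of an incident in constructed sample lines; taken alone, the firewall sees a permitted connection, the host sees three failed logins followed by a normal one, and the application sees a legitimate user exporting a table. Only the combined, time-ordered stream matches the rule. Log formats, hostnames, addresses, thresholds and the 10-minute window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    source: str   # which log produced it
    kind: str     # normalised event type
    ip: str       # external address the event concerns


# Constructed sample log lines; hosts, users and addresses are made up.
FIREWALL_LOG = [
    "2008-03-10T02:14:05 fw1 ALLOW src=203.0.113.5 dst=10.0.0.12 dport=22",
    "2008-03-10T02:30:00 fw1 ALLOW src=198.51.100.7 dst=10.0.0.12 dport=22",
]
AUTH_LOG = [
    "2008-03-10T02:14:20 host12 sshd[411]: Failed password for admin from 203.0.113.5 port 50211",
    "2008-03-10T02:14:31 host12 sshd[412]: Failed password for admin from 203.0.113.5 port 50212",
    "2008-03-10T02:14:44 host12 sshd[413]: Failed password for admin from 203.0.113.5 port 50213",
    "2008-03-10T02:15:40 host12 sshd[414]: Accepted password for admin from 203.0.113.5 port 50214",
    "2008-03-10T02:30:15 host12 sshd[420]: Accepted password for backup from 198.51.100.7 port 40001",
]
APP_LOG = [
    "2008-03-10T02:17:02 custdb EXPORT table=customers rows=48213 user=admin client=203.0.113.5",
    "2008-03-10T02:31:00 custdb EXPORT table=customers rows=12 user=backup client=198.51.100.7",
]

# One parser per source format (formats are assumptions for the example).
TS = r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)"
FW_RE = re.compile(TS + r" \S+ (?P<action>ALLOW|DENY) src=(?P<ip>[\d.]+) dst=\S+ dport=(?P<port>\d+)")
AUTH_RE = re.compile(TS + r" \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for \S+ from (?P<ip>[\d.]+)")
APP_RE = re.compile(TS + r" \S+ EXPORT table=\S+ rows=(?P<rows>\d+) user=\S+ client=(?P<ip>[\d.]+)")

WINDOW = timedelta(minutes=10)   # correlation window (assumed)
MIN_FAILURES = 3                 # failed logins that suggest guessing (assumed)
BULK_ROWS = 10_000               # export size treated as bulk (assumed)


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def normalise(firewall: List[str], auth: List[str], app: List[str]) -> List[Event]:
    """Turn the three raw formats into one time-ordered event stream."""
    events: List[Event] = []
    for line in firewall:
        m = FW_RE.match(line)
        if m:
            events.append(Event(_ts(m["ts"]), "firewall", f"fw_{m['action'].lower()}_{m['port']}", m["ip"]))
    for line in auth:
        m = AUTH_RE.match(line)
        if m:
            kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
            events.append(Event(_ts(m["ts"]), "sshd", kind, m["ip"]))
    for line in app:
        m = APP_RE.match(line)
        if m:
            kind = "bulk_export" if int(m["rows"]) >= BULK_ROWS else "export"
            events.append(Event(_ts(m["ts"]), "custdb", kind, m["ip"]))
    events.sort(key=lambda e: e.ts)
    return events


def correlate(events: List[Event]) -> List[dict]:
    """Rule: at least MIN_FAILURES failed logins, then a success, then a
    bulk export, all from one address inside WINDOW. Each source on its
    own holds only one stage; the sequence is visible only when combined."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - start.ts <= WINDOW]
            fails = [e for e in window if e.kind == "auth_fail"]
            if len(fails) < MIN_FAILURES:
                continue
            nth_fail = fails[MIN_FAILURES - 1].ts
            ok = next((e for e in window if e.kind == "auth_ok" and e.ts > nth_fail), None)
            if ok is None:
                continue
            export = next((e for e in window if e.kind == "bulk_export" and e.ts > ok.ts), None)
            if export is None:
                continue
            alerts.append({"ip": ip, "first_seen": start.ts, "export_at": export.ts,
                           "sources": sorted({e.source for e in window})})
            break  # one alert per address; its later events are already covered
    return alerts


def detect(firewall: List[str], auth: List[str], app: List[str]) -> List[dict]:
    return correlate(normalise(firewall, auth, app))


if __name__ == "__main__":
    for alert in detect(FIREWALL_LOG, AUTH_LOG, APP_LOG):
        print(alert)
```

Feeding the auth log alone, or the firewall and application logs without it, produces no alert; that is the "beneath the radar" problem in miniature. The false-alarm side matters just as much: the second address in the sample logs in cleanly and exports a dozen rows, and the rule stays quiet for it.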

The University of California at Berkeley deserves much credit for pioneering research that is likely to in the long run be of great benefit to consumers. Let’s hope that this is only the first of a long line of studies of this nature.

~ : ~

Wikileaks: Pandora’s Box Opened?

Most of us do not know very much about a Web site named “Wikileaks.org,” but recent events virtually guarantee that many if not most of us will at least learn considerably more about sites of this nature—whistleblower sites.

Recently a disgruntled ex-employee of Swiss bank Julius Baer posted sensitive customer account information on Wikileaks. Last month the bank pressed for and was successful in getting the US District Court in San Francisco to issue an injunction that forced the site’s operators to take it offline.

Activist organizations such as the Electronic Frontier Foundation (EFF), one of a number of organizations that filed briefs on the case, and the American Civil Liberties Union (ACLU), as well as The Associated Press, were unhappy with this ruling and pressed for its reversal. The ruling, they said, violated the First Amendment right to free speech; it also could have simply required that the account information be removed rather than requiring that the site be shut down altogether.

Last week, only approximately two weeks from the original ruling, US District Court Judge White reversed his decision at a follow-up court hearing by allowing the site to go back online. White said he had serious misgivings about whether the legal measures that the bank desired were constitutional and also about whether they “constituted prior restraint by the government.”

Wikileaks is actually only one of many Internet sites at which sensitive information is posted. If you know where to look, you’ll find an amazing amount of personal information, including information about people’s habits, preferences (including sexual preference), dating history, religious beliefs, home addresses, and more on various sites.

On other sites disgruntled employees bare their kimonos concerning detested co-workers, working conditions that they deem deplorable, and the like. What is different about these sites is that few of the individuals whose names and information appear there are aware of the type and amount of information about them that is being posted, so few people care.

In contrast, Wikileaks contains deliberately leaked corporate and government documents. Given that Swiss banks attract many of their customers on the basis of individuals and organizations being able to deposit money there anonymously, imagine the strong reaction that executives of Julius Baer Bank must have had when they were informed that the identities of their account holders were publicly available on the Internet.

Just yesterday Julius Baer dropped its complaint, saying that it will use other methods to try to get Wikileaks to remove the posted documents. As a representative of the EFF said, once information is posted on the Internet, ruling that it be retracted is moot.

The Wikileaks case provides some valuable lessons learned. First, organizations that have experienced data leakages, such as the one Julius Baer Bank had, are not likely to find legal action to be a suitable remedy—once the damage is done, it is done. Additionally, this case illustrates just how difficult controlling against data leakage really is. Disgruntled as well as not disgruntled employees get access to sensitive information as part of their job duties.

Many studies show that disgruntled employees constitute a much higher than average risk when it comes to perpetrating insider attacks. Few organizations, however, try to systematically identify disgruntled employees and provide mitigating measures such as employee counseling.

Finally, I worry that very few of those charged with data protection truly understand just how many data compromise vectors potentially exist. Unfortunately, in many cases it will almost certainly take a rude wake-up call in the form of a major data security breach to substantially increase this understanding.

~ : ~

The Importance of a Good Information Security Policy – Part 4

I don’t want to drone on and on concerning information security policy, but this issue is so important that it warrants considerable analysis and discussion. In this last blog entry on this topic, I’ll assume that an organization has an appropriate, well-written, and well-distributed information security policy. This organization may deserve plenty of credit for this accomplishment, but if the organization does not do more with the policy, the policy will not yield the range of benefits that it can and should produce. In short, an information security policy should be the anchor of a number of important processes that go well beyond simply having a policy in place.

Here are a few examples:

  1. Dealings with potential business partners, contractors, and others can and should be dependent upon information security policy.
    As I mentioned earlier, an information security policy reveals an organization’s security posture. If an organization that has a reasonably good security posture is contemplating doing business with a potential partner, the way the potential partner practices information security could very much affect security-related risk and risk management within that organization. If the potential partner has a similar security posture, the organization has little to worry about. If, on the other hand, the potential partner has a poor security posture, by opening up its network and furnishing business-critical information to the partner, the organization’s security risk will skyrocket. The information security policies of the organization and the potential partner often provide the best “yardstick” of the state of security in both entities. An increasing number of organizations require that potential business partners, consultancies, and so on pass a security audit based on the organization’s information security policy before they will do business with the outside entities.
  2. When they apply, information security policy provisions need to be part of negotiations with both internal and external service providers.
    This is particularly important in internal service level agreements (SLAs), e.g., as when a function or group within an organization is considering obtaining network or system administration services from an internal provider. Provisions in the information security policy should translate to requirements in SLAs. The same is also true for external providers—in this case, information security policy provisions should become the basis for contractual provisions. If for any reason the provider has neglected to provide security called for in an SLA or contract, the function or group that pays for the provider’s services can threaten to or actually withhold payment or take other permissible measures.
  3. A growing number of information security practices take out insurance in case of large security-related losses due to security incidents.
    The insured typically must first prove to the insurer that it is a good risk, however. External auditors are thus often called in to audit security in the organization that the security practice serves. Frequently, the quality and enforceability of the information security policy are heavily scrutinized in the audit.

In conclusion, there are many benefits of a good information security policy, some that apply directly to an information security practice, and some that have potentially far-reaching effects within an entire organization. When push comes to shove, nothing is more important in information security than policy.

~ : ~