Posted on Thu, Aug 05, 2010 @ 09:55 AM
Data loss prevention systems are another form of employee monitoring that aims to detect the possible transfer or vulnerable storage of valuable and sensitive data assets. Reports from Osterman Research indicate that employees who use email also use instant messaging clients and wikis, post to blogs, use personal Webmail accounts for business purposes, check email from home, send files through FTP systems, take work home and on the road, use USB thumbdrives, transport corporate data on mobile devices, and use collaboration tools of various types.
Most of these communications and files are sent and transported without any sort of monitoring, encryption or oversight. The result is that organizations are deploying a growing array of tools and endpoints for employees to become more efficient. And, at the same time, they are creating a growing number of opportunities for information to leak out of an enterprise in unauthorized and potentially damaging ways.
The vast majority of these data breaches are inadvertent, but the opportunity exists for malicious users to send confidential and sensitive data, as well.
According to a survey conducted by Osterman Research during April 2008:
- 100% of organizations have deployed anti-virus capabilities
- 99% have deployed anti-spam capabilities
- 96% have deployed anti-spyware capabilities
However, even using a fairly broad interpretation of data loss prevention (DLP) capabilities, which would include products that don’t provide true DLP functionality, only 49% of organizations have deployed these capabilities.
Clearly, the data above suggests that organizations of all sizes are well aware of the need to monitor their inbound communications for spam and malware. However, they are not nearly as aware of the need to monitor outbound communications, or they are not taking the threat as seriously as they should. This, despite the fact that 27% of organizations in the same survey reported that during the previous 12 months data or information was accidentally or maliciously leaked from their organization.
What should you do?
- Identify the leak points.
- Deploy systems that will take appropriate action. Systems that monitor outbound communication should choose their response based on the suspected severity of the data breach.
- Promote appropriate employee handling of data. For example, if an employee sends an inappropriate message to a co-worker or a confidential document to a competitor's domain, a monitoring system should remind the employee of any corporate policies regarding the appropriateness of the communications vehicle they have chosen, or of other corporate policies.
- Perform the appropriate level of inspection. Based on corporate policies, the role of the employee in the organization and other factors, content should be inspected according to the applicable policies.
- Train and make employees aware of corporate policies.
- Implement forensics capabilities. Organizations may want to implement forensics capabilities in order to check on how data has been handled after it has been sent, either for legal purposes or simply to understand how its data is being managed.
- Implement a sender authentication scheme. While not an outbound content scanning mechanism, it is important for any organization to implement an authentication mechanism, such as SPF or DKIM, to ensure that recipients of its emails are given some level of assurance that the sending organization is valid.
- Integrate tightly with existing infrastructure. To reduce costs, organizations should consider solutions that are well integrated with their IT infrastructure whenever possible. This approach also speeds implementation and lowers ongoing administration costs.
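The inspection-and-action steps in the list above, as an added worked example (not the page's code and not any vendor's DLP product): a small outbound e-mail policy check that classifies a message by what it contains and where it is going, then returns one of four escalating actions, from delivering as-is, through reminding the sender of policy, to quarantining for later review and blocking outright. The domain lists, the CONFIDENTIAL marker, the Luhn-validated card pattern, the SSN pattern and the action ladder are all constructed assumptions for illustration; a real deployment would take them from policy.

```python
"""Tiered outbound e-mail inspection (constructed example, not any product's code).

Assumptions, not from the page: the domain lists, the CONFIDENTIAL marker and the
action ladder below are illustrative policy choices.
"""
import re
from dataclasses import dataclass, field
from enum import Enum

INTERNAL_DOMAINS = {"corp.example"}        # assumed: the organization's own mail domain
COMPETITOR_DOMAINS = {"rival.example"}     # assumed: domains the policy singles out
CONFIDENTIAL_MARKER = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens
CARD_CANDIDATE_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


class Action(Enum):
    ALLOW = "allow"              # no policy hit
    REMIND = "remind"            # deliver, but remind the sender of policy
    QUARANTINE = "quarantine"    # hold for review and keep a record for forensics
    BLOCK = "block"              # do not deliver


@dataclass
class Verdict:
    action: Action
    findings: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and other 16-digit strings are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card-like numbers found in text, separators stripped."""
    cards = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            cards.append(digits)
    return cards


def recipient_domains(recipients) -> set:
    return {addr.rsplit("@", 1)[-1].lower() for addr in recipients}


def inspect_message(recipients, subject: str, body: str) -> Verdict:
    """Classify one outbound message and choose the action for its suspected severity."""
    text = f"{subject}\n{body}"
    external = recipient_domains(recipients) - INTERNAL_DOMAINS
    findings = []

    cards = find_card_numbers(text)
    if cards:
        findings.append(f"{len(cards)} payment card number(s)")
    ssns = SSN_RE.findall(text)
    if ssns:
        findings.append(f"{len(ssns)} SSN-like value(s)")
    confidential = bool(CONFIDENTIAL_MARKER.search(text))
    if confidential:
        findings.append("confidential marker")
    to_competitor = bool(external & COMPETITOR_DOMAINS)
    if to_competitor:
        findings.append("recipient at a competitor domain")

    # Escalation ladder: the graver the suspected leak, the stronger the action.
    if not external:
        # Internal traffic is delivered; card numbers in mail still violate policy, so remind.
        return Verdict(Action.REMIND if cards else Action.ALLOW, findings)
    if cards or ssns:
        return Verdict(Action.BLOCK, findings)
    if confidential:
        return Verdict(Action.QUARANTINE, findings)
    if to_competitor:
        return Verdict(Action.REMIND, findings)
    return Verdict(Action.ALLOW, findings)


if __name__ == "__main__":
    # Constructed sample messages (recipients, subject, body)
    samples = [
        (["bob@rival.example"], "Deposit", "Use card 4111 1111 1111 1111 for the deposit"),
        (["bob@rival.example"], "Order", "Your order id is 1234567890123456"),
        (["bob@rival.example"], "CONFIDENTIAL roadmap", "See attached"),
        (["alice@corp.example"], "Lunch", "Noon?"),
    ]
    for rcpts, subj, body in samples:
        v = inspect_message(rcpts, subj, body)
        print(f"{rcpts[0]:<22} {subj:<22} -> {v.action.value:<10} {v.findings}")
```

The Luhn check is what keeps the "appropriate level of inspection" honest: a 16-digit order number to a competitor produces only a policy reminder, while a genuine card number to the same recipient is blocked. The `findings` list is the record an organization would keep for the forensics step, whether the message was delivered or not.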
Posted on Mon, Jan 11, 2010 @ 02:22 PM
A recent Newsweek article discussed the state of website passwords and asked the question "how do you build a better password?" What we learned is that the majority of accepted password methods, used on various websites, add a lot of complexity but not more security.
Computer researchers at Carnegie Mellon University are finding that many of the recent security advances in the banking, e-mail, and other critical systems you log into every day are adding more burdens to users but can still be hacked.
For example, mnemonic passwords, created by thinking of a phrase and combining the first letter of each word, are quite common. The article gives this example: the famous Ghostbusters line "Dogs and cats, living together!" becomes, with a few substitutions, "D&c,lt." However, most people use common, well-known phrases to create mnemonic passwords. As a result, scientists in a crude test were able to crack four percent of mnemonic passwords, suggesting that motivated hackers could do even better.
The other way most people create passwords is to rely on a single password and use simple variants for most websites. The problem with this approach is if that password is cracked at just one site, a savvy hacker can break into your personal information stored at other sites.
To discourage the latter from happening experts will tell you to create unique passwords for each website. And if you forget a password, no problem, just enter the right answer to one of several "security questions" that only you know. But a May 2009 study from Microsoft Research and Carnegie Mellon pulled the rug from under that approach by finding that subjects could guess their acquaintances' AOL and Yahoo challenges more than a quarter of the time. And, according to the study, one in five subjects forgot the answers to their own security questions in six months!
Instead of a mnemonic password, research suggests that users are better off constructing passwords out of a phrase itself, a passphrase. Newsweek gives this example: "a short but hard-to-remember string like 'J4fS<2' can be broken by what is called a brute-force attack (in which a computer attempts 'a,' then 'ab,' then 'abc,' and so on) in 219 years, while a long but easy-to-remember phrase like 'du-bi-du-bi-dub' will stand for 531,855,448,467 years."
The main point here is a simpler approach to creating a password can be stronger than the accepted wisdom of combining letters, numbers and symbols. So break out those old Sinatra songs, "do be do be doo... strangers in the night..." there could be some great passwords in them.
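The arithmetic behind the Newsweek comparison, as an added example (not Newsweek's or Carnegie Mellon's code): the size of the alphabet a password draws from, raised to its length, is the number of strings an exhaustive search must try, and length multiplies the exponent while extra character classes only enlarge the base. The assumptions, which are mine and not from the page, are that the attacker knows which character classes are in use, tries every string in that alphabet, and guesses 100 passwords per second against a 365-day year; under those assumptions the formula reproduces the 219-year figure for "J4fS<2", and the 531,855,448,467-year figure for "du-bi-du-bi-dub" when only the 26 letters are counted and the hyphens are ignored.

```python
"""Keyspace and exhaustive-search estimates for the two passwords quoted above.

Constructed example, not Newsweek's or Carnegie Mellon's code. Assumptions, not
from the page: the attacker knows which character classes are in use, tries every
string in that alphabet, and (by default) guesses 100 passwords per second.
"""
import math
import string

CHARACTER_CLASSES = [
    ("lowercase", set(string.ascii_lowercase)),   # 26 characters
    ("uppercase", set(string.ascii_uppercase)),   # 26 characters
    ("digits", set(string.digits)),               # 10 characters
    ("symbols", set(string.punctuation)),         # 32 characters
]
SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    for _, chars in CHARACTER_CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def keyspace(password: str, alphabet=None) -> int:
    """Number of candidate strings an exhaustive search must cover."""
    return (alphabet or alphabet_size(password)) ** len(password)


def entropy_bits(password: str, alphabet=None) -> float:
    """log2 of the keyspace: each extra character adds log2(alphabet) bits."""
    return len(password) * math.log2(alphabet or alphabet_size(password))


def brute_force_years(password: str, guesses_per_second=100, alphabet=None) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guess rate."""
    return keyspace(password, alphabet) / (guesses_per_second * SECONDS_PER_YEAR)


if __name__ == "__main__":
    for pw in ("J4fS<2", "du-bi-du-bi-dub"):
        print(f"{pw:<16} alphabet={alphabet_size(pw):>3}  bits={entropy_bits(pw):6.1f}"
              f"  years at 100 guesses/s={brute_force_years(pw):.3g}")
    # Counting only the 26 letters (hyphens ignored) gives Newsweek's second figure:
    print(round(brute_force_years("du-bi-du-bi-dub", alphabet=26)))
```

Two caveats a practitioner would add. The guess rate is the whole story for the absolute numbers: 100 guesses per second is an online-login rate, and an attacker with a stolen password hash tries billions per second, which shrinks both figures by the same factor but leaves the ratio between them intact. And exhaustive search is the wrong model for a phrase the attacker can predict: a passphrase lifted from a famous lyric, like the mnemonic built from a famous line that the post says was cracked four percent of the time, is a dictionary guess, not a 70-bit search.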
Posted on Wed, Jan 06, 2010 @ 01:05 PM
Several years ago software that monitored employee use of the Internet was big news. We heard how thousands of workers, on company time, visited pornographic sites, downloaded music and videos or just spent inordinate amounts of time surfing the web.
Sexual harassment cases and lawsuits came up when folks saw offensive materials on their co-workers' computers. Bandwidth charges were going up and network performance going down. In addition, there were statistics that said over 87% of hacking and confidential data losses were from company insiders. Workers just couldn't be trusted.
The question is: "Has the situation evolved?" While there are more restrictions, guidelines and penalties for inappropriate use of company assets and handling of confidential materials, has employee behavior changed? And therefore, do we still need surveillance software for our employees? The answers are no and yes, respectively. Behavior hasn't changed, and yes, we still need monitoring software.
Recent surveys indicate a majority of employers monitor their employees. They are motivated by concern over litigation and the increasing role that electronic evidence plays in lawsuits and government agency investigations.
Internet monitoring software has now evolved into larger security and surveillance suites. You can monitor and trace employees' use of e-mail, the Internet, computer files, keystrokes, chats in all popular instant messengers, logins and logouts, as well as "shadow copy," which allows network administrators to create copies of files that workers transfer to USB devices.
Solutions include the following:
- Record logging: record everything from keystrokes, websites visited, FTP downloads and P2P downloads to screen captures of what is on a user's computer
- Email logging: emails sent and received, as well as attachments and instant messenger discussions, can be monitored and recorded
- Internet filters: block ports on your network servers normally accessed by certain Internet protocols, as well as specific websites, bulletin boards, P2P downloads, foreign languages, and content using keyword filters
- Anti-spyware/anti-virus: block downloads which are identified as potentially harmful, as well as viruses, worms, malware, spam, drive-by downloads and phishing attacks
While most transgressions in the workplace are committed by a few, the impact on the organization of a single breach of trust could be great. Therefore we continue to monitor, safeguarding the halls of our institutions.
Posted on Mon, Nov 23, 2009 @ 08:54 AM
Huh? That was probably your reaction when you read the title. What do the H1N1 virus, called swine flu, and Michael Jackson have to do with network security? I'm glad you asked. One of the methods increasingly used by cyber criminals to infect, hijack and ransom users' data is malicious websites promoted in search rankings on the strength of popular news items.
Here's how it works. You want to know more about swine flu, so you type the term into Google and various websites appear in the search results. You click on a website, but it doesn't have anything to do with swine flu, so you leave. Bam! You've been infected by a "drive-by download."
A drive-by download is the installation of spyware, a computer virus or any other kind of malware without the user's knowledge. Drive-by downloads happen by visiting a website, viewing an e-mail message or clicking on a deceptive popup window.
In 2008 Symantec reported that there were 18 million drive-by download attempts. In the first half of 2009 there were already 17.5 million attempts, so the threat appears to be increasing. One of the more nefarious schemes is malware, delivered by a drive-by download, that encrypts the user's data on their computer. The criminal then sends a ransom notice stating that the key to unlock the data will be released if the victim makes a payment.
What can you do to protect yourself? Maintain and keep up-to-date all facets of your security and risk prevention systems. As cyber criminals become craftier in their methods, our security needs to be one step ahead.
Posted on Wed, Sep 30, 2009 @ 12:26 PM
In a recent article posted to Dark Reading, a couple is suing their bank for failing to protect their account, which resulted in a fraudulent wire transfer. Apparently someone stole the logon credentials to the couple's on-line account and obtained a loan of ~$26,000, which was deposited into the couple's business account. From there the money was transferred to a bank in Hawaii and on to Austria.
The couple is suing the bank largely based on allegations that the bank failed to properly secure the couple's account. In the article, Mr. Bruce Schneier states, "But it makes no sense that the customer should be responsible for [banking] fraud...The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."
This intrigued me and so I went to his blog (http://www.schneier.com/blog/archives/2009/09/eliminating_the.html) to find out more. It is, or was at the time of the blog entry, Mr. Schneier's opinion that the only way to combat this type of fraud is to make the bank liable for fraudulent transactions. With all due respect, I have to disagree. Promoting this point, in this particular case, is a bit like putting the cart before the horse.
What the article does not tell you are at least a few important points regarding this case:
- How did the thieves obtain the logon credentials? Did either the man or woman (both?) write them down in plain sight; was their PDA stolen; did they use something easily guessable; etc.? It seems that no one is contesting the validity of the credentials so my first question is how they were obtained. If the couple did not take adequate risk protections then where is their responsibility and liability?
- Were there other, similar transactions (obtaining a loan of similar amounts) in the banking history of this couple? Maybe the bank's fraud transaction system did notice it, but since others had occurred (with similar characteristics) it was not a red flag.
- Were there any regulatory or legal statutes broken by the bank? If not, then that could imply they were doing their due diligence. We don't know the results of their last security audit from regulators: did they pass with flying colors, or were there shortcomings in on-line security measures and/or countermeasures?
Mr. Schneier goes on to suggest that banks become more like credit card companies with regard to identifying and stopping fraudulent transactions. As he correctly points out, credit card companies have "...developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants." And you can bet that these security technologies are a large investment, money that many banks don't have. I don't know exactly how Citizen's Financial Bank ranks in terms of revenue, but it is probably a safe bet they are not as large as the major credit card companies. And while the credit card companies may not be drowning in fraudulent transaction losses, their feet are not completely dry. Their solutions and technologies do reduce the chance of fraud, but they are not perfect, especially if someone has a legitimate credit card number.
Suppose someone stole a credit card that you (against all advice) had not signed. A thief uses the card to purchase a big-ticket item and when you get the bill, you rightfully contest the charge. Is it the credit card company's fault that a legitimate card was used? No. Is it the fault of the store clerk who did not check for a signature? Maybe. If the clerk had questioned the "card holder," the thief probably would have forged the signature anyway. Is it the fault of the original card holder, who should have signed the card, thereby giving the clerk an opportunity to compare signatures and making the purchase more difficult? That's my belief.
Without knowing the extent to which the original bank account holders did their own due diligence to protect their account, and without knowing the extent of the bank's security measures, I don't think we can just put the blame on the bank.
I do agree with Mr. Schneier on one point: "It's an important security principle: ensure that the person who has the ability to mitigate the risk is responsible for the risk." My point exactly. If it turns out the account holders (who have a major role in protecting their account) did not do this, then they should be held responsible.
The full article can be found here regarding this case: http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=220100950
Posted on Thu, Dec 18, 2008 @ 02:59 PM
I've had a nagging question for some time now. It comes to mind when an incident happens like the one in Estonia (see Wired magazine: http://www.wired.com/politics/security/magazine/15-09/ff_estonia). I read the aforementioned article and thought, "My God, if this was done on U.S. soil we'd have an international incident on our hands! The press would have a field day if another country tried to bring a halt to our financial systems." If I'm thinking this, then surely more people are as amazed and intrigued as I am, right?
It turns out, maybe not--at least not in the numbers I would have expected. Granted, I don't watch TV (I do have a Netflix account but I do not subscribe to any cable service, by choice), but there was hardly a whisper outside tech circles about this particular incident.
That being said, when one takes a step back and looks at the big picture, this seems to be a common theme. Cyber crime just doesn’t draw the attention that physical crimes do. I believe the biggest problem is an apparent apathy for technological crimes. It’s what we could call "Darfur Syndrome".
By this I mean we as a people disconnect from that which we cannot relate to. Identifying and caring about something small and substantial is easy, like a friend or family member for example. But when the number of people grows and the common bond becomes less apparent the personal connection is lost and disinterest begins to take hold.
We don't "see" cyber crime. We see figures and definitions that mean little, as we have no context for them. We can put armed robbery in context. It's right there on the TV screen--masked men with guns and hostages challenging our basic fears. A DNS attack on a server in a small European country that one may or may not know of doesn't have the same effect. While physical harm in the first instance is daunting, few people can relate to the devastating effect of a stolen identity.
So I pose a question to those reading this post. How do we get an average person to care about security issues we all face but few pay any attention to? What can we do to raise the seriousness of such crimes?
Posted on Wed, Nov 26, 2008 @ 12:00 PM
A by-product of almost every transaction made by people today is personal data being stored electronically somewhere, usually in several different places such as a retail outlet, a bank and credit card companies.
According to the Federal Trade Commission's 2006 Identity Theft Report, prepared by Synovate, 8.3 million American citizens were victims of identity theft during 2005. And while identity theft is a federal crime, there are no federal laws to protect personal data on a national basis. Some of the laws currently in force deal with specific industries: the Gramm-Leach-Bliley Act (GLBA) applies to financial entities, the Health Information Portability and Accountability Act (HIPAA) is for healthcare, the Federal Information Security Management Act (FISMA) is for government entities, the Payment Card Industry/Data Security Standard (PCI/DSS) is for the credit card payment industry, and so on. Individual states have also been busy enacting various laws to help protect their citizens from identity theft and related incidents. One example is the State of Maryland House Bill 208. This law requires businesses that have personal information to notify the residents of Maryland in the event the business' computers are breached and the personal data may have been exposed. The Maryland law also requires businesses to "...implement and maintain reasonable security procedures and practices..." But these, and other State laws, are only valid at the State level.
What our country needs is a national data protection law -- one that can be used as a basis for protection and that individual states and industries could opt to expand. This law would define baseline protections that must be afforded to personal information regardless of who is collecting, storing and using the data. Such a law would also mandate that the government define exactly what data elements are to be considered "personal". Those of you familiar with the laws above know that what is considered "personal" under HIPAA is not the same as under GLBA. However, some similarities do exist, and from these a common definition of "personal" data can be established. These similarities can also be found in the pending bills before the US Congress. An on-line search at the Library of Congress for the phrase "data protection" returned several pieces of legislation that are yet to be voted on, eleven of them containing the exact phrase. Many of these documents seemed to focus on notification after a breach has occurred; however, Senate Bill 495 (S. 495) is fairly comprehensive in the protection of sensitive personal data. But what this bill and the others do not do is definitively list the data elements to be protected.
The proposed legislation reviewed for this article revealed that (with one exception, S. 495) a person's name, address, and phone number would be required to be protected, along with a list of other elements if used in combination with the required elements. Among these "combinatory" elements were social security numbers, financial account numbers, PIN numbers, driver license numbers, and biometric data, to name a few. Senate Bill 495 only requires the person's name to be protected and, as part of the "combinatory" elements, lists "social security numbers, passport numbers, and driver license numbers all of which are 'non-truncated'". Senate Bill 1558 (Federal Agency Data Breach Protection Act) did not specifically list a person's address or phone number, but all of the data elements listed were required. S. 1558 also included the phrase "other linkable information to the individual," which could be taken as address and phone number, among other items. Individual industries can then add more pertinent elements as necessary. From the "common" list of elements an appropriate protection scheme can be built.
Enacting a national data protection law may help us with the international community as well. The European Union (EU) has established a data protection directive, and several countries within the EU have adopted their own individual data protection laws. Australia, Japan, Canada, and other countries have all adopted similar legislation -- some wrapped into a national privacy law, but the protection portions still exist. Occasionally it is reported in the news that certain negotiations between the US and other countries, normally involving trade, are held up while discussions are held concerning the lack of adequate protection of personal data of non-US citizens. A national data protection plan may help these negotiations progress. It certainly couldn't hurt.
I certainly support the various laws (federal and state) that have been enacted thus far. They are necessary for prosecuting criminals and assisting victims of identity theft. We need to go to the next step and enact a data protection plan, on a national scale, that can be expanded as needed by state or industry. My plan would be similar to many of the requirements found in Senate Bill 495; however, I would like to see a better definition of the required elements and the "combinatory" elements. It would not include phrases like "non-truncated". This national data plan would apply to all entities (public, private, and governmental) so that the data is protected regardless of who has it. Such a plan would help us reduce the number of victims and the severity of the consequences of identity theft, and aid in negotiations with other countries to boot. Are we ready for a national data protection law? For the reasons stated above, I think so.
UPDATE - Massachusetts enacts data protection law
I see where the Massachusetts state legislature has enacted a data protection law for their residents. Basically the law states that anyone (not just in the State) who gathers certain information on Massachusetts residents must take certain protective measures for that data. So if a Massachusetts resident were to purchase something on-line from a site in Tennessee, the seller would be responsible for protecting some, if not all, of the data on the buyer. While I applaud Massachusetts for taking this stand, it has the potential of causing mass confusion for business owners. When other states develop their own data protection laws, and why shouldn't they, they may use the Massachusetts law as a model, but there will certainly be some minor changes/tweaks/etc. to satisfy each state legislature. Looking down the road, this has the effect of requiring business owners to be aware of, and build the infrastructure to accommodate, 50+ (including US territories) sets of data protection laws, the costs of which could be enormous. The possibility of this further emphasizes the need for a baseline national data protection law. States could increase the protections but could not decrease the minimum measures required to protect US residents' data. Again I call for the US Federal Government to be proactive rather than wait for the confusion and headaches that 50 such state laws will cause. To read more on the Massachusetts law, go to Massachusetts Data Protection Law