data security

July 02, 2009

Storage Security, the Dynamic Data Center, and Catalyst

Blogger: Trent Henry

Here at Burton Group we’ve been looking at x86 virtualization and its impact on security. In my recent report on that topic, I specifically called out how auditors respond when they encounter virtual systems. The major issues include:

  • Separating systems with perimeters and limiting audit scope
  • Hardening systems against attack and maintaining patches (including hypervisors themselves and offline guest machines)
  • Protecting data in easily replicated virtual machines
  • Controlling privileged user access and activity
  • Monitoring virtual systems
  • Recognizing that control environments can change dynamically among hypervisors

Generally, auditors are just beginning to acknowledge these issues—especially vis-à-vis PCI. But they’re getting savvier with each passing moment.

What they don’t yet understand are storage virtualization and converged fabric. With technologies such as iSCSI and Fibre Channel over Ethernet (FCoE) emerging, lots of new security questions arise, and it’s not just the auditors in the dark; I think the whole industry is grappling with these:

  • Block-level access to disk across Ethernet: What do we do about clients whose access represents not just a single file system, but huge amounts of disk spanning multiple servers and OSes?
  • Authentication: How do we ensure that proper authentication strength is enforced (when authentication is turned off by default) and move from simple one-way CHAP to stronger mutual authentication?
  • Authorization: How do we move beyond spoofable initiator node-name authorization, where the target trusts whatever name the initiator asserts, to something better?
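To make the last two bullets concrete, here is an added example (not code from the original post) that simulates the three login policies an iSCSI target can apply: node-name ACLs, one-way CHAP, and mutual CHAP. The CHAP computation is the RFC 1994 MD5 form iSCSI uses (response = MD5(identifier || secret || challenge)); the IQNs, secrets, challenge values and the `Target`/`ImpostorTarget` classes are constructed for illustration and stand in for a real target and a rogue box on the storage network.

```python
"""Simulated iSCSI login authentication: node-name ACLs, one-way CHAP, and
mutual CHAP. CHAP responses follow RFC 1994 with MD5 (iSCSI CHAP_A=5).
Added example, not code from the original post; all IQNs, secrets and
challenges are constructed for illustration."""
import hashlib
import hmac
import os

# Constructed identities and secrets (RFC 3720 asks for CHAP secrets with
# at least 96 random bits; these placeholders exist only for the demo).
LEGIT_IQN = "iqn.2009-07.com.example:host-db01"
TARGET_IQN = "iqn.2009-07.com.example:array1.lun0"
INIT_SECRET = b"db01-initiator-secret-5c1e7a"
TARGET_SECRET = b"array1-target-secret-9f03b2"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Target:
    """A storage target. acl: initiator IQNs it exports to; initiator_secrets:
    CHAP_N -> secret used to verify initiators; own_secret: the target's own
    secret, which only a genuine target holds (used for mutual CHAP)."""

    def __init__(self, iqn, acl, initiator_secrets, own_secret):
        self.iqn, self.acl = iqn, set(acl)
        self.initiator_secrets, self.own_secret = initiator_secrets, own_secret

    def authorize_by_name(self, claimed_iqn):
        # Node-name authorization trusts whatever IQN the initiator asserts.
        return claimed_iqn in self.acl

    def verify_initiator(self, name, ident, chal, response):
        secret = self.initiator_secrets.get(name)
        return secret is not None and hmac.compare_digest(
            chap_response(ident, secret, chal), response)

    def answer_mutual(self, ident, chal):
        # Target's CHAP_N/CHAP_R, proving it knows the target secret.
        return self.iqn, chap_response(ident, self.own_secret, chal)


class ImpostorTarget(Target):
    """Rogue box answering to the real target's IQN on the storage network:
    accepts every initiator and does not hold the real target secret."""

    def __init__(self):
        super().__init__(TARGET_IQN, acl=(), initiator_secrets={}, own_secret=b"guess")

    def verify_initiator(self, name, ident, chal, response):
        return True  # lets anyone log in so they will write their data to it


def login(target, claimed_iqn, initiator_secret=None, target_secret=None):
    """Initiator-side login. Policy follows from the secrets supplied:
    none -> node-name ACL only; initiator_secret -> one-way CHAP;
    both -> mutual CHAP. Challenges are generated here for brevity; on the
    wire the challenging side sends CHAP_I/CHAP_C and gets back CHAP_N/CHAP_R."""
    if initiator_secret is None:
        return "session" if target.authorize_by_name(claimed_iqn) else "denied"
    ident, chal = os.urandom(1)[0], os.urandom(16)        # target challenges
    resp = chap_response(ident, initiator_secret, chal)
    if not target.verify_initiator(claimed_iqn, ident, chal, resp):
        return "denied"
    if target_secret is None:
        return "session"  # one-way CHAP: the target never proved who it is
    my_ident, my_chal = os.urandom(1)[0], os.urandom(16)  # initiator challenges
    _, target_resp = target.answer_mutual(my_ident, my_chal)
    expected = chap_response(my_ident, target_secret, my_chal)
    return "session" if hmac.compare_digest(expected, target_resp) else "denied-target"


def real_target():
    return Target(TARGET_IQN, {LEGIT_IQN}, {LEGIT_IQN: INIT_SECRET}, TARGET_SECRET)


# Scenarios, each seen from the initiator side.
def spoofed_node_name():            # attacker's host merely asserts the whitelisted IQN
    return login(real_target(), LEGIT_IQN)

def spoofed_node_name_with_chap():  # same spoof, but the target also demands CHAP
    return login(real_target(), LEGIT_IQN, initiator_secret=b"not-the-secret")

def one_way_chap_vs_impostor():     # legitimate initiator, one-way CHAP, impostor target
    return login(ImpostorTarget(), LEGIT_IQN, INIT_SECRET)

def mutual_chap_vs_impostor():      # same, but the initiator insists on mutual CHAP
    return login(ImpostorTarget(), LEGIT_IQN, INIT_SECRET, TARGET_SECRET)

def mutual_chap_legit():            # mutual CHAP against the genuine target
    return login(real_target(), LEGIT_IQN, INIT_SECRET, TARGET_SECRET)


if __name__ == "__main__":
    for f in (spoofed_node_name, spoofed_node_name_with_chap,
              one_way_chap_vs_impostor, mutual_chap_vs_impostor, mutual_chap_legit):
        print(f"{f.__name__:28s} -> {f()}")
```

Run stand-alone, the spoofed node name gets a session from the ACL-only target and is denied once CHAP is required; under one-way CHAP the legitimate initiator gets a session from the impostor (and has handed it a CHAP_R that can be run through offline guessing if the secret is weak), while mutual CHAP refuses the impostor because it cannot produce a valid CHAP_R for the target secret. Two caveats carry over to real deployments: CHAP is only as strong as the entropy of the secrets, and it authenticates the login exchange only, so protecting the block traffic itself is a separate job (RFC 3723 covers IPsec for IP storage).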

In July at Burton Group’s Catalyst Conference (in San Diego), we’re dedicating an entire daylong topic to the issues of Storage, Networking, and Security for the Dynamic Data Center. Have a look at Thursday’s agenda and try to join us for the conversation.

April 24, 2009

The Cost of Lost Laptops – Really??

Blogger: Eric Maiwald

Intel sponsored a study (released on April 22, 2009) by the Ponemon Institute on the cost of lost laptops. The sample size for the study was not large (138 cases), so the value of any statistical conclusions is questionable right from the start.

The initial analysis and conclusion is startling – the average cost of a lost laptop is $49,246 when you factor in all of the costs (including not only hardware replacement but investigations, data breach, intellectual property loss, and local costs). But if you dig into the information provided in the report and in Appendix 1, there is more to the story. So…to steal a line from Paul Harvey, let’s look at the rest of the story.

While the average cost may be over $49,000, bar chart 1 shows the quartile cost results. The averages of the first three quartiles are all below $4,000, and it is only the average of the fourth quartile that skyrockets to over $186,000. Table 1 shows a breakout of the average total cost in terms of the components that were used to calculate the overall cost of the loss of a laptop. It clearly shows that the largest cost factor (over $39,000 of the total $49,000 cost) is data breach cost, which is calculated (not measured) from a $202-per-disclosed-record average cost identified in an earlier Ponemon study. Intellectual property cost is a distant second at just about $6,000.

Now, let’s go look at the table in Appendix 1. Three lines (with three big numbers and huge variations) jump out at me. First is the line regarding data breach cost – minimum $0, maximum $973,400. That is a huge swing over 138 cases. The second is the line regarding intellectual property loss – again the minimum is $0, but the maximum is a huge $250,000,000 (that’s $250 million!) – an even bigger swing over 138 cases. The last line is near the bottom, Other legal or regulatory costs (expected) – minimum $0 and maximum $36,000. So what does this tell us? It looks an awful lot like there were a small number (maybe one or two) of cases where data was breached and/or intellectual property was lost, but for most cases no data was breached and no intellectual property was lost. I think this conclusion is borne out by bar chart 4, which shows the average intellectual property loss by industry: three industries (totaling 23% of the total cases) had much higher intellectual property loss averages than the other industries.

So what can we conclude looking at this study? I don’t think you can conclude anything. I guess my biggest complaint is that Ponemon shows averages but not the distribution of the samples. We can see the minimum and the maximum sample for various cost categories, but that does not tell us much. By looking at the average in comparison with the minimum and maximum, I think we can draw the conclusion that most of the samples were closer to the minimum than the maximum, but that is about it. We can also conclude that the median would fall between the 2nd and 3rd quartile averages (probably around $3,000), which is less than 10% of the reported average. Readers should not go hanging their hats on this study as justification for any type of decision.

March 20, 2009

New Disclosure Rules for Medical Information

Blogger: Eric Maiwald

The latest US Federal Government stimulus package included new rules for health information. You can read the details in the American Recovery and Reinvestment Act of 2009 (see page 144 or search for HITECH).

According to the law, physicians will now be required to track a patient’s medical information any time it is disclosed to a third party – even if the patient has given permission for that disclosure. While this provision does not go into effect until January 1, 2014, patients will have the right to request disclosure information from up to three years in the past. That seems to make it a requirement that the disclosures be tracked from 2011.

While the tracking provision will cause medical institutions to incur additional costs, the breach provisions of the act may be of greater concern. The act is similar to state laws that require disclosure of any breach of personally identifiable information (PII). For medical information that is breached, the medical practice will need to contact the affected individuals and, for a breach affecting 10 or more patients, post a notice on the practice’s web site. If the breach is larger (500 patients or more), the medical practice will also have to inform local media and the government.

In reading through the act, I didn’t find a specific exception for encrypted information like we have seen in many of the state PII breach notification laws, but I did find that the disclosure requirement only applies to “unsecured protected health information.” Now, unsecured protected health information means “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2).” If the Secretary does not provide the guidance, further definition is provided so that the term will mean “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” It seems likely that encryption will be such a technology standard.

So what does this mean? I think that over the next few years we will start to see stories in the media about lost computers belonging to hospitals and other medical practices. We will also see an increase in the use of encryption by the medical community.

December 01, 2008

Security on the Move

Blogger: Eric Maiwald

We are in a time of rapid change – of course this is not news to anyone working in IT. Virtualized environments, cloud computing, software as a service, and mobile workers have changed much of what was normal in the world of IT. If these things haven’t reached you yet, they soon will, as the economic downturn forces executives to look for ways to cut costs.

There is one thing that all of these technologies and trends have in common – information or data is moving. Our information is no longer safely locked away in a database on a huge mainframe in a physically secure data center somewhere. Instead, the information is moving from server to server, data center to data center, and vendor to vendor. Even our own employees are moving information all over the place as they extract information into spreadsheets and store it on local hard drives, USB sticks, and handheld devices. All this mobility is enough to give a security guy the shakes.

Let’s take a quick look at the major new technologies and trends and see what can help:

Virtualization
Virtualization means that applications can be placed on different physical hardware so as to utilize the hardware more efficiently. Specific applications will not live on specific servers any longer, and moving applications around will impact network zoning and other static controls. We can look for security tools that live within the virtual environments, but they are only beginning to appear. An alternative is to package some controls with the application (make them a part of the virtual machine that moves with the application); controls such as host intrusion prevention might help here. Process and procedures may also help: define risk levels or control requirements for each application and use those as the basis for determining which physical machines are appropriate for different applications.

Cloud Computing
Cloud computing encompasses a lot of things, including hosting services and SaaS (I’ll deal with SaaS in a moment). If servers and applications are hosted at someone else’s data center, you may not be able to install all of the network controls that you have at your own data center. So here again, moving the controls into the server (or virtual machine, or the part of the application that you control) may alleviate some of the problems. Take, for example, web application firewalls (WAFs) – you may not be able to deploy a WAF in front of your servers at a hosting facility. If you need the WAF functions, you might look for vendors offering software solutions that load onto the server rather than residing in a separate appliance. Contracts and SLAs are also important if your enterprise is considering hosting facilities. Make sure you check on what they are really providing and work with your legal department to include the necessary language in your contracts.

Software as a Service
SaaS is sometimes considered part of cloud computing, but I wanted to call it out separately as there are some unique aspects to SaaS. The biggest issue is that you will lose all control over the technical controls. You will not be in charge of firewalls, IDS/IPS, web filtering, or any other security device on the vendor’s network. At the same time, all of your data will be under the control of the vendor and its employees. So what can you do? There are three big things that can be done. First, before the vendor is chosen and the contract is signed, check out the vendor. Look to see what controls are in place and what control standards the vendor is using. Verify that the controls the vendor is using are appropriate to protect your data. Second, have a long talk with your legal department and make them aware of the necessary protections and the risks of a breach. See if they can negotiate with the vendor regarding the right to audit the vendor. Third, once the contract is signed, do the follow-up. Audit the vendor periodically. Check on what they’re doing to make sure your information is protected.

Mobile Workers
Employees are working on the road, from home, and from coffee shops. Information is stored on laptops, USB sticks, and handheld computers. You may not even know where the information is actually going, as employees may put it on their home machines or personal smartphones. Any of these devices can be lost, stolen, or just given away. For computers and devices that are owned by the enterprise, use proper protection. That means use a VPN, a system firewall, and anti-malware controls. Try to manage the systems properly so that they are patched and unnecessary applications are limited. For some devices, you can install a remote erase function that will remove all data if the device or computer does not check in for a certain amount of time (note that this works better on handhelds than on laptops). You can also use encrypting USB sticks that require a password to access the data on the stick (hey, even a short password is better than nothing!). If your employees are going to use non-enterprise devices, you can set up terminal servers so they can access their desktops (and sensitive information) without having to store too much on the local machine. This also gives you some control over what can be copied to the local machine. When you have employees that need information on non-enterprise machines that will not have reliable network connectivity, you may need to apply controls to the information itself in the form of enterprise rights management.

That was a very quick look at some of the major trends in today’s IT. All of the controls I mentioned need to be considered in the context of the larger IT environment. In other words, do your tradeoffs and identify the risks that you can accept and those that you cannot. Try to mitigate the risks that you can’t accept. Talk to the business. Talk to the other parts of IT as some of the suggestions that I made will have big impacts on networks and servers. You can’t turn back the tide but you can work with it.

November 07, 2008

Information confidentiality: protecting the spring or the spigot?

Blogger: Ramon Krikken

With Data Leakage Prevention (DLP) being one of the ‘hot products’ for 2008, it should be no surprise that nearly every single loss of sensitive information results in one or more “our product would have prevented this” messages from the different vendors. The latest incident, where a USB flash drive containing sensitive usernames and passwords was left in the parking lot of a pub in the U.K., is no exception. And while it is certainly the case that a DLP solution might have prevented the storing of such data on the USB drive, it always makes me wonder if it provides the best control for its cost.

In the ideal world, security would be integral to the data. Enterprise Digital Rights Management (e-DRM) offers some promise, but lack of interoperability standards and never-ending discussions on how to implement encryption and key management, and how to make data accessible off-line, quickly derail the effort. More mature would be disk and file encryption technologies, but when implemented with poor controls, such as simple passwords and not automatically requiring or enabling encryption on removable devices, they also quickly lose their effectiveness. So we tried the next best solution: preventing data from going or being where it isn’t supposed to. It’s not that the discussions on the what, where, and how are necessarily less heated, but at least there is some emerging body of evidence on how to make it work for certain use cases. Network content detection can work well for accidental disclosures via email, while agent-based contextual detection can be a better alternative when the enterprise is concerned about employees stealing trade secrets using their iPod. But still, using or not using the active prevention features of DLP is a contested race.

We expected this, of course: because active blocking technologies are very visible to users in the case of failure (in this case a false positive, where something is blocked even though it’s an approved operation), the security teams and IT departments are, rightfully so, concerned about inhibiting business. Unless the environment and culture are conducive to this kind of rigid control with the occasional problem – or unless the security and IT team have the time and resources for a careful roll-out and endless fine-tuning – using blocking technologies can be a risky proposition. The alternative is to use DLP solutions to scan data repositories in order to find sensitive information, which is certainly helpful in a time when many enterprises aren’t even sure what data lives where. To me this loses some of the value proposition of DLP, but in some cases – especially if combined with classification and ‘tagging’ of the information – it may certainly be good enough. If nothing else it is a helpful tool in the identification and classification of data in the organization, a journey on which most companies have hopefully embarked by now.

Things of course always get more complicated – not easier. Software as a Service (SaaS), cost-cutting by having employees use their own equipment, and the need to share with business partners are ever-increasing inhibitors of centralized controls, and DLP is no exception. Coupled with the cost of acquiring, implementing, and maintaining the solution, it does raise the question whether already scarce budgets would be better spent on other controls … or whether the cost of maintaining security in such environments outweighs the cost savings to begin with.

In the end it’s all a matter of risk versus reward. Although I predict a much brighter future for preventive controls such as encryption and rights management, it’s certain that today’s environment – and from the looks of it, tomorrow’s as well – is much more conducive to detective and reactive technologies. Working from the use and abuse cases as a starting point, enterprises should be able to evaluate not only the functionality of DLP solutions, but also be able to make at least an educated guess on their cost effectiveness.

September 25, 2008

Have CrackBerry, Will Travel

Blogger: Dan Blum

It is no surprise for us to hear loose lips flapping in India about a capability to decrypt BlackBerry and other carrier traffic.

After all, we’ve done basic threat analysis for years and it was only months ago that I was brought into a company-wide CISO meeting at a U.S. defense contractor to help them hash out their travel policy for mobile devices. Going into the meeting, I knew their policy restricted taking devices to a list of countries considered dangerous – but there was an exemption for BlackBerries.

Our research uncovered that BlackBerry is pretty secure in most respects. It has transport encryption along with optional password protection, remote kill, disk encryption, and S/MIME encryption. Viruses have not flourished on this functionally limited and closed platform. Few, if any, third-party add-on programs are required for additional protection. Nonetheless, I went into the meeting prepared to talk with the CISOs about the risks and security limitations of life on BlackBerry.

Was the BlackBerry exemption reasonable? At the time, BlackBerry transport encryption was not known to have been broken (to be fair, the article listed above still qualifies as rumor, not certainty of breakage). However, I pointed out that it is dangerous to assume well-equipped attackers like military or intelligence organizations can’t crack transport encryption. And even if they haven’t cracked the BlackBerry network and whole disk encryption features, sophisticated adversaries have other attack paths. Check out Neal Stephenson’s excellent book Cryptonomicon for a description of how a talented adversary might “see” your keystrokes and screen images through a motel room wall, for example.

If one of your employees – such as a key scientist, project manager, or executive – is targeted for surveillance and is carrying sensitive data through certain countries, one could argue that he or she had better undergo serious counter-intelligence training. Learn to spot and shake tails, sneak into dark alleys for that BlackBerry fix. Learn to paper the closet with layers of aluminum foil and send messages in the dark. Defend that BlackBerry with encryption, long passphrases, and kung fu. But unless James Bond is running your company, I doubt this is what your executives have in mind for the next business trip!

Assuming your organization’s lower-level employees are like needles in a haystack and won’t be bothered could be an exercise in wishful thinking. It is always possible that nation states are monitoring some or all of the airwaves. Not so long ago the NSA had a massive covert surveillance program in place. Years before, the government was reportedly snarfing up terabytes of emails and crunching them through a program called Carnivore. And of course, selective monitoring of people on watch lists continues on a large scale. This is just the surveillance we know about in the U.S. We suspect there’s more behind the scenes, and especially in countries such as China. Even if you train your non-specifically-targeted low-level employees to write and speak in search-keyword-free code, the carnivore programs of the world are pretty good at sniffing out those interesting needles – such as descriptions of your business plans, manufacturing processes, and trade secrets.

Sound paranoid? I admit that I don’t know what the probabilities of being targeted or monitored are – just that it can happen. It’s the height of arrogance to believe that a nation state can’t get your information if they’ve targeted it and you’re within their borders. And it’s dangerous to rely on security by obscurity when medium or high consequence information must be protected.

What can be done? If key personnel can't dispense with the BlackBerry (or any other email device) during international travel to those countries where information may be most at risk, they (the users) should limit communications to what they’d feel comfortable uttering over a potentially-monitored telephone call. Controlling incoming communications – messages sent by others – is a harder problem. Until data loss prevention (DLP) products become more contextually sensitive about the travel issues, it may be best not to synchronize the BlackBerry with the overseas user’s home mailbox. Instead, have the user give out a temporary address for the BlackBerry and warn senders to be discreet.

July 08, 2008

Have you googled, “HR security breaches” lately?

Blogger: Randall Gamby

As briefly mentioned in a Burton Group IdPS blog and a ZDNet Australia article published on July 3, 2008, HR data from Google was stolen from one of its previous HR outsource partners. It seems that the partner, Colt Express Outsource Partners, had equipment stolen that contained HR data from some of its clients, including Google. The data was unencrypted and stored on systems that were apparently portable.

So what does this mean for all of us? 

First, it shows that even large SaaS companies like Google can be bitten by a lack of security at their partners, just like many of us can.  Burton Group has been warning clients for a long time about the dangers of sending confidential information to outsource partners without proper security and audit processes in place. Of course this should also be backed by strong contractual language. 

Second, be prepared to pay.  Even if Google had breach mitigation terms in their contract, Colt Express announced that it was in financial difficulty. So Google has had to pay for financial reporting and other compensation to its own employees, even though Google did nothing wrong. 

Third, a Google representative stated "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.”  Does this mean that Google doesn’t require encryption of its confidential information since encryption of the data was not deployed at Colt Express?  When working with third parties, whether it’s financial data or confidential personal data, this information needs to be protected from unauthorized access. One of the simplest ways is encrypting the data while at rest, regardless of where it’s located. 

Finally, the Colt Express breach brings to mind a question Burton Group is always asking: “What is your exit strategy if the contract is terminated with your outsourcing partner?”  A lot of effort is expended in creating an outsourcing agreement around use and protection of data, but what happens when the contract is ended?  Do you obtain and retain the information the outsource partner maintained?  Do you have the outsource partner destroy the information and any archives of it (and verify this was done)?  Do you create a custodial contract with the outsourcing partner for them to maintain the information and archives on your behalf (ensuring the data is properly protected)?  As was found in this incident, after its contract with Google was terminated the outsourcing partner apparently retained the employee data unencrypted on its servers. This was the fatal mistake that allowed the breach to occur.

So as you work with your outsourcing and SaaS vendors, you should not only consider how day-to-day operations should be secured to maintain the confidentiality of your data. You should also think about how that data is being maintained over time, and what your procedures are should the unthinkable happen and your partner allow your data to be compromised.

September 28, 2007

“Caution – the delicious beverage you are about the consume is extremely hot!” – Where PCI may take us

Blogger: Diana Kelley

The TJX “computer intrusion”, first reported in December of 2006, set off serious alarm bells and repercussions for entities that store and process credit cardholder information. Card protection standards are not new, but it was the TJX intrusion that ratcheted up the compliance heat significantly.

As is often the case, when an industry is deemed to be unable to regulate itself, lawyers and lawmakers step in. Lawyers lost no time in filing suits against TJX (details on most of these can be found in the TJX March 28, 2007 10-K filing), and lawmakers weren’t far behind. Minnesota passed the Plastic Card Security Act in May of 2007. And other states, including Massachusetts and California, have similar bills under review.

The lawsuits, and the current and proposed state laws, are significant because, for the first time, damages would be paid by the entities deemed responsible for the data loss. Specifically, card-issuing entities, such as banks, would be reimbursed for the costs incurred in the course of notifying affected consumers and issuing them new credit cards. Costs per consumer/card vary, but are commonly reported as being between US $12 and $15. Note that consumer damages for lost credit card information are a different issue. Although no consumer wants to hear that their credit card number is being used fraudulently, the actual dollar amount of damages is low. Consumer liability for fraudulent use of a credit card is capped at $50, but it is rare that an issuing bank makes the customer pay even this amount.

Now, here’s the fun part – being PCI compliant doesn’t let the entity that lost the credit card data off the hook. Compliant entities that lost data are still responsible for having lost that data. If the plaintiffs’ lawyers can convince a judge or jury that retailer A really is liable for the damages, the cost could be financially devastating. If, for example, TJX had to pay card replacement costs for even one quarter of the card numbers lost, the settlement would be around US $135 million (45,000,000 / 4 × $12). How many retailers, even large ones, could absorb that kind of loss?

But let’s flip the case around – in the TJX instance there was a relatively clear path from the TJX databases to the fraudsters. But it won’t always be so easy to close the loop. Just because PANs 1-100 were stolen from retailer A, it doesn’t prove that the fraudsters using PANs 1-100 got them from retailer A. If a single source of resale of PANs 1-100 can be found, it would be easier to draw the line between the two. But what if credit card sellers get smart – add more layers between those who steal the PANs and those who sell them, and also mix batches of available PANs from different thefts? This would benefit the thieves by making it harder to pin a specific theft on a group of people, but it also could benefit the retailers, who may claim that there’s not enough hard evidence that the breach of PAN data from their database is the reason those PANs were for sale on the open market. And a smart defense lawyer will know this and argue this point.

So what’s the solution? Is there one? Being PCI compliant can decrease the risk of losing card data, but doesn’t eliminate it. And it doesn’t provide protection against lawsuits or legal violations. And all the risk protections in the world can’t guarantee data will never go missing. Yet retailers and banks are going to look for ways to protect themselves. Which is why I’ve been thinking we might start seeing this on the doors to stores that accept credit cards: “Consumers be advised: use of credit cards could lead to loss of credit data – use at your own risk.” And we may have to sign an agreement with our issuing banks that states: “Credit card use may lead to loss of credit data; if your card information is lost you will be charged a $15 replacement fee per card.” Heck, the fraud monitoring services could even tack on an extra $20 per year for “free” card replacement.

Granted, playing up the security of credit cards is something the industry has done for a long time, but consumers are hooked now. And addictive substances that come with warning labels don’t stop use. The beverage you are about to consume is extremely hot and the credit card number you’re about to use may be lost. Proceed at your own risk.
