Tuesday, May 22, 2007

What SMBs Need to Know About Computer Security Threats

I found a handy set of pages by a Victor Ng titled What SMBs Need to Know About Computer Security Threats in a publication called SMBedge which describes itself as "The Pulse of SMBs in Asia Today."

It is basic infosec 101 material that is handy because you can send that link to someone who doesn't know what infosec is--but should--just to get them started. Ng's material is more current than some of the 'intro' articles I had been using for this purpose in the past. You know, when someone says "So, you're a computer security consultant? I got a question. Should I renew that Symantec software that came with the PC I bought last year for inventory? I heard there are zombies out there." What do you tell them? Ask for their email address and send them a link.

Of course, this may be someone to whom you have just paid money for services rendered at the rate of $1 a minute and they are now inviting you to donate about $20 of your time given them a basic education (although they probably won't see it like that). As a CISSP, I always try to strike a balance between politely doing my civic duty and giving them that 10 minute intro and telling them to just go buy a book (valuing my time at $2 per hour minimum).

Usually it takes less than 5 minutes talking to the SMB to figure out if it is in more immediate danger than the rest of us, i.e. doing something really dumb with their systems. If they are, I am obliged, I think, to advise them to call in a professional. If I have the time I might be the professional and do a 10 minute fix for free, but then you start to encounter others issues, like: the problem you are fixing is just the tip of the iceberg; they have no budget; and what about liability if there is no formal contract?

Saturday, May 19, 2007

TJX Discovering Cost of Security Failure

Here is a pretty good reason to make sure your company is doing a good job of protecting customer data: TJX: Data breach damage $25 million and counting.

That's right, according to SearchSecurity, the bottom line for TJX Companies Inc. took a big hit in the first quarter of 2007, thanks to a $12 million charge tied to the security breach that exposed at least 45.7 million credit and debit card holders to identity fraud. In total, the breach has cost the company about $25 million to date. And that doesn't include the cost of customers who decided to shop elsewhere.

TJX executives better hope that they can document the security policies and practices they had in place to prevent the hacking that took place. If a judge deems them to be up to par, they may avoid censure even though they were hacked. An active and well-documented security program is a good defense against charges of negligence or failure to meet the standard of due care.

Friday, May 18, 2007

As Predicted: Lawsuits up the security stakes

As predicted, by myself and numerous other information security experts, lawsuits are becoming an increasingly common response to a security breach. The latest example: The American Federation of Government Employees is suing the Transportation Security Administration after the TSA lost a hard drive containing employment records for some 100,000 individuals, including names, social security numbers, dates of birth, payroll information and bank account routing information,

The drive went missing from the TSA Headquarters Office of Human Capital. The names included various personnel and even U.S. Sky Marshals. The law suit is AFGE, et al v. Kip Hawley and TSA (AFGE = American Federation of Government Employees and Kip Hawley is the TSA Administrator). The AFGE claims, that by failing to establish safeguards to ensure the security and confidentiality of personnel records, the TSA violated both the Aviation and Transportation Security Act and the Privacy Act of 1974.

The
Aviation and Transportation Security Act (ATSA) requires the TSA administrator "to ensure the adequacy of security measures at airports." The 1974 Privacy Act requires every federal agency to have in place security measures to prevent unauthorized release of personal records. Losing a hard drive containing employment records for some 100,000 individuals constitutes unauthorized release. Stay tuned for progress in the suit.

TSA web site dedicated to this incident.

Thursday, May 10, 2007

Public Wi-Fi Often Wide Open, But Who Cares?

Nice article by David Colker of the LA Times, republished here in the Chicago Tribune: Public Wi-Fi may turn your life into an open notebook. He vividly reminds us that surfing with your notebook at Starbucks can be a less than private experience. There is quite a bit of personal irony in this for me.

Wi-Fi at Starbucks is served by T-Mobile which made a big noise in October of 2004 about offering secure Wi-Fi at all its hot spots: T-Mobile Rolls Out Strong Security at Wi-Fi Hot Spots. I am personally aware of this because back then I was Chief Security Executive at STSN, now iBAHN, which provides Internet service to thousands of hotels, hotel lobbies, restaurants, and conferences around the world. At the time, iBAHN was close to completing its own roll-out of secure Wi-Fi and was under the impression it would be the first such major provider to offer this level of security at all its locations. Naturally, T-Mobile's announcement stung, partly because it garnered headlines while being ambiguous. Consider this "reporting" which is close to the wording of T-Mobile's press release:
T-Mobile is introducing strong, 802.1x-based authentication and encryption across its network of 4,700 hot spots. The move, which appears to be the first use of advanced 802.1x-based security by a national mobile carrier in U.S. hot spots leverages the existing 802.1x infrastructure used to authenticate GSM (Global System for Mobile Communications)/GPRS (General Packet Radio Service) cell-phone users. "CIOs across the country have been asking for enhanced security, and we're the first U.S. wireless carrier to deliver it.

But T-Mobile was not the first to deliver strong, 802.1x-based authentication and encryption. iBAHN was already doing that, but had not talked about it publicly because the roll-out was not complete. T-Mobile decided to claim the glory by talking about their own roll-out before it was complete. I know because, at the time of the announcement, I was in downtown Chicago and I walked many blocks to test several Starbucks locations to see if 802.1x authentication was indeed available. The results were mixed, some consolation to my boss, Brett Molen, iBAHN's CTO, and CEO David Garrison.

Despite the fact that Brett and David were two of the best bosses I have ever had, I decided to leave iBAHN in 2005 and take a break from the corporate world. For a while I lost track of the secure hotspot debate. But now I am back "on the road again," so to speak, I have had occasion to try the Wi-Fi at Starbucks in several locations around the world over the last six months and have noticed that the logon had changed considerably. It's a lot less complicated, with a lot less warning about potential security problems, than it was in 2004, and 802.1x-based authentication was apparently not offered.

Which suggests that there is considerable truth to what some of us security experts have been saying ever since computers escaped from Fortress Data Center in the eighties: Unless security is really simple and seamless, users won't use it. About the only exception to this is the user who has been educated about the risks. That is why iBAHN spent a lot of time educating its chosen market place (hotels and conferences) about those risks. And that is why iBAHN makes money selling secure connectivity at a premium.

Sunday, May 06, 2007

Spector CNE and HTTP Traffic Cops

Remember when SPECTOR stood for Special Executive for Counter-Intelligence, Revenge and Extortion?** Now comes Spector CNE - one of a group of products I've been sniffing around in response to this question: What's to stop employees from copying and pasting confidential company data into blogs and Google App documents?

I've been putting this question to clients lately and not getting very good answers (where 'good'='good for their information security'). I don't feel comfortable sharing specifics on a public web page, but I think this is a big problem for some big companies. I also think this could become yet another front in the endless arms race between the good guys and the bad guys (where 'bad guys'='everyone from ruthless corporate spies to weak-willed individuals under stress, or merely under-trained.) So, if anyone knows of a good http traffic cop, or any other solution to this problem, I'd love to get your comments on it.

**If you already knew what SPECTOR stood for, then you already know the name of its on-screen nemesis. But do you know the make and model of the weapon said nemesis is brandishing in the famous black tie promotional 'shots' for the second movie in the genre? I will email an electronic copy of my privacy book to the first person who sends the right answer to scobb at scobb dot net.