Posts tagged as:

risk

Something to think on from Source Boston

by netsecpodcast@mckeay.net (Martin McKeay) on April 18, 2012

in SBN

“The Internet will never again be as free as it is this morning” – Dan Geer at SOURCE Boston

Think on that for a while.  If it doesn’t scare you, it should.


Nanny Cam

by Steve Burnett on April 17, 2012

in SBN

Back in 2009 I wrote a blog post about locking doors. I proposed that there are some people who think it is an indictment on the door locker to lock doors. Some people are proud that they live in a place where they don't need to lock doors. But some of them seem to go too far, by not only being proud of not locking doors, but by casting aspersions onto people who do lock doors.

While listening to NPR recently, I heard a woman make a statement that reminded me of this. She said something to the effect of, "If you have a nanny, and feel you need a nanny cam, then you have the wrong nanny."

She was saying you don't need to employ security measures (nanny cam) if you hire the right nanny. It seems to me that the unspoken assertion here is that if you hire the wrong nanny, it's your own fault. That sounds like blaming the victim.

Suppose someone wants to come into your home and steal your valuables (let's say you're very wealthy). Suppose that someone applies to be your nanny. Now let's suppose this individual is very charming and does a great job in the interview; they say all the right things and really win you over. You check out the references, do a web search, maybe even get a background check. Everything looks good, so you hire that person.

One day you come home to find the nanny and possessions valued at over $100,000 gone.

The woman interviewed by NPR would probably say, "You hired the wrong nanny." To which you reply, "Well of course we did! But how were we to know we hired the wrong nanny?"

Maybe if you had had a nanny cam, this could have been avoided.

The problem with the attitude that says, "If you feel there's a need to employ security measures, then there's something wrong with you," is that there are plenty of bad people out there and you just want to protect yourself from them. There are dishonest people who will victimize you if they can. Maybe they are professionals who can get through the most extensive security measures. But not all dishonest people are seasoned professionals. Employing security measures might not prevent all loss, but it can prevent some. And employing no security will only prevent loss if no one tries anything.

Ultimately, the woman interviewed on NPR is advocating some security measures, namely screen the nanny. She was simply scornful of those who want to use more. But the point of more security is that there are more bad things you can prevent because some crooks will get by some of the security. In other words, maybe measure A alone or measure B alone won't stop all crooks, but put the two together and you have something much more powerful. There comes a point where there's not much more you can do, and there are professional crooks who could get by any measures you do employ. But if it is within your power to apply some more security, it is not inherently a bad thing to do.

I think it is wrong to impugn the character of those who wish to employ more or different security than you think is appropriate.

Looking the other way

by Matt on April 17, 2012

in SBN

Are we at risk of looking away and missing the action?

Legal and regulatory pressure is risking turning security into a tick-box exercise. Boards rely on security professionals to deliver on corporate issues such as compliance without forgetting the underlying risks. Changes such as the European Commission proposals on Data Protection will only increase the focus on regulatory risk. From a security standpoint, it’s the wrong focus.

If we’re actually going to reduce data loss incidents we...


J4vv4D: Management, Risk

by Marc Handelman on April 3, 2012

in SBN

In a number of recent posts, Risk Management has been a hot topic. I’d hate to leave you with the impression that Risk Management is somehow a panacea for all security programs and problems. To address that, here’s a post dedicated to a specific wart on the complexion of risk management. Many people are data [...]

When will we understand infosecurity risk?

by Matt on April 3, 2012

in SBN

After all the focus of the last few decades, it should be surprising that information risk is still one of the least well understood risks most organisations have to deal with. Mature industries are used to looking at issues like capital, finance and operations as business risks, but information security is still often seen as an issue for the IT department. Alternatively, it’s seen as a regulatory issue with compliance, rather than customers, in the driving seat. Reputations take a long time to...


Does a Data Breach Make You More Secure?

by Simon Moffatt on April 2, 2012

in SBN

A breach. A data loss incident. An insider leak. A media report of client data loss. All would probably bring about a mild panic attack for most CISOs. Eventually, and dependent on the size of the organisation, that data breach will end up in the public eye, either via official acknowledgement that a breach had occurred - as is required by, say, the UK Information Commissioner's Office - or a simple media response to explain that 'everything is under control'. Ultimately that public information could damage the brand and future customer base of the organisation. Dependent on the industry and type of product or service that is being offered, the damage could be irreparable.

The sources of data breaches and losses are many and varied, with new and complex attack vectors appearing all the time. If we could quickly categorize a data breach we would probably come out with a list something like this:

  • Malicious cyber attack
  • Malware within the corporate network
  • Negligent employee (laptop loss, USB loss)
  • Malicious insider
  • Careless insider (erroneous data copying, emailing of confidential data)
  • Mis-configured software and hardware

Whilst that is only a high level view, it would cover a multitude of data loss scenarios for many organisations. In response to a known threat, there are several process and technology counter measures an organisation could implement to reduce or ultimately remove the threat.

  • Malicious cyber attack > Firewall, Intrusion Detection System, Intrusion Prevention Systems
  • Malware within the corporate network > Anti-virus, SIEM logging, abnormal event monitoring
  • Negligent employee (laptop loss, USB loss) > Data Loss Prevention, data & asset management
  • Malicious insider > Event monitoring, access monitoring
  • Careless insider (erroneous data copying, emailing of confidential data) > DLP, event monitoring
  • Mis-configured software and hardware > Baselining, penetration testing, auditing

Each counter measure would be applied using a standard risk framework to identify any vulnerabilities and any threats that could exploit those vulnerabilities. In turn, counter measure selection would follow a structured approach in order to provide a decent return on investment, comparing the loss expectancy before and after a counter measure was put in place - less, of course, the cost of the counter measure.

This is basically following the standard formula Annual Loss Expectancy = Single Loss Expectancy X Annual Risk of Occurrence (ALE = SLE x ARO). A counter measure would be selected when the cost of implementing it is lower than the ALE it addresses. This assumes that the ARO is accurate (which is often not the case) and that the ALE is accurate (which is often not the case).

So, if in one year the ARO was zero, would the perceived return on investment of the counter measure be higher or lower? Well, if you've never been attacked or had a vulnerability exploited, it could be difficult to quantify the true effect of the existing counter measures. On one hand it could be argued that the counter measures are worth infinitely more than the actual cost of implementation, as the assets they are protecting have never been exposed. It is potentially the case, however, that the loss of an asset is worth infinitely more once lost than when secure, so it would only take one loss to render all protection measures meaningless.

I think in practice, if an organisation has identified a failing in a process, product or scenario that has resulted in a data breach or loss, it becomes politically justifiable to implement further counter measures above and beyond the ALE, due to the non-tangible effects of such a loss.  Similarly, if the ARO was zero, could the reduction of the counter measure be justified for the following year?

Of course, there are probability analytics that could be applied to help formulate a result mathematically, but the costs of brand damage, reputation and future trade loss are often difficult to quantify, which could result in a 'belt & braces' approach from a post-breach organisation.
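The ALE arithmetic and the counter measure selection rule from the preceding paragraphs, worked through as an added Python example. This is not code from the post: the asset value, ARO figures and control costs are constructed sample numbers, and the `CounterMeasure` class and the function names are my own. ARO is taken as the expected number of loss events per year, which is what makes ALE = SLE x ARO a yearly figure. The break-even function goes one step beyond the post by solving for the ARO estimate at which a control stops paying for itself, which makes the "ARO was zero this year" problem visible as a number.

```python
"""Worked example of ALE-based counter measure selection.

Added illustration, not code from the original post. It applies the post's
formula, ALE = SLE x ARO, and its selection rule: a counter measure is worth
having when the ALE it removes exceeds its own annual cost. Every figure here
is a constructed sample value.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy: cost of one loss event times expected events per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class CounterMeasure:
    """A control with a yearly running cost and the residual ARO it leaves behind.

    Some controls (disk encryption on a lost laptop, for instance) also shrink
    the loss per event, so an optional reduced SLE can be given.
    """
    name: str
    annual_cost: float
    aro_after: float
    sle_after: Optional[float] = None


def net_annual_value(sle: float, aro_before: float, cm: CounterMeasure) -> float:
    """ALE before, minus ALE after, minus the control's own cost (the post's rule)."""
    sle_after = sle if cm.sle_after is None else cm.sle_after
    return ale(sle, aro_before) - ale(sle_after, cm.aro_after) - cm.annual_cost


def justified(sle: float, aro_before: float, cm: CounterMeasure) -> bool:
    """True when the control pays for itself under the given ARO estimate."""
    return net_annual_value(sle, aro_before, cm) > 0


def breakeven_aro(sle: float, cm: CounterMeasure) -> float:
    """Smallest pre-control ARO estimate at which the control still breaks even.

    Solves net_annual_value == 0 for aro_before. An ARO estimate below this
    value (such as the zero a quiet year suggests) makes the same control look
    like wasted money, which is the post's point about inaccurate ARO figures.
    """
    sle_after = sle if cm.sle_after is None else cm.sle_after
    return (cm.annual_cost + ale(sle_after, cm.aro_after)) / sle


def decision_table(sle: float, cm: CounterMeasure,
                   aro_estimates: Iterable[float]) -> Dict[float, bool]:
    """Show how the buy / don't-buy decision flips as the ARO estimate changes."""
    return {aro: justified(sle, aro, cm) for aro in aro_estimates}


# Constructed sample scenario: a lost unencrypted laptop holding client data.
SAMPLE_SLE = 250_000.0         # notification, remediation and direct loss per event
SAMPLE_ARO_BEFORE = 0.4        # one such loss every 2.5 years, estimated from history
SAMPLE_DLP = CounterMeasure(name="DLP + device encryption",
                            annual_cost=30_000.0, aro_after=0.1)

if __name__ == "__main__":
    print(f"ALE before: {ale(SAMPLE_SLE, SAMPLE_ARO_BEFORE):,.0f}")
    print(f"Net annual value of {SAMPLE_DLP.name}: "
          f"{net_annual_value(SAMPLE_SLE, SAMPLE_ARO_BEFORE, SAMPLE_DLP):,.0f}")
    print(f"Break-even ARO estimate: {breakeven_aro(SAMPLE_SLE, SAMPLE_DLP):.2f}")
    for aro, ok in decision_table(SAMPLE_SLE, SAMPLE_DLP, [0.0, 0.1, 0.4, 1.0]).items():
        print(f"  ARO estimate {aro:.2f}: {'justified' if ok else 'not justified'}")
```

With the sample figures the control removes 75,000 of ALE per year for 30,000 of cost, so it is clearly justified at the historical ARO of 0.4, but the same control shows a negative value once the estimate drops to the zero that a breach-free year suggests. The break-even ARO of 0.22 is the number to argue over in a budget review, rather than whether "nothing happened last year".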

(Simon Moffatt)

One identity to rule them all

by AlexanderDuncan on April 2, 2012

in SBN

By Chris Pickles, Head of Industry Initiatives, Global Banking & Financial Markets, BT

Projects dealing with issues of identity often result in considerable duplication of effort and cost across banks and investment firms, but this may now be reaching the point where it can no longer be sustained by financial institutions.  One reason for this is that heavier regulatory requirements for capital adequacy mean that there is less money to fund projects that ultimately add to overall inefficiency.

We all know that we have multiple financial “identities” to the outside world – one everyday reflection of that is the number of different payment and ID cards that we carry in our wallets and purses.  However, we’ve often got different identities even with the same service provider, largely because the service provider hasn’t been able to grasp the concept of centralising identity management internally.

This has now become a major issue not only for financial institutions but also for the regulators that monitor and supervise their activities. Regulators now want to understand the risk exposure of financial institutions to specific counterparties and clients. They understand that having a unique identifier for each and every financial institution, rather than a collection of pseudonyms that varies by institution and function, is critical to effective market regulation and to avoiding a repeat of a market crisis like the one that began in 2008.

The proposal now from the Financial Stability Board in Basel is to have a unique identifier for every financial institution in the world, and the scope will also include their counterparties and clients that are legal entities.  This initiative is being backed by regulators around the world, and will impact the IT systems of every financial institution.

Some of the related documentation on this Legal Entity Identifier initiative can be found here.

Global Payment Systems delisted by Visa

by netsecpodcast@mckeay.net (Martin McKeay) on April 2, 2012

in SBN

Last Friday Brian Krebs broke the story that MasterCard and Visa were warning of a major processor breach. Later in the day it was announced that the payment processor was Global Payments Inc. and that approximately 50,000 card numbers had been compromised, a number that was later revised to 1.5 million card numbers. Global Payments took such a pummeling in the stock market that they had to halt trading in the middle of the day on Friday, and appear not to have resumed trading as I’m writing this post. They have a press conference this morning, but the initial reporting shows that Global Payments isn’t saying anything that’s not already in a press release. And to add insult to injury, Global Payments has had its listing as a compliant service provider yanked as of Friday, pending the security review of the compromise and a new assessment, a process that could take months.

The relationship between customer, merchant, banks, card processors and the card brands is complex and not at all clear to the average consumer.  When a customer swipes their credit card or places an order online, the merchant passes that information on to their processor.  The processor is a company, such as Global Payments, that has been designated by the merchant’s bank to process payments on their behalf.  The processor sends the request to the card brands, who check the balance with the bank that issues the credit card and forward an approval or denial based on credit availability and fraud checks.  That approval is forwarded back to the merchant and the customer and the whole process only takes 2-3 seconds on the average day.  At the end of the day the merchant bundles the credit card requests and sends them to their bank, appropriately designated the merchant bank, who forwards the information through the card brands to the banks of the people who charged their cards that day.  The relationship is complex and my explanation doesn’t cover the many variations that can crop up, but it covers the basic idea.  For more information, there is a wiki page.

One of the most interesting aspects of this is that Visa has removed Global Payments from the list of compliant processors, a step that I don’t think has been taken for any breach since that of CardSystems in 2005. CardSystems was the first major breach of the credit card flow to catch the public attention and it was very clear that de-listing was done to buoy consumer confidence. But since then very few service providers of any stripe have had their listing pulled, which indicates there may be more going on behind the scenes than is being reported publicly. Global Payments’ relative silence and the updates to the number of records compromised add to this impression. Of course, no one expects any company to come clean immediately when faced with a compromise, but the degree to which this incident is causing lips to be sealed is interesting by itself. Will Global Payments have to go through a similar process to CardSystems, basically selling themselves to prevent total collapse?

We’ve gotten to the point where we almost expect daily or weekly notifications from merchants stating they’ve been compromised.  But where merchants are not in the business of securely taking in credit card numbers, that’s exactly what processors and banks are supposed to be focusing on.  A merchant makes their money by selling products to consumers whereas a payment processor is selling the security of the transaction and any breach of that trust is a major issue.  The processors are also aggregation points for multiple merchants and many processors have millions of card transactions flowing through their systems on a daily basis.  As such, they know, beyond a shadow of a doubt, that they are being targeted by attackers and that their security is paramount to continuing to be in business.

I strongly suspect that what’s been disclosed so far is simply the tip of the iceberg.  If Global Payments was compromised for a month and a half, as currently stated, then a much higher number of card numbers than 1.5 million were most likely processed during that time.  Which means the compromise was either contained in some way with or without the awareness of Global Payments, or there is another shoe waiting to drop.  My money is on the latter.


Update: I forgot to add that there was a brief outage of the Visa network on Saturday morning when they updated systems inside VisaNet. Yeah, that can’t be at all related to the Global Payments breach, could it?


Managing Software

by antonaylward on April 1, 2012

in SBN

Last month, this question came up in a discussion forum I’m involved with: Another challenge to which I want to get an answer to is, do developers always need Admin rights to perform their testing? Is there not a way to give them privileged access and yet have them get their work done. I am [...]