I really can’t say it better than Bruce Schneier’s Blog Post.
Tags: Bruce Schneier, insider threat, outsider threat
Archive for June, 2008

I was browsing some blog posts this morning and came across one on The Dark Visitor, a site focusing on Chinese hackers. The post described how China’s cyber warfare efforts have prompted India’s military to step up its own cyber defense capabilities. This may seem to be purely an international political issue, but does your company outsource anything offshore? Do you offshore to India? Do your partners? Do you really know where your critical information is once it leaves systems under your direct control? Do you verify that your outsourcing company protects your information at least as well as you do?

Let’s forget for a minute that the attacker is China (honestly, they’re just an easy target for my attention; there are other countries that have information warfare programs), and let’s forget that the target in this case is India. The real point is that critical information is at risk once it has left the corporate environment. By outsourcing, companies delegate the work of protecting the information, but in the end they cannot truly transfer the responsibility for it. It is not enough to include clauses in a contract that mandate the protection of your critical information; you must audit and verify that your partner (whether domestic or international) actually conforms to the protections you mandate. Outsourcing can bring great savings, but along with those savings comes additional risk. Have you considered the additional risk?

Tags: China, Hacker, India, information warfare

On March 7th, 2008, the Hatch Nuclear Power Plant in Georgia was shut down for 48 hours because of a software update. The update was applied to a computer on the plant’s business network that was also used to monitor data from the facility’s primary control systems. The patch was designed to synchronize data between the two, but when the computer rebooted it also reset the data on the control system. The control system interpreted this reset as a drop in the water level in the cooling systems. As a result it responded as it should have and triggered a shutdown.

Why is this important? Aside from the implications for our nation’s critical infrastructure, this incident highlights the unintended consequences of updating systems. I’m not advocating that we stop updating our systems; I think it is important to update them. What we should not do is update critical systems without prior testing. This may seem obvious, but quite a few companies blindly update their systems without testing the patches first. Had a patch testing program been in place, it is possible they would have realized that the data store would reset itself and been able to plan for that without inadvertently causing a shutdown. It is also possible that this system was so unique that testing would not have discovered the problem before the patch went live. No program is foolproof. There is always something that could go wrong; that is why it is called Risk Management rather than Risk Elimination. Having a Patch and Vulnerability Management program in place not only can save you from a loss due to an unintended consequence, it also shows that you were practicing due diligence when a loss does occur.

Tags: Hatch Nuclear Power Plant, Patch and Vulnerability Management

Verizon Business has released a report on data breaches spanning four years and more than 500 forensic investigations involving 230 million records. The main message is that nearly nine out of ten breaches could have been avoided had reasonable security measures been implemented. While I won’t repeat the report summary here, this report should be useful as supporting evidence when developing the business case for a comprehensive risk management program.

You can find the full report here: http://newscenter.verizon.com/press-releases/verizon/2008/verizon-business-releases.html

Tags: Data Breach

In the matter of a class action lawsuit against Ameritrade, U.S. District Judge Vaughn Walker has declined to approve a proposed settlement. According to Wired Magazine, he is concerned whether the deal would provide any real benefit to Ameritrade’s customers. But even if this settlement did provide a benefit to the customers, would it provide a benefit to the public? The deal apparently involves a one-year subscription to spam blocking software as well as an agreement that Ameritrade “monitor for cracks in its online security.” Apparently the deal does not include any money for the actual victims (though plaintiffs’ counsel is apparently seeking $1.8 million in legal fees). Ameritrade contends that this is a good settlement because there is “no evidence of identity theft.” Herein lies the problem. We know that customer records were compromised. We know that hackers had access to customer names, phone numbers, email accounts, and home addresses, but apparently there is “no evidence” that this compromise resulted in the release of Social Security or account numbers. Apparently, unless the customers actually fell victim to identity theft, it’s “no harm, no foul.”

Now I’m not a lawyer, but I can see the legal argument that Ameritrade’s customers didn’t experience any loss as a result of this breach. Perhaps I should restate that: I can understand the logic of the argument, not that I personally agree with it. What may be morally wrong is not necessarily legally wrong. What we as information security professionals need is actual case law surrounding data breaches. We have legislation, but no examples of that legislation being tested and upheld in court. If this case settles, we will have to wait until another high-profile breach goes to court, and hope that one doesn’t settle too.

Tags: Ameritrade, hack, settlement, SPAM, Wired Magazine
