Archive for October, 2008

Now I do realize that I run the risk of sounding like a broken record with this post but I think it will underscore a point as well as provide a basis for further posts on proactive security. 

I subscribe to the Data Loss Digest put out by DataLossDB.org.  While I don’t always have time to peruse it daily, I do go back and look through the messages from time to time.  I was doing so today when two news stories jumped out at me as good examples to use here on the blog.   Both of these stories deal with data breaches and the way that they were handled; they also speak to how being proactive can help when disaster strikes.

Our first story is about a missing hard drive that may contain the names, addresses, passport numbers, dates of birth and driving license details of 100,000 individuals who are employees of the UK Ministry of Defense.  This number constitutes about half of the UK’s armed forces.  See:

EDS loses unencrypted Armed-Forces Data and

Lost MoD drive hadn’t required encryption says EDS

In an interview on BBC Radio 5’s “Drive” program, the managing director of EDS (Defense) in the UK, Sir Robert Fry, told the BBC’s Anita Anand:

“The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defense work, when it sits inside a secure site.”

Now I have no doubt that what Sir Fry told the reporter is true, but that is little comfort to the 100,000 individuals whose information has gone missing. 

Compare this story to the loss of a laptop containing the personal details of 100,000 members of the National Rail and British Transport Police pension program.  That laptop was stolen from a Deloitte employee in a public place.  

See: Pension Data was on Stolen Laptop

Now the first quote that you see from Deloitte was that there was a “very low risk” of the details being accessed.  “Yeah, right” was my first impression, but as you read on, the article continues:

“In a statement, the company said the laptop was protected by a number of security measures, including start-up and operating system passwords and data encryption. 

It said the theft had happened despite employees being issued with guidelines to pay close attention to their laptops in public places.”

For the sake of full disclosure I must admit that I am a Deloitte Alumnus.  As one, I can report that the company’s statement is true.  Our laptops were encrypted and they do put in place quite a few security measures to protect their clients’ data over and above what I’ve found as normal in many companies.  In fact, during my time there I was very impressed with the lengths they went to in order to protect their own as well as client data. 

My point wasn’t to praise Deloitte, however.  It was to point out that while both cases involved a data breach, they can be interpreted in two different ways.  On one hand you have a company that is trying to justify why certain security measures weren’t taken, and on the other hand you have a company that is telling you that they had instituted multiple security measures intended to safeguard the information even though it has left the company’s control. 

If I read these stories and try to put myself in the place of one of the individuals whose information was lost I come away with two different feelings.  On one hand I read the article and don’t feel any better that my information has been lost, in fact I feel worse – I’ve just been given the “pass the blame” answer.  On the other hand I feel better about the loss (not that I’m happy, just mollified) because it appears as if prudent security measures have been taken to secure the information on the laptop. 

Taking a proactive stance on managing the risk to information and implementing sound security measures is just good business.  What executive wants to be put on the spot by reporters, having to answer questions as to why something wasn’t done?  Isn’t it a much better place to be in to inform everyone of the efforts that a company has taken to go above and beyond in protecting its customers’ data?  In today’s tough economic times it is a prudent company that takes proactive measures to maintain the competitive edge when the inevitable happens.   


In order to better understand you, our readers, we’ve instituted a new poll section.  You will find it along the right hand side of your screen at the bottom.  Here we will be asking you various questions so that we can tailor our posts to your specific needs/industry.  As always, if you have any specific topics that you’d like to see addressed please drop me a line blog@ascensionriskmanagement.com. 


What is security?  How can I be secure?  How will I know my systems are secure? I was compliant with the regulations, how was I able to be hacked? 

Over the past month or so these questions have come up in one form or another.  Now the conversations have been with different people and in different contexts.  At first I was a bit dismayed that we are still struggling with the concept of security but the more I thought about it the more I welcomed the opportunity to address this topic. 

We are what we repeatedly do.  Excellence, then, is not an act, but a habit.

~ Aristotle

Let’s face it, most, if not all, of us are results-oriented people.  We like to have tasks with a clearly defined start, clearly defined milestones, and a clearly defined ending.  The problem is that information security doesn’t fit this model of the world.  It isn’t so much a state as it is a state of mind.  This is one of the reasons my wife and I named our company Ascension Risk Management as opposed to Ascension Information Security.  Risk Management is the process of managing risk, not achieving a risk-less state (as with information security, there isn’t any such state).

I personally don’t believe there is any such thing as a secure system, and for a while there was pretty much consensus among the people I talked with, until I was sitting in a meeting the other day with someone who said “We can make your systems 100% secure, the problem is that it is cost prohibitive.”  Needless to say, I don’t agree with that statement.  Unfortunately the other people at the meeting immediately turned to me for clarification.  I clarified the statement by saying that the amount that you spend on information security should be commensurate with the value of the information being protected.  As I said before, Information Risk Management/Information Security isn’t so much a state as it is a state of mind. 

We can do all the right things, but there is still no guarantee that our systems are secure.  At any time we may fall victim to a zero-day exploit, a malicious insider, or simple user error.  We can implement technical controls to limit this possibility, but we cannot eliminate it altogether.  It just isn’t possible. 

Let me leave you with two quotes.  The first is from Dr. Eugene Spafford of Purdue University. 

The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards – and even then I have my doubts.

~ Dr. Eugene Spafford

And the second may be original.  I’m not sure if I made this one up or if I heard it somewhere.  I’ll claim it for now but if anyone can cite another source please let me know.  Either way I think it is an accurate depiction of our goal to seek a totally secure system.

Imagine a line with a point on either end.  Point A is a totally insecure system and Point B is the theoretical totally secure system.  As we start our journey from Point A to Point B, the furthest we can travel is half the distance.  That is the best we can do, so we travel halfway, then halfway again, then halfway again.  If we keep going half the distance between where we are and Point B, we will never actually reach Point B.  Granted, we are a lot closer than we were when we started, but we still never reach our destination.  Since we can never really reach our destination, we must focus on the journey itself.  Information Risk Management is like that. 

~ Graydon McKee


An excellent summary and analysis of the Terry Childs/City of San Francisco Incident was passed on to me by a friend.  It does a wonderful job of looking at both sides of the issue yet remaining neutral. 

http://www.uoregon.edu/~joe/loss-of-network-control/loss-of-network-control.pdf


As I’m sure that most people reading this blog are aware, we here in the United States are in the midst of an election.  As I’ve been watching our candidates out on the campaign trail, I have been reminded that perception is as important as (if not more important than) substance.    The candidates are bouncing around the country communicating their message.  As the country is in financial crisis, communication is critical. 

Communication is also critical when a company is facing crisis.  I’ve been considering two security incidents and how they are being handled in terms of public relations.   Now what I’m going to give should not be considered legal advice and I’m of course not a public relations expert.  I do however have an opinion and feel that both of these situations are being handled poorly.

The first case is that of the World Bank.  Fox News is reporting that the World Bank is in the middle of a security incident.  Apparently the World Bank Group’s computer network has been compromised for over a year.  The Bank controls $25 Billion a year in funds to the developing world and holds one of the world’s largest repositories of sensitive data concerning the world’s economy.   One of the systems is reported to have held contract-procurement data.  (I can’t help but wonder how many contracts have been won based on compromised data?)

Now no matter what the specifics of the breach(es) are, what is important for this post is how the World Bank is handling it.  Currently the World Bank’s tactic is to deny what is happening, despite the leak of internal memos which paint a different story. 

Deny Everything, Admit Nothing

The second case is that of the Massachusetts Bay Transit Authority (MBTA).  For those of you who don’t already know, several students from the Massachusetts Institute of Technology (MIT) intended to give a presentation at DEFCON explaining vulnerabilities that they discovered in the MBTA’s fare card system.   These students were hit with a restraining order and forbidden to present their paper (apparently the information had already been released on CDs given to the conference attendees – I wasn’t there; that is just what I heard).  (The restraining order has since been reversed by the court.)

Again, I don’t want to get into the specifics of who did what and when.  That is for the court to decide.  What I’m concerned with for this post is how the company handled the situation.  The MBTA elected to go on the offensive and use the legal system to keep the information from getting out.   Ironically, the action had the reverse effect, causing the incident to be widely publicized.  (See the so-called Streisand Effect.) 

Having a security incident is a nightmare and won’t endear you to stockholders, but can the actions a company takes actually make the situation worse?  I believe so.  Let’s look at these two stories.  In one case we have a company that feels that loud public denials of the situation are the way to go, and on the other hand we have a company that is doing all it can to hide the details of its vulnerabilities.  Their very actions are calling public attention to the incidents. 

Imagine the situation at the World Bank.  If the Bank had issued a statement that it was their policy not to comment on security incidents until they have been resolved, there would probably have been some hoopla over it, but it would most likely have died down rather quickly.  As it is now we have a denial in the presence of apparent evidence to the contrary.  That just invites increased scrutiny by the news media. 

In the case of the MBTA you have an organization that is trying to suppress information.   The simple act of suppression is going to bring about increased attention.  During hunting season (and it’s always hunting season) why paint a larger target on yourself than you need to?   

The time to decide how to handle the public relations side of an incident is before an incident actually happens.  Too much disclosure can be just as harmful as too little disclosure.  Of course you won’t know the details or the specifics of an incident before it happens, but a company can decide whether or not it should comment and, if so, what the comment should be.  There may be legal considerations, so legal needs to be part of this process. Guidelines should be set forth to determine what criteria need to be met before certain information is released in company statements.   

Personally, I’d recommend acknowledging that an incident has happened and restricting further comment until the incident is actually over.  Now I’m sure that will probably draw fire from some of you out there, and that is okay.  By all indications, both of these companies are still in the midst of these incidents.  They are still investigating what has happened and are still in the process of instituting controls to keep the incident from recurring.   The key at this point is to manage the public relations aspects of an incident rather than have them manage you. 
