Business Week has published a pretty good article on the Lessons Learned from the Heartland Data Breach.  I think the title is a bit misleading though.  There aren’t really any lessons learned, at least as far as what we in the security industry would call lessons learned.  Now from a business point of view it does highlight the need to try and get out in front of a story.   

The original draft of this post had me summarizing the Business Week article with a bit of commentary here and there.  As I reread it I realized that I wasn’t really adding anything and what I really wanted to accomplish had very little to do with the timeline and a lot to do with disclosure.

All in all I can’t really fault Heartland on the public relations side of this security incident.  The only two items that don’t seem to jibe for me are the claim that Robert Carr, the CEO at Heartland, only found out about the breach at 10:30 PM on the night of Monday, January 12th, and the claim that they didn’t try to bury the disclosure in the middle of the media storm that was the Inauguration of President Obama. 

As the article pointed out, Heartland was informed by VISA in October 2008 that there appeared to be signs of a breach based upon card issuers’ reports.  Heartland took the information seriously enough to go out and hire two forensics companies to examine their systems.  Now I know that Heartland is a big company, but when you add up the costs involved in having two different forensics companies come in for at least two months and couple that with the possible implications of a data breach of this magnitude, I find it hard to believe that Robert Carr wasn’t at least aware of a critical potential problem before the phone call on January 12th, and if he truly wasn’t then he wasn’t doing his job. 

The second point is the accusation that Heartland tried to bury the story by making their public disclosure in the midst of the media storm surrounding the Inauguration.  Heartland claims that they couldn’t disclose the details until law enforcement was finished with its initial assessment and that they did so “as soon as was practicable.”  It is true that they couldn’t make any announcement in the midst of an investigation, but don’t insult my intelligence by implying that the release date and time weren’t by design. 

Now that I have that off of my chest let me move on.  It is easy to sit out here on the Net and snipe, but let’s look at the situation objectively.  Heartland was compliant with industry standards and guidelines.  When they were notified of a possible breach they began an internal investigation.  This investigation most likely involved spending massive amounts of money in the retention of not one but two separate companies that specialize in digital forensics.  When they received official notification that a breach had occurred (supposition would lead one to conclude that the final document was delivered and briefed to someone at Heartland most likely on January 12th) they informed the appropriate authorities.  After law enforcement concluded its initial assessment they made a public announcement and owned up to the facts rather than trying to pass the blame on to anyone else.  They followed this up by personally contacting their customers, either in person or by phone.  Since then Carr has spearheaded an effort to encrypt card data at the point of collection as well as co-founding an organization to share security information within the payments industry. 

I’m sorry but I can’t find anything to fault here and quite a bit to praise.  I predict that in the years to come the Heartland Incident will become a case study in how to respond to a security incident.  All too often companies try to play the blame game and dance around the issues.  I think that had Heartland done this they would have taken a bigger hit and garnered a lot more media attention than they already have. 

Not that this has been painless for Heartland: they say that they lost a few hundred customers; their stock price lost 78% of its value and is currently trading at about 50% of what it was worth prior to the announcement.  They have spent something on the order of $12 million in remediation and mitigation activity thus far.  Expect that number to go up.  TJX is reported to have spent $171 million.

Was Heartland negligent in some way?  Well that has yet to be seen but based upon the information we have thus far I’d venture to say that they weren’t.  Negligence is the failure to exercise the care toward others which a reasonable or prudent person would do in the circumstances, or taking action a reasonable person would not. If they were compliant with industry standards and guidelines coupled with responding appropriately when notified of a problem then I would say that would constitute exercising due care commensurate with a reasonable or prudent person’s actions. 

Now if Heartland isn’t to blame, who is?  There is the assertion that PCI is to blame.  Personally I’m not a fan of competing standards.  I just don’t see why we need so many different standards when we obviously are just repeating ourselves in varying levels of detail.  All that said, I’m not so sure it is the fault of PCI or any other standard that Heartland could have applied.  What I believe the issue to be is in the application and measurement of standards and guidelines.  All too often we take an audit mentality when we talk about complying with standards and guidelines.  When we do this we distill everything down into some sort of checklist and then equate this with being secure.  If you pass the audit you are secure; if you fail the audit you are not secure.  The Heartland Incident is just another example of this being a false premise.

Now I don’t want to appear to be advocating the proverbial throwing the baby out with the bath water.  What we need to do is find some way to encourage and support companies to make informed risk based decisions about security.  We can utilize standards and guidelines as frameworks upon which to build sound security practices but we also need to find a way to support companies to make security decisions based upon acceptable risk and not compliance. 

But do you want to know what the kicker is to all of this?  It is that if we do this then we will eventually come across a company that does all the right things and still has a security breach.  That will be the moment of truth.  How do we react?  Do we support the company for doing the right things and making sound risk based decisions or do we slam them for non-compliance with an arbitrary set of standards and guidelines? 

If we slam them then we are right back to where we are now, stuck in the quagmire of checklist/compliance-driven security, which we know doesn’t work.  If we support them and use the security breach as an opportunity to learn from the mistake in order to improve, then we’ve turned the corner. 

I’m not saying that I have all the answers either.  There has to be some measure of incentivizing companies to incorporate security into their processes other than forcing compliance with a law or regulation.  I’m just not quite sure what that is.  I do know that what we are doing now isn’t working.


I wanted everyone to know that the audio version of “Into the Breach: Protect your Business by Managing People, Information, and Risk” has just been released.  I reviewed the hardcopy version back in March and was just sent the brand new audio version.  If you are anything like me there is always too much to read, so it is nice to have a version that I can listen to on the way to the airport or during other times when reading isn’t an option.  The audio version has a smooth, clean, professional feel to it.  Michael Santarcangelo reads the book himself and, unlike most authors, Michael is a professional speaker.  That means the awkward pauses or monotone cadence that are often present in author-read books aren’t there.  Michael comes across as if he is sitting next to you explaining the process.  The audio version is very well done and an excellent complement to the written version. 

Check out a snippet of the audio version of the book at:
http://www.securitycatalyst.com/innovation/security-catalyst-podcast/


Just wanted everyone to know that I’ll be teaching a new seminar on Cybersecurity July 16th at the Willard InterContinental in Washington DC.  The class is aimed at government executives, managers, and system owners rather than folk in the security industry (though I’d love to see you guys and gals there as well.)

We’ll be defining Cybersecurity, discussing the various threats, discussing the pertinent federal regulations, and discussing the Cyberspace Policy Report that was just released by the White House. 

If you work for or support government and know someone who may benefit from this seminar please forward them the following link:

Cybersecurity for New Government Executives, Managers, and System Owners  (www.potomacforum.org/?view=308)

I look forward to seeing you there!


“The nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat.  We need to demonstrate abroad and at home that the United States takes cybersecurity related issues, policies, and activities seriously.  This requires White House leadership that draws upon the strength, advice, and ideas of the entire Nation.”

~ A quote from the Executive Summary

It is probably best to set the stage rather than assume that everyone out there knows what I’m talking about.  Shortly after President Obama took office he directed a 60-day comprehensive, “clean-slate” review to assess US policies and structures for cybersecurity.  Outside the scope of the review were those areas that are unrelated to national security or securing the United States’ critical infrastructure.  This type of review has been needed for quite a while and there has been debate as to whether or not the government would actually release anything that is useful or if they would just recapitulate what has already been said, just in a different way.  You can find the Cyberspace Policy Review on the White House website.  There is also a nice list of the documents that went into the review. 

What follows is a review of the report and my initial impressions:

The report declares that cybersecurity risks rank up there with the most important economic and national security challenges of the 21st Century.  In order to meet this challenge the report declares that:

“It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution.” 

~ A quote from the Executive Summary

To support this declaration the report mentions that malicious activities have already disrupted critical infrastructure elements in other countries (the disruption of electric power grids), exploited financial services (any number of data breaches and fraud cases), and caused the systematic loss of US intellectual property (estimated to have a loss of economic value as high as $1 trillion).

In order to address these issues the report breaks down its findings and recommendations into five areas:

• Leading from the top;
• Building the capacity of a digital nation;
• Sharing responsibility for cybersecurity;
• Improving information sharing and incident response; and
• Building the architecture of the future.

Under Leading from the Top, the report calls for the US to be a world leader in addressing the challenges of cyberspace.  In order to realize this goal, the report states that leadership must come directly from the White House.  The rationale for this is the fact that within the US government only the White House has the authority to coordinate the wide array of capabilities and authorities required to respond to cyber incidents.  In order to support and facilitate this authority the report recommends that a cybersecurity policy official be appointed to coordinate the nation’s cybersecurity-related policies and activities.  This individual would be part of the National Security Council (NSC).  Additionally it is suggested that this new official should participate in economic, counterterrorism, and science and technology policy discussions in order to provide the cybersecurity perspective.  A very good idea.  It would go a long way toward integrating cybersecurity concerns into all sorts of decision-making processes.  The report goes on to talk about the specific duties that this individual should have and how they should strive to facilitate coordination and cooperation within the federal government with regard to cybersecurity.  At a high level these duties revolve around reviewing laws and policies (which would lead to new proposed legislation), strengthening federal leadership and accountability for cybersecurity (greater accountability is a good thing), and increasing the interaction between the federal government and state, local, and tribal leadership with regard to cybersecurity (a laudable goal). 

Under Building Capacity for a Digital Nation, the report covers a few different items and likens the challenge to that which the United States faced after the launch of Sputnik back in 1957.  (Okay, the analogy was noted in the Exec Summary but it fits in here.)  In order to rise to this challenge the report calls for an emphasis on math and science skills in order to develop a workforce of US citizens to compete on a global level and sustain the leadership role of the United States.    

In order to meet these challenges the report calls for the need to build public awareness of the nature and risks involved in the use of cyberspace.  Awareness is always a good thing but it isn’t the end of the road.  Building upon awareness, the report suggests an effort to enhance our education system by including cybersecurity and to promote scientific, engineering, and market leadership in the IT space.  Recent studies have shown the US is lacking in this regard, therefore this suggestion is timely and needed.  If nothing else is implemented within this plan, this one should be.  Once we have these educated people the question arises of where to put them to work.  The report calls for a need to expand and train the federal information technology workforce.  The language here seems to foreshadow a trend to expand the government by recapturing a lot of the IT positions that have been lost through outsourcing to the private sector.  There is even language here to allow for rotation between assignments in different agencies.  I’m going to be eagerly looking forward to how this pans out because I think it could very well be a boon for the federal workforce. 

Under Sharing Responsibility for Cybersecurity, the report acknowledges the fact that the federal government cannot succeed without engaging others.  A national dialogue is called for between the public and private sector.  Some of the language here points to a dialogue that would allow the government to hear the concerns that the private sector has over cybersecurity issues, as well as learn more about the difficulties that are faced, in order to craft legislation and regulations that help businesses incorporate security to a greater degree. 

This interaction isn’t limited to the US either.  The report recognizes that international norms are critical to supporting cyberspace and therefore a strategy needs to be designed to foster international cooperation and collaboration with regard to cybersecurity.  Some of the items mentioned were the development of uniform technical standards and the legal issues that arise owing to the borderless nature of cyberspace. 

Under Creating Effective Information Sharing and Incident Response, the report calls for a form of nationwide incident response capability to include Federal, State, local and tribal governments working together with the private sector and international allies.  This is in recognition that cyber incidents are likely to affect networks and systems across both the public and private sector.  This section also leverages the Cybersecurity Coordinator named in the Leading from the Top section of the report and calls for the development of a national incident response framework.  This framework would go a long way to avoid the confusion surrounding roles, responsibilities and authority that always comes up when multiple departments and agencies respond to an incident. 

In addition to an ability to react to a cyber incident, the report calls for investment in preventative processes, technologies, and infrastructure.  This could take the form of increased testing, centralized administration, and restricted connectivity for unclassified government systems (sounds like the TIC will fit in here).  As I read this I’m beginning to imagine some sort of common federal security operations center.  Apparently it will coordinate with other similar centers on state, local, and tribal levels.  It will be interesting to see how this is actually operationalized.   

Under Encouraging Innovation, the report acknowledges that there has been a convergence of technologies where data, voice, and video are now sharing a common infrastructure.  This decentralizes the nature of the technology and allows for innovation.  It also presents a common vulnerability, namely the susceptibility of the common infrastructure to a disruption.  Understandably there are national security implications as this infrastructure forms the veins through which the nation’s (and the world’s) economy flows.  As a result the report calls for the government to find ways to incentivize the market to innovate and make more secure products.  It even hints that legal changes in the form of liability considerations could be in the works for companies that come on board.  Conversely, increased liability consequences would exist for those who have poor security.  (Both from the Executive Summary section.)  Sort of a carrot and stick approach.  I like the combination of incentives and penalties.  In my experience it tends to elicit greater change than the use of penalties alone.   

The report then calls for an increase in the research and development efforts of the federal government that would focus on “game-changing” technologies in the effort to enhance the United States’ competitiveness.  These efforts would be in conjunction with industry and academia in order to avoid duplication and leverage complementary capabilities.  While the language indicates that the aim would be to ensure the timely transition of this new technology to market, I get the feeling that the federal government’s role would be to facilitate this collaboration, provide some requirements based upon other cybersecurity efforts (incident response comes to mind) and help define goals in conjunction with national and international standards bodies.  There is no clear indication of this though; it is just my gut feeling at this point.  Items such as supply chain security and emergency preparedness would also be areas of interest in this R&D initiative. 

One of the options that was put forth is the establishment of some sort of federal-level identity management system.  There are many pros and cons to this option.  The report acknowledges that people may be uncomfortable with this idea and, in what I read to be a preemptive move, calls for cooperation with the civil liberties and privacy communities. 

The report concludes with two forms of action plans, a near-term plan and a mid-term plan.  I’ve copied them below:

The Near-Term Plan:

1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.
2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.
3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
5. Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.
6. Initiate a national public awareness and education campaign to promote cybersecurity.
7. Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.
8. Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement.
9. In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.
10. Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.

The Mid-Term Plan:

1. Improve the process for resolution of interagency disagreements regarding interpretations of law and application of policy and authorities for cyber operations.
2. Use the OMB program assessment framework to ensure departments and agencies use performance-based budgeting in pursuing cybersecurity goals.
3. Expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy.
4. Develop a strategy to expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.
5. Determine the most efficient and effective mechanism to obtain strategic warning, maintain situational awareness, and inform incident response capabilities.
6. Develop a set of threat scenarios and metrics that can be used for risk management decisions, recovery planning, and prioritization of R&D.
7. Develop a process between the government and the private sector to assist in preventing, detecting, and responding to cyber incidents.
8. Develop mechanisms for cybersecurity-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial.
9. Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict while ensuring network neutrality.
10. Expand sharing of information about network incidents and vulnerabilities with key allies and seek bilateral and multilateral arrangements that will improve economic and security interests while protecting civil liberties and privacy rights.
11. Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology development innovations.
12. Use the infrastructure objectives and the research and development framework to define goals for national and international standards bodies.
13. Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.
14. Refine government procurement strategies and improve the market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.

In summary I think it is a good plan, though I do need to read it through a few more times.  I think it is ambitious and for the most part will be good for the country.  There are a few areas of concern but it is clear that these are intended to be high-level ideas and to spark debate, which is always a good thing.  This report is also consistent with the proposed legislation that is out there (namely S.773, the Cybersecurity Act of 2009).  It is almost so consistent that it makes you wonder how much crossover there was between the people advising on the legislation and those conducting and preparing this report. 

On the evening of April 27, 2009 Abdirahman Ismail Abdi entered the facilities of the California Water Services Company (Cal Water).  After presumably parking his car in the employee car park, he entered one building with his electronic key card and proceeded to the office of a senior executive.  Sitting down at the executive’s computer he initiated three separate transfers totaling $9 Million USD from the accounts of Cal Water to an account in Qatar.  Having completed this transaction he exited the office and building and proceeded to another secure building on the Cal Water campus.  Again he used his electronic key card to access the building.  Proceeding to the office of yet another senior executive, he again used that executive’s computer to access Cal Water’s financial systems and approved the transfer requests he had initiated just a few minutes before in the other building.  His work completed, he most likely walked out to his car and drove away. 

What we don’t know yet is how he accessed the financial systems: did he use his own credentials or did he use the credentials of the senior executives whose computers he accessed?  To me it sounds like he somehow compromised the accounts of the two executives, but this is just conjecture on my part.  The next question raised is why he would need two separate computers.  If he had the user account information then couldn’t he just access the financial system from the same machine, logging in once to initiate the transfer before exiting and logging in again to approve it?  A number of reasons come to mind:

• Perhaps he was trying to frame these two executives;
• Perhaps the software used to access the financial system required different client modules, thus the need for two separate computers;
• Perhaps the financial system required an electronic certificate from these users that was only stored on their own computers. 

I’m sure other reasons come to mind but let’s go with these.  Moving on, how do we know that Abdi is the perpetrator?  Having just broken down how the financial account was accessed I would venture to guess that he did not use his own login credentials.  Cal Water is the largest investor-owned American water company west of the Mississippi River and the third largest in the country.  I think that it is safe to assume that they had some sort of separation of duties controls in place, hence the need for two computers in two different buildings.  Again this is conjecture on my part but it does make sense. 

But if he used the accounts of those senior executives then how do we know it was him?  We believe it to be Abdi because he was observed by a janitor in the buildings on the night of the crime and he also allegedly attempted to deposit a check for more than $25,000 USD made out to Cal Water in his own bank account.  Add to this the fact that (1) Abdi put his wife and children on a plane to Germany on April 28th, the morning after the crime, and (2) Abdi resigned his position as an auditor for Cal Water just hours before he allegedly committed this crime, and things don’t look so good for him right now.  (Abdi is currently on the run and is believed to have fled the United States through Canada as of this writing.) 

Now this is a good story worthy of a “movie of the week” (or perhaps an afterschool special for young security professionals still in school).  It goes to show that the human element is both our greatest weakness as well as our greatest strength.  Let me explain that. 

Going back over the story a few things stand out to me.  The first is that Abdi needed to access Cal Water facilities with his electronic key card.  The second is that he needed to use two separate computers, presumably with two separate accounts, in order to complete the crime. 

Now I have no inside knowledge of the Cal Water environment or systems, but it makes sense that if Abdi could have accessed the facilities without his key card he probably would have, so the physical controls are most likely adequate to protect against unauthorized access by an external threat source.

Next he used two separate computers assigned to individuals who most likely had the authority to initiate and approve fund transfers.  Not only did he need their computers but he probably needed and used their login credentials.  How he gained their login credentials is unclear.  Were they written down somewhere; did he eavesdrop on them sometime in the past; did he install some sort of key logger software when he was acting in his capacity as an auditor?  (The last is a scenario that I made up because it seemed plausible; there is absolutely no indication that this actually happened or is alleged to have happened.)  Right now we just don’t know, but it makes sense to me that he needed two separate computers and two separate sets of login credentials with the right level of access to the financial systems.  As an auditor it is likely that Abdi was privy to vulnerability information concerning the financial system, therefore he probably chose the easiest way to exploit the system.  That tells me that it is very likely that the technical controls on the Cal Water financial system were operating as intended or were at least sufficient; otherwise why would he go to the trouble and risk of compromising two buildings, two offices, and two accounts?  (Again, I have no inside knowledge of Cal Water.)

So if the physical access controls were working as intended and the technical financial controls were working as intended, then the only thing we have left is a failure of the human control, namely the disgruntled insider, that led to this breach.  It was also the human control that identified the perpetrator.  Remember that a janitor reported seeing Abdi in the building on the night of the crime after he quit.  Remember also that Abdi tried to deposit a check made out to Cal Water in his own account; not a very smart thing to do. 

People will argue that there was also a failure of the termination process and that Cal Water should have disabled his access (physical as well as technical) when he resigned.  What we don’t know is if his resignation was effective immediately or if he gave two weeks’ notice.  In many companies it is normal operating procedure to have an employee departing on favorable terms wrap things up and transfer their work to another person in their final days in a position.  We have no indication at this time that Abdi was a problem employee or that he would have given any indication that he posed a threat.  Remember, from what we know he resigned; he wasn’t fired.  There is also every indication that he probably didn’t even use his own login credentials once inside the facility, so even if his technical access had been minimized it most likely couldn’t have prevented his use of another’s credentials.   
 
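To make the separation-of-duties and termination points above concrete, here is an added example of my own (not Cal Water’s systems and not part of the original post): a small dual-control transfer ledger in which a transfer needs an initiator and a distinct approver, both still employed at the moment they act, plus a check that flags badge use after an employee’s separation date for review.  All names, badge ids, times and amounts are constructed, and the `separated_at` field is a hypothetical directory attribute.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    user_id: str
    badge_id: str
    can_initiate: bool = False
    can_approve: bool = False
    # Effective time of a resignation or termination, if any (hypothetical field).
    separated_at: Optional[datetime] = None


@dataclass
class Transfer:
    transfer_id: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None


class DualControlLedger:
    """Fund transfers require two distinct, still-active, authorised people.

    The ledger only sees account names: if an insider acts with someone
    else's credentials, as the post speculates, these checks pass and the
    failure has to be caught elsewhere (people, badge logs, the bank's hold).
    """

    def __init__(self, staff: List[Employee]) -> None:
        self.staff: Dict[str, Employee] = {e.user_id: e for e in staff}
        self.transfers: Dict[str, Transfer] = {}
        self.audit: List[str] = []

    def _is_active(self, user_id: str, when: datetime) -> bool:
        """True if the account exists and its separation is not yet effective."""
        e = self.staff.get(user_id)
        return e is not None and (e.separated_at is None or when < e.separated_at)

    def initiate(self, transfer_id: str, amount: float,
                 user_id: str, when: datetime) -> bool:
        if not self._is_active(user_id, when) or not self.staff[user_id].can_initiate:
            self.audit.append(f"DENY initiate {transfer_id} by {user_id}: not an active initiator")
            return False
        self.transfers[transfer_id] = Transfer(transfer_id, amount, user_id)
        self.audit.append(f"PENDING {transfer_id} {amount:,.2f} initiated by {user_id}")
        return True

    def approve(self, transfer_id: str, user_id: str, when: datetime) -> bool:
        t = self.transfers.get(transfer_id)
        if t is None or t.approved_by is not None:
            self.audit.append(f"DENY approve {transfer_id} by {user_id}: nothing pending")
            return False
        if not self._is_active(user_id, when) or not self.staff[user_id].can_approve:
            self.audit.append(f"DENY approve {transfer_id} by {user_id}: not an active approver")
            return False
        if user_id == t.initiated_by:  # the separation-of-duties rule itself
            self.audit.append(f"DENY approve {transfer_id} by {user_id}: initiator cannot approve")
            return False
        t.approved_by = user_id
        self.audit.append(f"APPROVED {transfer_id} by {user_id}")
        return True


def badge_use_after_separation(staff: List[Employee],
                               events: List[Tuple[str, datetime]]) -> List[str]:
    """Review-queue entries for badge swipes by people whose separation is effective."""
    by_badge = {e.badge_id: e for e in staff}
    alerts = []
    for badge_id, when in events:
        e = by_badge.get(badge_id)
        if e is not None and e.separated_at is not None and when >= e.separated_at:
            alerts.append(f"{e.user_id} badged in at {when:%Y-%m-%d %H:%M} after separation")
    return alerts


def demo() -> Dict[str, object]:
    """Constructed scenario; returns the outcome of each check."""
    noon = datetime(2009, 4, 27, 12, 0)
    evening = datetime(2009, 4, 27, 20, 0)
    staff = [
        Employee("exec_a", "B100", can_initiate=True, can_approve=True),
        Employee("exec_b", "B101", can_initiate=True, can_approve=True),
        Employee("auditor", "B102", separated_at=noon),  # resigned at noon that day
    ]
    ledger = DualControlLedger(staff)
    out: Dict[str, object] = {}
    out["initiate_ok"] = ledger.initiate("T1", 9_000_000.0, "exec_a", evening)
    out["self_approve"] = ledger.approve("T1", "exec_a", evening)   # blocked: same person
    out["peer_approve"] = ledger.approve("T1", "exec_b", evening)   # allowed: second person
    out["separated_initiate"] = ledger.initiate("T2", 1.0, "auditor", evening)  # blocked
    events = [("B101", datetime(2009, 4, 27, 9, 0)),    # normal working hours
              ("B102", datetime(2009, 4, 27, 20, 5)),   # after the resignation
              ("B102", datetime(2009, 4, 27, 20, 20))]
    out["badge_alerts"] = badge_use_after_separation(staff, events)
    out["audit"] = ledger.audit
    return out


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The badge check is where a same-day resignation actually becomes visible; the ledger itself cannot tell whose hands are on the keyboard.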

The bottom line is that it appears as if the physical and technical controls were working and operating effectively, therefore the solution probably isn’t a technical one.  The human control is what failed.  Yes, you could go through and upgrade the physical and technical controls to require multi-factor authentication both for entry into the facility as well as for identification within the network, but is that really feasible in a majority of companies?  The need for security must always be balanced with the needs of the business.  Had Abdi actually been able to walk off with $9M then perhaps you could justify that sort of expenditure, but in truth he didn’t.  (The account in Qatar was frozen and the funds transferred back to Cal Water.)

The insider threat is real and in an economy like this it is growing.  Studies such as the 2009 Data Breach Investigations Report notwithstanding, the impact of an insider breach is often greater than that of an external breach.  In this case it was a transfer of money, but what if it had been a customer list or proprietary data concerning a major company project?  (We’re speaking in general here, not about Cal Water specifically.)  Touting the number of scans detected or intrusions blocked at the firewall doesn’t mean anything when Joe the employee who has just been laid off walks out with your customer list or the details of your proprietary processes on a flash drive.  Your competition could then undercut your prices or catch up on years’ worth of development in the space of a day.  How much is that worth to your company?

As much as I don’t like the fact that some studies and reports have tried to downplay the risk posed by insiders, I don’t want to overplay their importance either.  They are a threat just like other threats and they need to be addressed just like everything else.  What this story shows us is that your security controls need to go beyond the physical and technical realm.  Your staff and management need to be trained to identify the potential for employees to become disgruntled insiders and to take steps to address the issue before it becomes one.  I talked about this a lot in my three-part series on Insiders (Part One, Part Two, Part Three). 

You also need to recognize that there is no way to completely guard against the insider threat, so you need to have a plan on how to deal with it when it does eventually happen.  This takes a coordinated effort across the organization, and since it may involve the seizure of evidence by local or federal authorities (should they become involved) you’ll need to account for that.  How should you deal with the media, stockholders, and the public?  What you say in the early days when you aren’t sure exactly what has happened is just as important as what will eventually be said in hindsight.  (See my post on Public Relations and Security.)

This post has given me the idea that it might be useful to do something on the order of a breach analysis in order to bring up issues that need to be addressed well before an incident happens.  Perhaps I’ll do something like that in future posts. 
