IT Security Blog

25 March 2009

Staples Sells Returned Hard Drive Loaded with Personal Files


We will touch on this in some more detail during the Security Buzz podcast (Episode #25) that will be recorded this Friday, but I wanted to make a couple of comments here as well about an article that was posted on canada.com regarding a Staples Business Depot Store in Ottawa, Ontario that sold a returned hard drive that still had a number of personal files on it. 
To summarize the article, a woman named Jill Vickers, a retired political science professor from Carleton University, had purchased an external Maxtor Mini portable drive, then attempted to return it to the store after her son noticed that the automatic backup function was not working properly (Vickers had already put a number of her personal files, including some that contained sensitive information, on the drive).

Staples is getting a lot of bad press here for not properly wiping the drive prior to putting it in the clearance bin. Staples says that it is standard operating procedure to wipe "anything with memory" prior to it being resold. So, mea culpa on Staples' part in this case for not following their own policy; the negative attention is well deserved. What the article doesn't state is "how" they wipe the drive. Is it a quick format? Is it being wiped to DoD standard? This is a point left to speculation, but I think it is an important point nonetheless, because I don't think you can expect the average consumer to know the difference and why that difference is important.

That being said, I believe that Vickers deserves at least part of the blame as well.  If the data that she was storing on the drive was so important to her and if it was potentially sensitive, she (or her son) should have thought to at least take basic steps to ensure that this information was not readily visible to anyone who would be handling the drive (including the employees of the Staples store that she returned the drive to).  Even if Vickers isn't familiar with the different types of data deletion standards that are out there, doing a "Select All" and then "Delete" on the files contained on the drive is certainly better than nothing at all.
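To make the difference between "Select All, Delete", a quick format and a real wipe concrete, here is a toy disk image in Python. It is an added illustration, not code from the post, from Staples or from any real wiping tool: the block layout, the allocation table, the sample file and the SIN-shaped number in it are all constructed. Real filesystems are more complicated, but they share the property shown here: deleting a file or quick-formatting rewrites metadata, and the data blocks stay exactly as they were until something overwrites them.

```python
"""Toy disk image showing why "delete" and a quick format leave data behind,
while an overwrite does not. Added illustration, not the post's or Staples'
procedure: block size, the allocation table, the sample file and the SIN
value are all constructed."""
import os
import re

BLOCK_SIZE = 64
NUM_BLOCKS = 16


class ToyDisk:
    """Flat array of data blocks plus a separate allocation table
    (filename -> block indexes). Deleting or quick-formatting only edits
    the table; the blocks are untouched."""

    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.table = {}

    def _free_blocks(self):
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(NUM_BLOCKS) if i not in used]

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        free = self._free_blocks()
        if needed > len(free):
            raise OSError("disk full")
        allocated = free[:needed]
        for i, blk in enumerate(allocated):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[blk][:len(chunk)] = chunk
        self.table[name] = allocated

    def listing(self):
        """What a file browser shows: only what the table still references."""
        return sorted(self.table)

    def delete_file(self, name):
        """'Select All' then 'Delete': drops the table entry, touches no data block."""
        del self.table[name]

    def quick_format(self):
        """Quick format: a fresh, empty table over the same untouched blocks."""
        self.table.clear()

    def secure_wipe(self, passes=3):
        """Overwrite every block on every pass (random data, then zeros on the
        last pass so the result can be verified). Returns the verification."""
        for p in range(passes):
            for blk in self.blocks:
                blk[:] = os.urandom(BLOCK_SIZE) if p < passes - 1 else bytes(BLOCK_SIZE)
        return self.verify_blank()

    def verify_blank(self):
        return all(not any(blk) for blk in self.blocks)

    def carve(self, pattern):
        """What a recovery tool does: ignore the table, scan the raw bytes."""
        raw = b"".join(self.blocks)
        return [m.group(0).decode("ascii") for m in re.finditer(pattern, raw)]


# Constructed sample: a SIN-shaped number, not a real one.
SIN_PATTERN = rb"\d{3}-\d{3}-\d{3}"
SAMPLE_FILE = b"Tax return 2008\nSIN: 123-456-789\nBank acct 9988776655\n"


def demo():
    """Apply the three 'clean-up' approaches to the same image and report
    what a file listing and a raw carve see after each."""
    disk = ToyDisk()
    disk.write_file("taxes.txt", SAMPLE_FILE)
    out = {}
    disk.delete_file("taxes.txt")
    out["after_delete"] = (disk.listing(), disk.carve(SIN_PATTERN))
    disk.quick_format()
    out["after_quick_format"] = (disk.listing(), disk.carve(SIN_PATTERN))
    out["wipe_verified"] = disk.secure_wipe()
    out["after_wipe"] = (disk.listing(), disk.carve(SIN_PATTERN))
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

After the delete and after the quick format the listing is empty, so a store employee browsing the drive sees nothing, but the carve still finds the number; only after the overwrite does the carve come back empty. Two caveats worth keeping in mind: on flash media (USB sticks, SSDs) wear levelling means an overwrite from the host is not guaranteed to reach every physical cell, so the dependable approach there is encrypting the drive from day one and destroying the key; and for a returned drive the safest assumption is that anyone in the handling chain can run a carve like this one.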

I guess the best takeaway from this experience for the rest of us is that we should always take whatever steps are necessary and possible to protect our own sensitive data from potential exposure, because even if others who are handling our information have protection policies in place, you cannot rely on those policies being followed.

Posted by smasiello at 10:28 AM | 0 comments

01 December 2008

Cyber Monday - The Official Online Kickoff to the Holiday Shopping Season


Happy "Cyber Monday" - what is widely considered to be the official start of the online shopping season.  After eating too much turkey, gravy, mashed potatoes, and stuffing on Thursday (and probably Friday, Saturday, and Sunday too!), then spending way too much time in line for Black Friday shopping deals that probably weren't worth getting up at 3am for, today is the first day back at work after the long holiday weekend.  As such, today is also the day that many people start buying presents online.

According to comScore, spending on Cyber Monday has historically reflected overall holiday season spending. The question that I have, though, is "Is Cyber Monday relevant anymore?" Many retailers now offer the option, even on Black Friday, to order items via their web site to get the same deals. So, many of the specials that people were standing in line for on Friday could have been purchased online, at home, in your pajamas.

From a security perspective, Cyber Monday is the start of a season in which we attempt to educate users as much as possible about the "too good to be true" deals that may arrive in your inbox. We have typically offered a couple of pointers to keep yourself safe online:

-- Shop only with vendors that you already know and trust. Don't give your credit card information away to someone that you don't already have some kind of pre-existing shopping relationship with.

-- Avoid clicking on what appear to be links to legitimate web sites in an email or IM. If you want to go to the Lands' End web site to shop, go to the URL directly. The link may actually go to a look-alike site set up solely to steal information.

-- Ensure that web sites that are accepting credit card information and/or that you have to log into have SSL encryption on the pages that are processing this data. This should be a given and a standard nowadays, but the absence of encryption of your sensitive data should be your first red flag that your business should likely be taken elsewhere.

-- Look for seals from privacy enforcement organizations like TRUSTe and BBBOnline. Although this isn't a guarantee that their site cannot be compromised, cooperation with these organizations means that they do not ask for sensitive information like a social security number without explicitly explaining in their Privacy Policy why they are collecting it. So you can at least be certain going in why you are being asked for something that you wouldn't normally provide. You can then make an informed decision as to whether you want to take your business to another merchant.
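The second and third pointers are mechanical enough to check automatically. The Python below is an added example, not code from the post: it pulls every link out of a marketing e-mail and flags the warning signs just described, namely visible link text that names a different host than the real destination, a destination that merely resembles a merchant you already use, a punycode host, and a sign-in or checkout link that is not HTTPS. The sample e-mail, the allow-list of trusted merchants and the "last two labels" ownership heuristic are all constructed for the illustration; none of the hosts in the sample are real destinations.

```python
"""Scan the links in a marketing e-mail for phishing warning signs. Added
example; the e-mail, the allow-list and the 'lookalike' heuristic are
constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: merchants the reader already has a relationship with.
TRUSTED_HOSTS = {"www.landsend.com"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'owner' comparison: the last two labels. A real implementation
    would consult the Public Suffix List; this shortcut is an assumption."""
    return ".".join(host.lower().split(".")[-2:])


def assess_link(href, text, trusted=TRUSTED_HOSTS):
    """Return the list of warning signs for one link (empty means none found)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme != "https":
        findings.append("not-https")
    shown = HOST_RE.search(text)  # does the visible text name a host?
    if shown and registrable(shown.group(1)) != registrable(host):
        findings.append("text-host-mismatch")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    for t in trusted:
        owner = registrable(t)
        brand = owner.split(".")[0]
        if host and registrable(host) != owner and brand in host:
            findings.append(f"lookalike-of:{owner}")
    return findings


def scan_email(html):
    """Extract all links and assess each; returns (href, text, findings) triples."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


# Constructed sample message; none of these hosts are real destinations.
SAMPLE_EMAIL = """
<p>Doorbuster! <a href="https://www.landsend.com/sale">Lands' End sale</a></p>
<p>Sign in at <a href="http://landsend-deals.example/login">www.landsend.com</a></p>
<p>Or try <a href="https://www.landsend.com.evil.example/">Lands' End</a></p>
<p>Also <a href="https://xn--lndsend-6ya.com/">landsend.com</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        print(f"{text!r:25} -> {href}: {findings or 'ok'}")
```

The first link comes back clean; the other three each trip at least one check. The point of the "lookalike" rule is that a brand name appearing somewhere in a hostname (`landsend-deals.example`, `www.landsend.com.evil.example`) proves nothing about who owns it, which is exactly why the pointer says to type the merchant's URL yourself rather than follow the link.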

These tips are not just important for Cyber Monday though. They are relevant to the entire holiday season and for the entire year. Sometimes, in the rush and hurry to find the best deals for that must-have gift, we let our guard down or think that it is too inconvenient to go through some of these extra steps. The question then comes down to whether you want to take a few extra minutes now to make educated decisions about who you are giving your credit card data to, or risk spending a lot more time trying to clean up an avoidable mess later.

Here's to a fun, safe, and secure holiday season.  Cheers! :)

Posted by smasiello at 11:04 AM | 3 comments

31 January 2008

Another Day....Another Data Breach

Hardly a day goes by anymore where there isn't some sort of breach of confidential data. Whether it is the exposure of almost 40,000 Social Security Numbers of Georgetown University alumni, faculty, and staff or the theft of 35,000 records of current and former customers of T. Rowe Price, or even the well documented theft of over 45M credit and debit card numbers from TJX, data theft is rampant and we still haven't learned our lesson.

No matter how much education you do on security best practices and even if 99.99% of your company follows those practices, it only takes one person making one mistake to cause a potential breach. Although some data breaches are the result of large scale infrastructure weaknesses, a large number of them are also the result of the indiscretion of one person. One person who didn't properly secure an open PC or who didn't properly secure a hard drive with sensitive data can cause the loss of millions of records which can result in untold numbers of identity thefts!

We've said this before, but I absolutely believe it to be 100% true: protect your personal information and monitor your bank accounts and credit cards like the data has already been compromised (because it likely has. The real question is whether or not someone is going to use YOURS). As with many things in life, early detection gives you the best possibility of recovery. You may not be able to prevent damage to your credit or reputation from happening, but there is a lot we can do to mitigate it once it happens.

Posted by smasiello at 10:59 AM | 0 comments

02 October 2007

Why Security Awareness?

MX Logic has announced that we will be joining the National Cyber Security Alliance (NCSA) to actively promote awareness of internet safety and security issues in conjunction with National Cyber Security Awareness Month (NCSAM) during the month of October.

As such, I have pledged to devote a series of blog postings this month to assist with the development of a Security Awareness Program within your organization.

Before we get into the meat and potatoes of developing a Security Awareness (SA) program, the question one must first answer is "Why should I implement a security awareness program? Aren't security programs for the techies?" This is an excellent question, especially for organizations that are not in an information-technology-related line of business.

The answer to that question is that no matter what field you are in, security should be a part of your organization. Security doesn't just mean making sure someone doesn't hack your web site or that your computer doesn't get infected with a virus. The concept of corporate security also involves physical security of your office as well as data that you might be storing there.

Let's use a car repair shop as an example. Should they be concerned about security? Absolutely! We'll put aside for the moment that a car repair shop may have thousands of dollars of inventory sitting right in their main lobby area (tires and the like), but where the real money is to be had from a thief's perspective is from the customer records. A car repair shop has customer lists with customer names, addresses, phone numbers, and potentially credit card numbers. If this information isn't properly secured by the shop, your personally identifiable information could be at risk.

As organizations, who are we trying to defend ourselves against? From a technology perspective there are virus writers, hackers, spammers, etc. Those are a given. Data and physical property thieves are also a risk. What are companies doing though to protect against their internal employees? As much as you want to believe that everyone that works for your organization is there to advance the progress of the company, a 2006 E-Crime Watch Survey reports that insiders were responsible for 27% of all security incidents. More than 1 in 4 security incidents (either accidental or intentional) were the result of an employee at a company obtaining access to information that they shouldn't have had access to.

Why is that? For starters, it is easier to get information. The higher up you are in an organization, the more critical data that you likely have access to as part of your normal network access levels which means that your potential risk to a company is also much higher. Why break into the house to steal the jewels when you are already in the bedroom?

Over the next few blog entries we'll go into some more detail on what the goals of a successful SA program should be, some of the inherent challenges that come along with the implementation of such a program as well as steps that you can take to start implementing a security awareness program at your organization. Different types of companies have varying requirements for security (Do you have servers? Do you accept credit cards? etc), but the discussion can certainly be made general enough to apply to everyone.

Hopefully over the rest of October the information that is presented here will be of use to you and will help jog some thoughts of your own on how a security awareness program could work for you.

Posted by smasiello at 1:35 PM | 0 comments

13 September 2007

Underestimating the Insider Threat

The Computer Security Institute's annual Computer Crime and Security Survey reports that insider attacks are now surpassing computer viruses as the most common cause of security incidents within organizations. It also says, however, that the losses incurred are not significant. The fact that insider threats have surpassed viruses in prevalence makes sense to me, but the argument that damage is minimal does not. Companies have been fighting the virus wars for years now. Insider espionage has been a potential issue for much longer than computer viruses, granted, but it has generally not received the same level of attention.

It is estimated that a little less than one third of all security incidents are the result of an insider, whether the incident was a result of malicious intent or an honest mistake. What is not accounted for here, however, is the level of ease with which insiders can obtain potentially damaging company confidential information. Some users have access to it by default as a result of their position within an organization. Others gain access by finding security weaknesses within the company's infrastructure. Either way, I believe that the reason companies are saying that the resulting losses from the insider threat are not the biggest cost is because they don't know how to estimate the damage.

Do they know how much data was really altered/copied/deleted? Do they have a good idea as to how much that data is really worth? Are the values being underestimated because they don't want to lose face in their respective industries? Do they not want to give their competitors ammunition to use against them? Do they not want their customers to lose confidence in them as a provider of a good or a service?

I think all of those are valid points to consider, but the real question at the root of the entire issue is not "Will you have a security incident?" but rather "When will you have a security incident?", and are you equipped to respond?

We generally spend so much time trying to make sure that the bad guys can't get in from the outside, but we need to also consider the possibility that they are already "in" and have been for quite some time.

Do not underestimate the insider threat and the ease with which insiders can cause damage to your organization. Chances are that someone who may cause either inadvertent or intentional data leakage or deletion already has access to the information they need... they don't have to break in or be sneaky to get it.

Posted by smasiello at 8:49 AM | 1 comment

29 August 2007

Telecommuting is a safe practice?

Another part of my role here at MX Logic in addition to being in charge of our Threat Research group is that of our security officer. This includes not only security education, but also implementation and enforcement of our internal security policies and procedures.

One of the things that I have been putting a lot of thought into lately is the security implications of telecommuting. Telecommuting is becoming much more commonplace among many different types of organizations now that more and more companies are adopting mobile computing practices. This often comes at the cost of security, however. In an effort to make employees more productive when they are away from the office (either traveling or working from home), the security implications of opening up your network in this way are not always considered... or if they are considered, they are set aside for the trade-off of getting more out of your workforce.

So, what's the big deal? So what if Jane wants to work on her desk PC at home when she telecommutes instead of using her laptop?

There was an article posted recently on darkreading.com that said that 94% of Federal CISOs do not believe that telework/telecommuting programs are a threat to security. It also stated that 83% of Federal CISOs are "interested" in mobile endpoint certification for compliance with the Federal Information Security Management Act. Being interested means that they aren't doing it yet, but think it is a good idea.

These numbers don't add up to me. How can you not be concerned about the security implications of telecommuting, but at the same time haven't even certified that your own equipment is in compliance with your own Information Security Management Act?

Let's discuss some best practices that companies can use when implementing a work from home policy:

-- Set up access control so that only your company-authorized PCs are allowed to connect to your VPN. If Jane has been connecting her work laptop to her own unsecured home wireless network or to the local Starbucks Wi-Fi network, you still can't guarantee that she won't be trying to spread a virus across your corporate infrastructure, but you have more control over this PC than you do over Jane's home PC that she shares with her two teenagers.

-- Implement as many defense-in-depth strategies on your company PCs as possible. This includes at least one anti-virus product and some kind of Host-Based Intrusion Prevention System (HIPS).

-- Disable ports on the PC which allow users to plug in external storage devices like USB drives. Not only are these devices handy if someone wants to steal your corporate secrets off of your corporate intranet, but they are an easy injection point for malware.

-- Turn off the wireless radio when the PC is going to be hard wired to the network. It will prevent accidental connection to a potentially rogue wireless network. A nice side effect is that it will increase battery life on a single charge as well, since the radio is such a drain on the battery when it is on.
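The four practices above are what a VPN gateway's endpoint posture check enforces before it lets a machine onto the corporate network. The Python below is an added example of that gateway-side logic, not MX Logic's code or any product's: it assumes a client agent on the PC sends a small JSON report with the fields shown (serial number, running anti-virus products, HIPS state, USB mass-storage state, wired and Wi-Fi state), checks it against an asset inventory of company-issued machines, and allows or denies the connection. The report format, the field names, the serial numbers and the three sample reports are all constructed for the illustration.

```python
"""Gateway-side posture check for a work-from-home VPN. Added example, not
MX Logic's or any product's code; the agent report format, the serial
numbers and the sample reports are constructed."""
import json

# Constructed asset inventory: serial numbers of company-issued machines.
AUTHORIZED_SERIALS = {"CORP-LT-0001", "CORP-LT-0002"}


def evaluate_posture(report, authorized=AUTHORIZED_SERIALS):
    """Return the list of policy failures for one endpoint report.
    Missing fields count as failures, so an incomplete report fails closed."""
    failures = []
    # 1. Only company-authorized PCs may connect.
    if report.get("serial") not in authorized:
        failures.append("device-not-company-authorized")
    # 2. Defense in depth: at least one AV product plus a HIPS.
    if not report.get("antivirus_products"):
        failures.append("no-antivirus")
    if not report.get("hips_running", False):
        failures.append("no-hips")
    # 3. USB mass storage disabled.
    if report.get("usb_mass_storage_enabled", True):
        failures.append("usb-storage-enabled")
    # 4. Wi-Fi radio off while on a wired connection.
    if report.get("wired_connected", False) and report.get("wifi_radio_on", True):
        failures.append("wifi-on-while-wired")
    return failures


def vpn_decision(report_json):
    """Parse the agent's JSON report and decide: ('allow', []) or ('deny', [...])."""
    try:
        report = json.loads(report_json)
    except json.JSONDecodeError:
        return ("deny", ["unreadable-report"])
    if not isinstance(report, dict):
        return ("deny", ["unreadable-report"])
    failures = evaluate_posture(report)
    return ("allow" if not failures else "deny", failures)


# Constructed reports in the shape the agent is assumed to send.
SAMPLE_REPORTS = {
    "jane-work-laptop": json.dumps({
        "serial": "CORP-LT-0001", "antivirus_products": ["ExampleAV"],
        "hips_running": True, "usb_mass_storage_enabled": False,
        "wired_connected": False, "wifi_radio_on": True}),
    "jane-home-pc": json.dumps({
        "serial": "HOME-PC-1234", "antivirus_products": ["ExampleAV"],
        "hips_running": False, "usb_mass_storage_enabled": True,
        "wired_connected": False, "wifi_radio_on": True}),
    "docked-laptop": json.dumps({
        "serial": "CORP-LT-0002", "antivirus_products": ["ExampleAV"],
        "hips_running": True, "usb_mass_storage_enabled": False,
        "wired_connected": True, "wifi_radio_on": True}),
}

if __name__ == "__main__":
    for name, rep in SAMPLE_REPORTS.items():
        print(name, vpn_decision(rep))
```

Jane's work laptop is allowed, her shared home PC is denied on three counts, and the docked laptop is denied only because its radio is still on while wired. Whether that last condition should block the connection or merely be logged and remediated is a policy choice; treating it as a hard failure here simply mirrors the list above. A real deployment would also authenticate the report itself (for instance with a machine certificate) rather than trust a self-reported serial number, since a posture check only helps if the client cannot lie to it.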

As with anything technology related, technology solutions are only part of the answer. User education is also a large piece of this pie. One of the most important jobs of a security officer is security awareness and making sure that security is part of the consciousness of every employee at an organization. It is one thing to put policies and technology in place which enforce security, but it is another entirely to make sure everyone in your company is also aware of those policies and knows and understands how to follow them. The backend technology should be in place to enforce those policies, but it is the end user's responsibility to try not to put themselves into a vulnerable position, and that is done through education, education, and more education.

Posted by smasiello at 9:58 AM | 1 comment