Thursday, August 30, 2007

Passwords Written Down, Real Life Real Risk



I sound like a broken record sometimes. I get sick of hearing myself speak too. I will say it again because it is of utmost importance:

People, please STOP writing passwords down!

Here is a real-life example of a written down password that could have very easily led to over $500,000 in theft.

The Incident
I get the call all of the time. Someone calls to report (anonymously) that they have found a password written down on a laptop. As always, I initiate an investigation to determine the extent of the risk to the company I am contracted to work for. Upon arrival at the site of the laptop, I notice various passwords written down on stickers just to the right of the mouse/thumbpad.



Typically, the passwords I find pose more risk to the company (e.g. Active Directory passwords, VPN passwords, etc.) than they do to the individual at fault, but this one was different. My eye was immediately drawn to one written password entry; it read:

E-TRADE: etrade.com
EXERCISE PASSWORD: 88946571335
USER ID: jdoe
PASSWORD: jdoeDoneB4d

NOTE: These user IDs and passwords have been modified for the sake of this article. The actual user IDs and passwords on the stickers were different.

Naturally, I want to find out who this person is. After searching everywhere within the company and interviewing numerous people I had run out of options. I think to myself, self “The user name and password can’t still be valid, can they?” I decide to try. I go to http://www.etrade.com/. Oh %^$*@! They are valid! Upon login, I get confronted with the “Complete View” account page.



$492,640.25 worth of risk! Now I can find the user, however, which was my main motivation. Obviously the first thing to do is have the user change their password, which they did. I spent a good amount of time with the user explaining what could have happened if this information fell into the wrong hands and gave them some alternative methods for password management. I am not sure if it sank in or not, but it felt good to help for now!

How did the laptop end up where it was?
This is the question I would be asking myself. Through investigation it was discovered that the laptop was turned in to the help desk for normal hardware rotation. The user basically sends their old laptop to the help desk for a new one, which is common every couple of years. The help desk placed the old laptop in storage then brought it out as a loaner for a contractor.

Why didn’t the help desk remove the stickers and inform Information Security personnel when the laptop was returned for recycling?
Another good question. Because sometimes people forget that information security is EVERYONE'S job. People need to understand what role they play because we all play one. I have found through experience that an effective training and awareness program goes a long way. Training and awareness conducted correctly could have stopped the user from writing their passwords down in the first place and may have reminded the help desk to remove the stickers and report them.

Conclusion
I have given this much thought over the last few days. It really bugs me when people fall victim to scams, thieves, and the like. There is no sense in making it easy for them! People write down passwords because they typically do not know of a better way to manage all of their passwords. Can we blame them? See my previous article "Passwords Part 3/3 - Password Management" for some suggestions.

In hindsight I should not have logged into the account to find the username. This poses a risk to myself. Next time I will call eTrade and inform them of the username and password found on the laptop. I hope there won't be a next time, but I would be too naive to believe so.


Thursday, August 23, 2007

Information Security Quote of the Day



"It seems like there's a problem with security inside Homeland Security and that makes no sense"

 - James Slade, TSA screener and executive vice president of the National Treasury Employees Union chapter at John F. Kennedy International Airport, talking about the lost TSA hard drive containing Social Security numbers, bank and payroll information for roughly 100,000 employees in May 2007.


NOTE: The agency said it did not know whether the device is still within headquarters or was stolen.

Hardly a week later DHS employees announced a class action lawsuit against the TSA in AFGE, et al v. Kip Hawley and TSA which to my knowledge has not yet been resolved.


Tuesday, August 21, 2007

TJX Breach News, and on and on...



Today the Boston Globe reported an arrest related to the TJX breach (record-setting in terms of the number of affected consumers) in their article, "Suspect named in TJX credit card probe Ukrainian's arrest seen as break in record fraud case".

I continue to be intrigued by the details of this case. Maksym Yastremskiy stands accused of playing a "key role in the sale of many credit card numbers stolen from TJX Cos" and is likely the "largest seller of stolen TJX numbers".

According to the article, Mr. Yastremskiy sold cards in batches of up to 10,000 for $20-100 per card through various online forums. Let's do some math.

10,000 cards @ $20-100/card = $200,000-1,000,000!

Let's say for a second that the 45 million cards (allegedly lost in the original breach) could be sold for the same price.

45,700,000 cards @ $20-100/card = $914,000,000-4,570,000,000!

Up to 4.5 billion dollars! Now this is all VERY hypothetical, but it should be VERY clear why organized crime is so interested and active in information security (or insecurity). The amount of money made is incredible.

The article goes on to state that TJX reported that its initial estimates of how much the breach will cost the company were grossly understated. TJX now estimates that it will spend $256,000,000 to cover the costs of the breach, improved security controls, and lawsuits. I don't know, but this still seems understated to me.

There is evidence of cards and/or information related to the TJX breach being used all over the world from retail WalMart stores to cash advances.

What a mess. What did Mom say? Something like an ounce of prevention is worth a pound of cure, or was it an ounce of security is worth $20-100/card? I can't remember!


Some good TJX breach-related links:
 - The original TJX press release announcing the breach dated 1/17/07
 - The TJX "IMPORTANT CUSTOMER ALERT" dated 2/21/07
 - The original Information Week online article dated 1/17/07
 - "TJX profit down sharply on breach costs" reported by CNNMoney on 8/14/07
 - The recent Boston Globe story reporting Yastremskiy arrest dated 8/21/07
 - Massachusetts Bankers Association class-action lawsuit announcement dated 4/24/07
 - FTC Notice of Proposed Routine Use; Request for Public Comment, Privacy Act of 1974; System of Records: FTC File No. P072104

Monday, August 6, 2007

Mystery Credit Card Cancellations



This article raises more questions for me than it answers. I am referring to the article written by Stewart Carter, editor of The eCommerce Report titled "Visa confirms data tapes theft". I am assuming that this article is credible.

Data tapes containing "card data" were stolen in late May, 2007. Visa International has confirmed that "an investigation into the theft of data tapes on May 25 is ongoing and therefore we cannot comment further on this matter". Dead end.

On July 19th, the Sydney Morning Herald reported that Westpac (a large Pacific Rim bank) was cancelling Visa cards en masse. On July 24th, ZDNet reported that Virgin Money (Westpac's card partner) was cancelling MasterCard credit cards. It is unclear why Westpac and Virgin Money are cancelling so many credit cards.

Jane Counsel, Westpac’s senior media relations manager, did respond to the eCommerce Report's inquiries by stating "…[T]he card data compromise which has impacted Westpac and Virgin cards relates to transactions that have occurred with a third party vendor who uses a payment gateway provided by one of the other major banks…”. "A third party vendor"??? Who?

It is clear from the article that none of the organizations involved want to take any responsibility for what could be a very significant breach. Stay tuned, as I am sure this story is far from over.

But, then again I wonder if this news is credible. I looked for both the Sydney Morning Herald and the ZDNet articles and couldn't find either. Please post them if you can find them.




Friday, August 3, 2007

Information Security Policy 101 – Policy Approval



OK, the time has come for us to wrap this up! July is over and so is “Information Security Policy Month”. This is the 19th and final installment in the Information Security Policy 101 Series.

If you have been following along over the last month you will notice that we have covered 16 of the most common information security policies, but we haven’t tied them together or sought formal approval yet.

NOTE: The “approval” we are seeking now is the approval of the written policies. This should not be confused with the initial approval you should have received prior to even beginning an information security policy project.

The advice that I will give in this article is based on what has worked for me in the past. I have had the honor of leading multiple information security projects in the past for both private and public companies from assessment through to final approval and adoption.

The Company XYZ Corporate Information Security Policy
The Company XYZ Corporate Information Security Policy is the one document that everyone in the organization is expected to read and understand. Some portions of the policy may apply more directly than others, but everything is meant to be understood by the audience.

Take the 16 policies (or however many your organization has deemed necessary) and place the “Company XYZ Corporate Information Security Policy” wrapper around them, adding some important information that may include:

 - Header explaining the document
 - Versioning information
 - Table of contents
 - Introduction
 - Purpose (of the Corporate Information Security Policy)
 - Scope (of the Corporate Information Security Policy)
 - Definitions
 - Responsibilities
 - Waivers
 - Disciplinary Actions
 - Supporting Information, and
 - References


Whoa! Seems like a lot of information, doesn’t it? Admittedly, yes it does. Take a look at the sample and it should be clearer.

SAMPLE CORPORATE INFORMATION SECURITY POLICY

Once the document is complete, it’s ready for approval!

NOTE: Be prepared for multiple "back and forth" go-arounds with management before the policy is "golden"!

Approval
The detailed process for approval of the newly written Corporate Information Security Policy will differ greatly from organization to organization. Some organizations have a more “approachable” executive team than others, so use judgment and care in your approach. When in doubt, follow the chain of command by seeking the advice of your direct upline manager.

Approval must come from the leaders of your organization. If you have any hope of adopting, implementing and enforcing your policy then executive approval is a must. Too many times have I seen information security personnel attempt to implement policy without seeking the right approvals and every single time their efforts have failed miserably. Who has overall authority in your organization? This is the person that needs to approve.

Ideally, you have included your organization's leaders all along during the information security policy project. This makes communication and approval much easier. All is not lost however if you have not.

What does management need to know?
1. The Corporate Information Security Policy is based on sound security “best practices”.

Assure management that the policy is a best-of-breed policy that was written after careful analysis and research.

2. Approval of the policy will not disrupt business.

The bottom line is that a company is in business to make money. You will not receive the approval of management if they perceive that information security will in any way hinder the ability of the company to make money. An art of information security is that it must NOT EVER stand in the way of business or be perceived as such.

Inform management that “approval” of the policy does not mean that the policy has been “adopted” or “implemented”. Approval gives the organization (and information security personnel) the ability to begin adoption and start the “secure” process. Create an adoption/implementation timeline that highlights when information security believes the organization could be compliant with most of the policy, and inform management that the organization will never be fully compliant. Remember, security is evolutionary, not stationary!

3. The expected costs involved through the approval of the information security policy will be more than offset by reduced risk and exposure.

You can probably think of other items of note to use in your approval process, but the ones above have consistently worked for me.

Next Steps
The real work begins!
Now that you have your new approved policy in hand, decide how you will train the organization’s personnel. There are a variety of training options available including CBT, web-based, instructor-led, in-sourced, out-sourced, etc. Once a training timeline has been tentatively agreed upon, formally announce the new policy to the organization.

It is also time to decide how you will adopt and implement. Read through the policy and detail what you have in place now and what you will need in order to be compliant. Create projects and/or timelines for the implementation of the various standards, procedures, administrative and technical controls.

Closing
Thank you to all that have read and provided feedback to this series! You know who you are. I will be posting a summary post that includes all of the "Information Security Policy Month" articles in a nice concise format.

Feel free to contact me if you have any feedback or need any assistance with your own policies.

Previous: "Information Security Policy 101 – Virus Protection Policy"

Wednesday, August 1, 2007

Do you care? - Aflac lost laptop



I have been debating over the last week whether I even wanted to mention this, but this story just seems too good to pass up as an example of what is security news and might not be.

The headlines read:
"Aflac Reports Laptop Detailing 152,000 Clients Stolen" - bloomberg.com 7/26/07
"Aflac Loses Data on 152,000" - darkreading.com 7/27/07


And, etiolated.org reports this as an "incident" (etiolated and Attrition.org are a couple of my favorite sites BTW).

Your first reaction might be (or have been) a little like mine was. I immediately assumed the worst, shook my head, and clicked on the link to read a little more. You can read the articles yourself (click the links above) so I won't delve into all that they say, but some interesting points are worth mentioning:

1. A laptop was stolen from an Aflac employee on a commuter train that contained "clients' names, addresses, birth dates, and policy details". Bad news, right? Read on...

2. "All the information was encrypted and password-protected, so it would be very difficult for any third-party to access it". Amen! Encryption, if properly managed, can make it nearly impossible for a third party to access the data. I sincerely hope that the employee who had the laptop stolen from him/her is not akin to many of the employees I see with laptops when it comes to password management, i.e. written on a Post-it note or on the back of the laptop. Most likely a password is used by the employee and doubles as the "secret key" that enables decryption of the drive/data. Given the limited amount of information to work with, one can only assume.

"Aflac wanted to send letters apologizing to policyholders before alerting the press". Why? Don't most (if not all) breach disclosure laws and regulations have safe harbor statements when the data is encrypted? Maybe a reader can help me out here. If a company is not required by law to disclose the lost laptop publicly AND there is very very little risk of disclosure (encrypted), then why send letters and notify the press?

Thankfully, cooler heads seem to have prevailed on this piece of news (or non-news) and it wasn't blown out of proportion. Kudos to Aflac for using encryption on laptops!