Tuesday, October 2, 2007

A Simple Incident Response to a Simple Oversight

Today may be the day you need to step up and respond to a breach involving someone else’s confidential information. Do the right thing and you will be OK. Assuming the breach is smaller than it really is can negatively impact your company, the victims, and your livelihood.

A Little Background
I write for this and The Breach Blog because I am passionate about information security and protecting people when dealing with confidential information. The Breach Blog was born out of this passion just a few months ago, and I have already written 69 articles (with a backlog of four) about breaches and the lessons they teach us. I believe that people can really learn from other people’s mistakes. Anyway, on to the story...

The Incident
This morning I received a phone call from one of the IT administrators at a company that I provide information security consulting for. He was in a panic.

He regularly receives email updates from his human resources department outlining terminations, new hires and management changes. He gets these updates so that he can update the company’s Active Directory. Today, he received his spreadsheets as normal, but this time there was an additional column that he had not seen before. The column was titled “Assoc. ID”, and the spreadsheet contained information on about 50 company employees.

Can you guess what the “Assoc. ID” is?
If you guessed Social Security number, then you are correct! Oh boy.

On the surface, you may say this isn’t that big of a deal. We can just go to human resources and inform them that this is an unacceptable practice and be done with it. OK, but put yourself in the shoes of a person that was in the spreadsheet. Would you be OK if information security just went to human resources and told them to quit it? I am guessing that your answer may be the same as mine, NO!

If I was a victim, what kind of questions would I demand answers for? Let’s see:

  • I want to know where this information came from.
  • I want to know if this has been an acceptable practice by human resources in the past and if so, how long?
  • I want to know if there was anyone else that received this email.
  • I want to know that the email containing the spreadsheet was deleted. Not just from the “Inbox” either, but also “Sent Items” and “Deleted Items”.
  • I want to know if there were any copies stored locally on the sender’s computer.
  • I want to know if there are any copies on a network drive (i.e. is “My Documents” synchronized).
  • I want to know if this information may be in a backup anywhere that needs to be dealt with.
  • I want to know why this happened in the first place.
  • I want to know what human resources is going to do to make sure that this never happens again.
  • Are there any laws and/or regulations that apply, i.e. do I need to disclose this breach to any state attorneys general?
You get the picture yet? I want to know everything there is to know about this breach and I want to take every possible action to contain the damage caused by it.

Victims and shareholders should expect and demand no less!

As it turns out, this seemingly innocent mistake/training issue quickly escalated into a full-blown investigation that took away from other important tasks and cost the company money. It would have been easy to take the lazy approach and sweep this under the rug, but what service would I be providing to the victims, the company, or myself? Thank God this breach only affected 50 people and was relatively easy to contain and respond to. What would I have done if this breach affected 5000, 50000, or 500000 people? What if the human resources person sent the email outside of the company?
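As an added illustration (not code from the original post), here is the kind of pre-send check, in Python, that would have caught this spreadsheet before it left human resources: it flags any column whose contents look like Social Security numbers, regardless of what the column is labelled. The sample CSV, its column names and its SSN values are constructed for the example; the structural rules applied (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) are the standard SSN format constraints, not a lookup against issued numbers.

```python
import csv
import io
import re
from collections import Counter

# Nine-digit US SSN, with or without dash/space separators.
SSN_RE = re.compile(r"^\s*(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})\s*$")


def looks_like_ssn(value: str) -> bool:
    """True if value is formatted like a structurally valid SSN.

    Structural rules only: area 000, 666 and 900-999, group 00 and
    serial 0000 are never issued, so they are rejected here.
    """
    m = SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    if group == 0 or serial == 0:
        return False
    return True


def find_ssn_columns(csv_text: str, threshold: float = 0.8) -> dict:
    """Scan a CSV export and return {column: fraction_ssn_like} for every
    column where at least `threshold` of the non-empty cells look like SSNs.

    The column header is ignored on purpose: a column called "Assoc. ID"
    is flagged on what it contains, not on what it is called.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = Counter()
    totals = Counter()
    for row in reader:
        for col, val in row.items():
            if val is None or not val.strip():
                continue
            totals[col] += 1
            if looks_like_ssn(val):
                hits[col] += 1
    return {
        col: hits[col] / totals[col]
        for col in totals
        if hits[col] / totals[col] >= threshold
    }


# Constructed HR export: names, actions and SSNs are all made up.
SAMPLE_HR_EXPORT = """Name,Action,Department,Assoc. ID,Phone
Jane Doe,New Hire,Finance,123-45-6789,555-0101
John Roe,Termination,IT,387-65-4321,555-0102
Ann Poe,Manager Change,HR,219-09-9999,555-0103
Sam Coe,New Hire,Sales,,555-0104
"""


def main():
    flagged = find_ssn_columns(SAMPLE_HR_EXPORT)
    if flagged:
        for col, frac in flagged.items():
            print(f"BLOCK: column {col!r} is {frac:.0%} SSN-like; do not send")
    else:
        print("OK: no SSN-like columns found")


if __name__ == "__main__":
    main()
```

Run against the constructed export, the check blocks on the “Assoc. ID” column while leaving the phone numbers alone; the threshold keeps a single stray nine-digit value in an otherwise harmless column from raising an alert.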

Tips I've Learned
An easy way to respond to an incident involving personally-identifiable information is to put yourself in the shoes of a victim. This may sound obvious, but too many times I have witnessed information security “experts” going the other way. Answer the questions that you would have as a victim. Take money, lost consumer confidence, stock price, etc. out of the equation and do the right thing. If we all did the right thing we would have less regulation and more time to do other “right things”.

The CIO of this company asked me a question on my way out the door once the investigation was complete. He asked me what makes an information security professional so good at what he (or she) does? My answer: 95% of what makes a good information security professional is common sense. The other 5% is skill.

Unfortunately, it is very difficult to teach someone common sense.

Monday, September 17, 2007

Shame on Wells Fargo or Shame on Me?

Friday was a busy day, but I found a little time to check my gmail account. My peak performance brain has been trained to immediately key on certain words that appear in my inbox and classify them as threats, either phishing or spam. You know words such as “Alert”, “PayPal”, “Warning” and “eBay”? This time my brain tells my eyes to check out this email labeled “Wells Fargo Online Notification of New Legal Notices”.

There are three primary reasons why I am particularly interested in this email. One, I am a Wells Fargo customer. Two, I signed-up for email updates and regularly get emails from the company. And three, gmail typically does a great job of filtering out phishing attempts from my inbox. So I open the email.

The email looks legit to me.

A Phish is a Phish?
I have been training users for the last couple of years to NEVER click on a link in an email to a login page, then proceed to login. I assumed that this is a “best practice” to protect oneself from phishing. I am always skeptical. Did this email really come from Wells Fargo? I check the header of the email, looks good. I check the links, look good. I check the html code, still looks good.

This legitimate Wells Fargo email goes against what I thought were best practices in regards to phishing prevention. Being the concerned (paranoid) information security guy that I am, I emailed reportphish@wellsfargo.com with the following:

to reportphish@wellsfargo.com
date Sep 14, 2007 1:50
subject Fwd: Wells Fargo Online Notification of New Legal Notices

To whom it may concern:

It appears that the email depicted below actually came from Wells
Fargo. The email contained links that went to your login page and
asked people to sign in. Wells Fargo should not be sending emails
like this to your customers! It goes against everything that we try
to teach people with respect to phishing.

Concerned customer

Surely Wells Fargo knows much more about phishing than I ever could, so am I wrong?
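The manual checks described above (header, links, HTML) can be scripted. The following is an added example, not code from the post or from Wells Fargo: it parses a raw message with Python's standard email module, compares the Return-Path domain with the From domain, and for every anchor in the HTML body checks that the link host belongs to the sender's domain and that any visible link text naming a host agrees with the href. Both messages are constructed for the example, and the `registrable()` helper uses the last two labels of a hostname as a stand-in for a real public-suffix list.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a notification whose links really do point at the
# sender's own domain, the situation the post describes.
SAMPLE_LEGIT = """\
Return-Path: <bounces@wellsfargo.com>
From: Wells Fargo Online <alerts@wellsfargo.com>
To: customer@example.com
Subject: Wells Fargo Online Notification of New Legal Notices
Content-Type: text/html

<html><body>
<p>Please <a href="https://online.wellsfargo.com/signon">sign on</a> to review.</p>
<p>Or visit <a href="https://www.wellsfargo.com/">www.wellsfargo.com</a>.</p>
</body></html>
"""

# Constructed lookalike: same wording, but the hrefs lead to another domain.
SAMPLE_LOOKALIKE = (
    SAMPLE_LEGIT
    .replace('href="https://online.wellsfargo.com/signon"',
             'href="http://wellsfargo.com.example.net/signon"')
    .replace('href="https://www.wellsfargo.com/"',
             'href="https://www.wellsfargo.com.example.net/"')
)

# Visible link text that itself names a host ("www.wellsfargo.com", a full URL).
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (assumption: stand-in for a suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def check_message(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = email.utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    return_path = msg["Return-Path"]
    if return_path:
        rp_domain = email.utils.parseaddr(str(return_path))[1].rpartition("@")[2]
        if registrable(rp_domain) != registrable(from_domain):
            findings.append(f"Return-Path domain {rp_domain!r} differs from From {from_domain!r}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(html_part.get_content())
    for href, text in extractor.links:
        host = urlparse(href).hostname or ""
        if registrable(host) != registrable(from_domain):
            findings.append(f"link host {host!r} is outside sender domain {from_domain!r}: {href}")
        m = HOSTLIKE.match(text)
        if m and registrable(m.group(1)) != registrable(host):
            findings.append(f"link text {text!r} does not match link host {host!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, check_message(raw) or "no findings")
```

The legitimate message produces no findings, which is exactly the author's dilemma: a genuine bank email with links to a sign-on page passes every automated check, so the only thing that distinguishes it from a good lookalike is the user's habit of typing the address rather than clicking.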

Tuesday, September 11, 2007

Where Have I Been?

You may have been wondering where I have been for most of the last two weeks (maybe not!), and here I am to tell you.

I have started a new blog and have been spending much of my time creating content for it and getting it up to speed. The blog is "The Breach Blog" where I have been researching and providing commentary on breaches that have occurred over the last month or so. I am motivated to share breaches with the public, provide insight from a security point of view, and give people a place where they can come and voice their opinions publicly. Basically, I get great satisfaction from helping people who don't know any better.

Information for The Breach Blog is compiled from a variety of sources including (but not limited to):

- The Attrition.org Data Loss Archive and Database (pioneers in breach disclosure)
- Privacy Rights Clearinghouse
- Google Searches
- News sources
- State government sites
- Victim emails

I hope that people from all walks find value in the information provided.

The Trusted Toolkit Blog will start to get more attention again soon as I begin to divide my time more and get more organized. I'll be back...

Thursday, August 30, 2007

Passwords Written Down, Real Life Real Risk

I sound like a broken record sometimes. I get sick of hearing myself speak too. I will say it again because it is of utmost importance:

People, please STOP writing passwords down!

Here is a real-life example of a written down password that could have very easily led to over $500,000 in theft.

The Incident
I get the call all of the time. Someone calls to report (anonymously) that they have found a password written down on a laptop. As always, I initiate an investigation to determine the extent of the risk to the company I am contracted to work for. Upon arrival at the site of the laptop, I notice various passwords written down on stickers just to the right of the mouse/thumbpad.

Typically, the passwords I find pose more risk to the company (i.e. Active Directory passwords, VPN passwords, etc.) than they do to the individual at fault, but this one was different. My eye was immediately drawn to one written password entry; it read:

E-TRADE: etrade.com
USER ID: jdoe
PASSWORD: jdoeDoneB4d

NOTE: These user IDs and passwords have been modified for the sake of this article. The actual user IDs and passwords on the stickers were different.

Naturally, I want to find out who this person is. After searching everywhere within the company and interviewing numerous people I had run out of options. I think to myself, self “The user name and password can’t still be valid, can they?” I decide to try. I go to http://www.etrade.com/. Oh %^$*@! They are valid! Upon login, I get confronted with the “Complete View” account page.

$492,640.25 worth of risk! Now I can find the user however, which is my main motivation. Obviously the first thing to do is have the user change their password, which they did. I spent a good amount of time with the user explaining what could have happened if this information fell into the wrong hands and gave them some alternative methods for password management. I am not sure if it sunk in or not, but it felt good to help for now!

How did the laptop end up where it was?
This is the question I would be asking myself. Through investigation it was discovered that the laptop was turned in to the help desk for normal hardware rotation. The user basically sends their old laptop to the help desk for a new one, which is common every couple of years. The help desk placed the old laptop in storage then brought it out as a loaner for a contractor.

Why didn’t the help desk remove the stickers and inform Information Security personnel when the laptop was returned for recycling?
Another good question. Because sometimes people forget that information security is EVERYONE'S job. People need to understand what role they play because we all play one. I have found through experience that an effective training and awareness program goes a long way. Training and awareness conducted correctly could have stopped the user from writing their passwords down in the first place and may have reminded the help desk to remove and report.

I have given this much thought over the last few days. It really bugs me when people fall victim to scams, thieves, and the like. There is no sense in making it easy for them! People write down passwords because they typically do not know of a better way to manage all of their passwords. Can we blame them? See my previous article "Passwords Part 3/3 - Password Management" for some suggestions.

In hindsight I should not have logged into the account to find the username. This poses a risk to myself. Next time I will call eTrade and inform them of the username and password found on the laptop. I hope there won't be a next time, but I would be too naive to believe so.


Thursday, August 23, 2007

Information Security Quote of the Day

"It seems like there's a problem with security inside Homeland Security and that makes no sense"

 - James Slade, TSA screener and the executive vice president of the National Treasury Employees Union chapter at John F. Kennedy International Airport in talking about the lost TSA hard drive containing Social Security numbers, bank and payroll information for roughly 100,000 employees in May, 2007.

NOTE: The agency said it did not know whether the device is still within headquarters or was stolen.

Hardly a week later DHS employees announced a class action lawsuit against the TSA in AFGE, et al v. Kip Hawley and TSA which to my knowledge has not yet been resolved.


Tuesday, August 21, 2007

TJX Breach News, and on and on...

Today the Boston Globe reported an arrest related to the TJX record-setting breach (in terms of numbers of affected consumers) in their article, "Suspect named in TJX credit card probe Ukrainian's arrest seen as break in record fraud case".

I continue to be intrigued by the details of this case.  Maksym Yastremskiy stands accused of playing a "key role in the sale of many credit card numbers stolen from TJX Cos" and likely the "largest seller of stolen TJX numbers".  

According to the article, Mr. Yastremskiy sold cards in batches of up to 10,000 for $20-100 per card through various online forums.  Let's do some math.

10,000 cards @ $20-100/card = $200,000-1,000,000!

Let's say for a second that 45 million cards (allegedly lost in the original breach) were able to be sold for the same price.

45,700,000 cards @ $20-100/card = $914,000,000-4,570,000,000!

Up to 4.5 billion dollars!  Now this is all VERY hypothetical, but it should be VERY clear why organized crime is so interested and active in information security (or insecurity).  The amount of money made is incredible.

The article goes on to state that TJX reported that initial estimates of how much the breach will cost the company were grossly understated.  TJX estimates that it will spend $256,000,000 to cover the costs of the breach, improved security controls, and lawsuits.  
I don't know, but this still seems understated to me.

There is evidence of cards and/or information related to the TJX breach being used all over the world from retail WalMart stores to cash advances.

What a mess.  What did Mom say?  Something like an ounce of prevention is worth a pound of cure, or was it an ounce of security is worth $20-100/card?  I can't remember!

Some good TJX breach-related links:
 - The original TJX press release announcing the breach dated 1/17/07
 - The original Information Week online article dated 1/17/07
 - "TJX profit down sharply on breach costs" reported by CNNMoney on 8/14/07
 - The recent Boston Globe story reporting Yastremskiy arrest dated 8/21/07
 - Massachusetts Bankers Association class-action lawsuit announcement dated 4/24/07
 - FTC Notice of Proposed Routine Use; Request for Public Comment, Privacy Act of 1974; System of Records: FTC File No. P072104

Monday, August 6, 2007

Mystery Credit Card Cancellations

This article raises more questions for me than it answers. I am referring to the article written by Stewart Carter, editor of The eCommerce Report titled "Visa confirms data tapes theft". I am assuming that this article is credible.

Data tapes containing "card data" were stolen in late May, 2007. Visa International has confirmed that "an investigation into the theft of data tapes on May 25 is ongoing and therefore we cannot comment further on this matter". Dead end.

On July 19th, the Sydney Morning Herald reported that Westpac (a large Pacific Rim bank) was cancelling Visa cards en masse. On July 24th, ZDNet reported that Virgin Money (Westpac's card partner) was cancelling MasterCard credit cards. It is unclear why Westpac and Virgin Money are cancelling so many credit cards.

Jane Counsel, Westpac’s senior media relations manager did respond to the eCommerce Report's inquiries by stating "…[T]he card data compromise which has impacted Westpac and Virgin cards relates to transactions that have occurred with a third party vendor who uses a payment gateway provided by one of the other major banks…”. "A third party vendor"??? Who?

It is clear from the article that none of the organizations involved want to take any responsibility for what could be a very significant breach. Stay tuned, as I am sure this story is far from over.

But, then again I wonder if this news is credible. I looked for both the Sydney Morning Herald and the ZDNet articles and couldn't find either. Please post them if you can find them.


Friday, August 3, 2007

Information Security Policy 101 – Policy Approval

OK, the time has come for us to wrap this up!  July is over and so is “Information Security Policy Month”. This is the 19th and final installment in the Information Security Policy 101 Series.

If you have been following along over the last month you will notice that we have covered 16 of the most common information security policies, but we haven’t tied them together or sought formal approval yet.

NOTE: The “approval” we are seeking now is the approval of the written policies. This should not be confused with the initial approval you should have received prior to even beginning an information security policy project.

The advice that I will give in this article is based on what has worked for me in the past. I have had the honor of leading multiple information security projects in the past for both private and public companies from assessment through to final approval and adoption.

The Company XYZ Corporate Information Security Policy
The Company XYZ Corporate Information Security Policy is the one document that everyone in the organization is expected to read and understand. Some portions of the policy may apply more directly than others, but everything is meant to be understood by the audience.

Take the 16 policies (or however many your organization has deemed necessary) and place the “Company XYZ Corporate Information Security Policy” wrapper around them adding some important information that may include:

- Header explaining the document
- Versioning information
- Table of contents
- Purpose (of the Corporate Information Security Policy)
- Scope (of the Corporate Information Security Policy)
- Disciplinary Actions
- Supporting Information, and;

Woah! Seems like a lot of information, doesn’t it? Admittedly, yes it does. Take a look at the sample and it should be clearer.


Once the document is complete, it’s ready for approval!

NOTE: Be prepared for multiple "back and forth" go-arounds with management before the policy is "golden"!

The detailed process for approval of the newly written Corporate Information Security Policy will differ greatly from organization to organization. Some organizations have a more “approachable” executive team than do others so use judgment and care in your approach. When in doubt follow the chain of command by seeking the advice of your direct up line manager.

Approval must come from the leaders of your organization. If you have any hope of adopting, implementing and enforcing your policy then executive approval is a must. Too many times have I seen information security personnel attempt to implement policy without seeking the right approvals and every single time their efforts have failed miserably. Who has overall authority in your organization? This is the person that needs to approve.

Ideally, you have included your organization's leaders all along during the information security policy project. This makes communication and approval much easier. All is not lost however if you have not.

What does management need to know?
1. The Corporate Information Security Policy is based on sound security “best practices”.

Ensure management that the policy is a best of breed policy that was written after careful analysis and research.

2. Approval of the policy will not disrupt business.

The bottom line is that a company is in business to make money. You will not receive the approval of management if they perceive that information security will in any way hinder the ability of the company to make money.  An art of information security is that it must NOT EVER stand in the way of business or be perceived as such.

Inform management that “approval” of the policy does not mean that the policy has been “adopted” or “implemented”. Approval gives the organization (and information security personnel) the ability to begin adoption and start the “secure” process. Create an adoption/implementation timeline that highlights when information security believes that the organization could be compliant with most of the policy and inform management that the organization will never be fully-compliant. Remember, security is evolutionary not stationary!

3. The expected costs involved through the approval of the information security policy will be more than offset by reduced risk and exposure.

You can probably think of other items of note to use in your approval process, but the ones above have consistently worked for me.

Next Steps
The real work begins!
Now that you have your new approved policy in hand, decide how you will train the organization’s personnel. There are a variety of training options available including CBT, web-based, instructor-led, in-sourced, out-sourced, etc. Once a training timeline has been tentatively agreed upon, formally announce the new policy to the organization.

It is also time to decide how you will adopt and implement. Read through the policy and detail what you have in place now and what you will need in order to be compliant. Create projects and/or timelines for the implementation of the various standards, procedures, administrative and technical controls.

Thank you to all that have read and provided feedback to this series!  You know who you are.  I will be posting a summary post that includes all of the "Information Security Policy Month" articles in a nice concise format.

Feel free to contact me if you have any feedback or need any assistance with your own policies.

Previous: "Information Security Policy 101 – Virus Protection Policy"

Wednesday, August 1, 2007

Do you care? - Aflac lost laptop

I have been debating over the last week whether I even wanted to mention this, but this story just seems too good to pass up as an example of what is security news and might not be.

The headlines read:
"Aflac Reports Laptop Detailing 152,000 Clients Stolen" - bloomberg.com 7/26/07
"Aflac Loses Data on 152,000" - darkreading.com 7/27/07

And, etiolated.org reports this as an "incident" (etiolated and Attrition.org are a couple of my favorite sites BTW).

Your first reaction might be (or have been) a little like mine was.  I immediately assumed the worst, shook my head, and clicked on the link to read a little more.  You can read the articles yourself (click the links above) so I won't delve into all that they say, but some interesting points are worth mentioning:

1.  A laptop was stolen from an Aflac employee on a commuter train that contained "clients' names, addresses, birth dates, and policy details".  Bad news, right?  Read on...

2.  "All the information was encrypted and password-protected, so it would be very difficult for any third-party to access it".  Amen!  Encryption, if properly managed, can make it nearly impossible for a third-party to access the data.  I sincerely hope that the employee who had the laptop stolen from him/her is not akin to many of the employees I see with laptops when it comes to password management, i.e. written on a Post-it note or on the back of the laptop.  Most likely a password is used by the employee and doubles as the "secret key" that enables decryption of the drive/data.  Given the limited amount of information to work with, one can only assume.

"Aflac wanted to send letters apologizing to policyholders before alerting the press"  Why?  Don't most (if not all) breach disclosure laws and regulations have safe harbor statements when the data is encrypted?  Maybe a reader can help me out here.  If a company is not required by law to disclose the lost laptop publicly AND there is very very little risk of disclosure (encrypted), then why send letters and notify the press?

Thankfully, cooler heads seemed to have prevailed on this piece of news (or non-news) and it wasn't blown out of proportion.  Kudos to Aflac for using encryption on laptops!

Monday, July 30, 2007

Information Security Policy 101 – Virus Protection Policy

Part 18 in the Information Security Policy 101 Series

For many organizations the threats posed by viruses are manageable given appropriate controls. A Virus Protection Policy is the first step towards ensuring that appropriate controls are in place on workstations, laptops, email gateways, servers, etc.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %ORGANIZATION% Virus Protection Policy is to describe the
requirements for dealing with computer virus, worm and Trojan horse infection,
prevention, detection and cleanup.

Audience – This section of the policy states who the policy statements apply to, or who is governed by them. A Virus Protection Policy applies to all persons with any type of access to an %ORGANIZATION% information resource.

The %ORGANIZATION% Virus Protection Policy applies equally to all individuals
that use any %ORGANIZATION% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies could be definitions, scope, responsibilities, etc.

Virus Protection Policy
The Virus Protection Policy is a simple policy that you may find overlaps with other information security policies. One additional benefit of having a separate Virus Protection Policy is the ease of reference for users and support personnel. Be careful to write statements that do not contradict those in another policy, however rare that may be.


- All %ORGANIZATION% owned and/or managed workstations, including laptops whether connected to the %ORGANIZATION% network, or standalone, must use the %ORGANIZATION% IT management approved virus protection software and configuration.
- All non-%ORGANIZATION% owned and/or managed workstations, including laptops must use %ORGANIZATION% IT management approved virus protection software and configuration, prior to any connection to an %ORGANIZATION% Information Resource.

The draft, approval, implementation, and enforcement of a Virus Protection Policy can decrease the amount of risk to an organization’s information resources as a result of malware (virus and/or spyware).


Next in the series: “Information Security Policy 101 – Policy Approval”

Previous: “Information Security Policy 101 – Vendor/Third-Party Access Policy”