All that being said, I found something very interesting in the Goatse response that I hadn’t thought of before.  One of the pieces of information that they captured (or rather systematically guessed and then verified through data extraction) is the ICC-IDs.  This is the unique identifier on the iPad.  Using the ICC-IDs, someone could potentially identify the location of any particular iPad owner and track everywhere the user goes.  This could have very serious security ramifications, especially when you consider those that were among that list of 144,000.  If this were really possible (which no one has shown that it really is yet), it is certainly a privacy issue but would hedge on a national security problem.  Imagine if a foreign government knew exactly where all the top military leaders and the secretary of state were at all times.  There are a lot of scary scenarios that we could talk about if this were really possible.  But I didn’t think of the risk the ICC-IDs could potentially have when I wrote my initial blog post.

Lawsuits, as a result of data breaches, were out of control.  Sure, if a company has a breach that results in fraud or identity theft, I can understand why someone would want to sue the company.  I believe that if a breach occurs, and it is at all possible that identity theft or fraud might occur as a result, that the company should offer credit monitoring services for people.  But what I have never agreed with are those suits filed by individuals or groups where no identity theft has occurred, no fraud occurred, and there is little or no chance of having that happen and still, they get sued.  The Ninth US Circuit Court of Appeals has ruled that a man whose personal information, including his social security number, was exposed has no legal standing to seek damages BECAUSE HE DID NOT SUFFER MATERIALLY AS A RESULT OF THE BREACH.  This is how it should be.  I remember the class-action lawsuit against the Veterans Affairs where they had to pay $20 million and no identity theft or fraud had occurred.  There were 26.5 million records exposed, so was everyone going to get $0.50 after the attorneys were paid.  These lawsuits have been ambulance-chasing lawyer’s dreams for some time.  I am glad it is moving in another direction…

Poor website security practices by AT&T lead to the breach, but like many breaches, AT&T is just the third party.  So when everyone references this breach in the future it will be Apple’s name, not AT&T.  That being said, this is somewhat symbolic because emails by themselves usually don’t constitute a data breach.  It is unclear what other information, if any, was also captured.  This is an interesting case because no other time would anyone care about email addresses being exposed.  This isn’t about a data breach, it is about a group being able to capture an exclusive list of America’s most influential people and their private email addresses.  A list like this simply doesn’t exist.  But Goatse (the security consulting group) was able to write a script that systematically harvested these addresses from the AT&T website for any iPad owners that signed up for the 3G service.  While they say 114,000 emails were compromised, it is likely that many others were compromised as well.    Personally, this is where I think Goatse stepped over the line.  They detected and exploited the vulnerability.  They told AT&T about it.  They wanted press and they have it.  But they said that they gave the vulnerability exploit and script to others.  Who are these others?  What did they do with this information?  It is always a slippery slope when a rogue security firm does this type of thing in the first place.  But if you are going to do this and already be in a “grey area”, you really shouldn’t give the script out to others to use.  That is what makes it go from grey to black very quickly.  Let’s all remember it is just email addresses (as far as we know).  It isn’t like someone hacked into the government, took over the presidents “red phone” and called in a nuclear strike.  But due to the high profile nature of those compromised (you can’t get much higher profile), AT&T and Apple will take a lot of heat for this.

I was asked to answer some specific questions for a reporter of Processor Magazine. They usually take bits and pieces of what I send combined with others in the industry to write their articles. So I thought I would list the questions here and my full answers. At some point we will see what they use of these…
—————————

What does it take to keep the enterprise secure?
A lot more than people think. The idea that a firewall and anti-virus software are enough can only be described as reckless these days. Even intrusion detection and prevention systems can be easily bypassed by cyber criminals. Every organization is different and therefore there isn’t one answer that will keep all enterprises secure; but in general a layered security approach that includes information security defenses at the edge, in the core of the network, and on the endpoints is what is needed.

More importantly than the technologies or solutions employed is the way in which the enterprise will get the most out of those solutions. Centralized reporting and administration is key. Central repositories for compliance documents and audit documentation is critical. Policies, procedures and controls are paramount. The best thing an enterprise can do is work with a security expert that has their best interest in mind and help them design and roll out a comprehensive security program that fits their requirements and budget.

Why should some applications (or classes of apps) NOT be used in the enterprise?
The term “applications” is so broad it is tough to answer this. In general, there are lots of applications that shouldn’t be used in an enterprise or closely managed and monitored if they are used. Some for productivity reasons. Others for security reasons. In my mind, what is more important than broadly banning applications (although there are times you should do that) is ensuring that systems only have the applications they need to perform their various functions. Any application can have vulnerabilities that can be exploited. Look at Adobe Acrobat for example. It is on more systems than any other application on the planet and has one of the highest rates of known, critical vulnerabilities. I don’t know of many enterprises that are going to ban Adobe Acrobat. So the more important thing is a process whereby you can patch the systems and keep them up to date to reduce the chance of compromise.

If you are referring to “applications” in the context of security solutions then I would answer differently. Simply stated, every organization is unique and information security must be implemented and somewhat customized for that particular organization to offer real value.

Why should others be used? Do you have any examples?
Again, if we are talking about security applications, one that I feel is really necessary these days but often not known or used is Host Based Intrusion Detection & Prevention (HIPS). This is software that goes right on the endpoints you want to protect. It does a great job with securing individual assets you want to protect at a higher level such as mission critical systems, customer databases, active directory services, or Internet accessible devices like an email server or web server. Web Content Filtering is another one that is absolutely necessary to help keep malware out of your organization. From a security standpoint, there are so many solutions an enterprise really needs to work with an expert to see what they need.

Why isn’t it the best idea to give end-users administrator rights?
There are lots of reasons for this 1) the user may install software that could compromise the system and subsequently the entire network. 2) Hackers that compromise the system may use these rights for other nefarious purposes.

How is mobility affecting the typical company’s security planning?
USB thumb drives, smart phones, iPods/iPhones, and other devices are causing major problems for enterprises. Malicious insiders can use these devices to steal massive amounts of information and walk out with it on their keychain or in their pocket. Careless and untrained insiders often spread malware, viruses, Trojans, worms and other things that can compromise or destroy systems and data. Mobile users such as telecommuters and travelers often have laptops stolen which have sensitive data on them. 45 of the 50 states have data breach disclosure laws that require an enterprise to publicly announce these incidents which can have a huge impact on revenue, customer retention, and stock prices, not to mention the fees and class action lawsuits that usually follow.

Is there such thing as too much or too little security?
Of course there is such a thing as too little security. I also believe that there can be too much security. If you have so many security solutions and technology that you aren’t able to keep up with the 24×7 management and monitoring, you aren’t getting what you need out of those solutions. You are wasting money. In the hands of properly qualified information security experts, it would be better. But there are so many solutions that people have deployed and they simply aren’t getting much value from them. Maybe they were at one time, but people keep adding solution after solution and technology after technology rather than doing a risk and gap analysis and finding out what they really need and then simply using those things. They will find they spend less in the end and get much better risk mitigation.

Peer to Peer is continuing to be a real problem for organizations. Recently, the FTC sent out letters to about 100 organizations that they had detected personal information about their customers or employees. They say that failure to prevent this information from being shared may represent a violation of one or more laws that the FTC enforces, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act.

What is happening is that an employee or other insider is installing a P2P program on an inside computer, probably for the purpose of downloading music, movies or other (usually illegal) content. Insiders like using their employer’s Internet connection because it is usually faster than their bandwidth at home and they can do it during business hours. What these insiders usually don’t know is that these programs scan internal hard disks and other systems for other content to share with others on the Internet. Some of these programs are set to scan and present for download to anyone on the Internet things such as database files, word documents, excel spreadsheets and other sensitive document types.

If you don’t have a policy or ability to enforce such policies that prohibit these type of activity, you could be next to get a letter from the FTC.

Some people question the real costs behind a data security breach. Here is an example I thought was really interesting. BlueCross BlueShield of Tenn had a breach and they have already spent more than $7 million dollars. The breach is from the theft of some hard drives that were in an abandoned office. One of the costs that is often overlooked in a breach scenario is the cost of simply trying to figure out what information is on the stolen media. That is where a significant portion of the $7 million has been spent. As many as 500,000 people are believed to be affected by the breach.

Just looking at round numbers, 17 million people at (lets say) $10/month will be $2 billion/year plus the fee for identity theft cases. Hannaford had 1,700 known cases on their 4.2 million records lost. So if you mulitply that by 4 to meet the same number or records lost in the Contrywide breach, they may see 6,800 identity theft cases. If they had to pay the maximum for each of those, it would be an additional $340 million.

Not surprisingly, the breach was committed by an insider over the course of two years.  Keep an eye out for our upcoming free webinar about Insider Threat.

You can read the ABCNews.com article here.

I must commend Google on the way they handle the information security breach. They are forthright about it. See, Google understands that breaches happen. They also understand they are significant and must be addressed promptly. They utilize the resources to delve fully into them…which often uncover additional issues.

There is still some controversy about this bill. One the one hand, it would standardize all the various state data breach disclosure laws and make things much more simple. It would also cover those few states that still don’t have a data breach disclosure law. On the other hand, it states that the FTC would be responsible for enforcement. There are some industries that are exempt from FTC enforcement (the government, financial institutions, insurance companies, non-profits, and institutions of higher education) so it is somewhat unclear how these organziation would fall under the new legislation.

Read More…

While there will likely be significant resistance in the full Senate, I think this shows the direction these laws and regulations are moving and it is only a matter of time before everyone is on the hook for better information security.

But that isn’t all. They used that information to send customers targeted phishing messages telling them to download additional software that was in fact malicious in nature. The malware captured additional information directly at the desktop.

This type of blended attack is becoming more common. It isn’t enough to just break in and download a database, but then they use their previous success to launch different types of attacks. Host Based Intrustion Detection and Prevention (HIPS) is a great service to help mitigate this type of threat.

The reason I think this is interesting is because this bank realizes just how big of a deal a data breach can be. A single email, even with a single customer’s account information, would constitute a data breach. In an effort to keep from having to disclose it, they went directly after Google. They were smart. Because they were able to get Google to delete it, they don’t have to go through the pains and often times class action lawsuits that often accompany data breaches. Financial institutions are starting to take this data breach stuff very seriously…especially now that laws require the disclosure in nearly every state.