<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security Blog &#124; Perimeter E-Security &#187; PCI DSS compliance</title>
	<atom:link href="http://perimeterusa.com/blog/tag/pci-dss-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://perimeterusa.com/blog</link>
	<description>News, Notes, and Opinions from the World of Information, Network, and Data Security</description>
	<lastBuildDate>Tue, 28 Jun 2011 13:44:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>5 Data Security Predictions for 2011, Part 1 of 3: The Year of Living Dangerously</title>
		<link>http://perimeterusa.com/blog/5-data-security-predictions-for-2011-part-1-of-3-the-year-of-living-dangerously/</link>
		<comments>http://perimeterusa.com/blog/5-data-security-predictions-for-2011-part-1-of-3-the-year-of-living-dangerously/#comments</comments>
		<pubDate>Mon, 13 Dec 2010 21:06:23 +0000</pubDate>
		<dc:creator>ajaquith</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Apple iPad]]></category>
		<category><![CDATA[Banking Compliance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[FINRA]]></category>
		<category><![CDATA[HITECH]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>
		<category><![CDATA[Web Content Filtering]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1074</guid>
		<description><![CDATA[Last week I hosted a webinar called “5 Data Security Predictions for 2011.” For those of you who couldn't make the webinar, you can click on this link to view the replay. But if you are allergic to multimedia, I thought I'd summarize the topics I covered in the webinar here. This post covers the first item on the agenda: looking back at 2010.]]></description>
			<content:encoded><![CDATA[<p><em>By Andrew Jaquith, CTO of Perimeter E-Security</em></p>
<p>Last week I hosted a webinar called “5 Data Security Predictions for 2011.” The webinar was my first of many for Perimeter. It was lots of fun. I received some excellent questions from the audience. And I was gratified to see that we had several hundred registered attendees, too!</p>
<p>For those of you who couldn&#8217;t make the webinar, you can <a title="Data Security Predictions for 2011" href="http://www.perimeterusa.com/knowledge-center/webinars/on-demand#162" target="_blank">click on this link to view the replay</a>. But if you are allergic to multimedia, I thought I&#8217;d summarize the topics I covered in the webinar here. Last week&#8217;s webinar had three goals:</p>
<ul>
<li>To take a look back at the key security trends from 2010</li>
<li>To summarize the three most interesting security events of the last year, and the lessons we learned from them</li>
<li>To predict five data security trends for 2011</li>
</ul>
<p>This post covers the first item on the agenda: looking back at 2010.</p>
<p><strong>2010: The Year of Living Dangerously</strong></p>
<p><img class="alignnone" style="margin-left: 15px; margin-right: 15px;" src="http://upload.wikimedia.org/wikipedia/en/0/0b/Year_of_living_dangerously.jpg" alt="The Year of Living Dangerously (c) MGM" width="266" height="400" /></p>
<p>With many apologies to the actor formerly known as Mel Gibson, 2010 extended and deepened four trends we&#8217;ve seen in previous years. These should seem familiar to you, but there are a few twists that make them worthy of comment. In 2010, we observed:</p>
<ul>
<li><strong>Multiplying threats</strong>. It should come as no surprise to astute security professionals that malware has continued to proliferate. As with previous years, the number of circulating malware samples increased, by some counts, by a factor of 10 over the previous year. McAfee, for example, <a href="http://www.h-online.com/security/news/item/McAfee-Malware-still-on-the-rise-1138340.html" target="_blank">estimates that the number of samples has exceeded 50 million</a>. Other AV vendors have reported similar figures. The reason for the increases is simple: attackers are creating malware in smaller “batch sizes” (but with a larger number of batches) to evade detection by anti-virus engines. We are getting close to what I call “designer malware”: one signature, one victim. It&#8217;s not hard to understand why that strategy would work for the bad guys: if you can create unique malware for each victim, you can slide under the radar screen of the AV labs because the prevalence is nearly zero. The low-and-slow attack vector for modern malware is a difficult challenge for everyone in the industry. And it is clearly successful. From Perimeter&#8217;s perspective as an MSSP, we have been tracking nearly 25 botnets that we&#8217;ve observed in action inside our customers&#8217; networks. We expect to track more incursions in the future.</li>
<li><strong>Migration of malware to the web</strong>. Hand-in-hand with the explosion in malware samples is the change in attack tactics. Instead of mailing infected attachments to their intended victims, the bad guys are much more likely to send e-mails with hyperlinks in them, which they then induce the recipient to click on. When clicked on, the link leads to a site that dynamically generates “drive-by” malware that is custom-made for the victim. Again, this goes back to the “designer malware” comment in the previous bullet. Some of the vendors I&#8217;ve worked with in the past (like WebSense) have noted the movement of malware away from e-mail and towards the web. As an MSSP with content filtering services, we&#8217;ve noticed it too. What it means for our customers is that web content-filtering becomes a lot more important than it used to be. Keeping inbound web traffic free from malware becomes as critical for security (indeed, <em>more</em> so) than the outbound stuff. Never mind whether Johnny in Accounting is spending too much time on ESPN&#8217;s website — you should care just as much if he&#8217;s getting 0wned when he goes there.</li>
<li><strong>Mobile security fears</strong>. From the iPad to those newfangled Android devices, every enterprise I&#8217;ve spoken with is worried about what modern Post-PC devices will do to their security posture. The urgency stems from two sources. First, managers want to know how to apply security controls to consumer-grade gear being brought into the workplace by employees and executives. They want to know what kind of password and data protection policies they need, and how to apply them to gear that isn&#8217;t named BlackBerry. Second, companies have concerns about the iPad in particular, because of business initiatives outside IT. Both scenarios are equally important. You can read about my perspective on Apple devices in <a href="http://www.forrester.com/rb/Research/apples_iphone_and_ipad_secure_enough_for/q/id/57240/t/2" target="_blank">this Forrester report</a>, which I wrote last summer, and in press accounts of it <a href="http://www.infosecurity-us.com/view/11447/forrester-says-iphone-ipad-now-secure-enough-for-enterprise-deployments/" target="_blank">here</a> and <a href="http://www.garagesalepreview.com/how-to-secure-ipads-for-corporate-use/" target="_blank">here</a>.</li>
<li><strong>More compliance pressures</strong>. Compliance and security are often conflated, but it&#8217;s best to view the kinds of security activities enterprises do for compliance purposes as a kind of tax they have to pay to stay in business. And every year, the “tax rate” goes up. For example, with the passage of the HITECH provisions of the American Recovery and Reinvestment Act (ARRA) of 2009 (aka “the stimulus bill”), health care Covered Entities (hospitals and providers of medical care) and their Business Associates (insurers, and other partners) are subject to more stringent rules on what they must do to safeguard personal protected health information (PHI). For retailers, recent revisions to the Payment Card Industry&#8217;s Data Security Standard (PCI-DSS) means that businesses that accept and process credit cards must tighten up their wireless networks, manage their server log files better and audit their web-facing applications. And in the banking sector, new rules from FINRA around social media means that employers must monitor their employees&#8217; use of Facebook and other outside websites.</li>
</ul>
<p>All four of these trends are top-of-mind concerns for just about every security professional and CISO I speak with. What is most interesting for me, as an observer, student of security and CTO is the mix of concerns. Threats and compliance pressures are perennial concerns: they are always with us, and always need tending to. The attackers won&#8217;t stop brewing up increasingly lethal doses of malware for consumption by the unwitting, and the auditors won&#8217;t put down their clipboards. But the new evergreen issues on this list — mobile security, and the increased lethality of web content — could cause rapid shifts in company security postures very quickly if they aren&#8217;t dealt with. How we respond to these two issues is the key.</p>
<p>And on that note, we&#8217;re at a good breaking point for this post. The next posts will summarize what we learned from 2010&#8217;s three most interesting events, and offer predictions for 2011.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/5-data-security-predictions-for-2011-part-1-of-3-the-year-of-living-dangerously/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>What companies should know about complying with data security rules</title>
		<link>http://perimeterusa.com/blog/what-companies-should-know-about-complying-with-data-security-rules/</link>
		<comments>http://perimeterusa.com/blog/what-companies-should-know-about-complying-with-data-security-rules/#comments</comments>
		<pubDate>Thu, 26 Aug 2010 14:50:41 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Payment Card Industry compliance]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>
		<category><![CDATA[Red Flags Rule]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=1015</guid>
		<description><![CDATA[The need to comply with industry and federal regulations for keeping data secure drives a good part of what many big organizations spend on security. In a recent Last Watchdog blog post, Tim Harvey, CEO of Perimeter E-Security, outlines the basic considerations. Perimeter supplies compliance, security and messaging services.]]></description>
			<content:encoded><![CDATA[<p><a href="http://perimeterusa.com/blog/wp-content/uploads/2010/08/Tim_Harvey.jpg"><img class="alignleft size-full wp-image-1018" style="margin: 10px; border: 0pt none;" title="Tim_Harvey" src="http://perimeterusa.com/blog/wp-content/uploads/2010/08/Tim_Harvey.jpg" alt="Tim Harvey" width="52" height="61" /></a><em>Reposted from The Last Watchdog (<a href="http://lastwatchdog.com/" target="_blank">http://lastwatchdog.com</a>)</em></p>
<p>The need to comply with industry and federal regulations for keeping data secure drives a good part of what many big organizations spend on security. In a recent Last Watchdog blog post, Tim Harvey, CEO of Perimeter E-Security, outlines the basic considerations. Perimeter supplies compliance, security and messaging services.</p>
<p>By Tim Harvey, CEO Perimeter E-Security</p>
<p>A need for renewed focus on risk management and compliance in business is one with which few would disagree. But putting that focus into action is creating a tremendous hidden cost that will affect nearly every company in the United States as we exit the Great Recession. A crushing burden of new regulations is creating compliance and cost challenges from Wall Street’s behemoths to Main Street’s entrepreneurs.</p>
<p>According to AMR Research, governance, risk and compliance spending will reach $29.8 billion this year alone, and that’s only going to increase. Much of that money will be spent on information security: programs and systems for monitoring and protecting corporate and customer data.</p>
<p>Several compliance regulations, such as GLBA (Gramm-Leach-Bliley Act) for financial services companies and HIPAA (Healthcare Information Portability and Accountability Act) for healthcare and medical organizations, have been in place for over a decade. But in the last several years there has been a flurry of requirements that impact nearly every company in the U.S.</p>
<p><strong>New compliance regimes</strong></p>
<p>There are also relatively new regimes, many driven by technology’s rapidly growing influence on customer transactions. Compliance with the PCI-DSS (the Payment Card Industry Data Security Standard) is required for any company that accepts credit cards. Data breach disclosure and notification laws now exist in 46 states, with new national legislation being proposed in the Senate this month which includes requirements for comprehensive information security programs.</p>
<p>The Red Flags Rule, introduced in 2008, is designed to curb the explosion of identity theft but is not even being enforced yet as Congress redefines the broad scope of businesses that must comply. And lest a company consider any shortcuts, the FRCP (Federal Rules of Civil Procedure) have been updated with requirements that impact all businesses in the U.S.</p>
<p>Of course, this already-long list doesn’t include other specific industry regulations, state regulations, or those that regulate government agencies.</p>
<p>Many businesses are just now becoming aware of the avalanche of regulation, with little in the way of knowledge and preparation. However, while many don’t yet understand all the rules, the risks of non-compliance are clear as a bell: anything from fines to businesses being shut down. So, what’s a business owner, or a regional bank, or a hospital, to do to comply in a way that best protects their businesses and their customers?</p>
<p><strong>Back to basics</strong></p>
<p>When faced with complexity, it’s often best to start with the basics and begin to prepare your organization from there. Here are a few simple steps:</p>
<ul>
<li><strong>Understand the regulations</strong> and requirements you now face, and create a strategy that protects you and your customers. Regulatory compliance can be a millstone around the neck of your organization, or it can be used as a map to achieve best practices that lead to greater security for your company and customers. Map your current policies, procedures and risk mitigation strategies to the regulations affecting your business. Then, identify the gaps that exist in your current security program and look for solutions that are best suited to fill these gaps.</li>
<li><strong>Don’t be afraid to look</strong> at replacing solutions that have been in place for some time with newer systems that offer the necessary insight and value. In times of external change, companies need to be open to change too. New systems can ease compliance and result in lower cost of ownership over time. For example, you can now replace your separate firewall, intrusion detection systems, web content filtering, anti-virus, and virtual private network appliances with a single “unified threat management” (UTM) device that does it all and much more.</li>
<li><strong>Consider using an outsourced</strong> information security and compliance provider. Many companies are beginning to realize that they can save a substantial amount of money by outsourcing those elements of their information security program that are human resource-intensive. Few businesses are expert at maintaining a 24×7 security operations center, and for small businesses trying to create a comprehensive information security program, having “round the clock” monitoring isn’t even an option. Be sure to engage with a partner that can offer tools, reports, and other resources that make your regulatory compliance easy to manage.</li>
<li><strong>Don’t forget the ongoing testing.</strong> Once changes have been made to your overall security and compliance program, remember to follow up with testing and reviews. Use outside help if needed, and look for solutions to fill remaining gaps until you’re in compliance and are comfortable with your exposure.</li>
</ul>
<p>In today’s technology-driven world there is no such thing as being 100 percent secure and you can never eliminate all of your risk. But clearly regulators are going to great lengths to ensure that organizations are at least meeting a minimum of smart IT security and risk mitigation. The success of your business depends on achieving and maintaining a good information security foundation based in best practices, one that meets an evermore complex web of regulatory compliance requirements while not choking your bottom line.</p>
<p><em><strong>About the author: </strong>Tim Harvey joined Perimeter E-Security as CEO in October 2009, coming over from the CEO post at XAware. Before that he served as S1 Corporation’s Senior Vice President of Sales, Marketing and Product Management. He graduated from the University of Florida with a BSBA in Finance and served four years as an officer in the United States Marine Corps.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/what-companies-should-know-about-complying-with-data-security-rules/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identifying security vulnerabilities is only the first step</title>
		<link>http://perimeterusa.com/blog/identifying-security-vulnerabilities-is-only-the-first-step/</link>
		<comments>http://perimeterusa.com/blog/identifying-security-vulnerabilities-is-only-the-first-step/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 17:26:51 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[application penetration testing]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Payment Card Industry compliance]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>
		<category><![CDATA[security penetration testing]]></category>
		<category><![CDATA[Vulnerability Assessment Tools]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=896</guid>
		<description><![CDATA[Most information security experts talk about vulnerability management quite a bit.  This includes using external vulnerability assessments and penetration testing to determine your level of exposure to outside hackers and the like.]]></description>
			<content:encoded><![CDATA[<p>Most information security experts talk about vulnerability management quite a bit. This includes using external vulnerability assessments and penetration testing to determine your level of exposure to outside hackers and the like. Unfortunately, that is where vulnerability management ends for many organizations, and by itself it offers little threat mitigation. Identifying the vulnerabilities is step 1, but there are several other steps if you want this information to improve your security posture. Determining whether the identified vulnerabilities are real and actually apply to your organization is another step. Prioritizing patching and other mitigation strategies is another. And finally, implementing the fixes where needed is the final step. Most organizations don’t do these additional steps, which at a minimum means their security does not improve and could in fact increase their liability if a data breach occurs (they knew the vulnerability existed and did nothing about it). This issue gets more complicated for organizations that need to comply with various regulations or requirements. For example, those that must adhere to the PCI DSS are required to do quarterly vulnerability assessments. All too often the emphasis is placed on doing whatever it takes to pass an audit as opposed to what it takes to be the most secure. I thought <a title="Prioritizing And Fixing Security Vulnerabilities: A Reader's Guide" href="http://www.darkreading.com/vulnerability_management/security/management/showArticle.jhtml?articleID=225701544&amp;cid=nl_DR_DAILY_2010-06-28_h" target="_blank">this article from Dark Reading</a> was good at highlighting the issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/identifying-security-vulnerabilities-is-only-the-first-step/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Restaurants Suing Payment Terminal Vendor after Data Breach</title>
		<link>http://perimeterusa.com/blog/restaurants-suing-payment-terminal-vendor-after-data-breach/</link>
		<comments>http://perimeterusa.com/blog/restaurants-suing-payment-terminal-vendor-after-data-breach/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 13:04:39 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=140</guid>
		<description><![CDATA[Retailers and other organizations are getting tired of taking all the financial and reputational hits for data breaches. Seven restaurants in Louisiana and Mississippi are suing a vendor of point-of-sale devices that apparently don&#8217;t store credit card data in a manner compliant with PCI-DSS standards. As a result, a data breach occurred. This is similar to [...]]]></description>
			<content:encoded><![CDATA[<p>Retailers and other organizations are getting tired of taking all the financial and reputational hits for data breaches. Seven restaurants in Louisiana and Mississippi are <a href="http://www.securecomputing.net.au/News/161651,restaurants-file-lawsuit-against-payment-terminal-vendor-after-identity-theft.aspx" target="_new">suing a vendor of point-of-sale devices</a> that apparently don&#8217;t store credit card data in a manner compliant with PCI-DSS standards. As a result, a data breach occurred. This is similar to the outrage that many banks felt when Heartland had their data breach. We will see this type of behavior more often until all software and device vendors take all this regulatory stuff very seriously.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/restaurants-suing-payment-terminal-vendor-after-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Heartland Data Breach Results in Major Losses</title>
		<link>http://perimeterusa.com/blog/heartland-data-breach-results-in-major-losses/</link>
		<comments>http://perimeterusa.com/blog/heartland-data-breach-results-in-major-losses/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 16:50:52 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=303</guid>
		<description><![CDATA[Heartland Payment Systems Inc. reports major losses from the data breach it suffered in early 2009.]]></description>
			<content:encoded><![CDATA[<p>While not enough information has been released to know the full measure of the Heartland data breach, bits and pieces have come out, and we can begin to understand the impact to a company that has a serious data security breach. I touched on this subject in a <a href="http://www.perimeterusa.com/databreach_wp.html?mid=Other&amp;iid=Corporate%20Security&amp;cmid=70130000000IUgt&amp;deid=Website%20-%20Whitepaper&amp;did=2008%20Financial%20Data%20Breach%20Study&amp;retURL=www.perimeterusa.com/databreach_wp-ty.html&amp;fnid=&amp;lnid=&amp;cid=&amp;jtid=&amp;sid=&amp;eid=&amp;pid=" target="_new">series of data breach studies I have done</a> over the past couple of years. In these examples, sometimes there seemed to be a clear relationship between a company&#8217;s stock price and the announcement or public awareness of a data security breach. Other times the correlation could not be made.</p>
<p>Look for yourself in the case of Heartland in the <a href="http://www.atthebreach.com/wp-content/uploads/heartlandstock.jpg" target="_new">attached graph of the Heartland stock ticker over the past year.</a></p>
<p>Not only did Heartland have approximately a 40% stock drop the day this was announced, the stock continued to drop for some time. <a href="http://www.bankinfosecurity.com/articles.php?art_id=1684&amp;rf=080809eb" target="_new">Heartland recently announced their Q2 2009 financials</a>, which include the cost and write-offs associated with the data security breach.</p>
<p>They specifically noted that $.32/share was the write-off amount associated with resolving issues with their data security breach. They said this was associated with the $19.4 million it cost them to settle these issues. This resulted in a quarterly loss of $2.6 million ($.07/share) for Q2.</p>
<p>This also does not include the money they are putting into deploying end-to-end encryption, which is their answer.</p>
<p>It should be noted that both Visa and Mastercard have said that Heartland was <strong>not PCI compliant</strong> at the time the breach occurred.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/heartland-data-breach-results-in-major-losses/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>New State Law Requires PCI-DSS Compliance</title>
		<link>http://perimeterusa.com/blog/new-state-law-requires-pci-dss-compliance/</link>
		<comments>http://perimeterusa.com/blog/new-state-law-requires-pci-dss-compliance/#comments</comments>
		<pubDate>Tue, 21 Jul 2009 21:41:02 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=350</guid>
		<description><![CDATA[A post regarding the state of PCI-DSS and new Nevada state law that requires compliance.]]></description>
			<content:encoded><![CDATA[<p>While the credit card companies have been pushing to get all companies that accept credit cards for payments compliant with the now well known payment card industry data security standard (PCI-DSS), there is still little enforcement, especially for those smaller merchants. Merchants are broken down into 4 categories. Tier 1 merchants are very large, performing more than 6 million transactions each year. Tier 2 perform between 1 and 6 million. Tier 3 between 20,000 and 1 million, and lastly Tier 4 do less than 20k. Smaller organizations have been reluctant to implement everything they need to do in order to be PCI compliant due to the time, cost, and expertise required.</p>
<p>For those companies that do business in the state of Nevada, it will soon be required by law to be <a href="http://www.perimeterusa.com/compliance/pci-dss/" target="_blank">PCI-DSS compliant</a>. Nevada passed a law that goes into effect January 1, 2010 that will make this mandatory. Of course it was mandatory before, but I believe this will add additional penalties to those that are not compliant. It should also be a strong reminder for those that keep putting this off, that PCI compliance is not going away.</p>
<p><a href="http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html" target="_new">http://www.boazgelbord.com/2009/06/nevada-mandates-pci-standard.html</a></p>
<p>While PCI-DSS is not perfect and truly doesn&#8217;t go far enough in many aspects of data security, it is a good first step because it requires those that do interact with sensitive consumer and customer data to reach a minimum level of compliance and at least be cognizant of data security. It should be noted that for most companies this isn&#8217;t enough however. I am somewhat encouraged by Heartland&#8217;s response over the past few months to their data security breach (likely the largest in history); they seem to be taking steps to reach an adequate level of security. For example, they are implementing end-to-end encryption, which is not specifically called out by the PCI DSS. While I was not at all impressed with the way in which Heartland announced their breach (&#8220;coincidentally&#8221; at the same time as Obama&#8217;s inauguration), I am glad to see they aren&#8217;t taking the same approach now.</p>
<p><a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=340371" target="_new">http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=340371</a></p>
<p>Despite the good things that PCI-DSS does, there is a lot of negative feedback regarding the cost and effectiveness of PCI-DSS. As a result, the PCI Council is eliciting feedback to improve the standard. It is true that merchants will have to spend some money to be more secure, but frankly, this is overdue. Merchants do not like spending money on these types of things&#8230;especially when the economy is like it is. The bigger problem is that companies and people get it in their mind that if they are compliant&#8230;they are secure. And these are very different things. Being PCI compliant does not mean you will not be hacked. Just ask all the companies that have had breaches in the last couple of years even though they are PCI compliant, including Hannaford and Heartland.</p>
<p><a href="http://www.scmagazineus.com/PCI-DSS-standards-to-face-open-comment/article/138998/" target="_new">http://www.scmagazineus.com/PCI-DSS-standards-to-face-open-comment/article/138998/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/new-state-law-requires-pci-dss-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Analysis of the Retail Data Breach Study</title>
		<link>http://perimeterusa.com/blog/analysis-of-the-retail-data-breach-study/</link>
		<comments>http://perimeterusa.com/blog/analysis-of-the-retail-data-breach-study/#comments</comments>
		<pubDate>Wed, 20 May 2009 20:43:44 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=453</guid>
		<description><![CDATA[A post with links to comments and analysis of the Perimeter eSecurity Retail Data Breach Study.]]></description>
			<content:encoded><![CDATA[<p>I read an <a href="http://ivebeenmugged.typepad.com/my_weblog/2009/03/perimeter-retail-breaches.html" target="_new">interesting post</a> with some commentary and analysis of the Retail Data Breach Study that I had written several months ago. It is nice to see people catch the vision and seriousness of these things and discuss it. In general I have to agree with the analysis and conclusions.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/analysis-of-the-retail-data-breach-study/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Effective is PCI-DSS?</title>
		<link>http://perimeterusa.com/blog/how-effective-is-pci-dss/</link>
		<comments>http://perimeterusa.com/blog/how-effective-is-pci-dss/#comments</comments>
		<pubDate>Wed, 15 Apr 2009 21:36:33 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=512</guid>
		<description><![CDATA[A post regarding how congress is looking into the effectiveness of PCI-DSS in light of some of the recent data breaches such as Heartland and Hannaford Brothers.]]></description>
			<content:encoded><![CDATA[<p>Some (including Congress) have been asking how effective the Payment Card Industry (PCI) Data Security Standard (DSS) is, in light of several high-profile data breaches that occurred while the compromised company was PCI compliant.  This includes Heartland and Hannaford, which had both achieved PCI compliance within the year before their breaches.</p>
<p>Robert Russo, director of the PCI DSS Council said &#8220;I have no doubt that compliance to PCI standards are the best line of defense.  We have never found a breached entity to be in full compliance at the time of breach.&#8221;</p>
<p>But does that mean that PCI is designed in a way to help organizations be more secure?</p>
<p>Commenting on the debate, Rep. Ben Ray Lujan, D-N.M., compared the PCI DSS Council to a fire service declaring a home&#8217;s fire safety systems inadequate after a fire, and stated &#8220;It seems to me that the system we have today, we can all agree, from different sides, it&#8217;s not working.&#8221;</p>
<p>What appears to be happening is that retailers are trying to hide behind their PCI certification status when a breach occurs.  The investigators then determine that they may have been compliant at one time, but were not compliant at the time of the breach.</p>
<p>My experience with most retailers so far is that they feel PCI is a huge burden.  They seem to be trying to do the bare minimum and do not have an attitude of protecting their customers&#8217; data.</p>
<p>Personally, I think the PCI DSS is one of the better documents, in that it is more specific than most regulations about what organizations must do.  But the problem is that if someone is simply trying to &#8220;check the boxes&#8221; and not actually improve their security, that difference in attitude is going to cause problems in the end.  As I have said before, compliance does not equal &#8220;secure&#8221;.  Compliance is simply where the minimum standard is set, not where organizations should stop.  So as long as the attitude is that PCI is burdensome, difficult, costly, etc., real security improvement will be lacking.</p>
<p>So if an organization is 100% perfectly PCI compliant, or compliant with any regulation out there, can it still be breached?  Of course it can!  Regulations need to be less about scapegoats and shields and more about good principles and best practices, followed for the safety and security of sensitive data.</p>
<p><a href="http://news.cnet.com/8301-13578_3-10208827-38.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20">http://news.cnet.com/8301-13578_3-10208827-38.html?part=rss&amp;subj=news&amp;tag=2547-1_3-0-20</a></p>
<p><a href="http://www.forbes.com/2009/03/31/visa-mastercard-security-technology-security-visa.html">http://www.forbes.com/2009/03/31/visa-mastercard-security-technology-security-visa.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/how-effective-is-pci-dss/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VISA removes Heartland and RBS Worldpay from compliant vendor list</title>
		<link>http://perimeterusa.com/blog/visa-removes-heartland-and-rbs-worldpay-from-compliant-vendor-list/</link>
		<comments>http://perimeterusa.com/blog/visa-removes-heartland-and-rbs-worldpay-from-compliant-vendor-list/#comments</comments>
		<pubDate>Mon, 16 Mar 2009 21:14:51 +0000</pubDate>
		<dc:creator>Perimeter</dc:creator>
				<category><![CDATA[Blog Post]]></category>
		<category><![CDATA[Banking Compliance]]></category>
		<category><![CDATA[PCI DSS compliance]]></category>

		<guid isPermaLink="false">http://perimeterusa.com/blog/?p=585</guid>
		<description><![CDATA[Post regarding the recent removal of Heartland and RBS WorldPay from the VISA compliant vendors list.  ]]></description>
			<content:encoded><![CDATA[<p>VISA has removed Heartland and RBS Worldpay from their list of PCI DSS compliant vendors.  This effectively puts these processors on probation while they recertify their PCI DSS compliance using a QSA (Qualified Security Assessor).  They are still able to process VISA transactions during this time.  See <a href="http://www.bankinfosecurity.com/articles.php?art_id=1277&amp;pg=1" target="_new">Article</a></p>
<p>Credit card issuers will also be able to get at least partial reimbursement for reissuing credit cards and for fees associated with customer fraud and losses.  This is good news, because over 600 banks have already reported losses associated with the Heartland breach.</p>
<p>This is one of the first signs of real &#8220;teeth&#8221; in the PCI DSS.  Card brands are taking these breaches seriously and placing the blame and responsibility at the feet of those at fault.  I think this is a good move for VISA.  Until now, PCI was beginning to look like a way to hide from responsibility and fend off lawsuits.  With this move, it just may shift in the direction of compelling merchants and processors to take data security seriously for the purpose of eliminating consumer fraud.  Let&#8217;s hope so, anyway.</p>
]]></content:encoded>
			<wfw:commentRss>http://perimeterusa.com/blog/visa-removes-heartland-and-rbs-worldpay-from-compliant-vendor-list/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>