Friday, July 31, 2009

BREACH is the Word, is the Word, is the Word that you Heard….

…to the tune of $6.6 Mil per-r-r Breach.  Yup – according to Ponemon Institute the average cost of a data breach is $6.6 million and they also report that it costs about $215 per compromised record (pdf).  McAfee estimates $1 trillion in losses yearly, due to data theft – that’s 10 to the 12th dollars.  Imagine if IT budgets could get that back?

The past two years saw a significant increase in large scale attacks with the January 2007 TJX breach starting the massive flurry.  As of October 2007, TJX said that more than were 94 million accounts affected at a cost of over $256 million.  At the time it was the largest data loss incident to date.  The crooks kept it up, however.  Hannaford Grocers was hit Dec 2007 but they didn’t discover it until February 2008 and announced in March 2008 that 4.2 million cards had been exposed  leading to over 1800 cases of fraud.  In both cases thieves were able to capture the data, in clear text, as it traveled over the network.  December 2008, at the height of the economic crisis, both (online bill pay) and RBS Worldpay (payment processor) announced they had been infiltrated.  Checkfree with a DNS switcheroo and RBS Worldpay with a straight up ‘they broke in.’  RBS had 1 million accounts compromised and Checkfree, 5,000,000.  Payment card data was the top target in 2008.

Then at the start of 2009, instead of hitting individual retail chains, hackers decided to go after the big score – and boy was it.  Heartland Payment Systems, which processes about 100 million credit card transactions a month was compromised and it unseated TJX as the largest breach ever in the US.  This too was a case of malware planted on the network and thieves able to capture clear text data in transit.  In addition to Heartland, initially over 220 issuing banks were affected by the breach and that grew to 656 by June 2009.   The total number of accounts compromised is still unclear.  The common theme in many of these breaches is that the hit companies were PCI compliant.  Currently, PCI  does not require encryption during transmission of sensitive data on internal networks – where most of these occurred.  Ignoring the lawsuits, fines and bad press, the bright spot in all this is Heartland has instituted end-to-end encryption of all data (although some question the overall effectiveness) and has developed new equipment in the wake of the fiasco.  This one is still playing out.


One stat I remember but can’t remember the source (sorry for forgotten reference) is that 60 percent of companies had experienced a data breach in last year. However, only a minority of six percent could say with certainty that they had not experienced any such breaches in the past two years.  Yikes.


Previous blogs covering some of these:

The 'lost' paragraph - added Aug 2:
I meant to include this thought in the original post but forgot.  The other silver lining in all this is that the companies that have been breached, and the above just got the most press, are probably more secure than they ever were.  The breaches have made them more aware of their vulnerabilities and they have taken additional measures to ensure it doesn't happen again.  While brands can suffer after public disclosures, one could argue that the experience & knowledge gained - post breach - actually puts them in a better, more secure position moving forward.  ps

Thursday, July 30, 2009

26 Short Topics about Security: Stats, Stories and Suggestions

The crew at DevCentral has a great series called A to Z, which goes through various technologies including Social Media, PowerShell, Networking and the most recent NSM (Network and System Management) and gives tips, tricks and technical info on the topic. 

I decided to build upon (or steal, however you see it) the idea with ‘26 Short Topics about Security.’  Yes, I’m a Simpsons fan (22 Short Films About Springfield) and got some inspiration.  This blog series is actually an altered version of a presentation I did a few months back that I always thought of turning into a blog series.  The idea is that there is so much going on with Security in so many different places that I figured it might be good to cover 26 of those over the next few weeks.  Not too technically heavy or all encompassing but definitely areas of concern for IT.  So, then – let’s get on with it!

First, Security (and not just Information Technology) is all about Risk and Threats.  There’s a whole industry based on Risk Management, Risk Assessment, Risk Mitigation, Risk Analysis and so on.  Risks, in my view, are based on actions that we (you/I) either take or don’t take while Threats are actions (or attacks) coming from other entities.  We take risks while we try to reduce threats.  ‘That’s a risky move you’re making’ and  ‘don’t you threaten me.’   Certainly they are intertwined. shark What’s the risk if I don’t respond to this threat?  The 12ft shark might threaten my life if I risk swimming with it.  We deal with risks & threats every day and make quick decisions if it is worth it – you get it.  But this is just the set up (think slides 2-3).  :-)

[Theme song]

We begin with Authentication. Authentication has never been more important to users, corporations and web applications at large.  We’ve been confirming our digital identity against user stores for a while, particularly in our work domain environment & financial web applications.  Just about all the ‘my.public/portal’ sites that offer any sort of customization requires us to enter a username and password and much of today’s malware is targeted toward capturing someone’s credentials.  Once someone gets a hold of your ‘secret,’ they can pretend they are you and access information that only you should be viewing.  In the physical world, a doorman or ticket agent can check a photo ID against your real face and determine if you are who you say you are and hopefully, you’re the only one with that laminated picture.  In the digital world, all the system can go on is whether or not you know the stored secret so it’s important to keep those in the vault and not taped to the top of your laptop.  Plenty has been written about the security implications of ‘Forgotten Password,’ ‘Email password,’ and ‘Password Hint’ retrieval so won’t get into that but Alan Murphy does a have an interesting blog on ‘How to create strong, dynamic passwords.’

Strong Passwords (requiring letters, numbers, caps, special characters, rotation, etc), Two-factor auth (additional password or token) and OTP (one-time passwords) are all ways that IT can enhance their authentication scheme.  Biometrics (thumb print, iris, facial, voice, keystroke, etc) were supposed to be somewhat mainstream by now and can help in determining a user’s authenticity but can be very cost restrictive.  Fingerprint is appearing on many notebooks now and even the keystroke style, which is probably one of the least costly, isn’t completely solid since if I break my finger, the admin can revert to text password or lessen the sensitivity.  I’ve seen ‘What if I’m drink,’ as part of keystroke vendor questions. I understand that alcohol can influence my typing style but does my employer really want a sloshed, uninhibited employee accessing sensitive info?  There are also authentication systems that use pictures and shapes.  Instead of remembering a set of characters, you remember a shape and whatever the random numbers that comprise that shape is your OTP.  Or you do remember a set number password but the numbers appear in different locations every time.  There are also virtual keyboards where you ‘type’ your password by mouse clicking on a little keyboard screen on the log on page.


Oh, there are many ways.

SSO (single sign-on) and Federation take focus in many IT departments.  SSO allows users to log in to a system once and then be able to navigate (gain access) to the other related but independent systems.  For instance, a user would log in (or authenticate against a domain) to their corporate intranet and one of the links available might be a application.  Typically, the user would have to re-enter their credentials, but SSO passes identity (usually cached) which allows access without the additional UN/PW entries.  Federation is essentially trust between networks or domains and can be a part of a SSO solution.  Federated trust is usually a system, server or network trust between two businesses or private systems.  The user probably doesn’t have full reign but can access specific resources on their partner’s network.  With SSO it is usually just the user’s info that is passed to each system, with Federation, the entire (or groups of) infrastructure is trusted.  SAML, Kerberos and WS-Trust/WS-Federation services are all enablers of federation.  SSO can be achieved thru a host of vendors but things like Kerberos, smartcards and client certificates can all play a role.  For public web applications, especially social media sites OpenID is becoming a method for users to ‘claim’ they are themselves at various web portals.  There’s still some hesitancy for enterprise IT to adopt but many web facing applications support OpenID.  Many portals that do support OpenID, however, are reluctant to be that ‘3rd party vouch,’ especially if it’s for a competing portal.

That’s it, nothing groundbreaking just a point in time pertaining to Security topics.  To give you a little taste of what’s next [sung to the tune of GREASE]: BREACH is the word, is the word, is the word that you heard, to the tune of $6.6 Mil, per-r-r-Breach.