To disclose or not to disclose

In an August 12, 2014 post on Pymnts.com, the information security executive at Urban Outfitters, Dawn-Marie Hutchinson, argued against disclosure of breaches.  In fact, the company’s policy is to notify its lawyers first so that it can use attorney-client privilege.

While I sort of understand the concept of not disclosing things too soon (like before you have any facts, for example), I have also seen companies not disclose breaches for 6 months or more.

I will argue that if customers find out that you have had a breach and decided not to tell them – regardless of whether that is even legal in many states – I can guarantee that you will tick off more people than if they find out from you in a timely and responsible fashion.  Social media will go crazy once it does get out – it always does.  Guaranteed.

For many years – prior to CA SB 1386, the grandfather of all breach laws – companies were not required to disclose, and of course security was much better then.  NOT!

So what is the argument for not disclosing, or not disclosing early?  Customers will beat us up.  Right!  What’s your point?  If you, as a business, insist on keeping a lot of customer information and not protecting it well, then you should get beat up.  The answer to that is to communicate.  Do it at the appropriate time.  Take responsibility.  Explain things.  Help people understand that the world is not going to end.  And yes, you will likely take a short-term hit.

Security is a business (financial) decision just like everything else a company does.  It has to be weighed against all the other needs that those dollars can also be spent on.  However, the pre-SB 1386 world was not more secure than the post-SB 1386 world.  In fact, most companies are paying way more attention now than they ever have.  It’s a VERY hard problem.  The hackers only have to be right (get in) one time.  The company has to be right (keep the hackers out) every time.  I have been doing this for a long time – it is not easy or simple.

Now maybe what Ms. Hutchinson was suggesting was that your first call after finding out about a possible breach should NOT be to the NY Times or Wall Street Journal.  If so, then I agree with her.  Responsible disclosure means just that.  Responsible.  You have to have some facts in order to be responsible.

Does that mean 1 day?  1 week?  1 month?  Probably one of those.  It does not mean silence, however.

Mitch Tanenbaum

Update:  Here is another article on the issue.


Does your anti-virus software help or hurt you?

According to a presentation at the SyScan360 security conference, anti-virus software and other security products have security flaws just like every other piece of software on the planet.  To some of us, that does not come as a big surprise.

The researcher, Joxean Koret, tested a number of security products and found issues with many of them.  The issues ranged from denial of service to the ability to execute arbitrary code.

Anti-virus products often run with the highest system privileges possible.  Many of them are huge, and when any piece of software is large, the opportunity for security holes grows.

Ben Williams, another security researcher, tested a variety of security products including web and email security gateways, firewalls, remote access servers and others.  He says the results were not great.

Security software has to be able to read hundreds of file formats.  That requires lots of code – which is one reason the software has such a large attack surface.  More than likely, the security company did not write all of this code itself, but rather licensed it from many different companies.  Integrating code from many different vendors adds complexity to the application.  Add to this the fact that the software is running with the highest system privileges, and you can see how this could present a problem: a crafted file that fools one of those parsers is processed by a component that can do anything on the machine.
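The parser problem described above, as an added example that is not from Koret’s talk or from any real product: a toy container format (constructed here) with a length field, walked once by a parser that trusts the file’s length and once by a parser that checks it against the bytes actually present.  The format, the function names and the two sample files are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed toy format (not a real archive or AV-scanned format):
 *   "TLV" magic, a one-byte entry count, then entries of
 *   [type:1][len:2 little-endian][payload:len]
 * A scanner walks hundreds of formats like this; every length field it
 * trusts lets the file decide how much memory the scanner touches.
 */
#define MAX_ENTRIES 8

typedef struct {
    uint8_t type;
    size_t  off;   /* offset of the payload within the file buffer */
    size_t  len;   /* payload length as claimed by the file        */
} tlv_entry;

typedef enum { TLV_OK = 0, TLV_BAD_MAGIC, TLV_TRUNCATED, TLV_TOO_MANY } tlv_status;

/* Naive walker, the common buggy pattern: it keeps the 3-byte header it reads
 * inside the buffer, but hands the claimed payload length on unchecked. It does
 * not dereference the payload itself, so it can be run on hostile input here;
 * a consumer doing memcpy(dst, buf + e.off, e.len) on its output would read or
 * write past the end of the file buffer (the DoS / code-execution bug class). */
size_t tlv_parse_naive(const uint8_t *buf, size_t buflen, tlv_entry *out, size_t max_out)
{
    if (buflen < 4 || memcmp(buf, "TLV", 3) != 0) return 0;
    size_t count = buf[3], off = 4, n = 0;
    while (n < count && n < max_out && off + 3 <= buflen) {
        out[n].type = buf[off];
        out[n].len  = (size_t)buf[off + 1] | ((size_t)buf[off + 2] << 8);
        out[n].off  = off + 3;
        off += 3 + out[n].len;   /* trusts the file's length field */
        n++;
    }
    return n;
}

/* Checked walker: the entry count is capped by the caller's array, and every
 * header and payload must fit in the bytes that are really there. Subtraction
 * (buflen - off) rather than addition avoids arithmetic wrap-around. */
tlv_status tlv_parse_checked(const uint8_t *buf, size_t buflen, tlv_entry *out,
                             size_t max_out, size_t *n_out)
{
    *n_out = 0;
    if (buflen < 4 || memcmp(buf, "TLV", 3) != 0) return TLV_BAD_MAGIC;
    size_t count = buf[3], off = 4;
    if (count > max_out) return TLV_TOO_MANY;
    for (size_t i = 0; i < count; i++) {
        if (buflen - off < 3) return TLV_TRUNCATED;          /* header must fit  */
        size_t len = (size_t)buf[off + 1] | ((size_t)buf[off + 2] << 8);
        if (buflen - (off + 3) < len) return TLV_TRUNCATED;  /* payload must fit */
        out[i].type = buf[off];
        out[i].off  = off + 3;
        out[i].len  = len;
        off += 3 + len;
        (*n_out)++;
    }
    return TLV_OK;
}

/* 1 if copying e->len bytes from e->off would stay inside a buffer of buflen bytes. */
int tlv_payload_fits(const tlv_entry *e, size_t buflen)
{
    return e->off <= buflen && buflen - e->off >= e->len;
}

/* Constructed sample files (not captured from any real product). */
static const uint8_t benign_file[] = {
    'T', 'L', 'V', 2,
    0x01, 0x03, 0x00, 'a', 'b', 'c',
    0x02, 0x01, 0x00, 'z'
};
static const uint8_t hostile_file[] = {
    'T', 'L', 'V', 1,
    0x01, 0xFF, 0xFF,   /* claims a 65535-byte payload inside an 8-byte file */
    'x'
};

/* Number of entries the checked parser accepts from the benign file, or -1. */
int demo_benign_file(void)
{
    tlv_entry e[MAX_ENTRIES];
    size_t n;
    if (tlv_parse_checked(benign_file, sizeof benign_file, e, MAX_ENTRIES, &n) != TLV_OK) return -1;
    for (size_t i = 0; i < n; i++)
        if (!tlv_payload_fits(&e[i], sizeof benign_file)) return -1;
    return (int)n;
}

/* 1 when the naive parser returns an entry whose payload lies outside the
 * hostile file while the checked parser rejects the same file. */
int demo_hostile_file(void)
{
    tlv_entry e[MAX_ENTRIES];
    size_t n = tlv_parse_naive(hostile_file, sizeof hostile_file, e, MAX_ENTRIES);
    int naive_overreads = (n == 1) && !tlv_payload_fits(&e[0], sizeof hostile_file);
    size_t m;
    tlv_status st = tlv_parse_checked(hostile_file, sizeof hostile_file, e, MAX_ENTRIES, &m);
    return naive_overreads && st == TLV_TRUNCATED && m == 0;
}

int main(void)
{
    printf("benign file: checked parser accepted %d entries\n", demo_benign_file());
    printf("hostile file: naive parser overreads, checked parser rejects: %s\n",
           demo_hostile_file() ? "yes" : "no");
    return 0;
}
```

The second parser is not harder to write than the first; the point is that a scanner contains hundreds of the first kind, from many code bases, and one unchecked length in any of them is enough when the process runs as SYSTEM or root.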

Koret thinks that vendors should find and fix problems themselves – or, if not, pay the security researchers who do find the holes – so he has not disclosed all the bugs he found to the vendors.

According to an article in Network World, some of the vendors were informed and fixed the holes they were told about.

What didn’t he tell them and what holes still exist?  Good question.

M


A Billion here, a billion there …

It has been reported in the NY Times, among other places, that a Russian crime gang has amassed 1.2 BILLION userid/password combinations, along with 500 million email addresses.  Even to me, that is a large number.

The passwords represent data stolen from 420,000 web sites, including both large and small companies.

The bad news is that the researchers who found the data are not disclosing the names of the sites that have been compromised, in part because many of them are still vulnerable.  What this means is that you as a user have no idea where to look.

Ultimately, this tells us that the security processes and mechanisms that we are using have failed and cannot be fixed, but rather must be changed.

The challenge is that people don’t like change and will, for the most part, resist it – which is why we are still using userids and passwords.

Apparently, this particular gang is currently only using this data to spam people, but that does not mean that it will only be used for that or that the gang won’t morph into a different business model.  If they do change into a financial crime model, it could get pretty ugly.

For now, all you can do is be vigilant, and that is hard to do for more than a short period of time.  Do pay special attention to important sites like online banking and bill pay, credit cards and e-commerce sites.

Even though it is inconvenient, I avoid allowing web sites to store my credit card and bank account information.  This is especially true for the smaller sites.  Remember that if your userid and password have been compromised and the site has your credit card information, your credit information is also compromised.  So, while you may not care if the hackers know that you are buying jeans at Wal-mart, you probably care if those crooks can lift your credit card information from that site.

The better web sites do not allow you to see your credit card information after it has been entered (other than the last 4 digits) to make harvesting the card information harder.

Stay tuned … there will be more details I am sure.

M


The FBI is looking for a little love

According to an item on Govtech, the FBI is looking for a little help from businesses in its effort to bring cyber criminals to justice.

Assistant AG for National Security John Carlin and FBI Director James Comey said they need more than knowing how a breach occurred.  They also want to know why the bad guys are after a given company.  So exactly what is in it for businesses to cooperate?

I assume that number one on most companies’ lists would be to get the bad guys, get the information back and put the perpetrator in jail for a long, long time.  Let’s analyze this.

While some cyber attacks come from inside the US, many come from foreign countries.  Countries that are not terribly friendly to us.  Countries like Russia, China, North Korea and other places.  Do you think China is going to help us catch some cyber thieves?  Not likely.  Many of them are likely on the government’s payroll.  The ones that are not and are doing things that the government doesn’t like will likely disappear.  That problem is solved.  Sending them to the US to face trial?  Not gonna happen.

What are companies concerned will happen?

1.  My company will be turned into a crime scene.  To some extent, this is likely to happen.  The Feds are going to want to collect evidence.  Are they going to come thundering in and haul off all your computers?  Not likely, but there are no parameters that say what they are going to do and not do.  Are they going to question my employees and take their time?  Likely yes.

2. I will get a lot of PR – all bad.  This is likely to happen anyway unless you can keep the breach quiet.  If it consists of stealing corporate intellectual property, you can probably do that, but the odds of catching the bad guys go to zero.  On the other hand, once the IP is stolen, getting it back is probably not very useful, since it has likely already been copied and distributed.  You cannot get the cow back in the barn.

3. The FBI is not going to understand what I am telling them and I will get frustrated.  Also likely to an extent.  The FBI is hiring a bunch of cyber agents, but they are not programmers and not system administrators and they have not been involved with your company to understand how your systems work.  Still, they are getting much better than they were.

4. The bad guys won’t get caught.  Also likely.  The US just indicted a bunch of Chinese military hackers.  Do you think the Chinese are going to turn them over to us?  Not very likely.  That indictment was a publicity stunt to try to impress the uninformed.  At least we do have some idea of who was attacking us, but the odds of getting our hands on them to put them through our legal process are as close to zero as you can get.

5. Information I don’t want to get out will get out.  Partly true.  Some information will be protected, but unless a judge agrees to seal an indictment or clear the courtroom before testimony, which is very unusual, some information will get out and you won’t get to decide what does and what does not.

So it is a messy situation.  No easy answers.  Your board will have to make some decisions. Also consider, however, that if it involves PII (like credit cards) or PHI (like medical records), the decision is mostly out of your hands unless you want to break the law – and they know where you live, so that is probably not a good plan.

Best answer – work hard to protect yourself and hope that your breaches are small.

Sorry if you were looking for a better answer.

M


Are you managing your third party connections?

Those of you who have been following Target’s security breach are probably aware that the publicly stated source of the breach was a heating vendor who clicked on a malicious email and set the wheels in motion for one of the largest security breaches ever.

Since the old adage says that your firm’s security is only as good as its weakest link, you might assume that companies would be reviewing the security of the third parties that are vendors and part of the company’s supply chain.

According to an article in CSO Online, only 44% of companies surveyed take the effort to vet the security of third party vendors and others in their supply chain.

92% of the firms don’t have a supply chain risk management process.

We have heard of law firms being targeted.  Apparently, the bad guys have figured out that it may be easier to attack a company’s law firm than the company itself.

Do your vendors have the ability to log in to your systems?  You might say that if the answer to that question is no then you are safe.  Maybe not.

If those third parties have the ability to send you an email or send you a Word doc, then they could be the vector for an attack on you.  If they can log on to your systems, the risk is even higher.

My suggestion – use a risk management process to minimize the likelihood of your most important vendors being the source of a breach of your information.

Remember that even if they have cyber liability insurance (and since you are not vetting them, you don’t know), the one getting the black eye is you, not them.  Nobody remembers the name of the heating contractor that started the Target breach.  And if all they have is general corporate liability insurance, then the odds of you collecting a dime are nil.

Food for thought.

M

 


Is cyberinsurance an effective tool to protect against the costs of a cyberattack?

An article at Investors.com made a number of good points, but I have a bone to pick about one point.

First the good points –

One of the many changes that the Internet brought about is that it is easier than ever to steal someone’s data.  You don’t have to break in to someone’s house or office — you can be thousands of miles away – which means that the odds of getting caught are very low.

People are buying more and more cyberinsurance.  It seems like a good thing.  Have a risk?  Insure against it.  The attacks are endless and mind-numbing – Target, eBay, Boeing, Lockheed.  The list seems to go on forever.  Attacks are more prevalent and harder to detect.

The industry has been writing fire insurance for over a hundred years.  They have been writing cyber insurance for less than ten years.  Do you think the insurers have this figured out?  Do YOU know what is covered in your cyber liability policy and what is not covered?

The article points out that we don’t even know what percentage of companies have cyberinsurance. Three different studies reported very different results – from 52% to 33% to only 6%.  Even if you are very optimistic, it means that half of the companies don’t have cyber insurance.  That’s probably not a good plan today.

Now the bone –

The article says “Yet challenges remain to raise awareness that cyberinsurance can be an effective tool to protect against the costs of repairing and defending against cyberattacks.”

Far be it from me to suggest that people should not buy cyberinsurance.  I think most companies should have some cyberinsurance, BUT, all that will do is help defray some of the costs – after the fact.

While Target is not the typical breach, it is representative.  It has been reported that Target had $100 million in cyber insurance.  I don’t know if that is true, but that has been reported. It has also been reported that Target will likely spend more than a billion dollars mitigating the attack.  That includes everything from PR to lawsuits.  Of course it depends on the outcome of the 50 lawsuits that have been filed against Target, but the cost might be several billion dollars.

So, if you are optimistic, Target’s insurance will cover 10% of the cost of mitigation.  If you are pessimistic, it might only cover 1%.  Ignoring for the moment the purely financial impact of paying to mitigate the breach, Target has been the recipient of an awful lot of bad publicity, and its sales fell significantly after the breach as well.

What companies really need to do – besides making sure that they do have cyberinsurance – is to take some positive action to reduce their own risk of being the victim of a cyberattack.  What most companies do is install anti virus software and a firewall and call it good.  Tomorrow I will write a post on the downside to anti virus software – check that out.

What companies need to do today is way more than that.  To start with, do you have a Chief Risk Officer (not someone who does 10 things plus risk management)?  Do you have a chief data security officer?  If you are a small to medium-size company, these could be part-time roles or they could be filled by a contractor, but they need to be well-defined jobs.  AND, they need to brief the board of directors on a regular basis.  Ultimately, this is a bet-the-company issue.  Studies report that somewhere around two thirds of companies that suffer a data breach go out of business.  Whether that number really is 66% or 40% or even 33%, the number is significant, and as a result this issue needs real, ongoing visibility at the board level.  What this likely means is spending money, changing processes, dealing with people complaining about change and a whole lot of other things.

Alternatively, be prepared to be the next Target.  At Target, the CEO, CIO and CISO all lost their jobs.  Among other people.

Choose!
