February 10, 2008
Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


December 21, 2007
2007 -- The Year of the Data Breach

Ahhh, to look back to early 2007, when you could take a Sunday drive on the Information Superhighway with data leaking out everywhere and by the time you got home, there wouldn't already be ten versions of you shopping at OverPriced.com. The days of data ease seem so long ago (what's the calculation: two days on the internet equals a year in Medieval times?). Well, those days of data innocence are gone. O-V-E-R!

2007 was the year of the big data breach, and some of the lowlights were:

Monster.com -- One of the first big multi-staged attacks: the attackers first harvested account data from the site, then used that data to craft targeted spear-phishing messages. News later revealed that Monster waited five days to inform customers (information that's critical to stopping a targeted phishing attack), but hey, they said this happens to companies all the time (or maybe it's time Monster polished up its résumé).

TD Ameritrade -- Another multi-staged attack, and another huge lag in customer notification (some estimate it took as long as a year). What's so scary about this breach is that the closer the attackers get to you, the closer they get to your money, and with TD Ameritrade, they're already in your money.

TSA -- Breached not once but twice: first, two lost laptops holding the names, addresses, birthdays, Social Security numbers and commercial driver's license numbers of hazardous-material truckers; second, a stolen computer hard drive holding the names, Social Security numbers, dates of birth and bank account and routing information of current and former employees, including federal air marshals. I've heard the saying screw me once, shame on you, screw me twice, shame on me, but what do you say when it happens a third time?

There are certainly many more notable breaches, but the story starts to get a bit repetitive...you know, hacker meets company, hacker steals company's data, company makes excuses. Even that doesn't fully explain the grand prize loser of the year:

TJX -- First reports estimated 10 million records lost, and that number now stands upward of 100 million. I just checked the TJ Maxx website, and it proudly exclaims, Fear not, last-minute shoppers! I would add, though, that the only thing TJ Maxx's shoppers need to fear is their data itself.

OK, 'nuff preachin' about the breachin', as I want to point out an excellent podcast that's like a bullet train to the future of security, on Virtualization Security, recorded by Mike Rothman. You can give it a look/listen right here.

Happy holidays all!


Posted by pschooff in | Permalink | Comments (0) | TrackBacks (0)

December 19, 2007
Simplifying for Security's Sake

Regular readers here are well aware that system complexity often stands directly at odds with security. Nothing is worse for an enterprise than having a security breach go down and the company not even knowing about it because it happened on some unaccounted-for or unknown area of the network. (OK, there is something worse, and that's having a breach and doing nothing about it.)

According to the TaoSecurity blog, the federal government is planning to do something about it. The Office of Management and Budget's (OMB) Trusted Internet Connections (TIC) initiative will require government agencies to implement real-time gateway monitoring, and will force them to reduce the number of internet connections from an estimated more than 1,000 down to around 50.

Why 50? That would equal roughly two per department, but 50 is not set in stone.

"The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner," Karen Evans, OMB's administrator for e-government and information technology, said. "While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale."

“The [TIC] initiative is saying, ‘We have to know what we own in order to protect it,’ ” Evans said. “We also must know we are managing risk at an acceptable level.”

Makes sense to me.

And now for something fun -- see if you can figure out the trick behind this guess-your-number wizardry.


December 18, 2007
Will the Identity 'Big Bang' Happen in 2008?

This question recently arose on Eric Norlin's CSO blog and is definitely worth considering.

Many believe that we are still waiting for the 'big bang' to happen in IAM, a term Phil Becker coined referring to the seminal event from which everything that comes after derives. In terms of the PC, one would definitely have to include the Macintosh and its introduction of the graphical interface (as the OS made the computer usable, the GUI made the PC wildly popular).

Norlin states that for the past five years, most folks in identity have been thinking about IAM as a function of risk management and cost reduction, which in essence are limitations. But what exactly can identity management enable?

So what will be the graphical interface of IAM? I don't know the answer to that question, but I sure hope it comes soon.


December 17, 2007
When Will We Measure Consumer Security Confidence?

Reading the latest news on TJX -- which says that TJX, after a massive data breach that exposed as many as 45.7 million credit card numbers (with the banks claiming 94 million accounts were compromised), has offered to settle with both Visa and Mastercard for $40.9 million -- makes me wonder when some sort of consumer security confidence measurement will come into play.

While $40.9 million marks a pretty pricey mishap, some of the worst news to come out of the incident is the recent revelation that TJX (which owns TJ Maxx) knew about the data breach in October, two months before it went public with the problem. What do you want to bet the powers-that-be at TJX decided to keep quiet to avoid any negative publicity during the holiday shopping season?

One of the more surprising things to come out of this whole TJX debacle is the fact that, with all the attention this data breach has received, it hasn't seemed to hurt sales at TJ Maxx. But you know what, I understand. This is essentially the first data breach of this scale to reach the general public (but definitely not the last), and most consumers simply aren't all that informed about the retailer side of data protection and don't really know who's at fault.

The whole idea of consumer security is still pretty new (to consumers), and as far as they know, the credit card companies bear most of the risk. But a real dishonest-to-goodness identity theft can really disrupt someone's life. It happened to a friend of mine (they got her info out of the garbage), and it took her about a year and a half to clear everything up (and she was an attorney).

Consumers will become educated, and in the not too distant future, expect consumer security confidence to start playing a role in where consumers shop.


December 14, 2007
What Will Drive the Future Growth in Security?

A recent blog post on Securosis pretty much codifies what has become common knowledge about where security is going: it follows the attacks, or at least the high-profile, company-slaying type of attacks. That means most of the future growth in security will come from data and application security (although Identity and Access Management will remain an important issue).

Taking a good guy versus bad guy approach, we have seen a major shift in the types of attacks on companies and in the people doing the attacking: hacking has moved from essentially a hobby to a full-time career choice, and cybercriminals use the Internet to organize, exchange information and set up secondary markets to buy and sell malware and data. On the flip side, you have companies that have mostly remained static in their defenses, employing stop-gap measures like firewalls, IDS and antivirus.

Looking at it like that, I think we can expect to see more high-profile breaches in the future, which will in turn drive stricter and stronger compliance, which will continue to feed data and application security growth.

As Rich Mogull concludes in Securosis, “data security issues (and the related application security) will account for over 60% of new enterprise security spending -- this includes spending on new technologies, and excludes maintenance of existing technologies such as firewalls and antivirus, which account for most current security costs.”


December 12, 2007
Small Companies See Bigger Risks

As we approach the end of the year, the security surveys are stacking up like wide-bodied jets waiting to touch down at JFK. The most recent, and most informative, survey to come to my attention asked 12 questions and received 455 responses, mostly from SMBs. The survey was conducted by eMediaUSA.

The most salient finding is that while 96% of respondents use anti-virus software, 93% deploy firewalls, and 80% use anti-spam, a full 42% of them do not consider their networks secure. One of the central reasons for that is that almost a third of the companies experienced a security breach in the past year. Some 55% used a combination of software, appliances and hosted services to protect their network.

71% of companies say that their main IT fear is either downtime or security breaches. Also, 39% still feel that email viruses pose the biggest risk.

So what are companies doing to allay these fears? While a majority (55%) spend less than 10% of their IT budget on security, a full 77% said they thought this was enough to keep secure, so clearly don't expect companies to raise security spending much in 2008. As for the measures they do plan to take, at least 48% of respondents said they plan to better educate their employees on security awareness, while another 25% plan to make senior management more aware of security issues.

So education is where most corporate minds seem to be, but if that doesn't work, and breaches keep happening (many say that SMBs have become the low-hanging fruit of the cybercriminal), count on the greater awareness leading to greater spending.


December 11, 2007
Is This the Frightening Future of Security Attacks?

A friend forwarded me a link about a whole new breed of social engineering attack discovered by PC Tools: a program that can actively chat (and flirt) with people in chat rooms, all in an effort to capture personal information. Mike Greene, vice president of product strategy at PC Tools, said they learned of CyberLover's existence by monitoring a Russian IRC malware chat room.

The program mimics online flirtation, and is so convincing that most people cannot distinguish between a flirt-bot and a real person. I have always been interested in the Turing Test, which supposes that if someone can carry on a text conversation with another party and not tell that the other party is a computer program, then that machine has passed for intelligent.

Whoever knew that the Turing Test would first be broached by a social-engineering cyberscam? Of course, the real Turing Test is conducted by a judge looking for conversational flaws, which is quite different from folks in chatrooms looking for some saucy give and take -- but still, it surprises the hell out of me.

As reported by CNet, the pseudo-lover can offer a range of chat personalities, from 'romantic lover' to 'sexual predator,' or can be used to direct victims to a web site in order to deliver a malware payload. The app can establish up to 10 relationships in 30 minutes, and compiles a report on each 'relationship,' complete with name, contact info...whatever info the cyber-duped gives up.

"As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering," PC Tools senior malware analyst Sergei Shevchenko said.

Currently, the heart-killer app is targeting Russian chatrooms, and while Greene could not say how widely it was being used, he estimated it must still be in the early stages. To counter this, obviously, no one should use their real name in chat rooms, and no one should give personal information to unknown chat partners.

This could call every IM and chat into question. I mean, who knows if the person who forwarded me this story really was my friend? So be careful out there, clickers.



December 10, 2007
How Are Laptops Being Stolen?

According to a survey by Ziff Davis featured on eWeek, over 80 percent of the 207 people surveyed agreed that laptop security was an important factor when buying a laptop. Also heightening the need for laptop security, nearly 60 percent of respondents said that their laptops were used primarily by end-users who travel a lot, which certainly would make them data rich.

And while security only rated fifth among factors when evaluating laptops, over 20 percent of respondents said they had had 1 to 4 laptops lost or stolen in the past year, and over 10 percent said they had had more than 10 laptops lost or stolen in the past year.

Of the laptops stolen, nearly 50 percent were reported grabbed out of cars, and as you can never discount human error, 25 percent were reported simply left behind. After that, over 20 percent were stolen at the office, and the rest from home.

In essence, while many companies are affected by laptop theft or loss, not many companies rate laptop security all that highly. I don't know, maybe laptops should come handcuffed to the owner like an important prisoner. Or perhaps laptops should be made out of solid gold, so people would never forget how valuable the data on them is. Easier yet, maybe companies should just invest in laptop security.


December 06, 2007
Future Security Threats

It's that time of year when everyone seems to be prognosticating about the future of security, so I figured it was high time to run some type of overview on all these predictions.

One of the main points seems to be that while computers will continue to rapidly evolve, we humans will pretty much remain unupgradable. So the entire branch of exploits based on human weaknesses and social engineering (trust, greed, fear) will continue to flourish, and will continue to find ways into any new computing or communications device we think up in the future.

Another consistent trend seems to be that, in the past, much of security essentially amounted to securing the barn door after the horses had left. And while the nature of cybercrime is to exploit the exploitable, if security finally gets built into systems and applications during development and is not just bolted on afterward, maybe all these criminals will go back to mugging little old ladies.

Also, with the growing use of Web 2.0 and social networking, many experts are predicting vulnerabilities in Salesforce.com (specifically an AppStore data loss), Google (tools to exploit the cross-app networking application OpenSocial), and in Facebook widgets. Online gaming, which is already big, will also become a big target.

The Storm Worm will continue to thrive; it has been called the most sophisticated piece of malware ever, and even has its own defensive capabilities, and in 2008 many think we will learn the full capabilities of the Storm Worm. And where will the nexus of cybercrime be located? As China and Russia seem to be in no rush to throw the bums out, they're expected to continue dominating the cyber-underworld.

The general and depressing trend is that many expect things to get worse. But really, this year feels a lot like last year, and in summarizing the year ahead I could just as well say, Same New, Same New. But as computers continue to play an ever more important part in our lives, security is the one peg that will either get us stuck or allow tech to climb ever higher.

The blogs I culled much of this from are Richard Stiennon, Bruce Schneier, and of course, Mike Rothman.


December 05, 2007
Will We Ever Get Human 2.0?

Another day, another data breach survey...you know, I'm really starting to feel like data breaches are becoming the leading cause of statistics. But this most recent one, found over at Dark Reading, is interesting, as it points out that, however many gadgets and gizmos you buy to protect your precious data, the human-driven data leak remains the leading cause of most data disasters.

This survey, undertaken by the Information Security Forum (ISF), studied 887 leaks, and found that most were accidental and non-technical. That sets it apart: while there have been numerous insider-attack surveys, most focused on online leaks while ignoring the types of data leaks that have been around since before there were targeted data attacks (yes, there once was a time).

These data slips -- like sending an email to the wrong address, sensitive documents left at the copy machine, or employees simply leaving the office with high-priority data -- are generally accidental and not malicious, and feature the one indispensable, unupgradable element: the human being. That human being often loses data simply by not thinking: by being overheard in a restaurant, by being shoulder-surfed at a coffee shop, or by leaking the data on social networking sites.

Some of the data losses were less expected, like 'print screen' captures or screenshots saved on mobile devices, or metadata hidden within a file.
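The "metadata hidden within a file" item is easy to demonstrate, because Office Open XML files (.docx, .xlsx, .pptx) are zip archives that carry a docProps/core.xml part which the authoring application fills in with the creator, last editor, title and similar fields without the user ever seeing them. The Python below is an added example, not code from the post or from the ISF report it cites: it builds a minimal .docx in memory (a constructed sample with a made-up author, title and description), reads those core properties back the way a recipient could, and writes a copy with the sensitive values blanked. Real documents carry more (docProps/app.xml, custom properties, comments and tracked changes), which this example deliberately does not touch.

```python
"""Inspect and scrub the core-properties metadata inside a .docx.

Added example; the document is constructed in memory and contains only the
parts this script needs (a real .docx has many more).
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in Office Open XML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Fields that routinely leak people's names, e-mail addresses and internal context.
SENSITIVE = ["dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description", "cp:keywords"]

CORE_PART = "docProps/core.xml"


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx zip with a populated core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
        "<dc:title>Q4 pricing (internal)</dc:title>"
        "<dc:creator>j.doe@example.com</dc:creator>"
        "<cp:lastModifiedBy>Legal - Jane Doe</cp:lastModifiedBy>"
        "<dc:description>Draft shared with outside counsel</dc:description>"
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(CORE_PART, core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def read_metadata(docx_bytes: bytes) -> dict:
    """Return the populated sensitive core properties, keyed by prefixed tag."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if CORE_PART not in z.namelist():
            return {}
        root = ET.fromstring(z.read(CORE_PART))
    found = {}
    for tag in SENSITIVE:
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[tag] = el.text
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the package with the sensitive core-property values blanked."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        members = {name: z.read(name) for name in z.namelist()}
    if CORE_PART in members:
        root = ET.fromstring(members[CORE_PART])
        for tag in SENSITIVE:
            el = root.find(tag, NS)
            if el is not None:
                el.text = ""  # keep the element so the part stays schema-valid
        members[CORE_PART] = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", read_metadata(sample))
    print("after: ", read_metadata(scrub_metadata(sample)))
```

Blanking the values rather than deleting the elements keeps the part well-formed for readers that expect it; for a document that has already left the building, the point is simply that anyone with a zip tool can read what the author never typed.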

But until the Human 2.0 version comes along (better security, more memory, better looking), the best way to stamp out these types of leaks is through pure security awareness. As Simone Seth, senior research analyst at ISF, says: "I know it's a tired phrase, but we're talking about human behavior here, and the only way to correct the problem is to correct the behavior." Enterprises need to enforce security policies so that there are consequences for leakage, she says.


December 04, 2007
Top Ten Security 2008

Two weeks ago I was in L.A., jumping from meeting to meeting, and at the end of every meeting, I asked everyone what they saw in the Identity and Access Management road ahead. I got some great answers, which you can peruse right here, and just this morning, I got these additional answers from Baber Amin of Novell, and definitely thought they were worth adding to the discussion. And hey, it is the holidays, so I can certainly forgive a little lateness.

1) What do you think will be the biggest challenge for IAM in the coming year?

One of the main challenges IT administrators will face next year is addressing the internal concerns associated with getting approval for and deploying an identity and access management solution. Enterprises should have a complete vision of how identity and access management will improve their identity infrastructure, but small implementations early on can show immediate ROI and are the best way to avoid some of the most common deployment pitfalls.

2) What will be the main trend for IAM in 2008?

Convergence is the biggest trend we will see in 2008. This includes the convergence of identity with credentials (role-based provisioning), convergence of physical and IT security, and the convergence of identity and security information and event-based management.

And while we're in the area of security predictions, I'd like to point out Christopher Hoff's excellent glance ahead right here. Some interesting highlights are a Virtualization Hypervisor Compromise, an expected major breach at a social networking site (but with the news today of Facebook intruding on its users' surfing, who needs hackers), a SaaS hack, and much more, so it's definitely recommended reading.


December 03, 2007
The Data Enemy is Us!

It's not too surprising that the most recent study from the Ponemon Institute -- sponsored by encryption software maker PGP and data loss prevention vendor Vontu (see today's announcement by Symantec about finalizing its purchase of Vontu) -- revealed that we humans, we bipeds, we losers of laptops and memory sticks, still represent the greatest threat to the security of a company's data.

Larry Ponemon, chairman and founder of the Ponemon Institute, told eWEEK that at least 80 percent of data breaches involve the human factor, a number that has remained pretty much consistent for the past few years. And as the study pointed out, while the loss of a laptop will certainly get noticed, if a memory stick drops out of someone's pocket while they're trying to pretzel themselves into an airplane seat, that person will probably just replace the memory stick without bothering to tell IT that there might be some very sensitive data floating around.

One well-known security person wondered who would bother to waste their time reading a memory stick. As PGP Director of Product Management John Dasher succinctly stated, "I would." The real trouble with data security is easy to see in the following scenario offered by Dasher: "Think of legitimate behaviors. A financial analyst goes into a secure database, legitimately. He does an extract of your top 1,000 customers. He slams it into a spreadsheet. It's no longer in a database, so database security is no longer at play. Now it's on a server, or a laptop, or a thumbdrive: multiple copies of highly sensitive, highly valuable information floating around."
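Dasher's scenario (a legitimate extract that now lives as a spreadsheet on a laptop or a thumb drive) is exactly what content-scanning DLP products hunt for, and the card numbers at the heart of the TJX story are the classic target. The Python below is an added example, not the post's code or any vendor's: it scans a constructed CSV export for payment card numbers using the two-step check such tools rely on, a digit-run pattern followed by the Luhn checksum, so that an order number of the right length is not flagged. Findings are masked on purpose: a DLP report should not itself become one more copy of the card number.

```python
"""Find payment card numbers in an exported file.

Added example; SAMPLE_EXPORT is constructed and uses well-known test card
numbers, not real accounts.
"""
import re

SAMPLE_EXPORT = """customer_id,name,card,note
1001,Alice Example,4111 1111 1111 1111,gold tier
1002,Bob Example,5500-0000-0000-0004,
1003,Carol Example,order 1234567890123456,not a card (fails Luhn)
1004,Dan Example,378282246310005,amex
1005,Eve Example,none on file,"""

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit-only form of every candidate that passes Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the BIN and last four; the report must not re-leak the number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_export(csv_text: str) -> list:
    """Return (line number, [masked PANs]) for every line holding a card number."""
    report = []
    for lineno, line in enumerate(csv_text.splitlines(), 1):
        pans = find_pans(line)
        if pans:
            report.append((lineno, [mask(p) for p in pans]))
    return report


if __name__ == "__main__":
    for lineno, pans in scan_export(SAMPLE_EXPORT):
        print(f"line {lineno}: {', '.join(pans)}")
```

The Luhn step is what separates a content scan from a false-positive generator: the 16-digit order number on Carol's row matches the pattern but fails the checksum, while the three test card numbers pass. The same logic applies unchanged to a file on a thumb drive, a mail attachment or a share, which is the point of Dasher's scenario.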


Accountability:The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ