Category: Compliance
Security Not a Top Priority for Many Small Businesses

I recently found an article that outlined a study about cyber security and small businesses. In the study, by Newtek Business Services’ Small Business Authority, it was discovered that “just 27 percent of small business owners have had an outside party test their computer systems to ensure that they are hacker-proof…” I found this to be a relatively shocking number, but one that is believable in today’s tough economy. It would seem that most small organizations are watching every penny, and during that type of number crunching, Information Technology and I.T. Security budgets are often the first to get cut. Security has always been one of those items that, to most organizations, has been a hard sell to upper management, particularly if that organization has never experienced any sort of security or data breach. Security budgets are often looked upon as, “Why are we spending so much money on something that may happen?” Until an organization is hit, it is often a tough sell for many to pass a decent security budget.

This same article also highlights a recent study by PwC that “found 43 percent of global companies think they have an effective information security strategy in place and are proactively executing their plans.” Another interesting finding in this report was the number of respondents that have “confidence” in their plans. “Seventy-two percent of the more than 9,600 security executives…report confidence in the effectiveness of their organization’s information security activities… (a number that) has declined markedly since 2006.” This figure, in my opinion, shows that even the large organizations, as much as they may feel prepared, really are not too confident in their security preparations.

Maybe their lack of confidence comes from the large number of data and security breaches that are reported every day. Behind these breaches are numbers as well. Another study from the Ponemon Institute, sponsored by Symantec, found “that the average cost of a data breach increased by seven percent to $7.2 million in 2010, with the most expensive data breach jumping 15 percent over the previous high to a whopping $35.3 million.” In addition, the study calculated that “the average data breach cost per individual compromised record is $214.” This is a staggering figure when you look at many of the breaches that have been reported; in most, hundreds of thousands of records are lost each time. Multiply these numbers by $214 and the fines and associated fees per breach will climb quickly.

With these numbers in mind, this goes back to my original point: only 27 percent of small business owners value security enough to have an outside company come in and test their security. Taking into account that many small organizations may not have the capital available for such security or “penetration” tests, it also begs the question, “Will they have enough capital to cover the fines and other fees associated with a data breach ($7.2 million in 2010)?”

Is your Security Policy up to date?

It seems that every day we see a story in the news about an organization that has been affected by a data breach. And it also seems that these organizations may not have been maintaining a secure infrastructure with which to protect their data. Although this may seem illogical, this is often the case. An organization may have the stoutest, layered defense in place, but a well-targeted attack, or “spear phishing” attack, can bypass these controls quickly and easily. Since a task as simple as opening a malicious file in an email can compromise the data of an entire organization, this highlights the importance of an organization’s overall information security policy, specifically any administrative controls that may be in place.

These spear phishing attacks will often target specific individuals within an organization with emails that appear to be legitimate. If these email messages look authentic enough, they will often entice the recipient to open a malicious attachment, disguised as a legitimate document or spreadsheet. Once this is done, the attacker may potentially gain access to the recipient’s computer or beyond.

In this day and age, ensuring that your employees are knowledgeable and up to date on relevant security policies and procedures is critical to reducing the risk of targeted attacks within your organization. This should begin with basic messaging to your employees that outlines your security policy, including acceptable use criteria and specifically outlining what to watch for in a potentially malicious email. In addition, annual or semi-annual testing or certification will also help to ensure that your employees are made aware of your security policies and have confirmed this knowledge.

This may seem like an overly simple and meaningless task, but it’s one that is often overlooked. While logical controls, like your firewalls, routers and IDS/IPS devices, will hopefully mitigate the majority of questionable messages and traffic patterns into your organization, knowledgeable and vigilant employees are often an important last line of defense in protecting your organization’s information assets.

Cloud Computing: Moving Faster than the Speed of Law

Regulators are in a constant race to keep pace with advances in technology. Cloud Computing is no different. The United States legal system currently has no choice but to try to mold existing laws into viable solutions for the inevitable problems of Cloud privacy and security.

The Stored Communications Act (SCA) of 1986 is the primary source of guidance for Cloud Computing regulation in the United States. The act was written with the reality of the 1980s in mind and contains little accommodation for future technological advancements. The SCA breaks computer networks into two distinct camps: Electronic Communication Services (ECS) and Remote Computing Services (RCS). ECS covers data transmission and electronic mail, while RCS is for computer processing and data storage provided by third parties to businesses. The specific purpose of the RCS portion of the act is to protect the privacy of a business’s data while in the hands of the provider. Most Cloud services fall under the RCS portion of the act. This is problematic, as RCS has fewer privacy protections associated with it than ECS.

According to the SCA, the government can access data stored in an RCS if it can prove the data pertains to a criminal investigation. Although a provider such as Google can act as both an ECS and an RCS, not all of its services automatically qualify for the greater ECS protections. To confuse matters further, the SCA privacy protections granted to subscribers of an email service are subject to the determination of the individual court. In some cases, the data will be covered by either ECS or RCS depending upon the status (opened or unopened) of the messages. Even if the user’s data is determined to be covered by the SCA, however, it is not necessarily safe. The USA Patriot Act of 2001 specifically states that a user’s data may be subpoenaed “without notification of the data owners.”

One last pitfall a potential user may also be up against is using a Cloud provider whose service intentionally qualifies for neither ECS nor RCS protections. This most commonly happens with contextual advertising that replaces user fees. For contextual advertising to work, the provider must access the user’s data to determine what ads they will receive. That access violates SCA protection requirements, because the user is no longer using their provider solely for data storage or processing, as specified in the act.

Staying with the theme of advertising denying privacy protections, the tired cliché of “but wait, there’s more” gains new meaning. Enforcing existing regulations can be very challenging. Simply determining who is processing the data is difficult. If the processing is taking place in a state or country other than where the user resides, who has jurisdiction? Is it the user’s state, or the state or country where the data is stored and processed? What happens if the state that is determined to have jurisdiction has few or no information security laws?

Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have Breach Notification Laws that protect users who store personal information online. In short, these laws require that data owners storing a user’s personal information inform the user if unauthorized access to that data has occurred. Despite the existence of these Breach laws, the majority of states do not have laws requiring companies to implement reasonable information security measures. Instead, it is up to the companies themselves to determine what, if any, security measures they wish to put in place.

Obviously, the issues outlined above show the many holes in current regulations. The United States must replace or update the SCA. All states must be required to join those who have enacted information security laws. Unfortunately, Cloud providers are in no rush to see the government pass legislation that favors their users in cases of privacy and security breaches. It is easy to imagine that industry lobbyists will ultimately play a role in any new laws passed.

To the individual user, the answer seems clear. At the very least, they should choose a Cloud provider who is located in the United States and stores their data here as well. More importantly, until all 50 states get on board, it is most wise to choose a provider in a state that has privacy and security laws in place.

Data Breach Disclosure Laws Are Now Long Overdue

Ah, Europe – why do its citizens seem to have to wait forever for action to be taken on issues that seem obvious to everyone else? While they may take some solace from the overdue departure of Signore Silvio Berlusconi (although I’m sure they will miss his ‘unique’ brand of humour – what a card!) it seems they will have to wait longer than expected for the right to find out if their personal information has been compromised.

Earlier this month, the European Commission (EC) announced that it was delaying the release of a new version of its Data Protection Directive – originally scheduled for mid-November – until the end of January 2012. When released, the legislation will install a welcome ‘mandatory data breach disclosure’ ruling across both public and private sector organisations, requiring them to report any breaches to relevant regulatory bodies, such as the UK’s Information Commissioner’s Office (ICO), as well as inform affected individuals. The ruling is expected to have global implications, as the law is likely to also cover non-EU companies that store data on European citizens.

Laws enforcing mandatory data breach disclosure are now long overdue in Europe. Such legislation is already in place in the US, and our recent research shows that the majority of the UK public are dissatisfied with the minimal consequences UK organisations face when they jeopardise sensitive data. Eighty-three percent of the 2,000 UK consumers we surveyed support compulsory data loss disclosure legislation, and the delay means they’ll have to wait even longer before this governance is in place.

With an unprecedented number of high profile data breaches occurring in the past year, this will no doubt be a huge frustration to the UK public, who are more prepared than ever to take drastic action against organisations that lose data. Our survey found that 26 percent of respondents were adamant they would never have anything to do with organisations which had lost data as a result of cyber crime, a rise of nine percent when compared to similar LogRhythm research conducted in 2010.

Once mandatory data breach disclosure laws are enforced, organisations will find they need to develop a much deeper insight into the activity taking place across their networks. This is because they will be required to generate accurate notifications which will specifically identify who and what has been compromised. This has been a particular problem in the US, and many companies are forced into issuing blanket breach notifications, which may even overstate the severity of the incident, due to a lack of visibility into their IT systems.

Solving this problem depends on organisations making better use of the log data generated by IT equipment. Both investigating breaches after they occur and detecting them beforehand depend on systems that can automatically collect and analyse 100 percent of log data in real-time. Only this approach can provide the forensic insight required to truly understand how threats penetrate systems and compromise data. With data breach incidents reaching an all-time high this year, it is clear that traditional perimeter security solutions are an inadequate defence. Organisations now require the traceability provided by continuous log data analysis to identify anomalies, formulate damage limitation strategies and generate accurate breach notifications.

However, organisations should not wait for new legislation to obligate them into gaining a better understanding of the IT estate. The high proportion of the UK public in favour of mandatory notification tells us a lot about the lack of trust that exists when it comes to an organisation’s ability to defend against cyber attacks, and when asked if organisations are doing enough to secure customer data, 81 percent did not believe this was the case and that more needed to be done. Clearly it is best practice to be constantly aware of the smallest changes that occur across organisations’ IT systems, which will help to ensure major breaches do not occur in the first place.

Unfortunately, online threats are becoming ever more sophisticated and harder to identify. If only IT systems wore undesirable activity as a badge of honour like Italy’s departing premier – it would certainly make the CIO’s job a lot easier!

Where is YOUR line drawn?

I had a busy weekend.  I was recovering my elderly mother’s email account from a spam bot, while at the same time containing her stress levels about the safety of her associated PayPal, Amazon and eBay credentials.  This proved a troublesome affair – particularly considering I only just managed to intercept the backdoor account that the script was trying to put in place.

I tried to keep in mind that this kind of attack is not personal. How could it be? It’s just a script, right? Well, then I was talking to a friend about the situation and I realised that my much beloved mother was as defenceless in the face of this assault as she would have been in the face of an actual armed physical assault. To an able-bodied person with a sufficiently foolhardy nature, physical assaults can be challenged. Similarly, a cyber-theft to a technically competent person is typically more inconvenient than actually costly.

However, to someone who doesn’t know to immediately check the backdoor accounts for a hijacked identity, or to get a password reset sent, then this sort of thing could rapidly degenerate into a seriously injurious affair, both in terms of the stress and the cost.  However, even with all those factors in mind, I see this sort of crime in the same way as I see street theft.  It’s just villainy.  Nothing personal, and just the way that undesirables make money.

However, I found my limit after the recent hacking of the Sesame Street channel. This was where hacking for the nobility of the art, or to illustrate to people what was possible in the face of lax security, was forgotten. This was just vandalism – and particularly damaging and ill-informed vandalism too. Whatever your feeling is about pornography, you’ll hopefully agree that posting it to a channel where the median visitor age is 8 years old crosses a line.

But what can we take from this?  Given that the internet is peppered with people who would do this sort of thing, what safeguards were in place to stop them?  Consensus suggests that the channel concerned had a weak password.  In this instance, is there anything to be gained from ultimate culpability for the channel administrator?  Probably not this time, but if it happens again, then that’s a different matter.

We need to learn these lessons once, and learn them well. Safeguards are available in the form of quality SIEM solutions and a raft of best practices that underpin internet security. Everyone – particularly those responsible for what reaches young eyes – needs to make use of them.