<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Radical Development &#187; Business</title>
	<atom:link href="http://radicaldevelopment.net/tag/business/feed/" rel="self" type="application/rss+xml" />
	<link>http://radicaldevelopment.net</link>
	<description>Technical without the Technicalities</description>
	<lastBuildDate>Sun, 05 Feb 2012 02:36:23 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Free Web Security Books, Whitepapers, and Reports</title>
		<link>http://radicaldevelopment.net/free-web-security-books-whitepapers-and-reports/</link>
		<comments>http://radicaldevelopment.net/free-web-security-books-whitepapers-and-reports/#comments</comments>
		<pubDate>Mon, 21 Nov 2011 16:56:29 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Free]]></category>
		<category><![CDATA[Mobile]]></category>
		<category><![CDATA[Technology/Internet]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=10533</guid>
		<description><![CDATA[The Shortcut Guide to Business Security Measures Using SSL This guide examines current information security threats to business and describes techniques for developing a security management strategy that leverages established best practices. Designed for IT professionals and business managers, this guide provides an overview of security threats, their impact on businesses, and, perhaps most importantly, &#8230; <a href="http://radicaldevelopment.net/free-web-security-books-whitepapers-and-reports/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<h2>The Shortcut Guide to Business Security Measures Using SSL</h2>
<p>This guide examines current information security threats to business and describes techniques for developing a security management strategy that leverages established best practices. Designed for IT professionals and business managers, this guide provides an overview of security threats, their impact on businesses, and, perhaps most importantly, practices and technologies for controlling security risks. The first chapter begins with a discussion of cybercrime and the business resources targeted by increasingly sophisticated and organized attackers. The second chapter moves to examine how common weaknesses in business processes, such as insufficient use of SSL, leave organizations vulnerable to data breaches and compromised systems. The final two chapters address how to create a high impact security strategy and implement best practices, including multiple uses of SSL technologies, to protect your business.</p>
<p><a href="http://radicaldevelopment.tradepub.com/free-offer/the-shortcut-guide-to-business-security-measures-using-ssl/w_verb42?sr=hicat&amp;_t=hicat:798">Request Now</a></p>
<h2>A Prescription for Privacy: What You Need To Know About Security Requirements for Electronic Health Records</h2>
<p>Learn the measures that organizations need to start taking right now to prepare for the upcoming changes in the healthcare industry. As organizations implement EHRs&#8211;or as they ramp up their existing systems to make them more robust&#8211;concerns about patient privacy will move to the forefront. This report looks at the challenges surrounding the new world of EHR technology, including the requirements that govern protecting confidential patient data online, as well as security breaches and other risks that come with storing and accessing that information with web-based systems.</p>
<p><a href="http://radicaldevelopment.tradepub.com/free-offer/a-prescription-for-privacy-what-you-need-to-know-about-security-requirements-for-electronic-health-records/w_verb37?sr=hicat&amp;_t=hicat:798">Request Now</a></p>
<h2>Beginners Guide to Digital SSL Certificates</h2>
<p>Whether you are an individual or a company, you should approach online security in the same way that you would approach physical security for your home or business. This guide will de-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.</p>
<p><a href="http://radicaldevelopment.tradepub.com/free-offer/beginners-guide-to-digital-ssl-certificates/w_verb40?sr=hicat&amp;_t=hicat:798">Request Now</a></p>
<h2>Implementing Best Practices for Web 2.0 Security with the Websense Web Security Gateway</h2>
<p>The way to address Web 2.0 threats is to combine the best aspects of traditional security and control techniques with new technology designed specifically for the dynamic, real-time nature of Web 2.0. This paper describes how the Websense Web Security Gateway enables you to quickly and effectively implement a best-practices approach to making Web 2.0 secure and effective.</p>
<p><a href="http://radicaldevelopment.tradepub.com/free-offer/implementing-best-practices-for-web-2.0-security-with-the-websense-web-security-gateway/w_aaaa1641?sr=hicat&amp;_t=hicat:798">Request Now</a></p>
<h2>Mobile Device Management and Security</h2>
<p>This paper describes how to benefit business users with secure mobile access to corporate data systems, and the solutions that work. The evolution of mobile networks and devices has changed the way we communicate, with people increasingly able to stay in touch through greater mobility and flexibility than ever before. This evolution is also changing the way people work. Time and money can both be saved when mobile employees have easy access to information and their corporate IT infrastructure. At the same time, the security of that information, as well as the ability to manage access to it, has never been more important. Learn about the fundamentals of security and device management and how you can provide secure mobile access to corporate data systems that benefits business users.</p>
<p><a href="http://radicaldevelopment.tradepub.com/free-offer/mobile-device-management-and-security/w_aaaa992?sr=hicat&amp;_t=hicat:798">Request Now</a></p>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/free-web-security-books-whitepapers-and-reports/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Financial Industry Modern Day Privacy Policies</title>
		<link>http://radicaldevelopment.net/financial-industry-modern-day-privacy-policies/</link>
		<comments>http://radicaldevelopment.net/financial-industry-modern-day-privacy-policies/#comments</comments>
		<pubDate>Thu, 17 Nov 2011 05:36:35 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Amazon]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9779</guid>
		<description><![CDATA[Financial Privacy &#38; Electronic Commerce: Who&#8217;s In My Business? This is the question. The financial industry, whether banking, investments, or credit card services, faces an ever-changing landscape when it comes to privacy, and if firms are to safeguard themselves and their consumers, a proper plan must be implemented. There are a number of &#8230; <a href="http://radicaldevelopment.net/financial-industry-modern-day-privacy-policies/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[
<p>Financial Privacy &amp; Electronic Commerce: Who&#8217;s In My Business? This is the question. The financial industry, whether banking, investments, or credit card services, faces an ever-changing landscape when it comes to privacy, and if firms are to safeguard themselves and their consumers, a proper plan must be implemented. There are a number of challenges surrounding privacy in terms of data protection, consumer confidence, supplier partnerships, and of course laws and regulations. The financial industry is particularly at risk because of the nature of its business as well as the sheer volume of transactions and the sizable customer base. Not only does the Internet pose what is likely the single largest risk in the realm of privacy, but traditional communications must also properly address privacy.</p>
<p>To set the stage for what privacy means, the Webster dictionary defines privacy as the quality or state of being apart from company or observation. With the definition of privacy clear, the financial industry must account for laws and regulations in order to safeguard both itself and its customers. To address privacy it is imperative to establish a policy that outlines how a bank manages and shares personal information. Many banks will use personal information to increase partnerships, provide a good or service, or even to assist in protection against fraud and identity theft. At this point, the scope of privacy begins to take form.</p>
<p>Over the years, a business typically used paper-based statements and communications to convey information, but in the modern day the Internet has improved on the legacy business model. While the Internet has not entirely replaced the legacy model, it does offer convenience for consumers and at the same time helps to reduce costs for a business, at least in terms of traditional mailers. Of course, the Internet also opens the door to hackers who can exploit vulnerabilities as well as take advantage of the population that does not follow sound security practices. In order to properly address privacy, the financial industry must abide by laws and regulations while also sharing in the responsibility of educating suppliers, partners, and consumers.</p>
<p>This article will take a deeper dive into the financial industry in terms of a comparison and contrast as well as recommendations in the area of change that must occur.</p>
<h2>Organization and Mission</h2>
<p>The banking industry exists to serve customers ranging from individuals to corporations and groups. The role of a bank is to facilitate the end goals of financial freedom and investment. The banking industry is also a staple of both the United States and global economies, which in turn drives a robust need for regulations and laws. Typically, a mission statement may include:</p>
<ol>
<li>Provide best-of-breed financial services</li>
<li>Accountability to shareholders and customers</li>
</ol>
<p>By nature the banking industry is at considerable risk simply because the sheer amount of sensitive customer data it holds is enormous. The details of personal information and daily transactions drive strong concerns among customers from both a privacy and a security point of view.</p>
<h2>Privacy Policy and Laws</h2>
<p>The Federal Deposit Insurance Corporation (FDIC) is in place to aid in protecting the privacy of participants and the overall banking industry. The FDIC commonly provides both high- and low-level guidance in the area of financial activities and operations, and in other limited circumstances such as where required for law enforcement and public disclosure activities. In addition, only the minimum necessary information will be used, except in limited situations specified by applicable law. Other uses and disclosures of financial transactions will not occur unless the customer authorizes them. Customers will have the opportunity to inspect, copy, and amend their privacy elections as required by existing laws and regulations. Privacy is extremely important within the financial industry. Customers may also exercise the rights granted to them under these same laws and regulations free from any intimidating or punitive acts. The public in general is becoming much more educated about and aware of the risks to personal information, as well as of how all facets of business share information; because of this, there are two fundamental principles:</p>
<ol>
<li>Establish both initial and annual privacy policies</li>
<li>Provide a mechanism for customers to opt in or opt out with information sharing</li>
</ol>
<p>There are established acts that allow banks to share customer information, and one such act is the Gramm-Leach-Bliley Banking Modernization Act of 1999. Oddly enough, the Gramm-Leach-Bliley Banking Modernization Act is rooted in a case involving Victoria’s Secret. In this case, Representative Joe Barton of Texas felt that his credit union had disclosed his address to Victoria’s Secret even though he had not established a business relationship with Victoria’s Secret. As we turn our attention to the scope of technology and the variety of uses it brings to the table, it becomes apparent that technology helps in everyday life activities but, at the same time, this same technology has unmistakably broken down other aspects of privacy.</p>
<h2>Policy and Law Changes</h2>
<p>The single largest challenge within the financial industry may be how privacy is addressed in terms of business and the end consumers. While there are both modern and historical laws and regulations, they often conflict with one another or, worse, leave open opportunities that are easily exploited or even entirely overlooked. The banking industry as a whole is doing a much better job surrounding privacy, but as technology and business partnerships continue to evolve, so does the need to revisit current policies and laws.</p>
<p>Data collection and sharing have become so important to conducting business that ethics takes center stage. Over two decades ago, four ethical issues arose from the information age and a new acronym was born, PAPA, which calls out privacy, accuracy, property, and accessibility. The challenge is to take all existing laws, whether at the state or federal level, and balance these laws across the banking industry while keeping in mind the needs of the business and, most importantly, the customers.</p>
<h2>Individual Rights</h2>
<p>All consumers must have the right to access, inspect, and copy their information in accordance with policy and laws. The banking industry generally must honor these rights, except in certain circumstances where disclosing the information would result in a breach of the privacy of a spouse or family member, as permitted under applicable laws. Once consumers begin to understand their rights, only then will they be in a better position both to protect them and to self-police the banking industry. Of course, this is easier said than done. Most consumers are provided privacy information by the financial vendor with which they conduct business, but the information is confusing at best. Stop and consider for a moment the process a consumer undergoes when opening a checking account with a bank. The bank adheres to laws and provides a privacy statement, but more often than not these same privacy statements are written in legal terms rather than common everyday language. The Federal Trade Commission (FTC) plays a vital role between consumers and industries. Overall, the FTC performs to expectations in terms of consumer protection, and one such example is the Fair Information Practice Act of 1997. This act outlines five core principles:</p>
<ol>
<li>Notice and Awareness</li>
<li>Choice and Consent</li>
<li>Access and Participation</li>
<li>Integrity and Security</li>
<li>Enforcement and Redress</li>
<li>Liability</li>
</ol>
<p>Should banks not conform to laws and regulations, the results can be disastrous to the industry itself, but more importantly they have the potential to destroy personal financial freedoms. For example, Chase Manhattan Bank was charged with selling its customers’ purchase history, and an agreement was reached in 2000 with the New York State Attorney General’s office. There are many other cases similar to the Chase Bank infraction that have driven the need for strong penalties when privacy is violated. To better understand the liabilities surrounding privacy, one must first understand the measures of protection, which may include:</p>
<ol>
<li>Implement a clean desk practice. Personally Identifiable Information (PII) must be put away if the employee is away from his or her desk throughout the day, and PII will be placed in closed and locked drawers or cabinets when the employee is not in the office.</li>
<li>PII in paper format will be destroyed when it is obsolete or is not required to be retained for storage purposes, with shredding the preferred method of destruction.</li>
<li>Limit the substance of PII in conversations with partners and other outside vendors to the required minimum necessary.</li>
<li>Implement reasonable measures to prevent other individuals from overhearing conversations, e.g., using speakerphone only when in a closed office.</li>
<li>Limit remote access to systems to secure methods.</li>
</ol>
<p>By starting with these five points, the groundwork starts to take shape and a clear understanding of risks begins to surface. Only once risks are identified and categorized can liability start to be reduced, by building strong policies and procedures around those risks. In the case where a bank is conducting business over the Internet, the Federal Reserve Board (FRB) has established guidelines where additional disclosure rules are needed both to protect consumers and to reduce the liability of the company in question.</p>
<h2>Risk Management</h2>
<p>Managing risk is a responsibility shared by both the financial industry and consumers, and each must participate in certain risk management activities to ensure compliance. The business has the greatest responsibility, and because of this there are numerous opportunities when it comes to reducing risk:</p>
<ol>
<li>Workforce training on the Policies and Procedures</li>
<li>Developing a complaint process for individuals to file complaints</li>
<li>Designing a system of written disciplinary policies and sanctions</li>
<li>Mitigating damages resulting from improper use or disclosure</li>
<li>Retaining copies of its Policies and Procedures, written communications, and actions</li>
</ol>
<p>Some of these risk management rules require stakeholders to design processes affecting employees under their control.</p>
<h2>Complaints</h2>
<p>Banks must have an established process to handle a person’s complaint about their privacy policies, procedures, practices, and compliance. The resolution of complaints depends on the varying facts and circumstances of the complaint. Examples of viable complaint resolution include:</p>
<ol>
<li>Educating the consumer</li>
<li>Implementing changes in the policies, procedures, and practices</li>
<li>Providing appropriate training for employees</li>
<li>Issuing new communication materials both to the company and consumers</li>
</ol>
<p>This process will assist in properly addressing consumer concerns as well as assisting banks in terms of legal obligations.</p>
<h2>Security Implications</h2>
<p>At the end of the day, privacy is much more than just protecting information. When a bank’s information is breached by hackers, or even through the everyday nature of business, the results are extremely damaging. The criminal act of stealing identities is a billion-dollar criminal enterprise, and it all starts with improper privacy practices. While many countries have defined agencies that oversee privacy, the reality is that these same agencies tend to be rooted in existing laws that are outdated, or must advocate for new laws.</p>
<h2>Conclusion</h2>
<p>At this point, the gravity of privacy as applied to both the banking industry and consumers should be a call to action. Banks must make every reasonable effort to protect the privacy rights and interests of consumers in the collection, use, transfer, or retention of information to prevent inappropriate or unnecessary disclosures of information.</p>
<p>In closing, the following is instrumental to continually understanding and measuring privacy concerns. The financial industry must make every reasonable effort to protect the privacy rights and interests of consumers and their partners, including preventing unnecessary disclosures of information. The industry must further comply with all existing laws and regulations. Since technology has become commonplace, the online privacy aspect opens another area of concern that warrants a drastic change in regulations. Of course, the challenge is the ever-changing technology landscape, which typically drives those who enact laws to move quickly while often not fully comprehending the challenges surrounding modern day technology.</p>
<h2>References</h2>
<ol>
<li>Burton, R. N. (2000). Discussion of information technology-related activities of internal auditors. Journal Of Information Systems, 14(1), 57. Retrieved from <a href="http://www.atypon-link.com">http://www.atypon-link.com</a></li>
<li>Earp, J., &amp; Payton, F. (2006). Information privacy in the service sector: an exploratory study of health care and banking professionals. Journal Of Organizational Computing &amp; Electronic Commerce, 16(2), 105-122. doi:10.1207/s15327744joce1602_2</li>
<li>FDIC. (2001). Privacy Rule Handbook. Federal Deposit Insurance Corporation (FDIC). Retrieved on November 13, 2011 from <a href="http://www.fdic.gov/">http://www.fdic.gov</a></li>
<li>Hale, R. (2001). Federal privacy regulation of Internet credit card advertising and solicitation. Journal Of Internet Law, 4(7), 16. Retrieved from <a href="http://www.aspenpublishers.com">http://www.aspenpublishers.com</a></li>
<li>Hoofnagle, C. &amp; Honig, E. (2005). Victoria&#8217;s Secret and financial privacy. Retrieved from <a href="http://epic.org/privacy/glba/victoriassecret.html">http://epic.org/privacy/glba/victoriassecret.html</a></li>
<li>Mason, R. (1986). Four ethical issues of the information age. MIS Quarterly, 10(1), 5-12. Retrieved from <a href="http://www.jstor.org">http://www.jstor.org</a></li>
<li>Nilakanta, S., &amp; Scheibe, K. (2005). The digital persona and trust bank: A privacy management framework. Journal of Information Privacy &amp; Security, 1(4), 3-21. Retrieved from <a href="http://www.ivylp.com">http://www.ivylp.com</a></li>
<li>Warren, A. (2007). Stolen identity: Regulating the illegal trade in personal data in the &#8216;Data-Based Society&#8217;. International Review of Law, Computers &amp; Technology, 21(2), 177-190. doi:10.1080/13600860701492187</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/financial-industry-modern-day-privacy-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Regulatory Requirements And PCI Standards</title>
		<link>http://radicaldevelopment.net/regulatory-requirements-and-pci-standards/</link>
		<comments>http://radicaldevelopment.net/regulatory-requirements-and-pci-standards/#comments</comments>
		<pubDate>Sun, 09 Oct 2011 22:40:37 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Technology/Internet]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9599</guid>
		<description><![CDATA[Attacks on the all facets of business emphasizes the importance of cyber security to all businesses. It is an important reminder that many businesses see the threat of cybercrime as too remote to be worth the high cost and effort. Restaurants and retail outlets are particularly vulnerable, because their point-of-sales systems are usually connected to &#8230; <a href="http://radicaldevelopment.net/regulatory-requirements-and-pci-standards/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Attacks on all facets of business emphasize the importance of cyber security to all businesses. It is an important reminder, because many businesses see the threat of cybercrime as too remote to be worth the high cost and effort. Restaurants and retail outlets are particularly vulnerable, because their point-of-sale systems are usually connected to the Internet. Small businesses that execute transactions online also expose merchant transactions to would-be attackers. The variety and scope of strategies available to cyber criminals is vast. These strategies include website compromise, email/spamming, social engineering, and viruses obtained from social networking sites. The typical anti-malware programs and a few personal identification numbers are no longer effective protections for small businesses against cybercrime.</p>
<p>In most facets of business, a large percentage of financial transactions occur electronically, either by credit card or debit card. Since these types of transactions carry an inherent security risk, acceptable standards had to be defined. Many businesses fail to follow Payment Card Industry Standards (PCI). Many business owners could avoid intrusions if they made sure that their point-of-sale software met these standards. PCI standards include a variety of measures that are particularly relevant for business owners but are often overlooked. These security measures include employee security awareness training, policies and procedures, transaction security measures (such as encryption standards and PIN codes), and frequent vulnerability scans. According to PCI Security Standards, most network invasions of a small business database take place in businesses that fail to meet PCI standards. The Payment Card Industry Data Security Standard (PCI DSS) outlines requirements that enforce proper measures for processing, storing, and transmitting data in a secure manner. PCI DSS serves a purpose; however, many believe this regulation is nothing more than a hurdle in front of the true problem of security, and because of the controversy the PCI Standards Council has begun addressing a number of updates. The proposed changes begin to tackle the use of technology to determine vulnerabilities, as well as secure coding fundamentals early in the Software Development Life Cycle (SDLC). While PCI DSS addresses the issue of security, it does not remove the responsibility a business has; in fact, Bob Russo of the PCI Security Standards Council stated:</p>
<blockquote><p>Ultimately, it is the merchant’s responsibility to make sure that they have the right contracts in place, and make certain that their providers are working in a compliant manner.</p></blockquote>
<p>Still, business and industry experts are speaking out, saying that PCI DSS is often too slow to adapt to the constant change of technology. For example, in 2006, TJX Companies fell victim to a breach via wireless technology, and the PCI Security Council did not produce guidance in this area until mid-2009.</p>
<p>Achieving PCI DSS compliance brings with it the task of addressing additional components of security that are applicable at all levels of business. While regulations provide direction as to expectations, they do not address how to achieve compliance. Because of this, a business must define internal processes that will ensure compliance by accounting for training, policy, communications, and planning. Therefore, many argue that regulations lead to conflict within the day-to-day operations of Information Technology (IT) when it comes to true security. While many would like a solution that clearly defines expected behaviors and outcomes, this is not realistic. Every business must define the processes that work best in its given circumstances.</p>
<p>While many companies may feel that regulations place an undue burden upon them, the reality is that security breaches typically decrease. It is a proven fact that businesses that adopt PCI DSS and take on its challenges are much more secure than those that do not. To support this assertion, a recent 2011 PCI DSS Compliance Trends Study depicts the value to organizations of adopting PCI DSS.</p>
<p>What is probably most alarming is the fact that the businesses that suffered one or fewer breaches were non-compliant. Could it be true that PCI DSS is nothing more than a hindrance? To answer this question, it is important to note that among businesses that suffered two or more breaches, breaches were more frequent than among businesses that were compliant. The lesson to take away here is that regulations were never intended to be the final solution; rather, they are intended to provide assistance and direction.</p>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/regulatory-requirements-and-pci-standards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. Government Cybersecurity Role in Private Industry</title>
		<link>http://radicaldevelopment.net/u-s-government-cybersecurity-role-in-private-industry/</link>
		<comments>http://radicaldevelopment.net/u-s-government-cybersecurity-role-in-private-industry/#comments</comments>
		<pubDate>Wed, 21 Sep 2011 05:15:27 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Technology/Internet]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9572</guid>
		<description><![CDATA[What is the U.S. Government Cybersecurity Role in Private Industry? At the epicenter of cybersecurity resides the difficult task of how organizations tackle security in every sense of the term.  While many groups may argue, the United States Government has an obligation to enact laws and regulation that both assists and provides guidance in the &#8230; <a href="http://radicaldevelopment.net/u-s-government-cybersecurity-role-in-private-industry/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>What is the U.S. Government Cybersecurity Role in Private Industry? At the epicenter of cybersecurity resides the difficult task of how organizations tackle security in every sense of the term. While many groups may argue that the United States Government has an obligation to enact laws and regulations that both assist and provide guidance in the cyber world, this is a highly debatable subject. In reality, business conducted via electronic means has advanced so quickly over the last ten years that legislation has fallen behind to the point that today the risks are vast. National security is at risk, and electronic cyber warfare is increasingly important and similar to the traditional responsibility of the United States Military to protect citizens from both domestic and foreign threats. To put the urgency of this matter into perspective within the private sector, all that is required is to reference the cyber-attacks upon Sony and its PlayStation network in early 2011. Once the smoke cleared, the estimated financial impact was $170 million. Beyond the obvious financial impact to a business is the concern about consumers. It is clear that while security education is on the rise, basic security measures are ignored by many organizations for reasons that are not clear.</p>
<p>What better way to begin addressing the relationship of the United States Government and the private sector than turning to the Chief Executive Officer (CEO) of Northrop Grumman and his remarks on cyber-attacks.  In September 2011, Wes Bush was addressing an audience at the Aerospace and Defense Summit and made the statement that further regulations are warranted to address cyber security (Wutkowski, 2011).  In today’s political climate, this statement is clearly in the minority, as many are now calling for less regulation.  The need for regulations may be questionable, but it does set the stage for a debate on combating the problem at a level where a variety of interested parties will have a voice in the matter.</p>
<p>There have been partnerships that span across the government to include cabinet-level departments, states, other countries, and over sixty private sector organizations.  This partnership, called Cyber Storm, has the purpose of identifying threats, establishing procedures, addressing information sharing, and capturing lessons learned (Homeland Security, 2011).  Cyber threats are not isolated to the private or public sector; therefore, partnerships such as Cyber Storm bring these sectors together to best address the ever-growing cyber threat.</p>
<p>Over the last decade, more and more regulations have become law that level the playing field and protect both business and consumers.  Many individuals claim that the federal government has done nothing but intrude into private business, to a degree that business often believes the federal government has crossed the line (Fisch, 2004).</p>
<h2>High Level Threat Overview</h2>
<p>Cyber threats stem from a wide range of technologies, with arguably the greatest challenge being the individual.  Once these threats are defined and understood, only then does the bigger picture come into focus.  Verizon Security publishes its security findings each year, and Figure 1 demonstrates how the mechanisms of security breaches differ as well as outlining the landscape in which they occur (Baker, 2011).</p>
<h2>Government Responsibility</h2>
<p>While I understand the role of the government, the concern is that many regulations may not have been completely and appropriately addressed because technology is both complex and a moving target.  For example, the U.S. Congress has taken up a bill that addresses personal data privacy and security, which on the surface sounds like a noble cause.  The issue may be that Congress is not entirely capable of instituting the details, which will be executed within the affected entities across the nation.  While this bill outlines legal authority and defines the roles clearly, it is not entirely clear in the details of implementation and execution.  The most alarming part of this bill is that Internet Service Providers (ISP) are mandated to keep 18 months of history when it comes to their customers.  While the bill speaks to security, it does not provide meaningful and clear guidance, and if we continue to see data breaches like those that occurred in 2011, a breach of this private data will become the single greatest risk.</p>
<p>Often regulations lay the framework but fall short of properly addressing the underlying problem, and security is a moving target.  To overcome this, the government should partner with business experts to address the shortcomings of regulations.</p>
<p>Businesses typically do a good job of protecting themselves, their employees, and their infrastructure, but often come up short in protecting consumers.  In fact, consumers depend entirely too much on the organization they are conducting business with to establish and provide proper security measures (Crews, 2007).  Obviously, this dependency was shown to be fundamentally flawed when Sony’s PlayStation Network fell victim to a substantial cyber-attack.</p>
<p>This bill, as well as past and future regulations, will begin addressing both privacy and security as organizations begin to understand the scope of the risk.  One argument is that anonymity contributes to the security problem, and there are those who believe individuals must be clearly identified, similar to proper identification such as a driver’s license (Crews, 2007).  A modern-day example of taking identity seriously is Google+ and its requirement for real and verifiable names, which in its own right has been surrounded with controversy.  In order for the Internet to become a safer environment, we must undergo change, and there will be growing pains.  While no one desires the “big brother” effect, our government is responsible for protecting its citizens.</p>
<h2>Private Industry Responsibility</h2>
<p>As a deeper dive into the private sector occurs, it becomes evident that this sector bears a large responsibility in terms of national security.  In reality, the private sector provides services to the government and in many cases possesses information that, if it fell into the wrong hands, would substantially affect a number of areas.  Take the military as an example: the dependency and relationship between the government and private industry is very clear.  The military procures aircraft, ships, weapons, and much more, all from private industry.  Clearly, this industry must protect national security as well as work closely with the government to ensure this is accomplished.</p>
<h2>Private Industry and Government Partnership</h2>
<p>Private industry is clearly the single largest stakeholder in terms of finances, while the government’s stake falls into public safety (Lin et al., 2007).  In terms of roles and responsibility, the decision would vary depending on who is speaking.  At the end of the day, private industry should bear the largest responsibility, with government regulations to assist.  To drive home this point, the National Research Council (NRC) published a paper that outlines five key steps that address barriers to cybersecurity (Lin et al., 2007).  From this publication came a proposal in terms of regulation titled the Cybersecurity Bill of Rights (CBoR).  Should you ask if cybersecurity is at the point that government intervention is required, the answer is yes!  According to Harry D. Raduege (2009),</p>
<blockquote><p>Nearly every day our nation is discovering new threats and attacks against our country&#8217;s networks.  Inadequate cybersecurity and loss of information has inflicted unacceptable damage to U.S. economic and national security.  (p. 37)</p></blockquote>
<p>The threat surrounding the nation’s cyber infrastructure is rooted in reality, and the future of cyber warfare is quickly becoming painfully disturbing.  The lack of urgency will be a detriment to the economy and national security.  At the end of the day, the real issue comes down to the fact that companies do not believe the government can help in resolving the problems they face within the business segment (Homeland Security, 2005).</p>
<h2>Real World Examples</h2>
<p>Arguably, 2011 should be labeled as the year of the hacker.  Data breaches came from all types of private industries as well as governments across the globe.  By the end of the third quarter of 2011, the list of large names that fell victim to cyber-attacks included McAfee, Sony, the Central Intelligence Agency (CIA), and many more (The Guardian, 2011). Taking a deeper look at the scope of organizations that were impacted, the fact emerges that no one is safe. What is likely most distressing is the top three, which include hospitality, retail, and financial services.  These three areas of business play an enormous role in the economy, and the associated risk is critical to an immense audience.  In fact, a breach in the financial services group could potentially cause damage across the globe, not to mention the possibility of destroying individual investment opportunities or even retirement plans.</p>
<h2>Challenges</h2>
<p>In order for the private sector and the government to provide the much-needed security measures, all sectors must work together in a coordinated effort.  The last thing that should occur is the government disappearing behind closed doors and emerging on the other side with a bill that addresses a problem.  In reality, the private sector is willing to work with the government body.  When it comes down to policy, the language must be clear and concise.  Often the argument is that policy is over-demanding and problematic to implement at any level due to the complexity of technology.  In fact, a well-meaning policy may start off strong, but as it moves through the government body and eventually becomes law, it may end up lacking the initial desired effect (Armstrong, 2010).</p>
<h2>Conclusion</h2>
<p>In today’s political environment, one could make the argument that the government has our best interest at heart.  At the end of the day, the government is doing the best possible job to combat cyber-attacks and to provide the needed level of protection in the cyber world for its citizens.  On the other hand, with the state of the national debt, one could argue that this is a way to generate revenue, or an argument can be made that the government does not provide the necessary expertise to drive the technical aspects of security.  Substantiating the point that the government is incapable of properly dealing with security is the Federal Information Security Management Act of 2002 (FISMA).  This act could serve as a perfect example, and it has come under fire over the years.  Critics have argued that FISMA has become nothing more than an annoyance and that organizations simply check the boxes without truly dealing with the problems the law originally intended to address.</p>
<p>In any case, it is clear that cyber security is paramount to protecting this great nation and its citizens.  The common denominator comes back to regulation and the voiced need for the Federal Government to take an active role in delivering expectations and guidance within the cyber world.  In fact, once the public and private sectors begin working closely together, then and only then may a real change occur.  The positive is that government regulations also have positive impacts in terms of decision making and best practices that can assist in protecting all interested parties (Fisch, 2004).  In closing, just like other aspects of business, change will always be both good and bad; as technology plays a larger role with each passing day, cybersecurity regulations will become fundamental to all.</p>
<h3>References</h3>
<ol>
<li>Wutkowski, K. (2011). Northrop CEO urges more regulation. <em>Reuters</em>. Retrieved on September 14, 2011 from <a href="http://www.reuters.com/article/2011/09/07/us-aero-arms-summit-regulation-idUSTRE7865GX20110907">http://www.reuters.com/article/2011/09/07/us-aero-arms-summit-regulation-idUSTRE7865GX20110907</a></li>
<li>Crews Jr., C. (2007). Cybersecurity and authentication: The marketplace role in rethinking anonymity – before regulators intervene. <em>Knowledge, Technology &amp; Policy</em>, <em>20</em>(2), 97-105. doi:<a href="http://www.springerlink.com/content/dq8522k3361757r4/">10.1007/s12130-007-9010-z</a></li>
<li>Lin, H. S., Spector, A. Z., Neumann, P. G., &amp; Goodman, S. E. (2007). Toward a safer and more secure cyberspace. <em>Communications of the ACM</em>, <em>50</em>(10), 128. Retrieved from <a href="http://www.acm.org.ezproxy.umuc.edu/">http://www.acm.org.ezproxy.umuc.edu</a></li>
<li>Swartz, N. (2005). Cybersecurity report reveals weaknesses. <em>Information Management Journal</em>, <em>39</em>(3), 19. Retrieved from <a href="http://www.arma.org/">http://www.arma.org</a></li>
<li>Raduege, H. (2009). Cyber threats may be hazardous to your privacy. <em>Policy &amp; Practice</em>, <em>67</em>(2), 24. Retrieved from <a href="http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_ps_CyberThreatsMayBeHazardoustoYourPrivacy_Technology%20Speaks%20_061509.pdf">http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_ps_CyberThreatsMayBeHazardoustoYourPrivacy_Technology%20Speaks%20_061509.pdf</a></li>
<li>Homeland Security. (2005). Homeland Security Advisory Council private sector information sharing task force on Homeland Security information sharing between government and the private sector final report. <em>United States Department of Homeland Security</em>. Retrieved from <a href="https://www-hsdl-org.ezproxy.umuc.edu/?view&amp;did=462311">https://www-hsdl-org.ezproxy.umuc.edu/?view&amp;did=462311</a></li>
<li>Homeland Security. (2011). Fact Sheet: Cyber Storm III: National cyber exercise. <em>United States Department of Homeland Security</em>. Retrieved on September 17, 2011 from <a href="http://www.dhs.gov/files/training/cyberstorm-iii.shtm">http://www.dhs.gov/files/training/cyberstorm-iii.shtm</a></li>
<li>The Guardian. (2011). Biggest series of cyber-attacks in history uncovered. <em>The Guardian</em>. Retrieved on September 15, 2011 from <a href="http://www.guardian.co.uk/technology/2011/aug/03/biggest-series-cyber-attacks-uncovered">http://www.guardian.co.uk/technology/2011/aug/03/biggest-series-cyber-attacks-uncovered</a></li>
<li>Baker, W. (2011). 2011 Data Breach Investigations Report released. <em>Verizon Security</em>. Retrieved on September 13, 2011 from <a href="http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/">http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/</a></li>
<li>Armstrong, I. (2010). Following FISMA. <em>SC Magazine: For IT security professionals</em> (15476693), <em>21</em>(2), 36-39. Retrieved on September 14, 2011 from <a href="http://www.scmagazineus.com">http://www.scmagazineus.com</a></li>
<li>Fisch, J. E. (2004). The new federal regulation of corporate governance. <em>Harvard Journal of Law &amp; Public Policy</em>, <em>28</em>(1), 39-49. Retrieved from <a href="http://www.law.harvard.edu/studorgs/jlpp/">http://www.law.harvard.edu/studorgs/jlpp/</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/u-s-government-cybersecurity-role-in-private-industry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. Federal Government Solves Personal Data Privacy And Security Or Do They</title>
		<link>http://radicaldevelopment.net/us-federal-government-solves-personal-data-privacy-and-security-or-do-they/</link>
		<comments>http://radicaldevelopment.net/us-federal-government-solves-personal-data-privacy-and-security-or-do-they/#comments</comments>
		<pubDate>Wed, 14 Sep 2011 05:01:39 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Technology/Internet]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9549</guid>
		<description><![CDATA[The U.S. Federal Government has decided that it is time to take up personal data privacy and security, which on the surface sounds like a noble cause. This leads to the question, is the Federal Government capable of instituting the details, or is the private sector better equipped to handle the job? To understand the severity of &#8230; <a href="http://radicaldevelopment.net/us-federal-government-solves-personal-data-privacy-and-security-or-do-they/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>The U.S. Federal Government has decided that it is time to take up personal data privacy and security, which on the surface sounds like a noble cause. This leads to the question, is the Federal Government capable of instituting the details, or is the private sector better equipped to handle the job?</p>
<p>To understand the severity of cybercrime, all you have to do is look at the Sony PlayStation attack earlier this year. When you frame the discussion in the context of the attacks on Sony, the Central Intelligence Agency (CIA), and Booz Allen Hamilton, the issue begins to take shape and defines the problems that can arise in terms of consumer confidence, national security, and of course profit.</p>
<h2>S.1151 Abstract</h2>
<p>Personal Data Privacy and Security Act of 2011 &#8211; Amends the federal criminal code to: (1) make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for racketeering charges, and (2) prohibit concealment of security breaches involving sensitive personally identifiable information. Sets penalties for attempts and conspiracies to commit fraud and related activity in connection with computers.</p>
<p>Requires a data broker to: (1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained or accessed for disclosure to third parties; (2) disclose adverse actions by third parties against an individual; and (3) maintain procedures for correcting inaccuracies and incompleteness in such records. Defines a &#8220;data broker&#8221; as a business entity that collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis.</p>
<p>Establishes standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information. Imposes upon data brokers and business entities civil penalties for violations of such standards. Requires business entities to notify: (1) any individual whose information has been, or is reasonably believed to have been, accessed or acquired, (2) all nationwide consumer reporting agencies if an agency or entity is required to notify more than 5,000 such individuals, and (3) the United States Secret Service and the Federal Bureau of Investigation (FBI) if the number of individuals involved exceeds 10,000.</p>
<p>Authorizes the Attorney General and state attorneys general to bring civil actions against business entities for violations of this Act.</p>
<p>Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate: (1) the data privacy and security program of a data broker, (2) program compliance, (3) the extent to which databases and systems have been compromised by security breaches, and (4) data broker responses to such breaches.</p>
<p>Requires federal agency information security programs to include procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the agency information systems or operations involving personally identifiable information and for ensuring remedial action to address any significant deficiencies.</p>
<p>Requires federal agencies to conduct a privacy impact assessment before purchasing personally identifiable information from a data broker.</p>
<h2>Reaction and Thoughts</h2>
<p>Within the first 12 pages of this proposed bill, the punishment is outlined to the extent that anyone who has knowledge of a breach in security and hides this fact can be punished under the law. Furthermore, this breach is defined as economic impact to one or more individuals, which results in a fine or imprisonment for no more than five years, with authority given to the United States Secret Service for investigations.</p>
<p>Those entities that are collecting data on individuals will have to institute measures whereby an individual can request the data they have collected, and the broker may turn this information over to the requester, all at a reasonable cost. This is a positive step; however, how many data brokers are out there? For example, say you conduct business with Google and Microsoft: would a $25.00 fee be reasonable? Now consider that you also have Facebook, FourSquare, Twitter, and any number of other services you may utilize, and you begin to see that you can spend hundreds of dollars for such a request when it is all said and done. Could the answer reside in the credit reporting model, where there are a limited number of agencies?</p>
<h2>Financial Impact</h2>
<p>Remember that pesky financial penalty I alluded to earlier? This penalty comes in at $1,000.00 per violation and for every day that the violation is not corrected. So if you have five violations and it takes fourteen days to resolve the issue, the price tag comes in at $70,000.00, and twenty-eight days would result in $140,000.00 in fines. The good news is there is a cap of $250,000.00 per violation, but this will be an expensive lesson to business should they find themselves in this precarious position.</p>
<p>If this is not enough to get business to take security seriously and invest then I am not sure what other incentives may help.</p>
<h2>Conclusion</h2>
<p>In today’s political environment, one could make the argument that the government has our best interest at heart and I believe at the end of the day the government is doing the best possible job to provide a level of protection. On the other hand, with the state of the national debt one could argue that this is a way to generate revenue. In either case, it is clear that cyber security is paramount to protecting this great nation and its citizens.</p>
<h3>References</h3>
<ol>
<li><a title="Personal Data Privacy and Security Act of 2011" href="http://thomas.loc.gov/cgi-bin/bdquery/z?d112:s.1151:">Personal Data Privacy and Security Act of 2011</a></li>
<li><a title="Applying Information Security and Privacy Principles" href="http://www.google.com/url?sa=t&amp;source=web&amp;cd=1&amp;ved=0CBwQFjAA&amp;url=http%3A%2F%2Fwww.sans.org%2Freading_room%2Fwhitepapers%2Fcompliance%2Fapplying-information-security-privacy-principles-governance-risk-management-complianc_33518&amp;ei=WTBwTvz-OoLAtgfep7TiCQ&amp;usg=AFQjCNH5Twja3ngdTXnJXbGWvwRMqXZOiQ">Applying Information Security and Privacy Principles</a></li>
<li><a title="Congress wants answers from Sony on PlayStation hack" href="http://www.computerworld.com/s/article/9216309/Congress_wants_answers_from_Sony_on_PlayStation_hack">Congress wants answers from Sony on PlayStation hack</a></li>
<li><a title="August 2011 Cyber Attacks Timeline" href="http://paulsparrows.wordpress.com/2011/09/02/august-2011-cyber-attacks-timeline/">August 2011 Cyber Attacks Timeline</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/us-federal-government-solves-personal-data-privacy-and-security-or-do-they/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud Computing</title>
		<link>http://radicaldevelopment.net/cloud-computing/</link>
		<comments>http://radicaldevelopment.net/cloud-computing/#comments</comments>
		<pubDate>Wed, 31 Aug 2011 05:15:41 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[General Tech]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Technology/Internet]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9436</guid>
		<description><![CDATA[As cloud computing becomes more and more popular than traditional organization owned data centers the complexity of trust and security is paramount to any solution.  To demonstrate the demand of cloud computing there was a study conducted by Forrester Research that indicates this industry will grow to a $12.3 billion by 2014 (Rai, &#38; Chukwuma, &#8230; <a href="http://radicaldevelopment.net/cloud-computing/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>As cloud computing becomes more popular than traditional organization-owned data centers, the complexity of trust and security is paramount to any solution.  To demonstrate the demand for cloud computing, a study conducted by Forrester Research indicates this industry will grow to $12.3 billion by 2014 (Rai &amp; Chukwuma, 2009).</p>
<h2>Security Threats</h2>
<p>The single toughest challenge is trust.  Most organizations outsource cloud storage needs to vendors like Amazon, and by doing so, it is imperative to understand the roles and responsibilities of this type of relationship.  In fact, as organizations began building upon this trust, many turned to third-party identity and access management (IAM) services to further strengthen security (Rai &amp; Chukwuma, 2009).  IAM is essential to control who has access and what system interfaces are established.  Compared with traditional managed servers, the cloud is no different when it comes to threats such as viruses, hackers, and cyber-attacks (Bisong &amp; Rahman, 2011).  The risk can vary and present new concerns that an organization must consider.  Beyond the obvious data leaks, insider threats, and application interfaces comes the unknown of regional distribution.  History has demonstrated that downtime can cascade to affect a number of organizations; just look at the recent Amazon outage (Bisong &amp; Rahman, 2011).</p>
<h2>Responsibility</h2>
<p>The topmost level of security starts with the Chief Information Security Officer (CISO); however, it does not end there.  This role serves to establish continuity, disaster recovery, policies, and strategies (Dawson, Burrell, Rahim, &amp; Brewster, 2010).  All employees at every level are to be held accountable, but this requires that management and leaders be responsible as well.  In order to achieve security, the responsible stakeholders must start by defining policies and procedures that drive daily activities and responses in terms of protecting data and infrastructure.  The process does not stop once policies are defined; there must be continuing reviews and defined education.</p>
<h2>Cloud Provider Questions</h2>
<p>When cloud computing is being considered, there are a number of topics to weigh.  To understand the pros and cons as well as the vulnerabilities, a number of questions are to be asked, covering areas such as:</p>
<ul>
<li>Compliance and Auditing</li>
<li>Portability</li>
<li>Encryption and Key Management</li>
</ul>
<p>At the end of the day, the organization purchasing a cloud computing option is and always will be responsible for data (Everett, 2009).</p>
<h2>Security Provisions</h2>
<p>The business requirements of any organization will drive the components that make up secure computing (see Figure 1).  Taking the service needs into account will assist in performing a risk assessment and determining how the risks are to be mitigated and controlled.  This conclusion is then incorporated into Service Level Agreements (SLA) whereby expectations are clearly defined (Blandford, 2011).  At this stage, the decision is made as to which operations are candidates for cloud computing and which are not.  Remember, there will always be instances where proprietary information must be protected, and there may even be conditions, for example where you’re performing work for the Department of Defense (DOD), where no level of assurance can be achieved.</p>
<h3>References</h3>
<ol>
<li>Rai, S., &amp; Chukwuma, P. (2009). Security in a Cloud. <em>Internal Auditor</em>, <em>66</em>(4), 21-23. Retrieved from <a href="http://www.theiia.org">http://www.theiia.org</a></li>
<li>Bisong, A., &amp; Rahman, S. M. (2011). An overview of the security concerns in enterprise cloud computing. <em>International Journal of Network Security &amp; Its Applications</em>, <em>3</em>(1), 30-45. <a href="http://www.airccse.org/journal/nsa/0111jnsa03.pdf">doi:10.5121/ijnsa.2011.3103</a></li>
<li>Dawson, M., Burrell, D., Rahim, E., &amp; Brewster, S. (2010). Examining the role of the Chief Information Security Officer (CISO) &amp; security plan. <em>Journal of Information Systems Technology &amp; Planning</em>, <em>3</em>(6), 1-5. Retrieved from <a href="http://www.intellectbase.org">http://www.intellectbase.org</a></li>
<li>Everett, C. (2009). Cloud computing &#8211; A question of trust. <em>Computer Fraud &amp; Security</em>, <em>2009</em>(6), 5-7. <a href="http://www.sciencedirect.com/science/article/pii/S1361372309700715">doi:10.1016/S1361-3723(09)70071-5</a></li>
<li>Blandford, R. (2011). Information security in the cloud. <em>Network Security</em>, <em>2011</em>(4), 15-17. <a href="http://www.sciencedirect.com/science/article/pii/S135348581170040X">doi:10.1016/S1353-4858(11)70040-X</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/cloud-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WikiLeaks Lessons Learned</title>
		<link>http://radicaldevelopment.net/wikileaks-lessons-learned/</link>
		<comments>http://radicaldevelopment.net/wikileaks-lessons-learned/#comments</comments>
		<pubDate>Fri, 26 Aug 2011 23:40:31 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Knowledge]]></category>
		<category><![CDATA[Technology/Internet]]></category>
		<category><![CDATA[YouTube]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9429</guid>
		<description><![CDATA[In the end, the distinction that is drawn from WikiLeaks is that this organization in no way resembles traditional or modern day hackers.  In order to back up this assertion it is important to understand the definition of a hacker, which is a person who illegally gains access to and sometimes tampers with information in &#8230; <a href="http://radicaldevelopment.net/wikileaks-lessons-learned/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In the end, the distinction that is drawn from WikiLeaks is that this organization in no way resembles traditional or modern day hackers.  In order to back up this assertion it is important to understand the definition of a hacker, which is a person who illegally gains access to and sometimes tampers with information in a computer system.</p>
<p><iframe width="500" height="281" src="http://www.youtube.com/embed/fLado8gBwyg?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<h2>Traditional Hackers</h2>
<p>While WikiLeaks had been in existence for some time, they gained notoriety when a United States (US) service member leaked classified Pentagon documents.  For this reason, I advocate that the term hacker is not relevant.  In fact, it seems the US Congress agrees: in 2010, they introduced a bill intended to prevent both the leaking of material and the publishing of this material (Goth, 2011).  In essence, leaking documents of any nature may be punishable under the law; however, it in no way rises to the level of hacking.  Either way, such attacks cripple or damage an organization.</p>
<h2>Monitoring</h2>
<p>All systems are at risk from attacks by both internal and external entities.  For this reason, it is imperative to employ intrusion detection to provide the needed security measures in protecting people, data, and other systems.  This type of detection can be costly and time consuming; however, intrusion detection can leverage a number of technologies and algorithms.  One approach is machine learning, classifying network use based upon dependent and independent sets of variables (Das, Pathak, Sharma, Sreevathsan, Srikanth, &amp; Kumar, 2010).  Another approach is the combined use of software to build a customized intrusion detection system.  Both open source and commercial products are used; the former carries security concerns beyond those of commercial products, but if the risk with open source is mitigated it can be beneficial on many levels.  Monitoring comes with risk to both systems and the end users; therefore, it is vital to plan and gain approvals (Silver, 2010).</p>
<h2>Countermeasures</h2>
<p>Although the WikiLeaks case deals more with publishing sensitive information than with attacks, it is no less important to implement firewalls, vulnerability assessment tools, intrusion detection systems, logging tools, password security, and so on. The single greatest threat is the individual, and for this reason sensitive data must be encrypted and restricted to key personnel. One could take a play out of Al Jazeera's playbook, where they claim to use encryption at all levels of a news story (Goth, 2011). Another valuable deterrent would be clear and enforceable laws and regulations that keep up with changing technology and the digital world. An access control list is a valuable asset for identifying those who require access and for ensuring that individuals who no longer require access are removed. Remember, a high percentage of people now have global access to information that just ten years ago was not available.</p>
<h2>Post-incident Procedures</h2>
<p>Most often learning comes from experience, and post-incident security measures provide valuable insight into vulnerabilities. Consider developing a repository to house data from known attacks as well as industry information. This data is analyzed in order to revisit existing policies and determine whether an area has been overlooked. The same data can also assist in training and education. Because vulnerabilities exist in hardware, software, and configuration, tackling the issue may be more widespread than imagined (Lai &amp; Hsia, 2007). In the event that business partners are impacted, it is imperative to have a communications plan. Assume that port 80, which serves HyperText Transfer Protocol (HTTP) traffic, is allowed and was used to circumvent existing security measures. In this scenario, Nmap (Lai &amp; Hsia, 2007) and similar products can be employed to scan systems, determine the need for this port, and then plan and coordinate isolating this port as well as other ports that present a risk.</p>
<h3>References</h3>
<ol>
<li>Goth, G. (2011). Welcome to the Age of Antidiplomacy. IEEE Internet Computing, 15(2), 7-10. <a href="http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5731583">doi:10.1109/MIC.2011.48</a></li>
<li>Das, V., Pathak, V., Sharma, S., Sreevathsan, Srikanth, M., &amp; Kumar T., G. (2010). Network intrusion detection system based on machine learning algorithms. International Journal of Computer Science &amp; Information Technology, 2(6), 138-151. <a href="http://www.airccse.org/journal/jcsit/1210ijcsit13.pdf">doi:10.5121/ijcsit.2010.2613</a></li>
<li>Silver, T. (2010). Monitoring network and service availability with open-source software. Information Technology &amp; Libraries, 29(1), 8-22. Retrieved from <a href="http://www.ala.org/">http://www.ala.org/</a></li>
<li>Lai, Y.-P., &amp; Hsia, P.-L. (2007). Using the vulnerability information of computer systems to improve the network security. Computer Communications, 30(9), 2032-2047. <a href="http://www.sciencedirect.com/science/article/pii/S014036640700117X">doi:10.1016/j.comcom.2007.03.007</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/wikileaks-lessons-learned/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who Is Behind Database Security Breaches</title>
		<link>http://radicaldevelopment.net/who-is-behind-database-security-breaches/</link>
		<comments>http://radicaldevelopment.net/who-is-behind-database-security-breaches/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 01:14:03 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Computer security]]></category>
		<category><![CDATA[Knowledge]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[Technology/Internet]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9347</guid>
		<description><![CDATA[Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, are not so obvious. U.S. Secret Service &#8230; <a href="http://radicaldevelopment.net/who-is-behind-database-security-breaches/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, are not so obvious.</p>
<p>U.S. Secret Service Assistant Director A.T. Smith said,</p>
<blockquote><p>Americans over the past several years have seen the significant impacts data breaches are having on our nation&#8217;s financial infrastructure. Today, cyber criminals are operating in nearly every civilized nation in the world, exposing Americans&#8217; personal information, either stored or transmitted, to substantial risk.</p></blockquote>
<p>The following graph demonstrates the effects of security breaches and where breaches originate.</p>
<p><img class="alignnone size-full wp-image-9351" title="Figure 1. 2011 Verizon Security Data Breach Stats Showing The Percentage Of Data Breaches By Entity" src="http://radicaldevelopment.net/wp-content/uploads/2011/07/2011_Data_Breach_Stats.jpg" alt="" width="600" height="359" /></p>
<p>It is not news that a high percentage of attacks come from external sources, but where you should take note is that 18% of attacks come from insiders and business partners. Previously I wrote about Facing cyber security threats from employees; if you have not taken the time to read that post, I highly suggest you do so.</p>
<p>External risks are often easily identified; threats from within, however, are much more complex to prevent.</p>
<h2>Combating The Problem</h2>
<p>Access controls are the front line of defense, and they help to prevent the accidental or malicious disclosure, modification, or destruction of data. Access controls also play a role when programs malfunction: all software has some type of defect, and defects open your software up to vulnerabilities or even to leaking confidential data.</p>
<p>Because business partners are necessary, they must not be allowed free access to networks, and to help prevent prying eyes there must be policies in place. One such policy may be that when non-employees are on the floor, computer screens are to be turned off and desktops are to be cleared.</p>
<p>Finally, the biggest bang for the buck is auditing. I know this seems obvious, but I am amazed at the lack of auditing that I have seen over the years, particularly with software. I&#8217;m not saying audit everything, but you should identify the greatest risk and start from there. For example, password resets and data transactions can provide telltale signs that systems have been compromised.</p>
<h2>Conclusion</h2>
<p>Security is a daily process that is ever changing, in large part due to growing threats. It is simply not enough to purchase hardware and software and expect that your organization is protected. In particular, if you provide software services, whether internal or external to the company, secure coding and education of the development team are paramount to success.</p>
<h2>References</h2>
<ol>
<li><a href="http://www.darkreading.com/tech-center/2/Database_Security.html">Database Security : Tech Center &#8211; Dark Reading</a></li>
<li><a href="http://newscenter.verizon.com/press-releases/verizon/2011/verizon-2011-data-breach.html">Verizon 2011 Data Breach Investigations Report: Breaches Increased Dramatically While Data Loss Was at All-Time Low</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/who-is-behind-database-security-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>International Airport Cyber Security Challenges</title>
		<link>http://radicaldevelopment.net/international-airport-cyber-security-challenges/</link>
		<comments>http://radicaldevelopment.net/international-airport-cyber-security-challenges/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 12:30:26 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Government]]></category>
		<category><![CDATA[Technology/Internet]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=9231</guid>
		<description><![CDATA[Air travel and the security measures surrounding this industry face countless challenges today than ever before. On September 11, 2001, the world changed forever due to the terrorist attack on the United States and airport security would never be the same again. The need to protect nations and their citizens drove changes both in the &#8230; <a href="http://radicaldevelopment.net/international-airport-cyber-security-challenges/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Air travel and the security measures surrounding this industry face countless challenges today than ever before. On September 11, 2001, the world changed forever due to the terrorist attack on the United States and airport security would never be the same again. The need to protect nations and their citizens drove changes both in the airline industry and government responsibilities. The solutions engaged today does a great job of addressing security threats however; the thin line of personal freedom and the regulations enacted by governments is questionable by many citizens and activist groups. In late 2001, the Transportation Security Administration (TSA) was established and charged with the safety of travel within the United States.  The TSA employees a number of technologies to conduct security operations and because technology in itself face threats, it is imperative that cyber threats are mitigated. There are so many points of failure that the job of security quickly becomes hard-hitting. The apparent points of interest are aircraft security, passenger screening, baggage screening, credentials, and human behavior, with the human behavior the distinct largest threat. Turning the focus to international airports often increases security threats largely due to the logistics involved and the dependency upon other country’s security measures. If international air travel is to be safe then every country must work together in order to achieve the common goal, which is the protection of human life and their citizens.</p>
<p>To put into perspective it is crucial to address the scope of security. Inside the United States alone, there are dozens of international airports where millions of people move from country to country. As millions of people move through the airports, all it takes is a single breach in security to put others at risk.  The sheer number of travelers often may be unbelievable as hundreds of millions travelers make their way across the globe. At this point, the task of security operations and the challenges associated with air travel begin to take shape. The point of failure is not the technology itself rather it falls often to the human dynamic. Threats can be either intentional or unintentional but either way airport security must be vigorous and ready on short notice to react to any occurrence. There are both advantages and disadvantages to security protocols and understanding both aspects is vital to the overall success of securing airport infrastructure.</p>
<h2>Operational Breakout</h2>
<p>International airport operations and the people involved have an enormous responsibility, both for the physical aspect of operations and for those who travel through this nation&#8217;s airports. Understanding three areas of operations is the first step in this journey.</p>
<ol>
<li>Daily operations are the activities people carry out in their jobs.</li>
<li>Technical operations are actions based within the Information Technology (IT) systems.</li>
<li>Management operations are risk analysis, supervision, and oversight of both personnel and IT systems.</li>
</ol>
<h3>Daily Operations</h3>
<p>The Atlanta, GA International Airport has processed over twelve million passengers without a major incident. Security originates as travelers enter the airport perimeter by vehicle or arrive by aircraft. TSA conducts surveillance of personnel across the airport using telecommunications equipment in the form of cameras. Audio and video surveillance are a strong deterrent to those who wish to cause harm. This type of surveillance can also be used in legal matters as well as to improve training.</p>
<p>Processing passengers and their baggage is no small task. To accomplish it, a variety of systems are utilized to ensure the passenger possesses a valid ticket and valid credentials and is cleared to fly. These high-priority systems are protected by intrusion defenses, including firewalls, and by physical security for the server vaults. Perhaps even more important is to implement redundancy for key systems. Load balancing the computer equipment distributes the workload and helps to ensure operations are maintained in the event a single server goes offline.</p>
<p>One could argue that airport employees present the single greatest risk to security. This in itself opens room for discussion, since secondary measures must be strengthened. For anyone who has flown before, it is commonplace to see airport employees swiping an access card to enter areas the public is restricted from. In 2010 an airline pilot posted an amateur recording of security flaws at San Francisco&#8217;s airport from the point of view of employee access. In the pilot&#8217;s own words, the public is at risk due to poor access control once employees enter the internal working areas of an airport.</p>
<blockquote><p>Well, folks, I just wanted to give you an idea of what type of security for the ground personnel there is. This is their screening. As you can see, there&#8217;s only a card slide and one door. So when you see a cart, those carts aren&#8217;t screened at all.</p></blockquote>
<p><iframe width="500" height="281" src="http://www.youtube.com/embed/uFs5X3rXsF0?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<p>Card readers provide an acceptable level of access control; however, taking security to the next level may mean combining card readers with iris scanners to further control access. The obstacle with iris scanners may come down to cost. Verified Identity Pass provides kiosks that allow passengers to move through the conventional security protocols much more quickly. These kiosks perform both fingerprint scanning and iris scanning to confirm the identity of the individual. The cost of this technology comes in at $150,000.00. This same technology could be adapted and employed at various internal operational checkpoints to ensure personnel only gain access to areas that the job requires. The scope of technology, effectiveness, and financial investment surrounding security quickly becomes both expensive and time-consuming, but it is extremely important.</p>
<h3>Technical Operations</h3>
<p><img class="alignleft size-full wp-image-9233" title="Advanced Imaging Technology (AIT)" src="http://radicaldevelopment.net/wp-content/uploads/2011/06/ait.jpg" alt="Advanced Imaging Technology (AIT)" width="294" height="260" />The single most noticeable component of airport security may be the use of full body scanners. Advanced Imaging Technology (AIT) is software based on technology similar to that of an x-ray machine found in any local hospital. The scanner takes an image of a person, which in turn allows TSA agents to determine whether a threat exists. All hardware- and software-based security systems come with a number of threats. In this case, two threats are loss of electrical power and a defect within the software. According to the National Science and Technology Council,</p>
<blockquote><p>Today, many vulnerabilities are easy to exploit, and individuals and organizations worldwide can access systems and networks connected to the Internet across geographic and national boundaries.  Current technology also makes it easy to hide or disguise the origin and identity of the individuals or organizations that exploit these vulnerabilities.</p></blockquote>
<p>Since modern-day security precautions implement a wide variety of technology at various checkpoints, it has become imperative that an appropriate backup power supply is available should a power outage occur. It is equally important to address the physical aspects of this hardware in terms of access control and environmental controls, which include air conditioning and humidity. Access control is probably the easiest area to address, and two possible measures are card readers and biometric controls. Both are viable solutions for protecting critical areas, and biometric controls are the less likely to present a risk, since access cards can be lost. Access control points are critical to security and to the operations surrounding airports.</p>
<h3>Management Operations</h3>
<p>The last stage of operations touches on those who are in positions of authority over others. This includes supervisors, managers, and others who hold positions of responsibility over others. These individuals have the duty to ensure proper procedures are observed during daily activities. Often personnel in this role are the first line of defense and have the responsibility to train and educate both new and current employees on policy and procedures.</p>
<h3>Conclusion</h3>
<p>Airport security is not an easy task to complete and it requires a great deal of investment in both people and infrastructure. Because IT plays such a large role in modern day security, the following actions are vital:</p>
<ul>
<li>Physical facility security must be strengthened.</li>
<li>Employees must perform above reproach.</li>
<li>IT infrastructure must implement restricted access, employ environmental controls, and account for redundancy and secondary power options.</li>
</ul>
<p>The federal government and TSA have diligently taken steps to ensure both policies and funding are in place. This puts the responsibility squarely on the shoulders of employees in international airports across the United States. The job of securing this nation&#8217;s airports may often seem overwhelming; however, it is possible to accomplish this duty with attention to detail.</p>
<h3>References</h3>
<ul>
<li><a href="http://www.tsa.gov/approach/tech/ait/index.shtm">Transportation Security Administration</a></li>
<li><a href="http://scholar.google.com/scholar?q=%22What+InfoSec+Professionals+Should+Know+About+Information+Warfare+Tactics+by+Terrorists.%22">What InfoSec professionals should know about Information Warfare tactics by terrorists</a></li>
<li><a href="http://www.freepatentsonline.com/article/Information-Management-Journal/125489576.html">U.S. airports debut document scanners</a></li>
<li><a href="http://cedb.asce.org/cgi/WWWdisplay.cgi?161941">Minimizing Construction-Related Security Risks during Airport Expansion Projects</a></li>
<li><a href="http://www.technologyreview.com/Infotech/18879/">Iris scanning, now at JFK</a></li>
<li><a href="http://www.au.af.mil/au/awc/awcgate/nitrd/fed_plan_csia_rese.pdf">Federal plan for cyber security and information assurance research and development</a></li>
<li><a href="http://www.gao.gov/new.items/d09399.pdf">Aviation Security: A National Strategy and Other Actions Would Strengthen TSA&#8217;s Efforts to Secure Commercial Airport Perimeters and Access Controls, Report to Congressional Requesters  (Report No. GAO-09-399)</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/international-airport-cyber-security-challenges/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Development Lifecycle: SQL Injection Attacks</title>
		<link>http://radicaldevelopment.net/security-development-lifecycle-sql-injection-attacks/</link>
		<comments>http://radicaldevelopment.net/security-development-lifecycle-sql-injection-attacks/#comments</comments>
		<pubDate>Thu, 28 Apr 2011 03:04:29 +0000</pubDate>
		<dc:creator>Steven Swafford</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Business]]></category>
		<category><![CDATA[Code]]></category>
		<category><![CDATA[Code injection]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[Knowledge]]></category>
		<category><![CDATA[Microsoft .NET]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[Software]]></category>
		<category><![CDATA[SQL]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://radicaldevelopment.net/?p=8897</guid>
		<description><![CDATA[In an earlier post titled Security Development Lifecycle: Introduction I begun introducing what the Security Development Lifecycle (SDL) represents and as I continue this series I will focus on the SDL model that Microsoft has so graciously provided to the community. Introduction In part 2 of this series I want to focus of SQL Injection &#8230; <a href="http://radicaldevelopment.net/security-development-lifecycle-sql-injection-attacks/" class="more-link" >read on <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>In an earlier post titled Security Development Lifecycle: Introduction I began introducing what the Security Development Lifecycle (SDL) represents, and as I continue this series I will focus on the SDL model that Microsoft has so graciously provided to the community.</p>
<h2>Introduction</h2>
<p>In part 2 of this series I want to focus on SQL Injection, and for those of you just getting started it is important to understand what a SQL Injection attack is. Here is what Microsoft has stated:</p>
<blockquote>
<ul>
<li>SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parametrized data can be manipulated by a skilled and determined attacker.</li>
<li>The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.</li>
<li>The injection process works by prematurely terminating a text string and appending a new command. Because the inserted command may have additional strings appended to it before it is executed, the malefactor terminates the injected string with a comment mark &#8220;--&#8221;. Subsequent text is ignored at execution time.</li>
</ul>
</blockquote>
<p><img class="alignnone size-full wp-image-8902" title="sql injection model" src="http://radicaldevelopment.net/wp-content/uploads/2011/04/sql_injection_model.jpg" alt="sql injection model" width="600" height="356" /></p>
<p>The two root causes of SQL Injection attacks are the use of dynamic SQL and ineffective, or altogether missing, input validation. The best advice here is:</p>
<ol>
<li>Use parameterized queries or stored procedures</li>
<li>Validate all input. Always assume that the data coming in is corrupt and possibly malicious.</li>
</ol>
<p><iframe width="500" height="281" src="http://www.youtube.com/embed/h-9rHTLHJTY?fs=1&#038;feature=oembed" frameborder="0" allowfullscreen></iframe></p>
<h2>Breaking The Bank</h2>
<p>We are all too familiar with the login process; much like your favorite social network or even your banking website, the typical login process includes the collection of a username and password. Assume for a moment that your favorite website does not address SQL Injection and therefore uses dynamic SQL, building the query text by concatenating the user-supplied customer id:</p>
<pre class="brush: csharp">string sql = "SELECT OrderID, CustomerID, ShipAddress, ShipCity, ShipPostalCode " +
             "FROM Orders " +
             "WHERE CustomerID = '" + customerid + "'";</pre>
<p>Do you spot the problem? The customer id is pasted into the query as a literal string value, and it may contain malicious input that allows the end user to perform actions you never thought they could. The user may be able to access data they should not, drop tables, or even drop the entire database. Let us assume for a moment that the end user enters the id <strong><em>VINET&#8217;</em></strong>. Paying attention to the single quote, the SQL is now constructed as:</p>
<pre class="brush: sql">SELECT OrderID, CustomerID, ShipAddress, ShipCity, ShipPostalCode
FROM Orders
WHERE CustomerID = 'VINET''</pre>
<p>When this statement executes, the SQL parser will locate the extra quote mark and throw an error. How this error is captured and the user alerted is a topic in itself, but let us assume that the raw error is being returned to the user. This error is a dead giveaway that user input is not being sanitized and that the application is wide open to SQL injection attacks. With this information the user can begin to probe the database. Never provide too much detail to the user via error messages.</p>
<p><img class="alignnone size-full wp-image-8915" title="sql exception" src="http://radicaldevelopment.net/wp-content/uploads/2011/04/sqlexception1.jpg" alt="sql exception" width="482" height="289" /></p>
<h2>SQL Explained</h2>
<p>Since we are merely constructing a string that represents a query to be executed against a given database, constructing the following makes clear what is occurring. Assume the user enters <strong><em>VINET&#8217;;DROP TABLE Orders--</em></strong>; what do you think would happen? If you said the statement is valid and would not only execute the query but also drop the Orders table, then you are correct. This is not the fault of the database, nor should one think it is. In fact, the SQL syntax is 100% valid.</p>
<pre class="brush: sql">SELECT OrderID, CustomerID, ShipAddress, ShipCity, ShipPostalCode
FROM Orders
WHERE CustomerID = 'VINET';DROP TABLE Orders--'</pre>
<p>So the lesson here is simple, never trust a user&#8217;s data input to perform database actions.</p>
<h2>Validate Input</h2>
<p>Sanitize the user input at all times to ensure that users cannot inject malicious values. You may be tempted to build a blacklist of unacceptable characters, such as quotes, semicolons, or escapes, but I strongly urge you not to take this approach. Though it may be simple to point out some dangerous characters, it&#8217;s much harder to capture all of them. Instead, establish a whitelist that defines what is acceptable, and reject anything else.</p>
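The two inputs walked through above (the stray quote and the stacked DROP TABLE) and the whitelist advice, carried through as an added example that is not code from the original post. Python with an in-memory SQLite database stands in for the .NET and SQL Server code; executescript() is used only so that the concatenated text runs as a multi-statement batch the way SQL Server would run it, and the Orders rows and the five-upper-case-letter CustomerID rule are constructed assumptions for this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the Orders table used in the post.
SAMPLE_ORDERS = [
    (10248, "VINET", "59 rue de l'Abbaye", "Reims", "51100"),
    (10274, "VINET", "59 rue de l'Abbaye", "Reims", "51100"),
    (10249, "TOMSP", "Luisenstr. 48", "Muenster", "44087"),
]

COLUMNS = "OrderID, CustomerID, ShipAddress, ShipCity, ShipPostalCode"


def make_db():
    """Build a fresh in-memory SQLite database holding the constructed Orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY, CustomerID TEXT, "
        "ShipAddress TEXT, ShipCity TEXT, ShipPostalCode TEXT)"
    )
    conn.executemany("INSERT INTO Orders VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def orders_table_exists(conn):
    """True while the Orders table is still present in the schema."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'Orders'"
    ).fetchone()
    return row[0] == 1


def build_dynamic_sql(customerid):
    """The vulnerable pattern from the post: user input pasted straight into the query text."""
    return "SELECT " + COLUMNS + " FROM Orders WHERE CustomerID = '" + customerid + "'"


def probe_dynamic_sql(customerid):
    """Run the concatenated text as a batch against a fresh database and report
    (error raised?, Orders table still present?).

    executescript() executes every statement in the string, which mirrors how a
    SQL Server batch treats the ';DROP TABLE Orders--' suffix. A stray quote
    surfaces as sqlite3.OperationalError, the 'dead giveaway' error the post describes.
    """
    conn = make_db()
    try:
        conn.executescript(build_dynamic_sql(customerid))
        errored = False
    except sqlite3.OperationalError:
        errored = True
    return errored, orders_table_exists(conn)


def safe_orders(conn, customerid):
    """Parameterized form of the same query: the driver binds the value, so the
    input can never terminate the string literal or append a second statement."""
    sql = "SELECT " + COLUMNS + " FROM Orders WHERE CustomerID = ?"
    return conn.execute(sql, (customerid,)).fetchall()


# Whitelist for a Northwind-style CustomerID: exactly five upper-case letters.
# Constructed rule for this example; use the real identifier format in practice.
CUSTOMER_ID_RE = re.compile(r"[A-Z]{5}")


def is_valid_customer_id(customerid):
    """Whitelist validation: accept only the known-good shape, reject everything else."""
    return CUSTOMER_ID_RE.fullmatch(customerid) is not None


def lookup_orders(conn, customerid):
    """Defensive entry point: validate first, then query with a bound parameter."""
    if not is_valid_customer_id(customerid):
        raise ValueError("rejected CustomerID: " + repr(customerid))
    return safe_orders(conn, customerid)


if __name__ == "__main__":
    stray_quote = "VINET'"
    stacked = "VINET';DROP TABLE Orders--"

    # 1. Dynamic SQL: the stray quote errors out, the stacked input drops the table.
    print("stray quote   (errored, table intact):", probe_dynamic_sql(stray_quote))
    print("stacked input (errored, table intact):", probe_dynamic_sql(stacked))

    # 2. Parameterized query: both inputs are just unmatched literals; table survives.
    conn = make_db()
    print("parameterized stray quote ->", safe_orders(conn, stray_quote))
    print("parameterized stacked     ->", safe_orders(conn, stacked))
    print("table intact after parameterized queries:", orders_table_exists(conn))

    # 3. Whitelist validation rejects both inputs before any SQL runs at all.
    for candidate in ("VINET", stray_quote, stacked):
        print(repr(candidate), "accepted:", is_valid_customer_id(candidate))
    print("valid lookup ->", lookup_orders(conn, "VINET"))
```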
<h2>Conclusion</h2>
<p><img class="alignnone size-full wp-image-6625" title="tommy tables" src="http://radicaldevelopment.net/wp-content/uploads/2010/09/exploits_of_a_mom.png" alt="" width="590" height="188" /></p>
<p>SQL injection attacks are nothing new and are not difficult at all to address. All it really takes is attention to detail and a few extra minutes of time; in the long run your efforts will protect your database, and otherwise you may find yourself in a precarious position. If you find that you have inherited a project and you run across this vulnerability, then by all means bring it to the attention of the team.</p>
<h2>References</h2>
<ol>
<li><a href="https://www.owasp.org/index.php/SQL_Injection">OWASP SQL Injection</a></li>
<li><a href="https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet">OWASP SQL Injection Cheat Sheet</a></li>
<li><a href="https://addons.mozilla.org/en-US/firefox/addon/sql-injection/">SQL Injection FireFox Plugin</a></li>
<li><a href="http://www.youtube.com/watch?v=h-9rHTLHJTY">SQL Injection Basics Demonstration</a></li>
<li><a href="https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?mcc=DNXA&amp;jumpid=in_r11374_us/en/large/tsg/w1_0908_scrawlr_redirect/mcc_DNXA">HP Scrawlr</a></li>
<li><a href="http://www.microsoft.com/security/sdl/">Microsoft Security Development Lifecycle (SDL)</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://radicaldevelopment.net/security-development-lifecycle-sql-injection-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

