Along with a bunch of other excellent data, a recent report from TELUS and Rotman suggests that firms that explicitly block social media (i.e. Facebook, Twitter, etc.) are more likely than firms that don’t block to experience a breach.

Why?

Well, we don’t know for sure, but we can guess.  The hypothesis suggested in the report is that blocking of these sites creates a perverse incentive for employees to violate security policy in a way that increases the likelihood of breaches in other ways.  For example, by encouraging them to install software from untrusted sources to bypass the filter *or* to install untrusted devices onto the network to allow them to get around the restriction.

This is exactly the reason why metrics are important.  It seems counterintuitive so without data to point the way, we wouldn’t know that implementing a security control could actually increase risk in this way.  Pretty cool, right?

This report is a must-read, by the way.  Highly recommend you go check it out, even though registration is required to get a copy.  It’s worth it.

Image source: suptg.thisisnotatrueending.com

I came across this over on DarkReading about how lost productivity is the biggest impact from security breaches.  This from a survey conducted via Applied Research (funded by F5).

So that’s interesting.  I went looking for, but couldn’t find, the actual results upon which this is founded but came up with the big goose-egg.  So I don’t have the detailed data – neither do I know what questions were asked.  But it does make me wonder a little bit.  Specifically, it makes me wonder about whether the folks who were breached actually have a handle on how much breaches are actually costing them.  Because I suspect if they had a hard number for ongoing costs, they’d probably conclude that productivity isn’t the biggest hit.

Why do I say that you ask?  Take, for example, what happens when a breach occurs that impacts cardholder data.  Take a “joe average” shop – take a hospital.  If they suffer a breach, it’s true that staff lose some productivity while everything gets sorted out.  But under PCI, now they have to file a RoC yearly (when a merchant is breached, they immediately incur level 1 merchant auditing requirements).  That’s an annual cost that they incur in audit costs alone.  Remediation costs for PCI aren’t cheap, so they incur that cost to become – and stay – as compliant to PCI and held to the same auditing standard as Amazon.com.  How is that less impactful from a cost standpoint than the lost productivity during the breach itself.  Unless they’re including that in the productivity calculation.

Anyway, just wondering…

So remember a few months back when Sony said how they were “loving the way they lose your data”?

Well, they’ve now also gone on record saying that they’re “all good” from a security standpoint:

“I’m pleased to tell you that the PSN is more secure and better than ever,” Stringer said at a news conference at the IFA electronics show here. “We are aggressively expanding its content. We have more than 3 million new customers since the network came back online, and sales are exceeding what we had before the cyberattacks.”

Yep, not only was their cavalier exposure of your data great for business (thanks for that by the way), but apparently now all those pesky security problems are all cleared up in an unprecedented two month time window (“mission accomplished!”).

Because, as we all know, getting to the “we’re all good” stage in security is just a matter of flipping the switch…  It’s not like it’s a process or anything that takes years of diligence and improvement, amirite?

So, glad to hear they’ve closed the book on that problem… now they can go back to exactly the way they were operating before all that bad stuff happened.

Image Source: ebaumsworld.com

And so it goes that the PCI council revoked Arizona QSA firm “Chief Security Officers” license as a QSA.  Now, lord knows I have my issues with that process (complaining about my issues with QSA remediation would take all day), but I have to confess to finding it a bit refreshing that there is at least one entity that can revoke an assessor’s license to practice for quality reasons.  Whatever you think of the QSA remediation process specifically, I’m bummed that we can’t do it with other types of auditors.

Consider, for example, HIPAA auditing.  I just found out this morning via PHIPrivacy.net (one of my new favorite hangouts by the way) about the fact that KPMG was selected by the OCR as the auditor to conduct HIPAA audits – an interesting point of fact given their own record in losing patient medical records.  Interesting.

I’m, unsure if they looked at the track record of loss or not; it’s all very mysterious.  From the article:

Asked if OCR considered the KPMG involvement on this 2010 breach at any level when considering it for the HIPAA audit contract, McAndrew only said, “the award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.”

The process to hire KPMG involved a Department of Health and Human Services (HHS) panel that reviewed and ranked all technical proposals and qualifications by “predetermined evaluation criteria,” McAndrew said.

Sounds like a “no” to me…

Granted, mistakes happen.  And anyone can have a breach, so I’m not going to arbitrarily hold KPMG to the fire for it.  But what if they continue their pattern here of not protecting our medical records?  What if they have more breaches impacting medical records?

At what point can we — as an industry or even as the general public — push back and say “not with my data”?  Should we be pressuring OCR to define some kind of panic button in this regard?  Seems like the PCI council has one… Why?  We could speculate that the victim’s of  credit card theft are the brands and member institutions (i.e. the same folks that bootstrapped the council in the first place).  So maybe there’s a link between the financial side and the QA?  Could be.  Maybe we — as the folks primarily impacted by the lost data — should have a safety valve just like they do?

Dissent links (via PogoWasRight) links to a Sydney Morning Herald article about how there are a large number of breaches that go unreported.   Great find by Dissent as usual.

But I confess to being surprised by the SMH article.  Not because of its content mind you, but instead because of its newsworthiness.  I thought it was a known, established, and accepted fact that breaches go unreported.  I didn’t realize that there was anything less than universal acceptance on this point.   But apparently there is.  Well paint me flabbergasted.

Look, in case there’s any doubt – here’s the hard truth: not only do breaches go unreported, but I’d posit that most breaches go unreported.  What evidence do I have, you ask?  A few things:

1. We know that the numbers imply unreported breaches in the mobile device space. Specifically, enough devices go missing that the only way to explain the breach disclosure rates is ludicrously small amounts of PII and PHI stored on them.  Like, would you agree that less than one tenth of a percent of mobile devices contain PHI or PII?  I wouldn’t either. But yet that’s what’s implied by the “conversion” rate we see between lost device and reported breach.
2. The exact same thing is true with respect to stolen and lost laptops.  The breach numbers are such that we can demonstrate a universe of unreported breaches given the metrics of stolen laptops.
3. Anecdotal evidence.  I’ve heard from people who watched it happen.  I’ve also watched organizations make questionable judgement calls and decide not to notify.
4. What we saw happen in healthcare when HITECH passed.  We know breaches weren’t being reported in that sector – then when the law passed, they were.  Were they not happening before?  Or is it more likely they are just reported more now?

So, I’m going to go out on a limb and say that my humble, unscientific “back of the envelope” math suggests that the amount of actual breaches exceeds the amount of reported breaches by at least two orders of magnitude.  Meaning, if we’re seeing 100, I think the more likely number is probably in excess of 10,000.  Yeah, it’s a WAG.

For the record, if someone with copious free time wants to join forces, and write this up with me… for example by surveying users to find out percentage PII/PHI on laptops/mobile devices – and then comparing that formally to published breach disclosure rates, I’m game.

So I had my credit card stolen (again) the other day.  Second time in as many years.

Anyway, one thing that continues to impress me is how very quickly my issuer discovers fraud when it happens.  The bad guys got a few charges off like they did last time – but my cardholder caught it right away.  Most impressive.

It struck me that the most likely reason for the incredible alacrity and efficiency of the fraud detection process has to be because they – i.e., the financial institution – is financially liable.   I’m not paying for it in anything other than in terms of the PITA factor.

On the other hand, I’ve been following with interest the recent string of PHI exposures and other healthcare data breaches over the past week or so.  In fact, it’s been a banner few weeks overall from a healthcare standpoint.  Don’t believe me?  Just take a surf over to PHIprivacy.net and let Dissent tell you what the score is.  It’s crazy out there.  And it strikes me that financially, there is no liability for healthcare providers when they lose patient data.  Makes you wonder why they’re slower to catch it, right?

All told, loss of medical information is slower for the victim to recover from.  It doesn’t “age out” like financial data does (a few years from now, who cares what my bank account number is) and there’s not much I can do to prevent against it (like putting a lock on new lines of credit like I could if my SSN goes missing.)  In short, there’s no way to unring the bell once my medical history goes missing.

It seems like lost PHI is probably the most dire type of breach, and there’s much less incentive for the loser of the data to find, report, and prevent the loss in the first place.  It’s unfortunate: economic forces favor increased loss of data in that space — and reduce prevention — while overall the impact is greater for those impacted.  Not sure that’s a recipe for good things to come.

Given a long enough time horizon, will all our medical histories be a matter of public record for those who care to go look?

So I’m editing this post in light of being totally wrong.  I had originally railed on Spartanburg for not disclosing within the 60 day timeline (I didn’t see the coverage back in May, just the letter to patients that went up this week).

Turns out there was a notification that they made and I (along with Softpedia) appear to be off-base on thinking that this was originally just brought to light now.

Oh well, what’s the point in blogging if you can’t be wrong once in a while.  :-)  Thanks to Dissent (see the comment thread) for keeping me honest.

Image source: freedomtwentyfive.wordpress.com

So, much like everyone else, I’ve been reading about the thing with Lulz, Unveillance, etc. over the past few days with quite a bit of interest.

In case you haven’t been following along, the deal is this: Lulz was able to break into Infragard Atlanta chapter and get the account DB, which let them crack the passwords of the members. This in turn allowed them access into other websites where those users used the same password as they did at Infragard.

So, what did we learn?  Aside from the fact that the Love Boat theme is more irritating than I remembered it (please to enjoy should you visit the Lulz Sec website), there are two things are notable IMHO:

1. Despite the password characteristics being pretty good (i.e. non dictionary-based), the majority of those passwords were crackable in a relatively short amount of time given the enciphered password list
2. Despite the fact that these were all security professionals, passwords are still being shared among sites.

Is it just me, or does anybody else see either of these as an issue?  Particularly #2.  And I’m not judging – I’ve done it: shared passwords among a number of services.  And if you can’t ask a database of security professionals to reliably do the right thing, how are you going to ask ol’ Uncle Jimmy to?

The point is, passwords are lame.  But we all knew that already, right?  But of course we have no alternative.  Nope, it’s all doom and gloom – nothing exists in the whole entire world that would make authentication stronger or prevent users from using the same password everywhere they go.  Even if there were products that we could buy, everyone knows there’s nothing out there free. It’s all astronomically high fees preventing adoption all around.  Yep…  might as well just suck it up and bow to the inevitable.

Or maybe this is a wake up call…  maybe a couple bucks for a OTP, a few extra seconds using a password generator/vault, or a little extra hassle for central auth might be worth it.

This morning, I came across this on Security Park entitled, “Retailers must begin to explore how to become PCI-DSS compliant to avoid being next on the hacker’s hit list”.   Anybody else find this concerning?

The indication seems to be that there is an implied connection between being PCI compliant and being “next on the hacker’s hit list”:

Retailers aren’t giving enough attention to compliance so the execution is poor. SMEs in particular are vulnerable. Larger companies are richer targets, but most have accompanying budgets and IT departments dedicated to protecting their vital customer information. As PCI DSS regulations take hold, fraudsters are targeting less well-defended small businesses.

Are folks still thinking these are connected in any way? Because they’re not. Being compliant with PCI introduces a bare minimum set of controls. Does the bare minimum prevent hackers? No. Does it reduce the likelihood of hackers? Possibly, but we don’t really have a way to measure that in the industry.

Security is not compliance.  Hackers don’t care if you’re compliant with some arbitrary standard or not.  Seriously.

As predicted, congress is stirring the pot around additional oversight relative to breach disclosures. This time, the plan is to ask the SEC to get involved and require firms to give details about breach disclosure risk.  An interesting idea.

Their supposition is that firms aren’t really doing anything about IT risk.  A supposition that is correct, by the way.  As a person in the business of providing risk-based support to companies, I’m all about making the services I provide mandatory across the board (how sweet would that be?)  But realistically, I think they’re missing a piece of the puzzle.

Namely, their premise seems to be that increased risk of a breach is somehow a risk to investors – so investors should be able to tell how risky a company is before they decide to take a position in it.  An interesting premise, but one not entirely supported by the facts.  Ask yourself: who is the party most impacted by a breach?  Is it the shareholders?  Is it the company employees?  No…  it’s customers.  And really, long term, they tend not to care very much.

Taking an investor’s-eye view, we know that while firms that are breached tend to take a short-term hit in their stock price (really, any bad news will do that), after a few months, that hit will tend to smooth out.  In fact, historically – because the consequences of being a victim of a breach for a firm from an investment perspective tends to be relatively minimal.  Sure, there could be fines and lawsuits.  But generally speaking, the core of their business: the desire of customers to purchase whatever widget it is they’re selling, remains unaffected.

Don’t get me wrong, I’m not saying regulation in this area isn’t a good thing.  In fact, I think it’s huge.  I think that firms have a responsibility to act as stewards of data they hold on behalf of the public.  But disclosure of IT risk for the purposes of guiding investment decisions?  Maybe I’m off base here, but would anybody really care about that?  Or would it just become another document filing that nobody reads?