Useful tip from nataliedee.com

Given the string of well-publicized ID theft schemes recently, it seemed HelpNet’s choice of putting out tips for seniors to avoid identity theft was a good idea.

Of course, then it occurred to me that maybe HelpNet wasn’t in the top ten of sites that the elderly are likely to read with any frequency.    So good effort, HelpNet… but your tips, though useful, are likely to go unread.

Which is a shame.  Because seniors (particularly those that don’t use computers or the Internet) are at risk – more-so because of the online access to records and data.  Those folks don’t realize they are move vulnerable now than they were twenty years ago.  But they are.

Of course, it’s no wonder why.  Note that I’m not about to dig on HelpNet, but I think the following screen capture of the article-reading experience illustrates just a tiny bit of why this problem is as big as it is.  Namely, conflicting and contradictory advice – even from the same source.  Check it out:

If you can’t read the text and don’t want to follow the link, the text warns about the dangers with supplying your email address to web sites… right under the box where you can submit your email address to their website.  Mixed message.

Anyway, just a few thoughts.

Interesting…  If you haven’t seen the coverage, the FTC forced Twitter to update its information security program after a slew of information security issues including password problems, breaches, and fraudulent claims about the security of the site (in other words,  claimed protection measures that just weren’t implemented the way they said they were).  Check it out:

In one case, attackers were able to exert administrative control over the site, which enabled them to deliver bogus tweets pretending to originate from the accounts of a number of well-known members, including President Obama.

Hah!  It’s never any good when you let shady characters post content as the president of the US.  Semi-related, but in epic bad timing, a researcher demonstrated XSS issues in the platform… that’s not good.

Anyway, this is interesting to me in that the FTC should choose to exercise its muscle for cleaning up Twitter. I mean, they’ve gone after others in the past – but this is one of the relatively few in that there wasn’t actual cash at stake.  So… props to the FTC for taking the situation seriously.  No question that there were some serious issues and failure to uphold their security claims.  But I’m surprised at how forward thinking this is of them – most regulatory bodies are fairly slow to react.  Good job, FTC.

So, next stop: farmville?  I hear it’s a seedy underbelly of animal cruelty and lax agricultural safeguards…

It’s getting pretty ugly over there in Utah.   What’s that have to do with Colorado Casualty?  Wait for it, we’ll get there.  Anyway, long story short: University of Utah had some backup tapes containing ePHI for about 2 million patients (containing patient medical records from the university hospital) go missing on their way to an offsite storage provider.  The University spent about 3.3 million dollars making up for the trauma from this whole situation – a hefty bundle, but probably not as bad as it could have been (just over 1.5 USD per record – not a bad metric as these things go).

Anyway, here’s where it gets juicy.  Now, the University seeks reimbursement of their 3.3M.  Why not?  It wasn’t their fault that the tapes went missing.  And they (thoughtfully) used a storage provider who was insured against breaches.  Good planning (or so one might think) on the part of the University.  However, the storage provider apparently uses Colorado Casualty Co., as the provider of their breach insurance.

Now not only has Colorado Casualty said that they are not responsible for paying anything to the University, but in a move worthy of Emperor Palpatine himself, they’ve  actually taken it one step farther and filed a federal lawsuit in Utah seeking protection for any claims that the University might make against the storage provider.   So if the University wants their money, someone’s going to have to sue them for it.

Nobody seems to know what their reasoning might be for why they don’t have to pay.  In fact, one might wonder what the value actually is in carrying breach insurance if there’s a costly legal struggle involved in actually making a claim.  I’m sure I don’t know.  But in the meantime, my recommendation is to avoid Colorado Casualty like the plague since they’ve tipped their hand for how they handle situations like this one.

The trouble with buying stuff used is that you never know what the last person who had owned the thing was up to. Sometimes you win out and the preowned factor works in your favor – like when we bought our “preowned” Wii the other week.

But on the other hand, sometimes you lose out big time – like when my neighbor back in NJ got the crabs (ewwww) from a pair of pants he bought at a thrift store. That’s no good… Seems to me like probably the least fun way to get crabs is the “used pants” route.

But then there’s this, which is a whole different category of pre-owned crazy. Turns out that this fellow (a kiwi) bought an MP3 player from a thrift store, and it turned out that it had all kinds of military data on the thing – personal data on soldiers, troop and equipment deployment information, and generally all kinds of crazy stuff. Not bad for 9 bucks.

Of course, this kind of thing happens all the time. For example, in college I bought a used Compaq “portable” (think laptop but in the form factor of a 25 pound suitcase) from my father’s work. At the time, he happened to work for a government agency (unfortunately not one of the cool ones) and of course there was all kinds of crazy data on the thing that you wouldn’t want the average citizenry to have.

But what’s interesting to me is not so much that this MP3 player is “da bomb” from a data leakage perspective, but moreso that the data was missing since 2005 and nobody knew it was out there. The scary part, in my opinion, is that the data had a good four years of floating around in the ether before anybody realized it was missing.

Scary.

That’s right, you guessed it – TJX is currently holding their “we lost your data, now give us your money” sale. They’re calling it their customer appreciate sale and it’s going on right now.

Originally, the 15% off sale was supposed to be part of the settlement over the loss of all that credit card data. Turns out they didn’t have to do it, but they decided to anyway. And why not? Free publicity for their sale, and they still make money at that rate anyway. Don’t think of it as them losing your data – think of it more as them selling it in order to hold a second presidents’ day sale.

I wonder if Heartland will discount their services now too?

For years risk and security professionals have been trying to escalate awareness about the frequency of insider attackers. We’ve been working to combat the perception that many “non-riskers” have that external pen test scans of firewalls and web applications are “cool” (heck Harrison Ford did a whole movie on firewalls) and the responsible assessment approach of interviewing employees, reviewing policies and procedures, performing scans on internal assets, and creating risk/benefit analysis – yawn inducing. How many times have you heard something like this: “The inside is safe, I trust my employees”?

But we know internal matters! And we’ve been pressing this point for so long that when an IBM executive mentioned that “90-95% of attacks” initiate from inside at this week’s Security Summit – no one raised and eyebrow. Yeah, yeah – we’re security people, we *know* that.

Or do we? Dark Reading just published a thoughtful piece on “Why Risk Management Doesn’t Work” and in it references both the RSA report that Ed discussed earlier this week and a Verizon report on data breaches. The Verizon report is an analysis of hundreds of actual breaches across multiple verticals.

The entire report is worth reading, but the finding that really got me checking my assumptions was this: “data compromises are considerably more likely to result from external attacks than from any other source. Nearly three out of four cases yielded evidence pointing outside the victim organization. . . . Internal sources accounted for the fewest number of incidents (18 percent), trailing those of external origin by a ratio of four to one.”

Four to one? Hmmm…that’s definitely something to think about.

So interestingly, we’ve been reading some articles over the past few days that are speculating heavily about what the current economic meltdown will mean to us guys over here in IT security and risk. The net consensus appears to be – with budgets shrinking and credit freezing up, spending on IT risk is going to be hard hit.

Really? We’re not so sure about that. Historically, security spending goes up when perceived risk goes up. Look at DHS in the post 9/11 era. Or your own house after a break-in. Or your company’s spending after a worm took down the mail server.

Also – what about the way spending soared after key regulations and bills were passed? While it might have been hard to sell the CEO on file/disk encryption before SB1386, et al came into effect, it became a “get it done” spend for many afterward. Couldn’t get the budget for wireless intrusion detection or application scanning before PCI? After high-profile breaches like TJX, Forever21, and Hannaford, executives freed funds and started demanding why purchases weren’t being completed and implemented fast enough. And the big Daddy of ‘em all – SOX. Implemented to, ostensibly, prevent another Enron, but in reality a huge spend in IT governance, risk, and audit.

So, sure, we agree that budgets are going to shrink overall. And that many companies will not withstand the credit freeze and financial turmoil. But for those who do – we suspect there’s going to be increased oversight (The Financial Stability Oversight Board and congressional oversight panel in the current “bailout” for example) and that’s going to translate into IT security and risk spending. Not because it’s right necessarily, but because it’s going to be mandated by overseers, auditors, and examiners. We’re in for a bumpy night.

Now this is a bit more speculative, but we could even see a direct increase in overall electronic fraud and crime given the new economic outlook. Studies show that straggling economic conditions tie directly to increased crime rates – lower wages, worse economy, more crime. So, even assuming those folks who foresee less spending are right, it could lead to higher spending once the initial hit is over. It’s like the dude from Les Mis – he was a decent guy, but needed to steal bread to feed his family. And some percentage of that crime will be electronic crime – meaning more need for risk, risk managers, and infosec.

Audit’s going up, perceived need will go up, and fraud is likely to go up. Sounds to us like business could actually boom in these conditions.

So, you heard about Best Western, right? The Sunday Herald originally ran the story saying that up to 8,000,000 records were impacted. Best Western says that wasn’t the case. So which is it? I’m not sure we’ll ever know. We can speculate, or dig around to try to get more data, but at the end of the day, it’s going to be hard to figure out.

Not that it matters for where I’m going with this, but my personal take is that Best Western must have some kind of leg to stand on since they put out a press release refuting the Sunday Herald story. Say, hypothetically, that the original story as reported was accurate – can you imagine the world of pain and suffering that Best Western would experience in terms of bad PR? We know from Hannaford and TJX that not much happens to you when you lose a lot of data – but if you say you didn’t lost the data and then it turns out you did? That’s like a PR bunker-bomb. So it seems to me like the stakes of the press release being false are so high that – in my opinion – it’s likely to be almost retentively accurate.

I got a question for you. What percentage of corporate laptops do you think have some sort of personally identifiable data on them? Take a second to mull that over while we go over something else.

Now, you may not remember this, but I’ve suspected for a long time that things are not what they seem in the disclosure space. I.e., do we really think that everybody who actually has a breach is disclosing the way they should?

Now, back in the day, I speculated that at least 10 percent of breaches were going unreported. Where are we now? Let’s use the same method as last time and see if the situation has gotten any better in the year or so since I last posted that.

Now, we know that the “stolen laptop” number was up to about 624000 for 2007 (for just airports alone, but let’s use that since we don’t have any better data.) Now, while we don’t know if any of those laptops had PII on them or not, but we *do* know that the total universe of publicized breaches (446) for 2007. If we assume that every stolen laptop with PII lead to a breach disclosure (which it should), then we can accept that – at the very least – the total (446) represents some superset of all the lost laptops.

So, let’s churn some logic to see what we can conclude about how many of these laptops have “disclosure-requiring” data on them:

We’ll start with the (spurious, but useful for making the point) that every breach was a result of a stolen laptop. Realistically, the number of breaches will include other things as well, but assuming that they’re all a result of laptops gives us a “best case” upper bound for how many are responsible for breaches.

To get to where we need to be, we figure out what percentage of the total laptops stolen were reported via breach disclosure. That number is .07% – 7 in 10,000. Which means, 7 in 10,000 laptops have PII on them.

If that’s true, it’s more likely for Joe Average to pull a full house in his next game of 6 card stud than it is for him to have PII on his laptop. Bullshiz. 7 in 10k? Not likely. In reality, it’s gotta be higher. Maybe, if you really want to get all optimistic, you might say that 1 in 100 have PII on them. Which is still an order of magnitude lower than what’s being reported.

So, really… where are we now? The only conclusion I can possibly draw is that breaches are under-reported by at least an order of magnitude – for airport laptop thefts alone. And unless I’m totally off base, it’s a common enough occurrence that it’s only a matter of time before someone gets caught failing to report. As to whether anyone will care or not – well, that’s a different question.

(Today’s topic has been brought to you by Dave N.) So, strange things are afoot at the Circle K – provided that by “Circle K” you mean “Breach Disclosure” and by “strange things” you mean “corporate irresponsibility”. Specifically, have you seen the recent statistics for how often laptops are lost? Now, while I haven’t seen an “authoritative” source for this statistic, I see 1600 per day cited fairly often as is 2000 per day. Now, whether it’s 1600 or 2000 is irrelevant… the point is that it’s a lot.

File that number (1600 per day) away for a minute. Now consider the number of breach disclosures reported this year. According to the ID Theft Center, the number was 138 as of the end of August. Using our figure from before (1600 laptops stolen per day), let’s solve for how many laptops have been stolen in the same timeframe (we can assume 30 days per month here – no need to be a stickler). We get: 1600*(30*8) or 384,000 laptops stolen as of the end of August. See any kind of disparity there? Even if we assume that every breach disclosure stemmed from a stolen laptop (not the case, by the way), the percentage of stolen laptops leading to a beach disclosure is: (138/384000)*100… or .036 percent.

Now, how could it be that this number is so low? Could it be that firms aren’t disclosing when they should? Is it possible that the corporate custodians of our data are running afoul of the law – either intentionally or unintentionally? Maybe so, maybe not. First of all, not every state has a breach disclosure law – so, we wouldn’t expect that every case of disclosed data would lead to notification, right? Last count I saw, it was only 23 states that had a law – just about half. So, adjusting for half of states not having breach disclosure laws – we would expect that if everybody’s reporting when they should that .07 percent of laptops contain unencrypted personally identifiable data, right? Now, I don’t have any numbers on how what the actual number of laptops containing personally identifiable data is, but 7 in 10000 seems small to me – it just doesn’t jive with personal experience.

So, without having an estimate of how many laptops contain PII, we can’t really point an accusatory finger – other than to just say that the numbers seem “fishy”. Going by personal experience, I would think that maybe on in five or one in 10 would be more realistic… If that’s the case – if one in 10 laptops contain PII, we would expect to see 38,000 breach-disclosure incidents. Too high for you? How about 1 in 100? If only one laptop in a hundred has PII on it, we would expect 3,800 reports – meaning that over 95 percent of breaches still are unreported. But maybe I’m just being cynical…