Archive for May, 2006

Example of a Noncompliance Action for the USA PATRIOT Act: $600,000 Fine

Tuesday, May 30th, 2006

I am concerned when I am at conferences and professional meetings and I hear presenters telling the attendees, from any industry, that there is really nothing that they need to do to address the requirements of the USA PATRIOT Act, and I’ve heard this communicated several times since the law was enacted in 2001.  Here is a good example that yes, indeed, doing nothing can come back to haunt you…and negatively impact your business with penalties and bad press.

It is rare that you see the USA PATRIOT Act, the follow-up for which is the USA PATRIOT Improvement and Reauthorization Act of 2005, being referenced as being part of actions taken by law enforcement for surveillance, or by regulators as part of the basis for fines.  However, I just ran across a story on the government’s FinCEN site that talks about how noncompliance with the USA PATRIOT Act was used in determining a $600,000 penalty against Liberty Bank of New York…I need to check that site more often, don’t I?

In brief, the Financial Crimes Enforcement Network (FinCEN), Federal Deposit Insurance Corporation (FDIC), and New York State Banking Department (NYSBD) assessed a $600,000 penalty against Liberty Bank of New York for violations of federal and state anti-money laundering laws and regulations. Liberty Bank consented to payment of the civil money penalties without admitting or denying the allegations (this is pretty common with regulatory noncompliance situations).

What did Liberty Bank do…or not do?  FinCEN, FDIC, and NYSBD found they:

  • Failed to implement an adequate Bank Secrecy Act/anti-money laundering program with internal controls and appropriate measures to detect and report money laundering and other suspicious activity in a timely manner.
  • Did not have an anti-money laundering program that complied with information sharing requests from law enforcement under section 314(a) of the USA PATRIOT Act.

I anticipate seeing more, and probably more aggressive/costly, actions taking place with regard to the USA PATRIOT Acts as time goes on…companies need to take notice and be aware; not only for section 314(a), but for all the sections, some of which apply to more businesses than just those considered by the law as a financial institution.

Wonder what section 314(a) is all about?  Here you go:

"SEC. 314. COOPERATIVE EFFORTS TO DETER MONEY LAUNDERING.

(a) COOPERATION AMONG FINANCIAL INSTITUTIONS, REGULATORY AUTHORITIES, AND LAW ENFORCEMENT AUTHORITIES-

(1) REGULATIONS- The Secretary shall, within 120 days after the date of enactment of this Act , adopt regulations to encourage further cooperation among financial institutions, their regulatory authorities, and law enforcement authorities, with the specific purpose of encouraging regulatory authorities and law enforcement authorities to share with financial institutions information regarding individuals, entities, and organizations engaged in or reasonably suspected based on credible evidence of engaging in terrorist acts or money laundering activities.

(2) COOPERATION AND INFORMATION SHARING PROCEDURES- The regulations adopted under paragraph (1) may include or create procedures for cooperation and information sharing focusing on–

(A) matters specifically related to the finances of terrorist groups, the means by which terrorist groups transfer funds around the world and within the United States, including through the use of charitable organizations, nonprofit organizations, and nongovernmental organizations, and the extent to which financial institutions in the United States are unwittingly involved in such finances and the extent to which such institutions are at risk as a result;

(B) the relationship, particularly the financial relationship, between international narcotics traffickers and foreign terrorist organizations, the extent to which their memberships overlap and engage in joint activities, and the extent to which they cooperate with each other in raising and transferring funds for their respective purposes; and

(C) means of facilitating the identification of accounts and transactions involving terrorist groups and facilitating the exchange of information concerning such accounts and transactions between financial institutions and law enforcement organizations.

(3) CONTENTS- The regulations adopted pursuant to paragraph (1) may–

(A) require that each financial institution designate 1 or more persons to receive information concerning, and to monitor accounts of individuals, entities, and organizations identified, pursuant to paragraph (1); and

(B) further establish procedures for the protection of the shared information, consistent with the capacity, size, and nature of the institution to which the particular procedures apply.

(4) RULE OF CONSTRUCTION- The receipt of information by a financial institution pursuant to this section shall not relieve or otherwise modify the obligations of the financial institution with respect to any other person or account.

(5) USE OF INFORMATION- Information received by a financial institution pursuant to this section shall not be used for any purpose other than identifying and reporting on activities that may involve terrorist acts or money laundering activities."

VA posts data security information…some good security info/references for everyone

Monday, May 29th, 2006

The Veterans Affairs department has established a couple of web sites to provide information about the status of the VA data security breach, and some FAQs concerning the incident.

Besides providing information about the current breach incident investigation, the FAQ also has some links beneficial to anyone concerned with information security.  The following is an excerpt of some of the references.

"Request a free credit report from one of the three major credit bureaus – Equifax, Experian, TransUnion – at www.AnnualCreditReport.com or by calling 1-877-322-8228."
"the fraud department of one of the three major credit bureaus:

Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, Texas 75013
TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790"

"On May 25, 2005, the VA’s Office of Inspector General (VA OIG) and the FBI announced a $50,000 reward through the Montgomery County Crime Solvers organization, for information that leads to the recovery of a laptop computer and external hard drive that contained personal information for millions of veterans."

Privacy, Compliance and International Data Flows

Friday, May 26th, 2006

Yesterday I posted a new paper to my site, "Privacy, Compliance and International Data Flows."

In today’s technology and business environment, computers are more mobile and more powerful than ever before. Information is shared more easily, more quickly, and in more ways than previously possible.  One voice-activated command can send a message or document to many different locations throughout the world in milliseconds.  Huge amounts of data can be downloaded onto small mobile computing and storage devices more easily than ever before…and we’ve seen by the ongoing incidents how these mobile devices put data at great risk.

This advanced technology revolution certainly has improved business efficiency and expediency. However, it has also created potential threats to the privacy of personal information and violations of new and emerging data protection laws. In this article I discuss privacy, related laws around the world, compliance and international data flow issues, what organizations need to think about with regard to international data protection, and what they need to do to address the wide range of issues.

How to Protect Laptops While Traveling: Great Site for Travel Safety Information of All Types

Thursday, May 25th, 2006

The continuing thefts and losses of laptops highlights the need to provide ongoing security awareness and training to the people who use these mobile devices to store and process the personal information of customers and employees.

Over the past couple of weeks I have had the pleasure of speaking with Kevin Coffey about laptop thefts, related crimes, and what people need to do to protect their mobile computing devices and storage media when they are in their homes and traveling.  Kevin is Detective Sergeant for a large metropolitan city in California, and also founded and owns his own company, Corporate Travel Safety.

Kevin has amassed a great list of resources on all topics related to travel safety, including how to protect mobile computing devices.  A couple of years ago he also created a laptop theft prevention video that organizations should consider showing as part of their awareness activities.

Insider Threat Example: Former Red Cross Employee Commits Crimes with Personal Information on 8,000 up to 1 Million Individuals

Thursday, May 25th, 2006

A story today in Computerworld reports that a former Red Cross worker allegedly used the information to which she had authorized access, including names, Social Security numbers, and birthdates, to open credit card accounts in the donors’ names and then go on shopping sprees.  So far at least four people have been confirmed as being victims of this type of identity/credit card fraud…commonly referenced in the papers as identity theft.

This demonstrates how trusted insiders can do bad things with the information they are authorized to use.

What is interesting is that the report indicates that she "had access to 8,000 blood donors in a database she used in her job," but then it goes on to say "she may have accidentally accessed other records in the larger group." 

So…she actually was authorized to access the entire group, it appears?  You can’t "accidentally" access information that you are not authorized through the system to access.  You can try to use others’ authorizations to access the information, but to "accidentally" access something you would have to have access to it to begin with…through the access control settings.  Kind of like "accidentally" grabbing a wrong-sized shirt out of your closet; you have access to everything in your closet even though you may only wear 3 or 4 of the shirts regularly.

Just think of the potential these personal information opportunists have, with so much access at their fingertips, to sell this information to other criminals and make even more money off their crimes than just opening a few credit card accounts.  She had access to names, Social Security numbers, phone numbers and birth dates.  She was a telephone blood-drive recruiter…why would she need all this access?

The alleged crook "began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered."  So the Red Cross knew about this in March, but only notified the victims last week?  Two months after the crime was discovered?  And the employee was fired, not immediately arrested? 

"The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams [a spokesman for the regional agency] said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters."

Well, access controls should have been set to allow access only to that information necessary for job responsibilities long before this incident.  Unfortunately many organizations do what is easiest up front and give all access to all databases to all their personnel.  This even though it has been a standard of due care for many years now to limit access, through such methods as role-based access control (RBAC), to only that which is necessary, and even though growing numbers of regulations, such as HIPAA and GLBA, require such access restrictions.  It’s too bad it often takes an incident for organizations to get their 20/20 security hindsight vision.

"The agency is reimbursing any of the affected 8,000 donors if the credit reports can’t be obtained for free. The agency also set up a toll-free hotline to aid any identity-theft victims of the incident and said it’s taking additional security steps to ensure that such an incident doesn’t happen again. All staff members are being reminded, for instance, that donors don’t have to put their Social Security numbers into their Red Cross donor records."

Well, it is good the Red Cross is stepping up as much as they can considering they are a nonprofit agency.  It is such a vital and valuable organization…but incidents like these are so senseless! 

Wouldn’t it be nice if the three credit reporting giants, Equifax, Experian and Trans Union would provide, free of charge, credit monitoring for these individuals?  Yeah, well, I’m optimistic…it’s nice to think they would for an important charity…and to help protect the people, whose information was taken, who have been so kind as to donate their blood so that others can live…but I’m also a realist…

Okay…so just a few of the lessons learned…

  • Give access only to the information necessary for people to perform their job responsibilities.  Use RBAC, access control lists (ACLs), or whatever is most appropriate for your computing environment to limit access to the data items…not just to the entire database.
  • Your authorized users are, and will always be, a threat to the information to which they have access.  Numerous reports support this, including the annual CERT/Secret Service insider threat report; the 2006 report should be coming out soon.
  • Perform due diligence before hiring personnel and giving them access to sensitive information with which they can easily commit crime.
  • Perform continuous monitoring of personnel with access to sensitive information.  Make sure you have appropriate separation of duties to make this effective.
  • Create an incident response and notification plan that will ensure the impacted individuals are notified as soon as possible when someone starts to inappropriately use their information.
  • Provide ongoing awareness and training for information security and privacy.  This will help all your personnel not only know what they should be doing, but also know how to identify when others they work with are doing something wrong.
  • Establish, and consistently enforce, sanctions for policy non-compliance.  This will help to dissuade at least some potential crooks.
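Two of the lessons above, limiting access to the data items a role actually needs (not the whole database) and continuously monitoring the people who hold that access, can be enforced in the application layer. The following is an added example, not code from this post or from the Red Cross: a small donor store that applies field-level role-based access control, keeps an audit trail of every read, and runs a simple check over that trail to flag denied requests and users who touched more records in a day than their role normally would. The role names, the daily baselines, and the donor records (including the placeholder SSN values) are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample donor records. SSN values are placeholders, not real numbers.
DONORS: Dict[int, Dict[str, str]] = {
    1: {"name": "Donor One", "phone": "555-0101", "birth_date": "1970-01-01", "ssn": "000-00-0001"},
    2: {"name": "Donor Two", "phone": "555-0102", "birth_date": "1981-02-02", "ssn": "000-00-0002"},
    3: {"name": "Donor Three", "phone": "555-0103", "birth_date": "1992-03-03", "ssn": "000-00-0003"},
}

# Hypothetical roles -> the only fields each role may read. A recruiter gets
# contact data; the SSN column is reachable solely by a role that needs it.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "blood_drive_recruiter": {"name", "phone", "birth_date"},
    "donor_services_manager": {"name", "phone", "birth_date", "ssn"},
}

# Hypothetical baseline: distinct records a role is expected to read per day.
ROLE_DAILY_BASELINE: Dict[str, int] = {
    "blood_drive_recruiter": 2,
    "donor_services_manager": 50,
}


@dataclass(frozen=True)
class AccessEvent:
    """One audit-trail entry: who asked for which fields of which record, and whether it was allowed."""
    day: str
    user: str
    role: str
    donor_id: int
    fields: frozenset
    allowed: bool


class DonorStore:
    def __init__(self, donors: Dict[int, Dict[str, str]], log: List[AccessEvent]):
        self._donors = donors
        self.log = log  # append-only audit trail shared with the monitor

    def read(self, day: str, user: str, role: str, donor_id: int, requested) -> Dict[str, str]:
        """Return only the requested fields, and only if the role may read every one of them.

        Deny-by-default: an unknown role has no permitted fields, and a request that
        names even one forbidden field is rejected outright (and logged) rather than
        silently trimmed, so the attempt itself becomes visible to the monitor.
        """
        permitted = ROLE_FIELDS.get(role, set())
        requested = frozenset(requested)
        denied = requested - permitted
        self.log.append(AccessEvent(day, user, role, donor_id, requested, not denied))
        if denied:
            raise PermissionError(f"{user} ({role}) may not read {sorted(denied)}")
        record = self._donors[donor_id]  # KeyError for an unknown donor id
        return {f: record[f] for f in requested}


def flag_suspicious(log: List[AccessEvent]) -> List[str]:
    """Monitoring pass over the audit trail: denied requests, and per-user daily
    read volumes above the role's baseline (the pattern an insider harvesting
    records would produce)."""
    findings: List[str] = []
    reads = defaultdict(set)
    for ev in log:
        if not ev.allowed:
            findings.append(f"{ev.day} {ev.user}: denied request for {sorted(ev.fields)}")
        else:
            reads[(ev.day, ev.user, ev.role)].add(ev.donor_id)
    for (day, user, role), ids in sorted(reads.items()):
        baseline = ROLE_DAILY_BASELINE.get(role, 0)
        if len(ids) > baseline:
            findings.append(f"{day} {user}: read {len(ids)} records, baseline for {role} is {baseline}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: one legitimate read, one attempt at the SSN column,
    and one recruiter sweeping every record in the table."""
    log: List[AccessEvent] = []
    store = DonorStore(DONORS, log)
    store.read("2006-05-24", "alice", "blood_drive_recruiter", 1, ["name", "phone"])
    try:
        store.read("2006-05-24", "alice", "blood_drive_recruiter", 2, ["name", "ssn"])
    except PermissionError:
        pass  # rejected and logged; the monitor reports it below
    for donor_id in DONORS:
        store.read("2006-05-25", "bob", "blood_drive_recruiter", donor_id, ["name", "phone", "birth_date"])
    return flag_suspicious(log)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is that the permission decision and the audit record are produced in the same place, so the monitor sees both the reads that succeeded and the ones that were refused; a role that is granted only the columns its job needs cannot "accidentally" reach the rest, and a recruiter who suddenly reads far more records than recruiters normally do shows up the same day rather than two months later.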

Reference For Protecting Portable Data

Wednesday, May 24th, 2006

Just a few days ago CSO Online provided a pretty nice resource, and timely considering all the continuing laptop and mobile storage media losses. 

Their "Portable Data Protection Options" gives organizations a good starting point for planning how to protect their mobile computing devices and storage media, or for quickly checking whether their current program is missing something.  Their list of potential vendors for the product categories listed is very limited…there are many other good vendor solutions available…but it is a place to start. 

I’ve written on this quite a bit.  For one of my recent papers discussing the issues involved, see "Managing Mobile Computing Risks."

Some VA Laptop Theft Lessons: Don’t Get Complacent Over Laptop Thefts…Bad Things CAN Happen to Any of the People Involved…And May Not be Discovered For Years

Tuesday, May 23rd, 2006

Much has been written over the past two days about the theft of the laptop from a government worker’s home that contained SSNs, birthdates and names for 26.5 million U.S. veterans. 

What concerns me is a recurring, almost a lackadaisical…and in some cases flippant or dismissive…attitude about these types of incidents.

One in particular on CNET News, "Veterans’ data swiped in theft" captures the essence of some of the recurring themes in these incident reports.  For example:

"The good news for Veterans Affairs is that the crooks may not know what they have.  "It is possible that (the thieves) remain unaware of the information which they possess or of how to make use of it," Veterans Affairs said on the Web site.  Gartner’s Litan agrees. Studies have shown that thefts of computers storing sensitive data have resulted in only a small percentage of identity theft, she says. And she added that information on millions of veterans would not necessarily yield much loot.  "Frankly, veterans don’t have a lot of money," Litan said. "They aren’t typically wealthy people. Criminals aren’t going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That’s a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals.""

Wow, this certainly is good spin from the PR department.

I don’t believe such studies of computers stolen provide any type of conclusive evidence.  SSNs, names and birthdates could potentially be used YEARS after a theft to do bad things.  Just because nothing bad has BEEN DETECTED YET does not mean bad things will never be done with that information. 

Additionally, there are so many ways that this type of information can be misused by the crooks and fraudsters who have this information in hand that it is very possible that the people about whom the information applies will not find out about nefarious activity until years later.  And it doesn’t matter how much money the people involved make…this seems a rather insulting statement to the victims, doesn’t it?  You’re too poor to worry about anyone wanting to do crime with your information?  C’mon now…individuals don’t need to make anything to have their lives made a mess by identity theft!

A great example is a story I read recently in Reader’s Digest about child identity theft.

"Seventeen-year-old Randy Waldron, Jr., was shocked when he applied for his first credit card and was denied. He was even more shocked by the reason: He was delinquent in repaying thousands of dollars in debt.  Waldron’s identity had been stolen by his estranged father, who left when Randy was a toddler. From 1982 to 1999, Randy Waldron, Sr., used his son’s Social Security number to obtain credit from various merchants and lenders, then racked up tens of thousands of dollars in debts. He declared bankruptcy in his son’s name, which resulted in default judgments against the younger Waldron. It has taken Randy Jr., now a 24-year-old flight attendant, years to untangle the mess."

This identity theft…criminal use of another’s SSN and name…occurred for around 18 years without the victim’s knowledge!  And then, the victim, who was not even making money during this criminal activity, was severely impacted for years.  And apparently this type of crime is not uncommon.

The fact is, there are no time constraints on using this type of information.  The fact is, most people are not going to change their names, SSNs or birthdates to make the data invalid.  The fact is, if nothing bad has happened within a few weeks, many, perhaps most, of the organizations that caused the mess…by poor data handling practices, lack of encryption, lack of controls, lack of awareness and training, lack of policies…are not going to step up and do what they should to protect the individuals, which at the least is to enroll them into credit monitoring services.

The fact is, once this much information has been stolen, chances are the culprits are not going to perform the crimes themselves…they possess very valuable information that they can sell…to thousands and perhaps millions of other criminals throughout the world…to use at their own leisure.

This particular statement hit a nerve: 

"Criminals aren’t going to be taking out 26 million loans (in the names of the veterans whose information was stolen). That’s a lot of information, and the thieves have time constraints just like everybody else. They want information on the wealthiest individuals."

What?  Crime with personal information can occur in so many other ways than just taking out loans.  The names, SSNs and birthdates are valuable items…they can be exploited in many ways, and over a course of time by many, many criminals.  It’s just not true that criminals only want information on the wealthiest individuals.  What data supports this?  If you know someone who has been a victim, or at least read the news on a daily basis, you know this.  The most frequently scammed and violated people are those that are not wealthy.  Very rarely do you read about the wealthy that have been victims.  According to various FTC studies and reports this is a widespread problem, and definitely not limited to only the wealthy.  The September 2003 Federal Trade Commission – Identity Theft Survey Report indicates that identity theft, and other criminal use of personal information, impacts people of all income levels.

When an incident occurs, organizations need to be pro-active, not reactive…not waiting until bad things happen to the individuals involved.

Of course, prevention is the best course of action.

  • Encrypt mobile data
  • Implement strong policies that are enforced
  • Provide training…awareness…more training…more awareness…more awareness…more awareness…almost all incidents involve people who did not know any better, but should have.

Yet Another Laptop Theft…This One With Info About 26.5 MILLION Military Vets

Monday, May 22nd, 2006

There was a widely reported Reuters story today, "Data on 26.5 million veterans stolen from home" about yet another laptop theft with massive amounts of personal information stored upon it. The theft took place sometime this month.  Data included names, social security numbers and birthdates.

The Department of Veterans Affairs spokesperson indicated the employee took home this large amount of data in violation of "rules and regulations and policies."

Well, it is good they had these policies in place.   Policies cannot prevent people from doing the wrong things, but they are necessary to establish the expectations for appropriate business activities, and the security framework for an information handling and processing environment.

Hopefully there are some strong sanctions policies also in place.  The employee was put on administrative leave during the investigation.

Policies, though, without communicating them to personnel will be ineffective…people cannot be expected to do the right thing if they are not told what the right thing is to do.  Is there a strong information security education program in place at these companies where such incidents are occurring?  I think of the oft-quoted Rumsfeld quote when these incidents occur and I question whether or not there is adequate awareness and training in place, "But there are also unknown unknowns – the ones we don’t know we don’t know."  Your personnel don’t know that they don’t know about information security risks if you have not been communicating with them.  This is a huge risk…ignorance is definitely not bliss for your organization.  Companies need to start beefing up their awareness and training efforts or these types of senseless and avoidable incidents will continue to occur.

Another U.S. Gov’t Site With Useful Cybercrime and Fraud Information

Monday, May 22nd, 2006

I just ran across another U.S. government sponsored site, Looks Too Good To Be True, with some information that could be useful for information assurance professionals, particularly small- to medium-sized businesses, in addition to the general public.  From a business practitioner perspective this site isn’t quite as useful as some of the other government sites I’ve mentioned; however, you can always find useful nuggets.  For example:

*  There are some awareness quizzes that businesses could either point their users to, or use to give them ideas for their own quiz questions.  The threat thermometer is cute; I don’t agree with some of the "temperatures" resulting from some of the answers the quiz taker gives, but it does provide a nice visual form of feedback.
*  The victim stories that web visitors have supposedly submitted are interesting; I didn’t realize there was so much activity going on with Internet-order bride schemes!
*  The consumer alert section is pretty good for your general computer user.  When you are implementing your awareness programs, it is good to go beyond the scope of just your own business security issues and communicate to your personnel the issues they need to know about for their own personal use.  Pointing them to these types of stories helps to keep information security issues at the forefront of their thoughts.

Keyloggers Proliferating…Personnel Continue to Take Bait…Not Surprising Considering Meager InfoSec Awareness Efforts

Thursday, May 18th, 2006

Okay, this story was widely reported starting Tuesday, "Websense survey says 50 percent rise in keylogger spying at work," but I’m just now getting to it.

"There was a 50 percent increase in the number of companies that reported spyware problems over the last year, according to the annual Websense Web@Work survey, the findings of which were released on Tuesday."

Hmm…yes, very interesting, but not that surprising.

""In April 2005, there were 77 unique password-stealing applications. In the latest March report, there were 197. Unique Web sites hosting keyloggers in the same time frame have gone up from 260 to 2,157–almost a 10-times growth,""

I’m not surprised, are you?  Just look how quickly other types of malicious code have grown over the years…exponentially.  It would be interesting to graph the occurrences growth trends of the different types of malicious code and overlay them…wouldn’t you think other types are still growing just as quickly…or more in some instances?

"The current survey also found that most companies believed that their staff could not distinguish between genuine sites and phishing sites. "Forty-seven percent of IT decision makers said their employees have clicked on phishing e-mails, and 44 percent believe employees cannot accurately identify phishing sites," Camissar revealed. "I am surprised that the results are not showing a larger growth in the number of organizations hit by this kind of threat.""

Now this does NOT surprise me at all!  Just look at the numerous reports about the meager awareness and training budgets organizations have for their information security efforts…E&Y, Deloitte and PWC have all published such surveys recently.  Your staff will not know how to distinguish real sites from bogus and/or malicious sites if you do not continuously remind them.  So, of course they are continuing to go to these phishing sites.
