Archive for July, 2006

Confidential Info on 100,000 Posted on Navy Website for 6 Months: 2nd Navy Breach Incident in 2 Weeks

Sunday, July 9th, 2006

Friday (7/7) the Naval Safety Center (NSC) reported personal information on more than 100,000 Navy and Marine Corps aviators and aircrew had been posted on its public Web site for over 6 months.  The data reportedly included Social Security numbers for current active-duty and reserve aviators and aircrew, and potentially every Navy and Marine aviator who has actively served in the past 20 years.

"The same personal information was contained on 1,083 Web-enabled safety program disks mailed to Navy and Marine Corps commands, according to an NSC statement. The center’s Web site has been shut down since July 7."

And yes, they had a similar incident just weeks ago.

"In late June the Navy Personnel Command (NPC) said it had discovered that personal data – including Social Security numbers and birthdates – on 28,000 service members and their family members had been published on a civilian Web site."

Where are the controls over this sensitive information?  If this is simply human error, where is the oversight?  Why isn’t someone checking these sites continuously to ensure nothing inappropriate is getting posted?  What are the policies and procedures in place to protect this type of information?  ARE there policies and procedures in place?

Hackers don’t need to break into most networks to get confidential information; they can just keep an eye on websites for whenever the information is posted.

The Navy, and probably every other government agency, needs to do a privacy impact assessment (PIA) to find where their other privacy breach risks exist, and they need to ensure security and privacy are built into their SDLC process to help keep this type of incident from happening.  And, of course, it definitely appears that their information security and privacy awareness and training efforts could be beefed up.

And yes, government agencies ARE required to do annual PIAs…but are they being done effectively?  It seems a lot is getting overlooked based upon the ongoing security breaches.

Managing the Impact of Privacy on Business

Saturday, July 8th, 2006

Privacy and trust are essential to maintain good relationships with customers, employees and business partners, as well as to comply with the growing number of privacy regulations worldwide. Addressing privacy touches all facets of an organization, including business operations, websites and services, back-end systems and databases, communications with third parties, customers and service providers, and legacy systems.

Over the past three years I have been delivering a 2-day workshop I created that addresses these issues, along with explaining practical steps for structuring an effective privacy governance program based on a privacy impact assessment.  I update the workshop each time I give it (approximately twice a year) to ensure all the latest privacy and related information security challenges are addressed.

I will next be giving the workshop in San Francisco on July 20 & 21.  For more information click here.  To save $100, enter the priority code SAN06 in the registration form.

I really enjoy giving this class and working with the participants on how to address their privacy governance challenges.  If you have the chance please join us!

Dept of Health and Human Services Makes HIPAA Tool Available

Thursday, July 6th, 2006

Yesterday the U.S. Department of Health and Human Services (HHS) published "HIPAA Privacy Rule: Disclosures for Emergency Preparedness – A Decision Tool."  The flow chart that is part of the tool should be particularly helpful for healthcare providers.

SMB Security Made MADDENING!!!! Security Vendors; Please Get Some Customer Service Skills!!

Wednesday, July 5th, 2006

Today was the culmination (at least I hope there is no more of this to deal with) of over two weeks of dealing with notebook computer hell…created through a combination of wireless woes (I just got wireless in May, but after a computer crash it has not been working correctly) and computer woes (got the "old" computer fixed to use as a backup and bought a new one…a LEMON…which I just exchanged for a brand new one out of the box this morning). 

I was elated with how well my new computer was running today…so fast…so quietly…so good I did a happy dance with my sons.  All was well…Internet access…email service…until…I installed Norton Internet Security Center and voilà…I could no longer send or receive email, even after many Norton setting changes…I could no longer get to some Internet sites, or some sites just loaded the HTML code, even after many Norton setting changes. 

Okay, fine, I’ll disable Norton.  Gee, did that help?  *NO*!!!  Well, then I’ll uninstall it…gee did that help?  *NO*!!!!  According to both my ISP and my hardware/software support service the error codes I was receiving on Outlook indicated that it was Norton still interfering with my computer’s communications with the outside world.  Apparently once Norton is installed it just does not want to go away.  Hmm…doesn’t that make it a type of malicious code itself?

Without going into minute details, suffice it to say that one of the MANY actions I took was calling Symantec’s "SUPPORT" line, and I found myself in an automated phone response nightmare.  What really ticked me off was that the Symantec computer voice indicated that I should get a priority number to be able to be helped most quickly.  It then rattled off the URL so quickly I had to listen to it 3 times to get the URL correct.  But, guess what?  *I COULD NOT GET OUT TO THE INTERNET TO GET THE D*MN PRIORITY CODE BECAUSE OF WHAT THEIR SOFTWARE DID!!!* 

Okay, fine, then I called them back…and after another 45 – 60 minutes of being the virtual silver ball in the Symantec customer support pinball phone system, I hung up.  I have never experienced such poor customer service…not even getting a real human…ever before.

AAAAAARRRRRGGGGGGGHHHHHHHHH

There are literally millions of small to medium sized businesses in the U.S….including sole proprietors such as myself.  Most do not have dedicated tech personnel on staff…we are OUR OWN tech support.  We spend enough time doing our own daily tech support activities without being pushed through a maze of "press number 1" for this and "number 2" for that when we need some technical support for huge problems a vendor’s software causes, making us spend inordinate and valuable amounts of our business time trying to figure out and fix the mess their software…bundled in with my computer and which launched itself automatically…causes.

Okay…thanks for letting me vent.  I also found out today that there *ARE* some vendors with very good customer service skills.  From my own experience today, I am very happy with CompUSA (at least the folks in the Clive, Iowa store), and I’m very thankful for being able to use and connect quickly with their software support partner, Dial-A-Tech, who helped me to finally get rid of all the claws Norton left imbedded in my system…I think I am finally working okay.

And yes, I have installed a different security package…I’ll not comment about it until I see how well it works for at least a week or two.

The lessons of this tale (besides allowing me to vent)?

  1. Vendors need to make sure their software doesn’t screw up a computer to an unusable state.  Yes, I know this is nothing new…but it is still worth beating the drum about.
  2. Vendors, particularly software vendors, and very critically security software vendors, need to establish GOOD customer service capabilities!  It would be nice if they had GREAT customer service…but you know, I’m starkly realistic right now, and I think just asking for good would be a huge improvement.
  3. Small and medium sized businesses often have no dedicated tech staff and have to deal with all these tech problems themselves.  If security vendors continue to allow their products to screw up the ability of businesses to function, most will likely not install security software.  I wrote about data breaches in small businesses in this blog in March; the use of security software would likely increase if less buggy, overzealously aggressive and downright disruptive security software were not so heavily marketed and forced upon the businesses purchasing their computing equipment. 

I think my ordeal is not unique.  There are probably thousands of small and medium sized businesses losing days of work and income while trying to address the technical problems caused by security software that does not work like it should.  Security vendors, if you really want to help improve security, improve your security products and improve your customer service.

Risky Business: Using Production Data for Test Purposes

Tuesday, July 4th, 2006

Today some stories ran in multiple UK publications, such as the Techworld’s "Firms play Data Protection roulette" discussing the use of production data for test purposes.  It contained some interesting, but unsurprising, statistics.

  • "Nearly half (44 percent) of companies use live data in test environments – something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware.
  • Half the directors (48 percent) were only ‘vaguely familiar’ with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.
  • A further "83 percent used only minimal measures such as using non disclosure agreements (NDA) to control data when outsourcing.""

These statistics come from UK organizations, and actually sound a little low.  Based upon the many business partner and vendor security program reviews I’ve performed I think the number of organizations using live data would probably be at least in the 75% – 90% range…admittedly a very unscientific estimate.

The article provides some discussion of UK’s Data Protection Act and provides a few high level recommendations.  It also reminds the reader of the risks of outsourcing and how such precautions as NDAs will still not stop the insider threat to data, such as the case of the outsourcer employee I blogged about a few days ago who committed fraud using the information he used to perform his job.

There are many, many more issues involved.  There are also many other laws and regulations that prohibit the use of live data for test, pilot and quality assurance testing…basically any type of use that is not for production. 

I wrote about this important topic in the December 2005 issue of the Computer Security Institute Alert newsletter, "Is There Privacy When Testing?"  I’ll plan to update the article and post in the reading room of my Realtime IT Compliance website sometime in the near future.

In the meantime, here are some paraphrased or abbreviated points from my article with a listing of some of the key points organizations need to address when testing, particularly how to deidentify production data to be able to then use for test purposes:

  • Test and development teams need to work with databases that are structurally correct functional copies of the live environments. However, they often do not necessarily need to be able to view real confidential personal information. For test and development purposes, as long as the data looks real, the actual record content is usually irrelevant.
  • De-identifying data is considered a leading practice, and is also legislated in regulations such as HIPAA.  Basically, when data is de-identified it covers, removes or alters real or production data so that the data elements cannot be linked to a specific individual.  Data that has been de-identified is generally considered acceptable to use in the test environment.

De-identifying Data
There are several options for de-identifying data, both operational and automated.  I go into more detail within the article, but here is the barebones listing to start your thinking around this topic:

  1. Data deletion
  2. Data NULLing
  3. Data Mixing
  4. Data replacement
  5. Data Substitution
  6. Encryption
  7. Interjecting Unrelated Text
  8. Modifying Numerical Data
  9. Using an Isolated Testing Environment

Whatever de-identification method you use, you need to make sure the de-identification results are appropriate for the context of the application being tested, and must make sense to the person reviewing the test results.

Because testing activities occur throughout the application lifecycle, organizations must consistently follow documented procedures to thoroughly test applications while at the same time staying in compliance with privacy-related laws, regulations and contracts.  And yes, de-identifying data will be challenging, but still achievable, when the application uses relational databases. 
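As an added example (not code from the original article), here is how several of the listed methods can be applied to constructed sample records in Python: substitution of the SSN with a keyed, format-preserving fake value so that related rows across tables still join, replacement of names from a fake pool, shifting of numeric dates, and NULLing of free text. The key, field names, name pool and sample rows are assumptions made for this illustration.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed key used only by the refresh job; it must never ship with the test data.
PSEUDONYM_KEY = b"example-key-rotate-each-refresh"

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
# Constructed replacement pool; a real job would use a much larger list.
FAKE_GIVEN = ["Avery", "Blake", "Casey", "Drew", "Emery", "Finley", "Harper", "Jordan"]
FAKE_SURNAMES = ["Alder", "Birch", "Cedar", "Dogwood", "Elm", "Fir", "Hazel", "Juniper"]


def _keyed_int(value: str) -> int:
    """HMAC of the real value: deterministic, so foreign keys in other tables
    still match after de-identification, but not reversible without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def substitute_ssn(ssn: str) -> str:
    """Data substitution: a format-preserving fake SSN in the 900-999 area
    range, which the SSA does not issue, so it cannot match a real person."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    n = _keyed_int("ssn:" + ssn)
    area = 900 + n % 100
    group = 1 + (n // 100) % 99           # groups run 01-99
    serial = 1 + (n // 10_000) % 9999     # serials run 0001-9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def replace_name(name: str) -> str:
    """Data replacement: swap the real name for one built from the fake pool."""
    n = _keyed_int("name:" + name)
    return f"{FAKE_GIVEN[n % len(FAKE_GIVEN)]} {FAKE_SURNAMES[(n // 8) % len(FAKE_SURNAMES)]}"


def modify_dob(dob: date) -> date:
    """Modifying numerical data: shift the birth date by a keyed offset of up to
    +/-180 days, so age-based application logic still behaves realistically."""
    offset = _keyed_int("dob:" + dob.isoformat()) % 361 - 180
    return dob + timedelta(days=offset)


def deidentify(record: dict) -> dict:
    """One method per field; free text is NULLed because it may hold anything
    (names, diagnoses) that the field-specific rules cannot see."""
    return {
        "id": record["id"],                    # surrogate key, kept for joins
        "ssn": substitute_ssn(record["ssn"]),
        "name": replace_name(record["name"]),
        "dob": modify_dob(record["dob"]),
        "notes": None,                         # data NULLing
    }


# Constructed sample rows, not real people; row 2 shows a repeated subject.
SAMPLE = [
    {"id": 1, "ssn": "123-45-6789", "name": "Jane Example", "dob": date(1970, 5, 4), "notes": "called re: claim"},
    {"id": 2, "ssn": "123-45-6789", "name": "Jane Example", "dob": date(1970, 5, 4), "notes": None},
]

if __name__ == "__main__":
    for row in SAMPLE:
        print(deidentify(row))
```

Because the same real value always maps to the same fake value, a copy of a relational schema keeps its joins intact after every table is run through the same job with the same key.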

However, there are many data de-identification solutions and vendors out there, just a few of which include:

I am not endorsing any of these, but provide them to give you an idea of the wide range of automated products available. 

OMB Issues Recommendations for Laptop and “Sensitive Agency Information” Security

Monday, July 3rd, 2006

I’m just getting around to reading the memo issued largely in response to the VA laptop and harddrive incident by the Office of Management and Budget (OMB) on June 23, 2006, "Protection of Sensitive Agency Information."  This is a good document to serve as a model for other agencies and organizations for protecting personally identifiable information (PII) and other sensitive information.  The key to making this document effective will be good communication of the policies, procedures and requirements through ongoing awareness and training.

Let’s look at a few of the items within this memo, issued by Clay Johnson III, Deputy Director for Management:

"I am recommending all departments and agencies take the following actions:

  1. Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by your Deputy Secretary or an individual he/she may designate in writing;
  2. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
  3. Use a “time-out” function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity; and
  4. Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required."

Why just make these recommendations?  Why not make them requirements?  This is weak wording and seems to allow for agencies to not follow these security requirements at their discretion.

Hopefully the OMB has documented what constitutes sensitive and non-sensitive information.  Otherwise recommendation #1 is also subjective and a weak statement to make…open again to interpretation.  They should provide a documented definition of what is considered sensitive and non-sensitive information…perhaps this is in their documented data classification policy, if they have one.

Requiring two-factor authentication from remote locations is a good security measure.  All organizations would be wise to implement this if they allow remote users access into network information that is confidential, is PII, or they have PII and/or confidential information on their remote computer.

Requiring reauthentication after a short period of inactivity is a good idea for any computer with access to or containing your organization’s data.  Less time than 30 minutes of inactivity would be better.

Logging data access is always a good idea also.
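Recommendation 4 expressed as a check that could be run over an extract register, as an added example rather than anything from the memo: it flags extracts holding sensitive data whose 90-day verification has lapsed, and treats a documented "still required" confirmation as restarting the clock. The register layout and its rows are constructed for this illustration.

```python
from datetime import date, timedelta

# OMB recommendation 4: each extract holding sensitive data must be verified
# erased, or confirmed still required, within 90 days.
VERIFY_WINDOW = timedelta(days=90)

# Constructed register rows; the field names are this example's own.
REGISTER = [
    {"extract": "payroll_q1.csv",  "sensitive": True,  "extracted": date(2006, 3, 1),
     "erased": date(2006, 4, 15), "reconfirmed": None},
    {"extract": "vets_addr.xls",   "sensitive": True,  "extracted": date(2006, 3, 1),
     "erased": None,              "reconfirmed": None},
    {"extract": "agg_stats.csv",   "sensitive": False, "extracted": date(2006, 1, 1),
     "erased": None,              "reconfirmed": None},
    {"extract": "audit_sample.db", "sensitive": True,  "extracted": date(2006, 1, 10),
     "erased": None,              "reconfirmed": date(2006, 4, 5)},
]


def next_verification(entry):
    """Date by which the extract must next be verified, or None when the rule
    no longer applies (non-sensitive data, or already erased). A recorded
    'still required' confirmation restarts the 90-day clock."""
    if not entry["sensitive"] or entry["erased"] is not None:
        return None
    anchor = entry["reconfirmed"] or entry["extracted"]
    return anchor + VERIFY_WINDOW


def overdue_extracts(register, today):
    """Names of extracts whose verification deadline has passed as of `today`."""
    return [e["extract"] for e in register
            if (due := next_verification(e)) is not None and due < today]


if __name__ == "__main__":
    print(overdue_extracts(REGISTER, date(2006, 7, 3)))
```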

It will be good to see the agencies issue these recommendations, with stronger statements, as requirements within each of their agencies and offices.

"Please ensure these safeguards have been reviewed and are in place within the next 45 days."

Well, this is a stronger statement…it sounds more like a requirement.  However, it’s likely the actual solutions (such as 2-factor authentication and encryption solutions) cannot be realistically implemented with 45 days…unless these initiatives are already in progress.  This is optimistic, although with good intention, and probably being stated in this way to help address the backlash from recent incidents.  All agencies should be able to have an implementation plan in place fairly quickly, though, showing an implementation timeline for each of the requirements.

The National Institute of Standards and Technology (NIST) checklist for protection of remote information is attached to the memo.  Again, this really is a great model to use for your own remote information asset protection plan.  I really like that they included the flowchart showing the process; visually providing the flow of procedures always helps those responsible for implementing them better understand what is involved, and how to do it correctly.

There are many references to NIST documents within the memo attachment.  I encourage organizations to visit the NIST special publications site to take advantage of this library of great information security guidance repository.

Red Cross Laptops Stolen: Finally, Laptops That Used Encryption!

Sunday, July 2nd, 2006

Yesterday the Dallas Morning News reported "Three laptops, one of them containing personal information on thousands of blood donors – including Social Security numbers and medical histories – were stolen from a locked closet in the Farmers Branch office of the American Red Cross in May."   

It is good to read that this data was encrypted.  The report indicates the information could be decrypted with a password, though, so hopefully they had a strong password in effect.  Effective and successful security all comes down to human decisions and actions, as do most information security issues. If the password was a good one, the data was probably safe…assuming it was not an insider with knowledge of the password who took the laptops.

BTW, the laptops were recovered. 

Encryption…”Maybe I will, GOSH!!”

Sunday, July 2nd, 2006

I got a kick out of a story posted yesterday in the Phasetwo blog, "IBM using Napoleon Dynamite quote to encrypt data." I love this movie…and to think it has been incorporated into encryption…"sweet"!  🙂 

""Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!". This phrase, from the movie Napoleon Dynamite, is the cipher key IBM are using to publish encrypted XML at this year’s Wimbledon grand slam. But is this a rather glaring lapse in security, or simply an anticipatory nod to curious hackers, many of whom surely rank amongst the fans of this quirky 2004 movie?"

Kinda looks like the IBM folks were experimenting with encryption in this case…it doesn’t sound like any confidential information was being protected with it.  It wasn’t even any critical IP they owned, was it?  I really can’t tell from my limited, okay, basically nonexistent, knowledge of this "font of live data." 

It’s nice to know some companies enjoy using encryption, isn’t it?  Heck yes!
