Blogs

New bill introduced in the Senate, the "Fostering a Global Response to Cyber Attacks Act", available here.

Maybe I have a strange sense of humor, but I find this amusing. It is a nothing little piece of proposed legislation; it just says that Congress has a sense that cybersecurity is bad (really? did y'all just wake up to this reality?). And, I know, let's work with other nations to fix things up. Oh, and the pin-the-tail-on-the-donkey part of it lands on the Secretary of State's office to make something happen, and report back to Congress on progress within 270 days (assuming this passes).

I have no argument that cybersecurity is indeed in a sorry state, nor that we should reach out to other governments to try and address some of the issues. As things stand today, attackers from many other countries operate with zero fear of getting caught or prosecuted.

I think it's a little naive to think that this is a Secretary of State issue (nothing against the Sec State, I just think that State would need a lot of help with this issue), and that much can be accomplished in the next 3 quarters. I generally applaud the recognition that there's a problem here to be solved.

Jim

Security and compliance

David Rice has a must read blog post here, on leadership of security and compliance. It includes this insightful observation: "In other words, compliance is blind to value and insensitive to risk."

He goes on to discuss how lack of a national cyber security leader is a problem.

Jim

This just in from riding the risk range: RIM is so far out in front with end-to-end enterprise-class mobile smartphone security, nobody is going to catch them before the ice cap melts in Antarctica. The battle is for number two.

In this corner the security challenger is the wildly popular Apple iPhone, riding the strength of the Apple brand and all the Steve Jobs cool. iPhone sales are single-handedly propelling AT&T's wireless sales in a poor market. Problem is, the iPhone is a cool consumer device, not ready for prime time enterprise work with sensitive information. Apple displays way more security savvy in concealing its product roadmaps and introductions, executive succession and Steve Jobs' whereabouts than in designing and building the iPhone. An entire cottage industry of third-party security solutions is attempting to fix the iPhone's security failings for the enterprise marketplace. Without AT&T's help to secure the iPhone user, device and session, good luck.

Palm and Google are making noises about providing enterprise-class security for their mobile devices; we'll see. Palm has already announced more security than that provided in the iPhone. Google is making a lot of claims for security baked into Android. It's still very early in the product cycles of these two, so stay tuned. They are clearly targeting the enterprise marketplace in addition to the consumer. The end-to-end security offerings for these two ultimately could be determined by the carriers supporting them.

Stay tuned for Microsoft and Nokia's Symbian. Both companies know security and could quickly rearrange the furniture with a future smartphone offering. More on this brewing street fight later.

This just in from riding the risk range: do not trust mobile wireless devices (can you say iPhone?) with any sensitive information.

Just about anybody with a mouthpiece in the security and compliance industry is talking about the increased risk of cloud computing. They should be; the risks of cloud computing are higher than those of traditional IT inside a controlled, trusted network. The ongoing risk dialogue around cloud computing has been good. It has started organizations down the path to identifying and understanding the issues, one small step for mankind.

The efficiencies driving cloud computing are creating a similar growth curve in mobile computing for the enterprise marketplace. See the amazing proliferation of smartphones, netbooks and other wireless devices supporting fully enabled web sessions and IP telephony. The security and compliance marketplace hasn't yet turned up the volume on the risks associated with the IP data stream supporting mobile computing. Mobile computing adds an entirely new risk dimension to everything it touches, in the cloud or inside a trusted enterprise network. This discussion is just beginning.

Don't try this at home: the risks are greatly compounded when a mobile user accesses cloud-based sensitive enterprise resources with a wireless device. You need to understand the risks and how to manage them before firing up the latest cool wireless gadget. Compliance is not part of the Apple/AT&T service. Bolting security onto the latest consumer wireless device is going to be more painful than a mouthful of root canals sans anesthesia.

Prima facie, assume no compliance. Empirical evidence shows Apple's security for enterprise usage to be equivalent to Microsoft's circa 2000, despite selling a million iPhones monthly. Fixing the flaws in the iPhone is going to be ugly and take a lot of time. If security is a requirement, RIM has a good security and compliance solution for the BlackBerry.

Do not beam yourself off the surface of the planet with an insecure wireless device. More on this later. Risk Ranger signing off, Hi-O Silver.

Here’s an industry with no regulation, no oversight, no one looking over their shoulders. And they collect A LOT of data about individuals, and they have a lousy record of securing this information. The industry in question is higher education, and as anyone who has gone through the college application and financial aid gauntlet can attest, colleges collect extremely detailed information on applicants and their parents. They get a copy of your taxes, income and expense info, SSNs for student and parents, and much more.

My son heads off to college in the fall; he did a great job in high school and got into a great school. We could not be prouder, but I digress. I don’t want to trash the school, but the university he is headed off to recently disclosed that a computer that held lots of records (thousands) of current and former students and faculty was stolen. Said computer had PII, including SSNs, on these individuals. Apparently not encrypted. No identity theft that they know of yet, and they are not saying much other than “we’re investigating”. C’mon folks, it’s 2009: identify systems that contain PII, restrict access to this information, and implement encryption. It’s just not that hard, and it’s not that expensive.

It struck me how frequently educational institutions pop up in news stories about security breaches, how much information they collect on students and parents, and that there’s absolutely zero oversight in the industry. Higher education accrediting organizations care a lot about quality of education, but I am not aware of any IT security standards they’ve put in place.

Having worked with some .edu’s (and in the very distant past I worked for one), I know that they have funding challenges (maybe more so than most other industries, in funding IT security initiatives), and their cultures tend to be open, sharing, etc., both of which make securing their assets tough. But really, given the kinds of data they collect and store about us, there’s just no excuse for poor security.

And from a big picture standpoint, I clearly see why we need a national data breach law, both to reconcile and make sense of conflicting state laws, and to cover all the gaps that exist in various industries, including (in this example) higher education. For better or worse (and I would argue better, on balance), the payment card industry took it upon itself to develop an industry-wide set of IT security standards, and a mechanism to enforce them. Maybe higher education needs something similar.

Work took me to both the RSA show and the InfoSec show this year (whose brilliant idea was it to schedule those two shows back-to-back, anyway?). Wandering around both shows a little, and talking to some of the vendors, it struck me that:

- there's a whole lot more that IT organizations have to comply with in the US: many more regulations affecting IT in more industry sectors, and more teeth in them

- US security vendors have grabbed onto compliance messaging for a few years now. Every security vendor claims to help with compliance, and 2008 seemed to be the year of IT-GRC at RSA.

- some of the US vendors at InfoSec were trying to use compliance messaging in the UK and Europe, I suspect to not much effect.

A few people I spoke with mentioned the Data Protection Act, which has little and lax enforcement. A couple of vendors specifically mentioned the UK GCSx Code of Connection, which applies to government entities connecting to the UK government GCSx network. But that's about it. The impact of PCI isn't really being felt in Europe yet either, based on the people I spoke with at InfoSec.

Maybe as a result of the lack of regulations, there were very few active IT-GRC vendors at InfoSec.

I have to believe that European firms are being targeted in the same way that US firms are, both by profit-motivated and state-sponsored hackers. The UK has had some high-profile data breaches in the past couple of years, although they have tended to be of the "lost laptop, lost memory stick" variety. It will be interesting to see what develops in terms of new regulations in the UK and across Europe. For now, in terms of compliance regulations and an emerging IT-GRC market, Europe seems a few years behind the US.

Jim

RSA observations

The big buzz seemed to me to be around two things:

1) The high-profile infrastructure and defense industrial base breaches, and the big changes that will inevitably result, with more government intervention and more regulation in these areas. An interesting panel was the one on Securing Critical Networks (Marcus Sachs of Verizon, Michael Assante of NERC, and 3 others). I learned a few things about the challenges utilities/energy face in securing their networks. Air gaps between SCADA networks and IP networks frequently don’t exist, and many of the devices in use have serious problems (inability to run A/V, patch issues, embedded OSes, simple password change issues). This industry faces technical challenges, and the usual “unfunded mandate” kind of challenge from NERC/FERC CIP. One of the panelists mentioned seeing Conficker traffic from medical devices (diagnostic equipment running embedded OSes) looking for updates. It struck me how similar the issues in energy and medical are, with critical networks (control networks in energy, and medical device networks in healthcare) merging with or being connected to IT networks, and with embedded systems that necessarily run older OS versions that can’t be patched frequently (think FDA-controlled OS releases). Big issues that will take time, money, and vendor creativity to fix. Let’s hope that the government (as it gets more involved) recognizes the real issues and helps solve the problems, vs. creating new ones.

2) Everything is cloudy. With the Cloud Security Alliance announcement and first deliverable, Jericho Forum’s cloud cube model, lots of panels talking about cloud security, and John Chambers talking about the vast security problems in cloud computing, cloud security was the topic du jour.

Other notes:

Session quality was just OK; it needs a little more diversity of speakers, and more case studies. I got the most out of a session by Jose Varghese of Paladion, an MSSP in Mumbai, who provided a case study of lessons learned running security and risk management for a large bank in India. He covered a huge amount of ground, talked very fast, and presented a lot of interesting, real-world findings.

Attendance seemed to be a little off to me, and there seemed to be not as many vendors there. Will information security be immune from the present recession? You might think so talking to vendors at RSA, but I think we’ll see serious attrition in the next twelve months. Not consolidation really, just attrition and going-out-of-business sales. It would be a fun time to be a BD/corporate development guy at a security vendor with deep pockets; you could see more broad-line security vendors created on the cheap.

Unintended consequences

Bob Blakley has a great blog post up here on the effect that privacy breach insurance may have on privacy. He describes how the concept of moral hazard applies to this area, with the unintended consequence that the actual privacy of data may get worse as a result. Worth reading.

Jim

A new cyber crime study about targeted and politically inspired attacks on countries was reported on in the NY Times today here. My first reaction was to just sort of shrug; this sort of attack has been going on for a while, and last fall saw similar attacks on the White House itself and on the Obama and McCain campaigns. The actual research papers (there are two related papers: one that addresses the targeted attacks on Tibet and the Dalai Lama is here, and a much broader study is available here) have a lot of interesting details; worthwhile reading.

The Dalai Lama attacks were pretty sophisticated, and highly targeted. Attack vectors included malware delivered via targeted e-mails to influential people in the "free Tibet" movement, and keystroke loggers which would transfer files and data out via HTTP. In addition, the study found that some of the computing practices in use contributed to the breaches (users storing files and data deemed sensitive on local machines that were also used to open e-mail and browse the internet).

I am encouraged, though, by what seems to be a more serious look at cyber security by the new US administration. Putting additional healthcare security provisions in the recovery act, to bolster security/privacy ahead of healthcare IT advances such as Electronic Health Records and health information networks, is welcome and needed.

The 90 day Hathaway cyber security review seems promising as well, as does the prospect of bringing cyber security under the direct responsibility and control of a White House official.

Obviously the stakes are pretty high, and whether the attackers are profit motivated or politically motivated, their capabilities are getting pretty scary. As the Shishir Nagaraja/Ross Anderson study points out, the typical enterprise wouldn't stand a chance against this kind of determined attack.

Jim

Rich Mogull pretty well nails the problem with respect to some of the recent breaches in the retail area. I couldn't have said it better.

In a previous life with an IT-GRC vendor, we played around with messaging that described "continuous compliance" vs. "point in time compliance". The idea being that as soon as the audit or regulators' visit is done, compliance starts degrading as things change in the business (new IT infrastructure is added, staff come and go, business units are bought/sold, and on and on). Lots of people identified with the reality that the compliance posture starts degrading as soon as the auditors leave the building. The compliance posture tends to only start improving towards "being in compliance" as the next audit draws near. But it turns out "continuous compliance" as a marketing message for an IT-GRC vendor went over about like "continuous root canal" might for a dentist.

I think where we need to get to is assuring a continuous state of security controls (prescribed in this case by the PCI SSC). Not easy for technical controls (although The Open Group is working on a standard that may help in this area; details are here). Very difficult for administrative and process controls that have to be assessed periodically by a questionnaire process.

Coming back to the folks writing the standards and regulations, they have this conundrum: there's probably only so much pain they can inflict upon those affected by the regs and standards. Increasing the frequency of audits helps, but increases the burden on affected entities.

Jim
