Blogs

(Page 2 of 5)
Rich Mogull pretty well nails the problem with respect to some of the recent breaches in the retail area. I couldn't have said it better.

In a previous life with an IT-GRC vendor, we played around with messaging that described "continuous compliance" vs. "point in time compliance". The idea was that as soon as the audit or regulator visit is done, compliance starts degrading as things change in the business (new IT infrastructure is added, staff come and go, business units are bought and sold, and so on). Lots of people identified with the reality that the compliance posture starts degrading as soon as the auditors leave the building. The compliance posture tends to start improving towards "being in compliance" only as the next audit draws near. But it turns out "continuous compliance" as a marketing message for an IT-GRC vendor went over about like "continuous root canal" might for a dentist.

I think where we need to get to is assuring a continuous state of security controls (prescribed in this case by the PCI SSC). That is not easy for technical controls (although The Open Group is working on a standard that may help in this area; details are here). It is very difficult for administrative and process controls that have to be assessed periodically by a questionnaire process.

Coming back to the folks writing the standards and regulations, they have this conundrum: there's probably only so much pain they can inflict upon those affected by the regs and standards. Increasing the frequency of audits helps, but increases the burden on affected entities.

Jim

The obvious answer is that it depends. It might be $1,500 if it's a nice new laptop with no data on it. News last week on the VA security breach from a couple of years ago sets a new upper bound on the value at $20M, which is the cost to settle a class action suit related to their "lost laptop" breach.

I see this development as sort of a second wave of external factors that will influence how seriously senior management considers information security. The first wave was all the security breach notification laws that force disclosure, and that have caused all of the publicity around them. No one in senior management wants to be the next TJX, Hannaford, or Heartland.

My hypothesis for a while now has been that we would see big class action lawsuits as a result of some of the breaches of the past few years, and the VA settlement is evidence that there can be huge financial impacts as a result of these breaches and the class action lawsuits. In the VA suit, I don’t believe they even proved any direct identity theft related to the breach. Money talks…and the class action legal community will likely move rapidly towards this opportunity. A class action lawsuit has already been filed in the Heartland breach as well.

Jim

Article that I co-wrote with Mark Willoughby, on compliance and cloud computing, part of a series of five articles, published on The Compliance Authority here (registration required).

Jim

I noticed on Rebecca Herold's blog (who provides excellent coverage of privacy/security issues) that today is international data privacy day. I tend to be a little bit of a cynic when it comes to things like this, but this seems to be a good faith effort to raise awareness of privacy issues. In researching who is behind this initiative, I found some great resources gathered by Intel here, to do with privacy for teens on social sites, and other privacy related issues.

Privacy is one of those terms that has many different dimensions, and it will be a big, front and center issue for a long time, I think. Growth of Web 2.0/social networking, and the increased notification of security breaches are drivers that will cause much more attention on privacy of our personal data. And, without a doubt, we'll see more activity from legislators in this area, as citizens and affected businesses start to get angry about how our PII is being lost and stolen.

Jim

Wow! Another retail/credit card breach, potentially 100 million credit cards at risk, as reported here:
Heartland Payment Systems, a credit card processor, announced today, January 20th, that up to 100 Million credit cards may have been disclosed in what is likely the largest data breach in history


Until we know more, it probably isn't fair to discuss the PCI compliance angle. But what initially struck me about this is that the last few really big retail security breaches have all involved malware being planted in the retailer's or processor's network. This software, after capturing card data, has to send it somewhere, through some communications channel. To me the really obvious key questions are:

1) How did this software end up on the network?
2) How do we stop this from happening in the future?

The less obvious question is why didn't they spot this sooner? Presumably these attackers have to send the valuable data they are stealing out of the processor's network, else it is worthless. Richard Bejtlich wrote a terrific book, Extrusion Detection, that is a pretty thorough analysis of how to use Snort and other tools to look at outgoing (to the internet) data flows and spot anomalous behavior that is usually indicative of a security problem, whether involving people or technology. Sure, it would be better to figure out how to stop this stuff getting onto one's network in the first place. But putting an extrusion detection capability in place as a tripwire would be of great benefit in limiting the scope and duration of attacks like this.

Jim
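To make the extrusion-detection idea in the post above concrete, here is a small baseline-and-deviation detector over outbound flow records. This is an added example, not code from the post, from Snort, or from Bejtlich's book. It assumes NetFlow-style summaries of outbound connections from a payment segment, shaped as (timestamp, source host, destination IP, destination port, bytes out); the flow records, host names and IP addresses are constructed, using the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 for "internet" destinations.

```python
"""Toy egress ("extrusion") anomaly detector over constructed outbound flows.
Added example; assumes (timestamp, src_host, dst_ip, dst_port, bytes_out)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address space; anything else counts as "the internet".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per source host, which external (dst, port) pairs it normally
    uses and the largest daily byte total it has sent to each destination."""
    dests = defaultdict(set)        # host -> {(dst_ip, port)}
    daily = defaultdict(int)        # (host, dst_ip, YYYY-MM-DD) -> bytes
    for ts, host, dst, port, nbytes in flows:
        if is_internal(dst):
            continue                # internal chatter is out of scope here
        dests[host].add((dst, port))
        daily[(host, dst, ts[:10])] += nbytes
    daily_max = defaultdict(int)    # (host, dst_ip) -> largest daily total seen
    for (host, dst, _day), total in daily.items():
        daily_max[(host, dst)] = max(daily_max[(host, dst)], total)
    return {"dests": dict(dests), "daily_max": dict(daily_max)}


def detect(flows, baseline, volume_factor=5, business_hours=(6, 22)):
    """Flag outbound flows that deviate from the baseline. Returns one alert
    per flagged flow: {"ts", "host", "dst", "port", "reasons"}."""
    alerts = []
    seen_today = defaultdict(int)   # (host, dst, day) -> bytes so far
    volume_alerted = set()          # raise the volume alert once per day
    for ts, host, dst, port, nbytes in flows:
        if is_internal(dst):
            continue
        reasons = []
        known = baseline["dests"].get(host, set())
        if (dst, port) not in known:
            reasons.append("new external destination")
        if port not in (80, 443):
            reasons.append(f"unusual egress port {port}")
        hour = datetime.fromisoformat(ts).hour
        if not business_hours[0] <= hour < business_hours[1]:
            reasons.append("outside business hours")
        key = (host, dst, ts[:10])
        seen_today[key] += nbytes
        ceiling = baseline["daily_max"].get((host, dst), 0)
        if (ceiling and key not in volume_alerted
                and seen_today[key] > volume_factor * ceiling):
            volume_alerted.add(key)
            reasons.append(f"daily volume {seen_today[key]} bytes exceeds "
                           f"{volume_factor}x baseline max {ceiling}")
        if reasons:
            alerts.append({"ts": ts, "host": host, "dst": dst,
                           "port": port, "reasons": reasons})
    return alerts


# Constructed "known good" week for one POS host: a store controller on the
# LAN and a card-processor gateway (198.51.100.9 is a documentation address).
BASELINE_FLOWS = [
    ("2009-01-12T10:03:00", "pos-17", "10.0.5.20", 445, 1800),
    ("2009-01-12T10:04:00", "pos-17", "198.51.100.9", 443, 2400),
    ("2009-01-12T16:30:00", "pos-17", "198.51.100.9", 443, 2400),
    ("2009-01-13T11:10:00", "pos-17", "198.51.100.9", 443, 2300),
    ("2009-01-13T17:45:00", "pos-17", "198.51.100.9", 443, 2100),
]

# Constructed day under review: normal gateway traffic plus an off-hours
# connection to an unknown host, a large push to the gateway, and an odd port.
NEW_FLOWS = [
    ("2009-01-20T02:15:00", "pos-17", "203.0.113.77", 443, 900),
    ("2009-01-20T10:00:00", "pos-17", "198.51.100.9", 443, 2500),
    ("2009-01-20T14:00:00", "pos-17", "198.51.100.9", 443, 60000),
    ("2009-01-20T15:00:00", "pos-17", "203.0.113.77", 8443, 700),
    ("2009-01-20T15:05:00", "pos-17", "10.0.5.20", 445, 5000),
]


def run_example():
    return detect(NEW_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for a in run_example():
        print(a["ts"], a["host"], "->", f"{a['dst']}:{a['port']}",
              "|", "; ".join(a["reasons"]))
```

Two design points carry over to real tooling: the volume check compares against a per-destination daily baseline rather than a single-flow size, so a compromised host pushing data to an otherwise legitimate destination still trips it, and the "new destination" check is what catches the case the post describes, where stolen card data has to leave through some channel the host never used before.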



The Open Group Security Forum has recently published two documents in the risk management area that are worth taking note of. The first is a Risk Taxonomy Standard. This standard fills a gap among the many risk management frameworks that are out there; it is definitely worth a look.

In addition, the Open Group Security Forum has also produced a technical guide, Requirements for Risk Assessment Methodologies. This document will be posted here in the next few days.

Both are freely available. If you are interested in the risk management subject area, The Security Forum has additional work ongoing in this area, and we would welcome your input and participation. Among our future risk management projects are cookbooks showing how to use the risk taxonomy standard with frameworks such as COSO ERM, Octave, and other risk frameworks.

Jim




A shameless little self-promotion: The Open Group is putting on a security-focused conference in San Diego, 2/4-2/5. The big topic is "Security of Cloud Services", and a first-rate slate of speakers from Burton, Forrester, Google, Amazon, IBM, Salesforce, Juniper, and Qualys are scheduled to address this issue.

In addition, The Jericho Forum will be discussing their past accomplishments, and presenting their future vision at this conference.

For more details, see: http://www.opengroup.org/sandiego2009-spc/

In addition, on 2/3 The Open Group will host the Enterprise Cloud Computing conference, which will look more generally at cloud computing issues in the enterprise. This event is co-located with the SPC above in San Diego.

If you have an interest in cloud computing, and the security of cloud computing services, these events are definitely worth checking out.

Jim

An interesting study on the financial impact to financial institutions of the TJX and Hannaford breaches is here. It was conducted by the Maine Bureau of Financial Institutions, and looks only at the costs borne by Maine financial institutions (Maine chartered banks and credit unions). Some summary findings: the TJX breach affected 52 institutions, comprising 64,825 accounts, and $485k in recovery cost (they considered costs in four areas: investigation, communication, reissuance, and net fraud). Hannaford totals were 71 financial institutions affected, 243,599 accounts affected, and $1.5M in recovery cost.

In an article on the study, Maine Herald reporter Edward Murphy suggests that lawmakers in Maine might be prompted to pass legislation forcing retailers to share some of these costs.

Interesting study and article.

My take on this is that we will see more legislation from the states trying to shift the cost from the financial institutions back to the retailers in the event of security breaches that impact financial institutions. In terms of fairness, it seems right to me that the total cost of lousy security from a credit card accepting retailer (including the costs to individuals and financial institutions) should go back to the retailer.

Minnesota is the first state I am aware of to already pass such a law, which I blogged about previously.

As a practical matter, having many states pass individual laws in this area will only deepen the compliance quagmire. It will be like the proliferation of individual (and different) breach notification laws all over again.

I think an interesting question in this area is whether compliance with PCI DSS constitutes due care and due diligence. In other words, whether a state law that shifts the cost burden exists or not, if I'm a financial institution that has a large unexpected cost associated with a retailer security breach, I would like to be able to sue the retailer to recover costs. If I remember right, one of these retailers claimed to be PCI DSS compliant at the time their breach occurred. As a best practices standard developed by the industry, and with attestations of compliance, does that constitute due care and due diligence? I guess we'll need a lawsuit to find out.

Jim


I finally got around to installing and using NoScript recently. First let me say that I appreciate the functionality it provides, and the attacks that it prevents. Now that I got that out of the way, let me also say that it makes surfing the internet painful (if safer).

I would guess that in three weeks of use, 70-80% of the sites I access are trying to send me JavaScript, Flash, or the other things that NoScript blocks. On virtually every major website, NoScript blocks something or other; every PDF download, for example. And I understand that you can tune the product site by site (or even page by page) to allow some scripts by default, so it gets less intrusive over time. The thing is, even for major websites, I basically have no clue as a user which scripts might be OK. Some sites have 5-10 scripts on a page, many of which come from ad serving sites, etc.

The average internet user can't possibly cope with this. I know that I should in theory tip my friends and relatives off to use something like this, but trust me, I can't devote the time that would be required to support them using it.

It's another example, I think, of application development technology (all that AJAX stuff…) and deployment racing ahead of security, causing security vulnerabilities (browsers that allow this stuff in) and threats targeting the vulnerabilities. And then the inevitable security solution response causes things to not work too well, resulting in user backlash. This action/reaction scenario has been playing out for the 24 years I've been in the security industry anyways.

How do we flip this paradigm, because this just isn't working?
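The site-by-site tuning the post describes is, underneath, a default-deny policy keyed on the host each script is served from. The following is an added example of that decision logic, not NoScript's own code: the page and script URLs are constructed, and the "registrable domain" helper is a deliberate simplification (last two labels) that ignores multi-label public suffixes such as co.uk.

```python
"""Default-deny, per-site script policy in the style of a NoScript allowlist.
Added example; hostnames are constructed and registrable_domain() is a
simplification (assumption: the last two labels are the site)."""
from urllib.parse import urlsplit


def hostname(url):
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    # Simplification: treat the last two labels as the site. A real
    # implementation would consult the public suffix list.
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_under(host, domain):
    """True if host is domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def decide_scripts(page_url, script_urls, allowlist, trust_first_party=False):
    """A script runs only if its host falls under an allowlisted domain or,
    when trust_first_party is set, under the page's own site. Everything
    else is blocked. Returns {script_url: (verdict, reason)}."""
    site = registrable_domain(hostname(page_url))
    decisions = {}
    for url in script_urls:
        host = hostname(url)
        if any(is_under(host, a) for a in allowlist):
            decisions[url] = ("allow", "allowlisted")
        elif trust_first_party and is_under(host, site):
            decisions[url] = ("allow", "first-party")
        else:
            decisions[url] = ("block", "default deny")
    return decisions


def summarize(decisions):
    blocked = sorted(u for u, (v, _r) in decisions.items() if v == "block")
    return {"allowed": len(decisions) - len(blocked),
            "blocked": len(blocked), "blocked_urls": blocked}


# Constructed page: a news site serving its own scripts alongside a widget
# CDN, two ad-network hosts and an analytics tracker.
PAGE = "https://www.news-example.com/story/123"
SCRIPTS = [
    "https://www.news-example.com/js/app.js",
    "https://static.news-example.com/js/video-player.js",
    "https://cdn.widgets-example.net/embed.js",
    "https://ads.adnetwork-example.com/serve.js",
    "https://tracker.analytics-example.org/t.js",
    "https://s.adnetwork-example.com/pixel.js",
]


def run_example():
    """Fresh install (nothing allowed) vs. a user who has allowed the site
    itself and the widget CDN after a few visits."""
    fresh = summarize(decide_scripts(PAGE, SCRIPTS, allowlist=[]))
    tuned = summarize(decide_scripts(
        PAGE, SCRIPTS, allowlist=["news-example.com", "widgets-example.net"]))
    return fresh, tuned


if __name__ == "__main__":
    fresh, tuned = run_example()
    print("fresh install:", fresh["blocked"], "of", len(SCRIPTS), "blocked")
    print("after tuning: ", tuned["blocked"], "still blocked:", tuned["blocked_urls"])
```

The two runs show the usability problem in numbers: on a fresh install every one of the six scripts is blocked, and even after the user has allowed the site and its widget CDN, the three ad and tracking hosts stay blocked, which is exactly the set a non-expert user has no basis for judging.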

Data breach law impact

An interesting article is here, that describes the impact of data breach laws. The article rightly credits the California data breach law with starting the ball rolling on requiring companies to disclose security breaches. To date, 43 other states have followed suit. And in the five years that these laws have been in existence, a reported (disclosed) 245 million individuals have had their PII exposed.

The article calls into question whether the data breach laws are having any impact in reducing identity theft, and it cites a study by Carnegie Mellon researchers that compared the incidence of identity theft in states with and without security breach laws in place. The conclusion of the study was that there was little actual difference.

I can't quibble with the conclusion, nor with the study results, but I do think there's a different point to be made, which is that the existence of these laws has (IMHO) caused companies to "raise the bar" with respect to information security, spending more to protect critical IT assets and to protect our PII. Not that companies or industries are where they need to be in terms of providing adequate security, but the existence of the laws has helped; no organization wants to be sending out those letters to their customers that start "We're sorry to inform you…".

Think about all of those breaches getting reported (now) to do with lost laptops, tapes, USB drives. Encryption solutions for this market segment are a big deal now, as they should be. Now rewind about five years. Were laptops going missing back then? Sure. Did companies spend much on securing the data on these devices then? Not so much. The problem (pre-breach laws) was pretty much swept under the rug. Disclosure (or the threat of it) forces companies to be more responsible. And it probably helps to get Sr. Management a little more focused on spending adequately on IT security.
