Data security. “Adequate” is not good enough.

I’ve commented several times now on the gap I am seeing in data security where existing controls and processes are not going deep enough to prevent a potential data breach taking place. The recent Sony, Amazon, Google and Nintendo stories which have been all over the news only back this observation up.

I read a great blog this morning by David Lacey of Computer Weekly in which he talks about the Lockheed Martin data breach which also broke in the press recently.

David highlights 5 key points on data security controls which you can read more about in the link I have attached below -

  1. If you have secrets to protect, have more than one level of strong protection around your data
  2. Don’t do what everyone else does. “Best Practices” are not good enough to combat today’s threats
  3. Be imaginative. Don’t be afraid to use controls that others ignore
  4. If there is any suspicion that your authorisation system might have been compromised, address it immediately
  5. Have a catastrophe plan for major failures which have massive business impact

Did Sony, Amazon, Google, Nintendo and Lockheed Martin have all of the above in place? Possibly some. But not deep enough to stop them being “outed” in the press, with all the bad PR and the knock to client and market confidence that went with it.

I keep hearing from industry experts “have adequate controls to protect your data and keep the regulators & Big 4 audit firms happy”. The word “adequate” by its definition says that you have some controls in place, but they are not what you really need to protect against a data breach taking place.

Good blog David, and I’m with you in saying “do what needs to be done, not what you think should be done”.

For David’s full blog click here http://www.computerweekly.com/blogs/david_lacey/2011/06/lessons_from_the_attack_on_loc.html

Posted in Data Breach, Database Activity Monitoring, Database Vulnerability & Configuration Management

Another financial crisis “around the corner”. What’s that got to do with Alan Greenspan and data security?

In Monday’s edition of Bloomberg news (see link below), Mark Mobius, Executive Chairman of Templeton Asset Management’s emerging markets group said “another financial crisis is inevitable because the causes of the previous crisis haven’t been resolved”

But what has that got to do with Alan Greenspan, former Chairman of the US Federal Reserve, and the area of data security where I work?

In September 2009, Alan Greenspan said of the global banking crisis: “It’s human nature. Unless somebody can find a way to change human nature then we will have another crisis. This crisis will happen again.”

The same inbuilt security weakness of “human nature”, and the lack of monitoring controls for picking up evidence of anomalous behaviour and activity around data, still doesn’t seem to have been resolved either, judging by the major data security breaches which have been reported over the last few years. Does this mean that another data security breach crisis is “inevitable” or “will happen again”? Probably. However, will we really learn any lessons from what happens to make sure that it doesn’t happen again? Probably not.

There are a lot of similarities when it comes to looking at what has happened with the banking crisis and what has happened with the number of data security breaches which have been reported. Unless proper monitoring of “human nature” and human activity is put in place (and I mean in either the global banking sector or the data security marketplace) then I’m afraid the same old thing is going to happen again … and again and again … where businesses’ reputations will suffer.

http://www.linkedin.com/share?viewLink=&sid=s407300199&url=http%3A%2F%2Fbloom%2Ebg%2FmLXTV6&urlhash=QtJ9&pk=network_update_snippet&pp=0&poster=337137&uid=5481576093905330176&trk=NUS_UNIU_SHARE-title

Posted in Cervello, Data Breach, Database Activity Monitoring

Human Rights Act drives need for monitoring of employee data security

I attended a breakfast briefing presentation in London recently where Stewart Room, Privacy & Information Law Group Partner at Field Fisher Waterhouse, talked about the importance of management monitoring the security of their employees’ data to avoid breaching their responsibilities for this data under the Human Rights Act.

Stewart related the published story of an employee who took her employer to court for allowing sensitive data on her to be exposed which caused her personal distress, and who ultimately took her case to the European Court of Human Rights who found in her favour.

Nothing to do with someone hacking into the company’s IT or data systems here, or anyone inside the organisation deliberately breaching the security systems around her data. Just a case of personal, sensitive data on the employee being leaked, which was not only found to be a breach of her rights under the Act but which was also reported as bad publicity for the organisation.

Stewart highlighted that a security fence around data is just not good enough in its own right when it comes to protecting company data. Employers need to monitor what is happening with their data, or to the security structure around their data, to immediately alert management if a security breach is taking place which could expose them to potential legal action under the Human Rights Act.

For information on Stewart and his areas of expertise click below. Definitely an industry expert in his field. http://www.ffw.com/people/all/r/stewart-room.aspx

Posted in Best Practice, Data Breach, Database Activity Monitoring

Amazon cloud problem highlights need for independent fault reporting

Amazon’s data cloud environment went down last week causing the websites of many of their clients to cease functioning – and in most cases cease online trading also.

I wonder how quickly Amazon reported to its clients what had happened (although their clients would have become patently aware that their websites were down anyway)?

Cloud is getting all the heavy sales pitch and heavy press marketing just now. However, the area of cloud computing messaging which is getting missed out in all of the “plus points” going out to the marketplace just now is “how does management get independent visibility and reporting of any potential anomalies taking place within the cloud which could affect the integrity of their organisation?”

In the Amazon case, their clients would have become instantly aware that there was a problem as their websites would have been down. However, if there had been a problem at Amazon’s end which had nothing to do with a website they had been hosting, would the clients have known immediately that there was a potential problem with their data? I doubt it.

Independent, real-time reporting and true separation of duty away from the operational side of the Cloud is the only way it can be done. Otherwise, the responsibility for anomaly reporting is left in the hands of the companies hosting your data and services, and that cannot be good for protecting the reputation of your brand.

For more information on the Amazon story click http://www.bbc.co.uk/news/business-13242782

Posted in Best Practice, Cervello

Sony data breach. Will lack of trust drive users to another “play station”?

The Sony data breach story which has been all over the news today has shown, yet again, what can happen if an organisation does not have deep vulnerability identification and continuous activity monitoring controls around its clients’ data to identify a potential breach taking place before it even happens.

On the BBC News this morning, the newsreaders said that Sony had pulled in experts, after they had become aware that a breach had taken place, to establish what data had been compromised before the company made a statement to its customers and the marketplace. The words “Horse” and “Cart” come to mind!

Come on Sony, the damage had been done by then! The security controls experts should have been called in when you were setting up the security structure around your data, not after the breach had happened. It’s too late by then.

What will happen now is that Sony will be on a defensive, damage limitation strategy to convince its customers (and the marketplace) to stay with the company – which is going to cost the company a heck of a lot more money, and financial cost to repair the reputation of the company, than it would have done had it put better risk controls around its data in the first place.

Will all the Play Station users now jump ship? Not all of them. However, there will be some customer attrition as a result of this story, and the underlying reputation of the company will have been severely bruised when trying to attract new users.

An electric fence is not the ultimate barrier in the protection of data within an organisation. Management need to take it to the next level – continuous monitoring of the security position to immediately alert and report to management potentially vulnerable positions being created in the security structure surrounding the data OR potentially illegal or malicious activity taking place on the data itself. That way you are not dealing with the fact after the event.
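The two alert classes described above (changes to the security structure around the data, and anomalous activity on the data itself) can be shown as a small set of database activity monitoring rules run over audit log lines. The following is an added example written for this page; it is not code from the original post or from any product it mentions. The log format, the table names, the approved-account list and the thresholds are all constructed assumptions for the illustration, and the sample log lines are made up.

```python
"""Minimal database activity monitoring rules over constructed audit log lines.

Added illustration (not the original post's code). Two alert classes are covered:
  - "security structure" changes: GRANT/REVOKE/CREATE USER/ALTER USER/DROP USER
  - anomalous activity on sensitive data: unapproved account, bulk read, off-hours access
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# --- Assumed policy (constructed for this example) -------------------------
SENSITIVE_TABLES = {"card_data", "customers"}
APPROVED_ACCOUNTS = {"card_data": {"app_svc"}, "customers": {"app_svc", "crm_svc"}}
BULK_ROW_THRESHOLD = 10_000          # rows returned in one statement
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 UTC counts as business hours

# Statements that alter who can do what: a change to the security structure.
PRIV_CHANGE = re.compile(r"^\s*(GRANT|REVOKE|CREATE USER|ALTER USER|DROP USER)\b", re.I)
# Crude "which table does this SELECT read" extraction (first FROM target only).
SELECT_FROM = re.compile(r"^\s*SELECT\b.*?\bFROM\s+([A-Za-z_][A-Za-z0-9_]*)", re.I | re.S)

# Assumed audit line layout: <ISO-8601 UTC ts> user=<acct> host=<ip> rows=<n> stmt="<sql>"
LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) rows=(?P<rows>\d+) stmt="(?P<stmt>.*)"$'
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    rows: int
    stmt: str


def parse_line(line: str) -> Event | None:
    """Parse one audit line; return None if it does not match the assumed layout."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, m["user"], m["host"], int(m["rows"]), m["stmt"])


def alerts_for(ev: Event) -> list[str]:
    """Return the list of alert names raised by a single event (empty if benign)."""
    found: list[str] = []
    if PRIV_CHANGE.match(ev.stmt):
        found.append("privilege-change")          # security structure changed
    m = SELECT_FROM.match(ev.stmt)
    table = m.group(1).lower() if m else None
    if table in SENSITIVE_TABLES:
        if ev.user not in APPROVED_ACCOUNTS[table]:
            found.append("unapproved-account")    # who is touching the data
        if ev.rows >= BULK_ROW_THRESHOLD:
            found.append("bulk-read")             # how much of it left in one go
        if ev.ts.hour not in BUSINESS_HOURS:
            found.append("off-hours")             # when it happened
    return found


def monitor(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Run every rule over the log; return (line, alerts) for lines that need attention.

    Unparseable lines are reported too: a gap in the audit trail is itself a finding.
    """
    report: list[tuple[str, list[str]]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            report.append((line, ["unparseable"]))
            continue
        alerts = alerts_for(ev)
        if alerts:
            report.append((line, alerts))
    return report


# Constructed sample audit trail (not real data).
SAMPLE_LOG = [
    '2011-04-26T10:02:11Z user=app_svc host=10.0.1.20 rows=1 stmt="SELECT name FROM customers WHERE id = 4412"',
    '2011-04-26T02:13:05Z user=app_svc host=10.0.1.20 rows=48213 stmt="SELECT * FROM card_data"',
    '2011-04-26T11:40:00Z user=dba_jane host=10.0.9.5 rows=0 stmt="GRANT ALL ON card_data TO temp_acct"',
    '2011-04-26T11:41:30Z user=temp_acct host=192.0.2.77 rows=250 stmt="SELECT pan, expiry FROM card_data"',
    "garbage line with no structure",
]

if __name__ == "__main__":
    for line, alerts in monitor(SAMPLE_LOG):
        print(", ".join(alerts).ljust(32), line)
```

The first sample line is normal business use and raises nothing; the second is an approved account pulling the whole card table at 02:13, which trips both the bulk-read and off-hours rules; the third is the structural change (a GRANT) that creates the vulnerable position, and the fourth is the new account using it. Notice that the GRANT is caught before any data moves, which is the point the post makes about alerting on the security structure and not only on the data. Where the report goes matters as much as the rules: to match the separation-of-duty argument elsewhere on this page, the output of `monitor` would be delivered to the data owner, not to the same operations team whose actions it records.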

Posted in Data Breach, Database Activity Monitoring, Database Vulnerability & Configuration Management

Epsilon data breach forces management to look at third party security reporting

The Epsilon data breach story which broke in the press on Friday of last week (see Reuters weblink below) highlighted, again, the continuing problem facing companies, directors and management when outsourcing both the storage and the security structure of their data to third party organisations. It also brought to attention, again, the increasing responsibility being placed on management and company directors when signing off data security controls on behalf of their shareholders, investors and clients.

Citigroup, JP Morgan Chase & Co, Capital One and Walgreens were just four of the major names which had to issue urgent statements to their clients, and the marketplace, on Friday of last week informing them that a data breach had taken place on their personal information which they held. All of this would have been an exercise in public relations which they did not relish having to carry out, but which they were forced to do to protect the brand & reputation of their companies and to restore shareholder & client confidence in the data security processes surrounding their information.

I have written before about the responsibility of management and company directors in ensuring that the alerting and reporting processes of any security issues relating to the outsourcing of their data should come directly into them and not through management of the company hosting the outsourced data. This issue is only going to become more intense, and become more relevant, when it comes to monitoring and reporting potentially fraudulent or malicious activity taking place on data held in a Cloud environment.

Company directors, remember! If a data breach takes place as part of a third party agreement which you have, or if your data is held in the Cloud as part of an outsourced business model you are operating, then you are ultimately responsible for the sign off of those data security controls to your shareholders & investors – and most importantly to your clients. Yes, you will probably be able to sue the third party organisation for committing a breach of the contract which you have with them, or for not having proper security controls in place around your data, but you will ultimately be the person who is held responsible for the data breach having taken place.

Make sure that if you do outsource your data to a third party organisation you have monitoring controls in place on both the security structure of your data AND the content of your data, reporting directly into you – not to the management of the company hosting your data. This will give you immediate alerting of any potentially fraudulent or malicious activity taking place on your data before it has an impact on the company, PLUS give you true separation of duty away from the operational side of the business when it comes to reporting on your security controls to external audit firms and industry regulators. Only then will you be able to see for yourself if anything anomalous is happening with your data stored out of house, and ensure that you can take immediate and proactive action to clear or mitigate the threat to the company of a potential data breach.

For full Reuters details on the Epsilon data breach story see the following link http://www.reuters.com/article/2011/04/03/us-citi-capitalone-data-idUSTRE7321PI20110403?feedType=RSS&feedName=businessNews&WT.tsrc=Social%20Media&WT.z_smid=twtr-reuters_biz&WT.z_smid_dest=Twitter

Posted in Data Breach, Database Activity Monitoring, Database Auditing

NASDAQ server hack points to shortfall in data breach reporting

The story of the potentially malicious files found on the servers of NASDAQ OMX systems at the tail end of last year proved yet again that cybercriminals and potential rogue insiders are only increasing their efforts to breach, and undermine, the sensitive systems of the world’s major financial institutions.

It was obviously good to see that NASDAQ management had database activity monitoring and database vulnerability & configuration management processes and controls in place to alert them of the files sitting on their servers. However, what the NASDAQ story also exposed was the differing standards of data breach legislation currently in place in the world to report on these security issues.

An article released today reports that had NASDAQ’s servers been located in California rather than elsewhere in the US, NASDAQ board directors and management would have been forced to report the potential breaches immediately to all affected customers due to the Golden State’s laws covering data security breaches.

The issue of data breach legislation and data breach reporting is going to get tied up into one common standard eventually (this is also going to happen in the UK and Europe with new legislation which is coming forward in this area) to make sure that there are no loopholes in reporting standards when it comes to clients being made aware of potential data breaches of their sensitive information.

Watch out for common standard legislation coming this way on data breach reporting, and read the full article on what the impact of the NASDAQ breach could have been on customer reporting at http://news.hostexploit.com/cyber-security-news/4776-nasdaq-hack-points-to-shortfall-in-data-breach-reporting.html

Posted in Data Breach, Database Activity Monitoring, Database Vulnerability & Configuration Management

Information Commissioner data security findings revealing

The Information Commissioner’s Office published a report today highlighting that 92% of people they had surveyed do not feel that organisations are protecting their data sufficiently.

I talked in my last blog about the gap which is being left between the legislative, audit and regulatory requirements set out for data security and the deeper areas of data security which these guidelines are not addressing. This has only been backed up by what the Information Commissioner’s Office has said in their statement today.

When are we going to wake up and do what is right to protect data and not just “do the minimum” to get over an audit observation or a high level legislative or regulatory check list? The experts are out there to show what needs to be done to protect data at its deepest level. Again, do the maximum to protect your data and surprisingly you may find that it just gets your clients’ confidence back AND gives your data the real level of protection it needs to guard against the ultimate impact of a data breach or data loss.

For a full copy of the Information Commissioner’s statement go to http://www.ico.gov.uk/~/media/documents/pressreleases/2011/European_data_protection_day_news_release_20110128.ashx

Posted in Best Practice, Data Breach, Data Loss

Data security legislation leaving operational control weaknesses

I’ve been taking part in an online security discussion forum hosted by Stewart Room, Privacy & Information Law Group Partner at Field Fisher Waterhouse in London. The forum has been debating the continuing challenges facing data security and data protection from a cybercrime and cloud computing point of view, where emerging legislation is driving controls in this area.

The problem I am finding in the marketplace – and which has been expertly commented on by Stewart as part of one of the topics he put up for discussion – is that legislation is still not addressing the real operational risk to an organisation’s data when it comes to recommending proactive controls.

Stewart highlighted in the forum discussion -

The Data Protection Act requires “appropriate technical and organisational measures” for the security and confidentiality of personal data. Similarly, Court of Appeal case law requires controllers to implement appropriate controls to ensure the security of confidential information generally. Thus, the law drives controllers to implement appropriate controls against reasonably foreseeable risks.

I’m sorry but “appropriate technical and organisational measures” and “reasonably foreseeable risks” are not good enough, and are not going deep enough, when it comes to protecting the source of your data or that of your clients! By the mere interpretation of the statement set out by the Data Protection Act, the Act implies that there are other, more serious, areas of security risk to an organisation’s data which are not being addressed as part of the Act if “appropriate” and “reasonable” risk mitigation strategies are the measurements by which senior management and / or organisations are going to be judged as part of their overall data security risk strategies.

Board Directors and organisations are not going to be exempt from potential legal action, fines or loss of reputation from a data breach if they were seen to have signed up to controls which gave them “appropriate” and “reasonable” security risk strategies over their data.

The problem with adopting the Data Protection Act legislative approach to data security is that senior management are going to get a false picture of the full security risk to their data, held either internally within the organisation or externally within a Cloud environment. A tick list of legislative checks, or indeed external audit firm checks or regulatory checks, which does not go deep enough to give senior management the full picture of the security risk to their data is going to leave them open to areas of exposure which the legislative recommendation process is not going to cover.

You have to start from the bottom up when it comes to defining a proper data security controls strategy for your organisation, and not from a “high level” legislative position downwards. Legislative drivers and external audit checks are not going deep enough to define anything other than what is “appropriate” and / or “reasonable”.

Know what the full potential risk to your data is and then measure it against what the legislators, audit firms and industry regulators are telling you. Only then will you see the gaps in your data security strategy, which you currently know nothing about, that lie beyond “appropriate” and “reasonable” controls, and define what you really need to do to protect your data.

For informed legal opinion on data security and the legislative processes surrounding it – both current and emerging – I would thoroughly recommend following Stewart on his website at www.stewartroom.com and on Twitter at @stewartroom.

Posted in Best Practice, Data Breach, Database Auditing

Databases STILL open to security breaches. Will it be the same in 2011?

I’ve blogged, and referenced, many news stories this year which have highlighted the database security control weaknesses still being exploited by cybercriminals and rogue insiders. The WikiLeaks stories have only emphasised the data security breaches taking place, but why is the marketplace still not addressing some of these threats?

Lack of knowledge of where the database security vulnerabilities lie within their organisation? Yes. Lack of knowledge of where the data lies within an organisation in the first place? Possibly. Lack of visibility of “who is doing what” with your data, or to the security structure of the data, which could threaten the organisation? Most definitely.

I wrote a blog back in August of this year, “The ignored evidence of data breaches”, which talked about the findings of an independent data breach survey report which not only detailed where the attacks on databases were coming from but also where the evidence of data breaches lay within an organisation. A great report which guided organisations on what they should be doing to alert and report to management on anomalous activity taking place on their databases, and how to mine their databases for evidence of breaches which have possibly taken place.

Going into 2011, do I believe that management really have the full picture of what is happening with their data, or where the current vulnerabilities lie within their data security structures which could adversely affect the brand or reputation of the organisation? No.

My New Year resolution for them would be: find out what is really happening at the database level of your organisation and sort the problems out before the regulators and lawyers come at you. Emerging legislation and audit powers are continuing to come in the data protection area which will force management to address this ever increasing risk of data breaches to their organisations, and will include the power to impose further fines and corrective action if audit weaknesses are found.

For a full review of all blogs and articles I have written this year on database activity monitoring and database vulnerability & configuration management go to www.cervello.co.uk/blog

Posted in Data Breach, Database Activity Monitoring, Database Vulnerability Scanning