FAA data breach: 45,000 records possibly compromised
Yet again, another government agency tasked with protecting the security of our nation is compromised.
Hackers broke into the Federal Aviation Administration’s computer system last week, accessing the names and Social Security numbers of 45,000 employees and retirees.
The agency said in a statement Monday that two of the 48 files on the breached computer server contained personal information about employees and retirees who were on the FAA’s rolls as of the first week of February 2006.
I’m just hoping Barack’s cybersecurity ideas start inside and work their way out. It’s a shame when contractors and the private sector are held to a higher degree of security than the government.

StillSecure joins the MSSP game
StillSecure announced today that they are jumping into the MSSP game. With the purchase of ProtectPoint, they are positioning themselves to hedge their bets on the current economy.
I think this is a good bet, and a good place to be. I feel that it’s a little late to be making a move into MSSP, but it is still a good decision. With Verizon Business (CyberTrust), IBM (X-Force), and other companies getting into this game space, it only makes sense to see more hardware vendors jump in as well.
1) Skillset reuse and employee retention:
With a downward economy, most security vendors have talented employees who could easily reuse their knowledge of their own products, and of others. So instead of waiting out the economy, and waiting for management to pick your team off one at a time, you are still working and the company retains talent through a tough economy.
2) Leveraging a bad economy and the opportunity within:
Companies will spend less on security this year. This is a natural fact of a down economy. It makes more sense to sell a service that saves a customer from having to hire more security staff or provide more training.
3) It’s an easy sell:
See above. Plus, also consider that a company that can’t afford $150K for a new product could more easily swing $40K/year for a SNOC that provides equipment, service, and reliability that the company could not provide on its own.
In summary, smart move!
Let the lawsuits begin… Heartland’s breach turns litigious
While banks are scrambling, the first lawsuit over the Heartland breach has been filed. According to the complaint, filed in U.S. court in New Jersey, those affected were victims of Heartland’s negligence in protecting cardholder data. Customers are already complaining of fraud related to the breach.
My general complaint is that most credit cards hold the cardholder liable for the first $50. Then there is the downtime of not being able to use your card while a new one is issued. Much less, the breach of fiduciary trust required to do business with anyone.
This is exactly what PCI was supposed to protect us from. Once again, I feel that if the PCI doesn’t step in with a statement or action of some sort, we will see more of this.

Response to “Don’t throw out the baby with the bath water”
Over at StillSecure, Alan Shimel writes a good post on waiting to see what PCI does to Heartland, beautifully titled “Don’t Throw out the baby with the bath water”. I’ve posted the reply I left on his blog here, to add to my previous post:
Eric writes:
I agree, to a degree.
I look back at HIPAA and this incident (http://www.fiercehealthit.com/story/seattle-system-will-pay-100k-hipaa-fine-after-repeated-breaches/2008-07-19), where after repeated violations an eventual fine of $100,000 was levied. For most larger organizations, $100,000 is less than what they will spend on coffee service for the year. Using the standard equations on whether to apply mitigating controls, if $100,000 is less than the cost of implementing firewalls, IPS/IDS, and other mitigating controls, then the business decision is easy.
So we say the “shame” of the incident will affect their ability to do business and Darwin wins again… right? Wrong: at their breach site (www.2008breach.com) Heartland brags about obtaining 400 more customers since the breach.
PCI has a fine line to walk right now; on one hand the death penalty would hurt the already struggling payment card industry, on the other, all PCI-compliant customers are watching them to determine what the worst-case scenario really means.
What does Heartland’s breach mean to PCI?
So as most security practitioners know, Heartland Payment Systems (http://www.2008breach.com) was breached and a few million people’s credit information was compromised. Sadly, the full extent of the problem appears to be covered up by the criminal investigation. What can be assumed, from their response, is that the problem was:
1) Related to PCI data being sent in the clear
2) Possibly related to data being sent across the network
3) Possibly related to poorly secured databases
What irritates me about their response plan is that they sell their remediation plan as if they are going above and beyond the call of duty to protect their customers.
“Created plans and taken actions to expedite the development of end-to-end encryption - which will protect data in motion as well as data at rest - as an enhanced standard of payments security”
I’m sorry but that is not an enhanced standard, that should be THE STANDARD.
So what does this breach mean to PCI?
I think this shows us how PCI has “no teeth” at this point. I would fully expect this not to be Heartland’s first rodeo with a PCI audit. PCI doesn’t have the best security requirements, but it’s a start. Even minimal effort to check the boxes should have prevented this.
The PCI will need to make an example of Heartland and others if they ever wish to keep these crimes from becoming even larger and more commonplace than they already are.
Risk Management as a Leg of Security
What really hurts risk management is the issue of time to assess compared to time to act. I’ve been working on a risk assessment for a few months now, and I keep going down rabbit holes that take me back to square one. In order for the risk management program to be effective, it has to be practical.
If you work in an organization that has 20,000 employees across multiple geographic regions, and your management makes risk assessment and management a secondary job function, then you can’t expect a comprehensive program that will address and document each risk.
However, if you work in a 5-person shop, you can justify having one person do nothing but risk management.
There has to be a balance. This is where you put on your salesman hat and tap dance over to management.
In my case, I’m trying to sell them not on looking to risk assessments for compliance, but on looking to them as a leg in their security program.

Risk assessments are point-in-time pieces of the puzzle. Once you manage these risks over the life of the risk, you’ve created a risk management process. The tactics you take to mitigate these risks become the projects your teams work on, the programs they govern, and the processes they manage. These are all measured through your metrics. These numbers help determine your effectiveness in handling risk, as well as your ROI (or, if you are Hoff, Failure-On-Investment, FOI).
2009, the Year of GRC?
I’m getting the idea that 2009 will be a big year for Governance, Risk and Compliance packages. With the release of ISO 27005:2008 and several other 27000-series standards approaching, people have been asking the same questions. How do we manage compliance? How do we integrate compliance into our risk management program? How do we measure our successes with compliance and risk management?
I’ve been doing some research for my company and the answers are out there, though they are still ugly. Most of the products fall either in the category of overly complex and requiring full-time resources to manage, or overly simple and not meeting users’ needs.
I’ll keep an eye out, either way, and wait and see what shakes out in this emerging market.
When vendors go over your head
There is a nice debate going on between AndyITGuy and Alan Shimel. It all began when Andy wrote a post about a vendor going over his head to speak with the CIO of his organization. You can read the more detailed part from Andy here. In short, his frustration is that regardless of the salesperson’s situation, they should show professional courtesy towards their point of contact. Alan, partly playing devil’s advocate, partly just being Alan, proposed that the salesperson’s job is to sell the product to the company, not to the point of contact. He makes some good points here.
Andy provided a good play-by-play of their arguments here also.
Before I begin my rant, I have never been on the sales side. I have provided sales engineering, but that was closer to “up-selling” than “open-door selling”.
I do see both sides of the argument, but I do feel that unless the point of contact is doing something wrong (and not buying is not something wrong), they should not jump the chain of command. There is no better way to ruin a business relationship than to violate the trust between two parties, and I feel going around me is a violation of that trust. In my org, here is how that scenario plays out.
Vendor: Yes, Mr. VP I am Bob, I represent XYZ and I wanted to find out what we can do to close the deal we’ve been working on.
VP: Uh…okay, who were you working with on this…and how did you get my information?
Vendor: I’ve been working with Eric, but I feel he doesn’t recognize the importance of buying now and he hasn’t been too helpful.
VP: Oh…okay, I’m sorry you feel that way. Let me get Eric on the phone and find out if we can sort this out.
Eric: Hello?
VP: Hey Eric, Bob from XYZ is on the line, he tells me that you all are having some problems with the product?
Eric: Yes, as I told Bob, we’re not prepared to buy because the product is great, but it doesn’t fit our needs. I told him we’d reevaluate the product next quarter.
VP: Oh…gotcha, thanks for calling Bob…*click*
At this point, I drive over to Bob’s house and throw eggs at the door.
If this sounds detailed, it’s because this has happened before and it hasn’t been pretty. I took out the last part where our VP chewed out the vendor until the vendor hung up.
Should Security Companies Endorse a President?
Errata Security has made their pick for President known. I don’t, personally, have anything against them doing this. I do, however, feel there are a lot of factors that a company needs to consider before throwing their hat into this ballgame. Security companies depend a lot on their reputation. When a company issues political-leaning statements like “radical Democrat”, they may cause the general public to question any advice they receive from this company.
Most security vendors advocate education of users. We want them to make informed decisions and be aware of the threats and dangers that lurk. Gary Warner, who works on UAB’s spam project, is a good example of this. He travels the country speaking to other researchers and the general public about the dangers that lurk. If he began going to various political rallies for one particular candidate and made some opinionated statements, people may not want to hear the good his projects have done, for fear of having to sit through a political rant. Thankfully, Gary isn’t like that.
I guess it’s similar to when a Hollywood actor makes political statements. I find myself disliking Johnny Depp, Tom Cruise, and other political and controversial stars’ movies, because I can’t suspend my disbelief to get past “this is the guy who supports this stance” or “this is the actress that said that”.
Errata Security endorses McCain
Posted by Robert Graham at 1:35 PM
The choice in this election is between a small or large left-ward shift. McCain is a moderate Republican, Obama is a radical Democrat. A bigger issue than the candidate is the Democrat-controlled Congress. Our country was designed with the idea of checks and balances, but this system breaks down when the same party controls both the presidency and Congress. Our country has prospered most when different parties controlled these two branches of government.
