How do you want YOUR data protected?
I have been asked to put together some of my thoughts around information security to share with a wider audience. While I could lead off with complicated or technical topics, I won’t. Instead, I’m going to talk to each and every reader, on the most basic of levels. Hopefully this change of view will resonate with some of the readers, and if it does, then I’ve achieved my goals.
How do you want yourself to be protected?
Let’s get started then. OK, most of you have automobiles, homes, apartments, perhaps children. Let’s talk about the basic security you perform without thinking every day. Most of you lock your cars and homes, and work very hard to keep your children safe. This unconscious process is not something you were born with; it’s a habit that you’ve taught yourself. While there are some genetic things that make you want to survive, we don’t normally operate in a constant state of fight-or-flight. We simply do what we do because we have taught ourselves, directly or indirectly, to perform those tasks to lower our risk of theft and harm. So what are some of these tasks?
We take for granted our remote controls for our cars, our door locks, the thought process around where to drive, and where not to go after dark. These are all learned behaviors. If you take a different route to avoid a high crime area, that doesn’t make you a bad person. That makes you risk aware. Your re-routing may take longer, but it is clearly safer, for a myriad of reasons.
When we talk about securing applications, data, and people, we are also asking that you take a slightly different route. We’re asking you to take the extra time to lock the doors, check the windows and ensure that you, and everything / everyone you are responsible for, is safe and secure. This is a very minor ask in the grand scheme of things. To take the time to think about how someone might try to gain access to internal systems to take business data is something that should be in the forefront of everyone’s mind. If you don’t do this today, you need to add it to your routine. Just like you added locking your home when you moved in.
In some businesses, there are also requirements around protecting customer data. This is a higher level of security that is needed, as your business is trusted with protecting that customer data. Privacy laws already exist in Europe and other parts of the world, and are coming to the United States. Wouldn’t it be wise to get ahead of those laws? Also, if your customer data is held within the company you are employed by, ask yourself this:
How do you want YOUR data protected?
Let’s take the analogy of a submarine. Any submarine has at least one hatch, and the vast majority of them have several hatches, valves and other areas where water can infiltrate the areas that humans are occupying. When a submarine is on the surface, many of these hatches are open. On older diesel submarines, there is/was a Hull Opening Status Panel (sometimes called the “Christmas Tree” or “Green Board”) that shows red and green lights for every hull opening that could allow sea water to enter the submarine. Before the submarine can dive, all of the lights on the board need to be green (showing closed/safe hull openings). It is not enough to secure all but one of the hull openings, all of them must be closed.
This equates to covering ALL of the information security requirements, not just to satisfy an audit, but to go beyond that and secure things to the SPIRIT of the requirements, not the LETTER. Sadly, most companies don’t see a value proposition (read: immediate return on investment, or money) in doing so. This is one of the major reasons that data breaches exist today. It is not because security is difficult, or that the “hackers” have better skills; it’s that companies aren’t willing to take the extra steps needed to properly secure their computers, data, and people. Believing that it is difficult is simply a delusion, perpetuated by people that don’t want to do the extra work, or pay the extra money, to secure themselves. This would be like someone living in a cardboard box complaining that someone stole their belongings, while they left it unattended. When you leave things out in the open, people are curious by nature, and will look through it. Be sensible.
There are several types of audits that should be accomplished, and the results of these must be shared with business partners, trading partners, and some regulatory agencies. While a company may pass an audit, it does not mean that the company is actually protecting the information properly, or even securely. For example, of every company that has been breached while subject to PCI DSS audit requirements, NOT ONE OF THEM HAD FAILED A PCI AUDIT! So, don’t be complacent with a “passed” audit. It only means that you’ve convinced an auditor, who has taken a 2 day class and an open book test, that you are compliant. Is this the type of “security” you want to rely upon for your data?
In an even smaller business arena, there are businesses that hold highly sensitive data about every person in the United States, the United Kingdom, and other countries. This data is highly regulated, and there are strict laws around the use, distribution, dissemination, storage and security of said customer data. You already know this from your annual training, however, most people only think about it once a year when they have to go through the training. Let’s talk about this data.
For any company working with Personal Identifying Information, or PII, there are significant responsibilities around this information. In each of the areas of the world mentioned above, there are laws around how the data is to be used, stored and secured. To put this type of information in perspective, think how it would feel for you to lose your wallet with all of your information in it, while you also know that there are people who are willing to pay real money for all of the information that your wallet holds (because there are).
Now think of how you would feel if your credit report was left out on a table in a coffee shop, or posted to a bulletin board in your grocery store?
How do you want YOUR data protected?
What are some of the things that you do that add to risk?
- Those shortcuts that you try to take? Risky
- The ambivalence that is expressed when you discover a weakness in the security? Risky
- Allowing Sr. Managers to cover up or ignore deficiencies? Risky
- Allowing PII to sit unencrypted for everyone to see? Risky
- Requesting old and outdated methods of storage, transport or delivery of information? Risky
These are akin to these real life examples:
- Your home locks are breached, but you don’t call a locksmith for two weeks.
- You look at the broken window, shrug your shoulders and say, “It’s not that big of a deal, no one is going to climb through those shards of glass.”
- Your local police tell you that there is nothing to worry about after your home has been burgled, and that you really don’t need to replace the broken front door that now doesn’t close.
- All of your private and personal information is written on a huge billboard, for all of your close friends, family, strangers, and thieves to see.
- Instead of driving a car to work, you choose to ride a horse, where there are only highways.
Do the above sound ridiculous? That’s because they are…
If YOU don’t take a few minutes every day to think about what you are doing with the information you are working with, you are contributing to the PROBLEM of information security. It would be wise for C-Level staff to lead with this idea… to make all employees more aware that everything they do, is either aiding or detracting from securing information.
Ask yourself: what could you do to make your company more secure?
That’s my 2¢, YMMV.
- Target Data Breach Much Worse Than First Thought…(news.filehippo.com)
- Think you’re now untrackable? Think again. HTML5 is now tracking you.(dc0de.com)
I was in a chatroom this afternoon, and saw a conversation go by from FnC about a problem with ASUS Technical Support not understanding why the MD5 checksums were not matching on the latest version of the RT-AC3200 wireless router firmware. ASUS is pushing this firmware upgrade as a security fix, yet the download cannot be validated. When they were called to explain why the discrepancy exists, he was met with an uncaring and uncooperative technical support representative. In FnC’s view, the technical support personnel that he spoke to didn’t even UNDERSTAND what the MD5 checksum was for, or why he was so concerned.
Taking the information regarding the firmware, I went out to do some validation on what he was saying.
He said to go to “http://www.asus.com/Networking/RTAC3200/HelpDesk_Download/”, select an OS, and download ASUS RT-AC3200 Firmware version 220.127.116.11.378.4145. I did this, and copied the checksum data as provided on their website. (MD5 checksum: 3F4CED45895966E595FA454D24CFF8D9)
The download appears to be coming from http://dlcdnet.asus.com/pub/ASUS/wireless/RT-AC3200/FW_RT_AC3200_30043784145.zip, and when I downloaded it and checked the md5sum, I received:
dc0de@t61:~/Downloads$ md5sum FW_RT_AC3200_30043784145.zip
Let me put this result together with the published result.

| Source of Data | md5sum |
| --- | --- |
| ASUS website (published) | 3F4CED45895966E595FA454D24CFF8D9 |
| md5sum (GNU coreutils) 8.21 | cd38a003f18c2302d469e6ae983e1cda |
Clearly something is wrong, and people should be looking at this very carefully.
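Checking a download the way the post does, as an added example (not code from the original post, and not ASUS tooling): the script hashes a file in chunks, compares the result case-insensitively with the vendor's published hex, and runs on a constructed stand-in file; the mismatching case reuses the digest ASUS published.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large firmware image never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algo="md5"):
    """Return (matches, computed_hex) for a downloaded file.

    Vendors publish digests in mixed case (ASUS printed upper-case hex), so the
    comparison is case-insensitive. A match only shows the file equals what the
    vendor page describes; it is not proof of authenticity, since MD5 offers no
    protection against a tampered page or a collided file. A mismatch means the
    image should not be flashed until the vendor explains the difference.
    """
    computed = file_digest(path, algo)
    return computed == published_hex.strip().lower(), computed


def demo():
    """Run the check on a constructed file (not the real ASUS firmware image)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "FW_constructed.zip")
        with open(path, "wb") as f:
            f.write(b"hello world")  # constructed stand-in for the firmware bytes
        good = verify_download(path, "5EB63BBBE01EEED093CB22BB8F5ACDC3")
        # Digest ASUS published for the real image; it cannot match our stand-in.
        bad = verify_download(path, "3F4CED45895966E595FA454D24CFF8D9")
        return good, bad


if __name__ == "__main__":
    for label, (ok, digest) in zip(("matching", "mismatching"), demo()):
        print(f"{label}: computed {digest}, {'OK' if ok else 'DO NOT FLASH'}")
```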
Wow, I’m happy to put last week behind me… however, over the weekend, my left kidney decided that it should try to pass a stone that has apparently grown there. Sadly, it only caused me pain, and didn’t pass… although, I tried…
Whee, now I have a Kidney Stone Timebomb in my left kidney waiting to move… Yum…
The good news? I’m ready for it, and I hope it decides to leave soon…
Tuesday started my week out poorly, with my elbow making a large cracking noise as I rolled my hand off of my mouse from left to right as normal. This crack was immediately followed by a sharp and severe pain in the joint, and a loss of 10º of extension. Any attempt to extend the elbow was met with painful resistance. I did what most people would do, I called my Dr’s office, setup an appointment, and got in to see her on Wednesday. For the rest of the day Tuesday, the pain level slowly rose, until it was a steady 6 (on a scale of 1-10, 10 being the worst), and I went home and took some pain relief. Wednesday morning, I saw my Dr, got some X-rays taken, and scheduled the referral with the surgeon who did my last elbow surgery in November of 2013, for Thursday the 23rd of Jan.
I go see the Orthopedic Surgeon on Thursday, who tells me the following: “Well, the sharp cracking sound was you breaking off a bone spur, and now it’s floating around in your elbow… I need to schedule an MRI so we can determine how best to remove the pieces, and possibly we’ll discuss removing the entire radial head of the radius.”
We spent a few minutes discussing next steps, and we parted, with the knowledge that someone will be calling me to setup the MRI, once Insurance approves.
In the meantime, I’m taking an extra heavy dose of Naproxen Sodium, and being very delicate with my elbow. Thankfully, typing doesn’t harm the elbow…
So, now I’m just in a holding pattern… waiting for the call to setup the MRI… or to hear what excuse United Healthcare will provide for denying it.
So, I get to spend the weekend resting, and keeping from using my right arm, until I hear back from the Ortho… Yippee!
Today has been an eventful day.
From dealing with my elbow popping and causing me incredible pain, to organizing a return visit to my surgeon to see what is wrong, to dealing with people at the office that don’t understand why they have to encrypt PII being sent to a 3rd party.
As I drove home to get some pain meds for my elbow, less than a mile from home, I’m struck by another driver, who moved into my lane on North El Camino Real and made contact with the right rear of my vehicle. I contacted 911, who told me since there were no injuries, to share information with the other driver, and let the insurance companies deal with the issue.
The woman who was driving refused to provide her insurance information, and when I told her that I wasn’t going to give her any information if she wasn’t going to provide the information, she called the police.
So, when I finally got home, I wrote this up to memorialize the information from the accident.
I was driving a Blue Honda Accord (Vehicle A) in the left most lane on El Camino Real in Oceanside, approaching a slight left turn on to Douglas Drive. As I had passed the White Lexus (Vehicle B) in the middle lane, the driver of Vehicle B moved into the lane I was occupying, and struck my vehicle (A) on the right rear quarter panel with their left front quarter panel. As seen in the images below, the damage to the Honda (Vehicle A) is on the left rear quarter panel, and the White Lexus (Vehicle B) front left quarter panel is showing damage.
How this woman believes that this was not her fault, is beyond me.
Now to submit to insurance… groan…
Dear News Agencies – Please wake up.
Marc Rogers prepared a fantastic writeup on his blog entitled “Why the Sony hack is unlikely to be the work of North Korea.” I suggest that EVERY media outlet take a moment and review it. It is clear that there is far more research and digging to be done with regards to this security breach, and ANY future stories pertaining to Information Security breaches.
For the most part, (Brian Krebs being the primary exception), mainstream news has a significant knowledge gap when it comes to technology. They haven’t figured out how to report security breaches, without flogging the word “hack” or immediately blaming someone to gain headlines.
The most alarming part, IMHO, is that there is a chance that we will NEVER know the real root cause, however, Marc’s blog post does find some very insightful indicators that the North Korea angle is simply wrong.
Lastly, thank you Marc, for a well reasoned and thought out contribution to the current Sony issues.
Welcome to the December Holiday Season! With our current December busy schedules, we need to be aware data breaches also occur during the Holiday Season. Criminals understand that the holiday season is a very busy time, not just for individuals, but also for employers, companies, and all sectors of industry.
For those that may have missed it, 60 Minutes did a short 13-minute piece on Credit Card fraud, and for those that remember, there were several breaches this past year, and many of them were in place far before the 2013 Holiday Season. The main point of all of this is to create an environment where we can all be on the lookout for the risks, have open discussions, and to ensure that we are all doing our part to secure our personal information. Please take a moment to view the video.
Some Data Breach Presents for under your tree!
We have found a few infographics for you that show the number and sources of some of the largest breaches of 2013/2014. You can find them below.
As always, have a productive, safe and happy holiday season, from all of us here.
- 60 Minutes Video – As hacking of top retailers make headlines, Bill Whitaker discovers how insecure your credit card information is this holiday season(opensourcesinfo.org)
- More data breaches expected this holiday season(bizjournals.com)
- Avoiding credit card fraud in the holiday season(lexingtonlaw.com)
For those who have been following, there are some nuances of the latest Crypto Security flaws that may have been missed by most…
Adding to my previous post: you should not only completely disable SSL 3.0 and SSL 2.0, but consider disabling TLS 1.0 as well.
Another good site to test your browser / client for its security configuration is https://www.howsmyssl.com/
- New POODLE SSL 3.0 Attack Exploits Protocol Fallback Issue(threatpost.com)
- Not So Fast on BEAST Attack Mitigations (threatpost.com)
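Putting the advice above into a client, as an added example (not from the original post): a Python context that refuses SSL 2.0/3.0 and TLS 1.0/1.1, plus a probe that pins a handshake to one protocol version so you can see which versions a server still accepts. The hostname in the usage block is the test site the post names; the functions and their names are this example's own.

```python
import socket
import ssl


def hardened_client_context():
    """Client context that refuses SSL 2.0/3.0 and TLS 1.0/1.1 outright.

    PROTOCOL_TLS_CLIENT already excludes SSLv2/SSLv3 and turns on certificate
    and hostname checks; raising minimum_version to TLS 1.2 also removes the
    TLS 1.0 fallback that downgrade tricks such as POODLE's rely on.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()
    return ctx


def server_accepts(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to one version.

    Certificate checks are disabled for this probe because only the negotiated
    protocol matters. False can also mean the local OpenSSL build no longer
    offers that version at all (modern builds refuse TLS 1.0 at the default
    security level), so confirm old-version results with a second tool.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    host = "www.howsmyssl.com"  # the test site named in the post
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        state = "accepted" if server_accepts(host, 443, v) else "refused"
        print(f"{v.name}: {state}")
```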
Wow, that happened FAST!!! (time flies…)
Well, it’s now the middle of October. We’re back, and had a wonderful time in Hawaii, getting married, and spending our honeymoon in Wailea and Kihea on the wonderful island of Maui. For those who care, we held a very private ceremony on Po’olenalena Beach (aka Changs Beach) with only our officiant and ourselves. There will be photos, soon… as we’re waiting on them from the photographer.
Now on to what I missed and fell into upon returning.
The POODLE vulnerability
The Great Californian Shakeout
National Cyber Security Month
You may, (or may not) have noticed that there is a gap in my posting recently.
I’m getting married on October 4th of this year, and now I’m running at 110 mph finalizing and preparing to go out-of-town for that event! [I know, I can’t believe it either!]
I plan on returning to this space sometime after the middle of October with some new articles, opinions and thoughts around all things information security related.
Hope you all have a great week, and if you wish to contact us, please do so at dc0de at foundpackets dot org.