IT security in any realm involves logical security and physical security.  Logical security is the integrity of data (content), precision of associated processing, and the delivery of coherent, accurate, content.  In other words, data that reflects reality; data that does not mislead or distort various actuals by virtue of distortion/errors of input, process, and output.

Physical security is such things as locked doors on computer rooms.  It’s the safety and surety of infrastructure; protection against overheating, for example.  Physical security is often mundane; don’t set your coffee on a server, for example.

Mobile is especially vulnerable within the realm of physical security.  Devices are constantly transported, their owners on the go, and they can be lost or stolen.  Ensure that users make immediate reportage of loss or theft.  Consider strong encryption, as any content risks exposure.

As to logical security, determine whether users access organizational resources via a virtual-private-network (VPN), or the internet.  Also, ensure strong malware protections are emplaced on devices.

In BYOD environments, that last is especially important:  It’s hard to know where users will be surfing, and what manner of personal downloads will be transpiring.  Regularized scanning for viruses, malware, and unauthorized intrusions is imperative.

It’s interesting to me that the European Union’s European Commission is considering some standard rules for breach notification.  These rules would govern how companies make notification to stakeholders, and also govern their behavior throughout breach fallouts.

These “practical rules,” are being crafted from solicited input from the public, and also from national data protection authorities, as well as from consumer protection organizations.  In the wake of several high-profile breaches, it’s an understandable consideration (see several of my prior posts regarding breaches).

As stated by Neelie Kroes, the EU’s digital agenda commissioner, “The duty to notify of data breaches is an important part of the new EU telecoms rules.  But we need consistency across the EU so businesses don’t have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses.”

If transparency is key, as one of the stated goals, then I wonder why no mention of government?  What of government breaches?  Is there the same timely notification requirement for various agencies?  In terms of stakeholders’ wellbeing, the government harbors extraordinarily critical content regarding citizens and their interests.

It’s of further interest to me that many “experts” feel that breaches will be an ongoing problem, by virtue of the number of private companies, banks, agencies, etc., that gather and store ever-more personal and empirical data about customers, clients, patients, and so on.

I rather agree that breaches will be an ongoing problem – but not due to an expansion of data stores – that is, more targets.  Breaches will occur largely through careless harbor; poor security security practices, lagging security initiatives, and that most venerable and vexing problem:  human error.

Joe McNamee, the head of European Digital Rights, says:  “It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimize the data they collect and maximize their internal security,” he noted.

I rather think that breaches can be thwarted – with proper security protocols, proactive updating of environments to best security features and practices, sound training of personnel, and ever better encryption techniques.

Meantime:  I’m back to government:  What is their duty in notification of breached agencies and harbored data?  Nothing I’ve read has indicated government’s oversight of… government.   

I’ll also be curious to see what’s mounted, or attempted, in terms of government control here in the United States.

I’d like to hear from you.  What are your thoughts on “breach notification laws”?

Stay safe out there.

NP:  Elsa, Cannonball Adderley, jazz24.org

According to eWeek and others, approximately 200,000 card members’ accounts were accessed.  The specific information compromised were names, card numbers, and e-mail addresses – perhaps other contact info depending on what you read.

Fortunately, other critical information, such as birth dates, social security numbers, card security numbers (typically on the back of your card) and card expiration dates were not compromised, as they are stored elsewhere.

It’s heartening to know that there’s a discretionary storage of critical data:  That is, there is a separate repository for one set of data, but another repository (or repositories) for a complimentary set of data necessary for the “whole record” view of any one entity – in this case, person and associated credit data.  This separation of data, into separate “secured” (ahem) areas makes it a little more difficult, at least, to assemble the critical info necessary to make bogus charges or acquisitions of cash at the expense of card holders.

It’s disheartening to know, however, that any measure of breach occurred to any measure of system at Citigroup.  This isn’t to pick on them – for a little perspective, access the Privacy Rights Clearinghouse and their Chronology of Data Breaches.  That list isn’t even comprehensive – there are far more breaches, both reported and unreported, transpiring.

Citi is going to establish “enhanced procedures” according to Sean Kevelighan, spokesman for the North American Consumer Banking Division of Citi, in order to prevent future breaches.  Well, that’s all well and good, but I’m curious to know if these “enhanced procedures” are general industry established and known procedures – and if so, why were they not already instituted?  Also, the word “procedure” is an interesting choice.  It almost makes it sound as if internal human error compounded an insecure situation. 

And, I characterize the human failing of neglect, in keeping systems updated for latest security threats and actions, to be human error:  Whether someone is simply not approving budget for protections, or someone is lax in surveying for risk and matched solutions. 

Security solutions must be extremely aggressive.  They must constantly lead threats – by a wide margin. 

It doesn’t take much for a business to lose the faith of customers.  In fact, it can happen at just about the speed of a button push on a keyboard…

NP:  John Coltrane with the Red Garland Trio, original Prestige vinyl LP… what more needs to be said? 

It’s been reported that RSA Security has been attacked, with the result being “certain information… being extracted.”  Had you heard about this?  I was alerted to it through my Google Alerts.

As a slight aside:  I highly recommend the alerts – they deliver news and articles to you according to interests you specify, such as “Data Breach,” “Cyber Attack,” “Information Security,” and so on… or perhaps “Cloud Computing,” “Web 2.0.”  You get the idea.  Of course, “celebrity gossip” serves some too.  But I use it for career purposes and general professional knowledge.

Back to the attack:  RSA Security is a division of EMC².  EMC² has many contracts with our federal government, for many tens of millions of dollars, for their SecurID system.  SecurID generates a token which, used in combination with a password and user ID, grants secure (well…) access to systems at various government agencies.

These agencies include the Social Security Administration, the Department of Defense, and many others – it doesn’t get much bigger than this.

At present there is no data loss being reported (that is, customer or individuals’ data); however, it’s thought that the “extracted” information may grant a successful attack later – presumably with the further breach of critical content.

Art Coviello, RSA Executive Chairman, said:  “We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

Hmmm… “We do not believe…”.  Would those words reassure you if a solutions partner, a security partner, gave them to you in a similar situation?

SecureID is not only in use at government agencies.  A leading Fortune500 chief security officer has been quoted, albeit namelessly:  His company processes transactions worldwide for payrolls – and they use SecurID.  He states that RSA provided details, within minutes, on how the breach occurred so that they could defend against possible attack. 

Within minutes?  Color me skeptical on that one.   :^ )   Oh.  Perhaps they mean 180 minutes, 240 minutes – something like that.

In today’s environment, where the big dogs themselves are within risks that manifest, what should you do?  Learn how to spot signs of breach or malfeasance in your environment.  Put in the products and ally the security solutions partners that make you most comfortable.  But, don’t lean totally into vendors, solutions, and solutions partners. 

You have to also stand on your own in actively surveying for risk and possible incursions.

NP:  Falling in Love, Stan Getz, jazz24.org

It’s rather interesting to monitor what’s happening in the UK right now.  Data protection legislation is moving forward.  And… business there supports data protection legislation. 

A survey of 1200 businesses indicates that those businesses are concerned about the strength of laws:  Nearly 50% feel that laws are weak and require revision, and 87% believe that organizations should be required to divulge breaches of sensitive content where information about the public is involved.  [Source:  Sophos].

Here in the U.S., I rather doubt business is keen on more legislative oversight.  Generally speaking, I’m wary of new legislation – new laws must be thoroughly reviewed so as to guard against unintended – and negative – consequences, particularly where business is concerned.  In today’s economy, we don’t want to impinge businesses’ opportunities for hearty conduct and growth.

However, I do like the breach notification idea.  It serves a couple purposes that come readily to mind: 

-      Stakeholders (the public, customers, allied agencies…) are entitled to know about breaches that affect them, or ones that just have the potential to affect the general well-being of the business. 

-      Also, healthy exposure and just that potential help to motivate businesses in the currency of their ongoing security measures.

Particularly for small/medium business, and smaller government agencies such as those at county/municipality level:  Do you have in-house security professionals who cast the horizon for new threats, with attendant posture of proactivity?  And, do you have strong security partners in the form of advisors, vendors and allied security products?

How do readers of the Exchange feel about it?  Would you welcome new legislation?  Are you confident regarding data security in your organization?

July 21^st:  On this day in 1990, Pink Floyd’s The Wall is performed where the Berlin Wall once stood.