Hammer Time


April 24, 2012  1:56 PM

Are Security Leaders that Incompetent or is Security simply still not a Priority within Organizations?



Posted by: Leroy

I’ve recently heard/read commentary on the panel discussion presented by Chris Nickerson, Marcus Ranum, and Alex Hutton at INFOSEC World 2012. First, let me start off by saying I respect each of these individuals as a thought leader in the industry and respect the contributions each has made to the Information Security field. Let me also say that I have not had a chance to actually attend INFOSEC World or to watch the presentation. This is important, as my comments are based on second- and third-hand explanations of the talk, and I apologize if I take anything out of its original context.

From my understanding, the main point of the discussion was that security leaders aren’t prioritizing security initiatives appropriately and, in many cases, simply aren’t intelligent enough to protect their organizations. In my experience, I actually agree with both of these points, assuming that they were actually made in the discussion. However, I think what may have been missed is that typically CSOs/CISOs aren’t the ones actually prioritizing security initiatives within their organizations but are simply taking marching orders from those who are. Let me use the movie Moneyball as an example. Brad Pitt, the GM of the Baltimore Orioles, is tasked with putting together a team that is competitive on the field. As such, he approaches the owner to ask for money to be able to sign big-name All Stars. The owner denies this request, as the Orioles are a small-market team and don’t have the same size wallet as a team such as the NY Yankees. The obvious problem with this is that it is hard to compete against a big-market team, such as NY, without allocating budget and spending money in order to do so. As can be seen, the owner of the team was perfectly content not improving his team significantly enough to actually be able to compete with the big boys.

Let me use another example. Let’s say my personal mission is to date the best-looking girl in the world. I hire my best friend as my dating consultant and say, “Here is 200,000 dollars, and the first thing I need is an Audi R8.” My buddy perfectly understands what my mission is. Does the fact that he knows what my mission is help him make better decisions and prioritize objectives when I have already told him what my first priority is? No. He is taking marching orders from me without having any real say as to what he actually believes is the best thing to do with the $200,000 I allocated to him. He could, of course, come back to me and say, “Andrew, I think we should take the money and use it for plastic surgery as, being the expert in the field, I truly believe this better aligns with your mission.” That’s the only real option he has, but at the end of the day he is at the mercy of what I tell him to do if he wants to stay employed as my dating consultant.

How is this any different from what happens in the Information Security field? Typically, when it comes to Information Security, objectives are already determined by upper management. Many times security leaders know what the right things to do are and what priorities the company SHOULD be focusing on, but because of lack of budget, resources, other business objectives, politics, etc., their hands are tied by what their bosses tell them is important. Many times, and as I believe was discussed in the talk, these priorities are based on regulatory mandates the organization is subject to. Obviously, most security professionals know that prioritizing security initiatives based on regulatory mandates does very little to actually protect your company. However, if you are a CISO and the CEO (you would be lucky if you directly reported to the CEO, as typically this is not the case) comes to you and says, “We need to be PCI compliant or we are going to lose our ability to accept credit cards,” that becomes your main objective and what you will be focusing on. Nothing else matters at this point, as you were directly told what your priority was by your superior and, oh by the way, you have a family at home that relies on you having a good job.

Look, all I am trying to say is that the individuals who gave this presentation aren’t your average run-of-the-mill security professionals. One of them is the founder of his own company. Obviously he has no problem getting budget or prioritizing security initiatives, as he reports to no one. It’s like the GM of the NY Yankees telling the GM of the Cleveland Indians that he has no idea how to run a baseball team. They aren’t operating on the same playing field. With that said, I do believe there is a fundamental problem with those who are tasked with running a security organization. Many of them think that because they have the CISSP certification, that somehow gives them the “know-how” to truly protect an organization and prioritize security initiatives based on business objectives and company mission statements. Again, I didn’t get the privilege of watching the presentation and apologize if I took something out of context. However, I have seen a lot of good security professionals fail not because they didn’t know how to protect the company, but because security wasn’t important to the company they were tasked to protect. These same security professionals thrived at other organizations that did take security seriously.

- Andrew

@AWeidenhamer

April 3, 2012  11:37 AM

“Girls Around Me” Application Pegged as Stalker Application



Posted by: Leroy

My thoughts on Bill Brenner’s blog post regarding the “Girls Around Me” application, found at the link below:

http://blogs.csoonline.com/social-networking-security/2115/they-should-have-called-it-stalker-app?page=1

Individuals need to start taking responsibility for their own actions and not blaming all their problems on someone or something else. This application is simply compiling information that is already publicly available and was provided by the individual. It’s a simple solution: if you don’t want to be stalked, then don’t provide all the information needed in order to do so. You can’t draw an analogy saying this is like “someone deserving to be raped because they were coming on to their attacker with a short shirt and skimpy, revealing top,” as I’m not sure there are any relevant studies or correlation between short skirts and rape. In fact, I think most studies actually show that most abusers choose victims based on power and not what their victim is wearing at the time.

I mean, if we are going to punish and/or crucify the company that developed this application, then we probably should just punish FourSquare and Facebook as well for providing the ability to check in to places, post pictures, and update relationship status.

As the old saying goes, don’t hate the player, hate the game. i-Free had a great idea and decided to capitalize on it, as they knew that this is something guys would use.

Whether or not i-Free violated FourSquare’s Privacy Policy is another topic of discussion.


March 26, 2012  8:07 AM

My Top 5 Security/Privacy Stories Over the Last Week (03/26)



Posted by: Leroy

1) http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/?view=pc

2) http://www.darkreading.com/database-security/167901020/security/attacks-breaches/232700065/anonymous-legacy-hacktivists-stole-more-data-than-organized-crime-in-2011-breaches-worldwide.html

3) http://www.darkreading.com/database-security/167901020/security/vulnerabilities/232700031/1-5m-fine-marks-a-new-era-in-hitech-enforcement.html

4) http://www.exploit-db.com/exploits/18666/

5) http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf


March 7, 2012  1:55 PM

My Top 5 Security/Privacy Stories Over the Last Week (03/05)



Posted by: Leroy

http://www.csoonline.com/article/701628/lulzsec-leader-39-s-digital-trail-led-rival-hackers-and-possibly-fbi-to-him

http://www.csoonline.com/article/701651/trustwave-buys-m86-security-for-undisclosed-sum

http://www.comptia.org/news/12-03-05/IT_Departments_Scramble_to_Keep_Pace_with_Mobility_Growth_CompTIA_Research_Finds.aspx

http://www.infosecurity-magazine.com/view/24295/rsa-2012-top-gman-says-anonymous-not-alqaeda-will-be-top-security-threat/

http://tsaoutofourpants.wordpress.com/2012/03/06/1b-of-nude-body-scanners-made-worthless-by-blog-how-anyone-can-get-anything-past-the-tsas-nude-body-scanners/


February 27, 2012  5:15 PM

My Top 5 Security/Privacy Stories Over the Last Week (02/27)



Posted by: Leroy

http://www.csoonline.com/article/700909/the-perilous-path-to-a-new-privacy?page=3

http://www.csoonline.com/article/700856/wikileaks-releases-stratfor-emails-possibly-from-december-hack

http://blog.securestate.com/post/2012/02/27/How-to-Protect-Yourself-from-Skimmers.aspx

http://www.informationweek.com/news/healthcare/mobile-wireless/232601422

http://krebsonsecurity.com/2012/02/half-of-fortune-500s-us-govt-still-infected-with-dnschanger-trojan/


February 21, 2012  8:58 AM

My Top 5 Security/Privacy Stories Over the Last Week (02/20)



Posted by: Leroy

http://www.darkreading.com/vulnerability-management/167901026/security/security-management/232601041/making-windows-secure-from-the-ground-up.html

http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232601036/flash-zero-day-used-in-targeted-email-attacks.html

http://eprint.iacr.org/2012/064.pdf

http://www.csoonline.com/article/700397/lieberman-cybersecurity-act-of-2012-will-help-us-protect-critical-infrastructure

http://33bits.org/2012/02/20/is-writing-style-sufficient-to-deanonymize-material-posted-online/


February 14, 2012  9:08 AM

My Top 5 Security/Privacy Stories Over the Last Week (02/13)



Posted by: Leroy

http://www.darkreading.com/cloud-security/167901092/security/application-security/232600667/tech-insight-penetration-testing-your-cloud-provider.html

http://www.csoonline.com/article/700046/mozilla-patches-critical-firefox-bug

http://packetstormsecurity.org/news/view/20577/Microsoft-To-Send-Users-4-Critical-Patches-On-Valentines-Day.html

http://packetstormsecurity.org/news/view/20565/Over-3-Years-Later-Deleted-Facebook-Photos-Are-Still-Online.html

http://yro.slashdot.org/story/12/02/13/2156214/europes-right-to-be-forgotten-threatens-online-free-speech


February 6, 2012  9:12 AM

My Top 5 Security Stories/News Over the Last Week (02/06)



Posted by: Leroy

http://blogs.csoonline.com/malwarecybercrime/2016/it-was-bad-anonymous-make-good-threat-attack-boston-pd

http://www.csoonline.com/article/699427/google-won-t-delay-new-privacy-policy-despite-eu-concerns

http://packetstormsecurity.org/news/view/20536/Pirate-Bay-Prison-Sentences-Are-Final-Court-Rules.html

http://www.bankinfosecurity.com/articles.php?art_id=4467

http://www.informationweek.com/news/galleries/security/management/232600174?pgno=1


January 30, 2012  9:24 AM

My Top 5 Security Stories/News Over the Last Week (01/30)



Posted by: Leroy

1) http://www.darkreading.com/mobile-security/167901113/security/news/232500591/hopping-aboard-the-mobile-payment-bandwagon-bring-a-helmet.html

2) http://www.darkreading.com/compliance/167901112/security/attacks-breaches/232500515/eu-s-more-stringent-data-privacy-proposal-poses-challenges-for-businesses.html

3) http://blogs.csoonline.com/social-networking-security/2007/some-say-facebook-timeline-privacy-threat-i-disagree

4) http://www.exploit-db.com/download_pdf/18415

5) http://www.fox8.com/news/wjw-orange-students-technology-security-firm-explains-txt,0,7602693.story


January 25, 2012  8:43 AM

Restaurant Challenges US Bank and the PCI DSS after Seizure of Funds



Posted by: Leroy

An interesting lawsuit has been filed by a Utah-based restaurant against US Bank after US Bank seized money from the restaurant for what US Bank claims was a failure to protect cardholder data. The owners of Cisero’s Ristorante allege that the bank forces merchants to sign one-sided contracts based on information that arbitrarily changes without notice, and that the bank imposes random fines on merchants based on what seem like arbitrary numbers without providing a sufficient method to dispute those fines.

http://m.wired.com/threatlevel/2012/01/pci-lawsuit/

A Complicated Challenge

This lawsuit is the first to really challenge the PCI Data Security Standard. However, I would argue it isn’t so much about challenging the PCI DSS as it is about challenging what appears to be a lack of notice within contractual agreements with acquiring banks, as well as the methods used to impose fines on merchants.

Focus on Consistency

I definitely agree there may be some underlying issues, especially with regard to the consistency of the fines passed down by Card Brands and Merchant Banks alike. The Card Brands definitely need a method to their madness, by creating some sort of formula/algorithm based on past actual damages/losses from breaches of cardholder information. Obviously, I’m assuming a method such as the one mentioned does not currently exist, which, according to Cisero’s counterclaim, appears to be the case. In addition, merchants need a way to dispute claims against them, and acquiring banks need to ensure that any changes within contractual agreements are clearly communicated to their merchants.

A Strong Case in the Face of Ignorance

So with all that said, I honestly believe Cisero’s Ristorante has a strong case and, in the end, will be able to retrieve some of the seized money, primarily for the same reasons organizations get sued for “unfair practices.” However, I do believe there are some pretty ignorant statements made in this article. First and foremost:

“It’s just like Visa and MasterCard are governments,” said Stephen Cannon, an attorney representing the McCombs. “Where do they get the authority to execute a system of fines and penalties against merchants? That’s a very important issue in this case.”

VISA and Mastercard are private organizations. No one is forcing merchants to accept these credit cards. Merchants choose to accept VISA and Mastercard because, from an overall business perspective, it makes sense. Cisero’s Ristorante basically claims that in order to compete, they had to enter into a merchant agreement. This may be so, but in the end, they ultimately CHOSE to accept credit cards. In other words, no one forced them to sign that agreement with US Bank. When a breach occurs, the Card Brands do incur a financial impact. To assume anything else is a bit ridiculous. If the Card Brands experienced no financial impact AT ALL from a breach of cardholder information, there would be no reason to pass down fines to Merchant Banks. Even if you assume no actual damage or loss to the Card Brands in the event of a breach (which I believe not to be the case), it still takes resources from the Card Brands to deal with a potential breach situation. Either way, it’s the right of the Card Brands to pass down some of the liability to Merchant Banks, who ultimately pass down liability to their merchants. This makes sense and is seen in many more cases than simply the PCI standard. Upward contractual obligation is not a new term and is certainly not unique to PCI compliance. The problem in this specific case, among many other things, is the fact that 1) no breach of cardholder information was determined by two different forensic companies and 2) the number of unique accounts used to invoke Visa’s Account Data Compromise Recovery (ADCR) process may have been inflated when reported to Visa.

Secondly, the below comment:

“The McCombs assert that the PCI system is less a system for securing customer card data than a system for raking in profits for the card companies via fines and penalties. Visa and MasterCard impose fines on merchants even when there is no fraud loss at all, simply because the fines “are profitable to them,” the McCombs say.”

This is a pretty bold statement without many qualifying comments behind it. The PCI DSS isn’t perfect; we can all agree on that. However, without PCI, organizations wouldn’t do anything at all to secure cardholder data. How do we know this? We know this because in 2008, it cost organizations on average $2.8 million to become compliant with the PCI DSS. Does anyone really think it would have cost organizations this amount of money if they had simply been implementing security best practices as soon as they made the business decision to accept our personal information? I mean, the PCI DSS isn’t even in line with what is typically considered security best practices. The second reason we know this is that companies are choosing to do nothing with regard to Privacy right now, even on the verge of looming comprehensive U.S. Privacy legislation. For this same reason, it will cost organizations a significant amount of money in 3 to 5 years when comprehensive privacy regulation is passed within the U.S. (Although probably not as much as PCI, as, rest assured, there will be lobbyists sitting on Capitol Hill arguing about how difficult it is to adhere to a new privacy regulation.)

Plus, how can one assert that there is no “fraud loss at all”? Is it possible that we don’t actually know the extent of the breach yet? It can take a couple of years after a cardholder breach for the attacker(s) to start using the breached credit card information in a malicious manner. Why is this? Because it helps cover up the breach and where it occurred. After a certain number of years, it’s hard to track where the stolen credit card numbers came from.

Again, many people want to pick on PCI. However, compliance mandates are necessary to force organizations’ hands into doing something to protect our information. There does, however, need to be a more consistent fine structure, and merchants should be able to exercise their right to dispute any fines passed down to them.

Transparency Needed before It’s Too Late

To summarize, although the PCI DSS is a necessary evil, so to speak, in this specific case I actually do side with Cisero’s Ristorante, but only for the aforementioned reasons. There simply is not enough transparency right now with regard to PCI fines, and Merchant Banks are not doing a good enough job of enforcing contractual requirements on their merchants until after it is too late.