Security archives - TotalCIO


Apr 10 2009   2:39PM GMT

The Bourne Identity: A CISO sheds light on risk management mind-set



Posted by: Linda Tucci
Chief Information Security Officer, CISO, risk management, Security

Bonk CISO Larry Whiteside on the head, and like Jason Bourne he will wake up thinking about security in 12 different languages.

“For me, security and risk management is a mind-set. When I go into a restaurant with my wife and kids, I automatically see where the exits are,” says Whiteside. And how the waitress handles the credit card. How far the credit card machine is to another table. The location of the security cameras, the station of the guard.

“I am always thinking about the security scenario, not to take advantage of it, but to be aware,” Whiteside says.

Whiteside is chief information security officer for Visiting Nurse Service of New York (VNSNY), the country’s largest not-for-profit home health care provider. Some 130,000 patient medical records and pieces of credit card data fall under VNSNY’s watch. The organization must comply with the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard and the Sarbanes-Oxley Act (SOX).

Whiteside practices what is called a risk management approach to security compliance. I interviewed him this week for a story I’m doing on the topic. While his organization has many regulatory obligations, “the way I approach compliance is through risk. We do not focus on just ensuring we are compliant,” Whiteside says, stating the first principle of a risk-based approach to information security.

“When I look at new applications or systems or architectures, I am looking at the risks to our business and the risk to our information. Those are the things that are important, not does it meet a line item associated with HIPAA and SOX,” Whiteside says.

A risk management mind-set is always looking for patterns — not items on a regulatory checklist — that pose a threat to the asset one is responsible for protecting. So when somebody comes to him with a security problem, even if he knows nothing about the particular system or application, he can formulate a set of questions.

Incidentally, most CISOs live in a security mind-set, he says, whether they’re hard-core techies or recruits from the business side. “The methodology they follow by day at work is the methodology they live outside of work,” he says. At conferences, when CISOs unwind afterward with a drink, they invariably play a Where’s Waldo? version of security gaffes, competing to see who can spot the most security lapses. “It’s kind of weird if you are outside the circle.”

The mind-set can have its limitations, as in the adage, “If you are a hammer, the whole world looks like a nail.”

Indeed, when he is taken by surprise, it is typically by something that happens on the business side.

“You can’t believe that business would make that decision. You have that mind-set and forget people don’t think that way,” says Whiteside, who nonetheless never forgets what needs to happen next.

“But the fact is they went down that path, and you have to make it right. CISOs are support personnel. That is the reality. We are on the same side of the business as the help desk, and that is all we are. Until it can be determined how a CISO can make the company money, we will always be there to support.”

Dec 17 2008   5:36PM GMT

Disabling accounts after employee layoffs: A necessary evil



Posted by: Rachel Lebeaux
Security, Recession

Linda Tucci’s story on SearchCIO.com today on disabling accounts after employee layoffs and the security risks “orphaned” accounts can pose if not properly closed out was a timely one, of course. I’m actually sort of surprised we’re not seeing more stories about disabling employee accounts, considering November saw the loss of 533,000 jobs in the United States, and December layoffs might be just as bad - or worse.

If I may try to add some levity to the situation, the “orphaned accounts” story (particularly the line about one person who was still on the payroll six months after being terminated) reminded me of the first minute from this infamous clip from the film “Office Space.”

Now, I don’t think anybody would question that there are risks associated with leaving employee accounts open following layoffs. When you’re laying off IT folks, it’s even riskier, according to Tucci’s story, since these individuals “usually have the keys to the kingdom” and could wreak absolute havoc. Hmmmm, reminds me of a little IT hack incident earlier this year in San Francisco you may have heard about.

Unfortunately, I think the points touched upon in Tucci’s story might strike a chord with a lot of the people who read this blog - I know they struck me, both on a personal and professional level. It seems unnecessary to immediately disable the accounts of 99% of laid-off employees who wouldn’t dream of downloading sensitive company information. They might have downloaded a picture of a grandkid on their work computer, or may have even been in mid-email when their access disappeared. Yes, their computers belong to the company, but shouldn’t these employees have an opportunity - even if it’s brief and monitored by current staff - to recover those items? I believe so.

Precluding former employees’ access to their contacts and working documents with little or no warning could be bad for the business, too. Particularly if a company is laying off longtime employees who might have hundreds of contacts built up in Outlook, or have files that would be useful to others in their organization. If the employee is immediately locked out, then recovering and piecing through that business information is likely to be a lot more challenging for remaining co-workers.

And yet … I sure wouldn’t want to be the head of IT in a company that took a lackadaisical approach to disabling employee accounts after layoffs and was burned by one of the 1-percenters who caused problems in the system.

So for any of you with experience in layoffs: Have you gone with immediate system lockout, or ever considered a less drastic approach (for the reasons I cite above, or others)? Do desperate times call for Draconian measures, or is there room for a more personal touch?


Dec 10 2008   5:16PM GMT

Cybersecurity initiatives require education, shared knowledge



Posted by: Rachel Lebeaux
Security, Politics and IT

Cybersecurity initiatives aren’t about just you, the CIO, or your organization. And because of that, the solutions shouldn’t come solely from you, but from shared knowledge from all sectors.

The same model applies to the U.S. government’s approach to cybersecurity initiatives. The Center for Strategic and International Studies’ Commission on Cybersecurity for the 44th Presidency, a panel formed in August 2007 “after the United States suffered a wave of damaging attacks in cyberspace,” recommends that incoming President Barack Obama establish a new White House office and appoint a presidential assistant to oversee a “comprehensive national security strategy for cyberspace,” CNN is reporting.

As we noted last week, 2008 has been a very spammy year, with threats targeting social networking sites. The cybersecurity report takes the spectre of these threats even further, stating that cybersecurity is one of the major national security problems facing the U.S. and “all the tools of U.S. power” - diplomatic, intelligence, military and economic - are needed to deal with cybersecurity, CNN reports.

Some of the recommendations with regard to national cybersecurity should sound very familiar to enterprise CIOs charged with overseeing cybersecurity protocols in their organizations. For instance, the report recommends “requiring better authentication” of digital identities and limiting government purchasing to secure products and services. Research, training and education should also be expanded, the report says.

The lesson here? Your cybersecurity insights and experiences carry far beyond your individual organization’s walls. Share your cybersecurity stories and solutions with others. You can start by clicking the “comments” link below!


Dec 4 2008   5:18PM GMT

Social networking sites, credit fears leading to new spam attacks



Posted by: Rachel Lebeaux
Security

Symantec has released its MessageLabs Intelligence 2008 Annual Security Report, and social networking sites and the credit crisis are providing new platforms and fears upon which new spam attacks are being launched, CNNMoney.com reports.

“Web 2.0 offers endless opportunities to scammers for distributing their malware — from creating bogus social networking accounts to spoofed videos — and in 2008 the threats targeting social networking environments became very real,” said Mark Sunner, chief security analyst at MessageLabs.

“Web 2.0 thrives on user-generated content, as do the spammers. The ability to adapt to new mediums and upload enticing content as ‘snake oil’ to persuade an information-hungry user to activate it is one of the cybercriminals’ strongest talents and has made them successful in transforming deception into a fully scalable business model within the underground shadow economy,” Sunner said.

In addition, towards the end of this year, the credit crisis generated many new finance-related spam attacks as scammers tried to take advantage of the resulting panic and uncertainty. “Spammers increased the number of finance-related emails, including phishing attacks targeting banks and credit unions, lottery scams, loan and job offers and other financial enticements,” the report finds.

In particular, the article mentions phishing via fake profiles on social networking sites, which I’ve witnessed on Facebook this year. In a couple of instances, spammers managed to commandeer an individual’s screen name and post “wall” comments (linking to suspicious-sounding sites) as though they were that person. And I have certainly noticed an increase in the number of emails notifying me of the “contests” I’ve won if only I’ll provide bank account information, or “exciting job opportunities” for the unemployed. I thought I must have accidentally provided my email address to a questionable site, but it sounds like the number of those emails really has increased.

I’d encourage you to look over the full report to better understand the spam landscape. Among the report’s findings: Total spam levels peaked at 82.7% in February and averaged 81.2% for the year, compared with 84.6% the year before (so, surprisingly to me, the percentage of spam has actually decreased). As much as 90% of the spam was distributed by botnets.

For more information on spams ‘n’ scams, check out these SearchCIO.com stories on Angelina Jolie-inspired spam attacks and malware as a real threat when employees are doing holiday shopping on company time.


Nov 19 2008   10:39PM GMT

Electronic-discovery worries may lead to BlackBerry blackout for Obama



Posted by: Rachel Lebeaux
Security, Politics and IT

See, maybe we all shouldn’t have been so down on John McCain for acknowledging that he didn’t know how to send an email – apparently, it’s something presidents don’t do, thanks to electronic-discovery concerns. According to CNN.com, in taking his oath for office, President-elect Barack Obama is unlikely to carry his BlackBerry, and will probably not send an email for (at least) four years.

That’s because, according to the article, the president’s emails, whether personal or for business, are subject to a subpoena at any time and could be considered public records. Neither Bill Clinton nor George W. Bush emailed while they were in office, CNN reports.

“It’s all discoverable; it creates a trail that might end up in congressional investigators’ hands,” said Clinton press secretary Mike McCurry in the CNN article. If you want to delete White House email, you get a stern warning about archiving presidential records, he said.

Now, I’ll ignore the fact that CNN’s fact checker apparently missed a beat with this article (toward the bottom, there’s a psychology professor quoted from Keene State University, but it should be Keene State College – that’s my hometown). But I’m still kind of baffled and left at a loss with this whole issue. Naturally, the president wouldn’t want his private emails out there for the world to see. But am I the only one who thinks that there must be some better solution than the chief executive of the country living without email?

There’s a reason that email is so ubiquitous in the business world: It allows for communication across geography and time-zone differences. It can provide useful information more quickly and efficiently to a range of people, and certainly increases productivity, in my view. Shouldn’t the chief executive of a 300-million person “corporation” have access to the same tools on which other top executives rely, especially when he’s clearly already a “CrackBerry” addict?

Maybe the answer is to give Obama “read-only” access to his email. That way, he can feel in the loop without ever typing a sentence or hitting “send.” What would you suggest, given his current “BlackBerry blackout” predicament?

It’s up to Obama whether he keeps using email, of course – he’s the president, and I don’t think anybody can command him not to send an email. I’ll be curious to see which way he goes, and whether he feels more or less productive as a result.


Nov 7 2008   11:50AM GMT

Express Scripts data breach includes demand for money; FBI brought in



Posted by: Linda Tucci
Security

The Express Scripts data breach comes with an alarming twist.

Yesterday, the St. Louis-based pharmacy benefits manager revealed that it received an anonymous letter in early October demanding that it pay up or risk exposure of the records of millions of patient members on the Internet. Express Scripts did not say if the extortion letter specified an amount of money. The anonymous letter included the personal information of 75 members, including their names, dates of birth, Social Security numbers and, in some cases, their prescription information, the company said.

In its announcement yesterday, the company said it turned over the letter immediately to the FBI, which is investigating the threat, and hired outside experts to help in its own investigation of the data breach. The company said the 75 members singled out in the letter have been notified, and that it is unaware at this time “of any actual misuse of the information.”

A company website on the data breach and extortion letter states that Express Scripts staff members believe they “have identified where the data involved in this situation was stored in our systems and have instituted enhanced controls.”

One of the largest pharmacy benefit management companies in the country, Express Scripts provides prescription benefits to about 50 million people. The website said the company deploys a variety of security systems designed to protect members’ personal information from unauthorized access.

“However, as security experts know, no data system is completely invulnerable,” said George Paz, chairman and CEO.

“We have been conducting a thorough investigation since we received this threat, and we are taking it very seriously,” Paz said. “We are cooperating with the FBI and are committed to doing what we can to protect our members’ personal information and to track down the person or persons responsible for this criminal act.”

The New York Times said the company has not ruled out the possibility that the data breach was an inside job.

A Wall Street Journal blog says this is not the first extortion attempt involving health records.

“Just last month, the FBI announced the arrest of some guy who allegedly stole a computer server from the Indianapolis office of Medical Excess LLC, a subsidiary of AIG, that contained “personally identifying and health care sensitive information” of more than 900,000 people. The man is also accused of trying to extort AIG for $208,000 under a threat to release the data on the Internet, the FBI said. A spokesman for AIG told us that to the best of the company’s knowledge, no personal information was disclosed.”


Oct 2 2008   4:30PM GMT

Three men arraigned in alleged IT kickback scheme



Posted by: Rachel Lebeaux
Security

Three Boston-area men have been arraigned in connection with allegedly setting up kickbacks from a vendor in exchange for securing computer software and service contracts for Partners Healthcare.

According to the Massachusetts Attorney General’s Office, investigators discovered that between July 2003 and October 2007, Brian Colpak, owner of enterprise technology reseller Future Technologies, allegedly paid two men thousands of dollars for their help in obtaining contracts to provide IT systems and service for Partners and its entities, which include the Dana Farber Cancer Institute.

Before vendors can do business with Partners, they must complete a vendor application, and the winning bid is selected and must be approved by the department’s supervisor. The guidelines stipulate that the vendor cannot provide any members of Partners with rewards, gratuities or gifts.

Co-defendant John Dimille was a group leader in the production division of the information systems department at Partners, and had a great deal of control as to who was awarded the contract for the acquisition, installation and maintenance of these particular systems. As master engineer in Dimille’s division, co-defendant John Cleary played a major role in reviewing the contracts for these systems.

Authorities allege that Dimille and Cleary often would not solicit competing bids for contracts, or failed to engage other interested parties, before awarding Colpak the winning bid.

Colpak pleaded innocent in Suffolk Superior Court to four counts of commercial bribery and one count of conspiracy to commit commercial bribery. Dimille pleaded innocent to commercial bribery and conspiracy to commit commercial bribery. Cleary was charged with two counts of commercial bribery.

According to Future Technologies’ website, the company helped move Dana Farber to a large-scale data center based on two large Sun servers. The company claimed the cancer center saved $1 million a year.

Also, interesting to note: try Googling “John Dimille” and then click on the Future Technologies “Testimonials” page (for me, it’s the fifth result). Compare the cached version with the current version of the page — notice anybody missing?

Thanks to Universal Hub for the heads up.


Sep 5 2008   12:03PM GMT

Think like a hacker (and other World of Warcraft-inspired musings)



Posted by: Rachel Lebeaux
Security, Conference coverage

Yesterday, I attended Forrester’s security forum in Boston. In one of the morning sessions, “Exploiting Online Games,” Gary McGraw, chief technology officer at Cigital (and co-author of a book by the same title) discussed how online gamers are contributing to a multi-billion-dollar industry.

Online games draw up to 900,000 simultaneous users at any given time, McGraw said. The ubiquitous World of Warcraft has 10 million subscribers. If 10 million users pay the $14 subscription fee each month for a year to play the game, you’re talking about $1.68 billion. Wow. I am definitely in the wrong industry.

(Side note: I don’t know much about World of Warcraft, outside an excellent, Emmy-winning “South Park” episode…no, really, you think I’m kidding but I’m not. Probably NSFW, but here are some clips if you want to check it out later on.)

So why was McGraw presenting at a security conference? Because, in online gaming, security problems are built right into a successful business model. Game makers want millions of people to be accessing and interacting within their site. But what if they’re handing that piece of Internet real estate over to unsavory folks who might cause damage with it? And how do organizations in a Web 2.0 world deal with similar challenges?

To bring his point home, McGraw talked about Dan Farmer, whose controversial Security Administrator Tool for Analyzing Networks (SATAN) program would, essentially, allow companies to hack their own systems to determine their vulnerabilities. But, upon its release in 1995, Farmer’s employer fired him, fearing that it would increase malicious hacks.

The irony, McGraw says, is that nowadays, an IT exec charged with minding security could possibly be fired for not attempting to “think like a hacker” and protect his system accordingly. While his presentation got into the legal and financial ramifications of gaming, I think that the most important message for network security administrators was “think like an attacker,” and do the proper code review and architectural risk analysis on the front end to prevent problems later on.

Has your company adopted a “think like a hacker” approach to IT security? Any success stories you would like to share? Or just general love for “World of Warcraft” so that I can better understand the online sensation?


Jul 24 2008   1:12PM GMT

Maybe I should just keep my money under a mattress?



Posted by: Rachel Lebeaux
Security

There have been a lot of scary bank-related headlines the past couple of weeks, but I have to say that this one frightened me more than most: “Security flaws in online banking sites found to be widespread.”

According to a study by the University of Michigan, more than three-fourths of bank websites surveyed have flaws that can allow hackers to easily gain access to customers’ personal information.

“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” said Atul Prakash, a professor in the university’s Department of Electrical Engineering and Computer Science. “Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking.”

Some of the most common banking website flaws, the study finds, include:

  • Placing secure login boxes on insecure pages.
  • Putting contact information and security advice on insecure pages.
  • Having a breach in the chain of trust.
  • Allowing inadequate user IDs and passwords.
  • E-mailing security-sensitive information insecurely.

Gulp.

I was very proud of myself a few years ago when I set up centralized online access to all of my checking, saving and money market accounts. It made me feel more in control of my own money. And - in part because I don’t want to overdraw, and in part because I worry that a cyberthief who gains access to one could potentially access them all - I check their status almost every day.

Now, after seeing this study, I’m thinking twice a day.