13. March 2010 · Comments Off on Verizon Business extends its thought leadership in security incident metrics · Categories: Breaches, Research, Risk Management, Security Management, Theory vs. Practice

The Verizon Business Security Incident Response team, whose yearly published Data Breach Investigations Reports I've written about here, has extended its thought leadership in security incident metrics with the release of its Incident Sharing Framework. Their purpose is to enable those responsible for incident response to "create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality (sic) and uncertainty, and help defend the organizations we serve." The document can be found here.

Of course Verizon Business is a for-profit organization and the license terms are as follows:

Verizon grants you a limited, revocable, personal and nontransferable license to use the Verizon Incident Sharing Framework for purposes of collecting, organizing and reporting security incident information for non-commercial purposes.

Nevertheless, I do hope that this or an alternative incident sharing framework becomes an industry standard which enables the publishing and sharing of a larger number of incidents from which we can all learn and improve our security policies and processes.

23. February 2010 · Comments Off on FTC warns 100 organizations about leaked data via P2P · Categories: Breaches, Next Generation Firewalls, Privacy

CNet News reported yesterday afternoon that:

The U.S. Federal Trade Commission has notified nearly 100 organizations that data from their networks has been found on peer-to-peer file-sharing networks, the agency said on Monday.

The FTC notices went to private and public entities, including schools and local government agencies and organizations with as few as eight employees to as many as tens of thousands, the FTC said in a statement. The sensitive information about customers and employees that was leaked could be used to commit identity fraud, conduct corporate espionage, and for other crimes.

Unfortunately, file sharing based on peer-to-peer technology is only part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse: the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.

Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore, if your network security infrastructure can only control or block peer-to-peer file sharing, you are solving less than half the problem.

For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Networks' Applipedia.


20. February 2010 · Comments Off on Top two attack vectors – remote access applications and third party connections · Categories: Breaches, Research

Trustwave's recently published 2010 Global Security Report shows that the top two attack vectors, by far, resulting in breaches are Remote Access Applications and Third Party Connections. Here is the list of the top five (percentage of investigated breaches in which each vector was present):

  • > 95% Remote Access Application
  • > 90% Third Party Connection
  • > 15% SQL Injection
  • > 10% Exposed Services
  • < 5% Remote File Inclusion

Clearly, for each breach they investigated, there was more than one attack vector (the percentages sum to well over 100%). It's also important to note that 98% of their investigations were on Payment Card Data breaches. No surprise, since Trustwave is focused primarily on PCI compliance. The report does not indicate what percentage of the breaches occurred at organizations for which Trustwave was the QSA.

Regardless of these caveats, I believe it is worthwhile to note the total dominance of Remote Access Application and Third Party Connections.

It is imperative that organizations upgrade their firewalls to provide network segmentation (zoning) and to be able to recognize and control the use of most major application categories including Remote Access Applications.

Unfortunately you will have to register here to get the full report.

10. February 2010 · Comments Off on Insiders abuse poor database account provisioning and lack of database activity monitoring · Categories: Breaches, Database Activity Monitoring, Log Management, Security Information and Event Management (SIEM)

DarkReading published a good article about breaches caused by malicious insiders who get direct access to databases because account provisioning is poor and there is little or no database activity monitoring.

There are lots of choices out there for database activity monitoring, but only three methods, which I wrote about here. I wrote about why database security lags behind network and end-point security here.

01. February 2010 · Comments Off on First HITECH lawsuit filed by CT Attorney General against Health Net · Categories: Breaches, Health Care, HIPAA

American Medical News reported today (Feb 1, 2010) that the first lawsuit has been filed by a state Attorney General for a personal medical information privacy violation under the HITECH Act. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had limited penalties for violations.

If the HITECH Act itself was not enough of a wake-up call, this lawsuit surely ought to be.

A week later, "Operation Aurora," which I discussed in detail here, is still the most important IT security story. PC Magazine provided additional details here.

Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine-year-old browser is a mystery to me, especially at Google!!

Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.

In conclusion, let me restate perhaps the obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:

  • Next Generation Firewall
  • Secure Web Gateway
  • Mail Server well configured
  • Desktop Anti-malware that includes web site checking
  • Latest version of browser, perhaps not Internet Explorer
  • Latest version of Windows, realistically at least XP Service Pack 3, with all patches
  • Database Activity Monitoring
  • Data Loss Prevention
  • Third Generation Security Information and Event Management

16. January 2010 · Comments Off on Google discloses breach and new threat type from China – Advanced Persistent Threats · Categories: Advanced Persistent Threat (APT), Books, Botnets, Breaches, Malware, Phishing, Privacy, Risk Management, Security Management, Trade Secrets Theft

Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.

First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."

I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.

Organizations have been so reluctant to publicly admit they suffered breaches that the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.

Regarding the attack itself, it represents a relatively new type of attack called "advanced persistent threats" (APT), which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear phishing, zero-day threats, and crafted malware here. The implications:

The world has changed. Everyone's threat model now needs to be adapted to the new reality of these advanced persistent threats. In addition to worrying about Eastern European cybercriminals trying to siphon off credit card databases, you have to focus on protecting all of your core intellectual property, private nonfinancial customer information and anything else of intangible value.

Gunter Ollman, VP of Research at Damballa, discusses APTs further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:

Malware is just a tool. The fundamental element to these (and any espionage attack) lies with the tether that connects the victim with the attacker. Advanced Persistent Threats (APT), like their bigger and more visible brother "botnets", are meaningless without that tether – which is more often labeled as Command and Control (CnC).

Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of default HTTPS access for Gmail.

Indeed, the threat landscape has changed.

10. January 2010 · Comments Off on Heartland to pay Visa up to $60 million for its 130 million credit card data breach in 2008 · Categories: Breaches, Legal

Heartland Payment Systems has agreed to pay up to $60 million to Visa and Visa issuing banks for its 2008 breach of data on over 130 million credit cards. The press release offers very little in the way of details and simply says, "Visa will present the details of the settlement in coming days."

A key question is whether this settlement includes the issuing banks' costs for reissuing cards or just losses due to actual card fraud directly related to the illegal use of the stolen card data.

Recently, credit card issuing credit unions and their insurance company lost a lawsuit they filed against BJ's and its acquiring bank, Fifth Third, for losses they incurred as a result of BJ's 2004 breach. The key difference with this settlement is that Visa was directly involved in the negotiations. If Visa were to terminate Heartland's Visa card processing contract, it could be an existential blow to Heartland.

The amount of this settlement blows well past the $12 million CEO Bob Carr said Heartland set aside when he announced the $3.6 million settlement with American Express. Of course, it may be years before we know (if we ever find out) exactly how much Heartland actually has to pay.

03. January 2010 · Comments Off on BJ’s Wholesale Club and acquiring bank not liable for third party expenses resulting from the 2004 breach · Categories: Breaches, Legal

In mid-December, the Massachusetts Supreme Court affirmed the earlier dismissal of the case against BJ's Wholesale Club and its acquiring bank filed by credit card issuing credit unions and their insurance company for expenses incurred as a result of BJ's 2004 breach. Articles here, here, and here review the details.

The key to the dismissal of the lawsuit was the clause in the contract between BJ's and Fifth Third Bank, BJ's acquiring bank, which said, "This agreement is for the benefit of, and may be enforced only by, (Fifth Third) and (BJ's) … and is not for the benefit of, and may not be enforced by, any third party."

The court is saying that two parties (merchant and acquiring bank) to an agreement which the court well understands to be part of an overall process (credit card transactions) involving two other specific third parties (credit card issuing banks and their customers, the credit card holders) can simply agree that the benefit of their agreement does not extend to those two third parties.

The opinion goes on to say (page 17) that the plaintiffs could have filed claims against Visa and MasterCard. The implication is that they did not. Why not? Perhaps the issuing banks were concerned that Visa and MasterCard would revoke their contracts to issue credit cards, a far greater loss of fees than the expenses they incurred as a result of the breach.

Or perhaps there is an understanding by issuing banks that in the case of a breach at a merchant, they are liable for their own breach-related expenses. In fact, CUMIS Insurance Society, a plaintiff in the lawsuit, insured these credit unions against losses due to fraudulent transactions.

Clearly these issuing banks bought insurance because they understood their risk and shifted it to the insurance company. Unfortunately for them, they only insured against fraudulent transactions, not the replacement of cards of customers whose credit card information was breached.

Furthermore, page 23 of the opinion states, "they [plaintiffs] continue to participate as issuers in the Visa and MasterCard system and to rely on the regulations [Visa's and MasterCard's] because the system is 99.94 per cent effective." And of course, they buy insurance to cover fraudulent transactions.

In summary, it appears that this judgment and the other similar judgments in similar cases make sense because the losses to credit card issuers and insurance companies are just part of the cost of doing business. Of course the banks and credit unions could get out of the credit card business if their losses become too high. Regarding CUMIS, if it feels its losses are too high, it can either raise its rates or exit the fraudulent credit card transaction insurance market. The bottom line is that the system is working.

28. December 2009 · Comments Off on Heartland pays AmEx $3.6 million for 2008 breach · Categories: Breaches, Legal

Let the payments begin. Heartland Payment Systems settled the lawsuit brought by American Express over Heartland's 2008 breach of 130 million credit cards (which I wrote about here) for $3.6 million. There are still many more lawsuits outstanding, including those from Visa and MasterCard, which no doubt represent the majority of the credit cards stolen.

The article quotes Heartland CEO, Bob Carr, as saying that Heartland "has set aside $12.6 million to charges related to the hack." I find this number to be a gross underestimation considering that TJX believes its breach will cost $250 million as reported here, here, and here.