In the midst of the global recession, I found the RSA 2009 Conference to be a big snooze. Not much was new and the show lacked focus.
I doubt whether this year’s conference will be as lethargic. Security spending is on the rise and new regulations around data protection and breach notification are making their way through congress. With this as background, I believe the hot topics at this year’s conference will include:
The RSA Conference is a tale of two cities. Half of the people there are talking and learning about real security problems and strategies while the other half yacks about products. I’m hoping that my time is spent on the former.
Tags: cloud security, Cybersecurity, data security, endpoint security, identity management, network security Posted in Uncategorized | 1 Comment »
According to the website datalossdb.org, there were a total of 436 publicly-disclosed breaches in 2009, down from the disastrous 717 in 2008. Does this decrease represent real improvement? No — simply the luck of the draw. It wouldn’t surprise me a bit if 2010 was a banner year for data breaches. Heck, we are only 4 days in and there have already been two reported breaches — one at Larch County Correction Center (OR) and one at the TSA here in Boston.
While I’m afraid 2010 may be an especially bleak year for cybersecurity, there is a bit of good news with regard to data breach legislation.
First, there is significant momentum for this issue on Capitol Hill. In December, HR 2221, the Data Accountability and Trust Act (i.e. the DATA Act) passed a House vote. Of course, the Senate is working on its own similar legislation — S.1490, the Personal Data Privacy and Security Act (sponsored by Senator Leahy D-VT) and its companion bill, S.139, the Data Breach Notification Act (sponsored by Senator Feinstein D-CA). The two bodies of Congress have to somehow merge these bills into some cohesive body of legislation but I do expect this to happen by the summer.
Data breach legislation is by no means limited to the United States. The EU is contemplating new legislation that would cover all member countries. Canada recently passed tougher criminal penalties for identity theft. The UK passed the UK Data Protection Act and recently backed up this legislation with guidelines for businesses and the public.
While these federal laws come to fruition, my home state of Massachusetts will finally enforce the most stringent data breach notification laws to data, MA 201 CMR17. Yes, this legislation has been delayed several times and watered down a bit, but it is still a milestone.
So what does all this mean?
As for security breaches themselves, all of this legislation will be fairly ineffective in the short term — there are simply too many vulnerabilities and threats at this point. Nevertheless, more attention to data privacy and security is a welcome change since we’ve given these issues little more than lip service in the past. As long as we view legislation as progress and not a data security panacea, it can only help.
Tags: Cybersecurity, data security, Federal Government, HR 2221, MC 201 CMR17, S.139, S.1490 Posted in Uncategorized | 2 Comments »
Confidential data (i.e. regulated data, private data, company confidential data, PII, etc.) is everywhere — on laptops, thumb drives, file servers, and enterprise storage devices. This also means that confidential data is at risk everywhere. In other words, my organization could suffer a data breach as a result of a stolen laptop, external hacking exploit, or lost box of backup tapes.
This represents an overwhelming situation for IT and security professionals. How can you possibly safeguard data when it is literally everywhere inside and outside of the enterprise?
There may be a glimmer of hope. ESG Research indicates that confidential data is most at risk based upon three factors:
1. Volume. If lots of people have access to confidential data it is more at risk than if only a few can see it. Likewise, if there are many copies of a file containing confidential data, it is more at risk than if it is on a single common file.
2. Mobility. The more mobile the confidential data, the higher the risk of a confidential data breach. There are few examples of lost tapes in the data center but many data breaches related to lost tapes in transit.
3. Proximity to IT. Ten terabytes of confidential data stored in the data center is safer than a 1MB file on mobile laptops. In other words, the more IT oversight, the less risk.
These three risk factors can be a useful guide for security countermeasures. High volume, mobile data must be surrounded by security safeguards in the form of user training, data security, and behavior monitoring. Authentication and entitlement management is also part of the solution.
At ESG, we created the “outside-in” security model where risk grows as a function of distance from the data center. It proposes different processes, training, and security technologies for 5 different security zones. The paper is available on the ESG website. I hope it helps to bring some order to the pervasive state of data security chaos.
Tags: authentication, data security, entitlement management Posted in Uncategorized | No Comments »
In January 2008, the Office of Management and Budget (OMB) instituted a security initiative called the Federal Desktop Core Configuration or FDCC. FDCC is comprised of about 300 settings on Windows PCs. The objective is to create a standard federal desktop configuration that eases operations and improves security. All Federal agencies were required to implement FDCC settings by February 4, 2008.
Fast forward to October 2009. The Washington Post breaks a story on a pending investigation of 30 lawmakers by the House Ethics Committee. Information about the Committee probe was inadvertently leaked from a Junior staffer’s PC via peer-to-peer file sharing software (ex. BitTorrent). Someone anonymously accessed the file and then forwarded it to the Post.
These two events illustrate part of the complex problem we face with data security. The feds went out of their way to define a Windows configuration that was “secure by default,” yet a Junior staffer was able to either access a confidential file from an insecure computer or install peer-to-peer software on an FDCC-compliant system.
At a high level, here are some of the problems associated with this episode as well as potential ways to address them.
1. Data classification. The confidential file that leaked may not have been properly classified as such. This is a very common occurrence — employees have no idea that the data on their PCs may be private or regulated so they treat confidential documents the same as photographs, music, and other documents.
Possible solution. Improved data discovery and classification. Extensive and continuous user training. DLP/eRM software. Data encryption.
2. PC administration. While FDCC provides secure PC provisioning, users may be able to download and install vulnerable software and thus open doors to the outside world.
Possible solution. Lock down configurations and avoid giving users administrator privileges. Log changes to PC configurations and generate alerts when rogue software is installed. Create and enforce an application white list. Educate users.
3. Data leakage. The Junior analyst may have wanted to work at home so she innocently saved a confidential file on a portable storage device and then installed it on an insecure system.
Possible solution. Port controls, restricted use of portable media (i.e., authorized encrypted devices only), DLP/eRM software, user training.
I have no idea whether the Junior staffer in question had an FDCC-approved PC configuration but in this case it doesn’t matter. The leak was a combination of poor PC administration, a lack of specific data security controls, and either non-existent or incomplete user training.
This is a great example of the old saying that security is a process and not a product. The FDCC is a great start but it needs to be surrounded by a culture of secure IT administration and regular user training. Without these other changes, we should not be surprised with the continuous epidemic of data breaches.
Tags: Cybersecurity, data security, FDCC, Federal Government, Peer-to-peer software Posted in Uncategorized | No Comments »
Your email:
