<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; Marty Schmidt</title>
	<atom:link href="http://www.cybersecurityinformation.com/author/marty-schmidt/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Fri, 27 Aug 2010 13:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>How Rootkits Are Threatening Smartphone Security</title>
		<link>http://www.cybersecurityinformation.com/2010/03/17/security-threats-for-cell-phone-users/</link>
		<comments>http://www.cybersecurityinformation.com/2010/03/17/security-threats-for-cell-phone-users/#comments</comments>
		<pubDate>Wed, 17 Mar 2010 14:33:33 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Featured Videos]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=849</guid>
		<description><![CDATA[Think your cell phone conversations are secure?  Think again&#8230; computer scientists at Rutgers University have shown how a familiar type of personal computer security threat can now attack new generations of smart mobile phones,]]></description>
			<content:encoded><![CDATA[<p>Think your cell phone conversations are secure?  Think again&#8230; computer scientists at Rutgers University have shown how a familiar type of personal computer security threat can now attack new generations of smart mobile phones,</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="350" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
<param name="src" value="http://www.youtube.com/v/UZgf32wVTd4" /><embed type="application/x-shockwave-flash" width="425" height="350" src="http://www.youtube.com/v/UZgf32wVTd4"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/03/17/security-threats-for-cell-phone-users/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google and NSA an Unlikely Duo</title>
		<link>http://www.cybersecurityinformation.com/2010/02/20/google-nsa-unlikely-duo/</link>
		<comments>http://www.cybersecurityinformation.com/2010/02/20/google-nsa-unlikely-duo/#comments</comments>
		<pubDate>Sun, 21 Feb 2010 02:50:12 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Featured Videos]]></category>
		<category><![CDATA[cyber threat risk mitigation]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[information compromise]]></category>
		<category><![CDATA[information security risk management]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=820</guid>
		<description><![CDATA[According to the Associated Press the National Security Agency and Google are reportedly teaming up in an effort to combat cyber attacks.]]></description>
			<content:encoded><![CDATA[<p>According to the Associated Press the National Security Agency and Google are reportedly teaming up in an effort to combat cyber attacks.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="425" height="350" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0">
<param name="src" value="http://www.youtube.com/v/5WiD4NAsmow" /><embed type="application/x-shockwave-flash" width="425" height="350" src="http://www.youtube.com/v/5WiD4NAsmow"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/02/20/google-nsa-unlikely-duo/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Personal Data &amp; Information Privacy Compromised by Technology</title>
		<link>http://www.cybersecurityinformation.com/2009/12/08/personal-data-information-privacy-compromised-technology/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/08/personal-data-information-privacy-compromised-technology/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 14:53:43 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[information compromise]]></category>
		<category><![CDATA[information privacy]]></category>
		<category><![CDATA[personal data security]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=719</guid>
		<description><![CDATA[A recent trip got me thinking about technology and the ramifications it imposes on data privacy, our safety and our lives. The thought started as I watched in amazement as each passenger on my flight readily handed over his or her credit card to purchase a snack. Many didn’t need it, certainly not the person [...]]]></description>
			<content:encoded><![CDATA[<p>A recent trip got me thinking about technology and the ramifications it imposes on data privacy, our safety and our lives.</p>
<p>The thought started as I watched in amazement as each passenger on my flight readily handed over his or her credit card to purchase a snack. Many didn’t need it, certainly not the person next to me, but that’s off the point. Those who tried to pay in greenbacks were told the airline does not accept cash.</p>
<p>Does this trouble you? It does me, on many levels.  Forget for a moment the technical aspects and the information security of credit card data.  What is happening to data privacy, and what does it ultimately mean?  Does the average person think about privacy as they readily hand over their cards?</p>
<p>You may answer, “I have nothing to hide,” and that&#8217;s great, but do you know what fingerprints you are leaving, where, and how they might ultimately be used against you without your permission and/or knowledge? What other items exist in our lives that intrude on our privacy, and how might they be utilized to create the ultimate compromise?</p>
<p>In my mind privacy clearly has been compromised by technology.  That compromise is ultimately leading to our collective demise.</p>
<p>As individuals we profess to love our freedom even as it slowly sails out of sight.  At what point do we reach what author Malcolm Gladwell refers to as “The Tipping Point”, and how might that affect your life?  Putting my Information Defense hat back on, what unforeseen event(s) might occur as information continues to be collected at alarming rates and is used for ill will?</p>
<p>Clearly fraud has been around since the beginning of time.  The manner in which it is perpetrated continues to morph and information technology has been a great enabler.  Misuse by officials, unintended mistakes, or deliberate actions might damage our lives irreparably.</p>
<p>Every step we take on a journey is tracked. A simple vacation or business trip may lead to hundreds of data points collected about you including locations, photographs, purchases, meals, beverages, conversations, entertainment sources, etc.  The more technology expands the less that goes untracked and the less privacy we have.</p>
<p>What I am concerned about is how your person might be compromised.  What about your business and its assets, or your clients?</p>
<p>I’d like to pose more questions, but I’ve got to run: my airline carrier just emailed me with new offers, knowing I have returned home from my recent trip.</p>
<p>Find out how to Prepare, Prevent and Respond, <a href="http://www.cybersecurityinformation.com/contact-us/">contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/08/personal-data-information-privacy-compromised-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Controlling Risk to Information Assets &#8211; Cyber &amp; Data Security in the Workplace</title>
		<link>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 21:53:14 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[information assets]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=708</guid>
		<description><![CDATA[Is information security an afterthought in your business?  At what point is security considered? Now being a technologist you might answer that it is at the forefront of your activities and that’s great but for the business people at what point does it enter the business discussion?  Chances are it doesn’t. The reason I raise [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Is information security an afterthought in your business?  At what point is security considered? </strong></p>
<p>Now being a technologist you might answer that it is at the forefront of your activities and that’s great but for the business people at what point does it enter the business discussion?  Chances are it doesn’t.</p>
<p>The reason I raise the question is simple.  Effective security should be core to business operations and culture: not a bolt-on application or a retrofit, but part of the business process itself.  I think it is in our human nature to look at the upside when discussing anything new, whether a business opportunity, investment, or other venture.  Far too often we forget the downside, perhaps choosing to ignore it, and without consideration we create situations that are emotionally charged and highly reactive when the unforeseen arises.</p>
<p>The same is true for information security.  While organizations and business leaders seek the advantages of implementing technology-based solutions to create competitive advantage, the downside and potential risks associated with exposing electronic forms of critical business assets are generally not given appropriate consideration.  <strong><em>Without consideration the threat of electronic asset theft is left unmitigated</em></strong> and the cost of such an event never considered.</p>
<p>Too often information security is seen as a purely technical function that adapts to the needs of the business.  However, such an approach leaves huge gaps in business process and procedure for which technology is not an effective stopgap.  Without clearly architected and documented business processes, and technology solutions that support those processes, technology has no hope of keeping a check on unwanted activity.</p>
<p>We see repeated disconnects in organizations that have suffered information compromise, are seeking to become compliant, or are generally looking to improve their overall security posture.  Information security is not effective when it operates as a disconnected organization that builds perimeters of firewalls, intrusion detection systems, and log analysis devices and jumps to the call of some alarm.  Too often a broken process is a root cause that reactive security measures will never stop, and a security breach goes unnoticed for months or longer.  Once the breach is identified, the organization&#8217;s approach to it is emotionally charged and highly reactive.  The lack of preparation can cost the affected organization dearly in brand degradation, cleanup costs, loss of customers, and legal proceedings.</p>
<p>Effective information security programs are tightly integrated into the businesses they serve across people, process and technology.  Highly effective, high profile organizations get this.  You can see it in the manner in which the organizations themselves are structured, and in how new ideas are discussed, vetted, and implemented.  Sound risk management principles prevail in the organizations that get it.</p>
<p>A highly integrated approach applies business-centric risk management principles that evaluate risk, identify compensating controls, and implement the appropriate structures to prepare, prevent and respond, protecting sensitive business assets from information compromise.</p>
<p>A well-constructed <a href="http://www.cybersecurityinformation.com/information-security-model/">information security program</a> should bridge the gap between business operations and its processes, to standards based security measures such as those developed by NIST, SANS, ISO or others.</p>
<p>To find out how your <a href="http://www.cybersecurityinformation.com/contact-us/">information security programs measure up contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/01/controlling-risk-to-information-assets-cyber-data-security-workplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government IT &amp; Cyber Security Compliance &amp; Regulation Not Enough &#8211; The Case for Effective Risk Management</title>
		<link>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/</link>
		<comments>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/#comments</comments>
		<pubDate>Mon, 23 Nov 2009 14:12:49 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber security compliance]]></category>
		<category><![CDATA[cyber security regulation]]></category>
		<category><![CDATA[information security risk management]]></category>
		<category><![CDATA[it & cyber security risk management]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=638</guid>
		<description><![CDATA[Balancing Government compliance, regulation and security initiatives while helping define and drive your priorities and timelines to manage what can be enormous investments &#8211; risk management practices and principles supporting today’s information rich, connected, online present organizations. I am amazed at the number of organizations that continue to take either a lax, or too narrow [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Balancing Government compliance, regulation and security initiatives while helping define and drive your priorities and timelines to manage what can be enormous investments &#8211; risk management practices and principles supporting today’s information rich, connected, online present organizations. </strong></p>
<p>I am amazed at the number of organizations that continue to take either a lax or too narrow an approach to protecting information assets.  I am certain that those of our legislators who understand the threats against our corporate assets and the individual’s identity would agree.  Just look at some of the regulations that currently exist: Sarbanes-Oxley, <a href="http://www.cybersecurityinformation.com/2009/09/22/managing-your-pci-audit-part-1/">PCI</a> DSS, <a href="http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/">Red Flags Rule</a>, <a href="http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/">HIPAA</a>, GLBA, and you will begin to get where I’m going.  Throw in the regulatory bodies FTC, SEC, FFIEC, and so on.</p>
<p>There are armies of resources now and a growing appetite for more legislation and governing bodies.  This is purely reactionary and misguided when it comes to securing information assets.  What is really missing from the equation is focus by the companies themselves, who hold the intellectual property, sensitive consumer information, or infrastructure of national concern.</p>
<p>In general, executive leadership does not understand the real and growing threats that their businesses face.  There are literally thousands of attempts against their organization’s assets on a daily basis, from internal hackers and from sophisticated external organized crime and espionage groups.  Still, none of this is on the average executive’s radar screen.  Too often the media, when they do speak on the topic, don’t get it right, as they are going for the sensational as opposed to the facts.  We need to focus on the facts, as this is not a Sci-Fi drama; it’s the real world.</p>
<p>Perhaps the government has gotten the attention of corporations in the only way it believes it can: through regulation.  However, regulators don’t always do their job, so various frauds and thefts of identity, healthcare, credit, and other information continue to grow.  In large part the regulation has pressed companies to focus on passing audits rather than securing information assets.  The two require markedly different approaches and levels of commitment.  A compliant organization is not necessarily a secure one.</p>
<p>So when do most corporate leaders, principals, partners and other executives focus on information security?  The all too often answer is: after the compromise.  The approach then is an ad hoc, reactionary, and ill-focused response to an information compromise.  The loss has occurred, the organization was not prepared, preventive measures failed, the compromise was not detected for an extended period of time, and now chances are there is little opportunity to fully recover at any cost.  Information security breaches can cost an organization millions, and high-profile public cases can run into the hundreds of millions of dollars.</p>
<p>Information Defense is often called in on incident response and forensic investigations, many times long after the breach has occurred.  We have seen “compliant” organizations suffer significant information losses.  Again I want to stress that securing information assets and being compliant are not one and the same. Piecing together the facts in an investigation where a theft has occurred is a difficult, costly and lengthy process.  Results are highly dependent on evidence that may no longer exist and is outside the control of the incident response and forensics team.  While comprehensive information security programs across people, process, and technology often form the basis for solid compliance solutions, the converse is not true.</p>
<p>While security awareness can often arise from comprehensive steps taken to become compliant, without understanding at the most senior levels, and a corporate mandate accompanied by the resources to drive the necessary steps for information security, the organization will be largely unsuccessful.</p>
<p>Engaging expert external resources such as Information Defense can bring critical, comprehensive experience and balance to the organization.  Experts can help balance compliance and security initiatives while helping define and drive priorities and timelines to manage what can be enormous investments.  Often outside resources can assist in engaging the executive team for sponsorship and drive home the importance of following strong risk management practices and principles to support today’s information rich, connected, online present organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/11/23/government-it-cyber-security-compliance-regulation-not-enough-the-case-for-effective-risk-managment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Preparing for the FACTA Red Flags Rule</title>
		<link>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/</link>
		<comments>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 20:16:05 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[PCI Compliance]]></category>
		<category><![CDATA[Red Flags Rule]]></category>
		<category><![CDATA[Red Flags Rule Assistance]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=496</guid>
		<description><![CDATA[Perhaps you have heard about new regulations that the Federal Trade Commission (FTC) has proposed for some time now called the Red Flags Rule.  The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA).  As of this writing the mandate will be enforced beginning November 1, 2009. FACTA added [...]]]></description>
			<content:encoded><![CDATA[<p>Perhaps you have heard about new regulations that the Federal Trade Commission (FTC) has proposed for some time now called the Red Flags Rule.  The Red Flags Rule stems from The Fair and Accurate Credit Transaction Act of 2003 (FACTA).  As of this writing the mandate will be enforced beginning November 1, 2009.</p>
<p>FACTA added sections to the Federal Fair Credit Reporting Act intended primarily to help consumers fight the growing crime of identity theft.  In adopting FACTA, Congress recognized that consumers were unable to prevent identity theft and could only react long after the event had occurred.  In order to stop the fraud at its source businesses that offer credit need to address the events that signal a potential fraud.</p>
<p>Six agencies were involved in drafting the red flag rules: the Treasury Department&#8217;s Office of Thrift Supervision, Office of the Comptroller of the Currency, Federal Deposit Insurance Corp., Federal Trade Commission, National Credit Union Administration and the Federal Reserve System. The Red Flags Rule identifies 26 “Red Flags” which may be indicators of attempted fraud.</p>
<p>According to FTC statistics nearly 10 million people were victims of identity theft in 2008 in the US.   In the broadest sense identity theft is the act of someone assuming the identity of another individual to gain access to the victim’s personal resources.  Last year over 35 million known data records containing sensitive personally identifiable information (PII) were stolen.</p>
<p>While some perpetrators know their victims, having stolen their wallets, credit cards, checkbooks or other personal items, the vast majority of perpetrators do not.  Identity theft comes in many forms and most victims learn their fate long after the initial event occurs, often months to years after the fact.</p>
<p>Most data theft is primarily due to poor controls surrounding PII.  This can range from sensitive records being thrown in dumpsters to electronic records being improperly secured online and breached by hackers.</p>
<p>Personal resources accessed by data thieves may include use of credit cards, establishment of credit under the victim’s identity, access to utilities, healthcare benefits, banking, employment, loans, government benefits, and many other acts limited only by the imagination of the perpetrator.  The common element is the use of the defrauded individual’s persona to gain credit or access to established resources.</p>
<p>The Red Flags Rule applies to both financial institutions and creditors.   The definition of “creditor” is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later.  These companies may not traditionally be thought of as extending credit and include utility companies, health care providers, telecommunications companies, cable and satellite providers, and others, depending on how and when they collect payment for their services.</p>
<p>The Rule also defines a “creditor” as one who regularly grants loans, arranges for loans or the extension of credit, or makes credit decisions. Examples include finance companies, mortgage brokers, real estate agents, automobile dealers, and retailers that offer financing or help consumers get financing from others by processing credit applications.  Additionally, the definition includes anyone who regularly participates in the decision to extend, renew, or continue credit, including setting the terms of credit – for example, a third-party debt collector who regularly renegotiates the terms of a debt.</p>
<p>Organizations that are covered under the Red Flags Rule must create written plans, reviewed and signed off by the organization’s board of directors, that:</p>
<ul>
<li>Create Policies and Procedures that Identify Red Flags Which Pertain to their Business</li>
<li>Create Policies and Procedures that Detect the Identified Red Flags</li>
<li>Create Policies and Procedures that define the Actions to be taken when Red Flags are Detected</li>
<li>Monitor changing Red Flags, Train Employees and Monitor 3rd party contractors</li>
</ul>
<p>An appropriately designed and managed plan depending on the business may require considerable skill and effort.  Most organizations will do well to reach out to experts in designing their programs.  Is your organization subject to the Red Flags Rule?</p>
<p>Information Defense is prepared to assist in evaluating whether your organization is subject to the FTC ruling and assist in defining and developing the necessary steps to reach compliance.  Contact us <strong><a href="http://www.cybersecurityinformation.com/contact-us/">here</a></strong> for further information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/10/07/preparing-for-the-red-flags-rule/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Your Employees Know About Your Business</title>
		<link>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/</link>
		<comments>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 23:58:44 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Credit Card Data]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[perimeter security]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=422</guid>
		<description><![CDATA[What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors. What your employees know about your business may be of strategic value and provide [...]]]></description>
			<content:encoded><![CDATA[<p>What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors.</p>
<p>What your employees know about your business may be of strategic value and provide that competitive edge.  It may be the special sauce that took the company years to develop and it may walk out the door prior to any exit interview or tender of resignation.</p>
<p>Recent surveys, media reports, prosecutions, and our investigations show an alarming number of ex-employees stealing company data, including when changing jobs.  Compromised data may include customer lists, contact information, know-how, and other forms of intellectual property.  The majority do so in order to benefit from some financial arrangement or to assist with a new job.  A recent theft of a proprietary trading platform at a major Wall Street financial institution is under investigation.  The platform enabled the firm to generate millions in trading profits each year.</p>
<p>There is a growing, pervasive sense of entitlement to works for hire.  Access to computers and technology without appropriate controls makes such theft inviting and simple for those inclined.  How these thefts occur and remain undetected for extended periods of time has much more to do with the lax protective measures in place within the organization than with the skills of the perpetrator.</p>
<p>In our investigative experience we have seen far too many cases where there is employee theft, limited binding agreements, no procedural or technical controls or measures, and far too much blind faith and trust extended to those who are not trustworthy.</p>
<p>Forgive me if my experiences make me appear cynical, but I have seen thieves rob charities, business owners’ life’s work compromised by overzealous employees, and organizations hobbled and made vulnerable by employees gone bad.</p>
<p>Too often the lack of detective measures, extended periods before suspicion and investigation, further compounded by the lack of protocol in disengaging employees, compromises critical evidence.  Lacking substantive evidence, it is increasingly complex and costly for the organization to pursue justice in what may otherwise have been a clearly defined case.</p>
<p>Organizations must take comprehensive controls and measures seriously to avoid a potentially devastating event precipitated by an individual to whom the organization has extended its trust.  This starts with the appropriate legal, technical, and procedural controls from engagement through discharge.  Employer beware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Engineering Exploits Delivered Via Telephone</title>
		<link>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 02:28:59 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[online fraud]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=313</guid>
		<description><![CDATA[Most individuals who use a computer have received erroneous emails claiming they have won some prize, need to verify online banking credentials, are being contacted to accept funds from some far away estate that has no rightful owner, or some other elaborate story.  The list goes on.   The email based scams are referred to as [...]]]></description>
<content:encoded><![CDATA[<p>Most individuals who use a computer have received fraudulent emails claiming they have won some prize, need to verify online banking credentials, are being contacted to accept funds from some far away estate that has no rightful owner, or some other elaborate story.  The list goes on.   These email based scams are referred to as phishing attacks.  They are carried out by criminals looking to harvest sensitive information from unsuspecting individuals who fall for the story.</p>
<p>Similar scams are being perpetrated via the telephone and are called vishing (voice phishing) attacks.  These scams are aimed at getting individuals to give up sensitive information such as credit card data, banking credentials or other sensitive information.    Many individuals have come to accept caller id (the calling number and name the phone network passes along with the call, often loosely referred to as ANI, although ANI is strictly the separate number identification the carriers use for billing) as verification of who is calling.   Scammers know this and are using the ability to manipulate caller id information to defraud unsuspecting individuals.</p>
<p>Anyone can manipulate caller id information, commonly called caller id or ANI spoofing, and it&#8217;s as simple as purchasing an online service.  These services let the caller change the number displayed on the recipient&#8217;s caller id, alter the voice from male to female or the reverse, and record everything that was said.   A tool like this may be fun for the average prankster but could be costly to those exposed to a criminal intent on defrauding individuals.  Here&#8217;s how a typical scam might work.</p>
<p>An organized crime group sets up its own server to manipulate the caller id it presents.  The group takes a predetermined list of phone numbers and dials them en masse with an automated dialer (the term war dialing is often borrowed for this, although strictly it means scanning a range of numbers to find modems).  As the call rings on the receiving end the caller id displays the name of the &#8216;institution&#8217; the caller pretends to be.   A recorded message indicates that the recipient has a problem with an account and must dial a particular phone number to resolve the issue.  When the recipient calls that number they are prompted by an automated voice system to enter sensitive information, such as banking info, credit card data, address, social security number and more.  What the unsuspecting individual has not realized is that the call was a scam and they have just given a thief access to a credit card or online bank account, or worse, provided enough information to become the victim of identity theft.</p>
<p>Since the beginning of time there have been frauds, and today this behavior remains.  What has changed are the methods by which a criminal can defraud the unsuspecting individual or institution.   Technology has been a catalyst in enabling many ongoing exploits.   To protect yourself, follow a few simple rules that you normally follow in everyday life.</p>
<blockquote>
<ul>
<li>Know who you are dealing with.  Just because the phone says Bank of Your Choice don&#8217;t assume it is.  If a caller claims to be your bank, hang up and call back using the number printed on your card or statement, never a number the caller gives you.</li>
<li>Your bank already knows who you are, so for an inbound caller claiming to be the bank to ask you for sensitive information such as a social security number is a big red flag.  If it really is your institution and they use such information to validate who you are, get a new banker.</li>
<li>Be on guard: if it sounds too good to be true, it is.</li>
</ul>
</blockquote>
<p>Know now that there are scammers launching social engineering attacks via vishing scams.  Be wary of what your caller id tells you.  If you find you cannot resist believing that little display, put a piece of duct tape over it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government Reports Computer Spies Breach Fighter Jet Project</title>
		<link>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 04:33:16 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=170</guid>
<description><![CDATA[According to the Wall Street Journal&#8217;s  Siobhan Gorman, August Cole, and Yochi Dreazen,  computer spies have broken into the Pentagon&#8217;s $300 billion Joint Strike Fighter project.   This is the  Defense Department&#8217;s costliest weapons program ever, how can this be?  Tell me it&#8217;s not true. Was 9/11 not enough of a wake up call?  The events [...]]]></description>
<content:encoded><![CDATA[<p>According to the Wall Street Journal&#8217;s Siobhan Gorman, August Cole, and Yochi Dreazen, computer spies have broken into the Pentagon&#8217;s $300 billion Joint Strike Fighter project.   This is the Defense Department&#8217;s costliest weapons program ever, how can this be?  Tell me it&#8217;s not true.</p>
<p>Was 9/11 not enough of a wake up call?  The events of that day cast doubt on the US government&#8217;s ability to protect its people.   Now we must question whether the government can protect the military secrets that enable our patriots to defend this country.    The worst part of all of this is that the cyber spies have apparently been stealing secrets for well over a year undetected.</p>
<p>Information Defense sees this type of activity all of the time within corporate entities that have been compromised and need our help.    The organizations are certain they have the greatest tools in place and that they are covered.  They find out after the fact that they were not; this is perhaps somehow forgivable.</p>
<p>The Pentagon however must do a better job; these are supposed to be the best and brightest that protect these secrets.  I now truly realize how naive I am.  There is no room for being asleep at the wheel or incompetence when it comes to national security.  We must do better and address responsibility and accountability.</p>
<p>To say that since the data was encrypted they could not determine what was accessed is ridiculous.   The reason no one can say what was accessed or when is a lack of oversight and controls.  This is not an overly complex methodology I am talking about.  It&#8217;s more common sense than techno sense.  How is it that critical information flying out the back door is not important enough to be detected?   To say that differing security standards among the contracted vendors that work on these projects is how the compromise occurred is not an excuse I am willing to accept.   Who allowed those differing standards to exist without verifying their viability in protecting sensitive US secrets?</p>
<p>Our legislators are ready to have a cyber czar tell US corporations what they must do to protect their information assets or face the consequences.   Who must we hold accountable for the lack of performance in these breaches?</p>
<p>I am certain we will soon hear the next brilliant idea from the next want-to-be-in-the-limelight politician.  Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybersecurity Rules for Private Networks Proposed</title>
		<link>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/#comments</comments>
		<pubDate>Sun, 05 Apr 2009 00:10:31 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=25</guid>
<description><![CDATA[According to the Washington Post and reporters Joby Warrick and Walter Pincus “Senate Legislation Would Federalize Cybersecurity, April 1, 2009” there is a new Senate Bill which proposes mandatory security standards for private industry.  The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted [...]]]></description>
<content:encoded><![CDATA[<p>According to the Washington Post and reporters Joby Warrick and Walter Pincus <a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html" target="_blank">“Senate Legislation Would Federalize Cybersecurity, April 1, 2009”</a> there is a new Senate Bill which proposes mandatory security standards for private industry.  The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input.</p>
<p>It is my opinion that this is nothing more than window dressing and a platform for more big government and politicians to be politicians. Government networks are compromised on an ongoing basis, and now we need the government to tell private industry how to protect themselves?  I find that interesting at best.</p>
<p>The bill proposes a cyber czar to set compliance standards and monitor performance.  Let&#8217;s get real, compliance and security are two different things.  How many PCI compliant or HIPAA compliant organizations have been compromised and lost consumer credit card info, social security numbers and other sensitive information?  The answer is far too many!   It does not matter that you were compliant when you have lost a million or more credit card numbers, social security numbers, or company specific proprietary data.</p>
<p>Unless there is a change in corporate culture and a genuine and informed approach to protecting critical data, theft of information, compromise of infrastructure and other malicious activity will continue.  Yes, I agree wholeheartedly that cybersecurity is a major issue, but it&#8217;s not all about technology.  When the CEO looks to his Chief Information Security Officer and says &#8216;we&#8217;re covered, right?&#8217; while HR is hiring criminals, or employees in financial trouble view theft of company data as a solution, the answer is: not a chance!</p>
<p>While the sponsors of the bill talk about power being knocked out or traffic lights not working due to malicious activity, that is trivial compared to what could really happen.  The largest potential threat is data poisoning. I can assure you that a monetary system compromise poses a significantly greater risk than compromise of utilities. Compromise or poisoning of monetary transactions could certainly have global impacts, especially if we consider that most compromises are not detected when they occur but rather months later.</p>
<p>If our power is compromised we know it soon after because THE LIGHTS ARE OUT. Compromised financial transactions are not as readily detectable and could take months before being recognized.  The SEC has enough problems identifying white collar criminals and bogus transactions.  What if there were deliberate acts of data poisoning within the world&#8217;s monetary systems? How long might that take to identify, and how would the issues be reconciled?</p>
<p>Having said all this, you tell me where the real threat is.  Establishing more compliance regulations only creates more misunderstanding.  Information security starts with culture, and you cannot regulate that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
