Tom Olzak

Posts Tagged ‘PII’

Yes, sensitive data on QA and Development servers is still sensitive

In Access Controls, Business Continuity, Data Security, Network Security, Security Management on August 18, 2009 at 11:48

Any organization with an effective software development lifecycle (SDLC) builds QA and development environments to test new or upgraded systems.  Testing, either unit (developer) or user acceptance (UAT), requires data available to the application which looks very close to production data, including construction of all data dependencies.  The fastest way to make this happen is to copy production data into the test and development databases.  However, perception of the sensitivity of data in these non-production environments is often… well… wrong.

I like to practice data-centric security.  This means security controls are about protecting sensitive data and access by critical systems to that data.  So if someone moves a customer database, for example, to a development server the data should be protected with the same controls used to protect it in production.  Organizations often use a system-centric approach to security, assuming that servers, workstations and data not in the production environment don’t require the same level of trustworthiness.

Research commissioned by enterprise applications vendor Micro Focus and carried out by the Ponemon Institute surveyed 1,350 application development staff at UK and US firms with turnover between $10m (£6.1m) and $20bn-plus.

The past 12 months have seen data breaches at 79 per cent of respondents, with the same amount using live production data in application development and testing. But just 30 per cent of firms mask this data during the process.

Application testing takes place on at least a weekly basis at 64 per cent of companies, with 90 per cent claiming it happens once a month or more. A mere seven per cent of respondents said data protection procedures were more rigorous during development and testing than during normal production.

Source: Lax data masking hits four in five firms, Sam Trendall, CRN, 18 August 2009

Granted, the purpose of the study was ostensibly to promote a data masking solution.  But it demonstrates the need for better focus on non-production data stores.  In other words, data in QA and development systems must be managed with the same rigor as that residing in production.  And if extending security controls to these systems is not feasible, then data masking is necessary.

Help for the Clueless

In Data Security, Email, Mobile Device Security, Network Security, Risk Management, Uncategorized on July 15, 2009 at 08:06

For the past four years, I haven’t connected to any public hotspot unless I was using a service which encrypts my session over the local network unless I was doing someone not even remotely important online.  I did this—and continue to do so—because it’s been common knowledge for at least long that connecting to public wireless is like posting your personal information on a bulletin board in the parking lot; it’s available to anyone interested in looking.

So why are so many users still connecting to hotel, airport, coffee shop, rogue, and restaurant public wireless networks and sending passwords, PINs, and other sensitive information in the clear?  A few years ago we might have given them the benefit of the doubt.  But today there is enough information available from numerous sources to ensure every computer user has at least heard that public wireless is dangerous.  In my opinion, the problem is they can’t be bothered or they have no clue how to protect themselves.

Evidence of the problem showed up recently in an online article in which the author writes,

“Much of the time, people just log in to the first robust network they see,” says AirTight spokeswoman Della Lowe. “When we did our airport study, we found only 3 percent of the people were using secure networks.” (Wireless Cybercriminals Target Clueless Vacationers, Fox Charlotte, 11 Jul 2009)

As security professionals, we may need to speak a little louder about solutions for this growing—and largely ignored—problem.  Every chance we get we should discuss with our mobile business users, acquaintances, and anyone else who will listen how to protect themselves, including:

  1. Resisting the urge connect to the first hotspot they see without giving it some thought and without protecting their user session
  2. Using HTTPS protected Web mail, such as Gmail
  3. Using online VPN services, such as WiTopia or ShareVPN, both fee-based but inexpensive

Going beyond one-off user solutions, organizations with more than a few mobile users should encourage or force their users to access the Internet via a company-hosted VPN solution, such as SSL VPN.  Under no circumstances should company laptops access the Web via public hotspots unless the sessions are encrypted, at least through the hotspot infrastructure.

Data discovery does not have to be just about security.

In Business Continuity, Data Security, Risk Management on June 30, 2009 at 12:37

Sitting back, looking at his security controls matrix, George felt comfortable with the trustworthiness of systems on which he expects sensitive information to reside.  His database servers are located on segments locked down and monitored by unified threat management (UTM) devices.  The NAS where he expects unstructured data (e.g., Word and Excel files) is encrypted.  Data in motion is also protected, with nothing leaving the boundaries of his network in clear text.  But he has a nagging feeling deep in his gut telling him something is missing.  Then it hits him.  What if users don’t put data where he expects?  Does he already have PII or ePHI stored in risky storage? The worst of it, George realizes, is that he has no tools to help him answer these questions.

George’s situation isn’t unique.  Across the globe security managers working for medium and large organizations are asking themselves these same questions.  The most common barrier to answering them is the absence of an effective data discovery tool.  Most of us have looked at data leakage prevention (DLP) solutions, but the cost is often high.  Further, DLP solutions often provide little value beyond the security controls matrix.  If you’ve done your job and achieved SOX or HIPAA compliance–an assertion verified by external auditors–you may find it hard to get approval for additional dollars for a security-only solution.  But there may be another way.  Why not demonstrate to executive management that the proposed solution will not only solve multiple security problems; it will also address an increasingly painful business challenge—e-discovery.

The DLP products I’ve seen were largely designed for just that, DLP.  E-discovery is typically added as an afterthought due to growing market demand.    However, when I looked at solutions designed specifically for e-discovery I made an interesting discovery; they were not only designed to discover and deal with data at rest.  They also cost much less in most cases.

One of my favorite e-discovery solutions is StoredIQ’s Intelligent eDiscovery module.  The module works without an agent installed on target systems and runs on a network appliance.  Based on the EDRM model, it performs the following tasks (from StoredIQ product Web page):

  • Scanning
    Targeted scanning is available by custodian, path, share, server, modify date, and additional key metadata. Expansive scanning helps prove that any potentially relevant ESI [Electronically Stored Information] was not missed.
  • Identification by content and metadata
    StoredIQ Intelligent eDiscovery provides topology mapping of potentially relevant ESI by sources, key player names, date ranges, keywords and document types.
  • Collection and preservation
    Data objects are copied to central repository, with no alteration of system or object metadata. An audit trail of the copy process is developed that supports chain of custody and authenticity. Original, full-object path, SID and ACL information is properly maintained.
  • Indexing and searching
    StoredIQ Intelligent eDiscovery performs content-level culling by full-text indexing your preserved data collection. Data is culled based on input from legal counsel regarding potentially relevant document sources, key player names, date ranges, keywords, phrases, metadata, classifications, concept tags or document types.
  • Review-ready output
    Users can produce review ready output of native files with Concordance or standards-based XML load files. The product supports all rolling productions, allows subsequent collections to be compared to prior productions, and permits only the new documents to be produced.

By itself, the eDiscovery module can locate files with sensitive information in locations let you know if they present high risk.  With the addition of the vendor’s Information Governance module,

Policies can be defined to associate an appropriate action (such as retain or secure) and apply it to positively identified and classified objects. Policies are symmetrically scaled across the StoredIQ platform to improve performance and scalability. Deep policy auditing at the individual item level is also supported (Information Governance product Web page).

StoredIQ isn’t the only solution which offers this dual functionality.  McAfee, through its acquisition of Reconnex, offers a similar solution.  The McAfee product, however, is more DLP focused.  It’s able to not only find files at rest.  It can also identify sensitive data in motion.  McAfee claims it will integrate the Reconnex functionality into it’s centralized management product, ePolicy Orchestrator, by the end of 2009 or early 2010.

Both of these solutions, however, provide both DLP and e-discovery functionality at some level.  So it might make sense to speak with your legal team before you try to make a case for a data discovery tool.  Consider their e-discovery challenges when building your requirements and business value analysis presentations.  You should be able to spreading the cost across multiple challenges thereby enhancing the value of your solution.  You might also be able to enlist the legal department as an ally.  Altogether you just might have enough to convince the signer of the checks that he or she is making a good business investment, not just incurring another security expense.

Security Risk Extends Beyond Simple Loss of Data

In Business Continuity, Data Security, Government, Insider risk, Mobile Device Security, Network Security, Patching, Risk Management on June 7, 2009 at 14:52

Laptop encryption as a security control has become an expectation rather than an option.  Organizations worried about data breaches and their possible business impact are spending exorbitant percentages of IT budgets to avoid having to tell customers or employees they’ve lost their personal information.  Couple this with regulatory requirements to report certain types of breaches, and laptop encryption becomes as common on mobile systems as Notepad.  But not everyone agrees with this movement to protect laptop data at all costs.

Even the big picture suggests that spending is poorly allocated. “Thieves got 99.9 percent of their data from servers and 0.01 percent from end user systems, but enterprises spend about 50 percent of their security budget on endpoint security,” [Dr. Peter Tippett, founder of ISCA Labs] said. “They should spend more of it on server security.”

“The cause is a problem I call WIBHI, for Wouldn’t It Be Horrible If,” he said.

He added that it explains laptop encryption. He said that we encrypt laptops not because it will protect them better (passwords are good enough for that) but because we don’t have to report a breach if the laptop was encrypted.

Source: Enterprise Security Should Be Better and Cheaper, Alex Goldman,, 6 June 2009

I make a habit of reading as much as possible about actual breaches, and I agree that we may be overdoing it a bit when we put multiple layers of security on devices which are not typically the primary target of attackers.  But I have three questions for Mr. Tippett.  What about botnets?  What about loss of access to critical systems due to malware-caused enterprise network shutdowns?  And what about the impact on a business if the public discovers encryption—a security control they’ve been told must be implemented or a business is negligent—was not used on a lost laptop containing personal information?

Business risk extends beyond a simple breach.  Its scope must include all possible negative impact scenarios which might be caused by weak endpoint security.  Yes, it is all about the data, including its availability and public perception—not necessarily based on a scientific assessment of actual risk—of how well it’s protected.  So until potential victims, potential customers, careless employees, and knee-jerk-driven politicians are removed from the risk formula, we will likely continue to spend more than might be reasonable and appropriate in a perfect world.

System physical security should include mobile device asset management

In Access Controls, HIPAA, Physical Security, Piracy Legislation on May 27, 2009 at 21:43

Some organizations spend a lot of time worrying about administrative (policies) and logical (application and system electronic) access controls without much concern for physical security.  I don’t mean the kind of physical security where you make sure your data center is locked.  I mean the kind of security which allows you to track who has your resources and ensures your organization takes the right steps to quickly mitigate impact.

For example, it doesn’t make much sense to lock the data center when unencrypted, unmanaged mobile devices travel across the country.  The sensitive information stored safely in the data center might as well be in the lobby.  This might seem a basic principle, but many organizations still don’t get it.  Take the US Department of the Interior, for example.  According to a report completed last month by the department’s inspector general, Western Region,

…13 computers were missing and… nearly 20 percent of more than 2,500 computers sampled could not be specifically located.  Compounded by the Department’s lack of computer accountability, its absence of encryption requirements leaves the Department vulnerable to sensitive and personally identifiable information being lost, stolen, or misused.

Source: Evaluation of the Department of the Interior’s Accountability of Desktop and Laptop Computers and their Sensitive Data, U.S. Department of the Interior, Office of the Inspector General, 24 April 2009.

So the IG could verify the loss of 13 unencrypted computers, but about 500 were simply unaccounted for.  The reason? Several of the agencies within the department had no process to track computer inventory.  The following is from a related InternetWorld article:

Despite policies mandated by the Federal Information Systems Management Act and other regulations, including rules that say computers should not be left unattended in plain view and that organizations should establish policies to protect their systems from unauthorized access, the Department of the Interior doesn’t require that any hardware that costs less than $5,000 — that would cover most PCs — be tracked in an asset management system, and the current tracking system doesn’t have proper backing, according to the report.

Source: Department Of The Interior Can’t Locate Many PCs, J. Nicholas Hoover, InformationWeek, 27 April 2009

Most of us agree that encryption is a necessary part of any mobile device security strategy.  But why worry about tracking laptops?  Isn’t encryption enough to render the data on a lost or stolen laptop inaccessible?  Well, it depends.

Many organizations do not use strong passwords.  The reasons vary, including:

  • Users tend to write complex passwords down, leaving then easily accessible
  • Password reset calls constitute a high percentage of help desk calls, rising exponentially as password complexity increases

In other words, strong passwords are often seen as weaker and more costly to the business than simple passwords.  And password complexity tends to remain the same when an organization implements full disk encryption, raising concern about the real effectiveness of scrambling sensitive information.  The complexity of the password and the configuration of the login policy (i.e., history, failed login attempt, etc.) are factors in the strength of any encryption solution.  In any case, encryption solutions should be supplemented to some degree—depending on the organization—by a mobile device physical management process, including,

  • Mobile device assignment process which includes recording employee name and date of assignation
  • Clearly documented mobile device usage and protection policy signed by each employee before he or she receives a mobile device
  • Periodic, random verification that the assigned user still has physical control of the device
  • Strict employee termination process which includes receipt of assigned devices
  • Documented device end-of-life process, including
    • recording receipt of device
    • recording of device disposition, in accordance with the organization’s media sanitation and reuse policy
  • Tested and documented device loss process, including
    • process for reporting a mobile device lost or stolen
    • assessment of the probability of sensitive data breach and notification of affected individuals
%d bloggers like this: