[ISN] 50-Cent Holes

[InfoSec News]

Forwarded from: William Knowles <wk at c4i.org>

http://www.csoonline.com/read/100105/security.html

BY THOMAS WAILGUM
CSO Magazine
October 2005 

This has not been a banner year for information security.

 From a stolen laptop full of Social Security numbers to a website
that lost oceans of credit card data, commonsense security procedures
seem in short supply. "Almost without exception we're living in a
world where no one thinks to lock the stable doors until the horses
have escaped," says David Friedlander, a senior analyst at Forrester
Research.

CIOs can spend millions on firewalls, intrusion detection systems and
whatever else their security vendors are selling, but when that VP of
marketing decides to sync his work laptop with his unsecured home PC -
and there's no policy or training to make him think twice - your
million-dollar security efforts become worthless.

With that in mind, here are 10 common security ailments and 10
practical remedies. They're easy and inexpensive, and you can do them
right now. All involve some form of user education and training. "How
do you stop stupid mistakes?" asks Mark Lobel, a partner in the
security practice at PricewaterhouseCoopers. "It's education and
security awareness - basic blocking and tackling - and it does not
have to cost a fortune."


Save As...

The Hole | A company familiar to Adam Couture, a principal analyst at
Gartner Research, searched its Exchange servers for documents called
"passwords.doc." There were 40 of them.

The Problem | Uneducated users. "Some of these [mistakes] are so
obvious that you think, "Nobody would do that,'" Couture says. "But
you give people too much credit." Any hacker, malcontent employee or
grandmother with a minimal amount of computer know-how could unlock
those documents and ravage your company's most sensitive applications
(not to mention all of your employees' personal information).

The Solution | First, CIOs need to acknowledge that there might be
passwords.doc files on their networks, find them and destroy them.  
Then, via e-mail or a companywide meeting, they need to explain to
users why keeping a file like this on the network is a really, really
bad idea.


Ever Heard of "bcc:"?

The Hole | On June 13, 2005, the University of Kansas Office of
Student Financial Aid sent out an e-mail to 119 students, informing
them that their failing grades put them at risk of losing their
financial aid. The e-mail included all 119 students' names within the
e-mail address list.

The Problem | Besides embarrassing their students, U. Kansas
administrators may have violated the Department of Education's Family
Education Rights and Privacy Act, which protects the privacy of
students' grades and financial situations.

The Solution | First, companies need a policy that explicitly states
what can and cannot be sent out via e-mail or IM. "A lot of companies
don't have good acceptable-use policies for e-mail," says Michael
Osterman, founder of Osterman Research. He suggests that they map out
how employees should handle confidential information, offer them
training and have them sign a one-page document stating that they have
taken the course and understand what to do. University of Kansas
officials say they have "undertaken internal measures - such as
reviewing e-mail and privacy policies, and training staff - to ensure
it does not happen again."

Osterman also suggests that CIOs add an outbound scanning system to
the existing e-mail system that looks for sensitive content in e-mails
(such as 16-digit numbers, which could be credit card numbers). He
says these systems are inexpensive and are offered by scores of
messaging vendors; some vendors will even do a complimentary scan of a
company's messages to see how bad it might be. One vendor that he's
familiar with started scanning a new customer's network and found 10
violations in 10 minutes.


No One Noticed? Really?

The Hole | Orazio Lembo, of Hackensack, N.J., made millions by
purchasing account information from eight bank employees who worked at
several financial institutions, including Bank of America, Commerce
Bank, PNC, Wachovia and others. Lembo paid $10 for each pilfered
account. Most of the felonious employees were high-level, but two bank
tellers were also arrested. Lembo had approximately 676,000 accounts
in his database, according to Capt. Frank Lomia of the Hackensack
Police Department, an official investigating Lembo.

The Problem | Capt. Lomia says that many of Lembo's contacts usually
accessed and sold 100 to 200 accounts a week - but one managed to
access 500 in one week. "What surprised me is that someone could look
at 500 accounts and have no one notice," he says.

The Solution | CIOs, with the help of the HR, security and audit
functions, need to institute a clearly defined policy on who has
access to what information, how they can access it and how often.  
After all, with HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley looking
over CIOs' shoulders, compliance and controls have to be on the top of
the to-do list. "Through all the phases of information creation to
maintenance and storage and destruction," asks PwC's Lobel, "do you
have that data classification and lifecycle process, and do people
know what it is?" Lobel says many of his clients have compliance
controls, but employees either don't know such controls exist or
aren't clear where they apply. "User education is not easy, but it is
worth the effort," he says.


ChoicePoint's Bad Choice

The Hole | Criminals posing as small-business owners accessed the
information - names, addresses and Social Security numbers - of
145,000 ChoicePoint customers.

The Problem | Call it what you will - fraud, "social engineering," the
Kevin Mitnick effect - this was one really glaring example of how
these kinds of attacks are plaguing companies. Lobel says commercial
enterprises could improve when it comes to training users about social
engineering - hackers targeting well-meaning users over the phone or
Internet to obtain private information such as passwords. "We're
always going to find somebody who doesn't know what they shouldn't be
doing," he says.

The Solution | CIOs should make sure that both users and customers are
adequately trained in how to recognize and respond to phishing and
other related attacks - especially before they go out and hire a
company such as PwC to audit their user base. "[CIOs] should spend
their money on a [training] program rather than on testing," Lobel
says.  ChoicePoint claims that it has strengthened its
customer-credentialing procedures and is re-credentialing broad
segments of its customer base, including its small-business customers.


Loose Laptops

The Hole | On April 5, MCI said that an MCI financial analyst's laptop
had been stolen from his car, which was parked in his home garage.  
That laptop contained the names and Social Security numbers of 16,500
current and former employees.

The Problem | In many recent cases involving laptops, the computer's
security was handled by a Windows log-on password. "It's getting
easier for even the more casual criminal to find out how to break into
the laptop," says Forrester's Friedlander. "There's more awareness
that the information is valuable." Plus, the data in many of these
recent incidents wasn't encrypted. (MCI won't say whether the stolen
laptop was encrypted, just that it had password protection). According
to Friedlander, encryption adoption is much lower than firewall
adoption because encryption historically has had performance issues
(it slows the computer down) as well as usability issues (users are
often confused about how to encrypt the right data). In a recent
Forrester survey, 38 percent of respondents said they have no plans to
deploy encryption tools. Ouch.

The Solution | CIOs need to do some classic risk management, says
Friedlander, and ask themselves: What is the information on the system
that I care about the most? Who's connected to a network where I might
be exposed? And then they should create or revise their security
policies based on that assessment. For example, if a laptop has
customer information on it that would kill the company if it got into
a competitor's hands, then the CIO should ensure that encryption was
turned on. Users need to understand "why these policies and
technologies are in place that may seem inconvenient, but why they do
matter," says Friedlander. "If they realize the implications, most
people will want to act." If the information on another laptop is less
critical, then more basic security measures, such as strong passwords,
can be used, he says.


Tales of the Tapes

The Hole | Let's not forget the good ole data tape—in particular,
CitiFinancial's now-infamous UPS shipment of unencrypted computer
tapes that were lost in transit to a credit bureau. A whopping 3.9
million CitiFinancial customers' data was on those tapes, including
their names, Social Security numbers, account numbers and payment
histories.

The Problem | CitiFinancial has stated it "[has] no reason to believe
that this information has been used inappropriately." But on the other
hand, there's no reason to believe that it won't be.

There are companies that specialize in handling data tapes, Iron
Mountain for one. But even Iron Mountain is not impervious to security
snafus. In May, Time Warner announced that Iron Mountain had lost 40
backup tapes that had the names and Social Security numbers for
600,000 of its current and former U.S.-based employees and for some of
their dependents and beneficiaries. Iron Mountain says it has recently
suffered three other "events of human error" that resulted in the loss
of customers' backup tapes—and these are the guys who supposedly are
all about security and nothing else.

The Solution | In July, Citigroup said it will start shipping customer
information via direct, encrypted electronic transmissions. Though
"you can squeeze a lot more data into a truck than you can over the
wire," Couture of Gartner Research says, "[sending data
electronically] could be cost-effective for smaller companies with
small amounts of data." Citigroup's new shipping method will also take
much of the people part out of the equation. "Any time you have to
touch that tape and add a human element in the process, there's the
potential [for] incompetence, malfeasance, and pure and simple
stupidity," Couture says. (For more on solutions to identity theft,
see "New Locks, New Keys.")


How Much for a BlackBerry?

The Hole | This tale has been told so often that it is teetering on
the brink of urban legend status: Back in 2003, a former Morgan
Stanley executive, apparently with no more use for his BlackBerry,
sold the device on eBay for a whopping $15.50.

The Problem | The surprised buyer soon found out that the BlackBerry
still contained hundreds of confidential Morgan Stanley e-mails,
according to a Forrester report.

The Solution | First, users with handhelds, laptops and other devices
need to be made to understand what's really at stake. "It's not the
laptops that are the issue; it's what's on them," says For-rester's
Friedlander. Second, CIOs need to institute a repeatable and
enforceable policy for device and access management—even for
high-powered executives. When someone leaves the company, he should
have to turn in all of his corporate-issued devices, and IS should
lock him out of all applications to which he had access. "If you have
1,000 users, there should be 1,000 accounts," says the CISO of a large
Midwestern financial services company. "So why are there 1,400?  
Because people who have left still have authority to log in."  
According to the Forrester report, Morgan Stanley did have a policy
that stated that mobile devices should be returned to IS for "data
cleansing," but this exec must have slipped through the front door.

Another huge problem is those longtime employees who move around the
company and retain access to data associated with their previous jobs
even though it's unrelated to their new position, says Jeffrey
Margolies, lead for Accenture's security services and identity
management practice. "They accumulate access over time, and they are
an audit nightmare."

A solution is to set up one place (whether it's a website or paper
form) where employees can request access to applications, Margolies
says. CIOs need a policy that states who has access to what systems
and why, with IT, HR and security getting to make the decisions. "Over
the last 10 years, we have built hundreds of applications, and every
single application has its own way of [determining] access and
managing that access," he says. "But just [giving people] one place to
go and [saying] just fill out this form - even if it's paper - the
level of confusion is reduced."


IM Not OK

The Hole | One of your top sales guys is a huge believer in instant
messaging. In fact, he's been using a consumer-grade IM client
(probably AOL Instant Messenger) to communicate with his customers for
years. And this hypothetical salesman's IM name fits his personality
perfectly: Big Bad Texan.

The Problem | There are three, says Osterman of Osterman Research.  
First, security: A consumer-grade IM client used on a corporate system
will bypass all antivirus and spam software. Second, compliance:  
Consumer-grade IM clients don't have auditing and logging capabilities
for regulatory compliance. And third, name-space control: If Big Bad
Texan takes a job at your competitor, rest assured he's taking his IM
name - and your key customers - with him. "There's no clue to the
outside world that he left," Osterman says.

The Solution | The first step is for CIOs to admit to themselves that
consumer-grade IM could be running rampant in their organizations.  
Osterman estimates that 30 percent of all e-mail users are instant
messaging these days. Like e-mail, CIOs need to develop an
acceptable-use policy and make sure everyone understands it. Then CIOs
have two options: Allow consumer-grade IM to remain in place and
deploy a system that will provide any number of security functions,
such as blocking file transfers or mapping IM screen names to
corporate identities, says Osterman. Alternatively, CIOs can replace
consumer-grade IM tools with an enterprise-grade system. "This can be
a more expensive and disruptive option, but it's one that many
organizations are choosing," Osterman says.


Unwired and Unsafe Workers

The Hole | The CISO of the Midwestern financial services company
shares this nightmare: An executive decides she wants to put a
wireless access point in her house so she can work at home from
anywhere in her house. Her son gets her up and running. She wirelessly
logs into the network, and she uses the default password for the
connection that came straight out of the box.

The Problem | "Go to every single hacker site, and you can find every
default password and user ID [for wireless routers]," says the CISO.  
"Home PCs are one of the greatest vulnerabilities." And once this
executive authenticates, others can see how she did it, "then people
are in," the CISO says.

The Solution | Back to the basics with this one. CIOs need to make
sure all employees who work from home know that they have to change
all the default settings, and they can't forget about firewall, VPN,
antivirus patching and authentication tools. That all takes an
omnipresent security education program, but to this CISO, it's the
cost of doing business today. "The struggle with security education is
getting it so it becomes like breathing," the CISO says. "Users have
to become smarter about how they do things."


40 Million "Served"

The Hole | In June, MasterCard announced that CardSystems Solutions, a
third-party processor of credit card transactions for MasterCard,
Visa, American Express and Discover, allowed an unauthorized
individual to infiltrate its network and access cardholder data.

The Problem | Up to 40 million cardholders' information could have
been exposed. It turns out CardSystems had violated its agreement with
the credit card companies: It was not allowed to store cardholders'
account information on its systems, and yet it did just that.

The Solution | If a company has an agreement not to store another
company's data on its systems, it shouldn't. And if for some strange
reason it becomes necessary, the company had better ensure that it has
the necessary controls. "All of those cases of breaches speak to the
need for a good, old-fashioned defense, in-depth, with multiple layers
of control," says PwC's Lobel. For example, he says, instead of just
having a firewall, companies should have multiple layers of controls
on their network. Or rather than just using SSL, companies need to use
authentication too. "You get into the security versus ease-of-use
trade-off and cost," he says. "That's the decision that businesses
have to make with their eyes wide open."

In the end, how a company views security and protects its customers'
and employees' data will have a direct correlation to its longevity.  
In the case of CardSystems, in July both Visa and American Express
said they no longer wanted to do business with the company.

-=-

Staff Writer Thomas Wailgum can be reached at twailgum at cio.com.  
Editorial Intern C.G. Lynch contributed to this report.


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*