Monday, June 05, 2006

A coworker sent me a link to a news article today, yet another one about a data breach from - you guessed it - a stolen laptop. This one was an auditor working for Ernst & Young and doing an audit of Hotels.com, and apparently the auditor (and I can't believe this) left it in his or her car and it was broken into and stolen.

So now, thousands of Hotels.com customers' personal data - meaning names, addresses and credit card information of about 243,000 people - is potentially in the hands of someone who could use it improperly. Oh, and by the way, my name is certainly on that list.

Up until today I was frustrated to no end with these events.

Now it's personal. Now I'm angry.

And get this: The theft occurred in February and Ernst & Young didn't notify Hotels.com until the first week of May. What??? And on top of that, customers were not notified until a few days ago. You've got to be kidding me...

This post contains some useful information about data breaches, packaged with a bit of a rant by yours truly about information security - or the serious lack thereof - in US companies and institutions. As a reminder, what I post here is my own opinion and not that of my employer or anyone else. I work in information and cyber security, and I care - a lot - about these issues.

There's a major attitude problem - let's call it a lackadaisical mentality - out there and it's high time someone did something about it. Lazy security means lots of helpless victims, and we're so far behind the 8-ball as a country it's downright scary. There's a fundamental "people problem" at the root of this, and no matter how much technology we throw at it, the analog physical and human components need to be addressed before any of the technical issues can be resolved.

The Privacy Rights Clearinghouse maintains an online chronology of data breaches with descriptions of each event, outlining any known data breaches that have occurred since February, 2005.

All told, as of the time I write this, there are 84,797,096 individuals whose identities are known to have been included in these data breaches. Banks, universities, health care providers, insurance companies, corporations, credit card providers... Lord only knows about the ones that have not been reported. Ugh, it's depressing. It's also ridiculous.

What bothers me the most is how often the term "stolen laptop" shows up in the list. What in the world are people doing with sensitive information stored on computers that can walk out the doors of all of these heavily regulated companies and institutions? It's insane from a security management perspective.

But then again, let's take a look at just how many US banks, universities, health care providers, insurance companies, corporations and credit card providers are certified under some kind of recognized information security management standard. Let's take the big standards - BS 7799-2 and ISO 27001 - for example.

BS 7799-2:2002 (in this case, the "BS" stands for "British Standards") has long been the recognized standard for overall security management, and the new ISO/IEC 27001:2005 international standard is basically BS 7799-2:2002 in an updated form. It's also related to ISO 17799, since we're throwing around fancy names. Ultimately it's all the same stuff, just renamed and reassigned. The 27001 standard represents a systematic approach to managing sensitive information so that it remains secure. It encompasses people, processes and IT systems.  It is used to determine and evaluate a company's security management framework and is internationally recognized as the gold standard for security.

If a company doesn't have a security management framework in place, not only is it unaware of what's happening in it's own walls, it doesn't really know whether or not it knows much of anything. Yeah, that's confusing. What you don't know is what will most likely kill you. Either way, it's negligent in this day and age not to be formally on top of information security, and that involves not just firewalls and technology, but risk assessments, people, processes, and an over-reaching management framework to ensure all the bases are covered.

Did he say "negligent?" Yes, negligent. And I mean it.

It's a lot of work to achieve and maintain the 7799/27001 certification and to hold up to ongoing audits, to be sure (just ask me or my coworkers about it some day, we live it), but it's not rocket science and for gosh sakes, IT'S IMPORTANT. And it's not about the actual certificate, it's about all the things that go into the process of getting the certificate and keeping it.

So, if you had to hazard a guess, how many agencies, institutions and companies in the United States do you think have this important and recognized certification?

Be prepared to be disappointed. Especially when compared to the number of certified organizations in other countries, like say Japan and India and Korea. Or pretty much any other developed country, for that matter. It's really quite pathetic.

Of the 2600+ organizations on the certificate register, there are only seven  (yes, that's "7") companies or organizations in the entire United States certified under ISO 27001, and only 39 have been certified in the US under BS 7799-2 and ISO 27001 combined. Keep in mind, there's overlap on the lists, as a number of companies (like ours) have converted from the British Standard cert to the ISO 27001 model, meaning we've been certified twice.

This table shows how many organizations are certified under either ISO 27001 or BS 7799-2 as of June 5, 2006. The term "organization" can mean any one of several things: companies, portions or divisions of companies, agencies, or various other other entities. I've left off most of the countries that have only one certified organization to save space.

Japan

1602

Brazil 

9

Slovenia 

2

UK 

244

Sweden

8

South Africa

2

India 

186

Spain

7

Armenia

1

Taiwan 

92

Turkey

7

Bahrain

1

Germany

57

Iceland

6

Chile

1

Italy 

42

Greece 

5

Egypt

1

USA 

39

Kuwait

4

Lebanon

1

And of the US companies, agencies and organizations on that list, only one of them is a bank (and even then it's only the information security team's component of the business). None of them are credit unions. None of them are insurance companies. None of them are health care providers. One of them is a university. A couple are government agencies - and not the same ones that have been in the news lately, that's for sure.

If you think about it (or search for it, for that matter), how often do you hear about information disclosure outside the United States? Sure, it happens, but seemingly not nearly as often. And why is it, I wonder, that in Japan there are so many certifications? ISO 9000 (the gold standard for manufacturing) is huge there, as well. 

The fact of the matter is that overall, companies and institutions in the US don't take security nearly seriously enough.

So - It's time to do something about this. Now, not tomorrow. It's already much too late, so we need to get moving. We're already in triage mode, friends.

What to do? To start, if you do business with any company that handles sensitive individual data, ask them about their security certifications. And don't accept just a SAS-70 certification as covering the bases - it only covers operations of the datacenter and has practically nothing to do with the rest of the company. Also, make sure you know specifically what any issued certifications actually cover - this is called the "scope" of the certification. Is it the entire company (usually it's not so you have to ask), or is it just a department or division? If the company is not formally certified, do they have a security management framework and a standard they follow?

Also, this is formal security management we're talking about. Don't accept lame responses like "we're covered under HIPPA" or "we get audited for Sarbanes-Oxley so that's all covered..." Sorry, that doesn't come close to cutting it. Neither of those auditing standards require a company to have a security management system in place, and neither come close to covering what's needed to ensure proper security standards are met outside of their narrowly focused scopes.

Get educated. Find out what needs to change. Demand change. Question systems that put the secrets in the hands of people who don't have a personal stake in the game. Do business wherever possible only with companies that are cognizant enough of security to formalize their program on a standard framework and which preferably have external certification of the results of that effort. I'm not kidding here. And yes - it can be done.

Unless you have a better idea (and feel free to share - comment away), that's what it will really take to create change - Market forces. We certainly can't count on the government to do anything about it - they'll just come up with vague, useless legal acts that almost always miss the mark and cost the business sector billions (take SARBOX for example). Individual action and demanding that companies get serious - and that they do so in a manner where they can be formally reviewed and held accountable - is the best real-world way to force change.



Add/Read: Comments [3]
IT Security | Safe Computing | Things that Suck
Monday, June 05, 2006 10:06:00 PM (Pacific Standard Time, UTC-08:00)
#  
Tuesday, June 06, 2006 5:52:40 AM (Pacific Standard Time, UTC-08:00)
This is a good post, Greg. I am a sysadmin who has recently made the move to IT auditing, and your mentioning of the BS and ISO standard is an interesting one. What is more interesting, though, is the use of other standards as their certification or basis for the construction and maintenance of their IT environment.

Admittedly, I am new to the lingo of this practice. It is an interesting one, and I think much can be done on just security. IT auditing seems to be quite comprehensive, and I am beginning to think that in some cases it should be separated between systems audits and security audits. There is so much that can be reviewed on just the security front.
Tuesday, June 06, 2006 8:51:45 AM (Pacific Standard Time, UTC-08:00)
Totally agree. These companies *are* negligent and should be held accountable (as if "accountability" actually meant something in 2006...).

But it's so much work for me to become educated about standards and how they apply, and what my rights are under one or the other, and which ones are most relevent when I'm speaking with which institution...it makes my head spin. Frankly, the oppurtunity costs of learning that stuff need to be weighed against the very real likihood that my bank, for example, just don' giva fuck about what *I* want as a customer! Single customers are like flies, they bat us away. It's far far more important that institutional victims of these losses penalize each other.

On the other hand, if someone were to summarize clearly which standards I should ask about for my bank, my university, my employer, etc., that would be helpful.

Another side to this though: people walk out of offices with 200,000 customer records on an insecure laptop probably not out of stupidity, but to get around some inane IT restriction that's in place already. I mean, I had to make a special request to be given rights to *remove shortcut icons from my desktop* and to *install fonts*. Should I ask them to diaper me and feed me soft foods, too? Give me a break.

In that light, I can *easily* imagine these two scenarios playing out every day: "Crap, I can't install the software I need to do this analysis here at the office, because IT doesn't let me install the software I need on my own desktop machine. I don't have time to requisition a purchase, so I'll just dump it onto the laptop and finish up at home." Or, "If we don't have some legitimate data in the demo for that big customer next week, we'll never close the sale. Hmm, maybe I can do a SELECT * FROM... and just pull it down locally."
Andrew
Thursday, June 15, 2006 1:29:52 PM (Pacific Standard Time, UTC-08:00)
My bank notified me that a laptop containing my personal data as well as all other clients of MERCANTILE POTOMAC VALLEY BANK was stolen on a laptop from an employee's house. They're offering to sign us up for one-year of credit alert to keep an eye out to make sure we're not having our credit messed with. Wow, what a pain.
Steve
Name
E-mail
Home page

Comment (Some html is allowed: b, blockquote@cite, em, i, strike, strong, sub, sup, u) where the @ means "attribute." For example, you can use <a href="" title=""> or <blockquote cite="Scott">.  

Enter the code shown (prevents robots):

Live Comment Preview