Security Survivor All-Stars
Worming Their Way In
Cybercriminals have a parasitic side, and it's not to be underestimated. If they can't bust through the network perimeter of an enterprise, they're just as likely to go through the front door aboard an unwitting and trusted customer or business partner.
Enterprises like research information provider LexisNexis, for example, spend countless hours and resources on resolving malware issues, shoring up intrusion defenses and architecting security into the network. But admittedly, LexisNexis had done little to ensure that customer and partner environments with access to LexisNexis databases were secure.
This was the avenue by which hackers last year stole records on more than 300,000 people, including names, addresses, and Social Security and driver's license numbers. Granted, it took a confluence of events for criminals to land on LexisNexis' virtual doorstep, but hundreds of thousands of people were still left open to identity theft and LexisNexis' reputation was in jeopardy.
"We were security conscious and aware, but [only] from an internal standpoint of 'What can I do to ensure I don't bring bad software into the company?'" says Leo Cronin, senior director of information security. "We developed a couple of scenarios to deal with autoscript attacks of our apps and denial-of-service attacks, but those focused on our four walls versus us having to worry about the customer. This woke us up--we truly have to be worried about that environment."
The theft at LexisNexis began far away from its walls. A worm bearing a keylogging Trojan was spammed to thousands, promising pornographic images. The Washington Post reported that separate law enforcement offices in Florida and Texas took the bait of the social engineering component of the worm. Law enforcement--and government--makes up a big chunk of LexisNexis' 4.5 million customers.
Soon, the LexisNexis user names and passwords at these two unrelated offices were compromised and criminals had access to a legitimate account and a trove of personally identifiable information. The 300,000 accounts were harvested during 59 separate visits to a database managed by Seisint, a 2004 LexisNexis acquisition. They went unnoticed until one of the agencies reported unusual activity on its bill.
The timing couldn't have been worse. LexisNexis reported the incident in compliance with California's SB 1386 less than two months after the avalanche of 2005 data breaches started with the ChoicePoint identity theft. Senior management decided not to wait for legislators to recommend action, nor wait to notify those potentially affected. Marching orders from Day 1 were to be transparent about what was being done; president and CEO Kurt Sanford testified before the Senate Committee on the Judiciary and explained the breach for legislators.
The first steps toward recovery included a comprehensive review of perimeter defenses, especially at the Seisint subsidiary, as well as a search for anomalies in how customers accessed services. Cronin and his teams quickly realized that more had to be done to batten down customer access. No longer were customer environments inherently trusted.
"No matter what our controls were on our perimeter, [hackers] figured out how to attack our customers directly," Cronin said. "Our password controls and auditing controls needed a facelift. We kicked off a team with a set of requirements and a plan to put new features in place by the end of 2005. It was quite a task. Support from management got it prioritized."
New password protocols were implemented for all customers. Password strength was mandated and inactive accounts were suspended after 90 days. A fixed number of failed logins also resulted in account suspension. Cronin said more than 1 million accounts were strengthened in 2005.
Looking ahead, Cronin wants to move customers closer to two-factor authentication, and does not rule out a federated token for single sign-on to banks and LexisNexis, or even a hard token as the second factor. Some customers with access to sensitive data are already subject to IP address restrictions, similar to what some banks have implemented: a profile tracks the IP addresses a user habitually logs in from and limits logins to those locations. A hard token would then be required for logins from anywhere else, such as a home computer.
Cronin said LexisNexis is also implementing near real-time anomaly detection that scores each user's behavior and restricts access when the score reaches a level consistent with fraud; the account would be shut down and the user notified. Customers using the LexisNexis desktop interface would also not receive the same level of access to data as those logging in fresh through the Web interface.
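The controls described above (lockout after repeated failures, suspension of accounts inactive for 90 days, an IP-address profile with a hard-token step-up for off-profile logins, and a behavior score that cuts access when it looks like fraud) fit together into one login decision. The following is an added example, not LexisNexis code; the 90-day limit comes from the article, while the lockout threshold, the score weights, the fraud threshold and the sample account and addresses are assumptions constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Policy constants. The 90-day inactivity limit is from the article; the
# lockout threshold, score weights and fraud threshold are assumptions.
MAX_FAILED_LOGINS = 5
INACTIVITY_LIMIT = timedelta(days=90)
FRAUD_THRESHOLD = 60


@dataclass
class Account:
    user: str
    last_login: datetime
    known_nets: list        # networks this user habitually logs in from
    failed_logins: int = 0
    suspended: bool = False


def in_profile(acct, src_ip):
    """True if src_ip falls inside one of the account's known networks."""
    ip = ip_address(src_ip)
    return any(ip in ip_network(net) for net in acct.known_nets)


def behaviour_score(acct, src_ip, when, records_requested):
    """Toy risk score; a real system would learn the weights from history."""
    score = 0
    if not in_profile(acct, src_ip):
        score += 30   # unfamiliar source address
    if not 6 <= when.hour < 22:
        score += 20   # outside the customer's normal hours
    if records_requested > 200:
        score += 40   # bulk pull, the pattern of the harvesting visits
    return score


def evaluate_login(acct, *, now, src_ip, password_ok, token_ok=None,
                   records_requested=0):
    """Apply the controls in order and return a decision string.
    token_ok is None when no hard-token code was presented."""
    if acct.suspended:
        return "denied:suspended"
    if now - acct.last_login > INACTIVITY_LIMIT:
        acct.suspended = True          # 90 days idle: suspend
        return "denied:inactive"
    if not password_ok:
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.suspended = True      # fixed number of failures: suspend
            return "denied:locked"
        return "denied:bad_password"
    if not in_profile(acct, src_ip):
        # Off-profile location: step up to a second factor.
        if token_ok is None:
            return "step_up:hard_token_required"
        if not token_ok:
            acct.failed_logins += 1
            return "denied:bad_token"
    score = behaviour_score(acct, src_ip, now, records_requested)
    if score >= FRAUD_THRESHOLD:
        acct.suspended = True          # shut the account; notify the user
        return f"restricted:fraud_score_{score}"
    acct.failed_logins = 0
    acct.last_login = now
    return "allowed"


def demo():
    """Constructed scenario (not real customer data): an agency account whose
    habitual source network is 203.0.113.0/24."""
    acct = Account("agency-user", last_login=datetime(2005, 6, 1, 9, 0),
                   known_nets=["203.0.113.0/24"])
    day = datetime(2005, 6, 10, 10, 0)
    night = datetime(2005, 6, 10, 23, 0)
    results = [
        evaluate_login(acct, now=day, src_ip="203.0.113.7", password_ok=True),
        evaluate_login(acct, now=day, src_ip="198.51.100.9", password_ok=True),
        evaluate_login(acct, now=day, src_ip="198.51.100.9", password_ok=True,
                       token_ok=True),
        evaluate_login(acct, now=night, src_ip="198.51.100.9", password_ok=True,
                       token_ok=True, records_requested=500),
        evaluate_login(acct, now=night, src_ip="203.0.113.7", password_ok=True),
    ]
    # Lockout: five bad passwords in a row on a second account.
    locked = Account("other-user", last_login=day, known_nets=["203.0.113.0/24"])
    lock_results = [evaluate_login(locked, now=day, src_ip="203.0.113.7",
                                   password_ok=False)
                    for _ in range(MAX_FAILED_LOGINS)]
    # Inactivity: last login more than 90 days before this attempt.
    stale = Account("stale-user", last_login=datetime(2005, 1, 1), known_nets=[])
    stale_result = evaluate_login(stale, now=day, src_ip="203.0.113.7",
                                  password_ok=True)
    return results, lock_results, stale_result


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: suspension and inactivity are evaluated before the password so that a stale or locked account yields no information about whether the password was right, and the behavior score runs only after authentication succeeds, since a scored-and-suspended account is the notification trigger the article describes.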
Policies around education and awareness training were beefed up for employees. A video for new hires, for example, reinforces the sensitive nature of the data LexisNexis stores and employees' responsibilities.
With more than 140 data breaches reported in 2005 and more than 50 million Americans exposed to identity theft, Cronin says enterprises cannot afford to be lax.
"Information security professionals have to do a better job of articulating the security we want in our products and services, and be articulators of the business value of security," Cronin says. "You'd better model those risks and make them understood as business risks."
A lesson in laptop larceny
Hackers weren't to blame for all of the data breaches in 2005--some were pulled off by old-fashioned, sticky-fingered thieves.
Take the breach at the University of California-Berkeley, where conditions were ripe for thievery on a particular day last March: an unlocked office off a remote corridor, a receptionist on break, a shiny new laptop unguarded on a desk.
The IBM ThinkPad, only a day old, was loaded with the Social Security numbers and other personal information of 98,000 graduate students, graduate and doctoral applicants, and others. A demographic analysis was being conducted on the data, some of which was 30 years old. It was a treasure trove for identity thieves.
Only this thief wasn't so sophisticated; this was a crime of opportunity. The thief was part of a ring that would steal laptops and other devices, scrub the hard drives, and sell the computers on eBay. The laptop was traced to the buyer and recovered. Officials at U Cal-Berkeley don't think the data was accessed.
Sometimes it's better to be lucky than good.
Associate vice chancellor and CIO Shelton Waggener is well versed in campus politics and understands the rigors of instituting change and lobbying for information security funding. The laptop theft was Berkeley's second breach in five months--in October 2004, hackers cracked a database housing account information on people participating in a home-care services program; more than 1 million files were exposed. But that was a nameless server hacked by a faceless criminal. A stolen laptop is different, and the realization that similar thefts could happen to anyone brought information security to the highest offices at Berkeley.
"It used to be perceived to be CIO problem, now it's perceived as a campus problem," Waggener says. "The message has sunk in that it's going to take personal accountability. That's huge in terms of progress."
Progress is the operative word. In the 13 months since the laptop theft, information security has been elevated to the point where security audits, policy updates and training are par for the course. Funding remains a struggle, but awareness is elevated, data security is paramount and resources are required.
"Security is really an insurance policy. You have to ask, 'How much are you willing to invest to reduce the possibility of having a security incident?' " Waggener says. "Can you afford to invest money to protect something that changes all the time? It's an uncomfortable investment to make. As it works out, incidents happen in areas you have not invested in. It's not that we didn't know how to protect every laptop, but it's an expensive thing to do."
As in most security organizations, Waggener had focused on areas of higher risk. With visibility heightened to the dangers of laptop theft, Waggener had to change his focus.
Outside auditors were hired to evaluate data exposure points. While they determined security policies to be strong, execution and implementation depended on the financial and technical strength of a particular unit. Policies were difficult to follow in a decentralized environment.
Best-practices audits were also instituted; internal teams of security experts would perform spot audits on different departments and help with recommendations. It was a creative way to provide advice without paying extra for it.
Training modules to instruct existing employees and new hires on their responsibilities around data and security policies in general have been developed. Students also undergo security training at orientation, and PCs and laptops are outfitted with free antivirus software. Centralized scanning tools monitor computers on the U Cal-Berkeley network for vulnerabilities and to ensure patching levels are adequate.
Encryption of sensitive data is a priority. U Cal-Berkeley is in the midst of evaluating products for mobile and database encryption, to secure data both in motion and at rest. Some encryption is already deployed: print jobs are encrypted in transit from the source server to the printer.
Waggener said the key is centralizing security management.
"We're going to create download sites to autoinstall encryption tools and make it easy to use," he says. "We have the policies and standards around the need to encrypt data, but if we're not going to make it easy to get the software and keys, people are not going to do it."
Putting the brakes on insiders
Know how fast the concept of a trusted insider becomes an oxymoron? Apparently a few nights and weekends--just ask the Georgia Technology Authority.
Asif Siddiqui had worked for the GTA for four years--and for nine in state government--as a programmer before he was fired and arrested last April for downloading and stealing 465,000 files on Georgia drivers during off-hours. Siddiqui hoarded the files for close to three years, and investigators still aren't sure what he was going to do with the sensitive data, which included Social Security numbers.
What the breach did for GTA was force the organization, which runs telecommunications and data center operations for the state including Georgia's Department of Motor Vehicles, to re-evaluate its hiring processes, institute pre-employment and periodic background checks on established employees, re-categorize data and accelerate its search for a state-of-the-art data center.
The real casualty for GTA, however, was trust. Even long-term employees now merit inspection. Proper authorization and access controls must be maintained, with particular focus on the revocation of rights once an employee no longer needs access to a system. After Siddiqui's arrest, GTA spent significant time hardening its authorization processes and procedures and tightening access to sensitive data.
"You still have to stay vigilant, even with long-term employees, and do so in such a way that employees understand and appreciate what you're doing," says GTA director of security Mark Reardon. "Employees have to appreciate they are in positions of trust. With that comes extra scrutiny. They have to understand that."
There were many layers to Siddiqui's theft, starting with the fact that it dated to 2002 when he was working on the state's driver's license and state health benefits plan systems. He had no legitimate reason to still be logging into those servers last April when an admin noticed he had recently been on the systems and reported it to management. His access rights had never been revoked, making him the most dangerous kind of intruder--one with legitimate access to sensitive data.
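The failure above is one of reconciliation: an entitlement that should have ended when the project ended was never revoked, and the logins that exposed it were noticed by chance. The following is an added example, not GTA's code, of the check an access-review process can run routinely: it joins sshd-style login records against a register of who still has a business need for each system and flags logins after that need ended, noting off-hours activity. The entitlement register, host names, user names and log lines are all constructed for the demo; the off-hours window is an assumption.

```python
import re
from datetime import date, datetime

# Constructed entitlement register (not GTA's): (user, system) -> the date the
# business need for that access ended, or None if it is still current.
ENTITLEMENTS = {
    ("dev07", "dl-db01"): date(2002, 12, 31),      # driver's-license system
    ("dev07", "benefits-app"): date(2003, 3, 31),  # health benefits system
    ("dev07", "build-srv"): None,
    ("dba02", "dl-db01"): None,
}

# Constructed sshd-style auth log lines for April 2005 (not real log data).
AUTH_LOG = """\
Apr  9 22:14:03 dl-db01 sshd[4112]: Accepted password for dev07 from 10.1.2.3 port 51022 ssh2
Apr 10 02:40:17 dl-db01 sshd[4190]: Accepted password for dev07 from 10.1.2.3 port 51101 ssh2
Apr 10 09:15:44 dl-db01 sshd[4301]: Accepted password for dba02 from 10.1.5.9 port 40022 ssh2
Apr 11 21:03:12 benefits-app sshd[880]: Accepted publickey for dev07 from 10.1.2.3 port 52233 ssh2
Apr 11 10:00:00 build-srv sshd[99]: Accepted publickey for dev07 from 10.1.2.3 port 52300 ssh2
Apr 12 03:30:00 dl-db01 sshd[4500]: Failed password for mallory from 10.9.9.9 port 1111 ssh2
"""

ACCEPTED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)

_UNKNOWN = object()   # sentinel: (user, host) absent from the register


def parse_logins(log, year):
    """Yield (when, host, user, ip) for each successful login in the log."""
    for line in log.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue   # failed attempts and other lines are out of scope here
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        yield when, m["host"], m["user"], m["ip"]


def off_hours(when):
    # Weekend, or outside 07:00-19:00 on a weekday; the window is an assumption.
    return when.weekday() >= 5 or not 7 <= when.hour < 19


def find_stale_access(log, year=2005):
    """Flag logins with no entitlement on record, or after the need ended."""
    findings = []
    for when, host, user, ip in parse_logins(log, year):
        ended = ENTITLEMENTS.get((user, host), _UNKNOWN)
        if ended is _UNKNOWN:
            reason = "no entitlement on record"
        elif ended is not None and when.date() > ended:
            reason = f"business need ended {ended}, access never revoked"
        else:
            continue   # current, legitimate access
        findings.append({"user": user, "host": host, "ip": ip,
                         "when": when.isoformat(), "reason": reason,
                         "off_hours": off_hours(when)})
    return findings


if __name__ == "__main__":
    for finding in find_stale_access(AUTH_LOG):
        print(finding)
```

Run against the sample, the three dev07 logins to the two systems he no longer worked on are flagged, all of them outside business hours, while the dba02 login and dev07's login to the build server pass. The value is in the join, not the log parsing: without a register that records when a need ended, an admin can only notice, as one did here, that someone "had recently been on the systems".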
Furthermore, GTA had no policy of conducting background checks when Siddiqui was hired in 2001. That was another major policy adjustment post-breach, especially for employees with access to sensitive data. In addition, state agency information security officers now review the data on every IT system according to NIST and FISMA guidelines, rating it low, moderate or high (the FIPS 199 impact levels). New hires working with data rated moderate or higher must undergo an initial financial and criminal background check, as well as periodic checks throughout their employment.
Employees are also required to sign non-disclosure agreements, indicating they will not share or make use of any of the information they handle.
Reardon said a renewed focus on employee awareness will include intranet sites that educate employees about information security and their responsibilities with data.
"It's a lot of, frankly, unexciting basic blocking and tackling," Reardon says. "From an information security perspective, we have to make sure we have an understanding of what information is where and how it's protected, and make sure agencies responsible for data believe in the controls that are in place."
The theft also put additional focus on GTA's need for a new data center to replace its "ancient" facility, according to Joyce Goldberg of the GTA Office of Communications. The new facility has strong authentication requirements--including biometric access controls--redundant system failover and environmental controls.
"We are looking to be in a mode of constant improvement, and it isn't going to be one person; it's going to be a cultural change," Reardon says.
Security Survivor All-Stars
Repairs to ChoicePoint's flawed customer credentialing processes--and, more importantly, to its reputation--were well under way in January when along came the Federal Trade Commission with a $15 million reminder that life for the data collector will never be the same.
Survival and recovery may forever be relative terms for ChoicePoint, whose infamous data breach, reported in February 2005, led to its FTC fine. Ironically, the penalty was levied the same day ChoicePoint reported record revenues of $1.1 billion for 2005, a "milestone year" according to CEO Derek V. Smith.
It may be a cold day in Hades before Smith hears any adulation for those numbers. The breach, which exposed more than 160,000 people to identity theft, has led to at least 800 confirmed cases and unprecedented scrutiny.
This is the environment in which Carol DiBattiste operates. Hired shortly after the breach was made public, the former deputy administrator and chief of staff at the Transportation Security Administration leads an independent office that reports to the ChoicePoint board of directors' privacy committee. Her mission is to clean up the means by which ChoicePoint credentials its customers, align security and privacy within the company's four walls, and concentrate on implementing a steady stream of checks and balances to ensure a breach like the one that started 2005's firestorm never happens again.
"I stay up at night thinking about how to beat bad guys from getting our data, and making sure the people who access our data are who they say are," DiBattiste says.
Olatunji Oluwatosin, a 41-year-old Nigerian national living in California, exploited those weaknesses. He posed as legitimate enterprises to set up more than 50 bogus accounts and gain access to ChoicePoint's trove of personal data, including names, addresses and Social Security numbers. He was arrested in February 2005, and was later sentenced to 10 years in prison and ordered to pay $6.5 million in restitution.
DiBattiste's first priority was to shore up the lax vetting of customers. She and her team immersed themselves in each of ChoicePoint's business units to learn their security and privacy processes and procedures in an attempt to marry the two disciplines. She hired consultants from Ernst & Young's privacy team to introduce industry best practices to ChoicePoint and tailor them around its business model. Each of these activities came under the umbrella of a new risk mitigation model, which was the focus of more than 50 outreach events internally and externally that DiBattiste coordinated before the end of 2005.
"Customers are thrilled because it's a business imperative for us," she says.
Credentialing procedures for new customers were ramped up, starting with the hiring of more than 40 individuals dedicated to checking customers and verifying who they are, the legitimacy of the companies they represent and whether they are, in fact, agents of the company. Existing customers will also be recredentialed, an exercise DiBattiste expects to continue through August.
Checklists vet customer identities through various sources, including bank references. Site visits are mandated for customers seeking access to the most sensitive ChoicePoint information stores. A quality control board then reviews the credentialing teams to ensure no human error was introduced during the vetting process and that each of the multiple verifications was done properly.
"There are certain things on our checklist that, if you don't pass, it's a hard fail and you're not going to be one of our customers," DiBattiste says. "I think our credentialing process is one of the best out there. It goes through a lot of checking of who you say you are, and whether you are going to use data in a manner that is permissible under law."
ChoicePoint customers can also expect periodic audits of their account activities--some scheduled, some without notice. Hundreds of accounts have already been cut off because of suspicious behavior, DiBattiste says.
Customer privacy training is also a priority for 2006, in addition to mandatory online privacy training for employees.
"We want to get customers aware of what their obligations are with the data," DiBattiste says. "That's a heavy lift. All of this is key to our risk mitigation model. With this combination of site visits and rigorous checklists, we hope to keep another incident from happening."
Paying the price
Joe Christensen walked in the doors at CardSystems Solutions last July, charged with establishing a program to help the beleaguered payment processing company earn compliance with the Payment Card Industry (PCI) security standard.
Talk about a tall order.
Not only had CardSystems reported two months prior that hackers had stolen 263,000 customer credit card numbers and exposed 40 million more, but Visa and MasterCard threatened to terminate it as a transactions processor. The death watch was on, something CEO John Perry confirmed before Congress where he said his company faced "imminent extinction" because of Visa and MasterCard's action.
Stress, fear and uncertainty were palpable inside CardSystems' Atlanta offices. Somehow, Christensen, the new vice president of security and compliance, didn't high-tail it out the door.
CardSystems, if not doomed, was at least ripe for an acquisition. But that would not happen without information security and PCI-compliant processes in order. In fact, to facilitate an acquisition, Visa and MasterCard twice extended compliance deadlines, first to Oct. 31, 2005, then Jan. 31.
Fortunately, Christensen says, a compliance effort was well under way. CardSystems had hired AmbironTrustWave to perform a forensic analysis and consult on compliance; there was a solid understanding of weaknesses and priorities. Christensen's first priorities were to understand where card data was kept and how it was accessed, and to ensure that the hack could not be replicated.
In September 2004, hackers dropped a malicious script on the CardSystems application platform, injecting it via the Web application that customers use to access account information. The script, programmed to run every four days, searched the servers for track data only--the cardholder name, card number, expiration date and card verification value encoded on the magnetic stripe on the back of a card--then extracted the matching records, zipped them and exported them to an FTP site. Perry told Congress the only time data was successfully exported was May 22. The exported data--records of failed transactions that had been kept for research purposes--was stored in readable form. Retaining full track data after authorization is prohibited by the PCI standard whether or not it is encrypted; keeping it in the clear compounded the violation.
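The attacker's script did what a data-discovery scan should have done first: find stored track data. The following is an added example, not CardSystems' or AmbironTrustWave's tooling, of such a scan. It matches the Track 1 and Track 2 formats carried on a card's magnetic stripe, runs a Luhn check on the extracted card number to weed out look-alike digit strings, and reports masked numbers only. The sample "failed transaction" log is constructed and uses the publicly known test card numbers 4111111111111111 and 5500000000000004; the record layout is invented for the demo.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")

# Constructed research log of declined transactions (not CardSystems data).
# The last record keeps only a masked PAN and expiry, which is permitted.
SAMPLE_LOG = """\
2005-05-20 13:02:11 DECLINED term=0042 resp=05 data=%B4111111111111111^DOE/JANE^0712101000000000?
2005-05-20 13:05:48 DECLINED term=0017 resp=51 data=;5500000000000004=0712101000000000?
2005-05-20 13:06:02 DECLINED term=0017 resp=51 data=;1234567890123456=0712101?
2005-05-20 13:07:30 APPROVED term=0042 pan=411111******1111 exp=0712
"""


def luhn_ok(pan):
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(text):
    """Return one finding per stored track, never echoing the full PAN."""
    findings = []
    for label, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m["pan"]
            findings.append({
                "type": label,
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": m["exp"],
                "luhn_ok": luhn_ok(pan),   # False suggests a false positive
            })
    findings.sort(key=lambda f: f["offset"])
    return findings


if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_LOG):
        print(finding)
```

Run over the sample it reports three stored tracks, two of which pass the Luhn check and one of which does not; the masked APPROVED record produces nothing. A finding with Luhn true is retained sensitive authentication data and has to be purged rather than encrypted, since the PCI standard forbids keeping full track data after authorization in any form.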
For too long, Christensen says, CardSystems concentrated on delivering its core business to market--routing transaction authorization requests from POS terminals to a payment card network, then facilitating payments to merchants--without enough regard for the way data was kept safe. Security was a function of IT, and the dearth of dedicated security personnel was especially glaring post-breach. "Awareness of the things you have to do to maintain systems securely was not at a level it needed to be," Christensen says. "[CardSystems didn't have] a culture of security, which isn't unusual."
That drastically changed in the ensuing months. Backed by senior management, Christensen and his team fully encrypted the company's backend systems--one of the few transaction processors to do so, he says. They also put in place procedures where all coding was tested against the Open Web Application Security Project's top 10 critical Web application vulnerabilities before being put into production. Monthly vulnerability scanning and centralized patching systems were ramped up. Internal access controls that severely restrict who can get at customer accounts were also set in stone. Laptop security was addressed, and a consolidation security policy was adopted for future acquisition targets.
Going forward, Christensen plans to address a move from tape backup to remote encrypted digital-vault backups. He also wants to beef up employee awareness, with new-hire training, annual refresher courses, security awareness days and fresh policies on how to handle data, especially papers left in the open on desks and fax machines.
All of this helped make CardSystems PCI compliant (avoiding a Visa and MasterCard shutdown) and preserve value in its assets. This made the company attractive to PayByTouch, which agreed to acquire it in October 2005.
"What happened has completely changed the culture," Christensen says. "[PCI] is the bottom line to maintain; that's the floor, not the ceiling."
This was a lesson learned too late for old CardSystems.
8 tips to ensure your customers' personally identifiable information stays safe.
Plan for one layer of your security controls to be bypassed: A stolen employee password should not provide the keys to the castle.
Review and understand data retention rules. Do not retain personal information longer than required; ensure your practices are safe and within policy.
Conduct annual third-party security audits: Audits help you understand gaps and reduce risk. Implement suggested changes. If an audit sounds scary, your security is inadequate.
Employ need-to-know access: Allow access to data on a need-to-know basis; record and audit that access.
Protect from the inside out: Often, the same controls that prevent employees from acting beyond their privilege will also prevent an attacker from gaining elevated access.
Prioritize risks: Classify data as sensitive and critical to the organization. Secure the database where it lives.
Encrypt backups: One of the most common losses of data results from missing backups.
Verify partner security standards: Ensure that service providers maintain security best practices in line with industry and organizational standards.
Sources: Jon Orbeton, Check Point Software Technologies, Zone Labs division; Adrian Lane, IPLocks