Getting through that Compliance-Only Mindset

December 1, 2016

We all need to work with leaders and other influencers who hold “compliance” as their prime (sometimes, only) risk management driver.   Sure, that is tiring and sometimes disheartening, but they are not going away…  In the course of your efforts to advance effective information and operations security, motivating these individuals can be a challenge.  Because large scale financial services enterprises in the United States do business across the country, it is sometimes helpful to be able to demonstrate the scope of legislation (not regulation) that applies to various aspects of information and cyber security.  Below is a collection of lists of laws on related information security topics from the National Conference of State Legislatures (http://www.ncsl.org/aboutus.aspx) that may help you on that front.  I’ve included a couple of global resources as well, but that information is far more limited than what is available to me about U.S. state laws.

At the story-telling level, one might use this list to demonstrate why it is critical to create, acquire, evolve and maintain ________ (this may be context-specific, use whatever is applicable: software, networks, servers, endpoints, databases, appliances, etc…) that are audit-ready, resilient and resistant to attack, and that protect sensitive resources & transactions and deliver the intended levels of service even while under attack.  I am not a lawyer and this is not legal advice!  But I believe that given the scope and complexity of the laws involved, along with the velocity of change, attempting to achieve and maintain tight compliance alignment with all applicable laws & regulations would be vastly more expensive than focusing on fielding safe-enough software, infrastructure, and operations.

What do you think?

List of U.S. Security Breach Notification Laws:

Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

A running list of U.S. security breach-related legislation by year (2010 to present):

http://www.ncsl.org/research/telecommunications-and-information-technology/overview-security-breaches.aspx

List of U.S. Data Disposal Laws:

At least 31 states and Puerto Rico have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.
http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx

List of U.S. Identity Theft Laws:

http://www.ncsl.org/research/financial-services-and-commerce/identity-theft-state-statutes.aspx
Identity theft occurs when someone uses another person’s personally identifying information, like a person’s name, Social Security number, or credit card number or other financial information, without permission, to commit fraud or other crimes.
This chart summarizes the identity theft criminal penalties, restitution and identity theft passport laws. Every state has a law regarding identity theft or impersonation. Twenty-nine states, Guam, Puerto Rico and the District of Columbia have specific restitution provisions for identity theft. Five states—Iowa, Kansas, Kentucky, Michigan and Tennessee—have forfeiture provisions for identity theft crimes. Eleven states—Arkansas, Delaware, Iowa, Maryland, Mississippi, Montana, Nevada, New Mexico, Ohio, Oklahoma and Virginia—have created identity theft passport programs to help protect victims from continuing identity theft.

List of U.S. Cybersecurity Legislation for 2016:

http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2016.aspx
Cyber threats have enormous implications for government security, economic prosperity and public safety. States are addressing cybersecurity through various approaches, such as:

  • Requiring government or public agencies to implement security practices
  • Offering incentives to the cybersecurity industry
  • Providing exemptions from public records laws for security information
  • Creating cybersecurity commissions, studies or task forces
  • Promoting cybersecurity education.

Same for 2015:
http://www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2015.aspx

List of U.S. Computer Crime Statutes:

http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx
Computer crime laws encompass a variety of actions that destroy or interfere with normal operation of a computer system including hacking, unauthorized access, and malware, among others.

List of U.S. State Laws Associated with Phishing:

http://www.ncsl.org/research/telecommunications-and-information-technology/state-phishing-laws.aspx
Through 1/9/2015.
Phishing is a scam where fraudsters send spam or text messages or create deceptive websites to lure personal or financial information from unsuspecting victims.

U.S. State Spyware Laws

http://www.ncsl.org/research/telecommunications-and-information-technology/state-spyware-laws.aspx
Last update: 12/3/2015
Spyware, also sometimes called adware, is software that can track or collect the online activities or personal information of Web users, change settings on users’ computers, or cause advertising messages to pop up on users’ computer screens.  Web users are often unaware that spyware has been downloaded to their computers, and even when found, it can be very difficult to remove.
Twenty states, Guam and Puerto Rico have laws targeting spyware. Other states have laws that address computer crime, fraudulent or deceptive practices or identity theft and that possibly could apply to some practices involving spyware.

Also:

Perkins Coie’s list of U.S. State Security Breach Notification Laws:

https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
(Last Revised June 2016)
Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification.  The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.  Lawyers, compliance professionals, and business owners have told Perkins Coie that the chart has been helpful when preparing for and responding to data breaches.
This resource includes more detail than most of the links listed above.

DLA Piper “Data Protection Laws of the World”

Interactive Map Of Notification Status and more.
https://www.dlapiperdataprotection.com/index.html#handbook/world-map-section
Interactive map highlighting breach notification rules and regulations (per country). The colors of the countries below represent a data breach risk index. Red is the highest, orange is high, yellow is elevated, blue is general, and green is low risk.
There is also an on-demand PDF version of “Data Protection Laws of the World” available from DLA Piper at:
https://www.dlapiperdataprotection.com/system/modules/za.co.heliosdesign.dla.lotw/functions/export.pdf?country=all
When downloaded on November 29, 2016, this was a 510 page document covering 98 countries and jurisdictions, including: Angola, Argentina, Australia, Austria, Belarus, Belgium, Bosnia and Herzegovina, Brazil, British Virgin Islands, Bulgaria, Canada, Cape Verde, Cayman Islands, Chile, China, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Germany, Ghana, Gibraltar, Greece, Guernsey, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Jersey, Latvia, Lesotho, Lithuania, Luxembourg, Macau, Macedonia, Madagascar, Malaysia, Malta, Mauritius, Mexico, Monaco, Montenegro, Morocco, Netherlands, New Zealand, Nigeria, Norway, Pakistan, Panama, Peru, Philippines, Poland, Portugal, Romania, Russia, Saudi Arabia, Serbia, Seychelles, Singapore, Slovak Republic, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Thailand, Trinidad and Tobago, Turkey, UAE – Dubai (DIFC), UAE – General, Ukraine, United Kingdom, United States, Uruguay, Venezuela, and Zimbabwe.

The page below provides a brief summary of the requirements of each of the 47 U.S. state data breach notification laws as of August 2014.
http://www.itgovernanceusa.com/data-breach-notification-laws.aspx


5 Ways InfoSec Adds Value

November 28, 2016

Effective information and operations security is essential for all global financial services enterprises.

Even so, in my workplace it seems like we rarely summarize ways that it delivers value in that arena.

Last week Travis Greene, Identity Solutions Strategist at Micro Focus, shared his list:

#1 IT security saves money
#2 IT security retains customers
#3 IT security improves productivity
#4 IT security will help you keep your job
#5 IT security is ethical

Take a look at the full article to see why he poses these assertions.
http://www.securityweek.com/five-reasons-be-thankful-it-security

REFERENCES:

Five Reasons to be Thankful for IT Security
http://www.securityweek.com/five-reasons-be-thankful-it-security
By Travis Greene


This Just In: Water is Wet

November 10, 2016

I received a link this morning from a colleague about office space.  It was an entertaining and interesting diversion from the all too often inward-focused grind.

It reminded me that other fields, not only Information Security, seem to suffer from unproductive, unbusiness-like amounts of “hope as a strategy”, unearned & misplaced trust, faith-based belief systems, flimflam, misdirection, puff, raw emotion, as well as lots of hype & hype-sters.

The article linked below is a quick read about alternative ways to frame some of the current blather about how reshaping the office environment necessarily leads to business benefits.  If you find this topic of interest, it appears to be the focus of some adult attention & analysis — see your favorite search engine for more.  If you are really interested, search on “herd behavior” and on “cognitive traps.”  There are many paths to broadly shared beliefs in “solutions” that are both unsupported by and contradicted by what often seem to be easy to grasp facts.  We still face lavish challenges.

REFERENCE:
“The Myths behind Brainstorming, Open Office Plans, and Collaboration.”
By Linda Hayes – November 3, 2016
https://www.techwell.com/techwell-insights/2016/11/myths-behind-brainstorming-open-office-plans-and-collaboration


DataLoss Eye Candy – Enhance Your Message

October 31, 2016

It is still important to deliver messages that influence…

Good visuals have a way of imprinting, and of adding context that sticks with a good argument.

A collection of researchers, along with some design & coding help just released an update to their “World’s Biggest Data Breaches” graphic.  It uses color, size, location along a timeline, and additional interactive data to document selected data loss greater than 30,000 records between 2004 and October 2016.

It seems like one of those resources that will be useful in a number of contexts.  [For example: Have you ever been asked “Why do I have to change my password — again…?  — One answer: Because in a world where humans too often reuse passwords across systems, passwords are no longer ‘durable.’  Look at this illustration to see how many have been stolen over the last decade…]

Use it to help goose up your risk management stories:

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks .

REFERENCES:

“World’s Biggest Data Breaches — Selected losses greater than 30,000 records.”
(updated 15th Oct 2016 Version 1.095)
Research: Miriam Quick, Ella Hollowood, Christian Miles, Dan Hampson; Design & concept: David McCandless; Code: Tom Evans.
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

A static version from early 2015: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-static/


Protect Your USB

September 19, 2016

Physical and logical PC controls still matter.

Just one more reason to resist the shared madness of “bring your own device” and/or “anywhere/anytime/any-endpoint” in global Financial Services.  We hold trillions of dollars for our customers (under the guise of a broad and evolving range of relationships)!  To add value to those relationships, we turn that money into units that are inter-business (and Internet) friendly to enable complex webs of financial transactions and services.  The concentration of “cash” and its transformation into bits results in an attractive target for hostile parties of many types.  How could endpoint anarchy ever be a risk-appropriate behavior for any but a microscopically few roles within our ranks?  It seems like something we should expect to fail the “reasonable person” test.

I was just catching up on some of my random reading and bumped into this demonstration of Windows credential stealing with just 15 seconds of access to a PC’s USB port.

15 seconds of social engineering is not that hard to pull off, so all you have left are serious controls administering the use of your USB ports, physically destroying your USB ports (yes, that is a serious option), along with multi-layer physical & logical security to the location of the PC at any given time.

Take a look at the video below along with the supporting paper.  Then voice your professional opinion and conscience wherever appropriate to resist elevated risk endpoint behaviors.  And if your role permits, ensure that your Financial Services organization has the goals and resources to effectively deal with attacks like the ones enabled by this automated, USB enabled assault.
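One concrete form of “serious controls administering the use of your USB ports” on Windows is the Device Installation Restrictions policy, which refuses to install any newly inserted device whose setup class is not on an allow-list. The following is an added example written for this post; it is not code from the original post or from Hak5. It assumes that the attack depends on Windows automatically installing a freshly plugged-in USB device (the post does not describe the mechanism in detail), and the allow-list of device classes is an illustrative assumption that a real deployment would tailor and test.

```powershell
# Added example (not from the original post or from Hak5).
# Enforces a Windows device-installation allow-list so that a newly inserted
# USB device of an unapproved setup class (for instance a network adapter,
# class {4d36e972-e325-11ce-bfc1-08002be10318}) is not installed.
# Assumption: the attack relies on Windows auto-installing a new USB device.
# The registry values mirror the Group Policy settings under
# Computer Configuration > Administrative Templates > System > Device Installation
# > Device Installation Restrictions. Run elevated; in production use a domain GPO.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Illustrative allow-list (assumption): setup classes a locked-down workstation
# still needs to be able to install. Anything else is refused at install time.
$AllowedClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}',  # Mouse
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}',  # HIDClass
    '{4d36e96e-e325-11ce-bfc1-08002be10318}',  # Monitor
    '{4d36e96c-e325-11ce-bfc1-08002be10318}'   # Media (audio)
)

# Weak (default) state: DenyUnspecified is absent or 0, so any device Windows
# has a driver for, including a USB Ethernet adapter, installs silently.
$current = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue
if (-not $current -or $current.DenyUnspecified -ne 1) {
    Write-Warning 'Device installation is unrestricted on this host.'
}

# Hardened state.
New-Item -Path "$Restrictions\AllowDeviceClasses" -Force | Out-Null
# "Prevent installation of devices not described by other policy settings"
Set-ItemProperty -Path $Restrictions -Name DenyUnspecified -Type DWord -Value 1
# "Allow installation of devices using drivers that match these device setup classes"
Set-ItemProperty -Path $Restrictions -Name AllowDeviceClasses -Type DWord -Value 1
$index = 1
foreach ($guid in $AllowedClasses) {
    Set-ItemProperty -Path "$Restrictions\AllowDeviceClasses" -Name $index -Type String -Value $guid
    $index++
}

# Verify the policy values that were written.
Get-ItemProperty -Path $Restrictions | Select-Object DenyUnspecified, AllowDeviceClasses
Get-ItemProperty -Path "$Restrictions\AllowDeviceClasses"

# Audit: the policy only blocks new installs, so list network adapters that
# already arrived over USB and decide whether they belong on this machine.
Get-PnpDevice -Class Net -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USB\*' } |
    Select-Object FriendlyName, InstanceId, Status
```

Two caveats a practitioner should keep in mind. First, without the “retroactive” variants of these settings the policy leaves already-installed devices alone, which is why the audit at the end matters. Second, an allow-list is only as narrow as its entries: if the HID or Keyboard class stays allowed, a USB device that presents itself as a keyboard will still install, so the physical and logical access controls the post calls for remain necessary alongside this policy.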

REFERENCES:

15 Second Password Hack, Mr Robot Style
Video:
https://www.hak5.org/episodes/season-21/hak5-2101-15-second-password-hack-mr-robot-style
Supporting Paper
https://www.hak5.org/blog/15-second-password-hack-mr-robot-style


4 Agile Security Principles

August 30, 2016

Yesterday Cigital proposed a set of principles to complement the Agile Manifesto.  Authors of the Agile Manifesto emphasized:

  1. Individuals and interactions over processes and tools
  2. Working software over comprehensive documentation
  3. Customer collaboration over contract negotiation
  4. Responding to change over following a plan

Cigital offers four principles to help address inefficiencies that too often slow application security. They intend that these four principles will “guide and inspire us to build secure software in an agile way.”

  1. Rely on developers and testers more than security specialists.
  2. Secure while we work more than after we’re done.
  3. Implement features securely more than adding on security features.
  4. Mitigate risks more than fix bugs.

I assume that Cigital built their list in the Agile Manifesto model, as an expression of their valuing the items on the right — just not as much as they value the items on the left.  Not only do these principles align with and extend the original Agile Manifesto, it seems like they may also help information and software security organizations scale their efforts.  None of us has all the resources we need.  Sensitive use of the “Cigital four” listed above may help us build capacity…

These seem like an excellent resource for those leading secure software efforts as well as for architects, designers, product owners — anyone attempting to influence software quality while managing software induced risks to appropriate levels.

RESOURCES

Cigital: https://www.cigital.com/

The Agile Manifesto: http://agilemanifesto.org/

Cigital’s 4 Principles: https://www.cigital.com/resources/ebooks-and-whitepapers/agile-security-manifesto-principles/

There is no single “Agile” way: https://en.wikipedia.org/wiki/Agile_software_development#Agile_methods



DevOpsSec Report from O’Reilly

July 10, 2016

O’Reilly continues to support secure software efforts — and by extension secure options on the Internet.  Last month they released “DevOpsSec: Securing Software through Continuous Delivery” by Jim Bird.

The Agile and DevOpsSec worlds have a lot of intersection & overlap, and the challenges of emitting risk-appropriate applications remain for both.  This 86 page report includes adult content for using infrastructure, specific development & operations practices, security-centric development resources, and code to satisfy your risk management obligations, along with recommendations for “proving” that your apps are “secure-enough.”  At 86 pages this report is not comprehensive, and it does not attempt to be.  Like many other aspects of Agile activities, it attempts to help us quickly learn some things about how to move our position closer to “secure-enough.”

It is also “free” [for a name and email address].  For anyone involved in Financial Services software development, I strongly recommend this quick read.

REFERENCES

DevOpsSec: Securing Software through Continuous Delivery. http://www.oreilly.com/webops-perf/free/devopssec.csp

O’Reilly: http://www.oreilly.com/


