Tag Archives: Information assurance

The connection between porn, fraud and data breaches

Are organizations with higher exposure to online porn and gambling more likely to have a higher incidence of data breach incidents?

Coming on the heels of recent Israeli credit card breach incidents, the reports of suspected fraud and money laundering at ICC-Cal are, at the very least, bad timing for Israeli security and compliance.

Last week the Israeli business daily Globes reported that Boaz Chechik, former CEO of ICC (Israel Credit Cards Corp., a major Visa issuer and acquirer in Israel), was held for questioning by the Israel Police National Fraud Squad on suspicion of fraud and money laundering:

The Israel Police National Fraud Squad today questioned Boaz Chechik, the former CEO of Israel Credit Cards-Cal Ltd. (ICC-Cal) (Visa) and chairman of ICC-Cal International Ltd. on suspicion of filing false corporate documents, violating the Prevention of Money Laundering Law (5760-2000), fraudulent receiving, breach of trust, and violating Bank of Israel procedures and international credit card regulations in 2006-09.

The investigation was opened after the discovery of false corporate documents of ICC subsidiary ICC International. The documents concealed the character of foreign gambling and pornography companies, whose charges may not be cleared under ICC regulations. The investigation raised suspicion that ICC International made hundreds of millions of shekels in profits from the forbidden operations.

Is there a correlation between fraud, porn and data breaches?

As Rich Mogull noted on his Securosis blog back in 2008, breach notification statistics don't tell us anything at all about fraud or the real state of data breaches:

The statistics we’re all using are culled from breach notifications- the public declarations made by organizations (or the press) after an incident occurs. All a notification says is that information was lost, stolen, or simply misplaced. Notifications are a tool to warn individuals that their information was exposed, and perhaps they should take some extra precautions to protect themselves. At least that’s what the regulations say, but the truth is they are mostly a tool to shame companies into following better security practices, while giving exposed customers an excuse to sue them.

But notifications don’t tell us a damn thing about how much fraud is out there, and which exposures result in losses.

The IT Law Wiki reports that according to a June 2007 GAO report, there is no clear correlation between data security breaches and identity theft:

The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft. However, available data and interviews with researchers, law enforcement officials, and industry representatives indicated that most breaches have not resulted in detected incidents of identity theft, particularly the unauthorized creation of new accounts.

So there is no data. What are you going to do now?

Not having data, I do what any sensible physicist does given a limited amount of time and resources and lack of hard data: build a hand-waving argument based on a simple-minded 3 parameter model.

My hand-waving argument shows that there is a correlation between fraud, porn and data breach; i.e. an organization that has one type of violation is likely to have other types of violations as well, when three conditions hold:

  1. High porousness of the enterprise network: A porous corporate network simply invites attackers in and invites trusted insiders to take the good stuff out.
  2. Low level of ethics of top executives: Executives should be taking leadership positions in security and compliance as an example to the rest of the employees and as proof that they believe that good security is key to protecting customers. When a top executive doesn’t let internal risk management guidelines get in the way of his personal goals, it sets the stage for additional fraud at lower echelons and fosters an environment where it’s OK to take company documents, just as long as you don’t get caught.
  3. Minimal network monitoring: Organizations with minimal network monitoring are living a life of ignorance that is bliss. If the network is porous and there is no security and compliance leadership, then a fraud event, or a violation of company policy regarding fraud, online gambling or sexual harassment in the workplace, will simply not be detected. Security and fraud violations that are not detected cannot be used for corrective action or future deterrence.

So, if your organization has two out of three of the above, it stands a higher likelihood of fraud and data loss.

Conversely, if you have a tightly managed network, management leadership and strong network monitoring, including monitoring for outbound data loss events, you will probably not run into any executive colleagues at the offices of the National Fraud Squad.


The effectiveness of access controls

With all due respect to Varonis and access controls in general (SharePoint alone is a fertile market for data security), the problem with internally launched attacks is that they are carried out by the "right" people, or by software agents that have the "right" access rights.

There are 3 general classes of internal attacks that are never going to be mitigated by access controls:

Trusted insider theft

A trivial example is the director of new technology development at a small high-tech startup, who has access to the entire company's IP: the competitive analyses, the patent applications and the minutes of conversations with everyone who ever stopped in to talk about the startup's technology. That person has access by definition, so when he takes the data and pulls it out of the network through a back door, a proxy, an HTTP GET, a plain USB stick or a Gmail account, there is no way an Active Directory access control will flag that as "anomalous behavior": every single read was authorized.
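To make the point concrete, here is an added example (my own illustration, not code from the original post or from any vendor): an access-control check placed next to a simple egress-anomaly detector, both run over a handful of constructed file-access log lines. The ACL, the user names, the document paths, the destinations and the per-user baseline figures are all hypothetical. The director's reads all pass the ACL; what catches the exfiltration is the volume and destination check, which is the kind of outbound monitoring an access control cannot provide.

```python
"""
Added example, not code from the original post: an access-control check next
to a simple egress-anomaly detector, both run over constructed file-access
log lines. The ACL, user names, document paths, destinations and baseline
figures are all hypothetical.
"""
from collections import defaultdict

# Hypothetical ACL: path prefixes each user may read. The director of new
# technology legitimately has all of them, so no read of his is "wrong".
ACL = {
    "dir_tech": ("ip/", "patents/", "competitive/", "minutes/"),
    "dev_jane": ("ip/",),
}

# Hypothetical learned baseline of normal daily activity per user:
# (bytes read per day, distinct documents per day).
BASELINE = {
    "dir_tech": (2_000_000, 2),
    "dev_jane": (500_000, 3),
}

# Destinations that count as staying inside the network.
INTERNAL_DESTS = {"smb://fileserver", "https://sharepoint.corp"}

# Constructed log lines (not real data):
# timestamp user action path bytes destination
LOG = """\
2012-01-09T09:02:11 dir_tech READ ip/core-algo.docx 240000 smb://fileserver
2012-01-09T10:14:03 dir_tech READ minutes/acme-visit.docx 80000 smb://fileserver
2012-01-09T11:30:45 dev_jane READ ip/core-algo.docx 240000 smb://fileserver
2012-01-10T22:01:09 dir_tech READ ip/core-algo.docx 240000 usb://sdb1
2012-01-10T22:01:30 dir_tech READ ip/roadmap.pptx 5400000 usb://sdb1
2012-01-10T22:02:12 dir_tech READ patents/app-0417.pdf 3100000 usb://sdb1
2012-01-10T22:03:50 dir_tech READ competitive/rivals-2011.xlsx 900000 https://mail.google.com
2012-01-10T22:05:02 dir_tech READ minutes/acme-visit.docx 80000 https://mail.google.com
2012-01-10T22:05:40 dir_tech READ minutes/beta-corp.docx 120000 https://mail.google.com
2012-01-10T22:06:15 dir_tech READ minutes/vc-pitch.docx 150000 https://mail.google.com
"""


def parse_log(text):
    """Turn the space-separated log lines into event dicts keyed by day."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, nbytes, dest = line.split()
        events.append({"day": ts[:10], "user": user, "action": action,
                       "path": path, "bytes": int(nbytes), "dest": dest})
    return events


def acl_permits(user, path):
    """The access-control decision: does the user's ACL cover this path?"""
    return any(path.startswith(prefix) for prefix in ACL.get(user, ()))


def egress_anomalies(events, factor=3):
    """Per (user, day): flag bytes or distinct documents above factor x the
    user's baseline, and every destination outside the internal set.
    Returns {(user, day): [reason, ...]} for flagged days only."""
    bytes_by = defaultdict(int)
    docs_by = defaultdict(set)
    ext_by = defaultdict(set)
    for e in events:
        key = (e["user"], e["day"])
        bytes_by[key] += e["bytes"]
        docs_by[key].add(e["path"])
        if e["dest"] not in INTERNAL_DESTS:
            ext_by[key].add(e["dest"])

    findings = {}
    for key, total in bytes_by.items():
        base_bytes, base_docs = BASELINE[key[0]]
        reasons = []
        if total > factor * base_bytes:
            reasons.append(f"{total} bytes > {factor}x baseline {base_bytes}")
        if len(docs_by[key]) > factor * base_docs:
            reasons.append(f"{len(docs_by[key])} docs > {factor}x baseline {base_docs}")
        reasons.extend(f"external destination {d}" for d in sorted(ext_by[key]))
        if reasons:
            findings[key] = reasons
    return findings


def run(log_text=LOG):
    """Access control passes every read; the egress check is what flags day two."""
    events = parse_log(log_text)
    denied = [e for e in events if not acl_permits(e["user"], e["path"])]
    return denied, egress_anomalies(events)


if __name__ == "__main__":
    denied, findings = run()
    print("ACL denials:", len(denied))
    for (user, day), reasons in findings.items():
        print(f"{user} {day}:")
        for r in reasons:
            print("  ", r)
```

Run as a script it reports zero ACL denials and one flagged (user, day) with four reasons: the byte volume, the document count and the two external destinations. The baseline is the part that matters in practice: without a learned per-user norm, the same thresholds would either drown the director's ordinary Monday in alerts or miss a slow trickle spread over weeks, which is why the check is per user and per day rather than a global limit.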

Social engineering

Collusion between insiders, gaming the system, or taking advantage of friends and of the DHL messengers who go in and out of the office all day with their bags.

Side channel attacks

Detecting data at a distance, for example with acoustic or TEMPEST attacks, or simply watching parking lot traffic patterns.


Data security metrics

Anything can be measured. As Bertrand Russell wrote:

All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.

This is one of the talks I gave at our weekly Thursday seminar; register here for the webinar.

The talk discusses how data security metrics can be used in a value-based approach to security, providing examples of security metrics and a number of practical measurement techniques. The talk also shows how security metrics are used in quantitative risk modeling in order to calculate Value at Risk of information assets and justify security investments by reducing risk at lower costs.
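As an added illustration of the last point (my own example, not the model used in the talk and not code from the post), here is a minimal annualised-loss model: each threat is priced as probability times damage to an asset, countermeasures scale down the probability of the threats they address, and controls are ranked by loss avoided per dollar of annual cost. Every asset value, probability, damage fraction, cost and mitigation factor below is hypothetical.

```python
"""
Added example, not code from the talk or the post: a minimal annualised-loss
model that prices risk per asset, then ranks countermeasures by risk reduced
per dollar of annual cost. Asset values, threat probabilities, damage
fractions, countermeasure costs and mitigation factors are all hypothetical.
"""

# Hypothetical information assets and their value in dollars.
ASSETS = {"customer-db": 5_000_000, "source-code": 2_000_000}

# Hypothetical threats: name -> (asset, annual probability, fraction of value lost).
THREATS = {
    "sql-injection": ("customer-db", 0.30, 0.40),
    "insider-exfil": ("source-code", 0.10, 0.50),
    "lost-laptop": ("customer-db", 0.20, 0.05),
}

# Hypothetical countermeasures: name -> (annual cost, {threat: fraction of
# that threat's probability removed}).
COUNTERMEASURES = {
    "waf": (60_000, {"sql-injection": 0.7}),
    "dlp-egress": (90_000, {"insider-exfil": 0.6}),
    "disk-encryption": (20_000, {"lost-laptop": 0.9}),
}


def combined_mitigation(names):
    """Independent controls combine per threat as 1 - prod(1 - m_i)."""
    residual = {}
    for name in names:
        _cost, mit = COUNTERMEASURES[name]
        for threat, m in mit.items():
            residual[threat] = residual.get(threat, 1.0) * (1.0 - m)
    return {t: 1.0 - r for t, r in residual.items()}


def annual_loss(mitigation=None):
    """Expected annual loss: sum over threats of probability x damage.
    This is the value-at-risk figure in the simple annualised-loss sense."""
    mitigation = mitigation or {}
    total = 0.0
    for threat, (asset, prob, frac) in THREATS.items():
        prob *= 1.0 - mitigation.get(threat, 0.0)
        total += prob * ASSETS[asset] * frac
    return total


def rank_countermeasures():
    """Each control on its own: (name, loss avoided, annual cost, avoided per
    dollar), best ratio first."""
    base = annual_loss()
    rows = []
    for name, (cost, mit) in COUNTERMEASURES.items():
        avoided = base - annual_loss(mit)
        rows.append((name, avoided, cost, avoided / cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def plan_risk(names):
    """Residual annual loss and total annual cost of applying a set of controls."""
    residual = annual_loss(combined_mitigation(names))
    cost = sum(COUNTERMEASURES[n][0] for n in names)
    return residual, cost


if __name__ == "__main__":
    print(f"baseline annual loss: {annual_loss():,.0f}")
    for name, avoided, cost, ratio in rank_countermeasures():
        print(f"{name:16s} avoids {avoided:>10,.0f} for {cost:>7,} ({ratio:.2f} per dollar)")
    residual, cost = plan_risk(["waf", "disk-encryption"])
    print(f"waf + disk-encryption: residual {residual:,.0f} at cost {cost:,}")
```

With these made-up numbers the baseline annual loss is 750,000, and the ranking puts the cheap disk encryption ahead of the expensive DLP control because it buys more avoided loss per dollar, which is exactly the argument a metrics-driven budget has to make. The model is deliberately simple: it assumes controls act independently on probability and ignores damage reduction, correlated threats and the uncertainty of the inputs, all of which a real quantitative risk model has to deal with.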
