Israeli Software

switched.com is having trouble understanding the attack vector of a data breach.  They apparently believe that  software vulnerabilities can be mitigated by consumers “actively protecting their information”.

Hackers recently attacked WellPoint, a health insurer which reportedly covers 34 million people. As a result of the breach, the company notified 470,000 individual customers that confidential information, including medical records and credit card numbers, may have been compromised. It’s imperative that consumers actively protect their information (sic), because cyber-criminals have accessed at least 358,400,000 records belonging to U.S. citizens over the past five years. [From: CBS News]

I recommend treating passwords like  cash, but give me a break. If over 350 million credit card records have been breached, then active protection measures are useless since your credit card is already disclosed.

Together with gems of  security naiveté in the American press,  we can add another round of US-European political infighting over who has a bigger schlong.

The Solvency II European insurance supervision directive is “not as comprehensive and transparent” as US regulation, according to New York’s state insurance regulator. Jim Wrynn, superintendent of the New York State Insurance Department, also criticised efforts by stakeholders in the process of the European regulatory overhaul to deny equivalence status to the US while its state-based regulation remains in place…Wrynn was critical of (the Solvency II) approach, and described the current US model as “a well-tested and comprehensive regime”. [From: risk.net]

I suppose that AIG and Wellpoint don’t count.

Reading through the trade press, DLP vendor marketing collateral and various forums on information security,  the conventional wisdom is that the key threat to an organization is trusted insiders. This is arguable – since it depends on your organization, the size of the business and type of operation.   However -

This is certainly true at a national security level where trusted insiders that committed espionage have caused considerable damage.  MITRE Corporation – Detecting Insider Threat Behavior

There are three core and interrelated problem in modern data security:

You may say – fine, let’s spend more time observing employee behavior and educate supervisors for tell-tale signs of change that may indicate impending involvement in a crime.

However – malicious outsiders (criminals, competitors, terrorists…) that may exploit employees in order to obtain confidential data is just another vulnerability in a whole line of business vulnerabilities.  Any vulnerability must be considered within the context of a threat model – the organization has assets that are damaged by threats that exploit vulnerabilities that are mitigated by countermeasures.   The organization needs to think literally  outside the box and at least attempt to identify new threats and vulnerabilities.

The issue is not that employees can be bought or manipulated, the issue is that government and other hierarchical organizations use a fixed system of security controls.  In reducing the organization’s security to passive executives of defense rules in their procedures and firewalls, we ignore the extreme ways in which attack patterns change over time. Any control policy that is presumed optimal today is likely to be obsolete tomorrow.  It is a fair assumption that an organization that doesn’t change data security procedures frequently – will provide an insider with  enough means, opportunity and social connectivity to game the system and once he or she has motivation – you have a crime.

Learning about change and changing your security systems must be at the heart of day-to-day security management.