Archive for the ‘Identity theft’ Category

The Soylent Green of “Epic Hacks” – It’s Made of PEOPLE!

August 7th, 2012

Allow me to immediately state that I am, in no way, attempting to blame or shame the victim in my editorial below.

However, the recent rash of commentary from security wonks on Twitter and blogs regarding who is to “blame” in Mat Honan’s unfortunate experience leaves me confused and misses an important point.

Firstly, the title of the oft-referenced article documenting the series of events is at the root of my discontent:

How Apple and Amazon Security Flaws Led to My Epic Hacking

As I tweeted, my assessment and suggestion for a title would be:

How my poor behavior led to my epic hacking & flawed trust models & bad luck w/Apple and Amazon assisted

…especially when coupled with what is clearly an admission by Mr. Honan, that he is, fundamentally, responsible for enabling the chained series of events that took place:

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Those security lapses are my fault, and I deeply, deeply regret them.

The important highlighted snippets above are obscured by the salacious title and by the bulk of the article, which focuses on how the services he enabled and relied upon — however flawed certain components of that trust and process may have been — are *really* at the center of the debate here.  Or ought to be.

There’s clearly a bit of emotional transference occurring.  It’s easier to associate causality with a faceless big corporate machine rather than swing the light toward the victim, even if he, himself, self-identifies.

Before you think I’m madly defending and/or suggesting that there weren’t breakdowns with any of the vendors — especially Apple — let me assure you I am not.  There are many things that can and should be addressed here, but leaving out the human element, the root of it all here, is dangerous.

I am concerned that as a community there is often an air of suggestion that consumers are incapable and inculpable with respect to understanding the risks associated with the clicky-clicky-connect syndrome that all of these interconnected services bring.

People give third party applications and services unfettered access to services like Twitter and Facebook every day — even when messages surrounding the potential incursion of privacy and security are clearly stated.

When something does fail — and it does and always will — we vilify the suppliers (sometimes rightfully so for poor practices) but we never really look at what we need to do to prevent having to see this again: “Those security lapses are my fault, and I deeply, deeply regret them.”

The more interconnected things become, the more dependent upon flawed trust models and the expectations that users aren’t responsible we shall be.

This is the point I made in my presentations: Cloudifornication and Cloudinomicon.

There’s a lot of interesting discussion regarding the effectiveness of security awareness training.  Dave Aitel started a lively one here: “Why you shouldn’t train employees for security awareness”

It’s unfortunate that the only real way people learn is through misfortune, and any way you look at it, that’s the thing that drives awareness.

There are many lessons we can learn from Mr. Honan’s unfortunate experience…I urge you to consider less focusing blame on one link in the chain and instead guide the people you can influence to reconsider decisions of convenience over the potential tradeoffs they incur.

/Hoff

P.S. For you youngsters who don’t get the Soylent Green reference, see here.  Better yet, watch it. It’s awesome. Charlton Heston, FTW.

P.P.S. (Check out the sentiment of all the articles below)


Generalizing About Security/Privacy as a Competitive Advantage is a Waste of Perfectly Good Electrons

September 4th, 2007
Curphey gets right to the point in this blog post by decrying that security and privacy do not constitute a competitive advantage to those companies who invest in it because consumers have shown time and time again that despite breaches of security, privacy and trust, they continue to do business with them.  I think.

He tends to blur the lines between corporate and consumer "advantage" without really defining either, but does manage to go so far as to hammer the point home with allegory that unites the arguments of security ROI, global warming and the futility of IT overall.  Time for coffee and some happy pills, Mark? 😉

Just for reference, let’s see how those goofy Oxfordians define "advantage":

advantage |ədˈvantij| noun a condition or circumstance that puts one in a favorable or superior position : companies with a computerized database are at an advantage | she had an advantage over her mother’s generation. • the opportunity to gain something; benefit or profit : you could learn something to your advantage | he saw some advantage in the proposal. • a favorable or desirable circumstance or feature; a benefit : the village’s proximity to the town is an advantage. • Tennis a player’s score in a game when they have won the first point after deuce (and will win the game if they win the next point). verb [ trans. ] put in a favorable or more favorable position.

Keep that in your back pocket for a minute.

OK, Mark, I’ll bite:

Many security vendors army of quota carrying foot soldiers brandish their excel sheets that prove security is important and why you should care. They usually go on to show irrefutable numbers demonstrating security ROI models and TCO. I think its all “bull shitake”!

…and those armies of security drones are fueled by things like compliance mandates put forth by legislation as a direct result of things like breaches, so it’s obviously important to someone.  Shitake or not, those "someones" are also buying.

You’ve already doomed this argument by polarizing it with the intractable death ray of ROI.  We’ve already gone ’round and ’round on the definition of "value" as it relates to ROI and security, so a good majority of folks have already signed off and aren’t reading past this point…yet I digress.

Wired has the scoop:

Privacy is fast becoming the trendy concept in online marketing. An increasing number of companies are flaunting the steps they’ve taken to protect the privacy of their customers. But studies suggest consumers won’t pay even 25 cents to protect their data.

Why should consumers pay anything to protect their data!? Security and privacy are table stakes expectations (see below) on the consumer front.  Companies invest millions in security and compliance initiatives driven by legislation brought on by representatives in local, state and federal government to help make it so.  Furthermore, given the fact that if someone utilizes my credit card to commit fraud, I’m not responsible; it’s written off!  If you change the accountability model, you can bet consumers would be a little more concerned with protecting their data.  I wager they’d pay a hell of a lot more than $0.25 for it, too.

They aren’t, because despite being inconvenienced, they don’t care.  They don’t have to.  But before you assume I’m just agreeing with your point, read on.

After the TJX debacle I remember seeing predictions that people will vote with their feet. Of course they didn’t, sales actually went up 9%. The same argument was made for Ruby Tuesdays who lost some credit cards. It just doesn’t happen. Lake Chad and disasters on a global scale continue to plague us due to climate change yet still people refuse to stop buying SUV’s.

See previous paragraph above.   When bad things happen, consumers expect that someone will put the hammer down and things will get better.  New legislation.  More safeguards.  Extended protection. They often do. 

Furthermore, with your argument, one could suggest that security/privacy have become a competitive advantage for TJX now since given their uptake and revenues, the following definition seems to apply:

Competitive advantage (CA) is a position that a firm occupies in its competitive landscape. Michael Porter posits that a competitive advantage, sustainable or not, exists when a company makes economic rents, that is, their earnings exceed their costs (including cost of capital). That means that normal competitive pressures are not able to drive down the firm’s earnings to the point where they cover all costs and just provide minimum sufficient additional return to keep capital invested. Most forms of competitive advantage cannot be sustained for any length of time because the promise of economic rents drives competitors to duplicate the competitive advantage held by any one firm.

It looks to me that based upon your argument, TJX benefited not only from their renewed investment in security/privacy but from the breach itself!  I think the last statement resonates with your Carr commentary (below), but you aren’t talking about "sustainable" competitive advantage.  Or are you?

Right, wrong or indifferent, this is how it works.  Corporate incrementalism is an acceptable go to market strategy to overall bolster one’s strategy over a competitor; it’s the entire long tail approach to marketing.  You can’t be surprised by this?

This is why we have hybrid SUV’s now…

Nicholas Carr discusses this in IT Doesn’t Matter. To start with technologies can become competitive differentials like the railroads or the telephone. But once everyone has it, the playing field levels and it becomes table stakes. It’s a competitive disadvantage if you aren’t in the game (i.e. insecure) but the economic cost of developing a service or technology that is so compelling as to become an advantage ain’t on the radar (for the most part).

So getting back to what I thought was your original premise, and escape the low-earth orbit of the affliction of the human condition, global warming and ROI… 🙁

For the sake of argument, let’s assume that I agree with your lofty generalizations that security and privacy do not represent a competitive advantage.  Please turn off your firewall now.  Deactivate your anti-virus and anti-spam.  Turn off that IDS/IPS.  Remove those WebApp firewall-enabled load balancers…

Yes, IT (and security/privacy) are table stakes (as I established above) but NOT having them would be a competitive disadvantage. THAT is the point.  It’s a referential argument and a silly one at that.

…almost as silly as suggesting that you shouldn’t try to measure the effectiveness of security; it seems that people want to hang language on these topics and debate that instead of the core issue itself.

The threat models dictate how investments are made and how they are perceived to be advantageous or not.  They’re also cyclical and temporal, so over time, their value depreciates until the next wave requires more investment.  Basic economics.

Generalizing about security and privacy as not being competitive advantages is a waste of time.  I’d love to see an ad from a company that says they’re NOT investing in security and privacy and that their Corporate credo is "screw it, you don’t care, anyway…"

I’m going to get on my bike and ride down to the store to buy a cup of coffee with my credit card now…

/Hoff

Wells Fargo System “Crash” Spools Up Phishing Attempts But Did It Also Allow for Bypassing Credit/Debit Card Anti-Fraud Systems?

August 22nd, 2007
Serendipity is a wonderful thing.  I was in my local MA bank branch on Monday arranging for a wire transfer from my local account to a Wells Fargo account I maintain in CA.  I realized that I didn’t have the special ABA Routing Code that WF uses for wire transfers so I hopped on the phone to call customer service to get it.  We don’t use this account much at all but wanted to put some money in it to keep up the balance which negates the service fee.

The wait time for customer service was higher than normal and I sat for about 20 minutes until I was connected to a live operator.  I told him what I wanted and he was able to give me the routing code but I also needed the physical address of the branch that my account calls home.  He informed me that he couldn’t give me that information.

The reason he couldn’t give me that information was that the WF "…computer systems have been down for the last 18 hours."  He also told me that "…we lost a server somewhere; people couldn’t even use their ATM cards yesterday."

This story was covered here on Computerworld and was followed up with another article which described how Phishers and the criminal element were spooling up their attacks to take advantage of this issue:

August 21, 2007 (IDG News Service) — Wells Fargo & Co. customers may have a hard time getting an up-to-date balance statement today, as the nation’s fifth-largest bank continues to iron out service problems related to a Sunday computer failure.

The outage knocked the company’s Internet, telephone and ATM banking services offline for several hours, and Wells Fargo customers continued to experience problems today.

Wells Fargo didn’t offer many details about the system failure, but it was serious enough that the company had to restore from backup.

"Using our backup facilities, we restored Internet banking service in about one hour and 40 minutes," the company said in a statement today. "We thank the hundreds of team members in our technology group for working so hard to resolve this problem."

Other banking services such as point-of-sale transactions, loan processing and wire transfers were also affected by the outage, and while all systems are now fully operational, some customers may continue to see their Friday bank balances until the end of the day, Wells Fargo said.

I chuckled uneasily because I continue to be directly impacted by critical computer systems failures such as two airline failures (the United Airlines failure and the TSA/ICE failure at LAX), the Skype outage, and now this one.  I didn’t get a chance to blog about it other than a comment on another blog, but if I were you, I’d not stand next to me in a lightning storm anytime soon!  I guess this is what happens when you’re a convenient subscriber to World 2.0?

I’m sure WF will suggest this is because of Microsoft and Patch Tuesday, too… 😉

So I thought this would be the end of this little story (until the next time.)  However, the very next day, my wife came to me alarmed because she found a $375 charge on the same account as she was validating that the wire went through.

She asked me if I made a purchase on the WF account recently and I had not as we don’t use this account much.  Then I asked her who the vendor was.  The charge was from Google.com.  Google.com?

Huh?  I asked her to show me the statement; there was no reference transaction number, no phone number and the purchase description was "general merchandise."

My wife immediately called WF anti-fraud and filed a fraudulent activity report.  The anti-fraud representative described the transaction as "odd" because there was no contact information available for the vendor.

She mentioned that she was able to see that the vendor executed both an auth (testing to see that funds were available) followed by a capture (actually charging), but told us that unfortunately she couldn’t get any more details because the computer systems were experiencing issues due to the recent outage!

This is highly suspicious to me.

Whilst the charge has been backed out, I am concerned that this is a little more than serendipity and coincidence. 

Were the WF anti-fraud and charge validation processes compromised during this "crash" and/or did their failure allow for fraudulent activity to occur?

Check your credit/debit card bills if you are a Wells Fargo customer!

/Hoff

No excuse for not shredding those credit card offers…Hamster Powered Shredder!

April 11th, 2007

Saw this on Boing-Boing. Click on the picture.

There’s now no excuse for not shredding those unsolicited credit card offers that show up in the mail.  This works on report cards, too, kids!

It’s eco-friendly, makes its own bedding/toilet, entertains your kids, is able to turn veggie leftovers into leveraged mechanical advantage, and gosh-darn it, it’s so damned cute!

That’s right, folks.  The coolest hack, evah!  Hamster-powered shredder!

That’s Web2.0, baby…

A Funny Thing Happened at the Museum Of Science…

February 21st, 2007
One of the benefits of living near Boston is the abundance of amazing museums and historic sites available for visit within 50 miles from my homestead.

This weekend the family and I decided to go hit the Museum of Science for a day of learning and fun.

As we were about to leave, I spied an XP-based computer sitting in the corner of one of the wings and was intrigued by the sign on top of the monitor instructing any volunteers to login:

[Photo: the sign on top of the monitor instructing volunteers to log in]

Then I noticed the highlighted instruction sheet taped to the wall next to the machine:

[Photo: the highlighted instruction sheet taped to the wall]

If you’re sharp enough, you’ll notice that the sheet instructs the volunteer how to remember their login credentials — and what their password is (‘1234’) unless they have changed it!

"So?" you say, "That’s not a risk.  You don’t have any usernames!"

Looking to the right I saw a very interesting plaque.  It contained the first and last names of the museum’s most diligent volunteers who had served hundreds of hours on behalf of the Museum.  You can guess where this is going…

I tried for 30 minutes to find someone (besides Megan Crosby on the bottom of the form) to whom I could suggest a more appropriate method of secure sign-on instructions.  The best I could do was one of the admission folks who stamped my hand upon entry and ended up with a manager’s phone number written on the back of a stroller rental slip.

(In)Security is everywhere…even at the Museum of Science.  Sigh.

/Hoff

A chronology of privacy breaches…

July 7th, 2006
What a staggering number of individuals who have had the privacy of their personally-identifiable information compromised:

    88,795,619

This information comes from the Privacy Rights Clearinghouse and presents a chronology of breaches since the Choicepoint incident in February, 2005. 

I don’t remember seeing or hearing anything about most of these incidents…imagine the many more that none of us do!

Wow.

Chris

[O]ffice of [M]isguided [B]ureaucrats – Going through the Privacy Motions

July 4th, 2006
Like most folks, I’ve been preoccupied with doing nothing over the last few days, so please excuse the tardiness of this entry.  Looks like Alan Shimel and I are suffering from the same infection of laziness 😉

So, now that the 4 racks of ribs are in the smoker pending today’s festivities celebrating my country’s birth, I find it appropriate to write about this debacle now that my head’s sorted.

When I read this article several days ago regarding the standards that the OMB was "requiring" of federal civilian agencies, I was dismayed (but not surprised) to discover that once again this was another set of toothless "guidelines" meant to dampen the public outrage surrounding the recent string of privacy breaches/disclosures.

For those folks whose opinion it is that we can rest easily and put faith in our government’s ability to federalize legislation and enforcement regarding privacy and security, I respectfully suggest that this recent OMB PR Campaign announcement is one of the most profound illustrations of why that suggestion is about the most stupid thing in the universe. 

Look, I realize that these are "civilian" agencies of our government, but the last time I checked, the "civilian" and "military/intelligence" arms were at least governed by the same set of folks whose responsibility it is to ensure that we, as citizens, are taken care of.  This means that at certain levels, what’s good for the goose is good for the foie gras…kick down some crumbs!

We don’t necessarily need Type 1 encryption for the Dept. of Agriculture, but how about a little knowledge transfer, information sharing and reasonable due care, fellas?  Help a brother out!

<sigh>

The article started off well enough…45 days to implement what should have been implemented years ago:

To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency’s deputy director. Agency employees also would need two-factor authentication — a password plus a physical device such as a key card — to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity.

Buahahaha!  That’s great.  Is the agency’s deputy director going to personally inspect every file, database transaction and email on every laptop/handheld in his agency?  No, of course not.  Is this going to prevent disclosure and data loss from occurring?  Nope.  It may make it more difficult, but there is no silver bullet.

Again, this is why data classification doesn’t work.  If they knew where the data was and where it was going in the first place, it wouldn’t go missing, now would it?  I posted about this very problem here.

Gee, for $1.50 and a tour of the White House I could have drafted this.  In fact, I did in a blog post a couple of weeks ago 😉

But here’s the rub in the next paragraph:

OMB said agencies are expected to have the measures in place within 45 days, and that it would work with agency inspectors general to ensure compliance. It stopped short of calling the changes "requirements," choosing instead to label them "recommendations" that were intended "to compensate for the protections offered by the physical security controls when information is removed from, or accessed from outside of the agency location."

Compensate for the protections offered by the physical security controls!?  You mean like the ones that allowed for the removal of data lost in these breaches in the first place!?  Jesus.

I just love this excerpt from the OMB’s document:

Most departments and agencies have these measures already in place.  We intend to work with the Inspectors General community to review these items as well as the checklist to ensure we are properly safeguarding the information the American taxpayer has entrusted to us.  Please ensure these safeguards have been reviewed and are in place within the next 45 days.

Oh really!?  Are the Dept. of the Navy, the Dept. of Agriculture, and the IRS among those departments who have these measures in place?  And I love how polite they can be now that tens of millions of taxpayers’ personal information has been displaced…"Please ensure these safeguards…"  Thanks!

Look, grow a pair, stop spending $600 on toilet seats, give these joes some funding to make it stick, make the damned "recommendations" actual "requirements," audit them like you audit the private sector for SoX, and perhaps the idiots running these organizations will take their newfound budgetary allotments and actually improve upon ridiculous information security scorecards such as these:

[Image: 2005 government information security scorecard]

I don’t mean to come off like I’m whining about all of this, but perhaps we should just outsource government agency security to the private sector.  It would be good for the economy and although it would become a vendor love-fest, I reckon we’d have better than a D+…

/Chris

Need a fake name, address, social security or credit card number?

June 29th, 2006
I don’t know exactly how I stumbled across this, but I found a website that purports to offer a "public service" by providing a fake identity generator complete with social security and credit card numbers.  In reading the FAQ, the utility of this "service" as offered is:

There are a ton of uses for this service. Here are a few examples:

  • "Generate excellent test data quickly and cheaply" DB2 News & Tips
  • Persons living outside of the U.S. can use this information to gain access to websites that do not support their country’s addresses.
  • Use fake information when filling out forms to avoid giving out personal information.
  • Generate a false identity to use as your pseudonym on the internet. This allows you to keep your real life and your internet life separate.
  • Get ideas for names to use for characters in a book or story.
  • Generated credit cards can be used to test basic client-/server-side validation techniques without accidentally processing a real card.

How about one more?  Give illegal immigrants, people fraudulently attaining employment, criminals, identity thieves, and miscreants yet another avenue to more easily do things they shouldn’t.  You can even order in bulk, with SOCIAL SECURITY NUMBERS.

I suppose that by linking to this site I am attracting even more attention to it, but I just can’t understand how Corban Works whose website says they are "…dedicated to creating family-friendly websites" and makes references to the LDS (Mormon church) thinks this is a good idea?

[Editors note: I removed this link because my stats/hit counter for this post was going crazy — seems every scumbag on Earth looking for hits on ‘fake social security numbers" and the like from Google was pulling this entry up.  I don’t want to make it any easier for these idiots to do what they do.]

If news of more data breach floats your boat…

June 26th, 2006
U.S. Navy: Data Breach Affects 28,000

It looks like we’re going to get one of these a day at this point.  Here’s the latest breach-du-jour.  I guess someone thought that our military veterans were hogging the limelight, so active-duty personnel (and their families, no less) get their turn now.  From eWeek:

Five spreadsheet files with personal data on approximately 28,000 sailors and family members were found on an open Web site, the U.S. Navy announced June 23. 

The personal data included the name, birth date and social security number on several Navy members and dependents. The Navy said it was notified on June 22 of the breach and is working to identify and notify the individuals affected.

"There is no evidence that any of the data has been used illegally. However, individuals are encouraged to carefully monitor their bank accounts, credit card accounts and other financial transactions," the Navy said in a statement.

Sad.

Why are people so shocked re: privacy breaches?

June 25th, 2006
This is getting more and more laughable by the minute.  From Dark Reading:

JUNE 22, 2006 | Another day, another security breach: In the last 48 hours, Visa, Wachovia, Equifax, and the U.S. Department of Agriculture have joined a growing list of major companies and government agencies to disclose they’ve been hit by sensitive — and embarrassing — security breaches.

The organizations now are scrambling to assist customers and employees whose personal information was either stolen or compromised in recent weeks. They join AIG, ING, and the Department of Veterans Affairs, all of which have disclosed major losses of sensitive data in the last few weeks.

Each of the incidents came to light well after the fact.

Disclaimer: I am *not* suggesting that anyone should make light of or otherwise shrug off these sorts of events.  I am disgusted and concerned just like anyone else with the alarming rate of breach and data loss notifications in the last month, but you’re not really surprised, are you?  There, I’ve said it.

If anyone has any real expectation of privacy or security (two different things) when your data is in the hands of *any* third party, you are guaranteed to be sorely disappointed one day.  I fully expect that no matter what I do, some amount of my personal information will be obtained, misappropriated and potentially misused in my lifetime.   I fully expect that any company I work for will ultimately have this problem, also.  I do what I can to take some amount of personal responsibility for this admission (and its consequences) but to me, it’s a done deal.  Get over it.

The Shimster (my bud, Alan Shimel) also wrote about some of this here and here.

Am I giving up and rolling over dead?  No.  At the same time, I am facing the realities of the overly-connected world in which we live and moreso the position in which I choose to live it.  It isn’t with my head in the sand or in some other dark cavity, but rather scanning the horizon for the next opportunity to do something about the problem.

Anyone who has been on the inside of protecting the critical assets of an Enterprise knows that it isn’t "if" you’re going to have a problem with data or assets showing up somewhere they shouldn’t (or that you did not anticipate) but rather "when" … and hope to (insert deity here) it isn’t on your watch.

Sad but true.  We’ve seen corporations with every capability at their disposal show up on the front page because they didn’t/couldn’t/wouldn’t put in place the necessary controls to prevent these sorts of things from occurring…and here’s the dirty little secret: there is nothing they can do to completely prevent these sorts of things from occurring.

Today we focus on "network security" or "information security" instead of "information defensibility" or "information survivability" and this is a tragic mistake because we’re focusing on threats and vulnerabilities instead of RISK and this is a losing proposition because of these little annoyances called human beings and those other little annoyances they (we) use called computers.

Change control doesn’t work.  Data classification doesn’t work(* see below.)  Policies don’t work.  In the "real world" of IM, encrypted back channels, USB drives, telecommuting, web-based storage, VPN’s, mobile phones, etc., all it takes is one monkey to do the wrong thing even in the right context and it all comes tumbling down.

I was recently told that security is absolute.  Relatively speaking, of course, and that back in the day, we had secure networks.  That said nothing, of course, about the monkeys using them.

Now, I agree that we could go back to the centralized computing model with MAC/RBAC, dumb networks, draconian security measures and no iPods, but we all know that the global economy depends upon people being able to break/bend the rules in order to "innovate" and move business along the continuum and causing me not to put that confidential customer data on my laptop so I can work on it at home over the weekend would impact the business…

The reality is that no amount of compliance initiatives, technology, policies or procedures is going to prevent this sort of thing from happening completely, so the best we can do is try as hard as we can as security professionals to put a stake in the ground, start managing risk knowing we’re going to have our asses handed to us on a platter one day, and do our best to minimize the impact it will have.  But PLEASE don’t act surprised when it happens.

Outraged, annoyed, concerned, angered and vengeful, yes.  Surprised?  Not so much.

Until common sense comes packaged in an appliance, prepare for the worst!

/Chris

P.S. Unofficially, only 3 out of the 50 security professionals I contacted who *do* have some form of confidential information on their laptops (device configs, sample code, internal communications, etc.) actually utilize any form of whole disk encryption.  None use two factor authentication to provide the keys in conjunction with a strong password.  See here for the skinny as to why this is relevant.

*Data Classification doesn’t work because there’s no way to enforce its classification uniformly in the first place.  For example, how many people have seen documents stamped "Confidential" or "Top Secret" somewhere other than where these sorts of data should reside?  Does MS Word or Outlook force you to "classify" your documents/emails before you store/print/send them?  Does the network have an innate capability to prevent the "routing" of data across segments/hosts?  What happens when you cut/paste data from one form to another?

I am very well aware of many types of solutions that provide some of these capabilities, but it needs to be said that they fail (short of being deployed at arterial junctions such as the perimeter) because:

  1. They usually expect to be able to see all data.  Unlikely because anyone that has a large network that has computers connected to it knows this is impossible (OK, improbable)
  2. They want to be pointed at the data and classify it so it can be recognized.  Unlikely because if you knew where all the data was, you’d probably be able to control/limit its distribution.
  3. They expect that data will be in some form that triggers an event based upon the discovery of its existence or movement.  Unlikely because of encryption (which is supposed to save us all, remember? 😉) and the fact that people are devious little shits.
  4. What happens when I take a picture of it on my screen with my cameraphone, send it out-of-band and it shows up on a blog?

Rather, we should exercise some prudent risk management strategies, hope to whomever that those boring security awareness trainings inflict some amount of guilt and hope for the best.

But seriously, authenticating access *to* any data (no matter where it exists) and then being able to provide some form of access control, monitoring and non-repudiation is a much more worthwhile endeavor, IMHO.

Otherwise, this exercise is like herding cats.  It’s a general waste of time because it doesn’t make you any more "secure."

I’m getting more cynical by the (breach) minute…BTW, Michael Farnum just wrote about this very topic…