Look Who’s Watching … Webcams, Privacy and Common Sense

29 02 2012

by Mike Timko

While this is certainly not a new topic, I believe it is an area that deserves more press and more concern. As more and more homes add Internet-based cameras to communicate with family members or to monitor what is going on when nobody is there, privacy should be treated as paramount, yet it appears to be much more of an afterthought. There is certainly a category of users who wish to broadcast their webcams to anyone who cares to watch, but I am focusing here only on the intentional hacking of a personal webcam whose owner never intended it to be publicly accessible.

Webcam Proliferation

More than 79% of laptops have webcams, and that number continues to rise.[1] Laptops, desktop computers and smartphones are not the only places webcams are used, and they are not used only for chatting or keeping in touch with family. Increasingly, people are adding home monitoring systems that either tether to a webcam or operate independently over a Wi-Fi connection, which makes them easy to install almost anywhere. Home video monitoring is not new, but Internet connectivity has greatly increased the ease of access to these cameras. Early on, this was the domain of the home automation enthusiast or hobbyist, who cobbled together various components into a monitoring system with some sort of Internet connection. Now a simple search for home video monitoring turns up inexpensive systems available at the local big box or office supply store.

People who are concerned about the security of their home, or who need to monitor a location, can install these systems in a very short time, and that is part of the problem. The ease of setup makes securing the webcams a secondary thought, and many people simply accept the default configuration. [2] Most people who buy these systems do not have the technical background to do more than connect the system, which is the appeal. An increasing number of smartphone apps make access to these systems even easier. One that immediately comes to mind is iCam from SKJM.com. The app and related software let you legitimately control the webcams or Wi-Fi-enabled cameras in your home or business with great ease. In fact, there have been news stories of people who stopped burglaries in progress by quickly using this app. [3] I personally use this product and have liked the fact that I can monitor my home when not there. I am, however, concerned that others could try to do the same.
Because this software requires the cameras to stay on, the ubiquitous green light is always lit, and the light no longer tells the owner anything about whether the camera is actually being watched.

Gaining Access

Do a simple Internet search for “hacking a webcam” and you will find everything from tutorials on simple techniques for breaking into a webcam to software that assists the would-be hacker or voyeur. There is no way to regulate the distribution of this information, so consumers need to be ever vigilant in securing their cameras against prying eyes. Any webcam user can take some basic steps: install anti-virus software, enable a firewall, change the camera's default configuration and password rather than accepting it as shipped, and apply the vendor's firmware updates when they are issued. Wi-Fi connections should always be secured with at least WPA (WPA2 where the camera supports it) to add another layer of protection in front of the camera. [4] A recent article in Wired magazine detailed how a hacker exploited a known vulnerability in a particular brand of webcam, listing every step and the related code to make it even easier. Using the cameras' network addresses and some clever hacking, he was able to access and control cameras even when they were password protected. [5] While the company said it would issue a firmware update to resolve the issue, the very idea that such an oversight could occur is disturbing, and it raises the question of what other brands or devices can be reached remotely even with basic security in place.

To the Forefront

An incident that has garnered much media attention was the spying on students in the suburban Philadelphia school district of Lower Merion. The district asserted that the cameras on school-owned laptops were only activated if a laptop was reported stolen; however, the investigation uncovered thousands of pictures taken from computers that students had never reported missing. [6] A class-action lawsuit was filed against the district alleging that it had invaded the students' privacy. The district acknowledged that its administrators could remotely take pictures, and it may actually have tried to hide that it was doing so. [7] One issue with this case is what legal recourse the families have. Title III of the Omnibus Crime Control and Safe Streets Act of 1968, known as the “Wiretap Act”, forbids recording phone or in-person conversations with a hidden microphone, but it has no provision covering webcams. A 1984 appellate decision held that ”video surveillance does not ‘intercept’ any communication” and therefore that Title III “neither authorized nor prohibited the surveillance.” [7] In the time since that decision and the recommendations that followed it, Title III has not been amended. We need legislation that protects us, takes existing technologies into account, and is flexible enough to look forward as well.

Boardroom Break-in

In a recent experiment, HD Moore of Rapid7, a computer security firm, wrote a program that scanned the Internet and collected the addresses of thousands of videoconferencing systems, from major corporations' boardrooms to private legal discussions. The primary reason he could get in was the end users' lack of concern about securing these systems. Most of the companies contacted simply wanted the systems to work and to be easy for outside parties to reach for a conference. What they did not consider was that people with no legitimate reason would also try to reach them. In some cases Mr. Moore was able to pan and zoom the cameras and listen in on the conversations. [8]

One Final Thought

The lesson is a simple one: treat any web-connected camera as a portal to the outside world and protect that feature, which is also a vulnerability, accordingly. The advent of ever smaller cameras and wireless devices will only make securing them a higher priority. Considering how long it takes to amend laws, we must look out for our own interests in the meantime.

_______________

[1] “Webcam Penetration Rates & Adoption”, http://weareorganizedchaos.com/index.php/2011/07/05/webcam-penetration-rates-adoption/

[2] “How to Find Hidden Webcams on the Internet – For Free”, http://donatello.hubpages.com/hub/How-to-Find-Hidden-Webcams-on-the-Internet—For-Free

[3] “SKJM in the News”, http://skjm.com/news.php

[4] “Webcam Hacking: How to Protect Yourself”, http://voices.yahoo.com/webcam-hacking-protect-yourself-9045547.html?cat=15

[5] “Flaw in Home Security Cameras Exposes Live Feeds to Hackers”, http://www.wired.com/threatlevel/2012/02/home-cameras-exposed/

[6] “School District Allegedly Snapped Thousands of Student Webcam Spy Pics”, http://www.wired.com/threatlevel/2010/04/webcamscanda/

[7] “Video Laptop Surveillance: Does Title III need to be updated?”, http://www.judiciary.senate.gov/pdf/3-29-10%20Bankston%20Testimony.pdf

[8] “Cameras May Open Up the Board Room to Hackers”, http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=1&scp=4&sq=cameras&st=cse





Human Element in IT Security

28 02 2012

IT security has become a critical component of business success. Companies have deployed a multitude of technologies, policies, procedures and other technical solutions to address their IT security challenges. However, many companies have underplayed the role of humans in IT security. The reasons include internal politics and a surprising amount of chaos [1].

Companies must recognize that humans play a pivotal role (see Table 2) in the success of IT security mechanisms. The following initiatives will enable companies to harness their human capital to that end:

  • Awareness:
    • Management must demonstrate commitment to and support for IT security.
    • Educate employees on the need to comply with industry standards (see Table 1) and internal policies.
    • Repeat, repeat, repeat: implement a mandatory training program under the supervision of C-suite executives.
    • Set up constant communication emphasizing the importance of IT security.
  • Execution:
    • Based on a security risk analysis, focus on the highest threat first and deliver role-based training. Avoid one-size-fits-all training across the organization [2].
    • Set up a central service center to address security concerns and clarify policies and procedures.
    • Develop mechanisms to monitor and review the effectiveness of the security mechanisms in place.

In addition to the above tactics, companies must encourage a collaborative environment and a culture of teamwork around data confidentiality, integrity and availability (CIA).

In summary, the rapid pace of technological change, coupled with humans' inherent resistance to change and to close monitoring, is a key roadblock to a successful security strategy. As discussed above, awareness, tailored education and cultural change are important enablers for the successful implementation of IT security mechanisms.

Table 1: Information Security Regulation[3]

Table 2: Root Cause of Information System Failure[4]


[1] The Importance of Defining and Documenting Information Security Roles and Responsibilities By Charles Cresson Wood, http://www.informationshield.com/papers/SecurityRolesAndResponsibilities.pdf

[2] The People Dimension of Security and Privacy – Eight training and awareness habits of highly effective organizations; Deloitte http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_consulting_PeopleDim_Security%20Privacy062309.pdf

[3] The Importance of Defining and Documenting Information Security Roles and Responsibilities By Charles Cresson Wood, http://www.informationshield.com/papers/SecurityRolesAndResponsibilities.pdf

[4] The People Dimension of Security and Privacy – Eight training and awareness habits of highly effective organizations; Deloitte http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/us_consulting_PeopleDim_Security%20Privacy062309.pdf





Risk Assessment: Guiding Responsible Information Security Spending

27 02 2012

by Saad Noman

What assets do we protect? What do we need to protect them from? How much do we spend on protecting them? These questions form the basis of information security, and answering them is the domain of risk assessment. A risk assessment program is an ongoing process that lets an organization continually identify critical infrastructure and data, discover vulnerabilities and threats, and develop the associated treatment plans. The aim of the process is a clear roadmap of what needs to be done to mitigate risks and thus move towards a secure environment in a budget-friendly way. As the United States General Accounting Office puts it, “risk assessments provide a basis for establishing appropriate policies and selecting cost-effective techniques” [1].

Just as in the software development life cycle, where time is spent designing the application before coding it, in information security we first need to understand the environment our organization operates in: what the culture is, which processes and applications are mission critical, and what the threats are. Only then can we establish an effective information security program that addresses realistic scenarios, the ones that are likely to occur and would have a high business impact.

Without a risk assessment, organizations are likely to overspend on security controls and yet completely miss the easiest penetration scenarios. For example, I've seen in my organization that we focus on protecting the infrastructure from outside threats (with a DMZ, network penetration, etc.), but there is no policy for protecting critical databases from internal employees. Currently, someone from the development team can easily access a production machine from their desktop using the application login id; there is actually no security control around this.

A proper risk assessment framework yields valuable information and action-driven tasks that help guide an organization's security spending by making clear how much harm each risk could do to the business. Risk assessment results provide a solid basis for a strong quantitative business case for security initiatives that might otherwise be hard to justify to a Finance team that often says “we want to optimize the budget” and “why is this necessary? we are doing just fine without it”.

To conclude, I think Sun Tzu stated it perfectly in The Art of War, in a passage that speaks directly to the importance of proactive risk management:

“The art of war teaches us to rely not on the likelihood of the enemy’s not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” [2]

________________

[1] United States General Accounting Office. “Information Security Risk Assessment.” November 1999. http://www.gao.gov/special.pubs/ai00033.pdf

[2] Sun Tzu, The Art of War quotation – http://thinkexist.com/quotation/the_art_of_war_teaches_us_to_rely_not_on_the/149712.html





Mobile Device Security: Android vs. iOS

27 02 2012

Introduction

Mobile devices are becoming more and more prevalent in our daily lives.  They are replacing many of the activities that were once done primarily on PCs, such as surfing the Internet and checking email.  Another reason they are so popular is the large number of applications that can be downloaded and run on them.  But how secure are these devices, and what are the risks to personal data when using one?  The two most popular mobile operating systems on the market today are Google’s Android and Apple’s iOS.  I will discuss some of the security features of each OS, and also some of the security flaws.

Security Traits common to both Android and iOS

Both operating systems are built on the following five security principles [1]:

  1. Access Control – Traditional password protection and the ability to lock the device
  2. Encryption – Data encryption on the device
  3. Isolation – Limiting an application's ability to access resources and data on the device
  4. Application Provenance – Use of digital signatures to authenticate application authors
  5. Permission-based access control – Users have control over what data an application can access.

Although each OS applies these five principles, the implementation of the security features differs, as discussed below.

Apple iOS Security Highlights

Apple only allows its users to get apps from the Apple App Store, where Apple screens apps using a rigorous process.  Part of that process is the application provenance referenced above: only apps that Apple deems safe are allowed into the App Store, and users are assured of the developer's authenticity.  Although this process eliminates many malicious applications, it is not perfect, and Apple has had to remove applications from the store after they were offered to users.

Apple iOS incorporates a number of access control features.  A user can enable password protection on the device, choose the length of the password, and set the number of incorrect attempts before the device wipes itself.  In addition, iOS provides a locating feature that lets you pinpoint the device's location from your PC, and the user can protect the data on a lost or stolen device by remotely wiping it.

Flaws

iOS uses the permission-based access control mentioned above; however, the user is not asked whether to allow an app access to data until after the app has been downloaded and installed, and many applications stop working if the user answers “no” when asked [2].

Apple was in the news last year for a flaw that allowed SSL man-in-the-middle attacks; it has since fixed the flaw with an iOS update.  However, many older iOS devices cannot be updated to the newer version and remain vulnerable to this type of attack [3].

Google Android Security Highlights

Google’s approach to permission-based access control differs from Apple’s in that permissions are granted at the time the application is installed rather than at run time.  A user can decide, before the app is ever downloaded, how much control the app should have; if it requires more access than the user is willing to give, the user can simply choose not to install it.  In addition, users must accept an installation before an application is placed on the device, so, according to [2], a remote-wipe or locate-my-device application cannot be pushed onto an Android device after the fact.  That is good in that the user knows what is running on the device, but bad in the event that the device is lost or stolen.
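The decision described above (and the iOS contrast in the previous section) amounts to reading the permission list before the app goes on the device. The following script is an added example, not code from this post or from Google: it parses an app's AndroidManifest.xml, which is assumed to have already been decoded from the APK's binary XML to plain XML (apktool does this), and flags any permission that falls into a reviewer-defined "sensitive" set but is not expected for the app's stated purpose. The permission names are real Android identifiers; the sensitive set, the sample manifest and the hypothetical flashlight app are constructed for the example.

```python
"""Review the permissions an Android app requests before installing it.

Added example (not from the post or from Google). Parses a decoded
AndroidManifest.xml and flags requested permissions that the reviewer
considers sensitive and did not expect for this kind of app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission names are real Android identifiers; grouping them as
# "sensitive" is this example's own policy, not an Android-defined list.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "text messages",
    "android.permission.SEND_SMS": "send SMS (can cost money)",
}

# Constructed sample manifest for a hypothetical flashlight app that asks
# for more than a flashlight needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the permission names declared via <uses-permission>, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        # The name attribute lives in the android: namespace.
        name = elem.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def review(manifest_xml, expected):
    """Flag sensitive permissions the reviewer did not expect for this app.

    `expected` is the set of permissions justified by the app's stated
    purpose; any sensitive permission outside that set is flagged.
    """
    requested = requested_permissions(manifest_xml)
    flagged = [p for p in requested if p in SENSITIVE and p not in expected]
    return {
        "requested": requested,
        "flagged": flagged,
        "verdict": "do not install" if flagged else "ok",
    }


if __name__ == "__main__":
    # A flashlight needs the camera (for its LED) and nothing else sensitive.
    result = review(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"})
    for perm in result["flagged"]:
        print(f"unexpected: {perm} ({SENSITIVE[perm]})")
    print("verdict:", result["verdict"])
```

Run against the sample, the script flags READ_CONTACTS and ACCESS_FINE_LOCATION and recommends not installing; INTERNET is requested but is not in the sensitive set, and CAMERA is expected. The install-time model the post describes was later replaced by runtime prompts (Android 6.0), but the manifest still declares everything an app can ever ask for, so this review remains useful.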

Flaws

Unlike Apple's single App Store, Google has many marketplaces for Android applications, and these marketplaces do not have the same rigorous application selection process that the App Store does.  Because there are fewer controls over which apps can be sold in them, there is a greater risk of malicious applications.

Android is designed so that the service provider can modify the UI [2].  This means the service provider can install additional software that the user does not want or need, which can create security holes Google did not anticipate and leave the user with a less secure device.

Flaws Common to Both iOS and Android

Cloud computing is becoming more and more popular, and mobile devices are used to access email, calendars and documents on the go.  Many of these applications require you to connect to a third-party vendor, which may not have a secure application or connection to protect your data [1].

Both Android and Apple devices can be modified to override operating system restrictions and allow access to system settings that would not be permitted under normal circumstances.  This is known as rooting (Android) or jailbreaking (iOS).  Manipulating the device in this manner can void its support and make software and firmware updates unavailable.  It also means an attacker can abuse the same elevated access the user created and reach the information on the device.

How to Keep Your Device Secure

Here are some things you can do to protect yourself from mobile device security risks [2]:

  1. Change the phone and voicemail password
  2. Use a password/pin that is difficult for someone else to guess
  3. Set the device to be password protected after 5 minutes of inactivity
  4. Only enable the wireless connections that you actually use
  5. Only install applications from vendors that you trust
  6. Use mobile security software
  7. Use mobile device management software
  8. Back up your data
  9. Don’t view private data on public WiFi
  10. Install OS and firmware updates as soon as they are made available.

______________

[1] “A Window into Device Security: Examining the Security Approaches of Apple’s iOS and Google’s Android”, Carey Nachenberg.  Retrieved Feb. 24, 2012 from: http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Jun_worldwide_mobilesecuritywp

[2] Android vs. iOS Infographic. Retrieved Feb. 24, 2012 from: http://www.veracode.com/resources/android-ios-security

[3] Android Security vs. iOS Security, Alvin Ybanez.  Retrieved Feb. 24, 2012 from: http://www.androidauthority.com/android-security-vs-ios-security-46385/





A Framework for Information Security Architecture

26 02 2012

By Hong Zhang

Recently, I have been thinking about how to effectively and efficiently manage overall information security in a large corporation.  Compounding the complexity of information security itself are government regulations and compliance obligations, very large amounts of information and data in thousands of information systems spread over hundreds of geographic locations, and hundreds of thousands of people using those systems inside and outside the corporation; together these make information security management overwhelming.  Furthermore, understanding the impact of a new regulation or security standard on the underlying information, data, information systems, locations and people is very time consuming, while the answers are often needed in a short timeframe because of security threats.  A well-structured information security architecture framework for managing information security in a disciplined manner will benefit information security managers and the entire enterprise.  Since information security touches almost every information system across the enterprise, information security architecture should be coupled with information systems architecture and be part of enterprise architecture.  A comprehensive framework for information systems architecture and for enterprise architecture is therefore a natural starting point for defining an information security architecture framework.

A Framework for Information Systems Architecture and for Enterprise Architecture

In an article published in IBM Systems Journal in 1987, John Zachman outlined a framework for information systems architecture.[1]  John Sowa and John Zachman then extended and formalized the framework in an article published in IBM Systems Journal in 1992.[2]  Since then, Mr. Zachman has applied the same framework to enterprise architecture by changing the object being described from an information system to the enterprise.  Although he has refined the graphic representation of the framework to reflect his latest thinking, the main concept remains the same.[3][4]

In the past, I had a number of opportunities for lengthy and detailed discussions with Mr. Zachman about the enterprise architecture framework and enterprise architecture models.  Through these discussions, I have developed a deep understanding and appreciation of the concept of the framework he created.  I will use the concept of that framework as the example for my discussion of an information security architecture framework here.  Other enterprise architecture frameworks, such as The Open Group Architecture Framework (TOGAF)[5], the EA3 Cube Framework[6], the Federal Enterprise Architecture Framework (FEAF)[7], and the Department of Defense Architecture Framework (DoDAF)[8], can be used as well.

Table 1 below outlines the concept of the framework for information systems architecture and for enterprise architecture created by Mr. Zachman. Columns are the six interrogatives; rows are the six perspectives, from the planner's scope down to the functioning system or enterprise. The cells are left empty because the table shows only the structure of the framework:

                                 | Data (What) | Function (How) | Network (Where) | People (Who) | Time (When) | Motivation (Why)
---------------------------------+-------------+----------------+-----------------+--------------+-------------+-----------------
Scope (Planner)                  |             |                |                 |              |             |
Enterprise Model (Owner)         |             |                |                 |              |             |
System Model (Designer)          |             |                |                 |              |             |
Technology Model (Builder)       |             |                |                 |              |             |
Components (Sub-contractor)      |             |                |                 |              |             |
Functioning Systems / Enterprise |             |                |                 |              |             |

Information Security and Information Security Architecture

In U.S. federal law (44 U.S.C. § 3542)[9], information security is defined as follows:

(1) The term ‘‘information security’’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide—

(A) integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity;

(B) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and

(C) availability, which means ensuring timely and reliable access to and use of information.

The term “information security architecture” as used here means a representation of the overall structure for achieving information security as defined above.

A Framework for Information Security Architecture

The term “information security architecture framework” as used here means a high-level structure (a meta-model) for defining an information security architecture.

Table 2 below outlines a framework for information security architecture, using the same rows and columns as Table 1. Only the Scope (Planner) row is filled in here; its six cells are spelled out beneath the grid, and the remaining rows are left for a later post:

                                 | Data (What) | Function (How) | Network (Where) | People (Who) | Time (When) | Motivation (Why)
---------------------------------+-------------+----------------+-----------------+--------------+-------------+-----------------
Scope (Planner)                  | (a)         | (b)            | (c)             | (d)          | (e)         | (f)
Enterprise Model (Owner)         |             |                |                 |              |             |
System Model (Designer)          |             |                |                 |              |             |
Technology Model (Builder)       |             |                |                 |              |             |
Components (Sub-contractor)      |             |                |                 |              |             |
Functioning Systems / Enterprise |             |                |                 |              |             |

Scope (Planner) row cells:
  (a) Data (What): a list of all classes of information that must be protected
  (b) Function (How): a list of all classes of relevant activities
  (c) Network (Where): a list of all classes of relevant locations
  (d) People (Who): a list of all classes of relevant people (roles)
  (e) Time (When): a list of all classes of relevant events
  (f) Motivation (Why): a list of all classes of relevant goals and regulations

Row 1: Scope for Information Security Architecture

A list of all classes of relevant goals and regulations

We first have to understand “why” (in terms of goals and regulations) the information and information systems must be protected.  We may categorize all the goals and regulations the enterprise deals with into a complete list of classes of goals and regulations, then pick out the classes that are relevant to the security of information and information systems.

A list of all classes of information that must be protected

Since information security is about protecting information and information systems, we have to understand “what” information must be protected, based on the relevant goals and regulations.  We may first categorize all the information the enterprise deals with into a complete list of classes of information, then identify the classes that must be protected.  Some classes of information might not need protection.

A list of all classes of relevant activities

Once we know “what” information must be protected, we have to understand “how” the information is used, in terms of activities.  We may categorize all the activities the enterprise is involved in into a complete list of classes of activities, then identify the classes that deal with any class of information that must be protected.  This is the list of all classes of relevant activities.

A list of all classes of relevant locations

Once we know “what” information must be protected and “how” it is used in terms of activities, we have to understand “where” the information is located and the activities are conducted.  We may categorize all the locations the enterprise deals with into a complete list of classes of locations, then identify the classes that hold any class of information that must be protected or where any class of relevant activity is conducted.  This is the list of all classes of relevant locations.

A list of all classes of relevant people (roles)

Once we know “what” information must be protected and “how” it is used in terms of activities, we have to understand “who” interacts with the information and/or performs the activities.  We may categorize all the people (roles) the enterprise deals with into a complete list of classes of people (roles), then identify the classes that interact with any class of information that must be protected or perform any class of relevant activity.  This is the list of all classes of relevant people (roles).

A list of all classes of relevant events

Once we know “what” information must be protected, “how” it is used in terms of activities, “where” the information is located and the activities are conducted, and “who” interacts with the information and/or performs the activities, we have to understand “when” (in terms of events) the information and the activities must be protected.  We may categorize all the events (expected and unexpected) the enterprise deals with into a complete list of classes of events, then identify the classes that involve any class of information that must be protected, any class of relevant activity, any class of relevant location, or any class of relevant people (roles).  This is the list of all classes of relevant events.

The above lists of classes of goals and regulations, information, activities, locations, people (roles), and events define the overall scope for information security architecture for a given enterprise.

The first row of the framework (scope) has been completed.  I will continue to discuss additional rows of the framework in the future.

________________

[1] “1987 IBM Systems Journal- A Framework for Information Systems Architecture” by John A. Zachman, http://www.zachman.com/images/ZI_PIcs/ibmsj2603e.pdf

[2] “1992 IBM Systems Journal- Extending and Formalizing the Framework for Information Systems Architecture” by John F. Sowa and John A. Zachman, http://www.zachman.com/images/ZI_PIcs/ibmsj1992.pdf

[3] “Zachman Framework 3.0” by John A. Zachman, 2011, http://www.zachman.com/

[4] “The Zachman Framework™ Evolution” by John P. Zachman, http://www.zachman.com/ea-articles-reference/54-the-zachman-framework-evolution

[5] “TOGAF® Version 9.1 – Enterprise Edition”, http://www.opengroup.org/togaf/

[6] “An Introduction to Enterprise Architecture EA3 – Second Edition” by Scott A. Bernard, 2005

[7] “Federal Enterprise Architecture Framework Version 1.1”, 1999, http://www.cio.gov/documents/fedarch1.pdf

[8] “The DoDAF Architecture Framework Version 2.02”, 2010, http://dodcio.defense.gov/sites/dodaf20/

[9] “U.S. Information Security Law, Section 3542”, http://www.gpo.gov/fdsys/pkg/USCODE-2008-title44/pdf/USCODE-2008-title44-chap35-subchapIII-sec3542.pdf





DLP: An Effective Approach or Just Another Finger in the Information Flow Dike?

25 02 2012

By Brett Vermette

Corporations around the world have become increasingly sensitive to the protection of their ever-growing portfolio of confidential intellectual property.  Research by Gartner has found that increasing regulatory compliance requirements, protection of sensitive intellectual property, management of the risk of information mishandling, and the need to gather evidence in response to claims arising from data loss are the key factors driving this increased focus on data loss prevention. [1]

What is Content-Aware DLP?

Content-aware DLP, or just DLP for short, is a combination of hardware and software technologies used to locate, detect, warn about and in some cases prevent access to or movement of sensitive information.  Most DLP solutions let you define rules that are applied to the content of data to determine its level of sensitivity.  DLP solutions offer a variety of mechanisms to protect sensitive data from accidental or deliberate disclosure: inspection of data at rest or in transit, identification of sensitive data based on customizable business rules, logging and reporting of data movement and disclosure events, and blocking of the transmission or copying of data determined to be sensitive.
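The rule-driven inspection just described, as an added example that is not code from this post or from any DLP product: each rule is a content pattern, a validator that cuts false positives, and an action, and the policy returns the strongest action any matching rule demands (allow, warn or block). The rules, the sample email and the test card number are constructed for the example; the card number is the well-known 4111 1111 1111 1111 test value, and the Luhn check is what keeps an arbitrary 16-digit order reference from being flagged as a card.

```python
"""Content-aware inspection of a message against customizable DLP rules.

Added example (not from the post or any DLP product). Shows the
detect-then-warn-or-block decision: rules are pattern + validator + action,
and the strongest action among the matched rules wins.
"""
import re


def luhn_ok(digits):
    """Luhn checksum, so a random run of digits is not reported as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Rules are this example's own policy; a real deployment tunes them per business.
RULES = [
    {
        "name": "payment card",
        "pattern": r"\b(?:\d[ -]?){13,16}\b",
        "validate": lambda s: luhn_ok(re.sub(r"[ -]", "", s)),
        "action": "block",
    },
    {
        "name": "US SSN",
        "pattern": r"\b\d{3}-\d{2}-\d{4}\b",
        "validate": lambda s: True,
        "action": "block",
    },
    {
        "name": "classification marker",
        "pattern": r"\bCONFIDENTIAL\b",
        "validate": lambda s: True,
        "action": "warn",
    },
]
ACTION_RANK = {"allow": 0, "warn": 1, "block": 2}


def inspect(text):
    """Return (action, findings) for a piece of content in transit or at rest.

    findings is a list of (rule name, matched text); action is the highest
    ranked action among the rules whose validator accepted a match.
    """
    findings = []
    action = "allow"
    for rule in RULES:
        for m in re.finditer(rule["pattern"], text):
            hit = m.group(0)
            if not rule["validate"](hit):
                continue  # pattern matched but failed validation: likely noise
            findings.append((rule["name"], hit))
            if ACTION_RANK[rule["action"]] > ACTION_RANK[action]:
                action = rule["action"]
    return action, findings


# Constructed sample message: one real-format card, one SSN, and a 16-digit
# order reference that fails Luhn and so must not be reported.
SAMPLE_EMAIL = """Hi Bob, please process the refund to card 4111 1111 1111 1111
for customer SSN 123-45-6789. Order ref 1234567890123456 is the tracking number.
"""

if __name__ == "__main__":
    action, findings = inspect(SAMPLE_EMAIL)
    for name, hit in findings:
        print(f"{name}: {hit}")
    print("action:", action)
```

On the sample, the card and the SSN are reported and the message is blocked, while the order reference is silently dropped by the Luhn validator; a message containing only the word CONFIDENTIAL is allowed through with a warning. Logging `findings` alongside the action is what gives the CISO's staff the event record the post mentions.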

Why is DLP Important?

As noted by Ben Rothke, enterprises commonly implement rigorous controls to manage valuable physical assets. [8]  However, it is much less common for organizations to apply the same level of rigor to their information assets.  Chief Information Security Officers (CISOs) are under increasing pressure from organization stakeholders to protect these intangible assets.  Forrester Consulting recently published a report entitled “The Value of Corporate Secrets” in which they found that organizations classified sensitive data into two distinct categories: “secrets that confer long-term competitive advantage and custodial data assets that they are compelled to protect”.   Furthermore, Forrester found that secrets comprised two-thirds of the value of firms’ information portfolios and that most firms’ security programs remained focused on compliance, driving an underinvestment in protection of secret information. [2]  In October 2011 Ernst & Young’s Insights on IT Risk Business Briefing cited a Ponemon Institute survey that determined that the average cost of a data breach had risen to $7.2M. [3]

While firms and their CISOs have been working to implement improved policies, procedures and tools to stem the exfiltration of sensitive information, investment in content-aware data loss prevention (DLP) technologies has become a growing trend.  Ernst & Young’s 2011 Global Information Security Survey found that implementation of DLP processes and the supporting technologies “ranked second on the list of areas most likely to receive additional funding”. [3] The question of whether these technologies are necessary and sufficient to prevent deliberate and inadvertent data loss is worthy of examination.

The Benefits

Clearly, the primary benefit associated with DLP technologies lies in the mitigation of the risk of accidental disclosure or deliberate theft of confidential information.  DLP technologies can inspect data in-transit and warn or prevent copying or transmission.  DLP solutions can also be used to log events and provide CISO staffs with a view of key information movement events for appropriate response.  DLP technologies can also be used to examine data at rest and help an organization profile its information landscape, allowing development of additional and more effective controls.  With appropriate implementation DLP tools can provide the foundation for organizations to demonstrate that adequate controls are in place to prevent inappropriate handling and disclosure of their most sensitive information assets.

A key finding of the 2011 Gartner Study on Critical Capabilities for Content-Aware Data Loss Prevention noted that the DLP technology market is expected to grow at a rate of more than 20% on a year-over-year basis. [5] This significant growth profile, particularly during economically challenging times, is a clear indication of senior IT executives’ perception of DLP benefits.

The Difficulties

The deployment of DLP hardware and software can be an expensive endeavor, particularly for large, complex international organizations.  Gartner recently noted that the average cost of a content-aware DLP solution deployment ranged from $350k to $750k or higher. [6]  Additionally, organizations must also consider the cost of sustaining and effectively utilizing their DLP solution.  These costs include the resources required to monitor and react to disclosure events, the need to continuously maintain the rule set used to identify sensitive data and the inconvenience cost associated with data handling or storage activities interrupted by false positives.

In order to achieve maximum effectiveness, DLP solutions must be implemented as part of an overall, business-driven information security framework and program.  As Gartner noted in February 2012, DLP “can only be effective when implemented as a comprehensive process, rather than a ‘set and forget’ platform”.  They also noted that information security organizations commonly make the mistake of treating DLP implementations as technology projects rather than business risk mitigation initiatives.  [7]

The increasing collection and use of unstructured data presents a unique challenge to DLP solution providers.  In general, DLP tools do not have adequate capabilities to profile, classify and appropriately handle data contained in unstructured formats such as audio, video and images.

Finally, deployment of a content-aware DLP solution in a large and complex international organization presents some unique difficulties.  Data discovery tools must be capable of dealing with multilingual information sources, including those that require double-byte representation.  Regulations and associated business rules regarding identification and handling of sensitive personal and financial information can vary widely across jurisdictions.  DLP solutions that must be deployed to end user devices can often require distribution to 100,000+ devices, resulting in significant deployment cost increases.

In Conclusion

In today’s environment of rapid information portfolio growth, increasing organizational complexity and swelling regulatory and organizational requirements to protect sensitive data, content-aware DLP solutions are an important component of a robust information security program.  However, DLP solutions alone are not sufficient to adequately mitigate the risks associated with data exfiltration.  Senior management must sponsor and encourage an organizational culture that promotes awareness, defines appropriate policies and requires active business participation in the protection of key information assets.  DLP can be an effective tool, but without adequate underlying support, processes and controls it will be just another finger in the information flow dike.

_________________________________________________

[1] McMillian, Rob and Eric Ouellet.  Four Factors Driving Interest in Content-Aware Data Loss Prevention: A DLP Spotlight.  Gartner, Inc.  2011.  Print.

[2] Forrester Research, Inc.  The Value of Corporate Secrets – How Compliance and Collaboration Affect Enterprise Perceptions of Risk.  Cambridge, MA.  2010.  Print.

[3] Ernst & Young.  Data Loss Prevention, Keeping Your Sensitive Data Out of the Public Domain.  2011.  Print.

[4] Ernst & Young.  Global Information Security Survey – Into the Cloud, Out of the Fog.  2011.  Print.

[5] McMillian, Rob and Eric Ouellet.  Critical Capabilities for Content-Aware Data Loss Prevention.  Gartner, Inc.  2011.  Print.

[6] McMillian, Rob and Eric Ouellet.  Anticipate and Overcome the Seven Key Obstacles to Success in Content-Aware DLP Deployments.  Gartner, Inc.  2011.  Print.

[7] McMillian, Rob and Eric Ouellet.  Best Practices for Data Loss Prevention:  A Process, Not a Technology.  Gartner, Inc.  2011.  Print.

[8] Rothke, Ben.  The Need for DLP Now.  Clearswift Publications.  New York, NY.  2011.  <http://www.slideshare.net/Benrothke/the-need-for-dlp-now-a-clearswift-white-paper>





SEC Disclosure Guidelines for Cybersecurity

24 02 2012

In a recent article, the Wall Street Journal reported that though Nortel had been aware of a long term security breach and had conducted its own investigation into the situation, they chose not to disclose the incident or investigation to any of its potential buyers.   The security breach was discovered in 2004 when an employee noted that a senior leader appeared to be downloading what was considered to be an unusual set of documents.  When questioned, the executive said he had not downloaded the documents.  The security investigation showed that the incident was a result of hackers who had acquired the passwords from seven senior leaders including a previous CEO.  Using Chinese-based Internet addresses, the hackers had had access to the Nortel network and its equipment starting as early as 2000.   Since its bankruptcy in 2009, Nortel has been in the process of selling off its business in pieces.  In statements from Ericsson, Ciena, and Avaya, the new owners of Nortel’s business areas indicated that they had not been made aware of the security breach prior to their purchases of Nortel business and equipment potentially infiltrated by the hackers. (Gorman, 2012)

This lack of disclosure is indicative of companies’ lack of knowledge of the existing requirement to disclose security risk areas and specific security incidents in their annual Securities and Exchange Commission (SEC) filings.  To this point, the SEC felt it necessary to create a memo that provides guidance on the type of cybersecurity incidents that need to be disclosed and the associated financial information to be included.  In October 2011, the Division of Corporation Finance within the Securities and Exchange Commission published a memo with disclosure guidelines related to cybersecurity risks and incidents.  The memo points out that these types of events have always been in scope of the disclosures required by law as they are considered important information for a potential investor, so disclosures about cybersecurity risk or incidents are not a new requirement.   (Division of Corporation Finance, 2011)

Legal advisors from Mintz Levin issued their 2012 Securities Memorandum, citing the new SEC cybersecurity guidance development as one of the “key considerations to keep in mind as you embark upon the year-end reporting process in 2012.” (Gates & Greene, 2012)

With respect to disclosing cybersecurity risk and/or events, legal advisors such as Gibson Dunn are providing guidance to their clients to complete the following activities:

  1. Perform an assessment of materiality for significant areas of security risk or for security incidents that have occurred to determine if disclosure is warranted.
  2. Review what other companies have included in their cybersecurity disclosures to the SEC.
  3. Be prepared to disclose the appropriate information (remediation efforts, business impact, financial impact, legal implications) if a security breach occurs.
  4. Monitor legislation for additional requirements related to cybersecurity. (Goodman, Ising, Mueller, & Southwell, 2011)

However, disclosing areas of security weakness and specific security breaches will be difficult for companies to begin to include in their SEC filings.  A Washington Post article covering the introduction of the SEC guidance document explains that one reason for companies’ reluctance is the fear that their images will be tarnished in the eyes of all their current and potential investors.   The article goes on to point out that assessing the damages and associated costs tied to cybersecurity risks will challenge the current capabilities of companies. (Nakashima & Hilzenrath, 2011)

In conclusion, in light of the increase in significant security incidents, companies will need to give careful consideration and analysis to the risk related to cybersecurity and ensure compliance with the SEC requirements by bringing to light significant security risks and/or incidents and their associated business impact.

________________

Division of Corporation Finance. (2011, October 13). CF Disclosure Guidance: Topic No. 2. Retrieved February 19, 2011, from http://www.sec.gov: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm#_edn2

Gates, M. N., & Greene, P. B. (2012, January 19). Preparation for 2011 Fiscal Year SEC Filings and 2012 Annual Shareholder Meetings. Retrieved from http://www.mintz.com: http://www.mintz.com/newsletter/2012/Advisories/1596-0112-NAT-SEC/index.htm

Goodman, A., Ising, E. A., Mueller, R. O., & Southwell, A. H. (2011, October 17). SEC Issues Interpretive Guidance on Cybersecurity Disclosures Under U.S. Securities Laws. Retrieved February 19, 2012, from http://www.gibsondunn.com: http://www.gibsondunn.com/publications/Pages/SECGuidance-CybersecurityDisclosuresUnderUSSecuritiesLaws.aspx

Gorman, S. (2012, February 14). Chinese Hackers Suspected In Long-Term Nortel Breach. Retrieved February 17, 2012, from online.wsj.com: http://online.wsj.com/article/SB10001424052970203363504577187502201577054.html

Nakashima, E., & Hilzenrath, D. S. (2011, October 14). Cybersecurity: SEC outlines requirement that companies report cyber theft and attack. Retrieved February 19, 2012, from http://www.washingtonpost.com: http://www.washingtonpost.com/world/national-security/cybersecurity-sec-outlines-requirement-that-companies-report-data-breaches/2011/10/14/gIQArGjskL_story.html