Sunday, 11 March 2007

Data Security - Part II

So, I've been quite safe so far and said that I agree with the CIA triad, and that it should be applied to the whole transaction:

User --> Application --> Storage

I have yet to hear an argument on that, so I will press on.
The transaction above translates directly to the 3 areas of security which we hear about most often in IT, User-centric security, Network security and Data-centric security.

Most of us know what AAA is, most of us know what a firewall is, so I will assume User-centric and Network security are wrapped up for now. What few people appreciate is the state of data-centric security today. We really need to be pushing it out of IT circles and into the outside world, but there's a backlash from inside, the very people who should be shouting about it don't want to because it's our last line of power - gone. We will no longer have the CEO's balls in a vice like grip, no longer get the respect of the whole company just for being techies.

Come on, do you really think so? We'll always have the CEO's balls, because he barely knows how to switch his PC on in the morning. We'll never have the respect of the entire company because we wear jumpers with patches on the elbows but drive better cars than them. That's how we wanted it. The geeks inherited the earth.

In the US they know where the importance of our data lies, and what to do about it being breached. In the US, if some data gets stolen and it belongs to someone else, the person responsible has to be beaten senseless live on National TV in their underpants. I think. More seriously, California Senate Bill 1386 is now applied in 37 states across America, soon to be passed as a national law. Section 2 states that if there is a data breach containing any private citizen's data, it must be publicly disclosed. This seemingly simple ruling has massive ramifications for companies holding US citizens' data.

Bank of America in 2005 lost 670,000 customer's details when an internal employee sold the information to various collection agencies. Before SB1386, implemented in July 2003, this might have gone unnoticed. The fact is, I don't have a statistic to tell you how, if and when this kind of thing happened before 2004... anyone remember it hitting the news before that? I don't. Sure I remember hacks and webpages being defaced, but nothing like this.

TJX is the latest breach to hit the news. This has apparently been going on since 2003, and they've only just noticed. OW!

Just think for a moment if you worked for BoA, TJX, BJs Wholesale (2004), CardSystems (2005), ChoicePoint (2005), etc. etc.

For a full list of US breaches see this excellent site:

If you were the sysadmin or security guy responsible for looking after that network, and even if you'd done nothing wrong, you would now be at best out of a job. You would probably be under arrest, under suspicion and would certainly find it hard to fnid another job. The publicity part of SB1386 is where it's real teeth are.

Financial penalties have never been an issue for banks and retailers. Look at PCI DSS in the UK: the more VISA and MC snarl and bear their teeth, the more the retailers polish their fingernails and wait. They know if they get bitten, it isn't going to even make a mark. Brand loyalty is a different matter.

So both personally and on a company level, these laws are bad news, but now imagine you are a customer - because you are. You are more likely to be a customer of the online banks and retailers just by the very fact that you are reading this, but just because you aren't online, doesn't mean your details aren't. Wouldn't you rather know the INSTANT your details were compromised?

I was taken for £3000, and I didn't know until it was slightly too late. I was in Germany at the time, and only found out when I got home a week later. A lady I worked for in the US had $10,000 taken from her account at roughly the same time. She found out immediately, the bank gave her back every last cent and she was fine, if a little shaken. I had to file a report at the local police station, walk to the bank, walk back to the police station, etc.. it took over a week to get it reported even. Then the bank grudgingly gave me back what they had mislaid. But it wasn't straightforward and I had to make a lot of noise about being an IT security professional, etc...

The good news is, disclosure rulings are on the horizon. They are set for discussion in Brussels in November this year. The bad news for us as techies is that it means PCI DSS will now have a big mean brute standing behind it smashing a fist into his hand. The good news for us as customers is that these laws in place to protect us can now be enforced in a way that really DOES hurt the people who lose our money.

But is there any good news for us as techies? I hear you cry... Well, we'll still have the CEO by the balls, but he won't really notice because so will all of his customers. He be watching us like a hawk, but he'll be more inclined to listen when we say we need a few more pennies for our networks...

No comments: