Privacy Bill of Rights – Right to Accountability, part 2

Title I of the Commercial Privacy Bill of Rights Act of 2011 comprises two rights – the Right to Security and the Right to Accountability. This post focuses on the second, the Right to Accountability.

Like the Right to Security, this section is short. In essence it says that each “covered entity” (see the previous post for what that entails) shall:

1. Have reasonable accountability for the adoption and implementation of policies consistent with this Act;

2. Develop a process for responding to non-frivolous individual complaints about how their personally identifiable information (PII) is collected, used and managed;

3. Document and communicate how it complies with this Act upon request from an authorized party, such as the FTC.

What this section really says can be narrowed down to one word: POLICY

Legislation aside, if your business or organization manages sensitive data, you should already have a formal, written policy for how that information is safeguarded, managed and accounted for. For many, then, this requirement adds nothing to what should already be in place.

That said, many SMB organizations that would be affected by this Act have no security policy at all. For them, a requirement to put one in place could benefit both the business and its customers.

And the easiest way to make a policy? Borrow from the Deming Wheel.

The Deming Wheel

Here is a brief outline to writing any business process or policy:

* PLAN – put your plan in writing, assign an owner, and define how your business will comply with this Act;

* DO – put your plan in place, test it, train others on it and make it known in the organization;

* CHECK – make a checklist, regularly audit the process, verify and document results;

* ACT – improve on the process where possible.

In summary, the whole issue of accountability boils down to putting data security policies in place that are “proportional to the size and structure” of your business or organization. Even if this Act does not become law, creating a formal security policy is certainly the prudent thing to do for any business.

The next post will be on Title II, the Right to Notice and Individual Participation.

Privacy Bill of Rights – Right to Security and Accountability, part I

In the latest Draft of the “Commercial Privacy Bill of Rights Act of 2011,” the first Title, “Right to Security and Accountability” is actually quite short – in fact, the Right to Security section contains just 53 words. The key provision reads, “…to require each covered entity to impose reasonable security measures to protect covered information it collects and maintains.”

First, what is a “covered entity?” The Act defines a covered entity as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period. Keep in mind that a “person” here can also be a corporation, a non-profit organization, or any other entity over which the Federal Trade Commission has authority.

In other words, the Act will reach just about every size and type of organization that collects records on more than 5,000 people in a year. That is a huge scope!

Next, what is “reasonable security?” Although the phrase may seem vague, it has a settled meaning: in law, the “reasonable” standard is generally what is fair and appropriate under usual and ordinary circumstances.

Here the industry, both attackers and security vendors, will play a significant role in defining what “reasonable security” means in practice. Having a firewall is certainly a start. But is a firewall from 2003 “reasonable” by today’s standards? Possibly not. Attack techniques evolve constantly, and a traditional firewall from even a few years ago may not be capable of meeting today’s reasonable security needs.

Next we answer what is “covered information.” Covered information means personally identifiable information (PII), unique identifier information (UII) and any information that is collected, used or maintained in connection with PII or UII that may be used to identify an individual.

Some industry regulations, such as PCI DSS, have similar requirements, so for many businesses this is nothing unusual. The Act specifies that home addresses, email addresses, telephone numbers, cookies, user IDs, as well as the usual suspects of social security numbers or other government issued identifiers are all “covered information.”

Bottom line: Personal privacy is worthy of protection, which is exactly what this Act aims to achieve. The scope of this Act will certainly mean that nearly every business will have to, at a minimum, reexamine their security posture to ensure that they are reasonably secure. In the wake of the Epsilon breach, the “Right to Security” seems unquestionable. What remains, then, are the questions of the other provisions in this Act, and what they mean to consumers and businesses.

More to come on part two, where we examine the second half of Title I, “Right to Security and Accountability.” There we analyze the impact of “accountability.”

The “Privacy Bill of Rights” – A WatchGuard Perspective

“Whenever industry fails to self-regulate, government will fill the void with legislation.” You can quote me on that.

Currently, the security industry fights a war on many fronts. On one end of the spectrum we have industry regulations, such as PCI DSS, which mandates how credit card/payment card information is secured. On the other end we have government regulations, such as CIPA (Children’s Internet Protection Act) or HIPAA (Health Insurance Portability and Accountability Act), which regulate data protection for schools and libraries and for health care providers, respectively.

Now, we face one of the largest government acts of its kind, the “KerryDraft – Privacy Bill of Rights.” Although it is not law now, should it become law, businesses and consumers will see broad and sweeping changes to how consumer data is managed and protected.

Here are the key tenets of the Privacy Bill of Rights:

• Right to Security and Accountability
• Right to Notice and Individual Participation
• Right to Purpose Specification; Data Minimization; Constraints on Distribution; Data Integrity
• Voluntary Enforceable Codes of Conduct Safe Harbor Programs
• Co-Regulatory Safe Harbor Programs
• Application with other Federal Laws
• Development of Commerce Data Privacy Policy in the Department of Commerce

Obviously, this is a lot for businesses and consumers to digest. In the posts that follow I will break these points out in greater detail and provide in-depth analysis and commentary so that you can better understand the impact of this Act.

A year ago, Senators Kerry and McCain would have faced an uphill battle in pushing this legislation forward, but given the latest high-profile security fumbles (need I say Epsilon?), it follows that this Act may very well become the next big regulatory change for the industry. Stay tuned!

Richard Stiennon Interviews WatchGuard’s Aarrestad

Richard Stiennon, chief research analyst with IT-Harvest and industry luminary, talks with WatchGuard VP, Eric Aarrestad about the latest trends in IT security, UTMs, web-based threats, Application Control and more…


Interview with Eric Aarrestad, VP Marketing, WatchGuard from Richard Stiennon on Vimeo.

If you ever wanted to get an in-depth perspective on WatchGuard or wondered what industry analysts are asking about the company and its products, then this is a video for you.

Around the 11:00 minute mark, Richard asks Eric about WatchGuard’s platform – and one thing that Eric hits upon is how the company leverages the latest and greatest from Intel.  Unlike other vendors who use old, proprietary chipsets, or “you-buy-cheap” silicon, WatchGuard values the solid reliability, consistency and enterprise-class performance gained by using Intel-based processors in its security appliances.

This is something that WatchGuard doesn’t make a lot of noise about, but it’s a great example of the little things that WatchGuard does right in moving security forward.

Security and Voice over IP

Today, WatchGuard announced that it is teaming up with Mitel to provide voice over IP (VoIP) protection for Mitel’s unified communications (UC) solutions. So, why does this matter?

Expectations are that half of small-to-medium sized businesses and two-thirds of all enterprise organizations use VoIP. Because of that ubiquity, VoIP has emerged as a significant threat vector for businesses large and small worldwide.

The following are the leading threats to VoIP/UC networks:

  • Denial of Service (DoS) – As with DoS attacks on data networks, VoIP DoS attacks flood the service with traffic, such as call requests (INVITE) and registrations (REGISTER), until it fails. These attacks often target SIP (Session Initiation Protocol) servers and extensions, exhausting server resources so that callers hear busy signals or are disconnected.
  • Spam over Internet Telephony (SPIT) – Like most e-mail spam, SPIT is generated by botnets of compromised systems that target millions of VoIP users. Like junk mail, SPIT slows system performance, clogs voicemail boxes and costs users time.
  • Voice Service Theft – Service theft occurs when an unauthorized user gains access to a VoIP network, usually with a valid user name and password or through physical access to a VoIP device, and places outbound calls. Often these are international calls that exploit VoIP’s toll-bypass capabilities.
  • Registration Hijacking – In a SIP registration hijack the attacker sends forged REGISTER requests that remove a valid user’s registration and replace it with a Contact pointing at the attacker’s own IP address. Incoming calls for that user are then delivered to the attacker, who can intercept, reroute, record or drop them at will. The attack works wherever the registrar accepts unauthenticated or weakly authenticated REGISTER requests, so requiring digest authentication and TLS for signaling is the primary defence.
  • Eavesdropping – Like data packets, voice packets are subject to man-in-the-middle attacks. On a LAN the attacker typically uses ARP spoofing, answering ARP requests so that both parties send their frames to the attacker’s MAC address, which forces the voice stream through the attacker’s system. The attacker can then reassemble the voice packets and listen to the conversation in real time, and can also harvest user names, passwords and VoIP system information from unencrypted signaling.
  • Directory Harvesting – Directory harvesting finds valid VoIP accounts by brute force. The attacker sends thousands of requests (for example SIP REGISTER, INVITE or OPTIONS) for guessed user names or extensions to a VoIP domain. Most come back as invalid (typically 404 Not Found), but the server answers differently for accounts that exist (for example 401 Unauthorized or 200 OK), so the responses reveal which addresses are real. The harvested directory becomes a target list for other VoIP threats such as SPIT, vishing or password guessing.
  • Vishing (Voice Phishing) – Vishing mimics traditional phishing: it tries to get users to divulge personal and sensitive information such as user names, account numbers and passwords. The attacker spams (or “spits”) users with a message that lures them into calling a fake bank or service-provider number to “verify” account information. Once valid details are given, criminals sell the data or, in many cases, directly siphon funds from credit cards or bank accounts.
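
The two SIP-specific items above, registration hijacking and directory harvesting, leave patterns in registrar logs that a firewall or SIEM can look for. The following is an added example for this post, not WatchGuard or Mitel code, and it runs over a constructed, simplified log format (one line per SIP transaction: timestamp, source IP, method, target user, optional Contact and Expires, and the response status) rather than any real PBX’s output. It flags a source that collects 404 Not Found answers for many distinct users in a short window (harvesting), a de-registration (Expires: 0) sent by a host other than the one that registered the user, and a subsequent REGISTER from that host that moves the user’s Contact (the hijack):

```python
"""Heuristic detection of SIP registration hijacking and directory harvesting.

Added example for this post (not WatchGuard or Mitel code). The log format is a
constructed, simplified one-line-per-SIP-transaction format, not any real PBX's:
    <epoch> <src_ip> <METHOD> <user> [contact=<ip>] [expires=<secs>] -> <status>
"""
import re
from collections import defaultdict

# Constructed sample: alice and bob register normally, then 203.0.113.7 probes
# extensions (harvesting), de-registers alice and re-binds her to itself (hijack).
SAMPLE_LOG = """\
1000 198.51.100.10 REGISTER alice contact=198.51.100.10 expires=3600 -> 200
1005 198.51.100.11 REGISTER bob contact=198.51.100.11 expires=3600 -> 200
1100 203.0.113.7 INVITE 1001 -> 404
1101 203.0.113.7 INVITE 1002 -> 404
1102 203.0.113.7 INVITE 1003 -> 404
1103 203.0.113.7 INVITE alice -> 401
1104 203.0.113.7 INVITE 1005 -> 404
1105 203.0.113.7 INVITE 1006 -> 404
1200 203.0.113.7 REGISTER alice contact=198.51.100.10 expires=0 -> 200
1201 203.0.113.7 REGISTER alice contact=203.0.113.7 expires=3600 -> 200
1300 198.51.100.11 REGISTER bob contact=198.51.100.11 expires=3600 -> 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<user>\S+)"
    r"(?: contact=(?P<contact>\S+))?(?: expires=(?P<expires>\d+))? -> (?P<status>\d{3})$"
)

HARVEST_WINDOW = 60        # seconds
HARVEST_MIN_UNKNOWN = 5    # distinct unknown users answered 404 within the window


def parse(log):
    """Yield one event dict per well-formed line; anything else is skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = int(ev["ts"])
        ev["status"] = int(ev["status"])
        ev["expires"] = None if ev["expires"] is None else int(ev["expires"])
        yield ev


def detect(log):
    """Return alerts as (ts, rule, detail) tuples in log order."""
    alerts = []
    bindings = {}               # user -> {"contact", "src"} of the last accepted REGISTER
    probes = defaultdict(list)  # src -> [(ts, user)] for requests answered 404
    harvest_reported = set()

    for ev in parse(log):
        ts, src, user = ev["ts"], ev["src"], ev["user"]

        # Directory harvesting: one source collecting 404s for many distinct users.
        # Existing users answer differently (401/200 here), which is what leaks the directory.
        if ev["status"] == 404:
            probes[src].append((ts, user))
            recent = {u for t, u in probes[src] if ts - t <= HARVEST_WINDOW}
            if len(recent) >= HARVEST_MIN_UNKNOWN and src not in harvest_reported:
                harvest_reported.add(src)
                alerts.append((ts, "directory_harvest",
                               f"{src} probed {len(recent)} unknown users in {HARVEST_WINDOW}s"))

        if ev["method"] != "REGISTER" or ev["status"] != 200:
            continue

        current = bindings.get(user)
        if ev["expires"] == 0:
            # De-registration from a host other than the one that registered the user.
            # The record is kept so the re-binding that follows can be compared with it.
            if current and current["src"] != src:
                alerts.append((ts, "foreign_deregistration",
                               f"{src} removed {user}'s binding registered by {current['src']}"))
            continue

        # Hijack pattern: a different source moves the user's Contact to a new address.
        if current and current["src"] != src and current["contact"] != ev["contact"]:
            alerts.append((ts, "registration_hijack",
                           f"{user} re-bound to {ev['contact']} by {src} "
                           f"(was {current['contact']} via {current['src']})"))
        bindings[user] = {"contact": ev["contact"], "src": src}

    return alerts


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

Both the thresholds (60 seconds, five unknown users) and the two registration rules are heuristics. A user who legitimately moves a phone to a new IP address produces the same binding change as a hijack, so in production pair these rules with the registrar’s authentication logs and an allow-list of known endpoint networks, and remember that the real fix for hijacking is to require digest authentication and TLS on REGISTER in the first place.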

Why WatchGuard for VoIP and UC protection?

Easy. WatchGuard was the first UTM vendor to integrate SIP and H.323 application-layer proxies into its firewalls. This means IP voice traffic can be inspected and secured like everything else on the network, which is why Mitel and other VoIP and UC vendors trust WatchGuard to protect their systems.

Rising Costs of Data Loss

One of the challenges that businesses regularly face is how to balance the known costs of network, application and data protection against the unknown costs of a data breach or series of breaches. Often, business owners or IT staff are left to guess or, worse, fail to acknowledge the costs and consequences of a significant breach of information.

Thanks to the Ponemon Institute, new research is available to help gauge the cost of a data breach. Some key figures from that research:

  • 7% – the increase in data breach costs in 2010
  • $214 – the average cost per individual record compromised
  • $7.2 million – the average organizational cost of a data breach

Additionally, the research shows that malicious acts were the root cause of 31 percent of the breaches studied, up significantly over the last two years. But the leading cause of data breaches remains negligence: a whopping 41 percent of breaches are due to negligence in protecting and safeguarding sensitive data.

What can a business glean from this? Take the recent example of the University of South Carolina, where 31,000 individuals’ private information, including social security numbers, was exposed online. At $214 per record, a quick calculation shows the University faces a potential cost of $6.6 million.

But obviously not all data breaches cost the same. Maybe a better example is the recent settlement made public in Massachusetts, where the Massachusetts Attorney General reached a $110,000 settlement with a restaurant group that allegedly failed to protect patrons’ personal information.

The Briar Group LLC, owner and operator of the Boston-based restaurants and bars, allegedly failed to take proper steps to keep payment card information safe. In addition to civil penalties, the Briar Group must comply with state data security regulations and payment card security standards (PCI DSS), and must establish and maintain an enhanced network security program going forward.

If one applies the Ponemon cost per record to the Briar Group, the $110,000 settlement would correspond to only 514 lost customer records. Keep in mind that the breach lasted eight months; it seems unlikely that only 514 records were compromised in that time, and the actual number is almost certainly much higher. Bear in mind, too, that a settlement is a regulatory penalty, not the company’s total breach cost: the Ponemon figure also counts detection, notification, legal work and lost business, none of which the $110,000 reflects.

In the spectrum of data breach costs, the $110,000 settlement appears to be on the very low end of the scale.  What is not accounted for is the loss of public trust and the brand damage to the Briar Group and their restaurants and bars.  It’s hard to say what those damages will be.

Bottom line: data breach costs are going up. With an average cost of $7.2 million per breach event, the expenditures to protect networks, applications and data suddenly appear minuscule. As Benjamin Franklin said, “an ounce of prevention is worth a pound of cure.” Too bad that the Briar Group didn’t take that advice.
