As some of you may know, the Stuxnet worm (and Conficker) has been running amok on both private and corporate networks. Malware spreading via USB devices is a constant source of new threats. The latest development of Stuxnet exploits zero-day vulnerabilities to target supervisory control and data acquisition (SCADA) and other industrial systems. Such systems are used to control pipeline pressure or motor work rates on industrial factory floors, in environments such as oil pipelines, power plants and factories.
Conficker/Stuxnet detects platforms that have SCADA systems installed and uses Windows vulnerabilities to gain access and spread through the network. In light of current events and the continuous spread of the worm through USB ports and USB portable devices, endpoint security and data loss prevention solution developer CoSoSys has created a four-step strategy against Stuxnet that is extremely easy to implement.
At the RSA Conference 2008 taking place in San Francisco, IBM stated that it is going to leave the security business and start providing sustainable solutions instead. The declaration was made by Val Rahmani, general manager of IBM ISS and of security and privacy for IBM Global Technology Services, and was quoted by Dark Reading:
“The security industry is flying by the seat of its pants,” Rahmani said. “Security infrastructure has been dictated by the bad guys… as new threats arise, we put new products in place. This is an arms race we cannot win.”
So, how does IBM define the creation of sustainable business?
Business sustainability is all about building security into systems and processes, she said. “If we really want to get ahead of the threat, we need to start thinking about re-engineering our businesses and processes. We need to make them more secure and compliant by design, and we need to move more security and compliance technologies into the fabric of our standard infrastructure and application environments.”
“It’s time to give up on the fantasy that education and antivirus will cure consumer security woes. It is not up to consumers to protect themselves. It is not their problem. It is our problem, because online commerce is not sustainable if it is not inherently secure. And the only way to make it inherently secure is to take ownership of the security problem.”
Fighting Trojans, worms, insider attacks, and outsider attacks one by one is futile, she said.
Interesting approach indeed! However, I can’t help noticing how, in this view, the security industry is reduced to antivirus applications (antispam solutions are not even mentioned). In a technological world where most security solutions are moving towards standards compliance, and where niche security fields such as endpoint security stress the need to manage threats and keep the benefits instead of blocking threats and benefits alike, the IBM position seems to come a bit late. IT security is definitely more than trying to keep viruses away; maybe someone should tell IBM about it.
The FTC decision in the ValueClick case opens the door for enterprises to be held responsible for negligence and for failing to implement the security measures required to deliver the user data protection they promise.
“The FTC ruling sends a powerful message to the business community,” says Scott Kamber, a partner at Kamber Edelson LLC, a legal firm that specializes in cyber security law.
“In the past, companies that failed to protect customer data have argued that they are immune from prosecution unless consumers can directly prove that they suffered harm from the breach of their personal information,” Kamber explains. “Given that hackers are generally pretty good at covering their tracks, this argument — if accepted — would mean that few companies would have to account for their negligence.”
With the ValueClick settlement, Kamber says, “the FTC has made clear that common sense will prevail over technical legal arguments, at least when it comes to governmental sanctions. We believe the FTC’s ruling will help with the current cases we are prosecuting, as well as future ones we are contemplating.”
With laws imposing clear requirements on companies, they will no longer be able to hide behind vague security claims, and data loss prevention will become a major concern for all those dealing with private records. Hopefully, these laws, supported by international standards, will help prevent fraud, data loss and theft, and other types of security breaches.
A supermarket chain based on the US East Coast has recently discovered and contained a security breach that exposed over 4 million credit and debit card numbers and led to 1,800 fraud cases.
According to a Hannaford Bros. grocery chain statement cited by Yahoo News, the card numbers were stolen during the card authorization process and about 4.2 million unique card numbers were exposed. Given the scale of the exposed data, this is one of the largest data breaches ever reported, although it is still far from the largest, the TJX incident.
Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough.
“We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”
The breach affected all of the roughly 300 chain stores and independent groceries that sell Hannaford products. No other information such as names or addresses was exposed, but the account numbers alone were enough to commit fraud for over 3 months. The names or aims of those responsible have not been disclosed, with both state security agencies and MasterCard/Visa representatives giving limited comments on the issue.
Although US government agencies fall short when it comes to protecting private data, their level of security apparently improved throughout 2007, according to an analysis of their compliance with the Federal Information Security Management Act (FISMA) of 2002. This is the core finding of a report recently issued by the Office of Management and Budget and quoted by SecurityFocus.
The Inspectors General for 22 of the 25 agencies required to comply with FISMA inventoried at least 80 percent of their systems in 2007, compared with 20 agencies that had reached that milestone in 2006. While an improvement over the previous year, only two-thirds of the IGs claimed that their auditing processes were rated “satisfactory” or better.
The increased awareness of their systems has also caused the agencies to report more attacks, the report stated. In 2007, incidents reported to the US Computer Emergency Readiness Team (US-CERT) jumped to 12,986, an increase of 150 percent over the previous year. While nearly a third of the incidents were alarms created by US-CERT’s EINSTEIN network monitoring system and remain uncategorized, about a quarter were classified as improper usage and about 15 percent as unauthorized access, according to the OMB report.
OMB identified the four stars of the compliance efforts as the National Aeronautics and Space Administration (NASA) and the Departments of State, Treasury and Defense, all doing a great job at complying with FISMA. The Department of Defense, however, did not do that great. It looks like security policies and compliance fall short for this particularly important agency.