Wednesday, May 21, 2008

"Password protected" again

The BBC reported that over 38,000 patients' confidential health records have gone missing on a backup tape from an NHS Health Centre on the Isle of Wight. The tape was lost by a courier firm en route back to the centre after having been checked for integrity. Though the centre was clearly concerned about data integrity, confidentiality seems to have been further down their priority list:

"The risk of the tape being misused is extremely small," the trust spokesman added. "The tape requires specialist computer equipment to run it and the data is password-protected. Highly advanced computer skills and/or access to a specialist programme only normally used by GPs and the data verification company are needed to make any sense of the information on the tape."


The 'specialist computer equipment' is presumably some sort of tape drive. OK, so it's not the kind of thing that everyone has lying around in their bedroom, but some do, and specialist data recovery firms almost certainly have them. The 'highly advanced computer skills' needed to read the data are probably not beyond the average IT geek, especially a hacker with sufficient motivation to explore the tape.

But the really strange comment is that "the data is password-protected". If the spokesman meant that the data were encrypted with a trustworthy encryption algorithm and a strong, long key, why didn't he say so? "Password protected" is normally how missing laptops are described if they don't use encryption. I don't understand how one would 'password protect' a tape.

So, this looks to me like yet another serious personal data breach in the UK, one evidently involving medical data that could well be more sensitive than, say, credit card numbers.


Tuesday, March 25, 2008

Desperate for data on 25m Brits FINAL UPDATE?

The BBC reports that a substantial reward is on offer for the return of two CD-ROMs that went missing in the post en route between two Government offices. They have searched numerous offices (including TNT, a well-known courier company) and at least one rubbish tip, and have completed some forensic analysis (presumably looking to see if individuals implicated in the incident might have something to hide), but these all came up blank. Having forlornly scaled down the search, a cash reward is now on offer and the British populace is warned to keep an eye out for identity theft or similar incidents.

The report notes several other personal information breaches at the Department concerned, and low staff morale as a result of the latest one. Given the sorry history of incidents, heads should roll. If public servants cannot be trusted to protect sensitive information provided to them by the public they serve, the public have every right to withhold information - but the civil disruption this would cause has far-reaching consequences.

UPDATE 19th Jan: more stories of improper disclosure of personal information by officials are adding to the Government's woes, and more importantly increase the risk of identity theft of British residents. Today we read that (1) a Ministry of Defence laptop, stolen from a car (doh!), contained personal details on 600,000 applicants to join the forces, some of whom will have provided the full nine yards necessary to undergo security clearance; and (2) papers containing personal data on benefits claimants were found strewn across a West country roundabout, for at least the second time in two months. The man who discovered the latest batch of papers found and reported a similar load at the same place in November. We don't know if any more papers might have been lost or abandoned there and discovered by criminals during the last two months, or indeed previously or subsequently. ['Strewn across a roundabout' is a rather extreme example of "unstructured data". An article in December 2007's ISSA Journal on managing unstructured data patiently explains how to get a grip on unstructured data in ten steps, most of which are virtually impossible to do in any Real World organization and all of which ignore paper records. Data Leakage or Loss Protection (DLP), another security industry buzzword, likewise deals with a small part of the problem, and not very well at that. \rant]

Who will be held accountable for these security screwups? Will anyone lose their job, be fined or end up in prison as a result? Somehow I doubt it. It is the British Government after all. A press release on AccountingWeb says:
"The Information Commissioner, whose office was established to protect personal information and take appropriate action where the law is broken, described the scale of the loss as “unprecedented” and stated that data protection laws have almost certainly been breached. This loss of information serves as a timely reminder to businesses and organisations that they are legally obliged to ensure the safety of personal information relating to individuals."


UPDATED Jan 20th: a USB stick lost by a hospital worker had personal details of thousands of patients but apparently it's OK because "The loss was an accident rather than any systematic failing in management and governance". I assume from the BBC item that the data on the memory stick were not encrypted. What's more, "diaries containing patients' names and addresses were stolen from staff cars in two separate incidents in June." There are two good examples of "a systematic failure of management and governance", and here's a third: local management evidently decided not to inform the patients about the loss of their personal data because, in their estimation, the data could not be used for identity theft. I hope the patients concerned will complain and the Privacy Commissioner will prosecute the hospital under the Data Protection Act.

UPDATE 22nd Jan: the MoD (that's Ministry of Defence, yes, Defence, Her Majesty's Government department charged with, and paid vast amounts of taxpayers' money to protect the Realm and maintaining the freedom of her people) has now revealed that it has lost laptops with sensitive personal data on potential recruits at least twice before. With typical British understatement, shadow defence secretary Liam Fox called it a "dreadful mess". He really is awfully, awfully sorry.

"Data on the laptop stolen in Edgbaston on 9 January included passport, National Insurance and driver's licence numbers, family details and NHS numbers for about 153,000 people who applied to join the armed forces. Banking details were also included for around 3,700 people ... It is clear that the database files were not encrypted, in breach of MoD procedures ... Some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004."


The same BBC news story reports that:
"The new rule on laptops comes in an e-mail from the Civil Service chief, Cabinet Secretary Sir Gus O'Donnell, to all government departments. It said: "From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises. Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance."


New rule? NEW RULE! From now on!! Someone has evidently been asleep at the wheel. The situation is completely out of hand in the UK. Government departments cannot ignore the law and have a clear duty to protect the personal information entrusted to them by citizens. They need to be held to account. If not, citizens will, quite justifiably, withhold their information from public bodies, like for example the tax office and social security department ... and there lies the route to anarchy.

UPDATE Jan 26th: The BBC reports that:
"Marks and Spencer has been found in breach of data protection rules after the theft of a laptop containing the personal details of 26,000 employees. The Information Commissioner's Office (ICO) said the data on the laptop, which was stolen from the home of an M&S contractor, was unencrypted. The ICO has ordered M&S to make sure all laptop hard drives are fully encrypted by April 2008."

So it would appear that laptop encryption is now mandatory in the UK for any organization handling personal data!

UPDATE 5 Feb 15th: 5,000 patients of a Dudley hospital face anxiety over possible identity theft thanks to the theft of a laptop. We're told the laptop was "password protected" which, as we all know, is spin on "not encrypted".

"A spokesman for the trust said the laptop and database were protected with two separate passwords, making it very difficult to access. He added: "We would like to apologise for any concern this matter has caused those patients affected and would like to reassure them that the information on the database is unlikely to be recoverable."


Yeah, right.

UPDATE #6 22 Feb 08: personal medical records on 3,000 patients in Bolton were dumped in landfill. Eee, it's grim up North.


UPDATE #7 Leapday: some good news at last! A laptop and CD which appear to have belonged to the Home Office have been recovered by Police after they were purchased on eBay and sent to a repair shop. Even better news is that the CD and laptop were encrypted. Police are investigating how it ended up there. The repairman should be congratulated for reporting it. As to whether Al Qaida is now moving into the laptop repair business, we can only speculate.

UPDATE #8 - the final update? With no end in sight, I'm getting bored of this blog item, so it's time to close with perhaps just a little hope for the future. I've just chanced across a Liberal Democrat's blog listing several security/privacy incidents that I've mentioned here and a few more for good measure. The blogger, Frank Little, describes himself as a semi-retired hack computer programmer. I'm not entirely sure if that's hack as in journo or hack as in hacker, but at least he has an obvious interest in the UK's data protection mess. Vote wisely at the next election!


Friday, February 01, 2008

A modern Doomsday

Middle-Eastern Internet services have been severely disrupted by the failure of an undersea cable linking Egypt to Italy. There are backup connections, of course, including satellite and other cable connections but their capacity is limited, hence Internet traffic in some countries in the region is experiencing delays and probably failed connections due to timeouts.

Thanks to packet switching technology and multiple routes, the Internet as a whole is highly resilient. Undersea cables can often be repaired within days or weeks. But imagine what would happen if the Internet went down, and stayed down. Not 'stayed down for a few minutes' or hours or even days, but for an extended period perhaps indefinitely.

There are various horrific scenarios that could cause this to happen e.g.:
- Widespread technology failure, disrupting the packet switching backbone;
- Deliberate action by one or more nation states in wartime, severing critical connections and/or injecting massive amounts of spurious traffic at multiple points to disrupt;
- Natural events such as solar flares/X-ray emissions from the sun, storms etc. damaging critical equipment and links;
- Cyberterrorist attacks on the Domain Name Systems or other critical elements of the Internet, perhaps combined with conventional terrorist attacks on key nodes, cables and satellite ground stations;
- Worms or other malware, in other words, software agents swamping or damaging the network;
- "Something else" - the classic contingency planning scenario. We don't know exactly what might happen. It could be something completely novel and unanticipated or a chance combination of more than one type of event, known as 'bad luck'. For true contingency planning purposes, the exact cause and nature of the incident is irrelevant: we need to be ready to cope with whatever actually happens.

With a moment's thought, the horrendous consequences of such an incident start to become clear. The developed nations are highly reliant on the Internet and would suffer economic and social consequences very quickly. Developing nations are also actively using the Internet for eCommerce and communications with the rest of the world. The Internet has penetrated even the least developed third-world countries, and disruption to first world aid programs would have consequences there too.

We're hardly on the same scale as Google, eBay and Amazon but at a local level, our own small business would suffer within days if the Internet went down. We use the Internet for marketing and promotion, sales and delivery, research and communications. There are fallback delivery mechanisms - sending CD-ROMs in the post or direct dial-up access - both of which are limited, wouldn't work very reliably and would increase our costs. We could resort to old-fashioned research methods but would miss the ready, free access to up-to-date information security news from around the globe. Our marketing and sales would suffer the most as conventional print, TV and radio advertising is far more expensive and limited in scope. That, in a nutshell, is our own risk assessment.

Larger e-enabled businesses (such as the entire financial services industry) would suffer immediate problems; others might hardly notice at first, at least until their suppliers, partners and/or customers started to fail. Government departments and utilities would suffer quite quickly, causing knock-on effects as the national infrastructures started to unravel. If petrol companies and airlines were disrupted, well, we'd have to get used to walking or cycling to work, if indeed work existed. Civil disruption could have serious consequences for personal safety and security.

We're just a few paragraphs into this very brief overview but the 'worst case scenario' is shaping up badly. This is starting to sound like one of those science fiction doomsday stories.

On the upside, TV, radio and print media would be severely disrupted too so we might not get to hear too much about the civil disruption outside our barricaded front doors. Some of us will retreat to our caves.

What kind of contingency plans would or could you make for "the Internet is down"? Some of the more obvious things might be to retain or stockpile ordinary modems (assuming that the telephone networks are running ... but, oh dear, they are using VOIP and, no doubt, sharing a lot of the Internet technologies and links) and generally retain (or rather rebuild) the ability for non-electronic commerce and communications.

More resourceful organizations might build their own private networks to run in parallel with the Internet - such as the financial services, military and other special purpose networks. These are expensive but the greater concern is to ensure they are adequately isolated from the Internet in fact. Supposedly private bank ATM networks have been known to crash due to Internet worms so finding and closing those worm-holes must be a priority. That's definitely something we can do today.

What else would you suggest in the way of contingency measures? Any ideas you'd like to share? Just post a comment ... while your Internet connection is still running, please.


Wednesday, January 30, 2008

Plan B


Despite our best intentions and investment in a range of preventive security controls, serious incidents and disasters may still interrupt IT systems and impact the business processes which they support. As some say, **it happens. Just when everything is running sweetly, something unanticipated occurs, revealing that Plan A is not quite so perfect after all.

Contingency planning (Plan B) puts us in a better position to survive any disaster by:
1) Managing the immediate crisis professionally and confidently;
2) Keeping the organization’s essential processes and systems running despite the event through resilience and continuity planning; and
3) Recovering non-essential processes and systems as soon as possible thereafter through disaster recovery planning.

The time to plan for a disaster is now, when things are going well: planning during a disaster will be too late.

As always, this month’s NoticeBored module provides a range of high quality security awareness materials aimed at staff, managers and IT pro’s. We found it relatively easy to write a detailed 9-page white paper on Disaster Recovery for IT and a 5½-page management briefing on Plan B. Crunching the key facts into one-page staff, management and technical briefings was harder, and doing so without losing the plot was quite tough. Our solution was to put the subject in context for each audience:
- We encourage ordinary employees to find out about their department’s contingency plans and draw up their own personal Plan B;
- For managers we point out their governance responsibilities and highlight the risk management advantages of thinking ahead and preparing for the worst;
- Technical aspects of high availability systems architecture and DR are of interest to IT people, and it doesn’t hurt to emphasize IT’s critical role in keeping the average corporation on the air.


Saturday, January 26, 2008

And yet another bad office day

A woman mistakenly thinking she was about to be fired allegedly took revenge on her employer by going into the office late one evening and deleting data files worth $2.5m. Although the deleted data were later retrieved (whether from backups or by 'undeleting' them is not stated), the potential remains for trusted insiders with access to corporate IT assets to cause enormously costly damage by sabotage.

Deliberate or accidental sabotage by backup operators is a tough threat to control against. They have both physical and logical access to servers and their data, often work unsupervised out-of-hours, and are mostly relatively junior staff. Trust is the primary control, though many would argue that it is no control at all, merely blind faith in many cases. The risks can be reduced by various security control measures, such as:
- Alternating backup operators
- Combining on- and off-site backups
- Tightly controlling physical access to backup storage and especially archives
- Closer management supervision and/or physical monitoring of trusted employees working in the data center
- Better training and automation of backup processes, reducing the need to give backup ops unrestricted logical access to data
- Better HR processes for monitoring employees in such trusted positions and more respect for the valuable jobs they perform.


Another bad day at the office

A software error during routine maintenance caused an ISP, Charter Communications, to delete the contents of 14,000 customer email accounts.

"Charter gives each new Internet user a free e-mail account, but some customers opt to use other accounts instead. So every three months the company deletes inactive accounts, Lamont said. "During this maintenance we erroneously deleted active accounts along with the others," Lamont said. "It's never happened before. They are taking steps to make sure it never happens again."


The news article doesn't mention whether the "software error" was an unfortunate and evidently untested change to the maintenance scripts (indicating a hole in their change management processes), a genuine bug in the code (possible I guess), or a simple human error by an operator/systems manager (seems entirely possible). Since the lost email accounts disappeared forever in a puff of logic, it seems the ISP had no backups of customer data - not just 'no recent backups' but 'no backups whatsoever' (a gaping hole as far as their customers are concerned but no doubt a legitimate money-saving measure from the ISP's perspective).

This incident cost the ISP $50 credits to the affected customers, presumably rather less than 14,000x$50 ($700k) as some will defect before using up all their credit. The reputational damage could be even costlier, although the truth is that such unfortunate incidents can and indeed occasionally do strike most organizations.

The Silicon Valley piece ends rather lamely with "Computer experts advise backing up all important e-mail.", implying in effect that customers are to blame for losing their emails. In some ways that is true (presumably any small businesses or power users will have been using local email clients such as Outlook to download and read their emails and so should have local backup copies) but I would advise Charter Comms to look long and hard at its information security arrangements.


Thursday, January 10, 2008

Having a bad day at the office?

An IT systems administrator, fearing that he was about to be laid off, planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.

This story touches on quite a number of security topics:
- He was a trusted insider who went bad
- Logic bombs are a form of malware
- His office/day-job gave him privileged access to the company's IT assets
- Weak change management process controls did not prevent the bomb being installed
- The logic bomb had one or more bugs in the program/script
- Nevertheless it sparked a security incident
- He was called to account for the damage
- There was legal and presumably corporate policy noncompliance
- The risk of recurrence presumably remains

All in all, a nice multi-purpose security awareness case study.

PS The official US DOJ press release about the conviction is dated "Dec 8 2008", an integrity failure to boot.


Tuesday, January 08, 2008

Clarkson eats humble pie

Arrogant British motoring journo Jeremy Clarkson, star of Top Gear, pooh-poohed the potential for identity theft after millions of benefit claimants' personal details were lost recently. He claimed personal information is freely available when people write cheques etc. and even published his own bank details in a newspaper to push the point home.
Well, someone evidently took up the challenge and committed Clarkson to a Direct Debit payment of £500 to a charity. Clarkson has now done a swift U-turn, admitting he was wrong and deserved to be punished. The BBC reports him saying:
"Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."

Whether that is the end of his troubles remains to be seen. He's probably got that nagging identity theft victim's feeling that someone is still spending his money, living his life, opening lines of credit in his name ...


Wednesday, December 19, 2007

UK insurance firm fined for pretexting incidents

The UK's Financial Services Authority has fined insurer Norwich Union £1.26m as a result of inadequate protection of customers' personal data:

"The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders. Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered. The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006. The FSA says its investigation found that Norwich Union Life failed to properly assess the risks posed by financial crime and as a result, its customers were more likely to fall victim to identity theft."

The official FSA report makes interesting reading, disclosing for instance that fraudsters were using information obtained legitimately from public records held at Companies House to respond to authentication questions.

The company has since smartened up its act with better policies, procedures and (hopefully) compliance activities but I doubt that even it would claim to be immune to social engineering risks. Pretexting is a relatively cheap and easy form of attack and the juicy personal data in such databases is clearly luring fraudsters.


Wednesday, December 12, 2007

Carelessness threatens privacy

Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft:

1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea.

2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another.

3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust.

If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper but CD-ROMs or DVDs seem so insignificant.

Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situations, along with encryption of anything confidential and care over the encryption keys.


Thursday, December 06, 2007

Info for SysAdmins/Infosec Managers on WPAD

A new Microsoft Advisory gives further details of the WPAD (Windows Proxy AutoDiscovery) vulnerability recently disclosed at Kiwicon, New Zealand's first hacker conference.

The vulnerability relates to the way that Windows systems set to autoconfigure their web proxy settings go looking for the configuration file. If they don't find one on the local network, they go up the DNS tree and, under some circumstances, end up looking for a host called wpad.co.nz or wpad.co.uk or whatever. If some enterprising haxor has registered one of these domains, they have the ability to create and offer malicious proxy configuration files, and can subsequently control the way vulnerable machines access the Web.

Microsoft offers workarounds pending a proper fix of the wpad logic. Turning off wpad is one solution, though I'm not sure whether this can be configured for all machines in a domain using Group Policy, so it may require each machine to be configured. Similarly, there's a registry hack that needs to be applied on every machine. Another fix is to create a wpad server and offer a legitimate proxy config file ... but make sure it is a high-availability machine since a denial-of-service attack on it would presumably reopen Pandora's box.

Good luck!


Wednesday, September 26, 2007

Credit card numbers posted on eBay forum

Someone appears to have posted a load of personal data including credit card numbers on an eBay discussion forum, paradoxically one on trust and safety. Around 1,200 eBay users' details may have been compromised.

Why anyone would do this remains a mystery. Is it just some sort of publicity stunt, or a hacker's brag?

eBay shut down the forum and pulled the pages about an hour after being informed of the incident. There's more about the incident on an eBay blog.

"eBay spokesperson Nichola Sharpe said Tuesday afternoon that posts made on the Trust & Safety board early this morning contained name and contact information for 1,200 eBay members and called the person posting the information a "malicious fraudster." She said the incident was not the result of a security breach from eBay and could have been obtained as part of an account takeover."

It's possible that a merchant's account may have been compromised, I guess.


Monday, September 17, 2007

Viagra spam from Pfizer computers

A story in Wired shows that even major corporates are vulnerable to hackers and spammers. At least 138 Pfizer computers have been blacklisted for distributing spam for drugs such as Viagra, a Pfizer product, and Cialis, a competitor's product. The computers have presumably been taken over as 'bots' or 'zombies', remotely controlled by the hackers and used to distribute spam. It is entirely possible that the compromised machines have access to Pfizer's valuable proprietary information. Previous stories about Pfizer employees using peer-to-peer software, for example, indicate the kinds of information security weaknesses that could have led to the infections but, not surprisingly, Pfizer is not saying much about it.


Friday, September 14, 2007

McLaren fined $100m

The McLaren-Ferrari industrial espionage incident is drawing to a close with McLaren being fined $100m by the FIA and losing all their points in the constructors' championship. McLaren's drivers who top the drivers' championship have been spared the whip, thanks in part to their cooperation with the FIA's investigation.


Tuesday, August 21, 2007

Awareness through incidents

Educational Security Incidents (ESI) is a blog comprising brief summaries of (mostly privacy related) security incidents culled from the news media. These are intended to be used for security awareness purposes: analysis and deconstruction of the incidents can indeed be used for case studies or just to pep-up other awareness materials.

There are of course zillions of similar sources on the Web, from the regular news media to assorted blogs, mailing lists (such as RISKS-List) and discussion fora (such as CISSPforum and Security Catalyst), plus books such as Dear Valued Customer, You Are A Loser and those by Ira Winkler and Kevin Mitnick.

Stories of security incidents from within the organization are even more powerful, although in highly political organizations they are quite likely to be suppressed by those involved. I know of at least one Internal Audit function that uses incidents in this way, regardless of the company politics: they produce an annual booklet describing chosen incidents, in each case outlining the background to the situations and the impacts, and usually they add some subsequent commentary about how the controls were (belatedly) changed for the better. The booklet becomes a control, governance, security and fraud education resource for management. Nice!


Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.


Thursday, July 19, 2007

Lurid job ads

"Hackers stole information from the U.S. Department of Transportation and several U.S. companies by seducing employees with fake job-listings on advertisements and e-mail, a computer security firm said."


The Reuters correspondent explains that victims were lured to a site with [fake] job advertisements and (presumably) phishing emails, only to have their systems infected with malware. The malware apparently evaded detection by the standard antivirus tools. Nasty.

I've long said that narrowly-targeted/custom malware is a particular threat if it slips under the antivirus silver bullet. Imagine the power of being able to select your target organization and inject your data extraction device and suck out your fill of an organization's lifeblood, with little chance of detection or prosecution. Imagine now that you are a Foreign Power or Criminal Mastermind with the money to buy such malware or the resources to recruit and train your own black squadron of evil hackers ...

Sleep well. Don't have nightmares. Leave that to us professional paranoiacs.


Thursday, July 12, 2007

The business case to protect PII

I'm impressed by a Ponemon Institute study into the business costs incurred through US data breaches involving disclosure of Personally Identifiable Information (PII). Ponemon investigated around 80 reported breaches, analyzing costs that are often hard to quantify such as customer defections. The results are fascinating: an average breach costs over $4m or ~$180 per record lost. Customer defections (and presumably a reduction in the number of new customers) are the main impact.

Incident costs within IT are negligible - the costs fall primarily on the rest of the business. In extremis, it could be said that IT doesn't care about privacy breaches. Therefore, the onus is very firmly on the rest of the business, not IT, to cost-benefit justify investment in better privacy controls. If the budget is forthcoming, I'm sure IT will happily evaluate, select and implement better privacy controls: if not, they won't. It's that easy.

This clearly demonstrates the distinction between IT security, a function sitting within IT and working on behalf of IT to secure the IT infrastructure and services, and information security, a function with responsibilities across the entire organization to protect information assets, not just technology.

Best of all, the Ponemon report provides useful data to build the business case for control improvements. Let's say we anticipate one notifiable serious data breach involving PII every 5 years, at $40m per incident that makes an average cost of $8m per year. So, controls costing up to $8m per year are justified. $8m would buy a lot - it's probably more than enough to implement whole disk encryption for laptops, for example. It's WAY more than enough to implement a security awareness program focusing on protection of PII.


Friday, June 15, 2007

What the white hats are up against

In its usual tongue-in-cheek fashion, The Register describes the Black Hat world through ten features:

1. The Black Hats form a well integrated community that shares knowledge effectively.
2. Becoming a Black Hat is a career option even for those who are not super geeks.
3. There are even specialist virus tools designed to circumvent specific AV products.
4. There are SDKs for the more advanced hackers.
5. There's a market for your data.
6. There are botnets to rent.
7. Some rogue websites are very subtly managed.
8. Good hackers know how to stay safe (they stay abroad).
9. The banking system has its channels.
10. Not all businessmen are entirely averse to the odd hack (on a competitor).

In the sense of "know your enemy", the article presents an interesting perspective.


Wednesday, June 06, 2007

VA privacy breach leads to significant security improvements

A decidedly upbeat Computerworld article identifies 5 significant security improvements that were spurred on, if not triggered, by the theft of a U.S. Department of Veterans Affairs laptop and external hard drive containing personal data on 26.5 million vets and active-duty military personnel:

1. A greater focus on data encryption within government
2. Stronger breach notification guidelines within agencies
3. More attention to data retention, classification and minimization
4. Stronger remote access policies
5. More authority for agency CIOs

The piece is so positive in style, it almost smacks of wishful thinking or marketing spin but even if only partly true, these are all indeed worthwhile changes, especially if they are as widespread in US Government circles as the journalist says.

It is a shame, of course, that it took a massive security breach (ex post facto rather than a priori risk analysis) to prompt the changes, but nevertheless this is a good example of closing the circle on an incident.
