7 Sources of Data Breaches You’ll Never Hear About: Your Phone

Smart phones are now portable computers which just happen to make calls. Licensed from Stock Exchange.

This post is the first in a series about preventable data breaches. Most Americans have received a letter telling them that their personal information has been breached. But there are many breaches you’ll never hear about, and many of them are right under your nose. The first source we’ll explore is Your Phone and Personal Computing Device.


Into the Breach – Audio Series – Chapter 11 (Outsource with Security and Success)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 11)

Outsourcing makes sense for a lot of organizations and continues to gain in popularity. Does this drive to outsource and partner actually increase security and protection of information?

By leveraging the strategy and concepts shared in Into the Breach, learn how to build a firm foundation for success – including how to measure the effectiveness of the partner and ensure mutual and lasting benefit from the arrangement.

  • Learn how to establish appropriate and measurable criteria upon which to make better decisions
  • Understand how to assess potential partners and providers to ensure appropriate fit and mutual success
  • Gain insights into verifying and building relationships based on trust and mutual understanding

If outsourcing and working with partners is part of the process, then this chapter is a must listen.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:

  1. Engage with Michael on Twitter (http://twitter.com/catalyst)
  2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
  3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Into the Breach Audio Book Chapter 10: Reducing the Cost of Compliance

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

In this episode (Chapter 10)

Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:

  1. Engage with Michael on Twitter (http://twitter.com/catalyst)
  2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

Into the Breach – Audio Series – Chapter 6 (Implementing The Strategy to Protect Information)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 6)

Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed for immediate results by harnessing the power of people. By asking the right questions — in the right way — people are connected to the consequences of their actions and share information about known and unknown risks about the information they use every day.

The elements of this chapter are the building blocks to what is now called The Catalyst Method™ — what Michael teaches, guides and uses to help organizations get results that improve awareness assessments and help deliver Awareness that Works™.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:

  1. Engage with Michael on Twitter (http://twitter.com/catalyst)
  2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
  3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Into the Breach – Audio Series – Chapter 5 (The Strategy to Protect Information)

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

Key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The balance of Part II explains how – but just learning and understanding the three-part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:

  1. Engage with Michael on Twitter (http://twitter.com/catalyst)
  2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
  3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Securing the Toughest Times

by Ron Woerner

Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks. Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff. One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization’s resources. This is especially hard when you know those affected. However, it’s critical that this tough job be done.

The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure. The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage. Luckily, the Fannie Mae sysadmin found the malicious script.

You shouldn’t depend on luck to protect your organization’s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded lay-offs. [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the “chopping block.”]

Before the announcement

Just as in any project (and this is a project), planning and coordination are key. Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on board early in the process. Delays increase risk to the organization. While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management. Security needs to know who is affected in order to know what needs to be protected. Security can also help properly protect “the list” prior to the official announcement.

Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs. On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive. Security officers should be trained and ready to handle potential conflicts and workplace violence.

Information security personnel should identify single points of (security) failure and high-risk areas. This includes administrators with expanded ability, authority or access. Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs. Management should address these critical points well before the announcement to prevent any unexpected denials of service.

Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place. This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences. (No one likes to find out that their position is eliminated by having their network or badge access disabled.) Also, this cannot occur too long afterward, for obvious security reasons. Ensuring the correct timing requires pre-planning.

As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts. This could be before the actual lay-offs. Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on “the list.” Your efforts should include Data Leakage Protection (DLP) to ensure associates aren’t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others. This could occur on the network or off. It’s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.

During the announcement

With your planning complete, it is now time to enact and follow those processes. As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access. The accounts should not be deleted, only disabled, in case you need them in the future (e.g., rehires). It’s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN). The time required for this activity will multiply if IT hasn’t kept complete documentation of each worker’s individual access rights, passwords, user names, and security cards.

Occasionally, the manager will request that the separated associate’s email, phone, or voicemail remain available. This is to maintain contact with clients or customers. Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access. The mailbox or number needs to be reassigned to the responsible manager or his/her delegate. Allowing permanent access is not a good idea. There should be a set timeframe for this access to remain active before it is disabled.

Also, consider any shared accounts used by the separating employees. Do they know the UNIX root or Windows administrator password? Whether it’s that or any other password for a service account, make sure the password is changed ASAP.

Physical security personnel need to be watching and ready in case the affected people become upset. Normally, you don’t need a physical security presence to escort them. That can be accomplished by the manager and/or HR representative. However, Security should be ready in case things turn ugly. Additionally, they should be watching what property is leaving.

Part of your process should include the retrieval of any assets used by or assigned to the separating employee. This includes: computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents. When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization. Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.

Lastly, while the separations occur, continue to monitor online access and activities. You never know the mindset or attitude of those who depart. The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites). Your IDS/IPS should be watching those external network assets and you should be ready to take action.

After the separations

While the major threat may have passed when the laid-off employees have left, it is not completely gone. There are specific post-separation activities that need to occur to ensure risks stay low.

One of the most critical activities is the inspection of online and paper files left behind by the employee. Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed. This can be time consuming and tedious, but it can’t be ignored. A side benefit is the storage space that gets freed.

The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business. This person also needs to determine the retention period for any material that needs to be kept. This may require collaboration with the legal or compliance department, as this material can be recalled for legal proceedings.

Another post-separation activity is inspecting online files for potentially malicious content. This is especially important for any systems administrators who were let go. There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind. Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs. Failure to take this step could be devastating for the firm.
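The two checks that most often get skipped are the ones just described: confirming that a separated account really is disabled rather than merely forgotten (the “disable, not delete” step from the During section) and walking the scheduled jobs and remote-access paths that person left behind. The following is an added example, written for this page and not part of Ron Woerner’s article or any product: a small Python audit that takes the contents of /etc/passwd, /etc/shadow, /etc/crontab and a set of authorized_keys files (all constructed sample data embedded below, not from any real system) together with a list of separated user names, and reports accounts still enabled, cron entries that run as or reference a separated user, and SSH keys in other accounts whose comment names one. The user names, file contents and function names are all assumptions made for the example.

```python
from __future__ import annotations

SEPARATED = {"jdoe", "rsmith"}  # constructed: the names on "the list" for this run

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
rsmith:x:1002:1002:Rob Smith:/home/rsmith:/bin/bash
deploy:x:1003:1003:Deploy service:/srv/deploy:/bin/sh
"""

# Constructed /etc/shadow: jdoe was locked ('!' prefix, as passwd -l does); rsmith was missed.
SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
jdoe:!$6$salt$hash:19700:0:99999:7:::
rsmith:$6$salt$hash:19700:0:99999:7:::
deploy:*:19700:0:99999:7:::
"""

# Constructed /etc/crontab. Layout: minute hour dom month dow user command
CRONTAB = """\
SHELL=/bin/sh
# constructed system crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
30 2 * * * rsmith /home/rsmith/bin/nightly_sync.sh
0 4 * * 0 deploy /srv/deploy/rotate.sh
*/5 * * * * root /home/jdoe/tools/cleanup.sh
@reboot jdoe /home/jdoe/listener.py
"""

AUTHORIZED_KEYS = {  # constructed: account -> ~/.ssh/authorized_keys lines (key material abbreviated)
    "deploy": ["ssh-ed25519 AAAAC3Nza... deploy@ci", "ssh-ed25519 AAAAC3Nza... rsmith@laptop"],
    "root": ["ssh-ed25519 AAAAC3Nza... jdoe@workstation"],
}

def parse_passwd(text: str) -> dict[str, str]:
    """Map account name -> home directory from /etc/passwd content."""
    homes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 6 and not line.startswith("#"):
            homes[fields[0]] = fields[5]
    return homes

def is_locked(pw_field: str) -> bool:
    """A shadow password field is locked when it starts with '!' or '*'.
    An empty field means no password is required, which is NOT locked."""
    return pw_field.startswith(("!", "*"))

def enabled_accounts(separated: set[str], shadow: str) -> list[str]:
    """Separated accounts whose shadow entry is still usable (should be disabled, not deleted)."""
    names = []
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] in separated and not is_locked(fields[1]):
            names.append(fields[0])
    return sorted(names)

def cron_findings(separated: set[str], crontab: str, homes: dict[str, str]) -> list[dict]:
    """System crontab entries that run as a separated user or reference their home directory."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank lines, comments and VAR=value lines
        # '@reboot user cmd' has 3 fields; a normal entry has 5 time fields + user + command
        parts = line.split(None, 2) if line.startswith("@") else line.split(None, 6)
        if len(parts) != (3 if line.startswith("@") else 7):
            continue
        user, command = parts[-2], parts[-1]
        reasons = [f"runs as separated user {user}"] if user in separated else []
        reasons += [f"references home directory of {n}" for n in sorted(separated)
                    if homes.get(n) and homes[n] in command]
        if reasons:
            findings.append({"user": user, "command": command, "reasons": reasons})
    return findings

def key_findings(separated: set[str], authorized_keys: dict[str, list[str]]) -> list[tuple[str, str]]:
    """(account, separated user) pairs where a key comment names a separated user."""
    hits = []
    for account, lines in authorized_keys.items():
        for line in lines:
            parts = line.split()
            if len(parts) >= 3 and parts[2].split("@")[0] in separated:
                hits.append((account, parts[2].split("@")[0]))
    return sorted(hits)

def audit(separated, passwd, shadow, crontab, authorized_keys) -> dict:
    """Run all three checks; on a live host the four inputs are read from the system."""
    homes = parse_passwd(passwd)
    return {"enabled_accounts": enabled_accounts(separated, shadow),
            "cron_findings": cron_findings(separated, crontab, homes),
            "key_findings": key_findings(separated, authorized_keys)}

if __name__ == "__main__":
    for key, value in audit(SEPARATED, PASSWD, SHADOW, CRONTAB, AUTHORIZED_KEYS).items():
        print(f"{key}: {value}")
```

On a real host the inputs would come from /etc/passwd, /etc/shadow (root needed), /etc/crontab plus /etc/cron.d and the per-user crontabs, and every account’s authorized_keys file. Two caveats matter in practice: a locked password does nothing against an SSH key, which is why the key check is there at all, and the key check only catches keys whose comment happens to name the person, so keys without a comment still need a manual pass. The Windows, database and network-device items in the checklist below need equivalent checks of their own.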

Lastly, use this time to document what went right during the process and where you have room for improvement. Take time to learn from the experience and enhance the process.

Conclusion

Staff reductions are a part of corporate life. As painful as they are, they are often critical to keep the organization functioning at full capacity. Security needs to be an active participant in the lay-off process to ensure the risks are kept low. The removal of access is only one of the many areas requiring the attention of Security. They also need to be actively monitoring both the physical and online activities of the separating associates. This isn’t to be intrusive, but to ensure the continual protection of the organization.

Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly identify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring. The tips in this article will aid you in the development of your security model so you are ready when the time comes.

Checklist of Security Items to Consider with Lay-Offs

Before
  • Planning / establish processes
    • Disabling access
    • Communications
  • Establish trusted contacts
    • HR
    • Legal
    • Security
    • Management
  • Identify single points of (security) failure
    • Employees who pose a danger (to themselves or others)
    • Administrators
    • Associates with access to sensitive or confidential data
  • Identify risks
    • Intellectual property
    • Confidential data
    • Property

During
  • Disable regular individual access
    • Logical
    • Physical
    • Phone
    • Email
  • Remove access to shared accounts
    • Administrator accounts
    • Service accounts
    • Other shared passwords
  • Asset retrieval
    • Computers (laptops)
    • USB drives
    • Two-factor authentication tokens
    • Cell phones / PDAs / pagers
    • Paper documents
  • Enhance monitoring
    • IDS/IPS
    • Logs
    • Physical surveillance

After
  • Continued vigilance
  • Review of assets “left behind”
    • Online documents, files, and shared storage
    • Email
    • Papers
  • Check for backdoors, Trojan horses, logic bombs
    • Unix
    • Windows
    • Databases
    • Network devices
  • Lessons learned
    • What went right?
    • What could be done better?
    • Process improvements

Into the Breach – Audio Series – Chapter 1 (Breach: A Human Problem)

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:

  1. Engage with Michael on Twitter (http://twitter.com/catalyst)
  2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
  3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

When a Breach Hits Home

by Michael Starks

Bloggers and writers often lament the challenge of finding new material. When we do write about a topic, it is often a second-hand story, perhaps commenting on the big news of the day. This month is different, thanks to Gexa Energy, an electricity provider based in Houston, Texas.

Last month, my wife received a letter from Gexa Energy informing her that a data breach may have involved her non-public personal information. I guess they weren’t entirely sure. The letter describes how their monitoring systems alerted them to the intrusion on April 30, 2008, the date of the incident. The breach was contained and there is no evidence of any improper use of her information (had her information ever actually been involved). They even caught the person responsible and are prosecuting them, Gexa says.

Did you notice the timeframe between the discovery of the breach and the notification? I didn’t, until I read about it again in a news story. Almost a year passed before they let anyone know. But don’t worry, law enforcement told them not to tell anyone.

The letter went on to list the types of information that might have been accessed, which included the usual suspects: driver’s license number, social security number, date of birth and so on. The next underlined sentence emphasized that no credit card numbers or bank account numbers were compromised.

Gexa was even helpful enough to point my wife to some sources for credit monitoring and reports, although these are already free resources. Finally, they created the ironically titled http://www.gexaenergy.com/dataprotection site to help everyone feel better about the whole thing. The letter closed with the usual statement of how they take things real serious-like and how they deeply regret her concern. No one signed the letter.

How a company responds after a breach is a strong indicator of their commitment to protecting your information. In this case, Gexa failed miserably. They:

  1. Failed to accept personal responsibility for the breach by not having an executive sign the letter.
  2. Failed to conclusively state what information had been accessed, and when.
  3. Made no offer to pay for personal credit monitoring.
  4. Used emphasis in the letter to minimize their culpability and responsibility.
  5. Made the inexcusable and legally questionable decision to wait almost a full year before notifying affected people of the breach.

Breaches happen. In today’s world, that’s a fact. With this breach, Gexa’s response only serves to remind us that honesty is the best policy. Passing the buck and failing to take personal responsibility will only alienate customers who might otherwise have been willing to forgive you.

Michael Santarcangelo Interviewed at Microsoft Small Business Summit (Segment 2)

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method™ explained in his book allows businesses to reduce costs and even increase revenue!

Michael Santarcangelo Interviewed at Microsoft Small Business Summit (Segment 1)

Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches and the hidden damages, and explains from personal experience how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.