About

Categories

Recent Posts

Archives

Subscribe to this blog's feed

Blogs

Organizations

Other Important Sites

Publications

RSS Feed

Blog powered by TypePad
Subscribe to my Podcast

« January 2007 | Main | March 2007 »

February 2007 entries

February 28, 2007

A Rational Voice Among the PCI Noise

This guy, Mike Rothman, knows what he is talking about. Mike's been going through his Daily Incite's for 2007 and yesterday he landed on PCI compliance.

If only securty standards and regulations were really taken seriously.

But, as Mike points out, there's...

1. No real enforcement
2. A lot of ambiguity on what's required
3. Too much confusion among CSO and Compliance people

As Mike said, CSOs, CISOs, CIOs, and compliance officers need to focus less on what will make them compliant and a whole lot more on what will make their enterprise secure.

Oh, and a lot more public outcry is going to be needed! Until the penalties for non-compliance are as weighty as the laws themselves are to read, there's really nothing to prevent more data breaches like the TJX's of the world.

Posted at 08:36 AM in PCI Compliance | | Comments (4) | TrackBack (0)

Technorati Tags: , , , ,

February 27, 2007

Was TJX Non-compliant with PCI at Time of Breach?

According to a story on ePayNews.com yesterday, an unnamed spokesperson at MasterCard is quoted as saying “TJX was not PCI-compliant at the time of the breach, as reported by its acquirer, but we understand that TJX was actively working toward compliance."

Now, I'm more than a little interested to see what MasterCard would say if approached to confirm this statement "on the record", but I've got a hunch someone at MasterCard shared this information.

It's not really a surprise though, is it? How many more TJX stories will it take for companies to take PCI seriously? Or, is Gartner VP Avivah Litan right when she's quoted in the same article on ePayNews.com that "“banks need to take more responsibility and start strengthening cardholder authentication" rather than waiting for the retailers to fix everything?

Ultimately, I think everyone involved - the credit card companies, financial institutions, processors, and retailers - together must all take responsibility for what they can improve and take practical steps to resolve gaps now.

As I've said before, and reinforced beautifully by yesterday's post by The Security Catalyst, Protecting Information is Not a Seasonal Event.

Posted at 11:12 AM in PCI Compliance | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

February 26, 2007

Will Legislation from TJX Fallout Hold Retailers More Accountable for Breaches?

The growing magnitude of the TJX Companies, Inc. data breach brought out a whole new wave of headlines last week. I was contacted by a number of editors for my thoughts, having spent much of my professional career aiding companies in gaining enterprise configuration visibility to ensure their IT infrastructures are secure, compliant, and effective.

On Friday, Jaikumar Vijayan included my comments in two of his articles on Computerworld.com.   In one, I addressed why data breaches could occur over such a long time, as in the case of TJX. "When it comes right down to it, very few companies have put in place effective controls that enable them to monitor internal systems closely and ... follow the movement of data" on their networks. That makes it possible for such breaches to go unnoticed for a long time indeed.

"The underlying problem is that companies are treating security as a 'nice to have' as opposed to a 'must have.' TJX is just the tip of the iceberg. I think we are going to see many more. It's going to get a lot uglier before it get's any better "

Here's what I had to say in the other article on legislation introduced in Massachusetts to make retailers more accountable for breaches.

"It's impressive that Massachusetts has taken the first step forward in dealing with retail security issues. Unfortunately, in the retail community, they are all trying to keep a lid on any kind of expenditures and have paid scant attention to information security. I am very much for this legislation. I think it was inevitable."

Mark Reinertson posted comments last week that make some good points about the ignorance of some retailers to data security and what's it's costing us. Check it out. It gives good reason for why retailers need to be held more accountable.

Posted at 06:00 AM in IT News | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , ,

February 24, 2007

Political Data Abuse

I know politicians are easy fodder to pick on and probably some of it is undeserved, but when I read a recent copy of Computerworld, I just couldn't help myself.

The cover featured an article on the Governor of Arkansas, Mike Huckabee. Seems Governor Huckabee decided to do some house cleaning before leaving office to make life easy on his replacement - he ordered the destructuion of hard drives in nearly 90 computers before leaving office!

What makes matters worse is Governor Huckabee has declared himself a candidate for President in the 2008 election. Even if there was nothing scandalous on the hard drives, wouldn't you think destroying them as you're about to enter a campaign is just a little curious?

Ironically, the flip side of Governor Huckabee's "data disappearing act" was just a few pages away in an article on the Chicago Elections Board.

Seems a 2003 fire in the Cook County Administration Building led to the distribution of more than 100 CDs with the social security numbers and personal information of more than 1.3 million voters to aldermen and members of local ward committees. Not only could they access the information, they could actually make edits and delete information!

The irony of this in my mind, besides the incredible extremes of abuse, is the fact that the regulatory compliance burden on organizations is generally imposed by politicians.

Sounds like it's time for the politicians to get their own data under control(s).

Posted at 10:29 AM in IT News | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

February 23, 2007

The story on TJX gets uglier

Now we are learning that the TJX security breach went as far back as 2003. See a great article in InformationWeek We are in 2007!  What were they thinking? Was this a case of knowing and not disclosing? Or not knowing? I think not knowing. Amazingly, a post on the F. Curtis Berry & Company blog says Gartner analysts estimate less than 50% of Level 1 merchants are compliant with PCI. Maybe it's not knowing and not caring.

The question in the end will be, who really paid the price for the TJX data breach?  Well, it's not the credit card company. They're protected. The banks who have to pay $30 for every replacement card certainly think they're a victim - hence the line of lawyers lurking outside some courthouse near TJX headquarters in Massachusetts.

Evan Schuman makes an interesting point on who is the REAL victim in his StorefrontBacktalk post.

What do you think of all this?

Posted at 04:00 AM in IT Security | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , , , ,

February 22, 2007

Compliance should be integrated...not an event

Wouldn't it be nice to always be in compliance? Why should an audit always be an event where everyone has to drop everything important they were doing to franticially start preparing for anything the auditor might throw at them?

In today's world of explonentially growing compliance regulations, organizations must automate their compliance-readiness activities. It just becomes part of the business. This is the only way for organizations to get beyond the time-consuming event compliance audits are today. To read more on the value of automating compliance reporting, David Greene of BMC has a nice article addressing this issue on itworld.com this week.

Posted at 08:54 AM in IT Compliance | | Comments (0) | TrackBack (1)

Technorati Tags: , , , ,

ITIL Update is Good News for IT

You've got to love a story that starts out with a solid value proposition. In Patrick Thibodeau's story on the upcoming ITIL update, he begins by sharing that the IT Department at Raymond James Financial Inc. was able to reduce Help Desk tickets by 25% in the 18 months after implementing ITIL. Now that's a statistic that should get some attention!

The reality is, if organizations are able to see these benefits from the existing ITIL framework, they should realize even greater benefits from ITIL 3.0. This latest update, due out in April, holds a lot of promise, particularly with the addition of security to the library. Today, a gap exists between thesecurity world and the CMDB world, yet there is one unified IT infrastructure that should be the concern of all parties.

I am also pleased to see outsourcing addressed in this update. If you are going to switch teams. you have to have your servers well-documented. Sorry for the shameless plug here, but Ecora has been documenting servers since 1999. Without documentation, all this knowledge remains in people's heads. How do you transfer that information to "other heads"? You've got to write it down. The trouble is, who has the time? That's why automated documentation software like Ecora is the only way it will ever get done and stay current.

Posted at 08:05 AM in IT News | | Comments (2) | TrackBack (0)

Technorati Tags: , , , , , ,

February 21, 2007

Top 10 Recommendations for Improving VMware ESX Security

People can argue all day about the pros and cons of VMware ESX security, but I want to give you 10 specific recommendations you can implement today. At VMWORLD 2006, I offered these 10 recommendations to improve ESX security in your shop.

  1. Use Firewall and Antivirus software for COS. Just as in any other operating system, this provides basic protection
  2. Use VLANs to segment the physical network so only machines that are required to see each other are able to do so
  3. When installing ESX, use security=high
  4. Do not allow root level access over SSH and use secure commands
  5. Disable all unnecessary services in console OS
  6. Use VirtualCenter to help you manage granular security access
  7. Stay current with ESX patches
  8. Harden Guest Operating Systems
  9. Control User Level Access using VirtualCenter
  10. Document and monitor configuration changes in your environment, especially changes in security settings

You can download a PDF of my presentation materials here.

Hope these recommendations provide you with a more secure virtual environment.

Alex

Posted at 06:41 PM in VMware Security | | Comments (19) | TrackBack (5)

Technorati Tags: , , ,

February 20, 2007

A Call To Revamp FISMA

I will continue with my posts on securing VMware ESX servers tomorrow, but wanted to give some attention to the recent comments made by Alan Paller of SANS on the need to overhaul how government assesses security - starting with FISMA.

Paller offers two broad fixes for the security challenge facing government. The first is to stop blaming the user for problems, and require that vendors ship well-designed products that are securely configured by default. He also called for using "attack-based" metrics in measuring security compliance.

Overall, I agree with Alan's approach. Certainly, the poor grades federal agencies have received the last few years on their FISMA report cards make it clear something needs to change. It is refreshing to see his recognition that configuration settings play in security. I do have to take some issue with the idea of "products securely configured by default."

The reason for configuration settings, by their very nature, is because "one size fits all" doesn't work when it comes to how IT environments operate in different organizations. It is simply impossible to expect any product to come "securely configured out of the box." It's automating controls around configurations and the ongoing changes to them that is critical to improving security and, in the case of the federal government, compliance audit results.

Posted at 09:25 PM in IT Compliance | | Comments (0) | TrackBack (1)

Technorati Tags: , , , ,

February 19, 2007

Security in VMWARE ESX

With over 95% of IT Shops adopting virtualization technology in the Data Center, there is a growing debate going on about security and virtualized servers. Are they more secure or less secure? At VMWORLD 2006, I gave a presentation on this very topic. To answer the question, let's take a look at the underlying architecture of the ESX server.

First, kudos to the programmers and architects at VMWARE. They smartly designed the hyperviser kernel with the absolute minimum set of public interfaces. In fact, the only way to communicate to the hyperviser is via the network interface.

VMWARE does a good job of tightly controlling the network traffic using VLANs and VNICs. All virtual machines are isolated from each other by using hardware support in the chips.

So far, their architecture is no worse than in physical servers. More on virtualization and security tomorrow.

==================================================================================

For an interesting look at how virtualization is aiding IT in securing infrastructures, as well as how hackers are making use of virtualization, I urge you to check out Simpson Garfinkel's article from CSO magazine. It's a thought-provoking read.

Posted at 09:37 PM in VMware Security | | Comments (0) | TrackBack (0)

Next »