Archive for March, 2007

TJX’s SEC Filing Raises New Questions

Friday, March 30th, 2007

TJX’s 10-K filing to the Securities and Exchange Commission was made public Wednesday and has made for a whole new set of news stories, blog postings, and speculation.

The report seems to indicate that the TJX Companies, Inc. was employing encryption technology on its cardholder transactions and did delete confidential data on some sort of regular basis. That’s the good news.

The bad news is the intruders apparently were able to capture the card information of 46 million users by installing software on the systems at TJX’s Framingham headquarters that copied the information prior to it being encrypted. TJX also admitted that it appears the intruders had a copy of their encryption key, apparently as a back-up in case the software failed to work or the data was encrypted prior to the point where the software captured it.

Needless to say, the new questions will swirl around how rogue software was allowed to remain in their systems for so long without detection, as well as how the key was obtained.

The information in the 10-K only reveals TJX’s perspective on what happened. It will be interesting to see what is revealed as the SEC begins to dig into this further.

Have these latest revelations changed your perspective on the TJX breach at all? I’d be curious to hear whether these new details are swaying opinions, one way or the other.

Ominous Milestone Ahead for Data (In)security

Thursday, March 29th, 2007

A research paper due to be released this summer predicts that the two billionth data loss will take place by the end of 2007. In a story posted on ScienceDaily.com, Phil Howard, an Associate Professor of Communications at the University of Washington states that “electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.”

Howard, along with Kris Erickson, a UW doctoral candidate in geography, will have their work published in the July edition of the Journal of Computer-Mediated Communication.

Howard and Erickson don’t place the blame for the escalation in data loss on hackers though; they put the blame on the shoulders of corporate America, citing research studies showing three out of every five data losses involving personal information are tied to corporate malfeasance.

A couple of things to note. The numbers cited in the study were compiled from media stories. As Erickson indicates, this probably means their numbers are conservative: they certainly don’t cover unreported data loss or smaller incidents that may not have made headline news. Erickson also acknowledges the role the California Notice of Security Breach law has played in increasing the number of breaches that have been publicized in the last couple of years. That appears to be clearly indicated by the increase between their 2006 and 2007 numbers.

With these ominous statistics, it won’t be long before everyone in America has had their personal information compromised at least once.

Free Advice on Data Security from the FTC

Wednesday, March 28th, 2007

Yesterday I called out the lack of action the Federal Trade Commission has taken against companies that suffered a breach, in part due to gaps in the security controls in their infrastructure.

Seems only fair that I would give the FTC their due when warranted. A few weeks ago, the agency released a 24-page book entitled “Protecting Personal Information: A Guide for Business.” According to a post by Rebecca Herold, the free guide focuses on the following five themes:

“TAKE STOCK. Know what personal information you have in your files and on your computers.

SCALE DOWN. Keep only what you need for business.

LOCK IT. Protect the information you keep.

PITCH IT. Properly dispose of what you no longer need.

PLAN AHEAD. Create a plan to respond to security incidents.”

As Herold indicates, “this is a very good PII (personally identifiable information) protection primer.”

Mike Rothman also highlighted the guidance the guide gives to help organizations be proactive about preparing for potential security incidents.

The FTC has come up with a beneficial free (using taxpayer money) tool that will give you some clear, basic guidance related to information security. A great start for anyone new to information security and a reasonable baseline for more experienced infosec professionals to cross-check their efforts against.

How Good or Bad is the PCI Data Security Standard?

Tuesday, March 27th, 2007

I’ve been on the road quite a bit the last few weeks, so I’ve been a little quieter on the blog front than I’d have liked.

In between my stops, I did pick up some of the fodder on the “Is PCI DSS Good or Bad” debate between Mark at Security Buddha and Michael at PCI Compliance Demystified. In full disclosure, I did attend the PCI Conference in San Francisco with Michael. I thought I had a pretty thorough grasp on PCI compliance, but Michael really knows his stuff.

A few points I’d like to make.

First, we have to remember the PCI Security Standards Council is still in its infancy as the standards body overseeing the PCI Data Security Standard. As a member of the Council, I had the opportunity to participate in a member webex. This was an initial effort to foster direct communication among the members of the group (who, by the way, make up a broad spectrum of the various constituencies the standard impacts, consumers excepted).

Based on what I heard, I am confident there will be ample opportunity to communicate the weaknesses within version 1.1 of the standard, so that continued improvements will be made. Can we say the same for Sarbanes-Oxley, HIPAA or GLBA? Which of the bodies overseeing those compliance regimes (SEC, PCAOB, HHS, FFIEC, FTC) are soliciting feedback? Anyone?

Second, and more importantly: efforts to tighten up compliance standards, so that they demonstrate not just compliance but a serious commitment to a secure environment, must continue. Still, the real issue continues to be enforcement…and enforcement of penalties for non-compliance.

In poring through some past issues of Network Computing, I came across Patrick Mueller’s article on some recent FTC action related to a data breach of an insecure e-commerce server. Now, there’s a lot of twists and turns to this particular story that are interesting, but the thing that stood out to me like a giant billboard was this: “It became the FTC’s 14th data-security case.” 1,400 wouldn’t have surprised me. I might have done a double-take at 140. But, 14??

We’re not even talking about non-compliance here. We’re talking about breaches. I don’t know about you, but I certainly read about a lot more than 14 of those…a month!

Once again, there is no accountability placed on organizations to take information security seriously.

Congress’ Double-minded View of Data Security

Friday, March 23rd, 2007

I wrote a few weeks ago about the incredible abuses of data perpetrated by the Governor of Arkansas and the Chicago Elections Board. So, I just had to shake my head when I read Jim Rapoza’s column in eWeek.

Rapoza calls out the schizophrenia that appears to be affecting Congress with the introduction of the Personal Data Privacy and Security Act of 2007, which is designed to provide prompt notification to victims when data breaches occur and to make companies accountable for the lack of security that may have led to the breach (think a national version of California SB 1386).

The flip side of this is Rep. Lamar Smith’s Safety Law. Its intent is to stop adults who exploit young people over the Internet. However, the law, if passed, would require ISPs and possibly every Web site to store all the data of Internet users just in case it’s needed in a future court case. There would potentially be no maximum time limit for this data to be retained. There’s even a possibility that this law could allow this data to be used for civil legal actions. Can you imagine the potential ramifications of that? Employers poring over employee Internet use. Divorce cases with Internet activity disclosed.

Ironically, this same Rep. Smith was also the sponsor of the Telephone Records and Privacy Protection Act of 2006, which protects phone records and makes pretexting illegal.

A reasonable balance needs to be found between individual privacy and the need to retain certain data necessary to identify illegal activity. But is Congress, with all of the various special interest groups pandering to them, the right people to find this balance?

VMware Security Tip of the Day – #9

Friday, March 23rd, 2007

In today’s final VMware ESX security tip, I’ll focus on one of the most important security considerations: documenting and monitoring configuration changes, especially security-related changes.

Find out why this is even more critical in a virtual environment than in a physical one.

Download Podcast_VMwareTip9.mp3
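To make the "monitor configuration changes" tip concrete, here is an added example of the baseline-and-diff approach that a host configuration monitor is built on. It is my own illustration, not code from the podcast or from VMware: it snapshots a set of configuration files (a hash per file plus the parsed key = value settings), then compares a later snapshot against the baseline and reports which files and which individual settings changed, flagging the ones that touch security-relevant keys. The file paths, their contents and the list of security-relevant keys are constructed sample data standing in for a host's real configuration; they are not actual ESX files or settings.

```python
"""Baseline-and-diff monitor for configuration files (added example).

Takes a snapshot of configuration files, later compares a new snapshot
against it and reports file-level and setting-level changes. All paths
and contents below are constructed sample data, not real ESX files.
"""
import hashlib

# Constructed sample "files": path -> content. The paths are hypothetical.
BASELINE_FILES = {
    "/etc/hypothetical/esx.conf": "ssh_enabled = 0\nfirewall = on\nlog_level = info\n",
    "/etc/hypothetical/vmfs.conf": "max_vmfs = 16\n",
}

# Keys whose change should be escalated rather than just logged (assumed list).
SECURITY_KEYS = {"ssh_enabled", "firewall"}


def parse_settings(text):
    """Parse 'key = value' lines; blank lines, comments and other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def snapshot(files):
    """Record a content hash and the parsed settings for every file."""
    return {
        path: {
            "sha256": hashlib.sha256(content.encode()).hexdigest(),
            "settings": parse_settings(content),
        }
        for path, content in files.items()
    }


def diff_snapshots(baseline, current):
    """Return a list of (path, kind, key, old_value, new_value) tuples.

    kind is one of file_added, file_removed, file_modified (hash changed but
    no parsed setting differs, e.g. only a comment changed), setting_added,
    setting_removed or setting_changed.
    """
    changes = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            changes.append((path, "file_added", None, None, None))
            continue
        if path not in current:
            changes.append((path, "file_removed", None, None, None))
            continue
        if baseline[path]["sha256"] == current[path]["sha256"]:
            continue  # byte-identical, nothing to report
        old, new = baseline[path]["settings"], current[path]["settings"]
        before = len(changes)
        for key in sorted(set(old) | set(new)):
            if key not in old:
                changes.append((path, "setting_added", key, None, new[key]))
            elif key not in new:
                changes.append((path, "setting_removed", key, old[key], None))
            elif old[key] != new[key]:
                changes.append((path, "setting_changed", key, old[key], new[key]))
        if len(changes) == before:
            # Hash moved but no setting did: still worth a record for the audit trail.
            changes.append((path, "file_modified", None, None, None))
    return changes


def security_relevant(changes):
    """Subset of changes that alter a security-relevant key or add/remove a file."""
    return [c for c in changes
            if c[2] in SECURITY_KEYS or c[1] in ("file_added", "file_removed")]


def demo():
    """Simulate a later check where SSH was enabled, logging changed and a file appeared."""
    baseline = snapshot(BASELINE_FILES)
    later = dict(BASELINE_FILES)
    later["/etc/hypothetical/esx.conf"] = "ssh_enabled = 1\nfirewall = on\nlog_level = debug\n"
    later["/etc/hypothetical/sshd_config"] = "PermitRootLogin yes\n"  # constructed, hypothetical file
    return diff_snapshots(baseline, snapshot(later))


if __name__ == "__main__":
    for change in demo():
        flag = "SECURITY" if change in security_relevant(demo()) else "info"
        print(flag, *change)
```

The hash comparison is what makes the check cheap to run often; the parsed-settings diff is what makes the resulting record useful to the person reading it, since "ssh_enabled went from 0 to 1 at 14:02" is actionable where "esx.conf changed" is not. In a virtual environment the same baseline would be taken for every host and every guest, and the snapshots kept somewhere the host itself cannot rewrite.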

VMware ESX Security Tip of the Day – #8

Thursday, March 22nd, 2007

Securing VMware ESX servers isn’t enough when you’re securing a virtual environment. You need to make sure your guest operating systems are secure as well. That’s the focus of today’s VMware Security Tip of the Day.

Download Podcast_VMwareTip8.mp3 (1946.2K)
