Why so much credit and "good" publicity for Heartland Mgmt for not practicing proper risk management?

Today in my in-box I got yet another invitation to attend a webinar that uses the Heartland data breach for some sort of benefit to the sponsoring organization. Yeah, everyone is doing it, just like we all did with TJX.

What annoys me is seeing those who were in IT management (leading up to and at the time of the breach) being put up on a pedestal, especially those who were ultimately responsible for the information security of the organization. It strikes me as odd that this occurred on their dime and they are now making dollars because of it. I'm not blaming them directly, at least I don't think I am.

Regardless of who ultimately turns out to be "the bad guy" in the whole Heartland breach fiasco, most breaches (the publicly disclosed ones, anyway) are ultimately found to be avoidable. Most could have been avoided by having an information security program that's properly aligned with the organization's overall risk management program. The PCI DSS is supposed to promote this model, but many organizations jump right to focusing on meeting the minimum requirements of the DSS. Having a QSA (Qualified Security Assessor) wave his magical Report on Compliance wand and deem you PCI compliant isn't the solution.

Give me back my Login ID: How decoupling the Login ID and email address is better for security

Everyone seems to be talking about the recent email account compromises that have resulted in the disclosure of some sensitive documents (or at least some embarrassment). The latest one is that of a Twitter employee which is detailed in the following Twitter blog entries:


All kinds of "experts" in the field are writing about these incidents and making suggestions to prevent things like this. Most suggest a stronger password and improving the security questions that you need to answer in order to recover your account if you forget your password.

First, I highly recommend that everyone read the article "The Anatomy of the Twitter Attack" from TechCrunch. It's almost six pages long, but worth the investment.

Here is my take on this issue. I wrote in December 2005 about Web Security Getting Weaker as I started to see web sites transition to forcing users to use their email address as their login ID. I don't think this is a good idea, since it means that a typical user will have the same login ID on practically every site they use. Once an attacker has that login ID, all that's left is to guess the password or recover it fraudulently by guessing the answers to the security questions. With more users signing up for SaaS services in the cloud, this means that if you have gained access to someone's email account, you pretty much have everything.

What can be done to prevent these continued account compromises?

I suggest the following:

1. Change your login ID to something other than your email address. I am a firm believer that no one except you should know your login ID and your password. This means that it should not be your email address. If the web site or email service doesn't allow this, bug them to change this policy.

If you have no choice, you can create another email account for the sole purpose of using it as the login name for web sites. Make it something that no one could easily associate with you. It can be almost anything, although there are some character restrictions at most sites.

Set this new email address to forward to your real email account and set its password to something very complex. Write the login ID (email address) and password down and keep it somewhere safe and secure. You should not need to log in to this account often at all. Warning: Don't use an email service that disables your account after a certain period of inactivity. This is how the perpetrator in the latest Gmail-Twitter hack was able to reset the password of the victim's Gmail account. Don't give this email address to anyone. Now, change your login name on the sites in question (webmail) to the one you just created. Remember to only change your login ID and leave the email address set to your primary (public) email address. While you're at it, you may as well change your password to something strong that you will remember.

2. Be creative when setting account recovery questions and answers. The security questions can be used to your advantage to further secure your account if done correctly. Let's look at an example. The above article mentions that one of Google's security questions is:

  • What was your first teacher's name?

Your answers to these questions can be ANYTHING you want them to be. Make something up! Set your first teacher's name to 'monty python' or 'big iced coffee from starbucks' if you want. As long as you remember what you initially set, or store it securely somewhere, you are all set. If you don't have a very good memory, see item 3.

3. Use a secure password manager. Let's face it, we don't all have amazing memories, especially as we get older. Do you really expect users to set a different complex password for each of the sites and services they use and change them on a regular basis to another complex password? It's a pipe dream. Anyone who does this is probably using one of the many available login ID and password management tools.

One of the great things about such tools is that most of them have a strong password generator built in. Once you are accustomed to using a password management tool, you will find it very easy to start doing things like setting unique login IDs for each of the sites or services you use. There are some great solutions that will even synchronize with your mobile phone if you need access to login information when you are away from your PC.

I have tested and used many of these password management tools, and will post a follow-up that will provide an overview of my experiences.
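The three items above amount to one procedure: a private login ID that is not your email address, a strong password, and made-up recovery answers, all kept in a password manager. The following Python script is an added example (not code from the original post or from any particular password manager) that generates those three pieces with the `secrets` module, estimates their entropy, and checks that the login ID cannot be derived from the public email address. The site name, the email address, the recovery question and the short word list are constructed sample inputs; a real diceware-style list has thousands of words.

```python
import math
import secrets
import string

# Constructed sample word list for recovery answers (a real list has thousands).
WORDS = (
    "anchor basil cobalt dune ember fjord gravel harbor iris juniper kettle lantern "
    "marble nickel orchid pebble quartz ripple saddle timber umber velvet walnut yarrow"
).split()

LOGIN_ALPHABET = string.ascii_lowercase + string.digits        # typical site restriction
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` uniform picks from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_login_id(length: int = 12) -> str:
    """A login ID that is not an email address and is not linkable to its owner.
    Starts with a letter because many sites reject IDs that begin with a digit."""
    if length < 2:
        raise ValueError("length must be at least 2")
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(LOGIN_ALPHABET) for _ in range(length - 1))
    return first + rest


def generate_password(length: int = 20) -> str:
    """Uniform random password, re-drawn until it contains every character class
    (many sites enforce this; re-drawing keeps the distribution close to uniform)."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw)):
            return pw


def generate_recovery_answer(words: int = 4) -> str:
    """A made-up answer for a recovery question such as 'first teacher's name'.
    Random words are easy to type and carry far more entropy than a real name."""
    return " ".join(secrets.choice(WORDS) for _ in range(words))


def is_decoupled(login_id: str, email: str) -> bool:
    """True when the login ID is neither the email address nor built from its local part."""
    lid = login_id.lower()
    local = email.split("@", 1)[0].lower()
    if len(lid) < 3:              # too short to be meaningfully private
        return False
    return lid != email.lower() and local not in lid and lid not in local


def build_site_record(site: str, email: str, questions: list) -> dict:
    """Everything to store in a password manager for one site. The public email
    stays the contact address; login ID, password and answers are private."""
    login_id = generate_login_id()
    if not is_decoupled(login_id, email):      # astronomically unlikely, but checked
        login_id = generate_login_id()
    return {
        "site": site,
        "contact_email": email,
        "login_id": login_id,
        "login_id_bits": round(entropy_bits(26, 1)
                               + entropy_bits(len(LOGIN_ALPHABET), len(login_id) - 1), 1),
        "password": generate_password(),
        "password_bits": round(entropy_bits(len(PASSWORD_ALPHABET), 20), 1),
        "recovery": {q: generate_recovery_answer() for q in questions},
        "recovery_bits_each": round(entropy_bits(len(WORDS), 4), 1),
    }


if __name__ == "__main__":
    import json
    # Constructed sample input: a webmail account for a hypothetical user.
    record = build_site_record("webmail.example", "jane.doe@example.com",
                               ["What was your first teacher's name?"])
    print(json.dumps(record, indent=2))
```

Running the script prints one record per site; paste the private fields into your password manager and never reuse the login ID or the recovery answers on a second site. The entropy figures make the point of item 2 concrete: four words from even this tiny list beat a real teacher's name, and a full word list pushes a four-word answer well past 50 bits.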

Reminder: Check your credit reports

If you have not done so in the last 12 months, you should request your free annual credit reports from the three major bureaus. https://www.annualcreditreport.com

Signs of card data breach?

I am getting reports of some interesting unauthorized credit card transactions occurring in North Carolina. These are allegedly fraudulent 'card-present' transactions made at well-known retail establishments. The interesting part is that at least one of the affected people I spoke with is positive that they have the (only) card in their possession.

This tells me that it's likely related to a breach of magnetic-stripe data, but I can't be sure yet. I wonder if we will be hearing about another breach soon?

Security awareness training...how to start.

Someone recently asked about how to get going on some training for their corporate users. I would approach it like this:

1. Internally 'publicize' some recent incidents to your user community. Reference such things as http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009 and break down how they occurred and where the mistakes were made. Pick some examples from companies in the same or similar businesses. Don't get overly technical here. The intent is to get everyone to understand that their actions, no matter how small, contribute to the company being able to stay out of the newspaper. An incident will hurt the company, and therefore could impact their jobs.

2. Put together some high-level (plain English) training material, such as a Frequently Asked Questions document, on the areas in which you get the most questions from your participants in step 1. Make sure every question is clearly answered.

3. Follow this up with a more formal awareness program to help reinforce good decisions. Host a lunch-and-learn that breaks down your policies in plain English. Make this as interactive as possible. Add some role playing.