Passwords and Lattes

CNN Money has published an article in which individuals describe losing money through the Starbucks application on their phones.  They describe finding out about it after receiving alerts on their phones, as well as emails, about the transactions.  Apparently the new hotness is for thieves to obtain passwords to the accounts and add new cards, transferring money to them from the bank account, PayPal account, or credit cards the account owner has linked.

Obviously, this is bad, but is it a Starbucks issue?  Let’s take a deeper look at the article and see.

From CNN, the methods used to obtain the victims’ passwords are unknown, but they didn’t come from Starbucks, which reports that no breach has taken place.  Nor has any security issue been reported with the current versions of the Starbucks app.  At least one user admits to re-using the Starbucks account password on another system, which is an InfoSec no-no.  Starbucks does enforce password complexity, requiring uppercase, lowercase, and numbers (and allowing but not requiring symbols), but only allows passwords from 6 to 16 characters in length, and that 16-character cap rules out the long passphrases that would serve users best.

We know from the victims that Starbucks sends email alerts as well as alerts via the app when the Starbucks card is reloaded.  We don’t know if it does when a new Starbucks card is added to the account.  Starbucks offers a feature that will automatically add a predetermined amount of money to a Starbucks card when the account goes below another predetermined amount, and we don’t know if turning that feature on or off generates an alert as well.

We know that the victims in the CNN article were able to pursue refunds of the fraudulent transactions through the typical channels, i.e. their bank or PayPal.

We know that once the victims changed their passwords, the fraud stopped.

Given this information, what can we conclude?  Users with weak, easily guessed passwords, or passwords they had used on other sites, had their login information stolen, not due to any inherent weakness in the Starbucks app or site, but due to poor personal security practices.  That they were alerted to the transactions and able to act on them shows that the system Starbucks put in place to protect them worked, and their losses were minimized by that compensating control.  We can no more place all of the blame for these losses on Starbucks than we could blame Master Lock for failing to protect our house from robbers if our keys are stolen.  The users were made whole by following the well established anti-fraud practices implemented by banking institutions.

Can Starbucks take additional steps to protect our accounts?  Yes, although in many cases that security will come at the cost of user convenience.  They could lock out accounts after a number of failed login attempts, if customers don’t mind having to reset their passwords when that happens–and they can do so using a mobile web page if they’re caught away from a computer.  Bear in mind that a lockout only slows down guessing; it does nothing against an attacker who already holds the correct password from another site’s breach, which is the scenario the article describes.  They could send out emails every time a new card is added or the auto-reload setting is changed (the article doesn’t say if they do now or not).  They could require users to change their passwords every 90/180/365 days–but that tends to encourage both weak passwords and re-use.  They could require a second factor at login and whenever a new card or funding source is added; that leaves scheduled reloads untouched, though demanding a second factor for every reload would mean saying goodbye to automatic reloads.  (Is it “automatic” if I have to approve the transaction every time?)
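Here is what the lockout and spray checks described above look like in code.  This is an added example written for this page, not Starbucks code; the thresholds, window, addresses and account names are all made up, and the sample events are constructed.  Note the third event: a single correct login using a password stolen from another site trips neither counter, which is exactly why a lockout does not help the victims in the article.

```python
from collections import defaultdict, deque

# Hypothetical policy values, not taken from the article: an account locks after
# 5 failures within 15 minutes, and a source address that fails against 10 or
# more distinct accounts in the same window is flagged as password spraying.
ACCOUNT_FAILURES = 5
SPRAY_ACCOUNTS = 10
WINDOW_SECONDS = 15 * 60


class LoginThrottle:
    """Sliding-window failed-login tracker keyed by account and by source address."""

    def __init__(self):
        self._account_failures = defaultdict(deque)   # account -> failure timestamps
        self._source_targets = defaultdict(dict)      # source -> {account: last failure ts}

    def _expire(self, now):
        for q in self._account_failures.values():
            while q and now - q[0] > WINDOW_SECONDS:
                q.popleft()
        for targets in self._source_targets.values():
            for acct in [a for a, ts in targets.items() if now - ts > WINDOW_SECONDS]:
                del targets[acct]

    def failure(self, account, source, now):
        self._expire(now)
        self._account_failures[account].append(now)
        self._source_targets[source][account] = now

    def success(self, account, now):
        # A good login clears the per-account counter.  The per-source view is
        # kept so a spray that happens to hit a valid password stays visible.
        self._expire(now)
        self._account_failures[account].clear()

    def account_locked(self, account, now):
        self._expire(now)
        return len(self._account_failures[account]) >= ACCOUNT_FAILURES

    def source_spraying(self, source, now):
        self._expire(now)
        return len(self._source_targets[source]) >= SPRAY_ACCOUNTS


def replay(events):
    """Run (timestamp, account, source, password_correct) events through the throttle.

    Returns the accounts that ended up locked and the sources flagged for spraying."""
    throttle = LoginThrottle()
    locked, sprayers = set(), set()
    for ts, account, source, correct in events:
        if correct and not throttle.account_locked(account, ts):
            throttle.success(account, ts)
            continue
        throttle.failure(account, source, ts)   # wrong password, or account locked
        if throttle.account_locked(account, ts):
            locked.add(account)
        if throttle.source_spraying(source, ts):
            sprayers.add(source)
    return locked, sprayers


# Constructed sample: a brute-force run against one account, a spray across many
# accounts from one address, and a single correct login with a password stolen
# elsewhere.  The last one trips nothing, which is the point.
SAMPLE_EVENTS = (
    [(t, "alice", "10.0.0.1", False) for t in range(0, 60, 10)]
    + [(100 + i, f"user{i:02d}", "10.0.0.2", False) for i in range(12)]
    + [(200, "carol", "10.0.0.3", True)]
)
```

`replay(SAMPLE_EVENTS)` returns `alice` as locked and `10.0.0.2` as a sprayer; `carol` and `10.0.0.3` appear in neither set.  Only the alert on the new card, or a second factor on that action, would have caught the account takeover in the article.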

While there is certainly room for improvement in Starbucks’s account security, they are pretty well within the industry standard.  Regardless of the level of security offered by a website or mobile app, the onus for securing our data falls on us as well:

  • Create passwords that are complex, and as long as you can easily remember.
  • Change them whenever a site you use reports a breach, or whenever you have reason to think one has been exposed.
  • Don’t re-use them.
  • Enable 2FA whenever it is available.
  • Pay attention to alerts. They send them for a reason, and it’s not always to sell you something.
  • Watch your credit card and bank balances, and know how to report fraudulent transactions.

By following these basic guidelines you can be reasonably certain that the money going into your Starbucks accounts is going into your latte, instead of into a stranger’s pocket.


Lessons from Anthem

The fallout from the Anthem breach continues to ripple through the business and security worlds.  While experts discuss potential lawsuits, policy changes, and similar repercussions, it’s important for any CISO or CSO to review the largest breach in the healthcare industry to date for lessons learned.  Here are a few that I came up with:

1. Regulations are a floor, not a ceiling.  This, and “compliant companies get hacked,” are constant mantras for me, and should be for you as well.  Based on what is publicly available, we have every reason to believe that Anthem was compliant with HIPAA and the PCI DSS when the breach occurred, and they are hardly the only compliant company to be breached.  A company that fosters a culture of mere compliance is begging to be a target.  Instead, focus on risk, with an eye to decreasing it as much as possible while still enabling the business to continue and grow.

2. Encrypt everything, everywhere.  In an age when attackers can infiltrate wired, wireless, and even cellular networks, encryption at rest alone just doesn’t cut it.  Encrypt your databases, encrypt the traffic on the network segments used to isolate those databases, and encrypt the communication between the database and the web client.  Use different keys for each layer, so that one compromised key exposes one layer rather than all of them.  Bear in mind that encryption at rest protects against stolen disks and backups, not against an attacker holding a valid credential for the application that decrypts the data on demand; that is why the next point matters as much as this one.

3. The login as we know it is dead.  All of the security in the world won’t protect you from a stolen credential if a username and password combination is all that stands between an attacker and your data.  Of all the changes likely to be proposed to HIPAA and the PCI DSS, mandating the use of two-factor authentication is the one I would most get behind.  While it used to be a complex beast to master, companies such as RSA and Duo Security are making it extraordinarily simple to implement 2FA in production environments.

4. Humans are your greatest weakness, and your greatest resource.  We don’t know yet how attackers got credentials for Anthem’s systems, but it’s probable that a social engineering attack was involved.  There is no firewall we can put in place to protect people from phishing; with enough persistence and clever engineering, some attempts are bound to succeed.  At the same time, it was a person who noticed the breach was occurring at Anthem; the intrusion detection and prevention systems, log management, SIEM and other tools were humming merrily along, completely unaware that anything nefarious was happening.  Both facts point to the need for good security awareness training; it minimizes your risk while turning your employees into your best “detectors” of bad activity.

5. Don’t just protect, react.  Breaches are an inevitability in today’s environment.  The savvy CISO/CSO knows this, and prepares an incident management plan that provides quick reaction to detection events, minimizing the damage and assessing potential liability as soon as possible, so that the determination to report or not can be made as soon as possible.  Anthem was able to report the breach within six days of discovery, bringing them not only public goodwill but potentially avoiding repercussions by acting in good faith.  It’s also just good business citizenship.
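The “use different keys” advice in point 2 is easy to state and easy to get wrong, so here is one way to do it, as an added example written for this page and not anything from Anthem or from the post.  It implements HKDF (RFC 5869) on the standard library and derives an independent key per purpose (at rest, transport, backup) from one root secret, plus a per-record key under the at-rest key.  The label prefix, purpose names and the root secret are constructed for the example; the one real input is the RFC 5869 test vector used to confirm the derivation.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC(salt, IKM).  An empty salt becomes hash_len zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated and truncated."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested key material too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)


# Hypothetical label prefix for this example.  Any fixed, application-specific
# string works, as long as the same label is never reused for a second purpose.
LABEL_PREFIX = b"example-app/v1/"


def derive_purpose_keys(root_key: bytes, purposes, salt: bytes = b"") -> dict:
    """One independent 256-bit key per purpose, all derived from a single root secret.

    Because HKDF is a one-way PRF, holding the transport key tells an attacker
    nothing about the at-rest key, and neither reveals the root."""
    prk = hkdf_extract(salt, root_key)
    return {p: hkdf_expand(prk, LABEL_PREFIX + p.encode(), 32) for p in purposes}


def derive_record_key(purpose_key: bytes, record_id: str) -> bytes:
    """Per-record key under the at-rest key, so a leaked record key exposes one record."""
    return hkdf_expand(purpose_key, LABEL_PREFIX + b"record/" + record_id.encode(), 32)


def example_keys() -> dict:
    """Constructed root secret; in practice this lives in an HSM or KMS, never in code."""
    return derive_purpose_keys(b"constructed-root-secret-do-not-use", ["db-at-rest", "transport", "backup"])
```

The purpose keys would then feed a real AEAD (AES-GCM or ChaCha20-Poly1305 from a library such as `cryptography`); the derivation is the part people improvise, so that is the part shown here.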

We’re not done with Anthem, not by a long shot.  As the weeks and months go by, we will see reactions from governmental and private entities, vendors attempting to use the breach to sell their latest whizbang tool, lawsuits from people whose credit histories are compromised, maybe even job changes at Anthem itself.  I’m sure that there will be more lessons learned.  Focusing your attention on this list will give you a head start on adapting to what we discover as the investigations, explanations, and pontifications continue.
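Point 3 above, and the earlier post on the Starbucks accounts, both come down to adding a second factor.  The following is an added example, not code from the post or from any vendor named in it: a standard-library implementation of HOTP (RFC 4226) and TOTP (RFC 6238), with the two details a production verifier needs, a small window for clock skew and a guard against replaying a code that was already accepted.  The secret is the RFC 6238 reference secret so the values can be checked against the RFC’s own test table; the per-user `state` dict stands in for whatever store the application uses.

```python
import base64
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC the big-endian counter, dynamically truncate, keep the low digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the number of whole time steps elapsed."""
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, digits: int = 6,
                algo: str = "sha1", window: int = 1, state: dict = None) -> bool:
    """Accept the current step or its immediate neighbours (clock skew), but never twice.

    `state` is a per-user dict the caller persists; the highest accepted step is
    recorded there so an intercepted code cannot be replayed within the window."""
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if state is not None and counter <= state.get("last_step", -1):
            continue                                  # already consumed
        if hmac.compare_digest(hotp(secret, counter, digits, algo), str(code)):
            if state is not None:
                state["last_step"] = counter
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32 (otpauth:// URIs)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# RFC 6238 reference secret, ASCII "12345678901234567890".
RFC_SECRET = b"12345678901234567890"
```

Two things the RFC table shows that implementers trip over: the counter is the step number, not the raw time, and the code is zero-padded, so `"07081804"` is a valid eight-digit code.  Note also that TOTP stops password reuse from being sufficient, but a phishing page that relays the code in real time still gets one login, so the replay guard is a minimum, not a complete answer.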

A Statement on Mission Statements

My employer is updating our intranet, and I was recently asked to review and update my team’s vision statement and mission.  This started me thinking about mission statements in general, and their applicability to InfoSec.

Why have a mission statement for your team?  Infosec is a broad –some might say overly broad–discipline, and an Infosec team may go in one or several different directions.  Red team, blue team, governance, compliance:  it can be bewildering to someone on the outside just trying to determine what it is you do!  A mission statement can help provide focus for the business, as well as direction for the team.

An organizational mission statement is designed to differentiate the company from its competitors, explain the values that drive the company, and provide some information on its overall direction.  An internal mission statement has slightly different goals: it shows how a department, team, or division is aligned with the corporate mission, explains its focus, and provides goals and direction both for its members and for the groups it interacts with.

For this reason, when developing a mission statement for your Infosec team you want to be sure you know and understand the corporate mission and values.  An Infosec team with a mission that is too far from the rest of the organization’s will appear to be out of touch with the rest of the company, and give the impression that the team is a group of “lone gunmen”.  The mission statement is an opportunity to show how your team is a business enabler, and the value that you add to the organization as a whole.

Creating a mission statement can be an opportunity for collaboration and education within the team.  Franklin Covey has a tool (registration required) that can be used to generate team mission statements.  It walks you and your team through the brainstorming, prioritization, and drafting steps of building a mission statement.  I also recommend this article for useful information on developing mission statements.  The article is written with corporate/small businesses in mind, but the concepts apply to team statements as well, especially the four questions:

  • What do we do?
  • How do we do it?
  • Whom do we do it for?
  • What value are we bringing?

A mission statement won’t increase your budget or improve your security metrics.  It will help your team understand how their work promotes the goals of the company, and the business to understand the value your team provides.


Protecting Employees From The Ho-Ho-Hackers

The holiday shopping frenzy has begun in earnest, and alongside it come the identity theft elves.  This is a great opportunity for Infosec practitioners to review and refresh the security awareness training for their organizations.

Of course, many Infosec shops are reviewing their programs in light of results from the National Cyber Security Awareness Month just past, but the holidays give us an additional opportunity to provide guidance with a personal touch.

One of the barriers to successful awareness is the apparent lack of applicability.  For many of us, awareness training consists of the recitation of work policies, password limitations, and the dire warnings against violating those rules.  Dry stuff to say the least.  It doesn’t have to be that way.

We know that the practices we advocate at work are useful everywhere.  A strong password is a strong password, no matter if it’s applied to a work account or an Amazon account.  We also know that people are more likely to practice good security behaviours at work if they do so at home as well.  So, why not create a program that encourages security in the home?

As “Cyber Monday” approaches, now is a great time to put out an email newsletter on how to be sure the website you’re visiting is encrypted, or how to make a strong password.  Remind folks that they should use different passwords on their favorite shopping sites than they use for their bank, so that if one is stolen the other remains safe.

Not everything needs to correlate directly to your business needs, either.  Take this time to remind people to watch their credit card statements, and how to report discrepancies to the major companies.  If you have a credit protection service available to employees as a benefit, this is a great time to promote that as well.

By encouraging employees to practice good cyber security at home, you are making it much more likely they will bring that practice into the workplace as well.  And a little extra goodwill at the holidays doesn’t hurt, either!

Knowing Normal

I’d like to start this post with what may sound like an odd question:

What does “normal” look like in your company?

One of the pitfalls of the current trend towards one-size-fits-all toolboxes to secure our enterprises is that one size does not, in fact, fit all–or any.  From that new next-generation firewall to the Security Information and Event Management (SIEM) system, systems are being sold and installed with a number of default rules and responses in place.  If you do not take the time to fully understand your data network and what normal activity looks like, however, these tools will be of limited use to you at best, and actively disruptive at worst.

This is especially true as overworked CISOs continue to purchase and install systems that not only alert to potential risks, but take action on them, blocking connections, sending emails, and opening trouble tickets for helpdesks and IRTs to respond to.  DLP systems will quarantine suspect emails, web application firewalls will block requests that match a rule; the list is as varied as the tools being sold today.  Every one of these is capable of significant impact on your business.  It’s vital, then, to take the time to ensure that the impact is as positive as possible.

Doing so will take a deeper understanding of the data flow in your organization than is supplied by a network diagram, however.  I am a near constant advocate of the InfoSec practitioner becoming a partner to the business, and this is no exception.  By working with the individual business units in the organization, you will come to a greater understanding of how the IT systems in place are used in a normal day.  You will know what “normal” looks like, and thus be better positioned to detect and act upon “abnormal”.  This work can take place informally, through discussions and meetups, or through more formal audits and project meetings.  If you have taken the time to build a solid relationship with the company inside as well as outside of the IT department, departments will want to come to you to protect their process flows.
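A minimal version of “knowing normal” for network flows, as an added example written for this page (it is not from the post): learn each host’s usual peers and daily outbound volume over a baseline period, then flag a host that talks to a peer it has never talked to before, or moves far more data than it normally does.  The flow records are constructed, the addresses are from documentation ranges, and the three-sigma threshold with a 5% floor is an assumption; in practice the baseline period is weeks, not seven records, and the business-unit conversations in the post are what tell you whether a flagged peer is a new partner or a problem.

```python
import statistics
from collections import defaultdict

# Constructed flow records: (day, src, dst, dport, bytes_out).  Days 1..7 are the
# learning period; day 8 is the period being evaluated.
BASELINE_FLOWS = (
    [(d, "10.1.1.5", "10.1.2.10", 1433, 2_000_000 + 50_000 * d) for d in range(1, 8)]
    + [(d, "10.1.1.5", "10.1.2.20", 445, 800_000) for d in range(1, 8)]
    + [(d, "10.1.1.6", "10.1.2.20", 445, 500_000) for d in range(1, 8)]
)

NEW_FLOWS = [
    (8, "10.1.1.5", "10.1.2.10", 1433, 2_300_000),     # routine database traffic
    (8, "10.1.1.5", "203.0.113.7", 443, 60_000_000),   # never-seen peer, and a lot of data
    (8, "10.1.1.6", "10.1.2.20", 445, 520_000),        # ordinary day for this host
]


def build_baseline(flows):
    """Per source host: the set of (dst, port) peers seen, and mean/stdev of daily bytes out."""
    peers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, dport, nbytes in flows:
        peers[src].add((dst, dport))
        daily[src][day] += nbytes
    volume = {}
    for src, per_day in daily.items():
        totals = list(per_day.values())
        volume[src] = (statistics.mean(totals), statistics.pstdev(totals))
    return {"peers": dict(peers), "volume": volume}


def find_anomalies(baseline, flows, sigma=3.0, floor=0.05):
    """Return (src, kind, detail) findings for new peers, unknown sources and volume spikes.

    The floor keeps a host whose baseline never varied (stdev 0) from alerting on
    every byte of ordinary jitter."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, dport, nbytes in flows:
        daily[src][day] += nbytes
        if src not in baseline["peers"]:
            findings.append((src, "unknown-source", f"{dst}:{dport}"))
        elif (dst, dport) not in baseline["peers"][src]:
            findings.append((src, "new-peer", f"{dst}:{dport}"))
    for src, per_day in daily.items():
        mean, sd = baseline["volume"].get(src, (None, None))
        if mean is None:
            continue
        threshold = mean + sigma * max(sd, floor * mean)
        for day, total in per_day.items():
            if total > threshold:
                findings.append((src, "volume", f"day {day}: {total} bytes (threshold {int(threshold)})"))
    return findings
```

Run `find_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS)` and the only host flagged is 10.1.1.5, once for the new peer and once for the volume; 10.1.1.6 is quiet even though its day-8 total is above its baseline mean, because the deviation is within the noise floor.  That is the difference between a rule tuned to your network and a vendor default.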

This work may also provide you and the company with an opportunity to review business processes.  Have you recently implemented an ITIL process initiative?  This may be a great time to look at procedures.  Preparing for ISO certification?  Business process is a part of those as well.  Federal contracting?  FISMA as well as other legal frameworks require regular evaluation of the business, not just IT, processes in use.  This can be a way to kill several birds with one stone, making even the process of better securing your environment a value-add.

Talk about your win-win!


New Tools Don’t Fix Old Problems

In the wake of Target, JP Morgan, and other prominent companies suffering data breaches, it has become commonplace to look at current Information Security techniques with a jaundiced eye.  Passwords, firewalls, regulations–all have come under increased scrutiny, and it’s challenging to call that anything but good.

The issue comes from the assumption that because these tools and techniques were in use at breached organizations, the tools themselves must somehow be flawed or insufficient.  After all, if the systems and tools worked, these breaches wouldn’t happen, right?

Or would they?  Closer examination of these stories as they are published shows us a slightly different story.

Not only should those alarms have been impossible to miss, they went off early enough that the hackers hadn’t begun transmitting the stolen card data…

According to an article in Businessweek, Target received alerts from its malware detection system while the attackers were still inside the network, before any card data had been transmitted out.  Was the system poorly designed?  Was it badly installed or managed?  Evidence suggests not; the company that provided the system is an industry leader, and the system worked exactly as designed.  Instead, management at Target decided to ignore the warnings, doing nothing while attackers gathered credit card data and transferred it out of the country.

Home Depot was breached by a variant of the same malware as hit Target.  While there is no information on their malware strategy in the linked article, they are only now taking steps to encrypt the credit card data they possess, something they should have done some time ago.

In both cases, the organizations that suffered from security breaches did not do so because of failed security tools.  They were breached because they failed to properly utilize the tools they had, or to implement the necessary tools in the first place.

When businesses focus on tools, instead of people and processes, to provide security, when the tools fail the response is to look for new tools, to claim that the paradigm is broken.  They replace tools that are well understood and designed to integrate with existing business processes with new ones that are not fully vetted, less compatible with their systems, and are supported by companies that do not have the experience or reliability of existing security vendors.

Instead of throwing the baby out with the bathwater, businesses should be considering the following points:

  • Tools are not security.  Tools are just that–tools.  They assist skilled InfoSec professionals in securing an organization and its data.  By themselves, they are little more than blinking lights.
  • Compliant is not the same as secure.  Target knows this well; they were certified as PCI compliant shortly before their own breach.  Compliance rules and regulations are designed to be a floor, not a ceiling.  Businesses must aim higher to protect their data.
  • You must be able to respond to incidents, not just prevent them.  Any comprehensive security strategy must take the potential of incidents into account.  After all, there are many more of “them” than there are of “us”!  A properly designed and implemented response strategy would have caught the Target intrusion while the card data was still inside the network.

That’s not to say we should forgo developing new tools to protect our data, such as chip-and-PIN technology for credit cards or new anti-malware systems.  But businesses that rely on new tools without good practices are making the same old mistakes and hoping for new results.

SecureWorld Detroit Presentation

I presented at my first SecureWorld in Detroit a couple of weeks ago.  It was very successful, despite the traffic preventing some folks from arriving in time!

My presentation was on a subject that I think is appropriate for this blog, so I am sharing the contents of the presentation through SlideShare.  This presentation points out some of the social pitfalls that we InfoSec professionals sometimes fall prey to, and some methods to avoid them, thereby turning what are often business adversaries into true InfoSec allies.

Patches Stop Leaks

By now, you will have heard about the Community Health Systems data breach.  The health care organization lost data on 4.5 million patients.  That’s an undisclosed number of records per patient, mind you–while no medical data was lost, plenty of personally identifiable information (PII) was.  The data was lost, they claim, to an undisclosed hacker or hacker group in China, who exploited the Heartbleed vulnerability to gain access to Community Health servers.  While this is currently the largest data breach associated with Heartbleed, and it is neither the first nor the last time fingers will be pointed at China, the underlying problem is one that I’ve seen time and again in organizations:

A patch for the Heartbleed vulnerability was available at the time the breach occurred.

Timely patching is one of the most effective ways of reducing organizational risk.  That exploits are commonly developed after a patch is published is so well known that the day after Microsoft’s “Patch Tuesday” is often called “Exploit Wednesday”.  As the value of our companies’ data and our reliance on the Internet to conduct business increase, the window of time between published patch and usable exploit shrinks.  So, too, does the time you have available to obtain, test, and deploy those patches.
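The first step in closing that window is knowing which hosts are still exposed.  As an added example, written for this page rather than taken from the post or from Community Health Systems, here is a check of whether an OpenSSL version banner falls in the range affected by Heartbleed (CVE-2014-0160, fixed upstream in OpenSSL 1.0.1g).  The host names and banners are constructed.  The caveat in the comments is the important part: distributions backport fixes without changing the upstream version string, so a hit means “confirm against the package changelog or with an active heartbeat test,” not “unpatched.”

```python
import re

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([0-9A-Za-z]+))?")


def parse_openssl_version(banner: str):
    """Turn 'OpenSSL 1.0.1e 11 Feb 2013' into (1, 0, 1, 'e', None); None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, suffix


def heartbleed_range(banner: str) -> bool:
    """True if the upstream release in the banner shipped with the vulnerable heartbeat code.

    Affected upstream releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.  1.0.0 and
    0.9.8 never had the TLS heartbeat extension, and 1.0.1g is the fixed release.
    Caveat: Debian, Red Hat and others backported the fix while keeping the upstream
    version string, so a patched box can still report 1.0.1e.  A True result means
    'candidate, go and confirm', not 'unpatched'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    major, minor, patch, letter, suffix = parsed
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"           # '' (plain 1.0.1) and 'a'..'f' are affected
    if (major, minor, patch) == (1, 0, 2):
        return suffix == "beta1"
    return False


def triage(banners: dict):
    """Split a fleet's banners into candidates that need confirmation and hosts in the clear."""
    candidates, clear = {}, {}
    for host, banner in banners.items():
        (candidates if heartbleed_range(banner) else clear)[host] = banner
    return candidates, clear


SAMPLE_BANNERS = {  # constructed hosts and banners, not a real inventory
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "vpn-01": "OpenSSL 1.0.2-beta1",
    "db-01": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
}
```

`triage(SAMPLE_BANNERS)` puts `web-01` and `vpn-01` on the confirm list and clears the rest.  Whatever feeds the banners (an `openssl version` run by your configuration management, or a TLS scan), the point is that the list exists and is worked within the patch window, not that the check is clever.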

Measuring Your Metrics

Metrics.  The word can bring even the most hardened of Infosec professionals to hysterics.  But used correctly, metrics can not only help justify the existence of your department, but can help your department align themselves with the business.

Metrics can include more than patches installed, percentage of systems with antivirus, or days gone without an incident.  They can include less tangible points, such as overall security awareness, customer reputation, and the like.  The metrics you choose can help determine the overall perception of your security team, so be sure that you are looking at metrics that show progress and alignment with the business, and that make sense for the duties of your particular team.

Indeed, many of the metrics commonly loved by Infosec professionals are ones that a Board of Directors find the least interesting.  Aside from compliance requirements, very few Boards want to know the mean time to patch, for instance–and even then they don’t care, except to know that you are within compliance requirements.  Board members are rarely excited over spam filter counts, and most of them will see your issues log as a source of annoyance instead of progress.

So what metrics will show business value for Information Security?  In many cases you’ll be measuring the same or similar things, but presenting them against a different scale.  Instead of listing the incidents detected and breaches avoided, show the Board the potential cost of those breaches, presenting them as a cost savings, thanks to your team.  Show how increased Security Awareness training has decreased the number of lost passwords, reducing expensive calls to the Helpdesk.  Measure the increase in customer approval due to the added security of multi-factor authentication on your client website.  Metrics like these will get the Board’s attention, and ensure they see the value that Information Security adds to the business when engaged as a partner.

That doesn’t mean you neglect the mean time to patch, antivirus coverage, and other operational metrics, of course.  These are still valuable to you and your team, and show that you have a solid grasp of the fundamentals, the necessities to protecting your company’s data.  By moving beyond these, you have the opportunity to show your team as more than a necessity, but as a valuable partner in enabling and growing the business.

Branding the Infosec Professional

I recently attended a conference in Detroit that was designed to bring hackers, developers, and executives together.  I think it was an excellent first year, and am looking forward to watching it grow.  I spent most of my time in the executive track, and so noticed a trend among the talks –including my own– that were given.

Information Security professionals tend to have a branding problem.

We are seen as roadblocks, as cost centers, as people to deal with, rather than partner with.  At best, we’re tolerated with good humor (and a joke or two), at worst we’re worked around; this last is so common we have the term “shadow IT” to refer to systems, from cell phones to application deployments, that have not gone through whatever is the authorized vetting process.

Brands are what people say about you when you’re not in the room… –John Battelle

Clearly we need to change our perception –our brand– within our organizations.  There are a number of different approaches to this, each with its own focus dependent on the type of business, your personal executive style, and your own position within the company.  All of them share some concepts, however:

Understand the Business:  If you do not have a solid understanding of your business you will find it difficult, if not impossible, to advance any of your programs or goals.  In order to integrate Information Security into the business, you need to understand what your company is in business to do.  What they make, how they make it, their target customers and corporate culture are all important to know.  Having a solid grasp of the organization’s 12/24/36 month plan will help you to tune your own initiatives to match the areas of growth, enabling the company to proceed in a secure fashion.

Engage on Their Level:  If you’re talking to technicians, be technical.  If you’re talking to project managers, speak to them in terms of their projects.  Engaging means more than understanding the jargon; it means understanding the needs and goals of each group, and tuning your message to show how you can help meet those goals.

Avoid Fear-Based Security:  A common pitfall in Information Security is to talk about all the bad things that may happen if our suggestions aren’t followed.  Boogeymen like hackers, the HHS Office for Civil Rights, and other potential monsters may work for a while, but if the business ever decides not to implement your chosen control and isn’t immediately harmed, you will lose credibility.  Nor, as we know, will any control guarantee security.  Instead, focus on a clear discussion of risk, ensuring that the decision makers understand the reasonable outcomes from any action or inaction.

Share the Successes:  Whenever a security initiative succeeds, no matter how small, publicize it!  If you have a corporate newsletter, make sure to write a notice.  If you report to a board, make the project’s results a part of your next presentation.  Include metrics whenever possible, so that people have solid numbers to point to.

Branding is more than a logo or snazzy slogan.  Branding is about the perception of you and your team by others in the company.  As they say, “Branding is how other people talk about you when you’re not in the room.”  Make sure that you like what they’re saying about you.