
The following is an excerpt from my Norwich MSIA Seminar 4 final paper. Obviously, these are my own opinions about the future of IA, so don’t bet the farm on any of these predictions.
I would love to hear what you think, so leave a comment and let me know how you think things will turn out.
The Future of Information Assurance
Techniques to Build Trust by Managing Risks
“May you live in interesting times” is a well-known Chinese curse. Information Assurance (IA) practitioners and C-level business leaders are definitely living in interesting times. There is tremendous pressure on businesses to drive down costs, improve efficiency, and provide convenient connectivity and payment methods for customers. The only way businesses can meet these demands is to store sensitive customer, employee, and business data, and to make that data available to computing devices connected to public and private computer networks. The paradox is that the systems that are supposed to lower costs and improve efficiency have created new costs: the cost of protecting sensitive data from criminals both inside and outside the business.
Even if data were somehow protected from theft or harm, the IA practitioner would still have much to do. They would have to ensure that business systems remain available, that a continuity and recovery plan is in place and tested in case of disaster, and that the company’s employees know their roles and responsibilities regarding the company’s computing assets. The remainder of this report will look at these topics in more detail and will attempt to predict how IA might evolve.
Trust
Trust is the cornerstone of commerce, but trust is a very fragile thing. Trust is why IA is so important to businesses, whether today’s business leaders realize it or not. More and more business is being conducted online and businesses, health care providers, and social networks are storing more and more personal information on their networks. Cloud computing, which is the sharing of computing resources that are managed by a provider, is expected to make managing IT easier and more cost effective. These trends raise serious questions about security.
“Almost daily there are reports of massive exposures of personally identifiable information (PII), identity theft, distributed denial of service (DDoS) attacks, theft of thousands or millions of credit card numbers, botnets, malware, and other security breaches in electronic systems” (True “The Future of Information Assurance: A Prediction by a MSIA Student.” 3). Yet businesses continue to put themselves and their customers at risk by collecting, transmitting and storing sensitive information in an open format rather than encrypting it. They purchase or create software that is vulnerable to well-known exploits such as SQL injections or Cross Site Scripting (XSS). They neglect to patch computer operating systems and software applications. They allow their data to leave the company through employee email or portable storage devices. They do not adequately isolate systems storing or processing sensitive data, putting these data at risk. One might logically conclude that the general state of IA is not very effective.
Why would a business, any business, operate with this much risk? There is no single answer, but possible answers include not understanding the problem, a willingness to accept the risks, or some combination of the two. Regardless of why business leaders have decided to operate with this level of risk exposure, they need to begin to think about the consequences:
• According to one security firm in the UK, “Almost half of Brits claim they wouldn’t purchase goods or services from a company that had suffered a security breach.”
• “Research by CoreBrand assessing the impact of a negative incident on brand equity and shareholder value suggests that upwards of 10 percent of shareholder value can be tied to brand.”
Based on these statements, a company can establish a real competitive advantage if it is perceived as more secure and trustworthy than its competitors. Conversely, a business may lose considerable market share and shareholder value if it chooses not to reduce its risk exposure.
The Heartland Payment Systems Breach
“The CEO of Heartland Payment Systems, the company that suffered a data breach that exposed up to 100 million credit and debit cards, recently said in an interview, “…we certainly didn’t understand the limitations of PCI and the entire assessment process. PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”
Mr. Carr, the CEO of one of the biggest credit card processing companies in the world, did not understand the assessment process, or that attaining PCI compliance did not mean that they were secure. Instead of taking responsibility for knowing his business and managing its risks, he blames the auditors. Such statements cannot inspire his customers’ trust in his company” (True “The Future of Information Assurance: A Prediction by a MSIA Student.” 4).
Details of this breach are just coming out, mostly from the indictment of the defendants in the case. Here is security researcher Rich Mogull’s analysis of the breach based on what is known today:
• The attacks on Hannaford, Heartland, 7-Eleven, and the other 2 retailers used SQL injection as the primary vector.
• In at least some cases, it was not SQL injection of the transaction network, but another system used to get to the transaction network.
• In at least some cases custom malware was installed, which indicates either command execution via the SQL injection, or XSS via SQL injection to attack internal workstations. We do not yet know the details.
• The custom malware did not trigger antivirus, deleted log files, sniffed the internal network for card numbers, scanned the internal network for stored data, and exfiltrated the data.
Somehow the people responsible for IA at one of the largest credit card processing companies in the world failed to protect their systems from a well-known and understood attack, and if Mr. Carr is to be believed, they failed to adequately educate him about the difference between compliance and security.
What steps could and should Heartland have taken to secure their business and customer data?
• Perform vulnerability assessments
• Perform intrusion detection
• Perform egress filtering
• Create policies and an awareness program
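Egress filtering is the control that would have been most directly in the path of the exfiltration Mogull describes (card numbers sniffed from the internal network and sent out). The following is an added example, not code from the paper or from any of the cited sources: a minimal content-inspecting egress check that looks for card-number-shaped digit runs in outbound data and keeps only those that pass the Luhn mod-10 check, so that order numbers and timestamps do not trigger it. The outbound payload is constructed for the example and uses well-known test card numbers, not real card data.

```python
import re
from typing import List

# Constructed sample of an outbound payload (not real traffic or real card data).
# A real filter would be fed the reassembled payload of each outbound flow.
SAMPLE_OUTBOUND = (
    "GET /status HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    "batch=4111 1111 1111 1111;5500-0000-0000-0004;4111111111111112;"
    "order=12345678901234\n"
)

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop the match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out the random digit runs the regex also matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> List[str]:
    """Return the digits-only form of every Luhn-valid card number in payload."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def egress_decision(payload: str, threshold: int = 1) -> str:
    """BLOCK the flow when at least `threshold` card numbers appear, else ALLOW."""
    return "BLOCK" if len(find_pans(payload)) >= threshold else "ALLOW"


if __name__ == "__main__":
    print(find_pans(SAMPLE_OUTBOUND), egress_decision(SAMPLE_OUTBOUND))
```

Note that the Luhn check only removes accidental matches; a filter like this is blind to encrypted or encoded exfiltration, which is why it belongs alongside, not instead of, the intrusion detection and network isolation named above.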
Next time: Vulnerability Assessment and Intrusion Detection
Bibliography
True, Becki. (2009). The Future of Information Assurance: A Prediction by a MSIA Student.
Skinner, Carrie-ann. “Brits Won’t Use Firms Involved In Security Breaches”. Network World. 8/15/2009 <http://www.networkworld.com/news/2009/072809-brits-wont-use-firms-involved.html>.
Johnson, Brian. “How Much is Your Customer’s Trust Worth”. Free Online Library. 8/15/2009 <http://www.thefreelibrary.com/How+much+is+your+customer%27s+trust+worth%3F%28CONTACT+CENTER…-a0149302404>.
Brenner, Bill. “Heartland CEO on Data Breach: QSAs Let Us Down”. CSO Online. 8/15/2009 <http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down?page=1>.
Mogull, Rich. “Heartland Hackers Caught: Answers and Questions”. Securosis. 8/21/2009 <http://securosis.com/blog/heartland-hackers-caught-answers-and-questions/>.