Saturday, January 29, 2011

EM835 week VI Infosecurity Lawyers

     I have to begin with the fact that when I first read this chapter, I felt I was not going to like it. In fact, I expected to disdain it, the pages and even the ink on the pages. After all, in my former career, an attorney was involved in every transaction we took part in, and compliance was a department locked away in a secret place. I have heard every attorney joke that exists. Basically, attorneys were a necessary evil.


     Then I did a search on security breaches and found a website from a non-profit organization called Privacy Rights Clearinghouse listing every U.S. security breach brought to litigation from 2005 until its update date as of today's writing (January 29th, 2011). Up to this date, the total across all litigated cases was 512,334,164. (Clearinghouse, 2011) It included items ranging from breaches by doctors who signed off on patient files they never saw, billed for them and left the files unsecured, to a simple laptop stolen from a university that contained students' information, including addresses and social security numbers.

     My idea of security breaches was mostly that they happened at large corporations that were hacked and had 40 million credit card numbers stolen, or perhaps that a government server containing vital U.S. security information was attacked. Ironically, given the local news, WikiLeaks is what immediately came to mind. It actually was started as a wiki but no longer accepts edits to its site. (Editorial, 2011) This site has been blacklisted by most web hosting companies and banks and is viewed as a national threat by many countries. Those are the major items that I believe most people think of on this type of grand scale. It is staggering to think about the amount of money that is lost, or should I say the loss not yet realized, due to security breaches.

     Chapter 12 of Beautiful Security describes a case that went before a judge in 1944 in which an unmanned barge broke loose in New York Harbor and caused damage. The judge came up with a formula to determine liability in the case: B is less than P times L, where B is the burden, P is the probability and L is the injury. Therefore, the burden (B) should be taken on if it is lower than P times L. The author translates this case to state that "the burden on an organization to prevent an information security breach or lapse is less than the probability of that breach multiplied by the damages that could result, that organization should seriously consider taking on that burden." (Oram & Viega, 2009) They then go on to discuss how an organization should determine its return on security investment (ROSI). Do the organization's security dollars match its potential liability? Without going into the detail of the ensuing formula, my initial thought was this: you determine the ROSI in 2009, then a new security breach possibility arises in 2010, so you re-determine the ROSI in 2010, only for a new breach to rear its ugly head in 2011, and so forth. I would expect that, based upon the solution cost or the cost of mitigation, the ROSI will have to be revisited on a regular basis.
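The B < P × L test above, and the point that it has to be re-run as new breach scenarios appear, can be written out as a small decision routine. This is an added example, not code from Beautiful Security or from this post; the control, the probabilities and the loss figures are constructed for illustration and are not drawn from any real incident.

```python
"""Hand-rule (B < P x L) check for a security control, re-run year by year.

Added example, not from Beautiful Security or the post. The control,
probabilities and loss figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class RiskEstimate:
    """One year's estimate for a single breach scenario."""
    scenario: str
    probability: float   # P: annual probability the breach occurs (0..1)
    loss: float          # L: damages if it occurs, in dollars


@dataclass
class Control:
    """A candidate mitigation: its annual cost (B) and the scenarios it addresses."""
    name: str
    burden: float
    covers: tuple


def expected_loss(estimate: RiskEstimate) -> float:
    """P x L: the annualised expected damages for one scenario."""
    if not 0.0 <= estimate.probability <= 1.0:
        raise ValueError(f"probability out of range for {estimate.scenario}")
    return estimate.probability * estimate.loss


def hand_rule_says_invest(control: Control, estimates: list) -> bool:
    """True when B is less than the sum of P x L over the scenarios the control covers."""
    covered = [e for e in estimates if e.scenario in control.covers]
    return control.burden < sum(expected_loss(e) for e in covered)


def reassess(control: Control, estimates_by_year: dict) -> dict:
    """Re-run the Hand test against each year's estimates.

    The verdict can flip from one year to the next as P and L are revised
    or as new scenarios appear, which is why the figure must be revisited.
    """
    return {year: hand_rule_says_invest(control, ests)
            for year, ests in estimates_by_year.items()}


# Constructed figures: a laptop-encryption program weighed against stolen-laptop losses.
ENCRYPTION = Control("full-disk encryption", burden=150_000.0, covers=("stolen laptop",))

ESTIMATES = {
    2009: [RiskEstimate("stolen laptop", 0.05, 2_000_000.0)],      # P x L = 100,000: hold
    2010: [RiskEstimate("stolen laptop", 0.10, 2_000_000.0)],      # P x L = 200,000: invest
    2011: [RiskEstimate("stolen laptop", 0.10, 2_000_000.0),
           RiskEstimate("lost backup tape", 0.02, 5_000_000.0)],   # new scenario this control does not cover
}

if __name__ == "__main__":
    for year, verdict in reassess(ENCRYPTION, ESTIMATES).items():
        print(year, "invest" if verdict else "hold")
```

The 2011 row shows the edge case the post worries about: a scenario that appears later is ignored by a control that does not cover it, so it neither inflates that control's case nor gets addressed, and a separate control would have to be evaluated for it.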

     Does an organization take a pragmatic approach to its potential security breach exposure, or wait until there is an actual problem and attempt to mitigate it then? I believe that the latter was the norm in the early years of technology and that the former now drives both IT and compliance departments. An organization can follow all of the rules and guidelines so as to comply with its state and federal regulations and still be breached, just as a company that does not comply with the laws can remain unscathed. It is apparent to me that if an organization is going to flourish in today's changing world, IT and compliance have to be best friends, even if they are a necessary evil.

References

Clearinghouse, P. R. (2011). Chronology of Data Breaches: Security Breaches 2005-Present. Retrieved from Privacy Rights Clearinghouse: http://www.privacyrights.org/data-breach#CP

Editorial. (2011). Wikileaks. New York Daily News. Retrieved from http://www.nydailynews.com/topics/WikiLeaks.org

Oram, A., & Viega, J. (Eds.). (2009). Beautiful security: O'Reilly Media, Inc.

EM835 week V

     In the chapter Beautiful Log Handling, the author states "Today's growing log standard efforts (such as MITRE's Common Event Expression or CEE) will lead first to the creation of log standards and ultimately to their adoption." (Oram & Viega, 2009) In fact, the author's example, the MITRE Corporation, already provides and partners on security efforts such as Malware (MAEC), Attack Patterns (CAPEC) and Vulnerabilities (CVE), among other standards that are partnered with and/or co-sponsored by agencies such as the National Cyber Security Division of the U.S. Department of Homeland Security. (Mitre, 2011) Given the threat of malicious attacks by other countries (in regard to the security of the U.S.), attacks on retail competitors (as an example) and the importance of the data that is stored, how the logs are handled is critical. An example the author uses is the need to abide by laws such as the Health Insurance Portability and Accountability Act. (HIPPA, 2011)


     It might seem obvious to have log standards that would account for any deviations among items such as an organization's public servers placed in a DMZ, so as to separate its Internet presence from its LAN and thereby not compromise the integrity of data within the rest of the organization. Then I began to think about why, in today's technology world, large companies would have an issue with maintaining proper logs. Using a retail example as the author did in Beautiful Security, I thought of the 2005 merger of Sears Roebuck and Kmart stores. Without having specific knowledge of their issues in combining the data into one source, I am sure that the two operated on very different legacy systems that had issues converting the data, thereby making accurate logs virtually impossible.
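The "two legacy systems after a merger" problem is exactly what a common event schema is meant to solve: each source is mapped once into shared field names, after which one query runs across the whole estate. The script below is an added example and is not code from the post, from Beautiful Security or from MITRE's CEE project; the two source formats and every sample line in it are constructed to mimic a point-of-sale syslog feed and a mainframe CSV export, and the field names of the common record are my own choice rather than any standard's.

```python
"""Normalising two constructed legacy log formats into one common event schema.

Added example, not code from the post or from MITRE's CEE project. The
formats, hostnames, users and addresses below are all constructed.
"""
import csv
import io
import re
from datetime import datetime, timezone

# Format A (constructed): syslog-style point-of-sale authentication lines.
FORMAT_A = """\
Jan 29 14:02:11 pos-store17 auth: user=jsmith result=FAIL src=10.4.7.22
Jan 29 14:02:15 pos-store17 auth: user=jsmith result=FAIL src=10.4.7.22
Jan 29 14:02:20 pos-store17 auth: user=jsmith result=OK src=10.4.7.22
"""

# Format B (constructed): CSV export from the other chain's legacy mainframe.
FORMAT_B = """\
20110129,140305,STORE17,JSMITH,LOGIN,DENIED,10.4.7.22
20110129,140930,STORE17,ACLARK,LOGIN,GRANTED,10.4.9.3
"""

A_LINE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_format_a(text: str, year: int = 2011) -> list:
    """Map syslog-style lines to the common schema (syslog omits the year, so it is supplied)."""
    events = []
    for line in text.splitlines():
        m = A_LINE.match(line)
        if not m:
            continue  # unrecognised line: skip rather than guess at fields
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        events.append({
            "time": stamp.replace(tzinfo=timezone.utc),
            "host": m["host"].lower(),
            "user": m["user"].lower(),
            "action": "login",
            "outcome": "success" if m["result"] == "OK" else "failure",
            "src_ip": m["src"],
            "source_format": "A",
        })
    return events


def parse_format_b(text: str) -> list:
    """Map CSV mainframe rows to the same common schema."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 7 or row[4] != "LOGIN":
            continue  # malformed row or an event type this mapping does not handle
        date, time_, host, user, _action, result, src = row
        stamp = datetime.strptime(date + time_, "%Y%m%d%H%M%S")
        events.append({
            "time": stamp.replace(tzinfo=timezone.utc),
            "host": host.lower(),
            "user": user.lower(),
            "action": "login",
            "outcome": "success" if result == "GRANTED" else "failure",
            "src_ip": src,
            "source_format": "B",
        })
    return events


def failed_logins_per_user(events: list) -> dict:
    """Once both feeds share a schema, one query covers the merged estate."""
    counts = {}
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts


def merged_timeline(events: list) -> list:
    """Chronological order across both systems, which neither legacy log could give alone."""
    return sorted(events, key=lambda e: e["time"])


if __name__ == "__main__":
    all_events = parse_format_a(FORMAT_A) + parse_format_b(FORMAT_B)
    for e in merged_timeline(all_events):
        print(e["time"].isoformat(), e["source_format"], e["user"], e["outcome"])
    print(failed_logins_per_user(all_events))
```

Note what the mapping has to decide explicitly: the syslog feed carries no year and no time zone, the two systems spell the same user and store differently, and each has its own success/failure vocabulary. Those are the conversion issues that make "accurate logs virtually impossible" until someone writes them down once, in one place.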

     There is a very large healthcare facility in the town where I live, with over 100 doctors in various practices. This facility is owned and operated by a larger corporation, which owns other such facilities. They grew this large by acquiring other practices and similar facilities. There is no doubt that merging all of the data into one system so as to abide by the HIPPA law had to be a major undertaking. I tried to find an example of a major intrusion at a corporation due to improper log information, but the data seemed too vague, since I wasn't exactly sure what I was looking for. So, in the case of the local healthcare facility, I am sure that their IT staff is highly trained in the conversion of data and in the challenges of keeping accurate logs.

     In any case, world governments and Fortune 100 companies realize the need to rid themselves of the legacy systems of their past and get the data onto one platform, so that proper logging can take place not only to prevent an intrusion and abide by certain laws, but also to perform due diligence in identifying the culprit of an attack.

References

HIPPA. (2011). Health Information Privacy. Retrieved 2011 from http://www.hhs.gov/ocr/privacy/

Mitre. (2011). A Standardized Common Event Expression (CEE) for Event Interoperability. Retrieved 2011 from http://cee.mitre.org/

Oram, A., & Viega, J. (Eds.). (2009). Beautiful security: O'Reilly Media, Inc.