Wednesday 27 August 2008

The "greatest cyber-heist in world history" -- how many did get away?

There has been a raging public debate about how many records were stolen at Best Western. Was it 10 to 12 customers' records, as claimed by Best Western, or was it 8 million, as reported in the Scottish Herald? And what should we make of the claimed potential loss of £2.84bn ($5.68bn)?

Best Western was compliant with the PCI DSS, but how was this achieved? Was it assessed as a single merchant processing 6 million or more card transactions per year, which would put it in the Level One band (an annual on-site assessment by a Qualified Security Assessor plus quarterly network scans), or is it operated like a set of franchises, with each hotel treated as a separate PCI entity handling fewer than 6 million transactions per year (putting it into the Level Two band, where an annual self-assessment questionnaire suffices)? The answer matters, because the same hotel chain can be "compliant" under either reading while its actual controls differ enormously.
The reality is that PCI DSS compliance sets a low bar for computer security. Don't get me wrong, it is far better than nothing, but threats and technology move at a frantic pace, and prescriptive compliance standards are not revised fast enough to keep up with attackers.

Data security is about complete control of data. With a strong security system in place, and in particular with a reliable record of where sensitive data lives and who has accessed it, Best Western would know exactly which data assets were compromised: 10 records or 8 million.

Sunday 24 August 2008

Who can we trust?

I saw this today and sighed. Another embarrassing example of data loss from a government department, this time in the UK. The data was encrypted at source, yet strangely encryption was not enforced throughout the complete data-processing chain.

Management of sensitive data remains imperative. This loss highlights an inappropriate attitude towards security and clearly shows that data security remains out of control. All government employees must be required to protect stored data, including limiting the need for physical transportation, through the implementation of strict guidelines. Sensitive data should be held only where it can be kept most secure, and not copied to numerous portable devices or to hard copy unless there is a well-justified need to do so, a need that is set out in, and enforced by, corporate guidelines.

If the government sector doesn't sort its house out, I fear we are going to see more high-profile breaches, leaving us all with the uncomfortable question: if we can't trust the government with our information, whom can we trust?

Steve Moyle

Thursday 14 August 2008

Compliance is not security

IT security professionals want systems that provide strong controls to protect their organization's assets. They often find themselves competing for budget against compliance demands.

Compliance is traditionally a procedure-based process that does not necessarily tie into a technological control. There are examples of 'compliant' systems that did not provide security (e.g. Hannaford, which was PCI compliant at the time of its breach).

There is now a trend to deploy data leakage tools not to prevent data leakage, but so that when (not if) a leak occurs there is a record of what was lost, which can then be used to comply with the growing number of breach notification laws by contacting those whose records have been 'lost'.

Surely implementing controls that prevent data leakage would be the more proactive approach. Strong security also delivers compliance; the converse does not hold.