Tuesday, January 30, 2007

TJX - They claim they closed the barn door...

I am at Logan Airport and I just heard CNN report that the CEO of TJX issued a statement that said that TJX waited to report the breach to better contain it.

That is the equivalent of saying 'The barn is secure, we have closed the barn door and put on new locks and hinges... The horses, however, are out of the barn.

This breach, the first one of the year, is a testament of what not to do. The good guys and the victims of data theft need to share information better than the hackers. Does TJX really think that this is the end of it? Do they actually believe that they contained and solved the problem?

In the world of Google, ask.com and other search engines, mass storage, etc. public is forever. Think about spam for a moment. The first time I published my email address back in 1994, I started receiving unsolicited email within a day. I still get at an email address that is 13 years old that I do not use, and have not used to receive legitimate mail since 1996.

My point? Once there is a leak and the info is out - it's forever (relatively speaking).

With all of the technology that's out there it is incomprehensible that company's cannot justify spending money on security. From General Clarke, Cyber terrorism expert, 'If your company spends more money on coffee than on security - you deserved to be hacked and by the way - you will be.'

The other thing I cannot comprehend is when a company says that spending thousands of dollars on security is too much money - they always find a way to spend millions on clean up.

identitystuff@gmail.com

Labels: ,

Friday, January 26, 2007

Another TJX Gem...

I was doing some further investigation last night and an article in Computerworld covered it:

The breach occurred as far back as mid-May 2006 but was discovered only in mid-December, said company spokeswoman Debra McConnell. The original statement from Framingham, Mass.-based TJX announcing the data compromise last week mentioned only the discovery of the breach in December and made no reference to when the breach actually happened.

Whoever the IT staff, the IDS and IPS vendors are might be hoping that they are NEVER identified. Seven months of free reign on a network of that size with so much data unprotected?

Yahtzee!!!!

TJX Ripples Go Global

I just read a new piece of news regarding TJX from the Massachusetts Bankers Association saying that there have been reported fraudulent activity in Florida, Georgia, and Louisiana AND in Hong Kong & Sweden.

There is absolutely no excuse for an industry group to be providing more information than the company whose records were breached. The silence from TJX has been deafening and the lack of information (including expressing concern for those effected) is simply breathtaking.

I hope that all of the colleges in New England use this case as the poster child case for what not to do in the event of a breach, what TO do to erradicate any sense of trust within the company itself or its customers, and to the lawyers who are likely in the midst of the trainwreck trying to manage through this - chalk this one up to WHAT NOT TO DO IN THE EVENT OF A BREACH file.

identitystuff@gmail.com

Thursday, January 25, 2007

TJX Breach Count at 200,000 or $36.4M

I was exchanging email with Jenn Abelson at the Boston Globe the past couple of days, as she is running point on the story. It was reported by her today that the tally stands at 200,000 card numbers. You know what the real story is:

This number was reported by Massachusetts Community Banks, NOT TJX!!!!

So watch this record number rise. And the associated costs.

By the way, the cost for this breach using the numbers computed by Dr. Larry Ponemon at the Ponemon Institute bring the cost to $36.4M to date. This is only the numbers that BANKS were able to figure out, not TJX or their contractors brought in to do the clean up.

Labels: ,

Wednesday, January 24, 2007

Virtualization – Virtual Security nightmare?

I keep hearing and reading about server virtualization, server consolidation, maximizing server resources, blah blah blah. The point of it is – I have a bunch of servers, that I paid for, not doing anything, so if I consolidate the underused servers onto a better or more efficiently used server I will save money in maintenance, capital costs, and power, A/C and all of the other data center costs.

The issue I see that drains the blood from every CIO’s face I’ve had the pleasure of discussing this with is – how are you going to manage access and secure all of those apps on the same server now? Identity management apps? VLANs? SSO? I thought you were trying to be more efficient...

There is better way. Here is what you do…

For 1,000 users, it will cost you about $100/user, which is less than the $182 per record it will cost you in a breach.

You install some software, two appliances, highly available and redundant in front of these virtualized efficiently humming boxes, and control who can SEE and who has access to each application based on who they are, what machine they’re using, and whether or not they’re at Starbucks, a hotel, or on your LAN.

Every user, every machine. Installed in 4 hours, policies set, audited and deployed in less than a week.

For about $100/user. No changes to your directory, no changes to your infrastructure, maintaining access control by app even when consolidated. Think I’m full of it?



You gotta ask yourself – in all this worrying about virtualization what did I do to my security program – did I cover myself. Well? Did I?

I have you covered - identitystuff@gmail.com

Thursday, January 18, 2007

TJX - The latest

Ok, Folks... I thought my open challenge to the US Navy at the end of last year would be enough for someone to email me and tell me I was full of crap, or the other more fun option - prove that you can do what you say. So here goes folks:

I double-dare any company who has had a breach to email me and challenge me to prove how I can stop future breaches from happening, shut off access to garbage (kits, scripts, and such) that was left behind, and at the end of a two week period be able to tell you who from what machine connected to what application and when they did it down to the sub second in real time. When I say 'From what machine' I mean the machine they used, not the MAC address or IP address.

In one day I will show you the top IP addresses connected to from your network, whether is World of Warcraft, or the World of Network Security. I will then, with the same piece of technology allow you to set a policy that that can't happen anymore. For that user. For that machine. For that user at that machine. For that user at that machine while on the LAN.

Don't believe me, email me at identitystuff@gmail.com and I'll prove it in 2 weeks or less. If it doesn't work, I take it back. If it works as advesrtised you pay me.

Folks, its cheaper and less embarassing to talk to Me than to the press, Wall Street, and your bosses who all won't tolerate the bad news nearly as well as I will.

Go ahead, I double dare you. You'll feel like Neo after he took the red pill... 'Remember, all I am offering is the truth and nothing more...'

Labels: ,

Monday, January 15, 2007

Simplicity - overlooked or over rated?

I was catching up on my reading this weekend and the global message that continues to resonate is that we have forgotten simplicity when trying to address complex business issues. It’s as if we need to be as or more complex with our solution to the problem than the problem itself.

Case in point… I was reading SC Magazine and in the For/Against column was discussing database security – 'The best approach to database security is monitoring traffic before it enters the database.' I have two issues with this:

1. Whoever crafted the question, missed the point, IMHO. What does ‘monitoring’ have to do with security, and actually preventing the unauthorized access to begin with which is what you want. The relative uselessness of monitoring as compared to actually PREVENTING access should be pretty obvious. When you can monitor the unauthorized activity, alert appropriate teams, and prevent access – now that’s useful. The ‘Against’ guy alluded to it (Dr. Murray Mazer from Lumigent).
2. Let’s keep it simple. The ‘For’ guy (Gautam Vij from Symantec) had a credibility issue from the get go, working for a security vendor with 1200+ SKU’s for their products. Note to Symantec – hire an offshore firm to tackle the integration problem, or get a new marketing and product management team to come up with more integrated offerings a la Acura. They had one option with the 2006 TSX – Nav system or not. Simple works. Simple sells.

The other thing I could help but think about was a conversation I had with a colleague about how convoluted and complex IDM has become. Why? The companies that I work with today are trying to solve the same problem the companies 5 years ago were trying to solve – managing users better post authentication and automating workflows. I still need to think through what happened but I believe that it’s akin to how IDM vendors got into their space – the directory was being asked to do things it was never intended to do, and they were propagating, proprietary, and proving to be a bear to implement. Is Identity Management at the application layer headed down the same road?

What happens when you add machine identity to the mix so that companies identify machines and maintain privacy at the same time? Look here for a possible solution.

identitystuff@ gmail.com