Standing On The Shoulders Of Giants (SOTSOG): My Parents

June 23, 2010

INFORMATION SECURITY PROFESSION TRAITS: TENACIOUS & FAITHFUL

This post is about my parents. My parents have been married for about 40 years and everyone in our family (parents, sister and I) still talks to one another!

My Dad is a Baptist minister; has been since I was like three years old or something. My mom currently works in the healthcare industry, but growing up she was a full-time Mom and as we got older she had some administrative jobs. People underestimate the demands placed upon ministers and their families. They get a lot of satisfaction from their profession. They give more than they earn, let alone take. Our family did not have excess but we were not poor either; the word optimal comes to mind.

TENACIOUS (Merriam Webster definition / synonyms)
My parents adhere to a way of life that was not always easy to understand growing up. I respect my parents for their resolve and desire to guard me (often against my desires) from situations that could have had undesirable consequences. However, I still managed to get myself in trouble on occasion. I would laugh when being corrected, once in a while I made remarks that were not polite, I cut a girl’s hair “tail” off in the 6th grade, I liked flirting with girls- normal stuff…right?

Spanking – both in the home and in schools – was still a norm in the small town I spent the majority of my childhood in. Yep, I got spanked once in a while – and to the best of my knowledge I deserved every one of them. I preferred the hand or a ping pong paddle instead of a wooden spoon or a real paddle. I also learned at some point that attempting to run away from or move in the paddling process could result in misplacement of the object striking me. Deep down inside I know my parents did not enjoy punishing me – they would probably never verbally admit they received some satisfaction from it – but if they ever read this – I bet you they would start to crack a smile…

Even though I do not share *all* of their political, social, or spiritual views – I respect – and even admire – them for their tenaciousness.

So how does this pertain to information security or risk management? From my perspective, it is not always easy to be in this profession. Between technology changes, doubters, binary IT mindsets, a shortage of data sets, the nature of our work and a slew of other things – it is easy to become frustrated with our profession and leave. Our profession is not a one, two or three year stroll in the park that should reward folks with extra money because they passed the CISSP exam or know a list of acronyms. We are on a journey within a profession that is still evolving and that is slowly but surely integrating itself within business management. That is where I think tenacity comes into play.

FAITHFUL (Merriam Webster definition / synonyms)

When I reflect back on the first 18 years of my life – my parents are usually the first thought that comes to mind when I think about faithfulness. With my Dad being a minister, I grew up seeing first hand how he and my mother served the church(es) he ministered to. The word ‘served’ is probably not an adequate word to describe his and her commitment to a group of people for whom they would drop pretty much anything they were doing to be there in someone’s time of need – regardless of the circumstances.

So how does this pertain to information security or risk management? Well, there is a lot of randomness associated with the nature of our profession. We have very little control over externally initiated security incidents or even incidents that occur internally – no matter how awesome or weak our risk management programs are. Thus, we have to be there to deal with incidents and issues; 24×7. Faithfulness is applicable in many aspects of our lives; our personal relationships, our professional relationships, our employer, our profession and the list goes on. There are lots of times where we as information security professionals are not popular with the teams we are helping or with leaders outside information security in general. This is where faith comes into play. If you first stick to the principles of our profession and do not get wrapped up in the emotions of others’ objections to what we are here to do – you will probably prevail.

The next SOTSOG post will be about the United States Marine Corps – feel free to drop down and give them 20, plus one for those currently getting shot at – just because!

Note: I started this post on 5/30/2010. A lot of things have happened since then that make me appreciate my parents even more. My Dad was having some chest pains and after a heart catheterization found out he had a 95% blocked artery in his heart; he had a stent put in the same day. Two days later he and my Mom made an emergency flight to Hilton Head to drive two of our relatives back to Ohio; one of which who had been admitted to the emergency room because of a blocked bowel. Yet another example of unselfish faithfulness.


Impromptu IT Risk Assessment Poll

May 25, 2010

You can select up to two answers. Thank you for participating!


Verizon – 2009 Data Breach Investigations Supplemental Report

December 9, 2009

This is no doubt one of many blog posts regarding the Verizon Business RISK Team “2009 Data Breach Investigations Supplemental Report” (DBISR). Below are a few of my thoughts.

1.    Quality of the Data. While it is neither the intent nor the spirit of the report to compare the usefulness of the information or the quality of the data to public data sources, I think it is important to recognize that the facts being collected by the Verizon team are generally more credible than the third-party sources that other public sources rely upon. In scenarios where I am trying to gather information about a breach or compiling a dataset for analysis – I am going to have a higher level of confidence in data / information from sources closer to the incident – than third parties just reporting on it. This does not mean that 3rd-party data is not legit – I am just suggesting the quality – from an accuracy and reliability perspective – is different and should be recognized.

2.    Data Overlap. On page 23 is a table comparing the Verizon IR breaches and records lost to the equivalent DataLossDB values (keep in mind these are point in time values). The question I have is, how many of the 592 breaches in Verizon’s dataset are accounted for in the DataLossDB dataset? The reality is that in some US states (assuming all the breaches were in the US), data breach notification is not required, so an event can occur that does not result in breach notification to the consumer or the applicable State Attorneys General. If there were a difference between Verizon and DataLossDB – it only strengthens my confidence in Verizon’s data because it contains credible data points not represented elsewhere (private consortium data aside).

3.    Threat Action “Profiles”. If you have not printed pages 5-21 and posted them on your cubicle / office wall – or recommended them to your peers or other information security professionals – why not? Seriously. Threat actor / threat community profiles are such a valuable resource for security / risk practitioners to quickly reference, especially when we are dealing with dozens of threats and hundreds of controls. I can assure you that I will probably incorporate some of the DBISR “threat action” profiles for some work I am doing in this same space with my employer – good job Verizon!

4.    Industry. My final observation is related to the industry and size of companies where breaches have occurred. I have blogged about this recently and I only mention this to remind folks that not every data point whether it is from Verizon, DataLossDB, PrivacyRights.Org, or other public / private data sources may be relevant to your industry or your company. The reality is that there are different expectations and regulatory requirements between industries and you have to keep that in mind while in the process of drawing conclusions from these types of reports.

Overall, two thumbs up to the Verizon Business RISK team. I commend them on their willingness to share this information and their desire to influence our industry as a whole.


Working With External Data (Part 1 of X)

November 21, 2009

In early October I began reviewing three external data repositories containing “loss event” data. I think it is important to state that what you are about to read is the result of me being guided by a real risk modeler at the company I work for. Modelers are very methodical, consistent, and have high expectations of quality – sort of like engineers. I understand information security, he understands modeling. I get to do the mundane work – he gets to build the mathematical relationships and distributions. No matter what though – I have to be able to explain everything in the model as well as maintain it moving forward. Thus, in this series, I want to share some observations and lessons I learned from the “gathering external data” exercise.

Really understand what you are looking to get from the data.
It is too easy to jump into these data sets, perform some simple statistical calculations and then communicate outrageous findings to an audience. For me and my employer’s purpose we wanted to use “some” of this external data for use in a loss model. Specifically, to help establish a distribution of the possible number of records that could be lost and the potential loss magnitude per event in various types of security incidents. (Notice I said possible, not probable). The reality is that most companies do not have dozens let alone hundreds of loss events to develop loss models without needing to use external data. So, one of the benefits of using external data in a loss model is that it can really help understand worst-case loss magnitude, also known as “tail risk”. Internal data tends to have more influence on the mean value of a loss model. For two of the data sources – dataloss.org and privacyrights.org – the number of records lost was the key data point. For the third and non-public data consortium source, the cost of security related events (not necessarily data loss events) was the most useful. Below are some considerations for narrowing down the number of data points in a data set from all to “some”.

a.    Time. Technology and the regulatory landscape changes quickly. Thus, it is preferable to time limit data points to a period where a minimum level of technology was assumed as well as a consistent expectation of regulatory / industry standard requirements. For our purposes, we only chose data points dating back to 2005. Again, this time range will vary from model to model, person to person, company to company and industry to industry.

Note 1: One record in the dataloss.org set goes back to 1903. Seriously.

Note 2: In the dataloss.org data set dated 9/30/2009 there were 2013 data points. Using only records from 2005 to 9/30/2009 reduced the set down to 1945.

b.    Good Fit. Not all data points are a good fit to be included in your analysis. Security control expectations vary from industry to industry. Thus you need to have a way of methodically reviewing data points to determine which are a good fit. Below are just a few considerations:

i.    Industry. Most data sets are not industry specific – so they contain data points spanning all kinds of industries. The transportation industry has a different value proposition than the financial services industry. So, depending on your model – points outside your industry may not be relevant.

ii.    Service or Value Proposition. Somewhat related to industry but some services and value propositions are shared between industries. I think of health care insurance and property and casualty insurance. Both industries have to protect confidential information. This does not mean that if I am in the financial services industry that I would include ALL healthcare industry data points – it just means that I am acknowledging there is a shared value proposition and that some data points – depending on the loss form – can be used for my purposes.

iii.    Loss Form Categories. When I talk about loss form categories, I am referring mostly to the Basel II Operational Risk Categories (Level 1): “Internal Fraud”, “External Fraud”, “Employment Practices and Workplace Safety”, “Clients, Products & Business Practices”, “Damage to Physical Assets”, “Business Disruption and System Failures” and “Execution, Delivery & Process Management”. Most data loss events will only map to a few of these categories and in some instances these categories may not even be applicable to your needs, your company or your industry – but classifying each data point to one of these categories or another category framework more relevant for your company / industry can allow you to refine your data set in a methodical and unbiased manner.

Note 3: After applying my good fit criteria, the total number of dataloss.org data points I am using for my model has been reduced from 1945 (note 2 above) down to 84.

Note 4: Of those 84 data points: 9 data points were categorized as “Internal Fraud”, 37 were categorized as “External Fraud” and 38 were categorized as “Execution, Delivery, and Process Management”.

c.    Duplicate Records. When you are using multiple data sets, you have to assume there is duplication of data points between data sets. This was definitely the case for the dataloss.org and privacyrights.org data sets. To compound matters, just expect that for a certain percentage of duplicate data points – the details might differ. This is not a super big deal – just understand that you will have duplicate data points and will have to choose one of the data points.

Note 5: Ok, there could be some duplicates where the variance in details is so wide and there is neither the time to determine which one is more correct nor a valid source to determine which one is more accurate; you could throw them both out.

d.    Consistency. You have to be consistent in your approach to reviewing data points. Distributing the work between numerous people could be problematic if they are not all properly aligned on the goals of what you are doing and properly calibrated on determining if a data point meets the criteria for inclusion.
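To make steps a through d concrete, here is an added example (not the author’s or his employer’s tooling) that runs the time, good-fit, duplicate-record and consistency considerations over a small constructed sample of loss-event rows. The field names, the sample rows, the industries treated as a “shared value proposition”, the seven-day duplicate window and the 2× records variance threshold are all assumptions for illustration, not the dataloss.org or privacyrights.org schema.

```python
"""Curating external loss-event data for a loss model (added example)."""
from dataclasses import dataclass
from datetime import date
import re

# Basel II Level 1 operational risk categories referenced in the post.
BASEL_II_L1 = {
    "internal_fraud", "external_fraud", "employment_practices",
    "clients_products_business_practices", "damage_to_physical_assets",
    "business_disruption_system_failures", "execution_delivery_process_mgmt",
}


@dataclass(frozen=True)
class LossEvent:
    source: str        # which public data set the row came from
    org: str           # organization named in the record
    occurred: date     # event date as recorded
    industry: str      # assumed industry label
    records: int       # number of records reported lost
    category: str      # Basel II Level 1 category assigned during review


# Constructed sample rows; the overlap between the two sources is deliberate.
SAMPLE = [
    LossEvent("dataloss.org", "Acme Bank", date(1903, 6, 1), "financial", 500, "external_fraud"),   # the "1903" record
    LossEvent("dataloss.org", "Acme Bank", date(2007, 3, 14), "financial", 120000, "external_fraud"),
    LossEvent("privacyrights.org", "ACME Bank, N.A.", date(2007, 3, 15), "financial", 125000, "external_fraud"),
    LossEvent("dataloss.org", "Rail Freight Co", date(2008, 9, 2), "transportation", 4000, "execution_delivery_process_mgmt"),
    LossEvent("dataloss.org", "Mercy Health Plan", date(2006, 11, 20), "healthcare", 30000, "execution_delivery_process_mgmt"),
    LossEvent("dataloss.org", "Teller Trust", date(2009, 5, 5), "financial", 900, "internal_fraud"),
    LossEvent("privacyrights.org", "Teller Trust", date(2009, 5, 5), "financial", 90000, "internal_fraud"),  # details differ 100x
    LossEvent("dataloss.org", "Widget Works", date(2004, 12, 31), "manufacturing", 2000, "external_fraud"),  # pre-2005
    LossEvent("dataloss.org", "Harbor Insurance", date(2008, 1, 9), "insurance", 15000, "business_disruption_system_failures"),
]

# (a) Time: the window the model assumes a minimum technology / regulatory baseline for.
DATE_FLOOR, DATE_CEILING = date(2005, 1, 1), date(2009, 9, 30)
# (b) Good fit: industries assumed to share a "protect confidential information" value
#     proposition, and the loss-form categories the model cares about.
FIT_INDUSTRIES = {"financial", "insurance", "healthcare"}
FIT_CATEGORIES = {"internal_fraud", "external_fraud", "execution_delivery_process_mgmt"}
# (c) Duplicates: which source wins, how close two dates must be, and how far the
#     record counts may disagree before both rows are thrown out (Note 5).
SOURCE_PRIORITY = ["dataloss.org", "privacyrights.org"]
DUP_WINDOW_DAYS = 7
MAX_VARIANCE_RATIO = 2.0
_NOISE_TOKENS = {"inc", "corp", "co", "na", "llc", "ltd", "the"}


def in_time_window(e: LossEvent) -> bool:
    return DATE_FLOOR <= e.occurred <= DATE_CEILING


def is_good_fit(e: LossEvent) -> bool:
    # (d) Consistency: every reviewer applies this one function, and an unclassified
    # row is a review error rather than something that silently passes.
    assert e.category in BASEL_II_L1, f"unclassified category: {e.category}"
    return e.industry in FIT_INDUSTRIES and e.category in FIT_CATEGORIES


def org_key(name: str) -> str:
    """Normalize an organization name so 'ACME Bank, N.A.' matches 'Acme Bank'."""
    tokens = re.sub(r"[^\w\s]", "", name).lower().split()
    return " ".join(t for t in tokens if t not in _NOISE_TOKENS)


def _resolve(cluster: list) -> list:
    """Pick one row from a cluster of probable duplicates, or drop them all."""
    if len(cluster) == 1:
        return cluster
    counts = [e.records for e in cluster]
    if max(counts) / max(min(counts), 1) > MAX_VARIANCE_RATIO:
        return []  # Note 5: the details disagree too widely and nothing settles it
    return [min(cluster, key=lambda e: SOURCE_PRIORITY.index(e.source))]


def dedupe(events: list) -> list:
    """Cluster rows by normalized organization and nearby date, then resolve each cluster."""
    by_org: dict = {}
    for e in events:
        by_org.setdefault(org_key(e.org), []).append(e)
    kept = []
    for group in by_org.values():
        group.sort(key=lambda e: e.occurred)
        cluster = [group[0]]
        for e in group[1:]:
            if (e.occurred - cluster[-1].occurred).days <= DUP_WINDOW_DAYS:
                cluster.append(e)
            else:
                kept.extend(_resolve(cluster))
                cluster = [e]
        kept.extend(_resolve(cluster))
    return kept


def curate(events: list):
    """Apply the criteria in order and report how many rows survive each step."""
    in_window = [e for e in events if in_time_window(e)]
    fit = [e for e in in_window if is_good_fit(e)]
    final = dedupe(fit)
    counts = {"raw": len(events), "in_window": len(in_window),
              "good_fit": len(fit), "final": len(final)}
    return counts, final


if __name__ == "__main__":
    counts, final = curate(SAMPLE)
    print(counts)
    for e in final:
        print(e.source, e.org, e.occurred, e.records, e.category)
```

Keeping the counts per step is the part worth copying: it is the audit trail that lets you explain why 2013 rows became 84 when someone raises the “garbage in, garbage out” objection, and it makes a second reviewer’s results directly comparable to yours.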

In the next post, I will focus more on “right-sizing” data points. In other words, adjusting data points to be commensurate with your particular company.

Note 6: Please do not take any of my remarks about dataloss.org or privacyrights.org having errors to be an attack against the fine folks that are maintaining those data sets. My intent for raising these points is related to taking personal responsibility for knowing the data points you are using to derive information from. It is too easy for our business partners and even others in the security industry to raise the “garbage in garbage out” argument when trying to understand risk or loss models.


Risk / Threat vs. Risk Issue

October 26, 2009

[Image: risk_risk_issue_091026]

***
Up front props:
1.    In the “risk universe” square, I used the “evolving change categorizations” from a Joshua Corman blog post found here.
2.    I heard the term “risk ecosystem” from Microsoft’s Mark Curphey in a video related to a risk repository web app they recently released called “Risk Tracker” (either here or here). I found the term to be valuable in the context of this blog post.
3.    The approach to the image above was not solely mine, I just embellished and sanitized on someone’s idea here at my employer.
***
Some terminology declarations:

I am using the word risk in a variety of capacities in this post.

In some cases, it is being used in the context of a threat (storm heading in my direction).

In other cases is being used in the context of a derived value; the probable magnitude and frequency of loss; $.

I am using the term “risk issue” or “risk finding” to mean a documented risk that requires a decision from management to either assume or mitigate.

Finally, in the database symbol titled “Risk Rep.” – that is short for “risk repository”.
***

I have recently been in a few conversations related to when a “risk” (or threat) becomes a “risk issue”. Most of these conversations have been with information security risk management executives; which implies “philosophizing”, evangelizing, white boarding, and of course – excessive use of non-risk management analogies to reflect risk management concepts. In the end, these conversations turned out to be valuable because they forced the group to really understand when a risk (threat) becomes a risk issue in our environment. In other words, what are the various lenses we analyze threats or risk through to determine that we need to document a risk finding?

I will let you noodle the image and underlying concept on your own. However, below are a few parting points I would like to make.

1.    There is a difference between grandstanding on risks (threats) that pose no threat to your company versus managing risk issues within your own risk ecosystem. Think “solar storm heading directly to Mars” versus “a storm cell that is 10 miles away with 65 mile per hour winds headed directly towards us”.

2.    If a risk (threat) is important enough to grandstand on AND to begin mitigating – then it is no longer a risk, but a risk issue – and should be managed as such.

3.    Emerging risks – or threats – somewhat fall in between the two above. You may want to let management know about some potential exposure – but there is nothing that needs to be addressed today.

Feel free to share any thoughts you have!


Catching My Breath

October 22, 2009

Happy Birthday Mom!

My previous post was in early August (2009); a two post series on reputation risk. Since then, my professional and personal life has been pretty busy. Here is a quick update that will hopefully set some context for some upcoming (and hopefully more meaningful) posts between now and the end of the year.

No More PCI. OK, not 100% true – but let me explain. From about June 2008 until September 2009 – I helped lead a large information technology program (enterprise level program; containing numerous projects) to enhance some payment transaction applications as well as better manage compliance with the PCI DSS standard. Helping lead this program was truly one of the highlights of my information security / risk management career. It is not often in a big company that you get to be dedicated to a program for so long – as well as get to dive so deep to ensure that the solution being developed is not only compliant – but also secure. I transitioned away from the PCI program in early September to help lead some information risk management capability projects. I am still doing some ad-hoc / historical knowledge PCI consulting here and there – but for the most part, I am not focused on PCI – and I am enjoying it.

So what am I doing now?

There are three efforts I am primarily working on.

Risk Quantification Methodology. Around April / May of 2008, I wrote a small proposal to our security leadership about transitioning from qualitative risk assessments to quantitative risk assessments. In late Q3 of 2008 – I was given the green light to lead a proof of concept of what I proposed earlier in 2008 – in my “spare time” when not dealing with PCI stuff. The proof of concept extended into early 2009. In late Q1 2009, I presented the POC findings to security leadership and shortly thereafter, a decision was made to transition to quantitative risk assessments. Since I was still primarily working on the PCI-related program – the risk quantification strategy was put on hold. Fast forward to September and now I have time to implement the risk quantification methodology and all the goodness that comes with it (training, process changes, reporting, awareness, oversight, etc…). The goal is to have the methodology implemented in 2009 and focus on the related deliverables of reporting and oversight in 2010.

Risk Optimization Decision Model. This is really exciting and also dates back to Q4 of 2008. Very high level – I am working with a wicked smart data modeler to help build what I will refer to as a risk optimization model. The main purpose of the model is to aid decision making for information security (risk-related) funding decisions. An example of its use could be: A company has a lot of risk associated with “external fraud” and “internal fraud”; for example access control / authorization. The company has a loss model serving as a baseline. The company wants to invest $x dollars in a mitigation control that it expects to reduce loss frequency for “internal fraud” by 2% and “external fraud” by 10%. Based on the expected loss frequency reduction – what is the difference between the baseline loss model and the new loss model? Is there a risk reduction? If so, is the cost of the mitigation control a sound investment based on the risk reduction? I think there will be some interesting posts coming up related to this effort.

Risk Alignment. Around April of 2009, I was asked to represent the information risk management group (job family at my employer) in a working group with other risk assessment groups in our enterprise (Internal Audits, Financial Reporting Controls, SEC / FINRA, Privacy and Legal). I consider it a huge privilege and an even bigger growth opportunity. We have all heard of integrated operational risk management – and this working group is the epitome of that. Since my involvement with this working group, I have learned so much more about the company I work for as well as how other risk assessment programs assess and manage risk. The goal is alignment across risk assessment programs. Does that mean that every program assesses and manages exactly the same way – of course not. But there are opportunities to align on vernacular, risk concepts, risk categories, and in some cases risk repositories. I anticipate publishing a few blog posts that have been heavily influenced by my involvement with this alignment working group.
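The baseline-versus-mitigated comparison described under “Risk Optimization Decision Model” above can be sketched in a few dozen lines. The following is an added example written for this post, not the author’s or his employer’s model: annual loss frequency per Basel II category is drawn from a Poisson distribution, severity from a lognormal, and the control is modeled purely as the 2% / 10% frequency reductions from the paragraph. The category parameters, the control’s annual cost and the trial count are assumptions chosen for illustration.

```python
"""Baseline vs. mitigated loss model for a funding decision (added example)."""
import math
import random

# Assumed annual loss frequency (events/year) and lognormal severity parameters
# per category; lognormal mean severity = exp(mu + sigma^2 / 2).
BASELINE = {
    "internal_fraud": {"freq": 2.0, "mu": 11.0, "sigma": 1.0},   # ~$99k mean severity
    "external_fraud": {"freq": 5.0, "mu": 10.0, "sigma": 1.2},   # ~$45k mean severity
}
# Expected loss-frequency reduction from the proposed control, per category (from the post).
MITIGATION = {"internal_fraud": 0.02, "external_fraud": 0.10}
CONTROL_COST = 20_000.0  # assumed annualized cost of the control


def severity_mean(p: dict) -> float:
    return math.exp(p["mu"] + p["sigma"] ** 2 / 2)


def analytic_ale(model: dict, reductions: dict = None) -> float:
    """Closed-form annualized loss expectancy: sum over categories of freq * mean severity."""
    reductions = reductions or {}
    return sum(p["freq"] * (1 - reductions.get(cat, 0.0)) * severity_mean(p)
               for cat, p in model.items())


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small rates used here."""
    limit, k, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= limit:
            return k
        k += 1


def simulate_annual_losses(model: dict, reductions: dict = None,
                           trials: int = 50_000, seed: int = 2009) -> list:
    """Monte Carlo aggregate annual loss; returns the sorted list of per-trial totals."""
    reductions = reductions or {}
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for cat, p in model.items():
            n_events = _poisson(rng, p["freq"] * (1 - reductions.get(cat, 0.0)))
            total += sum(rng.lognormvariate(p["mu"], p["sigma"]) for _ in range(n_events))
        totals.append(total)
    totals.sort()
    return totals


def summarize(totals: list) -> dict:
    """Mean plus the tail points a loss model is usually judged on."""
    n = len(totals)
    return {"mean": sum(totals) / n,
            "p95": totals[int(0.95 * n)],
            "p99": totals[int(0.99 * n)]}


def compare(model: dict = BASELINE, reductions: dict = MITIGATION,
            control_cost: float = CONTROL_COST, **sim_kwargs) -> dict:
    """Answer the post's questions: is there a reduction, and is the control worth its cost?"""
    base = summarize(simulate_annual_losses(model, None, **sim_kwargs))
    mit = summarize(simulate_annual_losses(model, reductions, **sim_kwargs))
    reduction = base["mean"] - mit["mean"]
    return {
        "baseline": base,
        "mitigated": mit,
        "expected_reduction": reduction,
        "tail_reduction_p95": base["p95"] - mit["p95"],
        "net_benefit": reduction - control_cost,          # > 0: control pays for itself on expectation
        "rosi": (reduction - control_cost) / control_cost,  # return on security investment
    }


if __name__ == "__main__":
    print("analytic baseline ALE:  %.0f" % analytic_ale(BASELINE))
    print("analytic mitigated ALE: %.0f" % analytic_ale(BASELINE, MITIGATION))
    for key, value in compare().items():
        print(key, value)
```

The closed-form `analytic_ale` is enough to answer “is there a reduction on average”; the simulation is there because a funding decision usually turns on the tail as well, and a control that trims expected loss by a few percent may or may not move the 95th or 99th percentile in the same proportion.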

Finally, below are some books I have read since I took my vacation in late July. These books have nothing to do with IT or Information Security Risk Management whatsoever.

Crossfire by Andy McNab – Body guarding a TV crew on the streets of war-torn Basra, ex-deniable operator Nick Stone’s life is saved by a reporter’s swift action as a roadside bomb explodes. When the man later vanishes, Stone is asked to find him. The trail leads from Iraq to Bermuda, London and Kabul, the dark and brutal city where governments, terrorism and big business inexorably collide. Caught in the crossfire, his nightmare is only just beginning, for the hunter has suddenly become the hunted. . .

Brute Force by Andy McNab – Days after his car erupts in a ball of flame, Nick Stone narrowly cheats death a second time when a gunman opens fire on him from the back of a motorcycle. Who knows his movements? Who wants him dead, and why? Stone’s only chance of survival is to carry the fight to his attackers – but first he must uncover a trail of clues that leads from his own dark and complex past into the heart of a chilling conspiracy that threatens us all…Nick Stone’s eleventh adventure is McNab at his explosive best.

The Last Templar by Raymond Khoury – The war between the Catholic Church and the Gnostic insurgency drags on in this ponderous Da Vinci Code knockoff. The latest skirmish erupts when horsemen dressed as knights raid New York’s Metropolitan Museum of Art, lopping off heads and firing Uzis as they go. Their trail leads FBI agent Sean Ryan and fetching archeologist Tess Chaykin to the medieval crusading order of the Knights Templar. Anachronistic Gnostic champions of feminism and tolerance against Roman hierarchy and obscurantism, the Templars, they learn, discovered proof that Catholic dogma is a “hoax” and were planning to use it to unite all religions under a rationalist creed that would usher in world peace.

Moscow Rules by Daniel Silva – The death of a journalist leads Israeli spy Gabriel Allon to Russia, where he finds that, in terms of spycraft, even he has something to learn if he wants to prevent a former KGB colonel from delivering Russia’s most sophisticated weapons to al-Qaeda.

The Defector by Daniel Silva – Six months after the dramatic conclusion of Moscow Rules, Gabriel has returned to the tan hills of Umbria to resume his honeymoon with his new wife, Chiara, and restore a seventeenth-century altarpiece for the Vatican. But his idyllic world is once again thrown into turmoil with shocking news from London. The defector and former Russian intelligence officer Grigori Bulganov, who saved Gabriel’s life in Moscow, has vanished without a trace. British intelligence is sure he was a double agent all along, but Gabriel knows better. He also knows he made a promise. “If an injury has to be done to a man it should be so severe that his vengeance need not be feared.”


Reputation Risk Q&A – Richard Levick (1 of 2)

August 5, 2009

[Image: reputation-management-as-a-balloon]

This past April I had an opportunity to cross paths with a public relations business called Levick Strategic Communications (Levick) and its company leaders. A couple of things stood out to me about Levick that led up to this blog post.

1.    Reputation Risk. While I do not consider myself a public relations industry expert – I have had enough exposure to the industry to understand that Levick’s subject matter expertise on brand and reputation risk is a significant differentiator compared to larger public relations shops and most of the professional consulting firms. In addition, given their location within Washington DC – you can have a high level of confidence in assuming that Levick is dealing with companies and news events that we hear, see or read about on a daily basis.

2.    Informative Blog. I really like Levick’s blog called “BulletProof”. The blog posts are informative, short, and relevant. Granted, they may not be information security or infosec risk management related – but most of the posts can be associated with the loss form we characterize as “reputation risk”.

It is truly my professional and personal pleasure to introduce to the readers of this blog, Mr. Richard Levick, the CEO of Levick Strategic Communications. Mr. Levick has agreed to answer some questions I prepared about reputation risk. The intent of this blog post is to bring some clarity to what reputation risk is and for Mr. Levick to offer some practical feedback that we as information security professionals can consume and apply in our daily activities.

Thank you Mr. Levick for agreeing to participate in this question and answer blog post.

Note: Mr. Levick’s answers to my questions were provided on July 14th, 2009. Ten questions were posed to Mr. Levick. The questions and answers will be split between this blog post and an additional post in the coming days.

1. What led you to participate in this blog post?

Richard Levick: Simply put, blogs are news. People are looking in the windshield for the day that digital media overtake traditional media when they should be looking in the rear-view mirror. Just a few weeks back, Zogby released a poll that shows the Internet has overtaken television, newspapers, and radio not only in terms of relevance; but reliability. Let me reiterate how critical that is: The Internet is where we go for truth. In a world where digital news sources are more widely read and more widely trusted, you’ve got to treat blogs with the same respect you would show The Washington Post, The New York Times, or The Wall Street Journal. Today, digital media is media.

2. What is reputation risk?

Richard Levick: Reputation risk is one of two things. It is either the ways in which internal or external forces are negatively impacting your brand right now or how they will. What are today’s risks? What are our likely future risks?

Today, companies are operating in a reputational perfect storm. First, the new President and Congress are clearly intent on regulating where they feel the past Administration and Congress have been lax. Sarbanes-Oxley represents the first half of the equation – transparency. Today, we are living through the more painful second half of the equation – accountability. Second, the explosion of digital media has created a world in which there are virtually no secrets. Speed has been redefined to moments, not news cycles. Third, the plaintiff’s bar, mommy bloggers (articulate and empowered consumers), and even regulators are a full Internet generation ahead of companies facing crisis.

Bottom line: companies must immediately stop and rethink the way they think about their brand, their reputation, risk, and crisis. The cheese has moved. What got you here won’t get you through tomorrow.

3. What are the key components of a reputation?

Richard Levick: That’s a great question – because it’s where most board members, CEOs, and corporate communications professionals most often make mistakes in crisis. Too often companies think that the key component of reputation is how they view their brand when it is actually how the brand is perceived by the company’s target audiences. You’ve got to take a Buddhist approach to reputation management; seek first to understand, and then be understood.

Too often, companies in crisis do the reverse; seeking to explain rather than focusing on what audiences want to hear – what you’re doing to solve the problems at hand, and what you’re doing to ensure that similar problems never arise again.

Let’s take the recent Washington Post crisis where they attempted to sell access. It is something other magazines in the Nation’s Capital can do because they are not the Washington Post. The Post’s reputation, their brand, is as the “investigative newspaper.” They birthed the modern age of investigative journalism with their brilliant coverage of Watergate. They can’t now be offering access to the highest bidder, no matter what the pressures of the Internet Age are. It violates their brand. So the first rule is “Understand your reputation.” It sounds so simple, but it’s not. GM forgot. Yahoo forgot. If you don’t understand it, you can’t protect it.

And then there is Wall Street. Too many very smart, very talented Wall Street executives and corporate communications professionals still think the problem is about communicating to their fraternity. But risk and crisis change your audience. You have to think differently about what you say, to whom, and how. We have seen time and time again that Wall Street, Detroit, and many marvelous brands are still thinking in terms of the traditional media paradigm and not the digital media paradigm. Talk about fighting the last war. So the second rule of protecting your reputation is to look forward, not backward.

4. How can reputation be impacted when there are IT security incidents?

Richard Levick: Data loss and theft is the issue du jour in the 21st Century marketplace, pitting privacy and commerce interests tête-à-tête. We all want the ease of commerce that the Internet provides, but are we willing to open up to the transparency it requires?

As a company that has handled many of the data loss cases, including, to date, the largest data loss in world history, we’ve seen time and again how reputations can be adversely impacted when the response isn’t adequate, or how they can be advanced when companies run to the light.

Companies must remember that the key issue isn’t that you’ve lost the data – stakeholders understand that they’ve traded an expectation of total privacy for the conveniences of the Digital Age. The issue is how the company behaves once a data breach is discovered. Did it demonstrate transparency by acting fast to notify the authorities and inform affected consumers of their precise exposures? Did it demonstrate accountability by addressing the problems that allowed a data loss to occur? If it hasn’t already, will it be implementing best security practices that limit the chances a data loss will ever occur again?

These are the issues at the heart of reputation management during an IT security incident because if they are handled well, they show concern for, commitment to, and action on behalf of those whose privacy may have been compromised. If they are handled poorly, brand credibility and trust suffer – and that’s a recipe for disaster in an e-commerce environment where trust trumps everything else.

5. Can reputation be measured or quantified in units of dollars?

Richard Levick: I think that is pretty tough to do. People can try, and I suspect a fluctuation in stock price can be one measure, as can value – but I think the true answer is ultimately no, and therein lies the problem. Inside and outside counsel can articulate likely exposures and potential associated costs. Investor Relations professionals can certainly identify market risks. Compliance officers can estimate the costs of non-compliance. And the list goes on. But can anyone really articulate the potential cost of loss of reputation? I think the end result, too often, is that in a crisis very smart counselors save the arm but lose the patient.

Relatively speaking, it’s easy to quantify the legal exposure, losses in market share or stock price, or even declines in employee morale that can result from a particular corrective action during crisis. So when a CEO finds him or herself at the moment of truth, analysis paralysis usually sets in because there’s no concrete way to quantify the ways in which a particular corrective action – taken to strengthen brand reputation when it matters most – will positively impact the bottom line.

That’s why it’s so vitally important for the board to mandate courage in crisis situations. When the CEO is inundated with countless reasons not to act, he or she must have the freedom to look at all the risks at play and then decide which risks are acceptable in order to protect and preserve the brand.

I always look back to the marquee case study in crisis communications – the Tylenol tampering crisis of the early 1980s. Johnson & Johnson held two news conferences a day to keep its audience informed, without regard for the fact that each statement could potentially increase the pool of concerned stakeholders or legal liability. They took a calculated risk. They exercised courage and leadership by pulling all of their over-the-counter pain medications, not just Tylenol, without ever being asked to by any regulator or concern for stock price. As a result, Johnson & Johnson has enjoyed 30 years of being recognized as one of the top companies in the world and Tylenol is still the top pain-reliever on the market. What CEO wouldn’t trade that for one tough quarter?

Crises demand action. Companies shouldn’t shy away from that fact simply because reputational strength isn’t something that shows up on a balance sheet.

TO BE CONTINUED…


Risk Scenario – Hidden Field / Sensitive Information (Part 4 of 4)

January 16, 2009

The Summary

It is time to wrap this scenario up. If you are landing here directly with no knowledge of the three previous posts, the hyperlinks are below:

Part 1 – The Scenario
Part 2 – TCOMM A
Part 3 – TCOMM B

The risk assessments for both threat communities (malware and Initech Novelty, Inc.) resulted in risk ratings of MEDIUM. This scenario is different from others in that we performed a risk assessment for two threat communities. Not all scenarios will require this, nor is it always practical from a time perspective. When it comes to performing multiple risk assessments for multiple threat communities, the question that usually comes up is: “Which risk rating should I use for the scenario as a whole if the risk rating for each TCOMM is different?” This is a great question and not one that I will spend a lot of time on in this post – but here is how I would reconcile it: I would assign the “higher” qualitative risk rating to the scenario. There is a relationship between LEF, PLM and the RISK rating. The risk rating is more reflective of annualized exposure, so I would err on the side of the higher rating.

Back to this scenario: both FAIR assessments resulted in a risk rating of MEDIUM. Having both of these as MEDIUM makes gauging the risk for the scenario itself somewhat easier. However, we still need to summarize the risk for the decision maker(s) responsible and accountable for the payment application as well as the decision maker accountable for INI’s compliance with PCI-DSS requirements.

Here is how I would summarize the risk:

***

A vulnerability in our e-commerce application was reported to us by one of our customers. The vulnerability was validated by the security group, assessed for risk and has been categorized as a MEDIUM risk. The vulnerability results in the customer’s payment card information being persisted in HTML files that are cached on their PC after making a purchase from our site. It is possible for the payment card information (credit card number, expiration date, and CVV2 code) to be retrieved from the HTML files.

There are two threats that we have identified that introduce exposure to the consumer, Initech Novelty Inc., or both. The first is zero-day malware. While we believe that most of our customers are Internet-security aware, there is not enough information to gauge the effectiveness of the security controls on their PCs. We are estimating that our average consumer will encounter a form of zero-day malware at least once a year. There is no guarantee that the customer’s cached payment card information would be compromised as a result of the malware, but we also cannot guarantee that it would not be compromised. Second, confirming this vulnerability makes INI non-compliant with PCI-DSS requirement 6.5.7, which is related to developing and maintaining secure systems and applications. We need to update our Self Assessment Questionnaire to indicate non-compliance with this requirement and report it to our payment processor. Finally, some contributing factors that should be considered as part of this risk assessment are: customer privacy, INI’s obligation to be compliant with PCI-DSS, and INI’s reputation as a result of any incidents related to this vulnerability.

We have estimated INI’s exposure to be between $5,000 and $10,000. This estimate includes both hard and soft dollars encompassing multiple loss forms: our internal response to any reported incidents, costs associated with providing protections to the consumer should there be loss of their payment card information, and the cost to INI to mitigate the risk at a later date if the decision is made to assume the risk. We estimate that the cost to mitigate the risk to an acceptable level (fix the application) is approximately $3,000 soft dollars (internal resource effort).

***

There is one last topic I wanted to write about as part of this scenario series and that is mitigation solutions. Below are some quick hit solutions and recommendations that I would present to an application team.

1.    Use the appropriate HTTP header directives that tell the browser not to store or cache the page being loaded.

2.    Do not use hidden fields to facilitate session management – especially for confidential information. Use a session database. (BTW, use of hidden fields for this purpose is not recommended by OWASP – which PCI-DSS references as a source of secure coding guidelines).

3.    Have all payment application changes reviewed by security prior to releasing into production.
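To make recommendations 1 and 2 concrete, here is an added example (not code from the original post or from Initech) that scans a confirmation page for hidden fields carrying PAN-like values, checks whether the response headers forbid caching, and shows the hardened form alongside the vulnerable one. The HTML, header sets and field names are constructed for this illustration.

```python
"""Added example: detect the hidden-field / caching defects from the scenario
and build the no-store headers recommended as mitigation.  All sample
markup, header values and names below are constructed, not Initech's."""
import re
from html.parser import HTMLParser

# Directives that tell the browser (and intermediaries) not to store the page.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",  # honoured by legacy HTTP/1.0 caches
    "Expires": "0",
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used to tell PAN-like values from other numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class HiddenFieldScanner(HTMLParser):
    """Collects the names of hidden <input> fields whose value looks like a PAN."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "hidden":
            return
        value = re.sub(r"[ -]", "", a.get("value", ""))   # strip spaces/dashes
        if 13 <= len(value) <= 19 and value.isdigit() and luhn_valid(value):
            self.findings.append(a.get("name", "?"))


def hidden_pan_fields(html: str) -> list:
    """Return the names of hidden fields that persist a card number in the page."""
    scanner = HiddenFieldScanner()
    scanner.feed(html)
    return scanner.findings


def caching_allowed(headers: dict) -> bool:
    """True when nothing in Cache-Control stops the browser from storing the page."""
    tokens = {t.strip().lower() for t in headers.get("Cache-Control", "").split(",")}
    return "no-store" not in tokens


# Constructed sample of the vulnerable confirmation page: card data in hidden
# fields and no cache directives, so the browser writes it to its cache.
VULNERABLE_HTML = """<form action="/confirm" method="post">
<input type="hidden" name="order_id" value="10042">
<input type="hidden" name="card_number" value="4111 1111 1111 1111">
<input type="hidden" name="cvv2" value="123">
<input type="submit" value="Confirm order"></form>"""
VULNERABLE_HEADERS = {"Content-Type": "text/html"}

# Hardened form: card data stays in the server-side session store and the page
# only carries an opaque session reference, served with no-store headers.
HARDENED_HTML = """<form action="/confirm" method="post">
<input type="hidden" name="session_ref" value="9f1c2a7b-constructed">
<input type="submit" value="Confirm order"></form>"""
HARDENED_HEADERS = {"Content-Type": "text/html", **NO_STORE_HEADERS}

if __name__ == "__main__":
    print(hidden_pan_fields(VULNERABLE_HTML), caching_allowed(VULNERABLE_HEADERS))
    print(hidden_pan_fields(HARDENED_HTML), caching_allowed(HARDENED_HEADERS))
```

Run against the two samples, the vulnerable page reports `['card_number']` with caching allowed, and the hardened page reports no findings with caching forbidden.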

***

Feel free to share your thoughts – I welcome the feedback!


Risk and PCI-DSS

December 17, 2008

I recently had lunch with a friend and we spent a lot of time talking about PCI. I am heavily involved in some PCI-related activities at work that have resulted in me knowing more about PCI than I would care to. I wanted to document some of the subject matter we discussed, especially with regard to: how to approach a PCI compliance assessment project, states of compliance, and articulating risk related to requirement gaps.

So where to begin? Well, you can start by going to the PCI Standards Council website – there is a load of information there. You can find out:

1.    The merchant level of your business based on the number of card transactions your company performs.
2.    The kind of validation actions you are required to take.
3.    How your “validation actions” need to be validated.

One point I would like to throw out there for companies with numerous subsidiaries is that you need to work with your QSA to determine whether the subsidiaries under your company umbrella are separate from a compliance perspective or fall under the compliance status of the parent company. Not understanding this early in the process could result in a lot of wasted time.

Another point on this topic is that you need to understand the flow of PAN (primary account number) data through your environment. Visually (and accurately) representing this very early in the process will reduce assumptions and be of great benefit throughout the assessment lifecycle.

In general, PCI compliance seems to be very binary – you are either compliant or not; the severity of one’s non-compliance is where the grey is. Non-compliance can result in fines, increased transaction fees, and whatever other penalties exist. I will end this thought by stating that not all QSAs are created equal, nor are all payment processors created equal. On the PCI Council website they advise people to choose QSAs that know your industry – that is great advice. Some payment processors will recommend QSAs for you. Do your homework and make sure it is a QSA you are comfortable with.

Let’s talk risk and PCI. I think of PCI risk differently than some folks do. I separate the risk of being non-compliant from the risk of the gaps themselves. Let me explain.

Risk associated with just being non-compliant (no incident has occurred): Merchants can be fined for not being compliant. In this type of scenario the merchant’s payment processor could levy the fine. As a matter of fact, the card associations can fine the payment processor, who can then fine the merchant. Fine amounts can vary and there is no guarantee that you will be fined for being out of compliance. Also, it would appear that fines for this type of non-compliance are independent of the number of requirement gaps. So whether a merchant has one requirement gap or dozens – the fine is for being non-compliant. If an organization is not compliant, the expected annualized loss magnitude for not being compliant would be the expected monthly fine amount multiplied by 12.

Risk associated with being non-compliant when an incident has occurred: This is where the pucker factor starts. This is a situation where a merchant has suffered a breach and is non-compliant (or possibly even compliant). There are numerous resources out there about the fines that can be levied against merchants by the card associations, payment processor fines and increased transaction charges, card replacement costs, reputation costs and much, much more. This is a worst-case loss scenario from a risk perspective. For large merchants, I would think that the monetary impact would easily be hundreds of thousands of dollars to a couple million dollars; more depending on the size of the breach. TJX is a good *worst* worst-case benchmark.

Risk associated with the gaps themselves: When it comes to assessing the gaps – or risk issues – I prefer to assess them independent of the compliance status. Even though a single risk issue can result in a state of non-compliance, which has its own risk (fine) amounts, what good is it for the risk issue itself to assume the risk amount of not being compliant in cases where you have multiple gaps? So, I prefer to think of them independently. This allows for better mitigation prioritization, cost-benefit analysis, and more objectivity in how you articulate the risk to the decision makers.

If you think about what I have written, you can easily imagine a situation where a merchant could justify remaining out of compliance because the cost of not being compliant (in the absence of a breach) is cheaper than becoming compliant. For some companies that may be a viable option (though few would probably ever admit that is their approach), but most companies want to be compliant, want to show due care to their customers / consumers, and do not want to take the chance on a breach and the reputation impact that comes with it.

Finally, for most companies, achieving compliance cannot happen with one stroke of the magic wand. There may be a period of time between gap identification and mitigation, which means the company needs to manage that risk accordingly. I hope some of my thoughts above might help with that (combined with input from your legal counsel, your leadership, your QSA, etc.).

Now, if the PCI Security Standards Council would take more of a risk-based approach in determining level of compliance and magnitude of fines – that would be pretty cool. And no, using CVSS scores to tag technical vulnerabilities is not really a risk-based approach.

** Late addition to the post ** – My next post will be about a positive PCI QSA experience I recently had.


PCI, Risk Management & “The Blackberry Arsenal”

October 21, 2008

Recently I was assigned to a special project to be the information risk management representative for a payment card processing provider RFP.

One of the vendors was an organization based out of a prominent US city with loads of financial institutions. I will refer to this vendor as N, of which one of their subsidiaries – referred to as n – is the actual business unit that provides the actual card processing services. So, for practical purposes, n does the real work, but N is responsible for the big RFP responses and on-site sales pitches. For blog purposes, I will refer to the combined entity as Nn – sort of like me and mini-me…bad attempt at humor – but you get my point.

As was to be expected, Nn showed up in force. Color-coded apparel, great shoes, smiles, and the type of financial savviness one would expect from a reputable financial services provider. I was pretty impressed and to be honest, a show of force like this is what I expect given the size of the company I work for and the attention PCI-DSS commands. After the typical hand-shaking niceties and genuine attempts to find commonality between each other – the love fest started.

About 90 minutes into vendor Nn’s presentation, I asked some of my basic due diligence questions. Now keep in mind from previous posts that I consider information risk management professionals to be intelligence analysts – always gathering intelligence about threats, attack vectors, etc. For a vendor to think that potential clients are not checking up on them is mind-boggling – but more on that later.

One of my typical questions for any vendor that I assess for risk is: “How does your information security organization manage information security risk?” It is a fair question from my perspective and acceptable answers can be very simple or very complex. I prefer simple but complex is OK as long as they answer it and try not to dodge the question. In this case, vendor Nn answered the question sufficiently. But I still had some reservations regarding the big N and the little n. So, the follow-up question was this:

“In 200X your company (N) suffered a security breach. What has company N done to ensure the same vulnerability does not exist or cannot be exploited moving forward within company N and its subsidiary n?”

Well my friends (a McCain’ism), the love fest came to a halt right then and there.

The talking stopped!

The deer-in-the-headlights look overcame the faces of the team representing Nn.

Nervous glances started being cast.

The Nn sales team lead responded with the following: “What breach?”

My response: “The breach in 200X that shows up in a simple Google search phrase ‘Nn security breach PCI’.”

Nn sales team lead response: “I am not aware of that!”

My response: “We would like a formal statement regarding the security breach, the business unit impacted, and what has been done to prevent a repeat occurrence within the impacted business unit and any other business units owned by N.”

Nn sales team lead response: “Let us follow-up with you!”

My response: “Thank you!”

At this point, the Nn sales team broke out their Blackberry arsenal. And over the next 60 minutes there was more Blackberry thumbing than I have ever witnessed in a 60-minute period. The love fest had migrated to the sales team, their Blackberries, and other entities miles away; though deep down inside I would not be surprised if there were one or two messages between the Nn sales team members talking about the new A-hole they just stumbled upon.

Two hours later…during a break… (the love had still not returned to its original levels…)

Nn sales team member X: “I am sorry we could not speak to your question earlier today.”

My response: “That’s OK. I appreciate any follow-up responses you can provide.”

Nn sales team member X: “Well, we really did not know about this security breach, but our legal and PR departments will prepare a response. We really did not know about this.”

My response: “Thank you, we look forward to receiving it! You know, there is a neat Google service that lets you set up email alerts based on keywords you define. I use it all the time to keep tabs on my company as well as other companies. It is a great sales information tool.”

Nn sales team member X: “Thanks I will look into that!”

A few hours later, and some more Blackberry thumbing, the Nn sales team left. Only half of the team bothered saying bye to me and shaking my hand. I cannot blame them – I understand the frustration. In a previous consulting role (that included sales engineer responsibilities) – I saw my share of blown sales pitches and uncomfortable situations.

So here are a few thoughts:

1.    Companies that experience security breaches – where the acknowledgment that it occurred is public – need to educate their sales team / marketing folks (the entire company, it can be argued) that their reputation matters and that they could face tough questions. To think that other financial services companies, or companies looking to use their card payment services, will not ask them about recent breaches is ludicrous.

2.    The fact that Nn recently suffered a breach but could not speak to it right then and there does NOT disqualify them from further consideration. It is important to point this out, and it underscores the importance of being objective and looking at all aspects of one’s security posture. In addition, this underscores the power of taking a risk-based approach to assessing vendors.

3.    Ever heard the term “hate the sin, not the sinner”? It is somewhat applicable here. I honestly believe the Nn sales team did not know about the breach. A simple LinkedIn search on the Nn sales team (at least three of them) confirms they were with Nn at the time of the breach – but that does not mean they had privileged knowledge of it.

4.    Don’t be afraid to be the friction point – by asking tough questions. Tough questions can be asked – but asking with a sense of humility and tact goes a long way. The reality is that sometimes, tough questions cannot be asked unless you are direct and to the point. A lot of us are getting paid good money to perform an appropriate level of due diligence – let’s earn it.

5.    At the end of the day, there are a few things Nn might say they learned from their trip:

  1. A-hole’s company cares about security.
  2. We need to be better prepared to know about security in our company and how to speak to past incidents.
  3. Just because we are PCI compliant does not make our sales efforts easy.
  4. We need to stop at the airport bar before the flight takes off.

So there you have it. Another day, another dollar – I love my job.