Saturday, August 29, 2009

(ISC)2 Nominations and Election

If you are a CISSP, or hold any other (ISC)2 certification, read on- the elections are coming up.  Just like in real life, I don't want to hear you whine about the state of things if you don't take the time to vote.  There are three candidates who are not on the official slate, they each need 633 "signatures" to get onto the ballot.  Jack Holleran, Claude Williams, and Seth Hardy are trying to get on the ballot and I encourage you to look into their positions and sign/vote as you feel appropriate.  Remember, signing a petition does not commit you to voting for the candidate, it simply helps get them on the ballot.

Seth has a website outlining his positions.  I took a look, liked what I saw, signed his petition, and plan to vote for him.  Seth is an active and engaged member of the security community, the kind of person I believe may be able to help steer (ISC)2 in a direction I would like to see.

"Signing" actually means sending an email from the address of record with (ISC)2 (or including the address of record in the email), including your member number, and stating that you are signing the candidate's petition.  (This assumes you are a member in good standing).


Jack

Friday, August 28, 2009

Links for a Friday

I need time to calm down before commenting further on this, but I believe this Slate article may be one of the stupidest and most irresponsible things you read on technology this year.

On the other hand, this 147k, 20 page PDF from NIST, their draft of NISTIR 7621, Small Business Information Security: The Fundamentals, is one of the best things I've seen recently.  Nothing earth-shattering, but it is a very good document on small business security.  It is readable, explains the rationale for its recommendations, and while 20 pages isn't short, it is a quick read.  By the way, some people wonder why I dwell on small businesses so much; this quote from 7621 may help you understand:

"In the United States, the number of small businesses totals to over 95% of all businesses.  The small business community produces around 50% of our nation’s Gross National Product (GNP) and creates around 50% of all new jobs in our country.  Small businesses, therefore, are a very important part of our nation’s economy.  They are a significant part of our nation’s critical economic and cyber infrastructure."


Jack

Thursday, August 27, 2009

Cheatsheets Galore

I don't usually just highlight someone else's blog posts, but sometimes...

A couple of weeks ago Jeremy over at PacketLife updated his cheat sheets, and they are great.  Then, John at the Security Monks blog put together a huge list of cheatsheets including those from PacketLife and more from SANS, OWASP, and several individual contributors.  Check them out, there is a lot of great information out there.


Jack

Tuesday, August 25, 2009

A few days later, a little calmer now

It has been a few days since the latest amendment and delay (make that: evisceration) of 201 CMR 17.00 was announced, and it is time to take another look and give it a fair review.  Besides the raw documents I recently posted, I strongly urge you to head over to David Navetta's post at InfoSecCompliance.com; he makes some very good points and clears up several changes.  While you're there, review their redlined PDF version of the regulations- I think you'll agree that red is appropriate given the way 201 CMR 17.00 has been butchered over time.

There are several points which frustrate me in the updated version, but I will limit my comments to a few (I tried for a few, it appears several is a better description of the result).  Note that emphasis in text excerpts is mine, added to highlight my points.

First, the definition of encryption has changed from:

"the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the Office of Consumer Affairs and Business Regulation."

to

"the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key."

"Confidential process" and "cryptography" is a pairing destined for failure, and a password is a key, right?  You and I may understand the difference between "encrypted" and "password protected", but I assure you that this will lead to many people blurring the two and not encrypting their data when required, or doing it badly- and the state has provided them with a plausible excuse by this definition.

Second, the previous version stated in 17.03 (1)

"Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program..."

It now states

"Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written..."

While the words "stores or maintains" are missing, I think those are covered adequately elsewhere- it is the loss of the word "monitor" which concerns me.  Make a plan, print it out, and put it on the Shelf of Neglect with the others.  Sure, the FAQ says you need to monitor your plan, but the regulation doesn't, and that's what counts.

The next one might not be that bad, 17.03 (3) 5. before:

"Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records, including deactivating their passwords and user names."

And after, 17.03 (2) (b) 3. (e)

"Preventing terminated employees from accessing records containing personal information."

Or, the removal of strong language might give the impression that "immediately" and "physical and electronic" aren't that important.  That would be bad.

Now for a series of outright attacks on security fundamentals and common sense guidelines, 17.03 (3) 7. stated

"Limiting the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected; limiting the time such information is retained to that reasonably necessary to accomplish such purpose; and limiting access to those persons who are reasonably required to know such information in order to accomplish such purpose or to comply with state or federal record retention requirements."

The corresponding section of the current regulations is

Missing

That's right, the common sense suggestion to only keep the data you need is gone.  Forget the logic of "you can't lose what you don't have", go ahead and keep anything you want.

Also missing is the section corresponding to 17.03 (3) 8.

"Identifying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information, except where the comprehensive information security program provides for the handling of all records as if they all contained personal information."

This is an absolute fundamental tenet of any kind of security/protection program, and has always been- if you don't know what you have and where it is, you cannot protect it.  Read through breach reports and you will find that data is routinely lost from places that weren't documented.  Yes, a data inventory and classification project is likely to be painful, expensive and imperfect.  That doesn't make it any less fundamental or necessary.
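As an added illustration of the "know what you have and where it is" point (this is example code, not anything from the regulation or its FAQ), here is a small inventory scanner: it walks a set of records, flags the ones that appear to contain personal information, and reports only masked values so the inventory itself is not a new leak.  The sample records are constructed, and the two patterns (SSN-shaped numbers and Luhn-valid payment card numbers) are my assumptions about a reasonable starting point; the regulation's own definition of personal information is broader, and a real inventory would add the identifiers your business actually handles.

```python
"""Toy data-inventory scanner: flags records that appear to contain personal
information so they can be classified and protected.  Added example; sample
records are constructed and the patterns are assumptions, not regulation text."""
from __future__ import annotations

import re
from pathlib import Path

# Constructed sample records standing in for files on a shared drive.
SAMPLE_RECORDS = {
    "hr/payroll_2009.csv": (
        "name,ssn,salary\n"
        "Jane Doe,123-45-6789,52000\n"
        "John Roe,234-56-7890,61000\n"
    ),
    "sales/orders.txt": "Order 1042 for A. Smith paid with card 4111 1111 1111 1111\n",
    "marketing/newsletter.txt": "Thanks for subscribing! Our next sale starts Friday.\n",
    "it/assets.txt": "Laptop asset 1234-56-7890 assigned to jdoe\n",  # SSN-shaped, but not an SSN
}

# US SSN: area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (cuts down on random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return the digit strings of Luhn-valid card-shaped numbers in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def mask(value: str) -> str:
    """Keep only the last four digits in reports so the inventory is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]


def classify(text: str) -> dict[str, list[str]]:
    """Return {category: [masked values]} for the personal-information patterns found."""
    hits: dict[str, list[str]] = {}
    ssns = find_ssns(text)
    if ssns:
        hits["ssn"] = [mask(s.replace("-", "")) for s in ssns]
    cards = find_cards(text)
    if cards:
        hits["payment_card"] = [mask(c) for c in cards]
    return hits


def inventory(records: dict[str, str]) -> dict[str, dict[str, list[str]]]:
    """Map each record path to its findings; records with no hits map to {}."""
    return {path: classify(text) for path, text in records.items()}


def inventory_directory(root: str, suffixes=(".txt", ".csv", ".log")) -> dict[str, dict[str, list[str]]]:
    """Same inventory over real text files under root (undecodable bytes are skipped)."""
    records = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            records[str(p)] = p.read_text(errors="ignore")
    return inventory(records)


if __name__ == "__main__":
    for path, hits in inventory(SAMPLE_RECORDS).items():
        print(f"{path}: {'PERSONAL INFORMATION' if hits else 'no hits'}")
        for category, values in hits.items():
            print(f"    {category}: {', '.join(values)}")
```

Pattern matching like this produces false positives and misses context-dependent identifiers (bank account numbers, for instance), so treat its output as the list of places a human classifier needs to look first, not as the finished inventory.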

Section 17.03 (3) 9. went from

"Reasonable restrictions upon physical access to records containing personal information, including a written procedure that sets forth the manner in which physical access to such records is restricted; and storage of such records and data in locked facilities, storage areas or containers."

To this in 17.03 (2) (g)

"Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers."

Because the old political advice of "never write what you can say, and never say what you can wink" is the best way to handle policies, too.  Or not.

Some of the items removed from 17.03 are listed in the computer security sections, 17.04- but that means those protections are not required for the physical world, only the digital.

As long as I am on a roll, let's poke at the FAQ, too.  Besides confirming some of the above, the FAQ offers a few items I find especially problematic.  First,

"Technically feasible" means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used."

Odd that a regulation which has been altered to "ease the burden" on businesses doesn't provide an economic escape clause- as written "technically feasible" includes solutions which may be prohibitively expensive.  But don't worry, there are enough weasel words in this to allow an out somewhere.

Also from the FAQ, two truly horrifying things:

"Must I encrypt my email if it contains personal information?

If it is not technically feasible to do so, then no."

Per the previous definition of "technically feasible", email encryption is absolutely feasible.  Also, this fails to address the simple solution of encrypting the sensitive information and attaching it to a message.  Between the ubiquity of Microsoft Office and the free and cross-platform availability of OpenOffice, there is no excuse for not encrypting PII sent via email.  Reality and intent aside, expect to see this used to shoot down email encryption proposals on a regular basis.

And this nonsense:

"Do all portable devices have to be encrypted?

No. Only those portable devices that contain personal information of customers or employees and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops."

It scares me to think someone in state government wrote this.  Starting with the obvious targets- BlackBerries can be encrypted with minimal effort from the handset, or via policy using a BlackBerry Enterprise Server.  Nothing to it, really.  Netbooks have BIOS and drives just like "real" computers- from the free and Open Source TrueCrypt through many commercial offerings, they are easy to encrypt.  Other devices can get tricky, but Symbian-based phones support encryption.  iPhones, well, Apple would tell us "there's an app for that", and even though we have learned that the built-in encryption for the iPhone 3GS is nearly worthless, it probably still meets the requirements as currently written.  Once again, reality notwithstanding, expect this blurb as a counterstrike to any suggestion of portable device encryption.

Maybe I need to look at it fresh, as if there had never been prior versions.  Perhaps then it would look like a good start?  Since the trigger for getting the parent law, 93H, passed was the TJX breach, would the current 201CMR17.00 have done anything to prevent that attack?  No, it wouldn't.  WEP is encryption, and this mess has enough wiggle room that I expect even the sadly broken WEP could stand up to 201's feeble scrutiny.  What about other high-profile cases, such as Heartland?  201 doesn't require competent CEOs, web application code review, or web application firewalls; even the much-maligned PCI-DSS requires two of those three, and stopping simple SQL injection would have at least slowed down many recent attacks.

Now, for an immodest proposal, with no chance of passing (passing, as it would require a change in the law, 93H): forget all the prescriptive regulations and create specific and substantial penalties (financial and imprisonment) for failure, and make sure private lawsuits are expressly allowed.  Let's put the RISK into this risk-based approach.  (Yes, I understand that would drive some to try to keep their failures secret, but it will never happen anyway).  I didn't suggest what I really want for punishment, though...


Jack

Monday, August 24, 2009

Another Episode of Security Anecdote Theater

It's been a while, but while vacationing in Texas I was inspired to write a new installment of Security Anecdote Theater for you.

In the early days of the Republic of Texas, President Sam Houston felt that Austin wasn't an appropriate capital and wanted his namesake city of Houston to become the new capital of the young republic.  Houston claimed that Austin's isolated, western location was insecure, and that Houston would be a much more appropriate seat of power.  Austin's real hold on power was the fact that it held the government archives.  When persuasion failed to win the cause, Houston resorted to sending armed thugs (make that: a military unit) to Austin to steal (make that: retrieve) the archives under cover of darkness.  They quickly loaded the archives into wagons, and might have gotten away- but for innkeeper Angelina Eberly.  Mrs. Eberly discovered the men loading the wagons- she knew she couldn't stop them, so she ran to the town cannon and fired it off ("ventilating" the Land Office building in the process), thus alerting the townsfolk.  The alarmed and alerted citizens of Austin rallied and chased down the escaping men and wagons, retrieved the archives, and secured Austin's role as capital of Texas.

Sometimes all you can do about a problem is fire the town cannon- now we just need to work on getting the "townsfolk" to respond quickly and decisively when we raise alarms in Information Security...


Jack

Friday, August 21, 2009

Security B-Sides Las Vegas 2009 Audio

I still want to do more work on them and release them as a podcast series, but for now- all audio from the Security B-Sides Las Vegas event is up on a SkyDrive folder. See the schedule on the B-Sides site for more information on the talks. Note that parts of Jennifer Jabbusch's and HD Moore's talks, and all of Valsmith's talk, were not recorded at the request of the speakers.

On the topic of B-Sides, there will be events in San Francisco (coinciding with the RSA Conference) and in Boston (following the SOURCE Boston Conference).

Jack

Thursday, August 20, 2009

Recent podcasts

I have been on a couple of podcasts lately, and it is a testament to their hosts and producers that they managed to make me sound coherent.  Well, almost coherent.

I'm a bit late on the first one: I filled in for Rich Mogull on the Network Security Podcast episode 153 with Martin McKeay.  I was very happy to be on Martin's show; he has been blogging and podcasting for quite a while, and is one of the people who inspired me to start blogging myself.

More recently I spoke with Amrit Williams on his Beyond the Perimeter podcast, episodes 40 and 41. We talked about BlackHat, DefCon, Security B-Sides, and the importance of addressing the fundamentals of security, not just the "sexy" attacks.


Jack

Monday, August 17, 2009

Press Release on 201 CMR 17.00 changes

For immediate release, Aug. 17, 2009

CONTACT:

Jason Lefferts

(617) 973-8767

Small-Business Considerations Reflected in Massachusetts’ Revised ID Theft Regulations

Changes balance consumer protections with business concerns

BOSTON – Aug. 17, 2009 – In keeping with Governor Deval Patrick’s commitment to balancing consumer protection with the needs of small business owners, Massachusetts Undersecretary of the Office of Consumer Affairs and Business Regulation Barbara Anthony today announced adjustments to Massachusetts’ identity theft regulations that maintain protections and also reinforce flexibility in compliance by small businesses.

The updated regulations will take effect March 1, 2010. The regulations make clear that their approach to data security is a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers. Under a risk-based approach, a business, in developing a written security program, should take into account its size, nature of its business, the kinds of records it maintains, and the risk of identity theft posed by its operations.

“In listening to the concerns of small business leaders, we understand there were issues regarding the impact these regulations have on those companies,” said Undersecretary Anthony. “These updated regulations feature a fair balance between consumer protections and business realities.”

New language in the regulations recognizes that the size of a business and the amount of personal information it handles plays a role in the data security plan the business creates. The new language requires safeguards that are appropriate to the size, scope and type of business handling the information; the amount of resources available to the business; the amount of stored data; and the need for security and confidentiality of both consumer and employee information.

The changes, Anthony said, make clear the regulations are risk-based in implementation, not just in enforcement as had been the case in earlier versions of the regulations. In addition, the regulations are technology neutral and acknowledge that technical feasibility plays a role in what many businesses, especially small businesses can do to protect data. The overall approach is more consistent with federal law, she said.

“Whether it’s a small amount of employee paperwork, or a large amount of consumer information kept on an electronic database, each requires its own appropriate level of security and protection,” Anthony said. “The changes we are making reflect that reality without exposing companies or consumers to a heightened risk of theft.”

The regulations are a product of the identity theft prevention law signed by Governor Deval Patrick. Governor Patrick signed an executive order last September requiring all state agencies to implement security measures consistent with the requirements in the regulations.

The Office of Consumer Affairs and Business Regulation today sent to the Secretary of State notice of public hearing on the changes. That hearing will be held on Tuesday, Sept. 22, at 10 a.m. at the Transportation Building, 10 Park Plaza, Boston.

For more information about identity theft protection, visit the Office of Consumer Affairs and Business Regulation website, www.mass.gov/consumer.

NOTICE OF PUBLIC HEARING (September 22)

Pursuant to the provisions of M.G.L. c. 30A, and the authority granted to the Undersecretary of the Office of Consumer Affairs and Business Regulation under M.G.L. c. 93H, the Office of Consumer Affairs and Business Regulation will hold a public hearing in connection with the promulgation of 201 CMR 17.00, concerning the protection of personal information of residents of the Commonwealth. The public hearing will commence at 10:00 a.m. on Tuesday September 22, 2009, in Room No. 5-6, Second Floor of the Transportation Building, Ten Park Plaza Boston, Massachusetts 02116.

The purpose of the public hearing is to afford interested parties an opportunity to provide oral or written testimony regarding 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth. The purpose of 201 CMR 17.00 is to implement the provisions of M.G.L c. 93H relative to the standards to be met by those who own or license personal information about a resident of the Commonwealth. The regulation establishes standards for safeguarding such information, in paper and electronic records, in order to protect its security and confidentiality in a manner consistent with industry standards, to protect against threats and hazards to the security of such information, and to protect against unauthorized access to or use of such information in a manner that may result in substantial harm or inconvenience to any consumer.

Interested parties will be afforded a reasonable opportunity at the hearing to present oral or written testimony. Written comments will be accepted up to the close of business on September 25, 2009. Such written comments may be mailed to: Office of Consumer Affairs and Business Regulation, 10 Park Plaza, Suite 5170, Boston, MA 02116, Attention: Jason Egan, Deputy General Counsel, or e-mailed to Jason.Egan@state.ma.us.

Copies of the proposed regulation may be obtained from the Office of Consumer Affairs and Business Regulation website, or by calling (617) 973-8700.

August 17, 2009 /s/ Barbara Anthony, Undersecretary

Office of Consumer Affairs and Business Regulation

Frequently Asked Question Regarding 201 CMR 17.00

What are the differences between this version of 201 CMR 17.00 and the version issued in February of 2009?

There are some important differences in the two versions. First, the most recent regulation issued in August of 2009 makes clear that the rule adopts a risk-based approach to information security, consistent with both the enabling legislation and applicable federal law, especially the FTC's Safeguards Rule.  A risk-based approach is one that directs a business to establish a written security program that takes into account the particular business' size, scope of business, amount of resources, nature and quantity of data collected or stored, and the need for security.  It differs from an approach that mandates every component of a program and requires its adoption regardless of size and the nature of the business and the amount of information that requires security. This clarification of the risk based approach is especially important to those small businesses that do not handle or store large amounts of personal information.  Second, a number of specific provisions required to be included in a business’s written information security program have been removed from the regulation and will be used as a form of guidance only. Third, the encryption requirement has been tailored to be technology neutral and technical feasibility has been applied to all computer security requirements. Fourth, the third party vendor requirements have been changed to be consistent with Federal law.

To whom does this regulation apply?

The regulation applies to those engaged in commerce. More specifically, the regulation applies to those who collect and retain personal information in connection with the provision of goods and services or for the purposes of employment. The regulation does not apply, however, to natural persons who are not in commerce.

Does 201 CMR 17.00 apply to municipalities?

No. 201 CMR 17.01 specifically excludes from the definition of “person” any “agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.”  Consequently, the regulation does not apply to municipalities.

Must my information security program be in writing?

Yes, your information security program must be in writing. The scope and complexity of the document will vary depending on your resources, and the type of personal information you are storing or maintaining. But, everyone who owns or licenses personal information must have a written plan detailing the measures adopted to safeguard such information.

What about the computer security requirements of 201 CMR 17.00?

All of the computer security provisions apply to a business if they are technically feasible. The standard of technical feasibility takes reasonableness into account. (See definition of “technically feasible” below.) The computer security provisions in 17.04 should be construed in accordance with the risk-based approach of the regulation.

Does the regulation require encryption of portable devices?

Yes. The regulation requires encryption of portable devices where it is reasonable and technically feasible. The definition of encryption has been amended to make it technology neutral so that as encryption technology evolves and new standards are developed, this regulation will not impede the adoption of such new technologies. 

Do all portable devices have to be encrypted?

No. Only those portable devices that contain personal information of customers or employees and only where technically feasible. The "technical feasibility" language of the regulation is intended to recognize that at this period in the development of encryption technology, there is little, if any, generally accepted encryption technology for most portable devices, such as cell phones, blackberries, net books, iphones and similar devices. While it may not be possible to encrypt such portable devices, personal information should not be placed at risk in the use of such devices. There is, however, technology available to encrypt laptops.

Must I encrypt my backup tapes?

You must encrypt backup tapes on a prospective basis. However, if you are going to transport a backup tape from current storage, and it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer. If it is not technically feasible, then you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information. For example, if you are transporting a large volume of sensitive personal information, you may want to consider using an armored vehicle with an appropriate number of guards.

What does “technically feasible” mean?

“Technically feasible” means that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used.

Must I encrypt my email if it contains personal information?

If it is not technically feasible to do so, then no. However, you should implement best practices by not sending unencrypted personal information in an email. There are alternative methods to communicate personal information other than through email, such as establishing a secure website that requires safeguards such as a username and password to conduct transactions involving personal information.

Are there any steps that I am required to take in selecting a third party to store and maintain personal information that I own or license?

You are responsible for the selection and retention of a third-party service provider who is capable of properly safeguarding personal information. The third party service provider provision in 201 CMR 17.00 is modeled after the third party vendor provision in the FTC’s Safeguards Rule.

I have a small business with ten employees. Besides my employee data, I do not store any other personal information. What are my obligations?

The regulation adopts a risk-based approach to information security. A risk-based approach is one that is designed to be flexible while directing businesses to establish a written security program that takes into account the particular business's size, scope of business, amount of resources and the need for security. For example, if you only have employee data with a small number of employees, you should lock your files in a storage cabinet and lock the door to that room. You should permit access to only those who require it for official duties. Conversely, if you have both employee and customer data containing personal information, then your security approach would be more stringent. If you have a large volume of customer data containing personal information, then your approach would be even more stringent.

Except for swiping credit cards, I do not retain or store any of the personal information of my customers. What is my obligation with respect to 201 CMR 17.00?

If you use swipe technology only, and you do not have actual custody or control over the personal information, then you would not own or license personal information with respect to that data, as long as you batch out such data in accordance with the Payment Card Industry (PCI) standards. However, if you have employees, see the previous question.

Does 201 CMR 17.00 set a maximum period of time in which I can hold onto/retain documents containing personal information?

No. That is a business decision you must make. However, as a good business practice, you should limit the amount of personal information collected to that reasonably necessary to accomplish the legitimate purpose for which it is collected and limit the time such information is retained to that reasonably necessary to accomplish such purpose. You should also limit access to those persons who are reasonably required to know such information.

Do I have to do an inventory of all my paper and electronic records?

No, you do not have to inventory your records. However, you should perform a risk assessment and identify which of your records contain personal information so that you can handle and protect that information.

How much employee training do I need to do?

There is no basic standard here. You will need to do enough training to ensure that the employees who will have access to personal information know what their obligations are regarding the protection of that information, as set forth in the regulation.

What is a financial account?

A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result. Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account.

Does an insurance policy number qualify as a financial account number?

An insurance policy number qualifies as a financial account number if it grants access to a person’s finances, or results in an increase of financial burden, or a misappropriation of monies, credit or other assets.

I am an attorney. Do communications with clients already covered by the attorney-client privilege immunize me from complying with 201 CMR 17.00?

If you own or license personal information, you must comply with 201 CMR 17.00 regardless of privileged or confidential communications. You must take steps outlined in 201 CMR 17.00 to protect the personal information taking into account your size, scope, resources, and need for security.

I already comply with HIPAA. Must I comply with 201 CMR 17.00 as well?

Yes. If you own or license personal information about a resident of the Commonwealth, you must comply with 201 CMR 17.00, even if you already comply with HIPAA.

What is the extent of my “monitoring” obligation?

The level of monitoring necessary to ensure your information security program is providing protection from unauthorized access to, or use of, personal information, and effectively limiting risks will depend largely on the nature of your business, your business practices, and the amount of personal information you own or license. It will also depend on the form in which the information is kept and stored. Obviously, information stored as a paper record will demand different monitoring techniques from those applicable to electronically stored records. In the end, the monitoring that you put in place must be such that it is reasonably likely to reveal unauthorized access or use.

Is everyone’s level of compliance going to be judged by the same standard?

Both the statute and the regulations specify that security programs should take into account the size and scope of your business, the resources that you have available to you, the amount of data you store, and the need for confidentiality. This will be judged on a case by case basis.

201 CMR 17.00: STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Section:

17.01: Purpose and Scope

17.02: Definitions

17.03: Duty to Protect and Standards for Protecting Personal Information

17.04: Computer System Security Requirements

17.05: Compliance Deadline

17.01 Purpose and Scope

(1) Purpose

This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. The objectives of this regulation are to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer.

(2) Scope

The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth.

17.02: Definitions

The following words as used herein shall, unless the context requires otherwise, have the following meanings:

Breach of security, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth. A good faith but unauthorized acquisition of personal information by a person or agency, or employee or agent thereof, for the lawful purposes of such person or agency, is not a breach of security unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.

Electronic, relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

Encrypted, the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key.

Owns or licenses, receives, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.

Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.

Personal information, a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

Record or Records, any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

Service provider, any person that receives, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation; provided, however, that “Service provider” shall not include the U.S. Postal Service.

17.03: Duty to Protect and Standards for Protecting Personal Information

(1) Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.

(2) Without limiting the generality of the foregoing, every comprehensive information security program shall include, but shall not be limited to:

(a) Designating one or more employees to maintain the comprehensive information security program;

(b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:

1. ongoing employee (including temporary and contract employee) training;

2. employee compliance with policies and procedures; and

3. means for detecting and preventing security system failures.

(c) Developing security policies for employees relating to the storage, access and transportation of records containing personal information outside of business premises.

(d) Imposing disciplinary measures for violations of the comprehensive information security program rules.

(e) Preventing terminated employees from accessing records containing personal information.

(f) Oversee service providers, by:

1. Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations; and

2. Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information; provided, however, that any contract a person has entered into with a third party service provider prior to March 1, 2012, shall be deemed to be in compliance herewith, notwithstanding the absence in any such contract of a requirement that the service provider maintain such protective security measures, so long as the contract was entered into before March 1, 2010.

(g) Reasonable restrictions upon physical access to records containing personal information, and storage of such records and data in locked facilities, storage areas or containers.

(h) Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.

(i) Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

(j) Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.

17.04: Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
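
The elements of 17.04(1), (2) and (4) above describe controls rather than an implementation. The following is an added example, not part of the regulation or of any product, showing one way a small application could satisfy them: unique user IDs, a refusal of vendor-default passwords, passwords stored only as salted PBKDF2 hashes, authentication limited to active accounts, lockout after repeated failures, and an audit trail that a monitoring pass reviews. The lockout threshold, the PBKDF2 work factor and the default-password list are assumptions; the regulation sets no numbers.

```python
# Added example (not part of 201 CMR 17.00 or any product): a small user
# authentication store implementing the 17.04(1)-(2) elements, with an
# audit trail for the 17.04(4) monitoring duty. Thresholds are assumptions;
# the regulation does not set numbers.
import hashlib
import hmac
import os
from collections import Counter
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # assumed lockout threshold (17.04(1)(e))
PBKDF2_ITERATIONS = 200_000  # assumed work factor for stored password hashes
# Constructed list of vendor-default passwords to refuse (17.04(2)(b)).
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default"}


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    failed_attempts: int = 0
    locked: bool = False


def _hash_password(password: str, salt: bytes) -> bytes:
    # The stored form is a salted PBKDF2 hash, so the stored record does not
    # disclose the password it protects (17.04(1)(c)).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class AuthStore:
    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self.audit_log: list[tuple[str, str]] = []  # (event, user_id)

    def add_user(self, user_id: str, password: str) -> None:
        if user_id in self._accounts:
            raise ValueError("user IDs must be unique (17.04(1)(a), (2)(b))")
        if password.lower() in VENDOR_DEFAULTS:
            raise ValueError("vendor default passwords are not allowed (17.04(2)(b))")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))

    def deactivate(self, user_id: str) -> None:
        # Terminated employees lose access (17.03(2)(e)); only active
        # accounts may authenticate (17.04(1)(d)).
        self._accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None:
            # Hash anyway so response time does not reveal whether the ID exists.
            _hash_password(password, bytes(16))
            self.audit_log.append(("unknown_user", user_id))
            return False
        if not acct.active or acct.locked:
            self.audit_log.append(("blocked", user_id))
            return False
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self.audit_log.append(("success", user_id))
            return True
        acct.failed_attempts += 1
        self.audit_log.append(("failure", user_id))
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # 17.04(1)(e): block after repeated failures
            self.audit_log.append(("locked", user_id))
        return False


def suspicious_users(audit_log, failure_threshold: int = 3) -> list[str]:
    """Monitoring pass (17.04(4)): user IDs with repeated failures, or any
    attempt against a locked or inactive account. Returns a sorted list."""
    failures = Counter(uid for ev, uid in audit_log if ev in ("failure", "unknown_user"))
    flagged = {uid for uid, n in failures.items() if n >= failure_threshold}
    flagged |= {uid for ev, uid in audit_log if ev in ("blocked", "locked")}
    return sorted(flagged)


if __name__ == "__main__":
    store = AuthStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.authenticate("alice", "correct horse battery staple"))  # True
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "guess")
    print(store.authenticate("alice", "correct horse battery staple"))  # False: locked
    print(suspicious_users(store.audit_log))  # ['alice']
```

The audit log is kept in memory here; a real deployment would write it somewhere an administrator actually reviews, since 17.04(4) is satisfied by the review, not by the logging. Unlocking a locked account and the (3) and (5) encryption elements are outside this example.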

17.05: Compliance Deadline

(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

REGULATORY AUTHORITY

201 CMR 17.00: M.G.L. c. 93H

Massachusetts 201 CMR 17.00 amended and delayed, yet again

Yes, watered down and delayed once again. Makes me sick.

The next four blog posts will be converted from the documents I have recently received from the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).

If you care about data protection and are in Massachusetts, September 22 should be on your calendar; there will be a hearing on the new regulations.

Sorry for the blog flood- here goes...

Jack

Tuesday, August 11, 2009

Thank you for your support

Security B-Sides and Neighborcon Las Vegas were great events. They happened because of the people who put them together, those who pitched in to help, and the people who participated -and- because of individual and corporate sponsors who made a lot of the niceties possible (beer is a nicety, right?).

When the idea was first floated, Astaro was eager to help get things rolling, then more sponsors joined in. One of the other early supporters was WiKID Systems, there's a great post on their blog explaining why they sponsored, their reasons are very similar to my reasons for enlisting Astaro's help.

Head over to the Security B-Sides Las Vegas wiki page and check out all of the people and companies who helped make these events a reality. And thank them if you get a chance. Even if you aren't in a position to "buy one of each", follow the links, check out the companies and see what they do- maybe even take a few minutes and send a "Thank you" email to the companies. Believe it or not, companies do not sponsor events just to get people liquored up (OK, maybe IOActive does this occasionally)- a little appreciation will go a long way towards helping get sponsorships for future events. Yes, there will be future Security B-Sides events, keep an eye on the B-Sides website for details.

By the way, this applies to more than just these events. There are a lot of demands on personal and corporate finances, especially in this economy. A little gratitude can go a long way towards keeping you supplied with great security events. And free beer.

Jack

Saturday, August 8, 2009

Smart people saying dumb stuff, again.

A few weeks ago David Rice, the author of Geekonomics, was on Pauldotcom episode 160. There is no denying that he's a smart guy, but David Rice said some things that just don't work for me, and I feel compelled to address a few of them. Mr. Rice is a big proponent of some kind of testing/certification framework for software to insure security. This sounds good, but the devil is in the details, especially his.

He suggests the testing will need to start out with a low set of standards, and improve/evolve over time, getting tougher until they are a real measurement and enforcement of security. Again, this sounds good, but it is where things start to unravel. He points to IIHS and NHTSA testing as models; according to him they started nearly useless and evolved over decades- which is true to an extent, but fundamentally unsafe cars still pass the tests, and there are many real dangers which are not considered in the tests and ratings. Only a specific (and well known to the manufacturers) set of tests are performed; this leads to building cars to pass the test, not necessarily to actually be safe (hey, that sounds familiar, doesn't it?). Let's blow auto safety testing out of the water, shall we?

I love Jeeps, and have had several over the years. From the first CJs through the current Wranglers, and it's easy to make the case that they are all horribly "unsafe". The old ones were underpowered, but short, skinny, and prone to rollovers. As they have grown longer and wider, the improved stability has been offset by increased power so they are still rollover-prone. Driven properly, the risks can be minimized, but that means trusting the end-user (we're screwed). But, they "pass" the tests. Maybe not the highest safety ratings, but passing. (By the way, there are no more real Jeeps, the morons at Daimler-Benz and now the current owners of the Jeep name have killed them. They have even put V-6 engines in them. V-6s were a mistake in the '60s and are a heresy now. I-6s belong in Jeeps, an I-4 or V-8 if you must. Bastards).

You need look no further than the lists of safety recalls to see how often and how badly testing fails, and the myriad of things not tested which endanger you, me and our families (real world injured or dead on the road, no buffer overflow nuisances). Improper child seat mounting, mis-welded steering columns, overheating electronics, motorcycles helmets which fail to meet the standards, tow bars (for above mentioned Jeep Wranglers), leaking fuel filters- and that's just the first page and a half (of eighteen pages) in the report for the single month of July 2009.

Think about it: how can slamming a car into a barrier tell you that the lower control arms are formed so that they will trap sand, salt, and moisture- then rust out in two years and cause your suspension to separate when you hit a pothole "just right"? That takes a level of inspection and review we haven't gotten to yet, and probably never will. And I can shine a light on the arm and hit it with a hammer- try that with software testing.

One of my favorite examples of not testing for real-world safety is the moose. In limited parts of the world moose collisions are extremely common, and they are extremely dangerous wherever they happen. One of the primary problems is that cars are simply not designed to withstand an impact from the front against the a-pillars (the uprights between the front doors and the windshield), and they collapse easily. It is a known "defect", but it is not tested for, and the cost of correcting the defect is apparently not justified- and people die, avoidably, every year because of it.

Has that dampened your enthusiasm for automotive testing as a model for software assurance?

He also mentioned public pressure and demand for safer vehicles as supporting the improved safety, but the two highest profile news stories I recall about auto safety were both fraudulent hype. First we had the "runaway Audis", which supposedly accelerated out of control on their own. Audi maintained that the drivers were simply mistakenly stomping on the gas instead of the brake in all of the events, but 60 Minutes did a segment where they showed the engine of an Audi racing away "by itself" and drove public panic and outrage (costing Audi and their dealers untold millions). The "runaway" car 60 Minutes showed? It had its transmission rigged to drive the throttle linkage and artificially accelerate the engine; Audi fixed the operator error by retrofitting the brake/shift interlock system we all take for granted on cars now. The other big one involved GM trucks with fuel tanks outside of the frame rails, something that WAS unsafe, but Dateline NBC felt the need for a bit of drama to make the point. They staged side-impact collisions with the trucks, but didn't get much more than a little fuel leakage. Needing more drama to sell their schtick, they attached small rocket motors to the fuel tanks and rigged the test to guarantee spectacular fires. In the aftermath of the stunt, the real dangers of the design were overshadowed by the fraudulent reporting. I have no need for Fox News, CNN, MSNBC, or any other pack of screaming dimwits driving the discussion about software security. If you like the idea, ask them what a "hacker" is and get back to me.

Moving on...
When Rice said "cars aren't as complicated as software", I lost it. Clearly, he misspoke; surely he cannot believe an automobile where an entire Windows Media Center entertainment system is an afterthought tossed into the dashboard is somehow LESS complicated than the afterthought itself. Even the simplest of automotive components are expected to be functional at a bewildering array of temperatures under a variety of loads and with near-constant vibration. Cars have had microprocessors for decades, and hydraulic computers for decades longer than that. (If you think transistors are clever, try doing similar switching of forces in a high-temperature hydraulic environment which makes your car go down the road at varying speeds; that's what automatic transmissions have done for over half a century.)

Finally (for this rantbuttal), how the !@#$ is the idea of a testing/certification framework which starts out merely enforcing current expectations and slowly evolves and becomes more strict over decades (with inevitable stumbles and false starts) until it is as [fundamentally flawed] as automotive crash testing a unicorn-inducing wonderful idea when he suggests it for software...

but the exact same thing is a horrible and destructive idea if it is applied to cardholder data and we call it PCI? Rice thoroughly trashed PCI, dragging out all of the same misguided drivel about it without offering a better alternative or seeing the correlation to his own proposals. Listen to the episode and hold a mirror up to all of his arguments before you answer that. He did a phenomenal job of rebutting himself when he launched into his PCI rant, so I won't try to top him.

Jack

Friday, August 7, 2009

One more slideshow- with Squirrel!

I'll return to actually writing soon, but I just had to do this. If you don't get it, that's OK. If you are offended, that probably shows taste and character on your part.

Join us as our hero, the brave little squirrel (having recently escaped from Gunter's House of Squirrel and Kraut) travels to Las Vegas to battle cyber-criminals at BlackHat, Security B-Sides, DefCon, and wherever evil lurks.

Thursday, August 6, 2009

B-Sides Slideshow

Here are some photos of the inaugural Security B-Sides event in Las Vegas, July 2009. More to come on Black Hat, B-Sides, and DefCon.

Sunday, August 2, 2009

Announcing the Warzone Project

I've been eager to talk about this, but had to wait until the public announcement- three HackerSpaces have launched the Warzone Project.  From the announcement:

"CCCCKC, Pumping Station: One and HacDC announced at the DEFCON Podcaster’s Meetup of the creation of the Warzone Project... The CCCKC network has a separate area dedicated to security research…both attack and defense. This separate section of the network was created so that members had a sandbox to attack and defend without worrying about compromising their own or someone else’s systems and information. The premise is that of assumed risk, neighborliness and numerous disclaimers to users looking to participate that they should know exactly what they are doing (or at least getting themselves into) by connecting to the network.

We were ecstatic when we were contacted by the Astaro corporation who loved the idea so much, they not only wanted their hardware on the network but that they wanted to help expand the Project nationwide by donating appliances to each of us."

I am especially pleased with Astaro's involvement (I may have had a little to do with that), here's an excerpt from the press release:

“Hacker spaces and the Warzone project are helping to combat the negative image hackers have acquired by demonstrating that most hackers are not engaged in criminal activity and are more interested in finding and sharing information; including possible network vulnerabilities,” said David Rogers, Vice President, Americas, Astaro Corporation. “Astaro is proud to be a part of initiatives like the Hackerspace Warzone project because they will help network administrators and security vendors create more secure environments.”

Jack