
5:45 PM - Justin, posted in forensics, security - 0 Comments
I recently came across a couple of interesting articles on the difficulty of securely wiping data from solid state disks.
Both articles are based on a paper [pdf] from a University of California team that tested sanitizing both an entire disk and individual files on SSDs using standard ATA commands.
The outcome? Full disk sanitization was usually (but not always!) effective, while single file sanitization "consistently fail(ed) to remove data from the SSD".
Interesting stuff!
With SSDs rapidly dropping in price and becoming more and more common in a wide variety of devices (especially portable devices), the paper is well worth a read for those tasked with protecting sensitive data from loss.
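To make the paper's single-file result concrete, here is an added toy model (my own illustration, not code from the paper or the post) of a flash translation layer: every host write lands on a fresh physical page and the superseded page is merely marked stale, so an overwrite-based "shred" leaves the old copy readable in raw flash until the drive's own garbage collection gets to it, whereas a device-wide erase clears every page. The `ToySSD` class, its methods and the sample record are all constructed for this example.

```python
"""Toy flash translation layer (FTL) model.

Constructed illustration of why overwriting a file on an SSD does not
reliably destroy its old contents, while a whole-device erase does.
Real drives are far more complex; the remapping behaviour is the point.
"""
from typing import Dict, List, Optional, Set

PAGE_SIZE = 16   # bytes per simulated flash page (constructed, tiny)
NUM_PAGES = 64   # physical pages on the simulated device


class ToySSD:
    def __init__(self, num_pages: int = NUM_PAGES) -> None:
        self.flash: List[Optional[bytes]] = [None] * num_pages  # raw physical pages
        self.l2p: Dict[int, int] = {}     # logical block address -> physical page
        self.stale: Set[int] = set()      # pages holding superseded (unmapped) data
        self.next_free = 0

    def _alloc(self) -> int:
        """Hand out the next never-written page; a real FTL would reclaim stale ones."""
        if self.next_free >= len(self.flash):
            raise RuntimeError("out of free pages; garbage collection needed")
        page = self.next_free
        self.next_free += 1
        return page

    def write(self, lba: int, data: bytes) -> None:
        """Host-visible write: always goes to a fresh page, never in place."""
        data = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        page = self._alloc()
        self.flash[page] = data
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])   # old copy stays in flash, just unmapped
        self.l2p[lba] = page

    def read(self, lba: int) -> bytes:
        """Host-visible read through the mapping table."""
        return self.flash[self.l2p[lba]]

    def garbage_collect(self) -> None:
        """Drive-internal erase of stale pages; the host cannot force or time this."""
        for page in self.stale:
            self.flash[page] = None
        self.stale.clear()

    def secure_erase(self) -> None:
        """Device-wide sanitize (the role of ATA SECURE ERASE): wipe every page."""
        self.flash = [None] * len(self.flash)
        self.l2p.clear()
        self.stale.clear()
        self.next_free = 0

    def raw_dump(self) -> List[bytes]:
        """What an examiner sees when bypassing the FTL (e.g. chip-off access)."""
        return [p for p in self.flash if p is not None]


def shred_file(ssd: ToySSD, lbas: List[int], passes: int = 3) -> None:
    """Overwrite-based file sanitization, as a shred-style tool would issue it."""
    for _ in range(passes):
        for lba in lbas:
            ssd.write(lba, b"\x00" * PAGE_SIZE)


def remnants(ssd: ToySSD, needle: bytes) -> int:
    """Count raw pages still containing the needle, ignoring the mapping table."""
    return sum(1 for page in ssd.raw_dump() if needle in page)


def demo():
    """Returns (host view after shred, raw copies after shred, raw copies after erase)."""
    ssd = ToySSD()
    secret = b"SECRET-RECORD-1"   # constructed sample sensitive record
    ssd.write(3, secret)
    ssd.write(4, b"more secret data")

    shred_file(ssd, [3, 4])
    host_view = ssd.read(3)                 # host sees zeros: "shred" looks successful
    after_shred = remnants(ssd, secret)     # but the original page is still in flash

    ssd.secure_erase()
    after_erase = remnants(ssd, secret)     # whole-device erase removes every copy
    return host_view, after_shred, after_erase


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the host reading back zeros while one raw page still holds the record; only the device-wide erase brings the count to zero. The paper's "not always" caveat for full-disk sanitization is the gap this toy cannot model: it assumes the drive's erase command really does touch every page.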

6:55 PM - Justin, posted in data breach, security - 0 Comments
Lush Cosmetics seem to be the latest Australian retailer to have suffered a credit card breach.
From the article:
"Yesterday we were contacted by the web hosting provider to say there had been an unauthorised access of the website and data had been downloaded," he said.
"That was picked up by some extra monitoring that we had put in place.
"Once we got that information, we got the ball rolling trying to get a hold of a forensic investigator to help us understand, what was going on, and (we began) talking to banks and credit card holds and working through the process of how to address the problem and what steps we need to take."
"We would hope that by being upfront and open as soon as possible customers would see we are an ethical business and we are upfront and we will make the enhancements required."
While I do applaud the company's reaction of going public immediately and contacting their 39,000 Australian customers, I do find it a little disturbing that security comes under "enhancements" - it does make it sound like a luxury add-on (eg: leather car seats) as opposed to a pretty fundamental requirement (eg: seatbelts or airbags).
Real details on the breach are scarce, so there's no indication whether they were storing credit card numbers in cleartext (hello PCI-DSS!) or whether they suspect the bad guys had just pwned the server and were capturing transactions as they occurred.
I guess the good news is that it is hitting the major news sites down under - so other businesses may review their web security and ask themselves "have we done enough?"

10:40 PM - Justin, posted in hacking, Law - 0 Comments
Care of Slashdot I saw this post on the potential ramifications of breaching an Acceptable Use Policy based on a recent judgement [pdf] in Western Australia.
The defendant was a Police Officer, who would normally be held to a higher standard than Joe Public, and the system in question was a Police database, but as the blog post points out: "Ms Giles wasn't convicted for breaching police secrecy, or improper disclosure of information --- she was convicted for common cracking. She used the restricted-access system other than in accordance with her authorisation"
Nick Gifford in his book "Information Security: Managing the Legal Risks" (which I have mentioned before) describes AUAs (Acceptable Use Agreements) as "a contractual mechanism for managing the risks to the organisation associated with granting user access rights", and as a contract I can understand that there would be a legal risk to those who breach it.
What about your company's Acceptable Use Policy? Is it up to date and consistent with employee duties?
Have all of your users read your organisation's AUP? What about those staff who have been there 10, 15 or 20+ years? Has your AUP changed over that period, and have those users acknowledged those changes? Do they have to re-acknowledge the AUP regularly? (yearly?)
Does it explicitly state that there should be no expectation of privacy when using email, browsing the internet or storing data on company assets? Does it allow for monitoring employees and clearly state potential penalties for breaches?
While it's a little late for New Year's resolutions (maybe a Chinese New Year resolution?), make it a priority to look into your AUP and how you track acknowledgement and ensure compliance. And if you don't have an AUP, the ever-useful SANS website has a sample [pdf] to help get you started.

9:06 PM - Justin, posted in security culture - 1 Comment
I came across an article on PCWorld entitled "7 Cyber Crime Facts Executives Need to Know" and thought I'd add some comments:
Cyber crimes are far more costly than taking steps to harden an environment beforehand
Prevention is always cheaper than cure (cheaper in time, resources and dollars!). This doesn't just go for security, but other areas such as software development as well. Retro-fitting is always difficult, always expensive and never as good as if you'd 'done it right the first time'. The quote:
"the appointment of a single top executive responsible for enterprise risk management, a la a Chief Security Officer, or better still, a Chief Risk Officer is a critical factor for success" is an interesting one, as in my experience (and from talking with peers) many CROs in Australia are still primarily focused on financial and operational risk, with little understanding or appreciation of Information Risk. Perhaps it's a bit different in the US however (and I hope the trend is slowly changing here as well....thanks Julian Assange!)
Cyber crimes are pervasively intrusive and increasingly common occurrences
Recent high-profile events such as Wikileaks and the recent Vodafone breach have probably helped raise some awareness about Information Security and the 'reality' of cyber-crimes, although your less tech-savvy executives may think that having anti-virus installed = magical cyber-crime prevention forcefield.
The most costly cyber crimes are those caused by web attacks and malicious insiders
Web attacks I agree with, but I think there has always been some controversy about the real threat of insiders. While they can't be discounted (OK Wikileaks again....), they shouldn't be overestimated either. Insiders know they're more likely to get caught than the anonymous hacker in Russia or some other place with no extradition laws....
IMHO your web stuff is more likely to get attacked than you are to suffer an internal breach, especially with the rush to throw as much as possible onto the internet.
At onset, rapid resolution is the key to reducing costs
Rapid identification and handling of incidents is a must in order to reduce damage and cost. Like point #1, preparation is the key and will make all the difference when the bits hit the cyber-fan.
Oh, and notice I mentioned identification - you can't handle or resolve what you don't know about!
Loss of information due to theft represents the highest external cost, followed by the costs associated with the disruption to business operations
This may vary industry to industry and country to country as laws such as breach disclosure are different across the world. But in general, if it was worth breaking in and stealing, it must be worth something to someone - a competitor, a rival government, etc. Resuming operations is certainly easier than retrieving data posted on the Internet or consumer confidence in the face of a privacy breach.
All industry verticals are susceptible to cybercrime
If you have data worth something, then you're a potential target. Whether you're in medical, finance or widget manufacture, you may be a target for cybercrime. Unfortunately it's a fact of life today. Of course some industries (like finance) are far more likely to be targeted.
If you deal with senior or Executive Management in your organization, these make great starting points to present some information to them. Use sites like datalossdb to find incidents in your area or industry to emphasize your points. Don't assume they know these things, go out there and educate them!

10:08 PM - Justin, posted in fail, security - 0 Comments
What's wrong with this picture?

(Thanks to Richard for the pic)

7:11 PM - Justin, posted in cloud, Law, security - 0 Comments
I came across a couple of interesting reads over at the UK-based Cloud Legal Project site (which is part of the Centre for Commercial Law Studies, Queen Mary University of London).
The first is a survey of Cloud vendor contracts ('Terms of Service Analysis for Cloud Providers'), which highlights risks such as the vendor's right to change the ToS at any time without notification, cancellation of accounts for disuse or AUP violations, and limited liability for loss of data.
The second paper is on Information Ownership in the Cloud, which highlights the need for strict definitions in contracts as to who retains the ownership rights of various data types.
Both papers are well worth a read.

9:19 PM - Justin, posted in australia, data breach - 0 Comments
Vodafone - one of the world's biggest telecommunication companies - has been hit with an embarrassing data breach here in Australia. While the details are in dispute (some stories say the data was open to everyone, others say not), they all acknowledge that there has been a significant breach at a time when the company is already reeling from negative press about poor reception and data transfer speeds on their network.
To quote Vodafone:
"Customer information is stored on Vodafone's internal systems and accessed through a secure web portal, accessible to authorised employees and dealers via a secure login and password,"
Well it must be secure. They used the word secure twice!
Seriously though, while I can understand that, with all the partners and shops nation-wide, Vodafone found the easiest way to provide CRM access was to use the internet, it is a serious lapse in judgement for Vodafone to not require multifactor authentication on their web portal. What were they thinking?*
The Australian points out that it's likely that Vodafone won't get more than a public 'slap on the wrist' as the Privacy Commissioner currently has no power to act on breaches of the Privacy Act. Gah!
Adopting security is often about incentives. If the Privacy Commissioner can't 'punish' the company for the breach and implementing something like multifactor authentication can't be sold as a customer benefit ("Sign up with us and your data won't be stolen again!") then we're left relying on the company to 'do the right thing' - which has been shown again and again to not be a great incentive to businesses (it could be argued that if 'doing the right thing' was a sufficient incentive, Vodafone would have already used multifactor authentication on their CRM portal - I imagine someone inside of Vodafone is saying "I told you so" today...).
*probably that usernames and passwords are cheaper than multifactor authentication. Which they are, just not safer...