The aftermath of the Equifax breach continues.  First, the Ugly:

Music Major?  Really?

The hoi polloi apparently find it offensive that Equifax’s Chief Security Officer, fired in the breach’s wake, had a music degree. The implication is that someone formally trained long ago in music is clearly incompetent to have a career in IT or Infosec, much less to be a CSO. That must be a surprise to Jennifer Widom (data management researcher, computer science professor, and Dean of Stanford University’s School of Engineering), who somehow, despite her undergraduate music degree, managed to help lay the foundations for active database systems architecture, crucial for such uses as security monitoring.  Or to countless others who came to Infosec after formal education in other disciplines – check out #unqualifiedfortech on Twitter.

Yesterday’s thoughtful Washington Post piece was well-titled: Equifax’s security chief had some big problems. Being a music major wasn’t one of them. And if your ironic sensibility remains unsated, see the 10/20/2016 article Musicians May Be the Key to the Cybersecurity Talent Shortage.

Next, the Bad: Continue Reading Equifax breach – the good, the bad, and the ugly

The grousing began within 24 hours of Equifax’s announcement, last Thursday, of its massive data breach that compromised personal data of over 140 million U.S. consumers.  I’m generally unsympathetic about such complaints (“We’re shocked – SHOCKED – that in a breach affecting 140+ million people, we’re having trouble immediately reaching a live person at the phone bank!  And the breach website is not operating smoothly!”). Usually only Louis CK’s masterpiece “Everything’s Amazing – and Nobody’s Happy” can coax me out of my grumpy place.

But as post-announcement events have unfolded, some of the initial criticism appears to have legs: Continue Reading Equifax breach – hot mess, or simply the world we live in?

In the early 1990s, NSA Director Mike McConnell created a brand-new position at the National Security Agency: Director of Information Warfare.  McConnell appointed Rich Wilhelm, with whom McConnell had worked closely on U.S. counter-command & -control intelligence operations during the first Iraq war.  After just a few weeks settling into his new job, Wilhelm walked into Director McConnell’s office and said “Mike, we’re kind of f***ed here.”

The problem?  The U.S. could penetrate and disrupt foreign adversaries’ increasingly computerized military, government, and civic infrastructures, and it was already clear that future conflicts would turn upon what would only later be dubbed cyber warfare.  But whatever we could do to our adversaries, they could do to us.  Making matters worse, the U.S. military, civilian governmental agencies, and private businesses were rapidly connecting everything in computer networks, with no meaningful attention paid to network security.  We’d be throwing rocks from the largest glass house on the planet.

In Dark Territory: The Secret History of Cyber War, Pulitzer Prize-winning journalist Fred Kaplan adroitly distills over one hundred key player interviews –  from U.S. cabinet secretaries, generals, admirals, and NSA directors, to analysts, aides, and officers in the trenches – into a riveting narrative that tracks the debut, developments, and dilemmas of cyber warfare.

Kaplan’s book is a cyber roller coaster ride spanning three decades.  Here are some notable highs and lows: Continue Reading The TAO of Cyber Warfare: Dark Territory

At last!!!  A good reason not to create dozens of hard-to-remember passwords!  The updated National Institute of Standards and Technology guidance on creating passwords has been out for a while now, but the word has been slow in trickling down to end users.  It’s time to pay attention, because the recommendations represent a huge departure from standard practice.  First, the good news:

The good

NIST is part of the US Department of Commerce and an authoritative standards-making body.  It is the entity that wrote the primer (the original 2004 edition of SP 800-63) on how to create all those complex and hard-to-remember passwords in the first place. You know, passwords like *Pa$$w)rd3!  NIST now acknowledges through this publication that the old rules hurt usability without buying much security. It also turns out that a passphrase of several randomly chosen common words strung together is generally stronger than a short upper-lower-digit-symbol password, because people build the latter from predictable patterns (a dictionary word, a capital letter up front, a digit or symbol tacked on the end) that password-cracking tools model directly.  So the old way was less secure than we thought.

It’s big news then that NIST has seen the error of its ways and now recommends creating passwords we can remember.  Even more important, it also now recommends that a password not be changed unless there is an indicator it has been compromised, or the user has forgotten it.  Of course, being the government, calling a password a password is just too hard.  The term in NIST SP 800-63B (2017) is “Memorized Secret Authenticator.”  Whatever you choose to call it, user guidance is simple: Continue Reading dyktthctgohtcp?
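To make the new guidance concrete, here is an added example of what the verifier side of SP 800-63B section 5.1.1.2 looks like in code.  It is my illustration, not code from the original post and not anything published by NIST.  The blocklist and the context words are constructed sample data (a real verifier would check against a large corpus of common and breached passwords), and the entropy helper assumes each element of the secret is drawn uniformly at random, which is true of a randomly generated passphrase and not true of a human-chosen “complex” password.

```python
"""Verifier-side checks for a memorized secret, modelled on NIST SP 800-63B
section 5.1.1.2.  Added example, not code from the original post or from NIST.
BLOCKLIST is a constructed sample; a real verifier compares against a large
corpus of common and breached passwords instead."""
import math
import unicodedata

MIN_LEN = 8   # SHALL: at least 8 characters when the user chooses the secret
MAX_LEN = 64  # SHOULD: accept at least 64 characters (long passphrases welcome)

# Constructed sample.  Real lists run to hundreds of millions of entries.
BLOCKLIST = {"password", "passw0rd", "pa$$w0rd", "123456", "qwerty",
             "letmein", "iloveyou", "welcome1"}


def normalize(secret: str) -> str:
    """800-63B: apply Unicode normalization (NFKC here) before comparing or
    hashing, so the same passphrase typed on different keyboards matches."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """Flags 'aaaaaaaa', '12345678', 'hgfedcba': every step between adjacent
    code points is 0, or every step is +1, or every step is -1."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({0}, {1}, {-1})


def check_memorized_secret(secret: str, context_words=()) -> list:
    """Return the reasons the secret is rejected; an empty list means accepted.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and
    password hints.  800-63B says verifiers SHOULD NOT impose the former and
    SHALL NOT store the latter."""
    s = normalize(secret)
    folded = s.casefold()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if folded in BLOCKLIST:
        reasons.append("appears in the blocklist of common or breached passwords")
    if is_repetitive_or_sequential(folded):
        reasons.append("repetitive or sequential characters")
    for word in context_words:  # user name, service name, and the like
        if word and word.casefold() in folded:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def old_policy_requires_rotation(days_since_set: int, max_age_days: int = 90) -> bool:
    """The old regime: change it every N days, compromised or not."""
    return days_since_set >= max_age_days


def nist_requires_rotation(evidence_of_compromise: bool) -> bool:
    """800-63B: SHALL force a change on evidence of compromise; SHOULD NOT
    require periodic change.  Age never enters the decision."""
    return evidence_of_compromise


def entropy_bits(choices: int, length: int) -> float:
    """Guessing entropy of a secret whose elements are each drawn uniformly
    and independently from `choices` alternatives: length * log2(choices)."""
    return length * math.log2(choices)


if __name__ == "__main__":
    print(check_memorized_secret("correct horse battery staple"))        # []
    print(check_memorized_secret("Pa$$w0rd"))                            # blocklisted
    print(check_memorized_secret("jsmith-winter-2017", ["jsmith"]))      # context word
    print(round(entropy_bits(7776, 4), 1), round(entropy_bits(95, 8), 1))  # 51.7 52.6
```

Two things worth noticing.  `check_memorized_secret` never asks whether the secret “has an uppercase letter and a symbol”; it asks whether the secret is long enough, whether it is one an attacker would guess early (blocklist, keyboard walks, the user’s own name), and nothing else.  And the entropy figures show why the word-based advice works: four words drawn at random from a 7,776-word list (the size of the Diceware list) give about 51.7 bits, and five words about 64.6, whereas the 52.6 bits for eight random printable-ASCII characters is an upper bound that a human-chosen *Pa$$w)rd3! never approaches.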

Late last month in Mirmina v. Genpact, the Honorable Sarah Merriam of the United States District Court for the District of Connecticut properly confirmed that it remains permissible to manually preserve and collect discoverable email.  Her opinion was concise and spot-on, swatting away the plaintiff-movant’s speculative “concern” that defendant must have “withheld communications” that were responsive to the case’s discovery protocols.  Citing Zubulake V, Magistrate Judge Merriam accepted defendant’s detailed affirmation that in-house counsel appropriately coordinated and supervised the manual search for responsive email by defendant’s ESI custodians, and she therefore denied plaintiff’s motion to compel.

The ediscovery blogosphere lit up once the Mirmina ruling was handed down – see here, here, here, here, here, and on and on.

What’s remarkable about this ruling is that a singularly unremarkable point has somehow become remarkable. Continue Reading Breaking news from Captain Obvious – it’s still OK to manually preserve and collect ESI

A swarm of zombies, led by Byte Walkers, surges inexorably onward to penetrate a massive perimeter wall by force and stealth.  Sounds like Game of Thrones, right?  Instead, this is our cyberthreat reality. And in an ironic twist that would make George R. R. Martin blush under his beard, it’s now painfully real for HBO, which recently acknowledged suffering a massive cyber intrusion through which hackers claim to have stolen up to 1.5 terabytes of proprietary data, including future Game of Thrones episodes.

First Sony, then Netflix, and now HBO – what’s a Westerosi to make of this? Continue Reading Game of Hacks

If you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes).  How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, through cloud providers.  We outsource business applications to SaaS providers, and even the platforms they run on as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used to operate internally, resulting in a robust flow of data out of our businesses to such providers, and also in the providers generating, receiving, and retaining huge data troves on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.       
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promptly restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our data in others’ custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example: Continue Reading Why govern your information? Reason #4: Your information is in others’ custody … but you’re still responsible for it.

Hurricane season is in full swing.  As I write this, Tropical Storm Emily is drenching Florida, and the governor has declared a state of emergency.  Having lived in Florida myself, I know that most coastal residents do take hurricanes seriously.  There are always those, however, who either don’t grasp the possibility that if a hurricane hits they can suffer real damage, or simply play the odds that it won’t happen to them.  Hurricane readiness for them is a bottle of Cuervo Reserva and some DVDs for entertainment in case the power goes out.  And so, too, it goes with data breaches.

Breach readiness today ranges from total denial, through half-hearted attempts at maintaining current backups, to—for a minority—sophisticated IT security teams and technology ready to detect, respond, and recover.  Even the technologically prepared, though, have likely not planned beyond containment and recovery.  Consider our hurricane scenario.  Minimal readiness includes necessities for riding out the storm: an evacuation plan, water, food, flashlights, medical supplies, and so on.  Those things should get you through the first 48 hours, much like the immediate IT response to a data breach.  But what next?

Continue Reading It’s readiness season

The hand-wringing continues about robots, and for whose jobs they’re coming next. But the “robots” needn’t be tangible to transform our lives. Actually, they’re already here, in the form of big data algorithms – predictive mathematical models fueled by astounding computing power and endless supplies of data.

This doesn’t have to be ominous.  Well-designed models, properly applied, are a beautiful thing.  But some models are toxic, and such bad modeling has become ubiquitous, with far-reaching impacts on where we go to school; how we get a job and how we’re evaluated; how we get and maintain financial credit and insurance; what information we access online; how we participate in elections and civic life; and how we are treated by law enforcement and the judicial system.  That’s why Cathy O’Neil’s book Weapons of Math Destruction is such an important book for our time.  Continue Reading Big data gone bad: Weapons of Math Destruction