Iowa State University reported an information security breach yesterday.  Officials stated that 5 network attached storage (NAS) devices were hacked.  These devices were departmental devices and used to store social security numbers for students who took certain courses between 1995 and 2012.  You can find out if you are impacted at this link.

I’ve read through the official statement and there are two issues which are concerning to me.  The first issue is why the individual departments had a need for student social security numbers.  SSN has not been allowed as an identifier by most colleges in Iowa for over two decades.  The student ID number replaced the SSN.  I was a CIO at a community college in Iowa more than 10 years ago and the SSN was not used as an identifier.  What was the purpose of the initial request for these social security numbers and why was it stored for so long?

Read more: 5 Network Attached Storage Devices Hacked at ISU

We, the internet using community, have been bitten by the Heartbleed bug.  It came fast and the implications are serious.  Integrity’s team of security professionals has been working with customers over the past several days to identify vulnerable systems and determine a course of action.

This vulnerability in the implementation of OpenSSL should teach us a few things.

  1. Theory is great, but how that theory is implemented will determine long term success or failure.  The encryption methods of OpenSSL weren’t bad, there was simply a mistake in the code which caused all the problems.

  2. We need to stop treating the internet as if it is just the “Internet of Things”.  It is not.  It is critical infrastructure.  We all agree that power grids, banking systems, transportation systems, etc. are critical.  What if we couldn’t trust common security systems used on the internet?  E-commerce would fail and economies across the world would have severe impacts.  The internet is critical infrastructure whether we care to admit it or not.  We need to take security seriously.

  3. How security and technology vendors responded to Heartbleed should tell you a lot about how that company deals with risk management and security.  Did they notify you of the vulnerability quickly?  Did they provide updates and patches in a timely fashion?  If they were slow getting to the party, one has to wonder why.  Don’t be afraid to ask your firewall vendor why they were the last major vendor to supply a patch. 
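Point 1 is easier to see in code. The following is an added example, not code from this post or from OpenSSL: a simplified heartbeat-style echo in C (record layout per RFC 6520; the names `heartbeat_reply` and `try_declared` and the sample record are my own) that shows the one implementation-level check that separates sound theory from a broken implementation, validating the peer's declared payload length against the bytes actually received before anything is copied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model of a TLS heartbeat record, following the RFC 6520 layout:
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes).
 * Added teaching example; this is not OpenSSL's code. */
#define HB_HEADER  3
#define HB_PADDING 16

/* Build the echo response for one received record.
 * Returns the response length, or -1 if the record is malformed.
 * The key line is the bounds check: the peer's declared payload length is only
 * trusted after it is compared with the number of bytes actually received, which is
 * the check whose absence was CVE-2014-0160. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return -1;                                   /* too short to be a valid record */
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* declared by the peer, untrusted */
    size_t need = HB_HEADER + payload + HB_PADDING;
    if (need > rec_len)                              /* declared length not backed by data */
        return -1;
    if (need > out_cap)
        return -1;
    out[0] = 2;                                      /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];                /* echo the length field */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload); /* copies only bytes we received */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);  /* padding carries no data */
    return (int)need;
}

/* Constructed 24-byte record carrying a 5-byte payload "hello" plus 16 zero padding bytes;
 * the caller chooses what payload length the record *claims*. */
int try_declared(uint16_t declared)
{
    uint8_t rec[HB_HEADER + 5 + HB_PADDING] = {
        1, (uint8_t)(declared >> 8), (uint8_t)(declared & 0xff), 'h', 'e', 'l', 'l', 'o'
    };
    uint8_t out[64];
    return heartbeat_reply(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest length 5:    %d\n", try_declared(5));     /* 24: echoed normally */
    printf("claims 6 bytes:     %d\n", try_declared(6));     /* -1: one byte more than received */
    printf("claims 65535 bytes: %d\n", try_declared(65535)); /* -1: rejected, nothing copied */
    return 0;
}
```

Without the `need > rec_len` comparison, the memcpy would read past the received record for any inflated length field; with it, an oversized claim is an error rather than a leak.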

There will be consequences of this vulnerability.  Systems were hacked.  Data was stolen.  We may not know for a while what the full impact was but there was an impact.  If you’ve been worried about zero-day threats but not been able to get management to understand the risks, this incident should help.

If you need more information on the Heartbleed bug, you can follow the developments on CVE-2014-0160 at the NIST National Vulnerability Database.

I want to clear some things up on the Target breach front.  There are hundreds of bloggers making accusations and assumptions that are unfounded and simply incorrect.  So I'm just going to give you a list here.  No fluff, no opinion, just fact.

False Statement #1: Target couldn't have been PCI compliant because attackers stole CVV numbers, and storing those numbers violates PCI.

Facts: Nowhere have I read a factual account from Target or law enforcement that says the CVV was being stored.  The CVV is read from the magnetic stripe at the PIN pad and transmitted to the POS.  It could have been intercepted during transmission.  Now, the data transmission between the PIN pad and POS is typically encrypted, so we can assume that the data was probably stored somewhere and stolen.  If you are going to make assumptions, state them in your post or article.

False Statement #2:  Target couldn’t have been PCI compliant because it took them 18 days to discover the breach.  They obviously weren’t doing their daily security monitoring.

Facts: Networks are complex. Applications are complex.  Attacks are complex.  Obviously there was some security monitoring going on.  Sometimes it takes time to recognize an attack, investigate it and address the issues.  This isn’t Hollywood.  We don’t save the world in a 42 minute episode.  Is it likely that Target will need to change their security monitoring procedures?  Yep.  Can anyone say they weren’t monitoring at all?  Nope.

False Statement #3:  This breach was timed specifically for the holiday shopping season.

Facts: Did the hackers themselves proclaim this?  While it is entirely possible that this was a timed breach, it's also just as likely that the hackers were simply lucky.  Hackers strike while they can.  It only takes one patch to foil a well-planned breach attempt.  I'm not saying the intent wasn't to hack during the holiday season, but we don't know that for certain just because it occurred during the holiday season.

In essence, I've been very frustrated with the coverage of all this over the past 10 days.  Expert after expert has been on this news program and that, claiming all these "facts" when in fact all they have at this point are opinions.  Oh…and because it's sensational news, the journalists aren't calling them out on it.  They let the opinions stand as fact.  What has become of journalistic integrity?

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 was introduced in the House this past week.  While I applaud the attempt to push cybersecurity awareness, I have concerns with the bill at a very high level.  Granted, I haven't fully read all 56 pages yet, but here is my first concern.  The following sectors are going to be classified as critical infrastructure.

(1) Chemical.

(2) Commercial facilities.

(3) Communications.

(4) Critical manufacturing.

(5) Dams.

(6) Defense Industrial Base.

(7) Emergency services.

(8) Energy.

(9) Financial services.

(10) Food and agriculture.

(11) Government facilities.

(12) Healthcare and public health.

(13) Information technology.

(14) Nuclear reactors, materials, and waste.

(15) Transportation systems.

(16) Water and wastewater systems.

(17) Such other sectors as the Secretary determines appropriate.

Don’t get me wrong, I agree with a lot of this.  And classifying sectors for the purpose of information sharing isn’t a bad idea.  There could be some unintended consequences of pushing this information security measure though.

First, if everything is critical, nothing is critical.  It seems these sectors would include a vast majority of the business ventures in the US.  We don’t have the time or resources to apply information security controls to everyone and everything.  There’s always going to be an element of risk.  We need to be careful that we’re not trying to eliminate all risk.

The second is that once something is deemed critical infrastructure, it will be very easy to regulate it in the future.  Much in the same way Business Associates are now regulated under HIPAA, many of these sectors could come under the scope of, say, the Federal Information Security Management Act (FISMA) with one small change to a bill in a future legislative session.

On one hand this bill is too general and on another it's too specific.  Sounds crazy, but think about it.  Do you really want your local deli to have to follow information security guidelines similar to a bank just because they got swept into the Food & Agriculture sector?  Think something crazy like that wouldn't happen?  Just think about how many unintended consequences laws like the Affordable Care Act (Obamacare) have had.

As we close out National Cyber Security Awareness month, I wanted to remind parents to check in on your children’s online activity.  Yes, even those teenagers still need some wisdom and guidance even if they balk.

Ask your kids these three simple questions today.

1. Tell me what you saw on the internet today.

2. Did you read any text, IM or emails that made fun of someone for the way they looked, where they're from or other reasons?

3. Do you know what privacy means and how our online actions can jeopardize our privacy?

Our kids are smarter than we give them credit for.  I’m willing to bet that if you asked these questions, your kids may have others of their own.  If you need help talking with your kids about online safety, check out the website http://www.netsmartz.org/Parents for videos and other aids for kids of all ages.

As I attended the ISSA International Conference in Nashville last week I was a little surprised at the number of security professionals that were using location based services.  Typically this is a fairly paranoid crowd.  All of the smartphone apps, the tweeting and other forms of location based services in use were astonishing. 

Now, if you check my Twitter feed, you’ll see a few posts from me as well.  It’s expected that a Fellow with the organization should help promote our major conference event of the year.  What you won’t see are pictures tagged with GPS coordinates, “check in” posts at a restaurant, my travel itinerary on TripIt or other excessive information about my coming and going while in Nashville.  I actually went down a day early and spoke to a group in Birmingham, AL.  You won’t find that information posted to any social media sites though.

I sat in on one session at the conference that touched on location based services in our vehicles.  I decided right then and there that our next webinar at Integrity would be on the privacy issues with the use of location based services.  (You can register here.)  I think the webinar is well timed because, guess what, as soon as I returned to work I had a meeting with a new client that is using automated license plate readers to look up vehicle owner information with the Department of Transportation and match it to a consumer profile.  They will then sell the aggregated analytical data to whoever will buy it.  Wow…I couldn't have timed that any better.

Location based services are really cool and allow us to do and see things we never have before.  However, we've been down this path before.  Something comes along and everyone thinks it's great.  Only 10, 20, 50 years later do we realize we should have done more research into the long term impacts before we as consumers ate everything that was put in front of us.

So take inventory of all the location based services you use and come listen to our webinar on 10/30/2013.  Remember that there may also be location based services used to track you that you’re not even aware of.  If someone had access to all of those sources of information, what could they do with it?

The age old battle of insider threat vs. external threat rages on between information security professionals.  The recent publicity around information security in the Pvt. Manning and Richard Snowden cases has brought the topic up in various forums over the past month or so.  Where do you stand?  Are you more worried about information security threats from internal or external sources?

First, look at the facts.  The Verizon Data Breach Investigations Report indicates that organizations are much more likely to experience a breach from an external source.  Some of you will say "Hah...case closed, told you so."  You may not be wrong in saying that.  But the same report also shows that the cost of an internal breach is more than the average external breach.  This is where the other side says "Take that...I knew we were right."  So who is really correct in their argument?

Read more: Internal vs. External Threats - Which One Worries You More?
