I want to clear some things up on the Target breach front.  There are hundreds of bloggers making accusations and assumptions that are unfounded and simply incorrect.  I get I’m just going to give you a list here.  No fluff, no opinion, just fact.

False Statement #1: Target couldn’t have been PCI compliant because attackers stole CVV numbers and storing of numbers violates PCI.

Facts: Nowhere have I read a factual account from Target or law enforcement that says the CVV was being stored.  The CVV is read from the magnetic stripe at the PIN pad and transmitted to the POS.  It could have been intercepted during transmission.  Now, the data transmission between the PIN pad and POS is typically encrypted so we can assume that the data was probably stored somewhere and stolen.  If you are going to make assumptions, state them in your post or article.

False Statement #2:  Target couldn’t have been PCI compliant because it took them 18 days to discover the breach.  They obviously weren’t doing their daily security monitoring.

Facts: Networks are complex. Applications are complex.  Attacks are complex.  Obviously there was some security monitoring going on.  Sometimes it takes time to recognize an attack, investigate it and address the issues.  This isn’t Hollywood.  We don’t save the world in a 42 minute episode.  Is it likely that Target will need to change their security monitoring procedures?  Yep.  Can anyone say they weren’t monitoring at all?  Nope.

False Statement #3:  This breach was timed specifically for the holiday shopping season.

Facts: Did the hackers themselves proclaim this?  While it is entirely possible that this was a timed breach, it’s also just as likely that the hackers were simply lucky.  Hackers strike while they can.  It only takes one patch to foil a well-planned breach attempt. I’m not saying the intent may have been to hack during the holiday season but we don’t know that for certain just because it occurred during the holiday season. 

In essence, I’ve been very frustrated with the coverage of all this over the past 10 days.  Expert after expert has been on this news program and that claiming all these “facts” when in fact all they have at this point are opinions.  Oh…and because it’s sensational news, the journalists are calling them out on it.  They let the opinions stand as fact.  What has become of journalistic integrity?

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 was recently introduced into the House this past week.  While I applaud the attempt to push cybersecurity awareness, I have concerns with the bill at a very high level.  Granted, I haven’t fully read all 56 pages yet but here is my first concern.  The following sectors are going to be classified as critical infrastructure.

(1) Chemical.

(2) Commercial facilities.

(3) Communications.

(4) Critical manufacturing.

(5) Dams.

(6) Defense Industrial Base.

(7) Emergency services.

(8) Energy.

(9) Financial services.

(10) Food and agriculture.

(11) Government facilities

(12) Healthcare and public health.

(13) Information technology.

(14) Nuclear reactors, materials, and waste.

(15) Transportation systems.

(16) Water and wastewater systems.

(17) Such other sectors as the Secretary determines appropriate.

Don’t get me wrong, I agree with a lot of this.  And classifying sectors for the purpose of information sharing isn’t a bad idea.  There could be some unintended consequences of pushing this information security measure though.

First, if everything is critical, nothing is critical.  It seems these sectors would include a vast majority of the business ventures in the US.  We don’t have the time or resources to apply information security controls to everyone and everything.  There’s always going to be an element of risk.  We need to be careful that we’re not trying to eliminate all risk.

The second is that once something is deemed critical infrastructure, it will be very easy to regulate it in the future.  Much in the same way Business Associates are now regulated under HIPAA, many of these sectors could come under the scope of say the Federal Information Systems Management Act, FISMA with one small change to a bill in a future legislative session.

On one hand this bill is too general and on another it’s too specific.  Sounds crazy but think about it.  Do you really want your local deli to have to follow information security guidelines similar to a bank just because they got swept into the Food & Agriculture sector?  Think something crazy like wouldn’t happen?  Just think about how many unintended consequences laws like the Affordable Care Act (Obamacare) have had.

As we close out National Cyber Security Awareness month, I wanted to remind parents to check in on your children’s online activity.  Yes, even those teenagers still need some wisdom and guidance even if they balk.

Ask your kids these three simple questions today.

1.       Tell me what you saw on the internet today.

2.       Did you read any text, IM or emails that made fun of someone for the way they looked, where they’re from or other reasons?

3.       Do you know what privacy means and how our online actions can jeopardize our privacy?

Our kids are smarter than we give them credit for.  I’m willing to bet that if you asked these questions, your kids may have others of their own.  If you need help talking with your kids about online safety, check out the website http://www.netsmartz.org/Parents for videos and other aids for kids of all ages.

As I attended the ISSA International Conference in Nashville last week I was a little surprised at the number of security professionals that were using location based services.  Typically this is a fairly paranoid crowd.  All of the smartphone apps, the tweeting and other forms of location based services in use were astonishing. 

Now, if you check my Twitter feed, you’ll see a few posts from me as well.  It’s expected that a Fellow with the organization should help promote our major conference event of the year.  What you won’t see are pictures tagged with GPS coordinates, “check in” posts at a restaurant, my travel itinerary on TripIt or other excessive information about my coming and going while in Nashville.  I actually went down a day early and spoke to a group in Birmingham, AL.  You won’t find that information posted to any social media sites though.

I sat in on one session at the conference that touched on location based services in our vehicles.  I decided right then and there that our next webinar at Integrity would be on the privacy issues with the use of location based services.  (You can register here) I think the webinar is well timed because guess what, as soon as I returned to work I had a meeting with a new client that is using automated license plate readers to look up vehicle owner information with the Department of Transportation and match it to a consumer profile.  They will then sell the aggregated analytical data to whoever will buy it.  Wow…I couldn’t have timed that any better.

Location based services are really cool and allow us to do and see things we never have before.  However we’ve been down this path before.  Something comes along and everyone thinks it’s great.  Only 10, 20, 50 years later we realize we should have done more research into the long term impacts before we as consumers ate everything that was put in front of us.

So take inventory of all the location based services you use and come listen to our webinar on 10/30/2013.  Remember that there may also be location based services used to track you that you’re not even aware of.  If someone had access to all of those sources of information, what could they do with it?

The age old battle of insider threat vs. external threat rages on between information security professionals.  The recent publicity around information security in the Pvt. Manning and Richard Snowden cases has brought the topic up in various forums over the past month or so.  Where do you stand?  Are you more worried about information security threats from internal or external sources?

First look at the facts.  The Verizon Data Breach Investigation Report indicates that organizations are much more likely to experience a breach from an external source.  Some of you will say "Hah...case closed, told you so."  You may not be wrong in saying that.  But the same report also shows that the cost of an internal breach is more than the average external breach.  This is where the other side says "Take that...I knew we were right."  So who is really correct in their argument?

Read more: Internal vs. External Threats - Which One Worries You More?

Is your IBM iSeries (AS/400) included in your enterprise security information and event management (SIEM) strategy?  Many times the iSeries is an island unto itself and left out of various enterprise plans for lack of understanding.  Join Townsend Security and Integrity on Wednesday 8/28 at 11am CST for a webinar on how to get iSeries security logs off the island and into the enterprise SIEM.

Register Now

DDoS attacks were used in a bank heist targeting the wire transfer switches at several banks.  There are two primary things to take away from this.  You can read about the attacks here.

  1. Diversions to siphon resources away from the actual attack are not new.  They've been common place in both the physical and cyber worlds for a long time.  We need to remember that our efforts during incident response can't be so full and swift that our our ability to detect and respond to new attacks is weakened.
  2. Monitoring only a few "critical" systems isn't enough.  We need to monitor multiple points along any path that data traverses to ensure we have a holistic view of our data security.

The bad guys are getting smarter, more organized and more patient.  Our defense tactics need to evolve with these changes.  Are you adapting or still relying on what worked last month?

Contact Information

Birmingham Office

205.568.5506


Des Moines Office

515.965.3756


Kansas City Office

913.991.8724