If you’re one of the 145 million eBay users who were notified to change your password after a security breach was discovered, raise your hand.  If you were affected by the Target breach, raise your hand.  Michaels breach?  The hack on Iowa State University?  The University of Northern Iowa’s information security breach?

I think you’re starting to see the trend here.  Iowans typically think of themselves as living in a safe community.  Even the capital city of Des Moines has low crime rates when compared to many other areas of the country.  I still know people who don’t lock their doors or leave keys to the car on the seat with absolutely no thought that they’ll be a victim of crime.

Read more: Cybercrime Hits Home - Even in Iowa

eBay has a long history of taking information security seriously.  In 2003 they hired Howard Schmidt as their CISO.  Mr. Schmidt is considered to be one of the leading authorities on cyber security.  He was Microsoft’s chief security officer and served as the White House cyber security adviser for both President George W. Bush and President Barack Obama.

I have no doubt that eBay has a very robust and mature information security program.  Still, they were hacked.  You can read their statement here.  Is this the new norm?  Are we becoming numb to the events?  It’s like living in another part of the world where physical violence is a part of everyday life.  Do we simply learn to deal with it?

I don’t think that’s the answer.  When organizations that take security seriously are breached on a regular basis, something needs to change.  The way we do business; the way we store data; the expectations we have on data custodians; the punishment we hand down for criminals.  Something.  Everything.  Change is needed.

Iowa State University reported an information security breach yesterday.  Officials stated that 5 network attached storage (NAS) devices were hacked.  These devices were departmental devices and used to store social security numbers for students who took certain courses between 1995 and 2012.  You can find out if you are impacted at this link.

I’ve read through the official statement and there are two issues which are concerning to me.  The first issue is why the individual departments had a need for student social security numbers.  The SSN has not been allowed as an identifier by most colleges in Iowa for over two decades.  The student ID number replaced the SSN.  I was a CIO at a community college in Iowa more than 10 years ago and the SSN was not used as an identifier.  What was the purpose of the initial request for these social security numbers and why was it stored for so long?

Read more: 5 Network Attached Storage Devices Hacked at ISU

We, the internet-using community, have been bitten by the Heartbleed bug.  It came fast and the implications are serious.  Integrity’s team of security professionals has been working with customers over the past several days to identify vulnerable systems and determine a course of action.

This vulnerability in the implementation of OpenSSL should teach us a few things.

  1. Theory is great, but how that theory is implemented will determine long term success or failure.  The cryptography in OpenSSL wasn’t bad; the problem was a single coding mistake, a missing bounds check in the TLS heartbeat extension handler, that let a remote peer read up to 64 KB of a server’s memory with each request.

  2. We need to stop treating the internet as if it is just the “Internet of Things”.  It is not.  It is critical infrastructure.  We all agree that power grids, banking systems, transportation systems, etc. are critical.  What if we couldn’t trust common security systems used on the internet?  E-commerce would fail and economies across the world would have severe impacts.  The internet is critical infrastructure whether we care to admit it or not.  We need to take security seriously.

  3. How security and technology vendors responded to Heartbleed should tell you a lot about how that company deals with risk management and security.  Did they notify you of the vulnerability quickly?  Did they provide updates and patches in a timely fashion?  If they were slow getting to the party, one has to wonder why.  Don’t be afraid to ask your firewall vendor why they were the last major vendor to supply a patch. 

There will be consequences of this vulnerability.  Systems were hacked.  Data was stolen.  We may not know for a while what the full impact was but there was an impact.  If you’ve been worried about zero-day threats but not been able to get management to understand the risks, this incident should help.

If you need more information on the Heartbleed bug, you can follow the developments on CVE-2014-0160 at the NIST National Vulnerability Database.
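The lesson in point 1 above is easier to see in code.  The block below is an added example, not OpenSSL’s source: a simplified model of heartbeat handling in which a record is a 1-byte type, a 2-byte big-endian payload length and the payload, and the responder must echo the payload back.  The vulnerable responder trusts the declared length; the fixed one checks it against the bytes actually received.  The “process memory” array, the record layout and all function names are constructed for the demonstration.

```c
/*
 * Added example (not OpenSSL's code): a simplified model of the heartbeat
 * handling behind Heartbleed, CVE-2014-0160. Record = 1 byte type, 2-byte
 * big-endian payload length, payload. The responder echoes the payload.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Declared payload length from the 3-byte header. */
static uint16_t hb_declared_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/*
 * VULNERABLE: echoes `payload_len` bytes from rec + 3 without checking that
 * the record actually held that many. A short record with a large declared
 * length makes memcpy read past the received bytes into whatever follows
 * them in memory. Returns the number of bytes written to `out`.
 */
size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    (void)rec_len;                    /* the defect: received length ignored */
    uint16_t payload_len = hb_declared_len(rec);
    if (rec[0] != HB_REQUEST || (size_t)payload_len + 3 > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len); /* over-read when payload_len > rec_len - 3 */
    return (size_t)payload_len + 3;
}

/* FIXED: the declared length must fit inside the record actually received. */
size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len,
                        uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;                        /* no complete header */
    uint16_t payload_len = hb_declared_len(rec);
    if ((size_t)payload_len + 3 > rec_len)
        return 0;                        /* bogus length: discard silently */
    if ((size_t)payload_len + 3 > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);
    return (size_t)payload_len + 3;
}

/*
 * Constructed "process memory": a 5-byte request whose header declares a
 * 32-byte payload but carries only "hi", followed by bytes that must never
 * leave the server. One array, so the over-read is observable without UB.
 */
#define DEMO_REC_LEN 5
static const uint8_t demo_memory[64] = {
    HB_REQUEST, 0x00, 0x20, 'h', 'i',
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-', 'B', 'Y', 'T', 'E', 'S'
};

/* Bytes the vulnerable responder sends back for the malicious request. */
size_t demo_vulnerable_response_len(void)
{
    uint8_t out[64];
    return hb_respond_vulnerable(demo_memory, DEMO_REC_LEN, out, sizeof out);
}

/* 1 if the vulnerable response carries the secret that followed the request. */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t out[64];
    size_t n = hb_respond_vulnerable(demo_memory, DEMO_REC_LEN, out, sizeof out);
    return n >= 11 && memcmp(out + 5, "SECRET", 6) == 0;
}

/* Bytes the fixed responder sends back for the same request (0 = dropped). */
size_t demo_fixed_response_len(void)
{
    uint8_t out[64];
    return hb_respond_fixed(demo_memory, DEMO_REC_LEN, out, sizeof out);
}

/* An honest 2-byte heartbeat is still answered by the fixed responder. */
size_t demo_fixed_honest_response_len(void)
{
    const uint8_t honest[5] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    uint8_t out[64];
    return hb_respond_fixed(honest, sizeof honest, out, sizeof out);
}

int main(void)
{
    printf("vulnerable: %zu bytes, leaks secret: %d\n",
           demo_vulnerable_response_len(), demo_vulnerable_leaks_secret());
    printf("fixed: %zu bytes (malicious), %zu bytes (honest)\n",
           demo_fixed_response_len(), demo_fixed_honest_response_len());
    return 0;
}
```

The only difference between the two responders is one comparison of the declared length against the received length; the ciphers and key exchange are untouched, which is exactly why the cryptography being sound offered no protection.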

I want to clear some things up on the Target breach front.  There are hundreds of bloggers making accusations and assumptions that are unfounded and simply incorrect.  I’m just going to give you a list here.  No fluff, no opinion, just fact.

False Statement #1: Target couldn’t have been PCI compliant because attackers stole CVV numbers and storing of numbers violates PCI.

Facts: Nowhere have I read a factual account from Target or law enforcement that says the CVV was being stored.  The CVV on the magnetic stripe (the track-data version, not the three-digit code printed on the card) is read at the PIN pad and transmitted to the POS.  It could have been intercepted during transmission.  Now, the data transmission between the PIN pad and POS is typically encrypted, so we can assume that the data was probably stored somewhere and stolen.  If you are going to make assumptions, state them in your post or article.

False Statement #2:  Target couldn’t have been PCI compliant because it took them 18 days to discover the breach.  They obviously weren’t doing their daily security monitoring.

Facts: Networks are complex. Applications are complex.  Attacks are complex.  Obviously there was some security monitoring going on.  Sometimes it takes time to recognize an attack, investigate it and address the issues.  This isn’t Hollywood.  We don’t save the world in a 42 minute episode.  Is it likely that Target will need to change their security monitoring procedures?  Yep.  Can anyone say they weren’t monitoring at all?  Nope.

False Statement #3:  This breach was timed specifically for the holiday shopping season.

Facts: Did the hackers themselves proclaim this?  While it is entirely possible that this was a timed breach, it’s also just as likely that the hackers were simply lucky.  Hackers strike while they can.  It only takes one patch to foil a well-planned breach attempt.  I’m not saying the intent wasn’t to hack during the holiday season, but we don’t know that for certain just because it occurred during the holiday season.

In essence, I’ve been very frustrated with the coverage of all this over the past 10 days.  Expert after expert has been on this news program and that, claiming all these “facts” when in fact all they have at this point are opinions.  Oh…and because it’s sensational news, the journalists aren’t calling them out on it.  They let the opinions stand as fact.  What has become of journalistic integrity?

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 (H.R. 3696) was introduced in the House this past week.  While I applaud the attempt to push cybersecurity awareness, I have concerns with the bill at a very high level.  Granted, I haven’t fully read all 56 pages yet but here is my first concern.  The following sectors are going to be classified as critical infrastructure.

(1) Chemical.

(2) Commercial facilities.

(3) Communications.

(4) Critical manufacturing.

(5) Dams.

(6) Defense Industrial Base.

(7) Emergency services.

(8) Energy.

(9) Financial services.

(10) Food and agriculture.

(11) Government facilities.

(12) Healthcare and public health.

(13) Information technology.

(14) Nuclear reactors, materials, and waste.

(15) Transportation systems.

(16) Water and wastewater systems.

(17) Such other sectors as the Secretary determines appropriate.

Don’t get me wrong, I agree with a lot of this.  And classifying sectors for the purpose of information sharing isn’t a bad idea.  There could be some unintended consequences of pushing this information security measure though.

First, if everything is critical, nothing is critical.  It seems these sectors would include a vast majority of the business ventures in the US.  We don’t have the time or resources to apply information security controls to everyone and everything.  There’s always going to be an element of risk.  We need to be careful that we’re not trying to eliminate all risk.

The second is that once something is deemed critical infrastructure, it will be very easy to regulate it in the future.  Much in the same way Business Associates are now regulated under HIPAA, many of these sectors could come under the scope of, say, the Federal Information Security Management Act (FISMA) with one small change to a bill in a future legislative session.

On one hand this bill is too general and on another it’s too specific.  Sounds crazy but think about it.  Do you really want your local deli to have to follow information security guidelines similar to a bank just because they got swept into the Food and Agriculture sector?  Think something crazy like that wouldn’t happen?  Just think about how many unintended consequences laws like the Affordable Care Act (Obamacare) have had.

As we close out National Cyber Security Awareness month, I wanted to remind parents to check in on your children’s online activity.  Yes, even those teenagers still need some wisdom and guidance even if they balk.

Ask your kids these three simple questions today.

1. Tell me what you saw on the internet today.

2. Did you read any text, IM or emails that made fun of someone for the way they looked, where they’re from or other reasons?

3. Do you know what privacy means and how our online actions can jeopardize our privacy?

Our kids are smarter than we give them credit for.  I’m willing to bet that if you asked these questions, your kids may have others of their own.  If you need help talking with your kids about online safety, check out the website http://www.netsmartz.org/Parents for videos and other aids for kids of all ages.

Contact Information

Birmingham Office

205.568.5506


Des Moines Office

515.965.3756


Kansas City Office

913.991.8724