April 20, 2007
» ITIL: Moving from Tactical to Strategic

The impending release of the third version of the IT Infrastructure Library has a lot of people talking.

A recent edition of CIO offers a story by Laurianne McLaughlin that serves as a good primer on the history of ITIL, the current version, and what improvements can be expected when the next version is released in June.

To boil it down, the article says ITIL has been somewhat pigeonholed as a best-practices framework for solving specific operational needs, as opposed to a strategic tool for adding business value through improved service delivery.

One of the flaws with the current version of ITIL, in the eyes of people like Lee Hayes, vice president of enterprise technologies at SLM, the mortgage lender known as Sallie Mae, is that it is "very descriptive, but not prescriptive."

The U.K. Office of Government Commerce (ITIL's creator) hopes to remedy complaints like those with the new version. Trimmed down from the current eight books to five core books, the updated version offers more real-world examples, best-practice models and metrics, and emphasizes the entire IT service lifecycle and ROI. The new version also addresses how to apply ITIL principles in outsourced operations, a growing facet of today's IT.

According to independent ITIL consultant Malcolm Fry, one of the benefits of implementing an ITIL framework is the ability to get to the bottom of an IT problem. "Looking for root causes is now important - you just can't keep fixing things," he said.

Overall, as George Spalding, a vice president for the consultancy Pink Elephant, stated, "ITIL drives the strategic direction that IT is about services, and it provides a definition of success."

If you are among the more than 97% of organizations that are either considering or are engaged in implementing the ITIL framework, the improvements in the third version should provide the additional guidance necessary to further accelerate your efforts.

April 19, 2007
» Ten Top Real ID Complaints

I've taken a couple of opportunities to express my concerns with the Real ID law.

Wilson Dizard III shared this list in a recent edition of Government Computer News that I felt was worth sharing with you.

The Real ID law has met with a fusillade of criticism from state and federal lawmakers, privacy advocates, state executive branch officials and commentators. Opponents have cited dozens of potential technical problems, including:

10. Only one of the five national systems that state motor vehicle departments will need to implement the Real ID law is currently ready, according to the National Governors Association. DHS itself concedes that some federal “reference databases” aren’t yet complete.

9. Real ID calls for states to use a single array of security features for driver’s license cards, which could force states to abandon existing card issuance systems.

8. The federal government lacks a uniform naming convention that would facilitate states’ electronic verification between files.

7. The door remains open for creation of a de facto national identity database.

6. The draft Real ID rule doesn’t include a redress process, which likely will become a technical as well as a policy issue, because thousands of people now have driver’s licenses with faulty data.

5. The draft doesn’t require that data on the license’s machine-readable zone (MRZ) be encrypted. DHS has said that distributing encryption keys, or a single, common key to the 16,000 state and local law enforcement agencies that will need access to the MRZ data would pose an unacceptable challenge. The department said it would favor MRZ encryption if the practical problems could be solved and raised the possibility that the MRZ shouldn’t include the bearer’s address.

4. Some critics charge that Real ID magnifies privacy risks, partly by shirking the requirement that federally sponsored systems meet the standards of the Federal Information Security Management Act. The draft rule states that it doesn’t create a national database because it leaves the interstate data exchange decisions to the DMVs. That statement prompted Jim Harper, director of information policy studies for the Cato Institute, to posit that DHS was saying, “My car didn’t hit you—the bumper did.”

3. DHS has failed to require that the MRZ omit the race identifier field.

2. Real ID fails to take advantage of identity verification processes the federal government already carries out when it issues passports, military IDs, Transportation Worker Identification Cards and some federal employee credentials. The National Conference of State Legislatures has asked why, if individuals holding such documents can already board an airliner, they should be checked again to get a driver’s license.

1. Technical challenges, such as the apparently inadvertent omission of several categories of legal residents eligible for the credentials and the high cost to states of complying with the law, have spurred a vigorous rejection campaign in state capitals. Idaho and Maine already have enacted laws rejecting the Real ID requirements, and similar legislation is pending in dozens of additional states.

I'd like to hear your comments, pro or con, on this law.


April 18, 2007
» Further Comments on FISMA by Rep. Davis

In my post earlier this week on the latest FISMA ranks, I referenced a quote by Virginia Rep. Tom Davis.

He posted further comments on the Hill Blog Monday that are worth reading. He lets the Department of Homeland Security off the hook a bit, but really expresses frustration with the Department of Defense.

Good to hear directly from our legislators, rather than in a press clipping.

April 17, 2007
» Is the IRS Keeping Your Data Safe?

Today is tax day in the United States. Procrastinators will be spending time wrapping up their returns, either on-line or racing to the local post office.

But, is the information you provide the IRS secure?

According to a recent article in Computerworld, your information is probably not as protected as we'd like to think. "An audit by the Treasury Inspector General for Tax Administration found that between January 2, 2003, and June 13, 2006, a 'large number' of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from various agency facilities," according to the story.

A separate test of laptop computers currently in use by employees found 44% contained unencrypted sensitive data, including taxpayer data and employee personnel data. Most disappointing, these findings mirror those of a similar July 2003 report.

As the report indicated, "the IRS had not taken adequate corrective actions." The article includes a response from IRS Commissioner Mark Everson in which he says, "Our systems have extensive protection from outside penetration", but that seems to indicate a failure to recognize the threat not only of laptop theft, but of other insider data threats as well.

The IRS expects a great deal from taxpayers when we prepare our returns. It's time for taxpayers to expect more from the IRS when it comes to protecting our privileged information.

April 16, 2007
» FISMA Scores Improve...Barely

The latest grades are out for the federal government when it comes to information security. According to Government Technology, Rep. Tom Davis, ranking member of the House Oversight and Government Reform Committee, gave the federal government an overall grade of C-minus for safeguarding information on government computer systems. After three years mired in D's, a C-minus shows some improvement, but still leaves a lot of room for growth.

While the Department of Justice and the Department of Housing and Urban Development showed the most improvement, with Justice jumping from a D to an A-minus and HUD from D-plus to A-plus, there were also some significant declines: NASA fell from B-minus to D-minus, and the Department of Education fell from C-minus to F.

As Rep. Mike Turner, ranking member of the Information Policy, Census and National Archives subcommittee, said in the Government Technology article, "It's troubling that some of the agencies with the most sensitive information continue to score poorly on this. The report identifies problems in federal agencies which include the Department of Defense, the Department of State, and the Nuclear Regulatory Commission."

However, on closer inspection, two of the biggest grade improvements came as a result of simply documenting the inventory of systems. You'd think this was a very elementary step to take for securing sensitive data.

As the article points out, "more improvement is needed in how systems are configured from a security standpoint and for training for employees with significant information security responsibilities."

Nobody in government IT should be satisfied with this improvement. Average compliance scores are one thing, but an average score most likely means above-average exposure to exploits.

April 13, 2007
» Keep Watch for "Storm Trojan"

According to headlines on ComputerWorld yesterday, the largest spam attack in the past year is well underway.

"Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers," according to the article by Gregg Keizer.

Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through e-mail. Spam rates have jumped as well; Postini said 79% of all e-mail is now spam, according to Adam Swidler, senior manager of solutions marketing at Postini, who was quoted in the article.

This attack is certainly a good reminder that systems need anti-virus and anti-spam software installed and operating, with the caveat that a password-protected ZIP cannot be opened by a gateway scanner, which is precisely why the password rides along in the message body. Perhaps even more than that, it's a great reminder to use common sense and not open emails or attachments unless you know their source.
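The structural tell in the spam run described above is an attachment the gateway cannot inspect (a ZIP whose entries carry the "encrypted" flag) paired with the password sitting in clear text in the body. The following is an added example, not code from the Computerworld story or from any vendor product: it reads only the ZIP central directory to find encrypted entries, looks for a password phrase in the body, and treats the combination as the signal. The message, the attachment bytes (packed by hand, since Python's zipfile cannot write encrypted archives) and the password regex are all constructed here for illustration.

```python
"""Flag mail that carries a password-protected ZIP with the password in the body.

Added example, not from the Computerworld story or any vendor product. The
message, the attachment bytes and the password pattern are all constructed here.
"""
import io
import re
import struct
import zipfile
import zlib
from email.message import EmailMessage
from typing import Dict, List

ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}
# Hypothetical pattern: matches "password is 3452", "Password: 3452", "password=3452".
PASSWORD_RE = re.compile(r"password(?:\s+is)?\s*[:=]?\s*([^\s.,;!]+)", re.IGNORECASE)


def encrypted_entries(zip_bytes: bytes) -> List[str]:
    """Names of entries whose general-purpose flag bit 0 (traditional encryption) is set.

    Only the central directory is read; nothing is extracted, so this runs
    without the password the sender is withholding from the scanner.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [info.filename for info in zf.infolist() if info.flag_bits & 0x0001]
    except zipfile.BadZipFile:
        return []


def scan_message(msg: EmailMessage) -> Dict[str, object]:
    """Return the indicators found: encrypted ZIP attachments and a password in the body."""
    encrypted: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() in ZIP_TYPES or name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            if encrypted_entries(payload):
                encrypted.append(name)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    m = PASSWORD_RE.search(body)
    return {
        "subject": msg.get("Subject", ""),
        "encrypted_zips": encrypted,
        "body_password": m.group(1) if m else None,
    }


def is_suspicious(findings: Dict[str, object]) -> bool:
    """The combination is the signal: an archive the scanner cannot open plus its key in clear."""
    return bool(findings["encrypted_zips"]) and findings["body_password"] is not None


def build_encrypted_zip(name: str, payload: bytes) -> bytes:
    """Constructed single-entry ZIP with the 'encrypted' flag set (method 0 = stored).

    The 12-byte PKWARE encryption header is faked; only the flag bit matters here.
    """
    body = b"\x00" * 12 + payload
    flags, method, dos_time = 0x0001, 0, 0
    dos_date = ((2007 - 1980) << 9) | (4 << 5) | 12       # 2007-04-12 in DOS date form
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    fname = name.encode("ascii")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(payload), len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time,
                          dos_date, crc, len(body), len(payload), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def build_plain_zip(name: str, payload: bytes) -> bytes:
    """Ordinary, unencrypted archive for the benign control message."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def sample_message(zip_bytes: bytes, body: str, subject: str) -> EmailMessage:
    """Constructed message in the shape the article describes."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "alerts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content(body)
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="patch.zip")
    return msg


LURE = sample_message(build_encrypted_zip("patch.exe", b"not really a patch"),
                      "Worm activity was detected on your PC. Install the attached patch.\n"
                      "The archive password is 3452.", "Worm Alert!")
BENIGN = sample_message(build_plain_zip("readme.txt", b"quarterly figures"),
                        "Attached are the figures we discussed.", "Q1 numbers")

if __name__ == "__main__":
    for m in (LURE, BENIGN):
        f = scan_message(m)
        print(f["subject"], f, is_suspicious(f))
```

The check keys on the archive's flag bits and the body, not on the subject line, so it survives the next rewording of the lure; a gateway can only ever see the flag, never the contents, which is exactly the gap the attackers are relying on.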

April 12, 2007
» HIPAA Enforcement Still An Empty Promise

The Health Insurance Portability and Accountability Act, better known by its acronym HIPAA, was passed by Congress back in 1996. Yet, in spite of having been on the books as long as or longer than almost any other major regulatory compliance mandate facing IT departments, it has clearly been the proverbial "red-headed stepchild" when it comes to enforcement.

The Office for Civil Rights (OCR) is actually tasked with enforcement of the law. According to a post by Rebecca Herold, "The Department of Health and Human Services (HHS) Department Office of Inspector General (OIG) appears to be making movement on their promise in their Fiscal Year 2007 Work Plan to 'review HIPAA privacy and security implementation under Medicare and Medicaid to identify key issues in the HHS information technology initiative.'"

Herold cites two references in the April 9 issue of Privacy and Law Report, from the Bureau of National Affairs (BNA, a subscriber site), as potential signs of increased enforcement. The report states auditors will reportedly assess Piedmont Hospital in Atlanta's compliance with the HIPAA security rule and indicates the Centers for Medicare & Medicaid Services (CMS) are also planning increased enforcement.

Yet, in the same post, Herold shares these paltry statistics from the Office for Civil Rights, the governing body responsible for HIPAA enforcement. "Through February 28 [the department] had closed 77% of the 25,662 complaints it had received. The OCR referred 373 of the complaints to the Justice Department for criminal investigation."

If my math serves me correctly, that means that, of the nearly 20,000 complaints the OCR "investigated", less than 2% were worth further action? COME ON!!

Oh, and why is Health and Human Services promising any improvements if it's the Office for Civil Rights that has to step up and improve enforcement?

Sounds like a pretty empty promise to me.

April 10, 2007
» How Secure is Microsoft Vista?

Many companies are still taking a "wait and see" attitude on upgrading their Microsoft desktops and laptops to the Vista operating system. The most heavily touted improvements in Vista are focused around security.

We've all seen the Apple commercial poking fun at the constant security-related questions Vista asks. So, what is the scoop on Vista security? Is it an improvement? Where does it still have room to improve?

This month's ISSA Journal has the first of a multi-part overview of Windows Vista Security from Edward Ray and E. Eugene Schultz. The first installment focuses on User Account Control (UAC), Windows Defender, and Windows Firewall.

With UAC, Windows Vista provides a way of separating standard-user privileges and tasks from those requiring administrative access. According to Ray and Schultz, while this feature is not quite as good as simply logging on as a normal user, it is an additional layer of protection that was unavailable in Windows XP or Windows Server 2003.

One drawback to the UAC feature is that it requires every interaction involving installation or execution of external code to be approved, whether it was initiated by the user or by a potentially malicious website. This leaves users facing a litany of boxes asking them to continue or reject. Meanwhile, all other access freezes and the screen darkens until you've gone through the whole series of dialog boxes. Pretty annoying, especially if you're the user trying to get something installed.

Windows Defender, also available for Windows XP and 2003, helps protect against pop-up ads, slow performance, and security threats from spyware, adware, keyloggers and other unwanted software. Defender monitors in real time the protected areas of the operating system that such software targets, such as the Startup folder and the Autorun entries in the registry. However, in a test using a sample set of 25 spyware and malicious code samples, Defender failed to identify 84% of them. Organizations should in no way consider Windows Defender a substitute for third-party anti-spyware solutions.

Windows Firewall, the third area Ray and Schultz focus on, is configured by default in Vista to protect users' computers as soon as Windows Vista boots. Unlike the Windows XP firewall, the Vista firewall can restrict both inbound and outbound traffic, although outbound filtering needs to be configured manually or via Group Policy. Like Windows Defender, Windows Firewall should be seen as a complement to third-party solutions, not a replacement.

Lisa Vaas has addressed these concerns in articles of the print edition of eWeek. March 5th, in an article entitled "Vista's security called into question", she wrote about how social engineering can derail the effectiveness of the UAC. In the March 19th edition, she addressed all of the security features mentioned in "Will Vista Swat Bugs?" She also touched on the Windows Security Center and BitLocker Drive Encryption.

As Ray and Schultz point out, Microsoft is moving in the right direction with Vista, but there are still questions. The biggest challenge is usability. Will the myriad of security prompts lead users to opt out of having to approve software downloads and other potentially dangerous events?

My hunch is they will...until Microsoft can find a way to distinguish where the request is originating from, so the process isn't such a pain.

April 9, 2007
» ANI Patch: How Do You Think Microsoft Handled It?

Last week, Microsoft released an out-of-band patch for a vulnerability affecting the animated cursor, also known as ANI.

The vulnerability was identified by Determina back in December, which in turn notified Microsoft. For some, like eWeek's Joe Wilcox, the four-month timeframe to get the patch out is unreasonably long.

Wilcox compares the ANI vulnerability to a Windows metafile bug that created problems back in late December 2005/early January 2006. "Both flaws affect the Windows graphics subsystem—or GDI—and were exploited without patches being available." Both flaws also led to the release of several other fixes to the GDI. However, the patch for the WMF vulnerability was available within weeks, not months.

Microsoft provided its own explanation of the process involved in releasing the patch. Based on some initial feedback from SANS, the extra testing may pay off in ensuring the patch is effective and doesn't cause too many headaches. Larry Seltzer, another eWeek columnist, was one of many supporting Microsoft's decision to release the patch ahead of tomorrow's regular cycle, although he questioned the additional GDI patches being released with it. "By including it with this many other fixes they make it harder to test. Perhaps they should have left the rest of the update for next week," Seltzer said.

Mike Rothman, in one of his Daily Incite posts last week, didn't necessarily feel Microsoft handled the ANI vulnerability as well as they could, but found several signs of improvement in how Microsoft is handling issues in general. Like Mike, I found Rob Graham from Errata's explanation to be one of the more reasoned perspectives on the ANI vulnerability.

What did you think of Microsoft's effort? How do you think they could improve?

April 5, 2007
» J-SOX Compliance Date Nears

Publicly traded companies in America have been through a couple of rounds of SOX audits, but companies in other parts of the world will be getting their first taste of similar compliance requirements in the next year.

J-SOX, the Sarbanes-Oxley-inspired name for the Financial Instruments and Exchange Law, will go into effect in April 2008 for approximately 3,800 companies listed in Japan, along with their foreign subsidiaries. Like SOX, the Japanese regulation was also enacted in response to accounting scandals involving companies like Seibu Railway Co., Livedoor Co., and the Murakami Fund.

According to an article by Thomas Hoffman, some companies are already being proactive. Fuji's largest North American subsidiary is documenting its hardware, the IP addresses assigned to it, and the software running on it, as well as the controls it has in place for several IT processes that could affect the company's financials. Tokyo Electron America, Inc., based in Austin, TX, is tracking and monitoring its global IT systems and documenting the security safeguards in place for each system.

If there is any lesson Japanese firms can learn from the first two years of SOX, it is to not procrastinate, particularly with getting the people, processes, and technology in place that will weave compliance into the overall fabric of daily activity in the IT department. Otherwise, it becomes an almost total interruption to the IT department's responsibility to overall business services.

Sounds like some American subsidiaries may be heeding the lessons learned by other American companies and passing them on to their Japanese counterparts...and that's a good thing.

April 4, 2007
» More On the Real ID Act

It's always gratifying to post your thoughts in a blog and then see it validated somewhere else.

A few weeks back, I shared my thoughts on why the Real ID Act was a really bad idea. In a recent edition of GCN, columnist William Jackson offered similar opinions to mine.

In his commentary, Jackson makes these important points:

  1. The Real ID Act is an unfunded mandate
  2. While the deadline for implementation is May 2008, Homeland Security still has yet to release compliance regulations for the Act
  3. The Real ID Act requires interconnected databases of personal information on each of the 245 million people receiving cards, with absolutely no safeguards on the data or how it can be used
  4. The Real ID Act was passed without debate - it was slipped into a spending bill that provided relief funding for troops and tsunami relief

While 25 states are either urging Congress to repeal or reform the law, only Maine has actually passed a resolution refusing to comply.

I agree with Jackson - the issue is not what can be done to delay or reshape the act, as some in both the House and Senate are attempting to do, but, is a national ID advisable at all?

We all must understand - this is legislation that has passed. Without action, it will be implemented in just over a year.

No one should let that happen...

April 3, 2007
» How IT Can Minimize Gift Card Fraud

Frank Hayes, senior news columnist at Computerworld, is one of those writers that makes you want to read a magazine from the back to the front. Hayes' column, Frankly Speaking, appears at the very back of each edition and is almost always a "must read."

Last week, Hayes' column, 8 Million Reasons, really struck a chord with me. Sometimes we spend so much time trying to blame somebody for problems, we fail to make the effort to identify ways to solve the problem.

One of the revelations coming from the TJX breach was the arrest of a Florida gang who had used some of the stolen cardholder information to obtain at least $8 million in Wal-Mart gift cards. Hayes identifies two key areas where IT could have thwarted, or at least minimized, the gift card scam.

  1. After credit cards are reported stolen and have been deactivated, retailers should use the list of stolen card numbers to automatically search their own recent transactions for suspicious activity, such as sales of gift cards. If they find gift cards that were purchased with stolen cardholder information, they can deactivate those gift cards and recover some of the money.
  2. Even if fraudulently purchased gift cards have already been used, those transactions could be flagged so that if the merchandise is brought back for a refund, the return is spotted at that point. Again, merchandise is recovered and there is no further cash loss from providing a refund.

Hayes points out that IT has the ability to make this all happen automatically and continuously. The data is there, but the software and database performance needed to use it isn't.

It's easy to point fingers in a case like TJX. The hard part is to do something about it. Taking steps to blunt the gift card scam is one really positive way to reduce the value of stolen cardholder data.

April 2, 2007
» Lessons from the DuPont Data Theft

Gary Min is the 43 year-old former senior scientist from DuPont who pled guilty to misappropriating $400 million worth of proprietary information. Min was due in court this past Thursday to receive his sentence.

In a Computerworld story, Jaikumar Vijayan identifies six steps to take to mitigate the risks of insider threats and keep track of what's going on inside the firewall.

  1. Get a handle on the data
  2. Monitor content in motion
  3. Keep an eye on databases
  4. Limit user privileges
  5. Cover those endpoints
  6. Centralize your intellectual property data

Clearly, a list like this simplifies the real challenge each point represents, but it does remind us that we need to know what we have for data, when it changes, who can access it, and where it's located. All of this requires constant visibility into your enterprise, down to the configuration level.

In Min's case, it is now known that he downloaded and accessed more than 15 times as many documents as the next most active user of the system. Activity like this can and should be tracked far sooner than it was in DuPont's case. Min's activities were not discovered until he was already working for a rival company.
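The "15 times the next most active user" figure is exactly the kind of ratio a repository access log can surface on a schedule rather than after the fact. The following is an added example, not DuPont's monitoring or anything from Vijayan's article: it parses a hypothetical key=value access-log format, counts distinct documents per user (repeat hits on one document count once), ranks users, and flags everyone above a "cliff" where one user's volume is at least a configurable multiple of the next user down. The log format and every line in the sample are constructed for illustration.

```python
"""Rank users by distinct documents pulled from a repository and flag outliers.

Added example, not DuPont's monitoring or anything from Vijayan's article.
The log format and every line in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Hypothetical access-log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+doc=(?P<doc>\S+)$"
)
COUNTED_ACTIONS = {"download", "view"}   # actions that expose document content


def parse_line(line: str) -> Tuple[str, str, str]:
    """Return (user, action, doc); raises ValueError on a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("user"), m.group("action"), m.group("doc")


def distinct_docs_per_user(lines: Iterable[str]) -> Dict[str, int]:
    """Count distinct documents each user touched; repeat hits on one doc count once."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        user, action, doc = parse_line(line)
        if action in COUNTED_ACTIONS:
            seen[user].add(doc)
    return {user: len(docs) for user, docs in seen.items()}


def flag_outliers(counts: Dict[str, int], ratio: float = 15.0) -> List[str]:
    """Users whose volume sits above a 'cliff' of at least `ratio` x the next user down.

    Walks the ranking from the top; everyone above the lowest cliff found is flagged,
    so a small cluster of heavy users is caught as well as a single one. A next-user
    count of zero is treated as one so the ratio stays defined.
    """
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    flagged: List[str] = []
    for i in range(len(ranked) - 1):
        count = ranked[i][1]
        next_count = ranked[i + 1][1]
        if count >= ratio * max(next_count, 1):
            flagged = [user for user, _ in ranked[: i + 1]]
    return flagged


def _constructed_log() -> List[str]:
    """Constructed sample: one user pulls 50 distinct documents, peers pull 2-3."""
    lines = [f"2006-08-01T09:{n:02d}:00Z user=insider1 action=download doc=EDD-{n:04d}"
             for n in range(1, 51)]
    lines.append("2006-08-03T10:00:00Z user=insider1 action=view doc=EDD-0001")  # repeat: counted once
    lines += [
        "2006-08-02T11:00:00Z user=alice action=download doc=EDD-0101",
        "2006-08-02T11:05:00Z user=alice action=view doc=EDD-0102",
        "2006-08-02T11:09:00Z user=alice action=download doc=EDD-0103",
        "2006-08-04T08:30:00Z user=bob action=download doc=EDD-0201",
        "2006-08-04T08:31:00Z user=bob action=download doc=EDD-0202",
        "2006-08-05T14:00:00Z user=carol action=view doc=EDD-0301",
        "2006-08-05T14:02:00Z user=carol action=search doc=EDD-0302",   # not a counted action
        "2006-08-05T14:03:00Z user=carol action=view doc=EDD-0303",
    ]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    counts = distinct_docs_per_user(SAMPLE_LOG)
    print(counts, flag_outliers(counts))
```

Counting distinct documents rather than raw requests keeps a user who re-opens the same file all day from looking like a bulk exfiltration; the ratio threshold is deliberately crude, and in practice you would run it per role or department so that a legitimately heavy user in one group does not mask an outlier in another.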

Read Vijayan's article and see how well you're doing following his six points...and how many more you might add to his list!

March 30, 2007
» TJX's SEC Filing Raises New Questions

TJX's 10-K filing with the Securities and Exchange Commission was made public Wednesday and has made for a whole new set of news stories, blog postings, and speculation.

The report seems to indicate that the TJX Companies, Inc. were employing encryption technology on their cardholder transactions and did delete confidential data on some sort of a regular basis. That's the good news.

The bad news is the intruders apparently were able to capture the card information of 46 million cardholders by installing software on the systems at TJX's Framingham headquarters that copied the information before it was encrypted. TJX also admitted that it appears the intruders had a copy of their encryption key, apparently as a back-up in case the software failed or the data was encrypted before the point where the software captured it.

Needless to say, the new questions will swirl around how rogue software was allowed to remain in their systems for so long without detection, as well as how the key was obtained.

The information in the 10-K only reveals TJX's perspective of what happened. It will be interesting to see what is revealed as the SEC begins to dig into this further.

Have these latest revelations changed your perspective on the TJX breach at all? I'd be curious to hear whether these new details are swaying opinions, one way or the other.

March 29, 2007
» Ominous Milestone Ahead for Data (In)security

A research paper due to be released this summer predicts that the two billionth compromised personal record will be lost by the end of 2007. In a story posted on ScienceDaily.com, Phil Howard, an Associate Professor of Communications at the University of Washington, states that "electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."

Howard, along with Kris Erickson, a UW doctoral candidate in geography, will have their work published in the July edition of the Journal of Computer-Mediated Communication.

Howard and Erickson don't place the blame for the escalation in data loss on hackers though; they put the blame on the shoulders of corporate America, citing research studies showing three out of every five data losses involving personal information are tied to corporate malfeasance.

A couple of things to note. The numbers cited in the study were compiled from media stories. As Erickson indicates, this probably means their numbers are conservative: they don't cover unreported data loss or smaller incidents that didn't make headline news. Erickson also acknowledges the role the California Notice of Security Breach law has played in increasing the number of breaches publicized in the last couple of years, which appears to be clearly reflected in the increase between their 2006 and 2007 numbers.

With these ominous statistics, it won't be long before everyone in America has had their personal information compromised at least once. 

March 28, 2007
» Free Advice on Data Security from the FTC

Yesterday I called out the lack of action the Federal Trade Commission has taken against companies that suffered a breach, in part due to gaps in the security controls in their infrastructure.

Seems only fair that I would give the FTC their due when warranted. A few weeks ago, the agency released a 24 page book entitled "Protecting Personal Information: A Guide for Business." According to a post by Rebecca Herold, the free guide focuses on the following five themes:

"TAKE STOCK. Know what personal information you have in your files and on your computers.

SCALE DOWN. Keep only what you need for business.

LOCK IT. Protect the information you keep.

PITCH IT. Properly dispose of what you no longer need.

PLAN AHEAD. Create a plan to respond to security incidents."

As Herold indicates, "this is a very good PII(personally identifiable information) protection primer."

Mike Rothman also highlighted the guidance the guide gives to help organizations be pro-active about preparing for potential security incidents.

The FTC has come up with a beneficial free (using taxpayer money) tool that will give you some clear, basic guidance related to information security. A great start for anyone new to information security and a reasonable baseline for more experienced infosec professionals to cross-check their efforts against.

March 27, 2007
» How Good or Bad is the PCI Data Security Standard?

I've been on the road quite a bit the last few weeks, so I've been a little quieter on the blog front than I'd have liked.

In between my stops, I did pick up some of the fodder on the "Is PCI DSS Good or Bad" debate between Mark at Security Buddha and Michael at PCI Compliance Demystified. In full disclosure, I did attend the PCI Conference in San Francisco with Michael. I thought I had a pretty thorough grasp on PCI compliance, but Michael really knows his stuff.

A few points I'd like to make.

First, we have to remember the PCI Security Standards Council is still in its infancy as the standards body overseeing the PCI Data Security Standard. As a member of the Council, I had the opportunity to participate in a member WebEx. This was an initial effort to foster direct communication among the members of the group (who, by the way, represent a broad spectrum of the constituencies the standard affects, with the exception of consumers).

Based on what I heard, I am confident there will be ample opportunity to communicate the weaknesses within version 1.1 of the standard, so that continued improvements will be made. Can we say the same for Sarbanes-Oxley, HIPAA or GLBA? Which of the bodies overseeing those regimes (SEC, PCAOB, HHS, FFIEC, FTC) is soliciting feedback? Anyone?

Second, and more importantly: while efforts to tighten up compliance standards so that they prove not just compliance but a serious commitment to a secure environment must continue, the real issue continues to be enforcement, and enforcement of penalties for non-compliance.

In poring through some past issues of Network Computing, I came across Patrick Mueller's article on some recent FTC action related to a data breach of an insecure e-commerce server. Now, there are a lot of twists and turns to this particular story that are interesting, but the thing that stood out to me like a giant billboard was this: "It became the FTC's 14th data-security case." 1,400 wouldn't have surprised me. I might have done a double-take at 140. But, 14??

We're not even talking about non-compliance here. We're talking about breaches. I don't know about you, but I certainly read about a lot more than 14 of those...a month!

Once again, there is no accountability placed on organizations to take information security seriously.

March 23, 2007
» Congress' Double-minded View of Data Security

I wrote a few weeks ago about the incredible abuses of data perpetrated by the Governor of Arkansas and the Chicago Elections Board. So, I just had to shake my head when I read Jim Rapoza's column in eWeek.

Rapoza calls out the schizophrenia that appears to be affecting Congress with the introduction of the Personal Data Privacy and Security Act of 2007, which is designed to provide prompt notification to victims when data breaches occur and to make companies accountable for the lack of security that may have led to the breach (think a national version of California SB 1386).

The flip side of this is Rep. Lamar Smith's SAFETY Act. Its intent is to stop adults who exploit young people over the Internet. However, the law, if passed, would require ISPs and possibly every Web site to store all the data of Internet users just in case it's needed in a future court case. There would potentially be no maximum time limit for this data to be retained. There's even a possibility that this law could allow this data to be used for civil legal actions. Can you imagine the potential ramifications of that? Employers scouring over employee Internet use. Divorce cases with Internet activity disclosed.

Ironically, this same Rep. Smith was also the sponsor of the Telephone Records and Privacy Protection Act of 2006, which protects phone records and makes pretexting illegal.

A reasonable balance needs to be found between individual privacy and the need to retain certain data necessary to identify illegal activity. But is Congress, with all of the various special interest groups pandering to them, the right people to find this balance? 

» VMware Security Tip of the Day - #9

In today's final VMware ESX security tip, I'll focus on one of the most important security considerations - documenting and monitoring configuration changes, especially security-related changes.

Find out why this is even more critical in a virtual environment than in a physical one.

Download Podcast_VMwareTip9.mp3

March 22, 2007
» VMware ESX Security Tip of the Day - #8

Securing VMware ESX servers isn't enough when you're securing a virtual environment. You also need to make sure your guest operating systems are secure. That's the focus of today's VMware Security Tip of the Day.

Download Podcast_VMwareTip8.mp3 (1946.2K)