UN SecCouncil Requires PNR Sharing

Somehow or other, the US managed to get the Security Council to approve the sharing of Passenger Name Records (PNR) of travelers with other countries.  As with much of what happens in the U.S. these days, other events have obscured this meaningful news. Yes, the rest of the world has expressed their displeasure with our stated desire to move our Israeli embassy to Jeruselum.  But then the Security Council voted to support this US proposal.



DNS Security

This article, describing how a Brazilian Bank with $27 Billion in assets and hundreds of branches was taken over by a criminal hacking group for a single day in 2016, illustrates the need to secure your web resources all the way back to the registrar.  The undisclosed bank in question had all of its DNS traffic redirected to a clone of the bank’s actual website.  Customers used the site the entire day, entering their password and account information into the fake site – resulting in an undisclosed but likely significant loss of funds for the affected individuals, the bank and the Brazilian government’s insurance fund.

DNS Security is an overlooked component in the chain of digital services required to deliver internet services.  If you are interested in ensuring you maintain control over your domain, you need to evaluate the security of your domain registrar.  Like any other third-party service provider, they need to meet your security expectations.  You need to assess their service offerings and their ability to protect your data.

While not an endorsement on my part, CloudFlare has announced they intend on meeting this emerging market.  They have started offering their services as a Registrar and include a handful of features designed to ensure domains are protected from hijacking.  I assume Registrars will look at these new offerings and see the market opportunities they represent.  Like many other services, until they become commodities, the provider can charge a premium.  I’m hoping these offerings will become ubiquitous and affordable for all website operators.

Until then, you should consider using CloudFlare’s security tool to understand the features you need to enable to ensure your website is secure.

Lavabit Suit As a Precedent?

“The government’s citation of the Lavabit case, and their description of its outcome, is disturbingly disingenuous,” Levison wrote on Facebook. “The language used [in the footnote] is incredibly misleading, as it insinuates a precedent unsupported by the appellate court’s ruling…. This verbiage suggests the seizure of third party encryption keys was found lawful by the appellate court, which is wholly unsupported by the appellate court’s opinion.”

NIST 800-53 Rev 5

NIST intends to roll out revision 5 of the 800-53 standard (FISMA) in 2016.  They want your feedback.  If you (like I) have to endure the implementation of these controls, give them your feedback.  Help your fellow practitioners.

Some interesting elements from the Pre-Draft Call for Comments:

  • Addition of Keywords
  • Addition of hyperlinks to related documents

I really think these are good additions to the standard and hope the body goes forward with their inclusion.

Taylor Communications

I work for a new company.  This past week my employer changed its name from Standard Register Incorporated to Taylor Communications.  This is the third company I have worked for in the past six months – all without leaving my seat. The last time I went through this many employers was in 1986 when I worked for Dart & Kraft, Whirlpool and Emerson all in one day.

In March of 2015, The Standard Register Company declared bankruptcy. On August 1st, the company name was changed to Standard Register Incorporated (a Taylor Corporation company).  People bemoaning the name change and the loss of a Dayton-based institution ignore the first transition.

I am excited by the name change and the opportunity it represents.  The Standard Register Company has had cycles of success and failure over the past fifteen years – but serving a contracting market ultimately resulted in more failures than success. The leadership team in that period worked hard to ‘rewire the plane in flight’ and transition the company to a different marketplace. This name change signals Taylor’s ambition – which I welcome.

The loss of the company name does sadden me.  It is hard to work for a company as long as I have and not have a sense of loss.  Part of my identity has been attached to the company name.  I understand the business imperative behind the name change and accept it – but I will take some time for me to transition to the new world.

Data Breach Settlement Insufficient

Breaches, breaches everywhere but not a consequence to be found – until now.

Data Breaches Passe


The Target data breach settlement negotiated by Mastercard has been refused by the three largest participating banks

Data breaches are (almost) no longer newsworthy. Exploited companies publish bland notices to the community indicating a breach has been reported and they are cooperating with authorities. Cyber security experts investigate.  The exploited company publishes the boilerplate list of exploited vulnerabilities. Occasionally a CISO or CIO’s employment is terminated.  And so on.

People complain about credit card interest rates but don’t correlate that experience to data breaches. It turns out a cause of high-interest rates is the result of card issuers recovering the costs associated with credit card data breaches. And guess what? That cost of doing business matters to the card issuers. The tide is turning and the accountability for data breaches is going to shift.  In their own self-interest, the major banks are pushing back – and we will eventually benefit.

Big Banks Push Back

Citigroup, Capital One Financial Corp. and J.P. Morgan Chase & Co. have each rejected the $19 million settlement negotiated on their behalf by Mastercard with Target Inc. More than $350 million has been spent addressing all of the issues associated with the 40 million cards affected by the data breach. An untold number of dollars has been stolen by the thieves associated with the Target breach with an estimated 9 billion US lost to thieves industry-wide last year. Small card issuers receive only pennies on the dollar for their losses.  They get their money after the big firms get theirs.  In that context, it’s not surprising that the major banks behind the card issuers are taking a firmer stand.

But how much is enough and how much can Target afford to spend compensating these firms for their lax controls? At what point does the consequence pass beyond termination of a senior executives employment and affect the stockholders of a company? When they care – we’ll benefit.  Target reported net revenue of 72 billion dollars in 2014.  While the settlement figure might affect stock prices temporarily, it’s not going to have a lasting effect.  Hopefully, the banks can raise the stakes and make the settlement meaningful for Target’s stakeholders – so we benefit.

Standard Register’s Decline to Bankruptcy

SR Stock Price Decline

SR stock price free fall since May of 2014

Foreshadowed since their December 8K Filing, Standard Register has announced they are filing for Chapter 11 Bankruptcy.  The Dayton Daily News has the most comprehensive coverage starting with the news in January, through the de-listing from the NYSE and the transition of the company’s CFO and the placement of an external Restructuring Officer until finally the news this past week that the company had finally filed for Chapter 11 bankruptcy.  As the week closed, the company had successfully presented motions to the bankruptcy court.
In August of 2013, Standard Register acquired another local company – Workflow One which had gone through a bankruptcy filing of their own.  The purchase was facilitated and in part funded by Silverpoint Holdings – a large Hedge Fund specializing in distressed companies.  That acquisition carried covenants associated with the funding which were triggered in December when Standard Register was unable to make the necessary loan payments.

The opportunity that exists through this Chapter 11 restructuring process is that we can focus on our balance sheet and improve the indebtedness of our business to put us in a position to take advantage [of] the transformative things that have happened with our portfolio over the last number of years. – Joe Morgan

The underlying challenge is the pension fund funding requirements held by many U.S. Corporations (PDF).  The historically low interest rates and the growing funding obligations associated with the increasing life expectancy of the pension holders has essentially flipped the company’s priorities away from market.

While informal information appears to be shared, it’s hard to assume any of the comments represent reality.  Until now, the only information here is what has been shared publicly.


AnthemThe financial industry has been at the forefront of reported breaches for several years – it is where the money is after all.   As the Health Care Info Security site infographic depicts, the pace of breaches in the healthcare industry is picking up.  In my experience, the healthcare market security practice trails the financial market by a large margin.  Speakers will talk about the industry abiding by ‘compliance obligations’ but not addressing security issues.  The cynic in me has a hard time hearing that argument without retorting “you mean you got the auditors to go away by checking a box without addressing the underlying risk”.  I am not surprised to see the volume of breaches in the healthcare industry increasing.

Many of my coworkers are impacted by the Anthem breach recently reported by the company.  After the fact, there’s not much to do other than await a full accounting of how the breach occurred.  Early reports indicate that the credentials of a privileged account were obtained and used to navigate within the Anthem technical environment to locate and secure confidential information.  Commercial cloud storage services were used to push the data outside (or ex-filtrate as they like to say) the Anthem environment.  The company does not believe the loss of credentials was purposeful (not an inside job) but rather the result of a spear-phishing attack.

What lessons can we glean from this event?  Unfortunately, there’s nothing new here.  Absent details, these are the same events that appear to unfold every month.  Administrators, like the rest of us can still be deceived in to clicking on links and/or revealing passwords.  When companies encrypt data, they still provide ready access to accounts with elevated privileges.  And finally, avenues to exfiltrate data are still permitted in companies believing the access is necessary to business functions.

Investigators now believe the hackers somehow compromised the credentials of five different tech workers, possibly through some kind of “phishing” scheme that could have tricked a worker into unknowingly revealing a password or downloading malicious software.

The larger issue is the disproportionate value proposition that exists.  The level of effort invested by these organized crime and nation states greatly exceeds the level of effort most companies are willing to invest to protect there critical resources – there intellectual property and the information entrusted to them by their customers.  Sadly, until consumers step forward and demand changes from their service providers, we will only see companies prioritizing profit over security. It is after all why they are in business.  Until we demand a higher standard – and perhaps even pay for it – we’ll see our credit card, our social security and our other private information shared with people we likely would run away from if we saw them on the street.

Reward companies willing to differentiate themselves based on how they secure your information – or keep doing what you’ve been doing and get more of the same.