10 Things I Know About… Mass. data security rules

10. You need a WISP.

A written information security program, or WISP, is required under 201 CMR 17.00, not merely recommended. Make sure there is a named person responsible for maintaining and enforcing it.

9. Always encrypt data.

Personal information must be encrypted wherever it is exposed: in transit across public networks or wireless links, and at rest on laptops, USB drives and other portable media. Those are the cases the regulation names specifically; treating encryption as the default everywhere, from the server to the cloud to the device, is the simpler policy to enforce and audit.

8. Check your firewall.

Simply having a firewall isn’t enough. Its rules and firmware need to be kept up to date, and you should consider unified threat management (UTM).

7. Update your security software.

You need up-to-date protection against malware, with current virus definitions, and you need the latest operating system and application patches to guard against intrusion. Put both on a defined update schedule.

6. Employees must be aware.

It’s not enough to have systems and policies; you must also educate staff and boost user awareness. Employees should be trained and sign off on security awareness at least annually.

5. Vendors must meet standards.

Make sure security expectations are written into your contracts, and perform due diligence on vendors before you select them and for as long as you retain them.

4. Secure access control.

Restrict access to personal information to the employees who need it to perform their duties, and remove that access promptly when roles change or people leave.

3. Review regularly.

View this as a continuous process, not a finite task. You must review your security procedures at least once a year, and whenever there is a material change in business practices that could affect the security of personal information.

2. Compliance is cheaper.

If you’re resisting the allocation of proper security resources, be aware that the state can levy serious fines for violating the regulations, on top of the cost of the breach itself.

1. Don’t get complacent.

Just because you have complied with the regulation doesn’t guarantee your data is safe. It’s a solid foundation for the information security program you should continue to build.

Why every business needs a WISP

Non-compliance is a risk, and the Attorney General’s office carries a big stick for those who don’t follow the rules.


If you don’t have a written information security program (WISP) in place for your business, you are risking data theft, legal action, and punitive fines. Laws in most states now require you to take steps to safeguard personal information. They vary in strictness, but there are nearly 50 different state regimes to cater for if you’re doing business across the United States.

You can’t afford to bury your head in the sand and assume it will never happen to you. Research from the Identity Theft Resource Center (PDF) shows an alarming rise in incidents of personal data theft every year since it started recording them. It reports 783 breaches last year (2014), compared to just 157 in 2005.


A WISP is not optional

The need for a WISP is made explicit in one of the most stringent of the regulatory bunch, the Massachusetts Data Security Regulations, 201 CMR 17.00 (PDF). Abide by this, and you will probably satisfy your own state’s data privacy laws as well.

The Commonwealth of Massachusetts states, in 201 CMR 17.03(1):

“Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards.”

That doesn’t just apply to businesses operating in Massachusetts; it applies if you hold personal information about a single customer (or employee) living there. If you have a data breach and personal information is stolen, you won’t just have the clean-up and reputational damage to worry about: the Attorney General can seek serious financial penalties.

Despite the serious risk of financial penalty, there are still companies without a proper WISP in place. According to a Protiviti survey on data security (PDF) from last year, a third of companies don’t have a WISP at all and over 40% lack a data encryption policy.

If you need an idea of the size of the potential risk here, consider that IBM’s Cost of Data Breach Study for 2015 put the average consolidated total cost of a data breach at $3.8 million. That’s an increase of 23% just since 2013.


Creating a solid WISP

There are lots of things to consider when you create a WISP. Think about how you protect data in transit and at rest; encryption in both states is vital. Consider the level of access your employees have and how they authenticate, including password rules and lockout after repeated failed logins. Remember to take into account what happens with personal devices, especially in light of the mobility and BYOD trend. You also need a good firewall, anti-virus, and anti-malware protection in place, and all of it should be updated regularly.

Something that’s often overlooked is applying the same rules to your third-party vendors. Make sure, by contract, that they meet the safeguards in your WISP, particularly if you are using a lot of cloud-based services and storing data offsite.

This concern isn’t limited to large organizations. Small businesses are liable too. That’s why Massachusetts publishes a handy guide (PDF) to help small businesses and individuals handling personal information get started on a WISP.


Educating and reviewing

Creating a WISP isn’t going to kill the risk of data breach stone dead. You need to educate your employees about it and make sure that they review it regularly and sign off on it. User awareness is a key component here, and ignorance will never be accepted as an excuse by your customers or by the law. As we mentioned before, that awareness and sign-off should extend to your contractual relationships with third parties.

You also need to review the program internally and ensure risks are reevaluated as your business evolves. Consider the impact of new systems, devices, software, partners, and employees. The absolute minimum frequency for review and sign-off on your WISP is annual, but in certain circumstances it will make sense to review more often than that, especially when there are changes in the business that might affect it.

Make sure that all the roles and responsibilities are clearly delineated in your WISP, and that employees are empowered to take action when they encounter a problem. There must be a designated person in charge that the buck stops with.

One final consideration that’s worth keeping in mind is that your WISP is not a magic bullet for cybersecurity threats. Compliance will not guarantee that your data is safe, but it’s a good opportunity to start building a really solid information security program.


This article was recently published in Network World.

Imagery credit: cutcaster

Towerwall Security/Vulnerability Alert Vol 13.96

The “Stagefright” hole in Android – what you need to know

Provided by Paul Ducklin at Sophos, Inc.

The conference circuit can be a competitive arena, especially when there are multiple parallel streams.

For example, back in 2010, I was at Black Hat in Las Vegas, and I attended the talk next door to the late Barnaby Jack’s now legendary “ATM Jackpotting” talk.

Jack famously made unmodified ATMs that he bought off eBay cough up banknotes live on stage.

Those of us next door had to wait until the ovation and commotion died down before our presenter could continue lecturing to his meagre audience. (At least there was a good choice of seats.)


Exploit Disclosure Silly Season

So it’s not surprising that July tends to be Exploit Disclosure Silly Season.

Presenters at Black Hat and Def Con try to convince the media to tell the world that theirs is the talk to choose, stressing the severity of the hole they’ve found without giving too much away.

There’s nothing wrong with that: good talks based on solid reverse engineering aren’t easy to put together, and if you’re prepared to do a live demo to go with it, you’re entitled to your “jackpot” moment.

So, imagine that you’ve got exploit talks accepted at Black Hat and Def Con, that your hack is a remote code execution hole in the world’s most widespread mobile operating system, and, best of all…

…that the operating system component in which you found the bug is called “Stagefright”.

That’s a better name for an exploit than POODLE or LOGJAM – heck, it’s a better name than Heartbleed (although the bugs don’t really compare at all, whatever you may have read).

You can use a name like “Stagefright” in your press releases without being accused of hyperbole.

Unsurprisingly, then, that’s what researchers at Zimperium have done.

They found a bunch of security holes, now designated with seven different CVE numbers (CVE-2015-1538, -1539, -3824, -3826, -3827, -3828 and -3829).

It’s become the “Stagefright” hole.


Multimedia Messaging Service

The bugs are in an unfortunate part of Android: the media library that is used, among other things, to handle content arriving via the Multimedia Messaging Service, or MMS.

Remember MMS?

Like SMS but with videos, sounds, pictures, and no annoying 160-character limit?

It’s an aging system that doesn’t get a lot of attention these days, because internet-based programs like WhatsApp, Snapchat and Instagram have swept it aside.

But most Android phones are still set up to receive MMS messages, and will process them automatically by default.

Technically speaking, an MMS arrives as a notification containing a link, so that the actual content of the message (which might cost you money) is fetched only later on, when you decide that you want to look at it.

That’s a bit like email clients that fetch only subject lines at first, so you can ignore or delete unimportant messages without racking up download charges.

But the default SMS/MMS apps in Android 4.4 (KitKat) and 5.x (Lollipop) are Messaging and Hangouts respectively, and their default configuration is to download MMS content in the background as soon as the messages arrive.


Remote Code Execution

Unfortunately, the bugs found by Zimperium allow a booby-trapped media file to corrupt memory in the Android media library (libstagefright) while it is being parsed, and from there to run shellcode, executable instructions smuggled in as apparently harmless multimedia data, taking control of your device as soon as the content of the message is downloaded.

So an attacker may be able to trigger malicious activity as soon as a victim’s device receives the poisoned message, even if the victim later decides to delete it.

That’s what’s known as a Remote Code Execution (RCE) vulnerability, almost always the worst sort.
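The Stagefright CVEs were memory-safety bugs in libstagefright’s parsing of MPEG-4 container structures, and several of them were integer overflows in size arithmetic: a size field taken from the file is added to an offset or a running total in 32 bits, the sum wraps, a bounds check passes, and a later copy runs past the buffer. The following is an added illustration of that pattern in a toy atom walker; it is not libstagefright code, the function names are invented, and the sample bytes are constructed rather than captured. The vulnerable check is kept as pure arithmetic (it never dereferences memory) so the program can be run safely.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 32-bit read: an MP4 atom header is a 4-byte size then a 4-byte type. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Vulnerable bounds check (simplified illustration of the bug class, not real
 * libstagefright code): off + size is computed in 32 bits, so a crafted size
 * near UINT32_MAX wraps the sum back below len and the atom is accepted.
 * Code that then trusts `size` to allocate and copy the payload reads or
 * writes far outside the buffer; a carefully laid out file turns that into
 * code execution.
 */
bool atom_fits_vulnerable(uint32_t off, uint32_t size, uint32_t len) {
    uint32_t end = off + size;          /* unsigned wraparound happens here */
    return end <= len;
}

/*
 * Hardened check: reject headers smaller than the 8-byte minimum and compare
 * size against the bytes remaining instead of adding first, so nothing wraps.
 * (The MP4 convention "size == 0 means to end of file" is deliberately not
 * accepted here; a real parser would handle it separately.)
 */
bool atom_fits_safe(uint32_t off, uint32_t size, uint32_t len) {
    if (off > len) return false;
    if (size < 8) return false;
    return size <= len - off;
}

/* Walk a buffer of atoms with the hardened check. Returns the number of
 * atoms accepted, or -1 at the first malformed one. */
int walk_atoms(const uint8_t *buf, uint32_t len) {
    uint32_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 8) return -1;   /* truncated header */
        uint32_t size = be32(buf + off);
        if (!atom_fits_safe(off, size, len)) return -1;
        count++;
        off += size;                    /* cannot wrap: size <= len - off */
    }
    return count;
}

/* Constructed samples (not real captures): an 8-byte "ftyp" atom followed by a
 * 16-byte "tx3g" atom. In SAMPLE_EVIL the second size field is 0xFFFFFFF8. */
static const uint8_t SAMPLE_GOOD[] = {
    0x00,0x00,0x00,0x08, 'f','t','y','p',
    0x00,0x00,0x00,0x10, 't','x','3','g', 0,0,0,0,0,0,0,0
};
static const uint8_t SAMPLE_EVIL[] = {
    0x00,0x00,0x00,0x08, 'f','t','y','p',
    0xFF,0xFF,0xFF,0xF8, 't','x','3','g', 0,0,0,0,0,0,0,0
};

/* Apply the vulnerable check to the crafted second atom (at offset 8 of a
 * 24-byte buffer). Returns 1 if the check wrongly accepts it. */
int demo_vulnerable_accepts(void) {
    uint32_t size = be32(SAMPLE_EVIL + 8);
    return atom_fits_vulnerable(8, size, sizeof SAMPLE_EVIL) ? 1 : 0;
}

int main(void) {
    printf("vulnerable check accepts crafted atom: %d\n", demo_vulnerable_accepts());
    printf("hardened walk, good file:  %d atoms\n", walk_atoms(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("hardened walk, crafted file: %d\n", walk_atoms(SAMPLE_EVIL, sizeof SAMPLE_EVIL));
    return 0;
}
```

With the crafted size, 8 + 0xFFFFFFF8 wraps to exactly 0, so the vulnerable check sees an "end" of 0 and accepts an atom that claims to be four gigabytes long. The fix is the shape of the comparison, not a bigger integer type: always test the untrusted length against what remains, never against a sum that includes it.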

The bug has been around for some time, and Zimperium is claiming that 950,000,000 devices may be at risk.

(That precise sounding number seems to be simply a 95% vulnerability rate multiplied by a round one billion Androids.)


Patches coming

Google knows about the bugs, and has prepared patches.

Indeed, if you have a Google Nexus, and you have updated recently, it sounds as though you are already safe.

Sadly, we can’t be sure which other device vendors have already patched, unless they choose to say so, because Zimperium is keeping the exploits under wraps until Black Hat, when the whole world will find out about them (and presumably, how to exploit them) at the same time.

It also sounds as though rebuilding Android from the Android Open Source Project (AOSP) won’t help yet, because Google is holding the fixes back from the public source tree until the details are out.

Google told The Guardian:

This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users.

As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at BlackHat.


What to do?

  • Try asking your device vendor whether a patch is available already. You may be able to get ahead of the game.
  • If you can’t get a patch right now, find out when to expect it so that you can apply it as soon as you can.
  • If your messaging app supports it (Messaging and Hangouts both do), turn off Automatically retrieve MMS messages.
  • If your device supports it, consider blocking messages from unknown senders if you haven’t already.
  • If your SMS/MMS app doesn’t allow you to turn off Automatically retrieve messages, consider simply switching back to Android Messaging, which does.


Unless your digital lifestyle hinges on MMS, we think that you will be able to live without it, and that blocking the auto-download of potentially booby-trapped MMS content is a great start.

Of course, even if you’ve turned MMS auto-downloading off, you still need to avoid clicking on suspicious MMSes – doing so would initiate the potentially dangerous download anyway.

So, if you see an MMS from a sender who’s never communicated with you before, consider deleting it.

And don’t forget that “Stagefright” isn’t an MMS bug as such: it’s a bug in the way Android parses the kind of media content typically delivered by MMS, so any other route that feeds a booby-trapped video to the media library is a potential trigger too.

Firefox for Android, for example, has recently been updated; it too was apparently vulnerable via web pages containing booby-trapped videos.

So, keep your eyes peeled for those patches!