Tuesday, March 23, 2010

TSA plays Russian roulette, yet again…

A quick disclaimer: I have nothing against TSA, despite the fact I’ve missed a flight in the past due to long lines at the security check… They are a symptom of a greater problem rather than the problem itself.

Now that we’ve put that aside, let’s look at TSA’s mission statement (http://www.tsa.gov/who_we_are/mission.shtm):
“The Transportation Security Administration protects the Nation's transportation systems to ensure freedom of movement for people and commerce”

And vision statement:
“The Transportation Security Administration will continuously set the standard for excellence in transportation security through its people, processes, and technology.”

Sounds like TSA is serious about security, right?

Well, I will not discuss transportation security (though some consider it debatable); however, history tells a slightly different story when it comes to information security…

Looking at the past 4 years:

2007 (http://bit.ly/aoChfI) – External hard drive containing data from approximately 100,000 archived employment records went missing from a controlled area at TSA.

2009 (http://bit.ly/5REHBu) – TSA accidentally posted a document containing highly sensitive information on its airport screening procedures on a government website.

2010 (http://bit.ly/dc2Nbu) – Poor security protocols allowed a fired TSA worker to sabotage TSA’s databases containing information tied to the war on terror and other law enforcement activities.

While some might argue this is an unfortunate collection of unrelated incidents, I would seriously doubt it. With no intent of being harsh with TSA, this comedy of errors is an indication of how security is perceived at TSA.

Starting point:
It will never happen to us! (Therefore no real controls, procedures or C-level directives are necessary)

Post incident #1:
Oops, it did happen. Ok, it will never happen to us AGAIN! (Must be a random statistical glitch; our current strategy is proving itself!)

Post incident #2:
Not again, No way! (Hmmm, at least we placed on each page of the manual the following: NO PART OF THIS RECORD MAY BE DISCLOSED TO PERSONS WITHOUT A 'NEED TO KNOW.')

Post incident #3:
Doh! Let’s bring in a data breach response services company to clean up the mess (http://bit.ly/c0loLq). (Addressing the collateral damage is probably going to solve the problem!)

Most of these types of incidents can be addressed today with existing controls. These are not operator errors, but a depressing example of an overall organizational/C-level failure to enact security policies (many of which are seemingly standard procedures) that secure data and protect sensitive assets.

If C-level execs don’t get it, they can simply view security as an insurance policy (ensuring bad things don’t happen). People buy an insurance policy not because they plan to use it on a daily basis, but because if something does happen, the loss can be substantial.

Another way to look at the statistics: organizations play a game of Russian roulette, assuming it will not happen to them (after all, there is only one bullet and five empty chambers).

With the case of TSA - it looks like the cylinder is practically full…

Today I was riding with the four horsemen of the apocalypse, so I’ll finish with a positive tone:
Spring is here, happy (belated) equinox (http://bit.ly/2qHKU1)!

Friday, March 12, 2010

Brain dump

Last week I participated in the RSA Conference representing Cyber-Ark. It turned out to be a pretty busy week (your sympathy is appreciated).

This week, as a slightly different exercise, we will switch roles (let’s call it an un-blog post). Instead of my describing my insights, I will provide some raw data from the conference in the form of a brain dump. If any of this makes sense to you, please comment or ping me with your insights.

As with any brain dump - no order, priority or importance, just a partial list of raw numbers/”facts”:
  • Server virtualization penetration in the enterprise is estimated at 25%
  • 6% of ID theft comes from password guessing
  • IT departments spend 2/3 of their budgets on maintenance
  • CIO survey – for 51%, security is the greatest concern surrounding cloud computing adoption
  • Information growth - 60% per year
  • 1B mobile devices will be accessing the internet by the end of the year
  • Survey of 2,100 companies (CIO, IT, CSO, etc.):
          - Over the last 12 months 75% experienced a cyber attack
          - 100% experienced a cyber loss in 2009
          - Top 3 stolen “items”:
                   1. Theft of IP
                   2. Financial/credit card data
                   3. Customer PII
  • During 2008 – 1.6M signatures (as many as the previous 17 years combined)
  • During 2009 – 2.9M signatures
  • Customers said that of their entire data only 1% matters
  • 40% of employees’ private machines access work resources
  • 10% of private machines are the primary working machine
  • Some organizations promote personal devices for work (subsidized)
  • Per Gartner – organizations can save 9-40% on equipment cost
  • Data breach - average loss per record is $204
  • Data breach - average loss per incident is $6.75M
  • 70% of physicians are afraid to place customer data in the cloud
  • 56% of the malware written today is designed to steal data
  • 42% of data breaches involve a 3rd party (service provider, consultant, etc.)
  • Since 2008 there have been more mobile devices accessing the internet than “fixed” devices
  • By the end of 2011 there will be 5B users out of 6.8B people in the world…
  • Projected data traffic increase from 2009 to 2014 is 3900%
  • Video will be 66% of mobile traffic by 2013
  • Organizations leveraging Amazon cloud services usually have one super admin account to purchase and manage their infrastructure:
          - It is a shared account
          - It is a standard Amazon account and can be used to purchase books or anything else…

As an epilogue, to get your CPU working, a quote by Marc Benioff:
“Why isn’t all enterprise software like Facebook?” It was the next iteration of the question he asked in 1999 (the one that spawned salesforce.com): “Why isn’t all enterprise software like Amazon.com?”