Author Archives: Eddie Block

What qualifies a CISO?

Since the Equifax breach a screenshot of the CSO’s music degrees has been floating around the Internet.

 

As a Classical Civilizations undergrad, I take issue with the implications.  During college I built networks and databases and worked on systems of all types.  I also spent my summers on archaeological sites in Israel.

After graduating from college, I worked helpdesk support, moved into system administration, started securing systems and networks.  I eventually became a full time pentester.  Midcareer, I dropped out of InfoSec and went to law school.

After law school I went back into security doing product security, working with DoD networks, and securing a $20 billion enterprise.  I eventually served as the Chief Information Security Officer for the State of Texas.

So I was the CISO for a state of 28 million people with degrees in Classical Civilizations and Law.  Does that make me unqualified for my job?  Should I have stuck with my life in archaeology?

I know a loooottttttt of people in InfoSec with no or unrelated degrees.  In fact there was almost no university offering a security degree when I or my friends were in college.

What makes a security person?  Curiosity.  Grab all the degrees and certifications you want, without a natural curiosity of how things work (and more importantly break) you won’t make it in InfoSec.  Making things work in unintended ways is the fundamental tenant of security.  The most important word in InfoSec is “Huh?”.

So was Ms. Mauldin qualified to lead Equifax’s security program?  I don’t know, but I won’t make that judgment base of her degrees.

Does data protection still matter?

Yesterday Equifax (you know the folks that sell credit monitoring services) announced that they were breached.  143 million Americans (or 44% of all Americans) had their personal information exposed.

The 143 million Americans exposed by Equifax, the 22 million exposed in the 2015 OPM breach, the 1.5 billion records exposed by Yahoo would seem to indicate that there is no data left to breach.  The chickens are out of the henhouse.  So where do we go now?

Security is a series of layers.  Physical protection, perimeter protection, system protection… Preventative, detective, and corrective controls… Compensating controls for when any of those fail.  Security is hard.  It is easier to tear something down than to build something up.  The time I spent breaking into systems and networks was a lot easier (and more fun) than the time I spent trying to protect them.

So do the victims get a free pass?  No!  Because they aren’t the victims, we are.  The information that is lost is ours.  We entrust our personal information to these companies – in the case of Equifax and the other credit reporting companies we don’t have much say in the matter.  They have a duty to protect our information from the threats we know are out there.

They need to do the hard work.

Hey, the good news is that Equifax is offering credit monitoring services for the people affected by the breach of their own systems.  That certainly makes me feel more secure.

Interested in liability protections? Learn about the Safety Act.

The “Support Anti-terrorism by Fostering Effective Technologies Act of 2002 or Safety Act (no, I don’t know where the “Y” came from) seems to have flown under the radar for the past 15 years with few buyers or sellers of cybersecurity technologies taking advantage of the Act and its liability protections.

Passed in the wake of the terrorists attacks on September 11, 2001, the Act’s stated intent is to incentivize the development and deployment of Qualified Anti-Terrorism Technologies (QATT), including cybersecurity technologies, in a couple very specific ways.

First, the Act limits the Seller of a QATT’s financial liability to an amount determined by the Office of SAFETY Act within the Department of Homeland Security.  In exchange for carrying the required insurance, the seller’s liability is limited to the amount of that insurance (6 CFR Part §25.7(a)).  Additionally, no punitive, exemplary (§25.7(b)(1)), or noneconomic damages, “unless the plaintiff suffered physical harm” are available to the plaintiff (§25.7(b)(2)).

This is all great news for the Seller of a QATT, but what about their customers?  Section 25.7(d) extends these liability protections downstream:

“There shall exist only one cause of action for loss of property, personal injury, or death for performance or nonperformance of the Seller’s Qualified Anti-Terrorism Technology in relation to an Act of Terrorism. Such cause of action may be brought only against the Seller of the Qualified Anti-Terrorism Technology and may not be brought against the buyers, the buyers’ contractors, or downstream users of the Technology, the Seller’s suppliers or contractors, or any other person or entity. In addition, such cause of action must be brought in the appropriate district court of the United States.”

So putting it all together, any cause of action resulting from an Act of Terrorism regarding a QATT has exclusive federal jurisdiction, has a cap to awards, cannot include punitive, exemplary, or noneconomic (with exceptions) damages, and can only be brought against the Seller, not their subcontractors, suppliers or buyers.

What is an Act of Terrorism?  The determination of an Act of Terrorism is left to the Secretary of Defense (or their designee), but the requirements are that the Act:

  1. Is unlawful;
  2. causes harm; and
  3. uses methods designed or intended to cause mass destruction.

There is no requirement that the Act of Terrorism have a political basis.  Many attacks against public and private sector enterprises could fall under this umbrella.

Of course, this is a very high-level overview of a 10 page regulation, but with so many benefits for themselves and their customers, companies are tripping over themselves to get to the Office of Safety Act right?

Actually, according to the Approved Awards Search site only around a dozen companies have earned awards for cybersecurity related technologies.  In a world where over 300 vendors exhibited at the most recent BlackHat conference, it would seem that the ability to offer your customers any level of liability protection would make a great differentiator.

 

WOW! It’s been a while

It has been way to long since I’ve posted anything here.  For the diligent, thank you for sticking with me.  I’m back on the train and will get back to regular posts.

My practice has been picking up, so I’ve been a bit busy.  For those that don’t know, my legal practice is centered around cybersecurity issues.  Primarily:

  • Mergers and Acquisitions diligence
  • Risk Assessment
  • Security and privacy policy creation and review
  • Breach planning and response
  • Cyber-insurance
  • PCI-DSS, HIPAA HITECH, GDPR analysis and review
  • Negotiating Technology Agreements
  • Terms of Use
  • End User License Agreements
  • Helping startups address security issues
  • IT Counseling
  • Calling out Security “snake oil” salespeople

It is a fun and interesting way to spend my days.  I get to play with all the areas of my firm’s practices, I get to meet cool and interesting people, and I get to solve problems.

There is a great essay from Eric S. Raymond called “How to Become a Hacker“.  It is one of my favorite pieces of writing on what hackers are and the ethos.  I need to reread it every year or so to remind me that there are people like me and how I need to focus my attention.  Everyone should read the essay. The 5 attitudes ESR calls out, that have become my mantras are:

1. The world is full of fascinating problems waiting to be solved.

2. No problem should ever have to be solved twice.

3. Boredom and drudgery are evil.

4. Freedom is good.

5. Attitude is no substitute for competence.

My practice really does let me find “fascinating problems waiting to be solved” and I feel really enthused every time I get to find that solution.

Anyway, more to come.