Hong Kong, Sentara Hospitals, & Global Cops – #SCW9

Jeff Man, Josh Marpet, and Scott Lyons discuss current events in information security and compliance.

Recorded 12.2.2019

STATS: Jeff 41% | Scott 35% | Josh 24%

PCI Counter: 8

Jeff Man 0:19
Welcome back to Security and Compliance Weekly. I’m your host, Jeff Man, along with Scott Lyons and Josh Marpet. A couple of announcements and then we’ll jump into the news. There is still time to register for our final webcast of the year for 2019, which will feature Core Security discussing the top penetration testing challenges and how to overcome them. Go to securityweekly.com, click on the webcasts tab, and then drop down and select registration. Also, if you’ve missed any of our previously recorded webcasts, you can go to the same spot, click on the on-demand library and watch any of our previously recorded webcasts. And don’t forget, you can earn one CPE credit per webcast. And finally, don’t forget, we are currently running our annual listener feedback survey, which is again on securityweekly.com. There’s a survey tab, click on that and it’ll come up as the 2019 listener survey. We very much look forward to your responses and feedback, so please go and fill out our survey. I believe it’s up through the end of the year, if I’m not mistaken. But there’s no time like the present. Alright, enough of that. Let’s jump into the news. [roulette wheel spinning] Josh, what story would you like to start off with?

Josh Marpet 0:20
Oh, goodness, there’s so many good ones on this list today. If it’s one of mine, I’d like to start off with the Hong Kong Securities and Futures Commission announcing work on regulating virtual asset trading platforms.

Jeff Man 0:20
Alright, let’s do it.

Josh Marpet 0:38
So the cool part is that Hong Kong, which as we know is having a teensy bit of a problem with democracy right now, just a teensy bit, is now building a regulatory framework for cryptocurrency, from Bitcoin to whatever, but these are the trading platforms. So if you want to build out a cryptocurrency trading platform, they now have a regulatory framework to do it. And if you’re going to trade cryptocurrency and not use one of the trading platforms, or you’re a platform operator that chooses not to be regulated, you can’t do securities or futures contracts. So the great part is they’re saying you’ve got to be regulated, you’ve got to be licensed; if you choose not to be licensed, it can’t be a security, under some loose measure that, well, frankly, is not that easy to understand. So this is an interesting point. Do we trust a… well, problem or troubled, troubled nation, shall we say, to build a regulatory framework for things that will affect everything around the world?

Jeff Man 0:42
Are we talking about the US now? Or…

Josh Marpet 0:43
Aww, nicely done, sir. No, Hong Kong. But it’s a problem. So where do we go from here? Well, who do we trust to build regulatory frameworks?

Jeff Man 0:45
That’s actually a very interesting question. Who do you trust to build regulatory frameworks? I would think that a regulatory framework would be sort of independent enough, whether it’s geopolitical or vendor centric or whatever, you know, maybe antitrust centric, that anybody should be able to look at it and say, now, these make sense. But it still begs the question. It’s an interesting question.

Well, there’s an even bigger question. You know, we’ve had so many regulations and frameworks come out in the last couple of years that everybody’s sitting back saying, well, where do we go with these? Right? They’re saying, why can’t we have one framework to rule them all? Right. And people have tried to do that, you know.

If only we had a simplified framework that sort of combined the best of the best.

Scott Lyons 1:23
Yeah.

Josh Marpet 1:23
Yeah, anything with PCI.

And it should start and end with PCI.

You know, your point is valid there. There’s so many different frameworks, there’s so many different regulatory bodies, there’s so many different things. Some of them make sense. Health data is different than credit card data, I get it. Okay. And some of the ways that you handle data are different. But in the scheme of things, data is data. Now, how do we handle that data? Well, there’s different levels of handling data. There’s different protection levels, there’s different classification levels. These are all valid and relevant pieces, but they could all be handled in one framework.

Scott Lyons 3:16
Well, intuitively there should be, but in practice, data is either valuable or not, at least in the commercial world, in the private sector. You know, generally data is all lumped together: we care about it or we don’t. Where regulatory frameworks come in, like HIPAA or PCI, where they actually call out a particular data set and say you have to protect it, you know, that’s where everybody starts to bitch and complain. And this has been, speaking from a PCI perspective, a years-long process for the industry. But in order to protect the data, you first have to know where it is. And there have been several iterations of how do we help the customers that have to provide security to this particular type of data either figure out where it is, or, a spin-off of that, let’s eliminate it, so they’re not storing it in so many places. And then if they’re not storing it, they don’t have to worry about it.

Yeah. Go ahead, Jeff. Sorry.

Jeff Man 5:48
Well, just to close the thought. I mean, what you were saying is correct, Josh, at least hypothetically, that data has different perceived value. It certainly has different consequences if it’s compromised in terms of fines. But most companies don’t treat it separately and differently. They say, we don’t understand where all the data is that we have to protect, so we just want to protect the infrastructure. It’s why we call it IT security and not information security, which is a pet peeve of mine, but the industry, the world, has bought into: let’s just protect all the systems, and then whatever happens on the systems, it doesn’t matter.

Scott Lyons 6:33
You know, to add another layer of abstraction to this conversation, and to almost take it into a different part of the atmosphere, if you will, of risk governance and risk management: it’s going to be real fun when we start to see these frameworks include cyber insurance, and which types of cyber insurance go with which framework, and the policy levels, and how much you have to pay to be covered. And, you know, it’s just a whole other can of worms.

Josh Marpet 7:03
I call next episode on that!

Jeff Man 7:05
One of these days, we’re going to have to talk about cybersecurity insurance. We’ll get there. I think we have interviews booked for the next several weeks, but we will get there. Next free slot, we’re talking cyber insurance.

Scott Lyons 7:18
The reason I bring that up is because lower down in the article, it talks about insurance, an insurance policy covering risks associated with client virtual assets. Right. And it’s funny, because when we actually do get into cyber risk and cyber insurance, right, and how the two of them come together, there’s going to be fireworks around this, because it’s uncharted territory that a lot of people are not paying attention to. You know, so when you see PCI come out and say, well, your errors and omissions policy needs to be $10 million, and you’re a small business but you fall under PCI, your stack is gonna hit the roof, you know? How in the heck do you pay for something like that and justify it to potential investors that might come down the road? So anyway, I just wanted to point that out. That’s all.

Josh Marpet 8:07
No, no, I like it. I like it. I like it. You know, we’ve gone over a lot of different topics about the regulatory frameworks and how they should be working together and how maybe they can’t. And at the cost of doing multiple regulatory frameworks, now companies are ignoring multiples and saying just lump everything together. This is fascinating stuff. This is something that, you know, our last guest, Matthew Gore, just talked about, building a simplified framework so he could explain it to executives. It really ties in very nicely. So.

Jeff Man 8:37
And if it were my company, it would be in the form of a comic book, just saying, it would be illustrated. Hey, what we’re saying is it’s complicated. And Facebook also says data is complicated. Thoughts on that article, Josh or Scott?

Josh Marpet 8:57
Oh, dear. So data is complicated? And my answer is, no, really? What they’re saying specifically, and I realize this is behind a paywall, it’s a Wall Street Journal article, but what they’re saying is don’t treat data as a simple resource like oil. So don’t treat data like a commodity; treat it as something that’s more complex, that can be shared and kept at the same time. Remember, with digital data, you can copy it and still keep a copy of it. With a car, if I sell a car, I get rid of the car, I don’t get to keep a copy of it, unless I have a really good 3D printer. Okay. But since we don’t have those yet, in my house, I mean, not yet, but I’m working on it, darn it. You have a problem. You can keep copies of the data, you can use that data and still sell it. And you can sell it to third parties. You can sell it to partners, you can rent it, you can lease it, you can do all sorts of things. As a matter of fact, I’ve been predicting for several months or years now that we’re going to start seeing data laundering because of GDPR. We’re going to start seeing companies that are holding data, then leasing it back to their parent companies, just so that if the fine comes down, that little tiny data holding company is the one that gets whacked, not the parent company.

Jeff Man 10:08
So I’m confused. And I don’t see the whole article because I haven’t paid for a subscription, and I guess I used up my monthly allotment. But I guess my question is, what is the definition of a commodity? ’Cause, you know, they go on, for the little bit that I can see, about data being used to be able to sell it and trade it and such, and so on and so forth. I thought that’s what a commodity is. So define terms, if you will.

Josh Marpet 10:39
Of course. A commodity is a thing: orange juice, oil, pork bellies, I think of the classics, silver, gold.

Jeff Man 10:48
Oh! Trading Places. Frozen orange juice.

Josh Marpet 10:54
Trading Places. Exactly. Well said, that’s a commodity. So a commodity is a thing that you can trade, that you can buy, that you can sell. Oil on the futures market is a commodity, various things like that. And if I’m wrong, please forgive me, I’m not a stock trader. Okay. But the idea is that they’re saying that a commodity is a physical thing: you can buy it, you can sell it, you can assume the price will go up or down over time, you can make money on the arbitrage of prices, etc. Okay, so far, so good.

Jeff Man 11:22
So far, so good.

Josh Marpet 11:23
They’re saying that data is not that. Data has a value that is inherent, and data has a value that may go up or down based on external forces, externalities, such as: was this data hacked? Was this data sold? Was this data bought? Was this data shared and inappropriately left in an unsecured, insecure S3 bucket or whatever? So there are a lot of things about dat…

Jeff Man 11:48
The light bulb is starting to glimmer. Is what they’re saying, essentially, that data isn’t a physical commodity in the sense that only one person or entity possesses it at one time? So it’s not something you just hold, or you sell it, because you can hold it and sell it and still hold it and sell it again, and hold it some more and sell it again. Is that what they’re getting at?

Josh Marpet 12:14
That’s the simplistic answer of what they’re getting at. Yes. But I think there’s more to it. Data is complicated, as we all know. I mean, we have an entire podcast based around, effectively, data and regulation. There’s an infinite number of companies based on data and regulation. Data centricity is a huge topic. Data is complex: how do you handle it? How do you hold it? How do you store it? How do you protect it? How do you treat it? Is it radioactive? Or is it merely, you know, a little bit? You know, it’s very difficult to maintain data properly without an understanding of the data. And that’s much more complex than, hey, it’s a barrel of oil. You know, a barrel of data is much more complex to work with…

Scott Lyons 13:01
And if you want government regulation, this is how you get government regulation, right? Especially around data and data portability, right? A lot of these social network services have a phenomenon going on described as data lock-in, right, where you can’t move your data from one platform to another. You know, for those of you who are listening on the podcast, there’s a paragraph in here that I want to read, and I want us to talk about it, because it’s very, very inherent and very crucial to this argument. And it says this: “Data portability is a crucial feature in a thriving digital economy. But Facebook’s announcement falls short of creating the conditions for a more competitive social network market. This half-baked solution will not make a significant change in the way people engage with social networks.” And that was a quote from Agustín Reyna, head of legal and economic affairs at an EU consumer rights group, right. So what we’re talking about here is the movement of data, right? If you’re able to move a commodity, then you can create a marketplace for it. Right. But if you’re doing data lock-in, there’s no movement of data; you’re holding on to it, it’s not going anywhere. Right. There’s a big conflict going on right now between the big privacy laws that have come out, like GDPR and CCPA, plus the need for a market to be created. Right? There’s a mismatch going on here. Right? So what Facebook is doing is saying, well, I’m going to make it as sticky as possible for somebody to not go and switch to another service. Right? So they’re trying to stifle it, it looks like, and this is my take, you guys can totally chew me out on this, but it looks like Facebook is trying to say we hold all of the data, we own the social media market, nobody else can, you know, do anything about it. Right.
Whereas privacy regs are trying to say, well, watch what you’re doing when you transfer the data, whether it’s between brokers, as Josh is saying, or how you handle the data inside of the application itself.

Jeff Man 15:29
Alright, let’s talk about gloom and doom. Go for it. Well, I have a couple of articles we can kind of lump all together. The first one had to do with 4 million stolen credit cards being attributed to four restaurant chains in the US. So it’s a PCI thing. And then there’s a hospital having to pay a $2.2 million settlement for undisclosed data breaches. And then a third one, TrueDialog, providing supposedly secure SMS services for companies, leaked 600 gigabytes of personal data, which raises an interesting question, given, you know, the Hong Kong article: how do you put a value on 600 gigabytes of personal data that affects millions? And what kind of fines does that company expect to have to pay?

Josh Marpet 16:25
It depends. It depends on the data breach notification laws based on where they are, where those people are, where their headquarters are, what type of data it is, etc., etc., etc. Like your hospital story: $2.2 million for multiple undisclosed data breaches. It’s supposed to be $1.5 million per breach. So they got off cheap, apparently, if they had more than one breach.

Jeff Man 16:47
They had one and a half breaches, apparently.

Josh Marpet 16:51
Apparently, yes. But I mean…

Jeff Man 16:53
If I’m doing the math in my head roughly correctly.

Josh Marpet 16:56
You’ve got a problem, because with 600 gigabytes of data, it could be worth nothing, it could just be copies of War and Peace over and over and over. Or it could be full credit reports and medical and health insurance information for millions and millions of people. So you don’t know unless you read all of the information or data disclosed. And then at that point, well, it’s another breach. So you have to turn it over to the authorities and let them determine a value. And that’s always a problem. Let’s be honest.

Jeff Man 17:25
Well, let me ask you guys a question based on this. And I’m sorry, Scott, I’ll let you jump in here…

Scott Lyons 17:31
Don’t worry about it.

Jeff Man 17:32
Um, you know, given that the bad outcome for a company is a breach, and ultimately fines, you know, some sort of monetary outlay, whether it’s fines or replacement costs, or, you know, paying for the compliance and security to get beefed up so it doesn’t happen again, the bottom line for most companies is, something bad happens, they have to spend millions of dollars on it. How do you factor that into a risk discussion, where, you know, most companies’ budgets really can’t account for that bad outcome? How do you factor that in, just in general? And maybe it depends on industry and what you’re beholden to from a compliance standpoint, but how do you make a reasonable risk decision based on the bad that could happen? I’ll leave it at that. Any thoughts?

Scott Lyons 18:32
It comes down to really, really, really good engineering. Okay, really good engineering principles, right? Like an encrypted database, right? Like, don’t just put all of your sensitive, valuable data, even if it’s encrypted, into one database, right? Spread it out over multiple databases, encrypt everything, don’t hold passwords in clear text, right? These are fundamental engineering issues, right, that should have been addressed when the system was being built, not as an afterthought. Right? You talk about how do you put money towards risk and risk management: do it in the engineering process. So, you know, when you start setting up systems, set them up in the most secure manner possible, and then start dialing it back little by little as the access requests come in. Right? Unfortunately, here with TrueDialog, the database that we’re talking about was hosted in Azure, and it runs on Oracle, right? If you are not constantly checking your infrastructure, especially cloud, seeing as the cloud is just someone else’s computer, let’s be honest, right? If you’re not constantly checking how your configuration and your configuration management is done, right, you’re going to open yourself up to this time after time after time. Right, I hope that answers what you were saying, Jeff?

Jeff Man 20:04
Well, it does. And, um, you know, I’m not looking for a right answer, I’m looking for thoughts and ideas. Because one of the problems I have with risk management or risk-based solutions is very often I think that the potential monetary loss, which is what the bad outcome is, the risk that you’re trying to avoid, isn’t really either articulated well or properly quantified, so that you can make appropriate decisions. And even then, you know, what’s appropriate as a preventive measure, in terms of how much do you want to spend? Yeah, like, take the hospital, $2.2 million. That might be a drop in the bucket for them, or that could be, you know, half of their annual profit, or three quarters, or all of it, I don’t know what the number is. But, you know, let’s say that number, to me, seems significant. How much of that as a percentage should they spend on prevention? I think what you’re saying is sort of jumping to where to spend, because even the fundamental things that should have been done, assuming they haven’t been done from the outset, you’ve got to go back and identify all the systems that are missing all the fundamental things that should be done, and figure out who’s going to do them and who’s going to hold people accountable to make sure it gets done, what kind of automation or tools need to be purchased in order to facilitate that, what additional training needs to be done, you know, personnel need to be added or ramped up or brought up to speed to make sure these things happen and stick. You know, there’s costs associated with everything.

Scott Lyons 22:04
Yeah, even free has a cost associated to it.

Jeff Man 22:07
Sure. So, uh, you know, all that to say is, you know, and going back to why we have this program, most companies start with, okay, what do we do? And the answer to “what do we do” is “what do we have to do?” And that’s when they start looking at the regulatory and compliance standards that they’re subject to. And the question that I didn’t get a chance to ask Matthew, and I think it’s a rhetorical question, but I’m not sure if it is, I’ll run it by you, Scott, and see if you have any thoughts, and this will be sort of the closing thought for the day, is, you know, Matthew made a statement very early on about, you know, a lot of companies pursue compliance, and they invest a lot, you know, assuming they’re doing it right. They do whatever compliance standard they’re accountable to follow. And then he said something about that, but that doesn’t always make them secure, or that doesn’t always mean that they’re secure. So my question is, it could be PCI or any of them, it doesn’t really matter: what if companies follow, and they do a reasonable job in trying to do the best they can to follow, and they think they’re doing a good job of following whatever compliance or regulatory standard they’re subject to, and that doesn’t make them secure? What, in your experience, have you seen from your customers has been missing that would fall under the category of security? You know, with the assumption that security is something more than compliance, which I think most people, at least on the security side of the world, seem to think. Security is so much more than compliance; compliance is a bare minimum.

Scott Lyons 24:06
Right.

Jeff Man 24:08
What more needs to happen? What is missing that just meeting the compliance standards doesn’t address?

Scott Lyons 24:17
Well, there’s always been an inherent juxtaposition between security and compliance. Right? I think we can agree on that. Right? Yeah. Just because you’re compliant doesn’t mean you’re secure. But compliance is where you should start. Right?

Jeff Man 24:31
That is the mantra, and I’m asking what else? What else, then? What else? We agree with that assertion. What else is there?

Scott Lyons 24:41
The five pillars that Matthew was talking about earlier are very key in being able to understand what goes where within a security program and a security and compliance program, right. But what it fails to address is how you market that throughout the rest of the organization, how you market that with the C-levels and the board members to say, we’re doing our due diligence across all of these substantial areas of the organization, right? A lot of what we see are security teams that are so down in the weeds that they don’t see the big picture, they don’t see the rest of the organization and see where the risk is for what they do and how it applies to the rest of the organization. Right. So as a security professional, I would always say, understand the big picture, don’t just put your head in the sand and say, you know, woe is me. You know, there’s always something that can be done to move an initiative forward or manage risk in another area, even if the area doesn’t know it’s a thing, right? Or they say, no, that’s not a risk to us. There are always controls that can be put in place. You know, a lot of what we do is put emphasis on policies, procedures, and control implementation, right. And we feel that if you hit those three areas, not only are you hitting compliance, but you’re also hitting security at the same time: policies, procedures and control implementation, right? So yes, for example, right, the NIST RMF, right? If you take care of your policies, which are derived by your C-levels, your procedures, which are derived by your line managers, and then how you implement the controls, right down into the weeds, right, we believe that if orgs take that approach, they’ll be further along. Right now, the five pillars that we were talking about earlier were a great way to set the gap, right? To start looking at the pieces in the business, right? But it’s more than just five pillars, right?
Five pillars, that might be a starting point, right? Unfortunately, most orgs, you know, people who work in the orgs, they just want to go in, do their job and go home, right? Or they want to go in, get paid, go home, or they may work for a toxic leader, in which case, you know, go in, hope you get fired, right? And then go home. You know, it’s very rare that you find an organization that has leadership that is willing to invest in its people, its resources, to be able to better manage risk. Right? And unfortunately, that’s what we see.

Jeff Man 27:22
Yep. It’s an interesting answer, and I was trying to jot down some of my thoughts to answer my own question as you were talking, and it was interesting, because you pretty much captured just about everything that I wrote down, just in bullet form, you know: understanding the big picture, getting executive level buy-in. I wrote down accountability and enforcement, which translates to consequences. But then the bottom line is understanding. And what I think is interesting, and we’ll close on this note for the day, and it’s been a good discussion: none of the things that we’re describing as being critical aspects of how you get to security beyond compliance are technical controls. They’re all more managerial, procedural, organizational culture type of things. Right. It’s almost fascinating. Yeah, yep. All right. Well, anyway, good discussion. Good interview today. Let’s call it for the day and hope to see you all next time. This is Jeff and Scott. I think Josh had to drop, you know, he had work or something to do. But until next time, let’s be secure, let’s be compliant, and let’s figure out how they both work together.
