SC Blogs

Hope, but a lot of questions

With a new presidential administration about to take office, many are hopeful that the “change” promised on the campaign trail will begin to take effect sooner rather than later.

When it comes to industry regulations and the variety of data breach laws on the books, some look to President-elect Obama and express confidence that he can garner the momentum to help bring some needed order to the disparate edicts on the books, regulating everything from patient health care records to financial data to retail customers’ credit card information.

The Obama platform has offered specific remedies to help the government and private industry become more efficient, including greater automation of data collection. But some warn that it will likely take time for any meaningful legislation to make its way through Congress.

“With the current budget, it may or may not happen,” one vendor of compliance tools told SC yesterday. “In the early part of the administration, a reform bill is not likely to come out early,” he said.

But, as the stock market rally the past two days may show, the reaction to Obama’s competency in putting together an economic team portends positive results for future initiatives.

Even though he may be forbidden – for state security reasons – to use his BlackBerry, it’s comforting to know that the person in charge has an acute awareness of technology. We can pretty well assume he will be a champion and strong advocate for procedures affecting the transmission of data.

As well, President Obama is likely to show more concern than the previous administration for the affairs of the nation’s citizens, meaning that he will likely work to protect consumers from data fraud and enact stronger punishments for those responsible for data breaches.

In the January issue of SC Magazine, our reporter Angela Moscaritolo speaks with several experts on how an Obama presidency will affect the IT security field, referencing Obama’s speech at Purdue University where he pointed out that our country’s system of information networks is the backbone of our economy.

We will also examine a brand-new data breach law in Massachusetts, said to be the strictest in the nation. Will this become a model for federal legislation? Please check back; it’s an ever-evolving stage.


Best Western finds that compliance does not guarantee security

As the Rolling Stones used to say, “What can a poor boy do?”

Despite taking all the prescribed precautions and having proper defenses in place, hotel chain Best Western allegedly suffered the indignity of a breach of its reservation system late last week. Reportedly, the personal information of eight million customers was put up for sale on a pirate site (reportedly via a Russian mob), though the hotel issued a statement disputing this account.

While the facts at this point in the investigation are sketchy, a trojan placed on a computer within the chain is being cited as the hacker’s entry point. And this occurred even as the chain was doing everything it should to prevent such an intrusion. In a statement issued in response to a news report of the breach, the chain outlined all the steps it takes in its information security processes:

  • “We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest’s reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.”

From this security profile, it’s reasonable to assess that Best Western was doing everything “right.” But the end result proves that “right” just might not be enough.

As we hear over and over again: compliance does not necessarily equal security. Experts repeat ad nauseam that compliance is useful (even if begrudged), but that other measures must also be put in place to build up a stronger defense against the loss of data, both from without and within.

This latest alleged exposure raises a number of issues: Was Best Western doing everything right to defend its database and network? Could it have done anything differently to beef up its defense? Is it inevitable, as many say, that a breach cannot be stopped? And, inevitably, what now?

Whether the accusations are accurate or not, whether the charge that the personal info of eight million customers was exposed is overblown, as some are saying (including the hotel chain), or whether that number turns out to be much smaller, almost doesn’t matter at this point. Beyond the need for a reassessment of its information security systems, it’s a PR nightmare for Best Western.

“So much public scrutiny as a result of the published report could be detrimental to Best Western’s brand,” Ed Moyle, manager, CTG, a firm that provides information technology staffing and solutions, told SCMagazine.com yesterday.

Whether Best Western is the victim of a hacker or of a campaign to besmirch its name, this week’s latest entry into security celebrity status unfolds as an illustration for the rest of us. Will this negative attention mean much to the public? How will Best Western handle the accusations and the actual state of its IT security systems and processes?

Clue: They might look to Hannaford, which handled the aftermath of its breach with transparency.


In defense of offense

Human nature can rarely change, and when it does, it is mostly a reaction to environmental variation. This is Darwinism, and was famously reflected in Lincoln’s observation about human nature: “…repeal all compromises — repeal the declaration of independence — repeal all past history, you still can not repeal human nature.”

Thus it is with security in the interconnected world. When we think of security at all, it is from a defensive standpoint. Our forebears built fences, walls, castles and forts, and each of those defensive measures waned in turn. In the great conflagrations of the 20th century, only when strategy turned from defensive posturing to offensive maneuvering did the winning side prevail.

Could our current plight in the face of a constantly evolving threat state only be rectified with a transformation of human nature? Should we abandon all further hope of creating the decisive defensive weapon and simply go after the attackers?

It’s hard to imagine such a radical shift. The environmental variation has not sunk in – most of the industrial world seems only vaguely aware that a problem of security exists.

Thus, repealing human nature seems unlikely. The answer may be that threats must be preempted. And the only way to see that happen peacefully is through governmental cooperation, on a level that requires more than just police action.

Therein lies the rub. Governments are made up of humans, and Darwin, Lincoln, and your local DHS office are not going to repeal the defensive mood.

What am I driving at? Until everyone senses some kind of a worldwide criminal breakdown — chaos, anarchy, disorder, and monetary collapse — our defensive mentality is unlikely to change. The industry is safe for venture capitalists.

But if doomsday approaches, then survival may depend on a more proactive approach to the bad guys who thrive in the current setting. The pressure on governments, however reluctant, to cooperate in finding and eliminating cybercriminals behind their lines may push the cretins out of the picture.

But I’m not holding my breath.


Right thing, wrong way

It’s understandable that The TJX Companies would fire an employee for publicly discussing internal policies, but the clothing chain is likely to receive a good deal of backlash from the media for its latest action – it just fired a whistleblower for making public some of its internal security policies.

Nick Benson, who was employed at a TJ Maxx in Lawrence, Kansas, frustrated that his warnings about lax information security were being ignored by his bosses, communicated his irritation on a hacker blog.

The University of Kansas student, posting with his hacker name CrYpTiC MauleR, pointed fingers at the company’s lax password policy, its server security settings, and the technicians with hardly a clue who came in to install firewalls at the company’s stores.

For example, Benson said, “I told an executive loss prevention manager about the username being the same as the password months before the breach occurred, of course he didn’t do anything.”

Not that the company can’t withstand some bad press. The breach Benson refers to, in Jan. 2007, was reported to have exposed as many as 94 million credit and debit card accounts, and cost the company tens of millions of dollars in legal settlements. But it seemed to have little effect on sales.

In fact, customers showed little concern following the transgression. Many were obviously more attracted to a sales offer the company issued along with an apology, than to any worries of having their credit card info stolen by hackers.

According to published reports, what led to the breach was the company’s failure to secure its Wi-Fi network. The Wired Equivalent Privacy protocol the company used has been shown to offer inadequate protection and opened the door for hackers — using a basic, telescope-shaped antenna and a laptop — to steal data flowing through a Wi-Fi network at one of the company’s units near St. Paul, Minnesota. The hackers, said to be Romanian and Russian organized crime groups, also pierced the TJX central server in Framingham, Massachusetts, creating their own accounts.

Benson, while not disclosing specific workings of the company’s network in his postings, was obviously trying to do good by asking for help in fixing a problem that could affect TJX customers. But his approach did not go through the proper channels and he was guilty of transgressing company policy.

While TJX is repeatedly held up in the press as a poster child for data breach infractions, it has responded to legal requirements to ramp up security on its network, installing stronger firewalls.

The company might have benefited by listening to CrYpTiC MauleR when he first approached them with his information.

One responder on the blog had these words of advice: “Instead of stocking the shelves with the new spring fashion colors and designs, why don’t you step up and apply for an IT position where it would seem your skills be best suited. By the sounds of it they could use your help and it sounds like you have solid skills.”

Yes, Benson violated company policy by discussing internal policies, but hopefully he’ll end up in a better place — a place where IT warnings are heeded, where strategies can be found to respond to challenges, where corporate support is offered and where the security of customer information is considered a priority.

