The SC Magazine Newsteam Blog

Best Western finds that compliance does not guarantee security

Posted August 26, 2008

As the Rolling Stones used to say, “What can a poor boy do?”

Despite taking all the prescribed precautions and having proper defenses in place, late last week, hotel chain Best Western allegedly suffered the indignity of a breach of its reservation system. Reportedly, the personal information of eight million customers was put up for sale on a pirate site (reportedly via a Russian mob), though the hotel issued a statement disputing this account.

While the facts at this point in the investigation are sketchy, a trojan placed on a computer within the chain is being cited as the hacker’s entry point. And this occurred even as the chain was doing everything it should to prevent such an intrusion. In a statement issued in response to a news report of the breach, the chain outlined all the steps it takes in its information security processes:

  • “We comply with the Payment Card Industry (PCI) Data Security Standards (DSS). To maintain that compliance, Best Western maintains a secure network protected by firewalls and governed by a strong information security policy. We collect credit card information only when it is necessary to process a guest’s reservation; we restrict access to that information to only those requiring access and through the use of unique and individual, password-protected points of entry; we encrypt credit card information in our systems and databases and in any electronic transmission over public networks; and again, we delete credit card information and all other personal information upon guest departure. We regularly test our systems and processes in an effort to protect customer information, and employ the services of industry-leading third-party firms to evaluate our safeguards.”

From this security profile, it’s reasonable to assess that Best Western was doing everything “right.” But the end result proves that “right” just might not be enough.

As we hear over and over again: compliance does not necessarily equal security. Experts repeat ad nauseam that compliance is useful (even if begrudged), but that other measures must also be put in place to build up a stronger defense against the loss of data, both from without and within.

This latest alleged exposure raises a number of issues: Was Best Western doing everything right to defend its database and network? Could it have done anything differently to beef up its defense? Is it inevitable, as many say, that a breach cannot be stopped? And the inevitable question: what now?

Whether the accusations are accurate or not, whether the charge that the personal info of eight million customers was exposed is overblown, as some are saying (including the hotel chain), or whether that number turns out to be much smaller, almost doesn’t matter at this point. Beyond the need for a reassessment of its information security systems, it’s a PR nightmare for Best Western.

“So much public scrutiny as a result of the published report could be detrimental to Best Western’s brand,” Ed Moyle, manager, CTG, a firm that provides information technology staffing and solutions, told SCMagazine.com yesterday.

Whether Best Western is the victim of a hacker or of a campaign to besmirch its name, this week’s latest entry into security celebrity status unfolds as an illustration for the rest of us. Will this negative attention mean much to the public? How will Best Western handle the accusations and the tangible setup of its IT security systems and processes?

Clue: They might look to Hannaford, who handled the aftermath of its breach with transparency.


RSA wrapup: The good and the creepy

Posted April 14, 2008

Deb Radcliff filed this after attending RSA Conference 2008.

Everyone’s always asking those of us from the trade press about trends we see at RSA.

Some will tell you RSA this year was all about virtualization, which already seems like an old story with vendors like Blue Lane Technologies and Reflex Security stepping in to monitor the heretofore unwatchable layers created by virtual machine managers and their guests.

Others will say it’s all about data leakage protection, and we sure saw a lot of that at the conference this year, with Symantec, Trend Micro and others taking leakage protection to a more comprehensive level at the endpoint and gateway.

Unified authentication and use of federated identity frameworks are also gaining momentum, with Microsoft discussing its unified access approach, TriCipher announcing over 50 web applications (SalesForce, WebEx, Google, etc.) in its user single sign-on portfolio, and so on.

Ultimately (true to RSA President Art Coviello’s Tuesday morning keynote), the overall conference boiled down to more holistic management of risk under the following bullet points:

• Looking at security from inside out instead of outside in (protecting data instead of the network)
• Driving protections deeper into the infrastructure to make it more of an operational function rather than a separate security function
• Using security as an enabler for new types of business

All good and necessary aspirations. But one theme that subtly carried across and outside the conference was this nuance of surveillance – surveillance of children (Symantec’s upcoming family security suite), surveillance of IP traffic, including through the ISPs.

The theme of being watched resonated outside the conference, starting with hotel rooms booked through the RSA block. On Monday night, little piles of colorful conference bling and fliers appeared on doorsteps of all RSA attendees who registered through that block. They know where you are, and so does everyone walking down the hallways looking at the bling in front of all those doors. RSA used a middleman to deliver the bling to the doors, according to a spokesperson, but that’s still creepy.

That same feeling also carried over to the end-of-RSA bash Thursday night, into which RSA Conference organizers put a lot of work and expense, setting up different forms of entertainment in the Marriott ballrooms. In the karaoke room, for example, local entertainers set up a 20-foot black pyramid topped with a giant, 12-by-10-foot face-shaped screen with a protruding nose. Onto that screen was projected the face of a real person taking questions, acting all-knowing like the Wizard of Oz while looking ominously down upon the crowd. (See my friend Liz Safran’s picture of said face here.)

Then there was the face painting room. With security and privacy blended so closely together, it was amazing how many security practitioners blithely stood in line to get barcodes painted on their foreheads. Not only did the fake barcodes wreck their coiffures, they made their bearers repulsive: every time one walked by it made you think of the ‘mark of the beast’ predicted in the biblical Book of Revelation.

All in fun, one might say. But given the level of desensitization among this crowd, it looked more like a parody of things to come. — Deb Radcliff
