Archive for March, 2014

How an IT security team responds to a cyberattack can make a major difference in whether the attack is actually stopped. In one case, a company was hacked through one of its servers, and the IT security team responded quickly. However, the team failed to discover the Trojans that had already been installed on the other servers on the network.

In the end, the team had to clean up all the servers on the network.

"We knew the Trojan on that [first] system, but we missed out on a couple of other machines," one of the emergency response specialists said to Dark Reading. "As soon as we cleaned up the one machine, there they were the next day. They had moved laterally and installed two completely different backdoors, so IOCs [indicators of compromise] and signatures were useless."

According to Dark Reading, how a company responds when it is hacked is becoming just as important as the work that goes into preventing hacks in the first place. Many have come to accept that being attacked is inevitable: attackers are sophisticated enough that the question is not if a breach will happen but when, and what the response will be.

Dark Reading reports that in a survey conducted by Arbor Networks and The Economist, two-thirds of respondents believed that a proper, thorough response to a cyberattack would actually promote a company's reputation rather than harm it.

Target Fails to Respond Adequately
However, it can be difficult to respond properly even when the right detection is in place. Target was warned of the breach while it was under way. The tooling and the team in charge of detecting the attack worked as intended, but Target did not act on the information that came from them.

Target had installed a breach-detection tool built by the firm FireEye. Target had also hired a team of security specialists in Bangalore to watch for unusual findings and notify Target's central security operations department in Minneapolis whenever something suspicious turned up. When the attackers who broke into Target uploaded the malware that would collect credit card information and send it to servers in Russia, the FireEye software detected it and alerted the team in Bangalore. The Bangalore team passed the alert on to the security department in Minneapolis. However, Minneapolis did not act on it, and the attack proceeded as if Target had never installed FireEye's product at all.

This underlines that detection tooling is only as good as the process that acts on its alerts: an alert nobody follows up on is no better than no alert.


Smart business people know that they must secure their systems to withstand the most determined and persistent physical, as well as cyber, attacks. They must minimize their risk of exposure by deploying the most sophisticated security and anti-malware software, using outside firms to frequently penetration-test their cyber defenses, continuously training their employees to comply with the most stringent security protocols, investigating every vendor and installing state-of-the-art physical security equipment. They must obsessively monitor all of the above. And then, be prepared to manage the damage when the all-too inevitable breach occurs. But in between the technology, training and tracking, it’s all too common to forget one key factor: preparing to deal with the emotions of those customers or employees whose data have been compromised.


Many companies are turning to cyber insurance to ease the financial blow of a security breach. Ever since Target was hacked, sales of these policies have picked up.

Schools are one group that has taken cyber insurance seriously, but every company with confidential data such as payroll information might consider getting insurance. The insurance often covers account monitoring services, making it less expensive to hire third party security groups.

"You hear in the news of all those things happening, and we just wanted to make sure that our employees would be covered in case of a breach," said Nancy Hoover, a school-district finance official.

Target Slowly Recovers
Business is beginning to return to Target, which reassured investors in February. Shares had fallen 11 percent since news of the breach broke, but after optimistic reports about Target's first quarter, the stock rose 6.8 percent.

According to Reuters, the data breach led to hackers stealing 40 million credit and debit card records, along with 70 million other records containing customers' personal information including addresses and phone numbers.

Net profit fell 46 percent in the holiday quarter in which the breach was disclosed, and the costs associated with the breach totaled $61 million.

The data breach "took the wind out of Target's sails – and unfortunately sales," said Sandy Skrovan, U.S. Research Director at Planet Retail.

Many Companies Are Beginning to Invest in Policies
The insurance broker Aon PLC estimates that premiums for policies covering cyber-related risks totaled $1 billion in 2013, a major increase from $675 million the year before.

Recently, a New York court ruled that for a policy to cover a cyberattack, it must explicitly be cyber insurance rather than ordinary liability insurance. Sony had argued that its general liability coverage should pay for some of the fallout from the 2011 hack of its online game network. The ruling further encouraged companies to purchase dedicated cyber insurance, since an ordinary policy may leave them carrying the full financial burden of a successful attack.

Companies that sell products online, including small companies, "have many of the same exposures as a company like Target, just on a smaller scale," said Robert Hartwig, president of trade group Insurance Information Institute.

The insurance can be expensive: one policy costs $35,000 a year for $1 million of coverage. Sales will nonetheless likely rise as more companies wake up to the threat of cyberattacks.

Customers should be wary of what the mobile apps from companies like Wal-Mart or Starbucks store on their phones. A recent investigation showed that Starbucks's app left customer usernames and passwords on the device in plain text. Wal-Mart's app exposed passwords, email addresses and geolocation details to anyone who knew how to pull the data out of the application. The information was stored and transmitted unencrypted, so anyone using the app on public Wi-Fi was also at risk of having it intercepted.

Among the other security holes in the Wal-Mart app, the program kept an extensive list of products that had been scanned with the device, so an attacker could learn what a customer had recently looked at and purchased.

Additionally, the app exposed credentials for Wal-Mart's development server, which have since been deactivated. The server username was "Mobile" and the password was "1111." The developer credentials were "[email protected]" with the password "password."

Computerworld notes that Wal-Mart's gaps could be due to a lack of security testing. In other words, companies like Wal-Mart and Starbucks (and many others with easily hacked apps) do not pay people to try to break their apps and find the bugs before releasing them to the public. Wal-Mart appears to have relied on scripted tools to simulate attacks, according to Computerworld.

Wal-Mart has since corrected many of the problems in updates to its software.

Starbucks Was Another Company With an Unsecured App
Starbucks appears to have run into the same issue of inadequate testing. PCMag reported that Starbucks's app stored names, email addresses and passwords in clear text. Anyone with physical access to the phone could read them by connecting it to a PC and browsing the app's data files.
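Both the Wal-Mart and the Starbucks findings come down to the same check: pull the app's data directory off a device or backup and look for credentials sitting in plain text. The scanner below is an added illustration of that check, written for this page and not code from either company or from the researchers who found the flaws. It takes a mapping of relative path to file bytes (what an app container dump gives you), skips binary files, and flags credential-looking key/value pairs in JSON, properties and plist files as well as URLs with embedded credentials. The sample container, the hostname `dev.example.invalid` and all values in it are constructed.

```python
"""Offline scan of an extracted app data directory for plaintext secrets.

Added illustration, not Wal-Mart's or Starbucks's code. Input is a mapping
of relative path -> file bytes, as obtained from an app container backup or
device dump. Every sample file below is constructed for the example.
"""
import re
from typing import Dict, List, NamedTuple

# Key names whose values should never sit unencrypted in an app's data directory.
SENSITIVE = ("password", "passwd", "pwd", "secret", "token", "api_key", "apikey")
_ALT = "|".join(SENSITIVE)

# key=value / key: value / "key": "value"  (JSON, .properties, .ini)
KV_RE = re.compile(
    r'["\']?(?P<key>[A-Za-z_]*(?:%s)[A-Za-z_]*)["\']?\s*[:=]\s*["\']?(?P<val>[^"\'\s,;}]+)' % _ALT,
    re.IGNORECASE,
)
# Apple plist style: <key>password</key><string>value</string>
PLIST_RE = re.compile(
    r"<key>(?P<key>[^<]*(?:%s)[^<]*)</key>\s*<string>(?P<val>[^<]+)</string>" % _ALT,
    re.IGNORECASE,
)
# scheme://user:password@host  (credentials baked into an endpoint URL)
URL_CRED_RE = re.compile(
    r"[a-z][a-z0-9+.\-]*://(?P<key>[^:/@\s]+):(?P<val>[^@/\s]+)@", re.IGNORECASE
)


class Finding(NamedTuple):
    path: str
    kind: str      # "kv", "plist" or "url"
    key: str       # key name, or the username for a URL credential
    preview: str   # first two characters of the value; the report never holds the whole secret


def is_text(data: bytes) -> bool:
    """Cheap binary sniff: a NUL byte or mostly non-printable bytes means skip the file."""
    if b"\x00" in data:
        return False
    sample = data[:4096]
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return not sample or printable / len(sample) > 0.9


def mask(value: str) -> str:
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "**"


def scan_file(path: str, data: bytes) -> List[Finding]:
    if not is_text(data):
        return []
    text = data.decode("utf-8", errors="replace")
    found = []
    for kind, rx in (("plist", PLIST_RE), ("url", URL_CRED_RE), ("kv", KV_RE)):
        for m in rx.finditer(text):
            found.append(Finding(path, kind, m.group("key"), mask(m.group("val"))))
    return found


def scan_container(files: Dict[str, bytes]) -> List[Finding]:
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


# Constructed sample container (not a real app's files).
SAMPLE_CONTAINER = {
    "Library/Preferences/com.example.coffee.plist": (
        b'<?xml version="1.0"?><plist version="1.0"><dict>'
        b"<key>username</key><string>alice</string>"
        b"<key>password</key><string>Hunter2!</string>"
        b"</dict></plist>"
    ),
    "Library/Caches/session.json": b'{"email": "alice@example.com", "session_token": "eyJhbGciOi"}',
    "Documents/config.properties": b"dev.url=http://Mobile:1111@dev.example.invalid/api\n",
    "Library/Caches/thumb.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "Library/Preferences/ui.json": b'{"theme": "dark"}',
}

if __name__ == "__main__":
    for f in scan_container(SAMPLE_CONTAINER):
        print(f"{f.path}: {f.kind} {f.key} = {f.preview}")
```

Run against the sample it reports three findings: the URL credential in the properties file, the session token in the JSON cache and the password in the plist, while the PNG and the harmless preferences file produce nothing. On a real dump the same regexes over the whole container are a quick first pass; the fix on the app side is to keep such values in the platform keychain or keystore rather than in files the app writes itself.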

Starbucks maintains that it knows of no case in which the flaw was used against its customers. The company also said it has fixed the problem, although it has not explained how.

"While we are aware of this report, there is no known impact to our customers," a Starbucks spokesperson said in a statement. "To further mitigate our customers' potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way."

Starbucks has since released an updated version of the mobile app for iOS, which includes password protection and other security measures.

Since news outlets reported the extent of the National Security Agency's surveillance of U.S. citizens, some consumers have been uneasy at the thought of agents reading their email. Many tech companies have responded with added encryption. Google, for example, now encrypts all Gmail traffic between users and its servers and between its own data centers.

Users can check for themselves by looking at the site's URL. If the address begins with https://, the connection between the browser and the site is encrypted, so someone on the same network cannot read the traffic. The caveat is that HTTPS only protects data in transit: it says nothing about how the site stores the data once it arrives, and a forged or mis-issued certificate can still undermine it, so the browser's certificate warnings should not be clicked through.

Google made encryption between its data centers a priority after last summer's revelations that the NSA had been tapping the links between them to read Gmail traffic.

"Our commitment to the security and reliability of your email is absolute, and we're constantly working on ways to improve," said Nicolas Lidzborski, Gmail security engineering lead.

HIPAA Compliance and Google
Encryption is crucial for keeping data secure in the health care industry, as health companies must comply with privacy rules derived from the Health Insurance Portability and Accountability Act. Google has been making advances in compliance practices specific to health care. It has added features to its cloud services that allow business associate agreements (BAAs) between health care customers and Google. Google first began offering HIPAA BAAs last October. Its website indicates it offers BAAs for Gmail, Google Calendar, Google Drive and Google Apps Vault.

Previously, Oregon Health and Science University (OHSU) was reprimanded for storing HIPAA-protected data in Google's services without having signed a BAA. Google has since created a streamlined process for signing one.

The process has Google asking the following questions:

  1. Are you a covered entity (or Business Associate of a Covered Entity) under HIPAA?
  2. Will you be using Google Apps in connection with protected health information?
  3. Are you authorized to request and agree to a Business Associate Agreement with Google for your Google Apps domain?

Google and Email Security
Google has cut account compromises dramatically, according to Dark Reading: as of last year it had reduced the number of compromised Google accounts by 99 percent. According to Mike Hearn, a security engineer at Google, a risk-analysis system estimates the likelihood that the person signing in is the real owner of the account. The system weighs about 120 variables and runs on every sign-in, whether a user logs in every five minutes or once a month.
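The passage describes risk-based sign-in: the password is necessary but not sufficient, and a score over behavioural signals decides whether to let the login through, demand a second factor, or refuse it. The block below is an added illustration of that idea, written for this page. It is not Google's system; the four signals, their weights, the 900 km/h travel limit and the allow/challenge/block thresholds are invented for the example, as is the constructed sign-in history for a user in Minneapolis.

```python
"""Risk-scored sign-in decision (added illustration; not Google's system).

Signals, weights and thresholds are invented for the example. A real engine
would use far more signals and learned weights rather than these constants.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Login:
    ts: datetime       # UTC timestamp of the sign-in
    country: str
    device_id: str     # stable identifier from a device cookie or app install
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(history: List[Login], attempt: Login) -> Tuple[int, Dict[str, int]]:
    """Return (risk score, contributing signals) for a sign-in that passed the password check."""
    signals: Dict[str, int] = {}
    if not history:
        signals["no_history"] = 30          # nothing to compare against: ask for a second factor
        return sum(signals.values()), signals
    if attempt.device_id not in {h.device_id for h in history}:
        signals["new_device"] = 30
    if attempt.country not in {h.country for h in history}:
        signals["new_country"] = 25
    last = max(history, key=lambda h: h.ts)
    hours = (attempt.ts - last.ts).total_seconds() / 3600
    km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
    if hours >= 0 and km / max(hours, 0.01) > 900:   # faster than an airliner: "impossible travel"
        signals["impossible_travel"] = 40
    if attempt.ts.hour not in {h.ts.hour for h in history}:
        signals["unusual_hour"] = 10
    return sum(signals.values()), signals


def decide(score: int) -> str:
    """Map the score to an action. Thresholds are invented for the example."""
    if score < 30:
        return "allow"
    if score < 60:
        return "challenge"      # require a second factor before granting the session
    return "block"


def utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed history: one user, one laptop, Minneapolis, three sign-ins.
MPLS = (44.98, -93.27)
HISTORY = [
    Login(utc(2014, 3, 10, 9), "US", "mac-1", *MPLS),
    Login(utc(2014, 3, 11, 13), "US", "mac-1", *MPLS),
    Login(utc(2014, 3, 12, 18), "US", "mac-1", *MPLS),
]
# Three constructed attempts, each with a correct password.
SAME_AS_USUAL = Login(utc(2014, 3, 13, 13), "US", "mac-1", *MPLS)
NEW_LAPTOP = Login(utc(2014, 3, 13, 13), "US", "win-9", *MPLS)
TWO_HOURS_LATER_IN_LAGOS = Login(utc(2014, 3, 12, 20), "NG", "win-9", 6.45, 3.40)

if __name__ == "__main__":
    for name, attempt in [("usual", SAME_AS_USUAL), ("new laptop", NEW_LAPTOP),
                          ("Lagos", TWO_HOURS_LATER_IN_LAGOS)]:
        score, why = score_login(HISTORY, attempt)
        print(f"{name}: score={score} -> {decide(score)} {why}")
```

The usual sign-in scores zero and is allowed; the same place on an unfamiliar laptop scores 30 and gets a second-factor challenge; a correct password presented from Lagos two hours after a Minneapolis session trips new device, new country, impossible travel and unusual hour together and is blocked. The design point is that the correct password on its own never decides the outcome, which is what lets a system like this defeat credential theft at scale.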

Join IDentity Theft 911 (@IDT911) and the Identity Theft Resource Center (@ITRCSD) on Thursday, April 3 at 2 p.m. ET for #IDTheftChat!


The topic: SCAMS. They’re everywhere – your smartphone, email inbox, and mail slot, and consumers are becoming victims every day.

Identity theft is on the rise again, according to Javelin Strategy and Research. The firm, which does an annual survey of identity theft victims, estimates that 13.1 million U.S. adults were hit by ID theft in 2013, an increase of 500,000 victims from 2012.


Most people assume identity thieves are super-sophisticated hackers sitting in front of banks of blinking computer screens. The more vigilant among us might be shredding every document in sight, jealously guarding sensitive information from unknown callers or online “frenemies” and installing the most sophisticated firewalls and security software on our mobile devices and computers. But sometimes you really never see it coming and the identity thief who ruined your credit and turned your life upside down is actually your mom or dad.



If recent disclosures regarding the massive wave of breaches suffered by retailing icons Target, Neiman-Marcus and Sally Beauty haven’t scared you enough, try to wrap your brain around the new Ponemon Institute Patient Privacy and Data Security study. The study has found a 100% increase in criminal attacks on health care organizations since 2010. But if that weren’t enough, they also found something far more disturbing.


Only about one in three companies reports data breaches. More than half (57 percent) would not voluntarily disclose a hack if they were not already required to do so by breach-disclosure laws.

According to a report by Arbor Networks and The Economist Intelligence Unit, 77 percent of 360 respondents said they had been hacked in the past two years.

"Only a third of companies are willing to share information about incidents with other organizations … But these days, the only way to defend is sharing," said Dan Holden, director of Arbor's ASERT. 

Attorney General Eric Holder wants to make it a legal requirement for all companies to disclose data breaches when they occur. As of now there is no federal law requiring companies to tell customers they have been hacked, although many states have their own notification laws.

"A strong, national standard for quickly alerting consumers whose information may be compromised … would empower the American people to protect themselves if they are at risk of identity theft," Holder said. "It would enable law enforcement to better investigate these crimes – and hold compromised entities accountable when they fail to keep sensitive information safe."

Sen. Patrick Leahy, D-Vermont, has recently proposed a bill that would require companies to reveal breaches.

How to Catch a Hacker
Many police investigations depend on keeping a breach confidential for a time so that investigators can watch the attackers as they try to gather more sensitive data, according to CNN. Law enforcement can use what it observes to track down the criminals.

Once the investigation is concluded, however, intelligence sharing is thought to be the best way to defend other companies against the same attackers, according to Dark Reading.

"The only way to defend is sharing," said Holden.

CNN reports that cybercrime has increased in recent years. According to Verizon, there were 621 confirmed breaches in 2012, and those are only the ones that were reported. Federal Bureau of Investigation Director James Comey has said cybercrime will soon be as dangerous to the U.S. as terrorism.

According to Dark Reading, 60 percent of organizations that responded to the Arbor Networks poll have an internal incident response team. Most large organizations (80 percent) and 70 percent of companies overall retain a third-party firm to handle security breaches. However, only 17 percent of executives believe they are fully prepared, and 40 percent believe they would be better prepared with more knowledge of malicious activity on the Internet.


Thousands of police officers are wearing small body cameras to record their dealings with the public, but the nationwide rollout raises privacy concerns.

A big reason why? The "lack of clear guidelines on the cameras' use could potentially undermine departments' goals of creating greater accountability of officers and jeopardize the privacy of both the public and law enforcement officers," according to one report.

The small cameras fit on an officer’s lapel, sunglasses or chest. The intention is to record the daily interactions officers have with the public in an effort to reduce false complaints and costly litigation.