Archive for September, 2014

3C Privleged Accounts

Companies have been distributing privileged accounts to employees and vendors for the past 20 years without considering the security ramifications.

Privileged accounts are logons that open access to desktops, laptops, servers, firewalls, databases, printers—any device with a microprocessor that’s connected to a company network.

But hackers and data thieves are abusing privileged accounts to breach highly protected networks and steal mountains of sensitive data. In fact 86 percent of large enterprise organizations either do not know or underestimate the number of privileged accounts incorporated into their networks, according to a survey from password security vendor CyberArk Software.

Follow these best practices for securing privileged accounts and sensitive data from .

1.  Reduce the number of privileged accounts. Every company has too many. This creates opportunities for accidental damage and breaches. And it increases the odds of an intruder gaining a foothold in your network.
2.  Reduce privileges of authorized users. Allow authorized users to make changes only to the parts of the infrastructure that they are assigned to manage. That is far better than giving them rights to make changes more broadly.
3.  Monitor, monitor, monitor. Record all logons and all activities. This process helps maintain compliance and ensures an easily reviewable audit trail exists. It also helps quickly identify intruders, as well as rogue insiders, or even sloppy or incompetent employees. Look into implementing advanced monitoring that will automatically alert you to anomalous activity.
4.  Use strong authentication and robust passwords. At one time it was ok for a limited group of people to share a single account password, but no longer, especially for systems carrying sensitive data.
5.  Get to know your data.  Account for sensitive data that may be backed up in multiple locations, or that may be stored in stray locations due to poor data hygiene practices.
6.  Assume you’ve been breached.  Begin with the assumption that a thief is in your midst.  Structure your network to reduce the impact of an attacker in any one area. Watch for unusual behavior of both people and systems. Focus on the people granted access to the sensitive data.
7.  Control physical access. Lock up desktops and take home or lock away laptops after hours. Locate servers in secure data rooms, not in branch offices, kitchens or closets. Monitor and manage access to data rooms.
8.  Regularly review access rights.  Assign managers and supervisors to periodically check subordinates’ access rights to assure users only have access to appropriate systems.
9.  Enforce Encryption. Apply appropriate levels of encryption to data at rest and data in motion.

Sources: IDT911 interviews with Brad Hibbert, Vice President, Product Strategy and Operations, BeyondTrust, a Phoenix-based supplier of vulnerability and privileged accounts management system, and Geoff Webb, Solution Strategy Senior Director at Houston-based identity management vendor NetIQ.

Two major government agencies in charge of cybersecurity have issued a warning about the rising threat of insiders who may cause data breaches or destroy sensitive information, . The warning released by the DHS along with the Federal Bureau of Investigation noted disgruntled or former employees may be the ones who take action to steal proprietary software or consumer information from their former workplace in order to benefit another company. 

The sources of these breaches may be cloud storage services, such as Dropbox, as well as personal email accounts, according to the DHS and FBI. Companies that are aware of this problem may want to look into deactivating former employees' access to corporate systems as the report said terminated employees may still be able to view information held on their IT networks via remote desktop protocol software. 

When insiders threaten the security of their past employers' systems, businesses may see increased disruptions and downtime. This may result from website malfunctions, cyberattacks and data breaches. The FBI estimated businesses affected by insider threats may see costs between $5,000 to as much as $3 million. 

Lack of Background Checks Endanger Taxpayer Data
Insider threats may be present in agencies that collect sensitive consumer information, including the Internal Revenue Service, . A report by the the Treasury Inspector General for Tax Administration (TIGTA) said the IRS did not implement certain controls to protect consumer data, including running background checks on government contractors. Workers who had access to sensitive but unclassified (SBU) information did not have background investigations done, which could put this information at risk for being used for fraudulent purposes. 

The report highlighted one incident where a contractor was given a compact disk holding 1.4 million taxpayer records, including their names, addresses and Social Security numbers. It was found that the workers hired by the contractor did not undergo background investigations.

In a separate incident, a long-time worker at the IRS was found guilty of identity theft after heading a tax fraud ring, . 

Recommendations for Increased Security
​TIGTA suggested the IRS conduct background checks before the contractors start work and that the staff is trained on contractor security requirements. Without the right internal controls, taxpayers may be vulnerable for fraud and identity theft due to contractors having access to taxpayer data. 

With other threats to consumer security and privacy, the DHS and FBI recommended agencies also change passwords to servers and networks once employees leave and prevent access to cloud storage websites. 

ITRC FTC pass it on

If you’ve ever had to help someone understand a new piece of technology or a new app or program, you can end up feeling like a one-person tech support team, but a new campaign is underway that can help you protect people around you when they’re online. The Federal Trade Commission’s campaign is aimed at making sure you are armed and ready to protect the people you care about from identity theft and online scams.

The very same people who constantly come to you with questions about downloading software or installing new components are the ones who need this information to come from a trusted source: you. The FTC has put together information sheets on identity theft and several scams so you can “pass it on” to friends and family members and help them avoid becoming a statistic when it comes to online fraud.

(more…)

itrc data breach victim

Everywhere you turn these days, it seems as though there is another news story about another data breach. The stories help educate the public about how vulnerable their personal information is and how to protect themselves, but they also cause confusion.

Each week, the Identity Theft Resource Center publishes a , sponsored by IDT911, that lists the latest data breaches, the type of personal information involved, and the number of records exposed. This report has become a resource for reporters covering issues such as privacy and identity theft. This identity theft part is where we run into trouble.

(more…)

Home Depot client
Home Depot customers who shopped there this summer must take steps to protect their credit card accounts. The home improvement retailer that the account information for 56 million cardholders was compromised when hackers breached the company’s cash register networks at stores in the United States and Canada.

The affected registers have been removed and the hackers’ access has been closed off. The company said there is no evidence that debit card PINs or online customers were compromised. But consumers should be aware of how to secure their identities.

Why do thieves steal this data? To websites to criminals who run as many fraudulent transactions before the bank closes or replaces the account.

What You Should Do

(more…)

Former employees of Home Depot said they voiced their criticism of the company's security vulnerabilities years before its massive data breach, but the company did not respond quickly enough, . Sources close to the company said they began raising concerns in 2008. Fast forward to 2014, Home Depot confirmed a data breach affecting 56 million credit and debit cards swiped throughout the company's U.S. locations.

Companies like Home Depot may be lacking in both prevention and detection of cyber threats, the Times reported. Without these abilities, firms are vulnerable to attacks on their systems, which could result in data breaches.

Home Depot said the breach lasted between April and September, .

One of the procedures IT security experts suggest for data theft prevention is regular scans of systems with the latest technology. However, sources familiar with Home Depot's cybersecurity procedures said the company did not use up-to-date software to protect customer information, according to the Times.

"Scanning is the easiest part of compliance," said Avivah Litan, a cybersecurity analyst at research firm Gartner, according to the Times. "There are a lot of services that do this. They hardly cost any money. And they can be run cheaply from the cloud."

Future of Home Depot Security
The company removed the malware present on its systems and will improve its security through updating its encryption software starting in 2015. However, it appears the damage may have been done as millions of patrons may be vulnerable to identity theft and credit card fraud. 

Of the 56 million payment records exposed in the Home Depot breach, more than 282,000 credit and debit card numbers stolen in Wisconsin stores were for sale on black markets online, .

"When they're 100 percent valid, that's an indicator that the merchant hasn't fixed the problem yet," Brian Krebs, cybersecurity reporter at KrebsOnSecurity, told the Journal Sentinel. "It's a live breach."

This development shows cybercriminals are hoping to profit off this stolen information by offering payment data for sale, which is similar to the aftermath of the Target breach when hackers packaged data to be sold on the black market.

Home Depot may begin to see the same consequences as Target after the data breach discovery, which could include drops in stocks and sales. With the rollout of the new encryption system, Home Depot may improve its data theft prevention, but the company's slow response to the breach shows more needs to be done to avert future financial disasters. 

When he was a master identity thief in the 1960s, Frank Abagnale said he used to make his own fraudulent ID cards and forge checks, . Immortalized in the critically acclaimed film "Catch Me If You Can," Abagnale later turned his life around and became a respected anti-fraud expert. Now he is warning that lack of action from leaders in the federal government may be endangering consumer information because it has become easier to steal data today. 

State laws have typically governed how businesses notify consumers about data breaches. California has some of the strictest cybersecurity and privacy laws in the nation, recently passing the kill switch law to install remote-locking capabilities on phones and the eraser button law, allowing younger Internet users to remove embarrassing photos on social media sites. While states have had some success in guarding against cyberattacks and maintaining consumer privacy, some have criticized the federal government for not being as active in protecting consumers from identity theft and other data-related crimes. 

Abagnale said federal government agencies have not been leaders in securing consumer information as they should. He gave the example of having to convince the U.S. Internal Revenue Service not to display Social Security numbers on tax return mailing labels. Identity thieves have been known to steal mail right out of mail boxes to access consumers' valuable information. 

Flaws in Government's Handling of Taxpayer Data
Abagnale does have a point that government agencies and leaders should step up their fight against identity theft after a government watchdog earlier this year called the IRS "an institution in crisis," according to a February blog by IDT911.

A recent report said there were also flaws pointed out in the agency's handling of taxpayer data. The report said the IRS does not ensure that personnel who process consumer information have had background checks, which may put this data at risk for theft, .

Recently, the federal government has shown signs it is willing to improve its leadership regarding data security, most notably by calling for a federal law to standardize data breach notifications. While there support for this legislation has been growing, some believe the government may not be able to finalize this type of law, .

"I'm not sure when, or whether, the federal government will want to jump into this particular thicket," said Lori S. Nugent, a partner with law firm Wilson Elser Moskowitz Edelman & Dicker L.L.P, in reference to a federal data breach notification law, according to Business Insurance. 

With the IRS working to improve its internal processes and ramp up prosecutions of identity theft crimes, it might be a matter of when – instead of if – consumers will see results from increased protections from cyberattackers and identity thieves. 

checklist

The breach at is only the most recent in a torrent of high-profile data compromises. Data and are at record levels. Consumers are in uncharted territory, which raises a question: Is it time to do for data breaches and cybersecurity what the nutritional label did for food? I believe we need a Breach Disclosure Box, and that it can be a powerful consumer information and education tool.

Once a cost of doing business, today data breaches in the best-case scenario can sap a company’s bottom line, and at their worst represent an extinction-level event. The real-world effects for consumers can be catastrophic. Because there is a patchwork of state and federal laws related to data security—some good, some bad, all indecipherable—and none that work together, it’s impossible to know just how safe your personally identifiable information is, and has been, at the places where you shop and the companies and professional organizations with which you do business.

(more…)

Rather than setting their sights on computers, cybercriminals are increasingly targeting point of sale systems to steal valuable customer information. With attacks against in-store systems growing, the payment industry is fighting back. The Payment Card Industry Security Standards Council (PCI SSC) recently overhauled its guidance document to curb data breaches and security flaws in payment systems, . Although the PCI SSC has updated its recommendation for payment system security, some IT professionals are questioning whether these methods are enough to stop cybercriminals from getting their hands – and servers – on customer data.

Recently, the PCI SCC unveiled version 3.0 of the Payment Card Industry Data Security Standards (PCI DSS), Mark Burnette, partner with LBMC Security & Risk Services, . The newest update focuses on testing to ensure systems are not vulnerable to outsider attacks. With greater risk management, companies may be able to prepare for hacking incidents before they happen. 

PCI SSC warns that POS systems are vulnerable to hacking methods and other attacks – from malware infections to skimming cards to steal information. To combat against these tools and techniques, the organization said organizations should become aware about how cybercriminals steal information. Not only can hackers physically install skimmers to siphon information from payment cards, but they can also steal data from a wireless infrastructure and near field communication readers. 

Updating Systems for Compliance
Although the guidelines for PCI compliance went into effect on Jan. 1 of this year, companies will be able to ready themselves for a year before the standards are enforced. 

With the variety of hacking methods that could exploit vulnerabilities in POS systems, companies may have a difficult time complying with the new standards in preparation for all of these types of attacks. Concerns surrounding payment systems are retailers have grown after the data breaches were revealed at Target last year and the more recent breach at Home Depot. 

Although companies may be compliant with security standards set by PCI, there is the risk that cybercriminals will have infiltrated POS systems to infect terminals with malware or other hacking tools without firms knowing for months – enough time for thieves to put customer information for sale on black markets that are later used for identity theft purposes.

While the danger of cybertheft has increased, companies should ensure they are maintaining their systems and updating their technology as often as they need to. Although the cost of switching to new technology is huge, not spending the money and dealing the widespread financial impact of a data breach will be even more costly. 

While consumers are tired of being bombarded with ads every day, a more dangerous threat could be lurking in the background on webpages and their personal devices. Malicious advertising, also known as malvertising, is an emerging way cybercriminals are infecting new computers with malware, . This technique poses a great risk to cybersecurity because it exploits the popularity of social media sites as cybercriminals may spread malware exponentially through social networking advertising.

When users encounter a website with a malicious advertisement, they are sent to a different site that may download malware onto their computer or other device. The malicious software might mask as a regular download so the users do not suspect their systems are being infected.

"The attackers are purely relying on social engineering techniques, in order to get the user to install the software package," CIsco researchers said. "No drive-by exploits are being used thus far. The impressive thing is that we are seeing this technique not only work for Windows, but for Mac operating systems alike."

Researchers traced the malware attacks to the "Kyle and Stan" group, which includes domains that are spreading the malware. Even the most popular sites on the Web aren't safe, as Yahoo, Amazon and YouTube have become breeding grounds for malvertising. Other sites are also known for their video and media-playing capabilities, which make it easy to get users to click on ads. 

Why Amazon is the Biggest Source for Malware on the Internet
In listing the sites known for malvertising, Amazon has widely been named as a major source of malicious ads. And this is not a surprise for IT security professionals. 

The U.S. was a top destination of malware in the world in the fourth quarter of 2013, . And the main reason for this ranking? Amazon Web Services (AWS) hosted four of the biggest malware-hosting sites, which represented 6 percent of all malware in the fourth quarter of 2013. 

Of the global hosting providers, Amazon had the biggest concentration of malware. Although Amazon has tried to stop malware from being distributed through its hosting network, cybercriminals are still using Amazon's cloud service to not only host malware but to also crack passwords.

The past high-profile attacks made on Amazon's hosting services including the incident faced by social network LinkedIn in which personal information was stolen from millions of LinkedIn users, according to the Post.

As consumers see advertisements on the Internet, they should be careful to prevent malware from being downloaded onto their device by enabling security scanning for websites within the Kyle and Stan network.