Posted by: Eric Vanderburg | Posted on: May 10th, 2013 | 0 Comments
On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft. The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.
Hackers gained unauthorized access to credit card processing companies and conducted what hackers term an “unlimited operation”. An unlimited operation is an attack in which debit card account balances and withdrawal limits are removed. In this case, the attackers performed an unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and PINs to groups around the world. These groups re-encoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATMs.
We have spoken of the increase in coordination of cyber-attacks many times and this is an excellent example. In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City. A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.
The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks. Anomalous behavior monitoring is valuable no matter where the next attack comes from and it is useful in other industries as well.
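The two signals the post names, excessive use of a single card number and the account modifications an unlimited operation requires, can both be checked from transaction and account-change records. The following is an added example, not code from the original post or from any bank or processor: a velocity check over a constructed withdrawal log (withdrawals per card, distinct ATMs and total amount inside a sliding window) and a check over constructed account-limit change records. All card ids, ATM ids, timestamps, amounts and thresholds are made up for illustration.

```python
"""Anomaly checks for card withdrawals and account-limit changes.

Added example with constructed data; nothing here comes from a real
issuer, processor or card network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed withdrawal log: (timestamp, card id, ATM id, amount in USD)
WITHDRAWALS = [
    ("2012-12-22T19:00:00", "card-A", "atm-NYC-01", 400),
    ("2012-12-22T19:04:00", "card-A", "atm-NYC-02", 400),
    ("2012-12-22T19:09:00", "card-A", "atm-NYC-03", 400),
    ("2012-12-22T19:15:00", "card-A", "atm-NYC-04", 400),
    ("2012-12-22T19:22:00", "card-A", "atm-NYC-05", 400),
    ("2012-12-22T19:30:00", "card-A", "atm-NYC-06", 400),
    ("2012-12-22T08:00:00", "card-B", "atm-CLE-01", 100),
    ("2012-12-22T18:30:00", "card-B", "atm-CLE-01", 60),
    ("2012-12-23T09:00:00", "card-B", "atm-CLE-02", 80),
]

# Constructed account-change log: (timestamp, card id, field, old, new).
# A value of None means the limit was removed entirely.
LIMIT_CHANGES = [
    ("2012-12-20T02:13:00", "card-A", "withdrawal_limit", 500, None),
    ("2012-12-20T02:13:05", "card-A", "balance", 250, 1_000_000),
    ("2012-12-21T11:00:00", "card-B", "withdrawal_limit", 300, 500),
]


def velocity_alerts(withdrawals, window=timedelta(hours=2),
                    max_count=5, max_atms=4, max_amount=1500):
    """Return {card: [reasons]} for cards whose activity inside any
    sliding window of `window` length exceeds the given thresholds."""
    by_card = defaultdict(list)
    for ts, card, atm, amount in withdrawals:
        by_card[card].append((datetime.fromisoformat(ts), atm, amount))

    alerts = {}
    for card, events in by_card.items():
        events.sort()  # chronological; tuples sort by timestamp first
        reasons = set()
        for end_idx, (t_end, _, _) in enumerate(events):
            # Every event ending at t_end that falls inside the window.
            in_window = [e for e in events[:end_idx + 1] if e[0] >= t_end - window]
            if len(in_window) > max_count:
                reasons.add("withdrawal_count")
            if len({e[1] for e in in_window}) > max_atms:
                reasons.add("distinct_atms")
            if sum(e[2] for e in in_window) > max_amount:
                reasons.add("amount")
        if reasons:
            alerts[card] = sorted(reasons)
    return alerts


def limit_change_alerts(changes, max_ratio=10.0):
    """Flag limit removals and implausibly large balance/limit increases,
    the kind of modification an unlimited operation depends on."""
    alerts = defaultdict(list)
    for _, card, field, old, new in changes:
        if new is None:
            alerts[card].append((field, "limit_removed"))
        elif old is not None and old > 0 and new / old > max_ratio:
            alerts[card].append((field, "large_increase"))
    return dict(alerts)


if __name__ == "__main__":
    print(velocity_alerts(WITHDRAWALS))
    print(limit_change_alerts(LIMIT_CHANGES))
```

In the constructed data, card-A trips all three velocity thresholds (six withdrawals at six ATMs totalling $2,400 in half an hour) and also shows a removed withdrawal limit and a balance raised from $250 to $1,000,000 two days earlier, while card-B's routine use produces no alert. Real thresholds would be tuned per card product from observed normal behavior.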
Posted by: Eric Vanderburg | Posted on: May 2nd, 2013 | 0 Comments
The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle data. The study looked at the following six security policy and practice areas related to how the company responds to requests for user information.
- Does the company require a warrant before releasing information?
- Does the company inform users of requests for data?
- Are statistics published on how often data is provided to requesting agencies?
- Does the company have a policy outlining how they respond to information requests?
- Does the company stand firm when information requests are too broad in scope?
- Does the company support revisions to electronic privacy laws?
Some of the results of the study are surprising. Dropbox, LinkedIn, Sonic.net and Twitter were among the highest ranked. Others such as Amazon, Apple and Yahoo ranked toward the bottom, and Verizon and Myspace were the lowest.
Posted by: Eric Vanderburg | Posted on: April 17th, 2013 | 0 Comments
Answer this short poll on which security risks concern you most and see how others have voted.
Posted by: Eric Vanderburg | Posted on: April 3rd, 2013 | 0 Comments
Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11. The warning informed them that information for over 25,000 persons including social security numbers had been breached. The breach was caused when malware, identified as Vobfus, infected the university’s human resources database.
Malware is often seen as a nuisance or a productivity inhibitor, but an infected computer can pose a much greater risk to organizations and it should not be overlooked. Malware gets behind the organization’s perimeter and can act with the credentials of legitimate users, including administrators. Just because a system is behind a firewall or in a demilitarized zone doesn’t mean it is safe, as threats from the inside are just as virulent as those from the outside. Malware has recently been the cause of a number of data breaches at supermarkets, banking institutions and retailers.
Antivirus software is essential, but it is only the first step in protecting against malware. New malware and revised versions of existing malware are continually being released, and antivirus signatures will miss some malware, potentially even the most dangerous. Understand what normal traffic looks like on your network so that abnormalities can be quickly identified. Take notifications from users about suspicious activity seriously and consider implementing technologies that use behavior-based scans to detect viruses and intrusions. Lastly, know what to do and who to call if there is a data breach.
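"Understand what normal traffic looks like" means building a per-host baseline and comparing new activity against it. The following is an added example, not code from the original post or from any product: it builds a baseline of daily outbound bytes and known destinations per host from a week of constructed flow summaries, then flags hosts whose volume spikes well above their own history, hosts talking to destinations never seen in the baseline, and hosts the baseline has never seen at all. Host names are hypothetical and 203.0.113.7 is an address from the RFC 5737 documentation range.

```python
"""Per-host traffic baseline and deviation check over constructed flow
summaries. Added example; data and host names are made up."""
import statistics
from collections import defaultdict

# Constructed baseline: (day, source host, destination, bytes out),
# one week of ordinary activity for two hosts.
BASELINE_FLOWS = []
for day in range(1, 8):
    BASELINE_FLOWS.append((f"2013-03-0{day}", "hr-db", "backup-srv", 1_000_000 + 40_000 * day))
    BASELINE_FLOWS.append((f"2013-03-0{day}", "ws-12", "web-proxy", 200_000 + 15_000 * (day % 3)))
    BASELINE_FLOWS.append((f"2013-03-0{day}", "ws-12", "mail-srv", 50_000))

# Constructed flows for the day under review. hr-db pushes 40 MB to an
# address it has never contacted; ws-12 behaves as usual; laptop-99 is new.
TODAY_FLOWS = [
    ("2013-03-08", "hr-db", "backup-srv", 1_100_000),
    ("2013-03-08", "hr-db", "203.0.113.7", 40_000_000),
    ("2013-03-08", "ws-12", "web-proxy", 215_000),
    ("2013-03-08", "ws-12", "mail-srv", 50_000),
    ("2013-03-08", "laptop-99", "web-proxy", 90_000),
]


def daily_bytes(flows):
    """{host: {day: total bytes out}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def build_baseline(flows):
    """Per-host mean and population stdev of daily volume plus the set of
    destinations observed during the baseline period."""
    dests = defaultdict(set)
    for _, host, dst, _ in flows:
        dests[host].add(dst)
    profiles = {}
    for host, per_day in daily_bytes(flows).items():
        values = list(per_day.values())
        profiles[host] = {
            "mean": statistics.mean(values),
            "stdev": statistics.pstdev(values),
            "dests": dests[host],
        }
    return profiles


def detect_anomalies(profiles, flows, z_threshold=3.0):
    """Return {host: sorted reasons}. `flows` is assumed to cover one day."""
    findings = defaultdict(set)
    for host, per_day in daily_bytes(flows).items():
        prof = profiles.get(host)
        if prof is None:
            findings[host].add("unknown_host")
            continue
        total = sum(per_day.values())
        # Floor the spread at 10% of the mean so a perfectly flat baseline
        # does not turn every tiny change into an enormous z-score.
        spread = max(prof["stdev"], 0.1 * prof["mean"])
        if (total - prof["mean"]) / spread > z_threshold:
            findings[host].add("volume_spike")
    for _, host, dst, _ in flows:
        prof = profiles.get(host)
        if prof is not None and dst not in prof["dests"]:
            findings[host].add(f"new_destination:{dst}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in detect_anomalies(build_baseline(BASELINE_FLOWS), TODAY_FLOWS).items():
        print(host, reasons)
```

A database server that normally sends about 1 MB a day to a backup host and suddenly sends 40 MB to an outside address is exactly the kind of abnormality that signatures miss but a baseline catches; the unknown-host finding is a prompt to ask whether that machine should be on the network at all.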
Posted by: Eric Vanderburg | Posted on: March 20th, 2013 | 0 Comments
I will be presenting at the ISACA CPE & Social Event – Cyber Forensics & Cleveland Cavaliers vs. Miami Heat Basketball Outing today at 3:00 PM. The topic is “Cyber Forensics: Collecting evidence for today’s data breaches” and it should be an enjoyable talk.
Many forensic techniques focus on obtaining data from local machines, servers or data storage equipment but evidence for modern attacks often resides in many places and the techniques for obtaining this data go beyond those used in the typical forensic investigation. In this presentation, ISACA members will learn about:
- Detecting intrusions
- Network evidence
- Attack pattern analysis
- Statistical flow analysis
- Traffic analysis
View the ISACA event.
Posted by: Eric Vanderburg | Posted on: March 13th, 2013 | 0 Comments
On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored the unencrypted data of 50,000 Medicaid providers on a thumb drive that was to be transferred between facilities. However, the drive was lost along with the data it contained, which included names, social security numbers, dates of birth and addresses of the 50,000 providers.
In last week’s article, titled Data Breach Threats of 2013, we cited breaches by third parties as one of the three highest rated threats in the Deloitte survey of technology, media and telecommunications companies, and here is a perfect example of a third party data breach. As mentioned last week, organizations can conduct vendor risk management to reduce this threat. The vendor risk management process begins by evaluating the security of third parties that work with sensitive data, controlling what data they have access to and conducting periodic audits to ensure that they maintain the same security standing.
Unfortunately, the North Carolina HHS assumed that their contractor, Computer Sciences Corporation (CSC), was taking adequate security precautions. HHS Secretary Aldona Wos said, “We expect our vendors to maintain the security of information.” However, N.C. HHS is only now requesting validation of that assumption. Wos stated, “I have instructed CSC that North Carolina expects an independent third-party assessment to assure CSC’s adherence to required security standards.”
Posted by: Eric Vanderburg | Posted on: March 7th, 2013 | 14 Comments
A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media and Telecommunications (TMT) companies suffered a data breach. 88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking. Rather, the three highest threats were employee errors and omissions, denial of service attacks and security breaches by third parties.
Awareness is a critical factor here and Deloitte lists it as one of the top three security initiatives of 2013. 70% of TMT companies responded in the survey that employee mistakes were an average or high vulnerability. The risks, as stated by Deloitte, include, “talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies.” To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.
Denial of Service (DoS) attacks were also rated a high threat. DoS attacks overload targeted information systems, making them slow to respond to requests or taking them down entirely. Given the relative ease of conducting a DoS attack and the criticality of information systems to today’s businesses, it is no wonder that DoS makes the list. These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group or its interests. Organizations can protect themselves by monitoring the messages they send, especially through social networking, and by working out an incident response plan for handling a DoS attack that covers the public relations factors in addition to the technical ones.
Breaches by third parties are at the top of the list partly because the average company deals with so many third parties in the course of doing business. In fact, 79% of respondents said the sheer number of third parties they deal with would be an average or high threat. With so many third parties, it is difficult to determine whether each has a sufficient level of security to adequately protect the data they work with and, as we all know, security is only as effective as the weakest link. Organizations have responded by more thoroughly screening third parties and assigning them a risk rating for the type of data they will be working with, through a process called vendor risk management. The third party then needs to demonstrate security that is in line with the risk rating they have. This process is required by regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Information Portability and Accountability Act (HIPAA).
The threat landscape of 2013 continues to grow and companies are tasked with more responsibility to protect the data they work with. As can be seen from Deloitte’s survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013. To protect themselves, companies can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.
Posted by: Eric Vanderburg | Posted on: February 20th, 2013 | 0 Comments
The EU Information Commissioner’s Office (ICO) has stated with its recent fine for Sony of £250,000 that lack of knowledge of a data breach is no longer an adequate defense. This fine was given not because of actions Sony took on breaches they knew about but on their lack of knowledge of breaches that the EU deems they should have known about due to the technical knowledge and resources available at Sony.
To claim that you cannot act on vulnerabilities that you do not know of has been a common defense and one that seems rational and logical to most companies, but the ICO’s recent fine suggests that it is unlikely to work in the future. This sort of thinking would be an inhibitor to security initiatives because once you know about a problem, you have to make a determination as to the risk it presents and how you will deal with it.
So how do you know what you don’t know? This has been a question for centuries but in this case, the expectation is that companies will perform activities such as regular risk assessments based on data collected from vulnerability scans to identify security controls that can reduce risks to an acceptable level and that they will monitor equipment to detect anomalous behavior. The tools to perform these activities are easily available and various open source options can be implemented at a low cost to the company. However, it will take someone experienced with risk assessment and the tools used to make the data obtained from them actionable. Consider using a security consultant if this is not a skill your company has in-house.
Posted by: Eric Vanderburg | Posted on: February 14th, 2013 | 0 Comments
President Obama signed an executive order on February 12, 2013 that requires federal agencies to share information on cyber threats with each other and private companies. This will include unclassified information on activities of known criminals and terrorists and cyber-attacks and some classified information for owners of critical infrastructure. The order does not require private companies to share data with the government which alleviates some of the privacy concerns present in the Cyber Intelligence Sharing and Protection Act (CISPA).
Information will be collected and shared through two national critical infrastructure centers operated by the Department of Homeland Security (DHS); one for physical infrastructure such as fences, gates and checkpoints and the other for cyber infrastructure such as intrusion prevention systems, application gateways and firewalls. These DHS centers will also assist with incident response and restoration efforts related to cyber-attacks.
Aspects of the executive order are unclear but there will be some requirement for owners of critical infrastructure to establish security metrics and guidelines as specified by the DHS and federal agencies. Meanwhile, the National Institute of Standards and Technology (NIST) has been tasked with coming up with a preliminary framework for federal agency actions that are “prioritized, flexible, repeatable, performance-based and cost-effective.” (Sec. 7b)
This executive order is not the same as a law but it does show that the Obama administration is concerned about cyber security and it will impact further legislation in this area. Upcoming legislation may carry this to the next phase and establish a long-term program of cyber security information sharing and awareness.
Posted by: Eric Vanderburg | Posted on: February 5th, 2013 | 0 Comments
Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining personal information including names, social security numbers, driver’s license numbers, pictures, fingerprint and handwriting samples, dates of birth and family information for hundreds of DOE employees. The hackers did not gain access to classified information which investigators believe was the target of the attack.
Until yesterday, the hacker group Anonymous was viewed as a potential perpetrator since one of their factions, Parastoo, claimed responsibility on Pastebin. However, the posted information was dated and investigators believe Parastoo is not responsible for the attack. According to an article published on February 4 in the Washington Free Beacon, unnamed government officials confirmed that the attack involved a foreign nation state. This nation state is most likely China, based on repeated attempts by Chinese hackers to gain access to DOE information and the value such information has to Chinese efforts. If so, this employee information will probably be used to launch further attacks and gain the confidence of DOE employees with access to sensitive information.
The DOE and FBI are still investigating the incident but speculation abounds as to how the attack on their systems took place including weak server security configurations, poor user training and an over-reliance on outdated methods. The security of DOE systems has certainly been called into question and some suggest that government agencies such as the DOE should rely more on the help of industry experts and security firms.