Vanderburg was recently listed as the number 10 information security leader to follow on Twitter in Information Security Buzz’s 25 Information Security Leaders to Follow on Twitter.
You can follow Eric Vanderburg on Twitter @evanderburg
Security remains a complex discipline. This ever-changing challenge grows in complexity daily as new threats emerge and compliance requirements increase. Several regulations including HIPAA require organizations to have a person whose role is to ensure compliance within the organization. This is why organizations need a designated person with primary responsibility for security and compliance. This person is the Chief Security Officer (CSO).
The Role of a Chief Security Officer
A Chief Security Officer or CSO is first and foremost a business leader in the organization. He or she sets the organization’s security vision and ensures that it is in line with other business objectives. The CSO works with other business leaders such as the senior financial manager such as a Chief Financial Officer (CFO), business owner, senior partners, or Chief Executive Officer (CEO), senior IT executive such as the Chief Information Officer (CIO) and Chief Operating Officer (COO) to implement security and compliance initiatives throughout the company.
There are so many ways to share on social media today and users, especially the younger generation, are sharing almost everything. The problem is that some data is not meant to be shared. A culture of sharing is developing that can be quite harmful for businesses and the confidential information they hold. It is even more important in this day and age to educate employees on what they can and cannot share. Consider implementing a social media policy that specifies sharable data and data that must remain confidential along with sanctions for those who violate the policy. Make sure that all employees are aware of the policy and why it is in place. Lastly, make sure the policy is enforced through both technical and procedural controls.
On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft. The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.
Hackers gained unauthorized access to credit card processing companies and conducted what hackers term “unlimited operation”. Unlimited operation is an attack where debit cards account balances and withdrawal limits are removed. In this case, attackers performed unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and pins to groups around the world. These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATM machines.
We have spoken of the increase in coordination of cyber-attacks many times and this is an excellent example. In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City. A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.
The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks. Anomalous behavior monitoring is valuable no matter where the next attack comes from and it is useful in other industries as well.
The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle data. The study looked at the following six security policy and practice areas related to how the company responds to requests for user information.
- Does the company require a warrant before releasing information?
- Does the company inform users of requests for data?
- Are statistics published on how often data is provided to requesting agencies?
- Does the company have a policy outlining how they respond to information requests?
- Does the company stand firm when information requests are too broad in scope?
- Does the company support revisions to electronic privacy laws?
Some of the results of the study are surprising. Dropbox, Linkedin, Sonic.net and Twitter were some who ranked the highest. Others such as Amazon, Apple and Yahoo ranked towards the bottom and Verizon and Myspace were the lowest.
The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013. The device was unencrypted and not password protected despite a policy by the DJJ requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices but more importantly, it shows that a policy alone is not enough. Organizations and government agencies need to make sure that employees are aware and adhering to their policies. Without this, such policies are worthless.
Do you have a mobile device encryption policy? If so, do you know if employees are following it? Don’t let this happen to you.
Answer this short poll on which security risks concern you most and see how others have voted.
Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11. The warning informed them that information for over 25,000 persons including social security numbers had been breached. The breach was caused when malware, identified as Vobfus, infected the university’s human resources database.
Malware is often seen as a nuisance or a productivity inhibitor but an infected computer can pose a much great risk to organizations and it should not be overlooked. Malware gets behind the organization’s perimeter and it can act with the credentials of legitimate users including administrators. Just because a system is behind a firewall or in a demilitarized zone doesn’t mean it is safe as threats from the inside are just as virulent as those from the outside. Recently, malware has been the cause of a number of recent data breaches including supermarkets, banking institutions and retailers.
Antivirus software is essential but it is only the first step in protecting against malware. New malware and revised versions of existing malware are continually being released and antivirus signatures will miss some malware, potentially even the most dangerous ones. Understand what normal traffic looks like on your network so that abnormalities can be quickly identified. Take notifications from users about suspicious activity seriously and consider implementing technologies that utilize behavior based scans to detect viruses and intrusions. Lastly, know what to do and who to call if there is a data breach
I will be presenting at the ISACA CPE & Social Event – Cyber Forensics & Cleveland Cavaliers vs. Miami Heat Basketball Outing today at 3:00 PM. The topic is “Cyber Forensics: Collecting evidence for today’s data breaches” and it should be an enjoyable talk.
Many forensic techniques focus on obtaining data from local machines, servers or data storage equipment but evidence for modern attacks often resides in many places and the techniques for obtaining this data go beyond those used in the typical forensic investigation. In this presentation, ISACA members will learn about:
· Detecting intrusions
· Network evidence
· Attack pattern analysis
· Statistical flow analysis
· Traffic analysis
View the ISACA event.
On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored unencrypted data of 50,000 Medicaid providers on a thumb drive that was to be transferred between facilities. However, the drive was lost along with the data it contained which includes names, social security numbers, dates of birth and addresses of the 50,000 providers.
In last week’s article titled, data breach threats of 2013, we cited breaches by third parties as one of the top three highest rated threats in the Deloitte survey of technology, media and telecommunications companies and here is a perfect example of a third party data breach. As mentioned last week, organizations can conduct vendor risk management to reduce this threat. The vendor risk management process begins by evaluating the security of third parties that work with sensitive data, controlling what data they have access to and conducting periodic audits to ensure that they maintain the same security standing.
Unfortunately, the North Carolina HHS assumed that their contractor, Computer Sciences Corporation (CSC), was taking adequate security precautions. HHS Secretary Aldona Wos said, “We expect our vendors to maintain the security of information.” However, N.C HHS is only now requesting validation of these assumptions. Wos stated “I have instructed CSC that North Carolina expects an independent third-party assessment to assure CSC’s adherence to required security standards.”