Security News, Vulnerabilities, Data Breaches, Website Security
What is the value of a Data Breach?
Jan 27th
- Image by Getty Images via Daylife
SC magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. “Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual “Cost of Data Breach” study released on Monday by the Ponemon Institute… The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.” There are a number of ways to protect your data in transit such as PGP Encryption but when the companies looses data, there isnt much the end user can do to protect themselves.
Thats a lot of money. If we look at the data breach of Heartland, which was over 100 million records, that, well let me do the math, may take a minute. Its $20,400,000,000. Thats a lot of money. Condidering I was a shopper mostlikely of Heartland, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked if the retailers like Heartland and TJ Max had a PCI Audit done. Would this have protected our information?
So far, I am pretty sure I recieved a letter offering me free 2 year credit monitoring from Chase, Citibank, Bank of America and Countrywide because thet lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9x$204=$1,836. That will be a nice check when I get it.
Security Requirements
So what can a company do to help reduce these data breaches? The easy answers, yet not implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly
Related articles by Zemanta
- Data breach costs continue to rise (v3.co.uk)
- Survey: Data breaches from malicious attacks doubled last year (news.cnet.com)
- Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=f1ed6c34-1f2a-4642-b40c-ac12e03f3b45)
Regards
Gary Bahadur
http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning
Ponemon Institute Cyber megatrends – Some Additions Needed
Nov 28th
Ponemon Institute recently released their Cyber megratrends as listed below. While I agree with these I think there were a couple that could easily be added to the list. First, I would either add or modify Web 2.0 into Web 3.0. Lets look to what is going to happen versus what is happening. Incremental change may not be the trend. Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee but are not subjected to the same Network Security Assessment requirements in many cases.
Its a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecaste anyway.
Regards
Gary Bahadur
http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning
++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009
Related articles by Zemanta
- Think Tank Study Shows Top Web Trends Are Security Risks (readwriteweb.com)
- The cloud is a powder keg (myventurepad.com)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=b7fe4b47-d582-49fc-8e62-74349ac6b73d)
HIPAA Vendor Compromised Healthcare Records
Nov 12th
This is story that is several months old, but as I came across it, i thought it would make a good point. A vendor handling healthcare records has lost social security numbers of people in March of 2009. In this case, Health insurer Aetna, Inc., is reportedly providing 65,000 individuals with free credit monitoring for a year after its job application Web site was breached, the Associated Press has reported.
The Web site, which was maintained by an outside vendor, had Social security numbers of current and past employees and individuals who received job offers from the insurer, the AP reported.
The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn’t know how many were copied, but the site has been disabled and is undergoing a “thorough forensic review” or you can say network security audit by an outside company.
So here we have a health insurer compromising personal data. People already recieve so much spam email that their real email is suspect. If your provider Aeata seems to be sending ligitimate emails to you, that can get confusing.
As noted in the article “This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee’s laptop computer containing certain personal member information was stolen from a car in a public parking lot.”
If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, its very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=d25ea83e-d17c-440a-b00c-2001ab64b257)
HIPAA Compliance Data Breach with a Foreign Supplier
Nov 3rd
Recently, the Economic Times Report in India discussed a successful “Sting operation by a UK agency in which some health related data was bought from a medical transcription company” . What this means is all that perosnal and HIPAA confidential data that was being transfered for transcription got stolen in the most likely scenario. There have been few stories of this type of Data Breach so far. The Suppliers to US companies have not made the headlines but this might be just the begining fo that wave. The two components of HIPAA Security are Logical and Physical Security. Remote partners can easily breach your logical security controls.
Is there any real view that the US can export the security laws such as HIPAA Security to all parts of the world that handle US customer data? How do you monitor the activities of your suppliers once the data has left yoru network? In the US, a company can control all the security devices such as Firewalls, Intrusion Detection Systems, Antivirus on Servers and Patch Management of servers hosting confidenial data. There are all parts of most security regulations including PCI, SOX, GLBA and more. But the endpoint of security has left these shores and resides in India, China, South America, Vietname and anywhere else you have a supplier.
As your data now resides in a foreign country, what are the reporting requirements of a breach? HIPAA security policy has timeframes, reporting requirements and penalties. The only real penalty a company oversea may face is loss of the contract. Few governments are upt o enforcing security rules outside of actual hacker activity.
So what are some steps you can take to implement Supplier Security?
1) Conduct a Vulnerability Assessment of your connectivity to your Suppliers’ networks
2) Define process and policy controls that the Supplier has to have in place in order to hold your data
3) Assign risk ratings to all data the Supplier handles
4) Conduct an risk assessement of the impact of losing the data
5) Develop a Incident Response plan for the Supplier losing your data
6) Asses the supplier security procedures on a yearly basis
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
IPhone Apps Every Road Warrior Entrepreneur Needs
Oct 22nd
The Blackberry has been the mainstay of the business world for years. But as we know, the IPhone is eating away at market share. There are over 75,000 apps for the IPhone now and growing steadily. For those who have Blackberry Thumb, you can probably look forward to IPhone Index Finger at some point in the future as you switch away from the Blackberry.
Why should you switch from the Blackberry? Well there may not be a good reason. The Blackberry has a number of apps and it is secure, it has encryption and has been beaten up on the security front like network security assessment and application security testing. It’s ingrained in businesses and Blackberry Enterprise Server is well known to many IT administrators.
The Entrepreneur can use both devices. Let’s assume there are at least some people using the IPhone, what apps should they have in their toolkit? Of the thousands of apps, how can you pick a few that would be beneficial to the Entrepreneur Road Warrior? Well the way I picked them is through word of mouth , that are of benefit to me and comes with network security assessment tools. I travel, work in my car, have meetings at all times of day, I am away from the office for days or weeks.
Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world or at least readers of this Blog.
Urban Spoon
First up is Urban Spoon. You are thinking, well that’s not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the Entrepreneur is networking , managed security services, application security risk assessment and deal making. Where deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, by distance. Everything you need for a meeting is the most random city.
AroundMe
In the same vein as Urban Spoon, is AroundMe . Say you are on your way to an important lunch you have setup with a restaurant you found on Urban Spoon but you are almost out of gas. Use AroundMe to find the closed gas station. Or if you need cash to pay for that gas because your Amex Card has been cancelled, find the closest bank.
GoogleMaps
Well this is pretty obvious. But when you are traveling and maybe forgot to bring your Garmin GPS and do not feel like paying the rental company an extra $11.99 a day to rent their GPS , this is just as good.
ReQall
This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, translates it to text, organizes your calendar based on your voice messages, integrates into Outlook or Google Calendar and provides memory assistance. It’s great when you have no pen or driving in a car or need a memory reminder.
FlightAware
For the true Road Warrior, there is no road, there is the sky. So when you are rushing to the airport or think you need to rush to the airport, track down what is going on with your flight. Check out FlightAware to get an update and help you plan that trip to the airport.
TweetDeck
Social Media, the latest buzz word, actually has some teeth. Small companies and the Entrepreneur have to be connected to the work whether you like it or not. Twitter is a way of life these days even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try using TweetDeck.
These Apps don’t seem very business-like, but the Entrepreneur is practical, cheap, requires network security audit tools and has to get things done today . These help you achieve your million tasks on a timely basis.
Gary Bahadur
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=c11b7e79-5319-48b5-aa18-9890ccf96cfb)
Information Devaluation Through Phishing
Sep 25th
- Image via Wikipedia
Information Devaluation Through Phishing
The value of information has been decreasing over time. How do you see this isn the real world? There are two ways, one can be seen from the user perspective and the other from the attacker/bad guy perspective.
From a user point of view, the most obvious method to see information devaluation is Facebook, Twitter, MySpace, Linkedin etc. These may be seen as good ways to keep in contact, but look at all the personal data stored in these sites. Enough to authenticate to your bank account with such pieces of data as Name of Dog, Elementary School, Parents Lastname. Everything for secret question authentication. There was just a theft from a bank (http://www.networkworld.com/news/2009/092409-construction-firm-sues-after-588000.html) where the challenge questions were successfully answered.There are many Network security assessment tools to prevent such phishing ways to get the answer to these challenge questions.
The attackers are focusing Phishing efforts on Twitter and Facebook much more these days. Its pretty obvious why, so much information is available here. KRAA Security a Network security audit tool provider twitters, but we try to keep personal things off there. But many people lives their lives on twitter so much, its a mind boggling concept.
The Washington post just had an article where the list Facebook as the top phished site (http://voices.washingtonpost.com/securityfix/2009/04/facebook_among_top_phished_web.html). Part of this is the information people post and the Applications developed for it have many ways of phishing your information. Thus a Information security risk assessment is a necessity.
So is there is a solution the phishing problem in Social Media? Probably a security penetration test for such websites. Even though the phishing problem will probably get such more extensive as Social Media expands, takes over more aspects of our lives and invades every information dissemination media. Doomed I say.
This was a cheerful post.
Gary Bahadur
http://twitter.com/kraasecurity
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=359ec324-8ddc-4ec6-9b2e-cc633e4a3c18)
FTC’s Additional Rules for HIPAA Security
Aug 23rd
FTC’s Additonal Rules for HIPAA Security
The Federal Trade Commission (FTC) recently issued a rule which gives more scope to the data breach notification rules as part of the Health Insurance Portability and Accountability Act (HIPAA). The addition targets companies that provide health info in an online storage facitlity. Things like Google Health or Healthvault would fall under this category.
This seems like it should be an obvious thing to do. Why would you let any entity keep your health information without following strict regulatory requirements? It is definitely a good thing to force companies that keep your health information to notify consumers following a data security breach if the breach involves more than 500 people or even 5 people. The question is how do you track down all these companies that store health information and force the the company notify customers? How do you know when a smaller companay has lost information? We still struggle with this question for the hospitals and healthcare organizations that currently have to comply with the HIPAA regulations or the Hipaa Security Rule. CVS recently had to pay $2.5 million in fines. I wonder what that is in comparison to the cost to consumers who have problems with their data being stolen. (I wouldn’t use the term “lost”)
Part of the changes coming from the FTC is the utilization of mobile devices that capture, use, transmit and store data. What are the hospital security requirements of these devices? Does a mobile hand scanner or a mobile device that stores info have to have a built in firewall and antivirus as would a laptop? The only real way to deal with this is to conduct Hipaa Risk Assessment but how many companies actually do it properly?
Have you seen the list of breaches on Privacyrights.org? I like this recent one in particular. You cant find such a list on the FTC site.
“ July 31, 2009 Jackson Memorial Hospital: (Miami, FL) A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.”
Is every company required to do network security assessment and register their device if it captures, uses, transmits any kind of health information? Is any website that does the same required to register with the FTC? But I wonder if you had such as database and hackers got into it, how much more trouble would we be in? Check out our HIPAA Top 5 Steps to Compliance for some fun reading.
I do not think I came to any real conclusions with this post. Isn’t blogging wonderful?Gary Bahadur
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Miami, Fl
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*Website Security Assessment
Credit Card Theft Put Miami on the Map
Aug 19th
Miami is a fun place to live and work (there are actually people who work here). Its a great vacation spot, people enjoy the nightlife and now we have something else to crow about. The largest credit theft ring was based here!
According to Bloomberg, “Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.”
It always amazes me when really smart computer folks insist on hacking from the US. Why not just head down the the Caribbean and hack from there, let likely to get caught.
My question about this is whats the value of regulations such as PCI or HIPAA. A PCI Security Audit and Hipaa Security policy are supposed to prevent this type of thing when the companies being hacked usually come out after the fact and say they were compliant?
Privacyrights.org has this list of breaches in the month of August alone. I wonder what the compliance or network security audit was like for these companies? I dont suppose there really is a good answer to what to do about compliant companies getting breached. They will just keep giving you a year of free credit monitoring I guess.
| Aug. 1, 2009 | Williams Cos. Inc. (Tulsa, OK) |
A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker’s vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007. | 4,400 |
| Aug. 3, 2009 | National Finance Center (Washington DC) |
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed. | 27,000 |
| Aug. 4, 2009 | New Hampshire Department of Corrections (Laconia,NH) |
A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred documents and investigators are trying to find out why documents were not destroyed. | 1,000 |
| Aug. 11, 2009 | Bank of America Corp. (Charlotte, NC) |
Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one. | Unknown |
| Aug. 11, 2009 | Citigroup Inc. (New York City, NY) |
Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts “your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use.” Bank officials are not certain if this is a new breach or a previously disclosed one. | Unknown |
| Aug. 11, 2009 | University of California-Berkeley School of Journalism (Berkeley, CA) |
Campus officials discovered during a computer security check that a hacker had gained access to the journalism school’s primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. | 493 |
| Aug. 13, 2009 | National Guard Bureau (Arlington, VA) |
An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. on the stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates. | 131,000 |
| Aug. 14, 2009 | American Express (New York, NY) |
Some American Express card members’ accounts may have been compromised by an employee’s recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue. | Unknown |
| Aug. 14, 2009 | Calhoun Area Career Center (Battle Creek, MI) |
Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available. | 455 |
| Aug. 15, 2009 | Northern Kentucky University (Highland Heights, KY) |
A Northern Kentucky University employee’s laptop computer – which contained personal information about some current and former students — was stolen from a restricted area. The personal information stored on the employee’s computer included Social Security numbers of at least 200 current and former students. | 200 |
Gary Bahadur
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=35eba444-2f1a-45f5-96c1-29393cdf719c)
Stolen laptop with employee information- yet again
Aug 7th
Stolen laptop with employee information- yet again
The Associated Press reported that a Williams Cos. Inc. laptop containing personal and compensation information was stopen from a workers vehicle. The laptop had over 4,400 current and former employees records. Information like names, birth dates, Social Security numbers and compensation data was on it. How many times have wee seen this story?
They said the laptop was password protected. Well then lets not worry eh? A password, run for Ze Hillz! They did not say whether other security measures like application security risk assessment and network security audit tools were used in place other than the PGP Whole Disk encryption , or of any kind of remote wiping utility was in place or even if a hard disk password was used. The people with stolen data can only hope this might be the case.
So not we have the hoke pokey dance of checking credit, getting free one year membership to credit monitoring, buring down the barn now that the horse was stolen, all that good stuff.
Here is a list fo some recent thefts
| records | date | organizations |
|---|---|---|
| 1,084 | 2009-08-06 | Colorado Department of Corrections |
| 131,000 | 2009-08-04 | United States Army National Guard |
| 1,000 | 2009-08-04 | New Hampshire Department of Corrections |
| 4,400 | 2009-07-31 | Williams Companies, Inc. |
| 766 | 2009-07-28 | University of Colorado CO Springs |
| 573,928 | 2009-07-25 | Network Solutions |
| 900 | 2009-07-24 | Hampton Redevelopment and Housing Authority |
| 1,000 | 2009-07-23 | American International Group (AIG), American Life Insurance Co Japan |
| 180,000 | 2009-07-22 | HSBC Holdings plc, HSBC Life |
| 1,917 | 2009-07-22 | HSBC Holdings plc, HSBC Actuaries |
The main problem with these events is that the user is uneducated when it comes to security and don’t bother to go for a security penetration test or information security risk assessment. No matter what kind of technology you put in place, the user can find a way around it to compromise your security. First educate them, then worry about technology to protect them from their own stupidity.
Gary Bahadur
http://twitter.com/kraasecurity
o:888-KRAA-911, c: 917-568-7917, f: 866-633-6601
Address: 20801 Biscayne Blvd, Suite 403, Aventura, FL 33180
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=a7d51bbc-cded-482e-8325-d419759ee940)
Forget Information Security, someone work on airport delays
Jul 30th
Forget Information Security, someone work on airport delays
My posts are all usually information security related. Some interesting things on web security, vulnerability assessment, risk assessment, all that good stuff. Well today I cannot blog about that. As much as I love it, get a probably un-natural excitement about it, I can’t do it.
I have been sitting in BWI airport since 7pm. Its about 11pm and I am still waiting for the plane to get here. Or it might be here and we can’t get on, not v ery clear on that. So there was a light sprinkle of rain in the BWI area. All up and down the east coast there was storms. And Boston got whacked. When Boston has problems, everybody has problems. Something like the Regan trickly down theory.
Its about 11:20pm now and I just heard the announcement that the flight landed from Portland and potentially I might get home to Miami sometime around 3am. I am not a newbie to travel and being stuck in an airport is old hat. I recall being stuck in Amsterdam on Thanksgiving in the airport for about 11 hours. Patience Grasshopper.
So whats so new about this experience? Well I was thinking that the algorithims to route planes around the country were developed 30 or 40 years ago. So think about all the changes, all the potential of planes these days and not updating how planes are handled. Or maybe I am wrong since I am not an airline expert and they have all new routing plans. Probably. But my view of the world, well I see it as really sucking. So I make the assumption that there needs to be a (cringe) “paradigm shift” in how planes are handled. Maybe we need an Airport Czar.
My other problem with the waiting thing is that the Bar closed at 9:30pm!!!! My flight will not leave until about Midnight. When will the hurting stop?!!?!?
This was obviously not of any value to anyone except me to channel my airport anger.
I usually have a list of things in my posts. Here is my list which is pretty much of no value
1) when sitting in the bar in an airport that closes at 9:30, listen for last call
2) Never take the later flight out in the day if you can avoid it
3) Avoid BWI
4) Never believe the monitors about if your flight is on time
5) Actually speak to people at the bar, keeps things entertaining
6) Girls wearing short shorts shouldn’t lie down, knees akimbo at the airport
7) Never pass up a trip to Vegas to for a trip to Baltimore
The restaurants close early at BWI, eat early
9) BWI sucks
10) BWI sucks
Recent Comments