Security News, Vulnerabilities, Data Breaches, Website Security
Compliance
When will Vendors provide Risk Assessments of their products?
Feb 17th
- Image via Wikipedia
If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday. Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook.
As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.” The biggest companies are culprits.
So what are we do to about buggy software? May scream “I’m mad as hell and I am not going to take it anymore!” Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!
As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:
- Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
- Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
- Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.
Related articles by Zemanta
- Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
- Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
- Microsoft investigates new Internet Explorer flaw (news.cnet.com)
- Google readies Flash for Android devices (infoworld.com)
Gary Bahadur
http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=5940a61e-7193-4971-a98b-6547400ef860)
What is the value of a Data Breach?
Jan 27th
- Image by Getty Images via Daylife
SC magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. “Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual “Cost of Data Breach” study released on Monday by the Ponemon Institute… The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches.” There are a number of ways to protect your data in transit such as PGP Encryption but when the companies looses data, there isnt much the end user can do to protect themselves.
Thats a lot of money. If we look at the data breach of Heartland, which was over 100 million records, that, well let me do the math, may take a minute. Its $20,400,000,000. Thats a lot of money. Condidering I was a shopper mostlikely of Heartland, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked if the retailers like Heartland and TJ Max had a PCI Audit done. Would this have protected our information?
So far, I am pretty sure I recieved a letter offering me free 2 year credit monitoring from Chase, Citibank, Bank of America and Countrywide because thet lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9x$204=$1,836. That will be a nice check when I get it.
Security Requirements
So what can a company do to help reduce these data breaches? The easy answers, yet not implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly
Related articles by Zemanta
- Data breach costs continue to rise (v3.co.uk)
- Survey: Data breaches from malicious attacks doubled last year (news.cnet.com)
- Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
Regards
Gary Bahadur
http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=f1ed6c34-1f2a-4642-b40c-ac12e03f3b45)
Ponemon Institute Cyber megatrends – Some Additions Needed
Nov 28th
Ponemon Institute recently released their Cyber megratrends as listed below. While I agree with these I think there were a couple that could easily be added to the list. First, I would either add or modify Web 2.0 into Web 3.0. Lets look to what is going to happen versus what is happening. Incremental change may not be the trend. Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee but are not subjected to the same Network Security Assessment requirements in many cases.
Its a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecaste anyway.
Regards
Gary Bahadur
http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning
++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009
Related articles by Zemanta
- Think Tank Study Shows Top Web Trends Are Security Risks (readwriteweb.com)
- The cloud is a powder keg (myventurepad.com)
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=b7fe4b47-d582-49fc-8e62-74349ac6b73d)
FTC’s Additional Rules for HIPAA Security
Aug 23rd
FTC’s Additonal Rules for HIPAA Security
The Federal Trade Commission (FTC) recently issued a rule which gives more scope to the data breach notification rules as part of the Health Insurance Portability and Accountability Act (HIPAA). The addition targets companies that provide health info in an online storage facitlity. Things like Google Health or Healthvault would fall under this category.
This seems like it should be an obvious thing to do. Why would you let any entity keep your health information without following strict regulatory requirements? It is definitely a good thing to force companies that keep your health information to notify consumers following a data security breach if the breach involves more than 500 people or even 5 people. The question is how do you track down all these companies that store health information and force the the company notify customers? How do you know when a smaller companay has lost information? We still struggle with this question for the hospitals and healthcare organizations that currently have to comply with the HIPAA regulations or the Hipaa Security Rule. CVS recently had to pay $2.5 million in fines. I wonder what that is in comparison to the cost to consumers who have problems with their data being stolen. (I wouldn’t use the term “lost”)
Part of the changes coming from the FTC is the utilization of mobile devices that capture, use, transmit and store data. What are the hospital security requirements of these devices? Does a mobile hand scanner or a mobile device that stores info have to have a built in firewall and antivirus as would a laptop? The only real way to deal with this is to conduct Hipaa Risk Assessment but how many companies actually do it properly?
Have you seen the list of breaches on Privacyrights.org? I like this recent one in particular. You cant find such a list on the FTC site.
“ July 31, 2009 Jackson Memorial Hospital: (Miami, FL) A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.”
Is every company required to do network security assessment and register their device if it captures, uses, transmits any kind of health information? Is any website that does the same required to register with the FTC? But I wonder if you had such as database and hackers got into it, how much more trouble would we be in? Check out our HIPAA Top 5 Steps to Compliance for some fun reading.
I do not think I came to any real conclusions with this post. Isn’t blogging wonderful?Gary Bahadur
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Miami, Fl
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*Website Security Assessment
Credit Card Theft Put Miami on the Map
Aug 19th
Miami is a fun place to live and work (there are actually people who work here). Its a great vacation spot, people enjoy the nightlife and now we have something else to crow about. The largest credit theft ring was based here!
According to Bloomberg, “Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.”
It always amazes me when really smart computer folks insist on hacking from the US. Why not just head down the the Caribbean and hack from there, let likely to get caught.
My question about this is whats the value of regulations such as PCI or HIPAA. A PCI Security Audit and Hipaa Security policy are supposed to prevent this type of thing when the companies being hacked usually come out after the fact and say they were compliant?
Privacyrights.org has this list of breaches in the month of August alone. I wonder what the compliance or network security audit was like for these companies? I dont suppose there really is a good answer to what to do about compliant companies getting breached. They will just keep giving you a year of free credit monitoring I guess.
| Aug. 1, 2009 | Williams Cos. Inc. (Tulsa, OK) |
A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker’s vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007. | 4,400 |
| Aug. 3, 2009 | National Finance Center (Washington DC) |
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed. | 27,000 |
| Aug. 4, 2009 | New Hampshire Department of Corrections (Laconia,NH) |
A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred documents and investigators are trying to find out why documents were not destroyed. | 1,000 |
| Aug. 11, 2009 | Bank of America Corp. (Charlotte, NC) |
Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one. | Unknown |
| Aug. 11, 2009 | Citigroup Inc. (New York City, NY) |
Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts “your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use.” Bank officials are not certain if this is a new breach or a previously disclosed one. | Unknown |
| Aug. 11, 2009 | University of California-Berkeley School of Journalism (Berkeley, CA) |
Campus officials discovered during a computer security check that a hacker had gained access to the journalism school’s primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. | 493 |
| Aug. 13, 2009 | National Guard Bureau (Arlington, VA) |
An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. on the stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates. | 131,000 |
| Aug. 14, 2009 | American Express (New York, NY) |
Some American Express card members’ accounts may have been compromised by an employee’s recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue. | Unknown |
| Aug. 14, 2009 | Calhoun Area Career Center (Battle Creek, MI) |
Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available. | 455 |
| Aug. 15, 2009 | Northern Kentucky University (Highland Heights, KY) |
A Northern Kentucky University employee’s laptop computer – which contained personal information about some current and former students — was stolen from a restricted area. The personal information stored on the employee’s computer included Social Security numbers of at least 200 current and former students. | 200 |
Gary Bahadur
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=35eba444-2f1a-45f5-96c1-29393cdf719c)
Forget Information Security, someone work on airport delays
Jul 30th
Forget Information Security, someone work on airport delays
My posts are all usually information security related. Some interesting things on web security, vulnerability assessment, risk assessment, all that good stuff. Well today I cannot blog about that. As much as I love it, get a probably un-natural excitement about it, I can’t do it.
I have been sitting in BWI airport since 7pm. Its about 11pm and I am still waiting for the plane to get here. Or it might be here and we can’t get on, not v ery clear on that. So there was a light sprinkle of rain in the BWI area. All up and down the east coast there was storms. And Boston got whacked. When Boston has problems, everybody has problems. Something like the Regan trickly down theory.
Its about 11:20pm now and I just heard the announcement that the flight landed from Portland and potentially I might get home to Miami sometime around 3am. I am not a newbie to travel and being stuck in an airport is old hat. I recall being stuck in Amsterdam on Thanksgiving in the airport for about 11 hours. Patience Grasshopper.
So whats so new about this experience? Well I was thinking that the algorithims to route planes around the country were developed 30 or 40 years ago. So think about all the changes, all the potential of planes these days and not updating how planes are handled. Or maybe I am wrong since I am not an airline expert and they have all new routing plans. Probably. But my view of the world, well I see it as really sucking. So I make the assumption that there needs to be a (cringe) “paradigm shift” in how planes are handled. Maybe we need an Airport Czar.
My other problem with the waiting thing is that the Bar closed at 9:30pm!!!! My flight will not leave until about Midnight. When will the hurting stop?!!?!?
This was obviously not of any value to anyone except me to channel my airport anger.
I usually have a list of things in my posts. Here is my list which is pretty much of no value
1) when sitting in the bar in an airport that closes at 9:30, listen for last call
2) Never take the later flight out in the day if you can avoid it
3) Avoid BWI
4) Never believe the monitors about if your flight is on time
5) Actually speak to people at the bar, keeps things entertaining
6) Girls wearing short shorts shouldn’t lie down, knees akimbo at the airport
7) Never pass up a trip to Vegas to for a trip to Baltimore
The restaurants close early at BWI, eat early
9) BWI sucks
10) BWI sucks
Web Security Testing has come of age
Jul 20th
Website security is the one of the most dangerous places for a company. If you look at a layered security approach, we start out with the internal network. There we have host security, patch management, host IDS and other server based technologies. Next we have the network security layers, network intrusion detection, network monitoring and firewall protection. So if we have the internal servers secured, the network protection place, what is left is that an attacker can possibly get into a secure environment?
The website is the open frontdoor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?
So on Linkedin, I asked the quesion “what are the Web security tools” that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.
1) Foundstone http://www.foundstone.com
2) Acunetix WVS http://www.acunetix.com
3) Scrawlr https://h30406.www3.hp.com/
4) N-Stalker http://www.nstalker.com/
5) Nikto http://cirt.net/nikto2
6) Scarab http://www.owasp.org
7) WebInspect http://www.hp.com
Fiddler - http://www.fiddlertool.com
9) Samurai Web Testing Framework – http://samurai.inguardians.com/
10) FireCAT - http://www.security-database.com
11) W3af http://w3af.sourceforge.net/
12) CORE Impact http://www.coresecurity.com/content/web-app-pro
13) Appscan http://www-01.ibm.com/software/awdtools/appscan/
Having listed these and of course there a re a number of other tools, we can begin to secure the environment. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, I am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.
The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls
Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.
Gary Bahadur
http://twitter.com/kraasecurity
Data Breaches are still misunderstood
Jul 19th
The Ponemon Institute and Ounce Labs (www.ouncelabs.com) released a study on the view CEOs have regarding data protection in their environment. In the study of 213 CEOs and other senior executives, CEOs did not share the same view on how secure their organization is with their executives. 92 percent of respondents said they were attacks. Who has the more realistic view of data security? Could it also be the fault of the executives who usually do not share all the bad information with the CEO? That is probably part of the security education challenge the CEO faces.
The study also found that 33 percent of C-level executives replied that attacks happened “hourly or more often,” while only 17 percent of CEOs said the same thing. That’s a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously tactically speaking it fall under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens such as in the case of TJ Max, it’s the CEO who has to appear on television to explain what happened and answer to their customers.
How do you apply security metrics to report appropriately to the CEO? That magic “Dashboard” is what everyone is after and no one gets right. A good Compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). Its worth a look.
The category of technology CEO’s need to focus on these days is Data Loss Prevention (DLP). Every major company in security has a DLP product and the reason is probably because the education is finally in the market around the necessity of looking at all inputs and output of data in the organization. A data breach can be caused by lack of proper firewalls, no antivirus, no browser protection, not malware protection, lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows and what the data life cycle really means if they are to truly grasp the threat to their environment.
Prevention is really worth more than detection. If the CEO doesn’t bridge the gap to thinking they might be secure to understanding that they are under attack ever day and perhaps every minute, data breached will continue to occur.
Gary Bahadur
CEO KRAA Security, baha@kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Technorati Tags: data breach, data loss
HIPAA Assessments are the next wave
Jul 12th
In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable. CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS.
The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments.
There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.
For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place.
Regards
Gary Bahadur
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
US to set out cyber security plan -Baha to the rescue
May 29th
Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate “Hacking Lab” in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times.
So what can we expect from the Czar?
The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.
Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is “untenable”.
Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.
Good plan right?
My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.
We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUST have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.
Baha – new Cybersecurity Czar
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.
In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years.
In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said.
But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.
Recent Comments