Posts

Interesting New Numbers on Data Breaches – The Numbers Will Stack Up Against YOUR Company

From Eric Levy: ITAD Sales, EPC, Inc.

EPC, Inc, now in it’s 30th year of business, continues to be a centerpiece of information in regard to Data Security. We have been offering companies of all sizes options that ensure compliance with specific industry standards to help protect companies reputation and information. A recent article from DataBreaches.Net shows just how important it is to be compliant.

“Nearly 1 in 4 data breach letter recipients became a victim of identity fraud, with breaches involving Social Security numbers to be the most damaging.”

This is a staggering number and cannot be overlooked. That means that if your company had an “average sized” Data Breach from a mishandled asset or drive of 554 leaked names*, you would have 139 customers or clients that now have had their entire identity taken from them. This is a process that can take from 3-7 years to reclaim not to mention the untold number of dollars that it will cost YOUR COMPANY to make this happen.

The next time you have retired assets that your boss told you to “get rid of” don’t just think of your potential feel good moment of running into that boss’ office and telling him you got rid of all of those “old” computers and were able to do it for no money. Think about that boss’ reaction when you have to tell him the guy that did it for free just stole you client’s identities and you now have to deal with the absolute costs associated with a breach – along with the unknown costs of lost business. EPC offers true, peace of mind and for very little time on your part. We offer fluid solutions to fit any company in any industry.

Contact EPC and learn more about our Industry-leading Data Security operations. We would love to help you review your protocols to make sure you are compliant within your industry.

*The data to describe an average size breach is from 2012. We expect the average size of a breach to continue to grow exponentially for the foreseeable future.

Please feel free to contact EPC and learn more about our Industry leading Data Security operations. We would love to help you review your protocols to make sure you are compliant within your industry.

Playbook security hole makes personal information available

RIM PlaybookResearch in Motion just cannot catch a break with their tablet, the Playbook. Not only are sales lagging behind Apple and Android offerings, forcing RIM to cut pricing to $299; but now security researchers have discovered email and other personal information could be stolen via malware. The security weakness is exploited using Playbook Bridge, a software designed to link to a Blackberry phone via Bluetooth. While Bridge protects information in transit, a file readable by any native application on the Playbook contains the users BBM username and password. A rouge application could potentially read this file and use the contained credentials to retrieve any information stored in the user’s BBM account.

RIM has acknowledged the vulnerability and promised a fix in the upcoming Playbook OS 2.0 update, which is due to be released in early February 2011. RIM has also recommended that users avoid installing applications from untrusted sources, which will reduce the risk of exposure.

Source: CIO.com – Email, Personal Information on PlayBook Left Vulnerable to Hackers

Do you know who your friends are?

It sounds like a plot out of  a summer spy movie, but security researcher Thomas Ryan tested what would happen when posting a fake profile of a real-life Abby Scuito. The results? Over 300 “friends” in the military, information security, and intelligence fields, a few job offers, and invitations to security conferences.

Ryan, the co-founder of Provide Security, said the goal of the study was to determine how effective social networking sites like Facebook, Twitter, and LinkedIn would be as tools in covert intelligence-gathering activities. He crafted “Robin Sage”, a 25 year old Navy cyber threat analyst who graduated from MIT. Even though the profile had some red flags, like a 25 year old having “10 years experience,” it took less than a month to make connections with many in security related fields. Virtual friends shared photos, personal information, invited Robin to conferences, and a few even expressed interest in hiring her.

If Robin were a foreign agent, she would have had access to a lot of very useful information, said Ryan, who is scheduled to present his findings at the upcoming BlackHat security conference in Las Vegas.

Even if you are not in the spy game, what can you learn from this?

  • Like your momma said, “If it sounds too good to be true, it usually is.”
  • If you don’t know them, don’t friend them.
  • Always be mindful of how information posted online could be used against you by identity thieves. For example, how many answers to your security questions for your bank account can be gathered from your Facebook profile?

Social networking has the potential to bring friends together regardless of distance, just be careful who you invite to the party.

Article Inspiration: CIO.com – Fake ‘Femme Fatale’ Shows Social Network Risks

Dealing with password fatigue

How many passwords do you have? According to a study done by the NTA Monitor in 2002 the average computer user has 21 different passworded accounts. Twenty One! And that was before Facebook, Twitter, or any other social networking tool. I personally have well over 100 distinct account credentials on various websites and servers.

It’s no wonder that many users resort to picking easily guessed words, put passwords on sticky notes, or use the same password for every service out there. A recent study even indicates that IT security professionals are suffering from password fatigue.

Password Managers

One solution to password fatigue is using a password manager. Many operating systems, like OSX and Windows 7 even include password management tools within. My personal favorite is KeePass, an Open-Source manager that was developed for Windows, but has been ported to OSX and Linux.

The main drawback with password managers is that they require extra effort to maintain. Every time you create a new account or change a password on an existing account you have to keep your password manager in sync. Over time it is easy to have the wrong password on file, or worse, not have the password you need on file.

Password Schemes

An alternative to password management tools is coming up with a consistant scheme for generating new passwords. The idea is that if you use the same rule for generating passwords, you can figure out what the password would be.  One scheme is to use a base password, then append something related to the service. So for example, your base might be ‘asdf’. So if you were creating an account on Yahoo you might use the password ‘asdfyahoo’ or ‘yahooasdf’.

The drawback with this approach is that each site has its own password guidelines. Some require alpha and numeric characters, some require a combination of upper case and lower case, and others require extended characters like ‘$’ or ‘&’. Coming up with a scheme that supports all the requirements is a challenge. And what about services that require your password to change regularly. Either you have to create multiple base passwords or multiple service keywords – and once you do that you are back to keeping track of individual passwords.

Choosing Memorable Passwords

A third option is picking passwords that are easy to remember. The challenge is in picking a password that is both easy to remember and secure. For example, while everyone can remember ‘password,’ it is not a very secure choice.

One trick is to pick a phrase that can be remembered such as ‘The fox jumped over the tall hedge’ and use the first or last characters from each word. So in our example phrase you might use the passwords ‘tfjotth’ or ‘exdrele.’

While this approach makes passwords easier to remember, you still should not use the same password for every service, so it makes sense to pick a few phrases that can be remembered and cycle through them.

How do you deal with the many passwords in your life?

Links of the Week: Data Security Edition

There were some great articles on CIO.com this week relating to Data Security. Here they are plus a selection of the best IT Data Security articles in the last week:

  • Heartland CEO: QSAs Let Us Down
    In the review of what led to the Heartland credit card breach, Heartland’s CEO Robert Carr points to the PCI compliance auditors that passed the company before the breach – “PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.”
  • Opinion: Heartland CEO Must Accept Responsiblity
    A counter point to the previous article. Mike Rothman asserts that by attempting to blame the QSAs for the data breach they are learning nothing, and not addressing the root issue – “To be clear, you cannot outsource thinking. You cannot outsource security.”
  • 8 Dirty Secrets of the IT Security Industry
    Are IT Security vendors really interested in improving your network’s security? Joshua Corman from IBM’s Internet Security Systems division details 8 trends in the IT Security market that help undermine a network’s security.
  • Social Engineers’ 9 Favorite Pick-Up Lines
    Social Engineers leverage the trust people have in the familiar to gain access to facilities and networks. These 9 examples illustrate how easy it is for that trust to be abused. How many would you (or your employees fall for)?
  • Hackers have Social Networking sites in their crosshairs
    In a recent study Breach Security, hackers are attacking Social Networking sites with increased frequency, accounting for 19% of online attacks in 2009.
  • Twitter used to control botnet
    It was a matter of time, but Jose Nazario of Arbor Networks discovered a botnet that used Twitter for its command and control infastructure. While the account in question is obviously not a person, how long before a botnet writer creates an account that looks legitimate at first glance?

Buy a used hard drive on eBay, get government secrets for free!

Imagine it, you purchased a computer on eBay, plug it in, and find top secret missle defense secrets. What would you do? This is the situation a research group at Longwood University found themselves in after purchasing a used hard drive from the popular auction site.

This hard drive reportedly contained files from Lockheed Martin, a large US military contractor. The data recovered included: test launch procedures for the Terminal High Altitude Area Defense (THAAD) ground-to-air missile defense system, security policies, blueprints of facilities and social security numbers for individual employees.

A representative from Lockheed Martin is quoted in the article as saying:

Lockheed Martin is not aware of any compromise of data related to the Terminal High Altitude Area Defense program. Until Lockheed Martin can evaluate the hard drive in question, it is not possible to comment further on its potential contents or source.

Fortunately, this drive as purchased as part of a controlled study to see what information could be recovered from used hard drives and did not fall into the wrong hands. The study also uncovered other sensitive information including bank account details, medical records, confidential business plans, financial company data, personal id numbers, and job descriptions.

The drives were bought from the UK, America, Germany, France and Australia by BT’s Security Research Centre in collaboration with the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US.

A spokesman for the project said they found 34 per cent of the hard disks scrutinized contained ‘information of either personal data that could be identified to an individual or commercial data identifying a company or organization.’

Even though the information in this case did not fall into the wrong hands, this story illustrates the importance of having a controlled data destruction process in every organization. Ask yourself this: can you track every computer, every hard drive after it is pulled from production? Do you know for a fact that every hard drive is wiped or destroyed? If you cannot answer yes to both questions, you owe it to yourself to work with a vendor that can fill this gap.

A hat tip to ExportLawBlog for their analysis of the incident.

Stimulus Bill significantly modifies HIPAA regulations

Buried within the huge American Recovery and Reinvestment Act (a.k.a, the “Stimulus Bill”) are a few changes to HIPAA’s Privacy and Security Rules, increasing the scope of coverage to include Business Associates. This means data security providers, contractors, and partners can be directly fined for informational security breaches that occur on their watch. The bill also increases the penalties for some of the violations.

Previously, Business Associates were required to comply only with a written business associate agreement. Now Business Associates are subject to many of the same requirements hospitals and medical providers are. They will be required to appoint a security official, develop written policies and procedures pertaining to data leakage, and training its workforce in electronic data protection.

In addition, breach notification requirements were increased. If a breach occurs, the specific business entity that has the breach will be required to notify every individual affected by the security breach. If current contact information is not available, the entity may be required to post notification on their website or in some other broadcast medium (television, newspapers). The bill also provides for the creation of a website by the Health and Human Services department to list information about these breaches.

Source: Stimulus Bill dramatically modifies HIPAA rules