<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; Business identity theft</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/business-identity-theft/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>‘Tis the season for National Identity Theft Prevention and Awareness</title>
		<link>http://www.experian.com/blogs/data-breach/2012/12/04/tis-the-season-for-national-identity-theft-prevention-and-awareness/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/12/04/tis-the-season-for-national-identity-theft-prevention-and-awareness/#comments</comments>
		<pubDate>Tue, 04 Dec 2012 18:38:12 +0000</pubDate>
		<dc:creator>mbruemmer</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1844</guid>
		<description><![CDATA[December is not only the shop ‘til you drop season, it’s also National Identity Theft Prevention and Awareness month, reminding retailers and businesses that they need to not only protect themselves from a data breach but also make their employees aware of identity fraud scammers who target seasonal help.  According to the Federal Trade Commission, [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/tis-the-season-identity-theft1.jpg"><img class="aligncenter size-full wp-image-1849" title="tis-the-season-identity-theft" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/tis-the-season-identity-theft1.jpg" alt="" width="400" height="311" /></a></p>
<p>December is not only the shop ‘til you drop season, it’s also National Identity Theft Prevention and Awareness month, reminding retailers and businesses that they need to not only protect themselves from a <a href="http://www.experian.com/blogs/data-breach/2011/10/25/your-biggest-data-breach-risk-may-be-on-your-payroll/">data breach</a> but also make their employees aware of <a href="http://www.experian.com/blogs/data-breach/2012/03/05/extended-fraud-resolution-is-the-new-standard/">identity fraud</a> scammers who target seasonal help.  According to the Federal Trade Commission, <a href="http://www.experian.com/blogs/data-breach/2012/08/21/three-things-you-should-never-do-to-identity-theft-victims/">identity theft</a> is the number one type of consumer fraud in the U.S., resulting in about 9 million people annually having their identity stolen.  In 2011, eight percent of reported identity theft incidents were employment-related.  Thieves usually exploit their victims by impersonating them after stealing their Social Security number and credit card information or worse, selling valuable Social Security numbers on the black market.</p>
<p>Companies need to protect themselves from an identity theft “double whammy” in which cyber thieves attack hiring employers and job applicants at the same time through online job scams.  Fraudsters first pose as representatives of a legitimate business and post fake job listings, sometimes even going so far as to create bogus websites in order to steal the personal information of potential employees.  Cyber thieves take advantage of the fact that job seekers are often desperate for work and will give out personal information willingly in exchange for potential employment.</p>
<p>Here are some tips for employers to minimize data breaches when hiring:</p>
<p>1)       Avoid using Social Security numbers to identify applicants.</p>
<p>2)       Collect only essential personal information needed for the job application.</p>
<p>3)       Shred unnecessary documents on non-hired applicants and former employees, including temps and contract workers.</p>
<p>4)       For existing employees, do not keep medical records, EEO data, immigration forms and background check information in personnel files.</p>
<p>5)       Have a data breach response and notification plan in place. Act quickly if a data breach occurs.</p>
<p>Data security experts warn that simply having data protection and security policies is not enough.  The policies need to be taken seriously by everyone at the company, and the regulations need to be firmly enforced.  In addition, the repercussions and cost of a data breach need to be explained to employees at every level, since companies can be held liable for negligence in handling personal data and fined by the FTC and other government agencies.  All departments, including human resources and accounting, should be well trained in identity theft protection procedures and data security policies.  Employees who have access to personnel data should be carefully screened and pass a security clearance.  Businesses should also periodically review their data storage processes and determine whether or not to keep the information and how to keep it protected.</p>
			]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/12/04/tis-the-season-for-national-identity-theft-prevention-and-awareness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber thieves target retailers during the shop ‘til you drop season</title>
		<link>http://www.experian.com/blogs/data-breach/2012/11/20/cyber-thieves-target-retailers-during-the-shop-til-you-drop-season/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/11/20/cyber-thieves-target-retailers-during-the-shop-til-you-drop-season/#comments</comments>
		<pubDate>Tue, 20 Nov 2012 18:58:17 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Verizon]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1813</guid>
		<description><![CDATA[As we approach another season of shopping and consumerism, the retail industry should pay strict attention to the findings in the latest Verizon Data Breach Investigations Report (DBIR), an annual data breach information study conducted by the Verizon RISK Team (VERIS) with participation from the U.S. Secret Service and international national cyber security agencies in [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/11/cyber-thieves-target-retailers2.jpg"><img class="aligncenter size-full wp-image-1820" title="cyber-thieves-target-retailers" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/11/cyber-thieves-target-retailers2.jpg" alt="" width="380" height="250" /></a></p>
<p style="text-align: left;">As we approach another season of shopping and consumerism, the retail industry should pay strict attention to the findings in the latest <a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf" class="broken_link" rel="nofollow">Verizon Data Breach Investigations Report</a> (DBIR), an annual <a href="http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/">data breach information</a> study conducted by the Verizon RISK Team (VERIS) with participation from the U.S. Secret Service and international <a href="http://www.experian.com/blogs/data-breach/2012/07/24/top-5-cyber-security-threats-to-future-of-mobile-banking/">national cyber security</a> agencies in Australia, Holland, Ireland, and Britain. The study analyzed forensic evidence to examine how <a href="http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/">data breaches</a> occurred in organizations, who caused the breaches, why they did it, how the victims responded, and how the breaches could have been prevented.</p>
<p>The 2012 DBIR focused on the retail industry, which for the past two years has ranked second only to hotel and food services as the business most plagued with data breaches.  The main reason for the high rankings of these two trades is that they use point of sale (POS) systems to conduct daily business activities, making them prime targets for criminals that exploit POS systems with weak security.  Point of sale generally refers to when money is transacted in exchange for goods or services. Retailers are especially easy targets for cyber criminals, who can hijack credit card information from long distances, and these kinds of attacks are low risk for the criminals, who often disappear long before a data security breach is discovered.  In addition, fraudsters prefer to target small to medium businesses, such as franchise owners, that lack the resources and/or expertise to manage their own cyber security.</p>
<p>VERIS defines threat agents as the cause of data breach incidents and categorizes them as external (originating outside the victim organization), internal (originating inside the victim organization) or partner (any third parties who share a business relationship with the victim).  The report found that external threat agents were the most prolific, with the majority of attacks originating from Eastern Europe, a hotbed of organized cyber crime.  Internal threats made up a smaller percentage of incidents and often involved criminals coercing retail staff to help them by either using a remote skimming device or swapping legitimate PIN entry devices and POS terminals with identical, counterfeit replacements that are rigged to capture payment card data.</p>
<p> Even though these cyber thieves can be insidious, especially during a busy holiday season, retailers can protect themselves by following a few simple data breach protection practices:</p>
<p>1)      Change passwords consistently on all POS systems since hackers constantly scan the web for passwords that are easy to guess.</p>
<p>2)      Implement a firewall on remote access/administration services.  </p>
<p>3)      Do not use POS systems to access the internet.</p>
<p>4)      Make sure your POS system is compliant with the Payment Card Industry Data Security Standard (PCI DSS), an information security standard for businesses that handle credit card information.</p>
			]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/11/20/cyber-thieves-target-retailers-during-the-shop-til-you-drop-season/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BYOD leads to data breaches in the workplace</title>
		<link>http://www.experian.com/blogs/data-breach/2012/11/01/byod-leads-to-data-breaches-in-the-workplace/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/11/01/byod-leads-to-data-breaches-in-the-workplace/#comments</comments>
		<pubDate>Thu, 01 Nov 2012 16:38:59 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Data Security]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1738</guid>
		<description><![CDATA[While technology undoubtedly has made accessing medical information much easier and faster, it has also provided an increased potential for medical data breaches, especially as health personnel begin to use unsecure mobile devices for personal and work use.  With an increase in health care employees using their own tablets and smartphones in the [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"> <a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/11/byod.jpg"><img class="aligncenter  wp-image-1741" title="byod" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/11/byod.jpg" alt="" width="512" height="329" /></a></p>
<p>While technology undoubtedly has made accessing medical information much easier and faster, it has also provided an increased potential for <a href="http://www.experian.com/blogs/data-breach/2012/05/02/medical-and-mobile-convenience-trumps-security/">medical data breaches</a>, especially as health personnel begin to use unsecure mobile devices for personal and work use.  With an increase in health care employees using their own tablets and smartphones in the workplace, many healthcare companies are considering adopting a Bring Your Own Device (BYOD) policy.  However, many companies have failed to implement mobile <a href="http://www.experian.com/blogs/data-breach/2012/07/31/three-data-protection-strategies-to-catch-a-phish/">data breach protection</a>, breaking the HIPAA Security Rule, which requires healthcare companies to perform a risk analysis of the processes by which they protect the confidentiality of electronic patient health information maintained by their organization.  Companies are required to use the information gathered from the analysis to take measures to ensure the confidentiality of patient data and to reduce risks to a reasonable level.  If companies don’t comply and there is a <a href="http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/">data security breach</a>, they can be heavily fined by the U.S. Department of Health &amp; Human Services.</p>
<p>Just recently, a teaching hospital and medical practice associated with a large university was fined $1.5 million in a <a href="http://www.experian.com/blogs/data-breach/2012/05/15/healthcare-breaches-fraud-are-here-to-stay/">data breach</a> of patient information when a laptop computer containing unencrypted data on 3,621 patients and research subjects was stolen.  Hospital and practice officials were found guilty of violating the HIPAA Security Rule by not implementing <a href="http://www.experian.com/blogs/data-breach/2012/04/03/the-rx-for-medical-breaches/">data protection and security</a> on their mobile devices.  The loss of laptops, cell phones and portable storage gadgets like thumb drives has already cost insurance companies, drugstores, medical practices and even a government health and social services department millions of dollars in fines.</p>
<p>Unfortunately, this troubling trend doesn’t just affect the medical industry.  In August 2012, Coalfire (a firm that provides IT audit and risk assessment) surveyed 400 individuals across North America covering a variety of industries about their company’s mobile device security practices. The data revealed that many organizations lack policies addressing mobile <a href="http://www.experian.com/blogs/data-breach/2012/10/09/cyber-security-escalates-in-importance/">cyber security threats</a>.</p>
<p><strong>Key statistics from the survey:</strong></p>
<ul>
<li>84 percent use the same smartphone for personal and work usage.</li>
<li>47 percent don’t have a password on their mobile phone.</li>
<li>51 percent said their companies cannot remotely wipe data from mobile devices if they are lost or stolen.</li>
<li>49 percent said their IT departments have not discussed mobile/cyber security with them.</li>
</ul>
<p>Clearly, companies are not doing enough to protect themselves and their employees from the expensive <a href="http://www.experian.com/blogs/data-breach/2011/08/16/the-dollars-of-a-data-breach/">cost of a data breach</a>.  As mobile devices become popular and less expensive, workers will naturally want to use them for their jobs.  Therefore, it is prudent for companies to adopt <a href="http://www.experian.com/blogs/data-breach/2012/09/11/when-are-small-businesses-too-small-for-data-breach-never/">business data breach</a> protection and security policies to protect not only their company data but also their pocketbook.</p>
			]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/11/01/byod-leads-to-data-breaches-in-the-workplace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Share National Internet Safety Month with every employee</title>
		<link>http://www.experian.com/blogs/data-breach/2012/06/12/share-national-internet-safety-month-with-every-employee/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/06/12/share-national-internet-safety-month-with-every-employee/#comments</comments>
		<pubDate>Tue, 12 Jun 2012 15:50:14 +0000</pubDate>
		<dc:creator>mbruemmer</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1340</guid>
		<description><![CDATA[Internet safety isn’t just for the employees who handle your most sensitive data. It’s for each and every one. With June being National Internet Safety Month, it’s the perfect time to brush up on exactly what that means for your employees and business. In a recent study, 78% of organizations had experienced at least one [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/06/laptop-image.jpg"><img class="aligncenter size-full wp-image-1345" title="Man's hands on the keyboard of laptop" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/06/laptop-image.jpg" alt="" width="425" height="282" /></a></p>
<p>Internet safety isn’t just for the employees who handle your most sensitive data. It’s for each and every one. With June being National Internet Safety Month, it’s the perfect time to brush up on exactly what that means for your employees and business.</p>
<p>In a recent study, 78% of organizations had experienced at least one data breach due to the actions of a careless or malicious employee.<sup>1</sup> It’s important to <a title="Your biggest data breach risk may be on your payroll" href="http://www.experian.com/blogs/data-breach/2011/10/25/your-biggest-data-breach-risk-may-be-on-your-payroll/">educate and empower your employees </a>to do their part for data security, and that means being safe online.</p>
<p>Anyone who uses the Internet in your office needs to be mindful of Internet safety. Even if someone doesn’t handle sensitive data directly, his/her actions could infect your network with a virus that leads to data loss.</p>
<p>One of the obstacles to Internet safety is that cyber risk is so intangible it doesn’t seem like an immediate threat at all.  In reality, cyber threats are often the opposite. A virus could slowly siphon data from your network for weeks, months or longer without anyone knowing.</p>
<p>Because cyber risk is often veiled, regular educational sessions with your employees are vital. Be sure they know and follow your Internet usage policy. Don’t have one in place? National Internet Safety Month is the perfect time to organize and implement your guidelines. You can find examples online to help shape your own policies.</p>
<p>Here are a few things to consider addressing:</p>
<p>Personal Internet Use<br />
Blocking employees from logging in and using their personal accounts at work isn’t just an issue of lost productivity. It’s also a security issue. Links, videos and attachments online and in emails can contain unseen threats, such as a virus or malware that undermines the security of your data. That could include your employees’ own personal data. Be sure they understand that the precautions are for their benefit as well as for the stability of the business and their jobs. You can use the honor system for off-limit sites or use software that blocks unsecure and other URLs.</p>
<p>Software Downloads<br />
Have your IT team handle all software downloads and ensure operating systems and software are updated regularly. Automatic updates implemented across the entire network at once help ensure there isn’t a weak link, an outdated computer, in your system. Again, you can use the honor system and ask employees not to install any software themselves or block them from doing so for added security. After all, accidents and human error do occur.</p>
<p>Email Dos and Don’ts<br />
Some employees handle a hundred or more emails a day. Considering the high volume and the ease of communicating by email, mistakes are bound to occur. Sensitive data sent to the wrong email address could be detrimental for your business and customers. Be sure your employees understand what type of data is and isn’t permissible to send by email, and that they don’t open any attachments, click on any links or respond to any requests for sensitive data if the source is not verified.</p>
<p>As part of your Internet usage policy and National Internet Safety Month, impress on your staff the importance of not only being mindful and careful but also sounding the alarm when anything goes wrong. The sooner you know about threats to your network, the sooner you can protect your data and business.</p>
<p>1 The Human Factor in Data Protection, Ponemon Institute (2012)</p>
			]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/06/12/share-national-internet-safety-month-with-every-employee/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Big data can mean big breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/#comments</comments>
		<pubDate>Tue, 27 Mar 2012 08:20:33 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[big data]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1042</guid>
		<description><![CDATA[As companies accumulate vast amounts of data to improve their business intelligence, the risks of data breaches accumulate accordingly.  While organizations are rapidly increasing their ability to store, process and analyze huge amounts of information collected from social networks, sensors, IT systems and other sources, they’re often failing to consider that much of this data [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/big-data1.jpg"><img class="size-full wp-image-1051 alignnone" title="big-data" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/big-data1.jpg" alt="" width="491" height="369" /></a></p>
<p>As companies accumulate vast amounts of data to improve their business intelligence, the risks of <a title="Consequences following a data breach" href="http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/" target="_blank">data breaches </a>accumulate accordingly.  While organizations are rapidly increasing their ability to store, process and analyze huge amounts of information collected from social networks, sensors, IT systems and other sources, they’re often failing to consider that much of this data can be personal, sensitive and subject to regulation.  A recent Forrester report highlights the escalating security threats of this sort of “big data processing,” meaning the tools and techniques that handle extreme data volumes and formats.</p>
<p style="text-align: left;">The report underscores the importance of identifying the “toxic data” within these big data stores &#8211; in other words, the kind of data that will spell big trouble if it slips from an organization’s control.  This includes credit card numbers, <a title="Ensuring the security of personal identifiable information " href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personally identifiable information </a>(PII) like Social Security Numbers, and <a title="Help your customers protect their PHI" href="http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/" target="_blank">personal health information</a> (PHI) — and sensitive intellectual property, including business plans and product designs.  This is, of course, exactly the type of data that hackers and fraudsters are eager to steal.  Further, big data can include information that companies control but don’t own, such as customer and business partner data.  Big data can make a thief’s job easier by concentrating disparate toxic data in one place.</p>
<p style="text-align: left;">Forrester suggests a framework to help security and risk professionals control big data:</p>
<p style="text-align: left;">1) <em>Define the data</em></p>
<p style="text-align: left;">Data discovery locates and indexes big data, while data classification catalogs data to make it easier to control. Classify data based on toxicity, which will determine where it is stored.  Implement strong policies regarding data handling, storage, and records management, which will preclude the storage of sensitive information on laptops and mobile devices.  Security professionals must continuously discover and classify data as users create it throughout the organization’s network.</p>
<p style="text-align: left;">2) <em>Dissect and analyze the data</em></p>
<p style="text-align: left;">Experts can extract important data from big data sets that will help protect corporate assets; in other words, big data can be used to protect big data.  Analyzing this information is helpful in understanding how to protect big data.</p>
<p style="text-align: left;">3) <em>Defend and Protect the data.</em></p>
<p style="text-align: left;">Limit access to all resources, strictly controlling the number of people that can access data and continuously monitoring those users’ access levels throughout their employment.  Inspect data usage patterns so that you can detect potential abuses.  Dispose of data when it’s no longer needed, and “kill” data  &#8211; using data abstraction techniques such as <a title="Encryption: Data's best friend" href="http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%E2%80%99s-best-friend/" target="_blank">encryption</a>, tokenization, and masking &#8211; to devalue it for use on the <a title="8 insights to the underground fraud economy" href="http://www.experian.com/blogs/data-breach/2011/05/24/8-insights-into-the-underground-fraud-economy/" target="_blank">underground market</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Infographic: Unlock data breach facts</title>
		<link>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/#comments</comments>
		<pubDate>Mon, 12 Mar 2012 17:12:33 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1071</guid>
		<description><![CDATA[Tweet]]></description>
			<content:encoded><![CDATA[
<div style="text-align: center;"><div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Ponemon Aftermath Study" href="http://www.experian.com/innovation/business-resources/aftermath-after-data-breach.jsp?WT.srch=ecd_dbres_blog_031212_article "> Download the Ponemon Aftermath Study</a> to learn what companies experience following a data loss</div></div></div>
<div style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/UnlockDateBreachFacts2.jpg"><img class="aligncenter size-full wp-image-1079" title="UnlockDateBreachFacts" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/UnlockDateBreachFacts2.jpg" alt="" width="466" height="816" /></a></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Expanding the scope of security testing</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 18:37:33 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cloud services]]></category>
		<category><![CDATA[continual testing]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=967</guid>
		<description><![CDATA[Continual testing is one of the main tenets of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg"><img class="aligncenter size-full wp-image-976" title="Secure Network" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg" alt="" width="432" height="324" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of </em><a title="Security Constructs" href="http://www.securityconstructs.com/" rel="nofollow" target="_blank" class="broken_link"><em>Security Constructs LLC</em></a><em>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>Continual testing is one of the main tenets of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.</p>
<p>To broaden that scope, today security and risk professionals are taking a cue from software engineers and using a type of testing known as attack surface analysis. Rather than focusing on a specific point in time like the penetration test, this test views the network as a fluid system.</p>
<p>Attack surface analysis uses an entry and exit point framework to identify the full extent of a system’s attack surface.  This analysis is done on either computing or business process resources. In either instance, the entry/exit points of a system are the ways through which data (or hackers) enters or leaves a system and are the basis for attacks.</p>
<p>Some attacks may even use both computing process and business process entry/exit points. For example, a hacker goes to a department store and applies for a job. While there, he inserts a USB thumb drive loaded with malware or auto-execute code into an unprotected USB slot on a nearby computer.</p>
<p>The malicious code executes and gives him a foothold into the enterprise systems that he can then exploit remotely. In this scenario, the hacker has essentially completed an attack surface analysis on the store’s business process and located an unprotected USB slot. He has also done the same for the computing process though, in this scenario, he has created a new attack surface rather than using part of the existing one.</p>
<p>As a CISO, I identify the most important data sets and map the attack surfaces to those data sets. For example, the personally identifiable information (PII) of your employees may be of primary concern to your enterprise. To conduct an attack surface analysis, I would look at the systems that contain this data AND how and by whom that data is used. Is the data static or does it move between enterprise systems? If so, what are the business processes that require this data movement and what are the pipelines through which it moves? Viewed in this fashion I see a more fluid attack surface with connected entry and exit points – not just a single one at a time.</p>
<p>Fortunately there are tools to assist with the process. As more and more enterprises use cloud-based or Web-based services, we can take advantage of the Open Web Application Security Project (OWASP) framework for Web applications. <a title="Open Web Application Security Project" href="https://www.owasp.org/index.php/Main_Page" rel="nofollow" class="broken_link">OWASP</a> is highly respected in the information security space. Its open source tools identify all entry points into a program but do so in a well-structured manner that encourages analysis. It maps both roles and resources to each entry point. It is designed to be used throughout the lifecycle of the system under review. I use the concepts of OWASP to map roles and resources for the supporting business processes of these same applications.</p>
<p>For a more risk-based view of attack surface analysis, I use the Open Source Security Testing Methodology Manual (OSSTMM) tool, run by Pete Herzog and his team in Spain. It is exactly what it states – an open source community providing an entire security testing framework. OSSTMM is the tool created and maintained by the Institute for Security and Open Methodologies (<a title="Institute for Security and Open Methodologies Manual" href="http://www.isecom.org/research/osstmm.html" rel="nofollow" class="broken_link">ISECOM</a>). I&#8217;ve personally used this framework for many years in a wide range of enterprises. Its beauty is the completeness of the OSSTMM, with its framework, templates, worksheets and Risk Assessment Value (RAV) spreadsheet.</p>
<p>The RAV is what assists us in attack surface analysis. The RAV provides a mechanism where you can place risk values for all of the computing and business process attack entry/exit points. The RAV spreadsheet then provides an overall risk score that aids in prioritizing your attack surface resolution action plan. While the risk scores may not be perfect at times, the RAV is an excellent tool to guide your actions and give you a more holistic view of your system and its weaknesses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five top trends in security threats</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 18:09:30 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=941</guid>
		<description><![CDATA[Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie. ]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/crime-scene-data-security.jpg"><img class="aligncenter size-full wp-image-944" title="crime-scene-data-security" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/crime-scene-data-security.jpg" alt="" width="500" height="375" /></a></p>
<p>Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study <a title="Symantec Security Threat Report" href="http://www.symantec.com/threatreport/topic.jsp?id=highlights" rel="nofollow" target="_blank" class="broken_link"> Internet Security Threat Report </a>offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.</p>
<p>According to Symantec, here are the top five threats to beware of:</p>
<p>1. Targeted attacks continue to evolve.  While <a title="Blog Post - How hackers find their targets" href="http://www.experian.com/blogs/data-breach/2011/09/06/how-hackers-find-their-targets/" target="_blank">targeted attacks </a>on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.</p>
<p>2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called <a title="Blog post - Tips to implement an effective social media policy" href="http://www.experian.com/blogs/data-breach/2011/07/05/tips-to-implement-an-effective-social-media-policy/" target="_blank">social engineering attacks </a>are becoming more sophisticated and harder to detect.</p>
<p>3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks is worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.</p>
<p>4. Attack kits get a caffeine boost.  Hackers are profiting from security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.</p>
<p>5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a <a title="Blog post - mobile smishing attacks are on the rise" href="http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/" target="_blank">platform for fraud</a>.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.</p>
<p>Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/31/five-top-trends-in-security-threats/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;Tis the season for data privacy</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 22:10:50 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=927</guid>
		<description><![CDATA[As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks. ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/dataFirewall.jpg"><img class="aligncenter size-full wp-image-935" title="dataFirewall" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/dataFirewall.jpg" alt="Data firewall" width="448" height="336" /></a></p>
<p>It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.</p>
<p>OK, perhaps it isn’t exactly Christmas, but <a title="Data Privacy Day Organization Website" href="http://www.staysafeonline.org/dpd" target="_blank" class="broken_link" rel="nofollow">Data Privacy Day</a> &#8211; observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.</p>
<p>As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which <a title="Blog about PII" href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personal information</a> is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from <a title="2011 Breach Overview" href="http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/" target="_blank">risks</a>.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.</p>
<p>Since privacy is our shared responsibility, how can you contribute to this security festivity?  Train your employees, or consider hosting an event or sponsoring NPD.  If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your <a title="HOw to update facebook privacy settings" href="http://computer.howstuffworks.com/internet/tips/how-to-update-your-facebook-privacy-settings.htm" target="_blank" class="broken_link" rel="nofollow">Facebook privacy settings</a>, resources such as videos on how to protect your personal information and privacy, as well as <a title="Safetyweb" href="http://www.safetyweb.com/" target="_blank" class="broken_link" rel="nofollow">your children&#8217;s</a>.  Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to  <a title="Data Privacy Day Website" href="http://www.dataprivacyday.org" target="_blank" class="broken_link" rel="nofollow">www.dataprivacyday.org</a>.</p>
<p>And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resources for managing your enterprise security and privacy risk in the new year</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 08:00:57 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=901</guid>
		<description><![CDATA[Here’s a look at some of the resources I find useful in testing and training for a data breach.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg"><img class="aligncenter size-full wp-image-902" title="Data locked" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg" alt="" width="518" height="337" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of <a title="Security Constructs" rel="”nofollow” nofollow" href="http://www.securityconstructs.com/about.htm" target="_blank" class="broken_link">Security Constructs LLC</a>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>I&#8217;ve been actively involved in InfraGard for many years. InfraGard is a public/FBI partnership with a primary mission of protecting critical infrastructure.  Because of this partnership, I began to wonder if the U.S. government had anything I could leverage in my own business operations. The answer is, “yes.”</p>
<p>I&#8217;ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don&#8217;t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.</p>
<p>Here’s a look at some of the resources I find useful in testing and training for a data breach:</p>
<p><strong>NIST Computer Security Handling Guide</strong><br />
In the back of this document (Special Publication 800-61) are tabletop exercises to help train your incident response team. While a bit limited in scope, they are an excellent starting point at no cost to you.</p>
<p><strong>DHS/FEMA Certified Cyber Security Training</strong><br />
The online Domestic Preparedness Campus is a portal for 10 courses that address three demographics of your enterprise: Non-technical, Technical and Business Professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.</p>
<p>The different courses include:</p>
<ul>
<li>Information Security for Everyone</li>
<li>Cyber Ethics</li>
<li>Cyber Law and White Collar Crime</li>
<li>Information Security Basics</li>
<li>Secure Software</li>
<li>Network Assurance</li>
<li>Digital Forensics Basics</li>
<li>Business Information Continuity</li>
<li>Information Risk Management</li>
<li>Cyber Incident Analysis and Response</li>
</ul>
<p><strong>Homeland Security Exercise and Evaluation Program </strong></p>
<p>This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.</p>
<p>In total, they offer seven exercise types broken down into training and operational exercises.</p>
<p><em>Training Exercises</em><br />
1. Seminar &#8211; A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.<br />
2. Workshop &#8211; A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.<br />
3. Tabletop Exercise (TTX) &#8211; A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting.<br />
4. Games &#8211; A game is a simulation of operations that often involves two or more teams, usually in a competitive environment using rules, data and procedures designed to depict an actual or assumed real-life situation.</p>
<p><em>Operations-based Exercises </em><br />
5. Drill &#8211; A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.<br />
6. Functional Exercise (FE) &#8211; A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any &#8220;boots on the ground.&#8221;<br />
7. Full-Scale Exercises (FSE) &#8211; A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and &#8220;boots on the ground&#8221; response.</p>
<p><em>Cyber Storm</em><br />
<a title="Cyber Storm" rel="nofollow" href="http://www.dhs.gov/files/training/gc_1204738275985.shtm" target="_blank" class="broken_link">Cyber Storm</a> is a biennial exercise that provides the framework for a government-sponsored cybersecurity exercise. It is a combination of international government agencies, national and state government agencies and private industry. Its stated aims are to:</p>
<ul>
<li>“Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects</li>
<li>Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures</li>
<li>Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information</li>
<li>Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”</li>
</ul>
<p>Cyber Storm III was used to hone and tune the latest U.S. National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors. It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the &#8220;boots on the ground&#8221; hub for national <a title="Cyber Security Facts" href="http://www.experian.com/data-breach/cyber-security.html" target="_blank">cybersecurity</a> coordination.</p>
<p>Managing your enterprise security and <a title="Data Breach Resources" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">privacy</a> risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now, but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There is a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>