Human errors are the most common threats to exposing a person’s personal information to data breaches according to an analysis of reported data breaches by Rapid7, a security intelligence company. Rapid7 compiled the data breach information for the report based on the number of reported public information data breaches from January 2009 to May 2012 in the Chronology of Data Breaches maintained by the Privacy Rights Clearinghouse, a nonprofit privacy advocacy group.

The data breach statistics from the report totaled 268 incidents affecting 94 million people.  The biggest factor responsible for the largest number of breaches of data was unintended disclosure due to negligence and clerical errors. 78 incidents led to exposing almost 12 million records of private information.  The next highest number was 51 incidents due to the loss of a portable data storage device which resulted in breaching almost 82 million personal records.  Hacking was low on the list, adding up to 40 incidents exposing about 1 million records.   

What can be done about this alarming problem?

Security experts advise implementing nationally mandated data breach protection protocols and developing effective breach response programs in conjunction with cyber security training for employees who handle sensitive public data.  Employing technology such as encryption is another method to counter human error since it is inexpensive, simple to administer and highly effective in protecting data.  Using management software that can track and monitor which devices are being used, monitor downloaded data and has the ability to remotely wipe the memories of lost or stolen devices is another data protection tool.

Some experts even go so far as to suggest that all these initiatives need to be backed by a law that punishes workers who fail to follow these protocols with either firing them from their jobs or jail time, depending on the severity of the data breach.  The bottom line is that protecting the public’s most private information is serious business and those who are entrusted with such sensitive information need to recognize that they have a responsibility to protect the public’s privacy.  And in turn, it’s a responsibility that we, the people must ensure that they take seriously.

According to EMC’s November 2012 fraud report, online holiday shopping is projected to account for 24% of the year’s total  e-commerce sales which is good news for retailers and unfortunately, it can also be good news for online con artists.  If 2012 is anything like 2011, retailers will need to increase their data protection and security measures in order to avoid illegal online activity.  Of the 1.4 billion dollars spent in online sales during 2011’s holiday shopping season (November 1 to December 31), $82 million of those dollars were identified as fraudulent, resulting in a 219% increase from 2010.  Cyber Monday alone accounted for $2.5 million of online fraud.

Most web-based fraud activity is due to stolen credit cards and since identity theft is at an all time high, online merchants of all sizes need to implement fraud protection procedures and be proactive in watching for signs of unscrupulous activity.  Early detection is the key to stopping con artists who like to prey on new, inexperienced online businesses.  However, if they discover a merchant has implemented active data security procedures, fraudsters generally won’t waste their time and will most likely move on to their next victim.  The best way for businesses to protect themselves from fraud is to be diligent in watching out for signs of suspicious activity.  These include bulk orders for items that are not usually bought in bulk, orders for multiple high end items, international orders and several orders placed by the same person within a short time.  Con artists try to make as many purchases as possible before a fraud alert is sent to the real owner so they tend to order as much merchandise as they can.

Although it’s impossible to erase online credit card fraud, here are several strategies to reduce it:

1. Use an Address Verification Service (AVS) to make sure the billing address entered online matches the cardholder’s billing information. Institute a policy that merchandise will not ship unless the addresses match.
2. Always ask for the Card Verification Number (CVN) on all credit card orders. The number must be read from the actual card so more than likely the person has the card in his possession. Although it’s not a guarantee that he is its rightful owner, this step provides a small measure of protection.
3. Send a confirmation email or letter to customers when you send an item telling them their order has shipped and when they can expect it to appear on their bill. This can help flag any illegal activity and enable the customer to report credit fraud to the proper authorities before the perpetrator has a chance to do any further credit damage. It will also help businesses to reduce complaints and chargebacks from people who sometimes simply forget they placed an order.

Retailers should keep in mind that once an order has been sent, it is very difficult to regain any loss so prevention is the number one way to combat online fraud.

Smaller business, bigger risks

Perhaps not so surprisingly, researchers also uncovered a greater prevalence of human factor risks among small to medium sized businesses (SMBs), compared with enterprise-sized organizations. In every risk factor category polled, SMBs fared worse than their larger counterparts–as high as 19% worse, in such basic breach prevention measures as:

• Credential management (changing usernames/passwords frequently)
• Deleting spammy or suspicious email attachments
• Avoiding websites deemed by management as ‘off limits’
• Secure, responsible use of social media
• Masking computer screens in public venues
• Deleting unused data files and performing regular backups

Staying off the evening news

Headlines constantly remind us why businesses—large and small—need to be proactive and intentional about deterring outside threats. But, as the study shows, internal policies and practices may also need attention.

Ponemon experts suggest these measures to mitigate insider risk:

• Increase security awareness. Spend more time educating employees (and anyone with insider access) about breach prevention and security best practices.
• Audit your policies. Regular reviews of data protection and governance policies can expose previously hidden gaps and vulnerabilities. Update policies to require immediate reporting of a lost or stolen laptop or mobile device.
• Neutralize the social media threat. Create or strengthen policies that explicitly govern the use of social media at work.
• Review credentials. Ensure that those who have privileged data access really need it, and regularly remind users of their personal charge to handle data responsibly.

Poet Alexander Pope reminds us that to err is human. With greater security awareness and training, companies can reduce the risks that human errors cause. And that’s good news for everyone.

Like Blanche Dubois in A Streetcar Named Desire, we’d all like to think that we can depend upon the kindness of strangers.  Unfortunately, Symantec recently reminded us (in case there was any doubt) that strangers are bound to let you down.

In its Smartphone Honey Stick Project, Symantec intentionally “lost” 50 smartphones, all programmed with fake corporate and personal information.  The phones included a tracking device so Symantec could monitor what happened once the devices were found.  The purpose of the test was to assess the human threats to a lost smartphone’s data and the connected corporate systems.  Specifically, Symatec set out to assess the following circumstances: 

● Likelihood of a finder attempting to access data on the smartphone
● Likelihood of a finder attempting to access corporate applications and data
● Likelihood of a finder attempting to access personal applications and data
● Likelihood of attempted access to particular types of apps
● Amount of time before a lost smartphone is moved or accessed
● Likelihood of a finder attempting to return a device to its owner
 
On every count, the results were a disappointment to anyone hoping for better from their fellow mankind.  Bottom line: if you lose your business-connected mobile device, there’s more than an 80% chance that an attempt will be made to breach corporate data and/or networks.  A total of 83% of the devices showed attempts to access corporate-related apps or data, and attempts to access a corporate email client occurred on 45% of the devices.  A file titled “HR Salaries” was accessed on 53% of the phones and another titled “HR Cases” was accessed on 40% of the devices.

The study underscored yet again that businesses must impress upon employees the importance of adhering to strict security guidelines regarding their mobile devices.  What does that look like?  Here are five key reminders:
   
1. Require that employees use password protection on all electronic devices especially if they use it to access work related files and email.
2. Implement software that allows you to use remote wiping so a device can be killed if its lost or untraceable.
3. Invest in employee training and education about data breaches and the impact it has not only on the business but also on the employees themselves since most people also program their personal information into business devices.
4. Account for every device that has access to your company’s networks and take inventory often so nothing slips through the cracks or gets lost.
5. Use business security software for all your electronic devices and implement a security management program. When a device is lost or stolen, have a recovery system in place so employees know what to do immediately in order to prevent any lost of data.

For a company, a data breach can seem like it comes out of the blue. Yet, according to analysis by the Identity Theft Resource Center (ITRC), the three primary causes of data breaches have remained the same since 2009:

• Hacking
• Data on the move
• Insider theft

ITRC has been releasing an annual Breach Report since 2007. For the first time, hacking outpaced all other triggers to account for just more than a quarter of the 419 breaches in 2011. Incidents of hacking rose from 17.1% in 2010 and, the previous high, 19.5% in 2009 to 25.8% in 2011.

Data on the move* was the second highest trigger, accounting for 18.1% of the breaches in 2011. Insider theft, falling slightly from 2010, caused 13.4% of the breaches as the third trigger. ITRC further counts hacking and insider theft together as a malicious attack, adding up to nearly 40% of breaches in 2011.

The numbers make it clear that companies can’t rely on one form of data breach prevention alone. The 2011 Breach Report further illustrates that no company is immune. Of the entities reporting data breaches, 47% fell into the business category. Both business and educational entities experienced an upswing in data loss incidents in 2011.

The report also considers government/military, financial/credit and health/medical entities, the third of which accounted for 20.5% of the breaches in 2011.

Among the more alarming findings is that 61.6% of the reported breaches in 2011 exposed Social Security numbers (SSN), one of the most valuable pieces of personal data an individual has. Such exposure can leave a consumer vulnerable to identity theft indefinitely. Individuals can’t easily exchange their SSN for a new number like they can with credit or debit cards. (Loss of credit and debit card data was a factor in 26.5% of incidents in 2011.)

Drawing on what’s known about how breaches occur, companies can plan ahead to prevent and respond to incidents in order to protect themselves and the consumer data they use and collect. A comprehensive prevention and response plan should account for all of the various ways, including accidental exposure and subcontractor loss, that breaches occur.

Staying aware of vulnerabilities can only help companies strengthen their defense. Data breaches are here to stay, so there’s no time like the present to take prevention and preparation seriously.

*“Data on the move” refers to data that has left its usual place of rest, i.e. its proper storage place. This includes data in transport to a new storage location as well as data that has left an office on an electronic drive, a mobile device or paper.

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address some of the differences and provide some insight into our approach for tracking data breach incidents.

According to most state laws, a data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.  Note that under these state breach laws, non-personal identifying information is not included.

Next, let’s consider hacking.  By definition, “hacking” is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer.  Hacking efforts target all types of information – from high level intellectual property down to individual personal information, both sensitive and non-sensitive information.  Taken together, these two situations result in nearly 26% of the “reported breaches” included on the 2011 Identity Theft Resource Center Breach List.

This brings us to the definition of “reported breaches”.  ITRC only publishes breach incident information which is available from credible, public resources.  Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources.  This approach means that the ITRC Breach Report only reflects the tip of the iceberg.

In 2011, 41% of the breaches on the ITRC report show the number of records exposed as “unknown.”  In addition, ITRC is aware of a significant number of breaches that are not made public.  As a result, it is not possible to provide truly accurate numbers – either for the number of breaches or the number of records.

The majority of “reported breaches” included in the list are those which have met “breach notification triggers” established by the various state laws regarding this issue.  Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a social security number, driver’s license or state identification number and/or financial account numbers (including debit and credit cards).   Some states have expanded this “trigger” definition to include medical and healthcare information.  This situation leaves large loopholes for breaches to remain unreported.

Currently we know that –

• An indeterminable number of breaches go unreported, even when notification should have been triggered according to the applicable state laws.
• Many breach notifications (at least what is disclosed by the entity) underreport the number of records
• Many breach notifications also do not clearly define the types of information exposed.
• Public information is often incomplete in detailing how the breach occurred
• Many breaches involving non-PII, such as email addresses, user names, and passwords, are not reported because they do not meet “breach notification triggers” as established by various state laws

Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of Security Constructs LLC, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.

Continual testing is one of the main tenants of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.

To broaden that scope, today security and risk professionals are taking a cue from software engineers and using a type of testing known as attack surface analysis. Rather than focusing on a specific point in time like the penetration test, this test views the network as a fluid system.

Attack surface analysis uses an entry and exit point framework to identify the full extent of a system’s attack surface.  This analysis is done on either computing or business process resources. In either instance, the entry/exit points of a system are the ways through which data (or hackers) enters or leaves a system and are the basis for attacks.

Some attacks may even use both computing process and business process entry/exit points. For example, a hacker goes to a department store and applies for a job. While there, he inserts a USB thumb drive loaded with malware or auto-execute code into an unprotected USB slot on a nearby computer.

The malicious code executes and gives him a foothold into the enterprise systems that he can then exploit remotely. In this scenario, the hacker has essentially completed an attack surface analysis on the store’s business process and located an unprotected USB slot. He has also done the same for the computing process though, in this scenario, he has created a new attack surface rather than using part of the existing one.

As a CISO, I identify the most important data sets and map the attack surfaces to those data sets. For example, the personally identifiable information (PII) of your employees may be of primary concern to your enterprise. To conduct an attack surface analysis, I would look at the systems that contain this data AND how and by whom that data is used. Is the data static or does it move between enterprise systems? If so, what are the business processes that require this data movement and what are the pipelines through which it moves? Viewed in this fashion I see a more fluid attack surface with connected entry and exit points – not just a single one at a time.

Fortunately there are tools to assist with the process. As more and more enterprises use cloud-based or Web-based services, we can take advantage of the Open Web Application Security Project (OWASP) framework for Web applications. OWASP is highly respected in the information security space. Its open source tools identify all entry points into a program but do so in a well-structured manner that encourages analysis. It maps both roles and resources to each entry point. It is designed to be used throughout the lifecycle of the system under review. I use the concepts of OWASP to map roles and resources for the supporting business processes of these same applications.

For a more risk-based view of attack surface analysis, I use the Open Source Security Testing Methodologies Manual (OSSTMM) tool, run by Pete Herzog and his team in Spain. It is exactly what it states – an open source community providing an entire security testing framework. OSSTMM is the tool created and maintained by the Institute for Security and Open Methodologies (ISECOM). I’ve personally used this framework for many years in a wide range of enterprises. Its beauty is the completeness of the OSSTMM with framework, templates worksheets and Risk Assessment Value (RAV) spreadsheet.

The RAV is what assists us in attack surface analysis. The RAV provides a mechanism where you can place risk values for all of the computing and business process attack entry/exit points. The RAV spreadsheet then provides an overall risk score that aids in prioritizing your attack surface resolution action plan. While the risk scores may not be perfect at times, it is an excellent tool to guide your actions and give you a more holistic view of your system and its weaknesses.

Just as technology is continuously evolving, so are the wily ways in which fraudsters circumvent the safeguards for changing technologies.  Symantec’s study Internet Security Threat Report offers a review of where cyber thieves are finding new opportunities and, accordingly, where experts believe the thorniest security trouble spots lie.

According to Symantec, here are the top five threats to beware of:

1. Targeted attacks continue to evolve.  While targeted attacks on the large infrastructures of corporations are attempted almost every day, companies are increasingly being attacked to specifically gain access to their intellectual property.  A prominent example of this would be last year’s “Hydraq” attack on Google, a suspected politically motivated attack to steal sensitive information from Gmail accounts, which prompted Google to threaten to pull its operations out of China.  Given that this attack wouldn’t have been successful without convincing recipients that links and attachments in an email were from a known source, the lesson for future attackers is that the biggest security vulnerability to exploit is our trust of friends and colleagues.

2. Social networks + social engineering = compromise.  Hackers are getting better at learning who we are through social media outlets and posing as friends.  So-called social engineering attacks are becoming more sophisticated and harder to detect.

3. Hide and seek (zero-day vulnerabilities and rootkits).  In order to be successful, targeted attacks must penetrate an organization and remain undetected for as long as possible.  So-called “zero day vulnerabilities” help hackers maintain a game of hide and seek.  Zero days occur when a hacker discovers (and exploits) a security vulnerability in a software program before the program’s engineers do, although some believe that the fear of these vulnerabilities as a basis for attacks are worse than the reality.  Rootkits, software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications, are also helpful in keeping hackers undetected.

4. Attack kits get a caffeine boost.  Hackers are profiting on security vulnerabilities by packaging their discoveries into easily downloadable attack kits that are sold in the underground fraud economy.  Symantec believes that these kits played a role in creating over 286 million variants of malware last year.

5. Mobile threats increase.  With the explosive usage of smart phones and other mobile devices, hackers are naturally becoming ever more drawn to this territory as a platform for fraud.   Sophisticated operating systems mean that vulnerabilities are plentiful, and Trojans hidden in legitimate applications sold on app stores offer an effective means to multiply the damage.

Fraudsters will never stop finding ways to capitalize on security weaknesses and wreak havoc on privacy and bottom lines, which is why every business should work with security experts to stay ahead of these threats.

Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of Security Constructs LLC, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.

I’ve been actively involved in InfraGard for many years. InfraGard is a public/FBI partnership with a primary mission of protecting critical infrastructure.  Because of this partnership, I began to wonder if the U.S government had anything I could leverage in my own business operations. The answer is, “yes.”

I’ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don’t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.

Here’s a look at some of the resources I find useful in testing and training for a data breach:

NIST Computer Security Handling Guide
In the back of this document (special publication 800-61) are table-top exercises to help train your incident response team.
While a bit limited in scope, they are an excellent starting point at no cost to you.

DHS/FEMA Certified Cyber Security Training
The online Domestic Preparedness Campus is a portal for
10 courses that address three demographics of your enterprise: Non-technical, Technical and Business Professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.

The different courses include:

• Information Security for Everyone
• Cyber Ethics
• Cyber Law and White Collar Crime
• Information Security Basics
• Secure Software
• Network Assurance
• Digital Forensics Basics
• Business Information Continuity
• Information Risk Management
• Cyber Incident Analysis and Response

Homeland Security Exercise and Evaluation Program

This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.

In total, they offer seven exercise types broken down into training and operational exercises.

Training Exercises
1. Seminar – A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.
2. Workshop – A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.
3. Tabletop Exercise (TTX) – A table top exercise involves key personnel discussing simulated scenarios in an informal setting.
4. Games – A game is a simulation of operations that often involves two or more teams, usually in a competitive environment using rules, data and procedure designed to depict an actual or assumed real-life situation.

Operations-based Exercises
5. Drill – A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.
6. Functional Exercise (FE) – A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any “boots on the ground.”
7. Full-Scale Exercises (FSE) – A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and “boots on the ground” response.

Cyber Storm
Cyber Storm is a biennial exercise that provides the framework for a government-sponsored cybersecurity exercise. It is a combination of international government agencies, national and state government agencies and private industry. Its stated aims are to:

• “Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects
• Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures
• Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information
• Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”

Cyber Storm III was used to hone and tune the latest U.S National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors.It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the “boots on the ground” hub for national cybersecurity coordination.

Managing your enterprise security and privacy risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There are a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.

With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.

Here, according to McAfee, are 12 common holiday scams to beware of:

1. iPad scams.  Watch out for bogus offers for free iPads on social media sites and via spam.

2. “Help! I’ve been robbed” scam. Fraudsters send emails appearing to come from the account of friends which state that they’ve been robbed while traveling abroad and need money to be wired in order to get home.

3. Fake gift cards. With these scams, cybercriminals promise fake gift cards in exchange for personal information that can be used for identity theft.

4. Holiday job offers. Fake, high-paying, work at home jobs are offered in exchange for personal information.

5. “Smishing.” Scammers “phish” via text message, or smish, often posing as a bank or online retailer requesting personal information to address a problem with a target’s account.

6. Holiday rental scams. Fake, attractive rental properties at low prices are advertised on phony websites in order to lure deposits via wire transfer.

7. Recession scams.  Financial “help” is offered to targets in the form of pay-in-advance credit schemes and pre-qualified low-interest loans, all in exchange for an upfront processing free.

8. Grinch-like Greetings. Fake e-cards are loaded with links to computer viruses and other malware.

9. Low price traps. Auction sites and phony websites are used to offer too-good-to-be-true prices on holiday gifts; the scammers walk away with information and/or money.

10.  Charity scams. Solicitations for phony charities play on the spirit of holiday giving and philanthropic generosity.

11. Dodgy holiday downloads. Watch out for holiday-themed jingles, screensavers and animations distributed via downloads, spam or dubious websites – they could contain malware.

12. Hotel and airport Wi-Fi. During this season of high travel, Wi-Fi hotspots are criminal hangouts, with scammers eager to hack into unprotected networks.

This holiday season, make sure that you, your employees and your customers are on high alert for the seasonal scams that turn up with the regularity of fruitcake…and are just as unwanted.