<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; PII</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/pii/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>Big data can mean big breaches</title>
		<link>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/#comments</comments>
		<pubDate>Tue, 27 Mar 2012 08:20:33 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[big data]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1042</guid>
		<description><![CDATA[As companies accumulate vast amount of data to improve their business intelligence, the risks of data breaches accumulate accordingly.  While organizations are rapidly increasing their ability to store, process and analyze huge amount of information collected from social networks, sensors, IT systems and other sources, they’re often failing to consider that much of this data [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/big-data1.jpg"><img class="size-full wp-image-1051 alignnone" title="big-data" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/03/big-data1.jpg" alt="" width="491" height="369" /></a></p>
<p>As companies accumulate vast amounts of data to improve their business intelligence, the risks of <a title="Consequences following a data breach" href="http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/" target="_blank">data breaches</a> accumulate accordingly. While organizations are rapidly increasing their ability to store, process and analyze huge amounts of information collected from social networks, sensors, IT systems and other sources, they’re often failing to consider that much of this data can be personal, sensitive and subject to regulation. A recent Forrester report highlights the escalating security threats of this sort of “big data processing,” meaning the tools and techniques that handle extreme data volumes and formats.</p>
<p style="text-align: left;">The report underscores the importance of identifying the “toxic data” within these big data stores &#8211; in other words, the kind of data that will spell big trouble if it slips from an organization’s control.  This includes credit card numbers, <a title="Ensuring the security of personal identifiable information " href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personally identifiable information </a>(PII) like Social Security Numbers, and <a title="Help your customers protect their PHI" href="http://www.experian.com/blogs/data-breach/2010/09/21/help-your-customers-protect-their-phi/" target="_blank">personal health information</a> (PHI) — and sensitive intellectual property, including business plans and product designs.  This is, of course, exactly the type of data that hackers and fraudsters are eager to steal.  Further, big data can include information that companies control but don’t own, such as customer and business partner data.  Big data can make a thief’s job easier by concentrating disparate toxic data in one place.</p>
<p style="text-align: left;">Forrester suggests a framework to help security and risk professionals control big data:</p>
<p style="text-align: left;">1) <em>Define the data</em></p>
<p style="text-align: left;">Data discovery locates and indexes big data, while data classification catalogs data to make it easier to control. Classify data based on toxicity, which will determine where it is stored.  Implement strong policies regarding data handling, storage, and records management, which will preclude the storage of sensitive information on laptops and mobile devices.  Security professionals must continuously discover and classify data as users create it throughout the organization’s network.</p>
<p style="text-align: left;">2) <em>Dissect and analyze the data</em></p>
<p style="text-align: left;">Experts can extract important data from big data sets that will help protect corporate assets; in other words, big data can be used to protect big data.  Analyzing this information is helpful in understanding how to protect big data.</p>
<p style="text-align: left;">3) <em>Defend and protect the data</em></p>
<p style="text-align: left;">Limit access to all resources, strictly controlling the number of people that can access data and continuously monitoring those users’ access levels throughout their employment. Inspect data usage patterns so that you can detect potential abuses. Dispose of data when it’s no longer needed, and “kill” data &#8211; using data abstraction techniques such as <a title="Encryption: Data's best friend" href="http://www.experian.com/blogs/data-breach/2011/07/12/encryption-data%E2%80%99s-best-friend/" target="_blank">encryption</a>, tokenization, and masking &#8211; to devalue it for use on the <a title="8 insights to the underground fraud economy" href="http://www.experian.com/blogs/data-breach/2011/05/24/8-insights-into-the-underground-fraud-economy/" target="_blank">underground market</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/03/27/big-data-can-mean-big-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Expanding the scope of security testing</title>
		<link>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/#comments</comments>
		<pubDate>Wed, 15 Feb 2012 18:37:33 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cloud services]]></category>
		<category><![CDATA[continual testing]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=967</guid>
		<description><![CDATA[Continual testing is one of the main tenets of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg"><img class="aligncenter size-full wp-image-976" title="Secure Network" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/02/secure_network2.jpg" alt="" width="432" height="324" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of </em><a title="Security Constructs" href="http://www.securityconstructs.com/" rel="nofollow" target="_blank" class="broken_link"><em>Security Constructs LLC</em></a><em>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>Continual testing is one of the main tenets of data breach prevention. Your network has to remain secure to ward off attacks. The typical security test, known as a penetration test, provides a point-in-time view of your security, limiting your scope of analysis.</p>
<p>To broaden that scope, today security and risk professionals are taking a cue from software engineers and using a type of testing known as attack surface analysis. Rather than focusing on a specific point in time like the penetration test, this test views the network as a fluid system.</p>
<p>Attack surface analysis uses an entry and exit point framework to identify the full extent of a system’s attack surface.  This analysis is done on either computing or business process resources. In either instance, the entry/exit points of a system are the ways through which data (or hackers) enters or leaves a system and are the basis for attacks.</p>
<p>Some attacks may even use both computing process and business process entry/exit points. For example, a hacker goes to a department store and applies for a job. While there, he inserts a USB thumb drive loaded with malware or auto-execute code into an unprotected USB slot on a nearby computer.</p>
<p>The malicious code executes and gives him a foothold into the enterprise systems that he can then exploit remotely. In this scenario, the hacker has essentially completed an attack surface analysis on the store’s business process and located an unprotected USB slot. He has also done the same for the computing process though, in this scenario, he has created a new attack surface rather than using part of the existing one.</p>
<p>As a CISO, I identify the most important data sets and map the attack surfaces to those data sets. For example, the personally identifiable information (PII) of your employees may be of primary concern to your enterprise. To conduct an attack surface analysis, I would look at the systems that contain this data AND how and by whom that data is used. Is the data static or does it move between enterprise systems? If so, what are the business processes that require this data movement and what are the pipelines through which it moves? Viewed in this fashion I see a more fluid attack surface with connected entry and exit points – not just a single one at a time.</p>
<p>Fortunately there are tools to assist with the process. As more and more enterprises use cloud-based or Web-based services, we can take advantage of the Open Web Application Security Project (OWASP) framework for Web applications. <a title="Open Web Application Security Project" href="https://www.owasp.org/index.php/Main_Page" rel="nofollow" class="broken_link">OWASP</a> is highly respected in the information security space. Its open source tools identify all entry points into a program but do so in a well-structured manner that encourages analysis. It maps both roles and resources to each entry point. It is designed to be used throughout the lifecycle of the system under review. I use the concepts of OWASP to map roles and resources for the supporting business processes of these same applications.</p>
<p>For a more risk-based view of attack surface analysis, I use the Open Source Security Testing Methodology Manual (OSSTMM) tool, run by Pete Herzog and his team in Spain. It is exactly what it states – an open source community providing an entire security testing framework. OSSTMM is the tool created and maintained by the Institute for Security and Open Methodologies (<a title="Institute for Security and Open Methodologies Manual" href="http://www.isecom.org/research/osstmm.html" rel="nofollow" class="broken_link">ISECOM</a>). I&#8217;ve personally used this framework for many years in a wide range of enterprises. Its beauty is the completeness of the OSSTMM, with framework, templates, worksheets and the Risk Assessment Value (RAV) spreadsheet.</p>
<p>The RAV is what assists us in attack surface analysis. The RAV provides a mechanism where you can place risk values for all of the computing and business process attack entry/exit points. The RAV spreadsheet then provides an overall risk score that aids in prioritizing your attack surface resolution action plan. While the risk scores may not be perfect at times, the RAV is an excellent tool to guide your actions and give you a more holistic view of your system and its weaknesses.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/02/15/expanding-the-scope-of-security-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;Tis the season for data privacy</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 22:10:50 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=927</guid>
		<description><![CDATA[As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks. ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/dataFirewall.jpg"><img class="aligncenter size-full wp-image-935" title="dataFirewall" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/dataFirewall.jpg" alt="Data firewall" width="448" height="336" /></a></p>
<p>It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.</p>
<p>OK, perhaps it isn’t exactly Christmas, but <a title="Data Privacy Day Organization Website" href="http://www.staysafeonline.org/dpd" target="_blank" class="broken_link" rel="nofollow">Data Privacy Day</a> &#8211; observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.</p>
<p>As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which <a title="Blog about PII" href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personal information</a> is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from <a title="2011 Breach Overview" href="http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/" target="_blank">risks</a>.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.</p>
<p>Since privacy is our shared responsibility, how can you contribute to this security festivity? Train your employees, or consider hosting an event or sponsoring NPD. If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your <a title="How to update Facebook privacy settings" href="http://computer.howstuffworks.com/internet/tips/how-to-update-your-facebook-privacy-settings.htm" target="_blank" class="broken_link" rel="nofollow">Facebook privacy settings</a>, resources such as videos on how to protect your personal information and privacy, as well as <a title="Safetyweb" href="http://www.safetyweb.com/" target="_blank" class="broken_link" rel="nofollow">your children&#8217;s</a>. Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to <a title="Data Privacy Day Website" href="http://www.dataprivacyday.org" target="_blank" class="broken_link" rel="nofollow">www.dataprivacyday.org</a>.</p>
<p>And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resources for managing your enterprise security and privacy risk in the new year</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 08:00:57 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=901</guid>
		<description><![CDATA[Here’s a look at some of the resources I find useful in testing and training for a data breach.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg"><img class="aligncenter size-full wp-image-902" title="Data locked" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg" alt="" width="518" height="337" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of <a title="Security Constructs" rel="nofollow" href="http://www.securityconstructs.com/about.htm" target="_blank" class="broken_link">Security Constructs LLC</a>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>I&#8217;ve been actively involved in InfraGard for many years. InfraGard is a public/FBI partnership with a primary mission of protecting critical infrastructure. Because of this partnership, I began to wonder if the U.S. government had anything I could leverage in my own business operations. The answer is, “yes.”</p>
<p>I&#8217;ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don&#8217;t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.</p>
<p>Here’s a look at some of the resources I find useful in testing and training for a data breach:</p>
<p><strong>NIST Computer Security Handling Guide</strong><br />
In the back of this document (special publication 800-61) are table-top exercises to help train your incident response team. While a bit limited in scope, they are an excellent starting point at no cost to you.</p>
<p><strong>DHS/FEMA Certified Cyber Security Training</strong><br />
The online Domestic Preparedness Campus is a portal for 10 courses that address three demographics of your enterprise: Non-technical, Technical and Business Professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.</p>
<p>The different courses include:</p>
<ul>
<li>Information Security for Everyone</li>
<li>Cyber Ethics</li>
<li>Cyber Law and White Collar Crime</li>
<li>Information Security Basics</li>
<li>Secure Software</li>
<li>Network Assurance</li>
<li>Digital Forensics Basics</li>
<li>Business Information Continuity</li>
<li>Information Risk Management</li>
<li>Cyber Incident Analysis and Response</li>
</ul>
<p><strong>Homeland Security Exercise and Evaluation Program </strong></p>
<p>This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.</p>
<p>In total, they offer seven exercise types broken down into training and operational exercises.</p>
<p><em>Training Exercises</em><br />
1. Seminar &#8211; A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.<br />
2. Workshop &#8211; A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.<br />
3. Tabletop Exercise (TTX) &#8211; A table top exercise involves key personnel discussing simulated scenarios in an informal setting.<br />
4. Games &#8211; A game is a simulation of operations that often involves two or more teams, usually in a competitive environment using rules, data and procedure designed to depict an actual or assumed real-life situation.</p>
<p><em>Operations-based Exercises </em><br />
5. Drill &#8211; A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.<br />
6. Functional Exercise (FE) &#8211; A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any &#8220;boots on the ground.&#8221;<br />
7. Full-Scale Exercises (FSE) &#8211; A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and &#8220;boots on the ground&#8221; response.</p>
<p><em>Cyber Storm</em><br />
<a title="Cyber Storm" rel="nofollow" href="http://www.dhs.gov/files/training/gc_1204738275985.shtm" target="_blank" class="broken_link">Cyber Storm</a> is a biennial exercise that provides the framework for a government-sponsored cybersecurity exercise. It is a combination of international government agencies, national and state government agencies and private industry. Its stated aims are to:</p>
<ul>
<li>“Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects</li>
<li>Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures</li>
<li>Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information</li>
<li>Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”</li>
</ul>
<p>Cyber Storm III was used to hone and tune the latest U.S. National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors. It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the &#8220;boots on the ground&#8221; hub for national <a title="Cyber Security Facts" href="http://www.experian.com/data-breach/cyber-security.html" target="_blank">cybersecurity</a> coordination.</p>
<p>Managing your enterprise security and <a title="Data Breach Resources" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">privacy</a> risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There are a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year of the breach: 2011 in review</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 23:24:20 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy legislation]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=888</guid>
		<description><![CDATA[Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of consumers’ information was obtained by malicious hackers. Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers’ PII.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg"><img class="aligncenter size-full wp-image-891" title="usb_data_breach_laptop_610" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/usb_data_breach_laptop_610.jpg" alt="Business person inserting usb into laptop" width="610" height="407" /></a></p>
<p><em>Our guest blogger this week is Karen Barney of the <a title="Identity Theft Resource Center" href="http://www.idtheftcenter.org/" target="_blank" class="broken_link" rel="nofollow">Identity Theft Resource Center</a> (ITRC).</em></p>
<p>The number of breaches reported so far in 2011 is down from 2010, yet 2011 is still considered by many to be yet another “Year of the Breach”. Several high profile events throughout the year have kept the spotlight on the issue of data exposures, especially those where millions of <a href="http://www.shutterfly.com/home/myshutterfly.sfly" class="broken_link" rel="nofollow">consumers’ information</a> was obtained by malicious hackers. Although the information involved, emails and passwords, does not rise to the level of a “personal identifying information” (PII) breach, it is definitely troubling that such a large number of consumers may become targets of phishing and related attacks, which do attempt to get consumers’ PII.</p>
<p>More and more entities are now tracking data breach occurrences by:</p>
<ul>
<li>Industry sectors (categories): business, educational, government, medical, financial</li>
<li>Breach “type” (method of access): hacking, insider, portable device (“data on the move”), accidental exposure, subcontractor, and lost or stolen. In some cases, discarded paper documents.</li>
<li>Various attributes: paper or electronic, encrypted, password-protected, number of records unknown or published</li>
</ul>
<p>While most definitions and terms are relatively consistent between these monitoring sources, there are some notable differences. Each monitoring entity applies its own filters for what qualifies as a data breach on its list, which creates some divergence when breach lists are compared. These filters may range from whether the incident involves specific types of exposed PII to whether a designated minimum number of records has been compromised (e.g. a 10- or 500-record minimum).</p>
<p>Often it is how a “record” is defined that yields the greatest disparity in determining the number of “records” exposed. Many breach analysts consider “records” to be those persons whose sensitive <a href="../2011/09/27/ensuring-the-security-of-personal-identifiable-information/">personal identifying information</a> (PII), such as Social Security numbers, debit or credit card numbers, financial account numbers, medical record numbers, and driver’s license or state identification numbers, has been exposed. How, then, does one account for compromised non-PII information, such as email addresses, user names, or other non-financial account information?</p>
<p>Many <a href="../2011/09/06/how-hackers-find-their-targets/">hacking incidents</a> this past year didn’t target personal identifying information, but instead focused on email addresses, passwords and other pieces of non-sensitive personal information. The challenge for many who analyze breach incident statistics is how to “quantify” the number of breached records that do not involve PII. Should emails and passwords be counted as “records” in the same way as Social Security numbers and financial account numbers? As of now, most state laws do not include non-sensitive personal information as triggers for breach notification; therefore there is no obligation to report the incident.</p>
<p>&#8220;The law only requires that an entity notify those who had sensitive information compromised, like Social Security numbers,&#8221; says Lisa Sotto, a managing partner for New York-based law firm Hunton &amp; Williams, in a recent interview with BankInfoSecurity. &#8220;But now we know other things, like e-mail addresses, can lead to compromise through social engineering and phishing.&#8221;</p>
<p>The challenge then for the incident response team is determining if a breach notification is required. If so: “what happened?”, “who needs to be notified?”, “what specifics are required?”, “when do we do it?”, “how did it happen?”, and “what have we done to make sure it won’t happen again?” The answers to these questions should all be part of an established Breach Response Plan. Other pieces of this plan should include best practice protocols, procedures, corporate training guidelines and employee education. In addition, an organizational ethic must be created so that all employees realize the importance of protecting personal information. A corporate environment must be maintained which fosters and strengthens information security awareness at all levels of the organization.</p>
<p>Another important issue to consider in your company’s <a href="http://www.shutterfly.com/home/myshutterfly.sfly" class="broken_link" rel="nofollow">incident response plan</a> is whether it is in the best interest of the company to report a data breach incident when there is no legal obligation to do so.  Under these circumstances, it is critical that the response team identify the best notification and crisis management tactics before a breach ever occurs.   Those companies with strong incident response plans are able to react more quickly and accurately, prevent further data loss (and potential fines), and present factual reporting to the public that minimizes customer backlash and negative publicity.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Holiday travel without data leaks</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 01:03:07 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Consumer fraud]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=879</guid>
		<description><![CDATA[The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses. ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/5733459-santa-s-christmas-travel.jpg"><img class="aligncenter size-full wp-image-882" title="5733459-santa-s-christmas-travel" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/5733459-santa-s-christmas-travel.jpg" alt="" width="432" height="305" /></a></p>
<p>The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and <a href="../2010/12/21/mobile-smishing-attacks-are-on-the-rise/">mobile devices</a> in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.</p>
<p><a rel="nofollow" href="http://www.thetechherald.com/article.php/200950/4916/Protecting-the-company-as-employees-travel-during-the-holidays" target="_blank" class="broken_link">What can companies do</a> to mitigate the risk to their holiday-traveling data?</p>
<p>First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the <a title="Ponemon Reputation Impact Study" href="http://www.experian.com/data-breach/reputation-impact-study.html" target="_blank" class="broken_link" rel="nofollow">Ponemon Institute</a>, close to 637,000 laptops are lost each year, most commonly at security checkpoints. Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed. The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare. While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.</p>
<p>The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, <a href="../2011/08/16/the-dollars-of-a-data-breach/">data breach</a>, lost intellectual property costs, lost productivity and legal, consulting and <a href="../2011/06/28/is-a-national-data-breach-notification-law-finally-within-reach/">regulatory expenses</a>.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that <a href="../2011/07/12/encryption-data%E2%80%99s-best-friend/">encryption</a> can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.</p>
<p>A few other tips:</p>
<ul>
<li><strong>Encourage the use of privacy filters</strong>, which block the ability to view computer screens from an angle.</li>
<li><strong>Guard against open wi-fi prowlers</strong> by setting computer defaults to require owners’ authority before connecting to a new network.</li>
<li><strong>Discourage the use of public computers</strong>. Many of them contain “keylogger spyware” that can monitor every keystroke.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoiding holiday scams</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/06/avoiding-holiday-scams/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/06/avoiding-holiday-scams/#comments</comments>
		<pubDate>Tue, 06 Dec 2011 17:24:26 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=872</guid>
		<description><![CDATA[With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/holiday-1210_intro_390x220.jpg"><img class="size-full wp-image-873 aligncenter" title="holiday 1210_intro_390x220" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/holiday-1210_intro_390x220.jpg" alt="" width="390" height="220" /></a></p>
<p>With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.</p>
<p>Here, according to <a rel="nofollow" href="http://blogs.mcafee.com/consumer/consumer-threat-alerts/holidays-are-high-time-for-cybercrime" target="_blank" class="broken_link">McAfee</a>, are 12 common holiday scams to beware of:</p>
<p><strong>1. iPad scams.</strong> Watch out for bogus offers for free iPads on social media sites and via spam.</p>
<p><strong>2. “Help! I’ve been robbed” scam.</strong> Fraudsters send emails appearing to come from the account of friends which state that they’ve been robbed while traveling abroad and need money to be wired in order to get home.</p>
<p><strong>3. Fake gift cards.</strong> With these scams, cybercriminals promise fake <a href="http://www.experian.com/blogs/data-breach/2011/03/22/protecting-your-business-from-gift-card-fraud/" target="_blank">gift cards</a> in exchange for personal information that can be used for <a href="http://www.experian.com/blogs/data-breach/2011/01/04/identity-theft-protection-insights/" target="_blank">identity theft</a>.</p>
<p><strong>4. Holiday job offers.</strong> Fake, high-paying, work-at-home jobs are offered in exchange for <a href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personal information</a>.</p>
<p><strong>5. “Smishing.”</strong> Scammers “phish” via text message, or <a href="http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/" target="_blank">smish</a>, often posing as a bank or online retailer requesting personal information to address a problem with a target’s account.</p>
<p><strong>6. Holiday rental scams.</strong> Fake, attractive rental properties at low prices are advertised on phony websites in order to lure deposits via wire transfer.</p>
<p><strong>7. Recession scams.</strong> Financial “help” is offered to targets in the form of pay-in-advance credit schemes and pre-qualified low-interest loans, all in exchange for an upfront processing fee.</p>
<p><strong>8. Grinch-like greetings.</strong> Fake e-cards are loaded with links to computer viruses and other malware.</p>
<p><strong>9. Low price traps.</strong> Auction sites and phony websites are used to offer too-good-to-be-true prices on holiday gifts; the scammers walk away with information and/or money.</p>
<p><strong>10. Charity scams.</strong> Solicitations for phony charities play on the spirit of holiday giving and philanthropic generosity.</p>
<p><strong>11. Dodgy holiday downloads.</strong> Watch out for holiday-themed jingles, screensavers and animations distributed via downloads, spam or dubious websites – they could contain malware.</p>
<p><strong>12. Hotel and airport Wi-Fi.</strong> During this season of high travel, Wi-Fi hotspots are criminal hangouts, with scammers eager to hack into unprotected networks.</p>
<p>This holiday season, make sure that you, your employees and your customers are on high alert for the seasonal scams that turn up with the regularity of fruitcake…and are just as unwanted.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/06/avoiding-holiday-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ensuring the security of personal identifiable information</title>
		<link>http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/#comments</comments>
		<pubDate>Tue, 27 Sep 2011 17:33:12 +0000</pubDate>
		<dc:creator>kbarney</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Identity Theft Resource Center]]></category>
		<category><![CDATA[PII]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=794</guid>
		<description><![CDATA[Everywhere you turn these days there’s word of a new data breach.  In the course of our lifetime, our “personal identifying information (PII)” is shared with hundreds of companies, governmental agencies, educational facilities, businesses and health care providers.  What can a consumer do to protect their sensitive personal information?]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/security2.jpg"><img class="aligncenter size-full wp-image-796" title="C" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/09/security2.jpg" alt="" width="448" height="336" /></a></p>
<p>Everywhere you turn these days there’s word of a new data breach.  Your old college – archives hacked.  Your dentist’s office – files stolen.  The local retailer – credit cards skimmed.  Government offices – accidental posting of information online.</p>
<p>In the course of our lifetime, our “personal identifying information (PII)” is shared with hundreds of companies, governmental agencies, educational facilities, businesses and healthcare providers.  Social Security Numbers, account numbers, birthdates, and other identifiers are diffused into thousands of databases, each with its own risk of exposing our PII.</p>
<p>These are all areas that the ITRC recognizes as areas “beyond your personal control”.  While you make every effort to protect your personal identifying information, the same cannot always be said for those who hold it in their possession.</p>
<p>Data breaches (the inadvertent or malicious exposure of our sensitive personal information) are a fact of modern life as evidenced by the many high profile data security breaches which have occurred throughout 2011.  Late in 2010 the ITRC predicted an increase in breaches aimed at email lists which would lead to more social networking scams and malware attacks.  This has indeed come to pass.</p>
<p>The harsh reality is that our personal information is simply available in too many places to ensure a high level of security over a long period of time.  So what can a consumer do to minimize their risk in these areas which are beyond our control?  Before you provide your personal information, ask the following questions:</p>
<ul>
<li>Why do you need my Social Security number? </li>
<li>What will happen if I don’t provide it?</li>
<li>Is there an alternative identifier you can use instead? </li>
<li>How is it going to be used?</li>
<li>Do you have published policies about data protection?</li>
</ul>
<p>Depending on the answers, you may have a decision to make.  You can decide to continue with that company, or find one that will provide acceptable answers.  It’s your data they will control.</p>
<p>Businesses have both an ethical and legal responsibility to <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">protect</a> personal identifying information and control access to such information. Businesses should clearly identify their specific need to collect sensitive personal information and ensure that those within a company who access this information have a recognized need for such access.</p>
<p>Additionally, consumers need to make the case with businesses that data protection is a critical issue.  This point can be made by alerting businesses that access to an individual’s SSN should never be taken lightly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data breaches – to prepare or not to prepare? The answer is simple.</title>
		<link>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/#comments</comments>
		<pubDate>Tue, 17 May 2011 16:00:22 +0000</pubDate>
		<dc:creator>pluehr</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[Healthcare Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[HITECH Act]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[State Law]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=566</guid>
		<description><![CDATA[All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. ]]></description>
			<content:encoded><![CDATA[
<p><em>Our guest blogger this week is Paul Luehr, Managing Director, General Counsel, <a href="http://www.strozfriedberg.com/professionals/xprProfessionalDetails1.aspx?xpST=ProfessionalDetail&amp;professional=11" rel="nofollow" target="_blank" class="broken_link">Stroz Friedberg, LLC</a> - a global digital risk management and investigations firm.</em></p>
<p>All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks.  So <strong>PLAN</strong>, keeping in mind:  <strong><span style="text-decoration: underline;">P</span></strong>eople, the <strong><span style="text-decoration: underline;">L</span></strong>aw, and <strong><span style="text-decoration: underline;">A</span></strong>ction, with <strong><span style="text-decoration: underline;">N</span></strong>o time to waste.</p>
<p><strong><span style="text-decoration: underline;">P</span></strong>eople – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.</p>
<p><strong><span style="text-decoration: underline;">L</span></strong>aw – Track fast-changing data breach laws, privacy regulations, and notification mandates <em>before</em> a breach should occur.  This can help your organization identify protected health or personally identifiable information (PHI/PII which may trigger liability), navigate the HITECH Act and state law, understand reporting timelines, and effectively reach select constituents (i.e. Health and Human Services, victims, law enforcement and/or the media).</p>
<p><strong><span style="text-decoration: underline;">A</span></strong>ction – Outline clear action items to accomplish within the first seventy-two hours. One early misstep can destroy crucial evidence, delay an effective response, and trigger government penalties or class-action lawsuits.</p>
<p><strong><span style="text-decoration: underline;">N</span></strong>o time to waste – Remember that time is of the essence. <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">Once a breach is identified</a>, the clock starts ticking and may require immediate notice to regulators and/or notification to individual victims within 60 days.</p>
<p>A comprehensive preparedness plan can promote extraordinary efficiencies when a breach threatens a healthcare entity. So, <strong>create your PLAN now.</strong></p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%e2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The danger of not having a breach policy in place</title>
		<link>http://www.experian.com/blogs/data-breach/2010/12/01/the-danger-of-not-having-a-breach-policy-in-place/</link>
		<comments>http://www.experian.com/blogs/data-breach/2010/12/01/the-danger-of-not-having-a-breach-policy-in-place/#comments</comments>
		<pubDate>Wed, 01 Dec 2010 17:01:12 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Trend Micro]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=223</guid>
		<description><![CDATA[A recent study by Trend Micro indicates data loss is a growing concern for small businesses. The 2010 Corporate End User Study found that close to 60% of business respondents feared that data loss would be the result of data-stealing malware or by intentional or unintentional data leaks outside the company network.  Even though data [...]]]></description>
			<content:encoded><![CDATA[
<p>A <span style="text-decoration: underline;"><a href="http://www.infosecurity-us.com/view/13786/data-loss-is-a-growing-concern-of-small-businesses/" target="_blank" class="broken_link" rel="nofollow">recent study</a></span> by Trend Micro indicates data loss is a growing concern for small businesses. The <span style="text-decoration: underline;"><a href="http://trendmicro.mediaroom.com/index.php?s=23" target="_blank" class="broken_link" rel="nofollow">2010 Corporate End User Study</a></span> found that close to 60% of business respondents feared that data loss would result from data-stealing malware or from intentional or unintentional data leaks outside the company network. Even though data loss is a big concern, a majority of the surveyed small businesses indicated that they did not have data loss policies or loss prevention education in place.</p>
<p>The lack of a data loss policy creates risk for both the small business and the customer. As I mentioned <a href="http://" target="_blank"><span style="text-decoration: underline;">earlier</span></a>, a breach may result in reduced customer trust, lost revenue and substantial costs associated with resolving the crisis. If a small business has limited cash flow, addressing a breach may be what drives the business to close.</p>
<p>Additionally, new data security and notification <span style="text-decoration: underline;">legislation</span> has been introduced in Congress. The legislation proposes that all businesses that handle personally identifiable information (PII) be required to implement security policies and procedures to protect this information and to provide notice in the event of a <a href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">data breach</a>. Businesses that do not comply would face substantial penalties.</p>
<p><span style="text-decoration: underline;"><a href="http://content.usatoday.net/dist/custom/gci/InsidePage.aspx?cId=jconline&amp;sParam=34911021.story" target="_blank" class="broken_link" rel="nofollow">Recent news</a></span> indicates the government’s current interest in levying fines against companies that do not follow current law. The Indiana attorney general’s office is suing health insurer WellPoint for waiting several months before notifying customers of a data breach.</p>
<p>The best approach to avoid violating these new laws is to be proactive. Get a data breach resolution plan in place…<strong><span style="text-decoration: underline;">before</span></strong> a breach occurs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2010/12/01/the-danger-of-not-having-a-breach-policy-in-place/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>