Doug Buchanan | Business First
Nationwide is notifying customers of a data breach that compromised personal information.
Nationwide Mutual Insurance Co. says the personal information of more than 1 million people was compromised in October when a hacker accessed the company’s computer network.
Nationwide is not revealing many details of the breach, but a spokeswoman called it a “sophisticated attack” from overseas on a network used by Nationwide Insurance and Allied Insurance.
On Oct. 3, a hacker attacked the Columbus-based insurer’s computer network, compromising the name, Social Security number, driver’s license number and date of birth of some customers, according to a notice posted to its website. The marital status, gender, occupation and the customers' employer information also might have been compromised in the attack.
Nationwide spokeswoman Liz Gianetti said about 1.1 million people were affected, but she could not say whether the company has evidence that the data were downloaded and not simply compromised because that detail is part of an ongoing investigation by Nationwide and the FBI.
Nationwide began notifying those affected by the breach on Nov. 16, the same day it posted a notice to its website, she said. It does not have evidence that the data have been misused, according to the notice.
The company is offering those affected free credit monitoring and identity theft protection for a year, including up to $1 million in identity fraud expense coverage.
Rick Rouan covers banking, capital markets, insurance, logistics, nonprofits, area airports and air travel for Business First.
Small Medical Offices Most Likely to Disclose PHI, Get Hacked
December 06, 2012 at 6:49 PM
According to a new analysis of health care related data breaches, small medical and physician offices claim the infamous crown of "worst offender." For this specific analysis, conducted by the Health Information Trust Alliance (HITRUST), 495 breaches were evaluated. Overall, these incidents involved 21 million patient records and cost in the neighborhood of $4 billion. Why are these offices targeted, and what can be done to improve the situation?
Lack of IT Security Resources
Certainly, with a lack of proper security controls in place, these smaller doctor's offices are easy pickings for malicious individuals out to steal Protected Health Information (PHI).
Did you know? Protected health information (PHI) is defined as "any information about health status, provision of health care, or payment for health care that can be linked to a specific individual."
PHI contains a wealth of sensitive information that can be used for identity theft, and is actually valued more on the black market than credit card numbers. A medical firm with fewer than 100 employees (considered "small" in this analysis) may not have the resources to conduct a proper HIPAA Security and Privacy assessment or to implement the various controls and policies required to keep data safe these days.
Another reason for the increased focus on smaller practices has to do with the fact that larger companies are experiencing a dramatic decline in PHI disclosures. Big hospitals and major health care plans enjoyed a 46% decline in data breaches in 2010-2011, and HITRUST estimates that there will be an additional 36% decline for 2012.
Multiple Threat Points
While "hackers" or other external agents will continue to be a thorn in the side of medical practitioners, the biggest source of PHI disclosures came from stolen laptops. However, incidents of unauthorized access to health care servers, phishing schemes and corporate espionage are expected to increase by 50% next year. Basic security awareness training around the proper handling, storage and processing of PHI is something that even the smallest firm should be addressing to reduce these statistics and protect patients.
With that said, what of the emergence of electronic health records and cloud storage? According to the report, this could lead to even more data breaches.
"The adoption of electronic health records technology among hospitals has led to ‘community health records’ where physicians utilize a local hospital’s EHR system instead of purchasing their own. This now exposes the hospital to the same risks as the connecting practices, which often lack antimalware, have insecure or no firewalls, and share passwords. These issues in turn may lead to more breaches implicating both parties in the future.”
Are Increased Fines the Solution?
Third party vendors and health care providers alike are increasingly required to comply with HIPAA standards or face stiff penalties and fines. Last year, several large health care organizations were hit with penalties ranging from $1 million to over $4 million for failing to protect their records. This should encourage management to invest the time and money required to properly secure their entire network environment, provide security awareness training to staff, and put policies in place that address this very real threat.
If you own or manage a small medical practice or health care company, we would love to hear your opinion on these matters. What challenges do you currently face and how do you propose to solve them? Sound off in the comment section below.
For various reasons, the current Congress hasn't passed any federal cybersecurity legislation. Because of this, the most important consumer-related cybersecurity rules are the data-breach notification laws in force in most states.
That's not to say there is no federal regulation of data breaches. But what there is applies only to very specific industries.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and modifications to it under the American Recovery and Reinvestment Act of 2009 require the health-care industry to notify affected patients and the government if patient information is compromised. That's one reason hospital data breaches often make news.
Under the Gramm-Leach-Bliley Act of 1999, some financial institutions are subject to similar guidelines regarding client information.
That’s a start, but for most industries and organizations, there are no federal guidelines. Regulation and enforcement are left up to the states.
States' rights
Despite the Internet having no borders, and the likelihood that a resident of one state will have his or her information stored in a data center in another state, there is no consistency in the state data-breach notification laws.
In fact, there's nothing compelling a state to enact any type of data-breach notification law at all. Alabama, Kentucky, New Mexico and South Dakota have none.
So what exactly do the laws in the other 46 states set out to do?
According to the Better Business Bureau's website, "data-breach notification statutes generally require businesses that have personal information about residents within a state to notify those residents if someone who is not authorized acquires that information."
Note the phrase, "residents within a state." If you are a resident of the state where the breach occurred, and if the state has a data-breach notification statute, then the company needs to notify you within the time frame dictated by the law.
But what if you happen not to live in the state where the breach occurred? It's not clear.
"The laws of the states where a consumer does not live do not apply," said David Duncan, director of software and security solutions at Imation, a data-storage and data-security provider in Oakdale, Minn.
"It is the businesses' responsibility to notify the state in which a customer is a resident — based on the information that the company has of a consumer's location," Duncan said.
From hot to cold
Imation has developed an online "heat map" that shows how strict the data-breach laws are in each state, plus the District of Columbia, Puerto Rico and the Virgin Islands.
For the general consumer, a quick look at the map will give an idea how his or her state ranks. A resident of Virginia, for example, might be happy to learn that the state's laws are the most stringent on the books.
The state data-breach laws cover everything from the amount of time a company has to notify customers after the discovery of a data breach to what kind of information needs to be encrypted.
What makes a data-breach law strong or weak is what the law actually covers, said Justin Sulhoff, director of security services with Megaplan-IT, a data-security provider and consultancy in Lake Bluff, Ill.
"Major differences include encryption rules, what data falls within scope of the laws, notification of data loss [or] theft, destruction of sensitive data and, of course, fines for non-compliance," Sulhoff said.
Varying statistics
Why does it matter if a state has strict or weak individual laws? It matters because states differ wildly in rates of data breaches.
"Companies in the computer-software, IT and health-care sectors accounted for 93 percent of the total number of identities stolen in 2011," said Sulhoff, citing figures from Symantec's Internet Security Threat Report of April 2012.
“Back in 2009, HIPAA architects established a breach-notification rule, so the health-care industry provides the best data to answer this question," said Sulhoff. "States with a high population, like California and Texas, accounted for the most data breaches overall, but things change if you look at the rate per 1,000 people.
"In that case, Virginia, Utah, D.C., New Hampshire and Tennessee are the top five worst states for health-care data breaches," he said. "In 2011, Maine and Vermont had zero breaches."
However, there's no financial incentive to set up shop in a state that mandates less security or has weaker laws.
"Unless you're planning to circumvent the law, there is no added benefit to working with a data center in one of the few states that have no such notification laws," said Sulhoff.
"It's important to note that most regulatory compliance frameworks transcend state boundaries," he said. "While data-breach laws (or privacy laws) may be derived from the state or federal level, there are other governing bodies (i.e. payment card brands and the PCI Security Standards Council) that develop standards that companies need to comply with regardless of where they do business in the U.S."
Wish lists
Consumers can usually easily learn what their state laws say. If you believe you are a victim of a breach, the Federal Trade Commission provides a list of actions you can take, from requesting credit scores to contacting government agencies.
As for actual federal data-breach laws, national cybersecurity legislation likely won’t be discussed again until the next session of Congress.
Whenever it is, Duncan has a list ready of what he'd like to see established by a federal law:
— Definition of what constitutes non-breach loss of personal information, such as a storage device that is misplaced but not known to be lost or stolen
— Minimum thresholds to trigger notification of consumers
— Lesser thresholds that result in alternative notifications or remediation (for example, a free report from a credit-reporting service)
— Maximum amount of time allowed before consumers must be notified
— Consistent requirements for federal, state and local reporting and notification
— A uniform set of penalties
If such a federal law ever comes to pass, the onus of protecting oneself from corporate or government cybersecurity breakdowns may no longer fall on innocent consumers who have no control over how their personal data is stored.
Visa Launches Real-Time Transaction Analysis Solution
November 28, 2012 at 8:47 AM
By Anthony Petruso, Director of Compliance Services
Available in all Visa markets immediately, the new Consumer Authentication Service is intended for issuers and is designed to reduce online eCommerce fraud. Visa's new solution offers real-time analysis of transactions, and works in conjunction with the Three Domain Secure (3-D Secure) program. Now, issuers can verify the authenticity of transactions on the fly.
Earlier this month, Security Insights posted some helpful tips for retailers to secure their eCommerce websites this holiday season. Well, we will need to edit that post to include Visa's new card verification service. By authenticating card users before a purchase is authorized, Visa Consumer Authentication Service adds a security layer to the purchasing process. During the checkout phase, Visa's service performs a real-time risk analysis of the transaction in question. This analysis takes several factors into account, including transaction history and device information. With this solution in place, eCommerce merchants can stop verifying customers through intrusive or cumbersome methods, like redirecting users to the Verified by Visa page to enter an account password. Issuers interested in learning more or signing up should contact their Visa representative.
Program Details
Visa Consumer Authentication Service is a hosted access control server that provides issuers with the following capabilities:
- Sophisticated risk-based authentication. Visa Consumer Authentication Service's risk-scoring model takes into account enhanced inputs, including critical information about the device, transaction information and spending profiles. This data will enhance issuers' decision-making ability to identify potential fraud and prompt for verification only when necessary.
- Dynamic methods of authentication. Visa Consumer Authentication Service supports a wide range of account holder authentication methods. This means higher-risk transactions may be verified by the issuer in a variety of ways including more secure, dynamic methods such as one-time passwords or hardware tokens.
- Support for mobile. Visa Consumer Authentication Service can be integrated to function through a range of devices including mobile phones and tablets, to ensure consumers have a secure, efficient and reliable payment experience when shopping through another channel beyond the PC.
- Rules for strategy refinement. Visa Consumer Authentication Service provides issuers with the tools to write additional rules to further refine risk decisioning capabilities.
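To make the risk-based, step-up-only-when-necessary flow described in the list above concrete, here is an added example of a hypothetical issuer-side decision function. It is not Visa's code and does not describe its actual scoring model; the signals, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Iterable, Optional, Tuple

# Constructed data shapes standing in for what an access control server would see.
@dataclass
class Transaction:
    amount: float
    merchant_country: str
    device_id: str        # fingerprint or device token presented at checkout
    ip_country: str       # geolocation of the cardholder's connection

@dataclass
class CardholderProfile:
    home_country: str
    known_devices: set    # devices previously used without fraud
    recent_amounts: list  # recent purchase amounts (the "spending profile")

# An issuer-authored rule returns (score delta, reason or None).
Rule = Callable[[Transaction, CardholderProfile], Tuple[int, Optional[str]]]

def score_transaction(txn: Transaction, profile: CardholderProfile,
                      rules: Iterable[Rule] = ()) -> Tuple[int, list]:
    """Combine device, geography and spending-profile signals into a score.
    Weights are assumptions, not a real issuer's model."""
    score, reasons = 0, []
    if txn.device_id not in profile.known_devices:
        score += 35
        reasons.append("unknown device")
    if txn.ip_country != profile.home_country:
        score += 20
        reasons.append("connection country differs from home country")
    if txn.merchant_country != txn.ip_country:
        score += 15
        reasons.append("merchant country differs from connection country")
    if profile.recent_amounts:
        mu = mean(profile.recent_amounts)
        sd = pstdev(profile.recent_amounts) or 1.0  # avoid division by zero
        z = (txn.amount - mu) / sd
        if z > 3:
            score += 35
            reasons.append(f"amount is an extreme outlier (z={z:.1f})")
        elif z > 2:
            score += 15
            reasons.append(f"amount is unusually high (z={z:.1f})")
    # "Rules for strategy refinement": issuers bolt on their own checks.
    for rule in rules:
        delta, reason = rule(txn, profile)
        if delta:
            score += delta
            reasons.append(reason)
    return score, reasons

def decide(score: int, challenge_at: int = 30, decline_at: int = 80) -> str:
    """Low risk passes silently; medium risk steps up to a dynamic factor
    (e.g. one-time password); very high risk is declined outright."""
    if score >= decline_at:
        return "decline"
    if score >= challenge_at:
        return "challenge"
    return "frictionless"

def evaluate(txn: Transaction, profile: CardholderProfile,
             rules: Iterable[Rule] = ()) -> dict:
    score, reasons = score_transaction(txn, profile, rules)
    return {"score": score, "decision": decide(score), "reasons": reasons}

def high_value_cross_border(txn: Transaction, profile: CardholderProfile):
    """Example issuer rule: large purchases from foreign merchants."""
    if txn.amount > 1000 and txn.merchant_country != profile.home_country:
        return 25, "high-value cross-border purchase"
    return 0, None

# Constructed sample cardholder: lives in the US, one trusted device,
# modest and steady spending history.
PROFILE = CardholderProfile(home_country="US", known_devices={"dev-A"},
                            recent_amounts=[40, 55, 60, 45, 50])

if __name__ == "__main__":
    for t in (Transaction(52, "US", "dev-A", "US"),
              Transaction(52, "US", "dev-B", "US"),
              Transaction(1500, "RO", "dev-B", "RO")):
        print(t, evaluate(t, PROFILE, rules=(high_value_cross_border,)))
```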
If you are an eCommerce retailer or issuer, will you be using Visa's new service? Please share with us below.
Anthony Petruso
As Director of Compliance Services, Mr. Petruso has developed Megaplan-IT's core practice methodologies for regulatory compliance standards such as PCI DSS, HIPAA Security and Privacy, SSAE 16, ISO 27001 & 27002, and Security Architecture. He can be reached at apetruso(at)megaplanit.com
Posted on 27 November 2012.
The new year will see greater adoption of advanced technology to meet changing demands of enterprises while increasing productivity and creating new experiences for customers, according to Verizon's top business-tech trends for 2013.
"As companies look to transform their businesses in the year ahead, Verizon is zeroing in on the most meaningful opportunities for our enterprise and government clients worldwide," said David Small, senior vice president and chief platform officer for Verizon Enterprise Solutions. "Next year, we are continuing to sharpen our focus on harnessing the power of our advanced technology platforms to deliver industry-specific solutions that unlock productivity and value for our clients, their customers and society."
Here are the Verizon Enterprise Solutions five top business-tech trends:
1. The Forecast Is Bright for Hybrid Clouds
Distributed data centers and the intelligent wired and mobile networks that connect them now represent a viable alternative to the traditional virtual private network (VPN) methods that have formed the backbone of distributed enterprise communications for a generation. Next year, there will be a significant shift from VPNs to public, private and, importantly, hybrid clouds. "By 2013, more than 60 percent of all enterprises will have adopted some form of cloud computing," according to a Gartner report.
"To keep up with the changing demands of today's enterprise, the ideal platform needs to be secure and easy to use and configure," said Small. "In 2013, if you can't switch workloads between public and private clouds, you won't be competitive. This next year will require a bold approach to embracing change and re-engineering networks in support of cloud-based applications."
Examples of recent cloud advancements include health care clouds that help the health care industry address the privacy requirements under the federal Health Insurance Portability and Accountability Act (HIPAA); clouds that help retail and other business transactions comply with Payment Card Industry standards; and clouds that help the public sector comply with the Federal Information Security Management Act.
2. The Mobile Majority Is Taking Charge
According to Forrester, "a full 66 percent of employees now use two or more mobile devices for work" - and that has far-reaching implications.
"Employees and the customers they serve have less and less separation between their work and private lives," Small said. "Enterprises in 2013 must accommodate and prioritize this new demand for efficiency and productivity, and information technology departments will play a key role in meeting the growing appetite for professional mobility on a personal level."
As a result, companies will increasingly adopt cloud-based enterprise mobility strategies creating "personal clouds" where employees can use enterprise applications to do their jobs more effectively. In addition, companies will be more proactive in tackling the challenges associated with dealing with the division of employees' personal and professional lives, by using mobile-device management and private application storefronts to create a more secure, mobile work environment.
3. Connected Machines Drive New Insights
The "Internet of Things" has arrived, and it will continue to grow to meet specific industry requirements. According to a Gartner report, "In 2011, over 15 billion things on the Web with 50 billion+ intermittent connections will grow by 2020 to over 30 billion connected things, with over 200 billion with intermittent connections."
Machine-to-machine (M2M) connections now cover much more than smart energy delivery and smart cars. For example, elaborate networks of sensors with direct machine-to-machine connections now underpin connected health care and the first consumer-ready wave of automotive telematics.
"Verizon's acquisition of Hughes Telematics will help fuel this evolution," said Small. "In 2013, this dramatic growth will extend to retail, finance and manufacturing."
The ability to collect, store and analyze overwhelming volumes of data will determine which enterprises extract the best insights and make the most agile decisions, to their competitive advantage. As a result, all enterprises, both business and government, will need to work with vendors that have strong, global ecosystems.
4. Networks Will Be Smarter Than You and Invisible
An intelligent fabric that connects everything and everyone will render underlying networks invisible to end users, even as overall IP traffic grows at a compound annual growth rate of 29 percent through 2016, according to the Cisco Visual Networking Index.
"Improvements in network reliability and resiliency, coupled with intelligent end points, serve as the foundation for connecting smart machines and smarter people," Small said. "We will see a shift in 2013 to more dynamic networks, pervasive IP connections, and purpose-built networks that serve businesses, consumers and society.
"From retail transactions to high speed trading to the digital signs that communicate with us on a daily basis, the network is omnipresent in the background. It continues to grow in importance, as well as just how much we take it for granted."
5. Security is the New Arms Race
In 2013, security will move out of the specialist realm and become a mainstream IT must-have. Security breaches span access, infrastructure and apps. They happen on fixed and mobile networks. They impact physical, intellectual and financial capital. And the scope is global, according to the "Verizon 2012 Data Breach Investigations Report."
"We expect identity security to be a much more prevalent issue in 2013," Small said. "Two-factor authentication is already gaining adherents, but it won't be enough to counteract the increasing amount and intensity of criminal activity pursuing both intellectual property and financial gain."
"The race is on to protect every endpoint, every device and everything connected to the Internet. While the Internet affords us countless opportunity it also comes with a price. No longer is strong security an option; it's a mandatory requirement for all organizations to protect their intellectual and physical capital, customer identities and society at large," Small said.
Posted on 28 November 2012.
"Colleges and universities are becoming more aware of the fraud threats they face, but there is still a lot of room for educating the educators," says James Gifas, head of Treasury Solutions at RBS Citizens.
"Education ranks as one of the top 5 industries in the country as far as number of reported cases of occupational fraud, and colleges just like for-profit businesses are at risk with the spread of cybercrime," says Mr. Gifas. "These and other internal and external fraud threats present a complex array of crimes that college and university financial offices are trying to get their heads around."
Mr. Gifas, who spoke recently on the topic of fraud to the Association of Independent Colleges and Universities of Massachusetts (AICUM), explains some of the risks for college financial offices:
Fraud puts more squeeze on the bottom line: "Across industry lines, a typical organization loses 5 to 7% of its revenues to fraud each year, according to the Association of Certified Fraud Examiners, and 40 to 50% of affected organizations do not recover any of their fraud-related losses. With budgets tighter than ever, colleges can't afford these kinds of losses."
Internal threats slow detection and negative impact on reputation: The Chronicle of Higher Education reported that an employee of a college in New York state defrauded the school of $80,000 a year for ten years until the fraud was detected in 2012. This type of occupational fraud is all too common, says Mr. Gifas. "According to the American Bankers Association, 60% of all fraud incidents within a business involve employees," he says. "And the reputational damage from internal fraud seriously affects prospective students, faculty, donors, and administrative and regulatory bodies."
Hacking and social engineering loopholes in network security: "While hackers look for vulnerabilities in the technology, fraudsters using social engineering look for vulnerabilities in people," says Mr. Gifas. "These perpetrators convince employees to reveal passwords and challenge credentials, allowing the fraudster to enter the computer system. This is a reminder that even the strongest network security safeguards can be rendered useless if passwords are freely given away."
Electronic payments on the rise: "More and more of colleges' vendors are asking to be paid via wire and ACH, and the upside is ease-of-use, speed, and greater visibility. The downside of these tools is that bank account information and wire instructions are being exchanged more frequently, so it's more critical than ever to safeguard these transactions."
Checks still a risk in an online payment world: "Despite the increase in electronic payments, check fraud is still at the top of the list of targets, just second to credit card fraud," says Mr. Gifas. "Today, 70% of business-to-business payments are still made by check, and 85% of organizations experienced actual or attempted check fraud in 2012, according to the Association for Financial Professionals' latest fraud survey. We've seen colleges dealing with everything from fraudsters tampering with real checks to a criminal ring creating forged checks modeled after the real thing."
"To effectively combat these fraud risks requires a 1-2-3 punch of awareness, banking tools, and technology security," Mr. Gifas explains. "Common sense about safeguarding credentials and implementing approval protocols is the first tier. Using banking tools such as Positive Pay, which ensures that only authorized checks are paid, is the second tier. And then making sure your technology security systems are completely up-to-date rounds out your defenses. Any one of these in isolation won't work; a layered approach is essential to staying ahead of fraudsters, who are working night and day to game the system."
Anonymous-Based Cyber Attacks Increasing Against Israel
November 20, 2012 at 12:40 PM
Israel claims that since the outbreak of violence in the Gaza Strip, 44 million cyber attacks have been launched against various Israeli government websites. Although the attackers have only been able to knock a few sites offline, the sheer volume of attempted incursions indicates that cyber war will be part of our real wars from here on out.
Wide Ranging Scope
Anonymous-related hackers seem to be the culprits behind the sudden increase in Distributed Denial of Service (DDoS) attacks against the websites. Anonymous declared that its "OpIsrael" campaign was responsible for disrupting service on dozens of sites, including the website for the Bank of Jerusalem and the local servers for news outlet MSN and search engine Bing. Overall, they say 10,000 sites were targeted.
"One hacking attempt was successful and took down a site for a few minutes," Carmela Avner, the Chief Information Officer at the Finance Ministry, told ABC News. Avner said the website in question belongs to a "small unit of one of the ministries," but declined to comment further.
Israeli Finance Minister Dr. Yuval Steinitz ordered the government CIO unit to operate in emergency mode but said he remains confident in its abilities.
"We are reaping the fruits of the investment in recent years in the development of computerized defense systems, but we have a lot of work in store for us," he told reporters during a visit to the Government Computing Center in Jerusalem.
Additionally, Anonymous created a "Gaza Care Package" that contained instructions on how to shield IP addresses from Israeli intelligence and how to set up alternative WiFi connections in lieu of an internet shutdown.
Future Implications
If at all effective, Anonymous' operation could be a harbinger of similar engagements in the future. While DDoS attacks have been part of the Anonymous repertoire for years, more sophisticated and organized measures such as the Gaza Care Package represent a bold step into the light for a community that normally prefers to remain cloaked in shadow.
Megaplan-IT sympathizes with everyone impacted by this horrible violence. We hope for a quick end to the fighting and a brighter future for our friends in the Middle East. Where do you stand on this very sensitive issue?
November 14, 2012, 11:13 AM — Researchers from the Georgia Tech Information Security Center today released their official 2013 cyberthreats forecast, detailing what they say will be the most serious computer security issues in the coming year.
THE CLOUD
First on the list -- the use of cloud computing for malicious purposes. The same flexible provisioning capabilities that let legitimate businesses quickly add or subtract computing power could be used to instantly create a powerful network of zombie machines for a wide array of nefarious purposes.
"If I'm a bad guy, and I have a zero-day exploit and the cloud provider is not up on their toes in terms of patching, the ability to exploit such a big capacity means I can do all sorts of things," Microsoft Windows Azure Distinguished Engineer Yousef Khalidi said in the report.
SUPPLY CHAIN
Globalized supply chains pose another, potentially even more serious security problem, according to the Georgia Tech researchers. The ongoing controversy over possible security flaws in products manufactured by some Chinese companies like Huawei and ZTE has businesses worried that their systems could have a built-in back door, making them vulnerable to compromise. (The researchers cite reports from Washington think tanks, as well, noting that the Chinese are concerned about the same issue where U.S.-made products are concerned.)
It's difficult to address this problem, according to the report, given the expense and headache of constant, floor-to-ceiling monitoring -- one of the central reasons the researchers take it so seriously.
SEARCH POISONING
The danger of search engine poisoning, as well, was cited in the report as one that businesses would do well to pay attention to. While garden-variety black-hat SEO and straightforward compromises of legitimate websites are serious enough threats, the authors say that tampering with a user's search history provides a new attack vector.
Posted on 12 November 2012.
A Harris Interactive study, conducted online among over 2,300 U.S. adults, investigates the online habits and behaviors of Americans, including those who indicate that they will engage with the Internet and mobile devices while shopping this holiday season.
While Americans have become accustomed to shopping online, and will do so in droves, they are also using their mobile phones for more of their everyday activities. Among those Americans planning on using smartphones and/or tablets to purchase gifts this holiday season, over half (54%) are specifically planning to use apps for shopping and/or banking during the holiday season; as such, mobile devices have proven irresistible to cybercriminals, and now they are targeting mobile users through malicious applications.
- As 70% of those surveyed plan to shop online this holiday season, a surprising 1 in 4 (24%) of them plan to use their mobile devices, and while aware of the risks, they are willing to give away their personal information if they can get something they value in return.
- In fact, despite the fact that 87% of smartphone or tablet owners surveyed are at least somewhat concerned that their personal information could be stolen while using an app on a smartphone or tablet, nearly nine in ten of them are willing to provide some level of personal information in order to receive an offer that is of value to them.
With roughly three in ten (28%) American smartphone and/or tablet owners admitting they do not pay attention at all to app permissions and 36% paying attention but specifying they do not always do so, Cyber-Scrooge criminals are ready to pounce.
'Tis the season for consumers to spend more time online - shopping for gifts. 88% of those Americans who plan on shopping online during the 2012 holiday season plan on using a personal computer to do so, and 34% will use a tablet (21%) and/or smartphone (19%). But with nearly half (48%) of Americans planning to shop online on Cyber Monday for sales (45% using a computer, 10% using a mobile device), here are the 12 Scams of Christmas, the dozen most dangerous online scams to watch out for this holiday season, revealed by McAfee.
1. Social media scams - Cybercriminals know social media networks are a good place to catch you off guard because we're all friends, right? Scammers use channels like Facebook and Twitter, just as they use email and websites, to scam consumers during the holidays. Be careful when clicking or liking posts, when taking advantage of raffle contests and fan page deals from your friends that advertise the hottest holiday gifts, when installing apps to receive discounts, and when your friends' accounts are hacked and send out fake alerts. Twitter ads and special discounts use blind, shortened links, many of which could easily be malicious.
2. Malicious mobile apps - As smartphone users we are app crazy, downloading over 25 billion apps for Android devices alone! But as the popularity of applications has grown, so have the chances that you could download a malicious application designed to steal your information or even send out premium-rate text messages without your knowledge.
3. Travel scams - Before you book your flight or hotel to head home to see your loved ones for the holidays, keep in mind that the scammers are looking to hook you with too-good-to-be-true deals. Phony travel webpages, sometimes using your preferred company, with beautiful pictures and rock-bottom prices are used to get you to hand over your financial details.
4. Holiday spam/phishing - Soon many of these spam emails will take on holiday themes. Cheap Rolex watches and pharmaceuticals may be advertised as the perfect gift for that special someone.
5. iPhone 5, iPad Mini and other hot holiday gift scams - The kind of excitement and buzz surrounding Apple's new iPhone 5 or iPad Mini is just what cybercrooks dream of when they plot their scams. They will mention must-have holiday gifts in dangerous links, phony contests (example: Free iPad) and phishing emails as a way to grab users' attention and get you to reveal personal information or click on a dangerous link that could download malware onto your machine.
6. Skype message scare - People around the world will use Skype to connect with loved ones this holiday season, but they should be aware of a new Skype message scam that attempts to infect their machine, and even hold their files for ransom.
7. Bogus gift cards - Cybercriminals can't help but want to get in on the action by offering bogus gift cards online. Be wary of buying gift cards from third parties; just imagine how embarrassing it would be to find out that the gift card you gave your mother-in-law was fraudulent!
8. Holiday SMiShing - SMiShing is phishing via text message. Just as with email phishing, the scammer tries to lure you into revealing information or performing an action you normally wouldn't by pretending to be a legitimate organization.
9. Phony e-tailers - Phony e-commerce sites that appear real try to lure you into typing in your credit card number and other personal details, often by promoting great deals. But after obtaining your money and information, they never send the merchandise, and your personal information is put at risk.
10. Fake charities - This is one of the biggest scams of every holiday season. As we open up our hearts and wallets, the bad guys hope to get in on the giving by sending spam emails advertising fake charities.
11. Dangerous e-cards - E-Cards are a popular way to send a quick thank you or holiday greeting, but some are malicious and may contain spyware or viruses that download onto your computer once you click on the link to view the greeting.
12. Phony classifieds - Online classified sites may be a great place to look for holiday gifts and part-time jobs, but beware of phony offers that ask for too much personal information or ask you to wire funds via Western Union, since these are most likely scams.
"Using multiple devices provides the bad guys with more ways to access your valuable Digital Assets, such as personal information and files, especially if the devices are under-protected," said Paula Greve, director at McAfee Labs. "One of the best ways for consumers to protect themselves is to learn about the criminals' tricks, so they can avoid them. Beyond that, they should have the latest updates of the applications on their devices in order to enjoy a safe online buying or other experience. We don't want consumers to be haunted by the scams of holidays past, present and future; they can't afford to leave the door open to cyber-grinches during the busy holiday season."
Tips for Retailers to Secure Their E-Commerce Websites
November 19, 2012 at 9:07 AM
With Black Friday fast approaching, the holiday shopping season is well underway. In 2012, that means shoppers are hitting up your e-commerce website in the hunt for specials, savings, and once-in-a-lifetime deals. All of this holiday shopping buzz attracts a more malicious element: hackers and cybercriminals who are hunting for credit card numbers and user account databases. Previously, we've talked about the threats facing smaller merchants. Responsible owners take these threats seriously. Here are six tips to ensure a secure shopping experience for your customers.
Identifying the Biggest Threats to Website Security
The majority of website attacks come from cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection.
Cross-site scripting (XSS) attacks depend on the trust developed between site and user; CSRF attacks instead exploit the trust that a site has for a particular user. These exploits can also be used to steal sensitive information such as user names, passwords and credit card details – without the site's or the user's knowledge.
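The two trust relationships described above are easiest to see in code. The following is an added example, not code from Megaplan-IT or from this article, showing the standard mitigation for each: a CSRF token bound to the user's session with an HMAC (so a token the attacker cannot read, or one minted for another session, is rejected), and output encoding of user-supplied text before it is placed in HTML (so the browser's trust in the site is not lent to injected script). The secret, session ids, form fields and handler are all constructed for the illustration.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional

# Constructed server-side secret for this example only; a real deployment
# loads it from configuration, never from source code.
APP_SECRET = b"example-only-secret-key-do-not-reuse"


def issue_csrf_token(session_id: str, secret: bytes = APP_SECRET) -> str:
    """Return a token bound to one session: '<nonce>.<hmac(nonce|session)>'.

    A forged cross-site request cannot carry this value: the attacker's page
    cannot read the victim's token, and a token issued for another session
    fails verification because the session id is part of the MAC input.
    """
    nonce = secrets.token_hex(16)
    tag = hmac.new(secret, f"{nonce}|{session_id}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(token: str, session_id: str, secret: bytes = APP_SECRET) -> bool:
    """Recompute the tag for this session and compare in constant time."""
    nonce, sep, tag = token.partition(".")
    if not sep or not nonce or not tag:
        return False
    expected = hmac.new(secret, f"{nonce}|{session_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def render_review(author: str, body: str) -> str:
    """Output-encode user-controlled text before it is placed in HTML.

    XSS works because the browser trusts whatever the site sends; escaping
    turns '<script>' into inert text, so that trust is not lent to the input.
    """
    return (
        f'<div class="review"><b>{html.escape(author, quote=True)}</b>'
        f"<p>{html.escape(body, quote=True)}</p></div>"
    )


def handle_post_review(form: dict, session_id: str) -> Optional[str]:
    """Simulated POST handler: reject forged requests, escape accepted ones."""
    if not verify_csrf_token(form.get("csrf_token", ""), session_id):
        return None  # a real handler would answer 403 Forbidden here
    return render_review(form.get("author", ""), form.get("body", ""))


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print(handle_post_review(
        {"csrf_token": token, "author": "Carol", "body": "<script>alert(1)</script>"},
        "session-A"))
```

The token is checked on every state-changing request, and the escaping is applied at output time rather than at input time, so the stored data stays intact and is made safe for whichever context it is rendered into.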
The following are some basic security tips to keep your customer's online shopping experience a safe one this holiday season.
Add SSL to Your Entire Website
Modern browsers feature built-in warning systems that will let a visitor know whether your site has a vulnerability, such as a non-functioning SSL certificate or a form that could be intercepted. Every website that accepts payments needs to have SSL in place. A graphic should prominently proclaim your SSL status, but said graphic should also be linked to a verification system that provides your visitors with validated hosting information provided by the SSL issuer. If your "Secured by SSL" graphic doesn’t link anywhere, it will appear as if it has been copied from another source. While SSL does not secure a web server from intrusion or attack, it does provide a solid foundation for reassurance. If your website incorporates third party plug-ins or widgets, make sure they are also secured by SSL on the back end.
Visit your website from various browsers and see if any warnings appear. The URL for your site should be HTTPS, not HTTP, and the verification information should reflect the correct credentials. As you can see below, Megaplan-IT's website has a valid SSL certificate issued by Cloudflare.
Clicking on Details or More Info will reveal information about the level of encryption offered by your website. You should have no less than 128 bit encryption.
To Do: Verify the status of your SSL connection on several browsers. Update your browsers to their latest versions and recommend that your customers do the same. Many new security features and threat warnings are added to new browser versions. While you're at it, make sure your operating system, Flash, and Java plug-ins are up to date as well.
Did you know:
21% of online shoppers abandon their shopping carts at the last minute due to security concerns.
Warn Customers About Unsecured Wireless Networks
While it’s safe to do some online ‘window shopping’ while sipping a latte at your local coffee shop, we don’t recommend conducting any sensitive business over a public or otherwise unprotected WiFi network - and neither should you! Add a disclaimer on your check out screen or some other obvious page on your website that warns visitors about proceeding with payment over public WiFi. Yes, it may delay the transaction until they get home, but you will have earned the trust of that shopper and possibly saved them a good deal of trouble. They'll thank you with repeat business!
Follow PCI DSS Requirements
The payment card brands have their own requirements for merchants to follow before they can safely process credit cards. These requirements are designed to ensure your customers' credit card information is being processed or stored in a responsible manner. Many ecommerce websites use a third party processing system to 'check out' customers and process credit cards, so make sure to verify that your platform complies with PCI DSS.
To Do: Advertise your PCI DSS compliance somewhere on your website. Make it easy to find for those that are looking. Most websites proudly display their compliance status.
Did you know:
It is estimated that there are 10,000 payment card transactions made every second around the world. In 2011, 174 million records were compromised in 855 separate data breaches.
Don’t Store Credit Card Information
Company owners want repeat business and will often ask to store their customers' personal information to make "check out easier." True, storing credit card information, addresses and shipping preferences will save users a few seconds upon their next visit – but it can also lead to trouble. What happens to the sensitive information on file? Where is it stored and for how long? What happens if your company gets sold or goes out of business? While you very well may have everything under control, your customers don't know that and they have no reason to blindly trust you. Explain to them why your site doesn't store credit card information, and they will appreciate the fact that you're concerned and proactive about website security.
To Do: Instead of storing information, consider offering only a one-time guest check out option. Also, remind your customers that most credit card issuers offer temporary or ‘virtual credit card’ numbers (tied to a real account) that buyers can use for a single purchase. After the shopping session is finished, the numbers become useless to hackers.
Use a Secure and Trusted Payment Service
Why bother with credit card numbers at all if you don’t have to? Offering your customers a way to pay via third party payment services can help reduce their online visibility. Of course, PayPal is the 800-pound gorilla in the online payment space, but other services like Amazon Payments and Serve are good alternatives. While generally reliable, there can be additional costs involved with using these services.
To Do: Consider one of these services, especially if you are a small merchant or vendor that does not accept credit cards or is otherwise unsure about website security.
Make Yourself Transparent and Easily Contactable
Even your well-managed website can run into security issues that might temporarily knock off your SSL status. When in doubt, visitors may want to contact your company directly. There should be easy to find contact information on every page – legitimate websites want you to contact them, so make sure you can be contacted by phone or email. A security policy page that outlines your SSL status and PCI compliance will reassure visitors that you are taking steps to protect their information. Also, pay attention to the design and content of your site. Sloppy layout, misspelled words and broken images can be a warning sign that your site isn't regularly maintained.
To Do: Add contact information and a security policy. Edit your website and correct typos or broken images.
Justin Sulhoff
Justin Sulhoff serves as Megaplan-IT’s Director of Security Services. He maintains all compliance standards and Application Assessments while providing recommendations to protect sensitive data and determine cost-effective remediation. Contact Mr. Sulhoff: jsulhoff(at)megaplanit.com
Posted by admin on Nov 19th, 2012
Yes, I think a security policy page is a good idea. It's hard to know what the site is doing otherwise. I avoid entering my information on any website and would prefer to use paypal but doesn't that cost money to use?
Posted by Megaplan IT on Nov 19th, 2012
Hi Carol, Paypal transactions with a Personal account are free, but you'll need a Premier or Business account to accept debit or credit card payments, for which you'll pay a small fee. Opening a Paypal account and withdrawing money to a U.S. bank account are free.
Happy Holidays!
Megaplan IT
[Jason Sachowski is a security professional at ScotiaBank. His content is contributed through the auspices of the (ISC)2 Executive Writers Bureau.]
To understand security -- and the risks and threats that your organization faces -- you need information. This information, collectively known as "security intelligence," is becoming more critical to enterprises as attackers become more sophisticated in their exploits.
What is security intelligence? In a blog posted last year, security vendor Q1 Labs offered this definition:
"Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of security intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization."
The concept of security intelligence is evolving rapidly, but it seems likely to follow much the same pattern as the evolution of criminal intelligence in law enforcement. The first approach was to remove the criminal entities (the tactical approach). Next, there was an effort to analyze how crime was being committed (the operational approach). Today, there is a focus on building effective defenses (the strategic approach).
Until recently, most organizations' efforts in security have been focused more on stopping the threat than on analyzing attacks and threats. To make the leap from tactical/operational approaches, enterprises need to take a more strategic approach to collecting and analyzing security intelligence. Here's a look at five of the key steps in this transition.
1. Planning
Perhaps the most important step of developing a security intelligence initiative is defining what information it will provide -- and how that information relates to the business. Before going out and identifying data sources for input, consider the multiple outputs that will come from building this service. Three of the most important outputs are threat intelligence, risk trending, and due diligence.
Threat intelligence is the first and foremost piece of information that will be obtained from your security intelligence initiative. Threat intelligence allows your enterprise to meet tactical and operational needs through the real-time alerting of threats. With good threat intelligence, organizations are also in a better position to recognize the most serious threats and build strategic defenses to address them.
Risk trending -- a key component of security planning and decision making -- becomes more effective as the amount of threat intelligence data increases. By capturing and storing data from internal and external sources, security intelligence can help identify threat and vulnerability trends that might impact the organization's specific business functions.
Due diligence is the case-by-case evaluation of business partners -- such as contractors and vendors -- to determine the potential security risks associated with business relationships. Ultimately, threat intelligence data can help the business make good security choices when evaluating potential partners.
It's important that the planning process include not just short-term threats, but longer term trends. By placing greater emphasis on building long-term solutions (the strategic approach), organizations will be able to deliver more consistent business defenses; that emphasis is what distinguishes strategic security intelligence gathering from tactical and operational practices.
2. Collection
IT security professionals spend much of their time reading security-related news, conducting independent research, and attending various training sessions. These efforts mostly provide information that's nice to know, but not always directly relevant to the security pro's specific organization.
Most security professionals need to re-direct their efforts toward more substantial and relevant data – including threat intelligence sources, open source information, industry contacts, and law enforcement. By focusing more closely on directly relevant sources of information, organizations will collect less redundant information and keep interested parties more accurately informed.
Collecting security intelligence data is something like a loose thread on a sweater; the more you pull, the bigger it gets. But if you've defined specific goals during the Planning stage, you should be able to narrow down your list of data sources. Security information and event management [SIEM] tools, open source information (such as news feeds), industry sources (such as Gartner or Forrester), and professional peers at other organizations may all be useful sources in the information-gathering effort.
3. Analysis
Your security intelligence can be used to support further research, investigations, and defensive measures. It's not enough to aggregate, normalize, and present data -- you must analyze it to ensure its accuracy, reliability, and usefulness to the organization.
A security intelligence analyst should be able to apply critical thinking to truly understand the collected data, perform comparisons against other known data, and format it into meaningful reports that support the business' needs.
4. Information Distribution
Communicating security intelligence data to non-technical people can be difficult, primarily because the data does not translate very easily to business operations. More often than not, intelligence data communicated in reports is viewed as a snapshot in time -- it becomes outdated quickly and no action is taken.
Intelligence reporting should be business-focused and targeted at primary stakeholders, including executives and non-technical decision makers. It should include analytical data that can be easily understood and used to make informed business decisions. Those decisions will only be as good as the data you provide.
5. Prioritization
With the right data in hand, organizations can move on to the final step: determining the next set of priorities. While some intelligence is focused on a single security issue (start/middle/end), there are other times when intelligence becomes a cycle (wash/rinse/repeat) of collecting, analyzing, and reporting.
Security intelligence is a key source of information for making security decisions, but it is only one point of discussion. The data and analyses must be combined with other information, both on the IT and business sides, and considered in context.
The most effective security intelligence-gathering efforts are done on a strategic level, taking longer-term trends, risks, and business issues into account. This is not to say that tactical and operational intelligence are declining practices – they remain critical for understanding the organization's security and risk posture.
By placing greater emphasis on strategic, long-term threat intelligence, organizations will be able to deliver more consistent security defenses that are flexible enough to deal with changing requirements and protect the business as threats evolve.
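The Q1 Labs definition quoted above (real-time collection, normalization and analysis of data from users, applications and infrastructure) and the Collection and Analysis steps are described abstractly. The following added example, which is not from the article, from (ISC)2 or from Q1 Labs, shows the mechanics on two constructed feeds: sshd log lines from a host and a web application's JSON audit log are normalized into one event schema, then analyzed for a tactical alert (repeated authentication failures from one address, corroborated across sources) and for a trend (failures per day, the raw material of risk trending). The log formats, host names, addresses and the alert threshold are all assumptions made for the example.

```python
import json
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input (not real logs): an sshd log and a JSON audit log
# from a web shop. Addresses come from the documentation ranges.
SAMPLE_SSHD_LOG = """\
2012-11-12T09:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 51022 ssh2
2012-11-12T09:01:09 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
2012-11-12T09:15:44 web01 sshd[2310]: Accepted password for deploy from 198.51.100.7 port 40122 ssh2
2012-11-13T02:30:00 web01 sshd[2500]: Failed password for root from 203.0.113.5 port 51500 ssh2
"""

SAMPLE_APP_LOG = """\
{"time": "2012-11-12T09:02:00Z", "app": "shop", "event": "login", "result": "failure", "user": "alice", "client_ip": "203.0.113.5"}
{"time": "2012-11-12T10:00:00Z", "app": "shop", "event": "login", "result": "success", "user": "alice", "client_ip": "198.51.100.7"}
{"time": "2012-11-13T11:00:00Z", "app": "shop", "event": "login", "result": "failure", "user": "bob", "client_ip": "192.0.2.44"}
{"time": "2012-11-13T11:00:05Z", "app": "shop", "event": "checkout", "result": "success", "user": "bob", "client_ip": "192.0.2.44"}
"""

# Assumed sshd line layout: "<timestamp> <host> sshd[<pid>]: <Failed|Accepted> password for [invalid user] <user> from <ip> ..."
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


@dataclass(frozen=True)
class AuthEvent:
    """Common schema that every source is normalized into."""
    day: str       # YYYY-MM-DD, the granularity used for trending
    source: str    # which feed produced the event
    host: str
    user: str
    ip: str
    success: bool


def normalize_sshd(line: str) -> Optional[AuthEvent]:
    """Parse one sshd line; lines that are not authentication outcomes yield None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return AuthEvent(m["ts"][:10], "sshd", m["host"], m["user"], m["ip"], m["outcome"] == "Accepted")


def normalize_app(line: str) -> Optional[AuthEvent]:
    """Parse one JSON audit record; only login events belong in this feed."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if rec.get("event") != "login":
        return None
    # The app log carries no hostname, so the application name stands in for it.
    return AuthEvent(rec["time"][:10], rec["app"], rec["app"], rec["user"],
                     rec["client_ip"], rec["result"] == "success")


def collect(sshd_log: str = SAMPLE_SSHD_LOG, app_log: str = SAMPLE_APP_LOG) -> List[AuthEvent]:
    """Collection step: gather every source into the common schema, dropping the unparseable."""
    events = [normalize_sshd(line) for line in sshd_log.splitlines()]
    events += [normalize_app(line) for line in app_log.splitlines()]
    return [e for e in events if e is not None]


def analyze(events: List[AuthEvent], threshold: int = 3) -> Dict[str, dict]:
    """Analysis step: a tactical alert per source address plus a daily failure trend."""
    failures_by_ip = Counter(e.ip for e in events if not e.success)
    sources_by_ip = defaultdict(set)
    for e in events:
        if not e.success:
            sources_by_ip[e.ip].add(e.source)
    # Alert on addresses at or above the threshold; listing the corroborating
    # sources is what turns a raw count into something an analyst can act on.
    alerts = {ip: {"failures": n, "sources": sorted(sources_by_ip[ip])}
              for ip, n in failures_by_ip.items() if n >= threshold}
    trend = dict(sorted(Counter(e.day for e in events if not e.success).items()))
    return {"alerts": alerts, "trend": trend}


if __name__ == "__main__":
    print(json.dumps(analyze(collect()), indent=2))
```

Each normalizer is deliberately narrow: it returns None for anything it does not understand rather than guessing, which is where the article's point about analysing data for accuracy and reliability starts in practice. Adding a feed means adding one normalizer, not changing the analysis.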
CSO —
You've got all the bells and whistles when it comes to network firewalls and your building's security has a state-of-the-art access system. You've invested in the technology. But a social engineering attack could bypass all those defenses.
Say two fire inspectors show up at your office, show their badges and ask for a walkthrough—you're legally required to give them access to do their job. They ask a lot of questions, they take electrical readings at various wall outlets, they examine wiring under desks. Thorough, aren't they? Problem is, in this case they're really security consultants doing a social engineering 'penetration test' and grabbing access cards, installing keystroke loggers, and generally getting away with as much of your business's private information as they can get their hands on. (See How to rob a bank for details from this real-world example.)
Social engineers, or criminals who take advantage of human behavior to pull off a scam, aren't worried about a badge system. They will just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend.
In this article, we outline the common tactics social engineers often use, and give you tips on how to ensure your staff is on guard.
Last updated September 27, 2012.
What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort. (Watch the video to see social-engineering expert Chris Nickerson size up one building's perimeter security.)
Through a Social Engineer's Eyes
Social Engineering expert Chris Nickerson reveals what criminals are looking for when it comes vulnerabilities in building security.
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. In the example given above, once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. Another tactic might be to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even to harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy, conducts 'red team testing' for clients using social engineering techniques to see where a company is vulnerable. Nickerson detailed for CSO how easy it is to get inside a building without question.
In one penetration test, Nickerson used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees. Read Anatomy of a Hack to follow Nickerson through this exercise.
In What it's like to steal someone's identity professional pen tester Chris Roberts, founder of One World Labs, says he too often meets people who assume they have nothing worth stealing.
"So many people look at themselves or the companies they work for and think, 'Why would somebody want something from me? I don't have any money or anything anyone would want,'" he said. "While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal."
MasterCard's "DisplayCard" Features Built-in Display and Keypad
November 12, 2012 at 8:57 AM
Move over NFC, MasterCard's futuristic-looking credit card (aka "DisplayCard") is back in the news. The company has been heralding the advanced plastic as the "next generation of payment cards" since 2010, and has released products in Turkey and Romania. Now, it's Singapore's turn. While DisplayCard retains the same size as a traditional credit card, the design features an LCD display and touch-sensitive buttons that allow a user to enter a one-time security password.
Standard Chartered Bank Singapore is the latest bank to take advantage of the tech. Starting in January 2013, all Standard Chartered Online Banking or Breeze Mobile Banking users will use the new security token card for certain high-risk transactions, such as adding third party payees, making payments above a certain threshold, or altering personal account details.
MasterCard says that "at present, banking institutions that necessitate a higher level of security for their online banking services require the use of a separate authentication token or device. The innovative 2-in-1 device, which combines the functionality of a standard payment card with a state-of-the-art security token, currently reflects the customer’s OTP. In future, this card could incorporate additional functionalities and be able to indicate other real time information such as available credit balance, loyalty or reward points, recent transactions, and other interactive information."
While smartphone makers continue pushing "Near Field Communication" apps, merchants have been slow to adopt the payment technology. MasterCard isn't waiting around for the revolution, as evidenced by the DisplayCard.
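The article does not say which one-time-password algorithm the DisplayCard uses, so the following added example (not MasterCard's, Standard Chartered's or Megaplan-IT's code) uses the standard event-based HOTP scheme from RFC 4226 to show how a card-shaped security token of this kind works in general: the card and the bank share a secret and a counter, each button press produces a code from the next counter value, and the bank accepts a code only once and only within a small look-ahead window, which is what makes a captured code useless for a later transaction. The secret is the published RFC 4226 test key; the verifier class, its window size and the counter handling are assumptions for the example.

```python
import hashlib
import hmac
import struct


# RFC 4226 reference test key, used here only as constructed example material.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Bank-side state for one card: the shared secret and the next unused counter.

    A counter-based token can drift ahead of the server (the customer pressed the
    button without submitting the code), so the server searches a small look-ahead
    window and resynchronises on success. It never searches backwards: a code whose
    counter has already been consumed is a replay and is refused.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.next_counter = c + 1         # burn this code and everything before it
                return True
        return False


if __name__ == "__main__":
    bank = OtpVerifier(DEMO_SECRET)
    card_counter = 0
    code = hotp(DEMO_SECRET, card_counter)        # customer presses the button once
    print("first use:", bank.verify(code))        # True
    print("replay:", bank.verify(code))           # False
```

The constant-time comparison matters less here than in the CSRF case, since a six-digit code gives little leverage, but it is the habit to keep; the design points a reviewer would look for are the refusal to look backwards and a lockout after repeated failures, which this small example leaves to the surrounding application.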
Anthony Petruso
As Director of Compliance Services, Mr. Petruso has developed Megaplan-IT's core practice methodologies for regulatory compliance standards such as PCI DSS, HIPAA Security and Privacy, SSAE 16, ISO 27001 & 27002, and Security Architecture. He can be reached at apetruso(at)megaplanit.com
So far, 2012 has been the year for skeletons falling out of the IT security closet. The headlines have been hopping with stories of companies whose networks and databases were thoroughly owned by hackers for months and years at a time, often undetected until government agents came to let them know they'd been compromised and had been for a while. Many organizations go to great lengths to keep news of these kinds of breaches under wraps if no regulated PII is stolen, but this year many haven't kept the light of day from shining on their deep, dark security inadequacies. Dark Reading took a look at some of the most impactful long-term compromises brought to light in the past year and what these events mean to security pros.
1. U.S. Chamber Of Commerce
In the waning days of 2011, news broke that the U.S. Chamber of Commerce fell victim to a year-long attack from Chinese hackers -- a common origin for many of the long-term hacks described here. In this instance, the FBI told the chamber that attackers were using servers in China to steal information from its network. The organization could never pinpoint an initial point of entry, but as it investigated it found that attackers had booby-trapped its entire network with backdoors to better steal from its data stores.
The publicity of this attack gave us food for thought through the New Year about the way hackers had upped their game in strategic targeting against organizations of all types. It showed a "new level of sophistication," Joe Gottlieb, president and CEO of Sensage, told Dark Reading.
"The hackers were able to choose the targeted organization -- the U.S. Chamber of Commerce. They were able to choose the people within that organization that mattered to them -- the individuals known to be working on Asia policy," he says. "They were able to obtain all email content, including attachments, exchanged between these individuals and other organizations, several of which must have been relevant to the matters of interest."
2. Nortel
If one year of unfettered compromise of network and database resources seemed bad, how about ten times that? The security industry had its worst suspicions confirmed about how long attackers could hold onto corporate infrastructures when The Wall Street Journal published insider information that shed light on Nortel's decade spent under the thumb of Chinese hackers prior to the company's parceling itself out to Avaya and several other tech firms in fire sales over the course of 2009 and 2010. Interestingly, Nortel did have a whiff of the unmitigated takeover of its network, but never let on to its acquirers about the bad news.
Security experts say Nortel is no outlier in corporate America.
"The sad reality is that it's highly likely that Nortel isn't the only company that has been breached for a long time and is just now deciding to disclose it," Marcus Carey, security researcher for Rapid7, told Dark Reading.
The WSJ story heavily featured a former employee who led internal investigations about the attacks who was continually blown off by executives as someone "who cried wolf." This scenario truly highlights the necessity of consensus building and skilled communication coming from the security department in order to truly catalyze the change necessary to detect and stop the pwnage in its tracks.
3. Japan Finance Ministry
This July, the Japan Finance Ministry let slip that it had been the target of a two-year-long incursion into its networks in 2010 and 2011 by hackers using a remote access Trojan. The malware wasn't discovered until well after it was active, but Japanese officials said its initial investigation this summer found that 123 of the 2,000 computers checked were infected.
The long-term viability of a Trojan on Japanese government PCs offers a good example of how today's attackers are using obfuscated malware to conduct stealthy attacks.
"To get at the root of the problem, security professionals must leverage a great many tools and employ in-depth (and often manual) analysis of log files, network traffic and program code," wrote Stephen Cobb, author of the recent InformationWeek Report, "How Did They Get In? A Guide to Tracking Down the Source of APTs" (PDF).
4. Coca-Cola
Any industry vet will tell you that the favorite example scenarios presented at security conferences about IP theft inevitably wander toward analogies involving Coca-Cola. "If you were Coke and your IP was stolen, what would that mean to your business?" is the type of hypothetical plenty of speakers have bandied about. But this week the hypothetical was shown to have some basis in fact, when a Bloomberg Businessweek report uncovered a 2009 attack on Coca-Cola that cut so deep into intellectual property and confidential company data that insiders say it played a hand in scuppering the beverage giant's bid to buy a Chinese drinks conglomerate. Security experts say the attack once again shows the critical need to lock down privileged accounts: the Coca-Cola compromise reportedly began with spearphishing and then escalated through the use of the targets' legitimate network credentials.
"Whether they're called hard-coded passwords, admin passwords, or privileged accounts, they're all privileged access points that provide a direct -- and often anonymous -- route to an organization's most sensitive data and infrastructure," Adam Bosnian, executive vice president of Americas and corporate development for Cyber-Ark, told Dark Reading.
CSO - The chief financial officer of a Missouri firm who discovered that cyber thieves had withdrawn $180,000 from the company's bank accounts overnight described it as "a helluva wake-up call" to security blogger Brian Krebs.
But that loss might have been avoided if the company, Primary Systems, had paid better attention to the risks of electronic banking. The warnings, and examples, of cyberheists in the hundreds of thousands -- and even millions of dollars -- have been around for years.
Krebs reported this week that the company became a victim of "a single virus-laden email that an employee clicked on [that] let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers."
In this case, a payroll batch worth about $180,000 was drawn from Primary Systems' bank accounts, paid to "money mules" and eventually sent to recipients in Ukraine.
The transactions were irregular -- highly irregular. They took place on a Tuesday, while the company had always processed its payroll on Friday mornings. They called for payments of between $5,000 and $9,000 to 26 people in almost that many different states who had never had any prior connection to the firm and who were added to the Primary Systems payroll that day.
But, even though it was six times the normal payroll, the total came in below the $200,000 threshold that would have triggered a call from the bank to get permission for the payouts.
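Every indicator in the Primary Systems batch was visible to the company before the money left: the wrong weekday, payees nobody had paid before, payee records created that same day, a total six times the normal run, and a total that stayed just under the bank's call-back threshold. The Python below is an added example, not code from the CSO or Krebs reporting, that turns those indicators into a pre-release review of a payroll batch against the company's own baseline. Employee names, amounts, dates and the $200,000 threshold are constructed sample data, not figures from the bank.

```python
"""Review an ACH payroll batch against the company's own baseline before release.

Added example, not code from the CSO/Krebs reporting. The checks are the
indicators the Primary Systems theft exhibited: payroll released on the wrong
weekday, payees who had never been paid before and were created on the run
date, a total several times the normal run, and a total kept just under the
bank's call-back threshold. Names, amounts and the $200,000 threshold are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Set


@dataclass(frozen=True)
class Payment:
    payee: str
    amount: float
    payee_added: date       # when the payee record was created in the payroll system


@dataclass
class Batch:
    run_date: date
    payments: List[Payment]


@dataclass
class Baseline:
    usual_weekday: int      # 0 = Monday ... 4 = Friday
    typical_total: float
    known_payees: Set[str]


def review_batch(batch, baseline, callback_threshold=200_000.0,
                 structuring_band=0.10, total_multiple=3.0):
    """Return human-readable findings; an empty list means the batch looks routine."""
    findings = []
    total = sum(p.amount for p in batch.payments)

    if batch.run_date.weekday() != baseline.usual_weekday:
        findings.append(f"run on weekday {batch.run_date.weekday()}, "
                        f"payroll normally runs on weekday {baseline.usual_weekday}")

    never_paid = [p for p in batch.payments if p.payee not in baseline.known_payees]
    if never_paid:
        findings.append(f"{len(never_paid)} of {len(batch.payments)} payees have never been paid before")

    created_today = [p for p in batch.payments if p.payee_added == batch.run_date]
    if created_today:
        findings.append(f"{len(created_today)} payees were created on the run date")

    if total > total_multiple * baseline.typical_total:
        findings.append(f"total ${total:,.0f} is {total / baseline.typical_total:.1f}x the typical run")

    # Structuring: a total parked just below the amount that would make the bank call.
    if callback_threshold * (1 - structuring_band) <= total < callback_threshold:
        findings.append(f"total ${total:,.0f} sits just under the ${callback_threshold:,.0f} call-back threshold")

    return findings


# Constructed baseline and batches.
KNOWN = {"alice", "bob", "carol", "dave", "erin"}
BASELINE = Baseline(usual_weekday=4, typical_total=30_000.0, known_payees=KNOWN)

NORMAL_BATCH = Batch(date(2012, 5, 11),   # a Friday
                     [Payment(n, 6_000.0, date(2010, 1, 4)) for n in sorted(KNOWN)])
FRAUD_BATCH = Batch(date(2012, 5, 15),    # the following Tuesday
                    [Payment(f"mule{i:02d}", 7_000.0, date(2012, 5, 15)) for i in range(26)])

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL_BATCH), ("fraud", FRAUD_BATCH)):
        print(name, review_batch(batch, BASELINE) or ["no findings"])
```

Any batch with findings should be held until someone confirms it out of band, by phone to a number the bank already has on file, rather than relying on the bank's own threshold, which the thieves here had evidently sized their batch to stay under.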
None of this is new to electronic banking. One of the more prominent cases dates to May 2009 in Sanford, Maine, where Patco Construction, a small property development and contracting firm, discovered that its banker, Ocean Bank (later acquired by People's United Bank), had authorized six fraudulent withdrawals totaling $588,851, even after the bank's security system had flagged each transaction as high-risk. The bank was able to block or recover $243,406 of that total.
That incident led to a lawsuit against the bank that is reportedly headed for a negotiated settlement at the prodding of a federal appeals court judge. But it illustrated the same risks as the theft from Primary Systems, ones that every business conducting electronic banking should be aware of.
First, a business is not protected at the same level as an individual. Different laws govern each. A bank has to reimburse an individual customer for losses due to fraudulent transactions, as long as the fraud is reported promptly. For commercial customers, a bank must simply have a security system that is "commercially reasonable," and electronic transactions must be made in "good faith."
In practice, that usually leaves the business on the hook for losses, so the burden of monitoring its own accounts falls on the business by default.
Joram Borenstein, senior director of global product marketing at NICE Actimize, said there is anecdotal evidence that one response to this is some small companies are "misleading their own financial institution" by registering accounts as consumer accounts instead of ones designed for small businesses.
10 tips to keep data secure
Halloween is scary, but for the federal government, few things scare more than a security breach.
Despite recent high-profile incidents shining a light on the problem, reports show that agencies continue seeing a dramatic upward trend in cyberattacks – and hackers are bent on stealing sensitive information, information useful to identity thieves and anything else they can get their digital hands on.
A Government Accountability Office official testified in April that cases involving leaked or compromised sensitive data reported by federal agencies to the U.S. Computer Emergency Readiness Team skyrocketed nearly 680 percent from 2006 through 2011.
Cyberattacks overall are also costing the nation a pretty penny. According to a report in The New York Times, National Security Agency Director Gen. Keith Alexander has said the U.S. loses up to $338 billion in financial theft. Numbers from the Commerce Department also indicate $250 billion is lost every year in intellectual-property thefts.
Alexander, who also commands U.S. Cyber Command, expressed little confidence in July in the nation’s ability to thwart outside intrusions.
“If we were to be completely candid here, the reality is that industry is getting hacked [and] government is getting hacked," he told the audience at the Aspen Institute’s annual security forum. "What we need to do is come together and form best practices. When we put together this ability for our nation to work as a team in cyberspace, what that allows us to do now is do things that other countries aren’t capable of doing in defending the nation.”
In support of the National Cyber Security Awareness Month, information risk and security performance management company nCircle released an e-book that offers an array of tips to help improve online security. The suggestions are written in fewer than 140 characters to promote sharing on social media, including Twitter when using the hashtag #securitytips.
Here are 10 of those tips for staying cyber secure – modified for feds:
Look beyond antivirus programs: A virus scanner is not much use once a computer has been infected. By being proactive and keeping your systems current and programs patched, you can prevent malware from infecting your computer.
Many CIOs and chief information security officers are struggling to adapt security practices to a changing environment that includes cloud computing, social media and tablets, according to a survey of 1,850 such IT pros.
The Ernst & Young 2012 Global Information Security Survey published today found cloud computing to be one of the main drivers of business model innovation and IT service delivery, with 59% of respondents saying they use or plan to use cloud services. But 38% admitted they have not taken any measures to mitigate risks.
Use of social media in business is prevalent, but 38% of the CIOs and CISOs surveyed say they don't have a coordinated approach to address risks, such as defending the organization's brand or determining how employees use work time to engage in social media.
The Ernst & Young survey indicated that 31% of respondents said they saw an increase in the number of security incidents compared to the previous year.
Another technology game-changer, use of mobile devices, such as tablets and smartphones, is compelling "policy adjustments," according to over half of these IT professionals who hail from the financial industry, insurance, high-tech, government, and various industrial, retail and utility sectors from all around the world.
More than one-third say that company-owned mobile devices have been adopted but use of personal devices is not allowed for business. The survey found that 36% have acquired mobile-device management software and 31% now have a "governance process to manage the use of mobile applications." Encryption plays a central role for 40% of CIOs and CISOs surveyed.
In terms of budgets for the next 12 months, 30% said they expect information security funding to increase by 5% to 15%, while 9% of respondents anticipate a budget increase of 25% or more. Security budgets are expected to remain flat for 44%. About a third said they spend at least $1 million per year on information security.
Just over half said the area of highest priority for them is business continuity, including management and disaster recovery. But one surprise, the report states, is that the second-highest priority is "a fundamental redesign of their information security program."
This appears to reflect the security gaps these CIOs and CISOs acknowledge in their organizations' adoption of cloud computing and tablets. Some 55% said they plan to spend more to secure new technologies, while 63% acknowledged that they have "no formal architecture framework in place, nor are they necessarily planning on using one." The Ernst & Young study indicated these IT professionals may feel they have "a patchwork of non-integrated, complex and fragile defenses" that creates gaps in their security.
Those that did have a defined security architecture pointed to the Open Group Architecture Framework, the ANSI/IEEE 1471 architecture-description standard (since adopted as ISO/IEC 42010), and other references such as defense department frameworks defined in the U.S. and the United Kingdom.
Best Practices for Protecting Health Information
November 05, 2012 at 9:47 AM
Millions of patient health records have been stolen over the past decade, and that number is sure to climb higher in the coming years. While data breaches may not be a thing of the past quite yet, there are many steps an organization should take to protect sensitive information. Here is some advice garnered from a panel of experts brought together by the American Hospital Association.
Planning and Preparation
Many organizations are choosing to perform regular Security Awareness Training for staff as part of an overall breach prevention strategy. Equally important is the development of an Incident Response Plan to help organize departmental response to a data breach or other incident that may affect data integrity. Natural disasters, like Hurricane Sandy, are also good cause to form an Incident Response Plan.
Marcy Wilder, co-chair of the Global Privacy and Information Group at Hogan Lovells, suggested that "prevention efforts, preparation, and a well-executed response plan can go a long way toward mitigating the financial, legal and reputational harm that a security incident involving patient information can cause. Whether a breach begins with an external attack, employee malfeasance or an innocent mistake, an organization's initial response can help minimize harm to affected individuals and manage the risks to which an institution is exposed. To start, have a written post-breach response plan ready and tested before a breach happens."
Compliance
Adhering to regulations like the Health Insurance Portability and Accountability Act (HIPAA) helps to create an overall system of effective security controls.
Doug Pollack, CIPP/US, chief strategy officer, recommends annual HIPAA assessments. "A key action for your healthcare organization to reduce your risks of being fined by the Office for Civil Rights (OCR) is to have a privacy and security compliance assessment carried out every year, and to clearly document the remedial actions that you've taken to address the most severe patient data privacy risks that were identified."
Of course, identifying gaps or vulnerabilities in your network environment is crucial. Make sure your compliance vendor performs a Gap Assessment as part of their HIPAA security and privacy program.
Justin Sulhoff
Justin Sulhoff serves as Megaplan-IT’s Director of Security Services. He maintains all compliance standards and Application Assessments while providing recommendations to protect sensitive data and determine cost-effective remediation. Contact Mr. Sulhoff: jsulhoff(at)megaplanit.com
The South Carolina Department of Revenue fell victim to a cyberattack that resulted in the theft of 3.6 million Social Security numbers and the details for 387,000 credit and debit cards, Gov. Nikki Haley announced this afternoon (Oct. 26).
Haley said that the attack, which occurred Oct. 10, originated from outside of the United States and that the announcement was only made now in order to give law enforcement time to conduct an investigation.
The investigation revealed that hackers attempted to breach the DOR's website several times between August and September.
"This is not a good day for South Carolina," Haley said. "I want this person slammed against the wall."
Haley suggested that all who have filed a tax return in South Carolina since 1998 take steps to protect their identity and monitor their credit accounts. Those who have issues because of the incident will be assisted by the state, Haley said.
"This is the responsibility of the state to protect the taxpayers," she added.
Follow Ben on Twitter @benkwx.
Thousands of Android apps in the Google Play store are flawed in ways that make supposedly secure connections vulnerable to meddling from third parties, who could steal personal and financial information.
A study of more than 13,000 popular free apps found that 17 percent of the apps had weak and insecure SSL/TLS connections — something absolutely essential when sending sensitive information, such as in a mobile banking app.
Attackers can exploit these flaws with man-in-the-middle (MITM) attacks that intercept data as it travels wirelessly.
To test the concept, the German study team, six researchers from Philipps University in Marburg and Leibniz University in Hannover, managed to obtain credit-card numbers and account-login details in ways that it should not have been able to, Kaspersky's Threatpost security blog reported.
The team built a static-analysis tool, dubbed MalloDroid, that flags apps whose SSL handling looks exploitable. It netted nearly 1,100 of them.
"These 1,074 apps represent 17 percent of the apps that contain HTTPS URLs," the researchers said in their report, referring to apps that link to material from secure Web sources. "We have captured credentials for American Express, Diners Club, Paypal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime, remote servers, bank accounts and email accounts.
"We have successfully manipulated virus signatures downloaded via the automatic update functionality of an anti-virus app ... It was possible to remotely inject and execute code in an app created by a vulnerable app-building framework."
"The findings of our investigation suggest several areas of future work," the team, who will make MalloDroid available to consumers, said. "There seems to be a need for more education and simpler tools to enable easy and secure development of Android apps."
In other words, the affected apps should not be trusted with sensitive details such as credit-card numbers and login credentials. Unfortunately, Threatpost did not name the affected apps, and the academic paper that might list them is behind a paywall.
A synopsis of the paper said only that the apps had been installed by "between 39.5 [million] and 185 million users."
According to Threatpost, the researchers suggested that an Android-specific implementation of the Electronic Frontier Foundation's HTTPS Everywhere browser plug-in might solve the problem.
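The concrete mistake behind most of those 1,074 apps is a client that accepts any certificate or any hostname, so a man in the middle holding a perfectly valid certificate for some other domain is waved through. As an added example (not code from the study or from MalloDroid), the Python below implements the hostname check a correct verifier performs, using the matching rules of RFC 6125, next to the "allow all" verifier that the flawed apps effectively shipped (the behaviour of Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, which Android bundled). The certificate dictionaries follow the layout of Python's ssl.getpeercert() but are constructed data, not real certificates.

```python
"""Hostname verification for TLS, the check the flawed Android apps skipped.

Added example; not code from the study or from MalloDroid. `match_hostname`
applies the RFC 6125 matching rules to the certificate's subjectAltName
(falling back to the Common Name only when no SAN is present);
`allow_all_hostnames` is the vulnerable verifier for contrast. The
certificate dicts follow the layout of ssl.getpeercert() but are constructed.
"""
import ipaddress


def _dns_match(pattern, host):
    """Match one dNSName pattern against a host name.

    A wildcard is honoured only as the entire leftmost label of a name with at
    least three labels ('*.bank.example'), never across a dot and never for a
    bare '*.example'. Partial wildcards ('f*.example') are rejected outright;
    RFC 6125 permits them, but they are a frequent source of verifier bugs.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, host):
    """True if `host` is a name or IP literal the certificate was issued for."""
    san = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # IP literals match only iPAddress SAN entries, and only exactly.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, host) for p in dns_names)
    # Legacy certificates without a SAN: fall back to the Common Name.
    cn = cert.get("commonName")
    return cn is not None and _dns_match(cn, host)


def allow_all_hostnames(cert, host):
    """The broken verifier: any certificate for any name is accepted."""
    return True


# Constructed certificates.
BANK_CERT = {"subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example"))}
# A certificate legitimately issued to an attacker for a domain they control.
ATTACKER_CERT = {"subjectAltName": (("DNS", "mitm.example"),)}
IP_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),)}


def mitm_accepted(verifier, host="www.bank.example"):
    """Would this verifier let a man in the middle holding ATTACKER_CERT through?"""
    return verifier(ATTACKER_CERT, host)


if __name__ == "__main__":
    print("strict verifier lets MITM through:", mitm_accepted(match_hostname))         # False
    print("allow-all verifier lets MITM through:", mitm_accepted(allow_all_hostnames))  # True
```

Hostname matching is only half of the verification; the chain must also validate to a trusted root, and the study found apps that broke that half too by installing a TrustManager that accepts every chain. Either shortcut alone is enough to hand the session to an attacker on the same Wi-Fi network.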
The FBI is alerting smartphone users to the growing threat of mobile malware. Its Internet Crime Complaint Center (IC3) has issued a warning to people whose handsets run the Android operating system about two newly identified threats, Loozfon and FinFisher, along with advice and guidance on keeping their smartphones and their contents safe from attack.
Loozfon can steal contact details from a user's address book if they click on a link contained in an email that promises a work-from-home opportunity.
FinFisher can give hackers remote control of one's smartphone if they visit a web link or open a text message that is disguised as a system update.
Malware threats to the Android operating system are not new. Back in August 2010, Kaspersky Lab identified the first Trojan aimed at Android devices, and the threat has grown since as more consumers own smartphones and use them to surf the net and manage their calendars and email.
As the leading mobile operating system, Android is also the most likely to be targeted. Because Apple doesn't license its operating system to third parties, iPhone users are less exposed, but that doesn't mean they are immune. On Oct. 12, the FBI provided the following tips to help keep all smartphone users, Android and Apple alike, safe from harm.
• When purchasing a Smartphone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
• Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user's personal data in the case of loss or theft.
• With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application first.
• Review and understand the permissions you are giving when you download applications.
• Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
• Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
• Be aware of applications that enable Geo-location. The application will track the user's location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
• Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in "unrestricted" or "system" level within an operating system, it allows any compromise to take full control of the device.
• Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
• If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
• Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
• Avoid clicking on or otherwise downloading software or links from unknown sources.
• Use the same precautions on your mobile phone as you would on your computer when using the Internet.
Source: http://www.ic3.gov/media/2012/121012.aspx
The national coordinator for health IT told an audience of health IT executives that they will be wasting their time if they achieve meaningful use of electronic health records without using the tool to achieve “population health management, information exchange and patient engagement," according to a report by FierceHealthIT.
Speaking this week at the fall meeting of the College of Healthcare Information Management Executives in Indian Wells, Calif., Dr. Farzad Mostashari also contended that health IT innovation can help drive down health care costs, according to the report.
“We're going to create disruptive innovation … evolutionary innovation. And we're going to do it through the one thing known to create reliably faster, better and cheaper [health care], which is technology," he was quoted as saying. "The idea is that we would bring the same brilliance, the same power, that has transformed everything else and bring that to health care."
And while doctors and nurses might be most likely to come to mind when thinking of health care heroes, Mostashari argues that health IT teams are heroes, too, reports ModernHealthcare.
“As best I can tell, you are the best candidates for filling the roles of heroes for this incredible journey that we’re on,” he said, according to the report. “It’s the most important thing that we could be possibly doing, getting a health care system that will get us better health care at lower costs.”
Mostashari cited examples of hospitals using health IT to improve quality of care while patients are still hospitalized, rather than after the fact as lessons learned. “That’s a meaningful use,” he said, according to ModernHealthcare.
John Pulley has written the Health IT Update blog since May 2011. Prior to becoming a regular contributor to Nextgov, he covered technology for Federal Computer Week and Government Health IT magazines. He has written about government for Federal Times and Air Force Times, as well. Pulley has worked in journalism for more than 20 years. He began his career covering local government for regional newspapers. In addition, he served as a writer and senior editor at The Chronicle of Higher Education for seven years. In 2006, he founded The Pulley Group, an editorial services agency.
As consumer devices and services increasingly outstrip their corporate competitors in power, productivity and cachet, Bring Your Own Device (BYOD) has become the latest so-hot-you'll-melt trend in the world of corporate IT. But plenty of IT departments see it as a demon to be exorcised from the cubicle farms - or an opportunity to dump the responsibility for hardware upkeep on their internal customers. Rather than struggle with BYOD, some companies are turning the whole concept of BYOD on its head in favor of Corporate Owned, Personally Enabled (COPE) policies.
The idea behind BYOD is to let end users choose the devices, programs and services that best meet their personal and business needs, with access, support and security supplied by the company IT department - often with subsidies for device purchases.
But BYOD places new burdens on IT as it tries to deal with an infinite variety of platforms and profiles. COPE takes the opposite approach - instead of making corporate functions work on personal devices, it sets up a framework to support and allow personal uses of company devices.
COPE essentially works like this: the organization buys the device and still owns it, but the employee is allowed, within reason, to install the applications they want on the device, be it smartphone or traditional computer.
For BYOD, the question for IT is "How do I secure information on a device that I don't own?" With COPE, the question becomes, "How can I loosen my grip for my employees to use their devices for personal use?"
That's how Philippe Winthrop, VP of Strategy at VeliQ, framed the questions for me. He's passionate about COPE, even though his work at VeliQ, the mobility Platform-as-a-Service company he recently joined, isn't even centered on it.
COPE vs. BYOD
According to Winthrop, COPE offers big cost benefits. Under BYOD, employees buy and expense the devices and services they need, while the employer may reimburse all or a portion of these costs, based on preset policies.
But that can leave companies paying retail prices. COPE lets IT departments keep their sweet corporate discounts. With BYOD, Winthrop said, "CFOs see a way to save a couple hundred bucks on CapEx [capital expenditures]. They're missing an opportunity to save far more on OpEx [operational expenditures]."
Keeping data where it belongs is the other big problem with BYOD. Worries about misplaced and insecure devices or malware-infected machines keep the IT folks reaching for the antacid.
Not only are employee-owned devices at greater risk, but sometimes laws can hamper what a company can do to help itself. In the European Union and South Korea, for instance, laws specifically forbid a company from wiping data from equipment it doesn't own. So, if a smartphone gets left in the airliner's seat pocket, any data on that phone is out in the wild.
COPE neatly sidesteps challenges like this. If the company owns the device, it can wipe it remotely without running into those restrictions. And, since IT can preconfigure the device before handing it to the employee, it can easily build in security and application-management controls.
"With COPE, it's all about balance," Winthrop explained. "When I said 'loosen my grip,' I didn't say 'let go.'"
COPE also eases support issues by deploying the same hardware to every employee. In the BYOD scenario, IT might not even be able to repair all the possible devices, and vendor or third-party support services may not be completely secure.
To be fair, there are ways of mitigating the BYOD issues. Many companies that support BYOD maintain lists of approved devices, and let employees choose only from lists of approved devices and engage trusted third-party service and support vendors. Others keep all secure company data and access in a cloud-based virtual desktop or profile, reducing the risk if the device is compromised.
What's Keeping COPE Back?
Still, COPE has many benefits compared to BYOD, at least from the IT perspective. So why aren't more IT shops adopting the COPE model? It's those darn users.
Winthrop attributes the fixation on BYOD to the GenY-ers, staffers who insist on wanting to do everything their way and their way only.
"You could call it the Frank Sinatra Syndrome," Winthrop joked. (Clearly not a Sex Pistols fan, then.) Faced with these attitudes, many IT departments seem to think their only options are caving entirely or completely stonewalling user requests.
It doesn't have to be that way. By embracing COPE, IT can reassert the control it must have to keep data and work processes secure, while still giving employees the shiny toys they so desperately want.
Facebook users who have associated a mobile phone number with their accounts in order to enable the "Login Approvals" security feature can no longer be found on the website based on those phone numbers, the company said Monday.
Facebook's search system provides reverse lookup functionality that allows users to find other people on the website by searching for their phone numbers or email addresses instead of their names.
"As we constantly iterate on our security tools to better protect our users, we have disabled the reverse lookup functionality for those using Login Approvals until we can provide new systems to make this functionality optional," a Facebook spokeswoman said Monday via email.
Facebook "Login Approvals" is a two-factor authentication feature that requires users to input special codes sent to their mobile phones in addition to their regular passwords when attempting to authenticate from a new device. The feature is designed to prevent account abuse in cases where the user's password is compromised.
The new restriction only applies to mobile phone numbers used for two-factor authentication, not every phone number added by users in the "Contact Info" section of their profile pages, the Facebook spokeswoman said.
Last week, Facebook limited the rate at which phone numbers can be searched on its mobile website in order to block a phone-number harvesting method disclosed by a security researcher.
Suriya Prakash, an independent security researcher from India, publicly reported on Oct. 5 that Facebook's reverse lookup feature can be abused to search for thousands of sequential phone numbers in order to find any Facebook profiles associated with them.
Users can associate multiple phone numbers with their Facebook accounts and can specify if they should be visible to the general public, their friends or only to themselves. However, restricting who can find them on the website by searching for those phone numbers is done from a different option under "Privacy Settings" > "How You Connect" > "Who can look you up using the email address or phone number you provided."
The default setting for this option is "Everyone," but it can be changed to "Friends" or "Friends of Friends." There is no option to disable it completely.
The search restriction for "Login Approvals" phone numbers is temporary and the company is working on implementing a system that will allow users to decide if they want to make them searchable. However, the company did not clarify whether the upcoming system will allow users to prevent other people from finding them based on any of the phone numbers they added to their profiles.
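The harvesting method Prakash described is pure enumeration: a script feeds consecutive phone numbers into a lookup that answers "which profile owns this?", and the rate limit Facebook added last week is the control that makes such a walk expensive. As an added example (this is not Facebook's code), the Python below shows that control next to a second one the article does not describe: a detector for runs of lookups whose numbers differ by a small stride, which catches a slow enumeration that stays under the rate limit. The window, thresholds and traffic are constructed assumptions, not figures from the article.

```python
"""Throttle reverse phone lookups and flag sequential enumeration.

Added example; this is not Facebook's code. It models the abuse Prakash
reported (a client walking consecutive numbers through a lookup endpoint)
and two controls against it: a per-client sliding-window rate limit, and a
detector for runs of queries whose numbers differ by a small stride. The
window, limits and traffic below are constructed assumptions.
"""
from collections import defaultdict, deque


class LookupGuard:
    def __init__(self, max_per_window=20, window_seconds=60.0, run_threshold=5, max_stride=10):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.run_threshold = run_threshold      # near-sequential queries in a row before flagging
        self.max_stride = max_stride            # |difference| between numbers that counts as sequential
        self._times = defaultdict(deque)        # client -> timestamps inside the window
        self._last_number = {}                  # client -> last number queried, as an int
        self._run = defaultdict(int)            # client -> length of the current sequential run

    @staticmethod
    def _digits(phone):
        """Normalise '+1 415 555 1000' to the integer 14155551000."""
        return int("".join(ch for ch in phone if ch.isdigit()))

    def check(self, client, phone, now):
        """Decide one lookup: 'allow', 'rate_limited' or 'enumeration'."""
        times = self._times[client]
        while times and now - times[0] >= self.window_seconds:
            times.popleft()                     # drop timestamps that fell out of the window
        if len(times) >= self.max_per_window:
            return "rate_limited"
        times.append(now)

        number = self._digits(phone)
        last = self._last_number.get(client)
        if last is not None and 0 < abs(number - last) <= self.max_stride:
            self._run[client] += 1
        else:
            self._run[client] = 0
        self._last_number[client] = number
        if self._run[client] >= self.run_threshold:
            return "enumeration"
        return "allow"


def simulate(guard, client, queries):
    """Feed (timestamp, phone) pairs through the guard and return the decisions."""
    return [guard.check(client, phone, ts) for ts, phone in queries]


# Constructed traffic.
HARVESTER = [(float(i), f"+1 415 555 {1000 + i:04d}") for i in range(8)]          # sequential walk
LEGIT = [(0.0, "+1 415 555 0199"), (120.0, "+1 212 555 0123"),
         (300.0, "+44 20 7946 0958"), (600.0, "+1 415 555 0147")]                 # a few unrelated contacts
BURST = [(i * 1.2, f"+1 415 555 {(i * 3571) % 10000:04d}") for i in range(25)]  # scattered numbers, fast

if __name__ == "__main__":
    for name, traffic in (("harvester", HARVESTER), ("legit", LEGIT), ("burst", BURST)):
        print(name, simulate(LookupGuard(), name, traffic))
```

The two controls are deliberately independent: the harvester above is caught by the stride detector on its sixth query, long before it reaches the rate limit, while a client that randomises numbers is stopped by the rate limit alone. Neither replaces the per-user opt-out the article says Facebook is building; they only raise the cost of scraping whatever numbers users leave searchable.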
The PCI DSS was written with IPv4 in mind, and its firewall requirement lists NAT among the methods for hiding servers that hold cardholder data. IPv6 networks do not need NAT and, in fact, NAT is less than ideal there. The PCI DSS does not address the use of IPv6, and some organizations worry that their PCI auditor will require them to perform NAT when they start using IPv6.
The credit card companies have collaborated on a program that guides merchants, processors, service providers and other organizations that handle cardholder data in securing that sensitive information. Visa, MasterCard, American Express, Discover and JCB have agreed on requirements that let their banks push the risk of operating insecure systems that lead to compromised cardholder data down to merchants. The goal is a set of minimum standards and requirements that banks, merchants and service providers must follow to ensure that the integrity of their payment systems is maintained.
The Payment Card Industry's Data Security Standard (PCI-DSS) documents the 12 focus areas for standards that help secure cardholder data. The first area within the Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures (Version 2.0, October 2010) is about how PCI-compliant organizations should "Build and Maintain a Secure Network" to protect systems that hold cardholder data.
Let us examine one particular section of the PCI DSS document within the section titled "Requirement 1: Install and maintain a firewall configuration to protect cardholder data." Within the current PCI DSS version 2.0 (page 23, section 1.3.8) there is a mandate for the use of NAT for IPv4 servers containing sensitive information. Here is a quote from that document:
"PCI DSS Requirements 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.
Note: Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT)
- Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
- Removal or filtering of route advertisements for private networks that employ registered addressing,
- Internal use of RFC1918 address space instead of registered addresses.
Testing Procedures
1.3.8.a Verify that methods are in place to prevent the disclosure of private IP addresses and routing information from internal networks to the Internet.
1.3.8.b Verify that any disclosure of private IP addresses and routing information to external entities is authorized."
This means that servers containing cardholder data should use RFC 1918 IPv4 addresses and be sequestered behind firewalls, IPSs, and other security controls.
For deeper insight into this requirement we can look to the Payment Card Industry (PCI) Data Security Standard (DSS) Navigating PCI DSS, Understanding the Intent of the Requirements (Version 2.0, October 2010) document. The guidance for section 1.3.8 states the following:
"Restricting the broadcast of IP addresses is essential to prevent a hacker "learning" the IP addresses of the internal network, and using that information to access the network. Effective means to meet the intent of this requirement may vary depending on the specific networking technology being used in your environment. For example, the controls used to meet this requirement may be different for IPv4 networks than for IPv6 networks. One technique to prevent IP address information from being discovered on an IPv4 network is to implement Network Address translation (NAT). NAT, which is typically managed by the firewall, allows an organization to have internal addresses that are visible only inside the network and external address that are visible externally. If a firewall does not "hide" or mask the IP addresses of the internal network, a malicious individual could discover internal IP addresses and attempt to access the network with a spoofed IP address. For IPv4 networks, the RFC1918 address space is reserved for internal addressing, and should not be routable on the Internet. As such, it is preferred for IP addressing of internal networks. However, organizations may have reasons to utilize non-RFC1918 address space on the internal network. In these circumstances, prevention of route advertisement or other techniques should be used to prevent internal address space being broadcast on the Internet or disclosed to unauthorized parties"
At least this document acknowledges IPv6 and hints that things may be different for IPv6, but it does not give any deeper explanation. Outside of this one mention, the next-generation Internet protocol does not appear anywhere else in the document.
PCI Council Board of Advisors and Special Interest Groups (SIGs) sometimes provide additional guidance to organizations seeking compliance. An example of this is the Wireless SIG that provides additional information for environments that use wireless LANs. However, there is no PCI SIG that has been covering the topic of IPv6.
Furthermore, if we do a search on "IPv6" on the PCI website, we get no additional information on the use of IPv6 in PCI-accredited environments.
There are two issues here. The first and larger issue is that the PCI standards are not keeping up with the times and considering IPv6. Not every PCI-compliant organization's server farm will be IPv6-enabled right away, but over time dual-protocol will be the norm. The fact of the matter is that all modern operating systems ship with IPv6 installed and enabled by default, and it often functions as the preferred protocol. Most computers that contain cardholder data are therefore already running IPv6, typically without any IPv6-specific security measures in place.
The second issue is that NAT is not used in IPv6 environments. You can read this other blog article on why NAT is not needed for IPv6 and the related issues. Organizations do not want to use NAT with their IPv6 deployments. Even if an organization wanted to, IPv6-to-IPv6 Network Prefix Translation (NPTv6, RFC 6296) may not even be configurable on many of today's firewalls or routers; few devices support it today.
This raises the question: can an organization that has deployed IPv6 achieve PCI compliance? To meet requirement 1.3.8 without NAT, the organization must show that it is using "compensating controls," that is, other security measures that satisfy the intent of 1.3.8 by different means: diversity of defense, defense in depth, IPv6-capable firewalls, proxy servers or an SLB/ADC, Unicast Reverse Path Forwarding (Unicast RPF), access lists, and so on. For example, a reverse proxy could be placed in front of the PCI server in question, configured with an IPv6 VIP on the external-facing side and using RFC 1918 IPv4-only communication to the real server on the inside interface. This may be one way to meet the "spirit of the law" without actually deploying NPTv6.
Even if you have all manner of dual-protocol compensating controls, your PCI auditor may follow the letter of the law in section 1.3.8 of the current DSS and decline to sign off on that requirement unless you are using NAT for IPv6. For large merchants in the Level 1 category, an annual on-site review by a Qualified Security Assessor (QSA) is required. If we look more closely at Testing Procedures 1.3.8.a and 1.3.8.b within the PCI DSS, however, it is clearly possible to meet those objectives with an IPv6-capable system.
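Testing procedure 1.3.8.a asks the assessor to verify that internal addresses and routing information do not leak to the Internet, and that test is protocol-neutral: the IPv6 analogue of RFC 1918 space is the Unique Local Address range fc00::/7 (RFC 4193), and the common leak paths (a Location header rewritten by a reverse proxy, Via or X-Forwarded-For headers, verbose error pages) are the same for both protocols. The following Python is an added example for this page, not from the PCI SSC or any QSA tool; treating fc00::/7 and fe80::/10 as "internal" and the sample HTTP response are assumptions made here.

```python
import ipaddress
import re

# Address ranges that requirement 1.3.8 expects to stay out of Internet-facing
# responses. The RFC 1918 blocks are the IPv4 case the standard names; fc00::/7
# (RFC 4193 Unique Local Addresses), fe80::/10 (link-local) and the loopbacks are
# the ranges this example treats as internal -- an assumption, since the
# standard itself names no IPv6 ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Loose candidate patterns; ipaddress.ip_address() does the real validation,
# so things like the time "12:00:00" are tried and rejected.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
IPV6_RE = re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![0-9A-Fa-f:])")


def candidate_addresses(text):
    """Yield every substring of text that might be an IPv4 or IPv6 literal."""
    for m in IPV4_RE.finditer(text):
        yield m.group(0)
    for m in IPV6_RE.finditer(text):
        yield m.group(0)


def is_internal(addr_str):
    """True if addr_str parses as an address inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_leaks(response_text):
    """Return sorted (line_no, address) pairs for every internal address disclosed
    in a captured HTTP response (headers and body)."""
    leaks = set()
    for line_no, line in enumerate(response_text.splitlines(), 1):
        for cand in candidate_addresses(line):
            if is_internal(cand):
                leaks.add((line_no, cand))
    return sorted(leaks)


# Constructed response from a hypothetical reverse proxy in front of a cardholder
# data server: the redirect leaks the IPv4 real-server address and a debugging
# header leaks the IPv6 ULA of the back end. 2001:db8::1 and 8.8.8.8 are public
# and must not be reported.
SAMPLE_RESPONSE = """HTTP/1.1 302 Found
Date: Wed, 03 Oct 2012 12:00:00 GMT
Server: Apache
Location: http://10.0.3.12/cart
Via: 1.1 edge-proxy.example.com
X-Backend-Server: [fd12:3456:789a::10]:8443

<html>Redirecting... (cluster 2001:db8::1, fallback 8.8.8.8)</html>
"""

if __name__ == "__main__":
    for line_no, addr in find_leaks(SAMPLE_RESPONSE):
        print(f"line {line_no}: internal address disclosed: {addr}")
```

Run against responses captured from the Internet-facing side of the proxy (including error pages and redirects, which are where proxies most often write the back-end address). An empty result for every externally reachable URL is the evidence 1.3.8.a asks for, and it is the same evidence whether the back end is numbered from RFC 1918 or from fc00::/7, with no NAT involved.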
If your auditor insists that you implement NAT for IPv6, then you can simply refer them to this article and this article on NAT for IPv6 and explain to the auditor that your IPv6-enabled systems are secure without the use of NAT. The good news is that your organization gets to pick the QSA. Therefore, the next time you approach your annual review you should select a QSA that is IPv6-knowledgeable.
Hopefully the next version of the PCI DSS significantly updates its guidance for IPv6-enabled systems. It would be insufficient if the new version of the PCI DSS had a simple statement in the footnotes that states: "all of these requirements are valid for IPv4 and IPv6 systems." IPv4 and IPv6 are different from each other in subtle ways and this needs to be addressed, without ambiguity, in the standards. Leaving room for interpretation by auditors who are unaware of the nuances between IPv4 and IPv6 will only lead to overly conservative PCI audits or audits that completely ignore IPv6 and lead to security vulnerabilities.
Scott
What are the Advantages to Completing an ISO 27001/27002 Risk Assessment?
October 10, 2012 at 10:28 AM
BY JUSTIN SULHOFF, DIRECTOR OF SECURITY SERVICES
For most organizations, spending money on information security is based on “need only.” If accepting credit cards is vital to your business, then complying with PCI DSS is simply the cost of doing said business. If you store or handle sensitive health care data, then HIPAA Compliance will always be on your annual to-do list.
However, convincing upper management to fund a proactive program like ISO 27001/27002 requires a bit more explanation of the potential return on investment (ROI). Unlike PCI DSS or HIPAA, the ISO 27001/27002 Risk Assessment is designed to improve the confidentiality, integrity and availability of all data assets regardless of classification. By assessing and improving the overall information security management system, a company will reap several benefits that include better marketability, reduced future compliance costs, and improved internal efficiency.
Preparing for PCI DSS and HIPAA
If your organization must already comply with various regulations, an ISO Risk Assessment makes a lot of sense. Essentially, ISO creates and maintains an information security methodology that applies equally to protecting financial or health care related data. The scope of your next assessment will be reduced, thereby reducing the time an auditor needs to complete it. Depending on the size of your organization, the resources saved in this one area alone may be enough to justify an annual ISO Risk Assessment and ISMS audit.
Marketing Your Proactive Security Posture
These days, businesses are getting serious about verifying the security of the service providers they contract with. Complying with the ISO standards gives any company a distinct market advantage.
Better Managed Business
The whole point of an ISO Risk Assessment is to prepare and/or improve the security framework that controls compliance initiatives, security controls, objectives and future plans. By defining roles and responsibilities, ISO improves business efficiency and response to an incident. Employees enjoy a more reliable data access environment, with fewer work interruptions and far less frustration.
Speak with a Megaplan-IT consultant today to find out if your company is right for the ISO 27001/27002 Risk Assessment program.
Tags: ISO 27001 ISO 27002 ISO risk audits ISO 27k vendor
Category: Compliance
Justin Sulhoff
Justin Sulhoff serves as Megaplan-IT’s Director of Security Services. He maintains all compliance standards and Application Assessments while providing recommendations to protect sensitive data and determine cost-effective remediation. Contact Mr. Sulhoff: jsulhoff(at)megaplanit.com
A group that took credit for a cascade of successful September cyber attacks on U.S. banks issued a new warning this week of further attacks on financial-services companies.
In a statement posted on Wednesday, the group, “Izz Ad-Din al-Qassam Brigades,” once again blamed a YouTube video released last month that mocked Islam and created a stir around the world.
“Money is your glory...money is your existence; money is your honor; money is everything for you…Hence, attacks...will...continue soon,” the group said in the post.
It added that the attacks “will continue as long as the insult remains.”
While the “Izz Ad-Din al-Qassam Brigades” took credit for the successful attacks last month, some believe Iran’s Qods force was actually behind the incidents.
There is also no way to confirm that the online group is tied to the Izz ad-Din al-Qassam Brigades, the military wing of Hamas.
Last month a slew of U.S. banks were hit with distributed denial-of-service (DDoS) attacks that flooded their websites, blocking or slowing access for millions of customers.
Among the banks believed to have been affected by the attacks were Bank of America (BAC), J.P. Morgan Chase (JPM), PNC (PNC), U.S. Bancorp (USB) and Wells Fargo (WFC). The NYSE Euronext's (NYX) New York Stock Exchange was also believed to have been a target.
The latest threat from the group came on Wednesday, the same day that Iranian infrastructure and communications companies were reportedly hit by cyber attacks.
“Yesterday we had a heavy attack against the country's infrastructure and communications companies which has forced us to limit the Internet,” Mehdi Akhavan Behabadi, secretary of the High Council of Cyberspace, told the Iranian Labour News Agency, according to Reuters.
Meanwhile, reports indicate U.S. national security officials place blame for the September attacks on U.S. banks on Iran, which remains mired in a proxy war with the West over its nuclear program.
“I don’t believe these were just hackers,” U.S. Sen. Joe Lieberman told C-SPAN last month. “I believe this was done by Iran and the Qods force, which has its own developing cyber attack capacity. And I believe it was in response to the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions.”
Through its semi-official Fars news agency Iran denied any involvement in the cyber attacks.
Intelligence gathering network Flashpoint Partners sent out an alert on Wednesday about the latest statement from Izz Ad-Din al-Qassam Brigades.
October 03, 2012 — CSO — A federal court has stopped the operations of several companies that allegedly used telemarketers masquerading as computer technicians to scare tens of thousands of consumers into buying unneeded antivirus services.
The order, issued late last month in New York at the request of the Federal Trade Commission (FTC), also froze $180,000 of the defendants' assets.
Most of the alleged scams were based in India and targeted English speakers in the U.S., the U.K., Canada, Australia, Ireland and New Zealand, the FTC said on Wednesday in unsealing the case.
Con artists often use online ads to lure victims to websites with fake antivirus scanners that pretend to find malware and then sell software to remove it. In the latest cases, the use of boiler-room telemarketing blended old school tactics with the digital world.
"The tech support scam artists we are talking about today have taken scareware to a whole other level of virtual mayhem," FTC Chairman Jon Leibowitz said in a statement.
Five of the companies used telemarketers, while the sixth placed ads with Google, so they would appear on results when a person searched for their computer company's tech support number, the FTC said.
[See also: Organized cybercrime revealed]
In the telemarketing scams, con artists claimed to be with legitimate companies, such as Dell, Microsoft, McAfee and Symantec's Norton antivirus unit. They then directed consumers to a utility area on their computers and pretended to detect malware. The scammers then offered to remove the software for fees ranging from $49 to $450.
Consumers who agreed to pay were sent to a website to enter a code to download a program that gave the telemarketers remote access to their victims' computers. Once in the systems, they pretended to remove the non-existent malware and download otherwise free programs.
The defendants tried to hide from law enforcement authorities by using virtual offices that were actually mail-forwarding facilities, as well as 80 different domain names and 130 different phone numbers, the FTC says.
The alleged swindlers have been charged with unfair and deceptive commercial practices, violating telemarketing sales rules and calling numbers on the Do Not Call Registry. The FTC is seeking a permanent shutdown of the operations and restitution to victims.
The six companies named in the FTC complaint include Pecon Software Ltd., Finmaestros LLC, Zeal IT Solutions Pvt. Ltd., Virtual PC Solutions, Lakshmi Infosoul Services Pvt. Ltd. and PCCare247 Inc. The FTC has also named 14 corporate defendants and 17 individual defendants.
The FTC says it is increasing efforts with international regulators to go after scammers that use scare tactics to get consumers to buy unneeded security software. In the latest case, the FTC worked with authorities in Australia, Canada and the U.K. Microsoft also assisted in the investigation.
Separately, the FTC said on Tuesday that a federal court fined the last defendant in a scareware scam $163 million. In 2008, the FTC charged defendant Kristy Ross with taking part in an operation that used fake online computer scans to pretend to find malware on computers and then sell software to remove it for $40 to $60.
Ross and six other defendants duped more than 1 million consumers in the scam, the FTC says. Victims were lured to the scareware sites through online advertising.
October 03, 2012 — Computerworld — A hacking group that calls itself Team GhostShell this week claimed credit for breaking into servers at 100 major universities from around the world, including Harvard, Stanford, the University of Pennsylvania and the University of Michigan.
In a message posted on Pastebin, the group said it accessed and publicly posted about 120,000 records from the breached servers.
The group, which recently claimed credit for several major hacking incidents, said it attacked the university systems to focus attention on what it called failing educational standards around the world.
A Computerworld review of a small portion of the publicly posted data showed what appeared to be names, phone numbers, email addresses, login credentials and other data from some of the breached servers.
In some cases, the hackers appear to have breached multiple servers at the same university.
At least some of the publicly posted data appeared to be innocuous.
In its Pastebin message, Team GhostShell claimed that it deliberately leaked little information from the hacked servers.
"We tried to keep the leaked information to a minimum, so just around 120,000+ accounts and records are here, leaving in their servers hundreds of thousands more," the message said.
"When we got there, we found out that a lot of them have malware injected. No surprise there since some have credit card information stored," it added.
A spokeswoman from Stanford University today confirmed that two of its departmental websites had been improperly accessed.
However, information security officers at the university consider the breach to be minor, she said. "No restricted or prohibited data was compromised, nor was any sensitive or other personal information that could lead to identity theft."
"The breach was discovered (Tuesday) night and the sites and their servers have been secured," the spokeswoman added in an emailed comment.
A University of Michigan spokesman confirmed that Team GhostShell had gained access to three servers.
"However there was no sensitive data or passwords accessed," he said in emailed comments. "What they gained access to was data that is generally available to the public on our website."
Officials at Harvard and Penn did not respond to a request for comment on the reported intrusions.
In a blog post, Identity Finder, a New York-based provider of data leak prevention software, said that its analysis of the leaked data suggests that the hackers spent about four months aggregating the information.
The leaked data includes more than 36,000 unique email addresses, and thousands of usernames and passwords -- some of them stored in hashed form and some in plain text format.
The compromised data also included thousands of names, addresses, and phone numbers, "several" dates of birth, and also information on citizenship, ethnicity and marital status of staff, students and alumni.
The compromised information did not include credit card information, Social Security Numbers or bank information, the blog added.
Aaron Titus, privacy officer at Identity Finder, said that based on the company's evaluation, the breach is not very serious.
"The quality of the leaked information is not very sensitive. It is very diverse, but sometimes there's no sensitive information at all," Titus said. "But I hasten to add that for any one person, the exposure of their username and password can be devastating."
Titus said that all of the leaked information appears to have been culled from small departmental servers and subdomains.
All of the attacks on the university servers appear to have been SQL injection attacks. "The output of the attacks suggests a very straightforward SQL dump. That is very typical of SQL attacks," he said.
No central university server appears to have been breached, according to Identity Finder's evaluation. The intrusions once again highlight the unique challenges that many universities face in protecting data, Titus noted.
"Universities are very decentralized. Every department is its own fiefdom. Academic freedom means these entities make their own rules," even around information security, he said.
As a result, it's not unusual to find sensitive data often stored on numerous insecure departmental servers across a university, he said.
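Titus's description of the output as "a very straightforward SQL dump" matches the most common bug on small departmental sites: a request parameter concatenated into a query string, so an attacker appends a UNION clause and pulls a credential table out through a page that was only meant to show one news item. The following Python with SQLite is an added example for this page, not code from any of the affected universities; the schema, rows and payload are constructed, and the hashed-versus-plain-text passwords mirror what Identity Finder found in the leak.

```python
import sqlite3


def build_db():
    """Constructed departmental-site schema: one public table, one credential table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO news (title) VALUES (?)",
                     [("Fall schedule",), ("Lab closures",)])
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("jdoe", "5f4dcc3b5aa765d61d8327deb882cf99"),   # unsalted md5("password")
                      ("asmith", "hunter2")])                         # stored in plain text
    conn.commit()
    return conn


def news_by_id_vulnerable(conn, user_supplied_id):
    """The bug: the ?id= parameter becomes part of the SQL text, so whatever the
    client sends is parsed as SQL."""
    sql = "SELECT id, title FROM news WHERE id = " + user_supplied_id
    return conn.execute(sql).fetchall()


def news_by_id_safe(conn, user_supplied_id):
    """The fix: bind the parameter. The driver passes it as a value, never as SQL,
    so the injection payload is just a string that matches no id."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?",
                        (user_supplied_id,)).fetchall()


# Attacker's value for ?id=. The two UNION columns line up with (id, title), so the
# credential rows come back rendered wherever the page prints news items.
DUMP_PAYLOAD = "0 UNION SELECT username, password_hash FROM users"

if __name__ == "__main__":
    db = build_db()
    print("normal request:  ", news_by_id_vulnerable(db, "1"))
    print("vulnerable dump: ", news_by_id_vulnerable(db, DUMP_PAYLOAD))
    print("bound parameter: ", news_by_id_safe(db, DUMP_PAYLOAD))
```

The vulnerable function returns both user records as if they were news items; the bound version returns nothing for the same input, because SQLite compares the integer column against the literal string and finds no match. Parameter binding is the fix; the attacker's next move against an unfixed page would be to walk sqlite_master (or information_schema on MySQL) the same way to discover other tables, which is why the leaked dumps look so uniform across unrelated universities.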
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to jvijayan@computerworld.com or subscribe to Jaikumar's RSS feed .