Key security strategies for data breach prevention

If we have learned anything over the last few years about data breaches, it is that they are likely to happen.  However, data breach frequency can be reduced and its impact minimized with some key strategies.

Both response and prevention efforts are greatly impacted by organizational culture.  Organizational culture is formed over years as certain values and behaviors are reinforced or discouraged through a series of successes and failures.  Security is seen as important and vital to organizational success in positive security cultures while it is ignored or even discouraged in negative security cultures.

You can reinforce an existing security culture or bolster a lagging one with some of the same strategies.  The first strategy is to make the topic of security a common one.  Discuss risks in meetings and common decision-making situations.  Ensure that managers and knowledge workers are on the same page with risk, knowing how much risk is acceptable and how their decisions affect risk.  Employees also need to understand what it is they are trying to protect, such as customer information, trade secrets, or strategic business information.

Security awareness training can provide the skills and knowledge necessary to prevent data breaches and respond to those that happen.  It is also a crucial component of a security culture.  Security awareness training should be consistent and enacted for employees at all levels of the organization so that they can accurately recognize threats and understand their role in the response effort.  Since a large percentage of attacks target the human element in organizations, this training can equip employees with the skills to avoid such attacks.  Awareness training prepares employees for their role in incident response by teaching them about incident indicators and how to properly report an incident.

Incident response planning is also necessary to ensure that the response is performed correctly and in a timely manner.  An effective response can greatly minimize damages to both the organization and its customers.  Incident response plans should be regularly reviewed and updated, and those involved should participate in drills and exercises so that the response activities come naturally to them.

Leading all these efforts is a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  This individual should have the authority to interface at the highest levels of the organization to ensure that preparation and protections are placed appropriately throughout the organization.  Responsibility for security lies not only in IT but in the entire organization: from senior management to the factory floor, from remote office workers to branch office managers, and from interns to HR.  The CSO or CISO will also need a budget to perform these activities.

Choose your CSO or CISO wisely because they will be a driving force behind security initiatives.  They will need to be an effective communicator and leader with good vision and planning skills.  In a recent Modern Workplace webinar on cyber intelligence and data breaches, Vanessa Pegueros, DocuSign CISO, said that the CISO should have breach experience.  Breach situations are often high-stress, but the lessons learned are invaluable for a security leader.

Put the right strategies in place to bring about cultural change, increase awareness, refine and communicate incident response plans.  Then, equip a CSO or CISO with the authority, responsibility, and budget to make it all happen.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Point/counterpoint: Breach response and information sharing

Some breaches require notification such as those involving patient data or customer information, but sharing is optional. Of course, notification is just one form of information sharing. For example, February’s executive order encourages private sector companies to share information on cybersecurity threats.

There are advantages and disadvantages to sharing information with others, and here to talk about it are two information security influencers, Eric Vanderburg and Bev Robb. Vanderburg will be arguing for information sharing and Robb will discuss potential sharing woes that may arise from government and private sector collaboration.

Vanderburg: Attackers seek to maximize their return on the development or purchase of new exploits by targeting as many companies as possible. Additionally, just like crimes outside of cyberspace, cyber-criminals have established habits and proven methods that they rely upon to steal data or take over or destroy systems.

The resources of any individual company or person are limited. It takes coordination in order to combat today’s threats. It is essential to protect your company against data breaches but prevention alone does not stop attackers from trying again. The information shared can help track down and catch the bad guys.

I could argue the benefits all day, but the main decision point is whether the benefits outweigh the threats, so let’s look at some.

Robb: Many information-sharing initiatives proposed by the U.S. government make it slick for the private sector to share information with the government, but not vice versa. You scratch my back and I’ll scratch yours may not apply.

Though I am not completely against information sharing between government and companies in the private sector, some concerns are:

  • The federal government’s track record in the realm of government data breaches and their ability to safeguard data.
  • Private sector companies that have reported crimes to the government that rarely receive timely intelligence back (regarding threat actors).

Though it does take coordination and information sharing within the information security community to combat the current threat landscape, there is still much room for improvement.

Information overload

Security professionals reading this may be feeling overwhelmed already by the information on vulnerabilities and threats they receive each day. So why should we burden them with even more information?

Vanderburg: It is actually for that very reason that they need this information. There are too many threats out there, and organizations need to know which threats are credible and which vulnerabilities are more likely to be exploited. Information sharing can provide a filter to the vast amount of information out there so that security practitioners can properly prioritize.

Robb: The government is not a knight in shining armor and is already steeped with so much data and myriad software programs that it would be difficult to analyze threat data without the use of “commonly shared tools” to aggregate and analyze all this threat data.

Who decides which threats are credible and which vulnerabilities are more likely to be exploited? If it is the government that makes this decision, what is the ETA before the private sector is notified? My crystal ball tells me that the private sector will get the short end of the stick again, while daydreaming for actionable intelligence to arrive.

Damage to reputation

Vanderburg: An organization’s reputation can also be damaged by what it withholds. We see this especially when an incident occurs that later turns out to be much larger in scope than originally thought. At this point, the damage is much greater and public opinion is set against the company because they took so long to identify the threat and act on it. However, if the information on the incident had been shared, similar incidents could have offered more insight into which systems should be analyzed and related threats that might require investigation. This could potentially reveal and resolve other threats sooner, not only minimizing the damage to the company and its customers but also preserving its reputation.

Robb: We’ve all learned over time that government often takes an exceptionally long time to identify their own security threats and to act upon them. With most government data breaches shrouded in secrecy, there is often minuscule acknowledgement of any accountability for weak security practices.

Information to attackers

Vanderburg: Sharing information publicizes the successful attack vectors used in an attack. If this information is shared before the vulnerability has been remediated, other attackers could exploit the same weakness. However, attackers already share information on successful attacks with others. It is likely other attackers will find this information not through security information sharing networks but rather through their own communities. As a general rule, security through obscurity (something is secure because it is unknown) is not a viable strategy because such things generally stay unknown for a short amount of time.

Robb: Deep web hacking communities and forums abound with information on exploits, hacking tutorials, intelligence on business websites (many that are vulnerable to SQL injection), and the like. Hackers are frequently applauded and esteemed when they share knowledge of data breaches they participated in (or are currently targeting). They do not need to pay attention to “breach information sharing” because most of these bad boys just want to quickly monetize their hacks. You can bet your bottom line that they will find the means to infiltrate their target(s) with or without any knowledge of “collaborative threat intel”.

—————————–

Though threat intelligence is already shared within industry-specific groups such as the Cyber Threat Alliance, ES-ISAC (Electricity Sector Information Sharing and Analysis Center) and NERC (North American Electric Reliability Corporation), sharing threat intelligence is still in its infancy.

When you locate a data breach, what steps do you take to report it? Who do you go to? How do you tell a company that they’ve been breached if they are unaware? Curious? Be sure to check back next month for another Vanderburg-Robb data breach conversation.

Data Security Breaches at Retailers

Security breaches and identity theft are becoming an increasing concern for consumers as hackers continue to target large retailers. Target, Sally Beauty Supply, Neiman Marcus, Home Depot, Michaels, Dairy Queen and Kmart are among retailers recently hacked. These incidents have resulted in stolen personal information such as phone numbers, addresses, emails, and credit card information. As a result of these breaches, affected consumers are more likely to fall victim to identity theft.

The following is a summary of retailers who recently suffered a data breach. Reports suspect hackers were able to infiltrate these stores by installing malware on their point-of-sale systems. Information was then stolen when credit cards were swiped at the store during checkout. The data stored on the magnetic strip of the credit cards, such as the number and expiration date, was then used to make replicas and sold on the black market.

Target

Target’s security breach occurred late in 2013. Reports concluded that 110 million people were victims of stolen personal information due to the breach. Credit card numbers, names, addresses, phone numbers, and emails were included in the theft.

Sally Beauty Supply

Sally Beauty Supply detected a breach in February of 2014. During this hack, nearly 25,000 customers’ credit card information was stolen, including the 3-digit CVV numbers.

Neiman Marcus

Hackers began infiltrating Neiman Marcus as early as July of 2013, and were not stopped until January of 2014. Neiman Marcus reported that up to 1.2 million credit and debit card users were potentially affected by the security breach.

Home Depot

In September 2014, Home Depot confirmed that they were the latest victims of a data breach. Home Depot began investigating transactions from April of 2014 through September. The scope of the breach is still being verified. At this time, debit PIN numbers are not expected to have been compromised, just credit card numbers. It is highly likely that Home Depot was hacked by the same malware that breached Target’s systems in 2013.

Home Depot has confirmed that brick and mortar stores in the United States and Canada are affected. There is no evidence that the stores in Mexico and transactions through HomeDepot.com have been affected.

The size of the breach appears to be larger than Target’s data breach that occurred late in 2013. Target’s breach cost the company an estimated 148 million dollars. The Home Depot breach is expected to have affected more customers than Target’s breach, which exposed at least 40 million credit cards and 70 million other pieces of customer data.

Michaels Stores

In January of 2014, Michaels Stores suffered a data breach. The attack occurred between May 2013 and January 2014. Roughly 3 million customers were subject to theft. During the attack, hackers stole credit and debit card numbers, as well as expiration dates. Luckily, PIN numbers and cardholders’ names were not suspected to have been compromised.

Dairy Queen

Dairy Queen announced in October of 2014 that they were hit with a security breach. Malware on the registers stole customers’ credit card data from 395 different Dairy Queen locations. There is no evidence that PIN numbers, social security numbers or email addresses were compromised. However, credit card numbers, expiration dates and customer names were exposed during this breach.

Kmart

On October 9, 2014, Kmart discovered that they had suffered from a security breach. No personal information such as social security numbers or PIN numbers are suspected to have been stolen. Credit and debit card numbers were the target of this particular breach.

Comparison of Security Breaches

| Company | Duration | People Affected | Info. Stolen |
| --- | --- | --- | --- |
| Home Depot | April 2014 – Sept. 2014 | 56 Million | Card numbers |
| Target | Nov. 27 – Dec. 2013 | 110 Million | Card numbers, names, addresses, phone numbers and emails |
| Sally Beauty Supply | Feb. – March 2014 | 25,000 | Names, card numbers, and CVV codes |
| Neiman Marcus | July 2013 – Jan. 2014 | 1.2 Million | Card numbers |
| Michaels Stores | May 2013 – Jan. 2014 | 3 Million | Card numbers |
| Dairy Queen | Aug. 2014 – Sept. 2014 | TBD | Card numbers, names and expiration dates |
| Kmart | Sept. 2014 – Oct. 2014 | TBD | Card numbers |

How Consumers Can Protect Themselves from Hackers

Leading security experts recommend that consumers take the following steps to help protect themselves:

  • Check your credit card statements online daily. Regularly monitoring your account will minimize damages because fraudulent activity is more quickly identified.
  • If you become nervous or concerned that your information was stolen then get a new card. It is better to be safe than sorry.
  • Use your credit card as opposed to your debit card as much as possible. It is safer to use a credit card because it is not attached to your bank account and offers additional protection.
  • Invest in a credit monitoring service. Many are available for free to affected customers. These services are helpful because they will notify you when there is suspicious activity or if someone is trying to open a credit card in your name.
  • If you notice suspicious activity, call the credit card company immediately. The phone number is usually listed on the back of the card.

The breaches at Target, Sally Beauty Supply, Neiman Marcus, Home Depot, Michaels, Dairy Queen and Kmart are proof that even large retailers can be vulnerable to hackers. Unfortunately, it is impossible to forecast a data breach at any of your favorite stores. The bottom line is, security breaches will always be a threat. If you follow the steps to protect yourself, you can lessen your chances of becoming a victim.

Twas the Night before the Breach

Twas the night before the breach, when all through the place
Not an alarm was ringing, nor even a trace
That data was being pilfered, with the greatest of care
In hopes that its access would none make aware

The employees were off early, out for the day
Some to go shopping and others to play
Leaving the office empty, ‘cept for one man
Filling a thumb drive as fast as he can

The passwords he had, some from Susan, others Paul
One under the keyboard, another on the wall
So he gleefully posed as his oblivious colleagues
Obtaining the data while humming a melody

Till leaving the office, no clue he neglect
To remove with him lest someone start to suspect
Ill intentions from such an employee as he
Whose reputation was spotless as spotless could be

The holiday proceeded much as expected
Families gathered, read stories and collected
The gifts they desired but hardly touched after
Great feasts were consumed, songs sung with laughter

But one of them partook in much more than cheer
Anonymously he sold them, stolen secrets most dear
Highest bidder to win, take all you can handle
Spreadsheets, memos, personal and financial

Returning to work, the breach first went undetected
Till profits sagged much lower than projected
Our secrets were stolen, they cried in shock
Our competitors have knowledge of things they ought not

Companies with Virtual CSOs get ahead without losing an arm and a leg

Security remains a complex discipline.  This ever-changing challenge grows in complexity daily as new threats emerge and compliance requirements increase.  Several regulations including HIPAA require organizations to have a person whose role is to ensure compliance within the organization.  This is why organizations need a designated person with primary responsibility for security and compliance.  This person is the Chief Security Officer (CSO).

The Role of a Chief Security Officer

A Chief Security Officer or CSO is first and foremost a business leader in the organization.  He or she sets the organization’s security vision and ensures that it is in line with other business objectives.  The CSO works with other business leaders, such as the senior financial manager (for example a Chief Financial Officer (CFO)), the business owner, senior partners, or the Chief Executive Officer (CEO), the senior IT executive such as the Chief Information Officer (CIO), and the Chief Operating Officer (COO), to implement security and compliance initiatives throughout the company.

Some CSO activities may include:

  • Establishing and evangelizing the security vision
  • Defining security strategy and goals
  • Determining the level of acceptable risk
  • Defining and implementing security and compliance governance
  • Coordinating compliance activities and communicating with regulatory groups
  • Creating, publishing and maintaining security policies
  • Ensuring security awareness of risks and organizational security policies
  • Coordinating incident response activities (e.g. data breach, IP theft)
  • Ensuring physical security for company facilities including offices, sites, and datacenters

Challenges

The CSO role is still relatively new, and it has seen some challenges in implementation.  Information security involves much cooperation from Information Technology (IT), and compliance requirements include many sections on technical controls, so it is understandable that IT is often seen as the group responsible for security.  This is not ideal, however, because security and compliance both involve much more than technical controls.  The actions of people, including employees and outside actors, are essential to maintaining security and compliance, and this requires someone or a group with more than technical skills.

Some chief security roles may be given to IT, legal, or HR employees. However, this approach often results in these individuals handling security as a secondary role, so security does not get the priority it is due.  Furthermore, this approach leaves the organization without a central point of contact for security.

The Role of a Virtual CSO

A virtual CSO performs the same activities a CSO would, but does so on a part-time basis.  The role may consist of several persons so that a company remains covered even when one person is on vacation or otherwise unavailable.  Virtual CSOs allow organizations to utilize highly specialized skill sets by providing companies with expert resources in security, without the high fixed cost of adding dedicated security executives.

Virtual CSOs can assist organizations by developing effective strategies essential to evaluate and mitigate risks, maintain operational continuity and secure the organization. Virtual CSOs address areas of security need, whether these concern personnel issues, timely employee background checks, technology, rehabilitation, or the design of procedures and policies.

Virtual CSOs partner with businesses to understand how core information assets have been deployed. They work hand in hand with organizations as they study the security placed around the assets and what improvements can further be made. Virtual CSOs provide assistance in integrating security into organizational strategies and processes, and they help companies develop tailor-made delivery plans that are fitting to their needs and budget.

Ideal Traits

Ideal virtual CSOs should be well versed in exploits, attacks, controls, countermeasures, and vulnerabilities. They should have a thorough understanding of technology such as operating systems, virtualization, storage, and networking, but business and leadership skills are even more important for this role.  Security and compliance are more about people than they are about technology, so the virtual CSO should be able to interface with and direct people and lead change efforts.

Virtual CSOs need to be able to translate risk to data, information or computers into risk to the business. They should be able to determine how to respond to risks, including mitigating, accepting, transferring or avoiding risk.

Summary

The Chief Security Officer role is more vital to companies of all sizes than ever before.  CSOs are in high demand but for those who do not need a full-time person and the expense that goes with it, a virtual CSO may be the answer.  Sometimes this role is added to a pre-existing role within the organization but this can lead to compliance being treated as a secondary activity, and it does little to protect organizational information security.

Virtual CSOs work across business and functional lines. They see through the complete deployment of strategic and holistic approaches to specific business issues. This is done by carefully assessing risks related to the organization’s reputation, information, assets and all people involved. This is crucial especially for businesses that are looking at long-term sustainability and expansion.

Ineffective Security Policy Adherence Results in Another Data Breach

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013.  The device was unencrypted and not password protected despite a DJJ policy requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices but, more importantly, it shows that a policy alone is not enough.  Organizations and government agencies need to make sure that employees are aware of and adhering to their policies.  Without this, such policies are worthless.

Do you have a mobile device encryption policy?  If so, do you know if employees are following it?  Don’t let this happen to you.

Malware behind university data breach

Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11.  The warning informed them that information for over 25,000 persons including social security numbers had been breached.  The breach was caused when malware, identified as Vobfus, infected the university’s human resources database.

Malware is often seen as a nuisance or a productivity inhibitor, but an infected computer can pose a much greater risk to organizations and it should not be overlooked.  Malware gets behind the organization’s perimeter and can act with the credentials of legitimate users, including administrators.  Just because a system is behind a firewall or in a demilitarized zone doesn’t mean it is safe, as threats from the inside are just as virulent as those from the outside.  Malware has recently been the cause of a number of data breaches at supermarkets, banking institutions, and retailers.

Antivirus software is essential, but it is only the first step in protecting against malware.  New malware and revised versions of existing malware are continually being released, and antivirus signatures will miss some malware, potentially even the most dangerous ones.  Understand what normal traffic looks like on your network so that abnormalities can be quickly identified.  Take notifications from users about suspicious activity seriously and consider implementing technologies that utilize behavior-based scans to detect viruses and intrusions.  Lastly, know what to do and who to call if there is a data breach.
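The advice to "understand what normal traffic looks like" is easier to act on with a concrete baseline. The script below is an added example, not code from the article or from Salem State University: it learns per-host outbound traffic from a set of constructed flow records (a quiet period), then flags later records where a host sends far more than usual, talks to a destination it has never used, or is not in the baseline at all. The host names, addresses and byte counts are invented for the example, and the "mean plus three spreads" threshold is one simple choice among many; the point is that a database server that suddenly pushes megabytes to an unfamiliar address stands out only if you already know what its normal hour looks like.

```python
"""Added example: learn a per-host outbound traffic baseline from constructed
flow records, then flag observations that deviate from it.  Illustrative code,
not the article's or the university's tooling."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: hourly bytes sent by each internal host to each
# destination during a quiet period.  Format: timestamp host destination bytes
BASELINE_LOG = """\
2013-03-04T01:00:00 hr-db-01 10.0.5.20 48200
2013-03-04T02:00:00 hr-db-01 10.0.5.20 51900
2013-03-04T03:00:00 hr-db-01 10.0.5.20 49500
2013-03-04T04:00:00 hr-db-01 10.0.5.20 50400
2013-03-04T01:00:00 ws-12 10.0.1.5 12000
2013-03-04T02:00:00 ws-12 10.0.1.5 13500
2013-03-04T03:00:00 ws-12 10.0.1.5 11800
2013-03-04T04:00:00 ws-12 10.0.1.5 12700
"""

# Constructed observation window: the HR database host suddenly pushes a large
# volume to an address it has never used, and a host with no baseline appears.
OBSERVED_LOG = """\
2013-03-10T02:00:00 hr-db-01 10.0.5.20 50100
2013-03-10T02:00:00 hr-db-01 203.0.113.77 8400000
2013-03-10T02:00:00 ws-12 10.0.1.5 12900
2013-03-10T02:00:00 laptop-99 10.0.1.5 3000
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, nbytes = line.split()
        records.append({"ts": ts, "host": host, "dest": dest, "bytes": int(nbytes)})
    return records


def build_baseline(records, min_spread_ratio=0.10):
    """Per host: mean and spread of bytes per record plus the destinations seen.
    The spread is floored at a fraction of the mean so that a perfectly regular
    baseline does not turn every tiny fluctuation into an alert."""
    per_host = defaultdict(list)
    dests = defaultdict(set)
    for r in records:
        per_host[r["host"]].append(r["bytes"])
        dests[r["host"]].add(r["dest"])
    baseline = {}
    for host, values in per_host.items():
        m = mean(values)
        spread = max(pstdev(values), min_spread_ratio * m)
        baseline[host] = {"mean": m, "spread": spread, "dests": dests[host]}
    return baseline


def find_anomalies(baseline, records, z=3.0):
    """Flag records whose host is unknown, whose destination is new for that
    host, or whose byte count exceeds mean + z * spread for that host."""
    findings = []
    for r in records:
        reasons = []
        b = baseline.get(r["host"])
        if b is None:
            reasons.append("unknown_host")
        else:
            if r["dest"] not in b["dests"]:
                reasons.append("new_destination")
            if r["bytes"] > b["mean"] + z * b["spread"]:
                reasons.append("volume")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


def run_check():
    """Build the baseline from the quiet period and check the observed window."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return find_anomalies(baseline, parse_flows(OBSERVED_LOG))


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['ts']} {f['host']} -> {f['dest']} {f['bytes']} bytes: "
              f"{', '.join(f['reasons'])}")
```

Run on the constructed data, the script reports two findings: hr-db-01 for both a new destination and excessive volume, and laptop-99 as a host with no baseline. The routine ws-12 traffic and the database host's normal transfer to its usual peer produce nothing, which is the property you want from a baseline check: quiet when things are quiet, loud when a machine behaves unlike itself.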