Data breach threats of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media, and Telecommunications (TMT) companies suffered a data breach.  88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking.  Rather, the three highest threats were:

  1. Employee errors and omissions
  2. Denial of service (DoS) attacks
  3. Security breaches by third parties

Employee errors and omissions

Awareness is a critical factor here, and Deloitte lists it as one of the top three security initiatives of 2013.  70% of TMT companies responded in the survey that employee mistakes were an average of high vulnerability.  The risks, as stated by Deloitte, include, “talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies.”  To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.

Denial of service (DoS) attacks

Denial of Service (DoS) attacks was also rated a high threat.  DoS attacks overload targeted information systems making them slow to respond to requests or taking them down entirely.  Due to the relative ease of conducting a DoS and the criticality of information systems to today’s businesses, it is no wonder that DoS makes the list.  These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group of their interests.  Organizations can protect themselves by monitoring the messages they are sending especially through social networking and by working out an incident response plan for handing a DoS attack that includes the public relations factors in addition to the technical ones.

Security breaches by third parties

Breaches by third parties are at the top of the listing party because the average company deals with so many third parties in the course of doing business.  In fact, 79% of respondents said the sheer number of third parties they deal with would be an average of high threat.  With so many third parties, it is difficult to determine if each has a sufficient level of security to protect adequately the data they work with and, as we all know, security is only as effective as the weakest link.  Organizations have responded by more thoroughly screening third parties and assigning them a risk rating for the type of data they will be working with through a process called vendor risk management.  The third party then needs to demonstrate security that is in line with the risk rating they have.  This process is required by regulations such as Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS) and Health Information Portability and Accountability Act (HIPAA).

The threat landscape of 2013 continues to grow, and companies are tasked with more responsibility to protect the data they work with.  As can be seen from Deloitte’s survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013.  To protect themselves, businesses can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.

Hospitals are the highest risk for data breaches

Recent research shows that hospitals are the highest risk for data breaches.  The third annual benchmark study on patient privacy found that 45% of healthcare organizations had suffered more than five data breaches.  This is an increase from 29% in 2010.  In the majority of cases, 46%, the cause of the data breach was a lost or stolen computing device.  Employee carelessness and business associate mistakes were tied for the second most likely cause.

Healthcare IT News put together a list of the top 10 healthcare data breaches of 2012 listed below:

Healthcare Data Breach Top 10

 

 

 

 

 

As we move into 2013, health care organizations can help prevent data breaches by maintaining tight control over organizational computing assets containing Protected Health Information (PHI) since this is the highest cause of breaches.  They should also be concerned with employee security training and require higher security standards of business associates.  Last but not least, HIPAA compliance is a must.

When a data breach or cyber security incident does occur, the impact can be minimized if clear direction for handling the breach has been given through incident response plans.  It is also important to know when to call for outside help.  Identify providers of breach response services and computer forensic services and have their information at hand to minimize the scope and impact of a data breach or cyber security incident.

Risk Homeostasis and its impact on risk reduction

Gerald Wilde had a theory called risk homeostasis.  This theory hypothesizes that people have a level of acceptable risk.  When they perceive that there is less risk, they will take more risky actions to bring them to an acceptable level and when they perceive more risk, they will be more cautious.  Information security is very concerned with managing risk and reducing it to an organizationally acceptable level.  However, an organization is made up of many people and they may have a different level of acceptable risk than the organization does.  If the theory of risk homeostasis is applied to information security, individuals will take riskier actions when the organization implements controls to make them safer or when they perceive the environment to be safer.

This has far reaching ramifications for those in information security because the perceptions of risk by the individual may differ greatly from the actual risk.  Despite awareness of information security breaches in the news and the overwhelming statistics that a data breach is likely, people still have difficulty accepting that a breach could happen to them.  It all comes down to perceptions.  With Wilde’s theory, if a high risk is perceived then users will be more cautious and that is where the security minded organization wants to be.  So the question is, does the risk homeostasis theory hold water and if so, how do organizations manage perceptions in information security?

 

Is Your TV a Security Risk? Embedded Devices May be the Next Target.

The latest televisions and Blu-Ray players come equipped with more than HD video and audio.  Internet access and a host of new applications are being built in to run directly on these “smart” TVs and DVD players.  A popular built-in feature is wireless access which enables the user to avoid plugging in an Ethernet cable.  Accessing the internet and your favorite apps directly from your TV is convenient.  However, what security risk does it pose?

Are Smart TVs and Blue Ray Players a Security Risk?

The primary question is, “Are these devices a security risk?” Examining the features of smart TVs and Blu-Ray players and comparing them to existing systems that already have a risk profile will help answer this question.

To access the Internet, a device needs an Internet browser. Currently, manufacturers have decided not to develop their browsers but to use existing products that have proven effective on other platforms.  Some devices come equipped with a version of Opera while others utilize Google’s Chrome browser. Both browsers have been reasonably responsive in addressing security vulnerabilities and supporting the latest security standards.

Another feature offered by some devices is the ability to retrieve pictures, movies and music from networked computers by using Microsoft’s Windows “media extender technology.”  The default installation of the press center extender provides full access to most of the shared media on the network. This access could allow a compromised television or Blu-ray player to give access to files on the home network or office network.

Another consideration is the type of content that will be available on these devices.  In the past year, a significant number of exploits focused on Adobe Flash or Java.  Blu-ray players currently support Java to display content often included on Blu-ray disks, while some of the TV browsers support flash content.  Additionally, many of the applications available for these devices (like Hulu Plus) use Flash.

Smart TVs and Blu-Ray players are typically connected to the network for extended periods of time. This long-term connection poses another risk. These devices may be configured to automatically download or index programs for future use. Since these devices are rarely monitored and typically used throughout the day, a security breach may go unnoticed for an extended period of time.  The longer a security breach goes unnoticed, the more damage and harm are typically caused.

Although there have not been any reported vulnerabilities for televisions and Blu-ray players yet, do not expect it to remain this way for long.  (Update: A security firm did recently find a weakness in a Samsung TV.  For more information, click here.)  It did not take long for cell phones to be exploited after internet access and applications were ported to them. Similarly, as the internet capable televisions and Blu-ray players grow in popularity, they will become a more sought after target of hackers.

So What Can You Do? 

Since no vulnerabilities have been published, companies have not developed security patches to prevent unwanted breaches. In reviewing recent firmware update release notes from mainstream television and Blu-ray manufacturers, none of the release notes documented fixes for security vulnerabilities.   These updates only enhanced functionality, not security.

Companies who have adopted Internet capable devices should consider keeping them on a separate network segment.  Both home and business users can disconnect devices from the network if internet features are not needed.  By staying up to date on new vulnerabilities, corrective action can be taken when needed.

For added security, also consider turning off features that automatically index or download content.  This, combined with setting the device to turn fully off, will reduce the amount of time the device is potentially vulnerable each day.  When using the media center extender, consider cutting access from the default of full access to read only.  See this article for details on configuring tightened security for media center extenders (please be aware the article is rather technical).   Eventually, security patches for these internet capable devices will be released just like security patches are released for software applications and operating systems.  However, unlike computers, users are not familiar with the firmware update process, and not all companies make it easy to upgrade their products. In the future, companies will need to develop procedures for regularly updating devices.

In conclusion, a smart TV or Blue-ray player could be vulnerable once exploits are designed for these devices.  As the consumer usage for these devices increases, the likelihood of malicious code being developed will likewise increase.  The firmware on these devices can be upgraded, but manufacturers have not released any security updates for their devices. Until manufacturers address the invasions as they occur, the three best ways to protect a device from undisclosed vulnerabilities are:

  1. Disconnect the device from the network unless it is needed to use specific Internet features
  2. Allow the device to turn off and not download content automatically
  3. Configure tighter security on Windows media extenders.

 

Stop Hoarding! Improve Security, Efficiency and the Bottom Line through an Effective Data Retention Policy

Organizations are accumulating data at a pace that would cause a hoarder to blush.  Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.”  This practice, however, comes at a cost.

Some organizations think that it is inexpensive to store data, in particular with the steady decline in hard drive prices.  The fact is, however, data is expensive to keep.  Organizations spend a significant portion of time managing, archiving and securing data.  Data is housed on servers, each of which must be maintained.  Data is also archived regularly according to the organization’s backup schedule, and it is audited and secured against loss.  Each of these activities consumes the time (i.e. increases the cost) for those in information management.

Excessive data retention can also pose a risk to an organization regarding compliance and electronic discovery requirements.  Personally Identifiable Information (PII) that is lost could result in significant fines.  Also, old document drafts that may not provide organizational value could still damage the organization if disclosed.  Data related to litigation is costly to obtain, organize, and produce.  Searching through an organization’s legacy data adds additional complexity and cost.

For the above-stated reasons, it is important to remove unnecessary data.  A structured approach is necessary to avoid the loss of important data and to provide consistency throughout an organization.  The structure can be accomplished through a data retention policy.   A data retention policy should specify how long certain types of data such as emails, documents, drafts, instant message conversations, or even voice mails should be kept and how the data will be properly disposed of.

Contents

At a minimum, a data retention policy should contain a scope section that outlines the types of data covered.  Examples would be tax records, personal information, business records and legal documents. Also, the policy will need to spell out how long and in what form each type of document will be retained.  Some policies may include guidelines on removal of data – or this may be left to a data destruction policy.

Retention Term

One of the most difficult parts of defining a  data retention policy is specifying the length of time to retain certain types of documents.  Compliance requirements may determine the minimum or maximum length of time while business requirements may stipulate other terms.  Both the compliance and business requirements will need to be considered in defining the duration. The following are some best practices and can be used a starting point in the formation of a data retention policy:

  • Audit documentation and associated financial documents will need to be kept for at least seven years if there is a SOX requirement. The IRS requires that tax documents be retained for at least four years after they were due.
  • The list of hazardous chemicals provided by OSHA contains many substances common in the workplace and data retention policies should define how long documentation of hazardous chemical exposure data will be kept.  OSHA requires that such documents be retained for 30 years.
  • The Health Insurance Portability and Accounting Act (HIPAA) requires that information disclosure authorizations, patient requests, business associate contracts and other such covered documents be retained for at least six years from the last transaction or 2 years following the patient’s death.
  • Exceptions may be made to these recommendations when pending litigation or audits require an information freeze or legal hold for specific data.  In these instances, organizations will need to show that they have made reasonable efforts to prevent the destruction of discoverable information.

Businesses have a definite need for data retention policies.  The regulatory requirements mentioned here should be included in business retention requirements for those that fall under such regulations.   An effective data retention policy can go a long way in reducing data clutter, improving organizational efficiency and reducing risk.  However, defining the policy will not be enough.  Employees will need to be aware of the policy and motivated to follow it.

 

 

Protecting against data breaches and security incidents with cyber insurance

Data breaches and security incidents are a significant risk for organizations and some are using cyber insurance to transfer the risk similar to how many other business risks are transferred.  If you are considering cyber insurance, the first step is to identify the cyber risks you are facing to determine if they fall within you risk tolerance level or if they need to be addressed.  Security controls may need to be implemented to bring risks to an acceptable level.  There may be other risks where it is better to transfer the risk through cyber insurance.

Cyber insurance is still a relatively new concept so the offerings differ greatly between vendors.  Check with your vendor to see what they will cover.  Some of the costs of a data breach or security incident include:

  • Notification expenses such as those required under HIPAA
  • Investigation costs
  • Computer forensic services
  • Data restoration services
  • Public relations costs
  • Loss of business during the interruption
  • Loss of business following the interruption
  • Regulatory fines
  • Credit monitoring for impacted individuals

Insurance providers will want to know how risky a policy is so they will most likely have some questions on your security procedures before issuing a policy.  Cyber insurance is not a solution.  It needs to be pursued as part of the overall security governance of the organization along with security controls and other risk mitigation activities.

The Social Networking Threat

Social Networking is a godsend and concern, a help and a hindrance, an amazing feat and a terrible nuisance. While these descriptors apply to the individual, they are exacerbated multiple times for a corporation. A corporation needs to be concerned with everything from profits to people, and social networking websites like Facebook, Twitter, or the new Google+ among others have a tremendous impact on how a corporation looks at its priority list. Certain facets of social networking can be beneficial to businesses, for example, social networking provides a business with free publicity. In addition to publicity, social networking allows a business to into new markets and different demographics. Though networking brings many new possible clients and expands a business, it can also be riddled with potential pitfalls. For example, a business can divulge too much information via social networking. Also, privacy on sites like Facebook can be a little suspect, and thus put important corporate information at risk.

Now that a brief overview of the potential problems and possible benefits has been explored, a brief definition of Social Networking should be established. For this, the Wikipedia definition will suffice, “A social networking service is an online service, platform, or site that focuses on building and reflecting of social networks or social relations among people, who, for example, share interests and activities. A social network service essentially consists of a representation of each user (often a profile), his/her social links, and a variety of additional services.” This definition exemplifies that social networks are used for establishing links among people and while it is not explicitly stated corporations. However, it does not address the problems within social networking. This is a problem that cannot be overlooked or understated. Many dangers exist within the milieu of social networking, and they must be, explored.

Advantages

A few of the main goals of a corporation include the growth and sustainability of the company. Social networking provides a very advantageous solution to spreading the word about a company. Whether or not the company is a new up and coming or is looking to reformulate its image within the public eye, social networking can be beneficial. The client base is extensive, and the upkeep is at a low cost. With social networking corporations can hit multiple demographics and do it with an individualistic flair. Instead of a billboard advertisement trying to reach everyone, a corporation can use a Facebook post to reach a small population within the larger picture. Social networking can also be an option to solve communications problems. A recent news story that came out on July 6, 2011, discussed Facebook’s new chatting features, layout, and conference calling. As well as these new elements Facebook has also launched the ability to individually video chatting in a partnership with Skype. However, these new features are not the only ways that social networking affords corporations with regards to bridging the communication gap. Social networking could be used to reach the entire employee base within a corporation as a unifying force. Event notifications and shared calendars can ensure that projects be completed on time.

Disadvantages

Unfortunately not everything associated with social networking is positive. For a corporation, the adverse effects that social networking has on employee productivity can be a problem. People can spend company time on updating their Facebook profiles or checking their Twitter feed instead of working on valuable projects. Employees that would be working diligently are instead lured into complacency via social networking. A lack of productivity affects the company through the individual employee; however, social engineering and corporate espionage could compromise the entire corporation. In another blog, corporate espionage was discussed at length and its dangers. These risks are intensified through the use of social networking. People and employees can be seduced and compelled to divulge sensitive company information through social networking sites. Furthermore, once these secrets are published the ownership of the information is disputed. There is ambiguity within the law as to who owns responsibility for what is updated to these social networking websites. A study was done in Spain published on May 9, 2011, that dissected the problems with social networking. The study discussed where the blame falls about libel and slander cases. However, this study could also set a precedent that social networking sites by taking responsibility for the libel that could be posted on their websites also assume responsibility for anything posted on their sites including sensitive information or corporate secrets. From an information technology (IT) standpoint, social networking could have substantial costs due to the bandwidth required to manage these sites. The sites themselves may take up relatively small areas of bandwidth, but the problems ensue with the streaming of bandwidth-gobbling videos or music. This bandwidth shortage is problematic on an individual level because employees are less productive by looking at what their friends post, but also can be troubling to corporations heavily involved in publicizing itself via social networking sites. Corporations uploading promotional videos heralding their service or product on these sites can take up a lot of bandwidth traffic. This self-publicizing can create headaches for IT departments.

When it comes to maintaining friendships on the individual level social networking sites, provide tremendous opportunities. However, possible danger could exist for corporations and companies. These dangers include the possibility of a decline in worker productivity and the ability for social engineers to take advantage of employees otherwise known as corporate espionage. Although there are possible dangers to social networking, the possibilities afforded by networking are not entirely bleak. Many benefits can be extruded from the use of social networking sites. For example, a company can use sites like facebook and twitter to connect to specific demographics and reach out to them. In addition to that, the free publicity afforded by social networking sites is invaluable to corporations. The bottom line is social networking should be used but with extreme caution and assume.