Detecting data breaches through security awareness

Most data theft is committed by insiders. These are people who would usually be considered very trustworthy, but some incident or life change motivates them to commit a crime. An evaluation of cases of insider theft has provided statistics useful in identifying the types of employees who are most likely to threaten information security. Surprisingly, it's not the underpaid computer guru working in the server room. According to data from the Software Engineering Institute at Carnegie Mellon University, information theft is more likely to occur with those who serve in a managerial capacity in a non-technical role. These individuals are usually between the ages of 26 and 40 and they are more likely to steal business data than Personally Identifiable Information (PII).

Equally important is that very few data thefts were discovered by the use of technology.  Rather, security awareness and incident response played a greater role in the detection of these crimes. Unfortunately, these competencies are neglected in many businesses.  The majority of cases were detected by employees who reported suspicious or unusual activity, customers who complained or by auditors.

So I have to ask: do your employees know how to recognize suspicious activity?  Would they know who to contact?  Can they do so anonymously?  Lastly, does your company have an action plan for handling data theft incidents?

Data breach risk high for healthcare

Recent research shows that hospitals are the highest risk for data breaches.  The third annual benchmark study on patient privacy found that 45% of healthcare organizations have suffered more than five data breaches.  This is an increase from 29% in 2010.  In the majority of cases, 46%, the cause of the data breach was a lost or stolen computing device.  Employee carelessness and business associate mistakes were tied for the second most likely cause.

Healthcare IT News put together a list of the top 10 healthcare data breaches of 2012 listed below:

Utah Department of Health          780,000
Emory Healthcare          315,000
S.C. Department of Health and Human Services          228,435
Alere Home Monitoring, Inc.          116,506
Memorial Healthcare System, Fla.          102,153
Howard University Hospital            66,601
Apria Healthcare            65,700
University of Miami            64,846
Safe Ride Services            42,000
Medical Integration services, Puerto Rico            36,609

As I move into 2013, health care organizations can help prevent data breaches by maintaining tight control over organizational computing assets containing Protected Health Information (PHI) since this is the highest cause of breaches.  They should also be concerned with employee security training and requiring higher security standards of business associates.  Last but not least, HIPAA compliance is a must.

When a data breach or cyber security incident does occur, the impact can be minimized if clear direction for handling the breach has been given through incident response plans.  It is also important to know when to call for outside help.  Know providers of breach response services and computer forensic services and have their information at hand to minimize the scope and impact of a data breach or cyber security incident.

Early Breach Detection saves bits

A recent finding from Gartner, in "Using SIEM for Targeted Attack Detection", is that 85% of breaches go undetected. Those that are detected are often discovered long after the attack has taken place. Some cases are extreme, such as Nortel's network, which attackers accessed for 10 years before it was discovered, while others are detected days or weeks later. The failure to detect breaches quickly is not limited to external breaches such as those from hackers. Carnegie Mellon found that theft of data by insiders, when discovered, is revealed on average 31 days later.

As you would assume, the longer a breach is left undetected, the more data is stolen. Undetected breaches also increase the damage done to consumers because attackers have more opportunity to use the data they steal by creating fake identities, ordering goods with stolen credit cards and committing fraud with stolen credentials, among a host of other activities. This is yet another reason why customers and clients are unhappy with organizations' responses to data breaches.

Early detection of breaches can reduce the impact of the breach by preventing additional data from being stolen and depriving attackers of the time they need to monetize their stolen data.  It also makes it easier to identify attackers, who have less time to cover their tracks.  Valuable data such as server logs are often overwritten over the course of time, and it becomes harder for employees to remember details of the date and time in question.

Companies can improve response time by implementing real-time monitoring solutions with alerting functions.  In order for real-time monitoring to be effective, the organization will need to have trained employees who will receive the alerts.  This may involve several shifts to cover the entire day or persons who are on call.  Of course, real-time monitoring can also be outsourced.

A well-defined incident response plan will also aid in quickly and effectively addressing a data breach when it does occur.  Identify persons inside the organization and consultants or outside experts who can help when the breach occurs.


Retaining customer confidence after the breach

Government regulations, including the well-known HIPAA and GLBA, are quite clear on the notification requirements for businesses suffering a data breach, but simply adhering to the regulations is not enough to keep your customers.  The responses to recent breaches show that customers are unhappy with organizations such as the South Carolina Department of Revenue, Adobe, ADPI and Nationwide Mutual Insurance for their poor response.

In the 2012 consumer study on data breach notification, it was found that 72% of respondents were disappointed in the way notification was handled.  67% say the notification did not provide enough details about the breach.  Furthermore, data breaches have an impact on whether the organization can keep its customers.  Following the breach, 15% will terminate the relationship and 35% say the relationship depends on whether the company suffers another breach.

The Ponemon Institute provides some guidance on how organizations can better handle data breach notification.  First, notify customers quickly following a breach.  If you are unclear about the entire scope of the breach, explain that the investigation is still underway.  Next, provide that notification in a way that differentiates it from junk mail.  Notification letters should be short and easy to understand with specifics about the breach and what the impact is to the customer.

Social Media – After the Breach | American Bar Association

Considerable effort can go into stealing personal and company information, but more and more individuals are just giving it away. Today, communication in the workplace has moved to Facebook walls and office gossip is tweeted around the world. YouTube videos portray "behind the scenes" footage giving the entire world a glimpse into what once was restricted to employees and an occasional guest. Cast out into the Wild West of time and space that we call the Internet is all manner of private information, both personal and corporate. Telephone numbers, important contacts, addresses, social security numbers, banking and financial data, birth dates, private medical information, and even corporate decisions and strategy are readily and easily available. Moreover, comments made in a personal, trusting setting are now sent into the vast beyond, where they can remain permanently. Read more in the article published in the ABA by me and Timothy Opsitnick.

Hack Back: Eye for an eye in cyberspace

Like paparazzi on celebrities, hackers pound on our organizational doors almost every second of the day.  It makes us want to hack them back: take them out of the game and stop this never-ending battery of our systems.  This is especially tempting following a data breach.  Despite this temptation, most restrain themselves because of laws that prohibit the use of computer programs and systems to attack others.  However, increases in damages and loss due to computer hacking have caused some to question this restraint.

At the 2012 RSA conference, Paul Asadoorian and John Strand proposed fighting back by frustrating hackers with systems that waste their time, tracking attackers, and then disabling them.    Unfortunately, many times attackers use other systems to perpetrate their attacks so the act of disabling their systems could take down a company that has no knowledge of the attack.

Some argue that since the systems used by attackers are vulnerable, they are contributing to the problem and that disabling those systems is simply part of the overall solution to make us safe.  The loss of availability for one company is a benefit to the community.

So far these arguments have focused on reacting to an attack, but Symantec proposed taking it a step further in their article "Malicious Malware: attacking the attackers".  They suggested stopping attackers before they issue an attack.  Methods ranging from distributing hacker tools that track the attacker to taking control of hacker botnets would put the hackers on the defensive.

There are people on both sides of the fence, with some, such as John Pescatore, head of Gartner's Internet security practice and former NSA and Secret Service agent, doubting whether it can really help. Pescatore says, "There is no business case for it and no positive outcome." Others, like cyberwar researcher Sandro Gaycken, believe that governments who have the sanction to attack back have not been doing enough. He believes hacking back can help and that it is justified. Gaycken says, "Vigilantism could seem justified. It's that way with self-defense: if the state is not there, and I'm attacked, I can hit back."

In response to concerns about legality, Asadoorian and Strand recommended modifying system banners and warnings to include a statement that by accessing this system you agree that information such as your location will be collected and that your system will be subject to a security check.  In this way, attackers would be allowing you to collect information on them and to run tools to analyze their systems.  However, attackers are not authorized to make such a decision on behalf of those whose systems they have compromised, so statements like this may be of little value.

The debate is going on right now with serious cyber security discussions on whether hacking back should be officially allowed in the United States.  What are your thoughts?

Alternative security uses for eDiscovery software

A recent breach at the Memorial Sloan-Kettering Cancer Center called attention to the fact that you can't protect data from a breach if you don't know what data your organization possesses. This may sound simple but many organizations do not have a good grasp on what data exists in their organization and whether that data should be protected against disclosure. This makes it difficult to detect a breach and thus, breached data persists in the wild much longer than it could if organizations had a better understanding of the data they manage.

An interesting solution, documented in Data Breach Today, is being used by Franciscan Health System (FHS) in Washington State. FHS has started using an eDiscovery tool, typically used to gather, filter, prepare and evaluate data for use in litigation, to gain a big picture of the data they have on their systems. eDiscovery tools allow users to search across a large amount of data to find data of a specific type. In litigation, lawyers ask, "What data is relevant to my case?" and in information security and privacy, the question is, "What sensitive data exists in my company?" FHS and others have found another use for eDiscovery tools in the information security field. These tools are much further along on the maturity cycle than some recently developed tools. Some eDiscovery tools allow for data visualization, such as the Attenex document mapper from FTI, which shows a picture of the data in the system by using a series of circles of varying sizes connected together. The circles and connections picture the classifications and relationships between data.

Many people in an organization may be creating content, and some sensitive information may accidentally or intentionally be included in a document. eDiscovery software evaluates the content of files to help identify the data that may be hiding within a document, and it can be used for cyber security in addition to litigation. In the case above, Memorial Sloan-Kettering Cancer Center had unencrypted patient information in a set of Microsoft PowerPoint slides that were available online. What's worse is that the information was available for six years before it was found. An eDiscovery system could have alerted them to this data breach much sooner.
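A minimal sketch of the content-evaluation step described above, added here as an example (it is not code from FHS, FTI or any eDiscovery product): it builds an inventory of which documents contain U.S. Social Security or payment-card numbers, validates candidates to cut false positives, and masks hits so the report does not become sensitive itself. The file names and all sample values are constructed, and the documents are assumed to be already extracted to plain text.

```python
import re
from collections import Counter

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and IDs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def plausible_ssn(area, group, serial):
    """Reject ranges that are never issued (000/666/9xx area, 00 group, 0000 serial)."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def scan_text(text):
    """Return (kind, masked_value) hits; values are masked so the report is not PII."""
    hits = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            hits.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def inventory(docs):
    """Map each document that holds sensitive data to a count per data type."""
    report = {}
    for name, text in docs.items():
        counts = Counter(kind for kind, _ in scan_text(text))
        if counts:
            report[name] = dict(counts)
    return report

# Constructed sample documents (already extracted to text); all values are made up.
DOCS = {
    "slides/case_review.txt": "Follow-up for SSN 123-45-6789, paid by card 4111 1111 1111 1111.",
    "notes/orders.txt": "Order ref 1234 5678 9012 3456 shipped; form placeholder 000-12-3456.",
    "hr/roster.txt": "Employee A 123-45-6780; employee B 234-56-7891.",
}

if __name__ == "__main__":
    for name, counts in inventory(DOCS).items():
        print(name, counts)
```

Run on a schedule against file shares and published web content, an inventory like this flags documents such as the exposed slide deck long before an outside party finds them.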

South Carolina Department of Revenue loses 3.6 million Social security numbers

On October 10, the Secret Service's electronic crimes task force discovered that the South Carolina Department of Revenue's systems were breached in one of the largest government data breaches recorded. 3.6 million Social Security numbers along with 657,000 business taxpayer records and 387,000 credit and debit card numbers were stolen.

We could be facing a much bigger problem though. Larry Ponemon, chairman of the Ponemon Institute, believes that other States are just as susceptible to the attack as South Carolina. In an interview with The Post and Courier, he said, "One of the reasons, based on my research, is that the security posture of government organizations tends to be inferior of that of commercial organizations."

Those investigating the data breach found that most of the data was not encrypted and the attacker had penetrated the network for over a month before the intrusion was detected. Think of your systems and cyber security in light of this incident.  Is there sensitive information on your network that is not encrypted?  Would you know if there was an intrusion?  What would you do if a data breach occurred?

Incident response and information security culture

A while back, I published a white paper on security culture for JURINNOV. An organization's culture in relation to information security determines how receptive employees will be to security initiatives. Culture can make the difference between security that is embedded into the organization versus security that is simply an afterthought or even worse, ignored.

Culture is formed through a series of successes that reinforce the underlying assumptions behind those successes. Alternatively, failures diminish assumptions associated with the failure. There are many actions an organization can take to begin the process of instilling a culture of security. A recent example at Seattle Children's Hospital shows how the organization's security culture was improved through incident response planning.

In an interview with Information Week, Cris Ewell, Chief Information Officer for Seattle Children's Hospital, stated that employees have recognized that breaches will happen even with the best preventative measures now that they have implemented incident response plans. They also realized that some incidents require outside help. It is important to know who to contact ahead of time because time is precious following an incident.