Virtual Chief Security Officers getting small businesses ahead

Security remains a complex discipline.  This ever-changing challenge grows in complexity daily as new threats emerge and compliance requirements increase.  Several regulations including HIPAA require organizations to have a person whose role is to ensure compliance within the organization.  This is why organizations need a designated person with primary responsibility for security and compliance.  This person is the Chief Security Officer (CSO).

The Role of a Chief Security Officer

A Chief Security Officer or CSO is first and foremost a business leader in the organization. He or she sets the organization’s security vision and ensures that it is in line with other business objectives. The CSO works with other business leaders, such as the senior financial manager (for example the Chief Financial Officer (CFO)), the business owner, senior partners or the Chief Executive Officer (CEO), and the senior IT executive (such as the Chief Information Officer (CIO) or Chief Operating Officer (COO)), to implement security and compliance initiatives throughout the company.

Some CSO activities may include:

  • Establishing and evangelizing the security vision
  • Defining security strategy and goals
  • Determining the level of acceptable risk
  • Defining and implementing security and compliance governance
  • Coordinating compliance activities and communicating with regulatory groups
  • Creating, publishing and maintaining security policies
  • Ensuring security awareness of risks and of organizational security policies
  • Coordinating incident response activities (e.g. data breach, IP theft)
  • Ensuring physical security for company facilities including offices, sites and datacenters

Challenges

The CSO role is still relatively new and it has seen some challenges in implementation.  Information security involves much cooperation from Information Technology (IT), and compliance requirements include many sections on technical controls, so it is understandable that IT is often seen as the group responsible for security.  This is not ideal, however, because security and compliance both involve much more than technical controls.  The actions of people, including employees and outside actors, are essential to maintaining security and compliance, and this requires a person or group with more than technical skills.

Some chief security roles may be given to IT, legal, or HR employees. However, this approach often results in these individuals handling security as a secondary role, so security does not get the priority it is due.  Furthermore, with this approach the organization lacks a central point of contact for security.

The Role of a Virtual CSO

A virtual CSO performs the same activities a CSO would, but on a part-time basis.  The role may actually be comprised of several persons so that a company is covered even when one person is on vacation or otherwise unavailable.  Virtual CSOs allow organizations to utilize highly specialized skill sets by providing companies with expert resources in security. This is made possible without the high fixed cost of adding dedicated security executives.

Virtual CSOs are able to assist organizations by developing effective strategies essential to evaluating and mitigating risks, maintaining operational continuity and securing the organization. Virtual CSOs address areas of security need whether these concern personnel issues, timely employee background checks, technology, rehabilitation, or the design of procedures and policies.

Virtual CSOs partner with businesses to understand how core information assets have been deployed. They work hand in hand with organizations as they study the security placed around the assets and what improvements can further be made. Virtual CSOs provide assistance in integrating security into organizational strategies and processes and they help companies develop tailor-made delivery plans that are fitting to their needs and budget.

Ideal Traits

Ideal virtual CSOs should be well-versed in exploits, attacks, controls, countermeasures and vulnerabilities. They should have a thorough understanding of technology such as operating systems, virtualization, storage and networking, but business and leadership skills are even more important for this role.  Security and compliance are more about people than about technology, so the virtual CSO should be able to interface with and direct people and lead change efforts.

Virtual CSOs need to be able to translate risk to data, information or computers into risk to the business. They should be able to determine how to respond to risks, including mitigating, accepting, transferring or avoiding risk.

Summary

The Chief Security Officer role is more vital to companies of all sizes than ever before.  CSOs are in high demand but for those who do not need a full time person and the expense that goes with it, a virtual CSO may be the answer.  Sometimes this role is added to a pre-existing role within the organization but this can lead to compliance being treated as a secondary activity and it does little to protect organizational information security.

Virtual CSOs work across business and functional lines. They see through the complete deployment of strategic and holistic approaches in dealing with specific business issues. This is done by carefully assessing risks related to the organization’s reputation, information, assets and all people involved. This is crucial especially for businesses that are looking at long-term sustainability and expansion.

Fraud techniques revealed in recent debit card case

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft.  The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to credit card processing companies and conducted what hackers term “unlimited operation”. Unlimited operation is an attack in which debit card account balances and withdrawal limits are removed. In this case, attackers performed unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and PINs to groups around the world. These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATMs.

I have spoken of the increase in coordination of cyber-attacks many times and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City.  A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks.  Anomalous behavior monitoring is valuable no matter where the next attack comes from and it is useful in other industries as well.
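The monitoring described above, as an added example that is not part of the original post: two detection rules run over a constructed, hypothetical processor log (a withdrawal-limit change on a card, and too many withdrawals or distinct ATMs on one card within a two-hour window). The log format, card identifiers and thresholds are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp|card|atm|event|amount"
# format. Card identifiers are fake placeholders, not real card numbers.
SAMPLE_LOG = """\
2012-12-22T02:55:00|CARD-A|ADMIN-PORTAL|limit_change|0
2012-12-22T03:00:00|CARD-A|ATM-NYC-001|withdrawal|800
2012-12-22T03:04:00|CARD-A|ATM-NYC-017|withdrawal|800
2012-12-22T03:09:00|CARD-A|ATM-NYC-042|withdrawal|800
2012-12-22T03:15:00|CARD-A|ATM-NYC-088|withdrawal|800
2012-12-22T03:20:00|CARD-A|ATM-NYC-103|withdrawal|800
2012-12-22T08:30:00|CARD-B|ATM-NYC-001|withdrawal|200
2012-12-23T09:00:00|CARD-B|ATM-NYC-001|withdrawal|100
"""

WINDOW = timedelta(hours=2)          # sliding window per card
MAX_ATMS_IN_WINDOW = 3               # assumed threshold: distinct ATMs per card
MAX_WITHDRAWALS_IN_WINDOW = 4        # assumed threshold: withdrawals per card


def parse_log(text):
    """Parse the pipe-delimited log into sorted (ts, card, atm, event, amount) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, atm, event, amount = line.split("|")
        events.append((datetime.fromisoformat(ts), card, atm, event, int(amount)))
    return sorted(events)


def detect_anomalies(events):
    """Return a list of (rule, card, detail) alerts.

    'limit_change': any event that alters a card's balance or withdrawal limit,
                    the modification an unlimited-operation attack depends on.
    'velocity':     a card exceeding MAX_WITHDRAWALS_IN_WINDOW withdrawals or
                    MAX_ATMS_IN_WINDOW distinct ATMs inside WINDOW (flagged once).
    """
    alerts = []
    recent = defaultdict(deque)   # card -> deque of (ts, atm, amount) inside WINDOW
    flagged = set()
    for ts, card, atm, event, amount in events:
        if event == "limit_change":
            alerts.append(("limit_change", card, f"{ts.isoformat()} via {atm}"))
            continue
        q = recent[card]
        q.append((ts, atm, amount))
        while q and ts - q[0][0] > WINDOW:   # drop withdrawals older than WINDOW
            q.popleft()
        distinct_atms = {a for _, a, _ in q}
        total = sum(amt for _, _, amt in q)
        if card not in flagged and (len(q) > MAX_WITHDRAWALS_IN_WINDOW
                                    or len(distinct_atms) > MAX_ATMS_IN_WINDOW):
            flagged.add(card)
            alerts.append(("velocity", card,
                           f"{len(q)} withdrawals totalling {total} at "
                           f"{len(distinct_atms)} ATMs within {WINDOW}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data CARD-A raises both alerts (the limit change at 02:55 and a fourth distinct ATM by 03:15), while CARD-B, with two ordinary withdrawals a day apart, raises none.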

Florida Department of Juvenile Justice Data Breach

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013.  The device was unencrypted and not password protected despite a DJJ policy requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices but, more importantly, it shows that a policy alone is not enough.  Organizations and government agencies need to make sure that employees are aware of and adhering to their policies.  Without this, such policies are worthless.

Do you have a mobile device encryption policy? If so, do you know if employees are following it? Don’t let this happen to you.

Vobfus malware steals 25,000 student social security numbers

Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11. The warning informed them that information for over 25,000 persons, including social security numbers, had been breached. The breach was caused when malware, identified as Vobfus, infected the university’s human resources database.

Malware is often seen as a nuisance or a productivity inhibitor, but an infected computer can pose a much greater risk to organizations and it should not be overlooked. Malware gets behind the organization’s perimeter and it can act with the credentials of legitimate users, including administrators. Just because a system is behind a firewall or in a demilitarized zone doesn’t mean it is safe, as threats from the inside are just as virulent as those from the outside. Malware has recently been the cause of a number of data breaches at supermarkets, banking institutions and retailers.

Antivirus software is essential but it is only the first step in protecting against malware.  New malware and revised versions of existing malware are continually being released, and antivirus signatures will miss some malware, potentially even the most dangerous.  Understand what normal traffic looks like on your network so that abnormalities can be quickly identified.  Take notifications from users about suspicious activity seriously and consider implementing technologies that use behavior-based scans to detect viruses and intrusions.  Lastly, know what to do and who to call if there is a data breach.

Unencrypted data at HHS exposes 50,000 Medicaid providers

On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored unencrypted data of 50,000 Medicaid providers on a thumb drive that was to be transferred between facilities. However, the drive was lost along with the data it contained, which includes names, social security numbers, dates of birth and addresses of the 50,000 providers.

In last week’s article, titled “Data breach threats of 2013”, I cited breaches by third parties as one of the top three highest rated threats in the Deloitte survey of technology, media and telecommunications companies, and here is a perfect example of a third party data breach. As mentioned last week, organizations can conduct vendor risk management to reduce this threat. The vendor risk management process begins by evaluating the security of third parties that work with sensitive data, controlling what data they have access to, and conducting periodic audits to ensure that they maintain the same security standing.

Unfortunately, the North Carolina HHS assumed that their contractor, Computer Sciences Corporation (CSC), was taking adequate security precautions. HHS Secretary Aldona Wos said, “We expect my vendors to maintain the security of information.” However, N.C. HHS is only now requesting validation of these assumptions. Wos stated, “I have instructed CSC that North Carolina expects an independent third-party assessment to assure CSC’s adherence to required security standards.”

Awareness, DoS and third party breaches top security concerns of 2013

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media and Telecommunications (TMT) companies suffered a data breach.  88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking.  Rather, the three highest threats were employee errors and omissions, denial of service attacks and security breaches by third parties.

Awareness is a critical factor here and Deloitte lists it as one of the top three security initiatives of 2013. 70% of TMT companies responded in the survey that employee mistakes were an average or high vulnerability. The risks, as stated by Deloitte, include “talking about work, responding to phishing emails, letting unauthorized people inside the organization, or even selling intellectual property to other companies.” To counter this, companies are conducting awareness training, often through security firms with experience in the area, and creating materials that employees will see on a regular basis to remind them of their responsibility to protect the data they work with.

Denial of Service (DoS) attacks were also rated a high threat. DoS attacks overload targeted information systems, making them slow to respond to requests or taking them down entirely. Given the relative ease of conducting a DoS attack and the criticality of information systems to today’s businesses, it is no wonder that DoS makes the list. These attacks are often triggered by saying something that irks a hacker group or by opposing a hacker group or its interests. Organizations can protect themselves by monitoring the messages they send, especially through social networking, and by working out an incident response plan for handling a DoS attack that covers the public relations factors in addition to the technical ones.

Breaches by third parties are at the top of the list partly because the average company deals with so many third parties in the course of doing business.  In fact, 79% of respondents said the sheer number of third parties they deal with was an average or high threat.  With so many third parties, it is difficult to determine whether each has a sufficient level of security to adequately protect the data they work with and, as we all know, security is only as effective as the weakest link.  Organizations have responded by more thoroughly screening third parties and assigning them a risk rating for the type of data they will be working with, through a process called vendor risk management.  The third party then needs to demonstrate security that is in line with its risk rating.  This process is required by regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS) and the Health Information Portability and Accountability Act (HIPAA).

The threat landscape of 2013 continues to grow and companies are tasked with more responsibility to protect the data they work with. As can be seen from Deloitte’s survey, security awareness, denial of service and third party breaches are three major concerns for companies in 2013. To protect themselves, companies can conduct security awareness training, create incident response plans, and screen third parties who work with sensitive data.

The value of ePHI (electronic Protected Health Information)

On Wednesday I blogged about how hospitals are at the highest risk for data breaches. Some have emailed me asking why criminals would even care about Protected Health Information (PHI). Sure, it’s private information, but what use is it to a criminal? The Digital Health Conference last year discussed this question and a panel of cyber security specialists determined that a single PHI record is worth $50 on the black market. This is the same value given by Pam Dixon, executive director of the World Privacy Forum, in a 2007 interview. So what makes these records worth $50, a value higher than that of social security numbers or credit card information? Criminals can use a health record to make fake medical claims, purchase prescriptions or receive treatment under a false name. Since medical information cannot be “canceled” as easily as a credit card number, criminals have a much larger window in which to exploit the information.

For these reasons, PHI records are a tempting target for criminals, especially with the rising costs of health care. So, yes, you should be concerned about the disclosure of your medical records because it does present a real threat to patients. This is why it is so important for organizations that handle PHI to have adequate security controls in place, whether they’re clinics, medical billing, insurance providers, or business associates. Adhering to HIPAA helps, but being compliant doesn’t necessarily mean you are secure.

Another government data breach weakens public confidence

Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining personal information including names, social security numbers, driver’s license numbers, pictures, fingerprint and handwriting samples, dates of birth and family information for hundreds of DOE employees. The hackers did not gain access to classified information, which investigators believe was the target of the attack.

Until yesterday, the hacker group Anonymous was viewed as a potential perpetrator since one of their factions, Parastoo, claimed responsibility on pastebin.  However, the posted information was dated and investigators believe Parastoo is not responsible for the attack.  According to an article published on February 4 in the Washington Free Beacon, unnamed government officials confirmed that the attack involved a foreign nation state.  This nation state is most likely China based on repeated attempts by Chinese hackers to gain access to DOE information and the value such information has to Chinese efforts.  If so, this employee information will probably be used to launch further attacks and gain the confidence of DOE employees with access to sensitive information.

The DOE and FBI are still investigating the incident but speculation abounds as to how the attack on their systems took place including weak server security configurations, poor user training and an over-reliance on outdated methods.  The security of DOE systems has certainly been called into question and some suggest that government agencies such as the DOE should rely more on the help of industry experts and security firms.

What the changes in HIPAA Omnibus mean for you

The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013 designed to give patients additional rights to their health information and increase penalties to organizations that fail to protect Personal Health Information (PHI).  The rule goes into effect on March 26, 2013 and it includes some changes to data breach response requirements.

HIPAA required covered entities to conduct a risk assessment when a data breach occurs.  The risk assessment would determine whether the breach impacted an individual enough to require notification.  If the risk assessment determined that the risk was low, then the covered entity did not need to notify the individuals or the Office of Civil Rights (OCR).  According to HITECH Answers, the HIPAA Omnibus rule now requires that covered entities retain documentation on the risk assessment performed, which could be provided to the OCR if their decision not to notify is called into question; in other words, a burden of proof.  If the OCR finds that the covered entity did not meet the burden of proof, it may find the covered entity negligent and fine it accordingly or require it to perform corrective action.  The rule also adds new requirements for determining the harm to the individual.

Also of interest to HIPAA data breaches is the revised language that broadens the definition of business associates to include more downstream providers who touch PHI.  This increases the number of companies that will need to adhere to the HIPAA requirements.  These companies will need to become compliant before the rule takes effect but many may not even be aware that they will soon be subject to HIPAA.

Discussions continue on “hack back”

Back in November, I blogged about the hack back initiative here in the United States.  Well, similar debates are taking place in Canada.  In January of 2012, Public Safety Canada commissioned a report on hacking, specifically hacking related to online protesting and activism known as hacktivism.  The report recommended several exemptions to existing legislation to allow researchers, investigators and even journalists to hack into other computers.  Some of the hack back recommendations included allowing security researchers to attack and reverse engineer software in order to determine security concerns (Montreal Gazette), investigators to take additional actions in investigating attacks such as data breaches and malware and reporters to break into private computers to obtain information in the interest of public welfare (Postmedia).

Over the past year, a discussion has taken place between Public Safety Canada and the minister’s office on this subject, resulting in a decision by Public Safety Canada on January 16, 2013 to reject the recommendations. This is by no means a complete loss for those supporting hack back, since such large scale initiatives often take years to implement. Alana Maurushat, the author of the report, wrote, “no surprise that there is no inclination to take up recommendations…these things often take decades of slow changes.” The past year of discussion will increase awareness of the hack back initiative and I will most likely see other proposals in the future that will address the shortfalls of this proposal, which Public Safety Canada has not provided.