Tag Archives: cyber security

Security remains a complex discipline. This ever-changing challenge grows in complexity daily as new threats emerge and compliance requirements increase. Several regulations, including HIPAA, require organizations to have a person whose role is to ensure compliance within the organization. This is why organizations need a designated person with primary responsibility for security and compliance. This person is the Chief Security Officer (CSO).

The Role of a Chief Security Officer

A Chief Security Officer or CSO is first and foremost a business leader in the organization. He or she sets the…

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft. The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million. Hackers gained unauthorized access to credit card processing companies and conducted what hackers term an “unlimited operation”. An unlimited operation is an attack in which debit card account balances and withdrawal limits are removed. In this case, attackers performed an unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and PINs…

The Florida Department of Juvenile Justice (DJJ) had a mobile device containing 100,000 youth and employee records stolen on January 2, 2013. The device was unencrypted and not password protected, despite a DJJ policy requiring both encryption and password protection on mobile devices. This latest breach further demonstrates the importance of encrypting mobile devices but, more importantly, it shows that a policy alone is not enough. Organizations and government agencies need to make sure that employees are aware of and adhering to their policies. Without this, such policies are…

Salem State University in Massachusetts issued a data breach warning to faculty and students on March 11. The warning informed them that information for over 25,000 persons, including social security numbers, had been breached. The breach was caused when malware, identified as Vobfus, infected the university’s human resources database. Malware is often seen as a nuisance or a productivity inhibitor, but an infected computer can pose a much greater risk to organizations and it should not be overlooked. Malware gets behind the organization’s perimeter and it can act with the…

Eric Vanderburg

I will be presenting at the ISACA CPE & Social Event - Cyber Forensics & Cleveland Cavaliers vs. Miami Heat Basketball Outing today at 3:00 PM. The topic is "Cyber Forensics: Collecting evidence for today’s data breaches" and it should be an enjoyable talk. Many forensic techniques focus on obtaining data from local machines, servers or data storage equipment, but evidence for modern attacks often resides in many places and the techniques for obtaining this data go beyond those used in the typical forensic investigation. In this presentation,…

On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored unencrypted data of 50,000 Medicaid providers on a thumb drive that was to be transferred between facilities. However, the drive was lost along with the data it contained, which includes names, social security numbers, dates of birth and addresses of the 50,000 providers. In last week’s article, titled Data Breach Threats of 2013, we cited breaches by third parties as one of the top three highest rated threats in the…

A recent study by Deloitte, titled Blurring the lines: 2013 TMT global security study, shows that 59% of Technology, Media, and Telecommunications (TMT) companies suffered a data breach. 88% of these companies do not believe that they are vulnerable to an external cyber threat such as hacking. Rather, the three highest threats were:

Employee errors and omissions
Denial of service (DoS) attacks
Security breaches by third parties

Employee errors and omissions

Awareness is a critical factor here, and Deloitte lists it as one of the top three security initiatives of…

Some have emailed me asking why criminals would even care about Personal Health Information (PHI). Sure, it’s private information, but what use is it to a criminal? The Digital Health Conference last year discussed this question, and a panel of cyber security specialists determined that a single PHI record is worth $50 on the black market. This is the same value given by Pam Dixon, executive director of the World Privacy Forum, in a 2007 interview. So what makes these records worth $50, a value higher than that of social security…

Two weeks ago hackers took control of 14 servers and 20 workstations at the U.S. Department of Energy (DOE), obtaining personal information including names, social security numbers, driver’s license numbers, pictures, fingerprint and handwriting samples, dates of birth and family information for hundreds of DOE employees.  The hackers did not gain access to classified information which investigators believe was the target of the attack. Until yesterday, the hacker group Anonymous was viewed as a potential perpetrator since one of their factions, Parastoo, claimed responsibility on Pastebin.  However, the posted information…

The Department of Health and Human Services (HHS) released the HIPAA Omnibus rule on January 17, 2013, designed to give patients additional rights to their health information and increase penalties to organizations that fail to protect Personal Health Information (PHI).  The rule went into effect on March 26, 2013, and it includes some changes to data breach response requirements. HIPAA required covered entities to conduct a risk assessment when a data breach occurs.  The risk assessment would determine whether the breach impacted an individual enough to require notification.  If the…