Tag Archives: security breach

Don’t let it happen to you

This is a time of year when we reflect on our personal and professional lives, and think about the coming years and what we want to accomplish. I’ve been thinking about this over the past couple of days… yesterday, an important news story about the 2013 Target security breach was published. The article states that Judge Paul A. Magnuson of the Minnesota District Court has ruled that Target was negligent in the massive 2013 holiday shopping season data breach. As such, banks and other financial institutions can pursue compensation via class-action lawsuits. Judge Magnuson said, “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.” I have provided a link to the article at the end of this message.

Clearly, this is really bad news for Target. This legal ruling may have a chilling effect on other merchant and retail organizations.

I don’t want you to experience what Target is going through. I changed jobs at the beginning of 2014 to help as many organizations as possible avoid major breaches that could cause irreparable damage. If you have a security supplier and service provider that is helping you, great. If you fear that your organization may be in the news someday because you know your security is deficient (or you just don’t know), we can help in many ways.

I hope you have a joyous holiday season, and that you start 2015 without living in fear.

http://www.infosecurity-magazine.com/news/target-ruled-negligent-in-holiday/

The security breaches continue

As of Tuesday, September 2, 2014, Home Depot was the latest merchant to announce a potential security breach.

These days, this means intruders have stolen credit card numbers from its POS (point of sale) systems. The details have yet to be revealed.

If there is any silver lining for Home Depot, it’s that another large merchant will probably soon announce its own breach. But one thing that’s going to be interesting with Home Depot is how they handle the breach, and whether their CEO, CIO, and CISO/CSO (if they have a CISO/CSO) manage to keep their jobs. Recall that Target’s CEO and CIO lost their jobs over the late 2013 Target breach.

Merchants are in trouble. Aging technologies, some related to the continued use of magnetic stripe credit cards, are making it easier for intruders to steal credit card numbers from merchant POS systems. Chip-and-PIN cards are coming (they’ve been in Europe for years), but they will not make breaches like this a thing of the past; rather, organized crime groups, which have made a lot of money from recent break-ins, are developing more advanced technologies like the memory scraping malware that was allegedly used in the Target breach. You can be sure that there will be further improvements on the part of criminal organizations and their advanced malware.

A promising development is the practice of encrypting card numbers in the hardware of the card reader, instead of in the POS system software. But even this is not wholly secure: companies that manufacture this hardware will themselves be attacked, in the hope that intruders will be able to steal the secrets of this encryption and exploit it. In case this sounds like science fiction, remember the RSA breach, which was very similar.

The cat-and-mouse game continues.

A perspective on endpoint security

I’m preparing a webinar on endpoint security and was thinking about the problem while on a flight to Chicago. Consider it this way: in an organization with 10,000 employees, you’ve got your servers in the data center managed by IT. But you’ve got 10,000 more machines with the same – or more – complexity than those servers. These machines also have access to sensitive data and often store it themselves.

But there’s more. Those 10,000 machines are managed by non-technical people who have the same system-level privileges as trained and certified system engineers. And not only that, but those 10,000 machines are not in your data center but out of your physical control, often operating in external environments away from really important network security controls such as firewalls, data leakage prevention, command & control detection, and intrusion prevention systems. These are our endpoint systems. Is it any wonder we are living in the era of colossal security breaches?

This is insanity, but there is a way out.

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind, other people will try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problem of residential burglary is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly into information systems. That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and maybe only by a small margin.

  • We must protect all systems. An intruder will attack the system of his choosing.
  • We must protect from all types of attacks. An intruder will use an attack method of his choosing.
  • We must protect our systems at all times. An intruder will attack at a time of his choosing.
  • We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
  • We must obey all laws when defending our systems. An intruder may break any law of his choosing.
  • The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
  • Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

Not if, not when, but how many times

There have been so many large security breaches this year, affecting so many sectors of the U.S. population, that I’m beginning to wonder how many times my identity has been compromised. There’s the Veterans Administration, TSA, Chicago Board of Elections, Los Angeles County Child Support Services, and TJ Maxx alone, and so many more that I’ve lost count.

There is a pretty decent web site that chronicles security breaches here (link below).

Identity thieves primarily want to steal enough elements of your identity to be able to establish credit in your name, which they use to obtain cash and marketable merchandise. They don’t pay the bills, but leave it to you, in whose name their credit cards were opened.

There are several things you can do to protect your identity, including:

  1. Set up a fraud alert with one or more of the three credit bureaus (Experian, TransUnion, Equifax). This will alert you to any changes in your credit file.
  2. Examine your credit report carefully at least once per year.
  3. Close credit accounts that you no longer use.
  4. Consider getting your mail at a PO Box or a Private Mail Box (PMB), to reduce the possibility of mail theft.
  5. Reduce or discontinue your use of credit.
  6. Pay cash.

Articles here:

http://www.yourcreditadvisor.com/blog/2007/07/how_many_times.html

http://www.privacyrights.org/ar/ChronDataBreaches.htm

TSA loses hard drive containing data on 100,000 employees

The Transportation Security Administration, the branch of the U.S. federal government responsible for airline passenger safety, has reported that a hard drive containing personal data on about 100,000 employees has been lost and remains unaccounted for.

TSA management sent a letter to TSA employees on Friday, informing them of the potential breach of security.

It has not been determined whether the hard drive was lost, or stolen.

The FBI and the U.S. Secret Service have been asked to investigate.

TSA’s website has a new entry informing employees about the matter and directs them to information about identity theft.

TSA Employee Security Incident

Rep. Sheila Jackson Lee, D-Texas, whose Homeland Security subcommittee oversees the TSA, has indicated her desire to hold hearings on the security breach. She stated that Homeland Security buildings are part of the critical infrastructure the agency is charged with protecting.

Stories on this incident:

http://seattletimes.nwsource.com/APWires/headlines/D8OU71L80.html

http://news.yahoo.com/s/ap/20070505/ap_on_go_ca_st_pe/tsa_missing_data_19

Commentary:

This is another in a long series of mishaps in which computer-based data has been misplaced, lost, or stolen. Each one raises the fear that the information may fall into the hands of identity thieves, leading to the costly and time-consuming identity theft incidents that now plague millions of U.S. residents and millions more around the world.

No type of institution is immune to such incidents. Despite elaborate measures, sometimes we lose things. We started when we were children and we still struggle to keep track of our things. History is peppered with innumerable tales about lost and misplaced money, jewels, people, and objects of every size, shape, and type. I don’t think we’re going to solve this any time soon.

The latest identity theft risk… copiers??!!

Back in olden times when copiers were just copiers, the biggest security risk was forgetting to pick up your copies – or walking away after the paper ran out with the last page still on the drum.

It’s all different now. Today, copiers are multi-function devices (MFD’s) that are a combination scanner, printer, and hard drive, connected to the office (or home) data network.

Did you say “hard drive”…??

Yes, the newest copiers have hard drives in them. Often, copiers store images of what they’re copying or printing on the hard drive, and who knows how long those images remain there. But that’s not my biggest concern.

As I mentioned, these copiers also function as network-connected printers, not unlike regular printers that are on the network. You open a file and click File > Print > and select that printer down the hall. Well, that printer is increasingly the office copier as well.

Here’s the risk: any time you connect a new sort of technology (like copiers) to a network, there is the risk that the device could have a defect or vulnerability that would permit a smart and malicious person to exploit it. In the case of a copier, such a person would want to figure out how to get to the images that were stored on the copier’s hard drive, or worse yet, figure out how to break into the copier (over the network) and get the copier to send him (or her) everything that others are printing and copying.

Sound outrageous? It’s not. Such break-ins have occurred with regularity over the past 30 years. Copiers are just computers, and I’m willing to bet that a copier with a hard drive is nothing more (or less) than a Windows or Linux system with special hardware. If I’m right, then there’s a decent chance that we’ll begin to hear about vulnerabilities and perhaps even exploits with copiers in the near future.

[Image: a very old copier.] The copier in this picture probably does not have a disk drive inside.