Saturday, September 25, 2010
Thursday, March 11, 2010
sentenced Thursday in Boston to 46 months in prison and fined $75,000
http://ping.fm/iuqkF
Sunday, March 7, 2010
Can you protect yourself on Social Media?
- Lack of privacy
- Encouraging information sharing
- Giving away answers to security questions
- Social engineering
As we have seen recently, a lot of spam, spyware and malware is targeting social networks. Just in the past week I have probably gotten 100 friend requests on Facebook from people I do not know, and funny enough, all of the messages have the exact same personal message. Malicious people are attracted to social networks because of the ease of gaining trust and the availability of data for social engineering. Relationship building is easier through social media, which can easily lead to phishing attacks.
With these sites, people install applications without knowing what goes on in the background, and it's easy to download malicious code to your computer. There are no external third-party audits of these applications before they make it to your Facebook application list. Your computer can be easily infected by a virus or spyware.
What can the social media user do to protect their information?
No personal information - This is anti-social networking, but there are things you can limit about what you post. Don't post your birthday! Or your address, or your mother's middle name, or any really personal data.
Limit who can view and contact you - Don't let your profile be truly public; restrict it to people you know, including who is allowed to send you requests. Remember you can't retract information once you put it out there.
Don't trust strangers - Your mother was right, don't open the door to strangers. Limit who you accept chat or friend requests from, as well as who you even communicate with.
Trust no one - People lie, it's sad but true. So profiles lie; they might say they went to your college or high school. They might be interested in your groups, so don't take anyone at their word.
Restrict your privacy - There are some configuration settings in all the social media applications that allow you to turn on restrictions on your privacy. Take a minute to actually look at them. One easy example: in Facebook you can create groups that you place friends in, because you don't want business contacts seeing what your friends are posting.
Password management - An oldie but a goodie: always use a strong password and don't share it. And change it periodically.
Layers of protection - You should be running a personal firewall and antivirus software on the machine you are using to view social networks. This will help if a malicious piece of software tries to download something to your machine. Keep your protection software up to date as well, and run the patch management software on your machine; this is especially important for Windows users.
Child protection software - You should have some kind of child protection software running on machines used by children under 13. This will help with all that shady software that is out there.
Gary Bahadur
http://twitter.com/kraasecurity
Address: 200 Se 1st St #601 Miami FL 33131
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
Wednesday, January 27, 2010
What is the cost of a Data Breach?
SC Magazine just reported that the Ponemon Institute has determined the cost of a data breach is $204 per record. "Data breaches last year cost organizations $204 per exposed record on average, which represents an almost two percent increase over 2008, according to the fifth annual "Cost of Data Breach" study released on Monday by the Ponemon Institute... The study, which examined the experiences of 45 U.S. companies that suffered breaches last year, also found that the number of data breaches that were caused by malicious attacks and botnets doubled from 12 percent in 2008 to 24 percent in 2009. In addition, data breaches caused by malicious attacks cost organizations 30 to 40 percent more on average than those caused by human negligence or by IT system glitches." There are a number of ways to protect your data in transit, such as PGP encryption, but when a company loses data, there isn't much the end user can do to protect themselves.
That's a lot of money. If we look at the data breach at Heartland, which was over 100 million records, that, well, let me do the math, may take a minute. It's $20,400,000,000. That's a lot of money. Considering I was most likely a Heartland shopper, I do not recall getting a check from anyone for $204. I will not hold my breath for that. We all asked whether retailers like Heartland and TJ Maxx had a PCI audit done. Would this have protected our information?
So far, I am pretty sure I received a letter offering me free 2-year credit monitoring from Chase, Citibank, Bank of America and Countrywide because they lost my records. I am waiting for my check for $204 from each of those companies. Also, over the past few years I have had to have my credit cards replaced with Chase, American Express, and several Visa versions. So I am still waiting for those $204 checks. Maybe in total I am owed about 9 x $204 = $1,836. That will be a nice check when I get it.
Security Requirements
So what can a company do to help reduce these data breaches? The easy answers, which are nonetheless rarely implemented, include:
1) Encryption of back-up data and tapes
2) Conduct yearly Vulnerability Assessments
3) Conduct Quarterly or Monthly Vulnerability Scanning
4) Implement a Data loss prevention solution
5) Go through a PCI Audit or HIPAA Security Assessment yearly
Regards
Gary Bahadur
http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning
Monday, November 30, 2009
Ponemon Institute Cyber Mega Trends
Regards
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning
++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009
The Cyber Security Mega Trends Study was conducted by Ponemon Institute and sponsored by CA to better understand if certain publicized IT security risks are, or should be, more or less of a concern for organizations in the federal sector. We believe the results of our study will be helpful to organizations struggling to understand how they should allocate resources to help ensure their information systems are adequately protected.
Based upon in-depth interviews with IT security experts in application security risk assessment and prior Institute research, we focus on 10 cyber security mega trends in this study. Each mega trend is believed to significantly affect an organization's security ecosystem.
Cloud computing – refers to distributed computing solutions that can be owned by third parties at data center locations outside the organization's IT infrastructure.
Virtualization – refers to enabling technologies that allow end-users to access multiple secure networks from a single computer, wherein the PC or laptop essentially acts as the authenticating device.
Mobility – refers to a workforce with access to information no matter where they work or travel and wherein employees can use mobile devices when they travel or work at home: laptops, smart phones, PDAs, memory sticks and more.
Cyber crime – usually describes criminal activity in which the computer or network is an essential part of the illegal criminal activity. This term also is used to include attacks in which computers or botnets are used to enable illicit activity such as data theft or denial of service attacks.
Cyber terrorism – is a specific form of cyber crime in which the end goal is to disrupt or harm a targeted country or region of the world. This term also is used to describe attacks that attempt to steal national secrets including information that minimizes a nation’s defense or economic posture.
Open source – is computer software for which the source code and certain other rights normally reserved for copyright holders are provided under a software license that is in the public domain. This permits users to change and improve the software, and to redistribute it in modified or unmodified forms.
Data breach – is defined as the loss or theft of information about people and households. A majority of U.S. states now require organizations to notify individuals when their information is lost or stolen.
Unstructured data – is electronic information on file servers and other storage devices that is not stored in a database or other structured format, usually resulting from workplace collaboration tools such as SharePoint.
Outsourcing – usually pertains to the transfer of sensitive and confidential information to third parties for data processing or other activities. Outsourcing is done to reduce processing costs and improve operating efficiencies.
Web 2.0 – refers to a plethora of Internet tools that enhance information sharing and collaboration among individuals. These concepts have led to the evolution of web-based communities and hosted services, such as social networking, social messaging, wikis and blogs.
Thursday, November 12, 2009
HIPAA Vendor Compromised Healthcare Records
The Web site, which was maintained by an outside vendor, had Social Security numbers of current and past employees and individuals who received job offers from the insurer, the AP reported.
The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn't know how many were copied, but the site has been disabled and is undergoing a "thorough forensic review" (or, you could say, a network security audit) by an outside company.
So here we have a health insurer compromising personal data. People already receive so much spam email that any real email is suspect. When your provider Aetna appears to be sending you legitimate emails, that can get confusing.
As noted in the article: "This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee's laptop computer containing certain personal member information was stolen from a car in a public parking lot."
If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, it's very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.
Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning