Posts Tagged ‘data security’

Heartland Shares Advice on Data Breaches

Monday, August 17th, 2009

Earlier this year, we posted about one of the largest data breaches to ever come to light: the Heartland Payment Systems breach that affected as many as 100 million and cost the company $12.6 million in legal costs and fines from MasterCard and Visa.

Heartland CEO Robert Carr is now opening up about the security breach, hoping other companies can learn from Heartland’s experience.

Carr explains why he believes the PCI compliance auditors failed the company, why Heartland chose to inform customers of the breach before the media, and what other companies can learn from these issues.

Essentially, Carr says the QSA (Qualified Security Assessor) audits of their systems were of no value, since the assessors failed to detect the security holes that were exploited.

“To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware.”

Carr was surprised to learn that others knew of this attack vector and that the information had not been shared. Carr says he now understands the “limitations of PCI” and the assessment process. The problem with any set of standards, in any industry, is that meeting its compliance measures can give companies a false sense of security if those measures are not kept up to date. Heartland learned the hard way that “PCI compliance doesn’t mean secure.”

In the rest of the interview, Carr shares how Heartland has spent $32 million to upgrade its security at all levels, making sure that data is secure and encrypted wherever it resides. Heartland’s best advice to other companies experiencing a breach is to be up front with customers. After the breach, all Heartland employees were advised to tell customers what it meant for them and to be the point of contact for customers (rather than the press). “Being candid has been key.”


Microsoft’s 6th Security Intelligence Report

Wednesday, April 15th, 2009

Microsoft just released the 6th volume of its Security Intelligence Report (SIR), which provides perspective on the changing threat landscape in terms of software vulnerability, malware, and the changing face of threats and countermeasures.

The SIR indicates that malicious software infected different versions of Windows at different rates: Windows Vista had lower infection rates than every version of Windows XP. The data, which is based on millions of Windows users, indicates that total vulnerability disclosures were on the decline while the number of high-severity disclosures was increasing each quarter. More than 90% of the vulnerabilities disclosed affected applications or browsers rather than the operating system.

In the second half of 2008, there was a rise in rogue security software, which is software that poses as anti-malware or anti-spyware but in fact may do nothing or may itself be malware. Be sure to download your software only from trusted sources!

The report looks at data breach incidents from the OSF Data Loss database, indicating that in the second half of 2008, 33.5% of all data loss incidents were attributable to equipment theft, including theft of laptops. Adding equipment loss brings that total to 50%. Be sure to secure your laptops, and to be able to see whether your computers have the latest software updates, with our Computrace laptop security solution.


SIR Volume 6, which tracks data between July and December 2008, can be downloaded here.

Via technet

Keeping Healthcare Data Secure

Tuesday, April 14th, 2009

Absolute Software has released a list of the Top Five Healthcare Practices for Keeping Data Secure. These best practices will be valuable as healthcare moves forward with technology, particularly since the American Recovery and Reinvestment Act (ARRA) was signed in February.

  1. Know the consequences of a data breach
  2. Assess your organization’s situation
  3. Implement a comprehensive data security plan
  4. Secure data on mobile computers
  5. Create a data breach policy

Learn more about these 5 steps and ARRA here.

Considering that the most recent hospital data breach in Miami has affected 200,000 people, and that data breaches in healthcare are more costly than breaches in other sectors, it’s a good idea to take all the steps you can to protect the data of your patients, clients and employees in this sector. A data breach is costly in any sector, but it’s important that you understand how a data breach can impact your sector and how it can be prevented.


Don’t Ignore Physical Data Management

Friday, March 27th, 2009

Normally we hear about the massive data breaches that happen due to some loss of electronic data – whether it’s a lost data storage device or laptop, or hacking. However, we can’t forget that paper records can be breached too. This week there were four reports of data breaches resulting from mishandled paper.

  1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked.
  2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A doctor has admitted to his mistake in improperly disposing of the files.
  3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft.
  4. A Dallas man found a box of medical records, including Social Security Numbers, in the parking lot at a storage business. The storage unit, belonging to a doctor, had been broken into and the records left out.

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net; image: clarita @morguefile

Mitigating Risks of Insider Data Theft

Friday, February 20th, 2009

Cisco recently released a whitepaper about data leakage and insider threats. Several predictions for 2009 have indicated that, particularly with the uncertain economic climate, insider data breaches would become more of an issue. With 88% of respondents admitting they’d take sensitive information if they were laid off, this is a clear and present threat to data security.

In 2008, insider theft accounted for 15.7% of data breaches, and 43% of surveyed companies had experienced fraud, theft or losses as a direct result of employees with access to sensitive data.

Bruce Schneier recently addressed the issue of insiders, which he points out are a perennial problem for organizations. Insiders have the means and opportunity to breach data – intentionally or not. The concern raised lately is an increase in intentional data theft or fraud.

“With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks. This is one of the most significant threats companies face” – Microsoft’s Doug Leland

So, given that you need to trust your employees in order to keep your company running, how do you go about addressing the problem of inside threats? Schneier recommends 5 basic techniques, many of which we’ve talked about here on the Absolute blog:

  1. Limit the number of trusted people
  2. Ensure that trusted people are also trustworthy
  3. Limit the amount of trust each person has
  4. Give people overlapping spheres of trust
  5. Detect breaches of trust after the fact and prosecute the guilty

You can read these recommendations in detail here. Hopefully it will give you some ideas about how to prepare for insider issues. Just like with all security planning, it’s about being prepared and about having multiple layers of security in place.
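As an added illustration (not part of Schneier’s essay or the original post), the following Python sketch shows how four of the five techniques look once they are turned into access-control logic: a small roster of trusted users (1), per-role permissions that grant only what each role needs (3), a dual-control rule that requires a second person from a different role before a sensitive action proceeds (4), and an audit log that is reviewed after the fact for denied attempts and repeat offenders (5). Technique 2, vetting that trusted people are trustworthy, is a people process and has no code equivalent here. The roles, users and action names are hypothetical and constructed for this example.

```python
"""Added illustration of Schneier's trust-limiting techniques as access-control logic.
Constructed example (Python 3 standard library only); the roles, users and
actions are hypothetical and not taken from any real system."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Technique 3 (limit the amount of trust each person has): a role grants only
# the actions it needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst":  {"read_record"},
    "clerk":    {"read_record", "export_records"},
    "approver": {"read_record", "approve_export"},
}

# Technique 4 (overlapping spheres of trust): these actions need a second
# person holding the listed approval permission, so nobody acts alone.
DUAL_CONTROL: Dict[str, str] = {"export_records": "approve_export"}


@dataclass
class AuditEvent:
    actor: str
    action: str
    target: str
    approver: Optional[str]
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    # Technique 1 (limit the number of trusted people): this map is the whole
    # population of trusted users, so keeping it short is a policy decision.
    roles: Dict[str, str]
    # Technique 5 (detect breaches after the fact): every decision, allowed or
    # denied, is appended here for later review.
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _permitted(self, user: str, action: str) -> bool:
        return action in ROLE_PERMISSIONS.get(self.roles.get(user, ""), set())

    def request(self, actor: str, action: str, target: str,
                approver: Optional[str] = None) -> bool:
        """Decide one request and record the decision; returns True if allowed."""
        allowed, reason = False, ""
        if not self._permitted(actor, action):
            reason = "action outside actor's role"
        elif action in DUAL_CONTROL:
            needed = DUAL_CONTROL[action]
            if approver is None:
                reason = "dual-control action needs an approver"
            elif approver == actor:
                reason = "actor may not approve own request"
            elif not self._permitted(approver, needed):
                reason = "approver lacks approval permission"
            else:
                allowed, reason = True, "approved under dual control"
        else:
            allowed, reason = True, "within role"
        self.audit_log.append(AuditEvent(actor, action, target, approver, allowed, reason))
        return allowed

    def denied_events(self) -> List[AuditEvent]:
        """Denied attempts are the first thing a post-incident review pulls."""
        return [e for e in self.audit_log if not e.allowed]

    def repeat_offenders(self, threshold: int = 2) -> List[str]:
        """Actors with at least `threshold` denials, worth a closer look."""
        counts: Dict[str, int] = {}
        for e in self.denied_events():
            counts[e.actor] = counts.get(e.actor, 0) + 1
        return sorted(a for a, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    ac = AccessControl(roles={"alice": "clerk", "bob": "approver", "carol": "analyst"})
    ac.request("alice", "export_records", "customer_db")                    # denied: no approver
    ac.request("alice", "export_records", "customer_db", approver="alice")  # denied: self-approval
    ac.request("alice", "export_records", "customer_db", approver="bob")    # allowed
    for event in ac.audit_log:
        print(event)
    print("repeat offenders:", ac.repeat_offenders())
```

The point of keeping `request` as the single gate is that the audit log is complete by construction: there is no code path that performs an action without writing the decision down, which is what makes the after-the-fact review in technique 5 possible.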

—-

In other news, there have been a high number of data breaches thus far in February (see latest incidents). One getting a lot of attention is from the Federal Aviation Administration (FAA) that affects 45,000 FAA employees.


The Top 10 Ways Your Privacy Is Threatened

Friday, February 13th, 2009

It was Data Privacy Day on January 28th and Canada’s Privacy Commissioner put together The Top 10 Ways Your Privacy Is Threatened in order to commemorate the occasion.

Data Privacy Day was marked on January 28th in Canada, the United States and in 27 European countries. It is a day meant to remind us that data privacy is important and that we should all be better advocates for it. As the Canadian government notes:

“Every day, we see headlines about sophisticated phishing attacks, enormous data breaches, in both the public and private sectors, and the proliferation of identity theft. It is no coincidence that as businesses began to recognize the immense potential of personal data in their efforts to connect with customers, so too did criminals begin to realize its value.”

Here is what the Canadian government suggests are the 10 ways your privacy is threatened:

  1. People need to stand up for their privacy as a right
  2. Information flows too freely with privacy protection laws being unequal around the world
  3. Identity theft is a lucrative business
  4. Cybercrime and physical data theft (laptop theft, unshredded documents)
  5. Data breaches in all sectors and a lack of reporting requirements – so you may never know
  6. Businesses collecting, but not protecting, data
  7. Governments collecting data for national security and public safety
  8. Information posted on social networking sites without reviewing privacy policies or privacy settings
  9. Information you submit to new applications, online games or online shopping
  10. Surveillance cameras, swipe cards, Internet searches

Whitehall Loses a Laptop a Day

Thursday, January 15th, 2009

The Liberal Democrats in the UK have publicized the results of their research into computer security across Whitehall. According to their results, 3,000 computers have been lost or stolen across Whitehall in the past 7 years. That’s a staggering average of at least one computer lost per day. The figures for 2008 alone include 238 laptops and 40 desktops missing or stolen, only a very minor improvement in Government laptop security despite continued public breaches, promises of security upgrades, and even laptop bans.

The figures, which were released in Parliamentary answers, include:

  • Since 2002, 1,774 laptop computers and 1,035 desktop computers have been lost or stolen across Government, at a rate of nearly five a week and three a week respectively
  • In 2008 (as of December 29), 238 laptops and 40 desktops went missing
  • Since 2002, 676 mobile phones, 202 hard drives and 195 memory sticks have also been lost or stolen
  • The worst offenders are the Ministry of Defence (which handles very sensitive information), which has had 866 laptops stolen and has lost 178, as well as 157 desktops stolen and seven lost

Liberal Democrat Home Affairs Spokesman, Paul Holmes said:

“Everyone understands that things go astray but it is truly staggering that over the last seven years a laptop has been lost every working day across government.

It demonstrates a culture of carelessness across Whitehall that ministers have done nothing to curtail.”

It is clear that fundamental changes need to happen in the Government in terms of the way data is handled. This includes a ‘culture of change’, changing attitudes and knowledge of security practices, as well as upgrading technology that protects data devices (like Absolute’s Computrace can).

Also in troubling Government security news, the IRS in the US has failed to patch more than half of the cybersecurity problems identified in November. Only 49 of the 115 issues found by the Government Accountability Office have been addressed. Read more here…

Via Daily Mail, ITV; image: mconnors @morguefile

Document Retention Policy

Friday, November 21st, 2008

Document retention means understanding what documents to keep, for how long, and how to destroy what you no longer need. This is an area Michael Overly recently explored, providing a series of tips about basic elements to be considered in a document retention program. Using those tips as a jumping off point, and supplementing with other research, I came up with this list.

10 basic elements of a good document retention policy

  1. Understand what documents to keep, looking first at the type of record (employment, accounting / tax, legal, electronic). Understand legal requirements, as well as business requirements, as to how long to keep documents. In the master policy, list the rationale for any decisions made for each type of information. The retention period for each type of document should be listed.
  2. Electronic document retention should be clearly defined on its own, particularly as it pertains to email and IM. List the location where electronic information will be stored and the policies that apply to backup tapes.
  3. Define how data is disposed of – for both physical and electronic information. This includes how information is shredded and disposed of, how old electronic devices are purged and/or resold, how electronic information is purged from the network, etc.
  4. Choose a storage / backup method that matches the continued demand for information. Accessing backup tapes is not cost effective, so retain information in a way that makes sense for its use.
  5. Restrict the copying of data so that it cannot be duplicated to local machines (if desired) and/or to restricted devices such as USB keys or mobile devices.
  6. Detail the actions associated with the policy – for example, if email more than X days old is to be deleted, state that the network will automatically perform this function.
  7. Define disposable documents – those documents that don’t need to be retained, for example duplicates or “trivial” documents.
  8. Assign a process to preserve documents, and exempt them from regular disposal, if a legal claim arises.
  9. Assign a person or group to maintain the program and answer questions.
  10. Audit the program regularly to ensure the program has been implemented correctly and that it stays up-to-date with changes in the business or legal environment.
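Items 6 and 8 describe the automated side of such a policy: scheduled disposal that the system performs on its own, and a legal hold that must exempt specific records from that schedule. The following Python sketch is an added example, not part of the original post or of Michael Overly’s tips, of how a retention sweep can implement both rules safely. The record types, retention periods and sample records are hypothetical and constructed for this illustration; a real schedule comes from the master policy in item 1.

```python
"""Added example of an automated retention sweep with legal-hold exemption
(items 6 and 8 of the list above). Constructed illustration in Python 3 using
only the standard library; the record types, retention periods and sample
records are hypothetical, not taken from any real policy."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Retention schedule per record type, in days (hypothetical values). The master
# policy (item 1) is where the real periods and their rationale live.
RETENTION_DAYS: Dict[str, int] = {
    "email":      365,        # item 2: electronic records get their own rule
    "accounting": 7 * 365,
    "employment": 6 * 365,
    "trivial":    0,          # item 7: disposable as soon as it is classified
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    created: date


def disposal_date(rec: Record) -> Optional[date]:
    """Earliest date the record may be disposed of, or None if its type is not
    in the schedule (unknown types are never auto-deleted)."""
    days = RETENTION_DAYS.get(rec.record_type)
    if days is None:
        return None
    return rec.created + timedelta(days=days)


def sweep(records: List[Record], legal_holds: Set[str],
          today: date) -> Tuple[List[str], List[str], List[str]]:
    """Classify records into (dispose, retain, review) lists of record ids.

    A legal hold (item 8) overrides the schedule, and an unknown type is routed
    to the policy owner (item 9) instead of being deleted. The function only
    decides; the caller logs the decision and then deletes, which keeps the
    sweep auditable (item 10).
    """
    dispose: List[str] = []
    retain: List[str] = []
    review: List[str] = []
    for rec in records:
        due = disposal_date(rec)
        if due is None:
            review.append(rec.record_id)
        elif rec.record_id in legal_holds:
            retain.append(rec.record_id)
        elif due <= today:
            dispose.append(rec.record_id)
        else:
            retain.append(rec.record_id)
    return dispose, retain, review


# Constructed sample inventory, evaluated as of a fixed date so runs are repeatable.
SAMPLE_RECORDS = [
    Record("mail-001", "email", date(2007, 6, 1)),       # past retention
    Record("mail-002", "email", date(2008, 6, 1)),       # still within retention
    Record("mail-003", "email", date(2007, 1, 1)),       # past retention but on legal hold
    Record("acct-001", "accounting", date(2003, 1, 1)),  # 7-year period not yet up
    Record("tmp-001", "trivial", date(2008, 12, 31)),    # disposable immediately
    Record("img-001", "photo", date(2005, 1, 1)),        # type not in the schedule
]
SAMPLE_HOLDS = {"mail-003"}
AS_OF = date(2009, 1, 1)

if __name__ == "__main__":
    to_dispose, to_retain, to_review = sweep(SAMPLE_RECORDS, SAMPLE_HOLDS, AS_OF)
    print("dispose:", to_dispose)
    print("retain: ", to_retain)
    print("review: ", to_review)
```

Two design choices matter here. The hold check runs before the date comparison, so a record under hold can never fall through to disposal however old it is, and a record whose type is missing from the schedule is surfaced for review rather than silently kept or deleted, which is the failure mode an unattended deletion job most needs to avoid.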

Supplemental research sources: NFIB, IT World, uofaweb, Microsoft, abanet. Image: ppdigital @morguefile

ICO to CEOs: Step Up

Wednesday, October 29th, 2008

The Information Commissioner’s Office (ICO) in the UK, led by Information Commissioner Richard Thomas, has made a public statement calling on CEOs to take responsibility for data protection safeguards.

The Information Commissioner, Richard Thomas, announced that the number of data breaches reported since November 2007 has reached 277. November 2007 marks when HMRC lost 25 million child benefit records (story here). Of those 277 breaches, 28 are attributed to the central government. The ICO is investigating 30 of the most serious breaches of this past year.

In a speech delivered to the RSA Conference, Commissioner Richard Thomas talked about the state of data security, or “data insecurity”, as he put it. The HMRC data breach of 25 million child benefit records merely brought the existing data security issues to public and political attention, Thomas notes.

“The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total.”

Arguing that information can be a “toxic liability” as well as an asset, Richard Thomas challenges CEOs to ensure that they are minimizing the amount of data they hold and that appropriate data security measures are being taken. He says this responsibility lies with the CEO, not with the IT department or other staff.

“It’s no good saying the IT boys are looking after this, it’s no good saying the lawyers are sorting out the policies, it’s no good saying human resources are doing the training – it’s right across the organisation.”

Richard Thomas notes that personal information is the lifeblood of both government and business, but that more responsibility needs to be taken to assure that data remains safe. The first step in that is to understand the risks being faced associated with the vast centralized stores of data and its portability across networks and devices.

The ICO continues to offer advice on data security, from the encryption of laptops to improved data access policies. As noted several times by the ICO in their report, the actual figures for data breaches are probably much higher than 277. Currently there is no legal obligation to report data losses in the UK, and many data breaches may go undetected.

Out of the 277 reported breaches, 67 were due to the loss or theft of a computer or laptop. The National Health Service (NHS), the worst breach offender so far for 2008 with 75 breaches, has had 27 of those breaches the result of lost or stolen computers. Learn how Computrace can help provide multi-layered security solutions for your computers here.

Via BBC

10 Common Risks Employees Make that put Data at Risk

Friday, October 10th, 2008

Cisco announced the findings for a new study about data loss and its sources. The survey, conducted by InsightExpress of more than 2000 employees, outlines 10 common risks and mistakes employees make that put data at risk. The study, which was conducted across 10 countries, also found that behavioral risks of employees can vary by country and culture. 100 employees and 100 IT professionals were surveyed in each country.

The study was commissioned in order to understand the risks of an increasingly distributed and mobile business force. With the lines between work life and personal life blurring on a global scale, there are new risks. The collaborative tools that make this type of workforce possible also pose new challenges. Given that security is not just about technology, but about people and their behavior, this is a very interesting examination of the behavioral side of risks to data loss. The results could help businesses better tailor their security policies.

The 10 most noteworthy risks and mistakes by employees were:

  1. Altering security settings on computers – 20% of employees bypass IT policy to access unauthorized websites
  2. Use of unauthorized applications – 70% of IT professionals said unauthorized applications and websites resulted in as many as half of the data loss incidents
  3. Unauthorized network/facility access – 39% of IT professionals said they have dealt with an employee accessing unauthorized parts of a company’s network or facility
  4. Sharing sensitive corporate information – 24% of employees admit to verbally sharing sensitive information
  5. Sharing corporate devices – 44% of employees share work devices with non-employees
  6. Blurring of work and personal devices, communications – nearly two thirds of employees use work computers daily for personal use – music downloads, banking, blogging, chat rooms, personal email
  7. Unprotected devices – at least one in three employees leave computers logged on and unlocked when away from their desk. Laptops often are left on desks without logging off.
  8. Storing logins and passwords – one in five employees store login / password information on their computer or write them down near their computer
  9. Losing portable storage devices – 22% of employees carry corporate data on portable storage devices
  10. Allowing “tailgating” and unsupervised roaming – 13% of employees allow non-employees to roam around their offices unsupervised, 18% have allowed unknown people into corporate facilities

Some of these figures have been broken down by country in a great analysis here.

Via network world
