Encryption failing costs £150,000

Insurer Fined

Royal and Sun Alliance (RSA) has been fined £150,000 by the Information Commissioner’s Office following the loss of personal information relating to 59,592 customers.

Following the theft of a hard drive, which contained customers’ names, addresses and bank account details including account numbers and sort codes, ICO enforcement officers found that RSA did not have appropriate measures in place to protect financial information. The theft occurred at the company’s offices in West Sussex between 18 May and 30 July 2015, according to an ICO undertaking.

The device also held credit card details of 20,000 customers, although security numbers and expiry dates were not affected.

The investigation found that the device was stolen from company premises either by a member of staff or a contractor, that the information on it was not encrypted, and that the device has never been recovered. It was kept in a data server room that required an access card and key to enter, and which 40 members of RSA’s staff and contractors (some of whom were non-essential) were permitted to enter unaccompanied.

Steve Eckersley, head of enforcement at the ICO, said: “When we looked at this case we discovered an organization that simply didn’t take adequate precautions to protect customer information. Its failure to do so has caused anxiety for its customers not to mention potential fraud issues.

“There are simple steps companies should take when using this type of equipment including using encryption, making sure the device is secure and routine monitoring of equipment. RSA did not do any of this and that’s why we’ve issued this fine.”

Dr Bernard Parsons, co-founder and CEO of Becrypt, said that the fine should serve as a warning on how dangerous storing unencrypted data can be.

“We find data at rest – information stored in removable hard drives and portable devices such as laptops and tablets – is frequently the weak link in an organization’s security, leaving them extremely vulnerable to a serious breach in the event of a device being stolen or lost,” he added. “Alongside the threat of malicious insiders stealing portable storage devices, we have also seen cases of burglaries targeting technology in recent months.

“These kinds of data loss incidents can be prevented if all potentially sensitive and valuable information stored on portable storage devices is encrypted against unauthorized access by default. This means that, even if the worst happens and a device is stolen by an insider, the organization can be confident that the data it contains will be safe from abuse.”

Mark James, IT security specialist at ESET, said: “The fine itself may seem fairly insignificant, but that of course is not the whole story. The PR exposure, your customer hearing about your failings and of course the damage done through the act in the first place, all has a cost.

“Encryption is not new. It has a relatively low cost and can be rolled out and maintained with ease. It would not have stopped the theft of the hard drive in this case, but it would have stopped the data from being accessible. Fines need to be in place, but more importantly there needs to be follow-up. If you are holding other people’s data you need to do all you can to keep it safe.”

Infosecurity 2017

Data Breach Disclosures Jumped 40% in 2016

Though there were no mega breaches, 2016 had more breaches on record than any previous year, according to a new report.

Last year witnessed few data breaches of the kind that rocked 2015 when organizations like Anthem, the Office of Personnel Management and Ashley Madison reported security incidents involving tens of millions of personal records. Still, 2016 was a pretty bad year for data breaches. New data from the Identity Theft Resource Center (ITRC) and CyberScout show that 2016, in fact, had more reported breaches than any previous year.

A total of 1,093 security incidents involving loss of sensitive data were disclosed last year. The number represented a 40 percent jump compared to the 780 breaches reported in 2015. In all, about 36.7 million records were exposed in the breaches, which the two organizations described as any incident where an individual’s name along with their driver’s license number, Social Security Number, bank or financial account data, medical records and credit or debit card data is exposed.

In keeping with recent trends, the business sector, including retail organizations, suffered the most breaches and accounted for 495, or 45.2%, of all reported incidents. Healthcare organizations, with 377 breaches or 34.5% of the reported total, ranked second in the list of most breached organizations, followed by educational institutions with 98, and then government and military entities with 72 reported incidents.

In terms of raw numbers, banks and credit card companies had fewer breaches (52) than organizations in any of the other sectors included in the data breach report. However, that number does not tell the full story of the extensive financial damage caused to several banks in 2016 by attackers who exploited the SWIFT messaging network to illegally transfer huge sums of money to offshore accounts.

Hacking, payment card skimming, and phishing attacks represented the leading cause for data loss for the eighth year in a row, according to CyberScout and the ITRC. Combined, the three attack methods accounted for 55.5% of all reported security breaches last year, or nearly 18% higher than in 2015.

Many of the phishing attacks — the report does not specify an exact number — involved CEO business email compromise schemes, and resulted in the exposure of highly sensitive corporate data including those related to state and federal tax filings.

Non-malicious slip-ups, like accidentally sending out an email with sensitive customer data or employees negligently posting confidential data on a public facing website, accounted for a surprisingly high 9.2% — or nearly 1,000 — of the reported incidents last year.

Eva Velasquez, president and CEO of ITRC says it is not entirely clear if the higher number of data breaches in 2016 occurred because there were more actual breaches, or simply because more of them are being reported under new disclosure requirements.

“It is our opinion that both are factors here, but that it is more likely that breaches are actually being discovered due to more robust security measures being in place,” she says.

While the business sector was most impacted last year, it is important to keep in mind that over time other sectors have been impacted more heavily for different reasons, Velasquez points out. At one time, for instance, financial companies were big targets since attackers perceived them as having a lot of valuable information. In recent years, the medical and business sectors have gone back and forth as favourite targets.

A study released in December by TrapX showed that attacks on healthcare organizations for instance, grew 63% in 2016 and included some major incidents such as a breach at Banner Health that exposed 3.6 million records, and another at Newkirk Products which compromised 3.4 million records.

“As the thieves come up with more creative ways to monetize our data, different data becomes more valuable, hence the thieves change their targets,” Velasquez says.

Data breaches have become the third certainty in life, adds Adam Levin, chairman and founder of CyberScout. “Businesses of every size and stripe are under assault practically every minute of every day,” Levin says.

“As defenders, they must get everything right while an attacker need find only one point of vulnerability … and make no mistake, foreign and domestic attackers are well armed, fully weaponized and in war mode.”

Dark Reading 2017

‘Mega security breach’ of the future

What will the ‘mega security breach’ of the future look like?

Posted by Kathryn Cave on January 16 2017

Security is an area that just keeps gaining prominence. The breaches keep hitting the headlines. And it is pretty clear that a horrific attack – one that most people simply can’t imagine yet – is on the horizon. This means that while it is not always helpful to focus on the negative – and with security it can be hard not to – at least looking at the worst-case scenario might help us confront what we could be up against.

At a December roundtable in London, Jason Hart CTO of Gemalto, highlighted the rise of integrity based attacks. These see attackers manipulating company data for their own benefit rather than simply stealing it. He believes that this will hit business reputations very hard and over the next 12 to 18 months [since December] at least one UK firm will fold because of it.

Andrew Nash, Founder and CEO of identity management startup firm Confyrm, who has a long pedigree with organisations like RSA, Google and PayPal, also attended the event. He focused more on identity theft but agreed that today criminals are more likely to play the long game than they did in the past.

He talked about blowout credit card fraud – where thieves sit on a bunch of stolen cards for months and months then use them all in one pre-planned hit – and stressed we’re going to see more of that mentality in data theft. “If I was a [nefarious] nation state I would produce a cheap wi-fi chip,” he said, embed it in a wide range of ordinary devices, leave it for years and switch it on to scan things occasionally.

Overall though, it is difficult to pin security down because there are a few different types of criminals out there with entirely different motivations. There are those who are simply motivated by the desire to steal things they can sell easily. There are those who are in for a longer, more lucrative haul – maybe an identity theft or integrity attack. There are those who are involved because of some kind of political motivation – which could frankly lead to any kind of mayhem. And of course, there are those there for the LOLs.

This means a criminal could be buying kits on the dark web, conducting smash-and-grab attacks, and just flogging the data straight on. They could be buying up passwords and other personal information as it becomes available with the aim of a larger payoff. Or they could be plotting something truly enormous to achieve maximum devastation.

So, what does this mean for the future of security breaches? Well, when I threw out a few simple questions in an open forum, the 23 senior security professionals who came back to me covered a lot of the same ground.

Not surprisingly, the majority agreed that as so much critical infrastructure has a digital component, cyber threats are now potentially as serious as their physical counterparts.

Greg Day, VP and Chief Security Officer at Palo Alto Networks, describes how “more and more traditional national infrastructure is being replaced by its digital twin”. 2016 saw the potentially harmful social impact of this when hospitals had to cancel surgeries because digital health records were held to ransom.

“As the interconnection of data and systems grows into a global mesh, leveraged by an ever-diverse ecosystem of technological devices, it seems we are generating a bigger cyber risk profile,” he says. “However, we should recognise that this is not more risk, but actually a transference of physical information risk into cyber, and in most instances a blurring between the two.”

Yet as Lisa Baergen, Director at NuData Security, puts it: “The paradox is that investments are being made in physical infrastructure and cyber security separately, [while] the connection between the two is being overlooked.”

In fact, countless breaches have shown that critical infrastructure and organisations alike are not prepared. Eric O’Neill, Security Strategist at Carbon Black, believes “a mega security breach will look like a ‘lights out’ scenario, where a carefully orchestrated attack compromises a critical mass of infrastructure components to such a degree that power grids are overloaded or shut down for a significant period.”

But this is just one scenario. The mega breach of the future could take on a variety of different shapes and guises. Douglas Crawford, Cyber Security Expert at BestVPN.com, imagines what it might be like if a criminal got hold of a lot of banking passwords. “The economic chaos caused could, in addition to bankrupting potentially millions of individuals, destroy banks and banking systems, create global economic depression, and even bring down governments,” he says.

The interesting thing about this situation is that it could arise from a variety of different motivations. Yet Chad Schamberger, Director of Engineering at VirtualArmour, believes that the mega breach of the future “will be driven to affect a decision, a political election, a financial outcome, or the intent to cause mass chaos across a population. Not necessarily to gather sellable assets but intended to expose the attack surface that has developed by introducing more and more poorly developed connected devices (IoT).”

James Wickes, CEO and Co-Founder of Cloudview agrees: “A mega security breach in my opinion is one that either affects national security or competitiveness.”

Bharat Mistry, Cyber Security Consultant at Trend Micro, believes that integrity will play its part. “I think breach data won’t necessarily be around mass data extraction, as monetisation of stolen data has almost become a commodity. It’s more likely to evolve towards mass undetected modification of data, especially in environments where the data is being used to make strategic or economic decisions.”

Other people we spoke to warned that criminals are beginning to use data to improve their own operations. Chris Carlson, Vice President of Product Management at Qualys, says “the mega security breach of the future is likely to reflect criminals’ advances in using analytics to combine and crunch stolen data to identify new opportunities for themselves.

“When bad actors combine stolen data from multiple smaller breaches then analyse it, the real risk is that they will identify trends in the data that allow them to innovate and succeed with more specific and targeted attacks on more vulnerable systems. Doing this at scale represents a huge risk to the economy – when a small percentage of people or businesses are hit by attacks, the system can cope. If that percentage grows significantly, the network effect would have serious repercussions,” he says.

Norman Shaw, CEO at ExactTrak, adds: “There is a lot of discussion about big data. This tends to centre around general commercial activities. Why do we not assume that criminals are using the same big data tools to bring together all the data from cyberattacks and maximise the opportunity?”

In some ways, this feels like the teething pains of watching our whole way of life go digital. It isn’t just the business transformation we hear so much about in the enterprise space. It is a full and complete social transformation.

Amit Sethi, Senior Principal Consultant at Cigital, believes: “In the future, we will likely see huge data breaches involving personal information that will make everything we’ve seen so far pale in comparison. Unlike with breaches involving passwords, where password changes can help you recover, once personal data is stolen, you cannot recover from it.”

In the end, though, the level of destruction wreaked does come down to the motivation of the criminal. And Baergen of NuData Security describes cyberwarfare as the “elephant in the room” that nobody wants to talk about.

IDG Connect

Security Guardian for VDI

Security Guardian brings global management to Virtual Desktop Integration. Even when not connected to a host computer, the remote Security Guardian units can be directly controlled from the management console. You can remotely turn access on and off, as well as remotely destroy the memory chip.

This video explains how the service works.

Security Guardian Overview

Security Guardian provides a global solution to the global problem of protecting mobile data. This video outlines the flexibility and functionality of Security Guardian. In conjunction with the management console, the data owner will know where their data is and who is using it, and can remotely turn it on and off or even destroy the memory chip.

Watch the video to learn more.