IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

Obama Signs Cyberthreat Information Sharing Bill

On Dec. 18, both houses of Congress enacted the Cybersecurity Information Sharing Act, which is part of a 2,009-page $1.1 trillion omnibus spending bill (see page 1,729). CISA will establish a process for the federal government and businesses that voluntarily agree to participate in the program to share cyberthreat information with each other.

The legislation is an important tool to help protect the nation's critical infrastructure, says Daniel Gerstein, former Homeland Security acting undersecretary and a cybersecurity expert at the think tank Rand Corp. "Sharing information between industry and the federal government will allow for development of countermeasure signatures that can be incorporated into networks," Gerstein says. "In the absence of such sharing, protecting networks becomes much more challenging. ... CISA is not intended to be a comprehensive bill for cybersecurity. Rather, it focuses on the exchange of information between industry and the federal government."

Larry Clinton, president of the industry group Internet Security Alliance, says the approval of the bill by large, bipartisan majorities in both the House and Senate demonstrates the growing realization that the nation faces a major cybersecurity problem. "It speaks to the need to come together in a way rarely evidenced lately in D.C. and begin to attack this problem together," Clinton says. "It's a rare instance of our government system actually working in a bipartisan fashion for the public good."

Winner, Loser

Passage of CISA is seen as a victory for big business and a defeat for privacy and civil liberties advocates.

Consumer advocates say the new law provides only limited privacy protections to Americans. They object to the measure's provisions having been drafted in secret and then inserted into a spending bill that keeps the government operational. "This shows disrespect for the people whose privacy is at stake in this process, and who deserve real cybersecurity, not more surveillance," says Drew Mitnick, policy counsel for the advocacy group Access Now. "Simply put, we expect more from our elected leadership."

But business groups generally supported the legislation. "This legislation is our best chance yet to help address this economic and national security priority in a meaningful way and help prevent further attacks," says U.S. Chamber of Commerce President Thomas Donohue. "Government and businesses alike are the target of these criminal efforts, and CISA will allow industry to voluntarily work with government entities to better prevent, detect and mitigate threats."

Key Provisions

At CISA's core are provisions designed to get businesses to voluntarily share cyberthreat information with the government. The main incentive is liability protection from lawsuits when businesses share cyberthreat indicators, such as malicious code, suspected reconnaissance, security vulnerabilities and anomalous activity, as well as signatures and techniques that could harm an IT system. The new law also provides an antitrust exemption for sharing threat data among businesses.

The liability protections alone won't get many businesses to share threat information. "A bill is not going to prompt an organization to change," says Chris Pierson, chief security officer at invoicing and payments provider Viewpost. "What it will do is help the internal teams that want to share have better ammunition for their legal counterparts and compliance people to understand that sharing of threat data and indicators is being done in a coordinated fashion. The true win here will be the communication around what to share, how to share and the business benefit for companies that share."

CISA designates the Department of Homeland Security to act as the cyberthreat information-sharing hub between government and business. Civil liberties activists wanted a civilian agency, not a military or intelligence entity such as the National Security Agency, to shepherd the flow of cyberthreat information between government and business. But the legislation will not prevent the NSA and other intelligence agencies from getting hold of the cyberthreat information.

One provision of the law will require DHS to establish an automated system to share cyberthreat information in real time with other government agencies. The law also will allow the president, after notifying Congress, to set up a second information-sharing center if needed.

CISA will require the removal of personally identifiable information from data before it is shared. However, the vagueness of the law's language could result in "more private information [being] shared than the privacy community would prefer," says Paul Rosenzweig, a former Homeland Security deputy assistant secretary for policy, who analyzed the measure's language.

Healthcare Industry Study

The omnibus bill also includes language requiring the Department of Health and Human Services to convene a task force within 90 days of enactment to address the cybersecurity threats facing the healthcare sector. This task force would:

  • Analyze how other industries have implemented cybersecurity strategies;
  • Evaluate challenges and barriers facing private healthcare organizations in defending against cyberattacks;
  • Review challenges the industry confronts in securing networked medical devices and other software or systems that connect to electronic health records; and
  • Develop a plan to share cyberthreat information among healthcare stakeholders.

The task force would report its findings and recommendations to appropriate congressional oversight committees.


Why Fraud Is Shifting to Mobile Devices

As a result of the explosive growth in worldwide use of smart phones, mobile malware will play a much bigger role in fraud this year, predicts Daniel Cohen, who heads up the anti-fraud services group at security firm RSA, which just released its 2014 Cybercrime Roundup report.

Mobile devices will be the new focus for phishing attacks, taking the place of spam attacks that for more than a decade have been waged against PCs, Cohen, an expert on phishing trends, says in an interview with Information Security Media Group.

"Smart phone technology is the fastest adopted technology in the history of mankind," Cohen says. In 2014, 1.3 billion new smart phones were purchased by consumers throughout the world, while in 2015, forecasts suggest that another 2 billion of these devices will be shipped to consumers, he points out.

"The bad guys are looking at this ... and they understand that they have to be on those platforms and those systems," he says.

Security Challenges for Mobile

This shift to mobile fraud is posing challenges for security teams, because the methods used to protect end-users from attacks waged against PCs don't translate well for mobile, Cohen notes.

The mobile threat involves what Cohen describes as "permission-ware." The end-user knowingly downloads a mobile application and grants it the permissions it asks for at install time, Cohen says. When the app is malicious, no exploit is needed: the user has already handed it whatever access it requested, and the set of permissions granted determines how much damage it can do once installed.

Cohen points to Svpeng, an Android banking trojan that Kaspersky Lab reported had gained ransomware functionality in summer 2014, as an example of the kind of threat that will become more common this year.

"Svpeng started out as a phishing attack on the mobile phone," Cohen says. "The app would wait for a legitimate app to launch, and once that app launched, the malicious app, Svpeng, would launch and then ask for more information. ... In 2015, we will see the mobile channel leveraged more and more in attacks like this."
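The review this implies happens before the tap on "Install": read what the app is asking for and ask whether the combination makes sense for what it claims to be. The following is an added example, not code from RSA or from the interview: it parses an Android manifest, lists the permissions the user would be granting, and flags combinations that fit the overlay-plus-SMS pattern Cohen describes (wait for a legitimate app, draw a fake prompt over it, capture what the user types). The permission groupings, their descriptions and both sample manifests are constructed for this example.

```python
"""Pre-install review of an Android manifest: what the user would be granting,
and whether the combination fits common mobile-fraud patterns."""
from __future__ import annotations

import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Permissions worth a second look and what they buy an attacker. The grouping
# and wording are this example's own judgement, not a list from RSA or Kaspersky.
SIGNALS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (one-time codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate fraud, C2 beacons)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (phishing overlays)",
    "android.permission.GET_TASKS": "see which app is in the foreground",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself at boot",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator (lock screen, resist uninstall)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (read and inject UI)",
}

# Combinations that are far more telling together than apart.
PATTERNS = [
    ({"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.GET_TASKS"},
     "overlay + foreground detection: can wait for a banking app and draw a fake login over it"),
    ({"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.RECEIVE_SMS"},
     "overlay + SMS interception: phish the credential, then steal the one-time code"),
    ({"android.permission.BIND_DEVICE_ADMIN", "android.permission.SYSTEM_ALERT_WINDOW"},
     "device admin + overlay: lock-screen ransomware that resists removal"),
]


def requested_permissions(manifest_xml: str) -> set[str]:
    """Permissions the install prompt asks the user to grant (<uses-permission>)."""
    root = ET.fromstring(manifest_xml)
    return {el.get(A + "name") for el in root.iter("uses-permission") if el.get(A + "name")}


def component_permissions(manifest_xml: str) -> set[str]:
    """Device-admin and accessibility bindings are not requested with
    <uses-permission>; they appear as android:permission on a receiver or service."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("receiver", "service"):
        for el in root.iter(tag):
            if el.get(A + "permission"):
                found.add(el.get(A + "permission"))
    return found


def assess(manifest_xml: str) -> list[str]:
    """Human-readable findings; an empty list means nothing of note."""
    perms = requested_permissions(manifest_xml) | component_permissions(manifest_xml)
    findings = [f"{p}: {SIGNALS[p]}" for p in sorted(perms) if p in SIGNALS]
    findings += ["PATTERN " + why for needed, why in PATTERNS if needed <= perms]
    return findings


# Constructed sample: a "player update" that wants far more than video playback.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Player Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary network-using app.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label)
        for line in assess(manifest) or ["  no findings"]:
            print("  " + line)
```

Run against a real package, feed it the decoded AndroidManifest.xml (the one inside an APK is binary XML and needs a decoder such as apktool first). The point of the PATTERNS table is that an SMS permission or an overlay permission alone has legitimate uses; the two together, or either with device-admin rights, is what a banking trojan or lock-screen ransomware needs and a video player does not.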

In the interview, Cohen also discusses:

  • How the underground economy is evolving and fueling the rapid spread of malware and phishing attacks;
  • Why the U.S. continues to rank No. 1 for phishing attacks waged against banking brands; and
  • Why remote-access attacks waged against point-of-sale vendors are expected to increase this year.

At RSA, Cohen serves as the head of the anti-fraud services group, where he focuses on phishing attacks, malware and threat intelligence.


Cybersecurity: A Congressional Priority

The 114th Congress, with solid Republican majorities in both the House and Senate, convenes this week at a time of growing public awareness of security breaches, especially the cyber-attack last year on Sony Pictures Entertainment.

And that means the new Congress is likely to soon take up legislation to promote the sharing of cyberthreat information between business and the government in an effort to help foil breaches.

"It isn't becoming a political issue in the sense that it is partisan. It is, however, becoming political in the sense that the general public is becoming increasingly concerned with the security of the systems they depend on," says Paul Rosenzweig, a former Department of Homeland Security policymaker who serves as a senior adviser to The Chertoff Group, a risk consultancy. "That concern will drive the debate."

President Obama also is putting pressure on Congress to enact laws to make cyberspace safer, especially legislation to encourage the sharing of cyberthreat information. After the cyber-attack on Sony Pictures Entertainment, Obama used his year-end press conference on Dec. 19 to call on Congress to pass threat-sharing legislation.

"One of the things in the new year that I hope Congress is prepared to work with us on is strong cybersecurity laws that allow for information-sharing across private sector platforms, as well as the public sector, so that we are incorporating best practices and preventing these attacks from happening in the first place," he said.

Will Squabbling Continue?

In the past two Congresses, Obama and House lawmakers bickered over the wording of cyberthreat sharing legislation, with the White House twice threatening to veto legislation that passed the House of Representatives with bipartisan support. The Senate, controlled by Democrats until this week, never took up its version of the legislation.

The White House and Congress differed on how to ensure the protection of individuals' privacy as well as their civil liberties. In its veto threat, the administration said the legislation passed by the House last year failed to require businesses to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or private-sector entities. "Given some issues that the privacy community has raised, we need to take that into account as we ... work on the bill," a senior administration official said last year in discussing the legislation.

Other differences between the administration and Congress centered on how cyberthreat information is shared with intelligence agencies. Privacy groups worry that the National Security Agency and other intelligence organizations could misuse the data to threaten Americans' privacy and civil liberties.

The administration also contended that legislation in the last Congress extended liability protections too broadly. Businesses say they need the legislation to prevent lawsuits that could result from disclosing how they protected - or inadequately safeguarded - their digital assets. But the administration expressed concern that the bills before Congress could allow businesses to exploit those protections to thwart lawsuits that have nothing to do with cybersecurity.

Compromise in the Air

Can the White House and Congress compromise? Several experts say they believe both sides are motivated to find a middle ground.

"It takes 60 votes in the Senate to move a bill," Rosenzweig says. "After Sony, I am skeptical that there are 41 votes to block information sharing legislation."

Dan Lohrmann, the former Michigan state chief information security officer who has long kept an eye on Washington cybersecurity developments, expects members of Congress to act on the issue this year. "They want to be shown as doing something constructive before something worse happens than the recent attacks on Sony," he says. "Cyber may offer the better hope [for compromise] as compared to immigration [reform] or debt reduction."

Lohrmann, now chief strategist and chief security officer at security awareness training firm Security Mentor, points out that many lawmakers - including Republican Sen. John McCain of Arizona and Democratic Rep. Jim Langevin of Rhode Island, co-chairman of the House cybersecurity caucus - have called on Congress to act quickly on cyberthreat information sharing legislation.

But to reach a compromise, the White House and Congress must first agree on a definition of privacy, says Gene Spafford, who as executive director of Purdue University's Center for Education and Research in Information Assurance and Security follows cybersecurity legislative developments.

"There is no broad policy on privacy, and there needs to be," Spafford says. "We need clear lines on privacy protection from companies giving up too much information, to government agencies collecting too much. Companies and agencies should be liable for poor practices and for over-sharing or exposure. The fair information privacy principles are a good start for defining reasonable limits to what is collected and shared."

Three Factors to Mull

To get a bill enacted, Spafford says, lawmakers need to address the three factors influencing the conversation around cyberthreat information sharing legislation: national security, privacy and undue burdening of business with new requirements. "Depending on who you talk to, the balance of these three is different," he says. "Without some better understanding of consequences and compromise, action will not be uniformly accepted."

Larry Clinton, president of the Internet Security Alliance, a trade group that backed the House legislation, warns against expecting the adoption of a new cyberthreat information sharing law to have a substantial impact on data breaches. "Are we overhyping the information sharing legislation and giving the impression that this bill would solve, or even make a significant dent, in the cybersecurity problem?" he asks.

Clinton, for instance, says he doubts that a cyberthreat information sharing law would have helped to prevent the Sony breach. "Most of the benefit of information sharing would be to help entities [stop] second attacks that use similar methods," he says. "I haven't heard anyone in the government come forward and say they had information that would have helped Sony stop the attack. ... To think we are going to address this problem by passing one narrow bill, even a good one, is woefully mistaken."

The new Congress also is expected to take up legislation to nationalize data breach notification. Business leaders say they need one national statute because of the burden their companies face in complying with 47 different state laws. Many lawmakers and the Obama administration favor a national law, but the big challenge facing Congress is deciding on key provisions, such as what constitutes a breach worthy of notification and when should businesses notify individuals and law enforcement of a breach. As the multitude of state statutes show, there's no consensus on the provisions to be incorporated in a data breach notification law.


Why Are We So Stupid About Passwords?

Despite the seemingly nonstop pace of data breaches, organizations worldwide still don't seem to be paying much attention to detail when it comes to the proper use of passwords.

The latest entrant into the password "hall of shame" is Sony Pictures Entertainment, as the ongoing leaks of purloined Sony data by Guardians of Peace - a.k.a. G.O.P. - continue to highlight. It wasn't just that Sony was - according to numerous reports - using weak, overly short passwords for many systems. Sony was also storing lists of passwords in text files, Word documents and Excel spreadsheets, Mashable reports. Furthermore, none of those files appears to have been password-protected or encrypted.

Security experts react with incredulity at Sony's alleged password missteps. "You don't store passwords in Word files or in Excel spreadsheets," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells me.

G.O.P. didn't have to look far to unearth sensitive passwords for Sony's internal network, social media accounts and Web services. Indeed, many of them appear to have been shared on file-servers in a folder labeled "Passwords."

Sony has not responded to my multiple requests for comment about the hack attack and its password security practices.

Did Sony Learn From LulzSec?

But leaving passwords gift-wrapped for anyone who's able to penetrate the corporate network suggests that Sony's executives haven't learned from their previous information security missteps.

In 2011, Anonymous offshoot LulzSec claimed to have compromised 1 million users' passwords, as well as "all admin details of Sony Pictures (including passwords)."

Over the course of that year, in fact, the company was pummeled by 21 separate attacks that resulted in breaches of Sony sites, including the PlayStation Network breach that exposed the personal data of 77 million account holders. The attacks began not long after Sony had laid off a portion of its security staff. Sony subsequently received the year's Pwnie Award - decided by a panel of information security experts - for "most epic fail," as well as a fine of £250,000 (about $400,000) from the U.K. Information Commissioner's Office, which said in a statement that "the security measures in place were simply not good enough."

Missing: Password Management

Three years after what should have been Sony's security wakeup call, G.O.P. struck via what many security experts suspect was a phishing attack. How well-prepared was Sony for such an attack? After reviewing a recent batch of leaked documents, BuzzFeed claims Sony wasn't even using a social media management system. Such a system lets a team post to corporate Twitter and Facebook accounts without each person holding the account password, and it is the practical way to put two-factor authentication in front of a shared account. Internally, meanwhile, the "Passwords" folder means Sony wasn't enforcing the use of easy-to-use password management software.

Security experts recommend everyone use password managers, which automate the process of generating strong, random passwords; corralling them in one place; storing them in encrypted format; and restricting access. "It is a good practice to use a password manager, and that is essentially keeping everything in a folder called 'passwords' with one major difference - it is properly encrypted so that even if the adversary had it in their possession, they cannot read it without proper credentials," says TK Keanini, CTO of network security firm Lancope.

"There were many major mistakes made at Sony, but the question everyone should ask is: Why does it take a major incident to find these mistakes? Why didn't anyone catch these incredibly obvious insecurities prior to the incident and fix them?" Keanini asks.

Every other organization should now ask itself what would happen if - like Sony - attackers penetrated its network. Would they find social media credentials and lists of admin passwords to tens of thousands of systems in an unprotected Excel spreadsheet?
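One way to answer that question before an attacker does is to go looking. The following is an added example, not code from the article or from any of the firms quoted: it walks a file share and reports folders or files named like credential stores, text files whose lines look like "password: value", and spreadsheets or documents whose XML carries a "Password" column. The sample share it builds in a temporary directory, and the name and content heuristics it uses, are constructed for this example; tune them to your own share.

```python
"""Scan a file share for plaintext credential stores: folders or files named like
"Passwords", and text or Office files whose contents look like password lists."""
from __future__ import annotations

import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path

# Heuristics are this example's own; tune them to the share being scanned.
NAME_HINT = re.compile(r"\b(?:passw(?:or)?ds?|pwd|creds?|credentials?|secrets?)\b", re.I)
VALUE_HINT = re.compile(r"(?:passw(?:or)?d|pwd|secret)\s*[:=]\s*(\S{6,})", re.I)  # "password: x"
LABEL_HINT = re.compile(r"\bpassw(?:or)?d\b", re.I)  # a "Password" column header in a sheet
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".env", ".xml", ".json", ".md", ""}
OFFICE_SUFFIXES = {".docx", ".xlsx", ".pptx"}  # OOXML: a zip of XML parts


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def office_text(path: Path) -> str:
    """Tag-stripped text of every XML part in an OOXML file (spreadsheet cell text
    lives in xl/sharedStrings.xml, Word text in word/document.xml)."""
    with zipfile.ZipFile(path) as zf:
        xml = "".join(zf.read(n).decode("utf-8", "replace")
                      for n in zf.namelist() if n.endswith(".xml"))
    return re.sub(r"<[^>]+>", " ", xml)


def scan(root: str | os.PathLike) -> list[Finding]:
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir != "." and NAME_HINT.search(os.path.basename(dirpath)):
            findings.append(Finding(rel_dir, "folder name suggests a credential store"))
        for name in files:
            p = Path(dirpath) / name
            rel = os.path.relpath(p, root)
            if NAME_HINT.search(name):
                findings.append(Finding(rel, "file name suggests a credential store"))
            suffix = p.suffix.lower()
            if suffix in TEXT_SUFFIXES:
                n = len(VALUE_HINT.findall(p.read_text(errors="replace")))
                if n:
                    findings.append(Finding(rel, f"{n} plaintext password value(s)"))
            elif suffix in OFFICE_SUFFIXES:
                # A password-protected .xlsx/.docx is an OLE container, not a zip,
                # so it cannot be read here; it still deserves a human look.
                if not zipfile.is_zipfile(p):
                    findings.append(Finding(rel, "Office file is not plain OOXML; open manually"))
                    continue
                n = len(LABEL_HINT.findall(office_text(p)))
                if n:
                    findings.append(Finding(rel, f"{n} 'password' label(s) in Office XML"))
    return findings


def build_sample_share(root: str | os.PathLike) -> None:
    """Constructed sample share for this example, loosely modelled on the
    'Passwords' folder described in the leak reports."""
    root = Path(root)
    pw = root / "Passwords"
    pw.mkdir()
    (pw / "social_media.txt").write_text(
        "twitter  @studio   password: Wint3r2014!\n"
        "facebook admin     pwd=Summer#2014\n")
    with zipfile.ZipFile(pw / "server_admins.xlsx", "w") as zf:  # minimal .xlsx skeleton
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>Host</t></si><si><t>Username</t></si><si><t>Password</t></si>"
                    "<si><t>fs01</t></si><si><t>administrator</t></si><si><t>Pa55w0rd</t></si></sst>")
    (root / "it").mkdir()
    (root / "it" / "deploy.env").write_text("DB_HOST=db01\nDB_PASSWORD=ch4ngeMe_now\n")
    (root / "readme.txt").write_text("Reset your password through the self-service portal.\n")


def run_demo() -> list[Finding]:
    """Build the sample share in a temp directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_share(d)
        return scan(d)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}: {f.reason}")
```

The readme that merely mentions a password reset is not reported, because the value regex wants a label followed by a delimiter and a value; that is the line between a document that talks about passwords and one that stores them. Anything the scan does report should go into a password manager and then be deleted from the share, not just moved.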

The obvious takeaway is that enterprises need to get smart about not just requiring strong passwords, but encrypting and restricting access to those passwords, preferably using multi-factor authentication.

Even better, look to advanced authentication mechanisms that provide risk-based access controls. For example, consider products that implement the FIDO Alliance ("fast identity online") specifications. FIDO takes a "bring what you've got" approach: a user's mobile device, a public/private key pair, one-time passwords, USB security tokens and more can serve as authenticators, reducing the role of the password or, in FIDO's passwordless profiles, eliminating it.

Until that happens, of course, organizations must pay close attention to password security, or else risk becoming the next Sony.


Sony data breach: how not to protect your passwords

Sony Pictures Entertainment faces being left completely red-faced after reports began to emerge that it contributed to its latest data breach by storing thousands of passwords in a folder entitled "Password".

Personal details of some 47,000 employees and actors have been leaked online in recent days and the much-publicized leak contains confidential details including social security numbers and reams of other tidbits, according to The Telegraph.

The controversially named "Password" folder contains 139 Word documents, Excel spreadsheets, zip files and PDFs that give access to passwords and usernames for everything from internal computers to social media accounts.

One of those files, which has been seen by BuzzFeed, contains scores of usernames and passwords to various social media accounts thus giving anyone easy access to Facebook, MySpace, YouTube and Twitter accounts linked to the firm.

Sony hasn’t spoken publicly about the hack and the only noises came in an internal company-wide memo from CEO Michael Lynton and co-chairman Amy Pascal that called it a "brazen attack on our company, our employees and our business partners".

Sony’s leak comes at the same time that a clutch of high profile upcoming films were made available online with many reports pointing the finger at North Korea in retaliation for an upcoming film that pokes fun at the country.

Since then, the country has come out to deny that it is responsible for the hack and called claims that it had anything to do with it "another fabrication targeting the country".

The film in question, The Interview, stars Seth Rogen and James Franco and centers on a fictional plot by the US government to assassinate North Korea's leader, who bears an uncanny resemblance to the real-life leader Kim Jong-un.

Employees at Sony Pictures, who are some of the worst affected, aren’t likely to be surprised at the leak given that former workers told Fusion that the company’s "long-running lax attitude towards security" is likely to blame.


Raduege: Why New Cyber Agency Matters

A new federal cyberthreat intelligence center could help the government build more resilient networks and better identify cyber-attackers, leading to arrests and punishments, a former top Defense Department IT executive says.

"Those three areas could really go a long way in providing much-needed deterrence to bad cyber-activity on the networks today," says Harry Raduege, a retired Air Force lieutenant general who was the longest serving director of the Defense Information Systems Agency.

Raduege, in an interview with Information Security Media Group, praises the Obama administration's standing up of the Cyber Threat Intelligence Integration Center, announced Feb. 10. The center, known as CTIIC (pronounced see-tick), would pull together cyberthreat intelligence from other government agencies so that responses to protect critical IT systems in government and business can be identified quickly.

"I welcome any attempt by our government to improve speed of collaboration and information sharing among government activities and the industry, and also think that this CTIIC can be helpful in more effectively providing fused cyberthreat intelligence and information from across the entire intelligence community in a more timely manner," says Raduege, chairman of the Deloitte Center for Cyber Innovation.

Private Sector Benefits Without Direct Ties

Raduege says he doesn't see the private sector working directly with CTIIC, but says it should benefit from the center's work. He explains that cyberthreat intelligence will be fed to CTIIC from other governmental cybersecurity organizations such as the Department of Homeland Security's National Cybersecurity and Communications Integration Center, a 24x7 cyber-situational awareness, incident response and management center known as NCCIC (pronounced n-kick). NCCIC, which works with the private sector, will forward to CTIIC cyberthreat information from the business community.

When CTIIC comes up with a plan to defend against or respond to attacks, it alerts the other centers, including NCCIC, to execute it. If private sector systems are threatened, NCCIC will work with affected businesses using the CTIIC plan. Through partnerships and the government cybersecurity framework, Raduege says, a trust has developed between DHS and industry in combating cyberthreats.

In the interview, Raduege discusses the:

  • Importance of fusing cyber-intelligence to be analyzed by one agency;
  • Benefits of drawing cybersecurity experts from various agencies to work at CTIIC; the initial team of 50 employees at CTIIC will come from other intelligence agencies;
  • Efforts by DHS to build a strong relationship with the private sector in promoting cyberthreat information sharing.

Raduege, who retired from the Air Force in 2005 after a 35-year career, heads the Deloitte Center for Cyber Innovation, which focuses on developing cyber solutions for organizations grappling with the need to secure interoperable information systems. In the lead up to the 2008 presidential election, Raduege co-chaired the Commission on Cybersecurity for the 44th Presidency, a group of top governmental, military and cybersecurity thought-leaders and practitioners, that presented the new president with an action plan to address IT security challenges.

Since September, he's been a member of DHS's Science and Technology Advisory Committee. For the past five years, he's been a member of the President's Advisory Council at the EastWest Institute, a think tank.


How NSA Hacked North Korean Hackers

The U.S. government's attribution of the Sony Pictures Entertainment hack attack to North Korea stems, in part, from the U.S. National Security Agency having infected a significant number of North Korean PCs with malware, which the intelligence agency has been using to monitor the country's hacking force.

So says The New York Times, which bases its report, in part, on interviews with unnamed former U.S. and foreign officials, as well as a newly leaked NSA document. The document, published Jan. 17 by German newsmagazine Der Spiegel - and obtained via former NSA contractor Edward Snowden - details how the NSA worked with South Korea - and other allies - to infiltrate North Korea. The agency reportedly infiltrated at least some of these computers by first exploiting systems in China and Malaysia that help manage and administer North Korea's connection to the Internet.

According to the Times report, the hacked computers have given the NSA an "early warning radar" against attacks launched by the Pyongyang-based government of North Korea. Related intelligence gathered by the NSA also reportedly helped convince President Obama that North Korea was behind the Sony Pictures hack.

North Korea's Reconnaissance General Bureau intelligence service, as well as its Bureau 121 hacking unit, control the vast majority of the country's 6,000-strong hacking force, some of which operates from China, according to news reports.

Fourth Party Collection

Some of the evidence of the NSA's ability to monitor North Korean systems comes from a leaked NSA document, which appears to be a transcript of an internal NSA question-and-answer discussion that's marked "top secret" and is restricted to the U.S. and its Five Eyes spying program partners: Australia, Canada, New Zealand and the United Kingdom. The document refers to the NSA's practice of "fourth party collection," which involves hacking into someone else's hack, according to a Der Spiegel report.

The document relays an episode that involves North Korea: "We found a few instances where there were NK [North Korea] officials with SK [South Korea] implants [malware] on their boxes, so we got on the exfil [data exfiltration] points, and sucked back the data," the document reads.

Der Spiegel reports that this practice, which is employed by the NSA's Tailored Access Operations team, has been used extensively to undermine many hack attacks emanating from Russia and China and has allowed the NSA to obtain the source code for some Chinese malware tools.

But some attacks against U.S. systems did succeed, and one leaked NSA document says that as of several years ago, 30,000 separate attacks had been detected against U.S. Defense Department systems, 1,600 systems had been hacked, and related "damage assessment and network repair" costs had exceeded $100 million.

The NSA document also discloses that South Korea in recent years has begun attempting to hack into some U.S. government systems.

The FBI has previously said that its attribution of the Sony Pictures hack was based in part on intelligence shared by the NSA, although that attribution did not single out the North Korean government, thus leaving open the possibility that pro-Pyongyang hackers or even mercenaries may have also been involved.

The Role of Botnets

On the attribution front, meanwhile, documents newly published by Der Spiegel - and leaked by Snowden - have detailed an NSA program, code-named "Defiantwarrior," which involves the NSA using infected nodes - or zombies - in a botnet. When such nodes are traced to U.S. computers, the FBI reportedly uses the information to help shut down those parts of the botnet. But when nodes are discovered on computers in countries outside the Five Eyes program, the NSA - according to the leaked documents - may use these to launch attacks against targets. While such attacks might be traced back to the botnet node, this practice reportedly helps the agency launch attacks that are difficult - if not impossible - to attribute back to the NSA.

Did NSA Keep Quiet?

The report that the NSA had hacked into many of the systems employed by the North Korean military, and was monitoring them, has prompted information security experts to question whether the agency knew about the Sony Pictures hack and failed to stop it.

"If the NSA were secretly spying so comprehensively on the networks used by North Korea's hackers, how come they didn't warn Sony Pictures?" asks independent security expert Graham Cluley in a blog post.

If the NSA did detect signs of the Sony hack planning, reconnaissance and actual attack unfolding, however, then it might have declined to warn the television and movie studio to avoid compromising that monitoring ability, says Europol cybersecurity adviser Alan Woodward, who's a visiting computing professor at the University of Surrey in England. Similar questions have been raised in the past, for example, over the World War II bombing of Coventry, England, by the Germans, and why - if the British had cracked the Nazis' secret Enigma codes - the U.K. government didn't evacuate the city.

Another outstanding question is the extent to which the leadership of North Korea suspected - or knew - that their computer systems may have been infiltrated by foreign intelligence services. "Presumably, the cat is now out of the bag," Cluley says. "These news stories may take some of the heat off the [United] States from some of those in the IT security world who were skeptical about the claims of North Korean involvement, but it also tips off North Korea that it may want to be a little more careful about its own computer security."

Szymon Mantey's curator insight, January 19, 2015 2:28 PM

A guide on how to get hacked the easy way by Asians, who steal our personal data while the NSA is unable to do anything about it...

Is Sony data breach a sign of things to come in 2015?


Is Sony's data-breach event about to change how hackers go after our personally identifiable information in 2015?

When the news broke that the information of more than 6,800 Sony employees – including Social Security numbers, birth dates, and salaries – had been exposed, most consumers, including me, thought "Here we go again" with another typical major data breach event.

However, this is anything but typical. Unlike the Target or Home Depot hacks, the Sony breach exposes a new threat realm that includes stealing and exposing health-care information, employee e-mails and project e-mails involving clients, partners and other employees.

Can you imagine private e-mails from your employer, health provider, banker, social media or child's school about your salary, medical records, credit score, child's grades, personal or business relationships going public for everyone to read and see?

In Sony's case, files that were hacked included unreleased movies (even forcing the cancellation of one), thousands of employees' Social Security numbers, executive pay packages and internal e-mails that were uploaded to the Internet. Sony has described this breach as an "unparalleled crime" that is unprecedented in nature.

Sony Pictures now has legal, financial and public relations liabilities in protecting its image, responding to the needs of individuals affected by the breach and complying with state and federal data-breach laws.

I believe we will see more of the Sony-type hacks — targeted attacks specific to both our personal and business information.

I encourage you to check out Experian's just released second annual data breach industry forecast report. Here are some of Experian's 2015 data breach predictions:

- Internet of things. Cyberattacks likely will increase via data accessed from third-party vendors.

- Employees will be companies' biggest threat. A majority of companies will miss the mark on the largest data breach threat: employees. Between human error and malicious insiders, time has shown us the majority of data breaches originate inside company walls.

- Data-breach fatigue will grow among consumers. A growing number of consumers are becoming more apathetic and are taking less action to personally protect themselves.

- Business leaders will face increased scrutiny. Where previously IT departments were responsible for explaining security incidents, cyberattacks have expanded from a tech problem to a corporate-wide issue. With this shift, business leaders are being held directly accountable.

- More hackers will target cloud data. Cloud services have been a productivity boon for consumers and businesses. However, as more information gets stored in the cloud and consumers rely on online services for everything, the cloud becomes a more attractive target for attackers.

Mark's most important: Set goals in 2015 to focus on risk management and cybersecurity. Be proactive and prepared for a broader range of hacking threats.

Claudia Stevenson's curator insight, December 29, 2014 3:19 AM

The future of online security and privacy.

Top Security Threats Still Plaguing Enterprise Cloud Adoption


As cloud computing moves beyond the early-adopter stage, security and privacy concerns and the inherent risk of moving assets off-site are not just fears -- they're real. Uncertainty about data security and privacy was slowing the adoption of cloud computing even before last year's revelations by Edward Snowden of covert government surveillance, but the scope of that surveillance accentuated the skepticism, coinciding with the rise of cyberattacks from around the world.

"Edward Snowden's revelations were really a wake-up call for the industry about what the government can do with your data," says IDC analyst Al Hilwa. "And if the government can see your data, who else can? It's really not surprising that security concerns have slowed enterprise adoption."

Those fears notwithstanding, they're unlikely to put a major dent in projected adoption of public cloud services in the coming years. Gartner Inc., for example, predicts cloud computing will constitute the bulk of new IT spending by 2016, and that nearly half of large enterprises will have hybrid cloud deployments by 2017. However, the results of a recent survey by U.K.-based communications services provider BT Group of IT decision makers in large U.S. companies underscore a contradiction: 79 percent of respondents said they're adopting cloud storage and Web applications in their businesses, but they also report their confidence in the security of the cloud is at an all-time low.

Top Security Threats
The lack of confidence is with good cause. The Cloud Security Alliance (CSA) has identified what its researchers believe to be the top nine cloud security threats, dubbed "The Notorious Nine." Data breaches top that list. Also on it are data loss, service traffic hijacking, insecure interfaces and APIs, denial-of-service attacks, malicious insiders, cloud services abuse, insufficient due diligence, and shared technology vulnerabilities. The group emphasized those risks at a three-day conference in September hosted jointly by the CSA and the International Association of Privacy Professionals (IAPP).

Not on that list, but another major risk, is the ease with which employees can and typically do bypass IT departments when using cloud services, says Jim Reavis, founder and CEO of the CSA. Today, anyone can use a credit card to spin up a virtual machine on Amazon or Microsoft Azure, set up a SharePoint instance via Office 365 or another third-party provider, or use free services such as Box, Dropbox, Google Drive or Microsoft OneDrive. Reavis points out that when people bypass IT when using these and other services, it undermines business-level security policies, processes, and best practices, making enterprises vulnerable to security breaches.

Another risk Reavis points to: the lack of knowledge by IT management of the scope of cloud usage in an organization. At the CSA Congress 2014, the group published the results of a survey of U.S. companies, many of which drastically underestimated the number of cloud-based apps running in their organizations. The report concludes, "Cloud application discovery tools and analytical tools on cloud app policy use and restrictions are crucial in the workplace, especially when it comes to sensitive data being used by these cloud applications. With sensitive data being uploaded and shared by these apps with authorized and unauthorized users, policy enforcement becomes a major role in protecting your data."

The report estimated with more than 8 billion Internet connected devices, a growing number of businesses may own data, but no longer own their infrastructure. "A few years from now, that 8 billion will become a quarter trillion," Reavis says. "If we lose ground on privacy and security today, we'll have a very hard time getting it back. That creates a mandate to embrace the tools and technologies that are emerging to manage and protect these resources."

The proliferation of all those devices and the bring-your-own-device corporate culture has resulted in an enterprise that's more difficult than ever to protect -- cloud or no cloud, says C.J. Radford, VP of Cloud at data security company Vormetric Inc.

"The perimeter has failed or is failing, given that data is now everywhere," Radford says. "If you're only focused on your perimeter, you're going to have a very hard time protecting your data. But that's where the enterprise has traditionally spent its money over the past 10 or 15 years -- essentially, on building a bigger moat. The problem is, you can't build a moat around, well, everything."

Controlling Access
In an increasingly cloud-centric, perimeter-less world, enterprises must concentrate their security efforts on protecting the data itself, Radford says. His company partners with leading cloud vendors, including Amazon Web Services Inc., Rackspace, IBM Corp., and Microsoft, to provide data-at-rest encryption, integrated key management, privileged user access control, and security intelligence logging. Among other things, the Vormetric Key Management Key Agent software works with Microsoft SQL Server Transparent Data Encryption (SQL Server TDE) to help manage SQL encryption.

"Today, it's all about controlling data access," he says. "If you read any of the major breach reports, one of the ways the bad guys are getting access to data is compromising privileged username and password credentials. They're doing it through social engineering, phishing and that sort of thing."

Not surprisingly, Radford is a strong advocate of data encryption, and he also recommends a bring-your-own-key (BYOK) approach. "You should never rely on the provider to manage your encryption keys," he says.

"BYOK means the provider can turn over your data in encrypted form, but it's useless without the key. The other thing it buys you is the ability to 'digitally shred' your data. We call that 'permanently securing your data.' That's why we always say, rule No. 1 in encryption is never lose your key."

Encryption support is even showing up above the infrastructure level. Azure, Office 365 and OneDrive, for example, are now supported by Transport Layer Security (TLS), Microsoft announced last summer. The encryption support covers inbound and outbound e-mail, as well as Azure ExpressRoute, which allows users to create private connections to Azure datacenters.

Data encryption and data-centric solutions seem to be especially appealing to enterprises in the post-Snowden era, says Luther Martin, chief security architect for Voltage Security Inc.

Martin believes the primary cloud security concern in the enterprise today is availability.

"If you look at the data, in terms of frequency, most of the cloud incidents so far have been about service outages," he says. "The outages have been relatively short, but they can be terrifying, and there's not much an enterprise can do about them."

He also notes, however, that encryption keys present their own challenge -- namely, keeping track of them. "Effective encryption key management is hard," he says, "and people often don't give it the consideration it deserves. I mean, if you lose a key, you've lost your data, too."
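To make the BYOK and "never lose your key" points above concrete, here is an added Python model of envelope encryption that is not code from Vormetric, Voltage or the article: the tenant keeps the key-encryption key (KEK), the provider stores only ciphertext plus a wrapped per-object data key (DEK), and destroying the KEK shreds everything wrapped under it. The cipher is an HMAC-SHA256 counter-mode construction chosen only so the example runs on the standard library; a production system would use AES-GCM or a KMS, and the sample record is constructed.

```python
"""BYOK envelope encryption with crypto-shredding (added example, stdlib only)."""
import hashlib
import hmac
import os

def _prf(key: bytes, label: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 with a label gives separate "enc" and "mac" PRFs from one key.
    return hmac.new(key, label + msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter mode over the PRF: a stdlib stand-in for AES-CTR (use AES-GCM for real).
    blocks = (_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def open_sealed(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag before decrypting; any other key (or tampered data) fails closed."""
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def upload(kek: bytes, plaintext: bytes) -> dict:
    """Tenant side: a fresh data key (DEK) per object, wrapped under the tenant-held
    key-encryption key (KEK). The returned dict is all the provider ever stores."""
    dek = os.urandom(32)
    return {"ciphertext": seal(dek, plaintext), "wrapped_dek": seal(kek, dek)}

def download(kek: bytes, stored: dict) -> bytes:
    """Only a KEK holder can unwrap the DEK. Destroying the KEK 'digitally shreds'
    every object wrapped under it, which is also why losing it means losing the data."""
    dek = open_sealed(kek, stored["wrapped_dek"])
    return open_sealed(dek, stored["ciphertext"])

def can_read(kek: bytes, stored: dict) -> bool:
    """True if this key recovers the object; False is what a provider gets without it."""
    try:
        download(kek, stored)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    kek = os.urandom(32)                       # constructed tenant KEK, never sent to the provider
    obj = upload(kek, b"constructed patient record 42")
    print("tenant reads:", can_read(kek, obj), "| provider without KEK:", can_read(bytes(32), obj))
```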

Via Michael Dyer

Cybercrime expert on Sony hack, protecting personal info

A major computer hack of Sony Pictures Entertainment is far from over, as hackers took new movies like "Fury" and "Annie" and leaked them on the internet. Sony executives also confirm some of...

Via Paulo Félix