Almost all key US federal civilian agencies are well below the security standards they are required to meet, says the Government Accountability Office (GAO). In a recent report quoted by Dark Reading, the GAO found that nearly all of the 24 agencies it reviewed had major flaws in security controls and management, leaving them exposed to cyberattacks that could compromise them. The GAO also noted that it has repeatedly made recommendations to the reviewed agencies, many of which have been ignored.
During the past three years, the number of incidents reported by federal agencies to U.S.-CERT has increased by almost 200 percent — from 5,503 in 2006 to 16,843 in 2008, according to the report. More than one-third of the incidents are still under investigation, and the sources of the compromises are not yet known.
Of the incidents in which the sources are known, approximately 22 percent were caused by improper use of computers by authorized users, the report states. Eighteen percent of the compromises were caused by unauthorized access, and 14 percent were caused by malicious code. About 12 percent of the breaches were caused by scans, probes, or attempted access by external attackers, the report says.
The new GAO data is downright scary, especially since only 4 agencies got the “no significant weakness” stamp after the review. The remaining 20 reported either “significant deficiencies” (13) or, worse, “material weaknesses” (7).
Hosting company Network Solutions recently suffered a security breach in an e-commerce services system that exposed details for a whopping 500,000-plus credit and debit cards. The attackers penetrated the system and installed software that diverted transaction data to a rogue server.
The malicious software was active from March 12 to June 8 and affected transactions Network Solutions processed on behalf of more than 4,000 small-business merchant websites, spokeswoman Susan Wade told the Register. Although the code was discovered in early June, Network Solutions waited about a month to disclose the breach; the stated reason was that forensic investigators did not finish analyzing how the rogue code worked until July 13.
Network Solutions has offered to foot the bill for notifying affected cardholders so those costs don’t have to be borne by the merchants who used the company’s e-commerce service. [...] The company is also making 12 months of fraud-monitoring services available free of charge to cardholders whose information was exposed. Affected merchants and cardholders can enroll by visiting this site, which walks them through the process.
2008 brought a 10 percentage-point rise in data breaches at UK companies. Seven out of ten reported such an incident last year, up from 60% in 2007, according to a recent survey by the Ponemon Institute.
The Institute’s findings also revealed that 12% of the 615 public and private sector organizations surveyed were hit by at least five data breaches in 2008. Only 43% of the incidents were reported; reporting the rest was not mandatory. More findings from the survey:
- Public sector (4.48 breaches per organization) and financial services firms (3.11 breaches) were the worst affected
- Entertainment, media and defense firms reported no data loss incidents
- One third of the unaffected firms had introduced a corporate encryption policy
- 57% of UK firms use some form of encryption technology
How much do these breaches cost? The Register quotes a separate Ponemon Institute study that estimates that one compromised record costs about 60 pounds.
The good news? The rise in data breaches also fueled the rise in awareness when it comes to the importance of proactively securing sensitive data. 61% of the surveyed companies said data protection was either “important” or “very important” in wider risk management efforts.
There has been much noise about the Goldman Sachs ex-employee who left the company with its secret sauce for trading faster and better than its financial services competitors. At first it was unclear which company had reported the breach; then the name Goldman Sachs started to circulate. Let’s get into the details.
It all started when a computer programmer was arrested for stealing proprietary application code that powered his former employer’s high-speed financial trading platform; the employer was later identified as Goldman Sachs. The programmer’s name, along with more details on the incident, were reproduced from an FBI affidavit by DarkReading:
According to an affidavit (PDF) filed by the arresting FBI officer and subsequently posted by news media, the programmer, Sergey Aleynikov, copied “proprietary trade code” from his company and uploaded it to a Website in Germany. He later quit his job at the New York firm and moved to a new company in Chicago that “intended to engage in high-volume automated trading” — and paid him around three times his old salary of $400,000, according to the affidavit.
The programmer says it was all a mistake: he claims he only wanted some open-source files he had been working on and ended up with the whole shebang. That he never sold the code or otherwise tried to use it works in his favor. That he tried to hide all traces of the transfer does not. But that is something for a court to settle.
What’s fascinating, as ZDNet’s Larry Dignan explained on one of the network’s blogs, is that Goldman Sachs, “a master at gauging risk”, managed to overlook the danger of insider threats, something security experts have been talking about for a long while.
When you think about it, nothing happened to Goldman Sachs, other than a much-needed wake-up call. What could have happened? A competitor could have improved its own platform with the stolen code and taken more and more clients from Goldman Sachs. Adding up that potential loss would make us all dizzy.
An EU committee of data protection regulators has announced that social networking sites such as Facebook and MySpace are legally responsible for their users’ privacy. According to the Register, the European data watchdogs regard such sites as “data controllers”, so they must abide by all legal obligations that status entails. Even if they are headquartered outside the EU, social networking companies are still data controllers under EU law.
Site users can hold a similar position: anyone posting information on behalf of a club, society or company is legally responsible for that information.
“SNS [Social Network Service] providers are data controllers under the Data Protection Directive,” it said. “They provide the means for the processing of user data and provide all the ‘basic’ services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes – including advertising provided by third parties.”