New PCI Standards Disregard Inside Threats
Starting June 30, new measures inserted in the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address insider threats.
As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.
Secerno representatives showed that the new and “improved” standard does not address real threats effectively:
“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.
“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”
Besides completely ignoring ill-willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, or measures for protecting data on private networks.
There’s No DLP without Encryption
Any enterprise considering implementing data loss prevention technology in the future must keep one aspect in mind: effective DLP goes hand in hand with a sound encryption strategy. Given this, Dark Reading states that DLP solutions are moving from quick fixes aimed at reducing data breaches to being seen as a core strategy whose purpose is to identify sensitive corporate information as such and to control access to it.
This shift in how DLP solutions are viewed might be what is needed to bring back to life previously designed and now stagnant data encryption projects.
“Every major DLP vendor has, or is developing, encryption capabilities or partnerships,” says Rich Mogull, founder and principal analyst at Securosis, a security consultancy. “File/folder encryption and DLP should be integrated.”
If this prediction is right, we have complex and highly effective corporate security strategies to look forward to. As laws neither stop breaches or identity theft nor significantly reduce them, comprehensive policies might prove to be a much better alternative.
Breach Disclosure Laws are Pointless
Researchers at Carnegie Mellon University have just released data showing that information security breach laws enforced in the US have failed to reduce identity theft. According to the Register, these findings come at a time when there is increased demand for similar laws in Europe that would oblige organizations to notify customers in cases where their personal details become exposed.
Research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). They analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.
The researchers determined that factors such as changes in a state’s average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as the Register’s reproduction of the paper’s abstract shows:
We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.
“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.
The Army Investigates Breach Exposing 1,000 to Identity Theft
The Walter Reed Army Medical Center has just released information on a security breach exposing about 1,000 patients of both Walter Reed and other military hospitals to identity theft. The incident has raised great concern, and the Army is currently investigating it.
According to Associated Press, the exposed private records contained names, Social Security numbers, birth dates and other personal details. However, the compromised computer file did not include medical records, or the diagnosis or prognosis for patients, hospital representatives quoted by AP said.
The disclosure marked the latest in a series of breaches of government computer records.
Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army. They would only say that the computer file was found on a “non-government, non-secure computer network.”
A New Approach to Stealing Identities
Research company Gartner is about to release its new forecast showing what security threats we will be dealing with in the future. To raise interest in the forthcoming data, they have given away some of the details as a teaser, and it seems to be working well. Their statements have also been reported by Dark Reading.
What is really interesting here is their view on where new threats will emerge. Hackers and all types of wrongdoers will target all things shared and social. While this will mostly be to facilitate the quick spread of malware, social networks will also be targeted to obtain credentials. So be careful what personal data you post on your social profiles, and make sure you find out how your email passwords are handled when you import contacts or send out invitations. Try these easy steps to make sure your identity isn’t misused.
Our blog will fill you in on other interesting findings as soon as the official Gartner Forecast hits the market, so see you all soon!
Malware Infected Giveaways at Security Conference
One would expect security to be a major concern for those advertising at and attending security conferences. But reality shows otherwise. Integrated telecommunication provider Telstra distributed malware-infected USB drives at the 2008 AusCERT security conference.
According to SearchSecurity, the USB drives were recalled as soon as the security issue was discovered. The AusCERT security conference was attended by up to 1200 delegates, all of them potentially exposed to a serious infection.
IT security journalist Davey Winder states that security problems at such conferences are no longer surprising. In a blog post published on DaniWeb, he provides insight into how potential breaches are facilitated at security events:
I have lost count of the number of such events where I have been able to quickly scan and detect numerous unsecured wireless networks and where ‘researchers’ attend with the express intention of finding such security holes and jumping in with both feet to see what resources can be compromised. Often it is the people who should know best who seem most liable to suffer from complacency, and security conferences are a great example of this genre of should have known better syndrome.[...]
So you could say I am not easily surprised, but what does surprise and rather shock me about this particular case in Australia is that the USB sticks being distributed by a large telco were apparently pre-owned, second-hand ones. I mean, how cheap do you have to be to use pre-owned USB sticks? These things are so cheap brand new that you will be finding them in Xmas crackers soon…
TJX Suspect Charged Along With 2 Other Hackers
A suspect in the largest private records theft in history has been charged along with two other men linked to similar scams. The three men, one of them suspected of playing a role in the 45.6 million credit card data theft from retailer TJX Companies, have been accused of hacking into cash register terminals belonging to a restaurant chain and installing software that sniffed credit card numbers, as explained by the Register.
“According to a 27-count indictment unsealed Monday, the scheme was carried out in part by Maksym Yastremskiy. In July, the Ukrainian was arrested in a Turkish resort town for allegedly selling large quantities of credit card numbers, many of which were siphoned out of TJX’s rather porous network. He remains incarcerated in Turkey, where an application for extradition to the US is pending. Yastremskiy also went by the name Maksik.
The indictment also names Aleksandr Suvorov, aka JonnyHell, of Estonia, and a separate complaint names Albert Gonzales, who also went by the moniker Segvec. Together, they are accused of installing packet sniffers at 11 restaurants belonging to Dave & Buster’s. The sniffers captured track 2 credit card data as it passed from the restaurants’ point-of-sale terminals to servers at the chain’s central headquarters.”
Hospitals, a Danger to Your Personal Data
According to a recently released study carried out by research firm HIMSS Analytics and risk management company Kroll Fraud Solutions, from 2006-2007 over 1.5 million patients’ personal information was exposed through hospitals alone, leaving them exposed to identity theft. The survey does not, however, take into account insurance companies, pharmaceutical companies or individual doctors’ offices, which would significantly increase the total number.
According to Dark Reading, we should keep in mind that these numbers are based on reported breaches only. About 44 percent of hospitals that experienced a breach in 2007 did not inform the patients whose records were affected, as shown in the study.
Hospitals are not paying enough attention to security issues, and the steps they are taking are often ineffective, the HIMSS/Kroll study says. While there is a high awareness of the security requirements described in Health Information Portability and Accountability Act (HIPAA) among hospital IT professionals, most hospitals are putting too much emphasis on compliance and not enough on real security vulnerabilities, the study says.
This lack of attention could lead to real problems for individuals down the road, the study warns. Hospitals are often a source for birth, health, and death records that can be very valuable to criminals, and patient data breaches are among the most difficult to clean up, because compromises or changes can affect insurance eligibility or even patient safety if the data is manipulated.
CoSoSys’ Secure it Easy to Protect VIPdesk Critical Data on Removable Storage Devices
CoSoSys, the leading provider of Endpoint Security solutions, announced today that VIPdesk, a pioneer of premium home-based contact center solutions and concierge services, has selected the newly released Secure it Easy version 2.0 software to manage and enforce the company’s portable device security guidelines. Secure it Easy efficiently protects VIPdesk’s remote workstations and notebooks owned by its home-based agents against data loss, data theft and other forms of data leakage.
See more details in the company’s online press room.
CoSoSys to Protect VIPdesk’s Critical Data Housed on Removable Storage Devices
CoSoSys, the leading provider of Endpoint Security solutions, announced today that VIPdesk, a pioneer of premium home-based contact center solutions and concierge services, has selected their most recently released Secure it Easy software, version 2.0, to manage and enforce the company’s portable device security guidelines. Secure it Easy efficiently protects VIPdesk’s remote workstations and notebooks owned by its home-based agents against data loss, data theft and other forms of data leakage.
“Legislative requirements enforced by an increasing number of US states and the recent Federal Trade Commission rulings against companies who did not prevent sensitive data exposure are stipulating clear actions to be taken in case of data theft or private record exposure. Such laws call for proactive management of portable devices that are capable of storing private information,” said Roman Foeckl, Managing Director of CoSoSys. “This set of features within Secure it Easy enables organizations of all sizes to better comply with government regulations and industry standards regarding data breach management and IT governance.”
See the full press release here.
