CoSoSys to Protect SearchAmerica
CoSoSys, the leading provider of End Point Security solutions, has recently announced that SearchAmerica has selected Endpoint Protector 2008 to manage and enforce portable device security policies in their IT environment. The solution SearchAmerica chose is quite new and extremely powerful, and it will protect all company workstations, notebooks and servers against data loss, data theft and other forms of data leakage.
CoSoSys has added a rather important client to its portfolio, as SearchAmerica is the industry leader in financially clearing patients through address verification, prediction of payment and automated charity/Medicaid processing. See more in the official press release.
DLP on the Right Track, but not Fullproof
Speakers at RSA 2008 state the Data Loss Prevention (DLP) segment of security solution is reporting impressive improvements, but it still not able to stop innovative attacks. While it might be the new hot shot of the entire security industry, DLP can fail when attempting to successfully fight off all data breaches.
In a Symantec-sponsored panel addressing DLP related issues, speakers were highly optimistic towards the future of this new technology, which, according to Dark Reading, “is designed to monitor, detect, and control the egress of sensitive enterprise data in an organization”. Yet the fact that insider-theft technology has been describes as omnipotence was acknowledged to be grossly exaggerated. Here’s a selection of the most interesting quotes Dark Reading published:
“The idea that you’re going to be able to protect every piece of data all the time is probably impossible,” said Joseph Ansanelli, former CEO of DLP pioneer Vontu and now vice president of DLP at Symantec, which bough Vontu last year. “It’s not going to happen.”
“DLP is a tool,” said Craig Shumard, CISO for CIGNA Corp., a Vontu user. “It’s one of a number of things you can use to help control the insider threat. But it’s not the whole solution.”
The key, Rich Mogull, founder of Securosis, says, is to define your “sensitive” data before deploying DLP. “You need to put all of your business people in a room and force them to choose which data is the most valuable,” he said. “Once you’ve done that, you can use DLP to start monitoring that data, to set policies for protecting it, and eventually, to enforce those policies.”
How to Secure Thumb Drives
DarkReading has recently published an article exploring the methods and reasons why company should secure their thumb drives. The first issue they bring into our attention is whether stolen or lost USB are less often reported (when compared to laptops for example) because companies have learned to protect them or because they are so hard to track, no one has any idea of how many have been lost or ever used within a certain network.
I’d have to say that unless companies cut access to their USB ports or implement a comprehensive endpoint security application, no one will ever be able to tell how many employees have ever used flash drives to carry data to and fro the office and how often they have misplaced them.
Here are a few of the security methods presented by DarkReadeing that a company is presented with and has to choose from when trying to prevent the damages thumb drives entail:
- blocking all USB ports on all network computers – I would say that’s impracticle as instead of benefiting from all advantages of easy portability and storage, a company would force employees to use other methods to carry their project between work and home. And to my mind, it’s harder to secure an entire laptop than it is for a thumb drive.
- Relying on the security software USB producers advertise – could work, given the security is not a marketing scam only. If it’s not, what is offered, points out DarkReading, can be quite limited
- A hybrid approach mixing advanced data encryption with a system to allow only certain pre-aproved USB drives.
- Using cheap drives and open source encryption technology, but only when you really trust your employees. I’d say this is a bit futile, as if trust is what you base the security policy on, why implement it in the first place? Security is not a matter of trusting or not trusting personnel. It’s a matter of noticing breaches can happen to anybody and that all employees are human and can easily err. Or get really mad at you and hurt your business on purpose.
CareFirst Dental HMO Exposes Data of 75,000 Members
One of the purposes of Endpoint Security is to actively prevent damages caused by inside threats. Such threats don’t always refer to malevolent employees waiting around the corners to steal proprietary technology or private records. It also refers to members of your organization being mugged or simply loosing their laptop, PDA, iPhone or flash drive with sensitive information. Moreover, it aims to prevent human errors. Though uncommon, personnel transferring the wrong data and exposing it to wrong doers does happen.
One of the most recent cases has been covered by The Baltimore Sun. A CareFirst BlueCross BlueShield dental HMO called Dental Network accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn’t notify them until about three weeks later.
Experts say security breaches such as The Dental Network’s - where the company itself inadvertently posts the information - are uncommon. More often, experts say, information is compromised when hackers break into a computer system or when computers are stolen - as happened with the theft of a National Institutes of Health laptop last month.
Although state laws impose timely notifications being sent to all those involved, The Dental Network discovered the security breach on February 20 and informed members through a letter letter send on March 10.
A state law passed last year requires businesses to promptly notify those potentially affected by a security breach or theft, according to the Maryland attorney general’s office. Approval followed the loss of computer tapes containing information on more than 135,000 Johns Hopkins employees and patients in early 2007.
The Dental Networks representative stated however that they did their best and announced their members as soon as they could. Still, drafting and editing a letter, printing it and mailing it should take a lot less than 3 weeks.
Personal Data Thrown in the Dumpster
The financial information and social security numbers of hundreds of inhabitants of Flint, USA, have been found in a dumpster. Customers of the Affordable Realty entrusted these private details to the realty mortgage company. When Affordable Realty was evicted from the building where their office was location, company representatives thought the best place to get rid of the data would be the nearest dumpster.
ABC12 News has video record of the incident, along with some text comments. Let’s hope the company is properly held responsible in order to prevent similar future incidents.
Companies Forced to Live up to Security Promises
The Federal Trade Commission has recently settled a lawsuit against ValueClick amounting to 2.9 million dollars. ValueClick was found guilty of making email and advertising claims that were deceptive and misleading. The company was also found guilty of violating its own privacy policy, which promises, according to DarkReading, to protect customer data and implement “reasonable security measures.” ValueClick’s privacy policy promises encryption but the company failed to provide data entryption and did not fix reported vulnerabilities to SQL injection attacks.
The FTA decision in the ValueClick case opens the door for enterprises to be held responsible for negligence and for failing to implement the required security measures to achieve the user data protection they promise.
“The FTC ruling sends a powerful message to the business community,” says Scott Kamber, a partner at Kamber Edelson LLC, a legal firm that specializes in cyber security law.
“In the past, companies that failed to protect customer data have argued that they are immune from prosecution unless consumers can directly prove that they suffered harm from the breach of their personal information,” Kamber explains. “Given that hackers are generally pretty good at covering their tracks, this argument — if accepted — would mean that few companies would have to account for their negligence.”
With the ValueClick settlement, Kamber says, “the FTC has made clear that common sense will prevail over technical legal arguments, at least when it comes to governmental sanctions. We believe the FTC’s ruling will help with the current cases we are prosecuting, as well as future ones we are contemplating.”
With laws imposing clear requirement for companies, they will no longer be able to hide behind vague security claims and data loss prevention will become a major concern for all those dealing with private records. Hopefully, these laws, supported by international standards, will help prevent fraud, data loss and theft and other types of security breaches.
Second Largest Security Breach Recently Exposed
A supermarket chain based on USA’s East Coast has recently discovered and contained a security breach that exposed over 4 million credit and debit card numbers and let to 1,800 fraud cases.
According to a Hannaford Bros. grocery chain statement cited by Yahoo News, the card numbers were stolen during the card authorization process and about 4.2 million unique card numbers were exposed. Given the scale of the exposed data, this is one of the largest data breaches ever reported, although it is still far from the top leader, the TJX incident.
Hannaford became aware of the breach Feb. 27. Investigators later discovered that the data breach began on Dec. 7; it wasn’t contained until March 10, said Carol Eleazer, Hannaford’s vice president of marketing in Scarborough.
“We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement released Monday. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”
The breach affected all about 300 chain stores and independent groceries that sell Hannaford products. No other information such as names or addresses have been exposed, but the account numbers were enough to commit frauds for over 3 months. The names or aims of those responsible have not been disclosed, both state security agencies and MasterCard/Visa representatives giving limited comments on the issue.
Mindblowing Data Breaches of 2007
CSO Online has recently published a top 10 of the most significant data breaches of 2007. They have analyzed stolen hardware, malware infections and other such security breaching activities. CSO has also concluded the “most brilliant lunacy” of the year was to require the usage of social securities numbers as passwords.
If you haven’t guessed who the dark winner is, it’s the nasty TJX affair. But considering other data and facts we’ve recently told you about, the CSO estimated losses seem to be a bit off. Nevertheless, the top is quite interesting and a very good reminder security should never be taken lightly.
Data Breaches Going up
IT Security published an interesting feature this week focusing on data breaches, their trends, the laws regarding such security breakdowns and the targeted company. I thought some of the fats and issues they pointed out are highly important and worth being re-broad casted.
- the first law in the US regarding data breaches notice dates back to 2003 and was issued in California. Since the 37 states have enforced similar stipulations.
- In 2007, over 162 million records have been stolen or lost. To better understand what a significant growth the past few years accounted for, note that in 2002 the lost or stolen records amounted to a little under 5,000.
- Big companies with numerous private records seem to be the preferred target. Yet the cause of such breaches is not the thieves’ high level of knowledge. It’s human errors that facilitate such attacks.
TJX, the parent of retail chains including TJ Maxx, announced the computer incursion in January 2007 and later disclosed in an SEC (Securities and Exchange Commission) filing that the incident involved data from more than 45 million payment cards.
Brad Johnson, vice president at SystemExperts, said he views TJX as an anomaly, suggesting most breaches stem from human error rather than an attacker’s ingenuity. “The fundamental problem is a lack of security awareness,” Johnson said. “Employees weren’t aware of the risk involved, so they didn’t take the appropriate precautions.”
The case of HM Revenue & Customs, the United Kingdom’s tax department, fits the human-error category. In late 2007, HM Revenue & Customs acknowledged the loss of two computer disks containing personal information for 25 million people.
- Criminal gangs stealing data get 1$ to 10$ per record. Therefore, as long as the attacks are profitable, they will continue
- The first step a company should take is to realize what sensitive data they have and where it is stored. Such a step should make the implementation of an efficient Endpoint security and DLP solution easier.
- Another security measure would be to only process the data needed at a certain time (e.g. a few entries as opposed to an entire Excel file containing those entries)
- Users or consumers should investigate more the risks they expose themselves to when entrusting their private information to third parties.
Thumbnail Drive with Data of Job Seekers Lost
A company hired by the Nevada Department of Public Safety to do background checks for 109 job applicants managed to loose the private data of said job seekers. According to an article in Chron.com, their private records were stored on a thumbnail drive owned by one of the hired firm employees.
Following this incident, the Department of Public Safety has temporarily suspended the use of outside vendors for background checks while it is reviewing all its processes and procedure.
