Archive for the ‘Information Security’ Category

Social Engineering Is Still An Effective Fraudster Method

Wednesday, June 28th, 2006

Technology continues to advance and security tools continue to emerge, but the good ol’ tried-and-true social engineering exploit is still as effective as it ever was. I found an article published today, "Hook, line and sinker," very interesting. It describes how computer-based attacks, such as phishing exploits, are being combined with social engineering.

The article contains some good stories that not only demonstrate the need for a comprehensive information security and privacy training and awareness program, one that covers how to identify social engineering attacks and avoid falling victim to them, but could also be used directly within your own training and awareness efforts.

*ANOTHER* E&Y Laptop Reported as Stolen…in Late February…Containing Data on 243,000 Individuals

Sunday, June 4th, 2006

Oh, come on now!  I couldn’t believe I was reading yet ANOTHER report of ANOTHER E&Y laptop that has been stolen recently!  ANOTHER stolen from a car…ANOTHER with an unbelievably huge amount of personally identifiable information (PII)…ANOTHER that did not have the data encrypted!  C’mon folks!  If you are information security or privacy professionals, or business leaders of any kind, you really need to step up your efforts to educate your personnel about the risks involved with using laptops, implement encryption on all mobile computing devices, and not allow such inordinately large databases of personal information to be on mobile computing devices.

It is also amazing that the laptop theft occurred in February, but the E&Y client whose PII was on the laptop, Hotels.com, was not notified until May 3.

The data included names, addresses and credit card information.

"Ernst & Young invites those affected by the incident to enroll in a free credit monitoring service arranged by the auditor."

Why don’t they just go ahead and enroll all those individuals into the credit monitoring service?  Why make the victims have to tell them to do it…it’s likely many of the individuals will not be aware any potential breach has even occurred until they start having problems with their credit reports.  Yeah, sure, letters were mailed to them…but how many will be read?

"The letter from Hotels.com said ‘Ernst & Young was taking additional steps to protect the confidentiality of its data, including encrypting the sensitive information we provide to them as part of the audit process.’"

If you entrust sensitive data, such as PII, to another company, for any reason, you should make it one of your contractual requirements for them to keep the data encrypted.  Their sloppy security is probably going to impact you more than them when they have an incident involving it.

Sophos Reports Top Ten List of Malware for May as Well as Arhiveus Ransomware Info

Friday, June 2nd, 2006

Those of you interested and intrigued with malware will find a couple of newly released Sophos reports interesting.

Some of the interesting statistics provided in the top ten malware report for May include:

  • "Netsky-P worm remains the most widespread piece of malware spreading via email.
  • Sophos identified 1,538 new threats in May, bringing the total of malware protected against to 122,634.
  • The majority of the new threats (85.1%) were Trojan horses, while just 12.3% were worms or viruses.
  • The proportion of email which is virus infected has dropped considerably over the last year as hackers have turned from mass-mailing attacks to targeted Trojan horses. In May 2005, one in every 38 emails was infected, now this number is just one in 141."

And a creative new piece of malware, Arhiveus, is a type of ransomware that encrypts victims’ computer data and then attempts to force users into making a purchase from an online pharmacy.

Well, if businesses would keep their data encrypted and backed up to begin with, they would not need to worry about this ransomware, would they? This is a good example of how the cybercrooks are exploiting the human tendency, and common business practice, of not having adequate security implemented.

Oh, yes, and not only do encryption and making backups protect your data assets, they also demonstrate due diligence and contribute to compliance with a wide range of laws and regulations.

VA posts data security information…some good security info/references for everyone

Monday, May 29th, 2006

The Veterans Affairs department has established a couple of web sites to provide information about the status of the VA data security breach, and some FAQs concerning the incident.

Besides providing information about the current breach incident investigation, the FAQ also has some links beneficial to anyone concerned with information security. The following is an excerpt of some of the references.

"Request a free credit report from one of the three major credit bureaus – Equifax, Experian, TransUnion – at www.AnnualCreditReport.com or by calling 1-877-322-8228."

"the fraud department of one of the three major credit bureaus:

  • Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
  • Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, Texas 75013
  • TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790"

"On May 25, 2005, the VA’s Office of Inspector General (VA OIG) and the FBI announced a $50,000 reward through the Montgomery County Crime Solvers organization, for information that leads to the recovery of a laptop computer and external hard drive that contained personal information for millions of veterans."

How to Protect Laptops While Traveling: Great Site for Travel Safety Information of All Types

Thursday, May 25th, 2006

The continuing thefts and losses of laptops highlight the need to provide ongoing security awareness and training to the people who use these mobile devices to store and process the personal information of customers and employees.

Over the past couple of weeks I have had the pleasure of speaking with Kevin Coffey about laptop thefts, related crimes, and what people need to do to protect their mobile computing devices and storage media when they are in their homes and traveling.  Kevin is Detective Sergeant for a large metropolitan city in California, and also founded and owns his own company, Corporate Travel Safety.

Kevin has amassed a great list of resources on all topics related to travel safety, including how to protect mobile computing devices.  A couple of years ago he also created a laptop theft prevention video that organizations should consider showing as part of their awareness activities.

Insider Threat Example: Former Red Cross Employee Commits Crimes with Personal Information on 8,000 up to 1 Million Individuals

Thursday, May 25th, 2006

A story today in Computerworld reports that a former Red Cross worker allegedly used the information to which she had authorized access, including names, Social Security numbers, and birthdates, to open credit card accounts in those people’s names and then go on shopping sprees. So far at least four people have been confirmed as victims of this type of identity/credit card fraud…commonly referred to in the papers as identity theft.

This demonstrates how trusted insiders can do bad things with the information they are authorized to use.

What is interesting is that the report indicates that she "had access to 8,000 blood donors in a database she used in her job," but then it goes on to say "she may have accidentally accessed other records in the larger group."

So…she actually was authorized to access the entire group, it appears?  You can’t "accidentally" access information that you are not authorized through the system to access.  You can try to use others’ authorizations to access the information, but to "accidentally" access something you would have to have access to it to begin with…through the access control settings.  Kind of like "accidentally" grabbing a wrong-sized shirt out of your closet; you have access to everything in your closet even though you may only wear 3 or 4 of the shirts regularly.

Just think of the potential these personal information opportunists have, with so much access at their fingertips, to sell this information to other criminals and make even more money off their crimes than just opening a few credit card accounts.  She had access to names, Social Security numbers, phone numbers and birth dates.  She was a telephone blood-drive recruiter…why would she need all this access?

The alleged crook "began working at the Red Cross branch in October and was fired on March 2, when the incidents were discovered."  So the Red Cross knew about this in March, but only notified the victims last week?  Two months after the crime was discovered?  And the employee was fired, not immediately arrested? 

"The Red Cross offices in the region last week changed the database software to strictly limit access to any Social Security numbers in the future, Williams [a spokesman for the regional agency] said. Only names, phone numbers and birth dates are now accessible by blood drive recruiters."

Well, access controls should have been set to allow access only to the information necessary for job responsibilities long before this incident. Unfortunately many organizations do what is easiest up front and give all access to all databases to all their personnel. This even though it has been a standard of due care for many years now to limit access, through methods such as role-based access control (RBAC), to only that which is necessary, and even though growing numbers of regulations, such as HIPAA and GLBA, require such access restrictions. It’s too bad it often takes an incident for organizations to get their 20/20 security hindsight vision.

"The agency is reimbursing any of the affected 8,000 donors if the credit reports can’t be obtained for free. The agency also set up a toll-free hotline to aid any identity-theft victims of the incident and said it’s taking additional security steps to ensure that such an incident doesn’t happen again. All staff members are being reminded, for instance, that donors don’t have to put their Social Security numbers into their Red Cross donor records."

Well, it is good the Red Cross is stepping up as much as they can considering they are a nonprofit agency.  It is such a vital and valuable organization…but incidents like these are so senseless! 

Wouldn’t it be nice if the three credit reporting giants, Equifax, Experian and Trans Union would provide, free of charge, credit monitoring for these individuals?  Yeah, well, I’m optimistic…it’s nice to think they would for an important charity…and to help protect the people, whose information was taken, who have been so kind as to donate their blood so that others can live…but I’m also a realist…

Okay…so just a few of the lessons learned…

  • Give access only to the information necessary for people to perform their job responsibilities.  Use RBAC, access control lists (ACLs), or whatever is most appropriate for your computing environment to limit access to the data items…not just to the entire database.
  • Your authorized users are, and will always be, a threat to the information to which they have access.  Numerous reports support this, including the annual CERT/Secret Service insider threat report; the 2006 report should be coming out soon.
  • Perform due diligence before hiring personnel and giving them access to sensitive information with which they can easily commit crime.
  • Perform continuous monitoring of personnel with access to sensitive information.  Make sure you have appropriate separation of duties to make this effective.
  • Create an incident response and notification plan that will ensure the impacted individuals are notified as soon as possible when someone starts to inappropriately use their information.
  • Provide ongoing awareness and training for information security and privacy.  This will help all your personnel not only know what they should be doing, but also know how to identify when others they work with are doing something wrong.
  • Establish, and consistently enforce, sanctions for policy non-compliance.  This will help to dissuade at least some potential crooks.
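As an added illustration of the first lesson above, and of the database change the Red Cross is quoted as making (this is example SQL written for this post, not the Red Cross’s actual configuration), the following PostgreSQL statements restrict a hypothetical blood-drive recruiter role to names, phone numbers and birth dates, so that Social Security numbers cannot be "accidentally" read through the database at all. Table, column and role names are assumed.

```sql
-- Added example (not from the original post): column-level least privilege
-- for blood-drive recruiters. Names below are hypothetical; syntax is PostgreSQL.
CREATE TABLE donors (
    donor_id    integer PRIMARY KEY,
    full_name   text NOT NULL,
    phone       text,
    birth_date  date,
    ssn         text        -- sensitive: recruiters have no job need for this column
);

-- The recruiter role starts with no privileges on the table at all.
CREATE ROLE blood_drive_recruiter NOLOGIN;

-- Option 1: grant SELECT on only the columns the job requires.
-- A recruiter's "SELECT * FROM donors" now fails instead of returning the SSN.
GRANT SELECT (donor_id, full_name, phone, birth_date) ON donors TO blood_drive_recruiter;

-- Option 2 (equivalent and often easier to audit): expose a view that
-- omits the SSN column and grant access to the view rather than the table.
CREATE VIEW donors_recruiter_view AS
    SELECT donor_id, full_name, phone, birth_date
    FROM donors;
GRANT SELECT ON donors_recruiter_view TO blood_drive_recruiter;

-- A real recruiter login account inherits the restriction through role membership.
CREATE ROLE recruiter_jsmith LOGIN PASSWORD 'placeholder-change-me';
GRANT blood_drive_recruiter TO recruiter_jsmith;

-- Verification, run while connected as recruiter_jsmith:
--   SELECT full_name, phone FROM donors;   -- succeeds
--   SELECT ssn FROM donors;                -- ERROR: permission denied for table donors
--   SELECT * FROM donors;                  -- ERROR: permission denied for table donors
```

With either option the restriction is enforced by the database, not by the recruiter’s good intentions, which is the access control setting the post argues should have been in place before the incident rather than after it.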

Reference For Protecting Portable Data

Wednesday, May 24th, 2006

Just a few days ago CSO Online provided a pretty nice resource, and a timely one considering all the continuing laptop and mobile storage media losses.

Their "Portable Data Protection Options" provides a nice starting point for organizations to plan how they will protect their mobile computing devices and storage media, or to quickly see whether their current program is missing something. Their list of potential vendors for the product categories listed is very limited…there are many other good vendor solutions available…but it is a place to start.

I’ve written on this quite a bit.  For one of my recent papers discussing the issues involved, see "Managing Mobile Computing Risks."

Another U.S. Gov’t Site With Useful Cybercrime and Fraud Information

Monday, May 22nd, 2006

I just ran across another U.S. government sponsored site, Looks Too Good To Be True, with some information that could be useful for information assurance professionals, particularly in small- to medium-sized businesses, in addition to the general public. From a business practitioner perspective this site isn’t quite as useful as some of the other government sites I’ve mentioned; however, you can always find useful nuggets. For example:

  • There are some awareness quizzes that businesses could either point their users to, or use to get ideas for their own quiz questions. The threat thermometer is cute; I don’t agree with some of the "temperatures" resulting from some of the answers the quiz taker gives, but it does provide a nice visual form of feedback.
  • The victim stories that web visitors have supposedly submitted are interesting; I didn’t realize there was so much activity going on with Internet-order bride schemes!
  • The consumer alert section is pretty good for your general computer user. When you are implementing your awareness programs, it is good to go beyond the scope of just your own business security issues and communicate to your personnel the issues they need to know about for their own personal use. Pointing them to these types of stories helps to keep information security issues at the forefront of their thoughts.

Keyloggers Proliferating…Personnel Continue to Take Bait…Not Surprising Considering Meager InfoSec Awareness Efforts

Thursday, May 18th, 2006

Okay, this story was widely reported starting Tuesday, "Websense survey says 50 percent rise in keylogger spying at work," but I’m just now getting to it.

"There was a 50 percent increase in the number of companies that reported spyware problems over the last year, according to the annual Websense Web@Work survey, the findings of which were released on Tuesday."

Hmm…yes, very interesting, but not that surprising.

"In April 2005, there were 77 unique password-stealing applications. In the latest March report, there were 197. Unique Web sites hosting keyloggers in the same time frame have gone up from 260 to 2,157 – almost a 10-times growth."

I’m not surprised, are you? Just look how quickly other types of malicious code have grown over the years…exponentially. It would be interesting to graph the growth trends in occurrences of the different types of malicious code and overlay them…wouldn’t you think other types are still growing just as quickly…or faster in some instances?

"The current survey also found that most companies believed that their staff could not distinguish between genuine sites and phishing sites. "Forty-seven percent of IT decision makers said their employees have clicked on phishing e-mails, and 44 percent believe employees cannot accurately identify phishing sites," Camissar revealed. "I am surprised that the results are not showing a larger growth in the number of organizations hit by this kind of threat.""

Now this does NOT surprise me at all! Just look at the numerous reports about the meager awareness and training budgets organizations have for their information security efforts…E&Y, Deloitte and PWC have all published such surveys recently. Your staff will not know how to distinguish real sites from bogus and/or malicious sites if you do not continuously remind them. So, of course they are continuing to go to these phishing sites.

Password and Laptop Loss Statistics for your Awareness Files…

Monday, May 15th, 2006

There were some interesting statistics in a Rediff India Abroad article today, "It takes 14 secs to crack your password." Several of them are good justification for business leaders to invest in more information security and privacy education for their personnel, and to invest in more information security resources and technologies.

Some of the stats in the article:

  • "Over 60,000 mobile phones, 5,838 pocket PCs and 4,973 laptops were left in licensed taxicabs in London last year."
  • "Up to one in 10 laptops will be stolen during their lifetime."  See www.juststolen.net for more info.
  • "A Symantec report suggests that an ordinary laptop holds content valued at $972,000, and that some could store as much as $8.8 million in commercially-sensitive data and intellectual property."
  • "A Gartner study warns that the Windows password can be cracked in as little as 14 seconds."
  • "With less than $100, anyone can purchase password-recovery tools on the Internet."
  • "The Symantec research also reveals that only 42 per cent of companies automatically back up employees’ e-mails"
  • "Peter Larsson, CEO of Pointsec Mobile Technologies, says they were able to read seven out of 10 hard-drives bought over the Internet at auctions such as eBay, for less than the cost of a McDonald’s meal, all of which had "supposedly" been "wiped-clean" or "re-formatted"."
