Monthly Archives: January 2016

Organizations Still Paying Breach Costs After Remediation

290x195securityworry2A new report from SANS Institute examines the costs that organizations deal with after they clean up from a breach.

Data breaches often result in myriad costs for victimized organizations and individuals. A new study from SANS Institute, sponsored by Identity Finder, found that even after organizations remediate the immediate cause of a breach, there will still be ongoing cost consequences.

Barbara Filkins, senior analyst at SANS Institute, wanted to take a different tact to the analysis of data breach costs than other reports, notably the Ponemon Cost of a Data Breach and Verizon Data Breach Investigations Report (DBIR). (The 2015 Ponemon Cost of a Data Breach report, sponsored by IBM, found that the average cost of a data breach is $3.8 million.) In Filkins’ view, the other reports focus on the front-end costs of data breaches as opposed to what can be done to mitigate the damage after an attack.

At the top end, the SANS report found that 31 percent of the surveyed organizations incurred post-breach costs of between $1,000 and $100,000 as a result of a data breach, and 23 percent experienced costs of $100,000 to $500,000.

Looking at the root causes of the data breaches, 35 percent of respondents noted that a hacking or malware attack was the primary vector. The study also asked about how long it took organizations to fully remediate a breach, with 38 percent of respondents reporting it took three months or longer.

Going a step further, even after the breach remediation was considered to be complete, most respondents experienced residual issues, including potential litigation, fines and brand reputation concerns. Only 35 percent reported that they had no lingering effects after a breach was considered to be remediated.

As to why some organizations have no lingering effects, Filkins said it all has to do with the nature of the breach and the difficulty of understanding costs. There are some obvious items that are considered to be post-breach costs, including identity monitoring services, but when it comes to the lingering costs, it’s not as easy to quantify the impact on brand reputation and stock prices, for example, she added.

According to Todd Feinman, CEO of Identity Finder, the path to helping minimize the costs of a data breach involves classifying data so that organizations understand where the risks are. The reality is that breaches are now a fact of life and it’s difficult to prevent all breaches from happening, he said. Taking that as a baseline, Feinman suggests that just because there is a security incident, it doesn’t necessarily have to turn into a large-scale data breach.

“If organizations want to minimize the costs of an attack or a data breach, you have to know where the sensitive data is and keep it as small a footprint as possible and make sure that it doesn’t leave the organization,” he said.

Identity Finder develops its own tool for data loss prevention called Sensitive Data Manager, which was updated this week to version 9.0. The new release includes improved data classification capabilities.

“There is no single technology, including ours, that is a silver bullet to prevent data breaches and related costs,” Feinman said. “It’s all about people, process and technology.”

USENIX Enigma 2016 – NSA TAO Chief on Disrupting Nation State Hackers

Bad boys bad boys, Watcha gonna do when they come for you !!

 

 

The Danger of Fake Patches

 

chipWe talk a lot about threats to data security on this blog, and personal experience has probably acquainted you with everything from Trojan Horses to phishing.

Here’s a particularly sneaky threat that’s becoming more and more common: fake patches.

Part of what makes them a problem is that, unlike those spam e-mails from people and companies you don’t know, fake patches can look like perfectly reasonable notices from software services or programs you’d expect to receive patches from, like Adobe or Google Chrome. The fake updates display the company logo, so they seem real enough. Just last year, in fact, hackers sent out a fake version of Java Update 11 that contained malware.

How well-equipped you are depends, not surprisingly, on the security measures you have in place. Keeping the auto-update feature on is good practice, provided your software is designed to identify incoming patches and make sure they’re genuine. Even then, it’s possible for malware to use a fraudulent certificate to get around an auto-update program.

There are a number of things you can do to minimize risk. Cutting down on Shadow IT and foreign software on corporate machines makes it harder for hackers to send fake patches. A robust antimalware service is another step.

But at the end of the day, just being smart and cautious goes a long way. Fake patches often look suspicious in the same way spam e-mails look suspicious. They might have misspellings or they just don’t look like a software update you’re accustomed to seeing. They might even ask you to pay for the software they’re asking you to download.

Little things like avoiding pop-ups and scanning and cleaning your computer help, too. And, as always, talk with the IT department and back up your files. Communication and stored, safe files will ensure a small problem doesn’t become a big one.

FTC: Big data and IoT spawn new data concerns

IoTThe ongoing collision of big data and the internet of things raises whole new concerns about maintaining security, privacy, and fairness of personal data, says Julie Brill, member of the Federal Trade Commission.

Brill spoke earlier this month at the Cyber Security and Privacy Summit hosted by Washington State Gov. Jay Inslee.

“The data from connected devices will be deeply personal, and big data analytics will make the data more readily actionable,” said Brill. “Some of these devices will handle deeply sensitive information about our health, our homes, and our families. Some will be linked to our financial accounts, and some to our email accounts.”

However, she added that people won’t change much.

“We as individuals will remain roughly the same. We will not suddenly become capable of keeping track of dozens or hundreds of streams of our data, peering into the depths of algorithmic decision-making engines, or spotting security flaws in the countless devices and pieces of software that will surround us,” she warned.

Faced with a world of uncertainty about which devices are safe and whether they are getting a fair shake in the big data world,  Brill continued, “consumers could use some help.”

Major inroads possible into our lives

This rapidly evolving environment raises issues that have yet to be resolved. Brill divided the issues into the three areas of security, privacy, and fairness:

1. Security

“Because these connected devices are linked to the physical world, device security also is a top concern,” she said. To wit:

No armor. Of the 90% of connected devices that are collecting personal information, 70% transmit the data without encryption.

No expertise or recognition. Traditional goods manufacturers may not have the expertise, or even realize they need such expertise, to secure their new devices.

Cheap as dirt. Many connected devices will be inexpensive and essentially disposable.

Just because the plug fits … Security vulnerabilities may be hidden deep in the code that runs an app or device, which may not become apparent until it is connected to an environment for which it wasn’t designed.

“All of these factors point to the need to take an all-hands-on-deck approach to data security, with security researchers playing an important role in bringing security flaws to light,” Brill said.

2. Privacy

“Consumers want to know—and should be able to easily find out—what information companies are collecting, where they’re sending it, and how they’re using it,” said Brill. She said that information plays an important part in consumers’ decisions about whether to use digital products and services in the first place.

However, obstacles have emerged:

Didn’t know they were watching. Many companies, including data brokers, ad networks, and analytics firms operate in the background with consumer data.

Devices give no clues. Many connected devices do not have a user interface to present information to consumers about data collection.

Queries not answered. Questions have arisen about who should receive disclosures about data collection and use practices; how would consumers or innocent bystanders know when a device is recording images or audio; and how will the collected data be secured.

Brill said that manufacturers of connected devices should recognize that providing transparency will require some creative thinking.

“Visual and auditory cues, and immersive apps and websites should be employed to describe to consumers, in a meaningful and relatively simple way, the nature of the information being collected … and provide consumers with choices,” Brill said.

3. Fairness

 Certain data brokers assemble individual profiles on consumers from various sources which are used for marketing practices.

On such firms specifically, Brill said that “while this kind of information can be used for relatively benign purposes, or even in ways that will enhance financial inclusion, this kind of information has also been used to harm vulnerable consumers.”

Again, pairing big data with internet of things in this area creates new concerns:

Credit scores used beyond credit world. The use of scores, such as credit scores, can go beyond decisions about mortgages, for example, to other major decisions such as whether a prospective employer would extend a job offer to a given applicant, or whether insurance companies would charge higher premiums on auto or homeowners insurance.

Scores grown outside the regulatory zone. The use of many different types of scores has proliferated to make eligibility determinations covered by the Fair Credit Reporting Act, yet they haven’t yet been subject to the same kind of scrutiny that Congress and federal agencies have brought to bear on traditional credit scores.

It all happens in a black box. Scoring algorithms and other forms of big data analytics rely on statistical models and data system designs that few on the outside understand in detail.

“This suggests that testing the effects of big data analytics may be a promising way to go,” Brill said, adding that “companies using scoring models should themselves do more to determine whether their own data analytics result in unfair, unethical, or discriminatory effects on consumers.”

In summary she says, “For now, the rapid changes in big data analytics and the internet of things have made it difficult to meet some of these expectations in practice. The key point, however, is that these are the enduring expectations of consumers, rather than relics of a simpler world.”

That was the year that was – A review of 2015 in Legal and Legal IT

To wrap up 2015 I thought I’d post a review of the Legal and Legal IT news throughout the year.

One of the big trends across law firms this year has been mergers, and the number or mergers and consolidation in the industry continued throughout 2015.

Dentons has been the major news story as its huge growth continued through the year, we had the Dacheng merger in January, talk of McKenna Long & Aldridge joining in April, discussions with Singapore’s Rodyk & Davidson and Australia’s Gadens about tie-ups in November leaving a firm at the end of the year with a possible headcount of around a massive 7000 lawyers. Other large firms continued to grow this year with DLA Piper entering Canada in March and White & Case planning to boost City lawyer count by over 40% as it put London and New York at heart of new strategy in November. BigLaw doesn’t seem to cover these firms anymore, MegaLaw?

Some mergers don’t come off though, in November Eversheds and Foley & Lardner broke off merger talks that could have created a £815m ($1.25bn) revenue transatlantic firm. And there were growing pains in others, in November at Norton Rose Fulbright the firm’s management looked to reconnect with City partners after years of rapid overseas expansion. But still this didn’t stop the merger talk and in November Irwin Mitchell and Thomas Eggar unveiled merger plans.

It seems the final shackles of the financial crisis had been thrown off in 2015 as growth was back on the cards or at least in the published figures, so although still an industry under pressure from clients it doesn’t seem to have affected the bottom line. Growth numbers look pretty good against most of the western economies, with 4%, 6% and even out at 7% rises in revenue across law firms according to a Deloitte survey in March. By December the Deloitte survey was still predicting firm fee income rises of nearly 5% in Q2 of 2015-16. Impressive numbers.

PEP (Profits Per Equity Partner) was also on the up and into the double figures in some firms with 11% and 12% rises coming through in March figures. BLP posted PEP 22% in June! But not everywhere was rosy, some markets clearly still are ultra-competitive and this saw Hill Dickinson and Holman Fenwick both take revenue and PEP hits. As did DWF as their PEP slid 21% and revenue stayed broadly flat in August figures.

The good times though saw the top firms battle for the best associate pay rise around April/May time with 7% at Linklaters, 8% at Ashurst and 10% at Slaughter and May. White & Case then trumped them all in June with a 20% rise in London associate pay! Not to be outcome in December Slaughter and May associates were in line for bonuses of up to 16% as firms also bumped up rewards.

Was this all driven by a growth in client demand? Possibly as in London, for example, back in February TfL announced a rise in legal spend this year, the first in four years. And the Greater London Authority doubled its spend. But also I suspect a hard look at costs also help the profits in firms in 2015. Freshfields started consultation on a low-cost base in Manchester in February and announced further centers in June to create a global network of centers. White & Case mulled opening European support centers in November. And DLA Piper launched a low cost services center  in Warsaw this November, its third such center alongside one in the US and one in Leeds.

Law firms were also looking at growing their business in other ways, putting pay to a few speakers talks in 2016? Dentons launched a tech investment arm (NextLaw Labs) in May. There were moves into the contract lawyer space in June as DLA Piper and Addleshaws moved into contract lawyer market with new ventures. DWF also launched contract lawyer, support center and consulting offerings in June. And finally to top off a changing market KPMG boosted its UK legal capability with a Birmingham launch in September.

Quite an eventful year for law firms in general, what about the Legal IT side of things?

Starting with the stalwarts of Legal IT, Document Management (DMS) and Finance systems.

Back in January SharePoint was on the agenda again as a possible DMS in law firms with Microsoft pushing Matter Centre, by the end of the year though it was open source product. HP Worksite became iManage again with a management buyout and we saw energy back in the firm after many years of being part of a monolith. And Netdocuments continued to grow market share and cloud coverage with Europe and Australian datacenters.

In the finance arena the column inches were mainly full of Elite v Aderant, but in September Baker & McKenzie became the first global law firm to go live with the latest version of the SAP ERP system.

Elsewhere legal project management (LPM) is clearly on the move with a number of products offering support for this discipline, Umbria and Cael as examples. Strange that in the Legal press itself LPM wasn’t hitting the headlines despite strong take up by law firms and interest by clients! Proof again perhaps that contrary to the press and conferences, law firms are quietly getting on with new ways to grow the business?

I couldn’t review this year without mentioning AI (Artificial Intelligence), a marketing teams dream with a whole new “disruptive” technology campaign. 2015 was definitely hello AI, goodbye cloud in the Legal IT zeitgeist. The start of summer saw Ravn launch ACE and by mid-September, Berwin Leighton Paisner confirmed that it had become the first law firm to sign up to RAVN’s Applied Cognitive Engine. We also had US legal tech start up eBrevia has just launched its own AI offering, IBM Watson with Clifford Chance joining the growing number of City firms that work with IBM’s offering. September saw the BBC focus on Intelligent Machines, Riverview Law acquire US tech business to advance use of AI in legal market and AI goes mainstream as LexisNexis acquires Lex Machina in November and December.

The fact that cloud is now out of the news could be that finally its maturing and starting to take off, Netdocuments saw growth and Hill Dickinson kicked off a three-to-five-year IT strategy review that is expected to see a significant further shift towards the cloud.

Document automation was back in the news. Becoming more commonplace across the UK, Ashurst in September became the latest City law firm to sign up with Business Integrity’s ContractExpress solution to automate its legal precedents globally and across all practice areas. And at Clifford Chance in March, two finance lawyers were hired with coding expertise to design a template to allow banking clients to generate their own documents.

Social Media in law firms was in the news in summer as DLA Piper discussed the launch of their internal platform Grapevine.

My final thought though for the Legal IT world in 2015 is where is the big push into mobility, business support workflow and “standard IT” that supports lawyers? Law firms are definitely looking at this, but what about the Legal IT vendors? Some show hints of the above and that they’re starting to get it. Will this be the real news in 2016 or will the marketing teams win and continue to sell us the promise of a disruptive world and robots replacing lawyers?

 

A big thank you to Legal Week , Legal IT Insider, ILTA and Legal IT Professionals invaluable resources in researching the news from 2015 for this blog post!

5 Data Security Errors by Healthcare and How to Fix Them

Healthcare_device

A recent article in Forbes outlines some major missteps the healthcare industry is making when it comes to data security. In the wake of a record year for data loss with breaches at some the largest healthcare companies, the fact that there are problems with their cybersecurity comes as no surprise. As recently reported, 8 out of 10 largest breaches across all industries occurred in healthcare. As many experts have explained, healthcare records and insurance numbers are now a more lucrative target than credit card numbers. Yet, healthcare companies from insurers to hospitals and clinics seem ill prepared to thwart today’s advanced exploits. Here’s what the author of this article characterizes as healthcare’s five most urgent vulnerabilities:

  1. Too much focus on HIPAA compliance: According to the article, the highest number of breaches in 2015 occurred in organizations that have HIPAA-compliant databases.
  2. BYOD isn’t being secured: With more doctors on mobile devices, emailing and texting both colleagues and patients, unsecured devices become a glaring possibility, particularly when they’re personally owned.
  3. Too little investment in security: According to CNBC, healthcare organizations devote only 14% of their IT budgets to security, where other industries devote 20%. Other surveys have placed healthcare security budgets as low as 3% of total IT spend.
  4. Prioritizing security across the organization: In too many organizations, including healthcare, employees consider security the responsibility of IT, and aren’t nearly vigilant and careful enough with their email and personal devices.
  5. Over-simplifying or over-complicating systems: Here the author warns that IT policies and systems will be ignored if they are too difficult to implement and not effective, if they seem too simple. He calls for a balance between security and usability.

The second half of the article is concerned with what healthcare organizations need to do to avoid another year of data breaches like 2015 turned out to be.

  1. Focus on risk-management: Healthcare organizations are advised to worry less about HIPPA compliance and more about data security by layering in security technology like behavioral analytics that can identify suspicious activity before data is compromised.
  2. Two-factored authentication: The articles says two-factored is the minimum organizations should require, but it shouldn’t be so difficult that healthcare professionals will be frustrated.
  3. Encryption for data and devices: Data needs to be encrypted at rest and in transit particularly because of the multitude of mobile device usage by healthcare professionals, who send data back and forth.
  4. Enterprise mobile device management is important: Healthcare needs enterprise mobile device management (MDM) to secure devices that access organizations’ networks.
  5. Make sure security is in your culture: While deploying the most advanced technology is of paramount importance, the author reminds us that establishing security policies and training your workforce are also crucial to increasing data security. He advises healthcare organizations to instill a sense of personal responsibility in all employees, particularly those who have access to sensitive data.

Continued Breaches Show Dropbox Not Secure Enough for Small Businesses

data

I’m just going to come out and say it: Dropbox on its own is not secure enough for businesses. Bugs and open-doors leave sensitive files open for viewing and who knows what can happen if your classified information falls into the wrong hands. If you’re sharing files with coworkers by sharing Dropbox links, cease and desist! You are potentially leaving your files open to the masses.

Problem
Dropbox is currently the top dedicated cloud storage provider hitting 200 million users back in November 2013.  Unfortunately for business users, Dropbox is also the most targeted cloud service by hackers and thieves. Remember when hackers held 7 million Dropbox passwords ransom? Not only is Dropbox prone to cyber-attacks, but they also suffer from bugs and leaving open doors. In October 2014, Dropbox released an update with a bug that deleted user files, making backup on Dropbox inadequate for business. File deletion!? Then what’s the point of storing files in the cloud anyway?

Prior to this incident, a cloud-based file locker, Intralinks, found that Dropbox users were unknowingly allowing private data to be read by third parties as their files were being indexed by search engines.  Links that you may have shared with other colleagues were being indexed by Google, Yahoo! and Bing, and if competitors searched for a matching keyword on your link, they could click and open your files without you knowing. As you can see saving sensitive company information with Dropbox offers significant risk for business users.

Challenge
Many employees already use Dropbox to quickly store company files. The more employees that use Dropbox to store files, the more vulnerable the company is to information leaks. Although Dropbox offers server-side encryption for your files, it is not enough to protect your files if there is a security breach as Dropbox provides and controls your files’ encryption keys. Dropbox already accesses your files to provide a file preview, which opens obvious security holes. Dropbox has even changed their privacy terms to give themselves the right to share data collected from your files. Depending on the sensitivity of your data, you may want to consider encrypting your data with a 3rd party security software even before it reaches the Dropbox cloud. This would allow you to experience the convenience and value of Dropbox without compromising security.

Biggest cybersecurity threats in 2016

Cloud

Headless worms, machine-to-machine attacks, jailbreaking, ghostware and two-faced malware: The language of cybersecurity incites a level of fear that seems appropriate, given all that’s at stake.

In the coming year, hackers will launch increasingly sophisticated attacks on everything from critical infrastructure to medical devices, said Fortinet global security strategist Derek Manky.

“We are facing an arms race in terms of security,” said Manky. Fortinet provides network security software and services, and its customers include carriers, data centers, enterprises, distributed offices and managed security service providers.

Here’s how the 2016 threat landscape looks to some experts:

“Every minute, we are seeing about half a million attack attempts that are happening in cyber space.” -Derek Manky, Fortinet global security strategist

The rise of machine-to-machine attacks

Research company Gartner predicts there will be 6.8 billion connected devices in use in 2016, a 30 percent increase over 2015. By 2020, that number will jump to more than 20 billion connected devices, predicts Gartner. Put another way, for every human being on the planet, there will be between two and three connected devices (based on current U.N. population projections).

The sheer number of connected devices, or the “Internet of Things,” presents an unprecedented opportunity for hackers. “We’re facing a massive problem moving forward for growing attack surface,” said Manky.

“That’s a very large playground for attackers, and consumer and corporate information is swimming in that playground,” he said. Many consumer connected devices do not prioritize security. As they proliferate, expect the number of attacks to skyrocket. “A lot of these products and services, oftentimes security will take a backseat, so it puts a lot of information at risk,” said Manky.

In its 2016 Planning Guide for Security and Risk Management, Gartner puts it like this: “The evolution of cloud and mobile technologies, as well as the emergence of the ‘Internet of Things,’ is elevating the importance of security and risk management as foundations.”

Smartphones present the biggest risk category going forward, said Manky. They are particularly attractive to cybercriminals because of the sheer number in use and multiple vectors of attack, including malicious apps and web browsing.

“We call this drive-by attacks — websites that will fingerprint your phone when you connect to them and understand what that phone is vulnerable to,” said Manky.

Apple devices are still the most secure, said Manky. “Apple’s had a good security policy because of application code review. So that helps, certainly, to filter out a lot of these potential malicious applications before they make it onto the consumer device,” he said.

“With that, nothing is ever safe,” he said.

Mobile apps

Are you nurturing a headless worm?

The new year will likely bring entirely new worms and viruses able to propagate from device to device, predicts Fortinet. 2016 will see the first “headless worms” — malicious code — targeting “headless devices” such as smartwatches, smartphones and medical hardware.

“These are nasty bits of code that will float through millions and millions of computers,” said Manky.

Of course, the potential for harm when such threats can multiply across billions of connected devices is orders of magnitude greater.

“The largest we’ve seen to date is about 15 million infected machines controlled by one network with an attack surface of 20 billion devices. Certainly that number can easily spike to 50 million or more,” said Manky. “You can suddenly have a massive outage globally in terms of all these consumer devices just simply dying and going down.”

Malware, spam, virus, cybersecurity

Jailbreaking the cloud

Expect a proliferation of attacks on cloud and cloud infrastructure, including so-called virtual machines, which are software-based computers. There will be malware specifically built to crack these cloud-based systems.

“Growing reliance on virtualization and both private and hybrid clouds will make these kinds of attacks even more fruitful for cybercriminals,” according to Fortinet.

At the same time, because apps rely on the cloud, mobile devices running compromised apps will provide a way for hackers to remotely attack public and private clouds and access corporate networks.

Hackers will use ghostware to conceal attacks

As law enforcement boosts its forensic capabilities, hackers will adapt to evade detection. Malware designed to penetrate networks, steal information, then cover up its tracks will emerge in 2016. So-called ghostware will make it extremely difficult for companies to track exactly how much data has been compromised, and hinder the ability of law enforcement to prosecute cybercriminals.

“The attacker and the adversaries are getting much more intelligent now,” said Manky.

Alongside ghostware, cybercriminals will continue to employ so-called “blastware” which destroys or disables a systems when detected. “Blastware can be used to take out things like critical infrastructure, and it’s much more of a damaging attack,” he said.

“Because attackers may circumvent preventative controls, detection and response capabilities are becoming increasingly critical,” advises Gartner in its report.

 

Two-faced malware

Many corporations now test new software in a safe environment called a sandbox before running it on their networks.

“A sandbox is designed to do deeper inspection to catch some of these different ways that they’re trying to change their behaviors,” said Manky. “It’s a very effective way to look at these new threats as we move forward.”

That said, hackers in turn are creating malevolent software that seems benign under surveillance, but morphs into malicious code once it’s no longer under suspicion. It’s called two-faced malware.

This is at least partially the sheer volume of attacks is so high — Fortinet sees half a million security threats per minute.

“The reason we see so much volume as well is because cybercriminals are trying to evade [detection]. They know about security vendors, they know about law enforcement, they’re trying to constantly morph and shift their tactics,” said Manky.

 

What can companies and individuals do to protect themselves?

“Companies should definitely enforce more security policies,” said Manky. “Security’s becoming a board level discussion, so that’s already happening, and it should continue to happen.”

Part of any cybersecurity strategy should be the use of antivirus software, the education of employees not to click on unknown attachments or links as well as keeping software up to date, also know as patch management.

“A lot of these devices are not going to be patched that quickly or they might not have an update mechanism on them,” said Manky. “Certainly, any time a patch becomes available, companies should enforce that because these are closing a lot of the holes where attackers are navigating through.”

Here is how Gartner frames it for business seeking to protect themselves in 2016. “While some traditional controls have or will become less effective, techniques such as removing administrative privileges from endpoint users should not be forgotten. Similarly, vulnerability management, configuration management and other basic practices have to be priorities in organizations that have not yet implemented them effectively.”

And ultimately, something is better than nothing, advises the firm: “Addressing priorities does not mean striving for perfection, but rather ensuring, at least, that critical exposures are remediated (or, if applicable, mitigated with compensating controls) and that the residual risks are minimal and acceptable (or at least enumerated and tracked).”