Category Archives: Data Breach

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Posted on September 12, 2017 | Leave a comment

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.

Not all of the TWC records contained information about unique customers. Some contained duplicative information, meaning the breach ultimately exposed less than four million customers. Due to the size of the cache, however, the researchers could not immediately say precisely how many were affected. The leaked data included usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information—though it does not appear that any Social Security numbers or credit card information was exposed.

Time Warner Cable was purchased by Charter Communications last year and is now called Spectrum, though the leaked records date back from this year to at least 2010.

Other databases revealed billing addresses, phone numbers, and other contact info for at least hundreds of thousands of TWC subscribers. The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing the credentials to an unknown number of external systems.

A leak of administrative credentials typically heightens the risk of further systems and sensitive materials being compromised. But Kromtech did not attempt to access or review any of the password protected data, and so the contents of any other servers potentially vulnerable remains unknown.

CCTV footage, presumably of BroadSoft’s workers in Bengaluru, India—where the breach is believed to have originated—was also discovered on the Amazon bucket.

“We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes,” said Bob Diachenko, Kromtech’s chief communications officer. “In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access company’s network and infrastructure.”

Publication of the breach, which Kromtech detailed on its website Friday, was delayed so that BroadSoft could privately alert its customers.

A spokesperson for BroadSoft said the company had verified that customer data was exposed to the public internet, but that it does not believe the information to be “highly sensitive.” The company also does not believe it was accessed by anyone with malicious intent. “We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed.”

Charter Communications sent the following statement:

“We were notified by a vendor that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources. Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them. There is no indication that any Charter systems were impacted. We encourage customers who used the MyTWC app to change their user names and passwords. Protecting customer privacy is of the utmost importance to us. We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident.”

Seems to be an everyday occurrence, cybersecurity is something everyone should be aware of.

 

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

Posted on September 8, 2017 | Leave a comment

Social Security numbers, birth dates, addresses and driver’s license numbers exposed.

Credit-reporting company Equifax Inc. said Thursday that hackers gained access to some of its systems, potentially compromising the personal information of roughly 143 million U.S. consumers in one of the biggest and most threatening data breaches of recent years.

The size of the hack is second only to the pair of attacks on Yahoo disclosed last year that affected the information of as many as 1.5 billion customers. It also involves nearly twice the number affected by one of the highest-profile breaches at a financial firm, the cyberattack at J.P. Morgan Chase & Co. about three years ago.

The Equifax breach could prove especially damaging given the gateway role credit-reporting companies play in helping to determine which consumers gain access to financing and how much of it is made available. The attack differs, too, in that the attackers in one swoop gained access to several pieces of consumers’ information that could make it easier for the attackers to try to commit fraud.

Equifax said hackers gained access to systems containing customers’ names, Social Security numbers, birth dates and addresses. The company also offers credit-monitoring and identity-theft protection products to guard consumers’ personal information.

“This is the nightmare scenario—all four pieces of information in one place,” said John Ulzheimer, a credit specialist and former manager at Equifax.

On Friday, shares of Equifax fell 14% to $123.03 in morning trading in New York.

The incident comes at a time of heightened sensitivity to cyberattacks in the political, commercial and personal realms, especially in the wake of presumed Russian interference in the U.S. presidential election last year.

The number of large hacks has increased in recent years—with incidents involving tens of millions of accounts each involving tech companies, banks, retailers and others.

More companies are putting more information online from more users, creating bigger targets for hackers who continually develop and refine their techniques and tools.

Equifax is one of the big three credit-reporting firms in the U.S. and maintains credit reports on more than 200 million U.S. adults. The other two are TransUnion and Experian. Credit reports compiled by such companies include personally identifiable information as well as records of the credit cards and loans consumers have, their spending limits on cards, and whether they are on time with their debt payments.


“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in prepared remarks. “I apologize to consumers and our business customers for the concern and frustration this causes.”

The four pieces of information exposed in the attack are generally needed for consumers to apply for many forms of consumer credit, including credit cards and personal loans. That means that swindlers who have access to this data could have an easier time getting approved for credit in other people’s names and potentially makes it more difficult for lenders to spot a problem. In addition, Equifax said the hackers gained access to some driver’s license numbers.

An added concern is that the breach raises the chances of more fraudulent loan approvals occurring when various forms of fraud are already hitting lenders and contributing to higher losses.

Smaller financial institutions, including community banks, credit unions and online personal-loan lenders, are more vulnerable to the effects of this breach, said Al Pascual, head of fraud and security at Javelin Strategy & Research.

That is because they are more reliant on the four, key pieces of borrower information when determining whether they are dealing with a legitimate applicant, he said. The biggest banks, he added, have in recent years moved to relying on additional information. With online applications, for example, that includes pinpointing what geographic area the applicant is located in to figure out whether they are an actual person or a fraudster.

Equifax said in its statement that while the incident potentially affected approximately 143 million U.S. consumers, “the company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Equifax said an internal investigation revealed hackers exploited a vulnerability in a U.S. website application to gain unauthorized access to files from mid-May through July. The company said it discovered the breach on July 29.

Equifax said it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review. In the days following the company’s discovery of the breach, three top Equifax executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman said the three executives who sold a small percentage of their Equifax shares on Tuesday, Aug. 1, and Wednesday, Aug. 2, had no knowledge that an intrusion had occurred at the time they sold their shares.

Equifax also said credit-card numbers for approximately 209,000 U.S. consumers were accessed, as well as dispute documents with sensitive information for another 182,000 people.

With the Equifax attack, banks now will have to reissue cards for the approximately 209,000 credit cards stolen in the breach, but for consumers the theft uniquely identifying information such as Social Security numbers and birth dates could have a permanent effect. Additionally, a limited number of people in Canada and the U.K. were affected, the company said.

Stock of other financial companies weren’t initially affected with shares of credit-card issuers and big banks mostly unchanged or up slightly in after-hours trading.

Equifax said it has set up a website—www.equifaxsecurity2017.com—to help consumers determine if their information has been compromised and to allow them to sign up for a complimentary slate of credit-monitoring and identity-theft protection. The company also has established a dedicated call center for consumers.

This is becoming an everyday occurrence.  When are we going to get the message to tighten up security across this nation !!

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Law Enforcement, Security

Tagged ,

How Good Cybersecurity Habits Could Save You Millions

Posted on September 7, 2017 | Leave a comment
Landlords collect extremely valuable information from residents. What many don’t know, however, is that they are liable if their residents’ information is stolen.
by Meeghan Fuhr | Aug 30, 2017

Landlords collect extremely valuable information from residents, including addresses, credit card numbers, social security numbers and bank account numbers, making the multifamily industry an attractive target for hackers. Prevention and detection are key aspects of cybersecurity. What many small multifamily owners and managers don’t know, however, is that they are liable if their residents’ information is stolen.

Small multifamily owners and managers may think they have limited options when it comes to keeping their data secure, but there are many simple preventative measures they can take, and ultimately, it is their responsibility to take them.

“An identity is worth about $10-$20 on the dark net, but the actual liability stemming from its loss could be $158 or more,” said Michael Reese, chief information officer at USA Properties Fund. Multiply that by however many residents are in a database, and you could be looking at millions of dollars.

So, Who is Responsible for Making Cybersecurity a Priority?

A common misconception among management is that cybersecurity is an IT issue when, in reality, every level of an organization needs to be involved and bringing in an outside cybersecurity firm is recommended.

“It’s very difficult to have your own IT department manage your cybersecurity framework. You must have a ‘separation of duties,’ [similar to how] you can’t audit yourself. Cybersecurity is an executive decision, not an IT decision. You need to have governance, policies and procedures, and continuous training and education,” Reese said.

Many people believe they are protected because they have a good firewall, but that is just the first line of defense. “It’s best to have a layered approach,” said Reese, with firewalls, IDS/IPS (intrusion detection systems and intrusion prevention systems), server and workstation anti-virus, and SIEM (security information and event management) software/hardware. Reese also stressed that when you receive a notice that software needs to be updated, don’t ignore it!

Simple, Inexpensive Ways to Lessen the Risk of an Attack

Requiring employees to have strong passwords that are changed regularly is a simple measure multifamily firms of all sizes can implement. “Poor password practices make it that much easier for hackers to get into a company’s network or email,” Reese said. “Passwords that use a combination of numbers, symbols, upper and lower case letters are much more difficult to break.”

Another good practice is to require that Virtual Private Networks (VPNs) always be used for remote access. “If any of your employees work remotely, or link to a public Wi-Fi network (think Starbucks), they should have a VPN network installed on their laptop, tablet or smartphone. A VPN provides a secure path through the web and protects your activities from anyone trying to get in.” Reese noted that there are many relatively affordable options out there.

Additionally, it is important to control access to your firm’s data. Not everyone in your company needs access to all of the systems and data that you have,” Reese said. “Do sales people need access to personnel files, or do operations people need access to accounts receivable information?” It’s best to limit access to data only to those employees who regularly need it.

Lastly, train employees regularly. More than 75 percent of hacks come through some action by an employee, usually as the result of phishing,” Reese said. Phishing emails typically appear to come from a “legitimate” source such as a company, customer or employee, with the goal of either obtaining private information or getting the recipient to click attachments that allow malware into the network. “You should train your employees to question these emails and even call the supposed sender to confirm.”

Train your people to become good ‘cyber-citizens,’” Reese said. “And support a culture of data security!”

You can read the original article at link below from Commercial Property Executive:

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Trove of Private Military Contractor Job Applicants Exposed Online

Posted on September 7, 2017 | Leave a comment

Another day another trove of data goes public – This time, personal and sensitive data of American citizens who applied for jobs at North Carolina-based Private Military Contractor (mercenary and security firm) TigerSwan and hundreds of those claiming “Top Secret” US government security clearances.

According to Chris Vickery, director of cyber risk research at security firm UpGuard; Resumé files of 9,402 people were found available publically on an unprotected Amazon Web Services ran by a third-party vendor TalentPen who used the files for recruitment purposes until February 2017.

A look at the exposed files revealed applicant names, home addresses, phone numbers, email addresses, driver’s license numbers and highly sensitive job history of US military veterans, mercenaries and even Iraqi and Afghan nationals who worked alongside US forces and government institutions back in their countries.

Rich Campagna, CEO at Bitglass, told HackRead.com that: “In the last few months, we’ve seen a string of high profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless, and Dow Jones. These exposures are difficult to stop because they originate from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk. This is why Amazon recently introduced ‘Macie’: to discover, classify and protect sensitive data in AWS S3.

Organisations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS. It could also be argued that these AWS server misconfigurations could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”

TigerSwan was founded in 2008 by retired US Army lieutenant colonel and Delta Force operator James Reese. Since then the international security and global stability firm have provided its services during the infamous Iraq war, 2014 Sochi Olympics and Standing Rock Protests (Dakota Access Pipeline protests, DAPL).

However, in May 2017, The Intercept cited leaked documents indicating that the firm used counterterrorism tactics at standing rock to “defeat pipeline insurgencies.” In 2011, the firm also won a one year contract in Saudi Arabia where it provided construction and security services for the South Gate Entry Control Point, Eskan Village, Riyadh.

In their statement, the firm has acknowledged the issue and said that:

“At no time was there ever a data breach of any TigerSwan server. All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resumé.”

It is unclear for how long the data remained unprotected or whether it was accessed by anyone else other than UpGuard researchers.

“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details, said UpGuard.

At the time of publishing this article, there was no official response from TalentPen, LLC since the company has been dissolved. However, TigerSwan forwarded an email to Gizmodo showing conversation with a former TalentPen employee.

“I’m afraid that it does show activity that seems to be consistent with the number of files and overall size of the total number of files. I want to know exactly how there could even be a possibility of this happening given the security in place to protect data and files. The account was setup to only give access to you and I. I even had to provide you with security credentials to access the information. While I no longer work for TalentPen since it had been dissolved earlier this year, I certainly want to help you get to the bottom of this,” the email said.

Here is an archive look at the now offline TalentPen’s website.

This is not the first time when unprotected trove of data has been discovered online. In January 2017, medical data of Veterans affected by sleep disorders was exposed online. The database contained personal details of over 1,200 veterans who have been suffering from of sleep disorders.

In March this year, a misconfigured drive led to data leak of thousands of US Air Force officials including passports, names, social security numbers and other highly sensitive and personal data.

In June this year again, UpGuard discovered secret Pentagon files left unprotected on an Amazon server. The data included over 60,000 files with some of the very sensitive info publicly accessible and not even protected with a password.

If you are working as a database administrator, it’s time to run a security check and keep the data secure.  If you are using a third party “cloud” provider, double check the security features and your contract with the provider.

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

The Russian Company That Is a Danger to Our Security

Posted on September 6, 2017 | Leave a comment

Eugene Kaspersky, the founder of Kaspersky Lab, is a graduate of the KGB’s elite cryptology institute and was a software engineer for Soviet military intelligence.

MADBURY, N.H. — The Kremlin hacked our presidential election, is waging a cyberwar against our NATO allies and is probing opportunities to use similar tactics against democracies worldwide. Why then are federal agencies, local and state governments and millions of Americans unwittingly inviting this threat into their cyber networks and secure spaces?

That threat is posed by antivirus and security software products created by Kaspersky Lab, a Moscow-based company with extensive ties to Russian intelligence. To close this alarming national security vulnerability, I am advancing bipartisan legislation to prohibit the federal government from using Kaspersky Lab software.

Kaspersky Lab insists that it has “no inappropriate ties with any government.” The company’s products, which are readily available at big-box American retailers, have more than 400 million users around the globe. And it provides security services to major government agencies, including the Department of State, the National Institutes of Health and, reportedly, the Department of Defense.

But at a public hearing of the Senate Intelligence Committee in May, six top intelligence officials, including the heads of the F.B.I., C.I.A. and National Security Agency, were asked if they would be comfortable with Kaspersky Lab software on their agencies’ computers. Each answered with an unequivocal no. I cannot disclose the classified assessments that prompted the intelligence chiefs’ response. But it is unacceptable to ignore questions about Kaspersky Lab because the answers are shielded in classified materials. Fortunately, there is ample publicly available information to help Americans understand the reasons Congress has serious doubts about the company.

The firm’s billionaire founder, Eugene Kaspersky, graduated from the elite cryptology institute of the K.G.B., the Soviet Union’s main intelligence service, and was a software engineer for Soviet military intelligence. He vehemently dismisses concerns that his company assists Russia’s intelligence agencies with cyberespionage and claims that he is the target of Cold War-style conspiracy theories. But Kaspersky Lab has committed missteps that reveal the true nature of its work with Russia’s Federal Security Service, or F.S.B., a successor to the K.G.B.

Bloomberg recently reported on emails from October 2009 in which Mr. Kaspersky directs his staff to work on a secret project “per a big request on the Lubyanka side,” a reference to the F.S.B.’s Moscow offices. The McClatchy news service uncovered records of the official certification of Kaspersky Lab by Russian military intelligence, which experts in this field call “persuasive public evidence” of the company’s links to the Russian government.

The challenge to United States national security grew last year when the company launched a proprietary operating system designed for electrical grids, pipelines, telecommunications networks and other critical infrastructure. The Defense Intelligence Agency recently warned American companies that this software could enable Russian government hackers to shut down critical systems.

Beyond the evidence of direct links between Mr. Kaspersky and the Russian government, we cannot ignore the indirect links inherent in doing business in the Russia of President Vladimir Putin, where oligarchs and tycoons have no choice but to cooperate with the Kremlin. Steve Hall, former C.I.A. station chief in Moscow, told a reporter: “These guys’ families, their well-being, everything they have is in Russia.” He added that he had no doubt that Kaspersky Lab “could be, if it’s not already, under the control of Putin.”

The technical attributes of antivirus software amplify the dangers from Kaspersky Lab. Mr. Kaspersky might be correct when he says that his antivirus software does not contain a “backdoor”: code that deliberately allows access to vulnerable information.

But a backdoor is not necessary. When a user installs Kaspersky Lab software, the company gets an all-access pass to every corner of a user’s computer network, including all applications, files and emails. And because Kaspersky’s servers are in Russia, sensitive United States data is constantly cycled through a hostile country. Under Russian laws and according to Kaspersky Lab’s certification by the F.S.B., the company is required to assist the spy agency in its operations, and the F.S.B. can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions.

The Senate Armed Services Committee in June adopted my measure to prohibit the Department of Defense from using Kaspersky Lab software, to limit fallout from what they fear is already a huge breach of national security data. When broad defense legislation comes before the Senate in the weeks ahead, they hope to amend it to ban Kaspersky software from all of the federal government.

Americans were outraged by Russia’s interference in our presidential election, but a wider threat is Russia’s doctrine of hybrid warfare, which includes cybersabotage of critical American infrastructure from nuclear plants to electrical grids. Kaspersky Lab, with an active presence in millions of computer systems in the United States, is capable of playing a powerful role in such an assault. It’s time to put a stop to this threat to our national security.
You do your own research and then decide if you would want Kaspersky software on your PC in your home.

 

Leave a comment

Posted in Cyber Security, Data Breach, Encryption, Hacking, Security

Tagged , ,

Third parties leave your network open to attacks

Posted on August 28, 2017 | Leave a comment

With the Target example as the high-water mark, enterprises need to worry about the lack of security on the part of third-party providers that have access to internal systems.

Most businesses hire third-party providers to fill in when they lack in-house resources. It is often necessary to allow third-party vendors access to their network. But after Target’s network was breached a few years ago because of an HVAC vendor’s lack of security, the focus continues to be on how to allow third parties access to the network without creating a security hole.

The use of third-party providers is widespread, as are breaches associated with them. Identity risk and lifestyle solution provider SecZetta claims that on average, 40 percent of the workforce make up third parties. A recent survey done by Soha Systems notes that 63 percent of all data breaches can be attributed to a third party. “The increased reliance on third-party employees, coupled with the growing sophistication of hackers, has led to the current identity and access management crisis that most businesses are faced with today — whether they realize it or not,” a SecZetta blog post stated.

Rick Caccia, CMO at Exabeam, explained that the Target breach shined a light on the risks that come with trusted partners. On one hand, they often have access to the most sensitive data and systems within a firm’s environment. On the other, the firm has little insight into the partner’s own security processes and doesn’t really know the partner’s employees or their routines.

David Baker, vice president of operations at Bugcrowd, said “The rule of thumb most CSOs live by is that you only use a third party if they do something better than you. So whether that’s delivering a package or managing your data center, if an outsourced third party does it better, it makes sense to use them. This extends to security.”

For example, a large number of organizations have outsourced their data centers to Amazon Web Services (AWS) not only because the functionality of building the technology on AWS is better than what organizations can achieve on their own, but also because the security offered is better than what companies can build themselves, he said.

“If you use a third party and want to avoid something like what happened with Target, you need to have a process by which you select those third parties, and a big part of that criteria should be security. Security has to be something you can measure that they do better than you,” Baker said.

Markus Jakobsson, chief scientist at Agari, said the one big disadvantage to working with third-party vendors is the loss of control over security. “Not only does each vendor create a new entry point into an organization’s network for cyber criminals to exploit, but it also means every employee for that vendor is now a potential target to breach your brand. Unfortunately, the only way to ensure your company is not exposed to greater risks is by keeping everything in-house. But in today’s digital world, this isn’t a reality.”

Mike McKee, CEO of ObserveIT, said the lack of visibility into what users at third-party providers are doing – accidentally or intentionally – is a huge security risk.

“Every organization must ensure it has identified the outside parties with access to systems and data and have secure procedures in place, strict policies for these users to follow, and effective technology in place to monitor and detect if the third parties are putting their organization at risk,” he said.

It is the cost of doing business that leaves your network vulnerable to third parties, said Yitzhak (Itzik) Vager, vice president of cyber product management and business development at Verint Systems. Manufacturers connect directly to suppliers to manage just-in-time production. Accounting departments connect to external invoicing and receipt systems, and the marketing team has given all types of automated solutions access to the network infrastructure.

“Organizations need to assume that they have been already breached by a third-party leaving a hole in your network, and therefore they need to move to detection and response area solutions that consider the big picture, delivering complete visibility by detecting across the entire network, endpoints and payloads.”

Richard Henderson, Global Security Strategist at Absolute, agrees. ​”In the majority of cases, companies will have no way to learn if those partners have a breach or fall prey to atta​ck. Add to this that regulators (and customers) really don’t care if someone else was responsibl​e and it seems like an unwinnable battle. After the damage is done, organizations are left picking up the pieces and will be the ones called to task and held accountable.”

Carl Herberger, vice president of security solutions at Radware, said that business units are under a lot of pressure to leverage new solutions to speed time-to-market and reduce costs. Typically, security is a secondary consideration.

“Most of these business teams don’t have the skills or knowledge to assess security requirements and can result in partnering with a vendor who may leave the company’s networks open to attack,” Herberger said.

If an enterprise lets a third party onto their network, regardless of the reason, that third party then becomes an integral part of their security perimeter, notes Amir Jerbi, CTO of container security company Aqua Security. “Organizations should therefore vet third parties for their security measures and practices and ensure they are aligned with their own, and furthermore, periodically check and test those practices to verify they are still in compliance. These checks may (and should) cover systems, process and people.”

Alertsec’s CEO Ebba Blitz advises to make sure everyone plays by your rules. If full disk encryption is mandated for your own staff, make sure that your third parties do the same. “All too many third parties log into your network from unknown devices – devices that you don’t manage and can’t control, unless they are enrolled in your network. Make sure data only flows to encrypted devices, whether they are enrolled in your IT infrastructure or not.”

Third-party risk management

The market has pushed forward with third-party risk management programs to answer this dilemma. A program such as this would tell if a third party was located offshore or onshore, use a corporate issued device or a personal device, have had a background check performed, and whether they will be performing a critical function for the organization.

“When it comes to the cyber world, vendors must demonstrate that they understand security and have a mature security program in place, including policies and employee training,” noted Asher DeMetz, manager- security consulting at Sungard Availability Services. Any third-party systems connected to the company’s network would need to have a proper business function and owner, and align to the company’s own security program (secure, monitored, controlled).

“The software or hardware would need to be validated with the correct security controls and attestation of security testing, and possibly compliance. If the third party is making configuration changes, these would have to go through proper change-management channels to ensure that they align to the security program and don’t introduce risk into the environment,” DeMetz added.

Risk management involving external actors can be a very challenging activity for a variety of reasons, said Bluelock Director of Engineering Derek Brost. “There are two major factors for consideration. First, is sufficiently involving legal counsel to ensure contractual designation of responsibility, diligence and due care. As a backstop, this should also permit enforcement or litigation related to reclaiming loss or damage if things go awry. Second, is allocating continuous resources for proper control and oversight of external activities in the form of authentication management, timely activity analysis, and especially audit review.”

Unfortunately, businesses commonly involve third parties for cost reduction or “quick fixes,” so an adequate level of investment may not be considered in the budget or overall cost for administering external actors, said Brost. However, like all risk management activities, these costs need to be considered up-front as part of the overall tolerance and loss potential.

Kennet Westby, president and co-founder of Coalfire, said every organization should have a robust third-party vendor management program that is built to support the validation that critical vendors are delivering on their committed services. Part of that vendor management process should be to validate that your vendor has internal security controls. If your vendor management program requires these third parties to operate at an even greater standard than your internal controls, you can actually reduce risk more than if internally managed.

That brings us to identity access management. As SecZetta explained in a blog post, no person or department is in charge of managing non-employee identities (people data) and their relationships at most companies. IT might provide access, but the initial access and managing of non-employee changes is charged to HR or procurement.

This is a challenge, especially in cases where non-employees have greater access to sensitive information than internal employees. If a non-employee is granted access to these sensitive systems for a nine-month period but finishes the job early after six months, there are three months in which the non-employee may still have access to sensitive systems. These are exactly the types of accounts that hackers look for when trying to penetrate systems and steal data, according to SecZetta.

Ryan Stolte, co-founder and CTO at Bay Dynamics, said keeping track of who is doing what is a daunting task. “Instead of trying to boil the ocean, keeping tabs on every user for every vendor, security teams must hone in on those that access the company’s most valued applications and systems.”

Instead of trying to boil the ocean, keeping tabs on every user for every vendor, security teams must hone in on those that access the company’s most valued applications and systems.
Ryan Stolte, co-founder and CTO at Bay Dynamics

Effective vendor risk management begins with identifying your crown jewels and the impact to your organization if those crown jewels were compromised, he said. Then, look at which vendors have access to those crown jewels and continuously monitor not just the vendor users’ activity, but also their team members and fellow users in the larger group. If your security tools flag an unusual behavior coming from a vendor user, it’s important to engage the application owner who governs the application at risk, asking the owner to qualify if the behavior is unusual or business justified. If the behavior is unusual, that threat alert should go to the top of the investigation pile.

“It’s important to consider that often third-party vendors are non-malicious threats. Oftentimes, vendor employees are less conscious than full-time employees of good cyber security hygiene and therefore unintentionally expose your company to risk,” he said.

Viewpost’s CSO Chris Pierson said that having a well-developed vendor assurance program is necessary to oversee, quantify, communicate and mitigate risks. This program should consider the company mission, goals and objectives for the vendor, and provide a review process that looks at all types of risk – cybersecurity, privacy, regulatory/legal, financial, operational and reputational.

All vendor risks should then be scored, owned by the business line executive responsible for the product/service, and depending on level of harm, socialized and even approved by a governance risk committee. “By rating your vendors based on the criticality of the product/service they provide and the risks, the company can more adequately manage these risks, request mitigating controls, or off-board the vendor,” said Pierson.

Rod Murchison, vice president of product management at CrowdStrike, said when it comes to security, being knowledgeable after an event happens is insufficient. “Real-time visibility into the security posture of your network is something every organization should strive to achieve and maintain going forward,” he said.

To mitigate these types of threats, the most sophisticated endpoint security solutions can sense and analyze enough data in real-time to ensure that breaches and intrusions are observed in real-time, he added. “These new solutions leverage advancements in machine learning, artificial intelligence and analytics so organizations can quickly observe and fill unintentional, and sometimes intentional, holes left by third-party organizations.”

With the growing landscape of global privacy regulations, such as the General Data Protection Regulation (GDPR), the ability to control the uses of data throughout its life cycle will be critical. Strong access management controls can help, but often data masking and anonymization need to be implemented to manage access to key data fields, said Focal Point Data Risk’s Data Privacy Practice Leader Eric Dieterich.

What’s the solution?

Third-party access requires a layered security approach with dynamic contextual access control applied throughout, said Gerry Gebel, vice president of business development at Axiomatics. For example, one layer of security is to dynamically control who can access your network. Another layer would be to control access to APIs, data and other assets once these third parties are on the network.

Caccia advises that third-party access to assets is a perfect scenario for behavioral analytics, where the system baselines normal behavior of users on the network, even with limited knowledge of who those users actually are. “User behavior analytics (UBA) should be table stakes for any firm that works with partners extensively; it’s the best – perhaps only – way to understand and control what once-removed users are doing on your network and with your data,” he said.

Henderson recommended that companies make sure governance policies around vendor management are bolstered and reinforced. This should include policies around regular and random audits of those vendors. Those audits should have the ability to return quantifiable and definable metrics.

Also when it comes to creating and drafting contracts with these vendors, it’s critical that the appropriate sections clearly define the security and privacy obligations expected of the vendor are included.

“I like the idea of inserting data canaries into the record sets that are shared with third parties and then watching for those canaries to pop up in dumps online. You would be amazed at how often data leaks onto the web and shows up in places like pastebin,” Henderson said. “Other things that make me nervous about this problem are quite simply the fact that all the staff, resources, tools and technologies can often be defeated by nothing more than some middle manager somewhere dumping a huge amount of customer data into a spreadsheet then sending it off via email to some previously unknown third party contracted by a business unit to run a bulk email campaign.”

For other enterprises an important lesson is to ensure that third parties have no way to reach those portions of the network, he advised. “Microsegmentation of your environment, as well as many other tools designed to keep traffic from co-mingling, can stop or at the very least, slow down an attacker, giving your security teams valuable time to detect and respond to an incident,” he said.

While it’s not possible to avoid third parties, Javvad Malik, security advocate at AlienVault, said there are many fundamental security practices that can help mitigate the risks. Examples of such would include:

  • Knowing your assets – by understanding your assets, particularly critical ones, it can be easier to determine effectively what systems third parties should have access to and restricting it to those.
  • Monitoring controls – having in place effective monitoring to determine whether third parties are only accessing systems they should and in a manner they should. Behavioral monitoring can help in this regard by highlighting where activity falls outside of normal parameters.
  • Segregation – by segregating networks and assets, one can contain any breaches to one specific area.
  • Assurance – proactively seek out regular assurance that the security controls implemented are working as intended.

Jeremy Koppen, FireEye principal consultant, said there are four security controls that should be discussed regarding third-party access:

  • Assign a unique user account to each vendor user to better monitor each account and identify abnormal activity.
  • Require two-factor authentication for access to applications and resources that could provide direct or indirect access to the internal network. This protects an organization in case the vendor’s user credentials are compromised.
  • Restrict all third-party accounts to only allow access to systems and networks required.
  • Disable all accounts within the environment upon termination of third-party relationship.

In the enterprise application development world, Jerbi sees many companies being caught off guard by third-party use of emerging technologies such as virtual containers. If a company is using containerized applications from a third party, that application should be vetted for container-specific security risks such as vulnerabilities in container images, hard–coded secrets and configuration flaws.

Baker said there are plenty of best practices to look for when choosing a vendor: how transparent is their security? Do they have third-party security testing? Do they share the results of that testing? “In the end, choosing a secure vendor alone won’t necessarily prevent another Target, but it will prevent the third-party firms you work with from being the weak link,” he said.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Public Cloud, Security

Tagged ,

PlayStation suffers social media hack, possible data breach

Posted on August 23, 2017 | Leave a comment

PlayStation’s official social media accounts have been temporarily exposed, with the gaming company’s Twitter account showing messages from a hacking group who claim responsibility.

Screenshots of the tweets, posted on the morning of Monday 21 August, suggest that PlayStation Network databases were leaked, but this has neither been confirmed or denied by Sony.

The tweets have now been deleted by PlayStation, which quickly took back control of its social media. The messages, which allegedly came from a hacking group known as OurMine, directed readers to the group’s contact web page and called for PlayStation employees to get in touch.

The group pledges not to share the leaks, stating that it is a security organization.

OurMine is a security hacker group based in Saudi Arabia. According to its website, it is a White Hat group that looks to help companies protect their security by exposing vulnerabilities.

Its website states that the group can ‘help you secure your network, show you all available vulnerabilities, and fix them all.’ It also notes that it has the capability to crack anything from a social media account to an entire network.

While the only confirmed security breach so far has been on PlayStation’s social media accounts, the tweeted threat that database information has also been leaked is likely to worry Sony and its customer base.

It is not the first time that Playstation has suffered a breach. The gaming giant suffered a leak in 2011, in which personal details from 77 million accounts were compromised and caused Sony to turn off the Playstation Network for 23 days.

Following the breach, Sony faced criticism over the way it handled the leak and was slow to warn users.

Another high-profile entertainment breach was under the spotlight recently which saw HBO suffer an attack and the loss of 1.5 terabytes of data, including a script for hit show Game of Thrones.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Hackers are aggressively targeting law firms’ data

Posted on August 3, 2017 | Leave a comment

Behind every splashy headline is a legal industry that’s duking it out – helping to support entrepreneurs and big corporations in a power struggle to dominate their industry. From patent disputes to employment contracts, law firms have a lot of exposure to sensitive information.  Because of their involvement, confidential information is stored on the enterprise systems that law firms use.

This makes them a juicy target for hackers that want to steal consumer information and corporate intelligence.

For an example of this, look no further than the Panama Papers – “…an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca.”

This was devastating, but it is only one example among many. Just a few weeks ago news broke that a ransomware attack was successfully executed against yet another multinational firm – DLA Piper. This ransomware attack left the firm, with estimated revenues of $2.5 billion, completely without access to its own data.

“Law firms are the subject of targeted attacks for one simple reason,” says John Sweeney, President of LogicForce. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

These headlines, buried among the others, make it clear that the legal industry is facing an unprecedented cyber-security challenge. And solving this problem starts with helping firms realize they’ve been victims.

40% of firms did not know they were breached in 2016

The Law Firm Cybersecurity Scorecard includes an array of assessments – from cyber defenses, crisis management procedures, and post-hack responses. The report comes to a chilling conclusion: “…40% of surveyed law firms had experienced a data breach in 2016 and did not know about it.”

Part of the challenge is the skyrocketing cost of cybersecurity. Hiring an in-house team simply isn’t feasible for most firms. Instead they rely on consumer-grade technology that is ill-equipped for the threats they are facing.

The solution, as we’ve seen in many industries, is to outsource cybersecurity to trusted firms that can offer heavy-hitting, managed solutions at an affordable rate. SaaS (Software as a Service) is long overdue in this space, and thankfully it’s becoming more and more available.

An evolving threat matrix

Real-time industry expertise is an important part of the solution – something software alone can’t handle.

Today’s hackers hold a strategic advantage because of the growing numbers of devices and associated vulnerabilities. Every access point is a potential breach. A knowledgeable, sophisticated team can create security solutions specially crafted to meet the challenges that law firms face.

One of the greatest challenges in modern security is the Internet of Things (IoT). Everything from the appliances in the breakroom to the smartphones in the pockets of employees create dynamic networks – communicating information in a way that opens up opportunities to hackers.

The threat goes beyond teams. An individual attorney uses a plethora of electronic devices, all networked together to provide a more streamlined work environment. And human intelligence, served up to hackers through social media, only makes targeted cyber-attacks easier.

Preparing for data breaches

There are things attorneys and other legal professionals can do to start upping their defenses.

  1. The American Bar Association has published a comprehensive guide for law firms – including both methods for preventing and responding to cyber-attacks.
  2. Firm managers need to create a data security plan that speaks to every member of their team. Educate employees on strategies for identifying phishing attacks and other dangerous threats aimed at fooling people into compromising networks.
  3. Engage outside IT security experts and have risk assessments completed on a regular basis. If you can identify vulnerabilities, you can put a plan in place to minimize or eliminate them.
  4. Communicate and enforce a password policy that limits access and requires authorized users to regularly change their credentials.
  5. Conduct a weekly check for patches or other updates to computer security software.
  6. Develop a comprehensive breach response plan. After you’ve been hacked, it will be too late to develop a competent response that protects the Firm’s reputation.

It’s my hope that companies will wake up to the realities of cyberthreats.  I’ve witnessed the horrible pain and anguish that comes from the breach of an unprepared company. If you understand the threat, and then use honest assessment to develop improvements and response plans, you will find that operating in the digital age doesn’t have to be a nightmare.

 

 

Leave a comment

Posted in Cyber Security, Data Breach, Forensic, Hacking, Security

Tagged , , ,

HBO Says It Was Hacked, Some Programming Stolen

Posted on August 1, 2017 | Leave a comment

Hackers claim to have stolen information related to HBO’s Game of Thrones, allegedly including written material from an upcoming episode. HBO has confirmed a hack occurred, but not what information was acquired. Here, Samwell Tarly (John Bradley) sits with some written material of his own. Helen Sloan/courtesy of HBO

HBO says it has been hacked, and that the perpetrators have acquired some programming.

The premium cable channel won’t confirm what materials were acquired in the cyber breach. But the alleged perpetrators claim to have acquired text related to the popular — and famously spoiler-plagued — Game of Thrones.

“Hackers claimed to have obtained 1.5 terabytes of data from the company. So far, an upcoming episode of Ballers and Room 104 have apparently been put online. There is also written material that’s allegedly from next week’s fourth episode of Game of Thrones. More is promised to be ‘coming soon.’ ”

It’s not clear if the hackers do actually have any Game of Thrones material.

NPR’s Eric Deggans reports:
” HBO is so secretive about spoilers involving its hit series Game of Thrones, journalists weren’t even given advance copies of new episodes before the new season began July 16.

“Now HBO has acknowledged that a ‘cyber incident’ resulted in stolen proprietary information, including some programming. … HBO says it is working with law enforcement and cybersecurity firms to investigate the breach.”

HBO has had material prematurely leaked online — including screeners, clips from overseas distributors and a Game of Thrones trailer.  But none of those incidents involved hacking.

“Hacking Hollywood can have significant repercussions,” The Associated Press notes. “Sony struggled in the aftermath of its huge hack in 2014, which leaked employee emails as well as films.”

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Casino hacked through fish tanks private officer

Posted on July 25, 2017 | Leave a comment

Most people know about phishing — but one casino recently learned about the dangers of actual fish tanks.

Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.

“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable — but it became a weak link in a the casino’s security.

The unnamed casino’s rogue fish tank is one of nine unusual threats that Darktrace identified on corporate networks published in a report Thursday.

The report cites examples compiled from Darktrace’s threat detection technology. Darktrace makes security technology that sits on a company’s network and monitors the activity taking place. That could be anything from data transferred between computers or actions taken by a connected coffee maker.

When the technology notices an anomaly — like a device that doesn’t belong or data being sent somewhere it shouldn’t — it alerts the company’s security team.

In another example of an unusual attack, smart drawing pads connected to insecure wifi were used to send data to websites around the world in what’s called a “denial of service” attack. A hacker had scanned the internet looking for vulnerable devices, and exploited them to try and flood other websites with too much traffic.

We’ve seen cybercriminals leverage connected devices for destructive purposes before.

Last year, the Mirai botnet took control of smart home devices, like security cameras, all over the world, effectively turning them into zombie machines directing web traffic to take down popular websites like Netflix and Twitter.

Fier, a former U.S. intelligence contractor, says he anticipates threats coming from more unexpected places. Phishing emails will be one way hackers can get onto systems. But things like insecure fish tanks connected to the internet will be another.

“In the current cyber climate with political and corporate espionage, I think you’re going to start to see attackers, whether nationstate or criminal, having to get more creative in their attack vectors,” Fier said.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,