I’m honored and humbled that my colleagues have asked me to join them to speak on a panel Cybersecurity for CEO’s “The Game Has Changed” Atlanta Georgia World Conference Center June 21-24 for National Apartment Association.
https://www.naahq.org/education-conference/education
Unauthorized activity detected from March 24 through April 18
Chipotle Mexican Grill Inc. said on Tuesday that it detected unauthorized activity on its payment system this spring.
The company did not have details about the extent of the hack, and how many restaurants or customers could have been affected. CFO Jack Hartung said during the company’s earnings call on Tuesday that the hack affected the company’s credit card systems from March 24 through April 18.
Chipotle Mexican Grill Inc. said on Tuesday that it detected unauthorized activity on its payment system this spring.
The company did not have details about the extent of the hack, and how many restaurants or customers could have been affected. CFO Jack Hartung said during the company’s earnings call on Tuesday that the hack affected the company’s credit card systems from March 24 through April 18.
Hartung said the company immediately began an investigation, working with cyber security firms.
“We believe the actions taken have stopped the unauthorized activity,” he said.
The news put a damper on an otherwise strong first-quarter earnings report for the Denver-based burrito chain.
Chipotle reported 17.8-percent same-store sales growth in the quarter ended March 31, along with improved profit margins. The numbers were unexpectedly positive and led to a spike that at one time put Chipotle’s stock price above $500 a share for the first time since February 2016.
After Chipotle revealed news of the hack, the stock price fell below $480.
Just another day at the office.
The National Cyber Incident Response Plan describes how stakeholders in numerous areas can properly react to cybersecurity threats.
The Department of Homeland Security released a refreshed version of its National Cyber Incident Response Plan (NCIRP), with a strong focus on how the US can react to cybersecurity threats to critical infrastructure.
The NCIRP as previously published on September 30, 2016, with a national engagement period that went until October 31, 2016.
“The NCIRP describes a national approach to dealing with cyber incidents; addresses the important role that the private sector, state and local governments, and multiple federal agencies play in responding to incidents and how the actions of all fit together for an integrated response,” the US Computer Emergency Readiness Team (US-CERT) stated on its website.
Public and private partnerships are critical to address major cybersecurity risks to critical infrastructure, the NCRIP executive summary explains. Furthermore, the plan “sets common doctrine and a strategic framework for national, sector, and individual organization cyber operational plans.”
Several guiding principles outlined in the Presidential Policy Directive (PPD)-41 also helped DHS and other agencies create the NCRIP:
“While steady-state activities and the development of a common operational picture are key components of the NCIRP, the Plan focuses on building the mechanisms needed to respond to a significant cyber incident,” according to the NCRIP.
The plan also differentiates between a “cyber incident” and a “significant cyber incident.” The former is when the “confidentiality, integrity, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident” are potentially jeopardized.
Significant cyber incidents on the other hand are events that potentially result in “demonstrable harm” to national security interests, foreign relations, US economy, public confidence, civil liberties, or public health and safety.
The DHS Office of Cybersecurity and Communications will also conduct and oversee NCIRP reviews and maintenance in coordination with the DOJ, Office of the Director of National Intelligence, and Sector Specific Agencies.
“The revision process includes developing or updating any documents necessary to carry out capabilities,” the NCIRP explained. “Significant updates to the Plan will be vetted through a public-private senior-level review process.”
The Healthcare Information Management Systems Society (HIMSS) previously commented on DHS response plan, saying it supported the overall principle of cybersecurity education and readiness being shared responsibilities.
HIMSS did point out that all dimensions of potential cybersecurity threats should be considered. For example, IT infrastructure and assets can exist in terrestrial, sea, air, and space. The NCIRP should therefore address all dimensions to help create a flexible response plan.
“The complexity of threat and asset response may be significantly compounded, especially when multiple dimensions are in play— including in the private and public sectors (e.g., underwater data centers, undersea Internet cables, satellite communications, and over-the-air communications),” HIMSS wrote to DHS.
HIMSS also said in its October 2016 letter that a better definition of what qualifies as a cyber incident was necessary. Large cyber threats that could potentially impact public health and safety are a top concern for HIMSS, the organization explained. HIMSS said it is already working to ensure that the healthcare industry understands how to properly prepare for such threats.
“As the federal government’s decision to fund two grants for the NH-ISAC indicated, coordination across the healthcare community is becoming increasingly important in the fight against cyberattacks,” the letter stated. “Collaboration with the NH-ISAC and other stakeholders, particularly on threat identification and incident mitigation, will have a significant impact on public health and safety.”
Posted in Cyber Security, Data Breach, Healthcare, Security
Tagged cyber security, DHS
Hi Subscribers! Please accept my sincere apology for the above email pushed out to all users recently. GoDaddy disabled one of my security plugins which allowed unauthorized emails to be posted.
I wish I could write in Latin like that. It gets me inspired to learn a new language.
I worked with GoDaddy to fix and avoid unnecessary emails being sent to my valuable users. Thank you for your support and comments.
Michael
The Digital Age Blog
From day one, we have said that employees are the weakest link in the cybersecurity chain for an organization. In a recent webcast, Michael Gelles and Robert McFadden of Deloitte Consulting LLP highlighted just how big of a threat “insiders” are to an organization’s cybersecurity well-being.
The term “insider threats” often refers to individuals who use their knowledge of or access to an organization and its systems to deliberately perpetrate wrongdoing, whether fraud, sabotage, theft or a violent act. These individuals may be current or former employees, contractors, or employees of third-party service providers.
However, insider threats are not all the same. There are three types of insider threats:
In a study titled “The Widespread Risk of Insider Threats” the following data was collected:
Let’s take a moment to review the above statistics. I think it’s safe to say that we are our own worst enemy. There are two trends we can take away from the study. One, we aren’t doing a good enough job (statistics actually show that we aren’t doing this job at all) of monitoring the activity of our employees. With the evident threat of cybersecurity issues being in the limelight as of late, you would think this would be a major priority of managers and high-level executives. However, this leads us to our second trend that we can identify. If an employee has a negative experience at work, such as being flagged for their suspicious work behavior, statistics show that nine out of ten cases could lead to an insider threat occurrence. That has to be an extremely daunting area of concern for managers and executives to analyze. How do you manage your insider threats without unintentionally creating an insider threat?
The stakes of becoming the next big breach in the news are higher than ever. Cybercriminals are making very lucrative careers out of breaching networks and stealing personally identifiable information. As we become an increasingly information-based economy, securing your network and sensitive data are more critical than ever to any organization’s survival. In 2015, it was estimated that 58% of all data security threats came from the extended enterprise (employees, ex-employees, and trusted partners). Statistics also showed that an insider attack costs a company over $400,000 per incident and approximately $15 million in annual losses per company. Some incidences have gone on to cost a company more than $1 billion.
Whether you are dealing with a malicious, exploited or careless insider, they all end with unauthorized users having access to your company’s sensitive data. Below are “12 Steps to Future Proofing Your Internal Security” from IS Decisions:
Customers are increasingly going to be scrutinizing companies on their approach to security, so it helps to be able to show them that you have the right attitude about keeping their data safe.
Posted in Cyber Security, Data Breach, Hacking, Security
Tagged cyber security, Data Security
Very few of us fall for the old Nigerian prince email scam these days, and even fewer will click on a pop-up ad inviting us to “win $1 million” by playing a simple game. We’ve come a long way in terms of learning the do’s and don’ts of cyber security, but that doesn’t mean our days of online vulnerability are completely behind us.
Over 6 million internet users were attacked by malware in 2015. As we become savvier to the tricks they’ve pulled in the past, hackers begin to up their game by catching us where we least expect it. Although we’d like to assume that all of those users who were attacked in 2015 were prime targets, or perhaps people who are a bit less tech savvy than the rest of us, the fact is that many of them were normal internet browsers like you and me who actually know a thing or two about online safety.
There are additional risks these days, and even some of the tech-savviest internet users create cyber security risks without knowing it. To help avoid online attacks, here is a list of some of the top cyber security mistakes internet users are making in 2016.
According to a recent survey, 59 percent of millennials store passwords in their browsers on a regular basis. It may be convenient to easily access your most-used accounts without typing in a username and password each time, but it also puts you at serious risk for an online attack.
The first step in keeping your passwords safe is to create a strong password that uses numbers, symbols, and both capital and lower case letters. You’ll also want to use a different password for each site. Once you’ve got a solid password for each of your online accounts, avoid storing them in your browser! If you’re like me and tend to forget things easily, try using a secure password storage system or software such as “KeePass, LastPass, Dashlane, 1 Password, RoboForm” to keep track of your logins.
Prices for phones, laptops, and tablets can be high these days. The good news is that the market for selling used electronics online is getting bigger and more easily accessible. The bad news is that scammers have begun to use this second-hand marketplace as a means for duping consumers into paying more for devices that they’ve already paid for.
If you’re looking into purchasing a used device online, it will be important to ensure that it is unlocked. There will be different processes for checking iOS and Android devices.
For iOS devices, you’ll also need to ensure that the former user’s iCloud account is taken off of your device. If it’s not, you’ll need to take the necessary steps to remove their account from your device before they have a chance to lock the phone.
The ability to hop onto free Wi-Fi at your local coffee shop or the university library sure does make working on projects or simply browsing much easier on the go. The problem is, hackers are starting to take advantage of society’s reliance upon public Wi-Fi connections.
Do your best to avoid Wi-Fi connections that don’t have password protection when you’re out and about. Checking for the password of the official Wi-Fi at your location of choice will also help you avoid logging into a network set up by hackers looking to view your online activity.
To be extra secure on public Wi-Fi, stick to HTTPS sites while you’re browsing and look into using a virtual private network. It’s also best to avoid installing new software while using a public Wi-Fi network.
We’re all guilty of clicking out of software update notifications when they pop up on our screens. Although taking a few minutes to update your device’s security software may seem like a burden in the middle of a big project, it will be worth your while when it prevents an online attacker from installing malware on your device.
Be sure to install security software updates each time you receive a notification. If you’re connected to a public Wi-Fi network or really don’t have the time to do it when the notification pops up, set a reminder to install the new software later. The longer your device runs without up-to-speed security software, the more vulnerable you become to cyber security breaches.
Most of us receive emails from banks, utility companies, and other organizations with links to view account activity online. Although these are typically from a trusted source, you can never be too sure. A well-written email from a seemingly credible source could send you a link that installs malware on your device when clicked.
Next time you receive a link in an email, leave your email account and look for the actual site in your browser to avoid clicking on a malicious link. For example, even if the link goes to your bank of choice, it’s best to leave your account and log in through a trusted portal.
Have you been making any of these common cyber security errors? If so, it’s about time to take action and implement the provided tips to protect yourself from online attacks.
Share your experiences in the comment section.
Posted in Cyber Security, Data Breach, eDiscovery, Encryption, Hacking, Malware
Tagged cyber security