Breaches

April 27, 2010

Compliance Mandates Met Some Teeth.

According to Dark Reading, the bottom lines of two companies were hit over the past

several weeks due to data breach fines. The Financial Industry Regulatory

Authority (FINRA) fined one firm $375,000 while the Florida Attorney General fined another $975,000. Read the full article here:

http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml

Posted by Jeff Coveney on April 27, 2010 at 01:44 PM in Breaches, Compliance (General) | | Comments (0) | TrackBack (0)

|

April 16, 2010

Are Data Breach Notification Laws The Right Approach?

Nearly every state has a data breach notification law. Most recently, Mississippi passed a law requiring organizations to notify residents of any breach impacting personal identifiable information (PII).  PII is defined as records that contain the first name and last name or first initial and last name plus any of the following:

  • Social Security number
  • Driver's license or state-issued identification card number
  • Financial account number
  • Credit or debit card number

Only four states have not passed data breach notification laws. They are Alabama, Kentucky, New Mexico, and South Dakota. It is highly likely that they will follow suit in the near future.

The only state that has gone above and beyond these notification laws is Massachusetts. The state has taken a more proactive approach to sensitive information and recently passed the Massachusetts Data Privacy Law 201 CMR 17 (March 1, 2010). The law requires the establishment of a comprehensive information security program to ensure every Massachusetts resident is protected against identity theft or fraud.

Mass 201 impacts nearly every large organization. The law doesn’t care where the business is located –if information about a Massachusetts resident’s PII has been collected, the regulation applies. And if an organization doesn’t comply with the law it can result in penalties of up to $50,000 for each instance.

 

What really confuses me is why has it taken so long for other states to follow? And is establishing data breach notification laws based upon a map really the right approach? I mean if data breaches never happened, no one would need to be notified… proactively securing sensitive data in order to prevent breaches sounds much more sensible AND ultimately more cost effective. If I stop by my local retailer on the way home from work tonight, I’d feel a lot better knowing  that my sensitive information is secure  --  rather than knowing that they’ll let me know if it’s compromised.

To learn more about the Mass 201 law, check out our Website. 

 

XVZAPQWT57WH

Posted by Kelly Kane on April 16, 2010 at 05:19 PM in Breaches, Compliance (General), Database Security (general) | | Comments (1) | TrackBack (0)

Technorati Tags: , , , , , , , , ,

|

December 28, 2009

Only As Strong As The Weakest Link

By now we have all heard about how hacker, Albert Gonzales, and a cohort of his victimized Heartland Payment Systems, Hannaford Brothers, 7-Eleven by stealing over 130 million credit and debit card numbers by exploiting SQL Injection vulnerabilities.  The same hacker is also accused of breaching TJX Companies, Dave & Busters, and the Boston Market chains.

Because of the enormous size of the breaches, there have been a number of lively responses by the security and compliance industry regarding the technical details of the breaches as well as renewed scrutiny of the industry PCI-DSS regulation.  Details are sketchy but one thing we know for certain is that it starts with an exposed application and a database.  The rest of the breach involves getting into the network and navigating around, which brings me to my point.  Security pundits have taken to heart long ago that your IT environment is only as strong as your weakest link.  In these cases, the entry point to the network was though the application and the database, but the anatomy of the attack certainly went well beyond that.  They got into the network, installed software, and presumably navigated around the corporate network performing reconnaissance, before digging for the payload, getting it out and covering their tracks.  Once a hacker gets in, they start to exploit found vulnerabilities to take on the credentials of privileged applications, and armed with what is pretty much a fake passport, digitally travel around the corporate network.

We work with many companies on their security & compliance programs and one thing everyone tries to do is to reduce the scope of what needs to be protected-- draw a circle around a defined set of systems and apply specific controls to them.  It's the practical thing to do because a company only has so many resources. This is done by identifying the systems and applications that house the most critical information-- usually systems that contain information that is regulated by SOX, PCI, HIPAA, FISMA, etc.  But one area that tends to be forgotten is that networks are connected, and the network is "only as strong as its weakest link." We always have to remain keenly aware that threats can start outside of the scoped network, and any vulnerabilities or misconfigurations, is fair game to a person with malicious intentions.  So remember to consider and keep connected networks just as secured.

It is certainly not hopeless.  Today's existing technology combined with security best practices are up to the task today.  Companies just need to apply it, and certainly most don't do enough today.Skd283367sdc

Posted by Richard Tsai on December 28, 2009 at 11:06 AM in Breaches, Database Security (general) | | Comments (0) | TrackBack (0)

|

December 08, 2009

Is it possible we have hit the crisis point?

Our annual study with Enterprise Strategy Group usually generates a lot of buzz around what firms aren't doing to protect their most critical applications that house sensitive information - you guessed it, the database.

But what we've seen in our survey that we launched today isn't just a bunch of statistics – it’s a grim reminder that we are facing perhaps the worst of threats to our confidential data, and there are things we are either overlooking, don't understand...or, simply doing nothing about.

We polled 175 IT Security execs at large organizations, and based on some of the staggering numbers, it’s possible we may have a crisis on our hands...

The study reveals that 60% of organizations don’t feel their existing database controls adequately protect their organization’s confidential data. Coming from security executives, this doesn't inspire a lot of confidence.

In addition, the data reports that nearly 70% of organizations do not feel that their existing database controls are well-defined. Again, considering the source, if controls aren't spelled out and communicated appropriately, how can IT Security even do its job?

The survey reveals that despite the fact that over two-thirds of organizations are spending moderate to significant amounts of time writing custom scripts, remediating compliance issues, and engaging in associated tasks - which means costly manual processes are the norm. 

38% of organizations still failed database security audits, which tells us that while companies may be better this year in identifying database audits as important, they aren't taking a continuous approach to compliance. Therefore they may be passing one audit, but what happens in the next one a month or even a week later? 

The study further reveals the troubling statistic that less than 4% of IT budgets are spent protecting the data where it lives – in the database. Why is it troubling? Well, if companies looked at their overall IT Security spend and re-prioritized their misplaced spending, they'd be able to ground both their compliance initiatives and protections in the database.

 

Posted by Tom Bain on December 08, 2009 at 01:02 PM in Activity Monitoring, Breaches, Compliance (General), Database Security (general), General Security | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

November 17, 2009

Stolen Customer Data Indicates Things Are Getting Worse

 The recent insider attack at T-Mobile where an employee stole personal details of thousands of mobile phone customers and was sold to its competitors is the biggest data breach of its kind, according to the Guardian.

This breach isn’t shocking given that the threat environment has seen a massive uptick in recent weeks. Malicious insiders are the root cause of approximately 75% of all breaches - especially in the still-dire economy, people are disgruntled and are looking to capitalize on the sensitive enterprise data that they may have access to.

What’s compelling is that the breach put T-Mobile’s customer information directly in the hands of their competitors in the UK. So now, their competitors know when customer contracts are expiring – so there is a major risk for loss of revenue.

What’s perhaps more scary, and it’s probably too early to tell, is that the customer info being leaked to competitors is bad, but the potential for fraudulent activity is likely very high. So now T-Mobile is going to have to undertake a massive effort at a massive cost to somehow curb the effect of this thing. 

Is there a silver bullet to stop data loss on such a large scale? Well, a few things have to be considered.  First, a thorough review of access controls on the database regularly is critical to maintaining a protected DBMS environment - and passing database audits.

Second, there is something to be said for knowing what those with access are up to. So database activity monitoring would have alerted administrators that inappropriate activity was happening, which would have in turn allowed administrators and management to take corrective action immediately.

IOUG also reported a 50% increase in breaches from 2007 to 2008, and that about 35% of organizations have their databases are configured securely. With only one in four databases protected, clearly, this is an enormous issue, possibly that contributed this breach, although it seems it was a number of factors.

Organizations really have to look at database security, risk and compliance as an ongoing, continuous and business-critical process that doesn't start when you are breached – it needs to be driven by the security organization with management.  We wish them luck and hope they call us to help!

Posted by Tom Bain on November 17, 2009 at 07:10 PM in Breaches, Database Security (general) | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

November 16, 2009

Authorized Database Roles - Where do they go when someone leaves?

Laptop2 By now you know the drill - another data breach, more identity theft, more records potentially compromised. MassMutual experienced a database breach of employee information over the weekend through a contracted vendor database.

There's some information that's come to the surface already, and it appears they've been able to curb the damages and take the proactive steps to protect employees.

What this breach underscores is the fact that organizations are still not taking the right steps to protect sensitive, confidential information in a comprehensive way. What also persists to be a major issue is the lack of segregation of duties in the database.

As the unemployment rate hovers around 10% and organizations are still slashing headcount, roles and privileges to data still exist, possibly even if that employee has been let go, has moved on or has been reassigned. When those access controls still exist, organizations are at risk.

Databases contain sensitive information are large, enterprise organizations. 99% of enterprise data exists in some form inside a database. Yet with breach numbers up to 340,102,273 you'd think there would be a massive call to action for organizations who have are facing a radically scaled-up threat environment.

Posted by Tom Bain on November 16, 2009 at 02:15 PM in Activity Monitoring, Breaches, Database Security (general), General Security, Vulnerability Assessment | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

|

August 28, 2009

Are Financial Services Organizations Protecting Themselves Better?

Interesting article by Linda McGlasson of Bank Information Security tracking the biggest breaches of 2009. The Identity Theft Center is reporting 356 total data breaches in 2009, 46 or which occurred at financial services organizations.

Of the 46 financial services breaches, IDTC categorized them:

  • Insider theft: 12 breaches;
  • Skimming: 8;
  • Missing paper documents: 10 of the breaches
  • Exposure of data on the Internet: 4;
  • Accidental breaches: 2;
  • Stolen or missing hard drives/laptops: 5;
  • Outside network intrusions: 2;
  • Unknown cause: 3.

    So between IDTC reporting that fraud cost consumers $1.8 billion and the classification of breach method, doesn't it beg the fact that the thieves are scoring this data from somewhere?

    Wait, can you hear that? It sounds like a database being cracked open to steal that information that lead to all that theft. And isn't it more important to protect data where it resides as opposed to focusing on the conduits?

    • Posted by Tom Bain on August 28, 2009 at 04:05 PM in Breaches, Current Affairs, Database Security (general) | | Comments (1) | TrackBack (0)

    |

    August 24, 2009

    263,379,546?

    As of this morning, Privacyrights.org has documented over 263 million records breached ranging from simple laptop thefts to full fledged attacks. The scary thing is this number does not include all the undocumented breaches.

    If you are looking for some specific breach examples to build a business case for a database security, risk and compliance solution, check out Privacyrights.org. The site lists just about every documented data breach since 2005.

    Posted by Jeff Coveney on August 24, 2009 at 11:52 AM in Breaches | | Comments (0) | TrackBack (0)

    Technorati Tags: ,

    |

    December 16, 2008

    And the Survey Says......

    By Josh Shaul

    This week we released the results of our “Database Security Controls” research study, which was run for us by the analyst firm Enterprise Strategy Group (ESG). We sent ESG off to interview global IT decision makers located in North America. They met with 179 companies and asked a set of questions around data and database security. The rEsgstudyesponses were collected and aggregated for the report. The results are simply astonishing.

    A whopping 84% of respondents believed that they have adequate protection in place for sensitive data.

    With so many data breaches reported this year, we were surprised to hear that so many folks felt comfortable with the controls they have in place….but if 84% of companies really have adequate data security, we’re all in pretty good shape….Right?

    The survey then drilled down into more specific questions. Have you failed an internal audit? Have you failed a compliance audit? Have you experienced a data breach recently? The answers to the specific questions painted a very different picture. More than 50% of the organizations surveyed experienced a data breach in 2008. I repeat, more than 50% experienced a breach this year, while at the same time, 84% claim to have adequate security. Adequate means enough to get the job done…..Right?

    And it’s not just data breaches.

    48% failed internal audits. 42% failed payment card industry audits. 38% of federal agencies surveyed failed FISMA audits. The number of failures present a huge problem on their own, but couple that with the false sense of security that the IT community has built around its data, and we really have something to worry about. The amount of data at risk is staggering. For those of you who have experienced a data breach this year, or who regularly fail key components of your audits, stop feeling secure. If you haven’t done something drastic to correct the situation, you’re likely a soft target just waiting to be spotted.

    There are signs of hope.

    There were some real signs of hope within the survey results. 76% of the organizations we spoke with said that they plan to place purchasing priority on database security solutions in 2009. Wait, didn’t 84% say they already had adequate security?? Maybe folks aren’t burying their heads in the sand after all.

    Grab a copy of the survey results from our webpage.

    Bonus_ESG

    Posted by Jeff Coveney on December 16, 2008 at 10:47 AM in Breaches, Current Affairs, Database Security (general), Josh Shaul | | Comments (0) | TrackBack (0)

    |

    November 13, 2008

    Kidnapping your Data

    Why do people rob banks? According debonair American bank robber Willie Sutton, “because that's where the money is."

    Cybercriminals think the same way about the enterprise database, and they do not need a gun.

    The Cyberextortionist Case of Express Scripts
    BankThere are different ways cybercriminals can attempt to monetize their theft. In a current case involving St. Louis-based Express Scripts, a breacher is demanding an undisclosed ransom for the company’s data. Express Scripts has put the pressure back on the thief by offering a $1 million dollar reward for his or her capture.

    How did Express Scripts find out about the breach? According to its web site, the extortionist sent Express Scripts a letter with a sample of 75 customer records back in October of 2008. The letter also threatened to publicly expose millions of the company’s members’ records if an extortion threat was not met.

    Read the Full Story

    Lessons Learned
    It is unclear which data security policies were in place at Express Scripts. No security system is perfect. As a best practice, this story paints a picture of why organizations can't be proactive enough about assessing data vulnerabilities and monitoring for breaches.

    By assessing vulnerabilities, enterprises can see where the security holes exist. You can bet that when a bank robber is looking for the easiest way to rob a bank, he or she looks for the weak spots. A data thief does the same thing. And by monitoring for threats, organizations can be alerted about any breaches as it happens.

    As a side note, I wonder where Willie Sutton would focus his efforts today.

    Posted by Jeff Coveney on November 13, 2008 at 10:49 AM in Breaches | | Comments (1) | TrackBack (0)

    |

    Next »

    Categories

    Recent Posts

    Pages

    Subscribe to this blog's feed

    Archives

    More...

    Blog Roll