Ashley Who?

Law of Unintended Consequences

The Ashley Madison affair (no pun intended) certainly brought the issue of private data breach front and center.  By allegedly exposing the most personal of information and private thoughts of participants it took the issue of cyber security out of the realm of corporate boardrooms where bottom lines rule to the realm of bedrooms where bottoms rule.

For those of you who are unaware, Ashley Madison is a website that presents itself as “the most famous name in infidelity and married dating,” where “thousands of cheating wives and cheating husbands signup everyday (sic) looking for an affair.” They claim to be “…the most famous website for discreet encounters between married individuals,” and offer their services from 中国 (China) to ประเทศไทย (Thailand) to Canada. (Actual wording on the landing page, not mine.)

Wikipedia reported that in July 2015 a group calling itself “The Impact Team” stole the user data of Ashley Madison, and on 18 and 20 August the group leaked more than 25 gigabytes of company data, including user details. Kim Zetter of wired.com provides some details of what actually happened and how the hackers did their dastardly deed. Needless to say, the hacked data became a treasure trove of real or imagined events. Journalists and their readers from Sudbury, ON to Boston, MA had a field day, spawning a short-lived industry focusing on modern-day morality and modern-day technology.

Not So Fast

It was widely expected that the data breach would effectively be the end of the controversial website, but parent company Avid Life claims that people are using the site more than ever. Today the site claims 43.46 million members, compared with the 39 million acolytes it claimed at the time of the breach. Despite the surge in subscriptions, the website’s future is still uncertain, as Avid Life faces several lawsuits from disgruntled customers, which will inevitably be costly.

A Picture is Worth a Thousand Words

Computer Dealer News recently joined the Ashley Madison controversy. It made the observation that in the Ashley Madison hack it wasn’t the size that mattered but the quality of the data. CDN listed the 10 largest data breaches as follows:

[Chart: CDN’s list of the 10 largest data breaches (image not reproduced here)]

Have We Made No Progress ?

Ashley Madison pales in comparison to these hacks. So the question that CDN’s Dave Yin asked is, “Why are these breaches still happening given the number of security tools and practicing MSSPs (Managed Security Service Providers)?”

Scott Montgomery, vice president and chief technical strategist at Intel Security, and Mike Canavan, vice president of sales engineering at Kaspersky Labs, suggest the answers lie in several areas.

Business Behaviour 1: Minimize Expenses

Firstly, clients and customers value the data differently. Whereas an individual might assume his personal data is being managed and treated with the same respect he treats it, companies tend to think of the cost of security. One client’s data is stored alongside millions of other clients’ records in a single database. Fences are not erected around each piece of information but rather around all of the information together. Once that one wall is breached, all of the information is accessible.

Business Behaviour 2: Maximize Revenue

Secondly, companies frequently do not use the full range of capabilities their devices and software provide. This low utilization may be a function of cost or of a lack of familiarity with the functionality of the tools. Think of the 380-page handbook which came with your new car. Did you read and understand every page? Likely not. You read the minimum necessary to get going. Companies frequently behave the same way. Although their devices may support extra layers of security, they might lack the technical skills to configure those devices correctly to maximize security.

Business Behaviour 3: Think Bottom Line

Thirdly, many companies have assumed a posture that a data breach is inevitable and have adopted an attitude of breach containment rather than breach prevention. These companies are more interested in keeping the damaged area as small as possible than in preventing the harm itself. This type of thinking usually involves a risk assessment which attempts to weigh the cost of insuring against a breach (security software) against the actual cost of a violation, such as legal fees, loss of business and client mitigation expenses.

Get a Professional Opinion

Jolera believes the central concern of any security evaluation must be the impact the loss may have on clients. What is the value the client ascribes to the data? What is the impact of a loss to the end user? What processes will the client follow to mitigate the breach? By placing the client at the focal point, the financial losses can be properly evaluated and different strategies appropriately weighted. A valid assessment requires an intimate knowledge of hardware, software and business economics. Call Jolera for a professional assessment of your security posture. What you don’t know can really hurt you.

How much did you say?

Target reimburses $39 million to MasterCard Inc.

On Dec 2, 2015, Target Corporation in the US announced it had agreed to reimburse MasterCard Inc. and other U.S. financial institutions a total of about $39 million to settle claims brought against the retailer in connection with its massive 2013 data breach.

This settlement comes on the heels of a $67 million agreement Target struck in August with Visa Inc. on behalf of banks and other firms that issue credit and debit cards. Combined, the Visa and MasterCard implications at Target are around $106M. While the final numbers will likely be buried somewhere in an annual report a year or two down the road, total Target loss estimates vary widely. We can all agree, however, that you have to sell a lot of bread to recover this kind of bread.

Target’s data breach exposed 40 million credit and debit cards to fraud during the 2013 holiday season. The Minneapolis-based company’s breach ranks among the most high-profile data incidents to hit retailers in recent years.

Other costly breaches at other well-known merchants include Home Depot Inc., luxury retailer Neiman Marcus Group, and the P.F. Chang’s China Bistro chain. Dollar figures from the web are not terribly accurate, as civil suits continue to wend their way through the US courts. Liability and class action suits can take years to finalize.

Our earlier posts on cybersecurity generated many positive responses, and readers asked that we provide some sort of mechanism for them to measure what they are facing. We all certainly are not Target Stores, with annual sales of $72.6B USD. So how does the small to medium-sized business get a handle on the cost of a data breach? Jolera has found the Ponemon Institute’s Canadian Data Breach Study, May 2015, most informative. This report was sponsored by IBM but produced independently by the Ponemon Institute. Verizon’s 2015 Data Breach Report contains much useful information as well.

We can distill much of the information, and there are many inexpensive fixes you can make tomorrow to shore up your defenses.

40% of the Solution is Not Rocket Science

Some of the suggestions are things your sensible mother would have mentioned had you asked the question. Lock the machine when you leave your workstation, make sure no one is looking over your shoulder, and use passwords whenever feasible to protect data. The Ponemon Institute has categorized some security measures which are easily managed and can have a significant impact on your security posture. Admittedly, some of the solutions require a discipline and internal surveillance which may impose a “cost”; however, there are relatively inexpensive quick wins which will get you some distance down the road.


40% of the solutions fall into the quick-fix category; they are no-brainers.

So now you are probably doing some mental gymnastics, weighing the cost of implementing and monitoring some of these solutions at your place. IBM has a blunt tool to help you estimate the cost of a major data breach at your business. The numbers can be scary and, of course, there is always the hurdle of getting the C-suite on side when dealing with intangibles.

Let me suggest a possibility. Get the Jolera team to lend a hand. We have over 100 high-tech minds and tens of thousands of hours of practical hands-on experience to place at your disposal. Together we can be formidable. No matter how complex your IT questions, we can help you take decisive action and achieve those “elusive” results.

Cyberattacks Vol.2

List of data breaches
Jolera recently visited the Identity Theft Resource Center’s website at https://www.idtheftcenter.org/

The ITRC is a non-profit organization. Its mission is to assist identity theft victims at no charge; to educate both consumers and organizations on best practices for fraud and identity theft detection, reduction and mitigation; and to serve as a resource on consumer issues related to cybersecurity, data breaches, social media, fraud, scams and other issues.
It was a useful experience and I suggest everyone bookmark the link and visit the site at least once or twice a month to keep up with developments.  Let me quickly summarize some of the facts I discovered.  We will just focus on a few 2015 breaches to keep things simple:
Nov. 10, 2015 - Dow Corning Suspects Internal Data Breach. 4,000 employees are possibly affected. Personal information may have been stolen.
https://www.idtheftcenter.org/Data-Breaches/dowcorningbreach.html

Oct 15, 2015 - Dow Jones Data Breach Reveals Surprising Shift in Identity Theft Crime. Investigators believe that between August 2012 and July 2015, cyber thieves began accessing information stored on subscribers in the system. This breach was discovered in July 2015.
https://www.idtheftcenter.org/Data-Breaches/dowjonesbreach.html

Oct 1, 2015 - Hilton Hotels Suspects Ongoing Data Breach. A pattern of credit card fraud suggests hackers have compromised point-of-sale registers in gift shops and restaurants at many Hilton Hotel and franchise properties.
https://www.idtheftcenter.org/Data-Breaches/hiltonbreach.html

Sept 23, 2015 - Molina Health Data Breach an Inside Job. A CVS employee had downloaded patient information to his laptop, information which included full names, CVS-specific numbers on each patient, prescription coverage plan numbers, and coverage dates.
https://www.idtheftcenter.org/Data-Breaches/molina-health-data-breach-an-inside-job.html
Dell summarized its observations on cyber security in its 2015 Annual Security Report in a statement of best practices:

1. Continuously train employees for security awareness.
2. Vigorously employ endpoint defenses. Most network infiltrations begin with a compromised user device.
  • Deploy secure mobile access technology that checks the security posture of user devices before granting network access and enforces policies that grant VPN access only to trusted users, mobile apps, and devices.
  • Deploy secure workspace technology to establish and enforce on-device data protection policies and app management.
  • Implement 2FA (two-factor authentication) for both administrators and users.
  • Protect privileged accounts.
  • Manage contractor, partner, intern, patient, and vendor access differently than internal resources. Control and monitor access rights regularly.
3. Replace traditional or legacy firewalls with a Next-Generation Firewall (NGFW).
4. Invest in a capable intrusion prevention system (IPS).
5. Add an SSL/TLS inspection capability to detect and block malware that is hidden in SSL/TLS-encrypted traffic. [Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet.]
6. Implement continuous threat counter-intelligence feeding security updates to NGFWs and intrusion prevention systems.
7. Deploy an email security solution.
8. Consistently update software.
9. Secure remote work environments by segmenting router access.
10. Implement the same level of defense throughout a distributed enterprise’s locations, including kiosks, executive homes, and remote offices.
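Item 2 recommends 2FA for administrators and users without saying what the second factor actually does. As an added illustration (this is not code from Dell’s report or from Jolera), the block below implements the time-based one-time codes (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps produce, together with a server-side verifier. The verifier allows one 30-second step of clock skew in each direction and refuses to accept a time step at or before the last one already used, so a code that was observed once cannot be replayed. The secret and timestamps used for the self-check are the published RFC test vectors; the TotpVerifier class and its method names are this example’s own choices.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code (example class, not a library API).

    - tolerates `skew` steps of clock drift either way;
    - remembers the highest time step already accepted and rejects anything at
      or below it, so a code can be used only once (replay protection);
    - compares codes in constant time.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_used_step = -1  # no code accepted yet

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for offset in range(-self.skew, self.skew + 1):
            candidate = current + offset
            if candidate <= self.last_used_step:
                continue  # already consumed (or older): refuse replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print("HOTP counter 0 :", hotp(rfc_secret, 0))          # RFC 4226: 755224
    print("TOTP t=59      :", totp(rfc_secret, 59))         # RFC 6238 (6 digits): 287082

    verifier = TotpVerifier(rfc_secret)
    first = verifier.verify("287082", 59)                   # fresh code -> accepted
    replay = verifier.verify("287082", 59)                  # same code again -> rejected
    print("first use:", first, " replay:", replay)

    # A code for the current clock, as an authenticator app would show it.
    print("code right now:", totp(rfc_secret, int(time.time())))
```

Two practical notes: the RFC secret above is only for checking the implementation, a real enrolment uses a fresh random secret per user (for example `os.urandom(20)`), stored with the same care as a password hash; and the `last_used_step` state must live on the server, since the whole point of a one-time code is that the client cannot decide whether it is still fresh.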
Please contact Jolera to arrange a discussion of cyber security at your shop. The cost of investing the time and effort to have this conversation may save you millions.

Cyberattacks Vol.1

I was reading last week’s issue of The Economist (Nov. 7-13, 2015) and came across a great article on cyber-security. It exclaimed that the average time between an attacker breaching a network and its owner noticing the intrusion is 205 days, or 295,200 minutes! Give or take a few minutes.

It speaks of an annual $575 billion cost to the Gross National Product from 90 million cyber-attacks. While I appreciate that these numbers are at best guesstimates, there is certainly no doubt in the minds of Sony executives or those at Target Stores in the US that these attacks are real and that real dollars must be spent in correcting these breaches. Violated customers must be given free access to credit review agencies so that all accounts may be monitored in one place, and systems must be checked for the source of the intrusion and then patched. At the technical level, privileged information is stolen, marketing strategies are exposed and private customer records are made public.

American statistics may not be representative of conditions where you live, but they do provide an indication of the types of data being stolen.

Sector                 Percentage of attacks (%)
Medical                43
Business               32
Government/Military    12
Education               8
Financial               5

Medical breaches have experienced the fastest growth in the past three years. Government/Military, Education and Financial breaches have remained relatively stable. And, as is commonly said by financial institutions, “Past results are not indicative of future performance.”

It would seem we are in a “wild west” period in the cyber security industry as well. A report by Bank of America suggests the market is now $75 billion and will grow to $170 billion by 2020, a 17.7% annual growth rate. Who says crime doesn’t pay? There are no standards for security providers. Anyone can hang up a shingle and call himself or herself a computer security expert. And the most sophisticated security technology can be thwarted by individuals intent on wreaking havoc. Unfortunately, most of the solutions being offered are backward-looking, in the sense that they create defenses against known threats. The best technology doesn’t work if the humans who operate it are ill-trained or careless, or both.

Let’s talk about your situation and what can be done to improve it. Your clients will appreciate your keeping them safe. Should you feel uncomfortable dealing with this issue, or feel the need to audit your current security provider, Jolera will be most happy to help you confidentially assess your situation and provide guidance. Please don’t procrastinate. We want to help.

The original article can be found here:

https://econ.st/20BIzFk