Monday, November 28, 2011

Cyber Monday Means Loss of Productivity

As Black Friday has come and gone, many consumers are excited for Cyber Monday. The only problem? Many Americans who plan to partake in the deals offered online are doing so at work. According to a recent survey done by the staffing firm Adecco, nearly half of American workers (46 percent) plan to make a dent in their holiday shopping during work hours – either through online shopping while at work, shopping on lunch breaks, taking sick days or cutting out a little early periodically. Another similar survey done by Randstad shows that 40% of employees plan to only spend an hour online shopping at work while 1 in 3 plan to spend over 5 hours of their work day shopping online.


The lure of online deals does not only pose a threat to productivity; it can also expose the corporate network to malware. Malware and spam attacks are often quickly formulated and executed based on current events and popular online happenings. Links to these malicious websites turn up in the results of common searches such as "Cyber Monday Deals".


Since many people will be ordering online, the use of online postal tracking will go up as well. Because of this, hackers will be sending postage and shipping related emails to trick people into downloading malicious attachments. Websense Security Labs cites this type of spam as one of the "Top 5 Malicious Spam Subjects".


Security Labs has detailed the type of subjects and email contents everyone should be on the lookout for.

  • USPS Invoice copy ID46298 (numbers vary)
  • FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
  • DHL Express Notification for shipment 90176712199 (numbers vary)
The moral of the story is to shop at home, be careful, and no matter how good the deal looks, do not suspend judgement to click on a strange-looking link. Also remember that shipping companies will never require you to download an email attachment to get information about your packages, and if you are still concerned, check their website for accurate and up-to-date information.
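For mail administrators, the two signals described above (a subject shaped like one of the listed lures, plus an attachment that a real carrier would never require) can be combined into a simple triage check. This is an added example, not code from Websense or from this post; the `sample` helper, the `example.test` sender and the file names are constructed for illustration.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.message import EmailMessage

# Subject shapes of the three lures listed above, with the varying IDs generalized.
LURE_SUBJECTS = [
    re.compile(r"^USPS Invoice copy ID\d+", re.I),
    re.compile(r"^FedEx: New Agent File Form, trackid: [A-Z0-9]+", re.I),
    re.compile(r"^DHL Express Notification for shipment \d+", re.I),
]

def attachment_names(msg):
    """Filenames of every MIME part delivered as an attachment."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            names.append(filename or "(unnamed)")
    return names

def shipping_lure_attachments(raw):
    """Return attachment names if the subject matches a lure pattern, else []."""
    msg = message_from_string(raw)
    # Decode RFC 2047 encoded-words and collapse folded whitespace before matching.
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    subject = " ".join(subject.split())
    if not any(p.search(subject) for p in LURE_SUBJECTS):
        return []
    return attachment_names(msg)

def sample(subject, attachment=None):
    """Build a constructed test message (not a real capture)."""
    m = EmailMessage()
    m["From"] = "notify@example.test"   # placeholder sender
    m["Subject"] = subject
    m.set_content("Your parcel details are enclosed.")
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    for subj, att in [("DHL Express Notification for shipment 90176712199", "label.zip"),
                      ("DHL Express Notification for shipment 90176712199", None),
                      ("Quarterly report", "report.zip")]:
        print(subj, "->", shipping_lure_attachments(sample(subj, att)) or "not flagged")
```

A message is flagged only when both signals are present, so a plain-text tracking notice with the same subject style is not flagged, and neither is unrelated mail that carries an attachment.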


Thursday, November 17, 2011

Sacramento Health System Breached - 4.2 Million Records


Two branches of the Sutter Health network were breached in October of this year after an employee's laptop was stolen. The laptop contained databases with Personally Identifiable Information and Personal Health Information for 4.2 million patients. These records are from dates as far back as 1995 and as recent as this year. Sutter does say that the employee's laptop was not encrypted, even though they are currently in the process of encrypting all laptops across the enterprise.

Data stored in an unprotected state on a laptop or desktop PC puts organizations at risk of becoming the next data breach headline, like Sutter. Only strong encryption of all data on hard disks counters the threat of losing critical intellectual property, customer and/or competitive information and provides a safe harbor from the high-profile public disclosures and costly remediation mandated by privacy laws. To protect mobile data from the risks of loss or theft of a laptop or desktop, enterprises not only need the security provided by strong encryption, but also a standards-based solution to the practical issues that organizations encounter when deploying endpoint data protection.


Sutter Health network of care press release below: 

/PRNewswire/ -- Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) — two affiliates within the Sutter Health network of care — announced the theft of a company-issued password-protected unencrypted desktop computer from SMF's administrative offices in Sacramento the weekend of Oct. 15, 2011. Following discovery of the theft, Sutter Health immediately reported it to the Sacramento Police Department. It also began an internal investigation. The computer did not contain patient financial records, social security numbers, patients' health plan identification numbers or medical records. While no medical records themselves were on the computer, some medical information was included for a portion of patients.

Following a thorough internal review, Sutter Health discovered that the stolen computer held a database that included two types of information:
  1. For approximately 3.3 million patients whose health care provider is supported by Sutter Physician Services (SPS), the database included only the following patient demographic information dated from 1995 to January 2011: name, address, date of birth, phone number and email address (if provided), medical record number and the name of the patient's health insurance plan. SPS is an organization that provides billing and managed care services for health care providers with which it contracts, including facilities within the Sutter Health network. Patients who think they may be affected should visit www.sutterhealth.org to see the list of impacted health care providers.
  2. For approximately 943,000 SMF patients, the database contained the above demographic data as well as the following information dated from January 2005 to January 2011: dates of services and a description of medical diagnoses and/or procedures used for business operations. Because the data of SMF patients was broader in scope, Sutter Medical Foundation has begun the process to notify these patients by mail. Patients should receive letters no later than Dec. 5.

Read more: http://www.sacbee.com/2011/11/16/4059251/sutter-health-informs-patients.html#ixzz1dyUMTGrj

Thursday, November 10, 2011

Two-fer Thursday!

It is rare that we see two security and data breach related reports cause a stir on the same day. However, today Forrester and the lesser-known Risk Based Security Inc. delivered two reports with a similar theme -- data breaches can and will affect you personally as well as your organization.


Forrester reports that in a questionnaire distributed to 2,300 IT executives via LinkedIn, 25% responded that their organization has had a data breach in the last year. Even more surprising, 21% declined to answer despite being assured that names and responses are kept confidential. 7% of very honest IT executives reported that they don't know, and Forrester believes that many of the remaining respondents, who reported no breaches in the last year, were probably breached but just don't know it yet.


The above findings by Forrester make this second report more understandable but no less shocking. According to Risk Based Security Inc. and research done by the Open Security Foundation, as of October 2011 there have been over 1 billion records exposed. In the first nine months of 2011 we have seen 176,385,870 records exposed, compared to 88,473,589 records for all of 2010.


All of these statistics serve to prove a point: organizations still are not taking the necessary measures to protect their data and the data of their customers and clients. When it comes to securing your organization, taking a holistic approach is the first step to enforcing better protection. By better understanding business needs and processes, your security department can better determine where risks reside. Security is more than a simple technology solution. Aligning IT security with business needs requires a combination of policies, people and enforcement.


Links to the above reports
Forrester
Risk Based Security Inc.

Monday, November 7, 2011

Advanced Persistent Threats -- Something to worry about or just another buzzword?

In recent months there has been increased discussion in the media about advanced persistent threats (APTs) and even more discussion about how to define an APT. McAfee defines an APT as a "targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than a pure financial/criminal reason or political protest." Other definitions are broader, describing an APT as a cybercrime category in which the attacker utilizes the full spectrum of attack vectors to reach and compromise their target.


The definition used is often the one that best serves the main goal of the article or advertisement, which has led many IT security professionals to put advanced persistent threats in the "buzzword" category. Despite those non-believers, almost two-thirds of enterprise information security managers believe their businesses have been targeted by advanced persistent threats, and 72% expect to see such attacks continue in the future. These numbers are according to an Enterprise Strategy Group report on advanced persistent threats. These managers believe that these attacks are being carried out, in order of likelihood, by hacktivist groups such as Anonymous, organized crime rings, competitors conducting reconnaissance or perpetrating industrial espionage, foreign governments, and terrorists.

Whether or not APT is just another catchy acronym, we can see that, based on the survey results, organizations are responding in the correct way. 51% of respondents said that senior executives have increased the amount of money allocated to training employees on security strategies, 33% now meet more frequently with their Chief Information Security Officer (CISO) or IT risk team, and 18% have created the role of CSO or CISO, or another type of senior security position. The trend of organizations to staff Risk and Security related positions, as direct report positions to the Board of Directors, continues to demonstrate the importance of integrating technology with business process. Risk and Security of the organization and its critical technology infrastructure (uptime and productivity) and its confidential and sensitive data (GRC, Brand Loss, IP Loss) should be fundamental to any best-practices organization.


With the increasing sophistication of the threat matrix, reliance on under-managed technologies (AV, IPS, IDS) is simply not enough. As we continue to build more efficient and open B2B and B2C models, an organization must take into account the context of the information being accessed, starting with the roles of people accessing that information, the sensitivity of the information, the actual use of the information, and enforcement policies. This takes coordination, via the CISO, of Executives, HR, Legal, Technology, and Business Unit leaders.