Friday, March 20, 2015
I always discuss this kind of article with my Computer Security students. If someone in senior management or on the Board of Directors should stumble across this article, they might ask their Computer Security manager how long it would take them to detect an attack or a breach. On the flip side, expressing your current status in terms of “time to detect” might be very useful at budget time.
Data Breach Detection Takes Days or Longer For Many Businesses: Survey
Seconds count when dealing with a security incident. A new survey from Osterman Research however has found that many companies believe it would take hours or more for them to detect a breach – with nearly 30 percent stating it would take days, weeks or longer.
The statistics come from a report entitled 'Dealing with Data Breaches and Data Loss Prevention'. The report – which was sponsored by Proofpoint - fielded responses from 225 large and midsized organizations in the U.S. and Canada. According to the survey, just 24 percent felt they could detect a breach within minutes or seconds. Thirty-seven percent believe they could detect a breach within hours, while 28 percent said it would take days or weeks. One percent said it would take even longer than that, and nine percent weren't sure.
… "However, it is important to note that preparedness is only part of the story," according to the report. "For example, Target was quite well prepared for its now-infamous data breach: the company had deployed a robust anti-malware solution to protect against data breaches, it maintained a team of security personnel in India that were focused on detecting anomalous behavior in the corporate network, and it had a security team in Minneapolis that were focused on dealing with a data breach and other security incidents. Target’s security solution worked as it was designed, its Indian security team notified its counterparts of the breach in Minneapolis, but for some reason that final link in the chain did not respond appropriately." [Does not seem to match the next article Bob]
(Related) Update. (I thought it would take longer.) Looks like there were a few standard security measures not part of Target's repertoire.
My suspicious mind suggests that the costs saved by this settlement allowed Target to raise employee wages.
Steve Karnowski and Michelle Chapman of AP report:
A Minnesota judge has endorsed a settlement in which Target Corp. will pay $10 million to settle a class-action lawsuit over a massive data breach in 2013.
U.S. District Judge Paul Magnuson said at a hearing Thursday in St. Paul, Minnesota, that he would grant preliminary approval of the settlement in a written order later in the day. The move will allow people to begin filing claims ahead of another hearing for final approval.
The settlement would also require Minneapolis-based Target Corp. to appoint a chief information security officer, keep a written information security program and offer security training to its workers. It would be required to maintain a process to monitor for data security events and respond to such events deemed to present a threat.
Read more on FindLaw.
Sometimes you just have to take the abuse.
Wyndham: A Case Study in Cybersecurity: How the cost of a relatively small breach can rival that of a major hack attack
Timothy Cornell of Clifford Chance US LLP has an interesting write-up on the Wyndham case that really details the time and labor costs of responding to a government investigation following a data breach. Here’s an example:
On April 8, 2010, the FTC began to investigate Wyndham Worldwide and three of its subsidiaries (collectively “Wyndham”), sending Wyndham a voluntary request for information. The FTC’s investigatory focus, as stated in that April 8, 2010 letter, was to determine: “whether Wyndham’s information security practices comply with Section 5 of the [FTC] Act, which prohibits deceptive or unfair acts or practices, including misrepresentations about security and unfair security practices that cause substantial injury to consumers.” The FTC’s request contained 14 detailed inquiries (most with subparts) and sought information about Wyndham’s IT architecture, cybersecurity policies, and the three data breaches that occurred. It took Wyndham more than five months to locate all responsive documents. 
During 2010 and the first half of 2011, the FTC sent three supplemental requests for information and documents, and also posed oral requests at meetings between the parties. In total, 29 document requests and 51 information requests were issued to Wyndham prior to December 2011. Wyndham produced over 1 million pages of documents and written responses that totaled 72 pages single spaced. In addition, Wyndham Worldwide’s CFO and head of Information Security – along with attendant inside and outside counsel – attended seven in-person meetings with the FTC. The time and cost associated with preparing for each of those meetings was likely significant.
Wyndham estimated that its response cost exceeded $5 million in legal and vendor fees. And that estimate did not include the time employees spent responding to the requests or the business disruption caused thereby, nor the costs associated with preparing for meetings with the FTC.
Read more on The Metropolitan Corporate Counsel.
No surprise. New technology means ignoring old security solutions.
Companies Find It Difficult to Secure Their Mobile Apps: Survey
A new Ponemon Institute study sponsored by IBM shows that many organizations neglect security when building mobile applications for their customers.
The report shows that nearly 40 percent of the 400 organizations that took part in the survey, 40 percent of which are Fortune 500 companies, potentially expose their customers’ data because they don’t scan the code for vulnerabilities.
… When asked about why mobile apps contain vulnerable code, many of the respondents cited rush-to-release pressures, lack of training on secure coding practices, lack of quality assurance and testing procedures, and the lack of internal policies that clarify security requirements.
… According to the report, organizations spend an average of $34 million per year on mobile app development, but only $2 million, or 5.5 percent of the annual budget, on mobile app security.
I don't want my Ethical Hackers penetrating systems to leave a “Kilroy was here!” If they really want to probe, we have a formal authorization procedure.
Cyber Attackers Leaving Warning 'Messages': NSA Chief
Attackers hacking into American computer networks appear to be leaving "cyber fingerprints" to send a message that critical systems are vulnerable, the top US cyber-warrior said Thursday.
Admiral Michael Rogers, director of the National Security Agency and head of the Pentagon's US Cyber Command, made the comments to a US Senate panel as he warned about the growing sophistication of cyber threats.
"Private security researchers over the last year have reported on numerous malware finds in the industrial control systems of energy sector organizations," Rogers said in written testimony. "We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict."
All data is targeted, actually; the priority changes depending on the value of the data and the amount of security.
The Next Cybersecurity Target: Medical Data
… Calhoun points out that healthcare breaches aren't unheard of: In fact, according to Intel Security and the Atlantic Council's latest report on cyber risks, about 44 percent of all registered data breaches in 2013 targeted medical companies, with the number of breaches increasing 60 percent between 2013 and 2014. Those numbers may seem larger than expected—how often do healthcare breaches make the news?—but Calhoun tells me that these reported medical-company breaches happen on smaller scales, affecting far fewer people than attacks on banks and government data.
… "Advanced cybersecurity defenses are still a relatively new idea to many healthcare organizations," said Greg Kazmierczak, the CTO of data-security company Wave Systems Corporation. "Big banks and large financial firms, on the other hand, have been dealing with these issues internally and in the public eye for the past decade or so with the large-scale breaches of JP Morgan and Bank of America."
In other words, as more attacks happen, more victims will beef up their cybersecurity. [Only if they ask “Could that happen to me?” Bob] So, with the Premera breach, it's the healthcare industry's turn to rethink data security.
Typical government doubletalk? If “law enforcement” is buying it, we certify it. But it's not about who buys it? Once law enforcement has it, it passes out of the FCC's regulatory environment?
The Federal Communications Commission (FCC) lacks oversight of so-called stingray surveillance devices once they are in the hands of law enforcement, Commissioner Tom Wheeler said Thursday.
Wheeler said the commission certifies the devices, which collect location information from cellphones, if they are being made for law enforcement use. [If they are made for other users, they are not certified? Bob]
"And then from that point on, its usage was a matter of law enforcement, not a matter of the technological question of whether or not the piece of hardware interfered with other [radio frequency] devices," he said.
… Wheeler did say the commission could have authority over the "unauthorized use" of the device, such as one that was sold illegally outside law enforcement circles.
… our jurisdiction and our authority is to certify the electronics of the RF components of such devices for interferences questions. And that if the application was being made in conjunction with law enforcement, then we would approve it. This is for the technology, this is not for who buys it."
Shrink wrap, click wrap, psycho rap. What did the user mean when he clicked that “I Agree” button?
Aaron R. Gelb and James R. Glenn of Vedder Price write:
Since December 2014, retail giant Michaels Stores, Inc. (Michaels) has been hit with two class action lawsuits regarding its background-check process. The lawsuits allege that Michaels violated the Fair Credit Reporting Act (FCRA) by having job applicants click an “I Agree” box consenting to the terms and conditions of an online job application, which include an authorization to obtain a consumer report on the applicant.
Employers utilizing a third party to obtain background checks for use in the hiring process (and other employment decisions) must comply with a number of requirements set forth in the FCRA, including that the employer give job applicants a written authorization form that includes a “clear and conspicuous” notice that a consumer report may be obtained for employment purposes. This disclosure and authorization must be part of a separate or “stand-alone” document consisting of the disclosure and nothing else. The employer must obtain the individual’s authorization before a consumer report is procured.
Read more on National Law Review.
Wendy Davis reports:
Yahoo is asking a judge to deny class-action status to a group of people who are suing the company for scanning their email messages.
The company argues in new court papers that the lawsuit doesn’t lend itself to class-action treatment because one of the key unresolved issues turns on whether Web users consented to the scans. Yahoo says that users’ consent needs to be litigated on a case-by-case basis.
Read more on MediaPost.
Interesting timing. Probably had nothing to do with Google's support for Obama in 2012. Probably. It's just that people from tech firms cross into government positions just like people from defense firms do.
Google threatened to remove websites from its search engine unless they let Google use their content
… The Wall Street Journal on Thursday published excerpts from a 2012 Federal Trade Commission document. The document was part of the FTC's investigation of Google after complaints from competitors. It was never meant to be public but was accidentally sent to The Journal after a Freedom of Information Act request.
… Eventually, Google offered to let websites opt out of including their content in Google's search results, and made some other changes. In 2013, the FTC commissioners unanimously voted 3-0 to drop the investigation.
However, it could give new fodder to European investigators.
(Related) See what I mean?
The former top engineer at Facebook is taking over as the White House’s first-ever director of information technology, the Obama administration announced Thursday.
David Recordon will be responsible for making sure President Obama’s office is using the most updated and secure technology, the White House explained in a blog post.
… Last year, the president created the new U.S. Digital Service to replicate the government’s success turning around the early troubles of HealthCare.gov all across the government.
That effort is led by former Google executive Mikey Dickerson, and on Thursday it helped unveil a new tool for the public to keep track of how people visit government websites.
For our Big Data students.
Understanding Small Business Web Analytics
You can find a slew of powerful Web analytics tools that you can use to see how well your small business website, social media feeds, email blasts and pay-per-click ad campaigns are performing. But those tools won't help much unless you understand which numbers matter most and what they mean.
Smarterer Announces Free Access to Its Skill Assessment API
Smarterer, a skill assessment engine, has announced that the Smarterer REST API is now free for companies and individuals to utilize. With the API, companies and individuals can embed hundreds of crowdsourced skill assessments directly into products, apps, and websites. Prior to this announcement, the API came with a charge to use the service; but, Smarterer and its parent company, Pluralsight, decided to open the service for anyone to freely use.
Smarterer was created after founder Dave Balter discovered that the skills needed to fill job openings in today's rapidly changing, technology-driven marketplace were difficult to uncover but necessary to adequately choose a candidate. Smarterer is built upon a crowdsourced set of skill tests (currently over 400 tests exist).
Perhaps I should expand my idea of students writing their own textbook to the creation of links to all the educational tools you will ever need. (Then use them to conquer the world!)
Book Preview - Deeper Learning Through Technology
Ken Halla writes the US History Educators Blog. I've been following that blog for years so when Ken had his first book published I agreed to share the news here. Ken's book preview is posted below. On a related note, Ken and I are planning to offer an online course together this summer.
For the better part of 14 months I (Ken Halla) have devoted a great deal of time to my new book Deeper Learning Through Technology: Using the Cloud to Individualize Instruction. If you follow my blogs on content, pedagogy and technology (US history, economics, government and world history) you know that I have definite research-based beliefs about the change that needs to occur in our classrooms. My book discusses these needs, outlines the technology needed for higher level thinking and for more personalized learning and then gives you step by step instructions for how to use it all.
… my favorite part of the book is that after giving you reasons why and then showing you how, I give you actual examples of how each is being implemented in the classroom. To ensure you follow through I give you and your PLC five action items to start doing in each chapter so you can change your classroom.
(Related) Even we have Luddites.
Convincing Skeptical Employees to Adopt New Technology
… According to a study by MIT Sloan Management Review and Capgemini Consulting, the vast majority of managers believe that “achieving digital transformation is critical” to their organizations. However, 63% said the pace of technological change in their workplaces is too slow, primarily due to a “lack of urgency” and poor communication about the strategic benefits of new tools.
For my Excel students. If MakeUseOf.com keeps producing these guides, I'll keep pointing to them for my students!
Mini Excel Tutorial: Using Advanced Counting and Adding Functions in Excel