I always discuss this kind of article with my Computer Security students. If someone in senior management or on the Board of Directors should stumble across this article, they might ask their Computer Security manager how long it would take them to detect an attack or a breach. On the flip side, expressing your current status in terms of “time to detect” might be very useful at budget time.
Data Breach Detection Takes Days or Longer For Many Businesses: Survey
Seconds count when dealing with a security incident. A new survey from Osterman Research however has found that many companies believe it would take hours or more for them to detect a breach – with nearly 30 percent stating it would take days, weeks or longer.
The statistics come from a report entitled 'Dealing with Data Breaches and Data Loss Prevention'. The report – which was sponsored by Proofpoint - fielded responses from 225 large and midsized organizations in the U.S. and Canada. According to the survey, just 24 percent felt they could detect a breach within minutes or seconds. Thirty-seven percent believe they could detect a breach within hours, while 28 percent said it would take days or weeks. One percent said it would take even longer than that, and nine percent weren't sure.
…
"However, it is important to note that preparedness is only part of the story," according to the report. "For example, Target was quite well prepared for its now-infamous data breach: the company had deployed a robust anti-malware solution to protect against data breaches, it maintained a team of security personnel in India that were focused on detecting anomalous behavior in the corporate network, and it had a security team in Minneapolis that were focused on dealing with a data breach and other security incidents. Target’s security solution worked as it was designed, its Indian security team notified its counterparts of the breach in Minneapolis, but for some reason that final link in the chain did not respond appropriately."
[Does not seem to match the next article Bob]
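The survey above asks organizations to guess their time to detect; the Target quote shows why time to respond matters just as much. The following script, an added example that is not part of the original post or of either report, computes both metrics from an incident log and sorts detections into the survey's own buckets (seconds, minutes, hours, days, weeks or longer). The incident IDs and timestamps are constructed for illustration, and the record layout (first attacker activity, detection alert, responder acknowledgement) is an assumption about how a team would keep such a log.

```python
"""Time-to-detect and time-to-respond metrics over a constructed incident log."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional, Tuple

# Survey-style buckets in ascending order: (label, exclusive upper bound in seconds).
# A None bound means "everything longer than the previous bucket".
BUCKETS: List[Tuple[str, Optional[int]]] = [
    ("seconds", 60),
    ("minutes", 60 * 60),
    ("hours", 24 * 60 * 60),
    ("days", 7 * 24 * 60 * 60),
    ("weeks or longer", None),
]

# Constructed sample data (hypothetical IDs and timestamps, not from any report):
# (incident id, first attacker activity, detection alert fired, responder acknowledged).
# A None acknowledgement models an alert that fired but that nobody acted on.
SAMPLE_INCIDENTS = [
    ("INC-001", "2015-03-02T09:14:00", "2015-03-02T09:14:40", "2015-03-02T10:05:00"),
    ("INC-002", "2015-03-03T22:30:00", "2015-03-04T01:10:00", "2015-03-04T08:00:00"),
    ("INC-003", "2015-02-20T14:00:00", "2015-03-05T11:30:00", "2015-03-05T12:00:00"),
    ("INC-004", "2015-01-05T03:00:00", "2015-03-06T16:45:00", None),
    ("INC-005", "2015-03-07T10:00:00", "2015-03-07T10:20:00", None),
]


def parse(ts: Optional[str]) -> Optional[datetime]:
    """ISO-8601 timestamp to datetime; None stays None."""
    return datetime.fromisoformat(ts) if ts else None


def bucket_for(delta: timedelta) -> str:
    """Map a duration onto the survey's answer categories."""
    secs = delta.total_seconds()
    for label, upper in BUCKETS:
        if upper is None or secs < upper:
            return label
    return BUCKETS[-1][0]  # not reachable; the last bucket has no bound


def time_to_detect(first_activity: str, detected: str) -> timedelta:
    """Dwell time: from the attacker's first action to the alert."""
    return parse(detected) - parse(first_activity)


def time_to_respond(detected: str, acknowledged: Optional[str]) -> Optional[timedelta]:
    """From the alert to a human acting on it; None if nobody ever did."""
    ack = parse(acknowledged)
    return None if ack is None else ack - parse(detected)


def summarize(incidents) -> Dict[str, object]:
    """Mean and median detection time, bucket counts, and alerts nobody answered."""
    ttd = [time_to_detect(a, d) for _, a, d, _ in incidents]
    ttr = [time_to_respond(d, r) for _, _, d, r in incidents]
    unanswered = [i for (i, _, _, _), r in zip(incidents, ttr) if r is None]
    ttd_secs = [t.total_seconds() for t in ttd]
    ttr_secs = [t.total_seconds() for t in ttr if t is not None]
    return {
        "mttd_hours": mean(ttd_secs) / 3600,
        "median_ttd_hours": median(ttd_secs) / 3600,
        "detect_buckets": dict(Counter(bucket_for(t) for t in ttd)),
        "mttr_hours": mean(ttr_secs) / 3600 if ttr_secs else None,
        "unanswered_alerts": unanswered,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
```

On the constructed data the mean time to detect is about 353 hours while the median is under 3 hours: two long-dwell incidents dominate the average, so report the median and the bucket counts alongside it, as the survey does. The unanswered-alerts list is the metric that would have flagged the Target failure mode, where detection worked and the response did not.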
(Related)
Update. (I thought it would take longer.) Looks like there were a few standard security measures not part of Target's repertoire.
My suspicious mind suggests that the costs saved by this settlement allowed Target to raise employee wages.
Steve Karnowski and Michelle Chapman of AP report:
A Minnesota judge has endorsed a settlement in which Target Corp.
will pay $10 million to settle a class-action lawsuit over a massive
data breach in 2013.
U.S. District Judge Paul Magnuson said at a hearing Thursday in St.
Paul, Minnesota, that he would grant preliminary approval of the
settlement in a written order later in the day. The move will allow
people to begin filing claims ahead of another hearing for final
approval.
[…]
The settlement would also
require Minneapolis-based Target Corp. to appoint a chief information
security officer, keep a written information security program and
offer security training to its workers. It would be required to
maintain a process to monitor for data security events and respond to
such events deemed to present a threat.
Read more on FindLaw.
Sometimes you just have to take the abuse.
Timothy Cornell of Clifford Chance US LLP has an interesting write-up on the Wyndham case that really details the time and labor costs of responding to a government investigation following a data breach. Here’s an example:
On April 8, 2010, the FTC began to investigate Wyndham Worldwide and
three of its subsidiaries (collectively “Wyndham”), sending
Wyndham a voluntary request for information. The FTC’s
investigatory focus, as stated in that April 8, 2010 letter, was to
determine: “whether Wyndham’s information security practices
comply with Section 5 of the [FTC] Act, which prohibits deceptive or
unfair acts or practices, including misrepresentations about security
and unfair security practices that cause substantial injury to
consumers.”[2]
The FTC’s request contained 14 detailed inquiries (most with
subparts) and sought information about Wyndham’s IT architecture,
cybersecurity policies, and the three data breaches that occurred.
It took Wyndham more than five months to locate all responsive
documents. [3]
During 2010 and the first half of 2011, the FTC sent three
supplemental requests for information and documents, and also posed
oral requests at meetings between the parties. In total, 29 document
requests and 51 information requests were issued to Wyndham prior to
December 2011.[4]
Wyndham produced over 1 million pages of documents and written
responses that totaled 72 pages single spaced. In addition, Wyndham
Worldwide’s CFO and head of Information Security – along with
attendant inside and outside counsel – attended seven in-person
meetings with the FTC.[5]
The time and cost associated with preparing for each of those meetings was likely significant.
Wyndham estimated that its response cost exceeded $5 million in legal and vendor fees.[6]
And that estimate did not include the time employees spent
responding to the requests or the business disruption caused thereby,
nor the costs associated with preparing for meetings with the FTC.
Read more on The Metropolitan Corporate Counsel.
No surprise. New technology means ignoring old security solutions.
Companies Find It Difficult to Secure Their Mobile Apps: Survey
A new Ponemon Institute study sponsored by IBM shows that many organizations neglect security when building mobile applications for their customers.
The report shows that nearly 40 percent of the 400 organizations that took part in the survey, 40 percent of which are Fortune 500 companies, potentially expose their customers’ data because they don’t scan the code for vulnerabilities.
…
When asked about why mobile apps contain vulnerable code, many of the respondents cited rush-to-release pressures, lack of training on secure coding practices, lack of quality assurance and testing procedures, and the lack of internal policies that clarify security requirements.
…
According to the report, organizations spend an average of $34 million per year on mobile app development, but only $2 million, or 5.5 percent of the annual budget, on mobile app security.
I don't want my Ethical Hackers penetrating systems to leave a “Kilroy was here!” If they really want to probe, we have a formal authorization procedure.
Cyber Attackers Leaving Warning 'Messages': NSA Chief
Attackers hacking into American computer networks appear to be leaving "cyber fingerprints" to send a message that critical systems are vulnerable, the top US cyber-warrior said Thursday.
Admiral Michael Rogers, director of the National Security Agency and head of the Pentagon's US Cyber Command, made the comments to a US Senate panel as he warned about the growing sophistication of cyber threats.
"Private security researchers over the last year have reported on numerous malware finds in the industrial control systems of energy sector organizations," Rogers said in written testimony. "We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict."
All data is targeted, actually; the priority changes depending on the value of the data and the amount of security.
The Next Cybersecurity Target: Medical Data
…
Calhoun points out that healthcare breaches aren't unheard of: In
fact, according to Intel Security and the Atlantic Council's latest
report on cyber risks, about 44 percent of all registered data
breaches in 2013 targeted medical companies, with the number of
breaches increasing 60 percent between 2013 and 2014. Those numbers
may seem larger than expected—how often do healthcare breaches make
the news?—but Calhoun tells me that these reported medical-company
breaches happen on smaller scales, affecting far fewer people than
attacks on banks and government data.
…
"Advanced cybersecurity defenses are still a relatively new
idea to many healthcare organizations," said Greg Kazmierczak,
the CTO of data-security company Wave Systems Corporation. "Big
banks and large financial firms, on the other hand, have been dealing
with these issues internally and in the public eye for the past
decade or so with the large-scale breaches of JP
Morgan and Bank of America."
In other words, as more attacks happen, more victims will beef up their cybersecurity. [Only if they ask “Could that happen to me?” Bob] So, with the Premera breach, it's the healthcare industry's turn to rethink data security.
Typical government doubletalk? If “law enforcement” is buying it, we certify it. But it's not about who buys it? Once law enforcement has it, it passes out of the FCC's regulatory environment?
The Federal Communications Commission (FCC) lacks oversight of so-called stingray surveillance devices once they are in the hands of law enforcement, Commissioner Tom Wheeler said Thursday.
Wheeler said the commission certifies the devices, which collect location information from cellphones, if they are being made for law enforcement use. [If they are made for other users, they are not certified? Bob]
"And then from that point on, its usage was a matter of law enforcement, not a matter of the technological question of whether or not the piece of hardware interfered with other [radio frequency] devices," he said.
…
Wheeler did say the commission could have authority over the
"unauthorized use" of the device, such as one that was sold
illegally outside law enforcement circles.
…
our jurisdiction and our authority is to certify the electronics of
the RF components of such devices for interferences questions. And
that if the application was
being made in conjunction with law enforcement, then we would approve
it. This is for the technology, this
is not for who buys it."
Shrink wrap, click wrap, psycho rap. What did the user mean when he clicked that “I Agree” button?
Aaron R. Gelb and James R. Glenn of Vedder Price write:
Since December 2014, retail giant Michaels Stores, Inc.
(Michaels) has been hit with two class action lawsuits regarding
its background-check process. The lawsuits allege that Michaels
violated the Fair Credit Reporting Act (FCRA) by having
job applicants click an “I Agree” box consenting to the terms and
conditions of an online job application, which include an
authorization to obtain a consumer report on the applicant.
Employers utilizing a third party to obtain background checks for use
in the hiring process (and other employment decisions) must comply
with a number of requirements set forth in the FCRA, including that
the employer give job applicants a written authorization form that
includes a “clear and conspicuous” notice that a consumer report
may be obtained for employment purposes. This disclosure and
authorization must be part of a separate or “stand-alone”
document consisting of the disclosure and nothing else. The
employer must obtain the individual’s authorization before a
consumer report is procured.
Read more on National Law Review.
(Related)
Wendy Davis reports:
Yahoo is asking a judge to deny class-action status to a group of
people who are suing the company for scanning their email messages.
The company argues in new court papers that the lawsuit doesn’t
lend itself to class-action treatment because one
of the key unresolved issues turns on whether Web users consented to
the scans. Yahoo says that users’ consent needs to be
litigated on a case-by-case basis.
Read more on MediaPost.
Interesting timing. Probably had nothing to do with Google's support for Obama in 2012. Probably. It's just that people from tech firms cross into government positions just like people from defense firms do.
Google threatened to remove websites from its search engine unless they let Google use their content
…
The Wall Street Journal on Thursday published excerpts from a 2012 Federal Trade Commission document. The document was part of the FTC's investigation of Google after complaints from competitors. It was never meant to be public but was accidentally sent to The Journal after a Freedom of Information Act request.
…
Eventually, Google offered to let websites opt out of including
their content in Google's search results, and made some other
changes. In 2013, the FTC commissioners unanimously voted 3-0 to
drop the investigation.
…
The FTC probably won't reopen an
investigation just because this report was leaked. This isn't news to
the FTC.
However, it could give new fodder to European investigators.
(Related)
See what I mean?
The former top engineer at Facebook is taking over as the White House’s first-ever director of information technology, the Obama administration announced Thursday.
David Recordon will be responsible for making sure President Obama’s office is using the most updated and secure technology, the White House explained in a blog post.
…
Last year, the president created the new U.S. Digital Service to replicate the government’s success turning around the early troubles of HealthCare.gov all across the government.
That effort is led by former Google executive Mikey Dickerson, and on Thursday it helped unveil a new tool for the public to keep track of how people visit government websites.
For our Big Data students.
Understanding Small Business Web Analytics
You can find a slew of powerful Web analytics tools that you can use to see how well your small business website, social media feeds, email blasts and pay-per-click ad campaigns are performing. But those tools won't help much unless you understand which numbers matter most and what they mean.
I wonder... Could we use this App to allow our students to “test out” of certain tech skills?
Smarterer Announces Free Access to Its Skill Assessment API
Smarterer, a skill assessment engine, has announced that the Smarterer REST API is now free for companies and individuals to utilize. With the API, companies and individuals can embed hundreds of crowdsourced skill assessments directly into products, apps, and websites. Prior to this announcement, the API came with a charge to use the service; but, Smarterer and its parent company, Pluralsight, decided to open the service for anyone to freely use.
Smarterer was created after founder Dave Balter discovered that the skills needed to fill job openings in today's rapidly changing, technology-driven marketplace were difficult to uncover but necessary to adequately choose a candidate. Smarterer is built upon a crowdsourced set of skill tests (currently over 400 tests exist).
…
For more detailed information on the API, check out the API docs.
Perhaps I should expand my idea of students writing their own textbook to the creation of links to all the educational tools you will ever need. (Then use them to conquer the world!)
Book Preview - Deeper Learning Through Technology
Ken Halla writes the US History Educators Blog. I've been following that blog for years so when Ken had his first book published I agreed to share the news here. Ken's book preview is posted below. On a related note, Ken and I are planning to offer an online course together this summer.
For the better part of 14 months I (Ken Halla) have devoted a great deal of time to my new book Deeper Learning Through Technology: Using the Cloud to Individualize Instruction. If you follow my blogs on content, pedagogy and technology (US history, economics, government and world history) you know that I have definite research-based beliefs about the change that needs to occur in our classrooms. My book discusses these needs, outlines the technology needed for higher level thinking and for more personalized learning and then gives you step by step instructions for how to use it all.
…
my favorite part of the book is that after giving you reasons why
and then showing you how, I give you actual examples of how each is
being implemented in the classroom. To ensure you follow through I
give you and your PLC five action items to start doing in each
chapter so you can change your classroom.
(Related)
Even we have Luddites.
Convincing Skeptical Employees to Adopt New Technology
…
According to a study
by MIT Sloan Management Review and Capgemini Consulting, the vast
majority of managers believe that “achieving digital transformation
is critical” to their organizations. However, 63% said the pace of
technological change in their workplaces is too slow, primarily due
to a “lack of urgency” and poor communication about the strategic
benefits of new tools.
For my Excel students. If MakeUseOf.com keeps producing these guides, I'll keep pointing to them for my students!
Mini Excel Tutorial: Using Advanced Counting and Adding Functions in Excel