Thursday, March 29, 2018

I strongly recommend log reviews to my Computer Security students. Why don’t more organizations do regular reviews? As you see here, it works!
March 23, 2018. Salem, OR—The Oregon Department of Revenue has detected a security incident that involved approximately 36,000 individuals with records at the department.
The facts of the incident are summarized below, along with protective measures the department has taken since discovering the incident. The potentially impacted information from the files included data such as names, addresses, and Social Security numbers.
Because the Department of Revenue takes privacy and the confidentiality of taxpayer information seriously, it has strong information technology security processes in place, which enabled the department to quickly detect and contain the incident. The department has no indication that any personal information has been accessed or viewed by an unauthorized person, or used inappropriately. However, it is notifying the public as a precautionary measure.
What happened?
On February 21, 2018, a Department of Revenue employee uploaded work files to a personal cloud storage account. Department of Revenue’s information security staff identified the upload through routine log reviews. When the incident was detected, the employee’s computer was seized and all network accesses and credentials were immediately disabled. The employee was duty stationed at home and placed on paid administrative leave pending conclusion of a conduct investigation.
Department staff immediately launched a security investigation to determine the scope of the incident and the specifics of the information involved. Over the next several days, all files were deleted from the personal account. No evidence exists indicating the information was viewed or accessed by anyone other than department staff.
While all data was successfully retrieved, it took time to thoroughly review the information involved and determine the number of potentially impacted individuals, as there were many duplicate records.
The department is also adding the potentially impacted information into their identity theft risk file. Once added to this file, additional identity validation may be required when filing an Oregon personal income tax return. The department shares this file securely with numerous states’ tax departments to help prevent the information from being used to fraudulently file returns in other states.
So what was the employee doing uploading the data to a personal account? Was this intended wrongdoing or was the employee planning to work on things at home or…? And what did they do with respect to the employee when their investigation was concluded?

The challenges to Computer Security.

The CNN Factor Adds More Complexity to Security Operations

We all know that security teams are drowning in a sea of alerts, largely driven by a defense-in-depth strategy with layers of protection that aren’t integrated and create a massive amount of logs and events. If you need further evidence, Cisco's 2018 Annual Cybersecurity Report (PDF) found that among organizations using 50+ vendors, 55 percent say orchestrating security alerts is very challenging and for those with 21-50 vendors, 43 percent are struggling. The result? On average, 44 percent of alerts are not investigated and of those investigated and deemed legitimate, nearly half (49 percent) go un-remediated!

Coming soon to a city near me? (Why I’m teaching a Software Architecture class.)
One of the Biggest and Most Boring Cyberattacks Against an American City Yet
… In a statement, Atlanta’s mayor, Keisha Lance Bottoms, assured citizens that utility and safety systems, like police and water, are unaffected. She also noted, “This is a massive inconvenience to the city.”
Tell me about it. This is the new, humdrum reality of information-security breaches. When they don’t leak reams of personal information for theft and resale on the black market, they make ordinary life annoying in small but important ways.
Here’s more boring corporate bureaucracy for you: My university uses software made by Oracle and PeopleSoft for accounting and expense management. The system assumes one expense report per trip, which means that now I have to wait until the parking-system website comes back online so I can extract a receipt (for $100 or less) and submit it. Until then, I can’t get reimbursed for the rest of my trip, which totals far more than $100, unless I want to absorb the parking expense in the interest of expediency.
… The City of Atlanta assures its residents that anyone who can’t pay a utility bill won’t be penalized if they cannot access an online system to do so. But those exceptions would also have to be entered into a computer. Someone’s account could be incorrectly marked in arrears, and their water service shut down.
… All of these incidents arise from a slow, steady drip of small changes to the way people store, access, and manage information and services. Contemporary civilization has rebuilt itself atop a lattice of fragile computer systems, all interconnected. The chaos that ensues when these systems fail or get breached is so constant, it feels expected. Almost natural.

Passenger electric cars get all the press, especially when someone launches one into space. But something important is going on in the world of commercial vehicles as well. Last year Tesla announced it would produce an electric long-haul big rig. PepsiCo, Walmart, and UPS promptly committed to buying a few hundred. More recently, UPS made an important announcement about its plans to roll out 50 new midsize electric delivery trucks in Atlanta, Dallas, and Los Angeles.
The headline is that, for the first time, the electric trucks are expected to cost the company no more than regular diesel vehicles. Up-front price is no longer a barrier.
But there’s a second part of the story that’s not being touted enough. These new trucks will create significant additional value for the business in ongoing operational savings, improved routing efficiency, and brand building. In short, the electric vehicles (EVs) are much better than just a break-even proposition. Before explaining how this will play out, some context.

Profound. Even Napoleonic!
