A short “How to fail my computer security class” look at Equifax.
… The company took more than two weeks to publicly disclose the breach, Smith said, because Equifax’s outside counsel, King & Spalding, and cybersecurity firm Mandiant advised the company to first have a plan in place to protect consumers affected by the breach. [So much for thinking ahead. Breaches WILL happen, so why not do at least some planning (or thinking) in advance? Bob]
… Hackers exploited a vulnerability in a version of Apache Struts software that was used by Equifax but had not been patched, despite a March alert from the Department of Homeland Security (DHS) directing companies to apply the patch.
… The individual designated to notify personnel to apply the patch failed to do so, Smith said. [Why not share DHS notices with more than one person? Bob]
… Smith also revealed that the personal data accessed was not encrypted at the time it was accessed, prompting further scrutiny. [That would have been their ‘Get Out of Jail’ card! Bob]
… Smith offered up little information on the hackers behind the breach, repeatedly referring to an FBI investigation. When questioned, Smith would not rule out that the hackers were sponsored by a nation state.
“We've engaged the FBI at this point, that's all I'll say,” he said Tuesday.
Bloomberg reported last week that hackers used techniques that have been previously linked to state-sponsored hackers.
While Smith said that investigators tracked the IP addresses of the criminals, he said their identities and whereabouts remain unknown.
Smith did, however, acknowledge the sophistication with which the criminals moved through the company’s system, evading the company’s security personnel for more than a month. [139 days by my count. Bob]
(Related). Compare and contrast.
Disqus Demonstrates How to Do Breach Disclosure Right
… I first saw the Disqus data first thing Friday morning my time in Australia. Verification wasn't difficult because my own record was in there (there's nothing like finding your own data in a breach to help expedite verification!). I reached out to an existing contact I had at Disqus via email as soon as I had a reasonable degree of confidence that the data was accurate (a couple of hours after I received it). From that moment, the timeline in their public disclosure began, which I highlighted in this tweet:
(Related).
U.S. Banking Regulator Hit by 54 Breaches in 2015, 2016
… The report, made public last week, focuses on the FDIC’s processes for responding to data breaches, and it’s based on an audit conducted in response to concerns raised by the chairman of the Senate Committee on Banking, Housing, and Urban Affairs.
The OIG’s audit focused on 18 of 54 suspected or confirmed breaches discovered by FDIC between January 1, 2015 and December 1, 2016. The 18 incidents reviewed by auditors affected more than 113,000 individuals.
The audit found that in 13 of the 18 cases the FDIC did not complete some key breach investigation activities, such as assessing impact and convening the data breach management team, within the timeframe established in the agency’s Data Breach Handling Guide (DBHG). [Something every organization should have? Bob]
It took the organization, on average, more than 9 months to notify affected individuals after discovering a breach. It took between 145 days and 215 days to send out notifications to impacted people after the decision was made to notify victims. In one incident that affected nearly 34,000 people, the FDIC sent out the notifications exactly one year after the breach was discovered.
… A report published last year by the House of Representatives Science, Space and Technology Committee revealed that threat actors believed to be from China breached the systems of the FDIC in 2010, 2011 and 2013, and planted malware on a significant number of servers and workstations. The committee concluded that the agency’s CIO had attempted to cover up the incident.
Can the Internet use broadcast radio and TV rules?
Sen. Amy Klobuchar (D-Minn.) said Sunday that she is working on legislation that would mandate online political advertisements be subject to the same rules as broadcast ads.
“And the rules that apply for ads when they’re put on TV or radio, where you have to register them and say how much you paid, that doesn’t apply to these online ads. And so our laws need to catch up with what’s going on with our campaigns,” Klobuchar told CNN’s “Reliable Sources.”
The effort comes amid the growing controversy over Facebook’s political advertising during the 2016 election.
Perspective. A look at our future?
Cash is already pretty much dead in China as the country lives the future with mobile pay
- Mainland Chinese stores and services are increasingly centered around mobile pay apps like WeChat Pay and Alipay.
- Chinese mobile payment volume more than doubled to $5 trillion in 2016, according to Analysys data cited by Hillhouse Capital.
- Mobile pay is growing so rapidly in mainland China that as a foreigner, I sometimes found it difficult to complete basic transactions without it.
- The dominance of mobile transactions lends itself to greater data collection by the Chinese government.
Perspective. A bit rambling, but quite interesting.
The secret lives of children and their phones
For my Spreadsheet students.
Excel’s Custom View setting makes it easy to view specific information on a crowded spreadsheet or to create different layouts for your data. You can use it to create custom headers or footers, create a print-friendly version of your spreadsheet, or you can create a view in which freeze panes or split rows are activated.