I strongly
recommend log reviews to my Computer Security students. Why don’t
more organizations do regular reviews? As you see here, it works!
Oregon
Dept. of Revenue detects and responds to employee uploading records
to personal cloud storage
March 23, 2018. Salem, OR—The Oregon Department of Revenue has detected a security incident that involved approximately 36,000 individuals with records at the department.
The facts of the incident are summarized below, along with protective measures the department has taken since discovering the incident. The potentially impacted information from the files included data such as names, addresses, and Social Security numbers.
Because the Department of Revenue takes privacy and the confidentiality of taxpayer information seriously, it has strong information technology security processes in place, which enabled the department to quickly detect and contain the incident. The department has no indication that any personal information has been accessed or viewed by an unauthorized person, or used inappropriately. However, it is notifying the public as a precautionary measure.
What happened?
On February 21, 2018, a Department of Revenue employee uploaded work files to a personal cloud storage account. Department of Revenue’s information security staff identified the upload through routine log reviews. When the incident was detected, the employee’s computer was seized and all network accesses and credentials were immediately disabled. The employee was duty stationed at home and placed on paid administrative leave pending conclusion of a conduct investigation.
Department staff immediately launched a security investigation to determine the scope of the incident and the specifics of the information involved. Over the next several days, all files were deleted from the personal account. No evidence exists indicating the information was viewed or accessed by anyone other than department staff.
While all data was successfully retrieved, it took time to thoroughly review the information involved and determine the number of potentially impacted individuals, as there were many duplicate records.
… The department is also adding the potentially impacted information into their identity theft risk file. Once added to this file, additional identity validation may be required when filing an Oregon personal income tax return. The department shares this file securely with numerous states’ tax departments to help prevent the information from being used to fraudulently file returns in other states.
Source: Oregon
Department of Revenue.
So what was the employee doing uploading the data
to a personal account? Was this intended wrongdoing or was the
employee planning to work on things at home or…? And what did they
do with respect to the employee when their investigation was
concluded?
The
challenges to Computer Security.
The CNN Factor Adds More Complexity to Security Operations
We
all know that security teams are drowning in a sea of alerts, largely
driven by a defense-in-depth
strategy with layers of protection that aren’t integrated and
create a massive amount of logs and events. If you need further
evidence, Cisco's 2018 Annual Cybersecurity Report (PDF)
found that among organizations using 50+ vendors, 55 percent say
orchestrating security alerts is very challenging and for those with
21-50 vendors, 43 percent are struggling. The result? On average,
44 percent of alerts are not investigated and of those investigated
and deemed legitimate, nearly half (49 percent) go un-remediated!
Coming
soon to a city near me? (Why I’m teaching a Software Architecture
class.)
One of the
Biggest and Most Boring Cyberattacks Against an American City Yet
… In a statement,
Atlanta’s mayor, Keisha Lance Bottoms, assured citizens that
utility and safety systems, like police and water, are unaffected.
She also noted, “This is a massive inconvenience to the city.”
Tell me about it. This is the new, humdrum
reality of information-security breaches. When they don’t leak
reams of personal information for theft and resale on the black
market, they make ordinary life annoying in small but important ways.
Here’s more boring corporate bureaucracy for
you: My university uses software made by Oracle and PeopleSoft for
accounting and expense management. The
system assumes one expense report per trip, which means
that now I have to wait until the parking-system website comes back
online so I can extract a receipt (for $100 or less) and submit it.
Until then, I can’t get reimbursed for the rest of my trip, which
totals far more than $100, unless I want to absorb the parking
expense in the interest of expediency.
… The City of Atlanta assures its residents
that anyone who can’t pay a utility bill won’t be penalized if
they cannot access an online system to do so. But those exceptions
would also have to be entered into a computer. Someone’s account
could be incorrectly marked in arrears, and their water service shut
down.
… All of these incidents arise from a slow,
steady drip of small changes to the way people store, access, and
manage information and services. Contemporary civilization has
rebuilt itself atop a lattice of fragile computer systems, all
interconnected. The chaos that ensues when these systems fail or get
breached is so constant, it feels expected. Almost natural.
Perspective.
Passenger electric cars get all the press,
especially when someone launches
one into space. But something important is going on in the world
of commercial vehicles as well. Last year Tesla
announced it would produce an electric long-haul big rig.
PepsiCo,
Walmart,
and UPS
promptly committed to buying a few hundred. More recently, UPS
made an important announcement about its plans to roll out 50 new
midsize electric delivery trucks in Atlanta, Dallas, and Los Angeles.
The headline is that, for
the first time, the electric trucks are expected to cost the company
no more than regular diesel vehicles. Up-front price is no longer a
barrier.
But there’s a second part of the story that’s
not being touted enough. These new trucks will create significant
additional value for the business in ongoing operational savings,
improved routing efficiency, and brand building. In short, the
electric vehicles (EVs) are much better than just a
break-even proposition. Before explaining how this will play out,
some context.
Profound. Even Napoleonic!
No comments:
Post a Comment