I started watching a movie the other day called Erasing David.  It was not autobiographical but it does raise some interesting points.   Could you disappear for 30 days?  A British man decides to test the degree to which he has lost his privacy by attempting to "unplug" from daily life and hiring two private detectives to locate him.  Where can he live, eat, shop?  How does he gain access to information, money and other necessities without compromising his privacy?

I deal with these issues on a daily basis: how to limit the information that is collected and stored by researchers, marketers, vendors, governments and hackers.  We Americans do not value our privacy enough these days.  We'll gladly give up our email address for a $5 coupon and sometimes even for less.  I'd encourage everyone to spend some time and take inventory of who has what information about you.  Do it for your children too.  Many of the marketing and research companies make their databases available for sale, rent or trade.  What seems like trivial information becomes less trivial once compiled hundreds of times over with other databases.  By the way...Facebook, Google+, LinkedIn and every other social media outlet are gold mines of personal information.  If you haven't read their privacy practices recently...you should.  I'm not saying don't use them; just use them with the full knowledge of their true cost.

First let me say this: I am not trying to create mass panic. We are not having a crisis, epidemic, pandemic or any other world ending situation. You should not refuse medical treatment because of anything I point out in this short blog entry.

Recently a security researcher found a way to take control of an insulin pump and dole out a potentially lethal dose of insulin. The device is made by a large corporation and is widely used today. It uses wireless technology with no encryption. Yes...you read that right. Wireless...no encryption. I know, I know...it should be a no-brainer these days to encrypt all wireless communications but evidently it's not. The researcher had to customize the communication device and write a customized program to connect to the insulin pump. But if he can do it, so can the next guy. This isn't the first of such discoveries. A couple of years ago, certain types of pacemakers were discovered to have a similar flaw.

This is why it is so important for all projects your company works on, not just IT projects, to go through a formalized information security and privacy review before getting the green light for production. If you are buying products, especially those you sell, configure or install for others, you should do a thorough information security and privacy review during your procurement process. Ask the vendors if they've done security testing. Ask them for independent verification. If they can't or won't provide the information you must assume it wasn't done and you'll need to do your own validation. Information and communications are everywhere. Even inside our own bodies. Welcome to the Matrix.

While setting up a new laptop, our resident security engineering guru, Steve Healey, made a funny discovery.  Cell phone videos can be used to bypass facial recognition software.  The laptop he was configuring offers biometric authentication via facial recognition using the built-in webcam.  Steve recorded a video of himself on his smartphone and then used it as the subject for authentication.  By simply changing the viewing angle of the phone to the camera he was granted access.  As a disclaimer, he didn't have the sensitivity turned all the way up.  It also wasn't turned all the way down either, though.  Those of you using biometric devices, fingerprint readers, facial recognition, etc. on your mobile devices, take note.  It's really not all that secure.  You probably still want to use a password in combination with the biometrics.  Low-end biometric capture devices in cell phones, laptops, etc. are not the same ones you see protecting a Level-3 Bio Hazard lab!  Kudos to Steve on this "shocking" discovery.

I'm happy to announce the launch of Integrity's new online security awareness training portal.  If you are looking for a quick and cost-effective way to provide security awareness training to your employees, our new security awareness training portal is for you.  We call it InTraining.  The training course meets the requirement to provide employee security awareness training for HIPAA, SOX, PCI and other compliance requirements.  Our fully integrated training portal provides a company administrator with the ability to enroll employees on the fly, create compliance reports for auditors and send reminders to those who haven't completed their annual training.

The multi-media content is designed to provide a high level overview of common information security topics in a format that is easily understood by the average employee.  No fancy techno-jargon, just practical information employees need to know in order to protect the confidentiality, integrity and availability of company data.

If you're looking for OWASP training for your application developers to satisfy your PCI compliance, our OWASP course will be launching next month as well.

If you would like more information please visit our product page for InTraining or try it for yourself with a free online demo.  Just log in as a guest for access.

The Catholic Diocese of Des Moines was involved in a computer security breach last month in which thieves were able to steal more than $600,000 from their automated clearing house (ACH) account at Bankers Trust.  To the credit of Bankers Trust, they were able to detect the fraudulent activity and notify the Diocese within a matter of days.  Unfortunately the funds were already gone by then.

According to the Diocese press release and other media reports, the FBI has seized several computers from the Diocese but no employees of the Diocese or Bankers Trust are suspected to be involved.  This means one of two things.  Either law enforcement is trying to divert attention away from the true angles they are working or the systems themselves were to blame.

If the computers are part of the problem we can assume they were either not patched and vulnerable to attacks or end users allowed some sort of malware to be installed and siphon data.  Either way, this points to a breakdown in very rudimentary security practices.

This should be a warning to all organizations.  Patch your systems, scan them for malware and please, please, please...educate your users.  There is no patch for the human factor.

In my last blog post, I discussed the increase in reported breaches caused by insiders.  What I didn't tell you was that the loss from those breaches was primarily (49%) embezzlement and related fraud.  Only 3% of the records breached were from inside attacks.

This is important to note.  The controls you need in place to prevent embezzlement, skimming and other types of fraud may be different from those you need to protect static database records or file-type data.  Understanding where your attacks are coming from and the target of those attacks can be very useful in selecting and placing controls.

On the flip side, 98% of the records compromised (customer, patient, etc.) were from external sources.  Of this, 85% of the records were attributed to organized crime.  WOW!  I knew the number was high but that was surprising to me. 

Makes me second-guess my career choice.  Here I am tracking organized crime for a living and I don't even get to carry a gun.  All kidding aside, though, this too should be a wake-up call.  Knowing where our attacks are coming from is important.  Organized crime has the resources, capital and manpower to do significant damage when they want to.  The days of implementing simple security controls which are not interconnected and do not share information will come to an end.  As the attacks get more complex, so must our defenses.

Don't read too much into all of this, though.  As pointed out in the report, 96% of all breaches were unsophisticated.  Start small and work your way into a robust risk management and security program.  Like the old adage goes...you only have to be faster than the slowest gazelle.  That's if there's only one lion.

At the last ISSA meeting in Des Moines, we reviewed the 2010 Data Breach Investigations Report published by the Verizon RISK Team in cooperation with the US Secret Service (USSS).  This was the first year the USSS provided data for the report.  The additional information expands the scope of the report and only helps to add credibility.  Not that the report wasn't credible in the past, but Verizon's client base is going to favor those larger clients who can pay for their services.  The USSS data helps to broaden the scope.

Two things caught my eye this year.  The first was the 26% increase in breaches caused by insiders.  The addition of USSS data helps reveal what we've known for a long time.  Inside threats are very real and we must be prepared to prevent or detect them.

The second interesting fact was that 96% of all breaches were avoidable through simple or intermediate controls.  This means it's not difficult or expensive to stop this epidemic.  Why does it continue?

I believe the biggest reason is risk management.  IT leaders are not proving their case well enough.  When asking for budgets to mitigate risk we're not providing the detail or clearly communicating the risk.  I'll bet if you asked every executive involved in that 96% of breaches if they would rather have paid for the controls up front you'd get a 100% affirmation rate.

This week make a concerted effort to ensure you are clearly communicating risk to the organization.  Don't pull a "chicken little" routine but spend the time to have facts and numbers which show the entire picture to your management.  You might be surprised how quickly they respond.

I'll add some additional thoughts on the report next week.  If you are local to central Iowa and are interested in joining us at the next ISSA meeting, please check out our website at www.issa-desmoines.org
