Every single information security breach investigation that the team at Integrity was a part of in 2014 had a malware component.  This isn’t to say that the hack was the result of the malware attack.  It just means that the security breach was aided in some way by the malware.  How in the year 2015 is a statistic like this still possible?

Quite simply, finding mismanagement of the anti-malware tools and a lack of security monitoring is common in security breach investigations.  In all cases we investigated in 2014, the anti-malware tools were either not configured properly or not updated on a regular basis.  Couple that with the fact that no one was checking to make sure the tools were working properly or looking for malware detections and you see the problem.  Folks are betting the farm on a flawed system. 

Lots of money is spent on technology each year.  However, if you don’t have the right people and process behind the technology, your risk of getting hacked and being the victim of a security breach rises exponentially.  People, Process, Technology.  There’s a balance to be found.  Do you have it?

This article I found at Nextgov.com is a great reminder that the cyber espionage and surveillance that was once reserved for the movies is now a real threat.  If you are a corporate executive or IT administrator you should assume you are being watched and tracked.  The cyber security rules are different when you are on an international trip.  An abundance of caution is needed. 

Read this article and think about how it applies to you.  Should you use burner phones or “dummy” laptops and tablets?  Should you disable wireless LAN capabilities and force only trusted wired connections?  Is the government of the country you are visiting hostile to your company, your industry or your home country? 

There is a balance between paranoia and preparedness when it comes to cyber security and cyber espionage.  Don’t assume the stuff of fiction and movies isn’t in the real world.  As Mark Twain said, “Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't”.

Just a reminder to join us for the ISSA chapter meeting on 2/23.  FBI Special Agent Jordan Loyd will be presenting on the state of information security and an update on some breach investigations here in the Midwest.  Visit http://desmoines.issa.org for more info.  Lunch orders must be placed by 8:30am Monday morning.

Register Here:  http://www.eventbrite.com/e/february-2015-meeting-of-the-des-moines-issa-chapter-tickets-15741556419

For years, CNET had been a trusted source for technology news.  Every technology professional in the mid to late 1990’s and early 2000’s used CNET for research and downloads of utility software.  Somewhere along the way CNET lost their path.  I won’t go into my thoughts on their reporting of the news.  I only want to caution you on the use of their download section.

Much of the software has additional bloatware, adware, spyware or other “x-ware” type of behavior bundled with it.  This is concerning to me.  I’ve tried to use a few utilities found there only to find tons of other things attempting to install in the background, some of them unannounced.  I don’t like that.

My advice to you is to never again download a piece of software from CNET.  It’s obvious that quality control or review is not a priority.  It’s obvious that they are most interested in advertising or linking revenue.  If you want to gamble that a download from CNET won’t lead to some malware infection be my guest.  That’s a bet I’ll pass on every time.

Over the past few years, insurance carriers have been taking major hits on liability claims due to security breaches because many liability policies have had at least some limited amount of cyber insurance coverage in the past.  Some carriers have even paid out claims under business interruption insurance.  I saw one claim for nearly $500,000 paid out under a business interruption policy for what amounted to a really bad virus infection.

Things are changing and you need to understand the impact on your business.  Here are a few tips:

  1. Many insurance carriers are now making stated exclusions for any cyber related information security breaches.

  2. Information security breaches are now having very strict limits placed on the coverage levels unless you have added a specific rider to include the added coverage.

  3. Cyber liability policies vary greatly between carriers.  It’s not like the more common coverages like property and casualty, life or auto. You need to shop around and have a good broker help explain the differences.

  4. Cyber liability coverage comes in many forms; Errors & Omissions (E&O), network security, information security, breach notification, intellection property loss, etc.  Make sure you get the coverage you need for the type of data as well as the type of loss.

Many brokers just don’t understand this new and complex cyber insurance market.  I understand you may trust and love your current broker.  Have them explain the coverages to you and then find someone who specializes in the cyber market and have them review it with you again.  You don’t want to have an information security breach just to find out what you thought was covered under your liability insurance isn’t covered at all.

Wednesday, January 28th is the 8th Annual Data Privacy Day led by the National Cyber Security Alliance (NCSA).  On this day, consumers and businesses are reminded and encouraged to check the security of their personal information and learn how to keep it better protected.  Learn more about Data Privacy Day and find out ways to protect your data: http://staysafeonline.org/dpd.

Also, don’t forget to join Data Privacy Day (@DataPrivacyDay) tomorrow on Twitter for a conversation about different topics pertaining to privacy and data stewardship. Just use the hashtag #ChatDPD.

 

SSL has been obsolete for some time now.  It had a useful life and now it needs to go away.  During many of our penetration tests or ethical hacks, we find SSL is alive and well.  There is no information security if you are using SSL today.  It’s broken beyond repair.  Don’t use it or you are inviting someone to hack you. 

The POODLE hack is a serious threat to information security.  For some reason though, many webservers still allow browsers to negotiate all the way back to SSL v3.0.  To give you some perspective, TLS 1.0 superseded SSL in 1999, TLS 1.1 was released in 2006 and 1.2 in 2008.  I get the whole backward compatibility thing but seriously, browsers have supported TLS since early last decade.  That’s nearly 15 years folks.  It’s time to implement a process to progressively not support browsers that don’t support security.  We have no problem forcing out older browsers which don’t support the cool new functionality that makes our updated websites look so rich and full featured.  Why not do the same thing for security to prevent hacking?

Read more: SSL is Dead, Long Live SSL!

Contact Information

Birmingham Office

205.568.5506


Des Moines Office

515.965.3756


Kansas City Office

913.991.8724