DDoS attacks were used in a bank heist targeting the wire transfer switches at several banks.  There are two primary things to take away from this.  You can read about the attacks here.

  1. Diversions to siphon resources away from the actual attack are not new.  They've been commonplace in both the physical and cyber worlds for a long time.  We need to remember that our efforts during incident response can't be so full and swift that our ability to detect and respond to new attacks is weakened.
  2. Monitoring only a few "critical" systems isn't enough.  We need to monitor multiple points along any path that data traverses to ensure we have a holistic view of our data security.

The bad guys are getting smarter, more organized and more patient.  Our defense tactics need to evolve with these changes.  Are you adapting or still relying on what worked last month?

If you have been watching the details of hacking attacks over the past couple of years, you should have noticed a disturbing trend.  Attacks are shifting from mass destruction to maximum impact as their goal.  Gone are the days when the majority of attacks were focused on having global impact but were relatively minor in severity.  We're moving into an age where the primary goal is to cause catastrophic damage to a very small group or individual.

Motives are changing.  The attacker profile is changing.  More and more targets of hacking are not just getting caught up in the massive sweep of global attacks.  They are becoming targeted victims.  This means our risk assessment must change.  No longer can we try to "fly under the radar" or assume our company isn't "big enough" to be a target.  It also means we as individuals need to begin thinking about becoming a target as well.  Every company, big and small, has competition or those who want to see it fail.  Every individual has the potential to upset another and become the target of violence.

Are we ready for some of this animosity to be carried out via cybercrime?  Are you uncomfortable right now?  Are you worried about cybercrime in ways you might not have been 10 minutes ago?  The key is not to be afraid, but to be informed and aware.  Just as we're not paralyzed by the threat of physical crime, we can't be paralyzed by the threat of cybercrime.  We do, however, need to be "street smart" and know the risks that cybercrime poses to our professional and personal lives.  We need to understand the profile of hackers and their motives.  When we understand the risks, we can better identify the appropriate precautions we need to take to protect ourselves and our companies.

DEFCON and Black Hat are two prominent hacking conferences that come around each year.  And each year we hear the news outlets gush over the next "groundbreaking" hacking attempts that will shatter our lives forever.  We hear how hackers are going to crush the confidentiality, integrity and availability of our data and destroy modern society.  Really?  We've had the BlackHat conference for a few years now, 17 actually.  I'm pretty sure society has been moving along ok each year since then.

Let's put this into perspective.  Information security is all about risk.  We each take risks every day.  We drive or ride a motorized vehicle to work, we eat foods we didn't grow or prepare, we use sharp blades to shave hair off our face…you get the picture.  Risk is everywhere.  We take precautions to lower our risk, such as driving the speed limit, wearing safety gear at work, buying insurance and many other activities.  Information security is no different.  We face the risk and then take certain precautions to lower the likelihood that a hack will occur, or at least lower the impact if it does occur.

Read more: BlackHat Hacks Signal World Will End. Just Kidding!

Are you worried about PRISM and other government programs designed to monitor electronic communications?  You should be.  The privacy implications are far reaching.  The 4th Amendment to the U.S. Constitution was ratified because we wanted to control what the government can find out about its citizens without cause.  The funny thing is I’ve heard very little commotion about what hackers and organized criminal networks can find out about you.

Here’s a list of some of the common ways we use smartphones and tablets today.  This list is in no particular order.  You may not do all of these things, but I’m sure you do at least a few.

  • Read company and personal email with sensitive information detailed in the message
  • Download email attachments with confidential information enclosed
  • View sensitive client or patient information via a web application
  • Check banking or investment accounts online
  • Use VoIP technology (Skype, FaceTime)
  • Use GPS to find directions to our friends, vacation spots, stores, etc.

The information security and privacy controls on smartphones and tablets are weak, at best.  They are laughable at worst.  There are very few security controls in place today to stop an attacker from getting access to everything on that device.  Yet we routinely download every free app regardless of what the privacy settings are.  We freely use these devices knowing that every conversation can be recorded and played back.  We surf the web and enter passwords into applications with no idea who the developer is or if they have good intentions.

Anyone else see the hypocrisy here?  We shout to the mountain top about the little information the government collects but there is hardly a whisper about the plethora of information we are freely giving to hackers.  Think about it.  Which is the bigger risk?

Here are the new statistics released this month from the Ponemon Institute's annual survey of breach costs.

  • $188 per record lost – Average cost in 2012 for a data breach in the US
  • 28,765 – Average number of records per data breach in the US
  • $5,403,644 – Average cost of a breach in the US
  • $565,020 – Average cost to notify clients of a data breach in the US
  • $3,030,814 – Average cost of lost business from a data breach in the US

The cost figures are plain and simple.  They are verified.  They speak for themselves.  If you are having trouble getting executives to buy into the notion that no security is more expensive than a little security, float these numbers past them.  A breach of just 500 records will likely cost you $94,000.  Information security is critical to survival.  Ironically, the smaller you are, the worse a breach will hurt from a financial perspective.

Ask your executive team if they would consider not having a fire extinguisher or casualty insurance for your office.  If they say no, ask why they are willing to take such large risks with information security.  You're probably far more likely to suffer a security breach than to have a fire.  Put into proper perspective, most executives will follow your logic and begin to appreciate information security activities.

The definition of a data “breach” is a murky quagmire to many of our clients. For some it’s defined as “any unauthorized access or view of patient information outside an employee’s job scope.”  For another it’s defined as “a successful external cyber-attack which results in actual financial loss to a customer.”

Those are pretty different approaches to determining when a breach has occurred.  Things like company culture, regulatory compliance and insurance claims requirements will drive an organization’s definition of a data breach.

Read more: Define Data "Breach" Please..

As we continue to work through the 2013 Data Breach Investigation Report, I’ve realized that the more things change, the more they stay the same.  End user devices were involved in 71% of the reported breaches.  This is a significant jump over the last report but not really a new statistic altogether.

Here’s the sad truth.  We continue to value usability over security.  We always have and likely always will.  The ability to access data when, where and how we want is trumping our desire to protect the confidentiality, integrity and availability of the data.  Every information security professional wrestles with how to balance the risks of data access in an increasingly mobile workforce.

Read more: 2013 Data Breach Report - Point #3
