Friday, September 26, 2014

New York agrees with me



During a discussion of cyber security, the superintendent for the New York Department of Financial Services (DFS), Benjamin Lawsky, said, “It is impossible to take it seriously enough” (Lopez & Friefeld). The importance of cyber security cannot be overstated. Last week I posted specifically about the Home Depot breach, but there are so many more. Just yesterday, the Channel 7 news in Omaha had a story that Jimmy John’s experienced a breach. J.P. Morgan has also recently reported that they are investigating a potential breach. In fact, the DFS issued a report earlier in the year that the majority of financial institutions have experienced at least one attack in the last three years. Exact numbers were not provided in the article, but this still seems like a significant number of attacks. This doesn’t even include the number experienced by retailers.

In my post last week, I stated that it seems retailers are taking the required extra steps only AFTER an attack has occurred, instead of learning from others and taking steps now. Lawsky points out that lawmakers are in a position to enforce requirements, but I think any policies they put into place to address this specific topic would be too general or too outdated by the time the bills were approved. Technology tends to move faster than Congress (especially of late).

The article ends with Lawsky saying, “Once there is a major event, everyone suffers. We are going to pay for it either now or then” (Lopez & Friefeld). This is my belief to an extent, but I would suggest that it actually costs more to wait for something to happen. Aside from the expense of reviewing and upgrading the system to prevent a breach, the company would have to cover the cost of identity protection and any required reparations after a breach. In the long run it is cheaper to make changes now instead of waiting for the shit to hit the fan and having people scrambling to fix what should have been fixed initially. By focusing attention on the importance of cyber security now, Lawsky is putting New York in a better position to protect its financial institutions.


Lopez, L. & Friefeld, K. (2014). N.Y. Financial Regulator Says to Focus on Cyber Security.




Saturday, September 20, 2014

Thoughts on Home Depot

CNN posted a short little article about the hack into Home Depot that has been recently reported in the news. This latest breach, involving over 56 million credit/debit cards, only serves to highlight the need for strong security measures. In addition to that, it also raises some questions. How did it happen? Why was it able to happen for such a long time? What’s going to happen in the future?

According to Home Depot, the breach resulted from “a custom strain its security team had never seen before.” Unfortunately, this is likely to be the future of these kinds of attacks. With changes in technology, and improved methods from the attacker community, this will also be a more common occurrence. Home Depot has said that they are seeking to increase their encryption and security methods, but why did it take a major hack to make those changes? Granted, I don’t know all the facts in the case yet, and it’s easy to judge, but does it really take a 56 million card loss to instigate changes? Target reported a breach of 40 million cards last year, and this should have been a wake-up call to any retailer. Instead, the attack was found on September 2, but is believed to have been around since April. This is a long time to be losing information.

There are some lessons that can be taken away from this. We shouldn’t rely on what is in place. Instead, it should be regularly reviewed, tested, and updated. Improvements are constantly made in technology, and this should also apply to our defenses. Any time a client’s information is at risk, companies need to ensure it is protected. Having an effective security plan in place has got to be cheaper than supplying identity protection services for millions of cardholders.



Backman, M. (2014). Home Depot: 56 Million Cards Exposed in Breach. Retrieved from http://

Saturday, September 13, 2014

Patience and Planning

I’m going to write about something that happened at work recently. I apologize for some of the generalities in this post, but I am not going to discuss any company-specific technologies in a public forum. In our cyber-security courses we learn about Confidentiality, Integrity, and Availability being the cornerstones for protecting information. This also applies to new systems in development. My company prides itself on our technology and often uses it as an incentive when we are inviting new agents to join us. While our agents do think about the Confidentiality and Integrity legs of the triangle, their primary concern is Availability.

A new program was recently implemented that completely replaced one of the primary services we provide to our agents. Testing had been done to ensure it worked as designed; however, it couldn’t talk to the agent-facing system that is used to view the service. The new program was security tested, and passed. Information remained secure, but the Availability failed once the program went live. Because of this the entire Information Security team had to give up their weekend so they could find the problem, fix it, and test it by Monday morning.

In my opinion, this comes down to planning and patience. I saw this happen at my previous employer, but never on the scale of what happened at my current company. Management was excited about the new program, and rushed to put it in place. Once it passed initial testing, it should have gone through a secondary phase of a limited rollout to test it in the live environment. This wasn’t done, and resulted in a pretty big failure. Planning and patience could have avoided this.



Sunday, September 7, 2014

Websites for managing threats and vulnerabilities

Establishing a list of reliable sources for threats and vulnerabilities is important for managing them. Below is a list of the sites I like best, with a little bit of a description and why I like them. I’ve also included a link to each one so that you can also visit the site and give me your thoughts.

The National Vulnerability Database (NVD) is a government-sponsored database for vulnerability management. They provide links to additional websites dedicated to threat and vulnerability management. Having these additional links all in one place is convenient.

I especially like the link the NVD provides to the National Checklist Program. These checklists provide guidance for setting up security configurations to defeat known threats.

Common Vulnerabilities and Exposures (CVE) provides information about known vulnerabilities and exposures. This is helpful for vulnerability management, patch management, alerting, and intrusion detection.

Symantec has two pages that I like for current threats and vulnerabilities. First is their Threats page, which lists the name, severity, height, and discovery date. Each threat name has a link that provides additional information about it.

Symantec’s Vulnerabilities page lists the name of the threat, its severity, and the date discovered. Each name is hyperlinked to a description page that details the problem and provides recommendations.