Preventing the Breach

An ounce of prevention is worth a pound of cure.

An axiom of the medical community, this mantra easily applies to cyber-security, for a disproportionate number of data breaches could have been prevented had a proscribed set of steps, known as Controls, been in place. In recent breaches: Anthem, Medical Mutual of Ohio, Equifax and others, one or more of these Controls were discovered lacking.

Listed in a series of ordered steps, this group of 20 Critical Controls”[i] , developed by the Center for Internet Security in collaboration with cybersecurity education group the SANS Institute, serve as network fortresses. And thereby greatly reduce the chances of a data breach, or at the very least, lessens the severity of one. Among this set of best practices  are tasks like encryption, patching, network segmentation and inventorying systems- all time-honored fundamentals. In addition, it is recommended that companies have a vulnerability scan performed annually to identify network weaknesses, and those operating in regulated industries are required to do so.

Whether your I.T. is managed in-house or outsourced, all businesses have a fiduciary responsibility to keep customer’s personal information safe, and in some instances, a regulatory requirement to do so.  While securing your network may at first seem daunting, taking the proactive approach set forth in these guidelines strengthens your network.

While some reading this article will incorrectly believe that cyber-attacks happen to others, nothing is further from the truth. Customer databases, financial records, personnel files, written policies and processes are all gold mines for cyber thieves. Moreover if you are a supplier to a larger organization- you are indeed a target. As a supplier, you hold login credentials, which, when stolen will be used to infiltrate that larger organization’s networks and wreak havoc. In the highly publicized Target Stores breach, it was a small HVAC company’s system that was breached; its credentials stolen and then used to infiltrate Target’s network.[ii]

Cybercrime shows no signs of slowing down; indeed, the Privacy Right Clearinghouse[iii] reports that already in 2018, there have been 320,909 records breached and we are not yet through the first quarter. Regardless of company size or industry, no company is immune from a data breach- or absolved of culpability when one occurs. Prevention is key and a

very economical one when compared to mitigation.

For helpful tips, guidelines and links to additional resources, visit www.wins1.net.

[i]  www.cisecurity.org/controls/

[ii] money.cnn.com/2014/02/06/technology/security/target-breach-hvac/index.html

[iii] Privacy Rights Clearinghouse, www.privacyrights.org/data-breaches

The Child’s Tablet

Ordinarily my concern over children and technology relates to issues of security: are they locked out of certain websites, is there personally identifiable information on the device about them; and whom might they be corresponding with via various apps? However, yesterday’s outing with a friend and her 3-year old grandchild momentarily shifted that focus to more organic concerns, such as the physical and psycho-social effects of technology’s use on children.

Following a nice outing we arrived back at my friend’s home for a bit more socializing before I headed home. The little one- who had thoroughly enjoyed herself all day and who had heretofore been so talkative and engaged while we were out- headed straight for her tablet once home. Upon logging on she instantly became absorbed into her virtual world. So quiet in fact that I could have easily forgotten she was there had it not been for the fact that she was lying on the living room floor in plain sight transfixed by this little device.

A few hours later when her mother arrived home from work, she tore herself away from whatever program that had engrossed her, chatted with mom for a few minutes then returned to the device. But an hour or so later when the uncle phoned she absolutely refused to leave that tablet to facetime with him for a while – even at the behest of her mother and the lukewarm encouragement of grandmother, although grandmother simply said to her “go see what your mother needs.”

As I sat watching the interplay between the three over this seemingly innocuous device, I began to recognize how technology can influence behavior, especially in children. Sure the usual underpinnings were in force here: willfulness of the child; authority of the mother; mother’s guilt over being away for extended periods; grandmother’s attitude toward what she perceived as her daughter’s power play- these were all factors in the exchange. But the preschooler was more than willful, she was actually impudent with her mother, and while mom appeared firm- there was a degree of hesitation, most likely due to conflicted feelings of parental guilt and authority. Sure she made noises about taking the tablet away, but never actually made a move to do so, though eventually she did get up and physically lift her child from where she lay perched over the tablet. But from my vantage point, I realized that there were other dynamics in operation here. I was witnessing firsthand the phenomenon that child experts have warned about and that is the negative impact that technology’s overuse has on kids.

Once denounced as hyperbole, it is no longer mere speculation, rather it is now a recognized fact that excessive use of technology carries negative consequences, particularly for children during the developmental years. Research has uncovered that a child’s overuse of technology leads not only to physical problems such as obesity and eye strain, but more importantly, psycho-social issues like the inability to identify social cues, interact face-to-face with people, display empathy or follow verbal direction- conditions which are difficult to reverse. Noted clinical and developmental psychologist Dr. Catherine Steiner-Adair, author of The Big Disconnect: Protecting Childhood and Family Relationships in the Digital Age, proclaims social-emotional intelligence as the most important overarching tool contributing to a child’s success and achievement of full potential. Moreover technology, when misused, can undermine academically talented kids.

When used in moderation and balanced with physical and other mental stimuli, technology is an excellent tool- its merits untold. So this piece is no disparagement of technology, rather it can be viewed as an advisory to those inclined to provide children with electronic devices without first considering the outcomes. When the children around you are spending far too much time on these devices, it is time for you to do what this extremely active grandmother does routinely – put away the tablets, pack up the children and get out of the house for some exercise and/or other creative endeavors that forces you both to physically move and mentally engage. Because over the long haul these activities will have far greater positive effects on children than any technology ever will.

1. Steiner-Adair, Catherine. “Avenues Speaker Series”. Online Video Clip. YouTube. www.open.avenues.org/ Avenues, 1 June 2016. Web. 11 October 2017.

Every war, physical or virtual, needs allies in order to win and now is this ever more true with the rapid and prolific rise in cyber intrusions. In order to win this escalating cyber-war, the InfoSec community must enlist additional forces- troops made up of not only traditional techs, but end-users and family members as well. So how can “end-user” help, one might ask?

By opening a dialogue, educating and training support personnel, co-workers, family members and friends on the importance of cyber hygiene- by so doing, we lift the veil of mystery surrounding technology and break it down into digestible pieces and we deliver it in layman’s language, so as to avoid isolating our audience.

Getting assistance, or buy-in, from those most frequently producing the work and/or using these devices for whatever it is that they are doing is like readying the troops for battle; it is smart, strategic and economical, as prevention- whether in the physical world, or the virtual- is by far the most efficient and cost-effective means of raising levels of cyber security and easing the strain on the InfoSec community.

Malware

Viruses

Malware
Biological and virtual viruses

Each year, the CDC offers guidance, recommendations, information and warnings about the Flu virus. Information that includes transmission, spread and containment. These tips center on preventative strategies, such as limiting contact with individuals who are sick; isolating oneself if experiencing severe symptoms, and let us not forget the all important- regular hand-washing. Taken together these recommendations fall within the category of good hygiene tips.
Virtual viruses, much like biological viruses, are spread through contact: contact with an infected website, removable storage media, file-sharing, etc., and just as with biological viruses, can be contained, treated, and/or eliminated when we pay attention to, and adopt healthy cyber hygiene habits, such as observing industry “best practices” and recommended strategies and techniques. In treatment terms, much can be learned from the medical community in its treatment of viruses- we may not wipe them out entirely, but we can certainly stem the tide and reduce their damage.

Medical Records Breach

Do you know what an improperly configured device can cost your business?  Does $3.3 million dollars sound outlandish?  Well it can and did when a medical facility/entity inadvertently disclosed a large number of medical records to the internet, resulting in the U.S. Dept. of Health and Human Services, Office for Civil Rights [OCR] bringing charges against a well-known hospital and university. Whether intentional or unintentional, a breach of this nature is a violation under the HIPAA Privacy Rule and can result in huge fines and penalties.

On May 7, 2014, OCR fined the New York Presbyterian Hospital [NYP] following a data breach that occurred in 2010. NYP, like most hospitals throughout the U.S., has contractual relationships with teaching institutions which allows physicians from a given university to practice medicine at the hospital – the school involved here was Columbia University. The entities were using a shared network linked to the hospital’s system when a physician- who had written applications for both the university and hospital- attempted to deactivate a personally-owned network server, and in so doing, inadvertently exposed the records of some 6800 patients to the internet, information that included demographics, diagnoses, vital signs and lab results. This was discovered by a partner of one of the affected patients (who happened to be deceased) when the individual found the records online and launched a complaint with the hospital, which in turn, led to a required reporting.

Following the joint filing by the hospital and university of a Breach Notification with the OCR, the resultant investigation found several instances of failure on behalf of both parties, yet levied the greater fine against NYP with a smaller assessment to Columbia ($1.5 million). Each was charged with the responsibility of taking significant remedial actions, which includes routine vulnerability and risks assessments together with the implementation of other measures designed to ensure data safety; all of which must be performed within a specified period of time, lest the risk of additional punishment. Moreover this settlement does not preclude an action under the Social Security Act, thus creating the possibility of further legal action.

Obviously this physician had some technical expertise, but apparently not enough, so the lesson here is to implement quality assurance controls, as well as, additional access and authorization policies and procedures.

Read more about this settlement, as well as, other OCR activities at http://www.hhs.gov/ocr/office/index.html

Bitcoin goes mainstream?

Sometimes it appears that certain companies are a beacon for cyber intrusion, but then- as the parable goes: things aren’t always as they seem.

At first hearing of Make Your Laws’ (a recently, and seemingly, hastily-formed Super PAC) petition to the Federal Elections Commission for the inclusion of Bitcoins in Political Campaign donations, my immediate reaction was here comes the next easy target, especially given my work and volunteer history with non-profits, as Make Your Laws happens to be. Yet upon closer inspection- it appears that at least one of the companies’ officers is a techie and would thereby hold a greater understanding of the need for system security; moreover, there is a blanket clause in their Bylaws (Article 2, Section 5) that promises Privacy and Security.

Still on the other hand- it begs the question of why someone with such talents would be hyped to enter the disparate industry of campaign contribution/finance?

CyberWar

CYBER WAR

Any battle- whether a match between rivaling sports teams; opponents of either side of major social issues and legal challenges; or, an all-out confrontation between countries– demands opponent groups made up of equally skilled individuals regularly supplied with reinforcements. This has been a long-standing winning strategy. Yet in this virtual war aka Cyber War, in which we find ourselves engaged, where there are no polite and codified Rules of Engagement– there appears to be only one small battalion on the battlefield: the Information Security Professional. And though armed and regularly doing battle this group is grossly outnumbered; indeed, a recent (ISC)2 study paints a sobering picture of just how outnumbered they are. [1]

 While the battle brews, the number of breaches continue to rise (conservative estimates are around 1.1 billion, although this is only a tally of reported intrusions) at an estimated economic impact of around $5.4 million according to a study conducted by the Ponemon Institute[2] . Troops are not being fortified quickly enough to level the playing field and some of those coming forth are inadequately trained for this war; moreover, this happenstance armed forces group happens to be spread across an infinite landscape, making it even more ill prepared to defeat that stealthy opponent- the Hacker.

But just who is responsible for recruiting, sustaining, and supplying additional troops to this small band of InfoSec infantry- we the public, or this regiment itself- must they recruit on their own? Other than issuing a Call to Arms within certain of their own technology ranks, chiefly developers and programmers, have they, or are they, doing enough to solicit prospective warriors?  And more importantly, what happens if they do not?


[1]  2013 Global Information Security Workforce Study

 (ISC)2; Booz Allen Hamilton; Frost and Sullivan, 2013

[2] 2013 Cost of Data Breach Study: Global Analysis

                Sponsored by Symantec

CYBER WARRIORS: Un-Regulated Professionals operating within Regulated Industries

Information Security
Operating in the Wild?

There is a certain irony in the unregulated professional: InfoSec practicing their craft within heavily-regulated industries. Although the data (much of which is highly sensitive: financial, medical, product specs, and the like) held within such industries is regulated, these regulations address issues of collection, storage, retrieval, access, disposal and breach reporting, which applies only to the collector and holder of that information- chiefly the business owner – not the Information Security professional, he has no legal restrictions with regards to his practice.

Sure there has been, and continues to be, talk of licensure for computer forensics experts, but this is only one category within that space. And then of course there are credentials- quite a few as a matter of fact- such as those conferred by ISC2, but does the average business owner understand these designations and distinctions? Can he or she trust that the person carrying these credentials may not themselves comprise their systems or use their data to commit criminal acts? What about the person who does not carry the credentials, for there is no requirement to do so, what if that person is rogue, or worse yet: incompetent?

Absent regulatory limitations or licensing constraints- and with only vague ethics policies housed within professional associations- how does the Information Security profession police its own, how does it ensure that wayward individuals with a bit of knowledge are not operating in the wild; moreover, outside of credentialing, how does it establish a system whereby actions of its own community are monitored?