The document discusses the need for a National Cyber Security Standard (NCSS) in the United States. It summarizes four major cyber attacks since 2013 on Target, Sony, and Anthem to illustrate the growing threat of cyber attacks and data breaches. These attacks showed vulnerabilities in security practices that could be addressed by an NCSS established by a National Cyber Security Organization. The attacks stole personal and financial data of millions of customers and demonstrated lax security standards and protocols.
NCSO
Avraham Lerner
Professor Kurt Rohloff
Project Paper
The Need for a NCSS (National Cyber Security Standard)
As we move further and further into the 21st century, everyone in the country and throughout the world is becoming more and more dependent on the Internet. From baby boomers to millennials and beyond, more of our daily lives are occurring through the Internet, whether it is shopping, banking, or even checking on our medical care. Unfortunately, our growing reliance on the Internet is also causing a rise in cyber attacks and data breaches on all types of companies, with the intent to steal data. Data on its own has very little value, but when gained and traded for other information it can become quite valuable and earn a fortune for the new age of hackers and thieves. It is for this reason that any sort of data breach can be at best worrying and at worst a terrible loss of money, security and trust. Recent attacks have put many sectors on edge, and it’s possible that these attacks can be deterred, if not lessened in impact. Perhaps it’s not a bad idea to establish an NCSS by an NCSO[1] designed to preemptively look at prior attack patterns to predict future movements, and establish a standard for companies choosing to join to implement and follow. I will be looking at 4 recent attacks since 2013 to explain the reasoning behind the proposal.[2] Then I will show what standards are needed for the NCSO, what the organization will and will not do, and answer any concerns people may have about the potential security group.

[1] I will be using these terms to describe what the proposed organization will be. The names are proposals and not official. NCSS stands for National Cyber Security Standard and NCSO stands for National Cyber Security Organization.

[2] I wanted to use the 2011 Sony Network Intrusion and the 2007 TJ Maxx hack, but the cause still isn’t clear for the Sony attack, only hypothesized, and Sony is withholding telling the public the reason. As for TJ Maxx, the cause was the weak WEP wireless one store was using that literally allowed the attackers to waltz on in.

In 2013, many people hadn’t seen much in terms of a large-scale cyber attack on an American business, so many people were trusting of businesses like Target. Prior attacks were due to complete incompetence and laziness, so one would hope that in this day that kind of lax security was unacceptable and quickly rectified. Unfortunately, it was not. On December 18th, 2013, Brian Krebs of Krebs on Security first leaked a report that Target was the victim of a data breach, yet those two words hid a more ominous message. “There are no indications at this time that the breach affected customers who shopped at Target’s online stores. The type of data stolen — also known as “track data” — allows crooks to create counterfeit cards by encoding the information onto any card with a magnetic stripe. If the thieves also were able to intercept PIN data for debit transactions, they would theoretically be able to reproduce stolen debit cards and use them to withdraw cash from ATMs.”[3] This would mean that a large-scale credit card theft would be possible. Similar to a credit card skimmer put at regular ATMs, they could obtain information and withdraw from people’s accounts. If only the PIN data was safe then at least some of the tide could be stemmed. Oops. “According to the company, Target does not have access to nor does it store the encryption key within its computer systems. When a Target customer uses a debit card in one of the company's stores and enters his or her PIN, the number is encrypted at the keypad with a widely used security program known as Triple DES, the company said.”[4] Turns out the PINs were also stolen, yet the 3DES system used by Target thankfully isn’t in their control, or it’s possible that that would have been compromised as well, based on the fact that the PINs were so easily obtainable. Target as a result suffered quite a bit due to the security snafu. “The Minneapolis company also said that it now foresees fourth-quarter sales at stores open at least a year will be down about 2.5 percent. It previously predicted those sales would be about flat.”[5] As a result of the data breach, which only lasted a bit under 3 weeks, up to 70 million customers had some data stolen, whether it was credit or debit card information. The question that still lies, though, is could this have been prevented altogether?

[3] Krebs, 2013
[4] McCoy, 2013
Before answering that, there should be a further investigation into the breach. A little less than a month after he first released the story, Brian Krebs was back on it, looking at what tools were used. It was discovered that the attackers managed to install malware on the point-of-sale checkout systems at Target stores and from there were able to set up the attack.

“According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis – “POSWDS”). Interestingly, a search in Virustotal.com — a Google-owned malware scanning service — for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI”.”[6]

The malware had been in use for nearly 18 months and apparently was not too closely checked. This allowed it to be used in the Target breach, and it took a couple of weeks for the company to realize it. While it’s hard to say when the actual malware was installed, there should be greater vigilance on these devices if they can potentially be compromised.

[5] d’Innocenzio and Chapman, 2014
[6] Krebs, 2014
Two weeks later, Krebs released a report documenting who was selling the credit cards and information stolen in the Target data breach. A group of hackers had been selling the cards en masse in order to make as much profit as they could as quickly as they could.

“Meanwhile, the cybercrook known as Rescator and his merry band of thieves who are selling cards stolen in the Target breach continue to push huge new batches of stolen cards onto the market. In an update on Jan. 21, Rescator’s network of card shops released for sale another batch of two million cards apparently stolen from Target, a collection of cards which these crooks have dubbed “Eagle Claw.”[7]

They found a weak target to exploit and they gladly took advantage of it. But why exactly was it so weak? Was there something on their system that didn’t work properly? The answer to that is yes, as Michael Riley writes.

“On Saturday, Nov. 30, the hackers had set their traps and had just one thing to do before starting the attack: plan the data’s escape route. As they uploaded exfiltration malware to move stolen credit card numbers—first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia—FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then … Nothing happened.”[8]

That’s not good. Apparently they had the security in place to catch the problem 3 days in, but they did nothing about it. They just sat there and ignored the alert. Someone should be (and was) fired for that, but it’s too late for that firing to change the outcome. Target lost a lot of customers for a period of time, and even the ones who stayed opted to use cash only for a while.

10 months after the attack was announced, Teri Radichel provided a case study on the Target breach and what critical controls could have been utilized to prevent the attack. “Although many security measures were in place throughout the Target infrastructure, additional layers of protection would have stopped the attack at various points along the way. Applying a stronger Defense in Depth strategy would have ensured that each level was not accessible from the next. Additional defenses on the POS system itself could have further protected the data.”[9] Using the Defense in Depth strategy, the POS could have been implemented with a kind of “deny all, then gradually accept” setup where only authorized software could have accessed the POS. With this intact, the malware would not have been able to run if it were as simple as experts claim. This was not the case though, and the malware ran rampant, destroying trust that was built up. The next attack on a major target occurred about a year later and was almost equally as baffling, as the target was a repeat offender of lax security.

[7] Krebs, 2014
[8] Riley, et al., 2014
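The “deny all, then gradually accept” setup described above is what practitioners call application allowlisting. The Python script below is an added example written for this page, not code from the paper, from Target, or from Radichel’s case study, and it shows the default-deny decision in working form. Every executable on the register is refused unless the SHA-256 digest of its contents has been explicitly approved, so approval is tied to what the binary is rather than what it is called. The class name PosAllowlist, the file name checkout.exe and the byte strings standing in for binaries are all constructed for the example; the service name POSWDS comes from the Krebs quote earlier in the paper.

```python
"""Default-deny application allowlist for a point-of-sale host.

Added example (not from the paper or any vendor): a binary may run only if
the SHA-256 of its contents has been approved beforehand. Keying on the
digest rather than the file or service name means a malicious binary that
borrows an approved name is still refused. All binaries below are
constructed byte strings standing in for real executables.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PosAllowlist:
    approved: dict = field(default_factory=dict)   # sha256 hex -> label
    audit_log: list = field(default_factory=list)  # one line per decision

    @staticmethod
    def digest(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()

    def approve(self, image: bytes, label: str) -> str:
        """Gradually accept: add one vetted binary to the allowlist."""
        d = self.digest(image)
        self.approved[d] = label
        return d

    def may_run(self, name: str, image: bytes) -> bool:
        """Deny all: anything not on the list is refused and logged."""
        d = self.digest(image)
        allowed = d in self.approved
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} name={name} sha256={d[:16]}...")
        return allowed

    def denied_events(self) -> list:
        """The refusals are the signal a monitoring team should triage."""
        return [line for line in self.audit_log if line.startswith("DENY")]


# Constructed stand-ins for binaries; a real deployment hashes files on disk.
VETTED_CHECKOUT = b"\x7fELF-fake-checkout-v1"     # the approved register app
TAMPERED_CHECKOUT = b"\x7fELF-fake-checkout-v1+"  # same name, one byte added
UNKNOWN_SERVICE = b"MZ-fake-unapproved-service"   # never vetted at all


def build_policy() -> PosAllowlist:
    """Start from an empty (deny-everything) list and approve one binary."""
    policy = PosAllowlist()
    policy.approve(VETTED_CHECKOUT, "checkout 1.0 (vetted)")
    return policy


def simulate_register(policy: PosAllowlist) -> list:
    """Three launch attempts; returns [(name, allowed), ...] in order."""
    attempts = [
        ("checkout.exe", VETTED_CHECKOUT),   # vetted bytes: allowed
        ("checkout.exe", TAMPERED_CHECKOUT), # approved name, wrong bytes
        ("POSWDS", UNKNOWN_SERVICE),         # unapproved service: refused
    ]
    return [(name, policy.may_run(name, image)) for name, image in attempts]


if __name__ == "__main__":
    policy = build_policy()
    for name, allowed in simulate_register(policy):
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    print("\n".join(policy.denied_events()))
```

The tampered copy is refused even though it launches under the approved name, which is why the list is keyed on a content digest rather than a file or service name. Each refusal is written to the audit log, and those DENY lines are exactly the kind of event that, in the FireEye episode quoted above, reached a security team and was then ignored; the control is only as good as the response to its output.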
Whenever you are producing something that could offend a group of individuals, even if they are from a country where their threats could be just words, always make sure to have some type of control over your company lest they try to attack. In December of 2014 Sony Pictures Entertainment was subjected to a security breach by a group of hackers under the guise “Guardians of Peace”. The group managed to exfiltrate multiple terabytes of data files of sensitive information, including unreleased movies and medical files for workers at the company. The GoP said the attack was for Sony’s planned release of “The Interview”, a comedy about two Americans sent to North Korea to assassinate their dictator, and threatened that the film should never be released, or else there would be consequences.[10] Almost immediately, many different analysts weighed in on what they thought occurred with the hack.

“This type of attack is not new, it’s been around for a long time, with multiple examples. The most recent similarity is the ransomware that’s been attacking systems. These attacks are often difficult to detect prior to the execution of the payload. The best thing is a good backup scheme as part of your response. Many times the answer to modern malware infections is to reimage the system. In case this occurs on your system, a reimage is often the best response. The only thing that reimaging would not solve is having most current data like documents and spreadsheets. It’s this combination of reimaging and restoring backups that is the most efficient response to the attack. While this ‘fixes’ the host, network forensics should be done to identify the attack and create defenses against the attack in the future.”[11]

Apparently the attack wasn’t even sophisticated, according to this analyst, but rather an execution attack that cannot be prevented, and the only real way to offset the risk is to have detailed backups of data, as the attack can prevent the creation of new backups. It seems ridiculous that a lack of backups could have allowed this attack to continue through, but it wouldn’t be surprising coming from a company that, during a previous network hack, responded to almost every question in the worst possible fashion.[12]

What is possibly the worst black eye that Sony could receive is that the attacks weren’t that sophisticated (as mentioned above). What that means is it didn’t take much to actually go and put through the attack. Stuart McClure, the CEO of a cybersecurity firm brought in to help Sony, described how the first attack Sony had in 2011 was certainly not that advanced.

[9] Radichel, 2014
[10] It should be noted that there is no direct connection linking Kim Jong Un’s regime to being responsible for the attacks. It’s entirely possible the hackers were using the movie’s plot and the North Korean anger about the film as a cover, or possibly NK provided some sponsorship for the hackers.
[11] Kovacs, citing Kenneth Bechtel, 2014
[12] I previously wrote a paper on the 2011 PlayStation Network intrusion, and came to the conclusion that Sony was lax about what exactly was occurring in their network and equally non-responsive when questioned about what could have been done to prevent the attack.
“With the PlayStation hacks, Anonymous didn’t use anything unique and were able to get in easily and stay a long time,” McClure said. “I got the impression that [Sony] executives didn’t care. Some basic technologies could have prevented a large part of this. This level of destruction of a company on American soil is unprecedented, but my 15-year-old could have written the code.”[13]

That doesn’t really say much about the current attack, but it sort of explains that Sony was not really attentive or even caring about the prior attack, a huge red flag to any investors and users of Sony’s products. Yet McClure says later on that he believes the current attack was not even a computer program, but something else. “McClure said that his research leads him to believe the breach was accomplished through some sort of social engineering, rather than by a computer program.”[14] That’s not really much better than if it were through a computer program, as the end result is the same, but it shows more of the naivety of the company towards actual protection. This, unfortunately, is another theme of those who are attacked. They go on the assumption that they don’t need to be careful to prevent anything sensitive from coming out. That makes some of the stuff released in the attack dump downright laughable.

“One striking thing to have emerged from the data that the Guardians of Peace have so far disseminated is the lack of security around passwords at Sony, including the revelation of an embarrassingly simple password CEO Michael Lynton was apparently using. It’s a clear sign that the company did not have sufficient corporation-wide password standards.”[15]

Not sure it can get worse than that, other than that Sony doesn’t seem to have any desire to show any type of security protocols for their company. This is a terrifying proposition for consumers to face in this day and age. The third attack I found is even more terrifying.

[13] Raile, 2014
[14] Ibid.
[15] Ibid.
8. Not too long ago, everyone in America was required to have health insurance in
order to offset the costs for medical procedures. Ideally, all of the managed health care
providers would be immune to an attack due to the added customers AND due to the
Health Insurance Portability and Accountability Act (HIPAA) having guidelines for what
security is necessary for online transfers of health care information. Sadly, this wasn’t
the case at Anthem Inc., one of the largest managed health care providers in the country.
From late December 2014 to late January 2015, hackers managed to seize nearly 80
million customers’ Social Security numbers and other sensitive information from Anthem
servers. The attack was unprecedented in the industry as it was the largest attack on a
health care insurer in the United States. There is no answer as to who is behind it
exactly, but there have been clues left to follow.
“[Adam] Meyers said the breach fits the pattern of a hacking unit that Crowdstrike calls
Deep Panda, which over the last several months has targeted both defense contractors and
the health care industry. China appears to be putting together huge databases of
individuals who might be intelligence targets, he said. Another example was the theft last
year from a government agency of data on tens of thousands of employees who had
applied for top-secret clearances, he said.”16
Once again, there is no actual answer as to who did it, but rather there is an answer as to
what kind of group did it, one that is searching for a way to sell information. If the
Chinese were indeed behind it, then the goal was for both trade secrets and espionage,
just to figure out what America is up to.
The worst part of the hack isn’t that it happened but rather it could have been
prevented. All of the data stolen from Anthem’s servers were not well protected. “Health
insurer Anthem says the hacked database containing the personal information of 80
16
Riley, 2015
9. million people wasn't encrypted.”17
That’s a bit troubling. Why wasn’t this encrypted?
“Under the federal Health Insurance Portability and Accountability Act (HIPAA), health
insurance companies are not required to encrypt the data stored on their servers. The
HIPAA ruling recommends using encryption if the health insurer believes it's an
appropriate measure to mitigate risk. But lacking a specific requirement essentially leaves
it up to each company to decide how to protect its data.”18
That makes it worse. It is one thing for a single company not to follow data
encryption guidelines; it is another for the company to be partially not at fault because
the security standard it is required to follow never resolves an ambiguous situation. That
makes one wonder whether it was an oversight or a completely unforeseen situation that
nobody at Anthem or HIPAA even imagined. There could be a simple fix: make
encryption of data a mandatory requirement. Nicolas Terry, a law professor from the
University of Indiana, mentions that the company would need to do an individual
assessment as to what needs encryption and what doesn’t. In addition, he mentions a
change needed at HIPAA: “As I have argued elsewhere, if healthcare entities fail to
encrypt given the current environment (and the risk of extremely serious HIPAA
sanctions if the assessment is flawed or poorly documented) maybe the Security Rule
should be amended to require encryption.”19
It will be interesting to see if HIPAA does do this, or at least closes the gaping hole it
currently has in letting individual companies decide what encryption they feel is enough.
It’s better for someone outside to also be able to judge what security would be enough.
17 Whitney, 2015
18 Ibid
19 Terry, 2015
All of the above breaches, and others not mentioned, seem to stem from a misuse
or lack of knowledge of proper security procedures for the data involved. It almost feels
as if people understate the value of the data contained on their servers until the data is
no longer available or turns out to contain sensitive information that could cost the
company money. Yes, money is the main reason these companies do all that they do in
terms of product sales and offers, but the same logic is applied when developing security:
do the best job possible with the least amount of money invested. Sadly for these
companies, the option chosen was simply to do the job for the least amount of money
necessary and, possibly, not to double-check the security configuration they use so as to
get a second opinion.20
In addition, if a company is not sure what attacks are being attempted on its sector, why
not use a honeypot to “test the waters” and figure out what’s going on? “Now, when
worms and attackers hit, they attack both your honeypot and your legitimate web server.
Because your honeypot has no legitimate uses you can quickly identify the attack traffic
and use that information to build better defenses.”21
It’s understandable why companies wouldn’t utilize a honeypot if it were an expensive
cash outlay. Then again, why hold back funds now if spending them could potentially
solve a problem?
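As an added example (not the author's code) of the honeypot idea quoted above, here is a small Python triage script that runs over a constructed log with hypothetical hostnames: every client seen on the honeypot is treated as attack traffic, what it tried is labelled, and the same clients are then flagged wherever they touched the legitimate server.

```python
import re
from urllib.parse import unquote
HONEYPOT_HOST = "honeypot.example.internal"  # hypothetical hostname
# Constructed sample log: <host> <client_ip> "<method> <path>" <status>
SAMPLE_LOG = """\
www.example.com 198.51.100.7 "GET /index.html" 200
honeypot.example.internal 203.0.113.9 "GET /login.php?user=admin'%20OR%20'1'='1" 200
www.example.com 203.0.113.9 "GET /login.php?user=bob" 200
honeypot.example.internal 203.0.113.44 "GET /../../etc/passwd" 404
www.example.com 198.51.100.8 "POST /checkout" 200
www.example.com 203.0.113.44 "GET /admin" 403
"""
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d+)$')
# Coarse signatures used only to label what the honeypot is seeing.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and)\s*'?\d|union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def parse_line(line):
    """Return a dict for one log line (path URL-decoded), or None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, client, method, path, status = m.groups()
    return {"host": host, "client": client, "method": method,
            "path": unquote(path), "status": int(status)}

def classify(path):
    """Label a decoded request path; anything unmatched is still a probe."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(path):
            return name
    return "unclassified_probe"

def analyze(log_text, honeypot_host):
    """Map each honeypot client to its attack labels, then flag those same
    clients wherever they appear on the legitimate server."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    sources = {}
    for e in entries:
        if e["host"] == honeypot_host:
            sources.setdefault(e["client"], set()).add(classify(e["path"]))
    flagged = [e for e in entries
               if e["host"] != honeypot_host and e["client"] in sources]
    return sources, flagged

if __name__ == "__main__":
    for ip, labels in analyze(SAMPLE_LOG, HONEYPOT_HOST)[0].items():
        print(f"honeypot saw {ip}: {sorted(labels)}")
```

The flagged list is the defender's starting point: the production requests from those clients are worth reviewing even though, on their own, they look like ordinary traffic.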
20 Not all opinions are useless. If you have a security expert available you should check
with him to make sure that the configuration the company has is suitable.
21 Cole & Northcutt, 2013
This is where I feel the establishment of the NCSS or the NCSO will have its
most useful purpose, in that it will establish a standard that is more direct than the prior
organizations. I would liken it to a CERT, but for commercial purposes and not
necessarily across a wide-scale spectrum. The goal of this organization is threefold. One:
to reduce the cost of configuring and setting up individual companies’ security tools.
Two: to monitor and track each of these configurations in order to determine attack
patterns and model honeypot systems off of the individual companies’ networks. Three:
to push for changes in HIPAA and other monitoring organizations by focusing on trends
and being proactive in determining future types of attacks. The main point of all of these
goals is to tighten all of the bolts in the workings of security. I realize this is a very
idealistic setup and not extremely practical or likely, but it needs to be kept as a goal to
both aspire to and work towards.
Apparently I am 6 months late on my proposal as this isn’t something innovative.
Steven Overly in October of 2014 wrote about the National Cybersecurity Center of
Excellence in the metro Washington D.C. area and its aims. “The National
Cybersecurity Center of Excellence in Rockville aims to solve one of cybersecurity’s
toughest challenges: getting companies to speak honestly about the threats they face and
the steps they’re taking to thwart them.”22
This is exactly what my proposal looks to do: take down barriers in order to improve
security for everyone involved.23 Most companies hopefully will come to their senses and
see this as a good opportunity, given all of the security and data compromises occurring.
The proposal can have its counterarguments, though. One of the biggest
is that companies still may not want to disclose what they feel are trade secrets
to rival companies in the same field. Trade secrets and patents are definitely information
that the third-party company needs to keep confidential. The goal of the organization is
to make sure the information is not leaked. If need be, the organization will utilize a
generic file that mimics the sensitive data, and then use that to test it with
different types of security protocols. The second problem that could arise is that there is
no mandatory attendance. Thankfully, we are in a country where companies are allowed
to pursue any endeavor they choose. Some may believe that going into a joint security
group isn’t practical for them, or they may want to pay for their own security.
That’s their choice. This would merely serve as an option for them if they want to
collaborate on security details, find out where they can improve on their own design,
and share ideas that they have found to be effective. The final argument that could be
raised is that the effectiveness of the security won’t be determined until it fails. What
these people would be arguing is that it’s next to impossible to be proactive on security
because you wouldn’t think of improving upon something so secure until it’s proven to
not be secure. In truth, it is possible to be proactive in security if the proper methods are
taken. If the organization as a whole chooses to test a new implementation against
SQL injection by putting it up as a honeypot, and the honeypot shows no breach, then the
implementation can be regarded as a success and will undergo more tests. If it’s seen as a
failure, then it will be retooled or scrapped. Security isn’t something that can necessarily
be bought; it has to be applied, tested and compared, no different from the R&D you
would perform on a car in order to maximize power and fuel efficiency.
22 Overly, 2014
23 This would also solve a problem I had mentioned earlier regarding Sony’s lack of
disclosure as to what caused the 2011 hack (or the 2014 one, for that matter): the NCSO
will not disclose this information to the public, but will improve on the security lapses.
Naysayers of the plan need to look no further than the growing trends in the
industry and the world as a whole to see that cyber attacks are increasing in both
frequency and magnitude. Even if companies do offer things like credit
monitoring for affected customers, one of the worst things they could do is announce how
long the monitoring will last.
“Criminals who get Social Security or health insurance account numbers have shown
more sophistication than the average fraudster, said Pam Dixon, executive director of the
World Privacy Forum. Rather than use the information right away, she said, some crooks
will sit on Social Security or insurance files for a year or more before using them
fraudulently. ‘‘What they like to do is season the data for a time, to allow the credit
monitoring subscription to expire, and wait until people get sloppy or complacent’’ about
monitoring their accounts for fraud, she said.”24
I see it as basically giving an open door to the criminals by blatantly announcing this
monitoring plan. I understand the reasoning, but it needs to be done more discreetly.
This is the art of security. It should be discreet enough that the people inside the
company are aware of its presence and can feel safe about their information, yet also
powerful enough to ward off any sort of external intrusion so that the hackers will have to
try something else, or look for another target. It may not be feasible to believe that any
sort of security organization can fully eliminate data breaches; after all, accidents and
glitches happen. The NCSO, though, aims to mitigate as many attacks as possible, and
this is the reason for its necessity in today’s fight in cybersecurity.
24 Murphy & Bailey, 2015
Works Cited:
• Cole, E., & Northcutt, S. (2013). Security Laboratory. Retrieved April 27, 2015, from http://www.sans.edu/research/security-laboratory/article/honeypots-guide
• D'Innocenzio, A., & Chapman, M. (2014, January 10). Target: Breach affected millions more customers. Retrieved April 18, 2015, from http://finance.yahoo.com/news/target-breach-affected-millions-more-184807005.html
• Kovacs, E. (2014, December 5). Industry Reactions to Devastating Sony Hack. Retrieved April 24, 2015, from http://www.securityweek.com/industry-reactions-devastating-sony-hack
• Krebs, B. (2014, January 29). New Clues in the Target Breach. Retrieved April 23, 2015, from http://krebsonsecurity.com/2014/01/new-clues-in-the-target-breach/
• Krebs, B. (2014, January 15). A First Look at the Target Intrusion, Malware. Retrieved April 26, 2015, from http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
• Krebs, B. (2013, December 18). Sources: Target Investigating Data Breach. Retrieved April 25, 2015, from http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
• McCoy, K. (2013, December 27). Target confirms encrypted PIN data stolen. Retrieved April 19, 2015, from http://www.usatoday.com/story/money/business/2013/12/27/target-confirms-encrypted-pin-data-stolen/4219415/
• Murphy, T., & Bailey, B. (2015, February 6). Why hackers are targeting the medical sector - The Boston Globe. Retrieved April 17, 2015, from http://www.bostonglobe.com/business/2015/02/06/why-hackers-are-targeting-medical-sector/xxjFN6G3cFJZ8Fh3mF3XhN/story.html
• Overly, S. (2014, October 12). Washington wants to become a hub for cybersecurity companies. Can it be done? Retrieved April 25, 2015, from http://www.washingtonpost.com/business/capitalbusiness/washington-wants-to-become-a-hub-for-cybersecurity-companies-can-it-be-done/2014/10/10/2ec43b54-4d77-11e4-babe-e91da079cb8a_story.html
• Raile, D. (2014, December 21). Sony Hack Was Not All That Sophisticated, Cybersecurity Experts Say. Retrieved April 25, 2015, from http://www.billboard.com/articles/business/6413955/sony-security-kevin-mitnick-electronic-frontier
• Radichel, T. (2014, August 5). Case Study: Critical Controls that Could Have Prevented Target Breach. Retrieved April 15, 2015, from http://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-prevented-target-breach-35412
• Riley, M., Elgin, B., Lawrence, D., & Matlack, C. (2014, March 13). Target Missed Warnings in Epic Hack of Credit Card Data. Retrieved April 26, 2015, from http://www.bloomberg.com/bw/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data#p1
• Riley, M. (2015, February 5). Chinese State-Sponsored Hackers Suspected in Anthem Attack. Retrieved April 22, 2015, from http://www.bloomberg.com/news/articles/2015-02-05/signs-of-china-sponsored-hackers-seen-in-anthem-attack
• Terry, N. (2015, February 7). Bill of Health. Retrieved April 26, 2015, from http://blogs.law.harvard.edu/billofhealth/2015/02/07/time-for-a-healthcare-data-breach-review/
• Whitney, L. (2015, February 6). Anthem's stolen customer data not encrypted - CNET. Retrieved April 22, 2015, from http://www.cnet.com/news/anthems-hacked-customer-data-was-not-encrypted/