Browsing category

Personally Identifiable Information (PII)

Chief Information Security Officer (CISO), CISO, Data Breaches, Data Privacy, Internet of Things (IoT), Personally Identifiable Information (PII), Risk Management, Security Framework, Security Intelligence & Analytics, Security Strategy, Security Testing, Vulnerabilities,

An Apple a Day Won’t Improve Your Security Hygiene, But a Cyber Doctor Might

You might’ve begun to notice a natural convergence of cybersecurity and privacy. It makes sense that these two issues go hand-in-hand, especially since 2018 was littered with breaches that resulted in massive amounts of personally identifiable information (PII) making its way into the wild. These incidents alone demonstrate why an ongoing assessment of security hygiene is so important.

You may also see another convergence: techno-fusion. To put it simply, you can expect to see technology further integrating itself into our lives, whether it is how we conduct business, deliver health care or augment our reality.

Forget Big Data, Welcome to Huge Data

Underlying in these convergences is the amount of data we produce, which poses an assessment challenge. According to IBM estimates, we produce 2.5 quintillion bytes of data every day. If you’re having problems conceptualizing that number — and you’re not alone — try rewriting it like this: 2.5 million terabytes of data every day.

Did that help? Perhaps not, especially since we are already in the Zettabyte era and the difficulty of conceptualizing how much data we produce is, in part, why we face such a huge data management problem. People are just not used to dealing with these numbers.

With the deployment of 5G on the way — which will spark an explosion of internet of things (IoT) devices everywhere — today’s Big Data era may end up as a molehill in terms of data production and consumption. This is why how you manage your data going forward could be the difference between surviving and succumbing to a breach.

Furthermore, just as important as how you will manage your data is who will manage and help you manage it.

Expect More Auditors

It’s not uncommon for larger organizations to use internal auditors to see what impact IT has on their business performance and financial reporting. With more organizations adopting some sort of cybersecurity framework (e.g., the Payment Card Industry Data Security Standard or NIST’s Framework for Improving Critical Infrastructure Cybersecurity), you can expect to hear more compliance and audit talk in the near future.

There is utility in having these internal controls. It’s a good way to maintain and monitor your organization’s security hygiene. It’s also one way to get internal departments to talk to each other. Just as IT professionals are not necessarily auditors, neither are auditors some sort of IT professionals. But when they’re talking, they can learn from each other, which is always a good thing.

Yet internal-only assessments and controls come with their own set of challenges. To begin, the nature of the work is generally reactive. You can’t audit something you haven’t done yet. Sure, your audit could find that you need to do something, but the process itself may be very laborious, and by the time you figure out what you need to do, you may very well have an avalanche of new problems.

There are also territorial battles. Who is responsible for what? Who reports to whom? And my personal favorite: Who has authority? It’s a mess when you have all the responsibility and none of the authority.

Another, perhaps bigger problem is that internal controls may have blind spots. That’s why there is value in having a regular, external vulnerability assessment.

When it Comes to Your Security Hygiene, Don’t Self-Diagnose

Those in the legal and medical fields have undoubtedly been cautioned not to act as their own counsel or doctor. Perhaps we should consider similar advice for security professionals too. It’s not bad advice, considering a recent Ponemon Institute report found that organizations are “suffering from investments in disjointed, non-integrated security products that increase cost and complexity.”

Think about it like this: You, personally, have ultimate responsibility to take care of your own health. Your cybersecurity concerns are no different. Even at the personal level, if you take care of the basics, you’re doing yourself a huge favor. So do what you can to keep yourself in the best possible health.

Part of healthy maintenance normally includes a checkup with a doctor, even when you feel everything is perfectly fine. Assuming you’re happy with your doctor and have a trusting relationship, after an assessment and perhaps some tests, your doctor will explain to you, in a way that you are certain to understand, what is going on. If something needs a closer look or something requires immediate attention, you can take care of it. That’s the advantage of going to the doctor, even when you think you’re all right. They have the assessment tools and expertise you generally do not.

‘I Don’t Need a Doctor, I Feel Fine’

Undoubtedly, this is a phrase you have heard before, or have even invoked on your own. But cybersecurity concerns continue to grow and internal resources remain overwhelmed by responding to so many alerts and financial constraints or understaffing. Therefore, the need for some outside assistance may not only be necessary, but welcomed, as that feeling of security fatigue has been around for some time now.

There is an added wildcard factor too: I’m confident many of us in the field have heard IT professionals say, “We’ve got this” with a straight face. My general rule of thumb is this: If attackers can get into the U.S. Department of Defense, they can get to you, so the “I feel fine” comment could very well include a dose of denial.

When considering external assistance — really just a vulnerability assessment — it’s worth thinking through the nuance of this question: Is your IT department there to provide IT services, or is it there to secure IT systems? I suggest the answer is not transparently obvious, and much of it will depend on your business mission.

Your IT team may be great at innovating and deploying services, but that does not necessarily mean its strengths also include cybersecurity audits/assessments, penetration testing, remediation or even operating intelligence-led analytics platforms. Likewise, your security team may be great at securing your networks, but that does not necessarily mean it understands your business limitations and continuity needs. And surely, the last thing you want to do is get trapped in some large capital investment that just turns into shelfware.

Strengthen Your Defenses by Seeing a Cyber Doctor

Decision-makers — particularly at the C-suite and board level, in tandem with the chief information security officer (CISO) and general counsels — should consider the benefits of a regular external assessment by trusted professionals that not only understand the cybersecurity landscape in real time, but also the business needs of the organization.

It’s simple: Get a checkup from a cyber doctor who will explain what’s up in simple language, fix it with help if necessary and then do what you can on your own. Or, get additional external help if needed. That’s it. That semiannual or even quarterly assessment could very well be that little bit of outside help that inoculates you from the nastiest of cyber bugs.

The post An Apple a Day Won’t Improve Your Security Hygiene, But a Cyber Doctor Might appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: George Platsis

Advanced Threats, Automotive Computing Systems, Automotive Industry, Connected Vehicles, Endpoint, Endpoint Security, Malware, Personally Identifiable Information (PII), Risk Management, Smart Devices, software vulnerability, Transportation Industry,

It’s Time for an Automotive Cybersecurity Wake-Up Call

As the modern vehicle becomes smarter and more connected, everything from safety systems — such as steering, acceleration and brakes — to infotainment systems are controlled by some sort of computer. The car of today — and especially tomorrow — relies on countless lines of software code to get those wheels moving, a reality that has placed increasing importance on automotive cybersecurity. When you think about it, the auto industry is blurring the lines between transportation and software.

A recent survey of auto manufacturers from Synopsys and SAE International found that 62 percent of respondents think it is likely or very likely that malicious attacks on their software or components will occur within the next 12 months. The study also revealed that software security is not keeping pace with technology in the automotive industry and, as a result, connected vehicles have a range of unique security issues.

Even more concerning, 30 percent of survey respondents said they do not have an established product cybersecurity program or team. What steps should auto manufacturers take to avert the potential damage cyberthreats could cause to the industry?

The Transportation Industry in Transformation

To answer these questions, I figured it was best to go straight to the source. Chris Clark, principal security engineer for strategic initiatives at Synopsys, co-authored the aforementioned study and possesses in-depth knowledge of the auto industry from a high level down to the technical weeds.

The reality for the industry, according to Clark, is that car manufacturers have always been software companies because for many years they’ve had microcontrollers that perform some level of action. Depending on the type of car you drive, you may have capabilities such as Apple CarPlay, Android Auto or even a digital storefront from which you can add apps and capabilities to your infotainment system.

“We’re going to continue to see that progress,” said Clark. “And the only way you can do that is to be a software house. That’s where the industry is.”

Before we dive in, just to be clear, the purpose of the study — and, for that matter, this article — is not to scare you. Instead, it should be viewed as more of a learning tool.

“I think a lot of people had the same initial response that you had [about the study],” Clark told me. “But one of the takeaways I want to get out of this is that [the study] is really more of a helping document. I hope the technical person, middle management, etc. can reach up to the higher-level offices and say, ‘Here are the challenges we really face and how can we reevaluate the direction we’re going from a security perspective.’”

Assessing Realistic Threats to Automotive Cybersecurity

Reading the report, it’s evident that the industry is facing some severe cybersecurity challenges. The ramifications, however, are not as dire as they seem — at least in the short term. While the vulnerabilities that exist for auto manufacturers need to be addressed ASAP, the risk is more localized.

“When we talk about safety in the automotive industry, yes, there is a potential for hackers to take control of the vehicle and cause some malicious activity,” Clark said. “But right now, we’re so early in this security model … most of the discussions taking place revolving around automotive security aren’t realistically that applicable yet.”

For instance, say an attacker discovered a vulnerability in the infotainment system of a connected vehicle and went on to perform some level of control with the vehicle. According to Clark, it’s not very likely that the threat actor would be able to exploit that in the entire fleet of cars.

In the short term, there is a concern about malicious actors gaining access to personally identifiable information (PII) and/or injecting malware to deny access to a vehicle. In the malware scenario, there’s a parallel to be drawn to ransomware, where you’d need to call an 800 number and turn over thousands of dollars just to turn your car back on.

Interconnectivity Takes the Wheel

Make no mistake: The threat potential is significant, especially as we move toward a future of autonomous vehicles, where discussions around artificial intelligence and machine language will come into play. According to Clark, to do this effectively, vehicles will need to harness abundant local computing power to provide the amenities that the consumer is looking for.

We also must remember that the automobile is just one part of a growing tech-enabled transportation ecosystem. It’s not only car manufacturers that need to address cybersecurity concerns; because our vehicles are communicating with other vehicles, traffic signals and more, security plays a role well beyond the individual automobile.

The city of Los Angeles, for example, has been making progressive investments in public transportation, bicycle lanes and alternative transportation. Soon, it will launch a new data sharing platform. Ted Ross, general manager and chief information officer for the city’s Information Technology Agency, understands that there are tremendous benefits to networking a service — in this case, transportation — and making it digital. Equally important, however, is the investment required to secure these services.

“If not properly secured, [the automobile] becomes an entry point for malicious actors,” Ross said. “Automated cars, traffic signals and urban infrastructure become a tremendous liability if hacked and compromised by criminals.”

The concern for Ross — and any other smart city like Los Angeles — is that an insecure ecosystem could allow criminals to gain access to user payment accounts, personal data and possibly even the digital systems — e.g., automated braking, acceleration and autonomous vehicle guidance systems — used to ensure the safety of riders and pedestrians.

“Cybersecurity is paramount in a rapidly digitizing society,” Ross noted.

It’s safe to assume the most pressing issue for the automotive industry is the collective security practices of all manufacturers involved in the supply chain. The frequent integration of third-party components, software, communications protocols and applications can introduce threat vectors that original equipment manufacturers (OEMs) must address.

A Considerable Amount of Work Still to Be Done

To improve automotive cybersecurity, the industry can implement several strategies. Most importantly, according to Clark, companies in the industry need to ask the same important questions that apply to any industry. Have we hired the right people? Have they been trained properly? Do they have the education they need from a cybersecurity standpoint?

Industry leaders looking to make use of best practices can also turn to helpful resources such as:

Despite the startling statistics and an industry fraught with challenges, there’s one nugget of information from my conversation with Clark that stood out from the rest. When you look at the automotive space, cybersecurity is a relatively new consideration.

“Ten years ago, we wouldn’t even be having this discussion about computing platforms and vehicles,” Clark said. “We look at cybersecurity in the automotive space; we’re like toddlers. Security in the space is only two, three years old, and maybe some [companies] are a little more ahead, a little bit more mature, but this is the early days.”

It’s a positive sign that research demonstrates how automotive industry leaders are jumping on the bandwagon to address the challenges they’re hearing about. To make real progress, Clark says there still has to be discussions within and between organizations on how to address potential vulnerabilities and challenges to integration related to security.

“Those discussions are happening, but they’re not happening enough,” said Clark.

There’s still a considerable amount of work to be done. While the Synopsys report isn’t meant to sensationalize the threat, perhaps it’s the wake-up call the industry needs.

The post It’s Time for an Automotive Cybersecurity Wake-Up Call appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Mark Stone

Data Breach, Data Privacy, Data Protection, Digital Identity, General Data Protection Regulation (GDPR), Personal Data, Personally Identifiable Information (PII), privacy regulations, Security Training,

Developing a Security Plan Around Consumer Data Privacy Concerns

When developing a security plan, most organizations turn their focus internally to protect business interests. That used to work because most people didn’t give cybersecurity a second thought — that is, until their personally identifiable information (PII) was affected. But that isn’t the case anymore.

With the increase in very large, high-profile data breaches and regulations such as the General Data Protection Regulation (GDPR), consumers now care about security and data privacy, and they want to make sure the companies they do business with are taking action to protect customers’ PII. According to a study from The Harris Poll and Dtex, Americans are demanding organizations do a better job at cybersecurity and protecting personal data. The challenge for organizations is to enact security policies and systems that meet enterprise objectives while also addressing consumer privacy concerns.

Digital Monitoring Is the Primary Concern

The security and data privacy issue that concerns Americans most is digital monitoring. The majority of consumers don’t mind that their PII is being digitally monitored — they understand this helps organizations streamline business operations — but they want transparency. In other words, they want to know what information is being used and why.

It isn’t just consumers that demand this transparency. More than three-quarters (77 percent) of those surveyed in the Harris Poll/Dtex report said they want their employers to be transparent about how employee information is monitored. Transparency is such an important issue that the vast majority of Americans (71 percent) would turn down an employment opportunity if the prospective employer was not upfront about digital monitoring.

Consumers and employees understand that monitoring of digital identities is often done in the name of improved cybersecurity — that this will protect them in the long run — and the security angle plays a role in their perception. But it stops with the workplace; consumers don’t want a Big Brother monitoring their personal devices, even when they are used in a business setting. They also worry about the amount of digital monitoring that occurs in social media, banking, government and even retail. Again, they don’t like being watched, but recognize that this will help organizations provide better security.

Still, most people don’t believe they can do anything about it. According to an ExpressVPN study, 89 percent of Americans think they should have some control over how companies, especially the big tech companies, share the PII they gather, but barely half (52 percent) believe that will happen in 2019. Even with the spotlight shining brightly on security and privacy, Americans simply don’t trust organizations to keep their personal data safe. Cybersecurity of personal data is taken out of their hands once they share the information. According to Harold Li, vice president of ExpressVPN, it shouldn’t be that way.

“Privacy is a fundamental right, and internet users should be in control of their personal data and how it should be used,” he asserted.

Develop a Security Plan That Works for Everyone

We know what consumers want when it comes to the protection of their digital identity. Now it is up to every organization to find a way to develop a security plan and put together a cybersecurity system that addresses consumer concerns while providing optimal business operations.

This begins with understanding why and how consumers’ PII is used for business, which requires internal security leadership to meet with other business units to understand how each uses and stores consumer and employee data. Marketing will use this information differently than human resources and accounting, for example, and providing the right security and data privacy solution can’t be a one-size-fits-all approach if data protection and transparency is the goal.

The growing number of privacy laws will also impact any security policy, and leadership has to go beyond the regulations already in effect. Security and privacy systems have to address more than just the GDPR and the California Consumer Privacy Act (CCPA), or newer laws in Colorado and Illinois. Instead, leadership must anticipate what is coming, possibly from a federal level, and recognize that how they handle privacy concerns today isn’t going to meet next year’s demands.

Security policy that deals with data privacy also needs to address the concerns of consumers. As Americans become more savvy about cybersecurity, they will expect organizations to put greater emphasis on protecting PII and to offer more transparency around digital identity monitoring. If your organization isn’t willing to meet consumer expectations, they will take their business to a company that will.

Finally, no organization can improve its security and privacy policies without improving internal behavior. More emphasis needs to be placed on data privacy training and transparency. Just as employees should receive education on how to identify a phishing email or avoid downloading malware, they should also be well-versed on what constitutes a violation of data privacy.

Consumers are more aware than ever about cybersecurity and its risks. They understand that they willingly turn over a lot of personal information, and now they want organizations to step up efforts to protect that data’s privacy. The onus to meet the challenge of consumers’ security and privacy expectations is on the enterprise. Developing a security plan around consumer concerns is a good first step.

The post Developing a Security Plan Around Consumer Data Privacy Concerns appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Sue Poremba

Cybercriminals, Data Privacy, Data Protection, Education, FBI, Government, Personal Data, Personal Health Information (PHI), Personally Identifiable Information (PII), Ransomware,

FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, even as schools increasingly rely on technology for everything from tracking performance to attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.

Social Engineering 101: How to Hack a Human

Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, as there are various data retention requirements to take into account. There are also juggling acts to perform when setting strict requirements around data to keep out threat actors while enabling access for educators and parents when necessary. Take allergy requirements: If a substitute teacher has trouble accessing his or her students’ health records because of a tricky login process, a dangerous situation could develop.

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Bob Sullivan

customer experience, Data Breach, Data Privacy, Data Protection, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, Malware, Network Security, Personally Identifiable Information (PII), Point-of-Sale (POS) Systems, Retail, Retail Data Breach, Retail Industry, Retail Security, Risk Management,

5 Recommendations to Improve Retail Cybersecurity This Holiday Season

This is the first installment in a two-part series about how retailers can help protect their enterprises this holiday season.

With the holiday season upon us, retailers have an opportunity to boost revenues before the end of the year. Any increase in profit at the expense of retail cybersecurity, however, can cost a company more in the long run, given the rising size and costs of data breaches and associated revenue and reputational loss. With extra web traffic and high order volumes coming in, the holiday shopping season can be a particularly perilous time for businesses seeking to safeguard customer information.

A Timely Cause for Retail Cybersecurity Concerns

Tis the season for retailers to buckle down on security, since data breaches typically peak just prior to and during the holiday shopping season. IBM X-Force Incident Response and Intelligence Services (IRIS)’s assessment of X-Force Interactive Security Incident data recorded between 2012 and 2017 revealed that 41 percent of all retail and consumer product breaches occurred between September and December, elevating the risk for enterprise network breaches during that time of year. More than two-thirds of all records in the consumer products sector were leaked, lost or stolen during these last four months of the year — that’s nearly 180 million records each year.

Don’t Reward the Naughty

A growing number of retailers now offer rewards programs to retain and nurture their customer bases. For shoppers to join these programs, most retailers ask for personally identifiable information (PII) such as name, address, phone number and email address. If ever compromised, an attacker can correlate this customer PII to payment data and use it to aggregate information to compromise the user’s identity.

In line with recent regulatory laws such as the General Data Protection Regulation (GDPR), retailers should collect the least possible amount of PII on customers, have a clear purpose for each data element, and make sure to always keep data encrypted and safeguarded, both in transit and at rest.

Phishing Is in Season

Attackers don’t wait for the holiday season to begin launching spam campaigns, which are often employed as the first stage of their overall fraud and attack campaigns. Analysis of X-Force spam honeypot data collected between 2015 and 2018 revealed a notable rise in the average volume of spam emails beginning in August, with September slightly lower and October ranking third.

Average Spam per Month

Figure 1: Total volume of spam emails recorded, 2015–2018 (Source: IBM X-Force)

Preventing and responding to data breaches leading up to and during the holiday shopping season has become imperative. It is incumbent on retail security professionals to perform due diligence during this time, and there are several ways to accomplish this goal.

Below are five holiday season tips for retailers to help make your enterprise a safer shopping environment. These techniques can help retailers identify impending data breaches and sidestep the costs associated with a major data breach.

While I’ve listed these tips in the order of what I generally consider to be top-of-mind for retailers, this list can be customized to serve your organization’s specific needs.

1. Mitigate the POS Malware Threat

After a popular big box retailer suffered a breach in 2013, public awareness around the vulnerability of point-of-sale (POS) systems grew exponentially. That breach was facilitated by malware that infected POS machines and helped threat actors access a large volume of credit card information to sell to other criminals on the dark web. This intrusion resulted in the theft of more than 110 million records.

Five years later, POS malware continues to plague retailers. According to IBM X-Force, 74 percent of publicly reported POS malware breaches in 2017 impacted the retail sector. X-Force IRIS has observed malicious actors using POS malware, such as FrameworkPOS and PoSeidon, to siphon credit card data from POS terminals. Web-based malware, which steals credit card data on the fly as online transactions are processed, is also gaining steam.

To help mitigate these risks, both in physical and virtual realms, retailers should take the following steps:

  • Use some form of malware detection on your entire network to include the network of POS systems.
  • Test the devices’ hardware and software (more to come on penetration testing in the second installment of this series) and keep devices up-to-date through regular patching.
  • Work with a supplier that will contractually adhere to both your regulatory standards and security requirements.
  • When using mobile POS, have controls in place to ensure the integrity of the hand-held device and the encryption of its communication channels with the server that processes and stores card data.
  • Ensure any mobile payment system is from a trusted provider that supplies regular updates, patches, and equipment upgrades to comply with advances in encryption requirements and evolving threats.

Cybercriminals also commonly steal credit card data through payment card skimmers. These physical devices are fitted into the mouth of card readers and work by copying track data from the credit card and storing it on a memory chip inside the skimming device. In addition to retail establishments, skimmers are often found in ATMs, restaurants and gas stations.

As a precaution, retailers should frequently search for devices on their POS terminals and swiping equipment. Attackers typically attach skimmers to the device by sliding them onto the scanners and collecting them later. To check for a skimmer, examine devices daily and pull on the scanner if anything appears different. If part of the device comes off, it may be a skimming device. Call your service provider and IT security team to report it before resuming activity with that terminal or device.

With security controls and practices becoming more efficient, threat actors have resorted to gluing card skimmers to machines. This makes it difficult to detach by simply pulling it off the affected device. Retailers should train employees in all locations to recognize the proper look and components of their POS terminals and swiping devices. Employees should also know how to report suspicious devices.

2. A Clean Network Is a Safe Network

Payment card data carries immediate monetary value to criminals, and there are many methods by which they aim to steal it.

One tactic IBM X-Force researchers have seen increasingly often is the injection of malicious code into legitimate e-commerce websites. By compromising websites where people shop online, attackers can send payment data submitted during customer checkout to their own infrastructure.

To help reduce the likelihood of becoming a feeding ground for criminals, online retailers should take the following steps:

  • Harden the security of underlying web servers.
  • Limit access to critical assets and properly manage the privileges of those that maintain them.
  • Ensure that web applications are secure, harden them against threats like SQL injections and other common attacks, and have them tested regularly.
  • Deploy a change monitoring and detection solution to spot unauthorized modifications to your e-commerce platform’s web hosting directories. If this is not feasible, schedule periodic, manual reviews of these assets.

Account takeover (ATO), which occurs when a threat actor gains unauthorized access to an online account that belongs to someone else, can also affect e-commerce customers. With access to shoppers’ accounts, fraudsters can wreak havoc by stealing stored payment data, making fraudulent purchases and rerouting existing orders to a different address, for example.

Unauthorized access requires the use of legitimate credentials, which criminals can attain through a variety of tactics. The most common methods include phishing, brute-forcing weak passwords and launching SQL injection attacks on the web application itself.

You can help mitigate these threats by practicing good network hygiene. Here are some useful tips retailers can apply today to lower the risk of user account compromises:

  • Employ the most recent patches for all hardware, internal and external software, network communication protocols, and database security protocols.
  • Sanitize user input to prevent injection attacks.
  • Prioritize patching for the threats most relevant to your organization. Look out for the most-exploited vulnerabilities and ensure that internet-facing servers and systems are up to date.
  • Always consult your local computer emergency response team (CERT), IBM X-Force Exchange and other threat intelligence sources to gather the latest news on vulnerabilities and mitigation techniques.
  • Enforce multifactor authentication (MFA) for employees.

3. Go to Your Separate Corners

Cybercriminals are always leveraging new ways to steal payment card data and correlate it with PII. Elevated volumes of web traffic during the holiday season provide attackers with even more targets and opportunities.

To help keep customer data safe, even in cases where criminals manage to infiltrate assets, security teams should keep PII, financial data and POS information separate by segmenting enterprise networks. By keeping this information separated and encrypted, attackers will find it much harder to correlate data on customers. While segmenting a network can be an intensive process, it’s a small price to pay to keep customer data safe.

In network segmentation, allow only one IP address per segment to communicate at a time to detect suspicious traffic. While an attacker may spoof his or her IP address, this control can allow defenders to find out about most intruders rather easily. Here are some other best practices to consider:

  • Conduct internal audits for segment crossover to ensure that segregated data sets do not get mixed over time and appear in other places on the network, which can help attackers with identity theft.
  • Deploy web application firewalls (WAFs) to help ensure that incoming traffic is filtered, monitored and blocked to and from web applications to mitigate threats such as cross-site scripting (XSS) and SQL injection.
  • As a secondary measure, a firewall should be implemented to effectively govern all traffic coming in and out of the network. Firewall configuration is a key element in its effectiveness and should be performed by a certified network technician.
  • Have administrative users log in with a lower privilege level before escalating their privileges to perform updates and maintenance.
  • Prevent sensitive users and systems from communicating with the internet.

4. Learn From History and Educate Users

Nearly every company has some kind of data protection training in place. To make employee training programs more effective, organizations must understand that training materials are sometimes clicked through at a rapid pace to complete them as quickly as possible in favor of getting back to work. So how can an organization effectively educate their users?

  • Plan for role-based training of all employees in the organization.
  • Train employees on both physical and digital security.
  • Conduct short training sessions and field-test them by asking for employee feedback.
  • Launch an internal phishing campaign: Send a spoofed email from a dummy account with official-sounding names, titles and subjects, and track the number of users who click on the links or attachments. Offer additional training according to the conclusions from the campaign.
  • Identify users who need remedial training and retest as needed.
  • Most importantly, provide all users with an easily accessible resource to report issues. Users should be able to contact IT security with any question or suspicion.

For education to be effective, it has to be repetitive and stay top-of-mind for users across the entire organization. Get management to support awareness campaigns and find opportunities to educate users. Having vigilant employees makes mitigating attacks during the holiday season that much more effective. Frequent email reminders, illustrative posters and communicating best practices during team meetings can demonstrate your organization’s commitment to secure day-to-day conduct. Giving users personalized attention can go a long way toward making the message resonate with them — for example, you might consider gifting a security-themed mug for the holiday season.

5. Use Network IP Whitelists and Blacklists

Whitelists are IP addresses or domains used specifically for allowing access, whereas blacklists are used to help prevent IP addresses or domains from entering a network. Whitelists and blacklists are useful for keeping unauthorized and authorized connections within or outside the network. Keeping these lists up-to-date demands some diligence, but they can be crucial to boosting network security.

Filtering IPs according to these lists is more suitable for enterprises that do not manage e-commerce activity, since e-commerce companies have to accept inbound requests from all over the world, especially during the holiday shopping season.

These lists are much easier to maintain for networks that do not face external customers because blacklists can be used on both inbound and outbound access to help block known malicious hosts from communicating or accessing the organization’s data and assets. Below are some basic tips for filtering hosts:

  • Blacklist any IP addresses known to be malicious. Constantly updated lists can be fed into security solutions directly from threat intelligence platforms.
  • Should a blacklisted IP address have legitimate reasons for communicating with the network, investigate, confirm and allow access via the whitelist.
  • Whitelists should include any internal company addresses.
  • Whitelists should exclude any websites that are not relevant for employees carrying out their daily tasks (e.g., social media, webmail, etc.).
  • It is imperative to verify these lists periodically to help ensure that all information is accurate.
  • Should any IP addresses on the whitelist become outdated, it should be promptly removed or moved to the blacklist.
  • Keeping allowed and banned IP addresses from becoming intermingled is a basic premise of effective whitelist/blacklist practices.

Stay Tuned for More Holiday Season Tips for Retailers

There is no such thing as unimportant data. Take every necessary precaution to help protect enterprise and customer data by implementing strong retail cybersecurity controls, educating users and following current best practices. Maintaining customer confidence in your ability to protect their PII can result in more business, increased customer loyalty and stronger organizational reputation.

Stay tuned for five more tips to help retailers stay secure this holiday season.

The post 5 Recommendations to Improve Retail Cybersecurity This Holiday Season appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: David Bales

Artificial Intelligence (AI), Cloud, Cloud Security, Data Breach, Data Privacy, Data Protection, Incident Response (IR), Managed Security Services (MSS), Payment Card Industry (PCI), Personally Identifiable Information (PII), Platform-as-a-Service (PaaS), Ransomware, Retail, Retail Breach, Retail Industry, Retail Security, Skills Gap, Software-as-a-Service (Saas), Threat Protection,

Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage

Digital transformation is dominating retailers’ attention — and their IT budgets. As a result, significant gaps in retail cybersecurity are left unfilled just as retail IT faces new challenges, from infrastructure moving to the cloud without clear security policies to an array of new threat vectors focused on personal customer information, ransomware and underprotected business-to-business (B2B) connections.

Just as with line-of-business functions like merchandising and operations, retailers’ cybersecurity functions must undergo a digital transformation to become more holistic, proactive and nimble when protecting their businesses, partners and customers.

Retailers Aren’t Prioritizing Security, and Attackers Are Exploiting the Gaps

According to the retail edition of the “2018 Thales Data Threat Report,” 75 percent of retailers have experienced at least one data breach in the past, with half seeing a breach in the past year alone. That puts retail among the most-attacked industries as ranked by the “2018 IBM X-Force Threat Intelligence Index.”

Underfunded security infrastructure is likely a big reason for this trend; organizations only dedicated an average of around 5 percent of their overall IT budgets to security and risk management, according to a 2016 Gartner report.

While retailers have done a great job addressing payment card industry (PCI) compliance, it has come at a cost to other areas. According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, 78 percent of publicly disclosed point-of-sale (POS) malware breaches in 2017 occurred in the retail sector.

In addition to traditional POS attacks, malicious actors are targeting retailers with new threat vectors that deliver more bang for the buck, such as the following:

  • Personally identifiable information (PII) about customers — Accessible via retailers’ B2C portals, attackers use this information in bot networks to create false IDs and make fraudulent transactions. An increasingly popular approach involves making purchases with gift cards acquired via fraud.
  • Ransomware — Criminals are exploiting poorly configured apps and susceptible end users to access and lock up data, so they can then extract pricey ransoms from targeted retailers.
  • Unprotected B2B vendor connections — Threat actors can gain access to retail systems by way of digital connections to their partners. A growing target is a retailer’s B2B portals that have been constructed without sufficient security standards.

What Are the Biggest Flaws in Retail Cybersecurity?

These new types of attacks take advantage of retailers’ persistent underfunding of critical security defenses. Common gaps include inadequate vulnerability scanning capabilities, unsegmented and poorly designed networks, and using custom apps on legacy systems without compensating controls. When retailers do experience a breach, they tend to address the specific cause instead of taking a more holistic look at their environments.

Retailers also struggle to attract security talent, competing with financial services and other deeper-pocketed employers. The National Institute of Standards and Technology (NIST) reported in 2017 that the global cybersecurity workforce shortage is expected to reach 1.5 million by 2019.

In addition, flaws in governance make retailers more vulnerable to these new types of security threats. To keep up with rapidly evolving consumer demands, many line-of-business departments are adopting cloud and software-as-a-service (SaaS) solutions — but they often do so without any standardized security guidance from IT.

According to the “2017 Thales Data Threat Report,” the majority of U.S. retail organizations planned to use sensitive data in an advanced technology environment such as cloud, big data, Internet of Things (IoT) or containers this year. More than half believed that sensitive data use was happening at the time in these environments without proper security in place. Furthermore, companies undergoing cloud migration at the time of a breach incur $12 per record in additional costs, according to the “2018 Cost of a Data Breach Study.”

To protect their data, retailers need tools to both identify security threats and escalate the response back through their entire infrastructure, including SaaS and cloud services. But many enterprises lack that response capability. What’s more, the “Cost of a Data Breach Study” found that using an incident response (IR) team can reduce the cost of a breach by around $14 per compromised record.

Unfortunately, cybersecurity is not always on the radar in retailers’ C-suites. Without a regularly updated cybersecurity scorecard that reflects an organization’s current vulnerability to attack, senior executives might not regularly discuss the topic, take part in system testing or see cybersecurity as part of business continuity.

3 Steps to Close the Gaps in Your Security Stance

Time isn’t stopping as retailers grapple with these threats. Retail cybersecurity leaders must also monitor the General Data Protection Regulation (GDPR), where compliance requirements are sometimes poorly understood, as well as the emergence of artificial intelligence (AI) in both spoofing and security response. In addition, retailers should keep an eye on the continued uncertainty about the vulnerability of platform-as-a-service (PaaS), microservices, cloud-native apps and other emerging technologies.

By addressing the gaps in their infrastructure, governance and staffing, retailers can more effectively navigate known threats and those that will inevitably emerge. Change is never easy, but the following three steps can help retailers initiate digital transformation and evolve their current approach to better suit today’s conditions:

1. Increase Budgets

According to Thales, 84 percent of U.S. retailers plan to increase their security spending. While allocating these additional funds, it’s important for retailers to take a more holistic view, matching budgets to areas of the highest need. Understanding the costs and benefits of addressing security gaps internally or through outsourcing is a key part of this analysis.

2. Improve Governance

Enacting consistent security guidelines across internally run systems as well as cloud- and SaaS-based services can help retailers ensure that they do not inadvertently open up new vulnerabilities in their platforms. Senior-level endorsement is an important ingredient in prioritizing cybersecurity across the enterprise. Regular security scorecarding can be a valuable tool to keep cybersecurity at the top of executives’ minds.

3. Invest in MSS

A growing number of retailers have realized that starting or increasing their use of managed security services (MSS) can help them achieve a higher level of security maturity at the same price as managing activities in-house, if not at a lower cost. MSS allow retailers’ internal cybersecurity to operate more efficiently, address critical talent shortages and enable retailers to close critical gaps in their current security stance.

Why Digital Transformation Is Critical to Rapid Response

Digital transformation is all about becoming more proactive and nimble to respond to consumers’ rapidly growing expectations for seamless, frictionless shopping. Retailers’ cybersecurity efforts require a similar, large-scale transition to cope with new threat vectors, close significant infrastructure gaps and extend security protocols across new platforms, such as cloud and SaaS. By rethinking their budgets, boosting governance and incorporating MSS into their security operations, retail security professionals can support digital transformation while ensuring the business and customer data remains protected and secure.

The post Retail Cybersecurity Is Lagging in the Digital Transformation Race, and Attackers Are Taking Advantage appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Lisa Terry

Data Privacy, Data Protection, Data Security, facial recognition, Personally Identifiable Information (PII), Privacy, social media,

Think You’ve Got Nothing to Hide? Think Again — Why Data Privacy Affects Us All

We all hear about privacy, but do we really understand what this means? According to privacy law expert Robert B. Standler, privacy is “the expectation that confidential personal information disclosed in a private place will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities.”

It’s important to remember that privacy is about so much more than money and advertisements — it ties directly to who we are as individuals and citizens.

What Is the Price of Convenience?

Most users willingly volunteer personal information to online apps and services because they believe they have nothing to hide and nothing to lose.

When I hear this reasoning, it reminds me of stories from World War II in which soldiers sat on the sideline when the enemy was not actively pursuing them. When the enemy did come, nobody was left to protect the soldiers who waited around. That’s why it’s essential for all users to take a stand on data privacy — even if they’re not personally affected at this very moment.

Some folks are happy to disclose their personal information because it makes their lives easier. I recently spoke to a chief information security officer (CISO) and privacy officer at a major unified communications company who told me about an employee who willingly submitted personal data to a retail company because it streamlined the online shopping experience and delivered ads that were targeted to his or her interests.

This behavior is all too common today. Let’s dive deeper into some key reasons why privacy should be top of mind for all users — even those who think they have nothing to hide.

How Do Large Companies Use Personal Data?

There is an ongoing, concerted effort by the largest technology companies in the world to gather, consume, sell, distribute and use as much personal information about their customers as possible. Some organizations even market social media monitoring tools designed to help law enforcement and authoritarian regimes identify protesters and dissidents.

Many of these online services are free to users, and advertising is one of their primary sources of revenue. Advertisers want high returns per click, and the best way to ensure high conversion rates is to directly target ads to users based on their interests, habits and needs.

Many users knowingly or unknowingly provide critical personal information to these companies. In fact, something as simple as clicking “like” on a friend’s social media post may lead to new ads for dog food.

These services track, log and store all user activity and share the data with their advertising partners. Most users don’t understand what they really give up when technology firms consume and abuse their personal data.

Advanced Technologies Put Personal Data in the Wrong Hands

Many DNA and genomics-analysis services collect incredibly detailed personal information about customers who provide a saliva-generated DNA sample.

On the surface, it’s easy to see the benefit of submitting biological data to these companies — customers get detailed reports about their ancestry and information about potential health risks based on their genome. However, it’s important to remember that when users volunteer data about their DNA, they are also surrendering personal information about their relatives.

Biometrics, facial recognition and armed drones present additional data-privacy challenges. Governments around the world have begun using drones for policing and crowd control, and even the state of North Dakota passed a law in 2015 permitting law enforcement to arm drones with nonlethal weapons.

Facial recognition software can also be used for positive identification, which is why travelers must remove their sunglasses and hats when they go through immigration control. Law enforcement agencies recently started using drones with facial recognition software to identify “potential troublemakers” and track down known criminals.

In the U.S., we are innocent until proven guilty. That’s why the prospect of authorities using technology to identify potential criminals should concern us all — even those who don’t consider privacy to be an important issue in our daily lives.

Who Is Responsible for Data Privacy?

Research has shown that six in 10 boards consider cybersecurity risk to be an IT problem. While it’s true that technology can go a long way toward helping organizations protect their sensitive data, the real key to data privacy is ongoing and companywide education.

According to Javelin Strategy & Research, identity theft cost 16.7 million victims $16.8 billion in the U.S. last year. Sadly, this has not been enough to push people toward more secure behavior. Since global regulations and company policies often fall short of protecting data privacy, it’s more important than ever to understand how our personal information affects us as consumers, individuals and citizens.

How to Protect Personal Information

The data privacy prognosis is not all doom and gloom. We can all take steps to improve our personal security and send a strong message to governments that we need more effective regulations.

The first step is to lock down your social media accounts to limit the amount of personal information that is publicly available on these sites. Next, find your local representatives and senators online and sign up to receive email bulletins and alerts. While data security is a global issue, it’s important to keep tabs on local legislation to ensure that law enforcement and other public agencies aren’t misusing technology to violate citizens’ privacy.

Lastly, don’t live in a bubble: Even if you’re willing to surrender your data privacy to social media and retail marketers, it’s important to understand the role privacy plays in day-to-day life and society at large. Consider the implications to your friends and family. No one lives alone — we’re all part of communities, and we must act accordingly.

The post Think You’ve Got Nothing to Hide? Think Again — Why Data Privacy Affects Us All appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Eric Jeffery