A Billion here, a billion there …

It has been reported in the NY Times, among other places, that a Russian crime gang has amassed 1.2 BILLION userid/password combinations, along with 500 million email addresses.  Even to me, that is a large number.

The passwords represent data stolen from 420,000 web sites, including both large and small companies.

The bad news is that they are not disclosing the names of the sites that have been compromised, in part because many of them are still vulnerable.  What this means is that you as a user have no idea where to look.

Ultimately, this tells us that the security processes and mechanisms that we are using have failed and cannot be fixed, but rather must be changed.

The challenge is that people don’t like change and will, for the most part, resist it — which is why we are still using userids and passwords.

Apparently, this particular gang is currently only using this data to spam people, but that does not mean that it will only be used for that or that the gang won’t morph into a different business model.  If they do change into a financial crime model, it could get pretty ugly.

For now, all you can do is be vigilant, and that is hard to do for more than a short period of time.  Do pay special attention to important sites like online banking and bill pay, credit cards and e-commerce sites.

Even though it is inconvenient, I avoid allowing web sites to store my credit card and bank account information.  This is especially true for the smaller sites.  Remember that if your userid and password have been compromised and the site has your credit card information, your credit information is also compromised.  So, while you may not care if the hackers know that you are buying jeans at Wal-mart, you probably care if those crooks can lift your credit card information from that site.

The better web sites do not allow you to see your credit card information after it has been entered (other than the last 4 digits) to make harvesting the card information harder.

Stay tuned … there will be more details I am sure.

M

The FBI is looking for a little love

According to an item on Govtech, the FBI is looking for a little help from businesses in their effort to bring cyber criminals to justice.

Assistant AG for National Security John Carlin and FBI Director James Comey said they need more than knowing how a breach occurred.  They also want to know why the bad guys are after them.  So exactly what is in it for businesses to cooperate?

I assume that number one on most companies’ lists would be to get the bad guys, get the information back and put the perpetrator in jail for a long, long time.  Let’s analyze this.

While some cyber attacks come from inside the US, many come from foreign countries.  Countries that are not terribly friendly to us.  Countries like Russia, China, North Korea and other places.  Do you think China is going to help us catch some cyber thieves?  Not likely.  Many of them are likely on the government’s payroll.  The ones that are not and are doing things that the government doesn’t like will likely disappear.  That problem is solved.  Sending them to the US to face trial?  Not gonna happen.

What are companies concerned will happen?

1.  My company will be turned into a crime scene.  To some extent, this is likely to happen.  The Feds are going to want to collect evidence.  Are they going to come thundering in and haul off all your computers?  Not likely, but there are no parameters that say what they are going to do and not do.  Are they going to question my employees and take their time?  Likely yes.

2. I will get a lot of PR – all bad.  This is likely to happen anyway unless you can keep the breach quiet.  If it consists of stealing corporate intellectual property, you can probably do that, but the odds of catching the bad guys go to zero.  On the other hand, once the IP is stolen, getting it back is probably not very useful, since it has likely already been copied and distributed.  You cannot get the cow back in the barn.

3. The FBI is not going to understand what I am telling them and I will get frustrated.  Also likely to an extent.  The FBI is hiring a bunch of cyber agents, but they are not programmers and not system administrators and they have not been involved with your company to understand how your systems work.  Still, they are getting much better than they were.

4. The bad guys won’t get caught.  Also likely.  The US just indicted a bunch of Chinese military hackers.  Do you think the Chinese are going to turn them over to us?  Not very likely.  That indictment was a publicity stunt to try to impress the uninformed.  At least we do have some idea of who was attacking us, but the odds of us getting our hands on them to put them through our legal process are as close to zero as you can get.

5. Information I don’t want to get out will get out.  Partly true.  Some information will be protected, but unless a judge agrees to seal an indictment or clear the courtroom before testimony, which is very unusual, some information will get out and you won’t get to decide what does and what does not.

So it is a messy situation.  No easy answers.  Your board will have to make some decisions. Also consider, however, that if it involves PII (like credit cards) or PHI (like medical records), the decision is mostly out of your hands unless you want to break the law – and they know where you live, so that is probably not a good plan.

Best answer – work hard to protect yourself and hope that your breaches are small.

Sorry if you were looking for a better answer.

M


Are you managing your third party connections?

Those of you who have been following the Target Company’s security breach are probably aware that the publicly stated source of the breach was a heating vendor who clicked on a malicious email and set the wheels in motion for one of the largest security breaches ever.

Since the old adage says that your firm’s security is only as good as its weakest link, you might assume that companies would be reviewing the security of third parties that are vendors and are part of the company’s supply chain.

According to an article in CSO Online, only 44% of companies surveyed take the effort to vet the security of third party vendors and others in their supply chain.

92% of the firms don’t have a supply chain risk management process.

We have heard of law firms being targeted.  Apparently, the bad guys have figured out that it may be easier to attack a company’s law firm than the company itself.

Do your vendors have the ability to log in to your systems?  You might say that if the answer to that question is no then you are safe.  Maybe not.

If those third parties have the ability to send you an email or send you a Word doc, then they could be the vector for an attack on you.  If they can log on to your systems, the risk is even higher.

My suggestion – use a risk management process to minimize the likelihood of your most important vendors being the source of a breach of your information.

Remember that even if they have cyber liability insurance (and since you are not vetting them you don’t know), who is getting the black eye is you, not them.  Nobody remembers the name of the heating contractor that started the Target breach.  And, if all they have is general corporate liability insurance, then the odds of you collecting a dime are nil.

Food for thought.

M