Are you managing your third party connections?

Those of you who have been following the Target Company’s security breach are probably aware that the publicly stated source of the breach was a heating vendor who clicked on a malicious email and set the wheels in motion for one of the largest security breaches ever.

Since the old adage says that your firm’s security is only as good as its weakest link, you might assume that companies would be reviewing the security of third parties that are vendors and are part of the company’s supply chain.

According to an article in CSO Online, only 44% of companies surveyed take the effort to vet the security of third party vendors and others in their supply chain.

92% of the firms don’t have a supply chain risk management process.

We have heard of law firms being targeted.  Apparently, the bad guys have figured out that it may be easier to attack a company’s law firm than the company itself.

Do your vendors have the ability to log in to your systems?  You might say that if the answer to that question is no then you are safe.  Maybe not.

If those third parties have the ability to send you an email or send you a Word doc, then they could be the vector for an attack on you.  If they can log on to your systems, the risk is even higher.

My suggestion – use a risk management process to minimize the likelihood of your most important vendors being the source of a breach of your information.

Remember that even if they have cyber liability insurance (and since you are not vetting them you don’t know), the one getting the black eye is you, not them.  Nobody remembers the name of the heating contractor that started the Target breach.  And, if all they have is general corporate liability insurance, then the odds of you collecting a dime are nil.

Food for thought.

M


Is cyberinsurance an effective tool to protect against the costs of a cyberattack?

An article at Investors.com made a number of good points, but I have a bone to pick about one point.

First the good points –

One of the many changes that the Internet brought about is that it is easier than ever to steal someone’s data.  You don’t have to break in to someone’s house or office — you can be thousands of miles away – which means that the odds of getting caught are very low.

People are buying more and more cyberinsurance.  It seems like a good thing.  Have a risk?  Insure against it.  The attacks are endless and mind-numbing – Target, eBay, Boeing, Lockheed.  The list seems to go on forever.  Attacks are more prevalent and harder to detect.

The industry has been writing fire insurance for over a hundred years.  They have been writing cyber insurance for less than ten years.  Do you think the insurers have this figured out?  Do YOU know what is covered in your cyber liability policy and what is not covered?

The article points out that we don’t even know what percentage of companies have cyberinsurance. Three different studies reported very different results – from 52% to 33% to only 6%.  Even if you are very optimistic, it means that half of the companies don’t have cyber insurance.  That’s probably not a good plan today.

Now the bone –

The article says “Yet challenges remain to raise awareness that cyberinsurance can be an effective tool to protect against the costs of repairing and defending against cyberattacks.”

Far be it from me to suggest that people should not buy cyberinsurance.  I think most companies should have some cyberinsurance, BUT, all that will do is help defray some of the costs – after the fact.

While Target is not the typical breach, it is representative.  It has been reported that Target had $100 million in cyber insurance.  I don’t know if that is true, but that has been reported. It has also been reported that Target will likely spend more than a billion dollars mitigating the attack.  That includes everything from PR to lawsuits.  Of course it depends on the outcome of the 50 lawsuits that have been filed against Target, but the cost might be several billion dollars.

So, if you are optimistic, Target’s insurance will cover 10% of the cost of mitigation.  If you are pessimistic, it might only cover 1%.  Ignoring for the moment the purely financial impact of paying to mitigate the breach, Target has been the recipient of an awful lot of bad publicity and their sales fell significantly after the breach as well.

What companies really need to do – besides making sure that they do have cyberinsurance – is to take some positive action to reduce their own risk of being the victim of a cyberattack.  What most companies do is install anti-virus software and a firewall and call it good.  Tomorrow I will write a post on the downside to anti-virus software – check that out.

What companies need to do today is way more than that.  To start with, do you have a Chief Risk Officer (not someone who does 10 things plus risk management)?  Do you have a chief data security officer?  If you are a small to medium size company, these could be part time or they could be fulfilled by a contractor, but these need to be well defined jobs.  AND, they need to brief the board of directors on a regular basis.  Ultimately, this is a bet-the-company issue.  Studies report that somewhere around two thirds of companies that suffer a data breach go out of business.  Whether that number really is 66% or 40% or even 33%, the number is significant and as a result, this issue needs real ongoing visibility at the board level.  What this likely means is spending money, changing processes, dealing with people complaining about change and a whole lot of other things.

Alternatively, be prepared to be the next Target.  At Target, the CEO, CIO and CISO all lost their jobs.  Among other people.

Choose!


New York tracks you by your license plate – and keeps it

According to an item in USA Today, counties in New York State not only snap pictures of your license plate, but keep them in a database with date-time and location information.

The data is accessible by police throughout the state as well as the Department of Homeland Security.

If you take a bunch of pictures of your license plate at different times, you can piece together a picture of where you go, what you do and who you connect with.

I suspect that the courts will say that when you are out and about you have no reasonable expectation of privacy.  You and I might view it differently, but I doubt the courts will.

Here is the interesting part of this.  While the cameras can be used to ferret out stolen cars, wanted people and expired license plates, that group, collectively, probably represents 1/100th of 1 percent of the pictures taken.  The rest are people going about their daily business, not committing a crime and being watched.

There is no central database; each county does their own thing and there are no statewide rules about it.

Here is a little data:

  • Monroe, Albany, Westchester and New York City keep the data for 5 years.
  • The New York State Police keeps the data for 5 years also.  They have 140 cameras.
  • Erie and Onondaga counties keep the data for 1 year.
  • Monroe county had 3.7 million snapshots as of last week.
  • Onondaga county had 5.2 million as of a couple of weeks ago.
  • Albany county, where the state capital is, had 37 million pictures.
  • Erie county said they have the capacity to store 12 million pictures and plan to add more storage.
  • Most agencies declined to say how many pictures they had.

In a sense, this is like the NSA – no rules, no watchdogs, no transparency – just trust us.

To me, that doesn’t seem like a really good plan – just saying!


How are public restrooms and public computers alike?

There is an article in Slate that suggests that we should treat public computers like we treat public restrooms – very cautiously.

I had never made that analogy before, but I do like it.

Both public restrooms and public computers may harbor germs and viruses.  Both may have been frequented in the recent past by people of dubious character and you don’t know what you might catch if you visit either one of them.

The article talks about hackers installing key logging software on hotel business center computers, thereby grabbing every keystroke you type – including user IDs and passwords, of course.  The article is based on a US Secret Service advisory from early July 2014, so I am guessing that the Secret Service found some infected computers.  Obviously, this type of attack is not limited to hotels – schools, libraries and any other place where shared computers are available are susceptible to this kind of attack.

I know that on those rare occasions that I use public computers, I sort of touch them gingerly and would never use them for anything important – like online banking or paying bills for example.

The article says, and I would agree with it, that it is not hard to install such software on most business center computers, although it is also fairly easy to make it more difficult to do.  (It is impossible to make something bullet PROOF.  On the other hand, bullet RESISTANT is definitely possible).  In the old days, you just stuck a wedge on the parallel port and came back later to retrieve it.  Now all you do is log on to your internet connection and harvest the data.

Unfortunately, there is not the equivalent of the sheet of tissue paper to put down before you use the public computer, so beware.

M


Benefits of the cloud

ITWorld reported yesterday that a New York judge granted a warrant on June 11th that allowed the police to seize an entire GMail account, including the address book and drafts, and sift through that to find what they were looking for.

While this is nowhere near as bad as the NSA hoovering entire fiber optic pipes into their data centers, it does point to a lack of privacy.

Let’s say you were discussing things you wanted to be private, but were not illegal.  Maybe they were embarrassing or personal (view my post from yesterday on the NSA).  Or maybe they should be part of your freedom of speech.

Should you choose to store that stuff in the cloud, then I would say you should consider your privacy options limited.  One option would be to store it in the cloud, but encrypt it first.  This limits your ability to view it in the cloud, of course, but it does make it difficult for the feds to trample on your roses, so to speak.  Is it possible that they could decrypt it – sure – but that would be a lot of work.  A few courts have even said that you have to turn over your encryption keys, although none of those decisions have ever made it to the Supremes, so it is not clear if that would be upheld on appeal.  I don’t think the feds are keen to have that precedent established at the Supreme Court level, because if that decision goes against them, that would be a big problem.  Now they can try and strong-arm people into giving up their encryption keys.
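As an added illustration of the encrypt-first option above (example code, not from the original post), here is a small Go program that keeps the AES key on your own machine and hands the cloud only the sealed blob; the Vault type, its functions and the sample text are assumptions for the demo.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewLocalKey makes a random 256-bit AES key that is never uploaded.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Vault wraps the local key as AES-256-GCM (encryption plus integrity).
type Vault struct{ gcm cipher.AEAD }
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Vault{gcm}, err
}

// Seal returns nonce||ciphertext||tag, the only thing written to the cloud.
func (v *Vault) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a downloaded blob; one altered on the server fails to open.
func (v *Vault) Open(blob []byte) ([]byte, error) {
	n := v.gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return v.gcm.Open(nil, blob[:n], blob[n:], nil)
}

func main() {
	key, _ := NewLocalKey()
	v, _ := NewVault(key)
	blob, _ := v.Seal([]byte("private but legal: draft letter")) // constructed sample
	fmt.Printf("upload %d bytes; key and plaintext stay local\n", len(blob))
}
```

Whoever holds the blob without the key gets nothing readable, and a blob modified in storage is rejected rather than decrypted, which is the property the paragraph is after.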

Maybe you don’t care if the feds get the pictures of your dogs – I don’t – but there are many things that I do care about.  Those I don’t store in the cloud unencrypted.

Just a word of advice.

M


iOS devices safe – well sort of

It was reported yesterday that there are undocumented services in iOS that allow someone to bypass all of Apple’s security and encryption features.  The researcher did not say that either Apple or the NSA were using these features, but….

The researcher, Jonathan Zdziarski, reported his findings at the HOPE/X conference in New York.  According to Zdziarski, the data collected is of a personal nature and the hooks to do this are not documented in any Apple documentation.

Apparently, once a device has been booted in iOS 7, the data can be accessed, even if the device is locked.

The researcher claims that several forensic software firms, such as Cellebrite and Elcomsoft, either have discovered these features or were informed about them and may be using them to suck data out of your device.

Now here is the really interesting question —

Is Apple the only vendor that has this form of back door – whether it be accidental or on purpose?

I, for one, am not going to say that Apple is in bed with the Feds, but it will be interesting to hear what their response to this is.  No response, in my opinion, is tantamount to admitting they did this on purpose.  If they say “trust us”, DO NOT.

M
