• Insider Threats Force Balance Between Security and Access
    CIO (04/23/15) Corbin, Kenneth

    Speaking at a recent Symantec-hosted panel discussion on insider threats and other cybersecurity issues, Fairfax County, Va., CISO Michael Dent said IT leaders can help their cause with prudent policies that limit who can access what kinds of data. Organizations must broaden their understanding of what constitutes an insider threat, because in the typical enterprise, access to sensitive systems and information extends well beyond in-house staff, Dent says. He notes insider threats are not just employees, but “also are your contractors, your vendors—your volunteers, potentially—that come in and work for you.” Traditional perimeter defenses such as firewalls and intrusion detection are not going to protect against threats coming from within the organization, Dent warns. Although putting in policies to address bad actors is relatively easy, it is far more difficult to develop an appropriate framework for access and permissions that balances strong security protocols against an open workplace in which employees increasingly expect to work remotely and on a variety of devices. Dent says Fairfax County currently runs on a least-privilege system, strictly limiting access to certain data assets based on job function and responsibility. The county also has implemented a tough policy for offenders who violate the organization’s data-access rules.


  • Enterprise Security Threat Level Linked to User Demographics, Industry and Geography
    Security Magazine (04/15)

    The study “Running the Risk” by Aruba Networks shows that there is a shocking disparity in security practices in the corporate world. More than 11,500 workers across 23 countries were questioned, and overall, researchers found that employee attitudes are shifting toward more sharing of devices in the workplace. Aruba found that six in ten people share their work and personal devices with others, and nearly a fifth of employees do not have passwords on their devices. Additionally, 31 percent of workers admitted to having lost data due to the misuse of a mobile device, and nearly nine in ten believe their IT departments alone will keep them protected. The report found a level of disparity among industries when it comes to the treatment of mobile devices. High-tech employees are almost two times more likely than hospitality or education workers to give up their device password if asked for it by IT. However, educators are 28 percent more likely to write passwords on a sheet of paper compared to those in high tech. The survey found that 37 percent of those surveyed did not have any type of basic mobile security policy in place, and Aruba suggests that businesses may not be prepared for what lies ahead.


  • London (CNN) -- British police investigating a spectacular heist in the heart of London’s jewelry district said Friday they knew a burglar alarm went off but didn’t respond.

    Southern Monitoring Alarm Company called the Metropolitan Police Service, also known as Scotland Yard, at 12:21 a.m. April 3 to report that the burglar alarm had been activated at Hatton Garden Safe Deposit Ltd., MPS said in a prepared statement.

    “The call was recorded and transferred to the police’s CAD (computer-aided dispatch) system,” the statement said. “A grade was applied to the call that meant that no police response was deemed to be required. We are now investigating why this grade was applied to the call. This investigation is being carried out locally.

    “It is too early to say if the handling of the call would have had an impact on the outcome of the incident.”

    The theft was so big that police haven’t come up with a value for what was stolen.

    Over the four-day Easter holiday, an unknown number of thieves broke into the vault of Hatton Garden Safe Deposit Ltd. and might have been able to take as long as four days to rifle through the boxes.

    A former police official in London has speculated that the loss could run to £200 million, or $300 million, in a remark widely reported by news media.

  • Wall St. Is Told to Tighten Digital Security of Partners
    The New York Times (04/09/15) P. B7 Goldstein, Matthew

    New York Department of Financial Services Superintendent Benjamin Lawsky revealed that a survey of 40 banks found that only about 33 percent require their outside vendors to notify them of any breach in their own networks that could compromise confidential information of the bank and its customers. Less than 50 percent of banks surveyed conduct regular on-site inspections to ensure vendors have adequate security measures in place, and only about half require vendors to provide a warranty that their products and data streams are secure and virus-free. Lawsky said that banks and other financial institutions clearly need to do more to improve their oversight of vendors and to improve their own cyber security. “Things are in a great state of flux in terms of the institutions and for regulators, too, but all of these things need to be tightened up in a very serious way,” he noted. Lawsky’s office continues to work on guidelines for banks and other financial firms to monitor and improve the security of outside vendors, and one recommendation could be that financial firms obtain guarantees from vendors about security quality through the contracting process. Another area of concern for financial firms is the security of large law firms that conduct regulatory work for banks and advise them on corporate transactions. Moreover, the bank survey found that U.S. financial firms tend to lag behind their European counterparts in terms of safeguarding information shared with third-party vendors. Lawsky’s office also has sent a similar survey on vendor oversight to insurance companies. “The fight against cyberterrorism and cybercrime is one that is not going away. We need to start that fight with certain basic hygiene tests and that involves tightening your security with vendors and tightening your security with multifactor authentication,” he said.


  • Surprising Number of Cyber Attacks Aim to Destroy, Not Steal
    Reuters (04/07/15) Menn, Joseph

    Hacking attacks that destroy rather than steal data or that manipulate equipment are far more prevalent than widely believed, according to a survey of critical infrastructure organizations throughout North and South America. The poll by the Organization of American States, to be released on Tuesday, found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered “attempts to manipulate” their equipment through a control system. Those figures, provided exclusively to Reuters ahead of the official release, are all the more remarkable because only 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal. Destruction of data presents little technical challenge compared with penetrating a network, so the infrequency of publicized incidents has often been ascribed to a lack of motive for attackers. Now that hacking tools are being spread more widely, however, more criminals, activists, spies and business rivals are experimenting with such methods.