Wednesday, November 26, 2014

Security Management Weekly - November 26, 2014

Corporate Security
  1. "Home Depot Facing at Least 44 Civil Suits in Data Breach"
  2. "UVA to Tackle Sexual Assaults After Alleged Gang Rape"
  3. "Banks Open With More Security in St. Louis"
  4. "Retailers Beefing Up Security Against Data Breaches"
  5. "Acting Out: Cyber Simulation Exercises"

Homeland Security
  1. "Security in Ferguson Is Tightened After Night of Unrest"
  2. "Nations Ponder How to Handle European Fighters Returning From Jihad"
  3. "New Deportation Approach Targets Convicted Criminals, Threats to National Security"
  4. "Iran Nuclear Talks to be Extended Until July"
  5. "Pentagon Mulls "Byte for a Byte" Cyber Retaliatory Operations"

Cyber Security
  1. "Powerful New Cyber Espionage Program Said Discovered"
  2. "Hackers Attacked the U.S. Energy Grid 79 Times This Year"
  3. "Cyber Security Awareness Still in Its Infancy, Says SANS Institute"
  4. "Cyber Crusaders"
  5. "The Top Infosec Issues of 2014"


Home Depot Facing at Least 44 Civil Suits in Data Breach
Wall Street Journal (11/25/14) Calia, Michael

Home Depot reports that it faces at least 44 civil lawsuits in the U.S. and Canada related to a widespread data breach at the home-improvement retailer earlier this year. The company -- which is also under investigation by several state and federal agencies -- says its investigation of the breach continues, and it is still assessing its financial and other impacts. In a bid to prevent future attacks, Home Depot has completed a project that encrypts customer credit-card data at the point of sale in all of its U.S. stores. It also expects to roll out the encryption system to its Canadian stores by early next year. Additionally, Home Depot says its U.S. stores will soon have EMV chip-and-PIN technology, which helps authenticate transactions with debit and credit cards. The company revealed earlier this month that 53 million customer emails were stolen in a cyberattack that had also compromised an additional 56 million customer credit-card accounts, an intrusion the retailer had previously disclosed in September. The breach resulted in $28 million of pretax expenses in the most recent earnings period.


UVA to Tackle Sexual Assaults After Alleged Gang Rape
Wall Street Journal (11/25/14) Bauerlein, Valerie; Belkin, Douglas

The University of Virginia (UVA) has suspended Greek social activities and will reexamine its approach to sexual assault after accusations of rape emerged on the campus. A Rolling Stone article, published Nov. 19, described an alleged gang rape at a UVA fraternity house and also examined the broader issue of sexual assault on college campuses. Members of UVA's Greek system, which has been hit by the rape allegations, are pledging to examine members' behavior during social events. The federal government also is looking more closely at the failure of U.S. colleges and universities to adequately report sexual assaults. The number of such assaults on college campuses increased by 50 percent between 2001 and 2011, the federal government reports. The U.S. Department of Education's Office for Civil Rights has 88 pending investigations into the handling of sexual-assault cases on college campuses. One in five undergraduate women will experience sexual assault at some point in their college life, according to the U.S. Justice Department, although fewer than 5 percent of rape victims in college report the assault to law enforcement.


Banks Open With More Security in St. Louis
St. Louis Business Journal (11/25/14) Edwards, Greg

Banks in the St. Louis, Mo., area are largely open and keeping regular hours despite ongoing protests in Ferguson following the grand jury's decision in the shooting of Michael Brown. Midwest BankCentre closed its Clayton branch and mortgage offices on Tuesday because they are located close to government buildings and a police staging area, which could affect the drive-up facilities, according to CEO Jim Watson. The bank also hired additional security officers. Carrollton Bank also closed its Clayton branch on Tuesday and has had a security guard at the facility for several weeks, which it expects to keep in place "for the foreseeable future," according to CEO Tom Hough. Central Bank of St. Louis has hired additional security for its Ferguson branch, as has First Bank, which is delaying the opening of its branches until 10:00 a.m. Other banks in the area have not reported any disruptions.


Retailers Beefing Up Security Against Data Breaches
Detroit News (11/24/14) Abdel-Razzaq, Lauren

There have been just under 700 major data breaches reported this year, up 25 percent from last year, according to new data from the Identity Theft Resource Center, and there are signs that retailers are waking up to the threat. According to eBay's Enterprise 2014 Holiday Retail Audit, 65 percent of large retailers say they have heightened concerns about data security, even though 77 percent say they have not experienced a data breach. A PricewaterhouseCoopers survey of 758 American companies finds that $4.1 billion has been spent to protect respondents from cyber threats this year, a number that PWC expects to grow by $2 billion in 2017. Still, there is more that companies could be doing. Karl Volkman, chief technology officer at SRV Network Inc., says companies will need to bring on security consultants, increase the size of their IT security staffs, and keep themselves up-to-date on the latest threats.


Acting Out: Cyber Simulation Exercises
SC Magazine (11/03/14) Robinson, Teri

Simulation exercises for organizations can improve cybersecurity by encouraging preparedness in a way that classes and email advisories cannot offer. Such activities can help organizations build “muscle memory” to help them react to problems, says Ed Powers, national managing partner of Deloitte & Touche's Cyber Risk Services practice, which observed the Quantum Dawn II cybersecurity exercise held last year by the Securities Industry and Financial Markets Association (SIFMA). Karl Schimmeck, vice president of financial services operations at SIFMA, said that the simulation created a game-like feel that engaged participants. It also helps them identify potential problems before an actual emergency. After participating in a cybersecurity simulation, many organizations find weaknesses in communications and the flow of information among stakeholders. These exercises also help employees understand what to look out for and what their responsibilities are in case of an incident. Sara Hall, deputy chief information security officer at the U.S. Department of Health and Human Services, says that simulations should be well organized and as similar to reality as possible. Simulations should have clear objectives and set goals, and participants should comprise a good cross-section of the organization's stakeholders. The exercises also should be sector-specific, with results that the organization can put into action.


Security in Ferguson Is Tightened After Night of Unrest
New York Times (11/26/14) P. A1 Davey, Monica; Fernandez, Manny

A grand jury’s decision not to indict Darren Wilson for the fatal shooting of Michael Brown set off a night of arson and looting in Ferguson, Mo., prompting Gov. Jay Nixon to announce Tuesday that he would increase the number of National Guard troops in the city and expand their powers in keeping the peace. More than 2,200 members of the Guard had been called for possible duty, and 1,200 were in and around the St. Louis region on Tuesday evening. On Monday evening, 700 Guard members had been primarily limited to protecting government buildings. Public officials, community leaders, and clergy have attempted to explain how the protests got even worse than those that followed Brown's death in August. “I don’t think we were underprepared, but I’ll be honest with you, unless we bring 10,000 policemen in here, I don’t think we can prevent folks that really are intent on destroying a community,” said Chief Jon Belmar of the St. Louis County Police. In a speech in Chicago, President Barack Obama said that Attorney General Eric H. Holder Jr. would undertake a major review of U.S. policing practices.


Nations Ponder How to Handle European Fighters Returning From Jihad
New York Times (11/24/14) Eddy, Melissa

European governments are trying to keep suspected Islamic radicals from joining the fighting in Iraq and Syria. At the same time, there is a growing fear that returning militants may stage further violence on their home soil. Several nations have proposed legislation that expands authorities’ ability to pursue suspected extremists, or to prevent nationals from returning to their homes for a period of time. Many security experts, social workers, and psychiatrists argue that a blanket approach to returning fighters could only increase the alienation of those populations at greatest risk of sympathizing with jihadists. Palestinian-born psychologist Ahmad Mansour says that the few fighters he has counseled are often severely traumatized or eventually reject the extremist ideals of the groups they left behind. Encouraging public alarm over former fighters also could make their families less willing to inform the police, which makes it harder to monitor returnees. Richard Barrett, a former British intelligence officer, has suggested that disillusioned returnees be approached as a resource rather than a threat. Other experts have called on governments to emphasize rehabilitation for returning fighters.


New Deportation Approach Targets Convicted Criminals, Threats to National Security
Homeland Security News Wire (11/24/14)

On Nov. 20, President Barack Obama announced the end of Secure Communities, a program created to identify deportable undocumented immigrants who had committed crimes by granting federal immigration agents access to fingerprint records collected by local police. The program made immigrants fearful of law enforcement and led to the deportation of people who had been arrested only for minor crimes. In one case, an undocumented immigrant was placed in deportation proceedings after she called the police for help in a domestic violence dispute. The Priority Enforcement Program, Obama's new initiative, targets only undocumented immigrants who have been convicted of serious crimes or who pose a threat to national security. Many local and state law enforcement agencies had complained that Secure Communities required them to hold inmates beyond the length of their sentences. The new initiative will require Immigration and Customs Enforcement officials to indicate that an inmate is likely deportable before making a hold request. Chris Newman, an attorney for the National Day Laborer Organizing Network, said there is now recognition that the old program was a failure, but many are still skeptical about what the new initiative will mean for broader immigration reform.


Iran Nuclear Talks to be Extended Until July
Associated Press (11/24/14)

Nuclear negotiators trying to reach a deal that would ease international concerns about Iran's atomic program are poised to extend the negotiations for a comprehensive agreement until July 2015, diplomats report. Under the terms of limited agreements reached after a frenetic six days of talks in Vienna, a political accord is to be completed by March 1, with final details contained in annexes to be sealed by July 1. Iran, the five permanent members of the U.N. Security Council and Germany had set a deadline of midnight on Nov. 24 to come to a final agreement on a mechanism whereby Iran's pathways to develop a nuclear weapon would be closed in return for relief from international sanctions. Instead, British Foreign Secretary Philip Hammond said it "was not possible to meet the deadline" due to wide gaps on well-known points of contention, including levels of uranium enrichment and the number of centrifuges Iran would be allowed to operate. He stressed that while July 1 was the new deadline for a comprehensive deal, the expectation was that broad agreement would be in place by March 1. In the interim, expert level talks will resume in December at an as yet undetermined venue and Iran will receive about $700 million per month in frozen assets, Hammond said.


Pentagon Mulls "Byte for a Byte" Cyber Retaliatory Operations
Homeland Security News Wire (11/24/14)

In a recent article on the Huffington Post, Stephen Bryen, founder and CTO of mobile security firm Ziklag Systems, and Ziklag CCO Rebecca Abrahams advocate that the U.S. government adopt a "byte for a byte" retaliatory policy for hostile cyberattacks and data breaches. Bryen and Abrahams say that despite U.S. efforts to harden and protect critical infrastructure, it remains vulnerable to cyberattacks, and many people still fail to understand the potential impact of such attacks. "There is a prevailing attitude in America, even at the highest level, that security vulnerabilities are not too big a concern. That is why some of our top officials don't hesitate to use compromised smartphones for sensitive conversations," writes Abrahams. The two also point to the widespread use of commercial off-the-shelf systems manufactured in China that could serve as conduits for hacking, surveillance, and theft. Abrahams and Bryen say the U.S. needs a comprehensive strategy for responding to cyberattacks and espionage, and they argue the "byte for a byte" approach is the best solution. Abrahams says the strategy is readily understood and that potential adversaries will "know they will lose because we have far more cyber resources to draw on than they have, and we can cause real harm if they mess with us."


Powerful New Cyber Espionage Program Said Discovered
Wall Street Journal (11/24/14) Mizroch, Amir

A sophisticated computer spying program has been monitoring computers in Saudi Arabia, Russia, and other countries since at least 2008, according to Symantec. The software, called Regin, is comparable, in its complexity and in the way it hides its presence, to the Stuxnet malware that attacked Iran's nuclear-enrichment facilities. Symantec said Regin infections were observed between 2008 and 2011, after which the malware was abruptly withdrawn; a new version resurfaced from 2013 onward. It is modular and customizable, deploying different capabilities for different targets. The spyware targeted private companies, government entities, research institutes, and telecommunications companies. The latter were targeted in a way designed to gain access to calls being routed through their infrastructure, Symantec said.


Hackers Attacked the U.S. Energy Grid 79 Times This Year
CNNMoney.com (11/18/14) Pagliery, Jose

Hackers attacked the U.S. energy grid 79 times this year, in some cases gaining access that could potentially have let them flip switches. Energy companies are so vulnerable because their industrial control systems still rely on 1970s-era technology that does not get upgraded, since doing so would interrupt service, says David Kennedy, CEO of TrustedSec. "The energy industry is pretty far behind most other industries when it comes to security best practices and maintaining systems," says Kennedy. The implications are serious enough that the Department of Homeland Security and the FBI are now touring 12 U.S. cities, hosting classified meetings with energy providers and utility companies to brief them on the danger. Still, hackers have not been able to turn off the lights. The companies have cybersecurity teams and separate their corporate computers from the stations that control critical machinery, and firewalls and passwords also help. A calculated, coordinated army of hackers would probably be needed to take out a city's power. For now, storms pose a more potent threat of power outages than hackers do.


Cyber Security Awareness Still in Its Infancy, Says SANS Institute
ComputerWeekly.com (11/18/14) Ashford, Warwick

Government agencies and other organizations increasingly are displaying an interest in adopting cybersecurity awareness programs, although most organizations are in the early stages of this effort and many are not doing enough to make employees and other end users aware of potential cybersecurity threats, according to the SANS Institute's Lance Spitzner. He says one way in which organizations are generally failing at cybersecurity awareness is by neglecting to educate end users about the risks associated with phishing and other social-engineering attacks. Such attacks are being used to infect organizations' systems with malware, which can in turn be used to facilitate advanced cyberattacks. However, adopting a cybersecurity awareness program can help reduce the amount of potentially risky behaviors end users engage in. Spitzner notes providing employees with phishing awareness training has been shown to reduce the percentage of workers who click on links in test phishing messages from 40 to 60 percent to less than 5 percent in just six months. Spitzner also recommends organizations of all sizes, not just large organizations, implement cybersecurity awareness programs. He notes even small organizations can be targeted by cyberattacks because they may have information that is of interest to attackers.


Cyber Crusaders
Security Management (11/14) Stowell, Holly Gilbert

Penetration testing is an important part of the effort to protect information systems from attackers, cybersecurity experts say. Organizations covered by the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, as well as by industry standards like the Payment Card Industry Data Security Standard, are required to perform such tests, although Foreground Security senior penetration tester Tom Keigher says all companies should perform them at least once a year. Keigher notes that penetration tests are important because they can help organizations identify issues that would allow attackers to fully compromise their networks. He cites one recent penetration test that found an organization's network-monitoring tool stored credentials for other parts of the network. This risk was magnified by the fact that no one at the organization that requested the test knew who had developed the network-monitoring tool. Keigher notes that the presence of the vulnerability, coupled with the lack of knowledge about who developed the tool, could have allowed an attacker to maintain access to the organization's systems without having to re-exploit the flaw in the monitoring tool. Experts say organizations should follow several best practices to obtain the most benefit from penetration tests, including making mission-critical systems off-limits to pen testers.
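The monitoring-tool finding above is a common one: a polling or monitoring system accumulates credentials for everything it watches, and they end up in plaintext configuration. The following is an added example, not code from the article or from Foreground Security, of the kind of quick scan a tester (or a defender doing an inventory) runs over configuration files to find such stored credentials before an attacker does. The sample configuration and every value in it are constructed for illustration; the pattern set is an assumption about common formats (key/value assignments, credentials embedded in connection URLs, SNMP community strings), not an exhaustive list.

```python
import re
from typing import Dict, List

# Constructed sample resembling a network-monitoring tool's configuration.
# Every host name, user and secret here is made up for this example.
SAMPLE_CONFIG = """\
# poller settings (constructed example)
snmp_community = public
db_url = postgres://monitor:Sup3rS3cret@db01.internal:5432/metrics
ssh_user = svc_poll
ssh_password = "Winter2014!"
api_token=AKIAEXAMPLEKEY0000000000
timeout = 30
log_level = info
"""

# Each entry: (finding kind, regex). Group 1 is the identifier (config key or
# URL user), group 2 is the secret itself. Patterns are assumptions about the
# most common ways credentials land in config files, not a complete catalogue.
PATTERNS = [
    ("password-assignment", re.compile(
        r'(?i)^\s*([A-Za-z0-9_.-]*(?:pass(?:word|wd)?|secret|token|api[_-]?key)'
        r'[A-Za-z0-9_.-]*)\s*[=:]\s*["\']?([^"\'\s#]+)')),
    ("url-embedded", re.compile(
        r'(?i)\b[a-z][a-z0-9+.-]*://([^:/\s]+):([^@\s]+)@')),
    ("snmp-community", re.compile(
        r'(?i)^\s*(snmp_?community|community)\s*[=:]\s*["\']?([^"\'\s#]+)')),
]


def redact(secret: str) -> str:
    """Keep a two-character prefix so a finding can be matched to its source
    without the report itself becoming a credential dump."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def find_credentials(text: str) -> List[Dict[str, object]]:
    """Scan configuration text line by line and return one finding per
    (line, pattern) hit. Secrets are redacted in the returned records."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "kind": kind,
                    "line": lineno,
                    "name": match.group(1),
                    "redacted": redact(match.group(2)),
                })
    return findings


if __name__ == "__main__":
    for f in find_credentials(SAMPLE_CONFIG):
        print(f"line {f['line']:>3}  {f['kind']:<20} {f['name']} = {f['redacted']}")
```

Each hit is a lead, not a conclusion: the next step is to work out which system the credential unlocks and whether a compromise of the monitoring host would therefore give persistent access elsewhere, which is exactly the chain the article describes. Running a scan like this over the monitoring tool's install directory also helps answer the inventory question the article raises, since the findings show what the tool reaches even when nobody remembers who built it.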


The Top Infosec Issues of 2014
CSO Online (11/17/14) Armerding, Taylor

Cybersecurity experts say the growing threat from cyberattacks, as well as the changing nature of the attacks being carried out, are among this year's biggest information security issues. Conventus' Sarah Isaacs says cyberattacks are now a bigger threat to national security than terrorism, in part because such attacks increasingly are executed by nation-states to obtain a military advantage or for espionage purposes. Isaacs notes a case in point is the Chinese People's Liberation Army's suspected theft of American industrial secrets. Another information security issue that has attracted a significant amount of attention is the potential risk insiders pose when they act maliciously or make mistakes such as opening phishing messages. This issue is particularly concerning for the federal government, where 63 percent of the security breaches last year were the result of human error. Experts say some of these errors can be attributed to the use of more sophisticated attack methods, although executives who do not know what steps are necessary to protect sensitive data also are part of the problem. Experts cite several ways organizations can address these and other issues that have been raised this year, including increasing employee awareness about cybersecurity, hiring trained personnel capable of protecting against emerging threats, and educating staff about the U.S. Department of Homeland Security and National Institute of Standards and Technology frameworks.


Abstracts Copyright © 2014 Information, Inc. Bethesda, MD