Monday, September 15, 2008
Most data breaches discovered too late, study says
500 investigations examined, with ugly results
Brad Reed
June 12, 2008 (Network World) Most companies only learn about network data breaches in the months after their data has already been compromised, according to a new study.
The study, conducted by Verizon Business, looks at data breaches in a wide variety of industries, such as retail, food and beverage, technology services, and financial services, and it examines more than 500 forensics investigations involving roughly 230 million records over a period of four years.
Looking at the big picture, the study finds that three-fourths of all data breaches lead to compromised data within a matter of days. Despite this, the study also finds that 63% of enterprises don't learn about data breaches until months after their data has been compromised. What's more, 70% of all data breaches are discovered by third parties, such as customers or banks, meaning that most companies have no idea that their data has been compromised until they are alerted by an outside voice.
And even after breaches are discovered, the study finds that nearly half of them take weeks to fix, while only 37% are fixed within a matter of days or hours.
A strong majority (73%) of enterprise data breaches come from external sources, while only 18% come from internal sources such as IT administrators or employees. However, while internal data breaches are far less common than external data breaches, they are far more damaging to data security: A median of 375,000 records are compromised during internal security breaches, compared with a median of 30,000 for external security breaches, according to the study.
The most popular method for breaching company data is hacking, which accounts for 59% of all data breaches studied. Thirty-nine percent of all hacks occur at the application or service layer, while 23% occur at the operating system or platform layer. Interestingly, the study finds that 18% of all hacks exploit known data vulnerabilities. Of these known vulnerabilities, fully nine-tenths had patches available for six months prior to the breach.
The study lists several ways for businesses to guard themselves against future data breaches, most of which do not require a heavy investment in upgrading IT infrastructure. In the first place, the study says that companies fail to actually enact their established security policies. The study also notes that 83% of all network attacks are not difficult to thwart and that 85% are opportunistic attacks that are not directed against a particular entity but are rather initiated randomly through techniques such as phishing.
What's more, the study finds that evidence of 82% of all breaches studied is available to the victims, but that this evidence is not noticed or acted upon. Thus, the study recommends that enterprises concentrate on enforcing the basics of data security -- such as actively monitoring data logs and creating data-retention plans -- before they take extra precautions against sophisticated hacking or malware assaults.
"Security breaches and the compromise of sensitive data are very real and growing concerns for organizations worldwide," says Peter Tippett, vice president of research and intelligence at Verizon Business Security Solutions. "This can help companies better understand data breaches. ... Most importantly, it urges organizations to be proactive in their approach to security."
Hotel chain latest victim of cyberthieves
The Best Western hotel chain has reportedly suffered what is being claimed as the world's largest cybercrime, the identity theft of eight million customers.
A Scottish newspaper, the Sunday Herald, reported late last week that hackers placed a trojan on the hotel chain's European reservation system, capturing a clerk's password to gain entry to the group's online booking system.
The intruders then reportedly sold details of how to gain access to the system to a Russian gang. The attack was noticed when the Best Western database, which included guests' names and credit card numbers, was offered for sale on an underground forum.
Responding to the newspaper report, Best Western issued a statement admitting there had been a breach, but claimed that on Friday, it closed the entry point in its system that allowed access to the hackers. The company also refuted claims that its data had been compromised. It also sought to reassure its customers that it is taking appropriate action.
The chain, which has more than 4,200 hotels in 80 countries, responded that the charges in the newspaper report were “grossly unsubstantiated … We have found no evidence to support the sensational claims ultimately made by the reporter and newspaper.”
It also stated that it complies with Payment Card Industry (PCI) Data Security Standard (DSS), and that to maintain that compliance, it uses a “secure network protected by firewalls and governed by a strong information security policy.”
The chain added that it only collects credit card details when processing a reservation and then encrypts that information, deleting it when the guest departs. Also, the company restricts access to that data to only those people who require it.
However, despite these appropriate information security strategies, experts point out that there are ways a hacker may have gained entry to the company's network, most likely via a traffic-sniffing trojan.
Ed Moyle, manager at CTG, which provides IT solutions to Global 2000 clients, said Best Western may be correct in its assessment of the breach's extent. But the news is already out and the company's reputation could be harmed, he said.
“It's an unfortunate outcome for what appears to be a smaller-than-reported data loss,” he said. “In an ideal world, companies ought to be looking at how they can prevent this sort of thing with the ultimate goal of not having to put out a retraction.”
Moyle said there appears to be nothing more Best Western could have done to prevent the compromise.
"Yes, they were in compliance with [PCI], it's a useful bar to meet, but that doesn't guarantee loss prevention," he said. "There are always going to be breaches."
ID Theft Red Flags Rule: How to Help Your Business Customers Comply
Auto Dealers, Mortgage Brokers, Utility Companies are Among Non-Banking Entities That Must Comply by Nov. 1
September 8, 2008 - Linda McGlasson, Managing Editor
With all the focus on banks and credit unions' work to comply with the ID Theft Red Flags Rule, many in the financial services industry have forgotten that the largest share of entities impacted by this new regulation are non-banking institutions -- finance companies, automobile dealers, mortgage brokers, etc.
And while banking institutions have their own hands full ensuring Red Flags compliance, they still can perform great customer service by assisting business customers who also must comply with the regulation.
The Red Flags Rule is part of the Fair and Accurate Credit Transactions (FACT) Act of 2003. Under this rule, financial institutions and creditors with covered accounts must have identity theft prevention programs in place by November 1, 2008, to identify, detect, and respond to patterns, practices, or specific activities that could indicate identity theft.
Banking regulatory agencies are working with their institutions to ensure compliance. Meanwhile, the Federal Trade Commission oversees compliance by the rest of the covered entities identified as creditors.
Which Non-Banking Entities Must Comply?
The FTC has an extensive outreach effort to explain the Rule in greater detail. According to Tiffany George, attorney in the FTC's Division of Privacy and Identity Protection, many companies that don't think of themselves as creditors, or don't believe they need an identity theft prevention program, are in fact deemed covered entities under this rule.
These covered entities, no matter how small, need to design and implement an identity theft prevention program, George adds.
She reminds companies that the rule is not based on what kind of information a business collects, but whether it is a financial institution or a creditor. "A creditor is broadly described as anyone who defers payment on a debt, or anyone who defers payment on goods or services," George says.
Further, a creditor is:
Any entity that regularly extends, renews or continues credit;
Any entity that regularly arranges for the extension, renewal or continuation of credit;
Any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors do include:
Finance companies,
Automobile dealers,
Mortgage brokers,
Utility companies,
Telecommunications companies.
Healthcare providers who defer payment (provide credit) for patients also fall under creditor status according to the rule. Any interaction where a consumer is not paying up front makes the business a creditor. "So in the healthcare context, even where a consumer offers insurance (that would normally cover the bill), if the patient is still ultimately responsible for medical fees not covered by insurance, then that hospital or doctor's office would be considered a creditor," George explains.
Other examples of companies that would fall under the ID Theft Red Flag rule: Home improvement service companies that offer monthly repayment schedules for customers' home improvement projects such as siding, window replacement and remodeling.
"Entities need to realize this applies to anyone who defers payment for a good or service," George says. "Even mom and pop stores that offer monthly credit to customers would fall under this rule. Again, the nature of their program should be tailored to the nature of their business. If their business isn't complex, then they could have a very straightforward, streamlined program."
Where non-profit and government entities defer payment for goods or services, they, too, are considered creditors. Most creditors, except for those regulated by the federal bank regulatory agencies and the NCUA, are under the jurisdiction of the FTC.
The Requirements
Under the Red Flags Rule, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.
The guidelines issued by the FTC and the federal banking agencies can help a creditor design and put in place a program appropriate to its size, complexity and the nature of its business, says George.
Businesses should be watching for the 26 possible red flags identified in the guidelines. These red flags should be used as a starting point by creditors and fall into five categories:
• Notifications, alerts, or warnings from a consumer reporting agency;
• Suspicious documents;
• Suspicious personally identifying information, such as a suspicious address;
• Unusual use of - or suspicious activity relating to - a covered account;
• Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.
The nature of a company's ID theft prevention program will vary based on a company's business, says George. "It will involve things such as proper identification and authentication of customers; looking for anomalous activity in customer accounts; and looking for any suspicious or forged documentation," she notes.
Outside the banking industry, the FTC will enforce the rule against companies that don't comply. "We expect covered entities to be compliant by November 1," she says.
Entities that aren't compliant by then will be in violation of the rule and subject to civil monetary penalties of up to $2,500 for every violation. Violations will be considered on a case-by-case basis, says George.
Security Awareness Overview: Tips for Tackling ID Theft Red Flags Rule Compliance
Examination Procedures, Training Programs Take Center Stage as Nov. 1 Nears
September 5, 2008 - Tom Field, Editorial Director
When I started this job a year ago and reached out to banking/security leaders, the overwhelming message I got was "Security awareness - we don't do it well."
For banking institution employees, maybe there was an information security training seminar when they first started. Or an occasional workshop on identity theft or social engineering.
For customers, "statement stuffers" were the operative words.
Then along came the Identity Theft Red Flags Rule, and suddenly banking institutions were required - by Nov. 1, mind you -- to strengthen, document and implement new awareness programs for employees and customers alike. This requirement has been one of the biggest challenges faced by institutions this year, and it was a major focus of our news coverage in the month of August.
Looking back on our month-long focus on training and education, let's start with the word from the top. The Office of Thrift Supervision (OTS) became the first regulatory agency to reveal its examination procedures for ID Theft Red Flags Rule compliance in this piece: ID Theft Red Flags Rule Examination Procedures Unveiled
These procedures include 15 separate examination steps related to three principal elements of the new rule:
Identity Theft/Red Flags;
Change of Address;
Address Discrepancies.
And training - including for board members - is a significant component of these procedures.
So, knowing that the training program is such a critical element of compliance, we examined expectations, progress and best practices in these articles:
ID Theft Red Flags Rule: 3 Keys to Successful Awareness Programs
Regulators Discuss What's Missing Now, What Will Be Sought in Future Exams
ID Theft Red Flags: Essential Elements of Customer Awareness
With New Focus on Prevention, Examiners Will Be Looking Beyond Statement Stuffers
Best Practices in Building Security Awareness
Insights on Keeping an Information Security Training Program Robust and Interesting
While on the topic of Red Flags compliance, I also have to recommend this blog posting by my colleague, Mike D'Agostino (and if you've not been following our blogs, please do take a minute to visit http://blogs.bankinfosecurity.com/):
ID Theft Red Flags: The Only Compliance Initiative Your Customers Care About
Beyond Red Flags, we also tackled other angles of training and education as they relate to banking/security, and I have to recommend this recent interview with Gene Spafford, one of the gurus of security education. Spaff has lots to say about the state of security education and how to start or jumpstart a career in the field. Listen to or read his insights here:
The State of Information Security Education: Interview with Prof. Eugene Spafford
And I'd be remiss if I didn't share some of the other hot stories we covered in the month of August. In case you missed them, please check out these top articles:
Top 6 Regulatory Issues of 2008 - and What's Coming Next
Red Flags and Vendor Management are Big Now, But Remote Deposit and PCI Could be Among the Next Hot Topics
TJX Arrests Are 'Tip of the Iceberg'
Largest ID Theft Case in History is Just a Symptom of True Global Threat, Experts Say
Wells Fargo Reveals Data Breach
Thousands of Consumer Records Compromised by Data Theft from Vendor