Saturday, February 1, 2014

Dyman & Associates Risk Management Projects: Preventing the Next Data Breach

The alarming discovery that hackers stole the credit card and personal information of tens of millions of Americans from Target’s computers is yet another reminder of human vulnerability in the digital age. The more practical and immediate lesson, however, is that retailers, banks and other corporations can do far more than they have done so far to protect customers from identity theft and financial fraud.

At last count, hackers had stolen the credit or debit card information of 40 million Target shoppers, as well as information like the names, addresses and email addresses of 70 million customers. Though the company has said little about how its system might have been compromised, experts say the attackers, who may have been based in Russia, inserted malicious software into Target’s poorly secured systems during the holiday shopping season.

It was the latest in a series of high-profile attacks against retailers like T.J. Maxx and companies that process card payments like Heartland Payment Systems.

[Are you getting the most out of your security data? See Dyman & Associates Risk Management Projects Company Overview for security trends.]

Many of the stolen card numbers have been showing up on black markets where such information is traded. Some Target shoppers have had to deal with fraudulent charges. Experts warn that things could get worse when criminals start using the personal information they’ve stolen to try to commit identity theft by taking out loans and opening new credit card accounts in the names of Target customers.

Even as the investigation into the origins of the heist continues, Target and other companies must begin investing in better security measures to keep intruders out and start investing in software that will trigger alarms when it detects unauthorized access. A Verizon report on data breaches found that nearly four-fifths of intrusions in 2012 were of “low difficulty,” meaning hackers found trespass remarkably easy.

Companies also need to think carefully about what data they are collecting and storing. By keeping lots of sensitive information, they place themselves and their customers at considerable — and in some cases unnecessarily greater — risk than if they had deleted the data or never collected it. To take one startling example, security experts say there was absolutely no reason for Target to have stored the four-digit personal identification numbers, or PINs, of their customers’ debit cards. (Target says the codes were kept in an encrypted file, but hackers have broken open encrypted documents before.)

Retailers and banks can also reduce risk by moving away from cards that use magnetic strips, which are easily faked. Many countries in Europe, Asia and elsewhere have already replaced magnetic strips with chips, which are harder to duplicate. Chip-based cards also require customers to enter a secure code before they can be used. That’s partly why the United States accounts for nearly half of all global credit card fraud, even though it generates only about a quarter of all credit card spending. American retailers, including Target, have resisted (foolishly, as it turns out) the introduction of chip-based cards because they would have to invest in new equipment to handle them. (Target now says it supports chip-based cards.)

No security measure will ever rid the economy of theft and fraud completely. But there is evidence that companies could do a lot more to protect data. 

For more information on how to protect customers from identity theft and financial fraud, visit the Dyman & Associates Risk Management Projects website.

Thursday, January 30, 2014

Dyman & Associates Risk Management Projects: US brings fraud charges against background check company

The Justice Department filed a civil complaint Wednesday against the company that handled the background checks of National Security Agency leaker Edward Snowden and Navy Yard shooter Aaron Alexis for allegedly submitting thousands of unfinished investigations as complete, and then attempting to conceal their actions after government officials caught wind of what they were doing.

At least 665,000 investigations – or 40 percent of cases submitted to the government over a four-year period – were affected by U.S. Investigations Services’ (USIS) actions, the Justice Department said. The alleged fraud continued through at least September 2012.

The complaint said that USIS engaged in a practice known inside the company as "dumping" or "flushing." It involved releasing incomplete background checks to the government but claiming they were complete in order to increase revenue and profit. The company did so knowing that there could potentially be quality issues associated with those reports, the government alleged.

USIS was involved in a background investigation of Snowden in 2011, but his particular job doesn't factor into the lawsuit. The government has contracted USIS since 1996 to vet individuals seeking employment with federal agencies.

[Are you getting the most out of your security data? See Dyman & Associates Risk Management Projects on Patch for techniques and security trends.]

The Falls Church, Va.-based company conducts hundreds of thousands of background checks for government employees and has more than 100 contracts with federal agencies.

In response to the complaint, USIS officials said that integrity and excellence are core values at USIS, which has 6,000 employees.

The government paid the company $11.7 million in performance awards for the years 2008, 2009 and 2010, according to the Justice Department court filing.

USIS senior management "was fully aware of and, in fact, directed the dumping practices," the government complaint said. Beginning in March 2008, USIS's president and CEO established revenue goals for the company. USIS's chief financial officer determined how many cases needed to be reviewed or dumped to meet those goals, the complaint added, and conveyed those numbers to other company leaders.

According to one internal company document, a USIS employee said, "They will dump cases when word comes from above,” such as from the president of the investigative service division and the president and CEO.

The background investigations that were dumped spanned most government agencies – including the Justice Department, the Department of Homeland Security, the Defense Department, the Defense Intelligence Agency, the Department of Health and Human Services, the Transportation Department and the Treasury Department.

In one example, the federal Office of Personnel Management (OPM) in April 2011 had raised concerns with USIS after tests showed that a large number of investigation reports were identified as complete when computer metadata revealed that the reports had never been opened by a reviewer. In a response to OPM, USIS falsely attributed the problems to a variety of software issues, said the Justice Department filing.

In addition, USIS ensured that all dumping practices stopped when OPM was on site conducting audits – and then resumed after OPM's auditors were gone, the government alleged.

"Most of the September miss should 'flush' in October," an email from USIS's chief financial officer said to the vice president of the investigative service division.

For more details visit our website.

Wednesday, January 29, 2014

Dyman & Associates Risk Management Projects: VMware Buys Mobile Security Firm for $1.54 Billion

Looking to shift its software offerings, VMware has struck a $1.54 billion deal to bolster its mobile technology.

VMware said on Wednesday that it had agreed to buy AirWatch, a start-up based in Atlanta that makes mobile management and security software for businesses. VMware is paying about $1.18 billion in cash and $365 million in installment payments and assumed unvested equity.

The acquisition will be financed in part with about $1 billion of debt to be provided by EMC, the majority owner of VMware. The deal, subject to regulatory approval, has been approved by the boards of VMware and AirWatch and is expected to close by the end of March.

The announcement came as VMware, based in Palo Alto, Calif., released its preliminary results for the fourth quarter, saying it expected revenue of $1.48 billion, 15 percent higher than in the period a year earlier. VMware’s stock was up nearly 3 percent in trading before the market opened on Wednesday.

[Are you getting the most out of your security data? See Dyman & Associates Risk Management Projects Blogspot Page for techniques and security trends.]

The company’s deal for AirWatch is its latest move to redefine its product portfolio in response to a changed technology landscape.

“With this acquisition VMware will add a foundational element to our end-user computing portfolio that will enable our customers to turbocharge their mobile work force without compromising security,” Patrick P. Gelsinger, VMware’s chief executive, said in a statement.

With more companies allowing employees to use their own mobile devices, AirWatch makes software to manage mobile applications and data, including a security component. The company says it has more than 10,000 customers around the world and more than 1,600 employees.

VMware has been active as both a buyer and seller in recent years. In 2013, it completed a plan to sell assets as part of its broader shift in strategy.

“By joining a proven innovator like VMware, we now have an opportunity to bring our leading-edge solutions to an even broader set of customers and partners to help them optimize for the mobile-cloud world,” Alan Dabbiere, the co-founder and chairman of AirWatch, said in a statement.

The AirWatch team is expected to continue to report to the company’s chief executive, John Marshall, as part of VMware’s end-user computing group.

Morrison & Foerster provided legal advice to VMware.

For more software offerings, visit Dyman & Associates Risk Management Projects.

Sunday, January 26, 2014

Dyman & Associates Risk Management Projects: How To Get The Most Out Of Risk Management Spend

Even with most security budgets growing or at least staying flat for 2014, no organization ever has unlimited funds for protecting the business. That's where a solid risk management plan can be a lifesaver.

Dark Reading recently spoke with a number of security and risk management experts, who offered practical tips for getting the most out of risk management. They say smart risk management strategies can make it easier to direct security funds to protect what matters most to the business. Organizations that use them typically can base their spending decisions on actual risk factors for their businesses, rather than employing a shotgun strategy that chases after every threat under the sun. Here are a couple of ways to start making that happen.

Establish A Risk And Security Oversight Board
If an organization is going to get more for its IT risk management buck, then the first thing it has to remember is that security risk is only one facet of business risk. That is why it is important to engage with cross-functional teams, says Dwayne Melancon, chief technology officer for Tripwire, who explains doing so makes it easier to look at risk holistically.

Melancon says he has seen many customers establish "Risk and Security Oversight Boards" made up of leaders such as the CFO, chief legal counsel, and other stakeholders from across the business.

"This board discusses, prioritizes, and champions actions and investments based on a risk registry developed through cross-functional debate and agreement," he says. "This approach ensures that the business ‘puts their money where their mouth is’ and helps align different parts of the business around the short list of risks that have the potential to cause most harm to the business."

Get A Second Opinion
Even if an oversight board may not be practical, getting a second opinion from the business as to where IT risk management should focus stands as a crucial way to set priorities.

"One way we've seen success with this is to engage with legal, finance, and PR instead of the IT executives," says J.J. Thompson, CEO and managing director for Rook Security. "They identify the real issues with simplicity and have not been brainwashed by the IT industry, who still struggles to realize what really matters to business."

For example, in one consulting engagement, Thompson says his CIO contact was caught up in focusing on standard ISO 27000x practices around SOC services Rook would offer his firm. But when his consultants talked to that firm's legal department, they were most concerned about how that SOC outsourcing would affect their largest defense contractor client. That was the No. 1 risk priority.

"The business was simply concerned about the highest area of risk: that which directly pertained to their largest client," Thompson says. "We shifted focus to the controls that directly reduced the risk of such a compromise occurring and tailored custom control monitoring that focused on creating a sensitive data map, and setting custom anomaly detection triggers when the sensitive data is accessed."

[Are you getting the most out of your security data? See Dyman & Associates Risk Management Projects blog updates for techniques and security trends.]

Map Risk To A Business Bloodline
What's the business bloodline for your company? In other words, what are the areas of the business for which security threats could truly disrupt the way in which the organization operates? This is exceedingly important to determine, and it is something that second opinion should help deliver. Once you figure that out, start mapping technical elements to it in order to understand what kind of events could do the organization the most harm, says Amichai Shulman, chief technology officer for Imperva.

"For some companies, a POS system or its database full of credit cards may be its most valuable assets; for some it may be Social Security numbers and the personal information attached," he says.

"For a company that bases its livelihood on transactions and uptime, the loss of revenue or customer loyalty caused by a DDoS could be devastating."

Communicate Risk Visually
A big part of risk management is communicating identified risks both up to senior management and down to the security managers who will put practices in place to mitigate them. One of the most effective ways to do that is to make those results visual.

"Pursuing risk management purely within security can help you make better decisions, but it can't help you get the right level of funding unless you can show people outside what you're doing," says Mike Lloyd, chief technology officer for RedSeal Networks. "Helping executives outside to understand is hard. Doing this with formulae won't work -- you will need pictures."

For example, Rick Howard, chief security officer for Palo Alto Networks, says that any time he starts a proposal to the executive suite, he begins with a business heat map that shows the top 10 to 15 business risks to the company on a grid. Typically cyber-risk is in that top 15, which makes it easier to get the company to address those risks more fully.

"Once that is done, I like to build a risk heat map just for cyber," he says. "I take the one bullet on the business heat map and blow it up to show all of the cyber-risks that we track. Again, this is not technical -- it is an overview. We are not trying to show the 1,000 potential ways that an adversary can get into the network. We want to show the C-suite who the adversary is."

To read more about Risk Management Projects articles, visit our website.
Saturday, January 25, 2014

CyberSecurity Malaysia: Beware, your Cyberfling could turn into a Blackmail Scam, Dyman & Associates Risk Management Projects

KUALA LUMPUR: National cybersecurity specialist agency CyberSecurity Malaysia today alerted the public to the dangers of ‘cyber flirts’, saying it is linked to a rising trend in cyber blackmail scams.

Victims are targeted via social networking sites such as Facebook, Tagged and online video chat services such as Skype, with the perpetrators believed to be foreign nationals creating a scam hub in various locations including Malaysia. 

As the victims have thus far been mainly teenage boys and middle aged men, the culprits are suspected to be working with female accomplices.

An analysis of the 80 or so reported incidents thus far revealed the modus operandi of a typical cyber blackmail scam: The perpetrator would usually create a profile on a social networking site portraying him or herself as a beautiful Asian woman, where “she” would befriend and flirt with potential victims, and subsequently invite them to intimate video chats with her using Skype.

Unbeknownst to the victims however, “she” would then secretly record the victims during the video chats and blackmail them into remitting sums of money ranging from RM500 to RM5,000 via Western Union or a third party bank account. Failure to do so would result in the video footage being circulated on the Internet.

“Only four incidents of cyber blackmail scams were reported to our Cyber999 Help Centre in 2012, but by mid-2013 we saw an upward trend,” said Dr. Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia.

He added that by the end of 2013 that number had increased exponentially to 73 cases, leading CyberSecurity Malaysia to believe that there could be many more unreported incidents.

“Malaysians are advised to be extra careful and not to entertain online seductions from women whom they got to know only in social media, but have never really known in person,” stressed Dr. Amirudin.

What to do if you are a victim of such a scam:

· Stop communicating with the perpetrator. Ignore all calls, SMSes or messages from the perpetrator.

· Remove the perpetrator from all your social media friends or contact lists, or add her to your list of ‘blocked’ contacts.

· Make all your social networking accounts private so the perpetrator will not be able to reach you or your friends.

· Keep all relevant data such as chat logs, screenshots, and e-mail messages as evidence for reporting and prosecution purposes.

· Never pay the scammers as it may further propagate the scam.

· Lodge a police report at a nearby police station together with evidence for further investigations.

· Report the incident(s) to CyberSecurity Malaysia’s Cyber999 Help Centre for further assistance, either by sending an e-mail to cyber999@cybersecurity.my or by calling 1-300-88-2999 (monitored during business hours). In case of an emergency outside regular working hours, send a text message to 019-266 5850.

CyberSecurity also added general words of advice to Internet users:

· Be aware that anything you do on the Internet, including video and voice calls, can be recorded and manipulated for malicious purposes.

· Adhere to best practices, and religious or social ethics, when on social networking sites and online chat forums.

· Be very cautious who you befriend, and do not feel obligated to fulfill all requests from other users while online.

· Be alert and suspicious of unusual activities on the Net and immediately report it to relevant authorities.

· As a preventive measure, configure your Skype account to restrict communications with only your existing contact list by doing the following: Go to > Tools > Options > Privacy > Only Allow IMs, Calls etc from People on my Contact List > SAVE.

· Always make sure your software and systems are up-to-date, and that you are using up-to-date security software.
· Never use your webcam to video call someone you do not know.

Thursday, January 23, 2014

Dallas Firm iSight Vaults to National Attention with Cyber Scam Report, Dyman & Associates Risk Management Projects

Target shoppers won't be the only ones who have had their personal information breached, says John Watters of iSight Partners.

In business, when a customer of a company becomes an investor in the company, that’s a strong endorsement.

An even stronger endorsement might be when a company emerges as an ally of the U.S. Secret Service and the Department of Homeland Security in the effort to track cyber scammers who stole the personal information of tens of millions of credit and debit card customers.

Both are true for iSight Partners, a global cyber intelligence firm started here in 2006 by Dallas native John Watters.

“That’s two signs of credibility,” Watters said in an interview Friday, a day after iSight issued a joint publication with federal agencies that said the security breach during the holiday shopping season was part of a sophisticated cyber scam that affected several retailers.

Last year, iSight received funding from Blackstone, the giant investment firm. During the previous year, Blackstone had been a customer, relying on iSight to better understand the cyber threats it faced.

With iSight’s new report, Watters and his company vaulted to national attention.

He said his Friday was packed with news interviews. And he warned that the fallout from this round of cyber-attacks is probably not over.

“There’s likely a heck of a lot of victims out there who don’t yet know they are victims,” Watters said.

“This is going to unfold over days, weeks and months.”

He said iSight couldn’t mention specific names of retailers involved. News reports have indicated at least two, Target and Neiman Marcus.

Watters said that while the origin of the malware source code used was Russian, iSight and federal authorities do not know where the attacks originated. “It’s like buying a gun in Russia and selling it in Brazil,” he said.

He said his company detected the malicious software — dubbed Kaptoxa (Kar-toe-sha) — being sold around the world last summer. By now, it has potentially infected a large number of retail information systems, he said.

Watters, an entrepreneur, said that he started investing in cyber security firms in the early 2000s. He became chairman and CEO of Virginia-based I Defense, a security intelligence firm acquired by VeriSign for $40 million in 2005, according to reports then.

“I bought it for $10 out of bankruptcy in 2002,” Watters said of I Defense.

On its website, iSight says its network of security analysts numbers more than 200 in Washington, D.C., the Netherlands, Brazil, Ukraine, India and China. The company operates in 24 languages in 16 countries.

Using a sports analogy, Watters said his company creates playbooks to help organizations defend against potential adversaries in different circumstances. These plans provide specific information to counter discrete threats, such as the recent attacks on retailers’ point-of-sale systems.

“We give them the equivalent of an audible,” Watters said.

In an interview with ExecutiveBiz in 2010, Watters said his business “always tries to intersect the future rather [than] replicating the current.”

“It’s a risky way to roll, but way more fun,” he said.

IN THE KNOW / BE VIGILANT

On its website, iSight advises retailers who believe their point-of-sale system has been compromised to immediately contact the local Secret Service/Electronic Crimes Task Force field office.

The company advises consumers to be vigilant but not worried:

Regularly check bank statements for fraudulent charges, monitor credit statements for unusual activity, and do not open email from unknown or suspicious sources.
If you receive an email from what appears to be your bank or financial institution, do not open the email or click on any links. Instead, contact your financial institution directly via phone or website to avoid any phishing scams.

Wednesday, January 22, 2014

Target Security Breach Appears to be Part of Broader Scam, Dyman & Associates Risk Management Projects

NEW YORK — The security breach that hit Target during the holiday season appears to have been part of a broader and highly sophisticated scam that potentially affected a large number of retailers, according to a report published by a global cyber intelligence firm that works with the U.S. Secret Service and the Department of Homeland Security.

The report, made public Thursday by iSight Partners of Dallas, offers more insight into the breach at Target. That attack affected 40 million credit and debit card accounts and led to the theft of personal information, including e-mail addresses and names, of as many as 70 million customers.

The report said a malicious program vacuuming personal data from terminals at store checkout stations was “almost certainly derived” from BlackPOS, a crude but effective piece of software that contained malware scripts with Russian origins.

“The use of malware to compromise payment information storage systems is not new,” the report said. “However, it is the first time we have seen this attack at this scale and sophistication.”

[Reuters reported that on Thursday the U.S. government provided merchants with information gleaned from its confidential investigation into the data breach at Target in a move aimed at identifying and thwarting similar attacks that may be ongoing. ISight helped prepare the report, called “Indicators for Network Defenders,” along with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, the U.S. Secret Service and the Financial Sector Information Sharing and Analysis Center, an industry security group.]

Starting in June, iSight noticed the malicious software being offered on the black market, the report said.

Criminals bought the original malware on the black market and then created their own attack method to target retailers’ terminals at store checkout stations, iSight chief executive John P. Watters said.

“It’s less about the malware but more about the sophistication of the attacks,” Watters said in an interview.

The iSight report noted that because this kind of software can “cover its own tracks,” it’s not possible to determine the scale, scope and reach of the breach without detailed forensic analysis.

“Organizations may not know they are infected,” the report said. “Once infected, they may not be able to determine how much data has been lost.”

Last week, Neiman Marcus said thieves stole some of its customers’ payment information and made unauthorized charges over the holidays. At the time, it said it was working with the Secret Service on the breach.