Wednesday, December 31, 2014

Developers wrongly trust open source

News - Open source proved to be seriously insecure several times in 2014; just look at the panic caused by the disclosure of flaws such as Heartbleed, Shellshock and POODLE. These were not isolated cases, warns Jake Kouns, CISO at security firm Risk Based Security.
Kouns tells IDG News Service that it is a myth that open source is secure because anyone can look at it. "The reality is that although anyone can examine the code, in practice that hardly ever happens, and responsibility for quality is passed on to someone else," he says.
"Developers and companies that use third-party libraries put hardly any resources into testing other people's code. Everyone assumes someone else will find the flaws and that whatever gets published is safe."
In the past year, vulnerabilities were found in open-source libraries such as OpenSSL, LibTIFF, libpng, OpenJPEG, FFmpeg and Libev, even though these are used by millions of companies.

'Projects need to be taken more seriously'

At OpenSSL, for example, it turned out that only one developer worked on the project full-time. Too few developers on a project and the continued use of outdated code are the main reasons for the insecurity of open source, according to Risk Based Security.
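The practical counterpart to "nobody tests the third-party code they ship" is at least knowing which versions you ship and whether they sit inside a published advisory's affected range. The script below is an added example, not code from the article or from Risk Based Security: the inventory is constructed, the advisory list holds only the Heartbleed entry (CVE-2014-0160, OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, as in the public advisory), and the version parser handles OpenSSL's "number plus patch letter" scheme, which naive string comparison gets wrong.

```python
"""Check a software inventory against advisory version ranges: which of the
third-party libraries we ship fall inside a known-vulnerable range?

Added example, not code from the article or from Risk Based Security. The
inventory below is constructed; the Heartbleed entry matches the public
advisory (OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g fixed)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.0.1f' -> (1, 0, 1, 6); '1.0.1' -> (1, 0, 1, 0); '0.9.8y' -> (0, 9, 8, 25).
    The patch letter becomes the last element, so 1.0.1 < 1.0.1a < ... < 1.0.1g < 1.0.2."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))                 # '1.0' compares as 1.0.0
    letter = m.group(2)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return tuple(nums) + (patch,)


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str
    first_affected: str   # inclusive
    fixed_in: str         # exclusive: this release and later carry the fix

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.first_affected) <= v < parse_version(self.fixed_in)


ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g"),   # Heartbleed
]

# Constructed inventory: (component, library, version). In practice this comes
# from an SBOM or from interrogating each binary (package metadata, 'openssl version').
INVENTORY = [
    ("web-frontend",  "openssl", "1.0.1e"),   # statically linked copy, never rebuilt
    ("vpn-appliance", "openssl", "1.0.1g"),   # patched
    ("legacy-agent",  "openssl", "0.9.8y"),   # older branch, outside the affected range
    ("image-service", "libpng",  "1.6.8"),    # no advisory in our table
]


def find_exposed(inventory, advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (component, library, version, cve) for every inventory entry
    that falls inside an advisory's affected range."""
    hits = []
    for component, lib, ver in inventory:
        for adv in advisories:
            if adv.package == lib and adv.affects(ver):
                hits.append((component, lib, ver, adv.cve))
    return hits


if __name__ == "__main__":
    for component, lib, ver, cve in find_exposed(INVENTORY):
        print(f"{component}: {lib} {ver} is affected by {cve}")
```

The point of the parser is the ordering: "1.0.1f" sorts before "1.0.1g" but after "1.0.1", and "0.9.8y" is not in range even though its letter is later in the alphabet. A copy of OpenSSL that was statically linked into one component and never rebuilt is exactly the kind of dependency the article says nobody looks at.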

Tuesday, December 30, 2014

Four Ways For A Financial Institution To Minimize Losses Related To A Data Breach

The explosive growth of electronic credit and debit card transactions has increased the possibility of data breaches for financial institutions. The ongoing data breach litigation by financial institutions against Target is just one example of what could be the new normal with card-swipe electronic transactions now dominating commerce: according to Javelin Strategy and Research, only about twenty-five percent (25%) of point-of-purchase sales are currently made with cash, and that percentage is expected to continue to decline in the coming years.
This surge has been beneficial to the bottom line of many financial institutions, but the spike in electronic transactions has also increased the potential for data breaches and related liability. According to the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis, the average cost of a data theft from financial services companies in 2013 was $236 per customer account. The primary reason for the increase is the loss of customers following the data breach. Financial services providers continue to be most susceptible to high rates of customer defections as a result of data breaches. (Ponemon, 2014)
As the volume of electronic transactions has increased, hackers and cybercriminals have become more sophisticated and successful, as evidenced by recent high-profile data breaches involving Target, Neiman Marcus, eBay, and Jimmy John's. While mega-breaches tend to grab the headlines, most data losses involve fewer than 10,000 customer records. (Ponemon, 2014) Nonetheless, these data losses can be costly, averaging $5.9 million per breach incident in 2013. (Ponemon, 2014)
What can financial institutions do to minimize their losses, when both large and small institutions can fall victim? Below are four proactive steps that may be taken by any size institution:

1. Preparation

Statistically, four factors are most important to reducing the cost of a data breach: a strong pre-incident security posture, a current incident response plan, business continuity management involvement, and leadership by a Chief Information Security Officer. Together, these can reduce the per capita cost of a data breach as much as 30%. (Ponemon, 2014) Good preparation should also include data security audits and breach response exercises to test preparedness.

2. Purchasing Data Breach and Other Insurance

One in three companies has insurance to protect against data breach losses (Marsh LLC, Benchmarking Trends: Interest in Cyber Insurance Continues to Climb, 2014). Covered risks typically include disclosure of confidential data, malicious or accidental loss of data, introduction of malicious code or viruses, crisis management and public relations expenses, business interruption expenses, and data or system restoration. In 2013, cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped significantly. (Marsh LLC, 2014) Given the potentially tremendous costs associated with a data breach, cyber insurance policies are no longer a niche or specialty product; they are quickly becoming a necessity in the financial services industry and a key component of risk management for financial institutions.
In addition to policies specifically covering data breaches, it is important to consider whether an institution's losses may be covered under the terms of an existing policy. Some courts have found that traditional policies include coverage for data breach claims. In Netscape Communications Corp. v. Federal Insurance Co., decided in 2009, the Ninth Circuit Court of Appeals held that personal and advertising injury coverage in a commercial general liability ("CGL") policy applied to claims alleging that the insured had violated the plaintiff's right of privacy in private online communications. In Retail Ventures, Inc. v. National Union Fire Insurance Co., the Sixth Circuit Court of Appeals found that coverage may also apply under a financial institution's crime policy. In WMS Industries, Inc. v. Federal Insurance Co., the Fifth Circuit Court of Appeals affirmed the district court's holding that all-risk and first-party property policies may provide coverage for data damage and business interruption arising out of data breaches. Lastly, in Retail Systems, Inc. v. CNA Insurance Companies, the Minnesota Court of Appeals found that an insured's loss of a computer tape containing third-party data was "property damage" and, therefore, was covered by CGL insurance.
Even if there may be a question as to whether coverage is available, notice of the breach should be given to the insurer immediately. Financial institutions should consider consulting with their insurance providers to confirm whether or not their standard policies cover data breaches and, if so, whether there are any coverage limits or exclusions. "Too often, the close scrutiny of policy coverage does not occur until after a claim is made. This makes misunderstanding and disappointment a distinct, and potentially costly, risk. Even sophisticated companies stumble. In 2011, SONY suffered a series of cyber security breaches affecting data in its online gaming systems. The SONY insurer said the company did not have a cyber insurance policy, that SONY's existing policies only covered tangible property damage, not cyber incidents, and therefore the insurer would not provide any coverage for the company's nearly $200 million loss. SONY spokespersons contested these statements, expressing their belief that at least some of the losses were covered." (Mark F. Foley, Digital Lex: Insurance Coverage for the Cyber World (Feb. 19, 2013), at http://www.WTNNews.com; see also Insurance Against Cyber Attacks Expected to Boom, New York Times online, December 23, 2011.)
Banks, or their counsel, should also proactively review vendor or third-party contractor agreements to confirm that the vendor or third party contractor has an obligation to indemnify the financial institution for losses related to a data breach, and that the financial institution is named as an additional insured under the vendor's or third-party contractor's insurance policy covering such breaches. Contracts that do not provide these protections should be updated.

3. Using Regulatory Tools and Guidance

In September 2014, FDIC Chairman Martin Gruenberg stated that "internet cyber threats have rapidly become the most urgent category of technological challenges facing our banks." As a result, the FDIC now defines cybersecurity as "an issue of highest importance" for itself and the Federal Financial Institutions Examination Council.
The FFIEC recently formed a Cybersecurity and Critical Infrastructure Working Group that works with the intelligence community, law enforcement and the Department of Homeland Security on cybersecurity issues. The Working Group is currently assessing the banking sector's preparedness to combat and respond to cybersecurity threats. The report will include a regulatory self-assessment to evaluate readiness and identify areas requiring additional attention.
The FDIC also created a "Cyber Challenge" online resource that features videos and a simulation exercise. As part of this effort, the FDIC also requires third-party technology service providers (TSPs) to update financial institutions on operational threats the FDIC identifies at a TSP during an examination.
The rollout of these resources, coupled with the recent guidance from the OCC and the Fed regarding the management of third party relationships (for a more in-depth discussion, please see our January 2014 Commercial Law Update, "Managing Third Party Relationships: New Regulatory Guidance for Banks"), demonstrates the increased scrutiny regulators are giving to these issues and why they are hot-button topics for financial institutions to tackle.

4. Filing Lawsuits Against Parties Responsible for Data Breaches

A recent example of financial institutions going on the offensive with regard to a data breach by a service provider is the lawsuit brought by several banks against Target, In re Target Corporation Customer Data Security Breach Litigation, Case No. 14-md-02522, which is currently pending in Minnesota federal district court. The banks are seeking class-action status for banks across the country arising out of the compromise of at least 40 million credit cards, which affected up to 110 million people whose personal information, such as email addresses and phone numbers, were stolen.
The banks seek millions of dollars of damages to recover money spent reimbursing fraudulent charges and issuing new credit and debit cards.
The court recently denied Target's motion to dismiss all of the claims, concluding that Target played a "key role" in the data breach. In denying the motion, the court held that "Plaintiffs have plausibly alleged that Target's actions and inactions – disabling certain security features and failing to heed the warning signs as the hackers' attack began – caused foreseeable harm to plaintiffs" and also concluded that "Plaintiffs have also plausibly alleged that Target's conduct both caused and exacerbated the harm they suffered." At this stage, the banks are proceeding with claims for negligence and violations of Minnesota's Plastic Card Security Act.

Monday, December 29, 2014

Bank Leumi fined $400 million, bans former U.S. compliance chief from compliance role

Israel's Bank Leumi will pay $270 million to resolve federal charges and $130 million to settle New York regulators' allegations that it helped U.S. taxpayers hide assets and income in unreported accounts in Israel and around the world.
Under the settlement with the New York Department of Financial Services (DFS), Bank Leumi USA agreed to ban its former chief compliance officer from conducting any activities related to compliance. The employee is currently chief administrative officer.
The DFS settlement also requires Bank Leumi "to terminate and ban individual senior employees who engaged in misconduct, install an independent monitor, selected by DFS, to conduct a comprehensive review of the bank's compliance programs, policies, and procedures."
In 2008, the DFS said, Bank Leumi USA's CEO appointed an employee with no compliance experience to be the chief compliance officer. The employee held the post until 2010 and approved parts of the tax evasion scheme.
Bank Leumi Group entered into a deferred prosecution agreement with the DOJ. Prosecutors filed the DPA in federal court in Los Angeles last week.
Bank Leumi admitted criminal conduct over a 10-year period. The scheme was designed to conceal U.S. taxpayer accounts in Israel, Switzerland, Luxembourg and the United States, the DOJ said.
Federal law requires U.S. taxpayers to pay taxes on all income earned worldwide. U.S. taxpayers must also report foreign bank accounts if the total value of the accounts exceeds $10,000 at any time during the calendar year. Willful failure to report a foreign account can result in a fine of up to 50 percent of the amount in the account at the time of the violation.
Bank Leumi is one of Israel’s biggest banks. It has subsidiaries in seven countries and more than 13,000 employees.
Subsidiary banks included in the federal deferred prosecution agreement are The Bank Leumi le-Israel Trust Company Ltd., Leumi Private Bank S.A. (Switzerland), Bank Leumi (Luxembourg) S.A., and Bank Leumi USA, an FDIC-insured commercial bank with offices in California, Florida, Illinois, and New York.
New York financial regulators said Bank Leumi-Israel helped U.S. clients conceal accounts by:
  • "Hold mail" service for about 2,450 U.S. accounts, whereby every statement of account, notice, or other document associated with the account would be held abroad at the foreign bank and would not be sent to the customer's address in the United States
  • "Assumed name" and "numbered" accounts, where the name of the account holder would not appear on any correspondence or account statements, and the bank would accept wire transfers using these assumed names or numbers in lieu of actual customer names
  • Referring U.S. clients to outside lawyers and consultants who would establish and maintain offshore corporations in jurisdictions like the British Virgin Islands, Panama, and Belize, to nominally hold the undeclared accounts and hide their true tax status from U.S. authorities, and
  • Suggesting U.S. clients open accounts through Bank Leumi Trust in order to add an "extra level of secrecy" to the account.
The DOJ settlement requires Bank Leumi Luxembourg and Leumi Private Bank to stop providing banking and investment services for all accounts held or beneficially owned by U.S. taxpayers.
Bank Leumi Group cooperated with investigators, the DOJ said.
During the ten-year scheme, Bank Leumi sent private bankers from Israel and other locations to the United States. They met secretly with U.S. clients at hotels, parks, and coffee shops to discuss their offshore accounts, the DOJ said.
The bank also gave loans to U.S. clients from Bank Leumi USA against assets in the clients' nominee offshore accounts. That allowed the clients to leverage their offshore assets "to obtain and use capital in the United States while keeping their foreign accounts secret and undetected from the U.S. government," the DOJ said.
In 2008, the DOJ announced criminal investigations into UBS and other Swiss banks for aiding U.S. tax evasion. Bank Leumi viewed that as an opportunity to land more clients. It opened and maintained accounts "for U.S. taxpayers who left UBS and other Swiss banks due to the investigation in an effort to continue to avoid detection by the U.S. government," the DOJ said.
As part of its agreement with the DOJ, the Bank Leumi Group turned over the names of more than 1,500 of its U.S. account holders. The bank also agreed to disclose information to the DOJ about its cross-border business and give testimony and information as part of other investigations.
The New York DFS said a private banker who worked at Bank Leumi-Israel for over 25 years wrote to a supervisor in 2011, "Nearly every client who has an account with us has used the bank as a tax haven, and is aware that by not declaring his account in the U.S. is committing an offense, [and] we have by virtue of the services we provided assisted the clients with what they wished to achieve."
Some employees involved in the U.S. tax evasion scheme have already left the bank. Bank Leumi also agreed to terminate the current head of Bank Leumi Trust who was a regional manager during the tax evasion scheme, the DFS said.
*     *     *
The DOJ's December 22, 2014 release is here.
The New York Department of Financial Services' consent order In the Matter of Bank Leumi USA, Bank Leumi Le-Israel, B.M. dated December 22, 2014 is here (pdf).
Source: http://www.fcpablog.com/blog/2014/12/29/bank-leumi-fined-400-million-bans-former-us-compliance-chief.html

Monday, December 22, 2014

Serious damage at German steel plant from sophisticated hack

A steel furnace in operation
A very well-prepared attack on a steel plant in Germany caused major damage because the normal safety routines had been blocked.

According to the government agency that reported the incident, the attackers had very advanced capabilities. Among other things, they used a sophisticated form of spear phishing to gain access to the steel plant's systems. Employees had clearly been profiled in depth beforehand to work out how best to deceive them. Once inside, the attackers knew exactly how to manipulate the industrial control systems. As a result, one of the blast furnaces could no longer be shut down in a controlled manner, causing serious damage to the plant.

Cyberwar is having more and more physical consequences

The incident is a new entry on the list of cases in which attackers with deep knowledge of both IT and production processes deliberately damage a company in order to take it out of operation. The best-known example is the attack, widely attributed to the American and Israeli governments, on the Iranian nuclear enrichment facility, in which the Stuxnet malware rendered around 1,000 centrifuges inoperable. The fear is that attackers will soon also succeed in taking down a substantial part of the power supply in, for example, the US, causing major economic damage. The Netherlands' water-management infrastructure is another potentially very dangerous target.


Sunday, December 21, 2014

Staples breach may have affected over a million credit cards

Good grief, the hacks just don't stop. Now office-supply store Staples believes that it suffered an attack that compromised some 1.16 million payment cards. Between August 10th and September 16th this year, 115 stores were afflicted by malware that "may have" grabbed cardholder names and payment information, and two stores possibly fell victim from July 20th to September 16th this year as well. The retailer isn't fully owning up to the attacks just yet, but it's offering a mea culpa all the same: free identity protection, credit reports and a host of other security services to anyone who used a card at the affected stores (PDF). And even though four Manhattan locations had reports of fraudulent payment use from this April to September without any malware or suspicious activity taking place, the outfit is extending the aforementioned benefits to customers of those stores as well.
Staples' numbers are a drop in the bucket compared to Home Depot's 56 million compromised cards, sure, but the fact that another retailer was hacked is still an issue. Maybe, just maybe, we can go the rest of the year without news of another data breach. Is that asking too much? Sadly, it probably is.

Thursday, December 18, 2014

Keep encrypted files encrypted when you back them up to the cloud

Freelance journalist (and sometimes humorist) Lincoln Spector has been writing about tech longer than he would care to admit. A passionate cinephile, he also writes the Bayflicks.net movie blog.
After reading my article on encrypting sensitive data, Ian Cooper asked if it was safe "to use one of these encryption tools in conjunction with an online backup service?"
In that previous article, I discussed two separate ways to encrypt a folder filled with sensitive files: Windows’ own Encrypted File System (EFS) and VeraCrypt, a free, open-source fork of the well-remembered TrueCrypt. This time around, I'll look at how files encrypted with either of these work with two popular online backup services, Mozy and Carbonite.
Both Mozy and Carbonite encrypt your files and keep them encrypted on their servers. With the default settings, however, the service itself holds the encryption key, so it is at least theoretically possible for a hacker, a disgruntled employee, or the NSA to access your files.
Both companies offer a more secure option where you and only you have the key, and therefore, there's no backdoor. Mozy calls this a Personal Encryption Key; Carbonite calls it a Private Encryption Key. The problem, of course, is that if you lose the key, you lose your backup.
But even if the backup service has the key to your files, they don't have the key to your EFS encryption. And the files are useless without that. When I tested this, Carbonite wouldn't let me download EFS-encrypted files onto another computer. Mozy let me download the files, but those files just contained gobbledygook.
VeraCrypt's container approach makes this a non-issue. Remember that VeraCrypt keeps your sensitive files in one or more encrypted container files. Open a container with the password, and your files become available in a virtual drive. Close the container, and your files exist only in the encrypted container.
The simple solution: Don't back up the virtual drive. Just back up the container. That will effectively back up the files, but they'll be encrypted before Mozy, Carbonite, or any other online service will ever see them.
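The property both approaches rely on is that the backup provider only ever receives ciphertext, and the article's own EFS test shows this is worth verifying rather than assuming (one service handed back "gobbledygook", as it should; the other refused the files outright). The audit below is an added example, not code from the article, Mozy, Carbonite or VeraCrypt: it inspects what is queued for upload and flags anything that does not look like ciphertext. The sample "files" are constructed in memory, and the random-looking stand-in for a VeraCrypt container is a SHA-256 chain, not a real container.

```python
"""Audit what a backup service would actually receive: flag files in a backup
set whose bytes look like plaintext rather than ciphertext.

Added example, not from the article, Mozy, Carbonite or VeraCrypt. A VeraCrypt
container (or any properly encrypted blob) is indistinguishable from random
data, so its byte entropy sits close to 8 bits/byte; a document copied from the
mounted virtual drive, or an EFS file that was decrypted on its way out, is not.
The sample files below are constructed in memory."""
import hashlib
import math
from collections import Counter
from typing import Dict, List


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.9, min_len: int = 4096) -> bool:
    """Heuristic: ciphertext is indistinguishable from random bytes.
    Short inputs cannot be judged, and compressed archives also score high,
    so True means 'not obviously plaintext', not 'provably encrypted'."""
    return len(data) >= min_len and shannon_entropy(data) >= threshold


def audit_backup_set(files: Dict[str, bytes]) -> List[str]:
    """Names of files that would reach the provider in readable form,
    i.e. those failing the ciphertext heuristic, sorted for stable output."""
    return sorted(name for name, blob in files.items() if not looks_encrypted(blob))


def _pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic stand-in for a container's random-looking body
    (a SHA-256 chain; constructed sample data, not real ciphertext)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


SAMPLE_BACKUP_SET = {  # constructed: what an upload queue might contain
    "secrets.hc": _pseudo_random(64 * 1024),                          # VeraCrypt container
    "V:/tax-return.txt": b"Taxpayer ID and bank details ...\n" * 400,  # from the mounted drive
    "efs-decrypted-on-upload.docx": b"Confidential memo: " * 300,      # EFS file read in the clear
}

if __name__ == "__main__":
    for name in audit_backup_set(SAMPLE_BACKUP_SET):
        print(f"WARNING: {name} would be readable by the backup provider")
```

Run this over the provider's staging directory or against files pulled back from the service, not over the live folders: the whole point is to see the bytes the way the provider sees them. A file from the mounted VeraCrypt drive (the `V:/` entry) fails the check, which is the mistake the article warns about; the container itself passes.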

Wednesday, December 10, 2014

7 Lessons from Target's Breach

One Year Later, What Retailers, Bankers Have Learned

December 10, 2014.

It's been a year since the breach at Target Corp., which exposed 40 million debit and credit cards along with personal information about an additional 70 million customers.
Although the attack drew attention to the need for bolstered cybersecurity measures, retail breaches show no signs of abating. Other major payments breaches at retailers since Target have included Sally Beauty, Michaels, Home Depot, Kmart and Staples, to name a few.

Target was a watershed event that put the spotlight on payment card security. Here's a review of seven important lessons learned from the huge breach incident.

1. EMV Alone Is Not Enough

Target's breach spurred congressional hearings and renewed debate among retailers and bankers about the need for a speedy migration to EMV chip technology to help prevent breaches (see Target Hearings: EMV Not Enough).
It also was a catalyst in October for a presidential order to push adoption of EMV chip technology among U.S. retailers and banks.
Visa had years earlier set October 2015 as the counterfeit fraud liability shift date for U.S. merchants and issuers that had not yet transitioned away from magnetic-stripe card technology. But EMV didn't get that much publicity until the Target attack.
In the wake of the retailer's breach, experts and industry groups, including the Payment Card Industry Security Standards Council, said that in addition to EMV, merchants also should implement tokenization and end-to-end encryption, to ensure card data is completely devalued.
"Among all of the large retailers that I talk to, their attitude is that they won't talk to vendors unless they offer tokenization with EMV," says Avivah Litan, an analyst for the consultancy Gartner. "It has to be part of the POS solution."
End-to-end encryption, on the other hand, can be an add-on, she says. "But retailers want to work with vendors that can provide all three."
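What "completely devalued" means in practice is that the systems an attacker reaches (the POS, the merchant's databases) hold a surrogate that is worthless outside the merchant, while the PAN exists only in an isolated vault. The sketch below is an added example, not code from the article, the PCI Council or any vendor: the token format (random digits with the last four preserved, deliberately failing the Luhn check so a token can never be mistaken for a PAN) and the in-process vault are assumptions, and the card numbers are the standard test numbers, not real cards.

```python
"""Tokenization as a devaluation control: the POS keeps a token, the PAN lives
only in the vault, and a stolen token cannot be replayed as a card number.

Added example, not code from the article, the PCI Council or any vendor. Token
format and the in-process vault are assumptions; in production the vault is a
separate, access-controlled system that encrypts its store."""
import secrets
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check digit as used for PANs: double every second digit from the right."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Only this component ever sees card numbers. The same PAN maps to the
    same token so refunds and loyalty lookups work without the PAN."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}   # assumption: encrypted at rest in a real vault

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits, last four preserved so receipts can still show "**** 1111".
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must not itself pass as a PAN: reject Luhn-valid draws.
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the payment-processing path, never the POS, calls this."""
        return self._by_token.get(token)


def pos_checkout(vault: TokenVault, pan: str) -> dict:
    """What the POS and the merchant's databases store: never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "masked": "*" * (len(pan) - 4) + pan[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    record = pos_checkout(vault, "4111111111111111")
    print(record, "luhn-valid:", luhn_ok(record["token"]))
```

Two details carry the security argument: the POS-side record contains nothing that passes a Luhn check, so memory-scraping malware on the terminal harvests tokens that no other merchant's processor will accept, and `detokenize` is the single choke point where access control and logging belong. Tokenization does not protect the PAN between the card reader and the tokenizer, which is why the article's experts pair it with EMV and end-to-end encryption.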

2. Network Segmentation Is a Necessity

The Target breach also proved how easy it is for hackers to tunnel from one part of a corporate network to another, which is why merchants have to segment their networks.
Hackers broke into Target's POS system after they stole network credentials from Fazio Mechanical Services Inc., a vendor that serves the retailer (see Target Vendor Acknowledges Breach).
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says network segmentation would have prevented many of the breaches suffered by retailers, including Target, over the last 18 months (see OCC: Retailers Accountable for Breaches).
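Segmentation is only as good as its enforcement, and the cheapest evidence that it holds is the flow data you already collect. The checker below is an added example, not code from the article or from Target: it resolves each observed connection to the segments involved and reports every cross-segment flow the policy does not permit, such as a vendor remote-access range talking to a POS terminal. The segment names, address ranges, allow-list and flow records are all constructed for the demonstration.

```python
"""Verify network segmentation from flow records: which observed connections
cross a segment boundary the policy does not allow?

Added example, not code from the article or from Target. Segments, the
allow-list and the flow records are constructed for the demonstration."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Segments (constructed). In a real estate these come from IPAM / firewall config.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "corp":       ipaddress.ip_network("10.10.0.0/16"),
    "vendor-vpn": ipaddress.ip_network("10.50.0.0/24"),   # third-party remote access
    "pos":        ipaddress.ip_network("10.200.0.0/16"),  # card-present terminals
    "pos-mgmt":   ipaddress.ip_network("10.201.0.0/24"),  # jump hosts / patch servers
}

# Permitted cross-segment flows as (src_segment, dst_segment, dst_port).
# Anything else crossing a boundary is a violation; intra-segment traffic is
# out of scope here (host firewalls / micro-segmentation cover that).
ALLOWED: Set[Tuple[str, str, int]] = {
    ("corp", "pos-mgmt", 22),       # admins reach the jump host only
    ("pos-mgmt", "pos", 22),        # jump host manages terminals
    ("pos-mgmt", "pos", 8443),      # patch distribution
    ("vendor-vpn", "corp", 443),    # vendor portal, nothing else
}


def segment_of(ip: str) -> str:
    """Segment containing ip, or 'unknown' for address space we do not own
    (Internet, unmanaged ranges). Unknown on either side is still a boundary."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def check_flows(flows: List[Tuple[str, str, int]]) -> List[dict]:
    """flows: (src_ip, dst_ip, dst_port). Returns the cross-segment flows the
    policy does not allow, with segments resolved for the analyst."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue  # intra-segment (or both unknown): not this check's job
        if (s, d, port) not in ALLOWED:
            violations.append({"src": src, "src_seg": s, "dst": dst, "dst_seg": d, "port": port})
    return violations


SAMPLE_FLOWS = [  # constructed flow records
    ("10.10.4.7",   "10.201.0.5",  22),    # admin -> jump host: allowed
    ("10.201.0.5",  "10.200.3.44", 22),    # jump host -> terminal: allowed
    ("10.50.0.12",  "10.10.8.20",  443),   # vendor -> portal: allowed
    ("10.50.0.12",  "10.200.3.44", 445),   # vendor VPN -> POS terminal: violation
    ("10.10.4.7",   "10.200.3.44", 3389),  # corp workstation -> POS: violation
    ("10.200.3.44", "10.200.3.45", 139),   # terminal -> terminal: intra-segment, skipped
    ("10.200.3.44", "203.0.113.9", 443),   # POS terminal -> Internet: exfil path, violation
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"{v['src_seg']} -> {v['dst_seg']}: {v['src']} -> {v['dst']}:{v['port']} not allowed")
```

Feeding real NetFlow or firewall logs through this is a regression test for the segmentation design: the first time it runs it usually finds the "temporary" vendor rule nobody removed, and the last flow in the sample (a terminal reaching the Internet directly) is the one that matters most, because card-present data leaves the building that way.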

3. Third-Party Oversight Is Part of Compliance

The Target breach put a spotlight on vulnerabilities related to third parties. In August, the PCI Council issued new guidance on managing third-party vendor risks that retailers and bankers alike can put to use.

Banking regulatory bodies, such as the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. also have, in the wake of Target, repeatedly reminded banking institutions that they are responsible for ensuring the security of the third-party vendors and service providers with which they work.

4. Log Monitoring Needs Analytics

A forensics investigation into the Target breach found that transaction logs raised alarms about anomalous activity, but no one picked up on the warnings, according to multiple reports. Thus, the breach went undetected for several weeks.
In November, the PCI Council announced it will issue guidance specifically aimed at log monitoring (see Why PCI Will Issue Log Monitoring Guidance). But experts say log monitoring has to be coupled with additional analytics to be truly effective.
"Everyone is inundated with alerts," Gartner's Litan says. "One retailer may get a half million alerts a day, so it's impossible to go through all of those. By putting context awareness and behavioral analytics to the transaction logs, you can start profiling users and devices. With this context-aware view of transactions, you're able to correlate anomalies across different systems. Then you can go from a few thousand high-priority alerts to a couple hundred."
Analyst Julie Conroy of the consultancy Aite says without analytics, basic log monitoring is counterproductive because of the high rate of false positives. "A key lesson is the ability to apply analytics to the tens of thousands of false positives that these solutions throw off, to help security teams separate the wheat from the chaff," she says.

5. Executives, Boards Are Accountable

In May, Gregg Steinhafel resigned as Target's chairman, president and CEO. In the statement issued about Steinhafel's resignation, the company noted that he "held himself personally accountable and pledged that Target would emerge a better company."
Steinhafel's announcement came just two months after the resignation of Beth Jacob, Target's CIO during the time of the breach.
The two resignations came shortly after Target's chief financial officer, John Mulligan, was first questioned about the breach before Congress (see Target, Neiman Marcus Differ on EMV).
The congressional attention given to Target's breach, coupled with the resignation of two of its key officers, made waves in the financial services industry, too. Over the summer, banking regulators launched a pilot cyber-exam program at 500 community banks to review the cyber-awareness of C-level executives and boards of directors at those institutions.
In November, the Federal Financial Institutions Examination Council noted that cybersecurity awareness among executives and boards was in need of improvement, and that cyber-awareness had to be a higher priority across the board (see FFIEC: Boards Need Cyber Training).

6. Retailers May Be Liable for Breaches

The debate over who should be liable when card data is compromised at the retail level also has heated up since the Target breach. For months, banking groups and retail associations have been at odds about who is responsible for bearing the losses associated with card breaches (see Hold Merchants Accountable for Breaches?).
While bankers argue they're stuck with expenses related to card reissuance and fraud, retailers say they indirectly cover these costs for banks through the interchange fees they pay to the card brands (see Card Breaches: Retailers Doing Enough?).
While courts have dismissed numerous class action suits filed by consumers against breached retailers, a class action suit filed against Target by banking institutions, seeking to recoup their breach-related costs, has won court approval to proceed (see Target Breach Suit Won't be Dismissed).
If banks win that suit, it could send a strong message about the financial responsibilities retailers should bear in the wake of a breach.

7. Cyberthreat Intelligence Sharing Must Improve

The Target breach also raised awareness about the need for more cross-industry information sharing. The sharing of cyberthreat intelligence among banking institutions has been on an upward swing since 2012, after numerous distributed-denial-of-service attacks targeted leading U.S. banks.
But it wasn't until the retail breaches of the last year that serious consideration was given to the need for similar information sharing among retailers, as well as across the payments and financial landscape.
In May, the Retail Industry Leaders Association announced the launch of the Retail Cyber Intelligence Sharing Center - an effort to improve sharing among retailers and other public and private stakeholders, including the Department of Homeland Security and law enforcement.
Then in June, Tim Pawlenty, CEO of the Financial Services Roundtable, explained why information sharing in the retail sector needed to mimic information sharing within the financial sector.

Tuesday, November 25, 2014

Most Targeted Attacks Exploit Privileged Accounts

Source: http://threatpost.com/most-targeted-attacks-exploit-privileged-accounts/109514

Monday, November 24, 2014

Beth Israel fined $100,000 for patient data breach

The Boston Globe

Beth Israel Deaconess Medical Center agreed to pay $100,000 to settle a complaint by the Massachusetts attorney general’s office that its lax data security led to the theft of personal information of about 4,000 patients and employees.
In May 2012, a physician’s unattended laptop was stolen from his desk at the hospital. The laptop contained health information of 3,796 patients and Beth Israel employees, as well as personal information, such as Social Security numbers, of 194 other Massachusetts residents. The attorney general’s office argued the hospital’s lack of security and failure to encrypt patient data was against the law.
“The healthcare industry’s increased reliance on technology makes it more important than ever that providers ensure patients’ personal information and protected health information is secure,” said Attorney General Martha Coakley.
Dr. John Halamka, chief information officer at Beth Israel Deaconess, said the hospital has since improved its security procedures.
“After this incident, we worked closely with the federal and state governments, as well as security industry experts, to ensure that [the hospital] adopts state-of-the-art security policies and technologies,” Halamka said in a statement. “Every device we purchase is encrypted before it is used, and every employee must attest on an annual basis that his or her personal devices are also encrypted.”
Beth Israel is not the first hospital to be penalized for poor data security by Coakley’s office. Earlier this year, Women and Infants Hospital of Rhode Island agreed to pay $150,000, and South Shore Hospital settled a suit by the Attorney General for $750,000 in 2012.

Jack Newsham can be reached at jack.newsham@globe.com. Follow him on Twitter @TheNewsHam.

Saturday, November 22, 2014

Sweeping privacy law on the way: EU data protection supervisor Peter Hustinx looks ahead [interview]


21 November 2014

Foreign law enforcement agencies, the Dutch tax authority and commercial Big Data operators are rummaging through personal data. The old European directive from 1995 that governs supervision is finally being replaced. Peter Hustinx, head of the European Data Protection Supervisor, turns his attention to the far-reaching European Privacy Regulation.
ING's intention to, as it seemed, sell customers' payment data to third parties led to a storm of criticism earlier this year. The prevailing feeling: insight into the household budget is too great an invasion of privacy. Startled by the uproar from customers, the Consumentenbond, De Nederlandsche Bank and the Autoriteit Financiële Markten, ING quickly withdrew the plan. The privacy issue will not slow down the 'megatrend' Big Data. Collecting and combining as much data as possible is the Holy Grail of marketers. The Boston Consulting Group predicts that in 2020 it will represent an economic value of almost 1 quadrillion euros in Europe.

Supervisor Peter Hustinx

Governments are not holding back either, as the revelations by whistleblower Edward Snowden about the previously inscrutable methods of the American intelligence agency NSA showed. The Dutch tax authority is also rummaging freely. In August, for instance, the tax office managed on appeal to force access to the customer data of the parking service SMS Parking.
Peter Hustinx
The Dutch lawyer Peter Hustinx (69), as head of the European Data Protection Supervisor (EDPS), works from Brussels to supervise data protection at all EU institutions, from the European Commission to the dozens of agencies and the European Central Bank. In addition, the EDPS advises the Council and the European Parliament on the drafting of legislation in which data protection plays a role.
The hottest potato at the moment: the new European Privacy Regulation, which is to replace the dated privacy directive from 1995. The proposal was adopted by a large majority in the European Parliament in March and now goes to the Council of Ministers, which can adopt the Regulation in whole or in part. Entry into force is not expected until 2017. The European Privacy Regulation is considerably more far-reaching than the outdated directive.
European Privacy Regulation
  • Fines of up to 100 million euros or 5 percent of worldwide turnover for breaking the rules
  • Stricter requirements for securing privacy-sensitive information and a duty to report data breaches (to the supervisor)
  • Explicit consent from customers required as soon as companies want to process personal data (Big Data). Customers must also be able to withdraw that consent
  • NO-NSA clause: companies may no longer share personal data with foreign governments without the supervisor's permission
  • The 'right to be forgotten' in search engines
  • The obligation to appoint a Data Protection Officer at organisations that process the personal data of more than 5,000 people in a year

You as European supervisor, but also the national supervisors, work with legislation derived from a directive from 1995. Is that still tenable in the internet age?
'You don't drink a carton of milk that has gone sour. Unfortunately, we still do. The current rules in the directive are past their sell-by date. At the time it was a very good step forward to make sure that all countries in Europe took roughly the same measures in the field of data protection. But now, 20 years later, a number of things have happened, such as the internet, social networks and mobile communication.'
The proposed European Privacy Regulation sets a maximum fine of 5 percent of consolidated annual turnover when companies fail to comply with the new legislation. What forces are unleashed when such fines are proposed?
'We haven't seen this much lobbying in years; members of parliament have literally been bombarded. Very heavy pressure has been exerted by foreign governments and by European and American companies that are active on the internet in Europe. But I notice in the discussion that too much is based on worst-case analyses. There are companies that say: soon we'll have to get customers' consent for everything as soon as we want to use their data, that's the end of the internet.
Well, consent is an important element, but it is not always necessary. A company just can no longer assume that it will get away with things like "implied consent" or "opt-out consent"; there is a whole series of words they use for that. Then you underestimate the problem enormously, because if that is consent, I am almost certain it is not binding. And the next day you must be able to withdraw it, which has not been taken into account at all.'
The new regulation also introduces the principle of "one-stop-shop" supervision: the country where a company's main establishment is located gets responsibility for all supervision of that company. What will that look like in practice?
'Supervision will be divided so that every national supervisor remains competent on its own territory, but there will be a lead authority, a one-stop-shop. A whole discussion has now broken out about what exactly that entails. Is the supervisor then only the country where a company's main establishment is located, or does it act together with the others?'
The supervisor in Ireland will then be busy, because many large tech companies such as Google, Facebook and Apple have their European headquarters there.
'If such a company is established there, that country becomes the lead. Many companies that play a major role on the internet have settled in Ireland, which will have to do with the language and the tax regime. If you see that one-stop-shop as an exclusive operation, and initially that was somewhat the perception, then it is worrying that there might be a difference in treatment between Ireland and other countries. Will the Irish enforce more leniently? Our experience is that our Irish colleagues do their work excellently.'
But a large part of their GDP is at stake if they decide to impose a fine of 5 percent of annual turnover on, say, Google. Who can be held to account for failing supervision?
'That is one of the questions causing a lot of headaches now in the final stage. I expect that supervision in the regulation will be based on a form of cooperation in which the lead gets a strong role, but where the lead's decisions are somehow taken in a group. Cooperation must prevent forum shopping.'
How realistic is it, in your view, that large internet companies decide to withdraw their main establishments from Europe?
'You can't rule it out entirely, that's just how the world is, but it is not very realistic. Companies like Google have a strong presence on the European market. Their responsibility therefore lies here. Even if their data is actually stored in Jersey or the Cayman Islands, or in the cloud and nobody knows where, they are liable for its security. If a company, and I'm not going to name names, stores the data in the cloud and accepts that the provider cannot say where that is, then agreements must be made on whether the provider has taken the right security measures. It is completely irresponsible to store data in the cloud without further specification of controls, because then you are not meeting your responsibilities. Then you are in default. If the market is aware of its responsibility, data protection will increase.'
Who should instil that sense of responsibility: the supervisor or the market itself?
'Companies must take it up themselves. The current directives and the future regulation state that the company is the party responsible for compliance: it must take the necessary measures to ensure that data is protected. And if they don't, a supervisor must do something about it. The new rules and the new policy are important for tackling negligence. The new regulation will be applied hard a few times and then you get: "Why am I getting a fine?" After that it spreads and people say: apparently this is how it has to be done these days. Yes, it had actually been that way for years, but we had forgotten. We have to turn that oil tanker around: companies that see the mountains of gold but have not thought enough about data protection.'
***********
This is an abridged version of an interview recently published in Tijdschrift voor Compliance. The fifth issue of 2014 is entirely devoted to the theme Compliance and Privacy and covers, among other things, the Big Data trend and data protection.

Tuesday, November 18, 2014

Run-amok compliance officers cost Bank of Tokyo Mitsubishi $315 million for sanctions report whitewash


The New York State Department of Financial Services (DFS) Tuesday levied $315 million in penalties against Bank of Tokyo Mitsubishi UFJ (BTMU) for misleading regulators regarding its transactions with Iran, Sudan, Myanmar, and other sanctioned entities.
A year-long DFS investigation found that BTMU compliance officers pressured the bank's consultant, PricewaterhouseCoopers (PwC), into removing key warnings to regulators in a supposedly "objective" report the bank submitted to the DFS.
Under the DFS consent order, BTMU will pay the additional $315 million penalty beyond a $250 million penalty it paid under a previous June 2013 DFS agreement over its sanctioned transactions.
"As such," the DFS said, "the total monetary penalty that BTMU has paid in this case is $565 million."
At the direction of the DFS, the bank "will also take disciplinary action against individual BTMU compliance personnel involved in the watering down of the PwC report."
The DFS demanded that BTMU fire Tetsuro Anan (manager, anti-money laundering compliance office, compliance division). Anan has resigned from BTMU, the DFS said.
"On multiple occasions, despite being responsible for anti-money laundering compliance, Tetsuro Anan asked PwC to remove from its report specific issues of material concern to regulators about the bank's misconduct," the DFS said.
The DFS also banned two former compliance officers who now work at BTMU affiliates.
Akira Kamiya (deputy president, Mitsubishi UFJ Securities Holdings) and Tetsuji Kamisawa (executive deputy president, Defined Contribution Plan Consulting of Japan) can't do work involving any New York banks (or other financial institutions) regulated by the DFS, including BTMU's New York branch.
Benjamin M. Lawsky, head of the DFS, said: “We continue to believe that fines -- while often necessary -- are not sufficient to deter misconduct on Wall Street. We must also work to impose individual accountability, where appropriate, and clearly proven, on specific bank employees that engaged in wrongdoing.”
In August, the DFS suspended PwC Regulatory Advisory Services for two years for helping whitewash the BTMU sanctions and anti-money laundering compliance report.
PwC was also required to make a $25 million payment to the State of New York.
As part of Tuesday's order, BTMU will relocate its U.S. Bank Secrecy Act/Anti-money Laundering Compliance (BSA/AML) and Office of Foreign Assets Control (OFAC) sanctions compliance programs to New York, the DFS said.
Those programs will have U.S. compliance oversight over all transactions affecting the New York Branch, the DFS said, "including transactions performed outside the U.S. that affect the New York Branch."
BTMU said in a statement Tuesday it is "committed to conducting business with the highest levels of integrity and regulatory compliance, and to continually improving its policies and procedures."
*     *     *
The New York State Department of Financial Services consent order In the matter of Bank of Tokyo Mitsubishi UFJ, Ltd. New York Branch dated November 18, 2014 is here (pdf).
_______
Richard L. Cassin is the publisher and editor of the FCPA Blog. He can be contacted here.
Source: http://www.fcpablog.com/blog/2014/11/18/run-amok-compliance-officers-cost-bank-of-tokyo-mitsubishi-3.html


Congress to banks: Admit you've been hacked!

November 18, 2014: 10:08 AM ET

NEW YORK (CNNMoney)

Banks have lost so much consumer information to hackers this year that two members of Congress are asking them to come clean with the extent of the damage.

Tuesday morning, 16 financial institutions will receive letters from Sen. Elizabeth Warren and Rep. Elijah E. Cummings asking them to admit that they have been hacked, explain how it happened and be transparent about what they lost.
In many cases, companies that are hacked never reveal it to their customers. Or they release vague, useless information that hides the seriousness of the breach.
Earlier this year, hackers broke into JPMorgan. The bank said hackers gathered information on more than 80 million customers. But sources close to the investigation told CNNMoney the hackers hit at least six other companies -- none of which came forward about it.
"The increasing number of cyberattacks and data breaches is unprecedented and poses a clear and present danger to our nation's economic security," Cummings and Warren wrote in the letter.
They noted that faith in banks' ability to keep consumer data safe "is central to earning and maintaining consumer confidence in our economic system." The letter referenced a recent USA Today report that hackers have stolen more than 500 million financial records over the past year.
Earlier this year, CNNMoney noted that half of American adults have been hacked.

Monday, November 17, 2014

Corporate data security trust restoration


SafeNet : 14 November, 2014  (Special Report)
Paul Hampton, Payment & Crypto management expert at SafeNet explains the four steps required to restore trust in corporate data security
Results from the latest Breach Level Index report show there have been more than a thousand worldwide data breaches so far this year that compromised nearly 563 million data records of customers’ personal and financial information. Particularly worrying for consumers, is that the retail industry accounts for more than 30 per cent of all data records breached and has thus become the embodiment of the data breach epidemic. These are shocking figures, and should be a serious cause for concern, especially in the lead up to Christmas, when many more shoppers will be using their cards, and could be putting themselves at risk.

Until now, consumers have appeared apathetic about identity compromise security breaches. But new research indicates unrest. A SafeNet survey of more than 4,500 adults across five of the world’s largest economies – U.S., U.K., Germany, Japan, and Australia has found that nearly two-thirds (65 per cent) of respondents would never, or were very unlikely to, shop or do business again with a company that had experienced a data breach where financial data or information was stolen. The research also indicated that only half of adults surveyed feel that companies take the protection and security of customer data seriously enough.

What does all this mean? The traditional data security mindset no longer works. With companies collecting ever-increasing amounts of customer information and with digital interactions becoming more diverse, vast amounts of data about who we are, what we do, and what we like are being stored online. We entrust our entire identity as individuals to the companies that gather this information and need to be reassured that it is being kept safe.

For decades, the prevailing wisdom about cybersecurity has been that a perimeter “wall” should be built around the corporate network to keep intruders out. More recently, newer technologies such as real-time threat protection have been implemented to bolster security. However, as the current breach epidemic shows, these approaches haven’t stopped today’s sophisticated cybercriminals.

Companies can seize upon these four approaches to help restore customer trust in corporate data security:

* Out With the Old, In With the New: Today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, content filtering, and threat detection. But, if history has taught us anything, it is that walls are eventually breached and made obsolete. Companies should assume that prevention and threat detection tools can only go so far, and should be used as part of a layered approach to data security that can defend data once criminals get into the network. The next and last level of defence needs to be around the data itself and surrounding it with end-to-end encryption, authentication and access controls that provide the additional layers to protect both corporate and customer information.

* Protect Customer Data As If It Were Your Own: If companies want to earn and retain customer trust, they must view the protection of sensitive data not as a compliance mandate, but as a responsibility essential to their success. Meeting the minimum legal requirements is no longer enough. If a breach hits, and companies have encrypted financial data, but not the 10 million records containing customer names, addresses and social security numbers, they’ve broken the bond of customer trust in their brand. Being a better steward of customer data is not just good PR, it makes good business sense, too.

* Transparency Is the Road to Trust: Put security front and centre and tell customers about the security measures that companies have put in place to protect their data. With the recent dust-up about surveillance, the largest online companies are now much more open about what they are doing to protect customer information. If a company is doing something better than the rest of the industry, like encrypting data end-to-end, then it will be seen as a trusted innovator.

* Security Is a Two-Way Street: Just as customers are informed about what companies are doing to protect them, they should also be told what to do in order to protect themselves. If a customer experiences identity theft or a data breach while doing business with a company, that brand suffers. A better-educated consumer is a safer consumer of services.

As data breaches become increasingly severe and consumers become more educated on what is (or isn’t) being done to protect their data, their attitudes about what is acceptable will change. And with it, the corporate mindset on security must change. So far, customers may not have been concerned about having their credit card numbers stolen, because there are built-in protections for them. However, distress sets in if their location information is being used so thieves can rob their houses. Companies need to wake up to this new reality sooner rather than later, or else risk consumers severing ties with them and taking their business to trustworthy competitors.
Read more: http://www.prosecurityzone.com/News_Detail_Corporate_data_security_trust_restoration_22689.asp