Category Archives for "Network World Security"

IDG Contributor Network: Healthcare data breaches skyrocket, but is there good news coming?

In 2016, 328 individual healthcare breaches occurred, surpassing the previous record of 268 in 2015, according to Bitglass’ recent Healthcare Breach Report. As a direct result of the breaches, records of approximately 16.6 million Americans were exposed due to hacks, lost or stolen devices, unauthorized disclosure and more. The good news, however, is that the overall number of compromised records has declined for the second year in a row, and early indications suggest that those numbers will continue to decline in 2017. The report aggregates data from the U.S. Department of Health and Human Services’ Wall of Shame—a database of breach disclosures required as part of the Health Insurance Portability and Accountability Act (HIPAA)—to identify the most common causes of data leakage.

April 2017: The month in hacks and breaches

April may not have been the busiest month for security breaches, but what it lacked in volume it made up for in variety. The month began loudly when a hacker set off all of Dallas’s 156 emergency tornado alarms for 90 minutes in the wee hours of the morning on the seventh. Then on April 10, London-based Wonga Group revealed that as many as a quarter-million bank accounts may have been compromised. They weren’t alone. On the seventeenth, InterContinental reported that customer data may have been taken at more than 1,000 of its hotels.

False positives still cause threat alert fatigue

It is commonly referred to as information overload. An infosec professional throws out a wide net in hopes of stopping malware before it gets too deep into the network, but like a motion-sensor light, sometimes the alert catches a squirrel instead of a burglar. Rob Kerr, chief technology officer at Haystax Technology, cited the 2013 breach at Target as an example, in which thieves stole some 40 million Target credit cards by accessing data on point-of-sale (POS) systems. Target later revised that number to include theft of private data for 70 million customers.

Shodan search engine starts unmasking malware command-and-control servers

There's now a new tool that could allow companies to quickly block communications between malware programs and their frequently changing command-and-control servers. Threat intelligence company Recorded Future has partnered with Shodan, a search engine for internet-connected devices and services, to create a new online crawler called Malware Hunter. The new service continuously scans the internet to find control panels for over ten different remote access Trojan (RAT) programs, including Gh0st RAT, DarkComet, njRAT, ZeroAccess and XtremeRAT. These are commercial malware tools sold on underground forums and are used by cybercriminals to take complete control of compromised computers.

Dataset of scraped Tinder pics poof from Kaggle after Tinder complains

Tinder was ticked after 40,000 profile photos were scraped to create the People of Tinder dataset, accused the person behind the script of violating its terms of service, and asked Kaggle to remove the dataset from the platform. Nevertheless, it was downloaded hundreds of times before the take-down, which now results in a 404 error. The People of Tinder dataset was created by Stuart Colianni; it consisted of 40,000 images from Tinder users in the San Francisco Bay Area – half were of women and half were of men. He intends to use the dataset with Google’s TensorFlow Inception to create a neural network capable of distinguishing between male and female images.

IDG Contributor Network: What Pepsi’s failed ad can teach us about data privacy

By now, you've probably seen the ad that Pepsi released to the world and then quickly withdrew when it became obvious how tone deaf it was. I don't have anything to say about the ad that hasn't been said already, but I do want to examine the conditions that led to an ad of such obliviousness being released. Why? Because Pepsi’s failed attempt to promote itself may have some lessons for those anxious to keep their company from experiencing a similar calamity when it comes to the release of personal data. I’d like to use this post to explore how the Privacy By Design approach to improving organizational awareness about data protection may offer a way to avoid such pitfalls.

Android gets patches for critical flaws in media handling, hardware drivers

Android is getting security fixes for more than 100 vulnerabilities, including 29 critical flaws in the media processing server, hardware-specific drivers and other components. Android's monthly security bulletin, published Monday, was split into two "patch levels," which are represented as date strings on the "About" page of Android devices. The 2017-05-01 security patch level covers fixes for vulnerabilities that are common to all Android devices, while the 2017-05-05 level covers additional fixes for hardware drivers and kernel components that are present only in some devices.

Toward Enterprise Security Technology Integration

Last week, I posted a blog about the move toward cybersecurity vendor and technology consolidation along with a growing emphasis on technology integration in the enterprise. Here’s some additional data that reinforces these conclusions. As part of a recent ESG research project, 176 cybersecurity and IT professionals were presented with several statements and asked whether they agreed or disagreed with each one (note: I am an ESG employee). Here are the results: 82% of survey respondents “strongly agree” or “agree” with the statement: ‘My organization is actively building a security architecture that integrates multiple individual products.’ This is likely part of a SOAPA (i.e. security operations and analytics platform architecture) project. 81% of survey respondents “strongly agree” or “agree” with the statement: ‘Cybersecurity product integration has become an important consideration of our security procurement criteria.’ In other words, stand-alone point tools don’t make the purchasing cut in most cases. 78% of survey respondents “strongly agree” or “agree” with the statement: ‘The security products my organization buys are regularly qualified on their integration capabilities.’ This aligns with the previous point. 73% of survey respondents “strongly agree” or “agree” with the statement: ‘My organization

The move toward enterprise security technology integration

Last week, I wrote about the move toward cybersecurity vendor and technology consolidation, along with a growing emphasis on technology integration in the enterprise. Here’s some additional data that reinforces those conclusions. As part of a recent ESG research project, 176 cybersecurity and IT professionals were presented with several statements and asked whether they agreed or disagreed with each one. Here are the results: 82% of survey respondents “strongly agree” or “agree” with the statement: "My organization is actively building a security architecture that integrates multiple individual products." This is likely part of a SOAPA (security operations and analytics platform architecture) project. 81% of survey respondents “strongly agree” or “agree” with the statement: "Cybersecurity product integration has become an important consideration of our security procurement criteria." In other words, stand-alone point tools don’t make the purchasing cut in most cases. 78% of survey respondents “strongly agree” or “agree” with the statement: "The security products my organization buys are regularly qualified on their integration capabilities." This aligns with the previous point. 73% of survey respondents “strongly agree” or “agree” with the statement: "My organization tends to select best-of-breed products." Once again, the data reflects that

SMBs continue to be a target of cybercriminals

Because they don’t see themselves as targets, small-to-midsize businesses (SMBs) have for a long time believed that their security programs are good enough. They have a firewall, antivirus, maybe they even use two-factor authentication. The mistake is believing that this is enough because they have nothing of value to an attacker. While they may have a smaller attack surface, they are no less vulnerable than a major enterprise. Not only are small businesses growing as the favored targets for ransomware attacks, they are also the most impacted, with 60 percent shutting down within six months of a breach, according to the US National Cyber Security Alliance.

Human weakness enabling financial cybercrime

It may be time for a revision of “the customer is always right,” at least in the financial sector. That, Boston Police Detective Steven Blair told an audience of bankers at the Boston Fed’s 2017 Cybersecurity Conference on Monday, is because too many banking “customers” are fraudsters, who take advantage of the generally laudable desire of front-line employees to provide good customer service. Attendees had heard Kenneth Montgomery, first vice president and COO of the Boston Fed, say earlier that cybersecurity is now “the number-one operational and enterprise issue” for the financial sector. He said the worldwide costs of cybercrime are estimated at $3 trillion annually now, and expected to double by 2021.

Vulnerability hits Intel enterprise PCs going back 10 years

Intel is reporting a firmware vulnerability that could let attackers take over remote management functions on computers built over nearly the past decade. The vulnerability, disclosed on Monday, affects features in Intel firmware that are designed for enterprise IT management. Enterprises using Intel Active Management Technology, Intel Small Business Technology and Intel Standard Manageability on their systems should patch them as soon as possible, the company says. The vulnerable firmware features can be found in some current Core processors and all the way back to Intel's first-generation Core, called Nehalem, which shipped in 2008. They're part of versions 6.0 through 11.6 of Intel's manageability firmware.

IDG Contributor Network: Data breaches: It’s still personal

In a blog post last September, I highlighted how data breaches for the first half of 2016 shifted from stolen credit card data and financial information to the theft of something much more personal—identities. Unsurprisingly, this trend continued throughout the remainder of the year. According to the recently released Breach Level Index, 1,792 data breaches led to almost 1.4 million data records being compromised worldwide, an increase of 86 percent compared to 2015. Once again, identity theft was the leading type of data breach last year, accounting for 59 percent of all data breaches.

Trump seeks to upgrade US government IT services

President Donald Trump is launching a special council to upgrade the U.S. government’s IT services at a time when some systems are more than 50 years old. "Americans deserve better digital services from their government," said an executive order from Trump, released on Monday. The order seeks to "promote the secure, efficient and economical use" of IT. As part of that goal, Trump is establishing the American Technology Council, which he will chair.

Report: Bad policies and practices put data at risk [Infographic]

Almost every company has data stored in its systems that is overexposed and at risk. That’s the finding of the recently released 2017 Varonis Data Risk Report. The report is based on assessments that Varonis conducts for its customers and prospects to determine which data is at risk. The report data is aggregated and anonymized. What this year’s report revealed is that much of the risk is due to bad policy or failure to follow an established policy. For example, files were accessible to people who should not have access, complex permissions rules negatively impacted enforceability, and some companies fail to properly audit data for risk. The report also found that these risks were consistent across geographies and industries.

The differences among the white, grey, and black hats

The infographic below provides good, entertaining definitions of the terms white hat, grey hat and black hat hackers, courtesy of Exigent Networks. As the infographic explains, there are some, well, grey areas between categories—for example, there is sometimes a fine line between grey hats and black hats. Some might also disagree with the choices of white hat hacker examples. The telecom industry, for example, might consider Steve Wozniak’s early hacking exploits theft of services rather than hacking for the greater good. And Julian Assange’s qualifications will be tinted by whatever political lens through which an individual judges his actions.

Leaked document shows how Facebook can target emotionally vulnerable teens for ads

Facebook is so proud of its algorithms that it conducted research about exploiting posts by kids as young as 14 to show how its algorithms could help advertisers pinpoint emotionally vulnerable moments for the purpose of targeted ads. The Australian (paywall) got its hands on a 23-page Facebook document, dated in 2017, marked as “Confidential: Internal Only,” and authored by two Australian Facebook executives, Andy Sinn and David Fernandez. While no screenshots were included, the report allegedly explained how Facebook could analyze posts, photos and interactions to help determine the emotional states of 6.4 million “high schoolers,” “tertiary” (college) students and “young Australians and New Zealanders ... in the workforce.”

Facebook able to target emotionally vulnerable teens for ads

Facebook is so proud of its algorithms that it conducted research about exploiting posts by kids as young as 14 to show how its algorithms could help advertisers pinpoint emotionally vulnerable moments for the purpose of targeted ads. The Australian (paywall) got its hands on a 23-page Facebook document, dated in 2017, marked as “Confidential: Internal Only,” and authored by two Australian Facebook executives, Andy Sinn and David Fernandez. While no screenshots were included, the report allegedly explained how Facebook could analyze posts, photos and interactions to help determine the emotional states of 6.4 million “high schoolers,” “tertiary” (college) students and “young Australians and New Zealanders ... in the workforce.”

NSA suggests using virtualization to secure smartphones

The U.S. National Security Agency is now suggesting government departments and businesses buy smartphones secured using virtualization, a technology it currently requires only on tablets and laptops. The change comes about with the arrival of the first virtualization-based smartphone security system on the U.S. Commercial Solutions for Classified list. CSfC is a program developed by the NSA to help U.S. government agencies and the businesses that serve them to quickly build layered secure systems from approved components. An HTC A9 smartphone security-hardened by Cog Systems using its D4 virtualization platform is now on that list, alongside devices without virtualization from Samsung Electronics, LG Electronics, and BlackBerry.

Career Watch: Be wary of IT employment contracts

Jeffrey Scolaro, an attorney at Daley Mohan Groble PC in Chicago and a member of Legal Services Link, answers questions about employment contracts. Are employment contracts for IT workers negotiable, or are they one-size-fits-all? The axiom that “everything is negotiable” should be where all IT professionals begin their assessment of proposed employment contracts. However, the IT industry in particular can be especially rigid in its collective enforcement of employment agreements.
