BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

VA CIO Reveals Biggest Security Concern

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Oct 2014 19:01:54 -0600
http://www.databreachtoday.com/blogs/va-cio-reveals-biggest-security-concern-p-1760

What cybersecurity issue keeps Steph Warren, CIO of the Department of
Veterans Affairs, up at night? He tells me it's the potential long-term
harm that data breaches and other incidents can have on public faith in
e-commerce.

"If people stop going to the Internet because they don't think it's safe,
all the things we're trying to do to enable delivery of service benefits
are going to be impacted. We count on that tool; it is a tremendous saver
of resources," Warren said in response to a question I asked him during a
recent media roundtable to provide an update on various VA IT initiatives.

"It used to be when folks went to mainline businesses on the Internet, they
were safe," he said. "The security concerns arose when consumers visited
websites offering deals that 'seemed too good to be true.'

"The challenge now is that all those commerce sites are under threat. We've
got to figure out how digital commerce can still be done safely, how you
can do it with credit tools that don't put your bank account or identities
at risk."

Warren says there's a lot at risk if cyberthreats continue to grab
headlines.

"I think we are coming into a pretty critical time period," he says. "If
the public loses confidence in whether they can safely do ... digital
commerce, we've got a serious problem because it's been an engine of
innovation and change," he says. "We have got to get our arms around it."

ID Theft Awareness

For its part, the VA has been ramping up efforts to help make veterans more
aware of identity theft and fraud risks so that they can avoid falling
victim to cybercrimes, Warren says.

That includes providing tips to veterans about how they can protect
themselves against ID theft - like using stronger passwords and encrypted
e-mail and monitoring their credit card statements. The agency is providing
extensive advice for vets on its new VA ID theft website.

The VA offers free credit monitoring to vets when the department
experiences breaches of any size that expose sensitive information. But
Warren admits that only about 4 percent of vets accept the offer, and he's
hoping to get more takers.

Wake-Up Call

The VA grabbed headlines back in May 2006 when the agency reported a breach
stemming from a stolen unencrypted laptop that contained information on
more than 26 million individuals. Although the device was eventually
recovered and the FBI determined that no personal information was
inappropriately accessed, the VA agreed to pay $20 million to settle a
lawsuit filed by veterans over the incident (see VA Breach: Assessing The
Impact).

In the wake of that incident, the VA launched a massive encryption
campaign. Today, 100 percent of the VA's more than 430,000 desktop and
laptop computers are encrypted, Warren says.

In addition to using encryption to prevent breaches, the VA has been
ramping up its efforts to thwart hackers.

At a hearing last year, a member of Congress said hackers from other
nations had repeatedly breached VA computers since 2010 (see: VA Systems
Hacked From Abroad).

Warren admits that VA systems are "always under threat." But so far, he
says, no data has been seized by hackers. "No data has been exfiltrated ...
or pulled out, even as viruses hit laptops or desktops."

The VA defends itself against 55,000 new malware variants per day that are
tracked and blocked, he says.

The agency's cybersecurity strategy relies heavily on continuous monitoring
of network traffic.

"We're constantly updating threats ... with remediation in near real time,"
he says. The VA uses the Department of Homeland Security's Einstein 3
intrusion detection system to block sites and stop downloads that pose
potential threats.

Medical Devices

In another security move, the 600,000 medical devices in use at the VA
healthcare facilities are segregated away from the rest of the enterprise.
Warren explains they're run on "an isolation architecture ... to better
control access" and help keep those devices away from malware and other
threats.

The need to segment medical devices from other network systems was one of
several security steps stressed at last week's medical device cybersecurity
workshop hosted by the Food and Drug Administration (see Medical Device
Hacks: The Dangers).

And Warren says the VA must always look for more ways to improve security.

"We have to keep doing more, and that's what we do. We don't rest on our
laurels. The threat environment keeps increasing, the sophistication of the
threats keep growing," he says. "As a large institution we're always under
threat."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
Previous By Date Next
Previous By Thread Next

Current thread: