BreachExchange mailing list archives

Cracking the Code on Cyber Crimes

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 8 Jan 2015 19:06:54 -0700

LinkedIn inadvertently found itself the poster child for customer privacy
protection when, in early June, word spread of a password leak with the
potential to affect 6.5 million users.

In the hours that followed, LinkedIn would tweet to some 180,000 of its
Twitter followers that "our team continues to investigate, but at this time
we're still unable to confirm that any security breach has occurred." Hours
later, the company issued a similar statement on the LinkedIn blog, along
with a list of best practices to follow when creating a password.

One day after the alleged breach, LinkedIn issued an update, acknowledging
that 6.5 million hashed—or encrypted—passwords had, indeed, been posted on
a hacker forum. The company reported it had "enhanced our security measures
through an additional layer of technical protection known as 'salting' to
better secure your information" and that it had disabled all member
passwords for at-risk accounts.

In the days that followed, LinkedIn would take the heat for what some
called a bare-minimum means of security—namely, passwords should have been
"salted" and "hashed" to start. The company was slapped with a $5 million
lawsuit in late June, when an irate consumer seeking class-action status
claimed the company failed to properly uphold its privacy policy and follow
standard Internet security protocols.
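The distinction the article draws, passwords hashed but not salted versus salted and hashed, is what decides whether one leaked dump is cheap to reverse. As an added illustration that is not part of the article, the Python below contrasts the weak scheme with a salted, slow-KDF scheme from a defender's auditing view; the user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed list of common passwords used for a self-audit (not real user data).
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty"]


def unsalted_hash(password: str) -> str:
    """The weak 'before' scheme: one fast hash, no salt. Same password -> same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> password once. Without salts, one table covers every record."""
    return {unsalted_hash(w): w for w in words}


def recover_unsalted(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Audit: which unsalted records a single precomputed table resolves immediately."""
    return {user: table[h] for user, h in dump.items() if h in table}


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Hardened scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    """Constructed dump: two users share a weak password, one has a strong one."""
    dump = {"alice": unsalted_hash("123456"), "bob": unsalted_hash("123456"),
            "carol": unsalted_hash("Tr0ub4dor&3")}
    recovered = recover_unsalted(dump, lookup_table(COMMON_PASSWORDS))  # alice and bob fall at once
    salted = {u: salted_hash("123456") for u in ("alice", "bob")}
    # With per-user salts the identical passwords no longer produce identical digests,
    # so a table built for one record tells the attacker nothing about the next.
    digests_collide = salted["alice"].split("$")[3] == salted["bob"].split("$")[3]
    return recovered, digests_collide


if __name__ == "__main__":
    print(demo())
```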

Merited or not, the fact of the matter is "breaches happen," according to
Carsten Casper, research director and head of the Privacy Key Initiative at
Gartner Research. "Those pointing the fingers might be the next ones
suffering from one." To Casper's point, the very same week LinkedIn fought
to put out its own privacy fire, online dating service eHarmony had to take
extra measures to protect its customers, when 1.5 million passwords were

Although experts agree that data breaches are one of the inherent costs of
doing business online, there are steps a company can take to safeguard
customer information and ensure proper risk management processes are
carried out should a data breach occur. To do this, though, it's important
to understand the most common area where the security war is being waged,
new threats, and what efforts are working to combat cyber criminals.

A Steep Price Tag

The LinkedIn and eHarmony password breaches might have put personally
identifiable information up for grabs, but companies also run the risk of
losing even more sensitive customer data—financials. The Federal Trade
Commission (FTC) brought suit against hospitality giant Wyndham Worldwide
in late June for allegedly exposing 619,000 consumer payment account
numbers to a domain in Russia. The FTC claims "the defendants' failure to
maintain reasonable security allowed intruders to obtain unauthorized
access," resulting in $10.6 million in fraudulent charges dating back to
2008, according to court documents.

"Businesses are clearly not acting responsibly enough," maintains Paul
Stephens, director of policy and advocacy at Privacy Rights Clearinghouse.
"The problem is, more businesses [are] ultimately taking the easy way out
[and this] will cost them. It has been shown that the cost of a data breach
to a company is quite high in terms of dollar cost, and in terms of users,
there is a loss of goodwill from their customers."

The FTC reported that identity theft and other scams cost Americans $1.52
billion in 2011, according to Reuters, and despite efforts to combat such
theft, it is on the rise. In fact, the number of complaints filed with the
FTC by consumers for identity-related crimes—1.8 million—was twice what it
was in 2006. Aberdeen Group, an information technology research firm, has
estimated that the worldwide impact of identity theft is a staggering $221
billion drain on businesses.

The Ponemon Institute, an independent privacy policy research center,
estimates that the median annual cost of cyber crime to a victim
organization ranges from $1 million to $52 million. In its second annual
"Cost of Cyber Crime Study," the center found that the most costly cyber
crimes are caused by malicious code, denial of service, stolen devices, and
Web-based attacks. Attacks range from such malicious activities as stealing
intellectual property, hijacking online bank accounts, and creating and
distributing viruses on computers to posting confidential business
information on the Internet and even disrupting critical national
infrastructure. The report also said that information loss accounts for 40
percent of external cyber crime costs.

According to the FBI, the disparity in the gross impact of cyber crimes
depends on an organization's size, scope, and industry. While small
companies might be devastated by one instance of cyber theft, larger
companies might not even realize they have been attacked for weeks, or even
months. When businesses are unable to recoup their losses, it can be
difficult to estimate damages, the FBI says. Also, some companies do not
wish to disclose that their systems and data have been compromised, making
it a difficult task to calculate true damage and loss.

Cyber Crime Continues

The general consensus among security experts is that cyber theft will
perpetuate because of the nature of the Internet. "There is no panacea, and
the major problem we're dealing with is a culmination of net globalization
and there being real money on the net," says security expert Jon Callas, a
former operating system security expert for Apple, who is now chief
technical officer for Entrust, a provider of identity-based security
solutions for enterprises, consumers, and the government. "If you're a
bright person living in a part of the world where $1,000 is a lot of
money…the temptation is very high and the risk is relatively small, so of
course [cyber criminals] will continue to strike."

But the FBI wants consumers and businesses alike to know that cyber crimes
don't always originate with foreign perpetrators. Very often, the threat
comes from within. Just this May, a contract employee for the Federal
Reserve Bank was charged with stealing proprietary software code valued at
$10 million to engage in immigration fraud practices. Originally retained
to develop the U.S. Treasury's Government-wide Accounting and Reporting
Program, the contractor replicated the code he was hired to develop on
three personal devices.

"As technology evolves, there are always going to be people who have the
skills and the desire to utilize that technology for gain in an unlawful
fashion," Stephens explains. "It's a…race [between] companies to keep ahead
of hackers and people who would like to penetrate a database unlawfully.
That can be a challenge."

Weighing Countermeasures

There is no magic bullet when it comes to combating the cyber theft
problem, due to the constant metamorphosis of technology. Organizations
like the PCI Security Standards Council, which develops the technical
requirements for data security programs for payment brands like American
Express and Visa, seek to standardize security. But "some argue that
standards are not high enough and that there's not a requirement for there
to be an audit depending on the size of the business," Stephens maintains.

State and federal governments have joined the fight against cyber crimes as
well. At press time, four U.S. senators had proposed the Data Security and
Breach Notification Act of 2012, which would seek to standardize reporting
of data breaches and would be enforced by the FTC with fines for
organizations of up to $500,000 per incident, according to InformationWeek.
There are more intensive requirements if the breach impacts more than
10,000 people, such as the need to refer the case to the FBI.

"By advancing a proposal that offers a comprehensive, uniform approach to
data security…[the bill] demonstrates that it is possible to protect
consumers while providing clear, consistent guidelines to businesses,"
wrote Jot Carpenter, vice president of government affairs for the
International Association for the Wireless Telecommunications Industry, in
a blog response to the legislation.

However, the National Conference of State Legislatures reports that 46
states, the District of Columbia, Puerto Rico, and the Virgin Islands all
have individual legislation requiring notification of security breaches
that involve personal information. And the latest effort by Congress to
enact a bill to standardize them all is certainly not the first.

Beyond government intervention, there are stand-alone bodies that exist to
help companies navigate the privacy and security landscape. The Online
Trust Alliance, for instance, is a member-based nonprofit group that
develops best practices to mitigate emerging privacy and security threats.
It recently unveiled the fourth annual Online Trust Honor Roll, measuring
the security and privacy best practices of 1,200 e-commerce, FDIC, and
social media sites. Twitter topped the list for its support of Do Not Track
privacy preferences; other leading companies included American Greetings
Interactive, Bank of America, Costco, Charles Schwab, and Zynga.

The companies that stood out on the honor roll continued to implement email
authentication, with more than 68 percent of the top 100 e-commerce sites
adopting both sender policy framework (SPF) and DomainKeys Identified Mail
(DKIM) email security specifications. Nearly 30 percent of sites on the
honor roll successfully implemented best practices, which include
maximizing secure sockets layer (SSL) server security. The alliance
reported that worldwide adoption of extended validation certificates
increased 48 percent this year over last.

American Greetings, for example, needed a way to safeguard customer data
for the millions of users who send e-cards through its service on a daily
basis. When the bulk of your online business is email-based, it becomes
increasingly important to ensure best practices are carried out. That's
when the greeting card company selected email security company Agari, also
a 2012 Online Trust Honor Roll recipient, to implement and manage
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
specifications within its interactive division to combat phishing attacks.
"Working with Agari will allow us to focus on continuing to proactively
investigate abuse while leveraging real-time reports and alerts, so we can
immediately take appropriate action to shut down and correct issues that
may arise," said Gary Von Hoch, vice president of Web operations and IT for
American Greetings, in a statement.

The value proposition for American Greetings was being able to identify,
"'What are my third parties?' 'What's me?' 'What's malicious?' and 'Here
are some things reporting to me, but which don't have authentication,'"
explains Daniel Raskin, Agari's vice president of marketing. To put it
simply, a security specification like DMARC allows organizations to build
email governance into their infrastructure, and to take a proactive
approach to safeguarding customer data. "The net effect is that they now
have a more secure email channel, and criminals, being smart, say, 'I'm
going to move on to their competitors' if there's a problem competing to
see your domains."

A Moving Target

While tightening email security screws is helpful, there are growing
concerns that cyber criminals will turn their attention to other popular
technologies, such as mobile devices and social media sites. With the
proliferation of social media, mobile devices, and location-based services,
experts agree the playing field for cyber thieves has widened. And sheer
volume of data is a top reason. "Think about your Facebook profile and how
much data the company has about you based on what you've shared [and what
others share about you]," says Andy Land, vice president of marketing for
identity management software company UnboundID. "That profile has to be
stored, secured, and hopefully privacy policies are applied. Facebook's
valuation was based on that richness of data."

Entrust's Callas concurs. "Ironically, one of the best ways to manage your
customers' privacy is to figure out what data doesn't need to be stored,"
he explains. "The privacy decision is to say, 'What do we not want to
save?' If my Web site that is giving you a service does not log all of the
details, then I have protected your privacy implicitly."

Because of the growing number of data breaches, a surge in cloud computing
and location-based services, as well as ever-changing regulatory policies,
Gartner Research predicts that at least half of all organizations will
revise their current privacy policies before the end of 2012.

Develop a Risk Management Strategy

To minimize your organization's chances of experiencing an embarrassing and
costly data breach, there are some preliminary steps to follow when
developing a case for risk management. According to the Privacy Key
Initiative's Casper, companies need to ask themselves these basic
questions: "Do we have someone in charge of information security? Do we
have a security program? Did we train our people? Do we verify how business
partners process data? Do we have a process in place to detect and respond
to a security or privacy breach?"

As Casper puts it, "The important thing is that companies conduct a risk
assessment and make a conscious decision: How much risk do they want to
take and how much money do they want to spend to mitigate some of that
risk? Companies need to define a common structure for privacy compliance,
based on corporate-wide privacy principles, but with enough flexibility to
adjust to local laws' requirements." This is especially true for companies
that operate in several countries and states within those countries, as
well as different industries.

While the U.S. Department of Justice and the FTC play varying roles in
privacy and identity theft enforcement, and while businesses should be
vigilant to ensure they're in compliance, Casper maintains that privacy
today is not only about complying with the law, but increasingly is
associated with meeting customer expectations.

It Happened to You. Now What?

As experts have outlined above, the only certainty about cyber crime is
that it will continue. But what a company can control is the manner in
which it bounces back from an incident and the effort it makes to prevent
future attacks. Here are strategies to consider:

Follow the lead of the airlines and NASA. According to Entrust's Jon
Callas, airlines and NASA have a predictable way of mitigating risk and
being transparent quickly. "They get the right people in to manage the immediate
problem and they don't deny that anything happened. They say, 'We will make
this right and we are conducting an investigation.' A company could say,
'Here are the things that we and people outside my company have identified
we did not do correctly. We are tasking people to fix these things and then
we will let you know when they happen.'"

Keep the lines of communication open. Paul Stephens, of the Privacy Rights
Clearinghouse, says it's crucial to be up-front about the extent of a
breach right when an investigation is opened. "Typically, when there is a
security breach that involves financial information, companies tend to
offer free credit monitoring to the affected individuals," he says. "Also,
it's important for companies to utilize this as an educational opportunity
for their customers. There are many customers, for instance, who are not
aware of such dangers as reusing passwords on multiple sites."

Be proactive with privacy, even if it costs you. Experts say that failing
to implement security measures for your business can be a little like
driving without insurance in hopes that you'll avoid a crash. Companies
"think they need to balance the value of processing information against the
risk of doing so," Carsten Casper, of Gartner Research's Privacy Key
Initiative, says. "That's wrong. The more personal data you collect and
process—in other words, the more value you generate—the higher the risk.
Companies can control the cost they put into risk mitigation. Some spend
very little on privacy, store lots of personal information, have a high
level of risk, and get away with it—until one day it falls apart."