Veterans Affairs: Why Not Implement Data Breach Lessons Learned?

Posted In Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 26th, 2010

 

Dissemination vs. Implementation

The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. 

What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required.   

Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminating data breaches after the fact, what if the VA actually explained and implemented lessons learned and took proactive steps towards prevention? 

I think the VA needs to ask a couple of questions:

1) Why are so many handheld devices and laptops being lost?  Are there ways we can educate our employees on best practices for protecting devices?  Are there consequences?

2) With so many devices and laptops lost each month, how do we ensure these devices are protected with encryption?  Are employees taking home sensitive information that should not be placed on personal devices?  Do employees know what information is sensitive?

3) What should be done to improve efficiencies in the mail room and prevent mailing errors with patient information?  How do we know there were only 441 errors; were these just the mistakes that were caught?

4) How can we implement ongoing awareness and educate our employees (and third-parties) on protecting sensitive information?

 

Breach notifications are expensive.  Credit reporting is expensive.  Replacing BlackBerrys and laptops is expensive.  Correcting errors and re-mailing information is expensive.

Prevention is a lot less expensive for Veterans Affairs and a lot less expensive for us taxpayers too… is anyone interested in implementing lessons learned?






Whistleblowers, Incident Reporting, Incident Management…Are You Ready?

Posted In Incident Reporting, Information Security, Legal, Regulatory Compliance, Risk Management, Workplace Violence on August 19th, 2010

 

Have you been paying attention to recent headlines?

 

“New whistleblower reward program has law firms gearing up”

“Attorney tells audience to brace for a storm of whistleblower lawsuits”

“Financial reforms up retaliation risk”

“Preventing violence in health care setting”

“Banks seek customers’ help to stop online thieves”

 

Lessons learned and headlines are mounting and organizational leaders from nearly every sector should be paying close attention if they want to prevent their name and their organization’s name from being featured in unwanted headlines and lawsuits. 

In a few of our next blog posts, I will be sharing lessons learned on how incident reporting, incident management, threat assessment teams, prevention, intervention, documentation and CYA will play a critical role for the foreseeable future… are you ready?






Rite Aid – HIPAA Violation – Lessons Learned Not Implemented

Posted In Incident Reporting, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management on August 12th, 2010

 

Did everyone see this ultimate lesson regarding lessons learned but not implemented? 

Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years.

Now roll the clock ahead to July 2010 and another pharmacy chain – Rite Aid Corp. – has agreed to pay a $1 million fine because they violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters.

The HHS settlement against Rite Aid requires their pharmacies to:

  • Establish policies and procedures for disposing of protected health information and sanctioning workers who do not follow them;
  • Create a training program for disposing of patient information;
  • Conduct internal monitoring;
  • Obtain an independent assessment of its compliance for three years.

 

The FTC settlement against Rite Aid requires the company to:

  • Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
  • Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.

 

For lessons learned to become lessons implemented, organizations must ensure that their program [security, privacy, compliance, risk management, etc.] is clearly defined, communicated, acknowledged by all appropriate personnel, documented, updated and maintained on an ongoing basis. 

Unfortunately most programs are just pushed out on portals, intranets and shared drives or blasted out in binders, e-mails and memorandums. 

Albert Einstein said it best:

“Insanity is doing the same thing over and over again and expecting different results.”

Are you and your organization doing the same thing over and over again and expecting different results?






Is Your Company Vulnerable to Social Engineering?

Posted In Information Privacy, Information Security, Risk Management on August 5th, 2010

 

Lessons learned from a recent hacking competition at Defcon revealed yet again that your employees are the biggest threat to your organization.

With just two phone calls, a hacker posing as a Louisiana-based employee handling claims involving the Gulf oil spill was able to trick a computer support employee at BP into divulging sensitive information that could have proved crucial in launching a network attack.  The employee provided information to the caller including the model of laptops BP used, the specific operating system, browser, anti-virus and VPN software.  The hacker also convinced the employee to visit an unknown web site, Social-Engineer.org.

Other hackers in the competition asked company employees what version of Adobe Reader the company used or who the garbage collector was that hauled their trash.  Employees seemed extra willing to help the hackers who pretended to lack specific information.  Several large corporations were targeted including BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola and Ford.  Only 3 of the 10 companies passed the test and did not provide any sensitive information.

Are your employees this gullible?  Is your company vulnerable to social engineering attacks?

By sharing real-world stories like the competition results above, you can help your employees understand the risks and potential consequences of revealing sensitive information.  Managers can help employees become aware of how they can protect their jobs, their organization and its clients by preventing data breaches, information losses, lawsuits, etc.

Hackers are continuously developing new tactics and more sophisticated strategies for retrieving information from unsuspecting employees.  Because we know hackers are getting better at social engineering, it is critical for your organization to develop better awareness training and education to keep up with changing risks, threats and more sophisticated techniques. 

Link: Companies Fail Social Engineering Contest






Siemens Lessons Learned: The Dangers of Default Passwords

Posted In Information Security, Risk Management on July 28th, 2010

 

One of the first things security professionals recommend when you install new programs, systems or hardware is that you change the default password immediately.  And, if a system has been breached or is vulnerable to a potential breach, most security professionals recommend your users change their passwords as a precaution.

Now, what if the password was hard-coded into the system and could not be changed without throwing all systems into chaos and disrupting or halting operations?  

And what if the default password for your software had been shared in online forums since 2008? 

That would never happen, right…?

Unfortunately this is exactly what has happened to Siemens and their SCADA software.  SCADA (supervisory control and data acquisition) software is commonly used in utilities and has become a popular target for hackers of all types.  For example, the Stuxnet malware targets Siemens SCADA software: it searches for specific software and then uses the hard-coded password to log in to the access control database.  Once this database is accessed the malware can steal information.  Changing the passwords and blocking the malware’s attempts may create even bigger issues.

So, what are the lessons learned here?

1) Default passwords are and always will be a major vulnerability.

2) Passwords should not be hard-coded into a system.

3) Passwords should not be shared on online forums and if they are, the password should immediately be changed!

4) Changing passwords should not cause systems to stop working.
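The first two lessons describe configuration defects that can be checked for mechanically rather than by memory. The following is an added example, not Siemens code and not anything from the post: a small Python audit that flags passwords left at a generic factory default, passwords hard-coded as literals in configuration, and credentials past an assumed 90-day rotation age, next to a loader that reads secrets from the environment and fails closed when one is missing (so a rotation is a configuration change, not a code change, addressing lesson 4). The default-password list, the `env:NAME` reference convention, the account names, the sample environment and the rotation policy are all constructed for illustration; the actual Siemens credential is deliberately not reproduced.

```python
from dataclasses import dataclass
from datetime import date

# Constructed list of generic factory defaults, used only as an illustration.
# The Siemens credential discussed in the post is intentionally not reproduced.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "default", "12345"}
MAX_AGE_DAYS = 90            # assumed rotation policy, not from the post
ENV_PREFIX = "env:"          # assumed convention: "env:NAME" means read NAME from the environment
AUDIT_DATE = date(2010, 7, 28)   # the post's date, used as "today" for the sample run


@dataclass
class Finding:
    account: str
    severity: str   # "high" or "medium"
    message: str


def resolve_secret(value: str, env: dict) -> str:
    """Turn a configuration value into the secret the service should use.

    Literal values are returned unchanged (the audit below flags them).
    'env:NAME' references are read from the supplied environment and fail
    closed: a missing secret stops start-up instead of silently falling back
    to a built-in default.
    """
    if value.startswith(ENV_PREFIX):
        name = value[len(ENV_PREFIX):]
        if not env.get(name):
            raise RuntimeError(f"secret {name} is referenced but not provisioned")
        return env[name]
    return value


def audit_credentials(config: dict, today: date, env: dict) -> list:
    """Check every account's password entry and return the list of findings."""
    findings = []
    for account, entry in config.items():
        value = entry["password"]
        if value.startswith(ENV_PREFIX):
            try:
                secret = resolve_secret(value, env)
            except RuntimeError as exc:
                findings.append(Finding(account, "high", str(exc)))
                continue
        else:
            # A literal in the config file is a hard-coded password: it ends up
            # in backups, repositories and forum posts, and cannot be rotated
            # without redeploying the configuration.
            secret = value
            findings.append(Finding(account, "high", "password is hard-coded in configuration"))
        if secret.lower() in KNOWN_DEFAULTS:
            findings.append(Finding(account, "high", "password is a known vendor default"))
        age_days = (today - date.fromisoformat(entry["last_rotated"])).days
        if age_days > MAX_AGE_DAYS:
            findings.append(Finding(account, "medium", f"password not rotated for {age_days} days"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity level."""
    return {sev: sum(1 for f in findings if f.severity == sev) for sev in ("high", "medium")}


# Constructed sample configuration for three accounts (not real systems).
SAMPLE_CONFIG = {
    "scada_db":  {"password": "admin", "last_rotated": "2008-01-15"},
    "hmi":       {"password": "Literal-but-unique-7", "last_rotated": "2010-07-01"},
    "historian": {"password": "env:HISTORIAN_DB_PASSWORD", "last_rotated": "2010-06-01"},
}
# Constructed environment standing in for a real secret store.
SAMPLE_ENV = {"HISTORIAN_DB_PASSWORD": "rotated-out-of-band"}


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG, AUDIT_DATE, SAMPLE_ENV):
        print(f"[{f.severity}] {f.account}: {f.message}")
```

With the sample environment supplied, only the two accounts with literal passwords produce findings (the `scada_db` entry is hard-coded, a known default and long overdue for rotation); running the same audit with an empty environment adds a high finding for `historian`, which is the fail-closed behaviour a forum-leaked default would never have given you.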

 

If you work in a utility or organization utilizing SCADA software…be aware and be prepared.






CFOs Have Responsibility To Break Down Risk Management Silos

Posted In Business Continuity, Information Security, Regulatory Compliance, Risk Management on July 12th, 2010

 

Last week financial executives received some valuable advice on ways to significantly reduce costs associated with an expensive non-budgeted item – cybercrime.

Greg Schaffer heads up DHS’s Office of Cybersecurity and Communications and his comments on cybercrime included:

“Cybercrime is not a problem that is growing, or coming, or off in the future.  This is a problem right now.”

Mr. Schaffer also cited some statistics from reports and surveys:

  • A single cyber breach costs companies an average of $6.75 million
  • 27 countries have claimed to have experienced financial losses related to cybercrime
  • In 2009, 30 million examples of new malicious software were released

 

Mr. Schaffer shared that there is a “disconnect” between corporate risk managers and information technology professionals.  Mr. Schaffer also pointed out that most companies have kept risk management related to cybercrime in “a silo” within the IT department, rather than treating cybercrime as a risk the entire organization must address.

Mr. Schaffer had this advice too: because CFOs play an important role in enterprise risk management, CFOs have a responsibility to break down “silos” within an organization.

Do you have “silos” in your organization? 

Of course you do!  CFOs (along with CEOs, COOs, CROs, etc.) must become more proactive and prevention focused.  CFOs must find better ways to break down silos and connect the dots before a cybercrime incident creates a huge hit on their bottom line.






SEC Provides Lessons Learned on Policies and Porn

Posted In Business Continuity, Human Resources, Incident Reporting, Information Security, Legal, Risk Management on July 7th, 2010

 

A recent follow-up article in Federal Computer Week (FCW) highlighted the porn scandal at the Securities and Exchange Commission (SEC) and suggested this was a dramatic wake-up call for any government agency that doubted the need for and importance of an airtight security policy.

Good for Teri Robinson… who wrote the article!!

However…the steps Teri laid out that an agency should take to build and enforce a security policy are missing a couple of critical steps based on lessons learned and legal defensibility.  Teri suggested the following steps:

  • Review existing policy
  • Social media guidelines should be included and should be specific
  • Assign responsibility because policies are more easily adopted if someone is in charge
  • Train, train, train: as threats change, so do policies, so regular training is needed
  • Enforce the rules
  • Ramp up resources with technology and staffing

 

I agree with Reviewing Existing Policy, Including Social Media and Enforcing the Rules.

I sort of agree with Assigning Responsibility and Train, Train, Train…

I disagree with Ramping Up Resources and Staffing Up.

Based on lessons learned, the following steps are also needed:

  • Accountability at the Individual Level
  • Documentation of Individual Acknowledgements
  • Situational Awareness and Case Studies that relate to organization specific policies
  • Incident Reporting and Incident Management Tools for Assessment/Prevention Teams

 

And based on lessons learned, more staff for enforcement and training is probably not necessary if you implement the right tools for current personnel to utilize.

Now if we could just get federal agencies to start using “tractors” instead of “old horses”…






Organizational Security: Is Your Door Wide Open?

Posted In Information Security on June 29th, 2010

 

Last Tuesday at about 2:00 AM, I woke up to the doorbell ringing and knocking on our front door.  While I was initially a little startled, my next thought was, “Why isn’t our ferocious guard dog barking?” 

When we answered the door, it was the local police department informing us that we had left our garage door wide open (welcoming in thieves and intruders).  After overcoming our embarrassment and thanking the officer, I then had to check through the house to make sure there was no one hiding out in the basement.

This incident got me thinking; you can have the best security system in the world, guard dog, alarm system, door locks, cameras, etc., but if you make one simple mistake like forgetting to shut your garage door after mowing the yard, your entire house (or system) is at risk. 

A recent Dark Reading article also revealed that some of the biggest vulnerabilities organizations face can be the most obvious everyday things.

For example, the article listed several everyday dangers that are often overlooked:

  • Network-attached devices
  • Paper documents
  • Passwords on post-its
  • Portable storage devices
  • Printers and fax machines

 

One of the article’s tips was to change the default password for devices attached to the network.  While this tip seems like common sense, many organizations may find themselves at risk if they do not verify all devices are secure.

The article also revealed that many “open doors” can be found on employees’ unattended desks including:

  • Security badges
  • Entry cards
  • Passwords
  • Keyrings
  • USB drives

 

So, how can you ensure your organization is not leaving doors open? 

By providing ongoing training and situational awareness, you can help educate your employees on everyday risks and vulnerabilities.  Employees (and third-parties) need to be made aware of new risks and threats and best practices for securing their environments.  You should also establish policies and procedures for verifying devices are secured, passwords are secured, desks are cleared, etc.  Once these policies and procedures have been created, you must also ensure they are communicated and acknowledged by all appropriate personnel and everyone understands their individual roles and responsibilities. 

Are your employees leaving your organization’s doors wide open?






Marketing Security as a Competitive Advantage

Posted In Information Security on June 7th, 2010

 

The title above is taken from an interview with author/journalist Joseph Menn that I saw on BankInfoSecurity.com.  Mr. Menn suggests it is time for banking institutions to start marketing their security and protective measures as competitive advantages.

Mr. Menn went on to say, “They should put serious security in place – and advertise it.  Get this competition going on the basis of security. That will gain them customers, in my opinion.”

My question is this…I wonder what Mr. Menn thinks banks should be doing to “put serious security in place”?  Is it just me or do we have a lot of authors and journalists pretending they have the answers when they say things like “they should put serious security in place”?

What do you think “serious security” is?

What do you think the process is to “put serious security in place”?






Prevention is Key to Escalating Costs for Banks and Customers…

Posted In Information Privacy, Information Security, Legal, Regulatory Compliance on June 4th, 2010

 

Did you see this lesson learned involving a bank and their customer?  

We all know that famous quote from Benjamin Franklin – “An ounce of prevention is worth a pound of cure”… but knowing it and implementing it are two entirely different efforts.

I hope financial institution and business leaders are paying attention and realizing that COSTS related to implementing prevention are a whole lot less expensive than COSTS related to reaction and damage control.

What if PlainsCapital and Hillary Machinery had invested more in individual level awareness and tools that could have prevented this string of events?

  • Cyber criminals transferred more than $800,000 out of Hillary Machinery’s bank account via ACH and wire transfers.
  • Hillary Machinery and PlainsCapital bank were able to recover about $600,000 of the funds that were sent to eastern Europe.
  • Hillary Machinery asked PlainsCapital to repay the remaining $229,000.
  • PlainsCapital responded by filing a lawsuit against Hillary Machinery asking the judge to declare the bank’s security measures “reasonable”.
  • Hillary Machinery filed a countersuit that charged that the bank did not catch the irregular wire transfers and ACH transactions made to Europe over a weekend.
  • Hillary Machinery moved their business accounts to a different bank.
  • PlainsCapital settled its lawsuit against Hillary Machinery. 
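The countersuit’s complaint was that weekend transfers to an unusual destination went through unchallenged. As an added example (not code from either company and not from the post), here is a rule-based review in Python that holds an outbound ACH or wire transfer for out-of-band confirmation with the customer when it is initiated on a weekend, goes to a country the customer has never paid before, is far above the customer’s baseline amount, or arrives as part of a burst. It generalizes the page’s case with the amount and velocity rules; the thresholds, the account name, the customer profile and the transactions are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed review thresholds, not taken from the post or from either bank.
AMOUNT_MULTIPLIER = 3.0        # hold if amount > 3x the customer's typical transfer
VELOCITY_WINDOW_HOURS = 48     # burst-detection window
VELOCITY_COUNT = 3             # hold the Nth outbound transfer inside the window


@dataclass
class Transfer:
    tx_id: str
    account: str
    amount: float
    dest_country: str     # country code of the beneficiary bank
    channel: str          # "ACH" or "WIRE"
    when: datetime


@dataclass
class CustomerProfile:
    usual_countries: set      # countries this customer has paid before
    typical_amount: float     # baseline, e.g. average of past approved transfers


def review_transfers(transfers, profiles):
    """Return {tx_id: [reasons]} for every transfer that should be held
    pending out-of-band confirmation with the customer."""
    flagged = {}
    history = {}   # account -> transfers already processed, oldest first
    for t in sorted(transfers, key=lambda x: x.when):
        profile = profiles[t.account]
        reasons = []
        if t.when.weekday() >= 5:                      # Saturday=5, Sunday=6
            reasons.append("initiated on a weekend")
        if t.dest_country not in profile.usual_countries:
            reasons.append(f"new destination country {t.dest_country}")
        if t.amount > AMOUNT_MULTIPLIER * profile.typical_amount:
            reasons.append("amount far above customer baseline")
        seen = history.setdefault(t.account, [])
        recent = [p for p in seen
                  if (t.when - p.when).total_seconds() <= VELOCITY_WINDOW_HOURS * 3600]
        if len(recent) + 1 >= VELOCITY_COUNT:
            reasons.append(f"{len(recent) + 1} outbound transfers within {VELOCITY_WINDOW_HOURS}h")
        seen.append(t)
        if reasons:
            flagged[t.tx_id] = reasons
    return flagged


def held_amount(transfers, flagged):
    """Total value kept back if every flagged transfer is held for confirmation."""
    return sum(t.amount for t in transfers if t.tx_id in flagged)


# Constructed sample: one routine domestic payment on a Friday, followed by a
# weekend burst of transfers to countries the customer has never paid.
SAMPLE_PROFILES = {"ACME-OPS": CustomerProfile({"US"}, 12_000.0)}
SAMPLE_TRANSFERS = [
    Transfer("T1", "ACME-OPS",  9_500.0, "US", "ACH",  datetime(2010, 11, 5, 9, 0)),    # Friday
    Transfer("T2", "ACME-OPS", 48_000.0, "RO", "WIRE", datetime(2010, 11, 6, 10, 15)),  # Saturday
    Transfer("T3", "ACME-OPS",  9_000.0, "UA", "ACH",  datetime(2010, 11, 6, 14, 40)),  # Saturday
    Transfer("T4", "ACME-OPS", 52_000.0, "LV", "WIRE", datetime(2010, 11, 7, 3, 5)),    # Sunday
]


def run_sample():
    """Review the constructed batch and return the transfers to hold."""
    return review_transfers(SAMPLE_TRANSFERS, SAMPLE_PROFILES)


if __name__ == "__main__":
    flags = run_sample()
    for tx_id, reasons in flags.items():
        print(f"HOLD {tx_id}: " + "; ".join(reasons))
    print(f"held for confirmation: {held_amount(SAMPLE_TRANSFERS, flags):,.2f}")
```

The Friday payment passes untouched, while all three weekend transfers are held, each for more than one reason; the point of stacking independent rules is that a single weak signal (a Saturday timestamp) becomes a strong one when a new destination, an outsized amount or a burst coincides with it. The velocity rule counts the legitimate Friday transfer too, which is deliberate: a burst is measured against everything the account sent, not only against what already looks wrong.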

 

Hillary Machinery is saying nothing and PlainsCapital is saying nothing.

Bottom line…the COSTS to both organizations were significant.  When you add up the COSTS for legal fees and reputation management related to negative headlines along with each organization’s time, resources, marketing, damage control and lost business…you see that prevention would have been much less expensive.

Is your financial institution prepared to prevent this type of incident?  Are customers prepared to do their part in preventing this type of incident?  Are business leaders prepared to prevent sophisticated cyber attacks and risks?

One last thing…don’t you wonder what the settlement details were?





