Tuesday, April 26, 2016

Vehicle Cybersecurity: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack

April 25, 2016 - Modern vehicles contain multiple interfaces--connections between the vehicle and external networks--that leave vehicle systems, including safety-critical systems, such as braking and steering, vulnerable to cyberattacks. Researchers have shown that these interfaces, if not properly secured, can be exploited through direct, physical access to a vehicle, as well as remotely through short-range and long-range wireless channels. However, the majority of selected industry stakeholders interviewed for this GAO report agreed that wireless attacks, such as those exploiting vulnerabilities in vehicles' built-in cellular-calling capabilities, would pose the largest risk to passenger safety. Such attacks could potentially impact a large number of vehicles and allow an attacker to access targeted vehicles from anywhere in the world. Despite these concerns, some stakeholders pointed out that such attacks remain difficult because of the time and expertise needed to carry them out and thus far have not been reported outside of the research environment.

You may read the full report here.

Survey: Retail IT Professionals' Confidence in Cyber Security Capabilities Increases as Data Breaches Rise

One-third of retail IT professionals say a data breach has occurred at their company

PORTLAND, Ore. - April 26, 2016 - Tripwire today announced the results of its 2016 retail cyber security survey. Conducted by Dimensional Research, the survey evaluated the attitudes of over 200 IT professionals in the retail sector and compared their responses to a similar survey Tripwire conducted in 2014.

According to a report by Arbor Networks, it takes retailers an average of 197 days to detect advanced threats on their networks. However, Tripwire’s 2016 survey found that ninety percent of the respondents believe they could detect a data breach on critical systems in one week or less. In 2014, seventy percent of respondents believed they could detect a breach in one week or less.

"Unfortunately, these results indicate that we can expect retail breach activity to continue in the future," said Tim Erlin, director of IT security and risk strategy. "The increase in confidence connected with speed of breach detection is particularly surprising, especially in combination with partial implementation of detection tools. Together these results indicate while retail organizations might feel better about their cyber security capabilities, there's still a long way to go to close the gap between initial compromise and detection."

Additional findings from the study include:
  • Seventy-five percent of the 2016 respondents believed they could detect a breach within 48 hours, compared with forty-two percent in 2014. 
  • Retail data breaches involving personally identifiable information (PII) have more than doubled since 2014. When asked if a data breach occurred at their organization where PII was stolen or accessed by intruders, one-third (thirty-three percent) of the respondents said, "yes," compared with fourteen percent in 2014. 
  • Implementation of breach detection technology has remained flat. In both 2014 and 2016, fifty-nine percent of the respondents said their breach detection products were only partially or marginally implemented. Both surveys defined breach detection as anti-virus software, intrusion detection systems, malware detection, white listing and file integrity monitoring.
  • Companies with larger revenues monitor configuration parameters on critical payment assets less frequently. Sixty-five percent of respondents working for organizations with revenues of less than $100 million check their compliance at least weekly, and only fifty-five percent of respondents with revenues of more than $100 million answered similarly.

Trend Micro recently reported that malware that affects point-of-sale (POS) systems grew sixty percent in the third quarter of 2015 alone. According to Verizon's 2015 Data Breach Investigations Report, attacks on POS systems continue to be the top source of confirmed data breaches.

Erlin continued, "Partially implemented tools are a serious liability for information security. Organizations need to move from a checkbox approach to measuring gaps in their security coverage. If you're not monitoring one hundred percent of your endpoints, you're leaving room for attackers to gain a foothold."

Friday, April 15, 2016

EU Data Protection Law Is Passed: What You Need to Know Now

April 15, 2016 - (Eskenzi PR) - Yesterday, the European Parliament passed the final vote for the new General Data Protection Regulation (GDPR). These approved new data protection rules will strengthen online privacy, streamline legislation between the 28 member states and boost police and security cooperation. Notably, the regulation includes tougher penalties for companies in breach of EU data protection law, with fines of up to 4% of global turnover, and a requirement for companies to disclose personal data breaches within 72 hours.

Dr. William Priestley, systems engineer at Varonis, explains:

"The GDPR replaces the ageing Data Protection Directive, to address contemporary data consumption paradigms such as: the internet, cloud hosting and big data analytics. Basically, it addresses a Digital Single Market where data is flowing increasingly without boundaries. It also expands the territorial reach of, and therefore protection by, EU Data Protection law to organizations outside of the EU but working with data of EU citizens.

It adopts the "Privacy by Design" school of thought, meaning it will:

• minimize the collection of personal data
• account for where personal data resides
• delete personal data that's no longer necessary
• restrict access to only those that need it
• secure personal data through its entire lifecycle

It also adopts, by design, accountability for the data, meaning organizations will need:

• to implement technical and organizational measures to properly process personal data; i.e., design comprehensive data governance policies and introduce technical methods to implement and enforce them
• in certain circumstances, to nominate a Data Protection Officer
• to provide clear documentation of process
• to conduct Data Protection impact assessments

GDPR legitimately recognizes Binding Corporate Rules, allowing intra-group international data transfers, and as such requires strict data governance practices to be in place before approval for a BCR. In the GDPR, a data breach needs to be reported within 72 hours of awareness. Those affected also need to be informed. Infringements, such as data breaches, will result in fines of up to 4% of global revenue (not margin).

What Organizations Need to Start Doing Now in Preparation for the GDPR

GDPR won't come into force immediately, but is looking likely to be effective within 2018. Before then, organizations will need to have in place all the governance policies, incident response plans and technical framework within which to effect compliance.

From an IT/digital perspective, these include:

• Prepare for data security breaches and have an incident response plan. (Ideally, detect and alert on data breach activity and prevent it. In the event of a breach, be able to provide forensic analysis of what data was affected by the breach and when it occurred, and provide this information to the Data Protection Authorities and affected individuals accordingly.)
• Establish a framework for accountability within the business (who owns the data, who are the data processors, train staff down the reporting line to understand their obligations, etc.).
• Embrace privacy by design in the business culture (restrict access to data, track the data's lifecycle activity, retire the data when it is no longer needed)."

Thursday, April 7, 2016

Energy Sector Sees Dramatic Rise in Successful Cyber Attacks

Portland, OR – April 7, 2016 – Tripwire, Inc. today announced the results of a study conducted for Tripwire by Dimensional Research. The study, which was carried out in November 2015, assessed cyber security challenges faced by organizations in the energy sector. Study respondents included over 150 IT professionals in the energy, utilities, and oil and gas industries.

When asked if their organization had experienced a rise in successful cyber attacks in the last 12 months, seventy-seven percent of the respondents in Tripwire’s study replied, “yes.” In addition, more than two-thirds of the respondents (sixty-eight percent) said the rate of successful cyber attacks had increased by over twenty percent in the last month.

“It’s tempting to believe that this increase in attacks is horizontal across industries, but the data shows that energy organizations are experiencing a disproportionately large increase when compared to other industries,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “At the same time, energy organizations face unique challenges in protecting industrial control systems and SCADA assets.”

Additional findings from the study include:

• Energy executives were more than twice as likely to believe their organization detected every cyber attack (forty-three percent) as nonexecutives (seventeen percent).

• In the last 12 months, seventy-eight percent of the respondents said they experienced a cyber attack from an external source, and thirty percent have seen an attack from an inside employee.

• Forty-four percent of the respondents indicated they have not gathered enough information to identify the sources of cyber attacks on their organizations.

• Nearly one-fourth (twenty-two percent) of the respondents admitted their organizations do not have business processes to identify sensitive and confidential information.

“Detecting attacks successfully is the midpoint of the overall process,” Erlin continued. “Energy organizations need to invest in greater prevention and forensic tools to decrease the rate of successful attacks and fully investigate those they can’t prevent.”

According to the Department of Homeland Security, the energy sector faces more cyber attacks than any other industry. Despite these escalating risks, the energy sector faces serious challenges responding to security threats effectively. For example, the results of the North American Electric Reliability Corporation’s (NERC) GridEx III "cyberwar games" revealed significant challenges with the cyber threat intelligence practices of grid operators.

In addition to this study, Tripwire conducted a survey of 200 security professionals attending RSA Conference 2016. When asked if a cyber attack would cause physical damage to critical infrastructure in 2016, eighty-three percent of the respondents replied, “yes.” In addition, seventy-three percent of respondents to this second survey said critical infrastructure providers are more vulnerable to ransomware attacks than other organizations.

For more information about the survey please visit Tripwire.

Wednesday, April 6, 2016

Data Security Incident Response Report Reveals Being "Compromise Ready" Better Positions Companies to Respond to Incidents

Second annual report shows shift in cause of incidents: phishing/hacking/malware are now number one

New York, March 30, 2016 – According to the 2nd annual BakerHostetler Data Security Incident Response Report, phishing/hacking/malware was the cause of 31% of data security incidents during 2015, revealing a shift from 2014, when human error was the leading cause. The report also continues the inaugural-year theme that no industry is immune to data security incidents, which reinforces that it is more important than ever for companies to take action in advance to become ready for the inevitable incidents to come.

“Being ‘compromise ready’ better positions companies to respond to data security incidents faster, contain the threat, and potentially lessen the severity of these events,” explains Theodore Kobus, Chair of BakerHostetler’s Privacy and Data Protection team. “This year’s report has evolved to include more robust data to raise awareness of how these events take place, and also includes the action items companies should take to their boards of directors to plan for the inevitable data security incident.”

The full 2016 BakerHostetler Data Security Incident Response Report can be found here. The Privacy and Data Protection team will host a webinar on these findings on April 20 at noon ET.

The report, produced by the Privacy and Data Protection Team at BakerHostetler, analyzes data from more than 300 incidents on which the firm advised in 2015. The report looks at causes of incidents, industries most affected, and what happens after a security incident is detected – from containment, to notification, to regulatory investigations and even lawsuits. A final section in the report provides the eight components of being compromise ready and identifies measures companies should take to minimize the impact of an incident.

Notable statistics from the report include:

• Cause of incidents: phishing/hacking/malware (31%), employee actions/mistakes (24%), external theft (17%), vendor-related incidents (14%), internal theft (8%), and lost or improper disposal (6%).
• No industry is immune: the healthcare industry (23%) was affected more than any other. Rounding out the top three are financial services (18%) and education (16%).
• Number of individuals notified: for incidents in 2015 where notification was made, the average number of individuals notified was 269,609 and the median was 190,000.
• 52% of the incidents that BakerHostetler helped manage in 2015 were self-detected.
• Detection time – the time from when an incident first began until it was detected – ranged from 0 days to more than 400 days. The average amount of time from incident to discovery for all industries was 69 days, with healthcare taking nearly twice as long as other industries. Average amount of time from discovery to containment was 7 days.
• Notification – the average amount of time from discovery to notification – was 40 days.
• Not all incidents require notification to individuals or the public at large. In about 40% of the incidents that BakerHostetler helped manage in 2015, notification or public disclosure was not necessary.
• Credit monitoring was offered in 53% of the incidents that BakerHostetler advised on in 2015 and the average redemption rate was 10%.
• Regulatory inquiries resulted from 24% of incidents reported, and litigation commenced after 6% of the incidents were made public.

“While healthcare companies again topped the ‘Frequency of Breach Incidents by Industry’ list, our findings show that those incidents are less severe than those that occur in other industries on average. In fact, topping the severity list by number of individuals affected was restaurants/hospitality, mostly due to financially motivated attacker groups moving their focus from grocers and big-box retailers to restaurants, hotels, and casinos,” explains Kobus.

Compromise Ready

“Every company should be constantly focused on preventing, detecting, and having the right capabilities in place to respond to incidents. Accepting that incidents are inevitable does not mean that you stop trying to prevent them. In addition to reducing risk profiles through information governance and implementing preventative security measures, companies must focus on adapting measures to changing risks along with faster detection and containment to effectively respond,” says BakerHostetler Privacy and Data Protection Team Partner Craig Hoffman.

“The bottom line is that the key to successful and rapid containment is to plan for the inevitable incident. Companies that have identified the forensic firm they will work with, have a master services agreement in place, and have conducted scenario planning usually reach containment faster and with less impact to business operations and reputation,” says Kobus.