Fall-outs from infamous data breaches

In a blog on IT Governance dated February 17, 2015, Julia Dutton wrote about the expenses and other ramifications that companies caught with a data breach have endured and could encounter in the future. We are talking lawsuits, remediation (both for the company and its customers), more investigations, and possible firings of top executives. Any organization that does not take its IT security seriously could find itself paying out millions of dollars to potential victims of any data breach from its files. Lawsuits are now proceeding against Target from the banks that had to pay out to replace the compromised credit cards. If you think you are safe, that is the first clue that you need more security. No one is safe anymore; about the best we can do is to do our best to protect our assets and our customers from data breaches. As Jeff Mueller, FBI Director, once said, “There are only two types of companies: those that have been jacked and those that will”.

Merchants have new cause for concern

Reuters published an article on December 5th talking about new lawsuit status that could leave merchants and others taking credit cards for payment with more concern than ever. A judge in Minnesota ruled that a class action lawsuit from banks and other financial institutions can proceed against Target. U.S. District Judge Paul Magnuson found that the banks were foreseeable victims of Target’s negligent conduct. The suit seeks to recover some of the billions the banks and financial institutions spent replacing customers’ compromised credit and debit cards. Target filed to dismiss because there was no contract in place between the card issuers and Target. Magnuson agreed with the banks’ argument that the case is about plain old negligence, not third-party contract harm. He also found that imposing a duty of care on Target “will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information”, a policy he found followed from Minnesota’s Plastic Card Security Act, which holds merchants liable for card issuers’ costs on Minnesota businesses that have violated the law’s restrictions on retaining customer data.

Travel Smart During Spring Break

This spring break, students and families will step away from school and travel to warmer locales.

Before you jet to your spring break destination, don’t forget to pack your passport, sunscreen, and these mobile safety tips from Stop.Think.Connect.:

Keep a Clean Machine. Ensure all devices that connect to the Internet, including smart phones, tablets, and laptops, have the latest mobile security software, web browsers, and operating systems. This is the best way to defend against viruses, malware, and other online threats.

Protect Your Personal Information. Keep your phone securely locked (with a passcode) and in your possession. Disable geotagging features on your phone and applications so that your movements are not tracked and broadcast. Only give your phone number to people you know, and don’t share your friends’ numbers without their permission.

Connect with Care. While conducting online banking or shopping, look for websites that begin with “https.” These sites have taken extra measures to secure your information. Also, be wary of using public Wi-Fi or Internet hotspots to conduct sensitive online activities, such as banking and shopping.

Be a Good Online Citizen. Think before you upload photos or videos. What you put online can have consequences in the future. Ask your friends’ permission before uploading photos of them as well.

For more cybersecurity tips for those on the go, download the Stop.Think.Connect. Mobile Safety Tip Sheet.

This information was published by GovDelivery on behalf of the US Department of Homeland Security in a March 2014 newsletter email.

Be Aware of Online Fraud – Protect Yourself.

Online fraud is big business for criminals. The Internet Crime Complaint Center (IC3), jointly run by the Federal Bureau of Investigation and the National White Collar Crime Center, reported receiving over 289,000 complaints in 2012, which resulted in more than $525 million in losses. Many long-running telemarketing and mail fraud techniques are now being used on the Internet, with criminals preying on people’s trust to bilk Americans out of millions of dollars. In addition, some criminals target older Americans or small businesses with specific scams.

Common online fraud scams include:

  • People selling items, such as automobiles, that they do not own. These transactions can take place over sites like Craigslist or eBay, with the buyer transferring money electronically and receiving no product in return.
  • Phishing and spoofing, where criminals pretend to represent a legitimate company or agency and request personal information from their targets. These attempts can include a legitimate-looking email or website. In these cases, the criminals have “spoofed” a real company’s site.
  • Nigerian letter scam, where people are offered to share in a large sum of money if they can help place this money in overseas bank accounts. Victims give criminals their bank account information and send money to the criminals to help pay for bribes and taxes with the promise of repayment.
So how can you protect yourself? Follow these tips from the Stop.Think.Connect.™ Campaign and the National Cyber Security Alliance (NCSA):
  • Think Before You Act. Be wary of “too good to be true” deals. Free money, cheap iPads, cheap cars – if a deal sounds too good to be true, then it probably is.
  • When in Doubt, Throw it Out. Do not click on links or emails that seem suspicious or are from unknown, unsolicited sources.
  • Shop Only at Reputable Online Retailers. Look for the padlock symbol or for URLs that start with “https” or “shttp.” For auction sites such as eBay, check the seller’s reviews.
  • Use Safe Payment Options. Use a credit card if possible. Credit cards have higher protection measures than debit cards. If you do become a victim of fraud, credit cards offer a better chance that you will not be liable for fraudulent charges.
If you believe you have been a victim of online fraud, file a complaint with Fraud.org’s online complaint form at http://fraud.org/complaint or with IC3 at http://www.ic3.gov/complaint/default.aspx.

This information was published by GovDelivery on behalf of the US Department of Homeland Security in a March 2014 newsletter email.

How employees get around IT policies and restrictions

Thanks to mobile devices, cloud services, mobile apps and MiFi hotspots, end users can get around even the most stringent IT policies. But how do they do it? To understand the answer to that question, it’s important to take a look at the restrictions a typical company might place on employees and contractors. That way, you can take the appropriate steps to limit the loss of control over data.

Most companies have a mixture of personal and corporate-owned devices, which means there’s a mixture of IT policies that apply to each. Many businesses also have some kind of enterprise mobility management (EMM) tool to enforce those policies and monitor devices, data and apps. Some businesses even have bring-your-own-device (BYOD) or security policies that outline usage rules for employees who use their personal devices for work. Common rules that an IT department may lay out include:
  • only allowing employees to connect devices with a certain mobile operating system to the corporate network
  • not permitting workers to use jailbroken or rooted phones
  • prohibiting users from changing the SIM cards in their phones and tablets
  • banning specific tools and services, such as cloud vendors and MiFi hotspots
  • enforcing certain levels of encryption that let EMM tools hook into users’ devices
Despite all those IT policies and restrictions, employees want to use personal devices for work because it allows them to be more productive. Agreeing to these IT-enforced policies usually gives workers the ability to access company email, use remote desktop tools or virtualization to access their files and use company-approved apps.

How and why do employees circumvent IT policies?

Admins often give users who violate policies the benefit of the doubt because employees don’t always break the rules for malicious or vindictive reasons. Rather, workers may not even know that certain actions break a company policy. That being said, thousands of breaches occur daily, and they can cost companies millions of dollars. Breaches can occur when employees store company information in third-party cloud services or when they use a blacklisted app, jailbroken phone or other device that does not meet the company guidelines. Employees who violate policies usually do so to be more productive. For example, many companies require workers to “remote-in” to access files from a mobile device. An employee may find it easier to store those files in a personal Dropbox account and then access them from anywhere, even though that action may violate a corporate policy. Additionally, restrictions on device model and OS version can cause strife for employees who may buy a personal device based on price. If the device they choose falls below the standards that the IT department set, that employee only has a few options: get no work done, upgrade his phone to gain access to the tools he needs, or go around IT blocks.

What should IT admins do?

Today’s users are smart, and they will do what they need to so they can get work done, but there are steps you can take to combat employees circumventing IT policies.

Create policies based on employees. Interview users to learn how they work, find out which devices and apps they like and then form policies around that research. When the guidelines for devices, services and applications mirror the way people really work, they won’t need to go around restrictions. For example, whitelist a note-taking app that you are comfortable with supporting, rather than blacklisting all note-taking apps. You’ll only have to manage one app, and employees can still get work done.

Educate users. You might find that some employees are still new to smartphones and tablets. Education is key for these employees, and it doesn’t hurt to refresh the memories of seasoned mobile device users. Make sure workers know how to get the most out of their devices, teach them about the risks of exposing company data and explain why your company’s policies are in place.

Focus on data, not devices. Although you may need to create specific device guidelines so you can continue to use your EMM tools on all the devices that access your network, it’s more important to keep data safe. Operating systems change and update frequently, and it can be difficult to keep up.

This is a reprint from an article first published in February 2014 by Matt Schulz on SearchConsumerization.com

Your Adobe account got hacked, now what?!

Last month, October 3rd to be exact, Adobe was hacked and over 2.9 million customers’ information was leaked. Later in the month Adobe revealed that number may be closer to 40 million. This information includes customer names, debit/credit card numbers, home address and much more. Most of this information was encrypted; however, it won’t take long for an experienced hacker to decrypt it.

Additionally, this incident shed light on another security concern: sharing passwords across accounts. It is common for people to use the same password for Facebook, email, bank accounts and even their garage code. Obviously this presents a problem if it’s possible for Adobe or Facebook to get hacked themselves.

If you received a letter or email stating your personal information may have been compromised, click the link below to view recommended steps to secure your credit score and identity.

https://www.privacyrights.org/fs/fs17b-SecurityBreach.htm

We can’t assume that our passwords are safe on servers, even with tech giants like Adobe. We can, however, protect our important accounts by having separate passwords. Now I know it can be agonizing to keep up with multiple passwords, but this is easier by segmenting your passwords into a couple of categories like common, shared and top-secret. This way you only have to remember 3 passwords with maybe 2 sets of numbers to alternate at the end for those mandatory password changes. SecureNation has many solutions to help manage this problem. Contact us for more information!

Mission to Mars – The never-ending journey of Backup Data

A previous Blog post from last year.

Over the last few days I have read and watched closely the happenings around the MARS Rover Landing. NASA’s car-sized rover, Curiosity, successfully landed on Mars last Sunday, completing a mission that some believed impossible just days before. While watching the landing unfold, it made me think of the challenges we have around the never ending journey of our data and how we can ensure that we have total control over our backup and replication processes.

If one thinks about the journey of data it is amazing to think that we transmit billions and billions of bits and bytes over wire and wirelessly every second of the day. The challenge around this is to ensure we safely protect our company data and to make sure we have recoverability of our mission critical data at all times. We have no control over the road the data takes to get to its final destination and the only chance we have to validate the final resting place of our data is to verify by using our Backup Applications to restore the data, start the applications and go through a long verification process.

And just as with the Mission to Mars we are challenged with the limited amount of control we have over the transmission of these bits and bytes. We put our trust in multiple variables that are part of the transmission process and we hope that every other party that is involved in this data transmission process holds up their end of the bargain to ensure the data gets where it is supposed to go. The challenges around this are never ending.

What if a piece of hardware like a Fiber Channel card on a Storage array goes ‘bad’? This happened at a company I worked at and we had to rely on the backup data at our offsite location and do reverse Replication to restore business. The process to do this took nearly 27 hours. Many questions come to mind when you go through something like this:
  • Did all our backups complete successfully every night?
  • Did we verify that the data reached the destination site via the link?
  • Do we have the latest data available and not something that is hours or days old?
  • Have we tested our data to ensure validity?
  • Did we test enough to be comfortable that the data is valid?
The bottom line is that we can put hundreds of processes in place to try and ensure that our backups will be sufficient at the time of a disaster, but the reality is that when we press the ENTER key to submit whatever we are sending, it is out of our Control. Just like the MARS rover blasting off into space without being seen for many months, all we can do is hope that all the planning and execution of the plan will go smoothly without incident.

Key items to remember:
  • Backups are a necessity. We can’t live without backups; they are part of the everyday life of any IT shop.
  • We are in control of what we test, how often we test and how much validation we do. Think about the 7 minutes of terror that the NASA Scientists had to go through which was similar to what we experience when we do a restore of valuable company data, the period of uncertainty if everything will be ok or not.
  • Trust your processes! Make sure all your documentation is up-to-date and ensure that your staff is trained in the recovery process.
  • Make sure Senior Management understands the process and the value these backups bring to the Company. They need to support you and need to be aware of potential difficulties surrounding data recovery and the challenges that go with that!
If you follow the basic rules and guidelines and proven processes your data’s journey can be as successful as the journey of Mars Rover. With that said – ‘Mission accomplished – Over and Out.’

Disaster Recovery Best Practices: A Hurricane named Gustav

Back in September of 2008, no one in our south Louisiana city was prepared for the wrath and impact that a hurricane would bring to the community. Nor were we prepared for the damage it would cause to the Operations Center at our organization. The Operations Center that was primarily used for hosting of our Disaster Recovery and Business Continuity equipment was hit by a tornado that spawned out of the hurricane. The roof of the building was ‘sucked’ up by the force of the winds and rain penetrated the 3 story building and started seeping down into the Computer Room on the 2nd floor.

There was nobody in the building at the time, which was a good thing, except for a Security Guard stationed near the front door. The Security Guard noticed water coming down the walls. As he stepped out of his office into the ankle deep water already pooling in the hallway, all power was lost in the entire building. The guard, following procedures according to plan, contacted the on-call Building Supervisor who in turn contacted Security staff at the Main Office about 8 miles away. A call was placed to the IT Director to advise him of the damage and he immediately deployed a team of IT team members to go and assess the damage. This was what they found:
  • Water had seeped through the ceiling onto the Storage Arrays, AIX Servers and Mainframe in the Computer Room
  • Water had risen to ankle deep depths under the floor where all the cabling and power drops were situated
  • The fiber link between the Main Campus and the DR site was down
  • Power to the building was nonexistent
After assessing all the damage, the IT Team faced a number of challenges:
  • The need to quickly re-establish a 2nd copy of the Company Data for DR and Business Continuity Purposes
  • Identifying a new location of equipment to replace the damaged DR Site equipment
  • Developing procedures for the removal and disk eradication of damaged equipment
  • The need to identify and set up a new DR site
  • The importance to assess and minimize the financial impact
With the amazing help of our Storage and Computer Equipment Vendors, we re-established equipment in the Main Campus Data Center and had a copy of our data on the new Storage Arrays within 2 weeks. IT staff worked around the clock for 96 hours to achieve the ‘impossible’ but all members of the team did so without any complaints or problems. Within 4 months of the incident we moved the DR equipment to a site 250 miles away and out of the so-called Hurricane Zone; it is in the location where we still operate our DR Site today. While I hope that very few readers will have to experience the damage brought about by a hurricane, here are some lessons that our team learned from this experience:
  • Don’t have your second Data Center in the same town as your Primary Site
  • Vendors will help in the moment of need – it’s critical that you build and maintain a good relationship with them
  • Your staff members will accomplish great things when needed and will amaze you as they work together to achieve a common goal
  • Don’t Panic!
  • Test your ‘data’ at least annually to ensure validity.
  • Family is extremely important during ‘emergency’ times – they are truly your ‘Support Structure’
Overall the experience was challenging, but a lot was learned throughout the ordeal. Do we want to go through this again? Definitely not – but at least we know that we have staff and vendors that will step up and do whatever it takes to re-establish business and work to bring back some feeling of normality.