data

To state the obvious, organizations of all shapes and sizes are under constant attack in cyberspace. Some ignore the risk, hoping that it will simply go away or that they won’t suffer a breach. Others opt to weather the storm even if a breach occurs, willingly risking their critical data. Others still deny that a breach would dramatically affect their business. Is this a risk your organization is willing to take?

Take Action to Protect Critical Data

Some forward-looking organizations focus on protecting their critical data assets because they are vital to their business operations and competitive positioning. These organizations understand they must protect critical data to sustain competitiveness in today’s global economy. Assets such as intellectual property, trade secrets, customer information, information about mergers and acquisitions, health information and other sensitive data are extremely valuable to cybercriminals.

Organizations are taking action to understand the type of data they possess, the value of that data to the organization, the controls that are in place and the potential impact to business processes should the data be breached or corrupted. They are implementing the controls required to protect these sensitive assets and monitor potential risks.

Watch the on-demand webinar to learn more about protecting your critical data

A Collaborative Effort

Discussion should not solely be focused on the type of controls in place, the number of patches applied or the number of incidents detected. We need to discuss potential business disruptions due to cyberattacks and the business processes that may be affected. Risk management should be a collaborative effort between business leaders and the IT team.

Are your line-of-business (LOB) owners and executives aware of the risk to their critical data? Do they know which LOBs carry the greatest risk, what sensitive data is at risk, how valuable the data is, who owns the data and which users are putting the data at risk?

Executive boards must understand the need to protect critical data — it’s no longer just an IT issue. In turn, IT leaders must make sure business leaders have the insight they need to protect their assets.

Learn More

For more information, check out the on-demand webinar titled “Stop Playing ‘Chicken’ With Your Data-Related Business Risk — Protect Your Critical Data.”

To learn more about why traditional security metrics are irrelevant to most executives, download the Gartner report titled “Develop Key Risk Indicators and Security Metrics That Influence Business Decision-Making.”


Security Intelligence

The impact of a data breach can be disastrous for an organization and can include loss of customer confidence and...

trust, financial penalties and other consequences. The average total cost of a data breach is $ 4 million, up by 29% since 2013 according to the "2016 Cost of Data Breach Study" published by the Ponemon Institute. The average cost per record breached is $ 158, whereas the average cost per record for the healthcare and retail industries are $ 355 and $ 129, respectively. Despite the high risk of the threat, enterprises continue to fall victim to data breaches globally, and it raises significant concerns over protecting the data organizations own, process and store.

While the external threats remain a high priority, the threat to sensitive data also comes from insiders. The threats of employees stealing customer information, personally identifiable information or credit card details are real due to the fact that, in most cases, privileged users like system administrators or database administrators are given authorized access to the data. Often, the real data from the production environment is copied over to the nonproduction environment, which is less secure and not managed with same security controls as the production environment, and resulting data can be exposed or stolen.

Data obfuscation techniques offer different ways to ensure that data remains protected from falling into wrong hands, and fewer individuals can access the sensitive information while meeting business requirements.

 What is data obfuscation?

In the technology world, data obfuscation, which is also known as data masking, is the process of replacing existing sensitive information in test or development environments with the information that looks like real production information, but is of no use to anyone who might wish to misuse it. In other words, the users of test or development environments do not need to see the actual production data as long as what they are looking at looks real and is consistent. Thus, data obfuscation techniques are used to protect the data by deidentifying sensitive information contained in nonproduction environments or masking identifiable information with realistic values, enabling enterprises to mitigate the data exposure risk.

The need for data obfuscation techniques

Organizations often need to copy production data stored in production databases to nonproduction or test databases. This is done in order to realistically complete the application functionality test and cover real-time scenarios or test cases to minimize the production bugs or defects. As a result of this practice, a nonproduction environment can become easy target for cybercriminals or malicious insiders looking for sensitive data that can be exposed or stolen. Because a nonproduction environment is not as tightly controlled or managed as the production environment, it could cost millions of dollars for organizations to remediate reputation damage or brand value should a data breach incident occur. Regulatory requirements are another key driver for data obfuscation. The Payment Card Industry Data Security Standard (PCI DSS), for example, encourages merchants to enhance payment card data security with the broad adoption of consistent data security measures that provide a baseline of technical and operational requirements. PCI DSS requires that merchants' production data and information "are not used for testing and development." Inappropriate data exposure, whether by an accidental or malicious incident, could have devastating consequences and could lead to excessive fines or legal action levied for the violation of the rules.

Data obfuscation use cases

A typical use case for data obfuscation techniques could be when a development environment database is handled and managed by a third-party vendor or outsourcer; data obfuscation becomes extremely important to enable the third-party vendor to be able to perform its duties and functions as needed. By applying data obfuscation techniques, an enterprise can replace the sensitive information with similar values in the database and not have to worry about the third-party vendor exposing that information during development.

Another typical use case could be in the retail industry, where a retailer needs to share customer point-of-sale data with a market research company to apply advanced analytics algorithms and analyze the customers' buying patterns and trends. But instead of providing the real customer data to the research firm, the retailer provides a substitute that looks similar to the real customer data. This approach helps enterprises minimize the risk of data exposure or leakage through a business partner or other type of third-party organization.

Stay tuned for part two of this series on data obfuscation techniques.

Next Steps

Read more on building an information security risk management program

Learn about how cyberattacks use obfuscation techniques

Discover why threat monitoring on the dark web can help enterprises

This was last published in November 2016

PRO+

Content

Find more PRO+ content and other member only offers, here.


SearchSecurity: Security Wire Daily News

EU countries must not be too restrictive in how they apply EU data protection laws or risk damaging the development of big data projects, German chancellor Angela Merkel has said.

Germany has traditionally been cautious over data collection, but if countries are too restrictive then "big data management will not be possible", Merkel told the 10th IT Summit (link to video in German) in Saarbrücken.

Europeans are famous for banning things, Merkel said. These bans are put in place for good reason, she said, but can be damaging if taken to excess.

"In Germany we have the principle of 'data minimisation', but we may have to give a little on that. Such a principle doesn't seem as appropriate when you are looking at big data," she said.

While it is important to protect personal data, it is also important to enable new developments, she said.

"Courts will have to be careful not to be too strict if that means limiting opportunities", Merkel said.

Munich-based data protection expert Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com said Merkel's comments suggest a change of direction.

"Merkel obviously wants to create some space for big data business models, and make it a bit easier to establish. But we'll have to wait and see whether the data protection authorities or courts take her comments into account," Wolgast said.

Berlin data protection commissioner Maja Smoltczyk said this month that nine of the country's federal data protection authorities are to conduct a review of 500 businesses' data transfer arrangements.

The review will focus on arrangements the businesses have in place for transferring personal data outside of the European Economic Area (EEA).

Copyright © 2016, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.

Sponsored: Customer Identity and Access Management


The Register - Security

There is little question that the perpetrators of cyberthreats spend little time thinking inside the box — that’s how they stay ahead of their victims. It’s time for some out-of-the-box thinking of our own to get serious about fighting back. It’s time for the democratization of cybersecurity data.

Here is the challenge to users, organizations and security vendors alike: First, we should aggressively democratize the threat data we all have and share it securely yet freely with each other. Second, we should pivot a full 180 degrees from the accepted practice of automatically classifying, by default, all cyberthreat data. Instead, we should declassify threat data by default. Hence, the democratization of cybersecurity data.

Thinking Outside the Box

Cybercrime information sharing is nothing new. Unfortunately, the wrong people have been doing the sharing, and they have elevated the practice to a commercial art form. Cooperating and collaborating on the Dark Web, the most sophisticated cybercriminals build and peddle attack software to each other. They even have seller ratings and rankings for their malware, with the most effective earning five stars. They offer gold, silver and bronze levels of service — even money-back guarantees if the malicious efforts fail.

With thieves as organized and sophisticated as they are, it is a small wonder that estimates of their annual take in illegal profits total $ 455 billion These aren’t amateurs. The United Nations estimated that highly organized, well-funded criminal gangs account for 80 percent of breaches today.

For these and so many other good reasons, the time is now for businesses, governments and other organizations to elevate cyberthreat information sharing to entirely new levels. The public sector has initiated steps in this direction. Last year the U.S. passed the Cyber Information Security Act (CISA). Its goal is to help organizations share cyberthreat information and actual attack data anonymously and without fear of liability.

Democratization of Cybersecurity Data Dents Cybercrime

There are massive collections of cybercrime data largely kept under lock and key in individual organizations. Security vendors, including IBM, typically have the largest repositories.

Why has it been kept secret? Both security vendors and businesses tend hold onto this data for its perceived competitive value. It is valuable to some extent, but the potential gains of having that much threat data and information can be an even more formidable competitive weapon. After all, it isn’t possessing the data that yields an advantage; it’s what each organization or vendor does with it.

This kind of sharing is not new in our business. The whole open source movement that gave us Linux, OpenStack, Hadoop, Spark and so much more resulted from aggressive information sharing. It can be the same with cyberthreat data. Large-scale sharing of threat data will signal a new high water mark in fighting cybercrime.

We are walking the walk at IBM, recognizing that we were as much a part of the problem as any other business or organization. That is why IBM published all of its actionable, third-party global threat data — all 700 terabytes of it. This includes real-time indicators of live attacks.

We believe the free consumption and sharing of real-time threat data from our repository can put a sizable dent in cybercrime efforts. Think of what else we can accomplish with the democratization of cybersecurity data.

Information Sharing at the Speed of Business

As mentioned earlier, sharing is only one part of the out-of-the-box thinking we need to adopt. We have to share this information as soon as possible, not weeks or months after a major breach.

The default action today is to immediately classify such information, rendering it unshareable until it is eventually declassified. Instead, put a timeline on classification of new threat data — maybe 48 or 72 hours, no more. If no valid, justifiable case is made for continued classification within that period, release it to be shared among other organizations. The aforementioned CISA spells out methods for doing this securely so the information doesn’t fall into the wrong hands.

We must abandon the Cold War mentality that leads us to classify all information and share nothing. We are all engaged in a very hot war with cybercriminals. Speed matters when it comes to using relevant data to stop active attacks and thwart future threats. Information sharing at the speed of business can be a formidable weapon — we just need to unleash it.

Learn more about staying ahead of threats with global threat intelligence and automated protection


Security Intelligence

Technology recruitment site GeekedIn has scraped 8 million GitHub profiles and left the information exposed in an unsecured MongoDB database. The backup of the database was downloaded by at least one third party, and it’s likely being traded online.

GitHub profiles scraped

Troy Hunt, the security researcher who runs the Have I been Pwned? service and whose own information is in the compromised backup file, received the file, and ultimately notified GitHub of the matter.

His analysis of the file ultimately revealed that:

  • It contains 8.2 million unique email addresses, i.e. records about 8.2 million users of GitHub, Bitbucket (another web-based hosting service for projects), and possibly other online services.
  • Most of these records contain users’ names, usernames, email address, geographic location, professional skills, years of professional experience.
  • All of this information is already online on GitHub and those other services, accessible to anybody – GeekedIn just scraped it and created its own database, access to which is offered to companies interested in finding developers – for a fee.

When contacted, GitHub said that they allow third parties scraping of their users’ data, so long as it’s only used for the same purpose for which they gave that information to GitHub.

“Using scraped information for a commercial purpose violates our privacy statement and we do not condone this kind of use,” they told Hunt.

After he finally managed to get in touch with GeekedIn, they acknowledged the incidente and promised to secure the data.

Hunt made some of this data searchable in raw format through his service, but only a little over 1 million users will be able to find it. He only included the data of those who had a publicly available email address on GitHub.

“This incident is not about any sort of security vulnerability on GitHub’s behalf, rather it relates to a trove of data from their site which was inappropriately scraped and then inadvertently exposed due to a vulnerability in another service,” he made sure to note.


Help Net Security

Big data has become a critical business tool and a transformative force for enterprises across multiple industries and geographies. Vast amounts of data are now organized, available and ready to be analyzed, leading to advanced tactics and strategies that were previously impossible.

But prior to adopting a big data and analytics solution, business leaders should answer a few fundamental questions: How will big data solutions affect my organization’s security profile? What governance is needed? Are my existing technology solutions sufficient?

Big Data Solutions: Handy Tools and Juicy Targets

Data proliferation has led to greater amounts of data passing through networks. Through big data solutions, organizations can aggregate, index and analyze many types of data. These solutions allow organizations to find patterns and correlations in the data that can potentially reveal new business insights.

The ability to consume and process this data makes big data solutions appealing to many organizations. However, what makes these solutions attractive to business leaders also makes them attractive to bad actors. Think of big data as a digital library that provides organizations with an index to easily locate and access files. If a cybercriminal were to gain access to this index, he or she would have a direct line to the organization’s most sensitive information.

Big data environments are tempting targets, and defending them puts additional stress on the security personnel and systems tasked with data protection. In addition, the exponential growth of data is leading to challenges beyond security, including governance issues related to data accuracy, accessibility, completeness and consistency. Organizations can avoid feeling overwhelmed when implementing a big data solution by effectively managing and protecting their environments with an integrated governance and technology strategy.

Governance and Data Reservoirs

With respect to governance, big data solutions call for an agile approach to profiling and understanding data as it is ingested. This enables organizations to implement appropriate controls as the data is profiled without inhibiting the speed and flexibility of technologies.

Data lakes, for example, present a unique security challenge since they allow organizations to access and process many types of data within a distributed environment. To address these challenges, organizations can utilize enhanced, agile governance to better organize data lakes, creating what is known as a data reservoir.

Within a data reservoir, organizations ensure that data is properly cataloged and protected as it is ingested by the data lake. To do so, a data owner classifies the information sources that feed the reservoir and determines how the data should be managed, including access control, quality control, masking of sensitive data and data retention periods. No data should enter the reservoir without being cataloged upfront, which enables the immediate application of appropriate security controls. This agile governance approach should be applied across all big data solutions.

Technology Considerations

From a technology standpoint, organizations should leverage existing platforms where possible and supplement with additional tools as required. At a minimum, organizations should consider coverage of the following areas:

  • Configuration and vulnerability management: Are traditional security tools sufficient to protect and secure the data?
  • Identity and access management (IAM): Are the requests for sensitive information authorized and valid?
  • Network traffic encryption: Are attackers able to intercept and access the data in motion?
  • Metadata management: Is your metadata sufficient to let you know where and how that information came into existence? Is your data usable?
  • Encryption and masking for structured data and redaction for unstructured data: Are the sensitive information assets protected from unprivileged users?
  • Data activity monitoring: Are there unusual error patterns indicating a possible attack?
  • Blocking and prevention: Are there new requests for analysis that were not scheduled or known?

The effort to strike the right balance of governance and technology is a continuous process and will be unique to each organization. However, by focusing first on governance and fundamental security components, an enterprise will be well on its way to securing its big data solution.

Read the solution brief: Top tips for Big Data Security


Security Intelligence

Software vendor CA Technologies is best known for its mainframe, business-to-business and distributed computing offerings. As an expansion of its enterprise-based offerings, the company also offers a data loss prevention suite called CA Technologies Data Protection. Formerly known as CA Technologies DataMinder, CA Technologies Data Protection is capable of supporting large enterprises with thousands of users and desktops. The DLP software suite components include CA Data Protection Endpoint, CA Data Protection for Networks, CA Data Protection for Stored Data and CA Email Supervision.

Data scanners

This CA Technologies Data Protection suite is able to protect data at rest, data in transit and data in use. It also integrates with CA Technologies Identity and Access Management products to allow access to sensitive information based on content and data classification. CA Technologies Data Protection is also able to quarantine data and protect sensitive information by granting or blocking access based on the reviewer's access privileges.

Endpoint agents

CA Data Protection Endpoint agents are application plug-ins for securing data at rest that execute on an endpoint device. These agents can monitor user activity and execute capture and control actions based on DLP policy. They either work with a gateway server or report directly to the DLP central management server. The agents are also able to continue policy enforcement even if disconnected from the central management server. CA Data Protection Endpoint is able to encrypt data sent to removable media. This action is controlled in part by the Client File System Agent (CFSA). In addition to monitoring local file copy actions, the CFSA is able to enforce policy for synchronization folders connecting to cloud resources such as Drop Box.

Network security

The CA Data Protection for Networks network appliance is able to control SMTP, web browser, webmail and social media HTTP/HTTPS traffic, instant messaging and peer-to-peer messaging such as Skype. Using SPAN ports, it can function as a passive DLP monitoring tool or be deployed in line to block sensitive data traffic, including decoding SSL traffic while inline.

Stored data

CA Data Protection for Stored Data secures data at rest by protecting and controlling sensitive information stored in network file shares and document repositories, public folders, ODBC sources and information collaboration servers such as Microsoft SharePoint. It can recognize and classify over 300 file types including HTML, XML, ZIP and others. CA Data Protection for Stored Data can also conduct full and partial fingerprinting of text and graphical content in order to the file content's transmission and usage. The product's scalable and distributed architecture enables file scan rates of up to 500 gigabytes per hour.

Email data

CA Email Supervision controls and reports on sensitive email in motion and at rest for popular email servers such as Microsoft Exchange and Lotus Domino as well as mail transport agents such as sendmail and postfix. The CA Email Supervision lightweight agent is deployed at the email sever and supports any number of email policies designed to product an organization from potentially criminal as well as unintentional sensitive data exposure. Supported email endpoints include laptops, virtual desktops and smartphones for DLP controls inside and outside the corporate network.

Summary

CA Technologies' DLP suite offers several components and features designed to address a wide array of data protection needs for large enterprises. CA Data Protection cover endpoints and data in use as well as data in transit on the network, data at rest in storage or databases, and mobile and cloud data as well. The product suite comes with 24/7 technical support from CA Technologies; free training and educational courses are also available for customers. Organizations interested in pricing and licensing terms for CA Data Protection products should contact the vendor or authorized CA reseller partners.

Next Steps

Part one of this series looks at the basics of data loss prevention products

Part two examines the business case for DLP products

Part three explores usage scenarios for DLP products

Part four focuses on procuring DLP products

Part five offers insight on selecting the right DLP product

Part six compares the best DLP products on the market

This was last published in November 2016

PRO+

Content

Find more PRO+ content and other member only offers, here.


SearchSecurity: Security Wire Daily News

Trump hotel chain fined over data breachesA chip-enabled credit card, inserted into a store's reader. Credit: Zach Miners

Trump Hotel Collection has arrived at a settlement with New York Attorney General Eric T. Schneiderman over hacks that are said to have led to the exposure of over 70,000 credit card numbers and other personal data.

The hotel chain, one of the businesses of Republican presidential candidate Donald Trump, has agreed to pay $ 50,000 in penalties and promised to take measures to beef up its data security practices, according to the attorney general’s office.

[ Make threat intelligence meaningful: A 4-point plan. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

The chain is one of many hotels and retailers that have been hit recently by malware that skimmed payment card information.

The key charges apparently against Trump Hotel Collection (THC) are that it didn’t have adequate protection and even after the attacks became known, did not quickly inform the people affected, in breach of New York law.

"It is vital in this digital age that companies take all precautions to ensure that consumer information is protected, and that if a data breach occurs, it is reported promptly to our office, in accordance with state law," Schneiderman said in a statement Friday.

In May 2015, banks analyzed fraudulent credit card transactions and figured that THC was the last merchant where a legitimate transaction had been made using the cards, suggesting that the hotel chain had been targeted in a cyberattack that resulted in the compromise of credit card information.

Further investigations found that a person with access to legitimate domain administrator credentials had infiltrated the chain's payment processing system in May 2014 and planted malware for stealing credit card information, which was noticed in computer networks at multiple locations, including its New York, Las Vegas and Chicago hotels, according to the statement by the attorney general’s office.

THC could not be immediately reached for comment. Safeguarding customer data is a top priority for the company, a THC spokeswoman
InfoWorld Security

Original release date: September 22, 2016

The Federal Trade Commission (FTC) has released a step-by-step video to users whose personal information may have been exposed in a data breach. This video provides instruction on how to report an incident and develop a personal recovery plan after a data breach has occurred.

US-CERT encourages users to review the FTC blog and US-CERT Tips on Avoiding Social Engineering and Phishing Attacks, Safeguarding Your Data, and Protecting Your Privacy for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No


US-CERT Current Activity

Subscribers of UK-based MoDaCo, a forum specialising in smartphone news and reviews, have been unpleasantly surprised by notifications that the site and their account have been compromised.

MoDaCo

But not all subscribers have been notified, and that’s because the alert didn’t come from the site admins, but from the Have I Been Pwnd? service. The service allows users to submit their email address, and notifies them when it’s found in data batches stolen in breaches.

According to the notification, MoDaCo suffered a data breach in January 2016, and the attacker made off with email and IP addresses, and usernames and passwords (stored as salted MD5 hashes) of nearly 880,000 subscribers.

The reason why MoDaCo hasn’t notified users of the breach is still unknown. MoDaCo founder Paul O’Brien promised to post an official statement about the incident later today, and reassured subscribers that all passwords are hashed and salted.

Security researcher Troy Hunt, who runs Have I Been Pwnd?, says that 70 percent of the email addresses exposed in this breach were already contained in data batches from previous breaches of other online services.

“With data that includes email and IP addresses, passwords and usernames, there’s nothing out of the ordinary there,” Mark James, IT Security Specialist at ESET, commented for Help Net Security.

“To be honest data breaches happen all the time, this particular one is causing a bit of a storm on their own forums as the users would like to have received notification from the owners first not through a third party site. Looking through the forum posts many of the users have not used the site for a while and were looking for means to delete their accounts. The problems of course are that when we create usernames and passwords on sites that reflect our current interests if we then move on or stop using those sites it’s sometimes difficult or almost impossible to delete those redundant accounts. This breach apparently happened in January 2016 (that needs to be confirmed officially) but at least the passwords were stored as salted MD5 hashes and not in plaintext.”


Help Net Security