Breaking News: Got Hacked... The FTC Can Now Sue You
For organizations that get hacked like Anthem, Target and recently Ashley Madison, the problems are only starting. Apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well. This is excellent ammo to get more IT security budget.
Yesterday, the U.S. Court of Appeals for the Third Circuit ruled that the Federal Trade Commission (FTC) has the power to take action against organizations that employ poor IT security practices. The ruling was part of a lawsuit between the FTC and the hotel chain Wyndham. This court decision affirms the FTC's role as a digital watchdog with real-life teeth.
This Is A Big Deal
In 2008 and 2009, Wyndham was hacked three times, losing credit card data for more than 619,000 customers and causing $10.6 million in fraud losses. The FTC originally sued the company in 2012 over the lack of security that led to the massive hack. The hotel chain appealed to a higher court to have the suit dismissed, arguing that the FTC didn't have the authority to punish it for the breach. Wrong move. Yesterday's decision states that Wyndham's breach is exactly the sort of "unfair or deceptive business practice" the FTC is empowered to stop. This means Wyndham now has to go back and confront the FTC's lawsuit in a lower court.
The circuit court also stated that the FTC does not have to detail any specific best practices that Wyndham failed to apply. The FTC did so anyway, and it's not a pretty picture. Here are some of the highlights: Wyndham allowed its partner hotels to store credit card information in plain text, allowed easily guessable passwords in property management software, failed to use firewalls to limit access to the corporate network, and failed to restrict third-party vendors' access to its network.
Data Insecurity As ‘Unfair’ Business Practice
The FTC argued that “taken together, they unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft.” In a statement to Ars, FTC Chairwoman Edith Ramirez wrote, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”
The upshot?
This appellate ruling establishes an important precedent for the legal consequences of a data breach. Berkeley Law professor Chris Hoofnagle said: "Had Wyndham won at the third circuit, it would have called into question the FTC's ability to police privacy and security." Well, now we know that the U.S. Government, in the form of the FTC, can and most likely will jump in and add even more cost to an already super expensive data breach.
It's not clear how the hackers got into the hotel chain, but it would not surprise me if it was another phishing email that an employee clicked on. Given the easy-to-guess passwords, it is clear that they did not step employees through effective security awareness training. Having that in place is an IT best practice with great ROI and a crucial part of your defense-in-depth.
It is clear that educating your users about these risks is very important. If you have not done so already, find out how affordable Kevin Mitnick Security Awareness Training is for your organization, and be pleasantly surprised: http://info.knowbe4.com/kmsat_get_a_quote_now
Stop The AshMad Insanity!
First a 10 GB dump with the full database, then a 20 GB dump with their whole GitHub repository, and then, to top it all off, a 300 GB(!) dump. In an interview with Motherboard, the hackers claimed to have data that includes employee emails, internal documents, nude photographs, and private chats between members. However, the Impact Team said it would not release explicit photos of AshMad customers, but did not rule out publishing the private chats and other photographs posted through the adultery website.
When asked about AshMad's security, the Impact Team said "Nobody was watching. No security," describing how they had broken into the servers repeatedly over the past few years. One hacker said, "[We] got in and found nothing to bypass."
The release last Tuesday contained customer data belonging to U.S. government officials, British civil servants and high-level executives at European and North American corporations. We have a copy and are researching it for security purposes.
Should You Check For Employees' Emails?
Well, this is a field mired in MANY problems. It's not a can of worms, it's a can of scorpions. First, it depends on your organization. Any government employee who holds a clearance (and that is true for many government contractors as well) is at immediate risk of losing that clearance if found to have engaged in infidelity, because they become a target for blackmail. Adultery can be a criminal offense under the Uniform Code of Military Justice.
Apparently not everyone was smart enough to obscure their real-life identity behind a webmail address. Robert Hansen, VP of WhiteHat Security, found well over 13,000 email addresses from .MIL and .GOV domains and a handful of congressmen among the hacked data. He also identified a substantial number of addresses from Fortune 500 companies such as Microsoft, Cisco, Apple, and Bank of America. Perhaps the most shocking revelation is that Hansen found three accounts using Vatican.com email addresses.
The legal repercussions of scanning the database for email addresses carrying an organization's domain name need to be clarified and well understood before that scan is done. Each corporate lawyer will have to look into that based on their individual organizational situation.
After that determination, IT and/or HR can look into the database and see whether any organizational email address has been used or compromised. Such an address would then have to be deleted and a new one issued to that user, either mentioning the reason or omitting it, again based on Legal's advice.
I could envision you scanning the AshMad database for your domain name and issuing new credentials to any employees found, simply with a generic mention that the address was compromised.
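One way to do that domain scan, as an added example that is not part of the original newsletter or any KnowBe4 tooling: it pulls addresses out of constructed dump lines (no real breach data) for a hypothetical organization domain, matches the domain and its subdomains case-insensitively, and ignores lookalike domains so the list you hand to IT/HR contains only your own accounts.

```python
"""Scan breach-dump lines for e-mail addresses that belong to your own domain.

Added example; not the newsletter's or KnowBe4's code. SAMPLE_DUMP is
constructed sample data for a hypothetical example.com organization.
"""
import re
from typing import Iterable, List

# Loose e-mail matcher: enough to pull addresses out of CSV/SQL-style dump lines.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def belongs_to_org(address: str, org_domain: str) -> bool:
    """True if the address is on org_domain or one of its subdomains.

    Matching is case-insensitive and anchored on the whole domain, so
    lookalikes such as 'notexample.com' or 'example.com.evil.net' are
    not counted as hits.
    """
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    org = org_domain.lower().strip(".")
    return domain == org or domain.endswith("." + org)


def find_org_accounts(lines: Iterable[str], org_domain: str) -> List[str]:
    """Return the sorted, de-duplicated (lower-cased) org addresses in lines."""
    hits = set()
    for line in lines:
        for addr in EMAIL_RE.findall(line):
            if belongs_to_org(addr, org_domain):
                hits.add(addr.lower())
    return sorted(hits)


# Constructed sample dump lines (hypothetical example.com org; no real data).
SAMPLE_DUMP = [
    "1,Alice@Example.COM,2013-04-02,paid",
    "2,bob@mail.example.com,2014-11-19,free",
    "3,mallory@notexample.com,2014-11-20,paid",
    "4,eve@example.com.evil.net,2015-01-05,free",
    "5,ALICE@example.com,2015-02-14,paid",
    "6,carol@other.org,2015-03-01,free",
]

if __name__ == "__main__":
    for addr in find_org_accounts(SAMPLE_DUMP, "example.com"):
        # Each hit is an account whose credentials should be reissued.
        print(addr)
```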
A major risk is end-users going to websites that claim to show if their name is in the list. Many of these sites will be phish-bait and anything typed in will be used for a variety of nefarious purposes and/or infect the workstation. Any organization should warn their users to watch out for attacks like that. See my recent blog post with a real example of AshMad extortion: http://blog.knowbe4.com/phishing-alert-warn-your-users-against-ashley-madison-scams-now
"100,000 Refrigerators Attack Bank Of America"
This nightmare headline was voiced by Vint Cerf, father of the Internet, when WashingtonExec asked him in an interview what his greatest fear was about the future Internet of Things:
"Ensuring that devices, including household appliances that now make up the Internet of Things, are properly configured so that uncontrolled or unauthorized access is denied. The nightmare headline for me is, '100,000 Refrigerators Attack Bank of America'. That is going to take some serious thinking not only about basic security technology but also how to configure devices at scale; no one wants to spend their entire weekend typing IPv6 addresses for each and every household device."
This is a good InfoSec read, warmly recommended and not too long: http://www.washingtonexec.com/2015/08/exclusive-father-of-the-internet-vint-cerfs-forecast-for-internet-of-things/
What CIOs Can Learn About Security Threats From 4 Recent Hacks
John Brandon at CIO came out with a good story you should read and forward to your C-Level execs. The media and the public are finally waking up to the fact that almost all organizations are at risk of getting hacked. Analyzing a few recent high-profile breaches might just help you prevent the same thing from happening at your company.
There are four examples, each showing the problem and its mitigation. I am quoted in two of the solutions: http://www.cio.com/article/2972263/security/what-cios-can-learn-about-security-threats-from-4-recent-hacks.html
Warm Regards, Stu Sjouwerman
"There is nothing on this earth more to be prized than true friendship." - Thomas Aquinas - Philosopher (1225 - 1274)
"If you want to go fast - go alone. If you want to go far - go together." - African Proverb
Thanks for reading CyberheistNews
Compliance In Half The Time At Half The Cost
I'm sure you will agree, compliance has become a major headache. It is a HUGE burden on already limited IT resources. Yearly audits have become major projects. They are expensive in both dollars and your IT staff time.
Imagine an environment in which your organization is completely compliant 24/7/365, and where all employees work together as a team without nagging and tons of emails. KnowBe4 Compliance Manager (KCM) can help you to achieve that state. It is an IT compliance workflow automation tool that allows you to:
- Manage all of your specific regulatory requirements in one location (PCI-DSS, HIPAA, GLBA, SOX, etc.).
- Eliminate duplication of effort.
- Assign the Directly Responsible Individual (DRI) for a control.
- Direct your auditors to one location for evidence of compliance controls being in place and up to date.
- NEW: Auditor Role. Your auditor can log in remotely and save you billable hours.
Go to this link for more info and to request a web demo: http://info.knowbe4.com/_kcm_pci_30-0
This Week's Five Most Popular HackBusters Posts
Off With Their Heads! Execs Get The Ax For Data Breaches
Until last year, executives were able to pass the buck to IT in case a data breach hit the organization. However, several recent high-profile resignations are now putting the focus on board members. Here are a few examples:
US Office of Personnel Management head Katherine Archuleta was forced to resign over a massive hack that exfiltrated well over 20 million highly confidential personal records of government employees. Thomas Meston, CFO of the London-based hedge fund Fortelus, also lost his job following a cyber hack that emptied $1.2 million from the fund’s bank account.
And those are just the two latest victims. The trend began for real last year when Target's CEO stepped down in the wake of a disastrous data breach that compromised 40 million shoppers' credit cards and 70 million customers' personal data. Steinhafel had little choice but to resign as CEO of the $40 billion US company.
The important thing for board members to realize is that they can do little to mitigate the damage after the data has been exfiltrated. Once the data breach has happened, they will find themselves held responsible for it and accused of prior negligence. At that point it's up to the CEO and the board to defend themselves against these claims and to show that all appropriate measures had been taken to protect the organization's data.
Up to a few years ago, it sounded reasonable for boards to delegate the defense against hackers to the IT department, which relied to a large degree on traditional firewalls and antivirus. Over the last few years, however, antivirus (AV) has fallen badly behind. With hundreds of thousands of new malware flavors released into the wild every day, the bad guys are overwhelming AV and often get through.
Today, it is seen as the task of the Board to prioritize and make IT security budgets available so that defense-in-depth can be done the right way.
In order to protect not only their own careers but also the future of the organizations they lead, senior executives must now understand that the buck stops with them and securing their data, almost always their organization’s most valuable asset, is paramount.
Thomas Meston, CFO of the hedge fund Fortelus, was forced to resign after falling victim to a social engineering attack over the phone. The attack, however, had all the hallmarks of a professional job. It was clear the hacker had done their homework and researched Meston in great detail, a technique also used in spear-phishing attacks, which are sometimes followed up with very real-sounding phone calls.
Meston fell for the hacker's scam, but whatever the form of the attack, it is clear that today the cyber security buck stops at the board level. To prevent "human hacks" (the weak link of IT security), stepping all employees through effective security awareness training is a very cost-effective way to prevent a large percentage of data breaches.
This Week's Links We Like. Tips, Hints And Fun Stuff.