Security Spotlight


Measuring Security Program Maturity

Eric Vanderburg

As an organization becomes more conscious and engaged in protecting information, it progresses along a path of security maturity. I like to describe this path in five stages starting with ad hoc and ending with leading organizations (see the figure below). This model is helpful because it demonstrates how security is refined in an organization. Most importantly, it shows that security maturity takes time to be part of an established organization and how an organization can transform from viewing security as a cost to an investment. Let’s see how it works.

[Read more…]

Investigating the Negative SEO Threat

Eric Vanderburg

I read a recent Power More article by Mark Schaefer said that SEO content today is about insight rather than quality, and this reminded me of a case I worked on. As many of you know, one of the many hats I wear is that of a cybersecurity private investigator. A client called me to report that his website was no longer showing up in Google search results. The cause became apparent shortly after I started investigating. Someone had built hundreds of websites that listed their key search terms frequently. Not only did these sites rank higher than my client’s site, but they also warned users that my client’s site was allegedly defrauding its customers. I were dealing with a negative SEO threat.

[Read more…]

Fighting Employee Apathy Towards Security

Eric Vanderburg

employee-apathy-data-securityIs it irritating when an employee loses a phone containing sensitive company information? Even more irritating is that the loss of such a device is almost considered by employees as a cost of doing business. Absolute Software conducted a survey on organizational response to lost corporate devices that was participated in by 750 US employees from various industries including banking, energy, healthcare and retail. Their survey showed that 25% of employees said it’s not their problem, 34% were not punished, 21% were given the talk and 30% were asked to replace the device.

If you want to curb this kind of behavior, what should you do? Here are some tips to help you out:
[Read more…]

The Largest Internet Security Breach in History

The largest internet security breach in history has just been discovered. Hold Security, a small cybersecurity firm, first reported the details of the incident around August 5th, 2014. A group of Russian hackers of approximately 10 men are suspected ofLargest Data Breach - Russia the crime.

What was Stolen and from Where?

The thieves stole roughly 1.2 billion login user IDs and passwords from over 420,000 different websites as well as 500 million email addresses. The Target data breach of 70 million addresses dwarfs in comparison to this incident. At this time, the names of the affected websites are not being released in order to protect them from further attacks but many large and well-known websites are expected to be on the list. Many of these websites are still vulnerable to attack.

How was the Data Stolen?

The hackers used a “botnet” of computers to search the internet for websites that were vulnerable to attack. Once those websites were identified, they were targeted with sophisticated SQL injection scripts that gave them access to the website’s database of user information.

How to Protect Yourself

Here are several tips to protect yourself from this particular breach, as well as hacks in the future:

  • Never click on links that you suspect are unsafe
  • Immediately change your passwords and make it a habit of changing them frequently
  • Do not use the same password on multiple websites
  • Do not share your passwords with anyone
  • Create complicated passwords with numbers, upper and lowercase letters and special characters

For more tips on how to create stronger and more secure passwords, click here.

Data Security Breaches at Retailers

Eric Vanderburg

Security breaches and identity theft are becoming an increasing concern for consumers as hackers continue to target large retailers. Target, Sally Beauty Supply, Neiman Marcus, Home Depot, Michaels, Dairy Queen and Kmart are POS Credit Card Machineamong retailers recently hacked. These incidents have resulted in stolen personal information such as phone numbers, addresses, emails, and credit card information. As a result of these breaches, affected consumers are more likely to fall victim to identify theft.

The following is a summary of retailers who recently suffered a data breach. Reports suspect hackers were able to infiltrate these stores by installing malware on their point-of-sale systems. Information was then stolen when credit cards were swiped at the store during checkout. The data stored on the magnetic strip of the credit cards, such as the number and expiration date, was then used to make replicas and sold on the black market.

[Read more…]

Companies with Virtual CSOs get ahead without losing an arm and a leg

Virtual CSOEric Vanderburg

Security remains a complex discipline.  This ever-changing challenge grows in complexity daily as new threats emerge and compliance requirements increase.  Several regulations including HIPAA require organizations to have a person whose role is to ensure compliance within the organization.  This is why organizations need a designated person with primary responsibility for security and compliance.  This person is the Chief Security Officer (CSO).

The Role of a Chief Security Officer

A Chief Security Officer or CSO is first and foremost a business leader in the organization.  He or she sets the organization’s security vision and ensures that it is in line with other business objectives.  The CSO works with other business leaders such as the senior financial manager such as a Chief Financial Officer (CFO), business owner, senior partners, or Chief Executive Officer (CEO), senior IT executive such as the Chief Information Officer (CIO) and Chief Operating Officer (COO) to implement security and compliance initiatives throughout the company.

[Read more…]

Sharing is not always caring

share-dataEric Vanderburg

There are so many ways to share on social media today and users, especially the younger generation, are sharing almost everything.  The problem is that some data is not meant to be shared.  A culture of sharing is developing that can be quite harmful for businesses and the confidential information they hold.  It is even more important in this day and age to educate employees on what they can and cannot share.  Consider implementing a social media policy that specifies sharable data and data that must remain confidential along with sanctions for those who violate the policy.  Make sure that all employees are aware of the policy and why it is in place.  Lastly, make sure the policy is enforced through both technical and procedural controls.

Recent indictments reveal debit card fraud techniques

Credit Card FraudEric Vanderburg

On May 9, 2013, Federal prosecutors issued indictments against eight individuals for hacking and theft.  The case revealed the methods used by hackers to gain access to debit card numbers that were ultimately used to withdraw $45 million.

Hackers gained unauthorized access to credit card processing companies and conducted what hackers term “unlimited operation”.  Unlimited operation is an attack where debit cards account balances and withdrawal limits are removed.  In this case, attackers performed unlimited operation on several prepaid MasterCard debit cards and then distributed the card numbers and pins to groups around the world.  These groups recoded gift cards and hotel entry cards with the stolen card numbers and then coordinated withdrawals from ATM machines.

We have spoken of the increase in coordination of cyber-attacks many times and this is an excellent example.  In a little over two hours on December 22, 2012, the criminals were able to withdraw $400,000 from 140 ATMs across New York City.  A series of thefts in February resulted in the theft of almost $2.4 million in 10 hours and the group is accused of stealing a total of $45 million by following this procedure for different card issuers and locations.

The banks involved in this case might have prevented the theft by monitoring for anomalous behavior such as the excessive use of a card number or the modifications required in unlimited operation attacks.  Anomalous behavior monitoring is valuable no matter where the next attack comes from and it is useful in other industries as well.