Tag Archive for Breach

| November 6, 2014
Comments Off on Email Etiquette is Good For You

Email Etiquette is Good For You

Email Etiquette is Good For YouWho remembers when email was a new and exciting technology that the Intertubes brought us? Did AOL’s You’ve Got Mail! Make you giddy? They made a whole chick-flick about it starring Tom Hanks and Meg Ryan. I am pretty sure that thrill has worn off by now. According to marketing researchers, the Radicati Group predicts that by 2015 the average email user will send or receive 125 emails a day. Many of the emails are loaded with threats as I have pointed out here again and again. The ubiquity of email has caused some users to take email for granted and let their guard down.

2015 the average email user will send or receive 125 emails a dayRelaxed vigilance has led to some high-profile incidents where sensitive business information was exposed via email. Research indicates that at least 22% of companies have experienced an accidental or malicious leak of sensitive or confidential information by employees through email in the past 12 months. While it is may be bad for the firm, it could cost you your job. Here are some tips which will make your emails more effective and more secure:

Treat emails like business letters

It’s better to be more formal than too casual when you want to make a good impression. For example, use a person’s surname until they respond by signing their email with their first name. Never write anything in an email message that you wouldn’t want both your boss and your mom to read!

Company email is never private

If you want to Treat emails like business letterssend someone confidential or time-sensitive information, use the phone or meet in person. Emails can be duplicated, forwarded, and printed; anything unfortunate you write could come back to haunt you or your employer. Never use your employer’s email system to look for your new job. That move could cost your current job and the next one too.

Be cautious about the “reply all” feature

If you receive an email that was sent to a multitude of people, including yourself, reply only to those who need a response. Hit “reply all” only if it is crucial that every person on the distribution list see your response. In many cases, the sender is the only person who requires a response. Misuse of “reply all” is a key way in which sensitive business data slips outside the network.

Take care with email attachments

Never open attachments from unknown sourcesNever open attachments from unknown sources. And before sending attachments yourself, find out if the recipient wants them. Bogus attachments remain one of the most popular ways for cyber-attackers to gain a foothold in business networks, and it’s very easy for hackers to imitate legitimate email addresses.

This infographic includes some pretty amazing stats about email. Did you know?

  • The average user creates 5,000 email attachments every year?
  • There are 6 copies of each attachment made?
  • The government reads over 250 million emails annually?

That is why email etiquette is important.

Data Running Wild Infographic

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| June 24, 2014
Comments Off on Heartbleed Old News – Servers Still Vulnerable

Heartbleed Old News – Servers Still Vulnerable

Proof that data breaches like Code Spaces, P.F.Chang’s, Domino’s, Target, Neiman Marcus continue to be inevitable. The Verge is reporting that the Heartbleed Open SSL bug is still running rampant. Despite the initial panic several months ago when Neel Mehta of Google’s (GOOG) security team discovered the major bug which put over a million web servers at risk, the threat is old news.

600,000 still vulnerable to Heartbleed

Being old news does not mean the problem’s solved according to the article. They cite security researcher Robert David Graham who found that at least 309,197 servers out there on the interwebs are still vulnerable to the exploit.

Immediately after the announcement, Mr. Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, only 9,042 of those servers have been patched to block Heartbleed. The author says that’s cause for concern because it means that smaller sites aren’t making the effort to implement a fix.

Affects the OpenSSL protocol

The Verge concludes that it’s likely that the lightly trod corners of the internet will remain vulnerable for many years to come, as sites with sub-par security standards continue to leave themselves and their users exposed. The danger is particularly real now since the exploit has been widely publicized. The bug, which affects the OpenSSL protocol used widely online, can cause some serious damage — it can be exploited to give hackers encryption keys, passwords, and other sensitive information.

rb-

I mean who do all these people think they are the NSA?

CNET has kept a running list of where you should change your password due to Heartbleed.

  1. Google (GOOG)
  2. Facebook (FB)
  3. YouTube
  4. Yahoo (YHOO)
  5. Wikipedia
  6. Bing
  7. Pinterest
  8. Instagram
  9. Tumblr
  10. ESPN
  11. NetFlix
  12. Weather.com
  13. Dropbox
  14. AT&T (T)
  15. OKCupid
Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| October 15, 2013
Comments Off on Need Cyber Insurance?

Need Cyber Insurance?

Need Cyber Insurance?Standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible says Network World. The ruling that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The article explains the ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc.. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.

Courts ruled data is tangible propertyAfter that, the insurance firms changed their policies to state that data is not considered tangible property,Kevin Kalinich, national managing director for network risk at Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

Larry Ponemon, chairman of the Ponemon Institute, told Network World that the resulting complexity is a major source of push-back by potential buyers. “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are.” Mr. Ponemon told the author, “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want.”

Network World describes the types of cyber coverage available.

cyber coverages availableData breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring, and credit restoration services for the victims, and other crisis management services, Ken Goldstein, vice president at the Chubb Group, told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts.”

Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.

Cyber extortion coverageCyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Chubb’s Goldstein says.

Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policy holder’s system.

Chubb logoContent liability: Covers lawsuits filed by people angered over something posted on the Web site of the policyholder. Such coverage should also cover copyright claims and domain name disputes, INSUREtrust’s Haase told Network World.

Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Aon’s Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses, “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later.”

AON logoLoss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss, “Backup policies are not always effective, and accidents and sabotage happen,” Mr. Haase says.

Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.

Errors and omissions coverageAs for what coverage costs, Aon’s Kalinich told Network World that firms smaller than $100 million in annual revenue can expect to pay $5,000 to $15,000 per million of coverage, while larger firms would pay $10,000 to $25,000. For those over a billion, the price can be in the $20,000 to $50,000 range. Robert Parisi, senior vice president with Marsh, an insurance broker, and risk advisory firm put it simpler, saying the cost is between $7,000 and $35,000 per million. Of course, the lower ranges are for buyers who look like better risks — and deciding who is a better risk is another factor that makes cyber insurance a complex topic.

You cannot get good insurance unless you have good security practices,” VP Kalinich says. “Due diligence underwriting has become more streamlined as the insurers have learned what to look for. They will typically benchmark you against other members of your industry.

15% of the premium goes to commissionsINSUREtrust’s Haase explained the cyber insurance purchase process to the author, “This is a complex purchase and you need a professional helping you. Most policies are highly customizable, and there are a lot of endorsements.” Typically the buyer goes to their local agent, and the local agent uses a specialist, Haase says. Both the local agent and the specialist get commissions ranging from 7.5% to 10% so that 15% to 10% of the premium goes to commissions.

Finally, Toby Merrill, vice president of insurer Ace Professional Risk cautions that cyber insurance buyers must understand that if they are outsourcing their data handling, they are not at the same time outsourcing their liability if there is a data breach. The onus of the various breach notification laws is on the organization that gathered the data, not on the organization that was storing it when it was exposed, he notes.

Cyber insurance is not there to replace sound risk management,” VP Merrill told Network World, “It is there to supplement it.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Data protection | Tags: , , , , , , ,
| February 19, 2013
Comments Off on School Kids’ Data at Risk – Part 2

School Kids’ Data at Risk – Part 2

School Kids' Data at RiskIn the Huffington Post article, “In Push For Data, Schools Expose Students To Identity Theft” author Gerry Smith writes about the growing risk of school kids data being stolen across the country.

Read Part One here:

Data Quality Campaign, an organization that encourages states to build student databases argues that students’ Social Security numbers are useful for education policy by creating “enhanced analytical opportunities” for evaluating school curriculum. “The more important conversation is not whether states are collecting Social Security numbers, but how they are ensuring the privacy, security, and confidentiality of all personally identifiable information,” Laird said in a statement to the Huff Post. “We can’t speak to how Social Security numbers are collected and stored at the local level,” she added.

The article cites one survey that concludes student PII is not stored very securely. Only half of K-12 schools use data encryption, according to a survey of IT employees at K-12 schools nationwide. 72% cited budget constraints as the primary barrier to improving their IT security, according to the survey by Panda Security (PDF). Collecting PII in central databases with lackluster security is asking or trouble, “This is making a much bigger honey pot for people with malevolent purposes to gain access to children’s information,” Joel Reidenberg, a professor at Fordham University School of Law. He told The ID Channel, “It’s a meltdown waiting to happen.”

School districts in 26 states now ask for students’ Social Security numbers. The Michigan Department of Education states (PDF), “A school district cannot mandate that parents disclose the social security number of their children.” Huff Post states that Texas is one of those states where education officials use PII to connect K-12 records to higher education and workforce data, according to Debbie Ratcliffe, a spokeswoman for the Texas Education Agency.

Last year, the Texas agency asked eight school districts to send PII, including Social Security numbers, through the mail on unencrypted CDs for research purposes. The article reports that Laredo Independent School District learned the CD it sent got lost in the mail, exposing nearly 25,000 current and former high school students to identity theft, according to the Texas Tribune. Ratcliffe told The Huffington Post that the request came from an agency employee who operated “way outside” normal protocol.

Social Security numbers are useful enhanced analytical opportunitiesIt was not the only school data breach in Texas.

  • Beaumont school officials told parents that Social Security numbers belonging to an estimated 15,000 students were accidentally exposed online for nearly a year.
  • The San Antonio Independent School District told parents that names and Social Security numbers of up to 360 students were mistakenly made visible through a Google search.

Still, the Texas Education Agency has no plans to stop asking school districts for students’ Social Security numbers, Ratcliffe told the author. “We have so many databases that use them that it would require quite a bit of change to make that happen,” she said.

Texas has no plans to stop asking for students' Social Security numbersYet concerns over child identity theft have prompted at least five states — Nebraska, North Dakota, Washington, Maine and Wyoming. to create policies that restrict the collection and use of Social Security numbers in K-12 schools.

Jerry Coleman, director of school finance at the North Dakota Department of Public Instruction Coleman said in an interview, “To protect those Social Security numbers would be a hassle we don’t need,”

Parents can refuse to disclose their child’s Social Security number, and the student would be assigned a different identifying number. Ratcliffe, of the Texas Education Agency, said most parents disclose their child’s number anyway.

Parents can refuse to disclose their child's Social Security numberBut privacy experts say, in most cases, parents should keep that information to themselves. “When someone asks for your child’s Social Security number, say no,” said Aaron Titus, chief privacy officer for Identity Finder, which helps organizations protect sensitive data. “I have found about 90 percent of the time when I push back a little bit, I get my way.”

Data breaches leave people six times more likely to become victims of identity theft, according to a survey by Javelin Research. Schools warn parents to monitor their children’s credit after a data breach. The Huff Post says credit reports only turn up 1 percent of fraud on children’s credit histories because thieves pair children’s Social Security numbers with new names and birth dates, a study by Debix found.

More than 18,000 child identity theft complaints were reported to the Federal Trade Commission. But experts tell Huff Post that figures on child identity theft are likely much higher because the crime often goes undetected for years. ID Analytics estimates more than 140,000 children are victims of identity theft each year, based on a one-year study of those enrolled in the firm’s identity protection service. When child identity theft victims turn 18, they find their credit has been destroyed, preventing them from taking out loans or renting apartments.

rb-

Consumers Unions points out that Michigan law restricts how Social Security numbers can be used. In Michigan, SSNs cannot be printed on ID cards, intentionally communicated to the public, and/or publicly displayed or mailed within an envelope.

Related articles
    • Child Identity Theft: Warning Signs and Action (lexingtonlaw.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , ,
| February 14, 2013
Comments Off on School Kids’ Data at Risk

School Kids’ Data at Risk

School Kids' Data at RiskGerry Smith writes about the growing amount of school kids’ data being stolen across the country. In the Huffington Post article, “In Push For Data, Schools Expose Students To Identity Theft” the author explains why.  Data thieves want this information to commit identity theft. The author cites several recent cases:

Child identity theftThe article says these incidents highlight the growing risk of school kids’ vulnerability to identity theft. Across the country, schools have become conduits for children’s pristine Social Security numbers. The students’ numbers are increasingly falling into the hands of credit-hungry identity thieves. The frequent data breaches have prompted calls for schools to stop collecting sensitive student data. The breaches have angered parents like Art Staehling, whose 14-year-old daughter was among 18,000 Nashville students who had their Social Security numbers accidentally exposed online for three months in 2009.

They left the gate wide open for data theft

“They left the gate wide open,” Mr. Staehling told The Huffington Post. “It’s clumsiness. There’s no excuse for it. If schools want that information, there should be some sort of penalty paid if they don’t guard it with their lives. I haven’t found a reason why they honestly need it.

Schools collect students' Social Security numbersSchools collect students’ Social Security numbers as part of a campaign to more precisely track their progress. But privacy experts told Huff Post there are less risky ways to identify students. The privacy experts accuse schools of needlessly exposing children to identity theft by gathering their Social Security numbers. Mn then not securing them.

The push for collecting student data began under the federal No Child Left Behind Act. Financial incentives in the 2009 stimulus package, including Race to the Top‘s $250 million in competitive grants drove schools to collect student social security numbers, according to Reidenberg.

No Child Left Behind Act drove schools to collect student social security numbersThe U.S. Department of Education has warned schools not to use students’ Social Security numbers in their databases. The Huff Post says the Feds urge schools to create other unique identifiers. The National Center for Education Statistics warned schools last fall that. They told educators that Social Security numbers are “the single most misused piece of information by criminals perpetrating identity thefts.”

School abuses student’s Social Security numbers

Despite the warnings, the collection and use of student’s Social Security numbers in K-12 schools remain “widespread.” An audit last year by Patrick O’Carroll, the Social Security Administration‘s inspector general. The IG found students’ Social Security numbers printed on transcripts, tests, and athletic education forms. According to the article, the audit concluded that schools were using the numbers “as a matter of convenience.” Mr. O’Carroll found there have been at least 40 data breaches of confidential student information at K-12 schools since 2005.

In his report, O’Carroll wrote.”We believe the unnecessary collection and use of Social Security numbers is a significant vulnerability for this young population. Each time a student provides his or her Social Security number, the potential for a dishonest individual to unlawfully gain access to, and misuse, the number increases.

Read Part 2 here.

rb-

Consumers Unions points out that Michigan law restricts how Social Security numbers can be used. In Michigan, SSNs cannot be printed on ID cards, intentionally communicated to the public, and/or publicly displayed or mailed within an envelope.

Related articles
  • Young children can be identity-theft targets (goerie.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
« Older Entries   Recent Entries »