Business Continuity, Cyber Security, Data Breach, Disaster Recovery, News Events, Tip of the Week, Uncategorized, Vulnerability Testing & Management

Breach exposed sensitive information about 143 million consumers

It’s been called the worst data breach in U.S. history. Attackers stole half the U.S. population’s social security numbers from Equifax in July, but the company only notified customers in September. The fallout has been devastating, with class action lawsuits being filed and consumers demanding free credit monitoring.

“Equifax has been hit with dozens of lawsuits from shareholders, consumers and now one filed by a small Wisconsin credit union that represents what could be the first by a financial institution attempting to preemptively recoup losses caused by alleged fraud the hack could cause” as reported by the Washington Post.

Equifax provided a website for customers to search if they were affected. However, on multiple occasions, the company’s official Tweeter account directed customers to a fake phishing site instead.  See imageNick Sweeting fake website small

The company’s stock price has fallen 25 percent since they announced the hack Sept. 7 according to ABC news. In the meantime, Equifax had a meeting with investors in New York in hopes to contain the fallout.

To receive information on how to prevent this type of breach visit VirtualAuditor.com

Virtual Auditor’s Virtual Security Officer Server (VSOS) is a unique, fully-managed, information security auditing assessment solution that helps you establish a formal information security program within your organization. VSOS is packed with powerful vulnerability, auditing and testing tools that can help identify security vulnerabilities within your environment, as well as gaps in your existing security program.

Quick tips on how consumers can protect themselves

  • Monitor your credit reports closely
  • Be aware that scammers can use your sensitive information at any time
  • Freeze your credit report to halt thieves from opening new credit cards or loans using your name

Equifax Cybersecurity Incident:

“To learn more about the cybersecurity incident, including whether your personal information was potentially impacted, or to sign up for complimentary identity theft protection and credit file monitoring”, please go directly to their site:

https://www.equifax.com/personal/

 

Advertisements
Business Continuity, Cyber Security, Data Breach, Disaster Recovery, Education, HIPAA / HITECH Enforcement, Risk Analysis/Risk Management, Social Media, Tip of the Week, Vulnerability Testing & Management

Get Involved and Do Your Part to Make the Internet Safer

Promote the National Cyber Security Awareness Month (NCSAM). Get involved and do your part! This is a job for everyone, make an effort to care! The theme for this year is “Our Shared Responsibility”. NCSAM will be observed in October, but make it part of your practice to start today.

Top 5 Reported Cyber Scams

 

 

Staff can do

 

For more information on keeping current on cybersecurity, vulnerabilities, data loss prevention, managing risks, and workforce members training, Contact RISC Management and Consulting, LLC at 800.648.4358 or visit www.RISCsecurity.com

To learn more about Cyber Security visit: https://www.staysafeonline.org/ncsam/landing-page/

 

Cyber Security, Data Breach, Disaster Recovery, Education, Tip of the Week

Phishing Lifecycle

Phishing is a form of social engineering and works like a con game. A phishing attack is performed using email, a malicious website, or even a direct phone call to the victim. The many purposes of phishing include collecting personal information, gaining access to corporate information, gaining access to corporate information systems, installing malware, or even holding data hostage by changing local encryption keys! The information that is accessed or copied by the attacker is used for gaining access to your accounts such as your financial accounts, committing identity theft, gaining access to corporate networks and systems, changing credentials, or even holding your data hostage.

Quote Mitnick

Social Engineering can be a positive or negative attack using human interactions to obtain information about your organization. The person attacking could potentially be someone hired by the company to locate gaps in their security or, more likely, maliciously by those wanting to hurt you or your organization. During the attack, the person will seem unassuming, or even helpful, and be able to blend in with the employees. Through this process, he/she/they are able to ask questions, retrieve data, take photos for evidence if hired by the company or infiltrate the office or department.

Lure hook catchThe attacker might send a false e-mail often that look surprisingly legitimate, and may seem valid. However, it is important to view the URL in the address field which can tell you if the page you have been directed to is not valid. The email might come from a credit card company requesting you to respond and might often come from other types of organizations such as charities during a natural disaster, holidays, etc. Some phishing attacks involve a phone call directly to the target, where the attacker often claims to be another employee, perhaps calling from the I.T. Helpdesk.

According to the U.S. CERT and IRS remaining alert and knowing the tricks can assist you in avoiding or repelling these malicious attacks. Here are their explanation (2015, January 30):

Spot common elements of the phishing lifecycle

  1. A Lure: enticing email content.
    • Example 1 of actual phishing email – see below
    • Example 2 of actual phishing email – see below
  2. A Hook: an email-based exploit.
    • Email with embedded malicious content that is executed as a side effect of opening the email
    • Email with malicious attachments that are activated as a side effect of opening an attachment
    • Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content
  3. A Catch: a transaction conducted by an actor following a successful attempt.
    • Unexplainable charges
    • Unexplainable password changes

Sample of Phishing Email from IRSIRS does not initiate taxpayer communications via email

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Again, don’t be a victim and watch for any unexplainable changes to your financial accounts. If you think there’s a slight chance that your sensitive information was breached, change your passwords immediately. If you use the same passwords in multiple areas, it is important to change each one of those accounts as well. Remember not to use that particular password again in the future.

If you receive a phone call that you suspect of being a phishing attack, tell the caller that you need to call them back at the number you know to be the person or department they represent. For example, if the caller claims to be from the I.T. Helpdesk, tell them you are calling them back at the officially listed number (Never at the number the caller gives you), and hang up. Using a corporate directory, a known number, or a number in your contact list on your corporate-owned phone, call that department back and verify the communication to you, and their request. Never connect to a remote access service such as GoToMyPC, or setup a remote service request through Microsoft Windows when receiving a phone call that you did not initiate.

References

Mitnick. K.(2000, March 2). Frontline: The testimony of an ex-hacker. Retrieved from http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html

Phishing. (2015). TechTerms.com. Retrieved from http://techterms.com/definition/phishing

U.S. Computer Emergency Readiness Team. (2013). Security tip (ST04-014): Avoiding social engineering and phishing attacks. Retrieved from https://www.us-cert.gov/ncas/tips/ST04-014

U.S. Computer Emergency Readiness Team. (2015, January 30). Security Tip(ST15-001): IRS and US-CERT Caution users. Retrieved from https://www.us-cert.gov/ncas/tips/ST15-001

Business Continuity, Cyber Security, Data Breach, Disaster Recovery, HIPAA / HITECH Enforcement, Meaningful Use, Upcoming Events, Vulnerability Testing & Management

Visit with Virtual Auditor and RISC at the Texas Chapters of HIMSS in Austin, Texas

VA and RISC for Texas HIMSS Feb 18 2015

 

Come visit with Virtual Auditor and RISC at the 7th Annual Regional Conference Texas Chapters of HIMSS in Austin! There will be over 400 healthcare IT professionals and optional preconference activities such as legislative visits at the State Capitol and Networking social. The focus will be on promoting the value of investing in Health Information Technology.

Wednesday, February 18, 2015 – Friday, February 20, 2015

Renaissance Austin Hotel

9721 Arboretum Blvd.

Virtual Auditor will be demonstrating an industry-leading Information Security Continuous Monitoring Solution (ISCMS). The ISCMS was specifically developed to help organizations including healthcare, banking, finance, and other heavily regulated industries, to meet their data privacy, information security, and compliance requirements. The ISCMS provides continuous monitoring, alerting, reporting, and event correlation, providing the data your techs want, your security folks wish they had, and your executives need! Visit www.VirtualAuditor.com for more information if you can’t see this amazing technology first hand.

Contact Sales@virtualauditor.com or 888-312-5151

For more information please visit: http://www.cvent.com/events/2015-texas-regional-himss-conference/event-summary-25f61ec35a2f482d99a39eb8605be861.aspx#

Business Continuity, Cyber Security, Data Breach, Disaster Recovery, Education, HIPAA / HITECH Enforcement, Tip of the Week, Vulnerability Testing & Management

Is Your Organization’s New Years Resolution to Be More Secure?

Is Your Organization’s New Years Resolution to Be More Secure? If not, it should be!

However, that is too easy to say, and very hard to accomplish. The current threat environment is expanding far faster than the controls can hope to keep up with. A CISOs / CSOs job has never been harder; a trend that will continue this year and on into the future. If you don’t believe that call up organization’s like SONY, ebay (one of the least talked-about giant data breaches of the year), Target, JPMorgan Chase, Home Depot, Community Health Systems, or the 321 other healthcare organizations reporting breaches affecting over 83 million individuals! In fact, healthcare breaches accounted for a whopping 42.3% of data breaches included in the just-published Identity Theft Resource Center 2014 Data Breach Report(1).

Threat vectors include all of the usual suspects that we have been talking about for years. But the massive proliferation of data, accelerating migration to remote and teleworkers, and huge increase in activity of nation-states, organized crime, and hacktivists all make the CISOs / CSOs job next to impossible. It’s not a matter of whether an incident will happen to a modern connected company, but when.

Data breach incident handling must be a part of your data privacy and information security program. Balancing the need for speed of response, especially prompted by state-level data breach rules, with accuracy and responsible forensic activities is a tough challenge. It becomes tougher when interested parties such as the CEO, who suddenly realized that information security is important, compliance, legal, IT Management, public relations, the cyber security insurance carrier and their forensic experts, and the press all want constant feedback and a complete understanding of what happened, who did it, and how much is this going to cost us? from the word, “Go!”

Hopefully all of these parties were interested when the CISO / CSO asked to run a data breach incident drill last year in order to test the capabilities, response time, and training of all relevant parties to respond to such an incident. From our experience performing risk assessments, they were not, and a drill has never been completed.

Don’t let a real incident be the first time you test your data privacy and information security incident response plan. Remember a successful program is built on statements of policy, supporting procedures, tools, checklists, logs, forms, and training. If a real incident is your first test, chances are you are looking at a poor result, and a poor result is more likely to lead to fines and firings.

Since an incident is a matter of When Not If, testing your incident response plan should not be seen as optional or subject to perpetual procrastination!

Lastly, remember that while Information Technology (I.T.) is the system owner and the primary source of information in the event of an incident or breach, the problem is a business issue, not an I.T. issue! Consider addressing requirements and response in your Business Continuity Plan (BCP). BCP procrastination is a topic for another article!

Happy New Year and we’ll secure you in 2015

The team at RISC Management

(1) http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf