How Company Deals with Data Breach

Data breach incidents are inevitable. We need to prepare two things: prevention, and the response that resolves the incident once it happens. With so many digital crimes taking place, it is worth taking some cases as learning points and references.

TripAdvisor's Viator: Card payment and account details were stolen, putting 1.4 million Viator customers at risk of exposure. The data breach was discovered in bookings made through Viator's websites and mobile offerings that could potentially affect payment card data. According to Viator, debit card PINs and CVV numbers were not included in the breach. After learning of the breach, Viator hired forensic experts, notified law enforcement, and has been working diligently and comprehensively to investigate the incident, identify how its systems may have been impacted, and secure them. At the same time, Viator warned customers to monitor their credit card transactions so that they would notice any suspicious activity.

Albertson's and SuperValu: Two nationwide supermarket chains in the U.S. confirmed that digital criminals had stolen their customers' data and identification, especially credit card details. The breach is suspected to have originated from hacked POS systems. To mitigate its effects, third-party data forensics experts supported an ongoing investigation, and Albertson's and SuperValu stated that they had taken immediate steps to secure their systems so that customers would be able to pay safely by credit card again in every store.

Heist: One of the biggest online games announced that it had been attacked by hackers who compromised users' credentials, including passwords, names, registration details, and personal details. It is estimated that the hackers have used a... read more

Cyber security: Business or Technical Issues?

Despite the digital crime that has kept growing over the last few years, cyber security has not been the focus of most executives until an incident happens inside the company. Then it is damage-control mode, as the company deals with stolen customer data, disclosure of confidential information, or worse. This reactive approach is all too common, even though the real question is not whether there will be an incident but when it will happen. It is time for companies to give cyber security serious consideration. In the corporate world, the question being raised is whether cyber security is a purely technical matter, or whether the business understands that it is the lynchpin for safeguarding its most precious assets: intellectual property, customer information, financial data, employee records, and much more. Based on a survey conducted by PwC, CIO, and CSO, the answer depends on whom you ask. 72% of executives reported being very confident or somewhat confident that their organization's information security activities were effective. However, when asked about the real action their company had taken, only 43% described themselves as ready for cyber attacks. One of the main issues in addressing cyber security is that executives do not always agree on the company's objectives and goals. Executives usually have different ideas of what the problem with cyber security is. "CEOs agreed that lack of capital funding was the problem, but CFOs indicated a lack of leadership from the CEO was the reason. Meanwhile, CIOs and security executives pointed to a... read more

When Your Government Request for Your Data

Recently, Google published the details of government requests for its data at http://www.google.com/transparencyreport/userdatarequests/. It shows that government requests keep increasing each year, and that it is not only the U.S. government asking for the data but other countries as well. The question is whether it amounts to excessive surveillance when governments demand data from these internet companies. I believe most people would answer yes. However, as we all know, in some countries the law gives the government full rights to monitor its citizens' activities, including the information that flows to and from society. Fortunately, most companies stand on the customer's side, without disregarding the law, by protecting customers' data and privacy. Yahoo, for example, has received requests for its data from the U.S. government since 2007 and refused to hand it over at first. Yahoo's general counsel, Ron Bell, who wrote the blog post, says the government first approached the company in 2007 after it amended a law to grant itself the power to demand user data from online services. Yahoo mounted a legal challenge to those requests but was shot down initially and then failed again on appeal. The secretive Foreign Intelligence Surveillance Court (FISC) then ordered the company to comply with the government's requests, and all the hearing notes and records from the proceedings were classified until 2013, when only the judgment was made public. Now the courts have unsealed the documents relating to Yahoo. Apple, on the other hand, promised that it will inform customers if the government requests... read more

Free Vulnerability Scanners

Vulnerability scanners help us automate security auditing and play a crucial part in IT security. Their advantages are the ability to scan our networks and websites for thousands of different security risks, produce a prioritized list of things that should be patched, describe the vulnerabilities, and give steps on how to remediate them. Some scanners can even automate the patching process. Unfortunately, vulnerability tools can sometimes be too expensive. Don't worry, though! Some tools are pretty affordable or, even better, free. As mentioned on techworld.com, these free vulnerability tools are proven to work well:

– OpenVAS: The Open Vulnerability Assessment System (OpenVAS) is a free network security scanner platform, with most components licensed under the GNU General Public License (GNU GPL). The main component is available via several Linux packages or as a downloadable virtual appliance for testing/evaluation purposes. Thus, most components work only on Linux. Although the scanner itself does not run on Windows machines, clients for Windows are offered. OpenVAS is not the easiest or quickest scanner to install and use, but it is one of the most feature-rich, broad IT security scanners that you can find for free. It scans for thousands of vulnerabilities and supports concurrent scan tasks and scheduled scans. It also offers note and false-positive management of the scan results.

– Retina CS Community: Retina CS Community provides vulnerability scanning and patching for Microsoft and common third-party applications, such as Adobe and Firefox, for up to 256 IPs free. Plus, it supports vulnerabilities within mobile devices, web... read more

CISO: The Current Role and Position

The Chief Information Security Officer (CISO) is usually the one who takes the blame when there is any problem related to cyber security in a company. Years ago, the CISO was perceived as part of IT security administration; over the last few years, the role has come to be seen as a high-level risk management position. As an IT administrator, the CISO used to babysit firewalls, negotiate with software vendors over antivirus updates, and clean spyware off infected laptops. Indeed, that is still the role of some CISOs today. For the majority of CISOs, however, the responsibility has shifted to looking at the big picture and designing a program that balances acceptable risks against unacceptable ones, which is why the CISO can now be considered a senior management position. In the real world, the CISO forms a team that handles all those technical tasks and monitors whether they run well. One CISO in the health care industry, Eric Cowperthwaite, agreed that security is growing in scope to cover things like business continuity, disaster recovery, information security (as opposed to IT security, which focuses very narrowly on technology controls within the scope of the IT organization), compliance training and awareness, and so forth. So the things that security practitioners have long said were part of security are now expected to be accomplished as well. Essentially, the CISO has become a permanent part of the group sitting at the table deciding how the company does business. The CISO leads the security function within the business, and that function is now viewed as a necessary function within the business, rather than something to be... read more

Simple Steps to Perform Vulnerability Management

Vulnerability management is confirmed to be essential for information risk management and security programs. Unfortunately, many organizations' vulnerability management processes are reactive and inefficient. This is ironic, because organizations that implement a comprehensive and proactive vulnerability management program will be significantly more successful in protecting their data and business. By definition, vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected end result is less effort spent dealing with vulnerabilities and their exploitation. Ideally, it is done proactively: performed that way, it reduces or eliminates the potential for exploitation and involves considerably less time and effort than responding after exploitation has occurred. According to the National Institute of Standards and Technology (NIST), the first step in performing vulnerability management is to form a patch and vulnerability group (PVG), consisting of information and security people who actively work with local administrators. This group later becomes the one that performs the vulnerability management. The PVG has to determine which hardware and software it will support for vulnerabilities, using the company's IT inventory. The PVG will then be responsible for monitoring information regarding vulnerabilities, patches, and threats corresponding to the supported hardware, operating systems, and applications. It is also a must to clearly communicate the supported resources to system administrators, so that the administrators know which hardware, operating systems, and applications the PVG will be checking for new patches, vulnerabilities, and threats. The PVG is expected to be able to set priority... read more

I Do Not Need Computer Security!

Let's talk about the truth: how many of us are still ignorant about computer security? A lot, I would say. We tend to assume that we are safe and become lax about security issues. It is just so easy to do nothing about computer security as long as our systems run smoothly. The fact is that no one is immune to cyber criminals. Sadly but truly, people keep making excuses to ignore computer security issues. There are many reasons why people neglect cyber security, but here are the top reasons people gave when they were asked to take care of their computer security:

I only browse safe sites and ignore unknown links. If only that were true! Unfortunately, no 100% safe site exists in our world at the moment. There is always a risk that even a formal, trustworthy website has been hacked. How can you know when it has been hacked? The answer is: you don't! In addition, it does not take an unknown link to implant malware on your device. Even your best friend may send you a malware or virus link simply because his or her email account has been hacked.

I am of no value to hackers. If you think this way, then you are underestimating yourself. Every individual is an access point to valuable things. You never know what others want from you: it could be your company's data, your family's data, or your financial data (even if you don't think you have a lot of money). Remember, we are all potential victims of cyber crime. The best thing we can do to avoid it is to protect our property as best we... read more

The Importance of Security Policies

With the increasing number of connections and the growth of the Internet, security has become an issue for both corporate and individual environments. It is therefore crucial for every organization to design not only a good security architecture but also a proper security policy that ensures things run as they are supposed to. When designing a security policy, it is important to remember that there is no right or wrong way to begin the process. No single policy or security strategy will work for every organization. Many factors must be taken into account, including the type of audience, the company's business and size, and the maturity of the policy development process currently in place. A company that currently has no information security policy, or only a very basic one, may initially use a different strategy from a company that already has a substantial policy framework in place but wants to tighten it up and start using policy for more complex purposes, such as tracking compliance with legislation. The basic idea of a security policy is to protect the integrity of your company's information, allow for the confidentiality and privacy of that information, and provide for its availability. A security policy differs from security processes and procedures in that a policy provides both high-level and specific guidelines on how your company is to protect its data, but does not specify exactly how that is to be accomplished. This leaves leeway to choose which security devices and methods are best for your company and budget.... read more

Single Sign On (SSO): An Insight

There are thousands of different applications and security databases in the industry today. Each operating system and application has its own set of security requirements for both user IDs and passwords. With so many systems, it is possible that users will forget their user ID or password and eventually lock themselves out. Unfortunately, this happens frequently. Help desk personnel are overwhelmed with calls about password resets and account activation. Many organizations have internally developed applications that authenticate against proprietary databases. Since it is rare for all these different components to be managed and maintained by the same department, standardization is unlikely to have taken place. User name and password restrictions would all benefit from standardization. Security often competes with convenience in many different areas of an organization, and relaxing password restrictions for end-user convenience may or may not be an acceptable sacrifice. Single sign-on (SSO) exists to address this problem. SSO is the ability to authenticate once and never have to repeat the process for the duration of the session. Many solutions on the market provide SSO capabilities. As a whole, they all provide some form of authentication, authorization, access control, and password synchronization. Authentication is the process by which a user is identified as who they say they are. SSO applications either take advantage of the existing databases within the organization or require the implementation of a proprietary database. Typically, SSO products contain a central server, which is responsible for authenticating the user against one of the security databases within the organization. This is usually the database... read more

Data Encryption: Oh, sure! It is safe, isn’t it?

We are taught to believe that data encryption is a good way to protect our digital information: as long as it is encrypted, no unauthorized party will be able to access it. Is that true, or are we missing something? At the moment, there are many tools and methods available to encrypt your digital data. Encryption software is relatively user friendly, depending on your IT infrastructure and the software itself. In principle, encryption works by transforming information (plain text) into code using an algorithm (a mathematical formula) and a code that prevents it from being understood by anyone who is not authorized to read it. Encryption and decryption take place using software that may be loaded on the computer where the files reside or from which emails are sent and opened, or by means of the encryption key accompanying the data itself. Encryption is also implemented on e-commerce websites and for wireless network security and remote access in order to prevent spoofing. However, nothing is perfect; even the RSA algorithm has flaws. If you still remember the case of Edward Snowden, then we know that leaks exist. By tweaking code for efficiency, developers today have vastly reduced the resources required to crack an encrypted message. During Black Hat 2014 in the USA, one keynote speaker, Thomas Ptacek, explained the problem and challenged the audience to break the encryption. Surprisingly, cracking the code did not require advanced math. Some people submitted solutions in an Excel spreadsheet and others in PostScript. During his speech, Ptacek also demonstrated a smart technique for cracking encrypted credit... read more