
Adesta

Bill aims to make corporate execs responsible for concealing security data breaches

Thursday, June 9, 2011

There is no shortage of news stories dealing with cybercrime this week. Today, Citigroup admitted that computer hackers breached the bank's network and accessed the data of about 200,000 bank card holders in North America, according to Reuters.

Sony has been trying to recover after a hacker took down its Playstation Network and exposed some 77 million users' personal and credit card information, reported The Atlantic.

That same hacker group, LulzSec, also targeted the Atlanta chapter of InfraGard, the FBI-affiliated group that aims to share information between the private and public sector. LulzSec said it obtained about 180 log-ins from InfraGard, which it acknowledged is not that many, but "we'd like to take the time to point out that all of them are affiliated with the FBI in some way," the group said in a note, reported PCMag. "Most of them reuse their passwords in other places, which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too."

And, the story I wrote yesterday for Newswire mentioned defense contractor Lockheed Martin's admission that hackers breached its network in May partly by using data stolen from security-token maker RSA Security, which supplies coded security tokens to tens of millions of computer users. RSA was itself hacked in March and said yesterday that it has offered this week to replace or monitor all SecurIDs -- an offer several major customers, including Bank of America and SAP, immediately accepted, reported CNN.

Obviously, IT folks should be extremely concerned about this rash of hacking incidents hitting major corporations that one would assume have some of the strongest security measures in place, but apparently do not.

Some lawmakers are trying to make these corporations more accountable when such security breaches occur. The Personal Data Privacy and Security Act has been introduced in Congress repeatedly since 2005 but has yet to become law. Its primary sponsor, Sen. Patrick Leahy, reintroduced the legislation again this week in an effort to establish a national standard for data breach notification, according to a statement. The bill would require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.

"The many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country,” said Leahy.

Corporate executives who do not adhere to this legislation could face criminal penalties if found to have willfully or intentionally concealed security breaches involving personal data.

Other provisions of the bill include:

* A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security;

* An update to the Computer Fraud and Abuse Act to make attempted computer hacking and conspiracy to commit computer hacking punishable under the same criminal penalties as the underlying offense; and

* A requirement that the government ensure that the privacy and security of sensitive data is protected when the government contracts with third-party contractors.

$1 billion lost from information stored on a single thumb drive

Monday, June 6, 2011

Protecting a company's assets is getting far more complicated. Physical security professionals have to worry about much more than protecting physical assets; they also have a critical role in protecting electronic assets. I just read an interesting article from CNN about the cost of cybercrime. Here's the gist:

A few years ago a disgruntled employee for a large multinational automotive firm left the company -- but when he walked out the door, he also walked out with plans for a new car model under development on a cheap USB drive.

When the plans were leaked, the cost to the company was an estimated $1 billion in lost sales and increased research and development costs.

Yep, you read that right: $1,000,000,000. All on a single thumb drive.

When the WikiLeaks story came out, I talked to several security professionals about the role of physical security practitioners in this increasingly IT-driven world in this SDN article.

“First and foremost these recent events should be a wake-up call for organizations to make sure they understand where their data is, what is sensitive data, and who has access to it,” said Steve Salinas, product marketing manager of the forensic business unit for Guidance Software, a provider of digital investigations.

And security professionals must remain vigilant about employee behavior. Is someone coming in on weekends when they've never done that? Is an employee exhibiting strange behavior? Strong collaboration throughout an organization is really the key. Human resources needs to talk to security about possible "disgruntled" employees and security needs to talk to IT about it, too. Is there a correlation between their physical behavior and their electronic behavior?

Policy is also important. In this same SDN article, Jon Oltsik, principal analyst for Enterprise Strategy Group, a full-service IT analyst and business strategy firm, said companies should use the principle of least privilege, meaning only those who need access to certain information have it, and those who don’t need it don’t have access. Here's more:

It’s also important for a company to limit the number of people who have access to critical information. Then, once those privileges are determined, organizations should monitor what employees are doing with the information. Are they saving information to laptops unnecessarily? Are they transferring information to thumb drives? It’s also important to set up controls. For example, a company should set up controls so that employees can’t email certain types of files to email addresses outside of the company, or so that only approved USB drives can be inserted and used to transfer information on company computers.

Does your company have these types of controls in place?

Is a Securitas/Niscayah reunion imminent?

05/23/2011

STOCKHOLM, Sweden—Is it strange that guarding giant Securitas, which divested itself of its systems integration business (Securitas Systems, now Niscayah) five years ago, this week made a bid to buy that very same business back?

Adesta changes name

03/14/2011

OMAHA, Neb.—Adesta, a systems integrator, which was acquired about 16 months ago by mega security company G4S, changed its name to G4S Technology on March 1.

Is cybersecurity on your radar?

Tuesday, October 13, 2009

During recent discussions with retail professionals, I've been trying to determine the level of concern regarding cybersecurity. I realize that it's largely an IT issue, but with all the talk of convergence between IT and physical security, I wonder how long we can silo cybersecurity.

Here is a great article by Wired.com about the security breach at Wal-Mart in 2005 and 2006.

Internal documents reveal for the first time that the nation’s largest retailer was among the earliest targets of a wave of cyberattacks that went after the bank-card processing systems of brick-and-mortar stores around the United States beginning in 2005. The details of the breach, and the company’s challenges in reconstructing what happened, shed new light on the vulnerable state of retail security at the time, despite card-processing security standards that had been in place since 2001.

At the same time, attacks on retailers such as TJX and Barnes & Noble were under way, which together resulted in more than 100 million stolen credit card accounts. In case you missed it, Albert Gonzalez pleaded guilty this month to carrying out many of those breaches with other hackers, and is facing 15-25 years in prison.

BUT, here's the sentence that caught my physical security attention:

The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company.

That's a physical security issue, is it not?
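One way to turn the two points above into a routine check (closing accounts when people leave, and keeping entitlements to what a role needs), as an added example that is not from this post or the articles it cites: a Python access review over constructed HR and account data. The roster, account inventory and role baseline are all hypothetical.

```python
"""Access-review check: flags accounts left open after an employee departed
(the orphaned-VPN case) and accounts holding more than their role needs."""
from datetime import date

# Constructed HR roster: employee id -> (role, termination date or None)
HR_ROSTER = {
    "e100": ("engineer", None),
    "e101": ("contractor", date(2011, 3, 31)),   # left; VPN never closed
    "e102": ("analyst", None),
}

# Constructed account inventory pulled from the VPN/directory systems.
ACCOUNTS = [
    {"user": "e100", "enabled": True, "groups": {"vpn", "source-repo"},
     "last_login": date(2011, 6, 1)},
    {"user": "e101", "enabled": True, "groups": {"vpn"},
     "last_login": date(2011, 5, 20)},   # login after the termination date
    {"user": "e102", "enabled": True, "groups": {"vpn", "payments-db", "source-repo"},
     "last_login": date(2011, 6, 2)},
    {"user": "e999", "enabled": True, "groups": {"vpn"},
     "last_login": None},                # no HR record at all
]

# Hypothetical role-to-entitlement baseline: what each role actually needs.
ROLE_BASELINE = {
    "engineer": {"vpn", "source-repo"},
    "contractor": {"vpn"},
    "analyst": {"vpn", "payments-db"},
}

REVIEW_DATE = date(2011, 6, 6)  # constructed date on which the review runs

def review_accounts(roster, accounts, baseline, today):
    """Return (user, finding) tuples for a security reviewer to act on."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if user not in roster:
            findings.append((user, "no HR record; account owner unknown"))
            continue
        role, left_on = roster[user]
        if left_on is not None and left_on <= today and acct["enabled"]:
            detail = "still enabled after departure"
            if acct["last_login"] and acct["last_login"] > left_on:
                detail += "; used after departure"
            findings.append((user, detail))
        excess = acct["groups"] - baseline.get(role, set())
        if excess:
            findings.append((user, "entitlements beyond role: " + ", ".join(sorted(excess))))
    return findings
```

The HR-to-security-to-IT handoff the post calls for is exactly the data this check joins: the roster and the account inventory are each harmless alone, and the orphaned account only shows up when they are compared.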

Here's an interesting number

Thursday, April 24, 2008

Microsoft's latest Security Intelligence Report provides "an in-depth perspective on the changing threat landscape including software vulnerability and exploits, malware and potentially unwanted software." The report details trends observed in the second half of 2007; its purpose is to keep Microsoft customers informed so they can improve their security programs in the face of these threats.

I know that phishing, exploits, hacking, trojan downloaders and rogue security software trends aren't a priority for you, but the report does include one interesting data point for you physical security junkies:

Exploits, malware and hacking accounted for no more than 23 percent of all security breach notifications recorded from 2000 through 2007, and they only accounted for 13 percent of security breach notifications during the second half of 2007. 57 percent of the security breaches publicly disclosed involved lost or stolen equipment in 2H07.

Bring that number to your CEO.