2014 was a terrible year for corporate data breaches. If there is to be any silver lining, information security professionals must draw lessons from the carnage. A good place to start is to identify common denominators.
Several of the most damaging incidents started with phishing emails into office (or contractor) networks. Social engineering has gotten so sophisticated and targeted, we can hardly blame the employees (sometimes high-level executives) for clicking on legitimate-looking links. Once an attacker establishes his credentials as the compromised employee, he potentially can gain access to whatever that employee uses. One attacker got in through a corporate software development network that was not sufficiently segregated from other critical networks. In other cases, disgruntled employees with access to valuable customer data were involved.
Clearly, employee access controls are critical. If we can improve these systems, we will go a long way toward securing our networks. This is not as easy as it sounds, however. When information security teams restrict access or revoke privileges, they get pushback. They become obstructionists, bad cops, bureaucrats. To be fair, we really do run the risk of strangling teamwork, erecting stovepipes, and throttling collaboration. How do we construct robust user access controls without being the bad guys?
Tags: access control, data breaches, phishing, security, social engineering
Do you feel that you’ve been hearing a lot about data breaches lately? You are right! Take a look at the chart below. There is plenty of time left in September, but the data breach calendar is already filled with victim names. And August? I don’t even have enough space to put down all the victim names.
If anyone believes that by doing a great job we can fully guard our data and valuable information assets against attacks and breaches, it is time to think again. The reality is, data breaches can happen to anyone. They are happening everywhere, from household names to lesser-known businesses and organizations, and even to the mighty government of the United States. The question is no longer “if”, it is “when”.
However, this does not mean that we should just give up. On the contrary, we need new thinking, and we need to get prepared. We need to be prepared before breaches take place to minimize their chances of success. We need to be prepared during breaches to detect and stop them. And we need to be prepared to rapidly apply mitigations after breaches. We cannot totally eliminate these risks, but we can control and minimize them.
Tags: catalyst, data breaches, security, switch
Cybersecurity is a hot topic and a major concern for all organizations. No one is immune, and indeed, higher education institutions can fall victim to large breaches as well. In fact, according to PrivacyRights.org, below are a few examples from the last 6 months:
- Iowa State University
- The University of Wisconsin-Parkside
- North Dakota State University
- University of Maryland
- Maricopa County Community College District
Theft, intellectual property loss, and loss of individuals’ personal data affect all organizations in varying degrees. While higher education institutions face many of the same challenges as government and commercial organizations, they also have worries that are unique to their environments. Some of the higher education specific cybersecurity topics include:
- Data Privacy & Security – Colleges possess the Personal Identifying Information (PII) of their students AND students’ parents, faculty and alumni – the numbers add up quickly. In addition to the usual PII, this can also include medical, financial, academic and other data.
- Device Mobility – The average student currently has 3 devices and this is expected to grow to 5 devices in the next few years.
- Application Protection & Control – Education specific applications have become a target for bad actors, and file sharing sites raise concerns about digital rights violations in Higher Education.
- Digital Learning & Assessment – On-line classes and testing provide one-to-one learning opportunities, more choice, and cost reduction in Higher Education. It must be secure.
- Protecting Intellectual Capital – Research universities have become a prime target for intellectual property theft. They risk losing valuable data and the possibility of losing grant funding.
Threats have become more sophisticated and protecting the enterprise with these topics in mind needs to be more sophisticated also. It is no longer enough to harden access to the network and think you are OK. Because the bad guys trying to steal your data are using so many different types of attack, effective defense requires a multi-level approach.
Cisco recently acquired SourceFire, and we have adopted their frequent question to customers: “If you knew you were going to be breached, what would you do differently?” The 2014 Cisco Annual Security Report studied the web traffic of corporate networks and every one had connections to domains that are known malware threat sites or threat vectors – an indication that bad things are on every one of these networks and likely on most networks. Think about the question again – what would YOU do differently? That is what we all should be doing.
We recommend looking at the Attack Continuum of “Before, During, and After” with the following actions for each phase:
- Before an attack you want to harden your network, to enforce security policies with controlled, segmented access to resources.
- During an attack you want to defend your network by detecting the threats and blocking them from getting in.
- After an attack you want to contain the threat, determine the scope of the problem, remediate the damage, and get back to educating students.
The conventional perimeter protections such as firewalls, intrusion prevention, and anti-virus are still part of a good defense in depth framework, but more is now needed. We offer many parts of the solution, of course, and have experts who work with universities to address their specific security needs. But no matter who you work with, please look carefully at what you can do differently to protect your students and your institution from these new, advanced threats.
Our upcoming whitepaper will focus on some of these trends, challenges and strategies for higher education. You can register to receive the whitepaper as well as a compilation of all the #HigherEdThursdays blog series upon completion. Reserve your copy now.
Tags: cybersecurity, data breaches, edtech, Heartbleed, higher education, mlearning
From peeking at Britney Spears’ medical records to the theft of almost five million medical records from a tape back-up, no healthcare issue garners more adverse publicity, or passion, than violations of patient privacy. While you might expect that, since the institution of HIPAA and quarter-million-dollar fines, this is relatively uncommon now, you would be wrong. A stunning incidence of nearly 18 million breaches of privacy has occurred over the past two years according to a recent report from ANSI, the American National Standards Institute. That is equivalent to the population of the states of Florida or New York.
As the world moves towards adoption of Electronic Health Records and Health Information Exchanges, concern for the vulnerability of private health information is escalating as the scale of these data breaches reaches epic proportions. A West Coast health care system experienced the theft of electronic health information for 4 million of its patients. And another major academic medical center inadvertently disclosed the electronic health records of 20,000 of its patients. The risks are real and global. And they leave an organization – any organization – subject to severe legal and financial damage, not to mention the damage to their reputation. None of these organizations were cavalier about their security compliance. But let’s face it, the workforce is larger and more mobile. The data is more prolific and ubiquitous and takes on many different forms. And the thieves are getting more sophisticated.
But so are the solutions. In the past, it was necessary to balance mobility with security: the more mobile, the less secure. Not anymore. Cisco’s AnyConnect combines industry-leading Cisco cloud and premises-based web security and next generation remote access technology to deliver the most robust and secure enterprise mobility solution on the market today.
Tags: Cisco AnyConnect, data breaches, data security, ehr, health information exchange, HIE, mobility, patient privacy, security