Tag Archives: security mistakes

[ISN] Cyber warfare: Capitol staffers aren’t ready

http://www.politico.com/story/2015/01/cyber-warfare-capitol-114383.html
By TAL KOPAN
Politico.com
1/19/15

Congressional staffers are the gateway to all lawmaking on the Hill, but they also may be unwittingly opening the door to hackers.

The Hill’s networks are under constant attack. In 2013 alone, the Senate Sergeant at Arms’ office said it investigated 500 potential examples of malicious software, some from sophisticated attackers and others from low-level scammers. And that’s just the serious cases — in a different measurement, the House IT security office said in 2012 it blocked 16.5 million “intrusion attempts” on its networks.

But the thousands of men and women who keep Congress running every day are committing the basic cybersecurity mistakes that attackers can exploit to do harm — like in the CENTCOM social media hack or crippling breach of Sony Pictures Entertainment.

POLITICO interviews with nearly a dozen current and former staffers, as well as congressional IT security staff, reveal a typical array of poor cyber habits.

Most of the staffers interviewed had emailed security passwords to a colleague or to themselves for convenience. Plenty of offices stored a list of passwords for communal accounts like social media in a shared drive or Google doc. Most said they individually didn’t think about cybersecurity on a regular basis, despite each one working in an office that dealt with cyber or technology issues. Most kept their personal email open throughout the day. Some were able to download software from the Internet onto their computers. Few could remember any kind of IT security training, and if they did, it wasn’t taken seriously. […]


[ISN] How healthcare can learn from retail’s IT security mistakes

http://healthitsecurity.com/2014/07/24/how-healthcare-can-learn-from-retails-it-security-mistakes/
By Patrick Ouellette
Health IT Security
July 24, 2014

There’s little doubt the healthcare industry’s perception of security and compliance has changed to a serious one within the past few years. While regulatory demands and business needs are certainly strong drivers, what should healthcare organizations be focusing on as cybersecurity threats grow in stature? Eric Cowperthwaite of Core Security and former CISO for Providence Health discussed with HealthITSecurity.com how identifying risks early on can help reduce exposures.

The days of organizations that put effort into IT security being only large hospital systems and other organizations that had some sort of significant problem are certainly over. According to Cowperthwaite, there are a few indicators within the past 12-18 months that lead him to believe healthcare organizations, large and small, across the country are focusing on information security.

“First is the amount of information security leaders hiring that’s being done,” he said. “And the second piece of it is the number of organizations that are sending their people to [security] conferences and training to help them interact with products and services providers.”

Many of these changes have been driven by regulatory compliance, such as HIPAA, HITECH and Meaningful Use, but Cowperthwaite said there are other regulatory considerations, such as any hospital system being a tier 1 PCI merchant. Beyond compliance, the reality these days is that these organizations have a lot of data and there are a lot of “bad actors” out there who like to steal data.

There are main areas of focus that organizations should be beginning to worry about. First, Cowperthwaite said, though everyone is concerned about PHI disclosures because of bad publicity and potential fines, the other side of PHI disclosures is medical insurance fraud. […]


Top Business Driven Security Mistakes

(yes I do realize there’s a balance between security and business)

1. Implementing an IPS in IDS mode with no blocking whatsoever. Under the guise of ‘uptime’, businesses often deploy time-tested IPS products while forgoing their real value advantage, blocking attacks, because IT is wary of impacting the business. Meanwhile a breach such as TJX can cost over $250 million for a similarly sized company. The question is, would the IPS interrupting a few ‘false positives’ cost a company $250 million? Hmm

2. Focusing on compliance and procedural controls instead of technologies to protect data. Often companies are preparing for the ‘audit attack’ instead of the ‘hacker attack’. They have impeccable processes such as firewall review, termination processes and user certifications, all well and good initiatives if you’ve already covered your proverbial security bases with preventative controls.

3. Funded only till compliant. Need I say more?

4. Perfected processes require execution. Many information security professionals, as well as their IT counterparts, find themselves spending most of their days executing procedures that cannot be given enough time for proper review due to resource constraints. This makes the controls weak at best and at the same time de-emphasizes real prevention measures.

5. Following the alert rabbit hole. Most large companies have implemented SIEM tools to monitor logs and end up following the login failure alert rabbit hole, which often leads to a dead end. For example, you have failed-login lockout controls, yet you are still required to investigate every failed-login alert. Hmmm, the red pill or the blue pill? Waste of time (IMHO).

6. Not keeping up with the times. Lack of resources leaves the security team without enough time to study or perfect their knowledge. This leads to service failures, outages etc. because they need a proper amount of on-the-job research time to do a quality job.
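One way to stay out of the rabbit hole in item 5 is to make the SIEM triage rule aware of the lockout control: failures that the lockout already stopped are suppressed, and analyst time goes only to the residual case the lockout does not cover (one source failing against many accounts). This is an added example, not code from the original post; the log line format, the event names LOGIN_FAILED and ACCOUNT_LOCKED, and the sample lines are all constructed, and the residual-risk rule goes beyond what the post states.

```python
"""Triage of failed-login alerts when a lockout control already exists.
Added example, not part of the original post; the log format is constructed."""
import re
from collections import defaultdict

# Constructed sample log lines, not from any real system:
# "<timestamp> <event> user=<account> src=<source address>"
SAMPLE_LOG = """\
2015-01-19T09:00:01 LOGIN_FAILED user=alice src=10.0.0.5
2015-01-19T09:00:03 LOGIN_FAILED user=alice src=10.0.0.5
2015-01-19T09:00:06 ACCOUNT_LOCKED user=alice src=10.0.0.5
2015-01-19T09:01:00 LOGIN_FAILED user=bob src=10.0.0.9
2015-01-19T09:01:02 LOGIN_FAILED user=carol src=10.0.0.9
2015-01-19T09:01:04 LOGIN_FAILED user=dave src=10.0.0.9
2015-01-19T09:01:06 LOGIN_FAILED user=erin src=10.0.0.9
2015-01-19T09:05:00 LOGIN_FAILED user=frank src=10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log):
    """Parse log lines into dicts; lines that do not fit the shape are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def triage(events, spray_threshold=3):
    """Return (suppressed, escalate).
    suppressed: accounts whose failures ended in ACCOUNT_LOCKED; the preventive
        control already acted, so the alert needs no analyst time.
    escalate: sources that failed against >= spray_threshold distinct accounts;
        per-account lockout does not stop that pattern, so it is the residual
        risk worth an analyst's time. Everything else is left as noise.
    """
    locked = {e["user"] for e in events if e["event"] == "ACCOUNT_LOCKED"}
    users_per_src = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN_FAILED":
            users_per_src[e["src"]].add(e["user"])
    escalate = sorted(src for src, users in users_per_src.items()
                      if len(users) >= spray_threshold)
    return sorted(locked), escalate

if __name__ == "__main__":
    print(triage(parse(SAMPLE_LOG)))
```

With the sample above, alice's failures are suppressed because the lockout fired, frank's single failure is ignored as noise, and only 10.0.0.9 is escalated.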