Filed under: security

Data Breaches Cost Companies over $26 Billion in 2011

According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011.  That is a 37.4% increase in incidents and a 370% increase in records compared to 2010.  According to research conducted by the Ponemon Institute in 2010, the average cost of a data breach was roughly $209 per compromised record, which puts the price tag for 2011 at over $26 billion.  The following is an analysis of the incidents:

Types of Breaches

[Chart 1: 2011 incidents by type of breach]

Hacking – deliberately breaking into computers – became the most common means of breach last year.

Top Incidents

  • RSA
    The security division of data storage firm EMC was breached, and the attackers obtained information about its widely used SecurID tokens (the seed records behind the one-time codes), forcing RSA to offer replacement tokens to its customers.  The stolen information was later used in an attack on defense giant Lockheed Martin.  RSA has provided a useful working definition of the term advanced persistent threat, or APT, as “military-grade cyber-attacks on commercial entities”.  In the face of APTs, businesses need a new defense doctrine, which an increasing number of corporate chief information security officers are now discussing.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions.  Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation Network.  The Sony breaches followed several similar data breaches at online service suppliers such as Play.com and Lush, so what effect are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Incidents by Business Type

[Chart 2: 2011 incidents by business type]

Cybersecurity was one of the top buzzwords of 2011 as commercial organizations increasingly found themselves up against advanced and persistent attacks of a kind previously seen only against military organizations.  Information security has moved up the agenda of most corporations and other businesses, and government too is placing increasing emphasis on the topic, backing national cybersecurity efforts with dedicated budgets.

Incidents by Offending Party

[Chart 3: 2011 incidents by offending party]

While more and more companies are becoming aware of the problem, few have taken action.  As the above analysis demonstrates, the case for taking action has never been so compelling.

To learn how to protect your organization, download our complimentary Executive Guide to Data Security.

Despite what you may think, IT security “is” your business

Many executives feel that IT security is only an issue for the IT department.  The problem is that IT security is a bigger issue than just your IT department.  Every day your company faces viruses, lost devices, stolen data, and intellectual property walking out the door with recently dismissed or disgruntled employees.  According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011, costing companies an estimated $26 billion.  Now you might say, "We aren't in the business of IT or security.  We make widgets.  We maximize investor returns by buying, selling, and trading subsidiaries to create wealth.”  The fact is that, today, for an organization to ignore IT security is clearly risky.  As reported in Forbes magazine on January 2, 2012, “If data loss continues on its current trends, it will cost the U.S. economy $290 billion by 2018”.  Most cases go unreported; here are the ones that made headlines in 2011:

  • RSA
    The security division of data storage firm EMC was breached, and the attackers obtained information about its widely used SecurID tokens (the seed records behind the one-time codes), forcing RSA to offer replacement tokens to its customers.  The stolen information was later used in an attack on defense giant Lockheed Martin.  RSA has provided a useful working definition of the term advanced persistent threat, or APT, as “military-grade cyber-attacks on commercial entities.”  In the face of APTs, businesses need a new defense doctrine, which an increasing number of corporate chief information security officers are now discussing.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions.  Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation Network.  The Sony breaches followed several similar data breaches at online service suppliers such as Play.com and Lush, so what effects are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Can you afford to have your company on this list?  I did not think so.  All of us have a role to play in a more secure internet; it is clear we have a problem and need to get on with fixing the issues as quickly as possible.  If your company holds customer information, takes credit cards, or has computers that use passwords, then IT security is in fact your business.

WPS Brute Force Concerns and Solution

Recently, a white paper by Stefan Viehböck documented implementation weaknesses in the Wi-Fi Alliance's Wi-Fi Protected Setup (WPS). Immediately following its release, a tool called Reaver was published that brute-forces the WPS PIN and thereby recovers the WPA/WPA2 pre-shared key (PSK). The core weakness is that the access point confirms the two halves of the eight-digit PIN separately, and the last digit is only a checksum, so an attacker needs at most about 11,000 guesses instead of 100 million. The attack takes 4-10 hours on average and has an extremely high success rate.
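To make concrete why the attack fits in a few hours, here is an added Python example; it is not Reaver and not code from the original post. It implements the WPS PIN checksum and a simulated access point that, as the Viehböck paper describes, answers each half of the PIN separately (NACK after M4 for the first half, NACK after M6 for the second), then counts how many exchanges a split brute force needs. The `SimulatedAP` class and the PINs fed to it are constructed for illustration only; no radio traffic is involved.

```python
# Added example (not Reaver): why the WPS PIN is brute-forceable in hours.
# SimulatedAP is a constructed stand-in for a real access point; it only
# models the yes/no answers the WPS protocol leaks, nothing else.


def wps_pin_checksum(first_seven: int) -> int:
    """Checksum digit that turns a 7-digit value into a valid 8-digit WPS PIN.
    This is the checksum algorithm from the WPS specification."""
    accum = 0
    p = first_seven
    while p:
        accum += 3 * (p % 10)
        p //= 10
        accum += p % 10
        p //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: int) -> bool:
    """True if the 8-digit PIN's last digit is the checksum of the first seven."""
    return 0 <= pin <= 99_999_999 and wps_pin_checksum(pin // 10) == pin % 10


class SimulatedAP:
    """Stand-in for the access point side of a WPS external-registrar exchange.
    It confirms the first and second halves of the PIN independently, which is
    the weakness the attack exploits. Attempt counters stand in for the
    round trips an attacker would spend on the air."""

    def __init__(self, pin: str):
        if len(pin) != 8 or not wps_pin_valid(int(pin)):
            raise ValueError("not a valid 8-digit WPS PIN")
        self._half1 = int(pin[:4])
        self._half2 = int(pin[4:])
        self.m4_attempts = 0
        self.m6_attempts = 0

    def check_half1(self, half1: int) -> bool:
        """Models M4: the AP continues with M5 if digits 1-4 match, else EAP-NACK."""
        self.m4_attempts += 1
        return half1 == self._half1

    def check_half2(self, half2: int) -> bool:
        """Models M6: reached only after half1 succeeded; M7 (which carries the
        WPA credentials) on a match, else EAP-NACK."""
        self.m6_attempts += 1
        return half2 == self._half2


def brute_force_wps_pin(ap: SimulatedAP):
    """Recover the PIN by attacking each half on its own.
    Returns (pin, total_attempts)."""
    # First half: at most 10,000 guesses, each answered independently.
    half1 = next(h for h in range(10_000) if ap.check_half1(h))
    # Second half: 3 free digits; the 8th digit is a checksum we compute ourselves,
    # so at most 1,000 guesses.
    for prefix in range(1_000):
        candidate = prefix * 10 + wps_pin_checksum(half1 * 1_000 + prefix)
        if ap.check_half2(candidate):
            return f"{half1:04d}{candidate:04d}", ap.m4_attempts + ap.m6_attempts
    raise RuntimeError("keyspace exhausted")  # unreachable for a valid PIN


def naive_keyspace() -> int:
    """Valid PINs an attacker would face if the AP only judged the whole PIN."""
    return 10 ** 7  # the checksum already fixes the 8th digit


def split_keyspace() -> int:
    """Worst-case guesses once each half is confirmed separately."""
    return 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    ap = SimulatedAP("12345670")  # constructed target PIN (the WPS test PIN)
    pin, attempts = brute_force_wps_pin(ap)
    print(f"recovered PIN {pin} after {attempts} exchanges")
    print(f"keyspace shrinks from {naive_keyspace():,} to at most {split_keyspace():,}")
```

Note that nothing about the Wi-Fi passphrase enters the calculation: once the PIN is confirmed, the protocol hands over the WPA/WPA2 credentials, which is why a longer PSK does not help.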

What does this mean for you?

If you are a home user with a relatively new wireless router, you are probably susceptible to this attack. Basically, if your wireless router is WPS-capable, assume you are vulnerable; WPS is normally enabled by default.

How do you defend against this attack?

The solution is quite simple: disable WPS on your wireless router. This renders the attack useless and it becomes a non-issue for you. One caveat: some router firmware of the time kept answering WPS requests even after the option was switched off in the web interface, so after disabling it, confirm that the access point no longer advertises WPS (a WPS scanner such as the wash tool distributed with Reaver lists nearby WPS-enabled access points), and update the firmware if it does.

Hey, wait a minute. How come you only mentioned home users?

WPS is a system designed specifically for non-technical people. It is widely implemented in SOHO wireless routers but is generally not an enterprise wireless feature. If you happen to be running SOHO gear in the enterprise, then you will need to see if you are vulnerable as well.

Just how easy is it to perform the attack?

Easy. Here is a quick video demonstration showing how the attack works and how to protect against it. The video was made using the freely and readily available how-to documentation on the Reaver code page.

The Bottom Line

If you are running enterprise gear, you probably have nothing to worry about. If you are running SOHO gear, you need to look into this a bit further. Increasing the length and complexity of your PSK does not protect against this attack, because once the PIN is recovered the WPS exchange simply hands the attacker the PSK. Some access points lock WPS after several failed PINs, which slows the attack down but does not stop it. You need to disable WPS until the protocol can be strengthened.

Oh yeah, and Happy New Year!

The NCI Blogging Robot

Questions? Concerns? Comments? Get in touch with us below.

Our true value as security professionals

Whether we are talking about financial security, territorial security, or even personal security, the concept of security is constantly evolving, both as it pertains to the business world and in the overall, global sense. Having recently joined the world of corporate IT security, I was immediately struck by the similarities between the evolution of corporate data, network, site and communications protection and the overall global evolution of the security of state and citizen.

In many ways, the focus on IT security in a corporate environment mirrors and evolves along with the idea of security in general. The role of security professionals, whether that is in the IT world or physical world has changed with the evolution of the threat itself.

Forty years ago a country could secure its borders, build a strong military, and be relatively safe and isolated from outside threats. Vigilance was reactive and often restricted to military, government, and police agencies within the country. The security of a corporate environment and its communications was also a much simpler and more preventative effort.  A locked briefcase, locked doors, and secure passwords on rudimentary communication systems were generally enough to thwart attacks, which were often limited to one-off rewards.

The landscape has changed and as security professionals providing security services in today’s market, our roles have evolved to include those of educators, innovators, as well as defenders. We have been shown, quite regrettably and dramatically, that in the modern world, a strong military, a great border defence program, and advanced counter espionage programs are not enough to guarantee indemnity from threats. Dedicated and organised attackers will find ways around those defences and will strike at the hearts of our most vulnerable systems and sites.

This also holds true for the modern corporation. Firewalls, authentication systems, communications monitoring, UTM appliances and software controls are all good and necessary preventative measures, but it is the ongoing vigilance, proactive posture, and prepared response plans that will ultimately provide the best security for our clients.

What does this mean for us in the security provider world?

It means a heightened responsibility and a mandated goal to stay ahead of the curve in combating threats. The challenge for us is understanding our clients and their tendencies.

It also means we have a great opportunity. We have the opportunity to be critically integrated into the organisms which are our clients’ corporate environments. Having a defensive responsibility that stretches from the server, to the endpoints, and to the cloud, means there is an abundance of opportunities for us to be creative, inventive, vigilant and consistent in our approach to protecting our clients from the threats that exist and evolve daily.

The concept of security in 2011 is constantly changing and is just as dynamic as the world around us. The notion of “not if – but when”, offers us a unique chance to truly act as trusted advisors and as mission critical resources to our clients. Despite all of our efforts, the adversary is organized, relentless, and in many cases unpredictable due to non-specificity. Hackers will often repeatedly attack multiple targets looking for weakness that may or may not exist until, at some point, they eventually succeed at finding a way past the defences.

The key to our value is not how we stop all breaches of security; we cannot do that. The key is how we help our clients minimize that risk through deployment of best-of-breed preparations and a strong response plan that spells out how we will react organizationally, from CEO to end-user, when the risk confronts us as a reality. A corporation that accepts responsibility for ‘response’ along with the obligatory risk management tasks will improve overall security and reduce losses and damages in the long run.

Our role and enduring professional mission is to help our clients and our industry evolve our collective thinking in line with these goals. This presents both a great challenge and a fantastic opportunity, which makes the security industry an exciting place to work and live.

Paul Robbins

My journey in IT Security Certifications

IT security is one of the fastest-growing sectors in the IT field, and as such IT security professionals are in high demand. As a result, employers in the security field are increasingly using certifications as their baseline for evaluating and comparing candidates for security positions. As an IT security professional, I have gone through many certifications in my career.

Here is an overview of the major IT and security certifications I have obtained:

Cisco Track CCNA, CCNP: Like many security professionals, my journey in IT certifications started with the Cisco routing and switching track, as I was in the networking field before moving into security. Cisco certifications are highly technical and very demanding in terms of hands-on ability on routers and switches. They gave me strong knowledge of networking technologies and a deep understanding of routing protocols. Currently, obtaining the CCNP certification requires three exams (routing, switching and troubleshooting) after the CCNA. Like all Cisco certifications, the CCNP is valid for three years, and renewing it requires passing a professional-level exam or an expert-level written exam before the expiration date.

Security+: This is the first certification to think of for a junior IT professional aiming to specialize in the IT security field. CompTIA Security+ is an international, vendor-neutral certification that demonstrates competency mainly in network security, threats and vulnerabilities, access control and identity management. This was my first step into the IT security world. It was not highly technical; instead, it focused on learning the terminology and basic security concepts used by security professionals. Security+ is valid for three years, and renewing it requires retaking the exam before the expiration date.

CISSP: After gaining the required five years' experience in the security field (with a strong networking flavour), I took the CISSP exam. This is a very demanding certification with a large volume of material to work through. It took me about four months to finish the Shon Harris study guide (studying only at weekends), then about a month to practise CISSP-style exam questions. CISSP is not the most technical certification, but it is by far the most complete in terms of coverage of security subjects. It took me around four hours to finish the 250 questions of the exam. CISSP is valid for three years, and gaining CPEs is required to maintain and renew the certification.

CEH: It is much more technical than Security+ and focused on penetration testing methodology and the various hacking tools. I can't say I learned pen testing with CEH; prior to taking the exam I already had some experience in pen testing and security assessments, but CEH gave me strong knowledge of the methodology and of the targets to be defined for each step of the pen testing process. CEH v6.0 was more focused on tools, whereas the new CEH v7.0 curriculum is more focused on methodology with an OWASP flavour. The CEH certification is valid for three years, and CPEs are required to maintain it.

CISA: CISA is a well-known audit certification, probably the oldest certification in the field of information systems audit. The CISA exam focused on IT governance, risk management and the general IT audit process and methodology. Unlike the CISSP exam, which I found pretty easy, this exam was hard, really hard. Few questions were of a technical nature, and the business process and risk management questions were very subjective and ambiguous. Just like CISSP, CISA is valid for three years, and gaining CPEs is required to maintain and renew the certification.

The journey is not finished yet; this year I'm targeting GIAC certifications and will focus more on the audit process, risk, and security program management.

Maher G.

What has your certification path been like? Are there any certifications you would highly recommend? Do you agree or disagree with the emphasis and importance that employers place on certifications during the hiring process?

by Dan C. & Aniko