Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation’s largest financial institutions.
European Cyber-Gangs Target Small U.S. Firms” Washington Post August 25th
Launching these attacks from “safe havens” against organizations that tend to have limited information security postures is a cash cow for these criminal outfits. This should be a wake up call to small and mid-size businesses who may not have the knowledge to adequately protect themselves, that some information security help may be needed if they want to stay in business.
If you think this can’t happen to you then understand these attacks are simple and ignoring the threat doesn’t make it go away. Ask yourself if your company can survive if if its ability to process credit cards is taken away? If the answer no then perhaps an evaluation of your security posture is in order.
How often is e-mail used to send documents and information that contains sensitive information? I’ve seen consultants share sensitive information about clients this way as well as staff members just “trying to be helpful”. I’m sure this happens all the time and it can be mitigated through training and providing staff the tools necessary to send information securely. While it is fair to say the majority of these incidents never make the news, the Commerce Department wasn’t quite so lucky:
The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed to a risk of identity theft following an inappropriate transfer of the personal information in mid-July, according to a letter sent to department employees last week.
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form on July 13, according to the letter. The employee informed supervisors of the oversight almost immediately, and there is no indication thus far that information has been compromised, according to the letter.
“Federal Eye: Personal Data Mishandled at Commerce Dept.“. Ed O’Keefe. Washington Post, August 3, 2009
As another case in point, a friend of mine filled out an online appointment request for his physician. He included all types of PII including social security number, date of birth, as well as the reason for his visit. The online form was secure however, whatever program the office used was sending the “got your schedule request” e-mail with all of the information he had put in, including the PII. The steps the physician took to secure the request were thrown out the window because the same information was sent via e-mail in the clear. Oops!
I’m not sure how much more the concept of not sending PII over e-mail can be hammered home. Mistakes happen but when it’s done as part of a business practice then perhaps there needs to be some financial penalty involved to make the point.
“File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told” – Washington Post
Another politician jumps into high gear with more useless legislation and finger pointing after sensitive information was leaked via P2P software on federal computers. Policy already dictates that P2P software shouldn’t be used but these agencies lacked the technical controls to implement the policy. Adding legislation that merely says “don’t do it” is not the answer. Blaming the P2P software companies for federal agencies failure to implement good security is pathetic but certainly not unusual for the political blame game.
Good endpoint security with perhaps the prudent implementation of whitelisting technology can provide the technical controls necessary to enforce such policy.
Business and Security, PCI, Should Have Known Better | Paul August 26, 2009 | 
Comments (0)