Cyber Crime Continues to Rise

February 11, 2016

If you’ve picked up a newspaper or watched the news on television over the last five years, you’re probably aware that identity theft is one of the fastest rising crimes in the United States. It was probably bound to happen: as more and more of our lives, including our financial transactions, are conducted digitally, criminals have followed close behind, and cyber crime is increasing dramatically. So you knew that, but did you know that identity theft now costs Americans nearly twice as much as property theft? In a recent report, the U.S. Bureau of Justice Statistics found that total losses attributed to identity theft in 2012 were $24.6 billion, compared to $13.9 billion for property theft crimes. One would imagine that those numbers are only going to rise over the next decade.

Cyber Crime – is there an End in Sight?

There are plenty of studies that show that the crime rate is falling in the U.S., but many of those studies can be construed as inaccurate, as there still isn’t a great way of measuring cyber crime. An article from last year on phys.org included the following two quotes:

“Crime reporting has to be updated for the cyber-era,” said researcher and dean of the UAlbany School of Criminal Justice Alan Lizotte. “Property crime that remains underreported because it’s online crime shapes our response to it, particularly the response of law enforcement—what’s hidden stays hidden, yet continues to be a real, growing threat.”

“Recent data breaches targeting major US retailers and, more disturbingly perhaps, health-care providers, are evidence that we’ve reached a new frontier in criminal behavior,” said UAlbany criminal justice school researcher Giza Lopes. “Crime control is far from keeping up—a deficit that spans from inadequate measurement to jurisdictional inability to deal with a problem that spills over physical and national boundaries.”

Clearly cyber crime is on the rise, and the ways to keep track of it haven’t quite caught up yet. For organizations, this means that data security is more important than ever. Maxxum’s recent research study revealed that over 40 percent of companies sometimes use disposal methods outside of a professional technology disposal service, including equipment donations and giving equipment to employees.

There’s certainly nothing wrong with donating or gifting old technology, but we can’t stress enough how important it is to have that technology wiped clean of information beforehand. Simply deleting material isn’t nearly enough. Drives need to be sanitized and wiped clean to ensure that your sensitive information isn’t leaving your building in your old technology assets.

Organizations should make sure they receive documented transfer of custody and indemnification from their technology asset disposal company (we’ve outlined a few other key things to expect from a technology asset disposal company for reference here).

At Maxxum, we’re committed to smart, strategic partnerships with our clients. We stay up-to-date on laws and regulations regarding data privacy and environmental responsibility. We develop and support industry best practices in compliance, remarketing, recycling and reporting.

Third-Party Breaches: Eyeing the Risks

March 27, 2015

BitSight’s Stephen Boyer on the Merits of Continuous Monitoring

By Information Security Media Group, February 17, 2015

Target is the high-profile example, but many organizations have been breached through third-party vulnerabilities. Where are the security gaps, and how can they be filled? BitSight’s Stephen Boyer offers insight.

Boyer, CTO and co-founder of BitSight Technologies, sees the Target breach as transformational for the industry. It showed that a CEO could be fired as a direct result of a breach.

“Now what we’re seeing is boards of directors getting much more involved,” Boyer says. “They’re asking questions about cybersecurity performance.”

And they want to know specifically which of your third-party service providers leaves you most vulnerable to a breach.

As organizations examine these relationships, they also increasingly turn to continuous monitoring solutions. “[This movement] is a lot different than typically what has been done in the past, which is ‘how do I get continuous visibility into not just myself, but also my third parties, so I can better understand where the risks are and take action in a timely manner?'”

In an interview about data breaches and third-party risks, Boyer discusses:

  • How recent breaches have deeply impacted organizations;
  • Results of a new Forrester survey of third-party risks;
  • How continuous monitoring can help organizations reduce these risks.

Boyer is the CTO, co-founder, and board member of BitSight Technologies. Previously, he has worked at Saperix, Lincoln Lab and Caldera.

Third-Party Risks

TOM FIELD: In the past year, we’ve seen so many high-profile data breaches. I’m thinking about Target, but certainly there were others, and they resulted because of third-party vulnerabilities. As I talk with security leaders, I certainly hear their frustration in trying to mitigate something that they can’t control and to prepare their organizations to respond to an incident that really doesn’t happen within their purview. Does that match what you’ve seen in the past year as well?

STEPHEN BOYER: Absolutely. I think you articulated it really well. It has been very transformational over the last year. I would say the Target breach, having the CEO let go from that, has really been a transformational event for the industry. Now what we see is that boards of directors are becoming much more involved. They’re asking questions around cybersecurity performance and also wondering how we are doing with respect to our supply chain and our third parties in trying to mitigate those risks. That’s moving up to the board level.

Additionally, what we’re also seeing is risk transfer options. Companies realize that even if they invest heavily in security and train their staff, there’s always some risk or some threat that they can’t account for that they want to be able to transfer into cyber-insurance. We’re seeing a growth there.

Then, also, we’re seeing legislators perk up and become much more interested and asking more questions than they previously had been, specifically with respect to third-party risk management.

Impact on Breached Organizations

FIELD: You make a good point. I traveled to a lot of places all over the world in the past year, places where you never will find a Target store, but everybody knows about the Target breach because it resulted in the CEO losing his job. When you look back on Target and some of the other high-profile breaches, what do you see as common threads in terms of the impacts on the organizations that were breached?

BOYER: It really kind of depends on the situation of the company and their industry. But what we’ve seen is that companies have moved to an outsourcing model. For all the variety of efficiencies that exist in terms of cost and capability, they have outsourcing open up their networks and provide data to someone else, and they’ve increased that trust relationship, which has been a very difficult thing to manage and mitigate. “I’m now moving the parameter of my company and I’m extending the enterprise out to a variety of different companies.” That could be somebody who’s providing heating and ventilation; that could be someone else who’s providing some sort of IT services. They all have access into data or into the networks, and those are points of vulnerability.

Survey Findings

FIELD: You just conducted a new survey with Forrester that’s on third-party risks. Can you share with me some of the key findings?

 


U.S. Postal Service Confirms Data Breach

November 11, 2014

Employee, Customer Information Potentially Compromised

November 10, 2014

The Federal Bureau of Investigation is leading an investigation into a data breach at the U.S. Postal Service, which affected employees and customers.

In a Nov. 10 statement, which provides few details, USPS says it recently learned of a “cybersecurity intrusion” into some of its information systems. All operations are now functioning normally, according to the statement.

More than 800,000 employees were impacted in the breach, says David Partenheimer, spokesperson for the USPS. Employee information potentially compromised includes names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information.

Customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1 and Aug. 16 were also potentially affected, although USPS is still investigating the exact number of individuals impacted, Partenheimer says. Potentially compromised customer details include names, addresses, telephone numbers and e-mail addresses.

CNN, citing a U.S. official familiar with the breach, says 2.9 million postal service customers were affected by the breach.

Transactional systems in post offices, as well as on usps.com, where customers pay for services with credit and debit cards, have not been affected by the breach, USPS says. There is also no evidence that any customer credit card information from retail or online purchases, such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised, officials say.

China Involved?

Some news reports are indicating China may be behind the attacks, but Partenheimer says he cannot confirm that because “the source of the intrusion is under investigation.”

But security consultant Richard Stiennon, author of Surviving Cyberwar, doesn’t suspect China is behind the USPS breach. “They are still in the espionage and reconnaissance phase of their cyber-evolution,” he says. “On the other hand … one has to question the timing of the notification considering that President [Obama] arrived in China today.”

Karl Rauscher, ambassador-at-large and chief architect for cyberspace policy at the Institute of Electrical and Electronics Engineers, says that cyber-attacks, like the one that targeted USPS, are becoming more sophisticated, “and even those best capable of reacting to them are overwhelmed. Cyber security today is typically practiced in a reactive posture to an ever growing number of threats.”

No Evidence of Fraud

The USPS says it’s not aware of any evidence that any of the potentially compromised customer or employee information has been used to engage in malicious activity.
