Profile cover photo
Profile photo
Daily Safety Check
8 followers -
Don't just think you're protected, be protected.
Don't just think you're protected, be protected.

8 followers
About
Posts

If you’ve been paying attention in recent years, you might have noticed that
just about everyone is losing your personal data. Even if you haven’t noticed
(or maybe you just haven’t actually received a breach notice), I’m here to
tell you that if you’re an American, your basic personal data is already for
sale. What follows is a primer on what you can do to avoid becoming a victim of...
identity theft as a result of all this data (s)pillage.

http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/ 

Post has attachment
Fellow entrepreneurs often ask me if going through a comprehensive security audit is necessary for them, considering that theirs are relatively small, young organizations. Their argument for not conducting such an audit is that hackers will find nothing there of interest. Most information they hold in their emails, or in their online profiles on sites like LinkedIn or Twitter, is pretty benign, these entrepreneurs say.
I get it. The logical belief is that while it may be just as easy -- or easier -- for hackers to go after smaller, less sophisticated outlets, there’s nothing of value that they'll find there. Sensitive information, like bank statements, tax returns, company contacts and employee payroll information is securely stored by the companies' service providers.
The risk of damages from an attack, if it occurs, is surely minimal.
I disagree. The reality is that all your information is important to someone who can quickly piece together what you see as relatively innocuous. Hackers can then turn this information into something that could do significant harm to you and your company.
We saw this not too long ago when Russian hackers infiltrated the Pentagon email servers. Federal officials quickly noted that none of the agency's secure servers had been penetrated; but the information obtained, while unclassified, still offered valuable insights to the enemy. What's more, the Defense Department spent significant time and money shoring up its security system's vulnerability and analyzing the threat.
Let’s take an example closer to home and apply it to our business world. Say you’re heading out on a trip someplace you’ve visited several times before with family. Certain hotels, restaurants and attractions have become regular stops for you. Many of us (myself included) will want to tell our beloved Facebook friends about it. And, yes -- though this is a “full-on” vacation -- you, like the rest of us, will still stay a bit connected to work because that’s what entrepreneurs do.
This is all fine but should be done with the understanding that almost anyone else will be able to see that information as well. Something north of 1.2 billion active monthly members, 750 million daily users and 945 million mobile users are on social media platforms. So, when you tell your friends where, when and how you are going to your “favorite vacation spot” yet again, that information can be the perfect opportunity for sophisticated networks to uncover patterns in your activities. Those patterns may prove beneficial to parties aiming to spot vulnerable access points where you connect with your laptop to "check in" on things.
Once hackers gain access to your device at those outlets, they will undoubtedly see your conversations with employees, customers and strategic partners. While those conversations may not be of national security importance, they will provide insight into the activities of other individuals in your network, ones who actually do hold secure data.
The point of the illustration is this: Hackers love to obtain all kinds information, even unclassified data. So, let’s not forget who the enemy is. Contrary to stereotypes, hackers do not live in their mothers' basements staring at a homemade computer all day because they have nothing else to do.
Rather, they have the means to capture a seemingly infinite amount of data in short order and are part of sophisticated, organized global syndicates that are well financed, expertly trained and bent on disrupting -- if not taking down -- governments and corporations around the world.
Given that fact, you might want to reconsider your assumption that your company is "too small" for its information to be of interest to outsiders. Because you may be wrong.

http://finance.yahoo.com/news/why-hackers-not-just-important-223000006.html 

Adobe today released software updates to plug at least 13 security holes in its
Flash Player software. Separately, Microsoft pushed out fixes for at least three
dozen flaws in Windows and associated software.

Post has attachment
With nearly a dozen cyber and data security bills currently on the table between the House and the Senate, Congress has clearly established data breach prevention as a priority, particularly as it relates to protecting consumers and their financial well-being.
Over the past several years, however, we've seen holes develop in our financial security systems that need immediate attention from our leaders. Countless data breaches and cyber hacks have revealed the flaws in our payment tools that continue to threaten the financial stability of consumers.
And with so many of the country's leaders in positions of power to improve financial policies and practices, consumers wonder why conversations in Washington, D.C., don't also factor in the lackluster efforts of banks and credit card companies to issue more secure payment tools to consumers. Now more than ever, legislators must exert pressure on agencies like the Federal Reserve and the financial industry itself to improve our payment security systems.
The Obama administration and other policymakers on Capitol Hill continue newfound efforts to improve our credit and debit card security. Most notably, President Barack Obama issued an executive order last fall calling for all federally issued payment cards to be equipped with chip-and-PIN technology, a secure system used throughout the world. In the U.S., we currently use magnetic strips – which house our financial information similar to the way the film from a VHS tape houses the video – and sign for purchases.
Realizing that the magnetic strips are easily copied, the financial sector is finally trying to catch up with the rest of the globe, instituting chip-equipped cards. The replacement effort still includes easily forgeable signatures, though, providing little to no protection of our financial data once in the hands of cyber thieves.
"This is all so unnecessary," CBS News reports. "In Europe and most of the rest of the world, the easily compromised magnetic-strip cards we use here in the states are history. Instead, they use ... chip-and-PIN technology, which has dramatically reduced fraud rates." It is also a greater protection for American businesses, which absorb less of a burden and risk when customers use a PIN.
Should a thief attempt to steal or counterfeit a chip-and-PIN card and proceed to use it for an in-store purchase, it would be useless without knowledge of the PIN. Despite empirical evidence to back up the success of the two-prong technology, business leaders on Wall Street resigned to inadequate efforts in updating our payment tools.
Democratic Sen. Mark Warner of Virginia has agreed more financial security is needed for consumers and scrutinized the chip-and-signature trend in a letter to federal banking regulators earlier this year. Warner expressed his frustration with chip and signature, questioning the path of the financial institutions when "better anti-fraud technology and authentication measures exists and indeed are prevalent in other countries." But he shouldn't go at it alone.
Lawmakers from the House and Senate have introduced at least a half-dozen cybersecurity bills since March. But it remains to be seen if any of these bills incorporate improved payment security and the implementation of chip-and-PIN technology.
As congressional leaders continue to champion legislation that protects consumers, they must ensure that Americans are safeguarded against scams threatening their financial well-being.
Now is the time for more of our policymakers to join the effort to equip Americans with greater protections at the cash register. Consumers deserve the highest threshold of protection for a more secure payment tool, and they rely largely on the government to provide that assurance. Given the increased momentum on Capitol Hill to protect consumers from financial harm, an opportunity exists for the country's leaders to help provide those protections by championing chip and PIN.

http://fedscoop.com/now-is-the-time-for-better-payment-security 

100 % of the Federal Government employees ( that means every single one ) ,personal information was hacked and stolen . Just revealed this week . The Hackers had been gathering information for over a year . That confirms my fears that it would be possible for a hacking entity could hack
" EVERY SINGLE PERSON IN AMERICA "
I am convinced that it is just a matter of time .

Post has attachment
The debate between merchants and banking institutions over accountability for card fraud has been a heated one for the past year and a half (see Retail Breaches: End the Finger Pointing).
Banks say retailers should be held accountable for more expenses resulting from breaches for which they bear some responsibility.
But retailers argue that the interchange fees they pay to the card brands to route transactions through their networks are designed to cover breach-related expenses. When a retailer is breached, Visa and MasterCard pay issuers from these fees paid by retailers.
So, retailers have said that if the banks have a grievance about how they are reimbursed for card-reissuance, they should direct their concerns to the card brands.
Well, it seems they have.
Last week, Visa agreed to increase pay to banking institutions when they must reissue cards in the wake of a merchant breach.
The American Bankers Association announced on May 14 that Visa had agreed to substantially increased reimbursements to community institutions, which typically have more difficulty than larger banking institutions when it comes to covering all of the costs associated with fraud detection, mitigation and card reissuance. Visa is moving to a tiered system, with higher reimbursements for all banks, based on annual card purchase volume.
The new tiered reimbursement system will pay smaller card issuers, such as community banks, more for the cards they have to reissue, the ABA says.
"As retailer data breaches, including those at Home Depot and Target, have become more frequent and more damaging, banks have responded proactively by reissuing cards - preventing millions of dollars in fraud losses," the ABA says in its statement. "An ABA survey last year that was shared with the card networks found that smaller banks pay significantly more to reissue."
The ABA says it's been lobbying for a year for the card brands to re-assess their reimbursement structure. So this was a big win, from the ABA's point of view. But so far, Visa is the only card brand to make any changes.
Rather than paying $2.50 for each re-issued card - which historically was the rate paid to every institution impacted by a breach, regardless of the institution's asset size or Visa transaction volume - banking institutions with less than $500 million in annual Visa purchase volume will now be paid $6 per for every card they have to reissue in the wake of a breach at a merchant, according to the ABA.
Visa declined to comment about the adjusted system. But Jim Chessen, the ABA's chief economist, says the higher reimbursements are a huge step forward for community banks, which really take a hit when they have to reissue cards. Chessen says smaller institutions' volume of Visa transactions is too low for them to absorb the high expense of reissuing cards.
"I think Visa really took a great step forward and realized that the cost for smaller issuers was too high and very expensive," Chessen says. "The tiered approach recognizes higher expenses for smaller-volume issuers."
Other adjustments now accounted for in Visa's tiered system:
Institutions with between $500 million and $10 billion in annual Visa transaction volume will now receive $3.85 for each card reissued;
Institutions with more than $10 billion in annual Visa transaction volume will receive $2.65 per card; and
In addition to the higher rates tied to a bank's size, all issuers will be reimbursed an additional $1 for every chip card they reissue.
The changes take effect July 1 and will be applied to all card-reissuance expenses associated with breaches that are detected after that date, the ABA says.
MasterCard did not respond to my inquiry about whether it plans to change any of its reimbursement allocations. But ABA's Chessen says he's hopeful it will follow Visa's lead.
While MasterCard already reimburses card issuers based on a tiered system, Chessen says the payout rates should be higher for smaller institutions.
"The ABA has been trying for more than a year to get Visa and MasterCard to reconsider their reimbursement rates," he says.
Chessen says results from a July 2014 survey of 500 ABA member banks, which were asked about the reissuance expenses they incurred after the Target breach, garnered attention from the card brands.
"We had a lot of interest and long conversations with both Visa and MasterCard as a result of that survey," Chessen tells me. "It was clear that smaller issuers bear a bigger burden."
I'm surprised Visa declined to comment about this new reimbursement structure. It's a positive step.
But given that the card brands have remained silent in the midst of all the wrangling that's been going on between bankers and retailers, it's not surprising that Visa wants to stay on the periphery of all the finger-pointing.
Your thoughts on this latest move?

http://www.databreachtoday.com/blogs/visas-paying-banks-more-after-breaches-p-1859 

Post has attachment
If there was any question about the need for Congress to modernize our nation’s data-security laws, the recent settlement negotiation between Target and MasterCard should put all doubts to rest.
Target agreed to reimburse affected MasterCard-issuing banks roughly $19 million following the retailer’s massive 2013 data breach, which incurred significant costs for thousands of community banks.
MasterCard issuers had to choose whether to accept pennies on the dollar for the costs of reissuing cards compromised by the retailer’s breach or to continue the costly and risky road of litigation. As of May 22, fewer than 90% of the qualified accounts had opted into the settlement, so the settlement has not become effective, according to a statement from Target.
Neither the settlement nor litigation is particularly desirable. And it follows a bit of a Catch-22 for those community banks that had to respond to the Target breach in the first place. Reissuing compromised cards incurs not just an expense, but also the wrath of customers who feel inconvenienced and blame their banks for retailer breaches. But choosing not to reissue compromised cards, which would put customers and issuing banks at considerable risk, is simply not an option.
Talk about being caught between the devil and the deep blue sea. Community banks had to reissue nearly 7.5 million credit and debit cards at a total reissuance cost of more than $90 million as a result of last year’s Home Depot data breach, according to Independent Community Bankers of America data.. That follows a reissuance of more than four million payment cards at a cost of more than $40 million after the data breaches at Target and Neiman Marcus less than a year before. That’s a total of 11.5 million debit and credit cards, costing more than $130 million.
So how can we keep credit- and debit-card issuers and their customers from paying the price for data breaches at retailers? The court system certainly hasn’t gotten us very far. The legal battle between these retail and payments behemoths has left affected community banks as collateral damage. What really has to change is the law itself, which is why Congress must finish the job of reforming our data-security system.
To effectively protect against the threat of data breaches, Congress must ensure all participants in the payments system—including retailers—are required to play by the same set of rules. Under current law, merchants are not subject to the same federal data security standards and oversight as financial institutions, which are required to meet a host of regulations laid out in the Gramm-Leach-Bliley Act.
Further, policymakers should ensure that the costs of data breaches are borne by the breached parties. Requiring breached parties to shoulder the cost would align incentives to maximize data security by all parties that store consumer data, making the payments system stronger over time.
The security of our payments system is only as strong as its weakest link. Securing financial data at financial institutions is of limited value if it remains exposed elsewhere. That’s why applying consistent standards to all participants and requiring everyone in the system to take responsibility for the breaches they incur is crucial to truly protecting our most sensitive information.

http://www.paymentssource.com/news/paythink/small-banks-should-not-pay-for-retailers-breach-mistakes-3021395-1.html 

Post has attachment
Last week the Ponemon Institute rolled out the results of yet another Global Cost of Data Breach report and, surprising very few people in the security world, the stats show costs rising again. Sponsored by IBM, the report benchmarked 350 companies across 11 countries. It found that the consolidated total cost of a breach has now risen to $3.8 million, about 23 percent higher than the figure back in 2013. They're compelling statistics for anyone in the managed services world ...trying to offer customers justification for improved security coverage.
According to the report, there are three big factors that are contributing to the rising costs of breaches.
Attack volume is rising and attacks are messier to clean up
"Cyber attacks are increasing both in frequency and the cost it requires to resolve these security incidents," explained Larry Ponemon, chairman and founder of Ponemon Institute.
In breaking down the root causes of benchmarked incidents, data breaches due to malicious or criminal attacks rose by five percentage points to 47 percent. Meanwhile, the cost of breaches cause by these attacks rose from $159 per record to $170.
Reputation damage is taking its toll
It may be one of the hardest figures to estimate, but Ponemon's team believes lost business has one of the most severe potential financial consequences of all of those stemming from a breach.
"The financial consequences of losing customers in the aftermath of a breach are having a greater impact on the cost," he says.
Based on an examination of things like abnormal turnover of customers, reputation losses, diminished goodwill and increased customer acquisition activities, Ponemon comes up with estimates on lost business costs. It estimates that it rose to $1.57 million on average from the previous estimate of $1.33 million.
According to the report this is likely a function of consumers' growing awareness of identity theft and willingness to vote with their wallets when trusted brands fail to protect their personal information.
Incident response and forensics costs rose
Response and detection costs have increased for the past three years running, the report showed.
"More companies are incurring higher costs in their forensic and investigative activities, assessments and crisis team management," Ponemon explains.
According to the report, in the past year, the average cost of detection and escalation costs rose by more than 25 percent. In many cases companies are investing in integrating forensic solutions into incident response procedures, which will help them with long-term analysis of root causes of their breaches. This is good and bad as the increase in tooling could expose bigger breaches, resulting in higher costs in years to come.

http://mspmentor.net/managed-security-services/060115/3-reasons-it-security-breach-costs-keep-rising 

Post has attachment
The IRS has failed to implement dozens of security upgrades to combat cyberattacks, leaving the agency's computer systems vulnerable to hackers, a government watchdog told Congress Tuesday.
The agency's inspector general outlined the security weaknesses a week after the IRS announced that criminals had stolen the personal information of 104,000 taxpayers from an IRS website. The IRS believes the information was stolen as part of an elaborate scheme to claim fraudulent tax refunds.
"The IRS faces the daunting task of protecting its data and IT environment from the ever-changing and rapidly-evolving hacker world," said J. Russell George, the Treasury inspector general for tax administration. "This incident provides a stark reminder that even security controls that may have been adequate in the past can be overcome by hackers, who are anonymous, persistent, and have access to vast amounts of personal data and knowledge."
Each year, George's office audits the IRS's security systems and recommends improvements. As of March, 44 of those upgrades had not been completed, George said. Ten of the recommendations were made more than three years ago.
George could not say whether the security upgrades would have prevented the recent breach. However, he added: "It would have been much more difficult had they implemented all of the recommendations that we made."
George and IRS Commissioner John Koskinen testified at a hearing Tuesday by the Senate Finance Committee.
Koskinen said budget cuts have hampered the IRS's ability to upgrade its computer systems. The IRS said funding for cybersecurity has fallen from $187 million in 2011 to $149 million in 2015, a drop of more than 20 percent.
Overall, the agency's funding has been cut by more than $1 billion since 2010, to $10.9 billion this year.
? "We can't on one hand reprimand the IRS for not better protecting taxpayer's sensitive information, while on the other, we slash their budget," said Sen. Tom Carper, D-Del.
Republicans were less sympathetic to claims of inadequate funding.
"Any questions regarding funding levels for the agency should wait until we have a complete understanding about what occurred," said Sen. Orrin Hatch, R-Utah, chairman of the Finance Committee.
Despite the cuts, the IRS has stepped up efforts to combat criminals who use identity theft to claim fraudulent tax refunds, Koskinen said.
This year, the agency's computer filters stopped almost 3 million suspicious returns before they were processed, Koskinen said. That's an increase of 700,000 from last year.
The taxpayer information was stolen from an IRS website called "Get Transcript," where taxpayers can get tax returns and other tax filings from previous years.
The breach doesn't appear to be a traditional hack. The thieves already had detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax filing status and street address. They presumably stole the information elsewhere, the IRS said.
The thieves used the information to access the IRS website. Koskinen said old tax returns could help criminals prepare more authentic-looking tax returns in the future, which they could use to claim fraudulent refunds.
IRS investigators believe the thieves were based in Russia, two officials who were briefed on the matter told The Associated Press. The officials spoke on condition of anonymity because they were not authorized to speak publicly about an ongoing criminal investigation.
On Tuesday, George said the criminals were based in Russia and other countries, which he would not name.
The revelation highlights the global reach of many cyber criminals. It could also complicate efforts to prosecute the offenders.
Koskinen said an increasing number of cyberattacks are coming from Eastern Europe and Asia. However, he said, foreign governments are often slow to help the IRS.
"As a general matter we don't get a lot of cooperation," Koskinen said.

http://www.usnews.com/news/politics/articles/2015/06/02/irs-commissioner-to-face-questions-about-security-weaknesses 

Post has attachment
IT service providers, particularly cloud service providers, increasingly are resisting unlimited liability for breaches of privacy and data security obligations in their customer agreements. Instead, they offer unlimited liability for breaches of confidentiality, asserting the customer’s risk of a data breach would be covered as a breach of confidentiality, and arguing that unlimited liability for breaches of data protection obligations is simply double dipping.
A Data Breach Is Not Needed to Create Liability
When an IT service provider takes this position, one of the first questions a customer asks is: Assuming that the service provider has access to data that would be covered by privacy and data security laws, what is the risk if the provider breaches the privacy and data security obligations without an actual data breach
In other words, does there need to be a data breach for the customer to incur liability? Unfortunately, the answer is no.
To fully understand the risk of accepting the IT service provider’s position, a customer should identify:
- The privacy and data protection requirements the customer must satisfy.
- The likelihood the IT service provider may cause the customer to fail to comply with those requirements.
- The potential for damages, fines, penalties or other enforcement activity if the customer fails to comply with those requirements—even absent a data breach.
Privacy and Data Protection Requirements
In terms of the privacy and data protection requirements the customer may need to satisfy, the customer should consider legal and regulatory requirements (including regulatory guidance) and industry standards. For example, if a customer collects or processes credit card information, the customer must comply with the Payment Card Industry Data Security Standards (PCI DSS) as well as Visa's Cardholder Information Security Program (CISP), MasterCard's Secure Data Protection program (SDP) and Discover Network's Information Security and Compliance program (DISC). In addition, Massachusetts 201 CMR 17.00 requires a company that owns or licenses personal information of Massachusetts residents to implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards.
Even if there is no data breach, failing to comply with these standards may subject the customer to enforcement actions by the relevant regulatory authority and/or significant fines.
‘Flow-Through’ Terms
Once a customer identifies the relevant requirements, the customer should ensure that these requirements are expressly passed through to the IT service provider through well-tailored “flow-through” terms. Not only is the customer at risk for liability if the IT service provider causes it to fail to comply with the requirements; simply failing to flow through the requirements may subject the customer to liability for noncompliance.
This is true even if the service agreement includes a confidentiality clause, which generally requires the receiving party to exercise a duty of care to protect confidential information of the disclosing party in a way that is consistent with the measures the receiving party takes to protect its own confidential information. It is often unclear, however, exactly what measures an IT service provider takes. For example, Massachusetts 201 CMR 17.00 specifically requires companies to oversee its service providers, including requiring its service providers by contract to implement and maintain appropriate security measures.
Legal requirements and industry standards are not the only potential risk. The customer also may have contracts in place with its end-user customers and other third parties that would expose it to unlimited liability for breaches of privacy and data security obligations. If the IT service provider only offers unlimited liability for breaches of confidentiality and the IT service provider’s obligation is to comply with its own duty of care standard and not the customer’s standards, the customer may not be able to look to the IT service provider for full recourse if the IT service provider causes the customer to breach these contractual obligations.
A Data Breach Does Not Always Mean a Breach of Confidentiality
Even if there is a data breach, customers may be at risk that the confidentiality provision does not cover the data subject to the breach. Confidentiality provisions often define “confidential information” in a manner that may not encompass all of the data subject to privacy and data security laws. For example, the definition may include only information that is labeled as confidential or that a “reasonable person” would consider to be confidential. In this case, certain types of data, such as IP addresses or geolocation data, are unlikely to be labeled as confidential when disclosed to the IT service provider and may not be something a “reasonable person” would consider to be confidential.
“Confidential information” often is defined to include end-user customer data but not employee data. The IT service provider’s services, however, may include storing or processing employee data. Particularly for services such as cloud-based HR solutions, this may be as simple as receiving employee names, phone numbers, addresses and emails in order to provide technical support.
If the customer discloses personally identifiable information to the IT service provider that is not covered by the definition of confidential information, then a breach of that data would not be a breach of confidentiality for which the IT service provider would have unlimited liability under the service agreement.
Conclusion
The risk of liability for a breach of privacy and data security obligations without a data breach is only increasing. Audit and enforcement activities have continued to increase, an example being the U.S. Department of Health and Human Services Office for Civil Rights’ focus on HIPAA privacy rule violations—with some resulting in civil penalties in the millions. This risk is likely to continue to grow as regulators and states become even more active in setting data protection requirements and enforcing them, including increasing scrutiny of how companies are flowing down protections to third parties.
Customers will want to minimize their risk in deals with IT service providers by (1) including privacy and data security obligations sufficient to satisfy their privacy and data protection requirements; and (2) insisting on uncapped liability for the IT service provider’s breach of those obligations. If the IT service provider simply refuses to accept such unlimited liability and only offers uncapped liability for breaches of confidentiality, the customer may try to reduce its risk by:
- Including privacy and data security obligations sufficient to satisfy the customer’s privacy and data protection requirements, even if those obligations are subject to a general limitation on liability.
- Ensuring damages the customer may incur for breach of privacy and data protection obligations, such as regulatory fines, penalties and the like, are not excluded by a sweeping exclusion of liability for consequential damages, even if they are subject to a general limitation on liability.
- Seeking a heightened liability cap for breaches of privacy and data security obligations in addition to uncapped liability for breaches of confidentiality
- Defining “confidential information” to ensure it encompasses all personal data the customer may disclose to the IT service provider.
- Including the right to terminate for convenience without the payment of any early termination charge.

https://www.lexology.com/library/detail.aspx?g=b98863cd-e713-4f4b-85d9-07b274fed112 
Wait while more posts are being loaded