A new wave of mass SQL injection attacks seen in mid-August to hit over half a million websites, including parts of Apple’s site serves as a weighty reminder of the growing prevalence of mass injections and of SQL [...]]]>

This article just reiterates the point, once again, that companies need to be more proactive in their security:

A new wave of mass SQL injection attacks seen in mid-August to hit over half a million websites, including parts of Apple’s site serves as a weighty reminder of the growing prevalence of mass injections and of SQL injections in general as a favorite means of hackers to tap into organizations’ infrastructure and data resources.

In light of these attacks, security researchers believe now is as good of a time as any to revisit some best practices necessary to prevent mass SQL injections and mitigate the risks associated with injection attacks. These practices are hardly revolutionary, but it is clear that they aren’t being implemented as widely as they need to be.

via Five Ways to Stop Mass SQL Injection Attacks – DarkReading.

our liveForensics tool addresses issue #2 outlined in this article: “Implement filtering and monitoring tools.” As the article suggests, liveForensics provides monitoring at both the application and database level, helping to mitigate the risk of SQL injection attacks.

Check out the additional benefits of liveForensics.

Although still an evolving concept, penetration testing is becoming more common and more critical for organizations housing confidential data.

What is penetration testing? In simple terms, penetration testing is basically a planned attempt to hack into your system in order to determine any vulnerabilities and weaknesses. Testers simulate [...]]]>

What is penetration testing?
by Lee Haas

Although still an evolving concept, penetration testing is becoming more common and more critical for organizations housing confidential data.

What is penetration testing?
In simple terms, penetration testing is basically a planned attempt to hack into your system in order to determine any vulnerabilities and weaknesses. Testers simulate attacks from malicious sources and evaluate the effectiveness of your security measures. An assessment report is presented outlining the findings and, often, recommendations for improving security are provided.

Who needs it?
Many organizations, such as financial institutions and insurance companies, are subject to industry regulations requiring proof of due diligence in regards to securing data. Penetration tests not only demonstrate due diligence to the regulatory bodies, but also to consumers and customers, providing a deeper level of trust.

A thorough penetration test will safeguard against hackers or employee theft, saving the company from potential financial loss. The assessment also provides a guide for the best allocation of funds and resources.

How does it work?
A penetration test is an active analysis of your system. An attack is simulated and testers are able to look for poor system configuration, flaws in hardware or software and other operational weaknesses. At the conclusion of the test, an assessment is provided detailing the areas of potential weaknesses and vulnerability.

The test may detect:

• Router or firewall penetration
• Password guessing /sniffing / cracking
• Web application attacks
• SQL Injection
• Cross-site scripting
• Denial of Service (DoS)
• Vulnerable port/service exploits
• Social Engineering (human-directed) attacks
• Password acquisition
• Email spoofing
• Phishing
• Spear phishing
• Wireless network attacks
• Open or weak WLANs
• Hidden or stealth WLANs
• Encrypted WLANs authentication/handshake traffic
• Wireless traffic
• Information leaks

Gone are the days when employees kept rolodexes on their desks.  According to the How Much Information? study conducted by the University of California Berkeley, 92% of all new information in 2002 was stored electronically.  This percentage appears [...]]]>

Departing employees and data theft
New techniques shift power back to companies
By Andrew Hoog and the viaForensics team

Gone are the days when employees kept rolodexes on their desks.  According to the How Much Information? study conducted by the University of California Berkeley, 92% of all new information in 2002 was stored electronically.  This percentage appears to increase each year with some informal estimates that 97% of all business documents are now created electronically.  While commentators frequently discuss the impact this business shift has on electronic discovery, the implications for departing employee data theft are just as significant but often overlooked.

What is employee data theft?

Electronic documents by their nature are portable, easy to copy and more prone to theft than paper documents by employees.  This fact not only applies to the ease with which electronic documents are stolen, but also to the sheer quantity taken.  In August 2009, DuPont filed a lawsuit against a research scientist for breach of contract and misappropriation of trade secrets for stealing a large number of files.  It was alleged that research scientist, Hong Meng, stole more than 600 files by copying them to a portable hard drive. After a forensic investigation, over 550 of these files were found on Meng’s home computer.  This was not the first high profile instance of theft at DuPont; another research scientist was sentenced to an 18 month prison term for stealing proprietary company information valued at $400 million.

Not surprisingly, DuPont is not alone in its woes.  Outlined in a 2009 study conducted by the Ponemon Institute, data theft is rampant in the business world.  The study found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure.  Done without the employer’s permission, this confidential electronic information has the potential to be saved in multiple locations beyond the employer’s control and on devices unknown to the employer.

The reasons an employee takes confidential company information vary from being benign and misguided to intentional for the purposes of personal gain.  The Ponemon Institute study found that over 50% of departing employees claimed that one reason they took employer data was their perception that “everyone else did it when they left.”  This statistic alone underscores the importance and impact of a policy regarding the company’s confidential data that is well thought out, documented, communicated and enforced.

Other reasons cited in the report include the potential usefulness of the data in the future (53%), the employees’ sense of ownership around what they helped to create (52%); their belief that the company cannot trace the theft back to them (49%) while only 13% state the theft was an accident.

What kinds of confidential data do employees take?

An employee may steal valuable trade secret information as seen at DuPont.  However, not every business has these types of trade secrets.  The type of information an employee is most likely to steal is the information needed to do his or her specific job, usually information that is readily available to them.  To maintain a competitive advantage, the electronic information an employee uses everyday must be protected.  Everyday employees have access to a wide variety of electronic information which range from important (email lists and non-financial business information), to confidential (customer information), to private (employee records), through the most sensitive and potentially damaging data: financial records, databases with enormous company history, trade secrets and intellectual property.

When the employee is in IT or security, the access to confidential data is even greater.  According to a 2008 study by Cyber-Ark Software, almost 90% of IT employees indicated they would take sensitive company data if they were laid off.  The types of data itemized in the report include passwords, customer information, intellectual property from Research and Development (R&D), financial and other strategic plans for the company.

How do employees take confidential data?

Technology affords many methods for an employee to take data electronically from a company.  In the past, the most common method was to write the files to a CD or DVD, but a growing trend involves copying files to a portable USB storage device.   USB devices are easily concealed, ready to use and can hold vast amounts of data.

Smart phones

Surprisingly, most companies do not address the danger of stealing electronic information through smart phones which include the BlackBerry, iPhone and the emerging Android phones.  These devices often have enormous storage capacity (the most recent iPhone is capable of storing 32GB of data) and are easily connected to the corporate email system.  They can also access WiFi wireless networks for high transfer speeds and even have the ability to connect to a company’s private network.  The combination of storage, data access and ubiquity make a mobile communication device an ideal method of stealing data.

Email

Email is also another efficient way to take confidential data.  Most email services provide users with a website for email access and a generous storage quota.  With IT budgets constrained and limited spending available for security, personal emails generally flow unfettered through the enterprise.  Employees can easily email large amounts of data to personal accounts and then access it from anywhere in the world. While this is convenient to an employee, it can be very dangerous to the employer.  By using a personal email account, the employee not only circumvents the corporate email system but the account is beyond the control and scope of corporate investigations and most legal instruments.

Messenger Services

There are also many less common approaches to stealing data that are just as damaging as those mentioned so far.  These include websites focused on the sharing of data (for example, yousendit.com), Instant Messenger services (such as Yahoo, AIM, MSN, Google Talk), the venerable FTP (File Transfer Protocol), software which allows complete copies of hard drives and very sophisticated techniques which create encrypted tunnels for transferring data.  Suffice to say, it is impossible for a company to completely prevent data loss.  According to the U.S. Homeland Security Department, in 2008 there were 5,499 known breaches of U.S. government computers.

All of the methods described above cover intentional data theft by employees.  However, an employee may also inadvertently expose confidential data by installing software onto his or her computer.  Over half of all respondents to the Ponemon Institute’s survey admitted to downloading personal internet software to their company computers.  Many of these programs contain a trojan horse or other malware which seeks out confidential data and copies it to data caches on the Internet for retrieval by unauthorized individuals.

Furthermore, company secrets can be leaked through social networking sites. Today, secrets can be leaked through status updates on these sites, where ‘updating your status’ is a common phrase.  Both current and departing employees can inadvertently leak company information by disclosing their current ‘status’ or updating online profiles. For example, a recent Microsoft development was leaked to the public through an online posting on Linkedin.com.

What can you do to protect your clients?

Clients need to protect themselves not only before a data theft has occurred but definitely after such an event.  Clients frequently do not understand that failing to take preventive measures may preclude an effective response to the data theft.

Before a theft occurs, you should offer your client advice on appropriate IT policies and technology necessary to protect their valuable data.  If a theft has already occurred, legal counsel can provide advice on how to investigate the theft and what legal remedies may exist, such as litigation.

Policy

The first protection an employer should have in place is a thorough and well communicated set of company policies and procedures .  Two policies and one procedure in particular are essential to the protection of company confidential data: (1) Acceptable Use Policy, (2) Data Classification and Retention Policy and (3) New and Departing Employee Procedures.

The Acceptable Use Policy is a comprehensive policy governing the use of all company assets and in particular should include safeguards to prevent the theft of confidential data, as well as general policies limiting the copying of information and use of computer hardware or software which puts company data at risk.  Keep in mind that developing an effective policy may require trading employee convenience for data security.  The assessment of these issues will involve difficult decisions that each company must make after weighing the benefits versus the consequences.

The goals of the Data Classification and Retention Policy are to identify all types of data created within a company and the amount of time it should be retained.  While this may seem obvious, the process needed to develop an effective policy is arduous, demands participation from numerous departments throughout an organization and an attention to detail.  After classifying the various data within a company, other policies can specifically address the data types and how to control and protect them.  This policy is also instrumental in developing an effective e-discovery strategy.

Finally, direction must be provided to the Information Technology department to ensure that an employee’s computer equipment is properly handled, starting from the initial setup through the eventual decommissioning of the system.  Without specific procedures, it is extremely difficult to use the results of a computer investigation in a legal proceeding since most IT departments will significantly modify an employee’s computer once they have departed.

Technology

Even with a thorough set of policies and procedures in place, it is impossible to prevent an employee from stealing confidential data. The next important step in prevention is to deploy effective technical solutions to protect your data.  In many companies, a few minor changes to the IT system can yield significant results.

One important change is to remove employees from the Administrator group on their computer.  This prevents them from installing any software or hardware.  Also, companies should not allow employees to create CDs/DVDs or copy data to USB drives unless there is a business need.  In some instances, only the IT department should have the authorization to make or create such data.

Many companies eliminate attaching a printer to a single computer.  This not only prevents theft of confidential data (by printing) but also allows for improved print management.  Companies should also consider deploying a device which can monitor and block websites that are malicious, in violation of the Acceptable Use Policy, not required to operate the business or allow easy transmission of data.

Finally, companies should implement a centralized logging device.  This device will receive all of a company’s log files for aggregation and allows a single view of what is happening throughout the organization.  In addition, it can provide critical information as to whether or not your system was compromised by outside entities.

Getting help via forensics (computer and mobile)

While policies and technology will prevent casual data theft, determined employees will still steal data.  If this occurs, protect your company by proving two things; that the departed employee took information without your permission and that the stolen information caused harm.  This is where computer forensics is important.  Companies must first have documentation of the theft by proving that the theft originated from their systems.  Computer forensics experts can find and document instances of an employee’s improper conduct using specialized software, hardware and techniques.

Computer forensics experts can determine if an employee connected a device such as a removable USB storage device or if a CD was created which contained confidential data.  A true expert can even identify the make, model and serial number of the removable storage device, when it was first connected and the last time it was used.  They can also identify which data was deleted and often times can even recover the information.  Printing a document also leaves a trail which can be uncovered and can provide key information about the theft itself.  Frequently, websites visited by an employee will bring context to the theft or even constitute direct evidence.

An emerging discipline is mobile forensics which target smart phones such as an iPhone, Blackberry or Android phone.  Since they contain information which can provide significant insight on what an employee was doing leading up to the theft of data, it might also provide direct evidence of the theft.  As an example, a forensics investigation of an Apple iPhone will generally result in the recovery of 50,000 – 60,000 files, most of which the employee never realized existed or thought they had deleted.  For the iPhone, the files recovered include all voicemails that were ever left on the phone, all emails ever sent or received, and data users often believe is deleted but can be recovered – including text messages, contacts, call logs and pictures.  The blending of modern smart phones with GPS technology can also pinpoint a departing employee’s location at a particular date and time.  Of course, many privacy implications exist and should be thoroughly vetted, but lawyers should be aware of the data available if a company employs the services of a qualified computer/mobile forensics expert.

Information gathered during a forensic investigation can provide crucial evidence which enables the employer to seek legal redress from a employee’s data theft.  Remedies can include monetary damages or an injunction.  Unfortunately, many employers do not realize an employee has taken confidential information until weeks or months have passed. If the former employee’s computer is redeployed or altered by the company, the value of the evidence uncovered is severely diminished.

Whether to preserve forensically a departing employee’s computer is a business decision that must be considered in light of the employee’s access to confidential data.  One cost-effective precaution is to make a forensics copy of the hard drive or mobile device.  Should suspicions arise in the future concerning theft of confidential information (or a number of other potential matters), the results of a forensic examination conducted on the hard drive “mirror” will be as valid as if the original hard drive had been preserved and examined.

Legal remedies

Once a breach of security has been detected the remedies available to the former employer are limited. The Computer Fraud and Abuse Act (CFAA) have limited application to stolen confidential electronic information. This statute authorizes losses to be recovered in a civil action.  However, “losses” are defined as loss or damage suffered by computer systems.  In other words, losses of revenue or unfair competition are not recoverable under the statute.  The most widely used legal remedy in a case of stolen electronic information is an injunction followed by a claim for damages based on misappropriation of trade secrets. However, to support this claim of theft, evidence of actual damages must be shown.

An example of an injunctive order that was issued and upheld on motion to dismiss, was against Frank Ringo in Dental Health Products, Inc. v. Ringo.  Ringo was accused of stealing confidential information from his employer.  He had been issued a laptop by his employer which allowed him to access highly confidential information about customers, business practices, negotiating strategies, and sales reports. In July 2008, Ringo’s employer noticed that his sales were declining and Ringo submitted his resignation soon after.  That same month, his employer learned that Ringo was associated with a direct competitor.

Upon the return of Ringo’s laptop to the employer, computer forensics revealed that Ringo had installed and used special software (Norton Ghost) to copy the entire hard drive onto an external hard drive on multiple occasions.  From the evidence produced to the court on the motion to dismiss, there were not enough facts to base the injunctive relief on a violation of CFAA because ‘loss’ to the computer system must be shown.  However, the court denied the motion to dismiss because it found that the plaintiff had presented a case sufficient to find that Ringo misappropriated trade secrets of his employer.

Conclusion

With the percentage of business documents being created and stored digitally approaching 100%, the most important assets of a company are easier than ever to steal. And with nearly 60% of departing employees admitting to such theft, companies must find more effective ways to protect their assets.  Since litigation is expensive, time consuming and may not yield the desired results, the best strategies to prevent or minimize loss include:  (1) Development of a comprehensive set of policies and procedure, (2) Deployment and verification of IT security controls, (3) Proactively leveraging the power of computer and mobile forensics and if necessary, (4) seek legal redress.

Growing awareness that a company takes serious steps to protect digital assets can significantly reduce casual theft by employees.  With proper policies and procedures in place, the theft of data requires an intent to profit that is easily proved.  In such a case, a company which leverage computer and mobile forensics has the means to identify and document the theft to provide a sound basis for seeking legal redress as did DuPont.  The result is a company which operates more efficiently, proactively reduces theft, and has all available means to address thefts which do inevitably occur.

References:

http://www2.sims.berkeley.edu/research/projects/how-much-info-2003/execsum.htm#summary

Beyond Reactive: Leverage Forensics to Increase Security and Auditability:

As network environments get larger, faster, and more complex, they become more difficult to secure. With numerous applications, users, and systems interacting, and a staggering [...]]]>

The St. Louis chapter of ISACA will present on proactive forensics during its 2010-2011 kick-off meeting on September 15th. Click below for details.

Beyond Reactive: Leverage Forensics to Increase Security and Auditability:

As network environments get larger, faster, and more complex, they become more difficult to secure. With numerous applications, users, and systems interacting, and a staggering array of increasingly complex threats, the number of events to monitor can be overwhelming.

Traditional IT security has largely failed to protect corporations, government and individuals. Typical firewall/anti-virus combinations are reactive and frequently circumvented, and provide little mitigation in the case of data breaches. The problem is apparent with numerous high-profile breaches getting headlines in the last several years DoD, PCI, HIPAA.

This session will focus on the use of proactive forensics and how an organization can audit live systems in real time. Proactive forensics provides advanced capabilities to protect internal & external systems at a very low level and is undetectable to attackers. Benefits discussed will include

• file system monitoring

• live memory capture

• user activity monitoring

• application-aware event monitoring, and

• malware detection

Additionally, we will discuss how this information can be combined with automated differential reporting and how to develop a user-friendly dashboard.

via Beyond Reactive: Leverage Forensics to Increase Security and Auditability – Event Summary | Online Registration by Cvent.

Organized cyber-criminals and malicious insiders were responsible for most corporate data breaches in 2009, [...]]]>

Companies need to protect themselves both inside and out. According to a report by Verizon and the Secret Service, summarized in the article below, while external parties still pose the largest threat, 48 percent of security breaches originated from within the organization.

Organized cyber-criminals and malicious insiders were responsible for most corporate data breaches in 2009, and used tactics like credential abuse, hacking and sophisticated social engineering to get away with their heists, according to a new report by Verizon and the Secret Service.

In a first-of-its-kind collaboration, Verizon and the Secret Service confirmed 141 breach cases in 2009 that resulted in 143 million compromised records. With the addition of three years of Secret Service data, Verizon has now documented more than 900 data breaches over the last six years involving 900 million individual records.

“The chance to study a larger set of breaches is certainly something that we enjoyed,” said Wade Baker, director of research intelligence at Verizon Business. ”

Adding the Secret Service data contributed to give us a more accurate picture.

“The additional information revealed a much higher number of inside breaches than previous reports had shown, with 48 percent of breaches originating from inside a business or organization. However, external parties still posed a larger threat, having been involved in 70 percent of all cases 27 percent of the cases studied were plotted by a combination of agents, which accounts for overlaps.

via Study finds more data breaches are inside jobs – SFGate.

viaForensics has developed tools and services to help organizations protect themselves from both internal and external threats. But organizations needs to start taking actions proactively rather than waiting until the breach occurs.

There have been 41 data breaches involving financial institutions so far in 2010 – well on the [...]]]>

This article comes from a company focused on providing news, training and education in the areas of information security, risk mitigation and fraud. Their source is the Identity Theft Resource Center, a nonprofit that tracks this issue.

There have been 41 data breaches involving financial institutions so far in 2010 – well on the way to surpassing the 62 such incidents in all of 2009.

via bankinfosecurity.com: 41 Banking Breaches So far in 2010

The article also links to an interesting timeline of breaches including type. Even more startling is that many breaches still go unreported, as also reported in the article.

For now, the underreporting of data breaches remains a problem, Foley says. The ITRC is one of several organizations tracking data breaches in the United States. Example: The New York list of data breaches that was made public this spring had more than 200 breaches that had not been reported by any news media, she says. This is a problem not just for the victims of those data breaches, but for other potential victims. “The only thing that underreporting or hiding breaches is doing,” Foley says “is allowing criminals to do the same thing to other businesses without law enforcement becoming aware and investigating them.”

While many organizations leverage forensics after they realize a breach has occurred, they fail to leverage forensic technology proactively to help monitor and protect their systems. viaForensics is a pioneer in applying forensic technology proactively, detecting IOC’s (indicators of compromise) and tracking key forensic information that can be crucial in the investigation of suspected breaches.

I wonder how many more banks and corporations have to become “data breach” headlines before they get serious about security?

Is your company’s data under surveillance by foreign spybots looking for any competitive advantages or weaknesses they can exploit? This might sound farfetched, but such electronic espionage is real. It’s an insidious security [...]]]>

This article provides a good summary of how corporations can be targeted by cyber criminals. liveForensics can help address some of these issues.

Is your company’s data under surveillance by foreign spybots looking for any competitive advantages or weaknesses they can exploit? This might sound farfetched, but such electronic espionage is real. It’s an insidious security threat that’s a lot more common than you probably realize.

As an IT or security executive, determining whether your organization is under attack via this seemingly undetectable threat — and putting in place adequate technology and procedural safeguards — should be a high priority. The stakes are too high to ignore the problem.

via The quiet threat: Cyber spies are already in your systems.

Organizations are getting hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks ranged from $1 million to $53 million per year, according to a newly published benchmark study [...]]]>

Data breaches are costing companies millions each year, according to the studies cited in the following article.

Organizations are getting hit by at least one successful attack per week, and the annualized cost to their bottom lines from the attacks ranged from $1 million to $53 million per year, according to a newly published benchmark study of 45 U.S. organizations hit by data breaches.

The independent Ponemon Institute's “The First Annual Cost of Cyber Crime Study” (PDF), which was sponsored by ArcSight, showed a median cost of $3.8 million for an attack per year, a price tag that includes everything from detection, investigation, containment, and recovery to any post-response operations. “Information theft was still the highest consequence — the type of information [stolen] ranged from a data breach of people's [information] to intellectual property and source code,” says Larry Ponemon, CEO of the Ponemon Institute. “We found that detection and discovery are the most expensive [elements].”

And a separate report called “The Leaking Vault” (PDF) released today by the Digital Forensics Association found that among the 2,807 publicly disclosed data breaches worldwide during the past five years, the cost to the victim firms as well as those whose information was exposed came to whopping $139 billion.

The article goes on to say:

“It seemed that the majority of the 45 organizations were random and haphazard in their approach” to the problem, Ponemon says. “They didn’t have the right tools or technologies, and they didn’t know what kinds of threats there were and that the actual attacks were happening” until afterward. One finding in the report gave a nod to SEIM tools: Organizations with a SIEM solution incurred 24 percent less costs of the breach than those that did not.

This point illustrates the need for organizations to take a more proactive approach to their data security. Tools (such as liveForensics) can help organizations monitor and stay one step ahead of security issues. A small investment up front could save a fortune down the road.

via One Breach = $1 Million To $53 Million In Damages Per Year, Report Says – DarkReading.

A U.S. District Court judge on Tuesday ruled that it’s not a criminal act to violate the Terms of Service of a Web site, a decision hailed by the Electronic Frontier Foundation.

The case, Facebook v. Power Ventures, arose because Power offered software that allowed users to aggregate Facebook [...]]]>

An important ruling that could affect our industry:

A U.S. District Court judge on Tuesday ruled that it’s not a criminal act to violate the Terms of Service of a Web site, a decision hailed by the Electronic Frontier Foundation.

The case, Facebook v. Power Ventures, arose because Power offered software that allowed users to aggregate Facebook friends and other data with similar sets of data from other social networking sites.

Facebook argued that because its Terms of Service forbid users from using automated methods to access user data, Power’s software violated California’s computer crime law, specifically section 502(c).

via Violating Web Site Rules Not A Crime — InformationWeek.

Two days ago I wrote about a thermostat you can adjust from your phone, and today Allure Energy announced another twist on the idea. The company connects your thermostat to [...]]]>

In Andrew’s words: “Awesome, now we can image both the smart phone and the thermostat for an investigation. Time to update those forensic procedures.”

Two days ago I wrote about a thermostat you can adjust from your phone, and today Allure Energy announced another twist on the idea. The company connects your thermostat to a BlackBerry or iPhone app that tracks how far you are from home and adjusts your thermostat accordingly. Think of it as a location-based service for interacting with your thermostat.

When you leave in the morning, the system calibrates your home’s thermostat so you don’t waste energy while you’re away. Likewise, it senses when you’re on your way back, returning the temperature to your perfect degree of cozy.

via Allure Energy Announces a Thermostat That Knows When You’re Coming Home.