Security Update
Compromised certificate authority (CA) DigiNotar collapsed this week in the fallout from the intrusion it suffered earlier this year. Elsewhere, new insurance policies help cover losses from digital security breaches, and a survey on social engineering puts a price on the cost and exposure such attacks create.
Focal Points:
- Dutch firm DigiNotar has closed and filed for bankruptcy in the Netherlands this week, after a Dutch authority revoked its CA rights late last week. The company's servers were penetrated by one or more intruders in June of this year, allowing them to issue approximately 500 fraudulent Secure Sockets Layer (SSL) certificates, the credentials browsers rely on to verify that a site is who it claims to be. DigiNotar noticed the intrusion on July 19th but did not disclose the breach until a month later, and only after a user of Google, Inc.'s Chrome browser noticed and reported a rogue certificate being presented for a Google domain. Now, digital rights group Electronic Frontier Foundation (EFF) is extending its HTTPS Everywhere browser extension and SSL Observatory project so that users can act as anonymous sensors: the certificates they are presented for a site are reported to the observatory and compared with what other users see for the same site. Because an attacker holding a mis-issued certificate still presents a different certificate from the one the site's real operator uses, the comparison aims to flag rogue certificates quickly rather than months after the fact. The feature is included in the developer version of HTTPS Everywhere and, once it leaves alpha, will be available to the more than one million people who use the extension.
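To make the detection idea concrete, here is an added example (not EFF's code and not part of the original article) of observatory-style rogue certificate detection: each client reports the SHA-256 fingerprint of the certificate it was shown for a host, and a certificate that disagrees with what many independent reporters have consistently seen is flagged. The PEM blobs, host names and reporter identifiers are constructed placeholders; `make_pem` wraps arbitrary bytes in PEM armor as a stand-in for real DER-encoded X.509.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER bytes inside a PEM block.

    Output uses the colon-separated form produced by
    `openssl x509 -noout -fingerprint -sha256`.
    """
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class Observatory:
    """Collects the certificates many clients saw for a host and flags outliers.

    seen[host][fingerprint] is the set of (anonymous) reporter tokens that
    submitted that fingerprint. A fingerprint counts as "established" once
    at least min_reports independent reporters have seen it.
    """

    def __init__(self, min_reports: int = 3):
        self.min_reports = min_reports
        self.seen = defaultdict(lambda: defaultdict(set))

    def report(self, host: str, pem: str, reporter: str) -> str:
        fp = fingerprint(pem)
        self.seen[host][fp].add(reporter)
        return fp

    def assess(self, host: str, pem: str) -> str:
        """Classify a certificate a single client was just presented."""
        fp = fingerprint(pem)
        observed = self.seen.get(host)
        if not observed:
            return "unknown-host"
        established = {
            f for f, who in observed.items() if len(who) >= self.min_reports
        }
        if fp in established:
            return "consistent"
        if established:
            # Other clients consistently see a different certificate for this
            # host: either a key rotation in progress or an interception.
            return "anomalous"
        return "unconfirmed"


def make_pem(blob: bytes) -> str:
    """Wrap bytes in PEM armor. CONSTRUCTED stand-in for a real DER certificate."""
    body = base64.encodebytes(blob).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed samples: the genuine certificate seen by many clients, and a
# different one (e.g. signed by a compromised CA) shown to a single client.
GENUINE = make_pem(b"constructed-der: CN=www.example.com, issuer=Example CA")
ROGUE = make_pem(b"constructed-der: CN=www.example.com, issuer=Rogue CA")


def demo() -> dict:
    obs = Observatory(min_reports=3)
    for reporter in ("a1", "b2", "c3", "d4"):
        obs.report("www.example.com", GENUINE, reporter)
    return {
        "genuine": obs.assess("www.example.com", GENUINE),
        "rogue": obs.assess("www.example.com", ROGUE),
        "unknown": obs.assess("mail.example.net", GENUINE),
    }


if __name__ == "__main__":
    print(demo())
```

The threshold matters: a single report is "unconfirmed" rather than "anomalous", because one client seeing a new certificate is just as consistent with a legitimate renewal as with an attack; it is the disagreement with an established majority that makes the DigiNotar pattern visible.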
- The Hartford Financial Services Group, Inc. is now selling data loss insurance for small businesses seeking protection from the fallout of a data breach. The Hartford joins numerous other insurers offering similar coverage for advertising, crisis management, forensic analysis, legal liability, customer notification, repair, and other associated expenses. More than 40 states have already enacted laws dictating how breaches of sensitive data must be handled and imposing penalties for them, and federal legislation, the Secure and Fortify Electronic (SAFE) Data Act, is circulating in the U.S. House of Representatives. Separately, the MozyPro cloud backup service, backed by EMC Corp., is offering a new service that ships hard drives to customers to ease the initial full backup. Called Mozy Data Shuttle, it sends users up to four 2 terabyte (TB) drives onto which they make a full, encrypted backup of corporate data. Once that full backup is complete, Mozy begins copying incremental backups to its cloud service and merges them with the drive contents once the drives arrive at Mozy's data center. The backup drives use two layers of encryption to protect the data in transit.
- A recent survey of 850 IT and security professionals in Australia, Canada, Germany, New Zealand, the U.K., and the U.S. found that 48 percent had experienced social engineering attacks, at an average cost of between $25,000 and $100,000 per incident. Phishing e-mails and social networking sites are the most common attack vectors, while money, competitive knowledge, and revenge are the primary motivators. The research shows that new employees are the most vulnerable to social engineering, followed by contractors, executive assistants, human resources staff, business leaders, and IT employees, in that order. Elsewhere, security firms reported a new piece of Apple Inc. Mac malware that uses a so-called "double extension" trick to get users to run an executable disguised as a Portable Document Format (PDF) document; it relies on the user opening the file rather than on a software vulnerability. In the two-step ruse, the executable downloads a backdoor that then connects to a server controlled by the attacker.
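The "double extension" disguise is cheap to check for on the way into an organization (mail gateway, file share scan). The following is an added example, not code from any of the firms mentioned: it flags a file name whose last extension is executable but whose preceding extension claims a document (`invoice.pdf.exe`), and separately flags a file whose name claims a document but whose leading bytes are a native executable (Mach-O, ELF or PE), which catches the case where the name was simply made to end in `.pdf`. The magic numbers are the standard ones for those formats; the file names and headers in the demo are constructed samples.

```python
import os
from typing import NamedTuple, Tuple

# Well-known executable magic numbers (standard format constants, not taken
# from the article): Mach-O thin 32/64-bit in both byte orders, Mach-O fat,
# ELF, and the MZ header that every Windows PE file starts with.
EXECUTABLE_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O fat/universal",
    b"\x7fELF": "ELF",
    b"MZ": "PE/MZ",
}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".app", ".scr", ".com", ".bat", ".cmd", ".sh"}


class Finding(NamedTuple):
    name: str
    content_type: str
    reasons: Tuple[str, ...]  # empty tuple means nothing suspicious


def detect_type(header: bytes) -> str:
    """Identify a file by its leading bytes, ignoring its name entirely."""
    if header.startswith(b"%PDF-"):
        return "PDF"
    for magic, label in EXECUTABLE_MAGICS.items():
        if header.startswith(magic):
            return label
    return "unknown"


def inspect(name: str, header: bytes) -> Finding:
    """Compare what the name claims with what the content is."""
    reasons = []
    root, last_ext = os.path.splitext(name.lower())
    _, inner_ext = os.path.splitext(root)

    # invoice.pdf.exe: a document extension hidden in front of an executable one.
    if last_ext in EXECUTABLE_EXTENSIONS and inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append("double-extension")

    # statement.pdf whose bytes are a Mach-O/ELF/PE image: the name lies.
    content_type = detect_type(header)
    if last_ext in DOCUMENT_EXTENSIONS and content_type in EXECUTABLE_MAGICS.values():
        reasons.append("type-mismatch")

    return Finding(name, content_type, tuple(reasons))


def is_suspicious(name: str, header: bytes) -> bool:
    return bool(inspect(name, header).reasons)


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("quarterly-report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("statement.pdf", b"\xcf\xfa\xed\xfe\x07\x00\x00\x01"),
    ("notes.txt", b"plain text, nothing to see"),
]


def scan(samples=SAMPLES) -> dict:
    """Map each file name to the tuple of reasons it was flagged (empty if clean)."""
    return {name: inspect(name, header).reasons for name, header in samples}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(f"{name:24s} {'SUSPICIOUS ' + ', '.join(reasons) if reasons else 'ok'}")
```

Only the first few bytes are needed, so the check is cheap enough to run inline on every attachment; it does not replace antivirus, but it catches the disguise itself regardless of which backdoor the executable would go on to download.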
Experton Group believes the failure of DigiNotar exemplifies both the difficulty even professional security providers have in preventing every intrusion and the speed with which trust is lost when a firm does not report a breach promptly. Efforts like HTTPS Everywhere will make it harder for attackers to succeed in the future, but the risk will never disappear: attackers keep getting more sophisticated, and increasingly they are backed by deep-pocketed businesses and governments. Meanwhile, social engineering attacks prey on the uninitiated and untrained personnel within an organization, and these attacks too will grow more complex and sophisticated over time. Software protection tools are necessary, but the best protection executives have is aware, well-trained individuals who can spot suspicious activity and report it to the appropriate parties before damage is done. Privacy and security have to be the responsibility of everyone at a company. Executives should also weigh the need for data loss business processes, or data loss insurance from insurers such as The Hartford, as part of their governance and risk management practices. Surveys show that a large percentage of small and mid-sized businesses (SMBs) have no disaster recovery (DR) plan for their data and IT operations, and statistics show that most firms without an adequate DR plan close their doors after a major catastrophe. Offerings like MozyPro are an inexpensive way to ensure the company can remain a going concern after a disaster. Getting the DR, privacy, and security message out to executives and staff, and keeping it front and center day to day, is a major challenge, but IT and security executives must make it an ongoing initiative. Corporate survival depends on it.

