
“You Can’t Unring That Bell!” – What is a “Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more.  I frequently find myself working with companies on data breach notification plans.  One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”.  More interesting is when I ask them to define a “suspected data breach”.  Visa’s rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example.  You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes?  Maybe, maybe not.  It depends on a number of factors including access to data, data protections (i.e. encryption), segmentation, the various laws, etc.  In short, it is not easy to decipher, yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan.  The reason it is so critical is in the title of this article.  Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’.  The genie is out of the proverbial bottle and things start moving quickly.  Most companies would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.).   It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions, your company is required to notify of a breach or suspected breach.  Here are some basic definitions to use as a starting point.  (check with your legal counsel and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset.  This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of or unauthorized access of sensitive and/or protected data to include PHI, PII, CHD, and NPI.

Suspected Data Breach – In the absence of direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonably assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉  If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com
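To show how the three definitions above nest, and how the factors named earlier (access to data, encryption, segmentation, the jurisdiction’s encrypted-data rule) change the answer, here is a small triage helper. It is an added example written for this post, not code from the original article or from Mark Consulting Group; the `Incident` fields, the `encrypted_data_exempt` flag, and the sample incidents are constructed assumptions, and the 24-hour window models only the Visa rule cited above.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Protected data classes named in the post.
PROTECTED_DATA_TYPES = frozenset({"PHI", "PII", "CHD", "NPI"})

# Visa rule cited in the post: suspected breaches involving cardholder data (CHD)
# must be reported within 24 hours of identification.
CHD_REPORTING_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Incident:
    description: str
    data_in_reach: frozenset     # protected data types the affected assets could touch
    segmented_from_data: bool    # affected assets are isolated from protected data stores
    data_encrypted: bool         # protected data is encrypted and keys were not exposed
    direct_evidence: bool        # identified fraud or misuse of the data
    identified_at: datetime      # when the incident was identified


def classify(incident: Incident, encrypted_data_exempt: bool = False) -> str:
    """Map an incident onto the post's three definitions.

    encrypted_data_exempt (an assumed per-jurisdiction flag) models the state laws
    that do not treat exposure of encrypted data as a notification trigger.
    """
    protected = incident.data_in_reach & PROTECTED_DATA_TYPES
    if not protected or incident.segmented_from_data:
        # Availability or integrity may be hit, but no protected data was in reach.
        return "Security Incident"
    if incident.direct_evidence:
        # Identified fraud or misuse: exposure is no longer merely "suspected".
        return "Data Breach"
    if incident.data_encrypted and encrypted_data_exempt:
        # Encrypted data, no evidence of misuse, and a jurisdiction that exempts it.
        return "Security Incident"
    # Protected data was reachable and there is no direct evidence: it is
    # reasonable to assume exposure, which is the post's "Suspected Data Breach".
    return "Suspected Data Breach"


def chd_report_deadline(incident: Incident, classification: str):
    """Deadline for the Visa report, or None when the rule is not triggered."""
    if classification == "Security Incident" or "CHD" not in incident.data_in_reach:
        return None
    return incident.identified_at + CHD_REPORTING_WINDOW


# Constructed samples: the post's malware outbreak in customer service, four ways.
IDENTIFIED = datetime(2012, 8, 21, 9, 30)
CS_OUTBREAK_FLAT = Incident(
    "Malware outbreak in customer service; workstations can reach CHD and PII",
    frozenset({"CHD", "PII"}), segmented_from_data=False, data_encrypted=False,
    direct_evidence=False, identified_at=IDENTIFIED,
)
CS_OUTBREAK_SEGMENTED = replace(CS_OUTBREAK_FLAT, segmented_from_data=True)
CS_OUTBREAK_ENCRYPTED = replace(CS_OUTBREAK_FLAT, data_encrypted=True)
CS_OUTBREAK_FRAUD = replace(CS_OUTBREAK_FLAT, direct_evidence=True)


def triage(incident: Incident, encrypted_data_exempt: bool = False) -> dict:
    """Run both checks and return the result as one record for the notification plan."""
    label = classify(incident, encrypted_data_exempt)
    return {"classification": label,
            "chd_report_due": chd_report_deadline(incident, label)}


if __name__ == "__main__":
    for name, inc in [("flat network", CS_OUTBREAK_FLAT),
                      ("segmented", CS_OUTBREAK_SEGMENTED),
                      ("encrypted, exempting state", CS_OUTBREAK_ENCRYPTED),
                      ("fraud identified", CS_OUTBREAK_FRAUD)]:
        print(name, triage(inc, encrypted_data_exempt=(name.startswith("encrypted"))))
```

The ordering in `classify` is the point: direct evidence of misuse is checked before the encryption exemption, so an encrypted-data safe harbor never downgrades an incident where fraud has already been identified, and segmentation is checked first because it is what makes the customer-service outbreak a plain Security Incident rather than a suspected breach.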

graphic by Hippacartoons.com

“Old Ironsides & The War of 1812” – 200 Years Ago Today August 20, 2012

Posted by Chris Mark in Uncategorized.

Many Americans would likely be surprised to learn that the US has a ship built in 1797 that is still in active service.  The USS Constitution, known as “Old Ironsides”, was launched in 1797 and fought in numerous battles and wars including the First Barbary Wars and the War of 1812. Here is a previous post I wrote about the Barbary Wars.

August 19th, 2012 marks the 200th anniversary of the battle that gave the ship her nickname.  In 1812 the Constitution waged a fierce battle with the HMS Guerriere in which the Constitution was victorious and the HMS Guerriere, too badly damaged to bring into port, was burned at sea.

“Wanna Bet?..Yup…Straight8 I wanna CombatBet!”…Now You Are Asking What the Hell? August 15, 2012

Posted by Chris Mark in Uncategorized.

So I just had an opportunity to catch up with an old Marine buddy named Jason.  Jason owns Straight8 Photography.  He is a retired Recon Marine and was an instructor with me at the Basic Reconnaissance Course in the late 1990’s.  As I am talking, he mentions that his wife owns CombatBet.  I couldn’t believe it!  CombatBet is the “new” challenge coin.  For those unfamiliar, “challenge coins” have been around for years and are coins carried by people in units that identify their membership etc.  (too much history to explain).  Long and short, it sucks to carry 10 coins to hand out.  They are also expensive and not super customizable. I have been handed a half dozen of these over the last couple of years and didn’t know who was behind them!  If you are looking for either a great photo or some kick ass poker chips, you have to take a spin by Straight8 Photography or CombatBet.com…BTW…if the pic looks familiar it is Jason with his daughter and was in the scrolling credits of Act of Valor…courtesy of Straight8…


“Gauss What!?” – Another CyberWeapon Discovered August 14, 2012

Posted by Chris Mark in cyberespionage, Risk & Risk Management, terrorism.

According to Kaspersky Labs, yet another cyberweapon was discovered last week.  On August 9, 2012 Kaspersky Labs issued a press release stating that they had identified another cyber-weapon dubbed Gauss.  According to the press release:

“…‘Gauss’, a new cyber-threat targeting users in the Middle East. Gauss is a complex, nation-state sponsored cyber-espionage toolkit designed to steal sensitive data, with a specific focus on browser passwords, online banking account credentials, cookies, and specific configurations of infected machines. The online banking Trojan functionality found in Gauss is a unique characteristic that was not found in any previously known cyber-weapons.” (more…)

“Bow-Chicka-Bow-Wow!” – Privacy Failure of Photobucket Can Make You a Porn Star! August 13, 2012

Posted by Chris Mark in cybersecurity, Data Breach.

Those who use the popular photo sharing site Photobucket to share (ahem)..”private” pictures may want to take action immediately.  According to an article on CNN, a privacy flaw in the way Photobucket allows users to share photos resulted in hackers gaining access to numerous R-rated and even explicit photos of users.  Photobucket allows users to share photos using direct links.  This means that even if the user does not intend to share a photo, if a person can deduce the URL then the unencrypted file can be directly accessed.   This is a hack known as “Fuscking” and it has been used to access numerous files.  (more…)