“Do as I say, Not as I do”…General Services Administration (GSA) Exposes Personal Data March 16, 2013
Posted by Chris Mark in Uncategorized.Tags: cyber security directive 23, cybersecurity, data breach, data security, GSA, InfoSec, SAM
add a comment
The infamous GSA, who in 2012, was identified for gross fraud, waste, and abuse, sent an email today disclosing to me, and every other company that has participated in Government contracting that the System for Award Management (SAM) system had a vulnerability that exposed sensitive data. Here is a copy of the email I recieved today: (bold is my emphasis)..Before I go into more detail, I would personally like to thank the GSA for exposing my bank account data and SS# through their blind incompetence. At least they “apologized” in their email.
Dear SAM user
The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity’s registration information, including both public and non-public data at all sensitivity levels.
Immediately after the vulnerability was identified, GSA implemented a software patch to close this exposure. As a precaution, GSA is taking proactive steps to protect and inform SAM users.
The data contained identifying information including names, taxpayer identification numbers (TINs), marketing partner information numbers and bank account information. As a result, information identifiable with your entity registered in SAM was potentially viewable to others.
Registrants using their social security numbers instead of a TIN for purposes of doing business with the federal government may be at greater risk for potential identity theft. These registrants will receive a separate email communication regarding credit monitoring resources available to them at no charge.
In the meantime, we wanted you to be aware of certain steps that all SAM users may want to take to protect against identity theft and financial loss. Specific information is available at www.gsa.gov/samsecurity. If you would like additional background or have questions, you may call 1-800-FED-INFO (1-800-333-4636), from 8 a.m. to 8 p.m. (ET), Monday-Friday starting Monday, March 18. We recommend that you monitor your bank accounts and notify your financial institution immediately if you find any discrepancies.
We apologize for any inconvenience or concern this situation may cause. We believe it is important for you to be fully informed of any potential risk resulting from this situation. The security of your information is a critical priority to this agency and we are working to ensure the system remains secure. We will keep you apprised of any further developments.”
Interestingly, the FAQ posted on their website does not indicate how long the data was exposed. Since SAM went into effect over a year ago, I am guessing that the vulnerability had been in place for at least a year.
Maybe, just maybe, instead of sending GSA employees to ‘cooking class’, and funding parties in Hawaii, the Federal Government should focus on protecting the data to which it is entrusted. The Federal Government recently passed a CyberSecurity directive…again, maybe they should focus on cleaning their own house.
“SpyGames” – Global Cyber Espionage Ring Discovered January 15, 2013
Posted by Chris Mark in Uncategorized.Tags: Chris Mark, cyberespionage, information security, InfoSec, Kaspersky, mark consulting group, Stuxnet
add a comment
In an article published today in RT Magazine, it was disclosed that recently Russia’ Kaspersky labs uncovered. “A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries…” “The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kasperky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Beligum and Switzerland. Kaspersky is also the company that identified Stuxnet, Flame, and Duqu malware.
According to the article: “The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.”
In August, 2012, I published an article in The Counter Terrorist Magazine titled: “The Rise of CyberEspionage” which outlines the International efforts to steal data from Western nations. Unfortunately, while many companies are busy trying to protect NPI, PII etc. advanced efforts are being undertaken to steal their intellectual property. Stay tuned for a February 2013 article in The Counter Terrorist, as well!
Chris Mark in Jan 2013 TransactionWorld: “Only Certainies are Death, Taxes, and PCI DSS.” January 2, 2013
Posted by Chris Mark in Uncategorized.Tags: Chris Mark, data breach, Heather Mark, InfoSec, mastercard, PCI DSS, security, transactionworld, TSYS, visa
add a comment
Chris Mark (this guy with two thumbs) is in the January 2013 edition of TransactionWorld Magazine. You can read my article titled: “In 2013 the only certainties are Death, Taxes, and the PCI DSS” in which I opine about the need for PCI DSS and other security standards as we enter 2013. The bio on the article is not accurate and still references an old position I had at ProPay. That being said, ProPay is a great company for which I was fortunate and proud to have worked, a company at which my illustrious wife, Dr. Heather Mark still works, and a company who deserve a big Congrats for being acquired by TSYS!..all in all…no harm, no foul.
Beating an Old Drum October 27, 2012
Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.Tags: cybersecurity, data security, Dr. Heather Mark, Heather Mark, InfoSec, mark consulting group, privacy, security
add a comment
It’s the end of what has already been a tough year for data security. And the news just got worse. South Carolina has announced that its Department of Revenue suffered a major breach. The breach is so massive, in fact that more than 75% of the state’s residents have been affected. The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents. Also included in the breach were about 390,000 payment cards. Most of those were encrypted, though.
This is disturbing on a number of levels. I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those). Consumers have built in protections on payment cards. As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions. The far more sensitive data, the social security numbers, were not encrypted, though. This defies logic. Consumers have little to no protection against misuse of SSNs. Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.
Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.” WHAT? If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold. After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.
Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data. It’s long past time states put forth the same level of protection. On the plus side, the state did comply nicely with its own data breach notification law.
Because I Said So September 23, 2012
Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Politics.Tags: cybercrime, cybersecurity, data security, Dr. Heather Mark, Heather Mark, InfoSec
add a comment
Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity. Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order. In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages. So what might we see in this forthcoming order?
According to reports, the order will attempt to regulate sixteen “critical” industries. The guidelines will be voluntary, after a fashion. Compliance with the standards may determine eligibility for federal contracts. The White House has not made any secret about its intentions on Cybersecurity. In fact, the White House website lists “Ten Near Term Actions to Support Our Cybersecurity Strategy.” Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.
The questions remain, however – 1) how stringent (read intrusive) will the requirements be?; 2) Will they be relevant to the threats in the landscape?; 3) How will compliance be policed? and 4) How much additional cost are we potentially adding our already stretched budgets?
Another question that merits examination is whether or not the standards will be redundant. Many industries are already straining under the weight of a variety of infosec requirements – whether industry-regulated or government mandated? Will another layer of regulation mean increased efficacy of data protection strategies and mandates or will it be just another layer of red tape?
Global Security, Privacy, & Risk Management 