<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; Cyber Crime News</title>
	<atom:link href="http://www.cybersecurityinformation.com/category/cyber-crime/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Fri, 27 Aug 2010 13:53:16 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Rising Threat from Cyber Attacks</title>
		<link>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/</link>
		<comments>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/#comments</comments>
		<pubDate>Sat, 20 Feb 2010 21:04:32 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=792</guid>
		<description><![CDATA[The threat from cyber attacks is on the rise.  On Friday, the Wall Street Journal reported that 2,411 companies had been the victims of a hacking operation that was part of an 18-month global attack that exposed vast amounts of personal and corporate secrets and intellectual property to theft. The attacks, which originated in Europe [...]]]></description>
			<content:encoded><![CDATA[<p>The threat from cyber attacks is on the rise.  On Friday, the Wall Street Journal reported that 2,411 companies had been the victims of a hacking operation that was part of an 18-month global attack that exposed vast amounts of personal and corporate secrets and intellectual property to theft.</p>
<p>The attacks, which originated in Europe and China, targeted major corporations and government agencies including pharmaceutical giants Merck &amp; Co. and Cardinal Health.  The operation has affected some 75,000 computers in 196 countries.</p>
<p>Now is the time to examine your company’s business practices to make sure that your critical data and intellectual property are safe from complex electronic and socially initiated thefts.  Lapses in appropriate security measures can expose your company to major financial losses, both from theft and from civil lawsuits filed on behalf of clients or customers affected by the breach.</p>
<p>To protect your company and your shareholders from such losses or litigation, your company’s security practices must be up to date and in compliance with state and federal regulations.  Your IT security practices should also be part of your overall corporate governance, led by your general counsel so that this information is protected by attorney-client privilege.</p>
<p>Information Defense Corporation and Interfor Inc., a leading global due diligence and investigations firm, have partnered to offer our clients unique and <a href="http://www.cybersecurityinformation.com/2009/04/07/information-defense-corporation-and-interfor-inc-partner-to-enhance-cyber-investigations-and-preventative-solutions/">comprehensive security solutions</a>.  From physical security, asset recovery and crisis management to risk-based and technical assessments of electronic assets and controls, the team is positioned to work with your company’s legal and combined security personnel to keep your assets, personnel, intellectual property and trade secrets safe, or to help restore the integrity of your operations with incident response, forensics and other measures following a security breach.</p>
<p>For more information on the services offered by our team, please use our contact page here:  <a href="http://www.cybersecurityinformation.com/contact-us/">Contact Us</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/02/20/rising-threat-from-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Citibank Computers Hacked by Russian Cyber Gang</title>
		<link>http://www.cybersecurityinformation.com/2009/12/23/citibank-computers-hacked-by-russian-cyber-gang/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/23/citibank-computers-hacked-by-russian-cyber-gang/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 16:29:52 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Citibank]]></category>
		<category><![CDATA[Juval Aviv]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=729</guid>
		<description><![CDATA[In additional cyber security news, the Wall Street Journal reported today that Citibank was the victim of a hack by what appears to be a Russian cyber gang that resulted in the loss of tens of millions of dollars. The attack also targeted two other entities, at least one of which is a government agency.  [...]]]></description>
			<content:encoded><![CDATA[<p><strong>In additional cyber security news, the Wall Street Journal reported today that Citibank was the victim of a hack by what appears to be a Russian cyber gang that resulted in the loss of tens of millions of dollars.</strong></p>
<p>The attack also targeted two other entities, at least one of which is a government agency.  The attack was discovered over the summer, but could have taken place as much as a year earlier.  The case is being investigated by the FBI with assistance from the NSA, the Department of Homeland Security and Citigroup, which is partially owned by the US Government.</p>
<p>Citigroup denies that the hack took place and there has been no comment from any government agency, but the report further details that the hack was discovered when officials noticed suspicious internet traffic coming from email addresses known to be owned by the Russian Business Network, a gang that has sold software used to access US government systems.  The gang had been silent for two years, but is suspected in other recent attacks.</p>
<p>Beyond the stolen money, a major concern is that the hackers could destroy information, wreaking havoc on the banking system or that once they have infiltrated one bank that they could use that access to get into other banks.</p>
<p>This further illustrates the point that I was making in the previous article: that cyber terrorism is a very real threat and that our banking, communications, government and military systems are currently under assault from gangs and even the governments of other countries.</p>
<p>Protecting these systems must be a priority, and the efforts to do so must be coordinated, not a variety of independent efforts directed by multiple agencies.</p>
<p><em><strong>By Juval Aviv, President &amp; CEO of <a href="http://www.interforinc.com/" target="_blank">Interfor Inc</a>, Strategic Partner of Info Defense</strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/23/citibank-computers-hacked-by-russian-cyber-gang/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Obama Appoints Cyber Security Czar &#8211; Howard A Schmidt</title>
		<link>http://www.cybersecurityinformation.com/2009/12/23/obama-appoints-cyber-security-czar/</link>
		<comments>http://www.cybersecurityinformation.com/2009/12/23/obama-appoints-cyber-security-czar/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 16:27:43 +0000</pubDate>
		<dc:creator>Information Defense Corporation</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Cyber Security Czar]]></category>
		<category><![CDATA[Howard A Shmidt]]></category>
		<category><![CDATA[Juval Aviv]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=727</guid>
		<description><![CDATA[Seven months into his term, President Obama has appointed Howard A. Schmidt to the role of cyber security chief.  He will report to the National Security Council and will have regular access to the President. Mr. Schmidt is an industry veteran who previously served the Bush White House.  He was formerly the chief information security [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Seven months into his term, President Obama has appointed Howard A. Schmidt to the role of cyber security chief.  He will report to the National Security Council and will have regular access to the President.</strong></p>
<p>Mr. Schmidt is an industry veteran who previously served the Bush White House.  He was formerly the chief information security officer at eBay, the chief information officer at Microsoft and worked in computer security for the Air Force, the Army and the FBI.  The Obama administration is the first to promote this position to the level of a White House Director.</p>
<p>Cyber security has increasingly become a priority in the wake of a growing number of cyber attacks and reports of vulnerabilities in business and military computing systems.  Obama was brought face to face with the issue during his campaign for the presidency when his campaign’s computer security was breached exposing critical information ranging from policy positions to travel plans.</p>
<p>Mr. Schmidt will be facing long-running turf wars being waged among the Pentagon, the <a href="http://topics.nytimes.com/top/reference/timestopics/organizations/n/national_security_agency/index.html?inline=nyt-org" target="_blank">National Security Agency</a>, the <a href="http://topics.nytimes.com/top/reference/timestopics/organizations/h/homeland_security_department/index.html?inline=nyt-org" target="_blank">Department of Homeland Security</a> and other agencies over the conduct of defensive cyberoperations.</p>
<p>He and others serving in cyber security positions will also be trying to work out how to conduct offensive cyberoperations, and what the rules and tactics should be.  One of the biggest fears in carrying out offensive attacks on computer systems is unintended consequences that damage civilian infrastructure.</p>
<p>In 2003, for example, the Bush administration had the technology to launch a cyber attack that would freeze the bank accounts of Saddam Hussein and cripple Iraq’s economy, giving Hussein no money for war supplies or to pay troops.  The attack never happened, though, because of the fear that the effects of the attack would not be limited to Iraq and would create world-wide financial havoc.  Attacks were carried out on Iraq’s military and government communications system, which resulted in cellular and satellite telephone service being shut off in the countries surrounding Iraq for several days.</p>
<p>I am heartened to see that the issue of cyber security is being taken more seriously by this administration and that attempts are finally being made to coordinate the efforts to protect our nation’s computer systems.  Cyber warfare has become a very clear and present danger, one that could have deadly consequences leading to a further destabilization of our country’s economy and even the loss of lives without one terrorist ever stepping foot on our soil.</p>
<p>The vulnerabilities of our banking, government and military computer systems, the Federal Aviation Administration systems as well as the systems that are used for general communication and e-commerce have not been addressed sufficiently to this point and those vulnerabilities have led to dangerous security breaches.</p>
<p>In my opinion, the one issue that must be addressed immediately, particularly for the military, is that only about 1/5 of computer chips are produced in secure American facilities.  Most computer chips, even those that are produced by American companies, are produced overseas.</p>
<p>In fact, only about 2% of the computer chips that are used in our military’s communications systems and weaponry are being produced in America.  This is a major cause for concern, as chips produced in unsecured plants can be infected with malicious software or Trojan horses that allow computer criminals to pilfer information or even to take control of the machine that is being powered by the infected chip.  Retired Army General Wesley Clark has referred to these types of infected chips as “the ultimate sleeper cell” and I agree.  Domestic production must be supported and encouraged if we are to make a serious effort at protecting vulnerable systems.</p>
<p>Clearly, Mr. Schmidt has his work cut out for him.  I wish him luck.</p>
<p><em><strong>By Juval Aviv, President &amp; CEO of <a href="http://www.interforinc.com" target="_blank">Interfor Inc</a>, Strategic Partner of Info Defense<br />
</strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/12/23/obama-appoints-cyber-security-czar/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Your Employees Know About Your Business</title>
		<link>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/</link>
		<comments>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 23:58:44 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Credit Card Data]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[perimeter security]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=422</guid>
		<description><![CDATA[What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors. What your employees know about your business may be of strategic value and provide [...]]]></description>
			<content:encoded><![CDATA[<p>What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors.</p>
<p>What your employees know about your business may be of strategic value and provide that competitive edge.  It may be the special sauce that took the company years to develop and it may walk out the door prior to any exit interview or tender of resignation.</p>
<p>Recent surveys, media reports, prosecutions, and our investigations show an alarming number of ex-employees stealing company data, including when changing jobs.  Compromised data may include customer lists, contact information, know-how, and other forms of intellectual property.  The majority do so in order to benefit from some financial arrangement or to assist with a new job.  A recent theft of a proprietary trading platform at a major Wall Street financial institution is under investigation.  The platform enabled the firm to generate millions in trading profits each year.</p>
<p>There is a growing, pervasive sense of entitlement to works for hire.  Access to computers and technology without appropriate controls makes such theft inviting and simple for those inclined.  How these thefts occur and remain undetected for extended periods of time has much more to do with the lax protective measures in place within the organization than with the skills of the perpetrator.</p>
<p>In our investigative experience we have seen far too many cases where there is employee theft, limited binding agreements, no procedural or technical controls or measures, and far too much blind faith and trust extended to those who are not trustworthy.</p>
<p>Forgive me if my experiences make me appear cynical, but I have seen thieves rob charities, a business owner’s life’s work compromised by overzealous employees, and organizations hobbled and made vulnerable by employees gone bad.</p>
<p>Too often the lack of detective measures and the extended periods before suspicion and investigation, further compounded by the lack of protocol in disengaging employees, compromise critical evidence.  Lacking substantive evidence, it is increasingly complex and costly for the organization to pursue justice in what may otherwise have been a clearly defined case.</p>
<p>Organizations must take comprehensive controls and measures seriously to avoid a potentially devastating event precipitated by an individual to whom the organization has extended its trust.  This starts with the appropriate legal, technical, and procedural controls from engagement through discharge; employer beware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Engineering Exploits Delivered Via Telephone</title>
		<link>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 02:28:59 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[online fraud]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=313</guid>
		<description><![CDATA[Most individuals who use a computer have received erroneous emails claiming they have won some prize, need to verify online banking credentials, are being contacted to accept funds from some far away estate that has no rightful owner, or some other elaborate story.  The list goes on.   The email based scams are referred to as [...]]]></description>
<content:encoded><![CDATA[<p>Most individuals who use a computer have received erroneous emails claiming they have won some prize, need to verify online banking credentials, are being contacted to accept funds from some far-away estate that has no rightful owner, or some other elaborate story.  The list goes on.  The email-based scams are referred to as phishing attacks.  These attacks are carried out by criminals who are looking to farm sensitive information from unsuspecting individuals who fall for the story.</p>
<p>Similar scams are being perpetrated via the telephone and are called vishing attacks.  These scams are aimed at getting individuals to give up sensitive information such as credit card data, banking credentials and/or some other sensitive information.  Many individuals have come to accept ANI or caller ID as verification of who is calling.  Scammers know this and are using the ability to manipulate caller ID information to defraud unsuspecting individuals.</p>
<p>Anyone can manipulate caller ID information (called ANI spoofing), and it&#8217;s as simple as purchasing an online service.  The online services will enable the caller to change the number displayed on a caller ID, change the voice from male to female or the reverse, and record everything that was said.  A tool like this may be fun for the average prankster but could be costly to those exposed to a criminal intent on defrauding individuals.  Here&#8217;s how a typical scam might work.</p>
<p>An organized crime group sets up its own server to manipulate ANI.  The group utilizes a predetermined set of phone numbers to call and dials them en masse.  This is called war dialing.  As the call rings on the receiving end, the caller ID displays the name of the &#8216;institution&#8217; the caller pretends to be.  A message is played which indicates that the receiving individual has a problem with an account and must dial a particular phone number to resolve the issue.  When the recipient makes that call, they are prompted by a voice-activated agent to enter sensitive information, such as banking info, credit card data, address, social security numbers and more.  What the unsuspecting individual has not determined is that the call was a scam and they have just provided a thief access to a credit card or online bank account, or worse, provided enough information to become the victim of identity theft.</p>
<p>Since the beginning of time there have been frauds, and today this behavior remains.  What has changed are the methods by which a criminal can defraud the unsuspecting individual or institution.  Technology has been a catalyst in enabling many ongoing exploits.  To protect yourself, follow a few simple rules that you normally follow in everyday life.</p>
<blockquote>
<ul>
<li>Know who you are dealing with.  Just because the phone says Bank of Your Choice, don&#8217;t assume it is.</li>
<li>Your bank knows who you are, so for them to ask you to provide sensitive information such as a social security number is a big red flag.  If it is your institution and they are using such information to validate who you are, get a new banker.</li>
<li>Be on guard, if it sounds too good to be true, it is.</li>
</ul>
</blockquote>
<p>Know now that there exist scammers who launch social engineering attacks via vishing scams.  Be wary of what your caller ID tells you.  If you find you cannot resist believing that little display, put a piece of duct tape over it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Government Reports Computer Spies Breach Fighter Jet Project</title>
		<link>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 04:33:16 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=170</guid>
<description><![CDATA[According to the Wall Street Journal&#8217;s Siobhan Gorman, August Cole, and Yochi Dreazen, computer spies have broken into the Pentagon&#8217;s $300 billion Joint Strike Fighter project.  This is the Defense Department&#8217;s costliest weapons program ever; how can this be?  Tell me it&#8217;s not true. Was 9/11 not enough of a wake-up call?  The events [...]]]></description>
<content:encoded><![CDATA[<p>According to the Wall Street Journal&#8217;s Siobhan Gorman, August Cole, and Yochi Dreazen, computer spies have broken into the Pentagon&#8217;s $300 billion Joint Strike Fighter project.  This is the Defense Department&#8217;s costliest weapons program ever; how can this be?  Tell me it&#8217;s not true.</p>
<p>Was 9/11 not enough of a wake-up call?  The events of that day cast doubt on the US government&#8217;s ability to protect its people.  Now we must ask whether the government can protect the military secrets that enable our patriots to defend this country.  The worst part of all of this is that the cyber spies have apparently been stealing secrets for well over a year&#8217;s time undetected.</p>
<p>Information Defense sees this type of activity all of the time within corporate entities that have been compromised and need our help.  The organizations are certain they have the greatest tools in place and they are covered.  They find out after the fact that they were not; this is perhaps somehow forgivable.</p>
<p>The Pentagon, however, must do a better job; these are supposed to be the best and brightest that protect these secrets.  I now truly realize how naive I am.  There is no room for being asleep at the wheel or incompetence when it comes to national security.  We must do better and address responsibility and accountability.</p>
<p>To say that since data was encrypted they could not determine what was accessed is ridiculous.  The reason no one can say what was accessed or when is due to a lack of oversight and controls.  This is not an overly complex methodology I am talking about.  It&#8217;s more common sense than techno sense.  How is it that critical information flying out the back door is not important enough to be detected?  To say that differing security standards within the contracted vendors that work on these projects is how the compromise occurred is not an excuse I am willing to accept.  Who allowed those differing standards to exist without verifying their viability in protecting sensitive US secrets?</p>
<p>Our legislators are ready to have a cyber czar tell US corporations what they must do to protect their information assets or face the consequences.  Who must we hold accountable for the lack of performance in these breaches?</p>
<p>I am certain we will soon hear the next brilliant idea from the next wannabe-in-the-limelight politician.  Stay tuned.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/21/government-reports-computer-spies-breach-fighter-jet-project/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cybersecurity Rules for Private Networks Proposed</title>
		<link>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/#comments</comments>
		<pubDate>Sun, 05 Apr 2009 00:10:31 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=25</guid>
<description><![CDATA[According to the Washington Post and reporters Joby Warrick and Walter Pincus (“Senate Legislation Would Federalize Cybersecurity,” April 1, 2009), there is a new Senate Bill which proposes mandatory security standards for private industry.  The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted [...]]]></description>
<content:encoded><![CDATA[<p>According to the Washington Post and reporters Joby Warrick and Walter Pincus (<a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html" target="_blank">“Senate Legislation Would Federalize Cybersecurity,” April 1, 2009</a>), there is a new Senate Bill which proposes mandatory security standards for private industry.  The legislation, co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Sen. Olympia J. Snowe (R-Maine), was drafted with White House input.</p>
<p>It is my opinion that this is nothing more than window dressing and a platform for more big government and politicians to be politicians. Government networks are compromised on an ongoing basis, and now we need the government to tell private industry how to protect themselves?  I find that interesting at best.</p>
<p>The bill proposes for a cyber czar to set compliance standards and monitor performance.  Let&#8217;s get real: compliance and security are two different things.  How many PCI-compliant or HIPAA-compliant organizations have been compromised and lost consumer credit card info, social security numbers and other sensitive information?  The answer is far too many!  It does not matter that you were compliant when you have lost a million or more credit card numbers, social security numbers, or company-specific proprietary data.</p>
<p>Unless there is a change in corporate culture and a genuine and informed approach to protecting critical data, theft of information, compromise of infrastructure and other malicious activity will continue.  Yes, I agree wholeheartedly that cybersecurity is a major issue, but it&#8217;s not all about technology.  When the CEO looks to his Chief Information Security Officer and says, &#8220;We&#8217;re covered, right?&#8221; while HR is hiring criminals or employees find themselves in financial trouble and view theft of company data as a solution, the answer is: not a chance!</p>
<p>While the sponsors of the bill talk about power being knocked out or traffic lights not working due to malicious activity, that is trivial compared to what could really happen.  The largest potential threat is data poisoning. I can assure you that a monetary system compromise poses a significantly greater risk than compromise of utilities. Compromise or poisoning of monetary transactions could certainly have global impacts, especially if we consider that most compromises are not detected when they occur but rather months later.</p>
<p>If our power is compromised we know it soon after because THE LIGHTS ARE OUT. Compromised financial transactions are not as readily detectable and could take months before being recognized.  The SEC has enough problems identifying white-collar criminals and bogus transactions.  What if there were deliberate acts of data poisoning within the world&#8217;s monetary systems? How long might that take to identify, and how would the issues be reconciled?</p>
<p>Having said all this, you tell me: where is the real threat?  Establishing more compliance regulations only creates more misunderstanding.  Information security starts with culture, and you cannot regulate that.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/04/cybersecurity-rules-for-private-networks-proposed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Your Critical Business Information Safe?</title>
		<link>http://www.cybersecurityinformation.com/2009/03/11/is-your-critical-business-information-safe/</link>
		<comments>http://www.cybersecurityinformation.com/2009/03/11/is-your-critical-business-information-safe/#comments</comments>
		<pubDate>Thu, 12 Mar 2009 00:03:51 +0000</pubDate>
		<dc:creator>Marty Schmidt</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[electronic compromise]]></category>
		<category><![CDATA[espionage]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=18</guid>
		<description><![CDATA[Recent news indicates that two large payment processors have become the victims of electronic compromise. According to RBS WorldPay in a press release the company states “Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been [...]]]></description>
			<content:encoded><![CDATA[<p>Recent news indicates that two large payment processors have become the victims of electronic compromise.</p>
<p>According to RBS WorldPay in a press release the company states “Certain personal information of approximately 1.5 million cardholders and other individuals may have been affected and, of this group, Social Security numbers of 1.1 million people may have been accessed”.</p>
<p>Heartland, in a statement to the public, indicated that it contacted more than 150,000 merchant locations with information on the breach. Further statements by Heartland’s CEO indicate “A piece of malicious software planted on the company’s payment processing network recorded payment card data as it was being sent for processing to Heartland.” He further stated that the company does not know how long the malicious software was in place, how it got there, or how many accounts may have been compromised.</p>
<p>Certainly the consequences for both organizations will be severe between the costs of clean up, legal challenges, and brand impact. According to reports by the Boston Globe, the cost of the TJX data breach involving 45M credit cards was $256 million. Final costs in the TJX breach are estimated to top $500 million and possibly approach $1 billion, according to Forrester Research analyst Khalid Kark. What organization can reasonably withstand such losses? What are the costs when proprietary data that corporations invest billions into creating is compromised? Most compromises never make the news, as few are required by law to be reported.</p>
<p>The FBI lists its number 1 priority as “Protect the US from terrorist attack”, its 2nd priority as “Protect the US against foreign intelligence operations and espionage”, and its 3rd priority as “Protect the US against cyber-based attacks and high-technology crimes”. How is it that these issues are not top concerns of our business leaders who head corporations that produce sensitive information and systems or manage sensitive information and infrastructures? Such entities are subject to attempts at data poisoning from terrorists, and are targeted by foreign intelligence for intellectual property and/or by organized crime groups for financial gain.</p>
<p>Corporate CEOs and business leaders need to wake up and face the reality of cyber crime, its sophisticated perpetrators, and its potential business consequences and national security impact. Most leaders that I speak to are in denial, believing that the issue is somehow technology related and covered by their unfortunate Chief Information Security Officer, or other technology professional.</p>
<p>Clearly this is a business issue which is the responsibility of the executive team and its directors. Many of the necessary protections exist outside of the technology group’s purview and technology solutions implemented to monitor breaches are largely ineffective.</p>
<p>I know from experience in having investigated a variety of data breaches that most organizations which suffer compromise remain unaware until such time as Federal authorities notify the organizations of their demise. Many times what led to the compromise had little to do with technology and much more to do with people and process, or the lack thereof.</p>
<p>So what can be done? First, business leaders must engage and see the problem for what it is. The criminal mind and crime have been around since the beginning of time; only the avenues of exploitation and targets change. Executives must be vigilant, which begins with considering the value of assets and the threats which exist, then directing the appropriate measures to mitigate the risks and monitoring activity.</p>
<p>There is significant ROI on establishing comprehensive security; just ask those who have paid the ultimate cost having suffered theft of intellectual property or a mass scale compromise. That is, if they are still in business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/03/11/is-your-critical-business-information-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who’s responsible for the costs of credit card theft?</title>
		<link>http://www.cybersecurityinformation.com/2008/08/01/who%e2%80%99s-responsible-for-the-costs-of-credit-card-theft/</link>
		<comments>http://www.cybersecurityinformation.com/2008/08/01/who%e2%80%99s-responsible-for-the-costs-of-credit-card-theft/#comments</comments>
		<pubDate>Sat, 02 Aug 2008 00:25:24 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Credit Card Data]]></category>
		<category><![CDATA[Payment Card Industry PCI]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=29</guid>
		<description><![CDATA[A recent article in Information Week briefly discusses last week's reversal by a federal appeals court of a lower court’s order that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a 2004 hacking incident at BJ’s Wholesale Club.  The suit [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209400073" target="_blank">recent article in Information Week</a> briefly discusses last week's reversal by a federal appeals court of a lower court’s order that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a <a href="http://www.informationweek.com/news/management/showArticle.jhtml?articleID=164900340" target="_blank">2004 hacking incident at BJ’s Wholesale Club</a>.  The suit was originally brought by the Pennsylvania State Employees Credit Union.</p>
<p>Essentially it goes like this.  In 2004 BJ’s Wholesale Club’s ineffective information risk management led them to, first, store customer credit card data that they should not have been storing, and, secondly, not provide even a modicum of security around it.  Apparently the data was stored unencrypted, with default passwords, and with limited or no monitoring.  All of which allowed the customer credit card data to be stolen.</p>
<p>BJ’s settled charges with the FTC “that it failed to provide adequate security for its customer data” in 2005.  BJ’s also recorded $10 million in related costs.  In addition to the $10 million, under terms of the settlement BJ’s will implement a comprehensive information security program and be subject to third-party audits every other year for the next two decades.</p>
<p>PSECU, a card issuer that suffered a $100,000 loss reissuing cards to its affected members, sued BJ’s and Fifth Third Bank in 2005. The credit union lost at the district court.  The new ruling reverses the district court ruling and will allow Pennsylvania State Employees to continue with their case against BJ’s and Fifth Third Bank.  The ruling found that even though the credit union was not a direct party to the contracts between VISA, BJ’s, and Fifth Third, it has third party beneficiary rights.</p>
<p>I can understand PSECU suing BJ’s.  After all, it was BJ’s inadequate security that led directly to PSECU’s loss.  However, PSECU is claiming 5/3 bore some responsibility for inadequately training BJ’s staff.  It is completely beyond me why this is 5/3’s responsibility.  Nevertheless, this ruling could have far reaching consequences in the payment card industry by effectively making card processors responsible for the sins of their merchants.  It could possibly lead to changes in the PCI-DSS standards, to processor-required training programs, have insurance impacts, or even force processors into effectively “policing” the PCI compliance and information risk management practices of their merchants.</p>
<p>It will be interesting to see how the suit finally turns out.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2008/08/01/who%e2%80%99s-responsible-for-the-costs-of-credit-card-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
