How Easily Could the Sony Breach Have Been Prevented?
Check out this short video of Jonathan Sandler of STEALTHbits talking about how their technology would very likely have kept Sony out of the headlines.
I don’t normally give a moment’s notice to stuff that goes on in Hollywood, but the story “Future of Sony's Amy Pascal questioned after hacked email revelations” caught my attention because of the cyber security aspect involved. So often I hear executives say something similar to “I don’t worry about our security because we don’t have anything anyone would want to hack into.”
That complacent assessment is wrong, as most everyone knows, since today nearly all hacking and security breach incidents are the result of indiscriminate malware that scans the Internet searching for vulnerable systems. When that malware finds a vulnerable system, most of it runs automated code that looks for passwords and bank account information, encrypts data for ransom, etc.
In this particular case a ton of data was stolen and released. The implication for Sony Pictures Co-Chairman is that her personal e-mails were....
...Under the Final Rule, the OCR has the power to domestically deal out civil penalties, corrective actions and long-term monitoring, while the DOJ has the power to domestically deliver a criminal prosecution. Through enforcement under HITECH, the State attorneys general [...]
Kevin is a featured writer for TechTarget. Here is his latest column: _________________________________________________________ A few months ago, I wrote an article about the practice of non-attorneys consulting on HIPAA business associate agreements. After talking with scores of people about the [...]
The new malware uses SMTP to send the data it steals to the perpetrators. It appears the origin of this malware has its roots in China. It first appeared in August. It collects phone numbers, sent and received SMS messages and [...]
Creating successful targeted attacks requires attackers to learn about us. They will research our email addresses, our job, our professional interests, and even the conferences we attend and the websites we frequent. All of this information is compiled to launch a successful targeted attack. Once on our devices, the attacker’s tools are designed to pull as much data as possible. Undiscovered targeted attacks can collect years of our email, files, and contact information.
So, as if healthcare practitioners didn’t already have enough to focus on with Obamacare, HITECH and the Flu epidemic, the Obama administration through the Department of Health and Human Services, has released a massive pile of new regulations in a [...]
This article is interesting not because the hacker is convicted, but because of the reader comments at the end. The first post defends the hacker and blames AT&T for their system not being secure enough and allowing a breach. The next poster says that is akin to blaming a bank if they are robbed because their doors are not secure enough. Another poster points out that both are to blame.
Ipswitch conducted a recent survey of 100,000 end users who were asked about their most challenging compliance issues. According to the survey, compliance with the Health Information Portability and Accountability Act (HIPAA) was the clear winner for the top spot. Of the 100,000, 38.2% chose HIPAA, and second place, at 29.3%, went to the Sarbanes-Oxley Act (SOX). The next closest IT concern was compliance with the Federal Information Security Management Act (FISMA) at a mere 9.2%.
If you are regulated under any of the myriad government and industry regulations, from ITAR, FIPS, CLETS and PCI to HIPAA and Red Flags, the process of responding to security, integrity, and availability verification is not a simple exercise. It is more than answering questions in the positive. Policies, procedures and declarations of compliance are contracts with your company, partners, clients and government regulatory bodies. What do I mean?
The process typically involves making sure servers are rebooted in the right order, making sure they have completely rebooted, restarting applications in the right order, and then testing to be certain everything is working properly when users return to work in the morning.
This typically takes 30 minutes per server, depending upon your environment.
PCs are not typically smoke tested, or if so, not all of them.
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average about 1.5 hours each.
There are many variables to consider. Some are:
You want to enter a fully burdened labor rate in this field. That means you take the base hourly rate and add 25-30% for employer payroll taxes, benefits, vacation/holiday time, etc.
For example, someone making $80,000 per year will typically work 52 weeks of 40 hours, or 2080 hours. $80,000 divided by 2080 is $38.46/hour. Multiply that hourly rate by 1.3, and you get $50.00/hour. Of course, rates of pay, taxes and benefits will vary by city, state and company, but 30% is usually a good number to use. Don’t forget to account for time-and-a-half or after-hours rates of pay if patching is being done in the late evening, early morning, or on weekends (in order to avoid impacting user productivity).
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.
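The cost model described above, written out as an added Python example (not the page's own calculator): a fully burdened rate from annual salary, 2080 hours and a 30% burden, per-device labor of 1.5 hours patching plus 30 minutes of smoke testing for servers (none for PCs), and a time-and-a-half multiplier for after-hours windows. The device counts and the split of which devices are patched after hours are constructed sample inputs.

```python
from dataclasses import dataclass

BURDEN = 0.30            # page: base hourly rate plus 25-30% for taxes, benefits, PTO
HOURS_PER_YEAR = 2080    # 52 weeks x 40 hours
AFTER_HOURS_MULT = 1.5   # time-and-a-half for late-evening / weekend patch windows


def burdened_hourly_rate(annual_salary: float, burden: float = BURDEN) -> float:
    """Fully burdened labor rate, rounded to cents: salary / 2080 * (1 + burden)."""
    return round(annual_salary / HOURS_PER_YEAR * (1 + burden), 2)


@dataclass
class DeviceClass:
    name: str
    count: int
    patch_hours: float       # hands-on patching time per device (page average: 1.5 h)
    smoke_test_hours: float  # reboot-order / app-restart verification; 0 when not smoke tested
    after_hours: bool        # patched outside business hours -> overtime multiplier applies

    def labor_hours(self) -> float:
        return self.count * (self.patch_hours + self.smoke_test_hours)

    def monthly_cost(self, rate: float) -> float:
        mult = AFTER_HOURS_MULT if self.after_hours else 1.0
        return round(self.labor_hours() * rate * mult, 2)


def monthly_patching_cost(classes: list, rate: float) -> float:
    """Total manual patching labor cost for one monthly patch cycle."""
    return round(sum(c.monthly_cost(rate) for c in classes), 2)


# Constructed sample estate (hypothetical counts, not from the page):
# servers patched after hours with a 30-minute smoke test, PCs during the day with none.
SAMPLE_ESTATE = [
    DeviceClass("servers", count=20, patch_hours=1.5, smoke_test_hours=0.5, after_hours=True),
    DeviceClass("pcs", count=100, patch_hours=1.5, smoke_test_hours=0.0, after_hours=False),
]

if __name__ == "__main__":
    rate = burdened_hourly_rate(80_000)   # page example: $38.46 x 1.3 = $50.00/hour
    for dc in SAMPLE_ESTATE:
        print(f"{dc.name}: {dc.labor_hours():.1f} h -> ${dc.monthly_cost(rate):,.2f}")
    print(f"total monthly patching labor: ${monthly_patching_cost(SAMPLE_ESTATE, rate):,.2f}")
```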
If you are presenting to management for a budget, and using this calculator as the basis for a Return on Investment (ROI), you will need to do more homework. An ROI is measured as the ratio of the cost of an investment to its expected benefit. For patching, the benefit can be very difficult to determine. How do you measure the cost of a system breach you have not yet had? You can estimate what expenses, penalties, and losses a company might incur when a breach occurs, but there is no certainty of a breach event or of what those costs actually are. There are also regulatory compliance issues and/or potential fines for not patching, but those, too, can be vague. For calculating these potential risks and costs, it is advisable to enter into a discussion with your management team.
Mr. Nichols has over 25 years of experience in the Information Security and Healthcare Technology industries. Mr. Nichols leads the Global Product Security program at Danaher Corporation, representing over 30 companies, including 4 medical device manufacturers and 8 life sciences companies. He focuses on security by design for Danaher’s medical devices, diagnostics, life sciences, water quality, environmental and applied solutions product portfolios. Mr. Nichols is the chairman for the Danaher Global Product Security Council and serves on the steering committee for the Medical Device Innovation Consortium (MDIC). He is a certified healthcare information security and privacy practitioner (HCISPP) and a certified HIPAA privacy security expert (CHPSE).
Hamlet Khodaverdian is Vice President of Americas at LMNTRIX, a company specializing in threat detection and response to address advanced and unknown cyber threats that bypass perimeter controls. As a business technology executive with more than 20 years’ experience, he has held various roles in multiple companies, leading sales teams, software engineering teams, IT infrastructure teams, business intelligence and data science teams. Previously, he has been at Canon R&D, Western Mutual Insurance Group, Alliance Funding Group, Quick Bridge Funding, and has been involved in a number of startups.
Through his various leadership roles, Hamlet has gained extensive experience in building high-performance teams, in addition to extensive experience with enterprise risk management, security architecture (both infrastructure related and software engineering related), governance and compliance.
Len Tateyama is the Director of IT at NetSecure, by Alvaka Networks, leading the company’s Network Operations Center and Field Services teams. Len is responsible for developing and maintaining the technical infrastructure and for the delivery of managed and consulting services to clients. With twenty years of experience leading information technology, he has held various executive positions in the highly regulated environments of the financial management and banking sectors.
Areas of expertise include managing operational support teams; data center build-outs; selection and management of managed services providers; service delivery models; network and security systems design; storage area networks; disaster recovery/business continuity; application development and maintenance; large scale project management; vendor and contract management; risk assessment; and budgeting.
David McNeil is the principal for a leading risk management and commercial insurance brokerage, EPIC Insurance Brokers and Consultants. David speaks on cyber issues for business. He is a recruited member of the Orange County Sheriff’s Technology Advisory Council (TAC); Anaheim Police Department Special Operations TAC; FBI InfraGard (SIG’s Cyber, Dams, Water and Wastewater); and the Homeland Security Defense Group. Specialties include the fields of High Tech, Manufacturing, and U.S. Infrastructure protection regarding the water industry.
Mark Essayian is President of KME Systems Inc., an IT support company he founded in 1993 that provides technology products, process, security and business continuity consulting to a wide range of clients. KME Systems helps clients improve profitability via the way they communicate with and assist their respective clients.
Mr. Essayian’s background has involved technology for over 30 years. He attended the University of California Irvine, where he earned a degree in Physics with an emphasis in computer science and engineering. Mark is an expert and is passionate about assisting clients along their IT journey to protect their assets, culture and people.
Mark has presented for the Wall Street Journal, SCORE, Microsoft partner network, technology manufacturers, IT peer groups and numerous executive meetings. Mark also currently serves on advisory boards for several manufacturers and is a source of information to the IT industry.
Kevin is a trusted technology and security practitioner and public policy advisor to some of America’s most influential people and organizations. He advises corporate executives, federal and state legislators, law enforcement, high net worth individuals and other business leaders. He is a sought after consultant, writer, presenter and trainer on the issues surrounding personal, physical and cyber security, compliance and advanced technology. Kevin has written for and been interviewed by dozens of national publications and on major television, radio and digital outlets.
Investigator Lance Larson, Ph.D. – Lance Larson is a Cyber Investigator for the Orange County Intelligence Assessment Center (OCIAC), a Department of Homeland Security-funded fusion center. Lance has been a police officer with a law enforcement agency for nineteen years. During his tenure with the department, he has served in multiple assignments, including a role as the technical leader for the first online crimes against children sting in California, patrol, special investigations, and his current role helping to protect the cyber security infrastructure within Orange County at OCIAC. Dr. Larson holds a Ph.D. in Applied Management and Decision Sciences – Information Systems Management, is a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH) and a GIAC Certified Cybersecurity Incident Handler (GCIH), has authored two books, and teaches both undergraduate and graduate information systems and homeland security courses for the California State University System in San Diego.
Frank Ury is an Orange County leader in both governance and technology operations, sales and business development with a background in setting infrastructure, and IT operations strategies and roadmaps. Frank’s technology career includes senior technology positions in many major companies, including DXC Technology, HP Enterprise Services, Intel Corporation and Black and Decker. Having served for 12 years as a Councilmember and Mayor of the City of Mission Viejo, Frank was influential in assisting the District with the development and financing of the Lake Mission Viejo Advanced Water Treatment Plant. Frank currently serves on the Big Data-Open Data Committee for the Southern California Association of Governments, and on several regional cybersecurity advisory boards.
Sheriff Don Barnes has over thirty years of law enforcement service to the people of Orange County, joining the Orange County Sheriff’s Department in 1989. Over the course of his career with the department, he has held every leadership rank, culminating with his election as the 13th Sheriff-Coroner for Orange County in November 2018.
The Sheriff has worked to be an advocate for law enforcement and public safety both at the state and federal level. He currently serves as an executive officer with the California State Sheriffs’ Association (CSSA) and serves as the chair of CSSA’s Technology Committee. At the national level, he serves as chair of the Major County Sheriffs of America’s (MCSA) Intelligence Commander Group. In that capacity the Sheriff is working to ensure open communication amongst local, state and federal law enforcement regarding critical threats facing our nation. This work is also accomplished through his service as MCSA’s representative to the Department of Justice’s Criminal Intelligence Coordinating Council (CICC).
Brian Keith serves as a Protective Security Advisor (PSA) for the Los Angeles District. As a PSA, he coordinates, facilitates, and performs vulnerability assessments for local critical infrastructure owners and operators, and serves as a physical and technical security advisor to federal, state, and local law enforcement agencies. In addition to conducting vulnerability assessments, Brian supports homeland security efforts by serving in an advisory and liaison capacity for the State Homeland Security Advisor. Prior to serving as a PSA, Brian was appointed as Deputy Director for Critical Infrastructure Protection (CIP) to Governor Arnold Schwarzenegger’s Office of Homeland Security (OHS). Throughout the past 20 years, he has conducted several law enforcement technology presentations at the Federal Bureau of Investigation’s (FBI) National Academy in Quantico, Virginia, and the New York State Police Union Association.
Pierson Clair is a managing director in Kroll’s Cyber Risk practice, based in Los Angeles. Pierson brings an uncommon perspective to cyber risk challenges from his years as a leading digital forensic examiner, technical security consultant, researcher, and educator. He has conducted extensive academic research at the forefront of cyber risk, most currently on changes of investigative significance in Mac and mobile device hardware and software. Prior to this emphasis, he focused on the dynamics within the complex framework of protecting critical national infrastructure as well as intelligence, espionage, and terrorism. In addition to working on analytical projects with members of the Intelligence Community and the U.S. Department of Homeland Security, Pierson has provided sophisticated digital forensic services for a wide range of private sector clients and law enforcement agencies.