DataBreachToday.com RSS Syndication

Mass. Hospital Pays Breach Settlement

State Attorney General Suit Alleged HIPAA Violations
A Massachusetts hospital that reported a 2010 breach involving lost backup tapes with information on 800,000 individuals has agreed to pay a $475,000 penalty to settle a state attorney general's HIPAA lawsuit.

Attack Highlights Third-Party Risks

Hack of Online Billing Provider May Have Exposed 500,000 Cards
The hack of online billing provider WHMCS may have exposed 500,000 payment cards. Experts say the incident highlights the persistent risks third parties pose in cardholder data security.

Weekly Breach Roundup

The Latest Anonymous Attack.; Missing Laptop Affects Patients
In this week's breach roundup, read about the latest incidents, including Anonymous hacking a Justice Department database and a missing laptop potentially exposing information on 17,000 patients.

What Are the Hidden Costs of Fraud?

Hard to Put a Price on Reputation Loss, Productivity
One measure of an incident's impact is dollars lost of fraud. But the "soft" costs - loss of reputation and productivity - are the ones that most get the attention of Terry Austin of Guardian Analytics.

Annual Report to Congress on Breaches of Unsecured Protected Health Information

The Department of Health and Human Services' Office for Civil Rights provided a report to Congress on health information breaches from September 2009 through 2010, as required under the HITECH Act. Nearly 7.9 million Americans were affected by almost 30,800 health information breaches, according to the report.

FFIEC Final Authentication Guidance

The Final FFIEC Guidance has been issued and its main intent is to reinforce the 2005 Guidance's risk management framework and update the Agencies' expectations regarding customer authentication, layered security, or other controls in the increasingly hostile online environment.

Accounting of Disclosures Under the HITECH Act

A notice of proposed rulemaking from the HHS Office for Civil Rights that would modify the HIPAA Privacy Rule standard for accounting of disclosures of protected health information and add new requirements for access reports.

ENISA: Software vulnerability prevention initiatives

The European Network and Information Security Agency, ENISA, has compiled a list of existing initiatives focused on finding and preventing software vulnerabilities.

Synovus Bank Eliminates Cybercrime - A Case Study

Synovus Bank, one of the largest community banks in the southeast, offers Online Cash Management services to its commercial clients with a simple pledge: "The freedom to manage your cash position anytime, anywhere." After witnessing relentless cyber-attacks on the endpoints of end users, Synovus Bank knew that meeting this pledge required them to take action. The bank's Product Development team carefully selected an endpoint security solution that met their requirements:

Satisfying FFIEC Guidelines
Low customer impact/Ease of installation
Proven effective, quick to implement and easy to manage
Complement the bank's two tier security architecture

Hear how Synovus Bank proactively prevents fraud. Kevin Gibson, Director of Product Development at Synovus Bank, explains the challenges they faced, why Trusteer Rapport was the right fit, and its ease-of-deployment. He also discusses how Trusteer's layered security helps them protect against cybercrime, as well as Trusteer's role in enabling compliance with the latest FFIEC guidance. Trusteer's Director of Product Marketing, Oren Kedem will describe Trusteer's Cybercrime Prevention Architecture and how it stops online banking fraud.

2012 Cloud Security Agenda: Expert Insights on Security and Privacy in the Cloud

What are organizations' top cloud security concerns, and how are security leaders addressing these concerns through policy, technology and improved vendor management?

This is the key question posed by the 2012 Cloud Security Survey.

No longer just an emerging technology practice, cloud computing today is embraced globally as a means of gaining efficient access to critical applications, processes and storage. It's now common for organizations to rely on cloud service providers for functions and business applications such as customer relationship management, messaging or storage via a public, private or hybrid cloud. Further, industry-specific cloud-based applications such as electronic health records or mobile banking and payment applications are emerging at an unprecedented pace.

But these engagements come with questions about risks:

What are your cloud service provider's security and privacy measures, and have they been audited?
Where geographically is cloud data being stored, and how do operational practices comply with government, industry and organizational privacy regulations?
How is a multi-tenant cloud environment managed, and in the event of system compromise - what will be the incident response escalation process?

Yes, cloud computing is about efficiencies and new technologies, but it's also about security, privacy and an organization's reputation.

The 2012 Cloud Security Survey was crafted with assistance from leading experts in cloud computing, security and privacy, with a mission to:

Chart the latest cloud trends, including types of cloud implementations most common by industry and region;
Gauge organizations' top cloud security concerns, from vendor security to data governance and breach preparedness;
Predict the top areas of investment for organizations most concerned about cloud security.

This webinar will draw upon survey results and expert insight from a special roundtable panel to discuss:

Top Security Concerns - Are organizations more concerned about where their data is stored, or whether a malicious insider might be a threat to it?
Success Factors - On a scale with cost savings and availability of services, how does security now rank among elements critical to a successful cloud computing implementation?
Protective Measures - What are some of the practices organizations are employing, from instituting more stringent contracts to enforcing third-party audits and even participating in mock security exercises with cloud service providers?

Hacktivists, BotNets and More: Top Security Trends and Threats from the HP Enterprise Security 2011 Cyber Risk Report

Organizations have been under security attacks for the past decade, but the security events in 2011 have created a ripple effect that will be felt for years to come and will actually start to shift the way enterprise organizations view security. For example, 2011 saw a significant increase in activity from "hacktivist" groups Anonymous and Lulz Security (LulzSec). The motivation for these groups' organized, systematic attacks on businesses or individuals - retaliation for perceived wrongdoing - brings new visibility to a security threat that has been looming for years and highlights a new era of security risk that must be addressed. In addition, highly publicized attacks on major corporations such as Sony, RSA, and the United States Postal Service demonstrated the significant financial loss that can result from a vulnerable system.

Because unplugging the business from the Internet is not a viable security option, the question becomes: What is the best way to minimize risk to the most critical assets of the organization without interrupting or impeding business operations? Prioritization of assets and risk is essential, but so is prioritizing how and where to deploy security protection.

In the 2011 top cyber security risks report, HP Enterprise Security provides a broad view of the vulnerability threat landscape, as well as in-depth research and analysis on security attacks and trends. The aim of this report is to highlight the biggest risks that enterprise organizations face today - and to help prioritize mitigation strategies. Key findings from this report include the following:

Continued decline of new, disclosed vulnerabilities in commercial applications The report notes the decline in commercial vulnerability reporting, and it discusses the key trends in the vulnerability disclosure market that may be hiding a deeper issue. The report also highlights the growing market for private sharing of vulnerabilities, the increased expertise required to uncover complex vulnerabilities, and the price these can fetch in various markets. Data from HP Fortify will also highlight the increasing number of vulnerabilities that are being discovered in custom applications - vulnerabilities that can be devastating to the security posture of an organization.
Changes in attack motivation are increasing security risk While security attackers have always sought glory and/or financial gain from their activities, the formation of hacktivist groups, like Anonymous, has added not only a purpose behind security attacks, but a level of organization as well. This shift in motivation and subsequent organization has given rise to newer and more severe security attacks. This report will highlight the motivations of today's security attack community - and the implications for security defense techniques.
Increase in the number of attacks against a "smaller" set of known vulnerabilities Despite the shrinking number of known vulnerabilities in commercial applications, the report will use real data - pulled from the HP TippingPoint Intrusion Prevention System (IPS) and HP Fortify - to highlight an increase in severe attacks against both client/server and Web applications. The data is broken down by attacks, vulnerability category, source information, and severity to provide a snapshot of the attack landscape. This section also features an actual case study of the Web application risks at one large corporation.
Improved techniques for executing security attacks While many targeted attacks leverage zero-day vulnerabilities, the average cyber criminal generally exploits existing vulnerabilities. Data from the report breaks down several techniques, including obfuscation, used to successfully exploit existing vulnerabilities. The report also includes an in-depth look at the Blackhole exploit toolkit, which uses many of the techniques highlighted.

Protect IBM i Data from FTP, ODBC and Remote Command

Each year, PowerTech releases its "State of IBM i Security" study, documenting how well organizations manage their security. And, each year, the study shows that the vast majority of organizations still rely on menu security to protect their data. Unfortunately, today's users have access to interfaces (such as FTP, ODBC, JDBC, and remote command) that completely bypass these controls and make it easy to view, update, and delete data in the database. If you need to comply with government or industry regulations, or if you simply want to ensure the integrity of your application data, understanding these interfaces is critical.

In this webinar, Robin Tatam, Director of Security Technologies for PowerTech, discusses:

What you need to know about IBM i security
How to close the "back doors" not covered by traditional menu security schemes
How to implement policies that restrict access to only those users who need it

Tatam also demonstrates PowerTech's Network Security, the exit point monitoring and access control software that can help you secure your system.

How to Respond to Hacktivism

Hacktivist attacks will increase, and researcher Gregory Nowak says organizations can take proactive steps to reduce exposure and protect brand reputation. Why, then, are many organizations failing?

4 Security Priorities for Banks

From mobile and the cloud to DDoS attacks and risks surrounding big data, what should banks and credit unions do now to mitigate exposure? Gartner's Anton Chuvakin offers his top recommendations.

Intelligent Defense Against Intruders

Imagine a computer network that can fool intruders into seeing configurations that in reality don't exist, making it hard for them to invade the system. That's what Scott DeLoach is trying to figure out how to do.

Understanding 'Big Data'

Banks have a lot of data, but how well is it integrated? How much are institutions gleaning from the data they house? State Street Corp's chief scientist says financial services could be doing more.

Global: A Lack of Breach Transparency

Processor Promised Updates, But We've Heard Little
Global Payments has been less than forthcoming with information about its data breach. How could this lack of transparency hurt the processor, and what's the lesson for others?

Symantec: Beware Insider Threats

New Study Shows Internet Vulnerabilities Drop, Yet Risks Rise
Symantec says Internet vulnerabilities are down, but don't get too comfortable. We can expect more attacks in 2012. Why are the same threats still posing so much concern?

Ignorance Is Not Bliss

Many Enterprises Don't Know They've Been Breached
Weeks, months or even years often go by before organizations discover they've been hacked, not learning of the attack until law-enforcement authorities inform them, says recently retired FBI Executive Assistant Director Shawn Henry.

Global Payments' Patriotic Duty to Share

Creating a Mechanism to Share Threat Information
The Global Payments breach provides further fodder to those wanting Congress to enact cyberthreat, information-sharing legislation.