How Can You Predict the Costs of a Data Breach for Your Company?*:
- A common fear of privacy officers is a data breach, the unauthorized acquisition or processing of personal information that is maintained by an organization.
- Around this time of year, various reports are published discussing the nature and the associated costs of the previous year's data breaches. They give a ballpark figure for what a breach may cost, but that figure is not tailored to your organization.
- Two teams of students from St. Joseph’s University recently took on the challenge of trying to predict the cost of a data breach for a company.
- In early December, the teams presented their project results to a team of judges, the students’ peers, the projects’ sponsors, and their professor Dr. Klimberg.
- The teams working on the predictive model for data breach cost took top honors.
- The guidelines for developing the model had one requirement: it must be “easy” – easy to use, easy to distribute, and easy to understand the results.
- Each team developed a survey to gather estimates of the costs contributing to the overall cost of a data breach; some costs were found to depend on the number of records lost, while others were independent of the size of the breach (e.g. public relations).
- The survey asks for a minimum, maximum and most likely estimate for each cost item; 1,000 trials are then run, drawing each item from a triangular distribution defined by those three values, to produce a range of likely total costs for the data breach rather than a single number.
- To meet the “easy” guideline, both teams created their models using Microsoft Excel.
- The model is available free of charge on the Presentation & Papers page at the Privacy Ref website (privacyref.com).
*Source: CIO, March 06, 2017
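The three-point estimate plus triangular-distribution simulation described above, written out as an added Python example. This is not the students' Excel workbook and not the model distributed on privacyref.com; the cost items, the dollar figures and the 50,000-record breach size are constructed for illustration, and which items scale per record is an assumption of the example.

```python
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class CostItem:
    """One line of the cost survey: a three-point (min / most likely / max) estimate.

    per_record=True means the estimate is a cost per lost record and scales with
    breach size; per_record=False means a fixed cost (e.g. public relations).
    """
    name: str
    low: float
    mode: float
    high: float
    per_record: bool = False

    def __post_init__(self) -> None:
        # A survey answer with the "most likely" value outside [min, max] is a data-entry error
        if not (self.low <= self.mode <= self.high):
            raise ValueError(f"{self.name}: need min <= most likely <= max")


# Constructed, hypothetical survey answers for illustration only; they are not the
# students' figures and not taken from any published breach-cost report.
SAMPLE_ITEMS: Tuple[CostItem, ...] = (
    CostItem("Forensic investigation", 50_000, 80_000, 150_000),
    CostItem("Notification letters (per record)", 0.50, 1.25, 3.00, per_record=True),
    CostItem("Credit monitoring (per record)", 5.00, 10.00, 20.00, per_record=True),
    CostItem("Public relations", 20_000, 40_000, 100_000),
    CostItem("Legal and regulatory", 25_000, 75_000, 250_000),
)


def cost_bounds(items: Sequence[CostItem], records_lost: int) -> Tuple[float, float]:
    """Analytic floor and ceiling of the total: every item at its min, or every item at its max."""
    def scale(item: CostItem) -> int:
        return records_lost if item.per_record else 1

    low = sum(item.low * scale(item) for item in items)
    high = sum(item.high * scale(item) for item in items)
    return float(low), float(high)


def simulate_breach_cost(items: Sequence[CostItem], records_lost: int,
                         trials: int = 1000, seed: int = None) -> List[float]:
    """Monte Carlo: each trial draws every item from its triangular distribution and
    sums the draws. Per-record items are multiplied by the number of records lost."""
    rng = random.Random(seed)  # seeded so a run can be reproduced and audited
    totals: List[float] = []
    for _ in range(trials):
        total = 0.0
        for item in items:
            # random.triangular(low, high, mode): the three survey answers define the shape
            draw = rng.triangular(item.low, item.high, item.mode)
            total += draw * records_lost if item.per_record else draw
        totals.append(total)
    return totals


def summarize(totals: Sequence[float]) -> Dict[str, float]:
    """Point estimates a privacy officer can report: range, median, mean and 90th percentile."""
    ordered = sorted(totals)
    n = len(ordered)

    def percentile(p: float) -> float:
        # nearest-rank percentile; p=0.5 on 1,000 samples selects index 499
        return ordered[max(0, math.ceil(p * n) - 1)]

    return {
        "min": ordered[0],
        "median": percentile(0.5),
        "mean": statistics.fmean(ordered),
        "p90": percentile(0.9),
        "max": ordered[-1],
    }


if __name__ == "__main__":
    totals = simulate_breach_cost(SAMPLE_ITEMS, records_lost=50_000, trials=1000, seed=7)
    lo, hi = cost_bounds(SAMPLE_ITEMS, 50_000)
    print(f"possible range: ${lo:,.0f} - ${hi:,.0f}")
    for key, value in summarize(totals).items():
        print(f"{key:>6}: ${value:,.0f}")
```

The 90th percentile is the number worth budgeting against: the mean hides how far the per-record items (notification and credit monitoring) drag the total up once the breach is large, and the analytic bounds from `cost_bounds` are a quick sanity check that no simulated total falls outside what the survey answers allow.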
Consumer Reports to Consider Cyber Security in Product Reviews*:
- Consumer Reports, an influential U.S. non-profit group that conducts extensive reviews of cars, kitchen appliances and other goods, is gearing up to start considering cyber security and privacy safeguards when scoring products.
- The group will gradually implement the new methodologies, starting with test projects that evaluate small numbers of products.
- Personal cyber security and privacy are a big deal for everyone, and security researchers have said that cyber attacks are likely to continue because manufacturers have little incentive to spend on securing connected devices.
- The first draft of the standards is available online and includes issues such as whether software is built using security best practices, how much information is collected about a consumer, and whether companies delete all user data when an account is terminated.
*Source: Reuters, March 06, 2017
WikiLeaks Dumps Alleged CIA Malware and Hacking Trove*:
- WikiLeaks has released thousands of documents that appear to lay open in detail the CIA's computer hacking techniques.
- The first part of the leaks, comprising 8,761 files, came from the CIA's Center for Cyber Intelligence.
- The disclosure underscores the U.S. government's continuing struggle to keep highly sensitive intelligence material secret.
- The source of the alleged CIA leak has not been identified, but may have been an insider.
- According to WikiLeaks, the source was motivated by a desire to prompt discussion on “whether the CIA’s hacking capabilities exceed its mandated powers.”
- The archive describes in deep technical detail the CIA's efforts to compromise other kinds of networked devices, such as smart TVs, as well as to exploit software vulnerabilities in Android and Apple's iOS mobile devices.
- Parts of those efforts are aimed at finding ways to overcome encryption, which law enforcement and intelligence agencies see as an obstacle to surveillance.
- WikiLeaks contends the documents prove the government has not been sharing information on software flaws with the technology industry, as some believe it should.
- The US Government committed to a program called the Vulnerabilities Equities Process in 2010; under the program, the government notifies companies about software vulnerabilities, with the caveat that some are withheld for intelligence-gathering purposes.
*Source: Data Breach Today, March 08, 2017
More Than One Billion Emails Exposed by Spammers*:
- It has become relatively common for databases to be breached and passwords to leak online, but that is usually the result of a hack rather than an accidental exposure.
- A MacKeeper security researcher discovered more than 1.4 billion email accounts – linked directly to other personal information including real names, user IP addresses and physical addresses – collected by notorious spam syndicate River City Media.
- The leaked data was available due to a failed remote backup attempt, which left the data sitting exposed on a server for several months.
- The researcher reported he was able to confirm the authenticity of records by looking up people he knew who were listed in the database, though he noted some of the information was outdated.
- The collection of emails was likely amassed through a number of techniques employed by the spammers in order to reach as many people as possible.
- The exposed database also revealed some of the ways River City Media did business: the company was able to get around mail providers' security systems by sending emails to its own addresses to open connections with their servers, then overwhelming them with upward of one billion emails sent per day.
- The discovery of the database may help put a stop to River City Media's operation, which has proven difficult to shut down in the past due to its overwhelming presence.
*Source: International Business Times, March 06, 2017
Senate Democrats in Pennsylvania Are Being Held Cyber-Hostage*:
- The Pennsylvania Senate Democrats have been hit by a ransomware attack that has locked senators and employees out of their computer network.
- The Democrats were working with law enforcement agencies and Microsoft to resolve the problem.
- In a ransomware attack, attackers introduce malware into a network that typically encrypts important data, then demand payment in exchange for a key that restores the data.
- The Democratic senators in the state capital of Harrisburg are on their own computer network, and there is no indication that other state agencies or the Republicans have been affected.
- A spokeswoman for the Pennsylvania Democrats, Stacey Witalec, declined to say whether the data was backed up elsewhere or whether the attackers had identified themselves or any motive.
*Source: NBC News, March 03, 2017