Defense Contractors Shore Up Security Post-Snowden
Feb 10, 2014 4:12 PM PT
Defense contractors have begun to bolster their cybersecurity practices in the wake of the massive leaking of government data by former NSA contractor Edward Snowden.
In a survey released by ThreatTrack and conducted by Opinion Matters, 75 percent of defense contractors said the Snowden affair had changed security procedures for their employees.
"I'm surprised that number isn't higher," said Dodi Glenn, senior director of security intelligence and research labs at ThreatTrack.
"The technology landscape is constantly changing, and what we saw even one year ago is not what we're currently seeing," he told TechNewsWorld. "Targeted attacks are increasing. Android devices as a target has increased. Malware has increased. So I would have expected the number to be closer to 85 to 90 percent."
A number of measures are being taken to tighten up security. For example, more than half of the 100 defense contractors (55 percent) participating in the ThreatTrack study said they'd increased the amount of cybersecurity awareness training they were giving their employees, and 52 percent had reviewed or revamped the data access privileges of their employees.
Beyond Defense Contractors
Almost half the respondents (47 percent) said they were on higher alert for anomalous activity on their networks by employees, and 41 percent said they had toughened their hiring practices.
More than a third of the contractors (39 percent) said they had curtailed the rights of their IT administrators.
All companies, not just defense contractors, should be periodically assessing their security procedures, noted James Fisher, senior manager for media relations at Snowden's former employer Booz Allen Hamilton.
"Cybersecurity threats are evolving and becoming more lethal every week, and every company ought to be constantly re-evaluating its cyberdefenses, particularly through the use of predictive intelligence," he told TechNewsWorld.
Those kinds of reassessments appear to be happening, at least with companies doing business with the government.
"Snowden's action is having a ripple effect on all sides," said Tim Keanini, CTO of Lancope.
"People selling into government are anxious to prove they don't have a Snowden working for them," he told TechNewsWorld.
Despite the measures being taken, however, blocking the rise of another Snowden may be impossible, Keanini suggested. "We're fooling ourselves if we think this will be the last one to happen. These things happen. We recalibrate, and then they happen again."
Target Touts Chip Cards
Target CFO John Mulligan last week appeared before the Judiciary Committee of the U.S. Senate to talk about the company's holiday season data breach that compromised payment card information and personal data of 110 million customers. At the hearing, Mulligan cited an action list of what Target was doing to protect its "guests" in the wake of the breach.
Among those action items was pumping more money into chip technology for the chain's payment card and for the point of sale terminals in its stores.
"We believe that chip-enabled technologies are critical to providing enhanced protection for consumers," Mulligan told the Senate panel.
Chip technology is just one component of a consumer security strategy.
"Chip and PIN technologies are good additional safeguards to protect unauthorized use of credit cards at POS terminals," said Eric Chiu, president and founder of HyTrust.
"However, the breaches at Target, Adobe and the NSA with Edward Snowden show that attackers are going after data beyond credit cards, which is something that chip and PIN technologies do not address," he told TechNewsWorld.
The Unabated Threat
Even data in the purchase stream remains vulnerable when chip and PIN are used, as has become apparent in Europe, where EMV technology is widely used.
"UK experiences over the last several years clearly show that the stolen data from EMV systems can be repurposed for fraud in non-EMV and card-not-present scenarios, such as e-commerce, resulting in a major surge in online transaction fraud," Mark Bower, vice president of Voltage Security, told TechNewsWorld.
"With EMV, the sensitive credit card number is still not encrypted from chip to the POS or beyond," he continued. "Transactions are authenticated but not encrypted."
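To make Bower's point concrete, here is a constructed model of the two designs (added for this article, not code from Voltage, EMVCo or any vendor): an EMV-style transaction carries a cryptogram that authenticates it but leaves the PAN readable at the terminal, while a point-to-point-encryption (P2PE) design keeps the same cryptogram and additionally encrypts the PAN for the acquirer. The keys, the HMAC-based cryptogram and the HMAC counter-mode keystream are simplified stand-ins for the real issuer keys, ARQC and AES-based terminal encryption.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo keys. Real deployments derive per-card issuer keys and
# per-terminal acquirer keys (e.g. DUKPT) inside tamper-resistant hardware.
ISSUER_MAC_KEY = b"demo-issuer-mac-key"
ACQUIRER_ENC_KEY = b"demo-acquirer-p2pe-key"
ATC = 17  # application transaction counter, fixed for the demo

def cryptogram(key, pan, amount, atc):
    """Stand-in for an EMV ARQC: a MAC over PAN, amount and counter."""
    data = json.dumps({"pan": pan, "amount": amount, "atc": atc}, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def emv_transaction(pan, amount):
    """EMV only: the transaction is authenticated, but the PAN travels in the clear."""
    return {"pan": pan, "amount": amount, "atc": ATC,
            "arqc": cryptogram(ISSUER_MAC_KEY, pan, amount, ATC)}

def _keystream(key, nonce, n):
    # HMAC counter-mode keystream: a stand-in for the AES used by real P2PE products.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def p2pe_transaction(pan, amount):
    """EMV + P2PE: the chip still produces the cryptogram, but the PIN pad
    encrypts the PAN under the acquirer key before it reaches the POS software."""
    nonce = secrets.token_bytes(12)
    ct = _xor(pan.encode(), _keystream(ACQUIRER_ENC_KEY, nonce, len(pan)))
    return {"pan_enc": nonce.hex() + ":" + ct.hex(), "amount": amount, "atc": ATC,
            "arqc": cryptogram(ISSUER_MAC_KEY, pan, amount, ATC)}

def pan_visible_at_pos(msg):
    """The PAN as seen by the POS application and anything else on that host."""
    return msg.get("pan")

def acquirer_recover_pan(msg):
    """Only the acquirer (in practice its HSM) can turn pan_enc back into a PAN."""
    nonce_hex, ct_hex = msg["pan_enc"].split(":")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    return _xor(ct, _keystream(ACQUIRER_ENC_KEY, nonce, len(ct))).decode()

def issuer_verify(msg, pan):
    """Issuer recomputes the cryptogram over the recovered PAN and transaction data."""
    expected = cryptogram(ISSUER_MAC_KEY, pan, msg["amount"], msg["atc"])
    return hmac.compare_digest(expected, msg["arqc"])
```

Both message types verify at the issuer; the difference is only what is readable in between, which is exactly the gap the quotes above describe.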
Chip and PIN will help, but all businesses will have to face a stark fact. As Mulligan told the Senate solons last week, "the unfortunate reality is that we suffered a breach, and all businesses -- and their customers -- are facing increasingly sophisticated threats from cybercriminals."
Data Breach Diary
- Feb. 2. French telephone operator Orange confirms data breach compromising personal information of 800,000, or 3 percent, of its customers. Information was primarily names and mailing addresses of the customers.
- Feb. 3. White House National Security Council confirms issuance of a report warning the U.S. Department of Health and Human Services of security concerns at HealthCare.gov because some of the code for the site may have been created by developers associated with the government of Belarus. The code could be used for cyberattacks on the site, according to the report, which subsequently was withdrawn. A council spokesperson told The Washington Free Beacon that HHS conducted a review of its software and found no indications that any of it was developed in Belarus.
- Feb. 3. White Lodging Services announces the suspected breach of point-of-sale systems March 20-Dec. 16, 2013, at 14 properties it manages, including those of Marriott, Holiday Inn, Westin, Sheraton, Renaissance and Radisson in Illinois, Texas, Pennsylvania, Colorado, Indiana, Virginia, Florida and Kentucky. Breach affects primarily food and beverage outlets at the locations.
- Feb. 4. Judiciary Committee of U.S. Senate holds hearing on preventing data breaches and preventing cybercrime.
- Feb. 4. Adobe releases emergency fix for Flash Player that's being used by malware in targeted attacks to steal login credentials for email and other services.
- Feb. 5. Hacker group NullCrew posts to Internet a server list, passwords, and a link to a root file containing a system vulnerability that it claims came from 34 servers belonging to Comcast.
- Feb. 5. Olmsted Medical Center in Minnesota confirms data breach of its systems may have compromised personal information of an unspecified number of its employees. The healthcare provider plans on offering employees, their spouses and their dependents one year of free identity theft protection.
- Feb. 6. Javelin Research reports one in three victims of a data breach in 2013 experienced fraud, compared to one in four in 2012.
- Feb. 6. Fazio Mechanical Services, the Pennsylvania heating, cooling and refrigeration vendor at the heart of the Target data breach that compromised payment card and personal information for 110 million customers, states it was the victim of a sophisticated cyberattack and that its security systems are in full compliance with industry practices.
- Feb. 6. Gartner predicts that by 2016, 25 percent of large global companies will be using big data analytics for at least one security or fraud detection use case, an increase from 8 percent today.
- Feb. 7. Legislation introduced in California to require kill switch technology be installed on all smartphones and other mobile devices sold or shipped in the state. Technology would render devices inoperable if lost or stolen.
Upcoming Security Events
- Feb. 9-13. Kaspersky Security Analyst Summit. Hard Rock Hotel and Casino Punta Cana, Dominican Republic.
- Feb. 10-15. CyberCon 2014. Sponsored by SANS. Online courses range from US$4,195-$5,095.
- Feb. 17-20. 30th General Meeting of Messaging, Malware and Mobile Anti-Abuse Working Group. Westin Market Street, San Francisco. Members only.
- Feb. 19. New FFIEC Guidelines on Social Media: 3 Things You Need to Know. 10 a.m. ET. Webinar sponsored by Cyveillance. Free with registration.
- Feb. 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- Feb. 27. TrustyCon. 9:30 a.m.-5 p.m. PT. AMC Metreon, 135 4th St #3000, Theater 15, San Francisco. Sponsored by iSEC Partners, Electronic Frontier Foundation (EFF) and DEF CON. $50 plus $3.74 fee.
- Feb. 27. Suits and Spooks security Town Hall. 7-10 p.m. PT. Ritz Carlton, San Francisco. Ticket: $104.
- March 3-8. Cyber Guardian 2014. Sheraton Inner Harbor hotel, Baltimore, Md. Sponsored by SANS. Courses range from $4,895-$5,095.
- March 5-10. DFIRCON 2014. Monterey Marriott, Monterey, Calif. Sponsored by SANS. Courses range from $4,845-$5,095.
- March 12-23. ICS Security Summit. Contemporary Hotel, Lake Buena Vista, Fla. Sponsored by SANS. Courses range from $1,700-$4,595.
- March 20-21. Suits and Spooks Singapore. Mandarin Oriental, 5 Raffles Ave., Marina Square, Singapore, and ITU-IMPACT Headquarters and Global Response Center, Cyberjaya, Malaysia. Registration: Singapore and Malaysia, by Jan. 19, $415; after Jan. 19, $575. Singapore only, by Jan. 19, $275; after Jan. 19, $395.
- March 25. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- March 25-28. Black Hat Asia. Marina Bay Sands, Singapore. Registration: by Jan. 24, $999; by March 21, $1,200; by March 28, $1,400.
- April 1-2. SecureCloud 2014. Amsterdam RAI Convention Centre, Amsterdam, Netherlands. Registration (includes VAT): Through Feb. 14, 665.50 euros, government; 847 euros, business; After Feb. 14, 786.50 euros, government; 1,089 euros, business.
- April 5-14. SANS 2014. Walt Disney World Dolphin Resort, Orlando, Fla. Job-based long courses: $3,145-$5,095. Skill-based short courses: $575-$3,950.
- April 8. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- April 8-9. IT Security Entrepreneurs' Forum. Computer History Museum, 1401 North Shoreline Boulevard, Mountain View, Calif. April 8 workshops and April 9 forum and reception, $595. Forum and reception only, $495. Government employees, free. Students, $195.
- April 11-12. Women in Cybersecurity Conference. Nashville, Tenn.
- April 17-18. Suits and Spooks San Francisco. Fort Mason in the Firehouse, San Francisco. Registration: Through March 10, $380. After March 10, $575.
- April 29. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- June 5. Cyber Security Summit. Sheraton Premiere, Tysons Corner, Va. Registration: $250; government, $50.
- June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.
- Sept. 17-19. International Association of Privacy Professionals and Cloud Security Alliance Joint Conference. San Jose Convention Center, San Jose, Calif.
- Sept. 18. Cyber Security Summit. The Hilton Hotel, New York City. Registration: $250; government, $50.