Defense contractors have begun to bolster their cybersecurity practices in the wake of the massive leaking of government data by former NSA contractor Edward Snowden.
Seventy-five percent of defense contractors said the Snowden Affair had changed security procedures for their employees in a survey released by ThreatTrack, conducted by Opinion Matters.
“I’m surprised that number isn’t higher,” said Dodi Glenn, senior director of security intelligence and research labs at ThreatTrack.
“The technology landscape is constantly changing, and what we saw even one year ago is not what we’re currently seeing,” he told TechNewsWorld. “Targeted attacks are increasing. Android devices as a target have increased. Malware has increased. So I would have expected the number to be closer to 85 to 90 percent.”
A number of measures are being taken to tighten up security. For example, more than half of the 100 defense contractors (55 percent) participating in the ThreatTrack study said they’d increased the amount of cybersecurity awareness training they were giving their employees, and 52 percent had reviewed or revamped the data access privileges of their employees.
Beyond Defense Contractors
Almost half the respondents (47 percent) said they were on a higher alert for anomalous activity on their networks by employees, and 41 percent said they had toughened their hiring practices.
More than a third of the contractors (39 percent) said they had curtailed the rights of their IT administrators.
All companies, not just defense contractors, should be periodically assessing their security procedures, noted James Fisher, senior manager for media relations at Snowden’s former employer Booz Allen Hamilton.
“Cybersecurity threats are evolving and becoming more lethal every week, and every company ought to be constantly re-evaluating its cyber defenses, particularly through the use of predictive intelligence,” he told TechNewsWorld.
Those kinds of reassessments appear to be happening, at least with companies doing business with the government.
“Snowden’s action is having a ripple effect on all sides,” said Tim Keanini, CTO of Lancope.
“People selling into government are anxious to prove they don’t have a Snowden working for them,” he told TechNewsWorld.
Despite the measures being taken, however, blocking the rise of another Snowden may be impossible, Keanini suggested. “We’re fooling ourselves if we think this will be the last one to happen. These things happen. We recalibrate, and then they happen again.”
Target Touts Chip Cards
Target CFO John Mulligan last week appeared before the Judiciary Committee of the U.S. Senate to talk about the company’s holiday season data breach that compromised payment card information and personal data of 110 million customers. At the hearing, Mulligan cited an action list of what Target was doing to protect its “guests” in the wake of the breach.
Among those action items was pumping more money into chip technology for the chain’s payment card and for the point-of-sale terminals in its stores.
“We believe that chip-enabled technologies are critical to providing enhanced protection for consumers,” Mulligan told the Senate panel.
Chip technology is just one component of a consumer security strategy.
“Chip and PIN technologies are good additional safeguards to protect unauthorized use of credit cards at POS terminals,” said Eric Chiu, president and founder of HyTrust.
“However, the breaches at Target, Adobe, and the NSA with Edward Snowden show that attackers are going after data beyond credit cards, which is something that chip and PIN technologies do not address,” he told TechNewsWorld.
The Unabated Threat
Even data in the purchase stream remains vulnerable when chip and PIN are used, as has become apparent in Europe, where EMV technology is widely used.
“UK experiences over the last several years clearly show that the stolen data from EMV systems can be repurposed for fraud in non-EMV and card-not-present scenarios, such as e-commerce, resulting in a major surge in online transaction fraud,” Mark Bower, vice president of Voltage Security, told TechNewsWorld.
“With EMV, the sensitive credit card number is still not encrypted from chip to the POS or beyond,” he continued. “Transactions are authenticated but not encrypted.”
Chip and PIN will help, but all businesses will have to face a stark fact. As Mulligan told the Senate solons last week, “the unfortunate reality is that we suffered a breach, and all businesses — and their customers — are facing increasingly sophisticated threats from cybercriminals.”
Data Breach Diary
- Feb. 2. French telephone operator Orange confirms data breach compromising the personal information of 800,000, or 3 percent, of its customers. Information was primarily the names and mailing addresses of the customers.
- Feb. 3. White House National Security Council confirms issuance of a report warning the U.S. Department of Health and Human Services of security concerns at HealthCare.gov because some of the code for the site may have been created by developers associated with the government of Belarus. The code could be used for cyberattacks on the site, according to the report, which subsequently was withdrawn. A council spokesperson told The Washington Free Beacon that HHS conducted a review of its software and found no indications that any of it was developed in Belarus.
- Feb. 3. White Lodging Services announces the suspected breach of point-of-sales systems March 20-Dec. 16, 2013, at 14 properties it manages, including those of Marriott, Holiday Inn, Westin, Sheraton, Renaissance, and Radisson in Illinois, Texas, Pennsylvania, Colorado, Indiana, Virginia, Florida, and Kentucky. The breach primarily affects food and beverage outlets at the locations.
- Feb. 4. Judiciary Committee of the U.S. Senate holds a hearing on preventing data breaches and preventing cybercrime.
- Feb. 4. Adobe releases an emergency fix for Flash Player that’s being used by malware in targeted attacks to steal login credentials for email and other services.
- Feb. 5. Hacker group NullCrew posts to the Internet a server list, passwords, and a link to a root file containing a system vulnerability that it claims came from 34 servers belonging to Comcast.
- Feb. 5. Olmsted Medical Center in Minnesota confirms data breach of its systems may have compromised the personal information of an unspecified number of its employees. The healthcare provider plans on offering employees, their spouses, and their dependents one year of free identity theft protection.
- Feb. 6. Javelin Research reports one in three victims of a data breach in 2013 experienced fraud, compared to one in four in 2012.
- Feb. 6. Fazio Mechanical Services, the Pennsylvania heating, cooling, and refrigeration vendor at the heart of the Target data breach that compromised payment card and personal information for 110 million customers, states it was the victim of a sophisticated cyberattack and that its security systems are in full compliance with industry practices.
- Feb. 6. Gartner predicts that by 2016, 25 percent of large global companies will be using big data analytics for at least one security or fraud detection use case, an increase from 8 percent today.
- Feb. 7. Legislation introduced in California to require kill switch technology to be installed on all smartphones and other mobile devices sold or shipped in the state. Technology would render devices inoperable if lost or stolen.