There is an interesting article that I read recently entitled “Cybercriminals have penetrated U.S. electrical grid” that is quite disturbing. The original Wall Street Journal article states that cybercriminals have gained access to U.S. power grid systems and are mapping the network and infecting computers with malware. Although it appears to be speculation at this time, a wide variety of scenarios have begun to emerge regarding what these criminals could do with this level of access. Some of the scenarios are pretty scary. Everything from control to sabotage and ransom has been discussed.
My feeling is that as a world culture, we don’t understand where the newest threats come from or the impact they could have. While Heartland Payment Systems seems like a big deal today, the cost and damage have likely been a drop in the bucket compared to what is on the horizon if we don’t get a better handle on these current threats.
The Business Software Alliance (BSA) recently released statistics showing that the percentage of pirated software grew from 38 percent in 2007 to 41 percent in 2008. The US has a low percentage compared to most nations.
In my opinion, this isn’t about economic and revenue losses, but rather a security issue. Most pirated versions of software cannot receive updates and patches. This leaves a lot of vulnerable systems to be attacked, exploited, and then used for nefarious purposes.
Vint Cerf estimated that one in four computers worldwide has command and control software that makes it part of a botnet. Of course no one knows the real figure. Most other security professionals estimate it somewhere between one percent and 10 percent. Either way, it is a big number. Having that many systems under the control of others can have devastating consequences. This is why we have the volume of SPAM we have today. This is how countries can be (and have been) taken offline through DDoS attacks. The problem with pirated software is that those systems become a plague to all the legitimate systems out there. This will grow to be an enormous problem in the near future.
I have been talking for some time about the security threats of P2P software, specifically its ability to scan for sensitive documents and post them to the Internet for anyone to download. In 2007 this was a concern of Congress that led Mark Gorton (Lime Group Chairman) to testify. Congress more recently stated that the P2P software providers still haven’t done enough to address these security issues. In a letter from Mark Gorton to Congress, he discusses the specific security enhancements they have made to version 5 of their product. One thing it does is not index and share standard document types. I assume this means .xls, .doc, and so forth. The inadvertent posting of sensitive information has been a problem for some time.
While I commend Lime Group for thinking about security and enhancing their product, allowing this software is like organizations playing with fire. It has always been, and remains, my position that no organization should allow P2P software to be loaded on its systems. Where it can be blocked, it should be. Where you can keep it from being installed, you should do that. At a minimum, you should have a written policy banning it, so that when an issue is discovered you have some recourse against the employee.
Cyber criminals know that oftentimes people want to get their hands on the latest and greatest software prior to its official release. As a result, these hackers have been known to modify this software and post it to the Internet for unsuspecting people to download. The modifications they make include methods to subvert traditional AV systems and install Trojans and other malware that can give the bad guys full control from anywhere in the world.
Microsoft’s Windows 7 was the latest to have this happen, although this is far from the first time. Apple’s iWork ’09 had something similar last year. My suggestion is to not download and use pirated software because the security implications can be huge. Remember, it isn’t just about that one system being infected. Once it is on the inside of your network, it can spread to other systems.
This isn’t the first time I have heard about this type of thing, but it does appear to be a growing threat. According to Wikileaks.org, cyber attackers breached the Virginia Department of Health Professionals’ prescription monitoring website, downloaded a ton of data and are now demanding $10 million in ransom for its return.
The site became unavailable after this happened on May 4, 2009. The ransom note said they had 7 days. At this time I have not been able to find out any additional information on this, and the 7 days have long passed. I don’t know if Virginia is keeping this under wraps, or something else is going on. Perhaps due to the investigation, they can’t release any additional information.
I believe we will begin to see more and more of this type of thing.
The latest Microsoft Security Intelligence Report states: “In contrast to the decrease in total disclosures, vulnerabilities rated as High severity increased 13% with respect to the second half of 2007, with roughly 48% of all vulnerabilities receiving a rating of High severity. This is still a 28% decline from the first half of 2007.”
While there was a clear spike in 2007, I think there is a clear uptrend in the overall severity of breaches.
What is concerning to me is that there is less sophistication on the defensive side. Most organizations are doing the same old things to protect against what they think are the same old attacks. The truth is, the bad guys are out-thinking most organizations, and while there are technologies and risk mitigation solutions that can be used, most don’t use them due to lack of focus, time, resources, etc.
Many of the questions asked whether a particular type of business or company is required to conform to “Red Flags” based on the broad definition of “Creditors” and “Covered Accounts”. I attempted to describe the regulation and qualification as best I could during the webinar. The problem with trying to answer those questions here is 1) a brief question usually doesn’t give me enough information to know for sure if a company falls under Red Flags and 2) often there is more to the way that a company is doing business than what is expressed.
But generally, what I find is that organizations are looking for any possible way to not be qualified under Red Flags. They don’t want more work and regulations, but in many respects, that is exactly why this legislation needed to be enacted. Far too few businesses think about identity theft and fraud. I suggest that if you aren’t sure whether you qualify as a business that is subject to Red Flags, you err on the side of caution and assume that you are. The last thing you would want is to find out later that you should have been, and be subject to civil monetary penalties.
Feel free to ask further questions in the comment section.
Q: Does the extended date apply to financial institutions, or is the original Nov date still applicable for banks, while the new date is for other organizations?
A: According to the FTC’s website “The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs.” - http://www.ftc.gov/opa/2009/04/redflagsrule.shtm
Q: Are the rules applicable to law firms?
A: If they allow their customers to pay for services at a later time than when the services were rendered… yes.
Q: It seems like law firms have a pretty secure way of handling accounts – what could they do in order to follow the rules that they aren’t already doing without a written program per se?
A: The point of Red Flags is to have a written program and then follow that program… not to find ways to avoid creating an identity theft program even if strong methods are already in place. Even if an organization has a “secure way of handling accounts”, that doesn’t mean that employees are trained to look for the signs of identity theft or that systems are in place to detect or respond to those events.
Q: Does the date change affect ALL orgs, or just FTC regulated orgs? I was under the impression that FDIC regulated orgs were still held to the original deadline.
A: See above… but yes, it applies to all.
Q: What guidelines are there for managed service providers that serve customers requiring Red Flag compliance?
A: I don’t know of any that specifically call out service providers.
Q: Do you offer a Red Flags service?
A: Our eSecurity Training portal does have a Red Flags training course. We also offer several technologies that help identify, stop, and report on attempted data breaches which is part of Red Flags.
Q: Will FINRA, independent from FTC, be issuing any Info Security regs?
A: I haven’t heard anything, but that doesn’t mean much.
Q: Would an investment adviser that allows clients to pay their annual fee in quarterly installments qualify as low risk for ID theft? If so, where can the ID theft program template be found?
A: That does not sound like “low risk” to me, but you should evaluate your business based upon what is outlined by the FTC and others. I believe that the template will be sent out to everyone that was on the webinar.
Q: Is there some sort of red flag checklist, kind of like the PCI self-assessment questionnaire?
A: Not that I have seen. I have found several good sample policies on the Internet that an organization could use to model their policies and procedures on.
Q: What are the penalties/consequences of non-compliance?
A: “Civil Monetary Penalties”. While it doesn’t look like there will be any active enforcement or auditing (at least at this time), if identity theft occurs and the company was not adhering to Red Flags, that is likely where consequences would come in.
Q: Must we notify our clients of our anti-identity theft program? If yes, how often do we need to do this and how do we communicate this information?
A: I haven’t read anything that states that your program must be communicated to customers. I know some businesses do that simply for the PR benefit.
Q: What agency will be monitoring this or will it only be complaint driven?
A: See answer above.
Q: Does the FTC, or some other organization, have to approve a company as a low risk creditor?
A: As this seems to be more of a self-governing type of regulation, I don’t think the FTC or anyone else will get in the business of deciding who is low risk or not.
I read an interesting post with some commentary and analysis of the Retail Data Breach Study that I had written several months ago. It is nice to see people catch the vision and seriousness of these things and discuss them. In general I have to agree with the analysis and conclusions.
According to McAfee, “Cybercriminals have taken control of almost 12 million new IP addresses in Q1 2009, a 50 percent increase over the previous quarter. The United States is now home to the largest percentage of botnet-infected computers, hosting 18 percent of all “zombie” machines.” Their Global Threats Report shows Australia as #3 in the world for most infected computers.
Microsoft’s reports are quite a bit different. See chart. I don’t think it much matters who is in the lead or falling behind. Several years ago, when we attempted to implement blacklists based on world geography, such rankings could have helped. However, those days are long gone, in that we are truly a global society. What I think is important to note here is that everyone agrees that the number of infected systems is going up at an alarming rate.
We at Perimeter E-Security of course monitor this traffic and behavior as well. For those that are interested, our findings more closely match those of Microsoft and not McAfee, in that Australia is close to the bottom on our list.
There might be several reasons for the discrepancy between McAfee and Microsoft. Microsoft’s data seems to me a better indicator because their tool is free and globally distributed and used. McAfee, while having a very large user base, is not as evenly distributed, so their findings are likely skewed.
There is a very interesting article discussing how Conficker spread to medical devices and systems in many hospitals in the U.S. and abroad. Many are still baffled by how some of these systems even got infected in the first place. The devices include MRI machines, heart monitoring systems, and more. This was discussed during a panel at the RSA conference a few weeks ago.
This is some very scary stuff. While Conficker has not done much from an attack perspective, it certainly can. So far it has been in “harvest” mode, where it is attempting to get more and more systems compromised and under the command and control of the developers of Conficker. With one single payload dump, these infected systems could perform any number of actions. Those actions performed on medical devices could be life and death. While we have seen infrastructure attacks become more of a focus for cyber terrorists (such as the Blaster worm possibly being responsible for the blackouts in the Northeast… which the government denies but without ever disclosing the actual cause), being in control of specific medical devices is very scary.