Aug 10
31
Here’s yet another example of how, despite tremendous safeguards, all it takes is one unintended internal mistake to create a costly breach:
It was a USB drive loaded with malware.
That’s how U.S. defense networks were compromised in 2008, according to U.S. Deputy Defense Secretary William Lynn, who today offered the first official confirmation of a data breach that led to restrictions on the use of removable USB drives in the military.
In an article written for Foreign Affairs magazine, Lynn said the breach occurred when a single USB drive containing malicious code was inserted into a laptop computer at a U.S. base in the Middle East. The malware, placed on the drive by a foreign intelligence agency, was uploaded to a network run by the U.S. Central Command.
The malware then spread — undetected — on both classified and unclassified systems, essentially establishing a “digital beachhead” from which data could be transferred to servers outside the U.S. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Lynn wrote.
…
The incident highlights the enormous problems that can result from seemingly minor vulnerabilities, said J.R. Reagan, an analyst with Deloitte Consulting Services. “It brings to life what we have all feared for a long time from the small little holes in the dike that can really open up big problems,” Reagan said.
In the military’s case, the problems may have been exacerbated by an ongoing drive to make information sharing easier, he said.
Officials are reporting that this incident led to a military-wide ban on USB drives, but really, the answer is so much simpler than that: lock the data down in the first place!
Aug 10
25
This time we are looking for three Hybrid Sr. BA / DA – Sr. Business Analysts / Data Analysts for a NYC/ Jersey City project:
Project: Capital markets / regulatory gig
We are currently seeking a hybrid Business Analyst and Data Analyst to work on Compliance / Regulatory projects. The desired candidate will be responsible for typical Business Analyst activities and will also need to perform as a Data Analyst (SQL, data mapping, data feeds, modeling).
REQUIRED SKILLS:
* Work is located in Jersey City, NJ
* Minimum 10+ years experience as a Business Analyst and/or Data Analyst
* Good knowledge of Capital Markets industry and general data concepts
* Experience with business requirements (BRDs), high-level functional designs, ETL data mapping specification designs, data feed specifications and data analysis
* Skilled with writing and executing SQL queries
* Basic understanding of relational and dimensional data model designs
* Skilled with MS Office tools
* Good Capital Markets project experience / background
* SDLC methodology and waterfall project experience
* Excellent verbal, written and interpersonal communication skills
* Proactive and dedicated team player
NICE TO HAVES:
* Experience working on Basel II, credit risk, data management, data warehousing, ETL or back-office projects
* Experience with Quality Center and TOAD tools
Interested? Send your resume to careers @ axistechnologyllc.com!
Aug 10
16
Join the team that’s raising the bar on data security! We are currently looking for:
Position (Role): Hybrid Sr. BA / DA – Sr. Business Analyst / Data Analyst
We are currently seeking a hybrid Business Analyst and Data Analyst to work on Compliance / Regulatory projects. The desired candidate will be responsible for typical Business Analyst activities and will also need to perform as a Data Analyst (SQL, data mapping, data feeds, and modeling).
REQUIRED SKILLS:
* Work is located in Jersey City, NJ
* Minimum 10+ years experience as a Business Analyst and/or Data Analyst
* Good knowledge of Capital Markets industry and general data concepts
* Experience with business requirements (BRDs), high-level functional designs, ETL data mapping specification designs, data feed specifications and data analysis
* Skilled with writing and executing SQL queries
* Basic understanding of relational and dimensional data model designs
* Skilled with MS Office tools
* Good Capital Markets project experience / background
* SDLC methodology and waterfall project experience
* Excellent verbal, written and interpersonal communication skills
* Proactive and dedicated team player
NICE TO HAVES:
* Experience working on Basel II, credit risk, data management, data warehousing, ETL or back-office projects
* Experience with Quality Center and TOAD tools
Interested? Send your resume to careers @ axistechnologyllc.com and reference job code BADAJC.
Aug 10
10
Today at 1:00 p.m. Eastern I will be live on CyberHood Watch discussing how small businesses can best protect their data. Listen and call in with your questions!
Aug 10
3
eWeek’s Brian Horowitz recently discussed an American survey that revealed that the healthcare industry suffers the most when it comes to breaches:
A total of 113 healthcare facilities have been hit with data breaches in 2010, compared with only 39 banking/finance firms, according to a July 28 report by the Identity Theft Resource Center.
This certainly doesn’t make the road to Electronic Medical Records very easy. Not too long ago I interviewed with Mark Marotta of the Therapy Times and we discussed the risk and rewards of EMRs:
Logan says the transition to EHRs is probably going to take longer than people want, and it will probably occur in states like California or New York, which have the most to gain. “There will be a transition period which could be painful for folks who live in rural areas,” he adds.
Along the way, Logan predicts, there will be stumbles in the form of data breaches that will cause people to say that computerizing healthcare information is unsafe. Nicholls-Sharp says it is important for practitioners to make sure the EHR systems they select meet the standards of the Healthcare Insurance Privacy and Accountability Act in terms of ensuring patient privacy and security. “It’s complex enough that you probably should have someone – if you’re a private practitioner – take a look at the different aspects to make sure you’re compliant,” advises Elrod.
The good news, Logan says, is that many products to ensure data security are already on the market. He adds that the healthcare field can also leverage the knowledge that has been developed by financial services or the government, which are experienced in dealing with these issues.
“It’s an area where there are a lot of best practices available. It’s going to be more about understanding and learning what those best practices are and then trying to apply them to their environments in a smart way. I think it’s very doable. It’s just a question of starting down the path, thinking it through a little bit, and working through it in a reasonable time frame. It’s not going to be overnight, but it shouldn’t take 20 years, either. It should be one to five years. There should be a fair bit of progress, especially with smaller providers, since they don’t have huge investments to retool,” says Logan.
And of course we’ll be there to protect EMRs every step of the way.
Jul 10
27
In a follow-up to the recent story about a South Shore hospital whose records had gone missing via a third-party vendor, the Patriot Ledger ran an update discussing the length of time it took the hospital to report the breach:
The regulations do not give a specific notification period, only stating it must be done “as soon as practicable and without unreasonable delay.”
Deborah Birnbach, a partner at law firm Goodwin Procter’s Boston office, said the four weeks that passed before the hospital announced the missing records could meet the intentions of the law. The hospital may have been researching the scope of the breach and how many people were affected, she said.
It’s interesting because it looks like this could be a bit of a loophole for companies that are impacted by 201 CMR 17.00. We’ll continue to watch this situation as it unfolds…
Jul 10
21
It’s summer in Boston and it’s not just the weather that’s hot. Earlier this week there was a major loss of private data affiliated with South Shore Hospital. According to iHealth Beat:
Monday, officials at South Shore Hospital in Massachusetts announced that the personal information of about 800,000 individuals could be missing after an off-site contractor responsible for destroying the computer files did not receive all of them…
…Hospital officials said that the files were shipped to be destroyed on Feb. 26 because the hospital no longer used the format in which the files were stored.
When the hospital did not receive confirmation that the contractor had received the files, it questioned the contractor in June and found that only some of the files had been received and destroyed.
WCVB reports that “The information on the backup computer files may include individuals’ full names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, protected health information including diagnoses and treatments relating to certain hospital and home health care visits, and other personal information. Bank account information and credit card numbers for a very small subset of individuals also may have been on the backup computer files.”
South Shore Hospital has notified regulators, including the Attorney General’s office. It’ll be interesting to see how this all unfolds, particularly with the newer laws in place.
Jul 10
20
Today we unveiled the latest version of our flagship data masking platform: DMsuite™ Standard Edition 3.2:
Complete with a powerful, intuitive PeopleSoft Enterprise plug-in that automatically maps and profiles data, this latest version of the industry-leading data masking platform ensures companies stay ahead of current security threats and regulations. The PeopleSoft plug-in comes standard with DMsuite™ 3.2, allowing companies to enhance their Oracle investment, rather than adding costs to it. DMsuite™ 3.2 also supports the entire Oracle Financials solution set, which is part of the Oracle E-Business Suite.
DMsuite™ 3.2 has also added Informix to its roster of supported databases. Other environments the platform supports include Oracle, SQL Server, Sybase, and DB2, as well as file formats such as VSAM, delimited, XML, XLS and flat files. Web-based, DMsuite™ 3.2’s central point of control enables easy operation, administration, logging and auditing, all while maintaining referential integrity across business lines and different platforms. Reports are easily generated on the fly, detailing information such as the date of the last database refresh, masking, and audit operations. DMsuite™ 3.2 saves its clients time and resources with its out-of-the-box ease of implementation, provides status alerts via email, and allows team members to efficiently share masking rule sets.
We have some exciting new clients taking advantage of this latest version, and I’m certainly looking forward to sharing those in the near future. With officials on the lookout for any violators of the newest data privacy laws, more and more companies are turning to us to ensure compliance and true security.
Jul 10
14
Bank Info Security’s Tom Field conducted a “state of the security industry” interview with Forrester analyst Jonathan Penn entitled “It’s Time to ‘Take Security Out of the Closet’.” It’s a great read and I highly recommend it, though there is one portion regarding data masking and tokenization that I wanted to comment on:
There is a lot happening in data security. DLP adoption continues to grow (that is Data Leak Prevention technology), but there are also things happening in database security, data masking and database monitoring. Tokenization is a big issue. Basically trying to make the information that is such a prime target for identity thieves that much more meaningless by turning it into something that isn’t directly useable by them.
Lumping “data masking” and “tokenization” into the same answer and simply stating, “trying to make the information that is such a prime target for identity thieves that much more meaningless by turning it into something that isn’t directly useable by them,” might lead to the misconception that they are the same thing. It’s important to note that tokenization is a less in-depth measure that is best suited for one-time use on numbers-based databases. Data masking, especially as done by DMsuite, is meant for all types of data, can be used and repeated across multiple databases and environments, and can be used for every kind of outsourcing.
Overall a good interview with some great insight and a mid-2010 “pulse check.”
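To make the distinction above concrete, here is an added example (not DMsuite code, and not from the interview) that contrasts a keyed, deterministic mask with a random token vault on two constructed tables that share an SSN column. The deterministic mask keeps the join between the tables intact wherever the same key is used; two independently populated vaults do not, which is why a vault-style tokenizer suits a single system rather than repeated use across environments.

```python
import hmac
import hashlib
import secrets

# Constructed sample data: two tables from different systems sharing a key column.
CUSTOMERS = [
    {"ssn": "123-45-6789", "name": "A. Example"},
    {"ssn": "987-65-4321", "name": "B. Example"},
]
CLAIMS = [
    {"ssn": "123-45-6789", "claim": "C-1"},
    {"ssn": "123-45-6789", "claim": "C-2"},
    {"ssn": "987-65-4321", "claim": "C-3"},
]

# Constructed demo key; a real deployment would keep this in a secrets manager.
MASK_KEY = b"constructed-demo-key"


def mask_ssn(ssn: str, key: bytes = MASK_KEY) -> str:
    """Deterministic, format-preserving mask: same input and key -> same fake SSN.
    Digits are derived from an HMAC so the original cannot be read back from the mask
    without the key; byte % 10 is slightly biased but adequate for a demonstration."""
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).digest()
    digits = "".join(str(b % 10) for b in digest[:9])
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


class TokenVault:
    """Random tokenization: the token carries no information about the value;
    the only link between them is the mapping held inside this vault."""

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._to_token:
            token = secrets.token_hex(8)
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, token: str) -> str:
        return self._to_value[token]


def mask_table(rows: list[dict], column: str, fn) -> list[dict]:
    """Apply fn to one column of every row, returning new rows."""
    return [{**row, column: fn(row[column])} for row in rows]


def join_count(left: list[dict], right: list[dict], column: str) -> int:
    """Number of rows in right whose key also appears in left."""
    keys = {row[column] for row in left}
    return sum(1 for row in right if row[column] in keys)
```

Masking both tables with the same key keeps every claim joinable to its customer; tokenizing each table with its own vault breaks the join, since each vault issues unrelated random tokens.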
According to researchers at Vupen Security, there’s a memory corruption flaw in Microsoft Office 2010 that could be used by an attacker to execute code:
The company June 22 said it “created a code execution exploit which works with Office 2010 and bypasses DEP (Data Execution Prevention) and Office File Validation features.”
The bug, Vupen CEO Chaouki Bekrar told eWEEK, is caused by a heap corruption error when processing malformed data within an Excel document.
“Exploiting this vulnerability is not trivial since many security features are enabled by default in Office 2010 including DEP … Office File Validation and Protected View,” Bekrar explained in an e-mail. “However, we have been able to reliably achieve code execution via a specially crafted Excel document.”
Microsoft is saying they do not have any knowledge of the details, however:
“Microsoft is aware of a claimed vulnerability but does not have the details to validate the claim,” Jerry Bryant, group manager of response communications at Microsoft, said in a statement. “To minimize risk to computer users, Microsoft continues to encourage responsible disclosure. Reporting vulnerabilities directly to vendors helps ensure that customers receive comprehensive, high-quality updates before cyber-criminals learn of—and work to exploit—a vulnerability.”
So it looks like the “jury” is still out on this one. But at any rate, enterprises using Office 2010 should keep a close eye on the situation.