Cyber Security News of the Week, May 20, 2012

Cyber Security Commentary — Solutions to Cybercrime Risks Provided by Dept. of Homeland Security, SANS Institute and Other Cybersecurity Experts at ISSA-LA 4th Annual Information Security Summit.

Keynote speakers Alan Paller, Director of Research at the SANS Institute, and Bruce W. McConnell, Senior Counselor for Cybersecurity at the U.S. Department of Homeland Security, along with 15 other speakers described steps businesses can take to lower the economic risks from cybercrime at ISSA-LA’s Fourth Annual Information Security Summit held on May 16, 2012 at the Hilton Universal City Hotel in Los Angeles. More than 500 security professionals, IT professionals and business leaders attended the one-day Summit entitled The Growing Cyber Threat: Protect Your Business.

In his opening Keynote Address, Paller described several measurably effective countermeasures organizations are implementing to keep cyber criminals at bay. “Everyone in information security has an opinion,” said Paller in his keynote address. “But the attackers are fighting us with weapons, not opinions.” That’s why it is so important, he continued, to be able to distinguish strategies and tactics that work from those that don’t.

As reported on KNX 1070 Newsradio in Los Angeles, “The Department of Homeland Security had a stark warning for business owners. ‘Take it seriously, make the investments,’ said DHS cyber-security counselor Bruce McConnell. ‘I think the key thing is to look at cyber security and manage it just like you manage other risks, financial risks, reputation risks.’”

“We’re losing a lot of intellectual property from cyber theft, and I think that’s very worrisome from the long-term competitiveness of the U.S.” McConnell said on KNX. “It’s very serious.”

Other cyber security solutions were provided by a broad range of speakers including David Hallstrom, Security and Privacy Underwriting Director, CNA; Brad Maryman, President, Maryman and Associates; Tim Toohey, JD, Partner at Snell & Wilmer; David Marcus, Director of Advanced Research and Threat Intelligence for McAfee® Labs; Ira Winkler, President, Internet Security Advisors Group; information security consultant Kevin Cardwell; Lance Spitzner, Training Director at SANS; Marc Maiffret, Chief Technology Officer at BeyondTrust; Robert Brown, Chief Information Security Officer at Western Bridge Corporate Federal Credit Union; Joe McCray; Rafal Los, Chief Security Evangelist for Hewlett-Packard Software; Michelle Schafer, Vice President, Security Practice at the Merritt Group; Chris Coffey, Executive Coach; and Tim Wilson, Editor of Dark Reading.

Below are three news stories on the Summit: Maiffret; Paller; U.S. Competitiveness.

Cyber Crime

Global Payments Breach Now Dates Back to Jan. 2011: The data breach at Atlanta-based credit and debit card processor Global Payments just keeps getting bigger. Earlier this month, I reported that Visa and MasterCard were alerting banks that the breach extended back to June 2011. Now it appears the breach jeopardized cards processed by Global as far back as January 2011. KrebsOnSecurity, May 17, 2012

Multiple Human Rights, Foreign Policy Sites Hacked: A rash of recent and ongoing targeted attacks involving compromises at high-profile Web sites should serve as a sobering reminder of the need to be vigilant about applying browser updates. Hackers have hit a number of prominent foreign policy and human rights group Web sites, configuring them to serve spyware by exploiting newly patched flaws in widely used software from Adobe and Oracle. KrebsOnSecurity, May 15, 2012

Amnesty International Hackers Learned From Flashback: Hackers took aim last week at Amnesty International websites in Britain and Hong Kong with an exploit that targeted anyone visiting those websites. InformationWeek, May 14, 2012

Hackers Break Into Bitcoin Exchange Site Bitcoinica, Steal $90,000 in Bitcoins: Bitcoin exchange site Bitcoinica suspended its operations on Friday after hackers managed to steal 18,547 bitcoins — valued at about US$90,000 — from its online wallet. PC World, May 14, 2012

Cyber Risk

Thwarted by security at enterprises, cyber criminals target SMBs: Big business — at least a significant percentage of it — has apparently heeded the decades-long mantra from information security experts, and invested enough in security to make it difficult, expensive and risky for cyber criminals to attack them. NetworkWorld, May 15, 2012

Cyber Threat

Maiffret: If it’s a Linux flaw, your phone is directly threatened: Marc Maiffret, co-founder of eEye and now — through acquisition — CTO of BeyondTrust, ran attendees of ISSA-LA’s Security Summit IV through the modern-day risks of mobile phone use. Not surprisingly, he suggested that threats to mobile phones and tablets are not new at all. CSO, May 16, 2012

Facebook Takes Aim at Cross-Browser ‘LilyJade’ Worm: Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software. KrebsOnSecurity, May 17, 2012

Wikipedia ads mean you’ve got malware: If you see an advertisement on Wikipedia, there’s a good chance you have malware on your computer. MSNBC, May 15, 2012

Android Trojan Mimics PC Drive-by Malware Attack: Researchers have noticed one of the first examples of Android “drive-by” malware from an ordinary website, a dangerous type of automatic attack more commonly used to infect Windows PCs. PC World, May 13, 2012

Cyber Update

Apple Inoculates OS X Leopard Against Flashback: In the wake of the Flashback malware outbreak that last month infected more than 600,000 Macs, Apple Monday pushed two security fixes for users of OS X 10.5 Leopard. InformationWeek, May 15, 2012

Cyber Security Management

Alan Paller on cutting through the bull: Alan Paller of the SANS Institute delivered the first talk of the day at ISSA-LA’s Security Summit IV, focusing on the keys to being a successful security leader. A lot of those keys involve cutting through the bull (my words, not his). “Everyone in information security has an opinion,” he said. “But the attackers are fighting us with weapons, not opinions.” CSO, May 16, 2012

Cybersecurity: How US utilities passed up chance to protect their networks: Cybersecurity needs are not hypothetical, as the recent DHS warning of a cyberattack on the US natural gas industry shows. Why then was a post-9/11 initiative to secure US utilities dropped? Christian Science Monitor, May 17, 2012

Governance of Enterprise Security: CyLab 2012 Report: Carnegie Mellon CyLab has just concluded its third survey on how boards and senior executives are governing the privacy and security of their organizations’ digital assets (networks, systems, and data). Sponsored by RSA, this survey reached beyond the U.S. survey populations used for the 2008 and 2010 CyLab Governance of Enterprise Security reports. Using the Forbes Global 2000 list, the 2012 survey represents the first analysis of cyber governance postures of major corporations around the world. RSA, 2012

HIPAA changes on the way for covered providers: The privacy and security landscape for covered providers will soon be changing. A number of rules are finally making their way through the system in relation to HIPAA, HITECH and Stage II Meaningful Use., May 14, 2012

Feds Step Up HIPAA Compliance Audits: The Health Insurance Portability and Accountability Act (HIPAA) has fundamentally changed the health care industry’s privacy and security practices. However, the federal government’s enforcement efforts historically have been complaint-driven and sporadic. As a result, HIPAA-covered entities and business associates typically have failed to make compliance a priority. In fact, in 2008, the federal Department of Health and Human Services Office of Inspector General published a report criticizing the government’s HIPAA oversight, concluding that, “reliance on complaints alone was ineffective” for identifying noncompliance. Connecticut Law Tribune, May 14, 2012

Business Partners: A New Risk to Health Data Security?: HIPAA: Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data. iHealthBeat, May 14, 2012 

Cyber Legislation

Cybersecurity bill hits snag: There’s yet another hurdle for Sen. Joe Lieberman’s cybersecurity bill: Democrats who say it doesn’t go far enough to protect consumer privacy. Politico, May 13, 2012

Securing the Village

US ‘Long-Term Competitiveness’ At Risk Over Cyber Attacks: Security experts at ISSA-LA summit on cyber-crime on Wednesday warned the economic growth of U.S. companies could be at risk from emerging threats online. CBS2, Los Angeles, May 16, 2012

White House’s cybersecurity official retiring: The White House’s cybersecurity coordinator said Thursday that he is stepping down at the end of this month after a 2 1/2-year tenure in which the administration has increased its focus on cyber issues but struggled to reach agreement with lawmakers on the best way to protect the nation’s key computer networks from attack. The Washington Post, May 16, 2012