What IT Security Execs Think About Risk Management

In response to the results gathered in its 2012 Strategic Security Survey, InformationWeek has some simple advice that applies as much to your marriage or workplace debates as it does to IT risk management: pick your battles.

When it comes to security and risk management, don’t try to address every possible threat. Instead, pick your battles: Implement better access control, vet cloud providers, safeguard mobile devices, educate users and build more secure software, for starters.

They surveyed nearly 1,000 IT security pros and many of the findings are fascinating.

The following four graphs are just a small sampling.

You can download the full, 44-page report at their website (link above).

Most interesting to me are the top two bars in the second chart: security executives now, finally, consider internal users just as large a threat as they do cybercriminals.

DDoS Attacks “Have Never Been Easier to Launch”

As was heard throughout the speeches, sessions and networking chatter at the recent RIMS 2012 Annual Conference & Exhibition in Philadelphia, the biggest worry to business owners, CEOs and managers is that of cyber threats. And rightly so. It seems like each day we are inundated with reports of a new way hackers can gain control of company information and/or take down systems. Today is no exception.

This morning, Prolexic Technologies released a threat advisory on the use of booter shells, which allow hackers to readily launch DDoS attacks without the need for vast networks of infected zombie computers.

“Increased use of techniques such as booter shells is creating an exponential increase in the dangers posed by DDoS attacks,” said Neal Quinn, chief operating officer at Prolexic. “For hackers, DDoS attacks have never been easier to launch, while for their victims, the power and complexity of attacks is at an all-time high. The threat of a DDoS attack has never been more likely or its potential impact more severe. We’ve entered the age of DDoS-as-a-Service.”

The increased use of dynamic web content technologies, and the rapid deployment of insecure web applications, has created new vulnerabilities — and opportunities — for hackers to use infected web servers (instead of client machines) to conduct DDoS attacks. Traditional DDoS attacks make use of workstations infected with malware, typically through spam campaigns, worms or browser-based exploits. With these traditional tactics, hackers needed multitudes of infected machines to mount successful DDoS attacks.

Where booter shell scripts differ is that they are standalone files, meaning DDoS attacks can be launched more readily and can cause more damage, with hackers using far fewer machines. Even more alarming, people don’t need as much skill to launch such attacks. A DDoS booter shell script can be easily deployed by anyone who purchases hosted server resources or makes use of simple web application vulnerabilities (i.e., RFI, LFI, SQLi and WebDAV exploits). This, in essence, puts attacks within reach of even novice hackers. Companies should take note, especially financial firms.

According to Prolexic’s quarterly global DDoS attack report released a few weeks ago, there was an almost threefold increase in the number of attacks against its financial services clients during Q1 compared to Q4 2011. “This quarter was characterized by extremely high volumes of malicious traffic directed at our financial services clients,” said Neal Quinn, Prolexic’s vice president of Operations. “We expect other verticals beyond financial services, gaming and gambling to be on the receiving end of these massive attack volumes as the year progresses.”

So what should companies do to protect their information and IT infrastructure? Though organizations can never be 100% protected from an attack, they can reduce their exposure by continuously testing proprietary web applications, as well as constantly testing for known vulnerabilities in commercial apps.

The Risks of Near Field Communication

At the RIMS 2012 Annual Conference & Exhibition in Philadelphia, one of the “hot topic” sessions will focus on the risks of near-field communication. Your first question is probably, “what is near field communication?” That is understandable. It is a new, emerging technology that few people know about right now. But many experts believe it will soon change the way consumers pay for goods.

In short, it is a radio link established between two electronic devices, usually smartphones, that allows them to communicate when they are tapped together. Right now, the business focus on the technology mostly surrounds the new method of payment it can enable, as when one person can chip in for their share of the dinner bill by entering a dollar amount and “crossing streams” with the person who picked up the tab. This, and other payment scenarios, represents one more way — and a convenient way at that — that our society is continuing to move away from using cash to buy stuff.

Here is how the session description describes the related promise and threats.

Now paying the check is as easy as using your phone. But this seemingly time-saving and convenient payment poses many threats. To some, the [near field communication] chips embedded in phones and the supporting technology are viewed as more secure than credit or debit cards, with features such as off-site shutdown if a phone is lost. Opponents argue that nearby readers can hijack personal information from nearby points-of-sale. This session will demonstrate this technology and examine the risks to companies that pursue this technology and how those risks can be managed.

The session takes place in the Philadelphia Convention Center on Wednesday, April 18 at 8:45 am. Be sure to attend to find out more. But for those who cannot get to Philly, I reached out to Larry Collins, head of eSolutions for Zurich and a presenter at the session, to do a Q&A on the matter.

The upside of near field communication seems obvious — so much so that it seems like one of those technologies that the market will push into widespread use, perhaps before most companies really understand what they’re getting into. What are the major risks that businesses may be exposing themselves to?

Larry Collins: There are several issues that need to be considered. First is obvious: hackers or eavesdroppers can steal vital information. A near field communication device such as a smartphone is basically acting like a two-way radio. It’s creating a “nearby electrical field” that theoretically only an authorized reading device can pick up. The concerns are that if the field broadcasts too strongly or if someone simply walks by you with an active reader as your smartphone is in its holster on your hip, they may be able to pick up the signal.

The second issue is data storage. The technology companies that are helping with these transactions also may be storing some of the data. Anyone who processes or stores this data is subject to the same privacy and security requirements that exist now for the credit card companies. Data privacy and security will be paramount.

Third is the issue of what the data gets used for. People who transact using near field may be assuming that they’re just making use of their credit card information. If you have their phone information or other data about the consumers involved, and want to use it for other marketing purposes, you may need the card owner’s permission to do so. Risk managers need to review related rules, such as how long you can keep the data and who gets to see it.

How much more difficult is mobile data to protect than, say, corporate servers housed in an office building or other protected location?

Larry Collins: The issue is that mobile data is still a somewhat new capability. Ultimately the back-end servers are the same infrastructure as traditional servers. It’s the front-end use of smartphones and smart tablets that is new and, as such, it’s this new use that’s of concern. The security exposures there are still somewhat unknown and may ultimately experience a higher level of breach. Stay tuned on that issue.

Are there any insurance options out there for this? Would this fall under cyber-risk policies that exist now?

Larry Collins: There are several insurance options available for these exposures, although it is important to identify the economic impact for which you are seeking coverage. For instance, an unauthorized party to an NFC-enabled transaction may gain access to either sensitive data (credit card numbers, names, addresses) or they may be able to steal or divert funds. There is risk transfer available for the financial loss elements of both scenarios.

The entity using the NFC technology to offer or enhance their services may incur substantial expenses upon loss of sensitive information, such as the cost of a forensics investigation, notification, and provision of a call center and credit monitoring. This can also include other fraud remediation services to affected parties, like legal and public relations consultation expenses. The breached entity may even be susceptible to third-party claims and regulatory investigations depending on the circumstances. On the other hand, the breached entity may lose the funds that were to be transferred during the transaction.

Insurance solutions are available for the majority of third-party liability and first-party expenses, although it is important to analyze your coverage forms since all of the financial loss elements associated with a breach may not be covered by the same policy. Risk managers should assess the specific elements of financial or economic loss they are willing to retain versus those they need to transfer.

What advice would you give to companies that are beginning to consider using near field communication technology?

Larry Collins: The advice we offer is that companies should manage the exposure the same way they manage any other risk management exposure. Near field communications is great technology. However, existing privacy and security regulations — and there are many — apply to this new technology, too. If your company processes this kind of data, you have to maintain the confidentiality, integrity and availability of the data you capture. Make sure that the ultimate owner of the data — the customer themselves — is aware that you have it, that he has given his permission for you to have it, and that you use it as intended.

NFC technology is great — just make sure your company is managing the privacy and security exposures properly.

The Benefits and Limitations of Cyberinsurance

(The following is a guest post for the Risk Management Monitor written by Rick Kam, president and co-founder of ID Experts, a provider of data breach solutions.)

The Information Age. The Digital Age. The Computer Age. Whichever name you use, we’re in an era where many companies’ most valuable asset is information, from consumer buying habits to patient diagnoses to scientific data. At the same time, this asset also comes with a burden: companies are responsible for safeguarding the information they hold.

Given the almost immeasurable amount of information produced today—something often called “Big Data”—the task can become overwhelming.

Data privacy laws such as the Gramm–Leach–Bliley Act in the financial sector and the Health Insurance Portability and Accountability Act (HIPAA) for health care are designed to protect customers in the event their information is compromised, most often during a data breach. Data breach notification laws, starting with California’s SB1386 in 2003, raised the legal and financial stakes for companies holding sensitive data. Since then, class action lawsuits and regulatory fines have become synonymous with data breaches. For instance, under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, health-care organizations could face up to $1.5 million in fines for violation of the HIPAA privacy and security rules.

In addition, new trends such as outsourcing data processing to cloud providers and the increased use of personal mobile devices to conduct business have greatly increased the risk of a data breach, since data are now in less-secure environments.

Statistics prove that data breaches are occurring more frequently, rising 32% in the health-care sector, according to a study on patient privacy and data security by the Ponemon Institute. InformationWeek reported that 419 data breaches were publicly disclosed in 2011 in the United States, with a combined 22.9 million records exposed, based on a study from the Identity Theft Resource Center.

The Benefits of Cyberinsurance

To help bear the costs associated with data breaches, some companies are turning to cyberinsurance as part of their overall risk management strategy. These organizations have discovered several advantages to having cyberinsurance.

1. Closing the Gap Between Traditional Coverage and Current Needs
Some cases have indicated that traditional commercial liability insurance only covers liability arising out of “tangible” property, for instance the server on which data is stored, rather than the data itself, says David Navetta, a founding partner of Information Law Group.

Traditional policies also do not explicitly cover first-party breach notification costs. This could leave a significant gap in coverage of an organization’s digital assets, exposing them to the full costs of a data loss event. Cyberinsurance was designed to cover that gap. According to The Betterley Report, cyberinsurance typically provides coverage for: (1) liability for data breach or loss of data, (2) remediation costs to respond to a breach, and (3) regulatory and legal fines and penalties.

2. Offsetting the Expenses of a Data Breach
Given their unpredictable nature, data breaches are difficult to budget for. The size, scope, and complexity of each data breach vary widely. The breach of protected health information (PHI) can be particularly costly, given strict notification requirements, the potential for fines from multiple regulatory agencies, and specialized medical identity monitoring and recovery services.

Many organizations have found that cyberinsurance helps cope with unexpected expenses and bear some of the data breach costs, especially the costs around data breach notification. Typical breach coverage includes: forensics investigations, legal fees (during and after response), data analysis, communication (notification letters, call center and regulatory notices), identity monitoring (i.e., credit monitoring), identity restoration services, public relations, regulatory fines, and legal settlements.

3. Providing Resources for Data Breach Response
Many carriers, either through informal referrals or a panel of approved vendors, offer resources to companies facing a data breach. Often, this includes a breach coach, an attorney who guides the insured through the breach response process and seeks to limit the organization’s legal exposure.

In addition, insurers may be able to provide referrals for a range of service providers including forensics, data breach notification, legal and PR, often at a pre-negotiated, discounted rate. Sometimes the use of approved vendors can increase coverage limits. Some companies find it convenient to use these vendors rather than shop around for their own data breach services provider. The other benefit to using a carrier’s resources is that of experience. A company’s legal counsel, for example, may not have experience in the data breach/privacy sector.

The Limitations of Cyberinsurance

As with all types of coverage, cyber liability insurance has limits. The following are three that every potential policyholder should understand.

1. Limits on Coverage
Not all policies are the same. What one may cover, another will not. For instance, some breaches are caused not by the data “owners” but by a third-party service provider, such as a cloud provider. In the health-care sector, the data owners (often hospitals or insurance providers) are often liable for the breach of protected health information caused by their business associates.

Another example: Companies with data breaches that cover multiple states face different notification laws. While the company may want to provide the same notice to all affected individuals, the insurer may not cover the cost of notification in states where it is not legally required.

Another variance is the source of a breach: Does a policy only cover “technical breaches,” such as the loss of a computing device or unauthorized access of a company’s systems? Other factors that affect coverage may include the types and amounts of fines or penalties levied or other actions by regulators that affect the outcome of a data breach.

2. Limits on Choice
The terms of a cyberinsurance policy may restrict the way an organization responds to a data breach. For instance, it may cover only credit monitoring services for the breach of protected health information, which instead requires the monitoring of a patient’s medical identity, not their credit.

Cyberinsurance policies may also limit the choice of vendors when responding to a data breach. Many companies may prefer to use providers with whom they have an existing relationship, such as legal counsel, but are required to use the services of a preapproved vendor. Such limitations can impact the quality of a data breach response. For instance, the use of a foreign call center to manage the breach of sensitive data such as mental health records could be subpar.

3. Cannot Replace the Need for Data Protection
Even with the most comprehensive cybercoverage, companies still have the responsibility to improve their internal privacy and security measures. Ultimately, prevention is still the best form of insurance against a data breach. All organizations should regularly assess their privacy and security risks and then take actions to mitigate the identified gaps.

Additionally, all departments, from IT to human resources, should develop and regularly review their “Incident Response Plan.” This plan must provide an effective, cost-efficient means of helping the organization meet statutory requirements and develop guidelines related to data breach incidents.

Given the increasing complexity and likelihood of data breaches, companies are finding cyberinsurance provides a measure of security. Cyberinsurance, unlike traditional insurance, is designed to meet the needs of companies in the digital age.

As with all types of coverage, however, cyberinsurance has its limitations.

Companies would do well to thoroughly research all their options before deciding to invest in cyberinsurance or other means of data breach prevention.
