U.S. Cyber Security News Briefs
159 Million People Affected by Data Breaches in Under Three Years
DHS Head: Cybersecurity Remains a Concern
Information Security Still an Issue in Health Care
Laws Only Go So Far
Congress Moves to Limit Use of Social Security Numbers
Report: Align Disparate Security Regs Before Imposing More
How Close Is World War 3.0?
Doctors Not Adopters
Over-Confidence Is Pervasive Amongst Security Professionals
Anti-Malware Company Wins 'Spyware' Court Case |
159 Million People Affected by Data Breaches in Under Three Years
Ars Technica (08/20/07) Anderson, Nate
Research by Privacy Rights Clearinghouse (PRC) reveals exactly how common data breaches at government agencies, universities, and companies have become. According to the PRC's list, 159,105,898 records have been wrongly disclosed since 2005. Moreover, breaches continue to take place at a shocking rate and via a variety of methods. There have been at least five data breaches since May of this year alone, including a breach at a Hamburger Hamlet restaurant in Los Angeles in June in which a waitress stole credit card numbers from customers. In May, more than 300,000 people were affected when a hacker broke into a server at the Illinois Department of Financial and Professional Regulation and had access to Social Security numbers and addresses. The scope of the problem makes it a difficult one to resolve. Many network security measures are in a dismal state, particularly considering the quantity of sensitive information being amassed. While legislation establishing nationwide regulations on data collection and security has been proposed multiple times over the past few years, no significant legislation has been passed. Some data breach proposals suggested heightened penalties for identity theft, while others aimed to control the sale and utilization of Social Security numbers.
DHS Head: Cybersecurity Remains a Concern
IDG News Service (09/05/07) Gross, Grant
Michael Chertoff, Secretary of the U.S. Department of Homeland Security, spoke before the House of Representatives Homeland Security Committee and testified that DHS will continue to give the "very big issue" of cybersecurity high priority. Because the department’s cybersecurity endeavors are confidential, Chertoff simply made a short statement to assure committee members that DHS is collaborating with other parts of the government to develop an improved strategy for cybersecurity. Chertoff also acknowledged that threats to cybersecurity have great potential to harm the United States in the future. Though cybersecurity problems continue to plague the federal government, the legislators primarily focused on other issues during the meeting, urging DHS to improve in other ways, such as by filling open positions at DHS.
Information Security Still an Issue in Health Care
Investor's Business Daily (09/10/07) P. A8; Cariaga, Vance
The 2007 Global State of Information Security Survey, by PricewaterhouseCoopers, CIO magazine, and CSO magazine, shows that while health care providers have devoted more resources to information security there is still room for improvement. The survey, which included responses from 7,200 IT, security, and business executives from all industries in more than 119 countries, found that 60 percent of organizations now have an overall information strategy and a chief security officer or chief information officer, up from 43 percent in 2006. However, the time invested in practical measures is still insufficient. Less than half of health care payers do not define security baselines for external partners or vendors, and more than half do not keep accurate inventory on third parties using customer information. Almost two-thirds, 65 percent, of health care providers do not conduct a risk assessment either annually or semi-annually, and providers are almost twice as likely as payers not to classify data and information assets by risk level. Additionally, 61 percent of providers do not audit or monitor user compliance, and 58 percent have not measured or reviewed the effectiveness of security policies and procedures in the past year. Most states have adopted breach notification laws that require organizations, including hospitals and medical centers, to notify state residents if unencrypted personal information is reasonably believed to have been exposed. PricewaterhouseCoopers advisory practice partner Mark Lobel says information security is particularly important in health care because of the sensitive nature of personal medical histories.
Read More... (Subscription only)
Laws Only Go So Far
Enterprise IT Planet (08/30/07) Discini, Sonny
A raft of federal and state legislation to address the problems of data security has been proposed, but Sonny Discini writes that new laws alone cannot cover all aspects of this troubling issue. Among the proposed federal laws Discini mentions is the Data Security Act of 2007, which would require businesses as well as the federal government to alert individuals if a data security breach compromises their personal or financial information; the Cyber-Security Enhancement and Consumer Data Protection Act of 2007, which mandates that federal law enforcement officials be apprised of certain data intrusions and establish criminal and civil penalties for parties that knowingly cover up such breaches; and the Data Accountability and Trust Act, which would require companies to deploy data security programs and inform individuals affected by a data security breach. Discini also notes that the House has approved two other federal bills: The I-Spy Act would slap stiff fines and sentences on parties who intentionally use spyware in the aid of another federal crime and intentionally hack into computers, and the Spy Act would ban the collection of personal data from a computer without notice to and permission from the consumer. California's passage of a law requiring all companies based in California or that do business in the state to disclose any security breaches to each affected Californian client whose personal information has been compromised inspired a rash of similar breach notice legislation in dozens of other states. "We need to understand that the issue of data security is no longer just a technology problem but also a criminal, legal and most of all, a business problem," Discini concludes.
Congress Moves to Limit Use of Social Security Numbers
Federal Times (09/10/07) Vol. 43, No. 29, P. 15; Doolittle, Amy
Federal lawmakers have introduced numerous bills that would establish stronger restrictions on the use of Social Security numbers and how they can be accessed by nongovernmental organizations such as credit card companies. Some bills, like the Identity Theft Prevention Act, would require agencies and companies to immediately report the loss of personal data due to computer breaches, and at least three bills would prevent Social Security numbers from being displayed on documents such as government and private-sector employee ID cards, drivers' licenses, or Social Security checks. The Defense Department, the Department of Veterans Affairs, and the Centers for Medicare and Medicaid Services are the only government agencies or programs that use Social Security numbers on employee and citizen ID cards, and requiring the removal of Social Security numbers from such ID cards would likely force the Defense Department to develop a new identification system. "It is time to place some common-sense limits on the use of Social Security numbers by government and businesses in order to reduce their easy availability and ensure the privacy of this sensitive information," says Rep. Michael McNulty (D-N.Y.), who introduced one of the bills.
Read More... (Requires Subscription)
Report: Align Disparate Security Regs Before Imposing More
Federal Computer Week (08/24/07) Mosquera, Mary
Lawmakers should properly align existing data security regulations before passing more requirements, concludes a new report from the Congressional Research Service. Federal and state laws already require organizations to protect sensitive and personally identifiable information and to notify people affected by data breaches, says CRS attorney Gina Marie Stevens. "An important issue to be addressed is harmonization of these various laws in order to provide uniform protections for personal information not dependent on the owner of the information or the category of information involved," says Stevens in the report. The Privacy ACT, the Federal Information Security Management Act, and the Office of Management and Budget already establish guidelines for preventing and responding to data breaches for federal agencies, and the Veterans Affairs Information Security Act adds data security, privacy, notification, and credit protection policies for veterans and their dependents. The Health Insurance Portability and Accountability Act adds health information privacy and security. Congress may soon consider several data security bills, including the Federal Agency Data Breach Protection Act, introduced by Rep. Tom Davis (R-Va.), and a Senate version of the bill introduced by Sen. Norm Coleman (R-Minn.).
How Close Is World War 3.0?
Network World (08/22/07) Marsan, Carolyn Duffy
A series of coordinated, politically motivated cyberattacks against the Estonian government are provoking anxiety among American IT and network professionals about further incidents and what strategies should be followed to prepare for similar cyber-assaults on commercial networks. "As we move more critical infrastructure to the Internet and we depend on it more and more for communications, the threat [of cyberwar] is real," says Arbor Networks security researcher Jose Nazario. The success of the Estonian attacks and the media attention they attracted could encourage other people or groups with an axe to grind to launch similar exploits, warn experts. Most security experts say the Estonian incident was not an instance of all-out cyber warfare because there is no evidence that a government was behind the attacks. Eugene Spafford, executive director of Purdue University's Center for Education and Research in Information Assurance and Security, says authentic cyberwar would be an attempt by a country to impose its will on another, and network attacks would probably function as a complement to physical assaults. Columbia University professor Steve Bellovin believes cyberterrorists or hactivists are more likely to attack individual commercial or government targets than wage an all-out cyberwar. Security experts concur that the Estonian incident should serve as a wake-up call for CIOs, who have generally ignored the threat of politically motivated attacks in favor of profit-oriented ones. ISPs, banks, and oil and electric companies are considered ripe targets for politically motivated cyberattacks. Spafford says it is important for U.S. companies to realize that small groups of hactivists can cause considerable damage, as the Estonian attack demonstrates. The incident also shows that the strategy of acknowledging the problem and seeking help from ISPs and international governments can be successful.
Doctors Not Adopters
Washington Times (09/06/07) Lopes, Gregory
Although electronic prescribing recently became legal nationwide, physicians have been reluctant to surrender their pen and paper in favor of a more technologically advanced solution. E-prescribing could potentially eliminate a large amount of medical errors by replacing handwritten prescriptions with safer, easier-to-read electronic messages. The Institute of Medicine estimates that technological health care innovations such as e-prescribing prevent about 1.5 million medication errors annually in the United States. In 2001, the National Community Pharmacists Association and the National Association of Chain Drug Stores founded SureScripts, the largest provider of electronic prescribing services. SureScripts created the Pharmacy Health Information Exchange, which allows physicians and pharmacists to exchange prescription information electronically, including new prescriptions and refill requests. The Pharmacy Health Information Exchange can also be used by physicians to access patients' medical records, depending on states' privacy laws. Currently, fewer than 30,000 prescribers in the United States, out of the nation's more than 900,000 prescribers, use e-prescribing systems, according to the Gorman Health Group. If current trends continue, e-prescribing will account for only 7 percent of all prescriptions by 2010.
Over-Confidence Is Pervasive Amongst Security Professionals
CSO Online (09/11/07)
Security executives may be becoming overconfident when it comes to cyber threats, according to the results of the 2007 E-Crime Watch Survey, which was conducted with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute's CERT Program, and Microsoft. The study found that while 57 percent of the 671 respondents said they are increasingly concerned about the potential effects of e-crime, 69 percent said they have reduced spending on IT security by 5 percent and corporate security by 15 percent. The survey also found that 37 percent of security executives believed that cybercrimes committed by people outside of their organization caused the most damage, compared with 34 percent who said insider crimes caused the most damage. As a result, many executives are doing less to address insider threats. Background checks were used by 57 percent of organizations this year, down from 73 percent last year, while 84 percent of organizations used account/password management policies this year, down from 91 percent last year. The survey also revealed that most e-crimes, whether committed by an insider or an outsider, are handled internally without involving legal action or law enforcement. When asked why they did not pursue legal action against the perpetrators of e-crimes, 40 percent said that the damage level was insufficient to warrant prosecution, 34 percent said there was a lack of evidence, and 28 percent said they could not identify the individuals responsible.
News Abstracts © Copyright 2007 INFORMATION, INC.