Legal Technology News - E-Discovery and Compliance Blog

Security, Hacking, Code

November 20, 2012

Can CyberInsurance Shore Up Data Insecurity?

Baker Hostetler partner Judy Selby asks, "What do Sony Corp.'s PlayStation Network, Zappos.com, Hannaford Bros. Co.'s grocery stores, and South Carolina's Department of Revenue all have in common?"

If you answered serious data breaches involving the personal and financial information of over 100 million users, 24 million customers, and 3.6 million unencrypted Social Security numbers respectively, you get the gold star.

But now that data breaches are rampant — with a Ponemon Institute survey reporting 50 organizations experiencing 72 cyberattacks per week — not to mention the compliance issues these attacks raise with federal laws such as the Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley, what are corporate entities expected to do about it?

Selby suggests that some of the issues raised by cyberattacks can be met by the aptly named "cyberinsurance." While some may see hype and scareware in this growing line of coverage, Selby lists some of the benefits of cyberinsurance policies, which range from coverage for violations of privacy laws, including the fines they carry, to "cyber-extortion" coverage, which meets the expenses of a threat to disrupt a company's (or law firm's or government agency's) computer systems. Coverage is also available for threats to or attacks on a policyholder's reputation.

Another area covered under the cyberinsurance umbrella is cloud computing, since, as Selby writes, "Cloud customers may not be able to contractually transfer the risk of data breaches to the provider." Some might argue that if a cloud provider doesn't have its own policy in place for cyberattacks, you shouldn't sign the contract and should seek out a safer cloud. Others might counter that you should find coverage where you can.

Read the full article on LTN online.

Image by Dan Hilowitz

June 19, 2012

Keystroke Analysis Could Replace Passwords

The way you type on your computer's keyboard is as unique as your handwriting, and may even be a matter of national security, an Iowa State University engineering professor says.

In the land of digital investigations, investigators and data collectors may find, in the not too distant future, the need for a custodian to stand by to enter their password for system access.

The U.S. Defense Department, which is looking for better ways than hacker-prone passwords to protect its systems, has put a $500,000 research grant behind the bet that ISU Professor Morris Chang is right. Chang, an associate professor of electrical and computer engineering who was recently quoted in USA Today, said we all take unique pauses between keystrokes, especially when typing complicated words. "When you spell a particular word, you may have a tendency to pause at a certain character," Chang said. "Your pause would be different than mine."

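
As an added illustration of the principle Chang describes (an example written for this page, not code from Chang's research or from ISU), the following Python sketch builds a timing profile of a user typing a fixed phrase from the gaps between consecutive key presses, then scores a new typing sample against it. All timestamps are constructed sample data; the eight-character phrase, the acceptance threshold and the 10 ms floor on per-gap variance are assumptions, and a real system would use many more enrollment samples and richer features (key hold times, digraph-specific statistics).

```python
from statistics import mean, pstdev

# Constructed sample data: millisecond timestamps of successive key-down events
# while one user types the same eight-character phrase three times. The long
# gap before the fifth character models the characteristic "pause at a certain
# character" Chang describes. These numbers are invented for illustration.
ENROLLMENT_SAMPLES = [
    [0, 120, 250, 360, 660, 785, 900, 1020],
    [0, 130, 255, 375, 695, 815, 940, 1050],
    [0, 125, 260, 375, 685, 815, 935, 1050],
]
GENUINE_ATTEMPT = [0, 128, 254, 372, 677, 799, 917, 1029]   # same user, same rhythm
IMPOSTOR_ATTEMPT = [0, 115, 235, 360, 490, 610, 725, 845]   # knows the phrase, lacks the pause

# Assumed floor on the standard deviation (ms) so a few near-identical
# enrollment samples do not make the profile unrealistically strict.
MIN_STDDEV_MS = 10.0


def flight_times(timestamps):
    """Gaps between consecutive key presses, the feature the text describes."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def enroll(samples):
    """Build a per-gap (mean, stddev) profile from several typings of one phrase."""
    gaps = [flight_times(s) for s in samples]
    if len({len(g) for g in gaps}) != 1:
        raise ValueError("all enrollment samples must have the same length")
    profile = []
    for position in range(len(gaps[0])):
        column = [g[position] for g in gaps]
        profile.append((mean(column), max(pstdev(column), MIN_STDDEV_MS)))
    return profile


def score(profile, timestamps):
    """Mean absolute z-score of an attempt's gaps against the profile (lower = closer)."""
    gaps = flight_times(timestamps)
    if len(gaps) != len(profile):
        raise ValueError("attempt length does not match enrolled phrase")
    return mean(abs(gap - mu) / sigma for gap, (mu, sigma) in zip(gaps, profile))


def verify(profile, timestamps, threshold=2.0):
    """Accept the attempt if its average deviation is within `threshold` stddevs (assumed)."""
    return score(profile, timestamps) <= threshold


PROFILE = enroll(ENROLLMENT_SAMPLES)

if __name__ == "__main__":
    for label, attempt in (("genuine", GENUINE_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)):
        print(f"{label}: score={score(PROFILE, attempt):.2f} accepted={verify(PROFILE, attempt)}")
```

The threshold trades false rejections of the real user against false acceptances of someone who has learned the phrase; in practice it is tuned on held-out samples to a target error rate, and keystroke rhythm is layered on top of another factor rather than used alone.
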
February 21, 2012

Foreign Cyberthieves Stole 867 Terabytes in 2011

Jaw-dropping article in The New York Times, "How Much Have Foreign Hackers Stolen?" The takeaway is that as hackers improve their capabilities, and as Americans migrate to a mobile workplace, the problem has grown worse. It is far easier to steal trade secrets when Americans carry them around on their mobile devices.

Tom Kellermann, chief technology officer at AirPatrol, a wireless security company, is quoted in the article as saying: "We never let go of these things. We work with them; we even sleep next to them. That's the dark side of Web 3.0. Once someone hacks your device, they don't just hack the back end, they hack your network. They can turn your camera and microphone on. They can hack your whole life."

See EDD Update, "Mobile Security — Tips to Safeguard Your Devices," and The New York Times article, "Traveling Light in a Time of Digital Thievery."

Image by Clipart.com

December 23, 2011

Mobile Security - Tips to Safeguard Your Devices

Mobile devices pose significant risks for sensitive corporate information. As lawyers become more dependent on mobile devices for their practice, they need to be cognizant of the significant security risk these devices present.

ViaForensics recently released its latest 80-page Mobile Security Risk Report. The risk on both Android and iPhone is amplified by the fact that these devices tend to hold personal information for a long time by design, i.e., nothing is ever truly deleted.

Mobile devices have become easy to hack by remote exploits because of all the applications loaded on them. Hackers can now remotely jailbreak and root a device over the network, which essentially provides the hacker with unrestricted access to the entire file system of the target mobile device.

The rush to develop user-friendly apps has come at the expense of security. These apps collect and store a tremendous amount of information. Even apps that appear to ask for no permissions during installation can become a back door to your phone. Check out appWatchdog for an objective analysis of various publicly available mobile apps.

Encrypting information on your device is not foolproof, because encryption on both the iPhone and Android can be broken with minimal effort. Additionally, it is not that difficult to extract data from a passcode-protected device.

To protect your mobile privacy:

1. Be cognizant of what you install on your phone and who the company is that makes the app.

December 09, 2011

2012 Top Cybersecurity Trends You Should Worry About

Imperva, which offers data security services, has predicted its top nine cybersecurity trends for 2012.

Hacking, the company notes, is inherently innovative — which has caused security to evolve dramatically from just one year ago. Because of that, Imperva expects to see security decisions driven not by compliance but by security.

In the past, compliance regulations and standards such as those of the PCI Security Standards Council, Sarbanes-Oxley, and data privacy acts fed security budgets. However, as one CIO put it, “Security is not about surviving the audit.” It's about data security.

Regulations intended to set minimal security standards make it too costly for organizations to respond on a regulation-by-regulation basis. Instead, they should implement security based on their needs and then evaluate whether they have done enough in the context of each regulation.

Additionally, IT departments are shifting security strategy from trying to control data at the source to regulating user devices, such as smartphones, tablets and personal laptops. Imperva's analysts expect this tactic will have limited success. Instead, companies should focus on the data stores and provide strict access control.

Finally, Imperva predicts that with increased supply of and demand for sensitive corporate IP, the so-called "cyber crime broker" will rise, matching buyers looking for stolen data with sellers of the data. Scary stuff for attorneys and their clients when dealing with highly sensitive corporate data that will be leaving the corporate firewall for processing and review.

The full report is available here.

December 02, 2011

Into the Breach

Corporate counsel must carefully monitor data security breaches and take steps to protect their company's data, say Goldberg Segalla's Soo-young Chang & Daniel Gerber. Read more here.

Image: Clipart.com

September 20, 2011

High Technology Crime Investigation Association

About 400 people attended last week's High Technology Crime Investigation Association (HTCIA) annual conference in Indian Wells, California. Nuix and AccessData were the only two e-discovery vendors making an appearance, and Craig Ball was there entertaining and educating attendees with his popular computer forensic jeopardy game show.

There was a big showing of vendors offering mobile forensic products that can search and extract mobile data, including geo-location data. The lectures highlighted how mobile devices are quickly becoming a security nightmare for companies as their capabilities continue to expand. Additionally, forensic companies are having a hard time keeping up with all the iPhone and Android clones coming out of China on an almost weekly basis.

Speaking of China, there was a great lecture by Camilla Herron, who runs the worldwide brand protection program for Monster Cable products, on "Doing Business in China: Why We Don't Belong There." China continues to lead in software piracy, censorship, IP theft, pollution, product clones, bribery, and corruption — the list goes on and on. A good reason to support "Made in the USA" products.

The 2012 HTCIA International Training Conference and Expo will be in Hershey, Pa.

Image: Clipart.com

September 08, 2011

The Password is Dead

A recent study from the DEFCON conference stated, "with $3,000 dollars and 10 days, we can find your password." Next year, it is predicted, the time and amount needed to hack a password will drop to 30 dollars and less than one day. By year three, it will literally cost nothing!

Making passwords longer and more complex has only delayed the inevitable death of the password and created headaches for users struggling to keep up with all the passwords they create. It's time for two-factor authentication - separating authentication keys into different factors so attackers must compromise multiple targets to gain access.

Businesses have been reluctant to migrate to stronger authentication because of cost and difficulty. With hacking attacks increasing and passwords becoming easier to crack, it is negligent for businesses to wait any longer.
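
To make the "different factors" idea concrete, here is an added Python example (written for this page, not taken from the post or from any vendor) of a login check that requires both a password the user knows and a time-based one-time code from a device the user holds, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The account record, the demo password and the fixed all-zero salt are constructed test data; the shared secret is the RFC 6238 test-vector secret, not a real credential; and the PBKDF2 work factor and the one-step clock-skew window are assumptions.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor


# --- Factor 1: something the user knows, stored only as a salted hash ---
def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password, salt, expected_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected_digest)  # constant-time compare


# --- Factor 2: something the user has, a TOTP code from a device holding `secret` ---
def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def check_totp(secret, submitted, unix_time, step=30, window=1):
    """Accept the code for the current step or `window` adjacent steps (clock skew)."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * step, step), submitted):
            return True
    return False


# Constructed demo account. The zero salt is only for reproducible output;
# hash_password() picks a random salt when none is given.
DEMO_SALT, DEMO_HASH = hash_password("correct horse battery staple", salt=bytes(16))
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret


def authenticate(password, code, unix_time):
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    password_ok = check_password(password, DEMO_SALT, DEMO_HASH)
    code_ok = check_totp(DEMO_TOTP_SECRET, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; a real server uses int(time.time())
    print("password alone, bad code:", authenticate("correct horse battery staple", "000000", now))
    print("password + current code:", authenticate("correct horse battery staple", totp(DEMO_TOTP_SECRET, now), now))
```

A stolen password fails on its own because the second factor lives on a separate device, which is the "multiple targets" the post refers to; a production server would additionally record the last time step it accepted for each user so that an intercepted code cannot be replayed within the skew window.
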

August 06, 2011

Blackhat Conference: Beware of a False Sense of Security

Last week Blackhat held its annual information security conference in Las Vegas. The conference brings together security experts, researchers, analysts, and hackers (the good ones) for briefings and training on tomorrow's information security landscape and threats.

The vendors attending are all about monitoring, detecting, testing, and defending corporate and government computer assets against the latest cybersecurity threats and terrorism. These so-called "advanced persistent threats" include data manipulation, eavesdropping, data theft, sabotage, and denial of service.

Founder and director Jeff Moss provided the opening remarks, observing that while cyber threats are increasingly sophisticated, complex, and volatile, there is a raised awareness among organizations and international governments about the necessity of cybersecurity. In fact, McAfee reported that 49 of the 72 hacked companies during the last five years were in the United States — and that's the tip of the iceberg! It is agreed that currently the attacker has the advantage.

The keynote speaker on day two was Peiter "Mudge" Zatko, program manager in the Information Innovation Office at the Defense Advanced Research Projects Agency (DARPA). Zatko made an interesting point that over the last decade, the lines of code used to defend against security breaches have grown from a few hundred to more than 10,000, while the lines of code hackers use have remained constant — in the low hundreds. Our response to cybersecurity threats needs to be completely overhauled if we are going to stay ahead of the increasingly sophisticated hacking groups saturating the internet, he said.

In a briefing on Microsoft Windows vulnerabilities, it was pointed out that every time you install new software on your computer, you weaken it and increase the vulnerability of the system. In other words, adding more software increases the landscape for a hacker to play in and find system vulnerabilities. Even security tools used to harden systems can provide nice rabbit holes for hackers to hop into and gain access to your system.
