Anthem Breach Prompts New York To Conduct Cybersecurity Reviews Of All Insurers
In response to the data breach at healthcare insurance provider Anthem last week, New York’s Department of Financial Services (DFS) announced today that it will “integrate regular, targeted assessments of cyber security preparedness at insurance companies as part of the department’s examination process.” The Department also plans to issue “enhanced regulations” to insurance companies based in New York, but has not yet solidified what those enhancements will be.
Encryption and multi-factor authentication may be on that list. Healthcare insurers are already subject to the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), each of which has requirements about privacy and security, but neither of which explicitly requires encryption of all personally identifiable information.
My Security Thoughts – My Digital Self
Sitting here watching TV and thinking about everything that is traversing the globe, I start to wonder how often my digital self moves around this blue rock. Then I start to think about where digital me has rested or how many copies of digital me there are in the ether.
Are there full copies of digital me or partial? Maybe it is a combination of the two but I wonder how many. I am going to go with thousands. Yes there are thousands of copies of digital me running around or kicking back having a digital brew.
Now these digital representations of me are in the hands of the government (maybe I should say governments) and commercial entities. There may even be some copies in the hands of private individuals for all that I know. Though it does make me wonder why, I mean I am great and all but you have to have somebody better to collect.
With thousands of copies here, I could go off on the ‘Many Worlds’ theory in which there are infinite numbers of copies of biological me with thousands of infinite numbers of copies of digital me but I will not do that…today. No I want to think about the type of entities that hold my digital self and who I should be most worried about at this time.
First I am going to drop the private individuals from my thinking just because I do not think I have a stalker at this time and I am not that paranoid. Maybe as I get older I will bring this type back into the mix. For now I will focus on the government and corporate entities.
Of the two I am more worried about the digital me that is held by the corporate interest versus that digital me held by the government. I feel that the danger to biological me will come from the corporate interests. When I say danger I am not focusing on physical harm though it could come to that. No I am looking at mental and financial harm from the misuse of digital me.
Google, Microsoft, Apple, insurance, banking and even the fast food industry to name a few have a digital image of me that I could probably not duplicate in years. This image, this digital picture of me tracks biological me, it predicts what biological me will do. Digital me carries my various usernames and passwords. It can be used to determine what types of restaurants I like and where I travel. My health information is out there and not all of it is protected.
Health information, it is sometimes so hard to get the doctor to release health information to the patient. It is your information is it not? It took a week for me to get dental records and they charged me $20.00 and I watched as the receptionist stuck it in the machine and waited on someone else. I could have gone to Kinko’s brought the originals back and had money for KFC with a cookie dessert for two.
Ok I digress but it came to me and I had to get it out. Needless to say all this information out there can be used against me or it can be used not to my interest. The worst part of it is I don’t own digital me. Whoever owns where I am stored or transits owns me. I have knowingly in some cases given away parts of digital me for free stuff. Those loyalty cards are from the devil.
Ok enough prattle, why is this a security issue, why a cyber security issue? Well my worry is predictive behavior. The worry is that these companies will have such an excellent picture of me and that their computer models will be so accurate that they will model my behavior and sell it. What if it could predict how I choose passwords?
Now I think that I have a good method for choosing passwords but if the model is that good then maybe the model is not that good. I am not as random as I think. Am I not as secure as I thought? Are my 16 character passwords weak though they do not repeat, use letters, numbers and special characters? Can my encrypted data stored in the cloud be retrieved and unencrypted in less than a day?
Can my identity be stolen not by a breach at the local Home Depot but by purchasing digital me from Google or some unknown commercial data warehouse? Are these corporate entities making it easier?
What do you think?
Cybersecurity Expert David Kennedy of TrustedSec to Speak at ISSA-LA Seventh Annual Information Security Summit on Cybercrime Solutions – June 4
Los Angeles – February 6, 2015 – David Kennedy, founder and CEO of TrustedSec, LLC, will be the opening keynote speaker at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) Seventh Annual Information Security Summit on Thursday, June 4, 2015 at the Los Angeles Convention Center. The theme of the one-day Summit, The Growing Cyber Threat: Protect Your Business, highlights the impact cybercrime has on all organizations: business, nonprofits, government agencies, schools, healthcare and others. The Summit advances ISSA-LA’s core belief that ‘It takes the village to secure the village’ SM.
“We are privileged to have such a renowned leader in information security at our Summit,” said Summit Co-Chair Richard Greenberg, CISSP. “David is an expert resource that the media, including CNN, MSNBC, CNBC, Fox News, and BBC World News, turns to frequently for analysis of major events. He is a highly sought-after speaker, appearing at some of the nation’s largest information security conferences.”
“David is a co-author of the book ‘Metasploit: The Penetration Tester’s Guide,’ and the creator of the Social-Engineer Toolkit (SET). His presentation will be a great way to kick off the Summit,” continued Greenberg. “He has also testified in front of Congress, having the ability to speak to both technical and nontechnical audiences.”
Kennedy’s keynote topic is “INFOSEC: Fighting our way to a better tomorrow.” He will emphasize that information security isn’t a technology problem – it’s a social issue. In his talk he will be demonstrating effective measures to combat some of the main techniques attackers use in order to attack an organization.
Registration is open to anyone interested in learning more about information security but is particularly recommended for information security practitioners along with business and nonprofit executives and senior managers; business professionals in law, accounting, insurance and banking; technical IT personnel; law enforcement professionals fighting cybercrime; and faculty and students in college and university cybersecurity programs.
The Information Security Summit is part of ISSA-LA’s important community outreach program. The goal of the program is to help the community stay safe from cybercrime by enabling the necessary collaboration between business, nonprofit and community leaders, technical IT professionals, law enforcement and the information security community.
For more information on the Seventh Annual Information Security Summit and to register for the early bird special that ends February 15, please visit http://summit.issala.org.
About Los Angeles Chapter of the Information Systems Security Association (ISSA-LA):
ISSA-LA is the premier catalyst and information source in Los Angeles for improving the practice of information security. The Chapter provides educational programs for information security and IT professionals. The Chapter also conducts outreach programs to businesses, financial institutions, nonprofits, governmental agencies, and consumers. ISSA-LA is the founding Chapter of the Information Systems Security Association, an international not-for-profit organization of information security professionals and practitioners. Please follow the Chapter on Twitter at @ISSALA as well as LinkedIn and Facebook.
About TrustedSec, LLC
TrustedSec, LLC was created on the belief that the information security industry is in need of extremely tailored and niche services aimed around maturing a company’s security program. The founder, David Kennedy, started off his career working for the United States Marine Corps (USMC) intelligence community and then went on to become the Chief Security Officer (CSO) for a Fortune 1000 company. At this company, he built one of the industry’s cutting edge security programs from the ground up. For more information visit https://www.trustedsec.com.
Stanford Hosting White House Cybersecurity Summit
Stanford University will be hosting a White House summit on cybersecurity and consumer protection next month. The announcement came during remarks made by President Obama at the National Cybersecurity and Communications Integration Center (pronounced “N-kick”), a division of Homeland Security, as part of a proposal to tighten laws related to cybersecurity standards.
The one-day event is scheduled for February 13 and will bring together participants from the federal government, industry, technology, law enforcement and academia, including students. Topics will include how public and private organizations can better share cybersecurity information, how cybersecurity practices and technologies can be improved and how to expand the adoption and use of more secure payment technologies.
The Summit is one of several steps being taken by the White House in the area of digital security. Earlier this week, Obama announced a student digital privacy act that would focus on how data is used in education. Another proposal to be sent to Congress would force companies to comply with certain privacy restrictions, such as removing unnecessary personal information from their systems, and provide liability protections for organizations that share information about cyber threats. In November, the administration announced the “BuySecure Initiative,” a push for retailers and banks to implement more secure payment technologies to minimize the threat of fraud and data breaches.
“We are honored to host this White House summit…and are excited to play a pivotal role in convening experts from government, industry and academia,” said Amy Zegart, director of Stanford’s Center for International Security and Cooperation. “Stanford is very engaged in studying cyber-related issues, and we look forward to enhancing this work by sharing our expertise on the cybersecurity issues that are so critical for the United States, its consumers and its businesses.”
In November Stanford announced that it was one of three institutions that had received a $15 million grant from a private foundation to fund the launch of a new program for developing public policy that could help government, business and individuals deal with security threats.
The White House and the university said they’re still finalizing details for the summit; but the event will include keynote speeches, panel discussions and small group workshops.
About the Author
Dian Schaffhauser is a writer who covers technology and business for a number of publications. Contact her at dian@dischaffhauser.com.
Certified Penetration Testing Engineer aka CPTE [Video]
Certified Penetration Testing Engineer Mile2 CPTE Certificate
Video Directory: http://www.concise-courses.com/past/
This is a video of mile2 discussing their flagship penetration testing certification “Certified Penetration Testing Engineer” aka CPTE. mile2’s training is available online [live instructor led] or in a classroom.
My Security Thoughts by @mhbjr
As I grow older with teenage children, I find myself looking at aspects of life that have a negative bearing on security, specifically cyber security. I know that the word cyber is overused but it is in current fashion among mainstream media and such. If it bothers you just substitute information for cyber and all should be well. Now continuing with my thoughts, my current thoughts are on how cyber security is affected or will be affected by automation and religion.
Right I am thinking that cyber security is being negatively affected by automation and religion. You are probably saying to yourself that it is obvious that automation affects security since it opens up additional avenues for penetration. Network accessibility on the factory floor allowing control from across the building to across the country. We have seen how power generation with SCADA is allowing centralized control of power plants via the Internet.
So we know that automation opens the attack fabric by allowing greater access from the Internet. What I now see is that along with a larger threat venue, there is the increase in population that poses an even greater danger. You already know that the world’s population is increasing at a staggering rate. In addition to this population growth the majority of the world’s wealth is in the hands of a smaller percentage of the population. The divide in income between the rich and middle class is growing fast while the divide between the middle and the poor is shrinking and not in a good way.
Now let’s bring in the topic of religion. Most religions have the goal of procreation. The need to increase numbers is not just a human need but is seen in all aspects of life on Earth. The desire to increase one’s genetic code is a hard-wired act. Religion just puts the words behind it with the force being that God wants you to do it or you are a bad person. The person of the cloth wants the flock to increase. Increases in the flock lead to more money and/or power (more likely and versus or).
The increase in population with increase in automation means that a greater portion of the population will have no hope of contributing to society. Rather they will increasingly become a greater burden. The service industry has no hope of absorbing this sub-set of the population. Maybe it will not be a sub-set but rather a super-set of the population. We are really speaking to the increase of the disenfranchised. An increase in those who are seeking something to give meaning to their lives such that they feel that they make a difference.
News reports are showing that radicals are being created from this population. How else would one explain the ability of such organizations as ISIS being able to recruit from Western society? Our political leaders seem astounded that young men and women are being drawn to these so-called fringe elements.
Going back to the automation side, there are a number of good aspects to automation. Quality of products is greater as well as providing products that are the same with minimal variations. Automation brings efficiencies that humans will never achieve. Automation reduces the number of humans needed to produce the same number of products. Automation can reduce the amount of physical theft though as stated earlier it increases the cyber avenues for breaches. Automation also opens the door for a larger number to utilize and study computer science to further the automation trend.
Though it brings efficiencies it disenfranchises more and more which drains the hope for those individuals. What do you do for a population that cannot hope for something better? Increasingly the American dream is out of reach for those who need it most.
The problem is even worse if we think about feeding an increasing worldwide population. The number of farmers is decreasing as big agricultural entities move in to grow not just food but fuel for the energy starved industrial complex. We can’t blame the industrial complex. Their goal is to increase income and decrease cost. For industry humans are a large cost.
Historically, son would follow the father into a career field. This gave generations of factory workers or farmers. People knew the direction their lives would take. During the industrial age there was always the American dream with the house and a two-car garage.
Our religious leaders say be fruitful and multiply but they offer no solution to how to feed and direct the growing population. I realize the Bible states we should be fruitful and multiply but even Pope Francis has said that Catholics do not need to breed like rabbits.
Religion cannot ask this of people anymore. Our religious leaders need to come up with sound solutions to the problems that we face. It also cannot be a blind redistribution of wealth that will not solve the problem. It may lower the number of disenfranchised but not to a level that will relieve the pressure of hopelessness.
Ok so how am I tying this into cyber security? The Internet gives power to those without. It levels the playing field a bit for corporations big and small and for countries that don’t have a large military to project. Those with no voice in the physical world can find that they have a megaphone on the net.
Recently the Danes announced that they would be putting in approximately $74 million for a cyber offensive capability. [Defensenews.com]
The Danish military wants to get into the cyber warfare arena. I have always thought of the Danish as the other neutral guys but on the net any country can play with the big dogs.
This just leads me to the conclusion that with net access, a tiny bit of skill to cover your tracks and the Metasploit framework, anyone can be a cyber threat. With the disenfranchised growing, the threat is growing. Just my thoughts, what do you think?

