A Few Thoughts on the Consumer Litigation Settlement in the Target Data Breach Case

Many thanks to CSO Online and Michael Santarcangelo (@catalyst) for his excellent synopsis of our conversation regarding the recent settlement of the Consumer Litigation in the Target data breach lawsuit (note, the more substantive Financial Institutions Litigation has not settled).

Please give the full article a read and also give a shout-out to Michael on his Twitter and let him know what you think so he’ll call me again sometime! :)

What security leaders need to know about the Target breach settlement

-Shawn

New Podcast: #DtSR Episode 130 – Where Law and Cyber Collide

I really appreciate the #DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] inviting me to tag along for another episode of the Down the Security Rabbit Hole podcast.

In this episode we discuss the following:

  • Traveler’s Insurance files suit against a web development company for failing to provide adequate security, resulting in a breach of one of its customers
  • FTC goes after LabMD for a data breach
  • Social media company TopFace pays a ransom to hackers

Go HERE for more details and to listen to the Podcast!

Will Changes to the CFAA Deter Hackers? | Norse DarkMatters

Read my latest post on Norse’s DarkMatters: Will Changes to the CFAA Deter Hackers?

#SonyHack: Will Executives’ Embarrassing Emails Better Motivate Cybersecurity Change?

Sitting in the Miami airport at 5:00 am I am reading news updates on the #SonyHack and a thought just occurred to me:

Previously, many of us preaching the “you better take your company’s security seriously” message to the C-Suites have been wondering if it would take a court decision finding C-Levels or Board members personally liable before they would fully appreciate the significance of cybersecurity risk to their companies.

In reading the articles about how the Sony Hackers are releasing Sony Executives’ entire email folders and all of the personally and professionally embarrassing email conversations they have exchanged, it makes me wonder if this will not do more damage to their professional reputations and careers than anything. And, if it does, does that mean that this may ultimately exert as much or more pressure on them (and other executives who are watching) to put more emphasis on cybersecurity in their companies when the risk to company message has not been working?

If there is one thing we know about human nature, it is that self-interest always prevails … will it here as well?

The Best Evidence Why Your Company Needs a CISO Before a Data Breach

“The proof is in the pudding,” goes the old saying.

When it comes to the organizational changes companies make following a data breach, if the proof is in the pudding, then the verdict is clear: companies should hire a Chief Information Security Officer (CISO) before they have a data breach.

Why?

According to this article in USA Today, companies usually tend to hire CISOs after they have had a data breach. After?

Yes. They do this because they do not want to have another data breach and, after feeling the sting from the first, they are finally willing to invest more resources so that they do not have another data breach.

There is another old saying to remember: “Wise men learn from their mistakes, but wiser men learn from the mistakes of others.” (author unknown)

As your company’s leader, which will you be?

The Art of Data Security: How Sun Tzu Masterminded the Home Depot Data Breach

Sun Tzu taught that, when it comes to the art of data security, you must be wary of your business associates and other third parties.

Why?

Have you heard that Home Depot had a data breach? That hackers were able to exfiltrate 56 million payment cards and 53 million customer email addresses from its systems? Did you hear what may be the biggest news of all, the news that was announced earlier today (11/6/14)?

Do you know what that news has in common with the other “big breach event” from roughly a year ago?

Have you heard of the national retailer that was hit with a perfectly timed cyber attack on Black Friday ’13 that resulted in credit card data from roughly 110 million customers being taken? That company has now spent over $61,000,000 as a result of the data breach and will spend much more. It is facing new lawsuits weekly, its net earnings are down, earnings per share are down, and its sales are down. The company is Target. Target, however, was not attacked directly.

Do you know how both Home Depot’s and Target’s computer systems were attacked?

In both cases, cyber criminals obtained third-party vendors’ access credentials to the “big boys” and used those credentials to get inside the network environment, past the firewalls and much of the security perimeter. Once on the inside, they then used custom-built malware to execute the heist of the valuable data they were seeking all along.

Home Depot also said today that the criminals used a third-party vendor’s user name and password to reach the perimeter of its network, then gained additional rights to navigate the company’s systems. (Bloomberg)

What did Sun Tzu teach us about this technique?

In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.

You can be sure of succeeding in your attacks if you attack places which are not defended.

The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.

Most businesses focus their energy on securing their own networks but focus very little on examining the networks of their business associates and other third parties that they allow to access their networks.

Around 500 B.C. Sun Tzu taught that if an enemy — a cyber criminal — wants to attack your company’s computer network, they would be wise to do so by attacking indirectly, such as through your company’s business associates and other third parties who have access to your network. Cyber criminals may be a lot of things, but they are not dumb … the successful ones, anyway.
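The pattern described above (a vendor’s credentials used to get inside, followed by reaching systems and rights the vendor never needed) is exactly what a least-privilege review of third-party accounts is meant to catch. As an added example that is not from the original post or either company, the following Python reviews constructed authentication log lines against a per-vendor allow-list of hosts; the account names, hosts, addresses and log format are all assumptions for illustration.

```python
"""Added example (not from the original post): review third-party vendor
account activity against a least-privilege allow-list of internal hosts.
Account names, hosts, addresses and the log format are constructed."""
import re

# Constructed allow-list: the only internal hosts each vendor account may touch.
VENDOR_SCOPE = {
    "hvac-vendor": {"bms-portal"},
    "pos-support": {"pos-gw-01", "pos-gw-02"},
}

# Constructed log lines: <timestamp> user=<acct> src=<ip> host=<host> event=<type>
SAMPLE_LOG = """\
2014-11-06T01:12:03 user=hvac-vendor src=203.0.113.7 host=bms-portal event=login
2014-11-06T01:14:40 user=hvac-vendor src=203.0.113.7 host=fileserver-02 event=login
2014-11-06T01:15:02 user=hvac-vendor src=203.0.113.7 host=fileserver-02 event=priv_escalation
2014-11-06T02:30:11 user=pos-support src=198.51.100.4 host=pos-gw-01 event=login
2014-11-06T02:31:50 user=pos-support src=198.51.100.4 host=ad-dc-01 event=login
2014-11-06T03:00:00 user=employee1 src=10.0.0.5 host=ad-dc-01 event=login
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) host=(\S+) event=(\S+)$")


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield dict(zip(("ts", "user", "src", "host", "event"), m.groups()))


def review_vendor_activity(log_text, scope=VENDOR_SCOPE):
    """Return (ts, user, reason, host) alerts for vendor accounts that reach a
    host outside their allow-list or elevate privileges. Accounts not in the
    scope table are internal users and are ignored by this check."""
    alerts = []
    for rec in parse(log_text):
        allowed = scope.get(rec["user"])
        if allowed is None:
            continue  # not a third-party account
        if rec["host"] not in allowed:
            alerts.append((rec["ts"], rec["user"], "out_of_scope_host", rec["host"]))
        if rec["event"] == "priv_escalation":
            alerts.append((rec["ts"], rec["user"], "vendor_priv_escalation", rec["host"]))
    return alerts


if __name__ == "__main__":
    for alert in review_vendor_activity(SAMPLE_LOG):
        print(*alert)
```

The same allow-list is what a network access policy should enforce up front; the review is the check that the policy actually held.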

Target learned.

Home Depot learned.

Will your company?

Stay wary, friends.

Yes, I will mention this post in tomorrow’s seminar on data breach! “Who’s Gonna Get It?”

This is one of my favorite and my most popular posts ever — and you better believe I will find a way to mention it to this group of CEOs to help them understand why it is important to take seriously the data security threat!

Data Breach – Who’s Gonna Get It? | business cyber risk | law blog.