Week 3 Post – Truecrypt Drive & File Encryption

I used the open source TrueCrypt for years to encrypt a few files, and some may remember when its developers abandoned the project in May 2014 with a warning that the software “may contain unfixed security issues.”  As reported by the Krebs on Security blog, the notice posted on the TrueCrypt site read:  “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

On ExtremeTech, Joel Hruska reported in 2015 that security researcher “James Forshaw found two critical bugs in the program that could compromise an end-user’s machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could’ve been sufficient to allow an attacker to capture the drive’s encryption key, depending on how good the end-user’s security practices were.”

Hruska continues: “We’ll never know why TrueCrypt’s authors left the project. Clearly these bugs, while significant, can still be fixed without compromising the system. Equally clearly, VeraCrypt was able to solve them in short order, once Forshaw drew attention to them.”

After reading about these concerns, I switched to VeraCrypt, a fork that keeps the same interface look and feel TrueCrypt had and can still open any existing TrueCrypt containers or volumes you may have.  It remains freely available as open source software.  VeraCrypt’s home page (at the time of writing) can be found at:

https://veracrypt.codeplex.com/
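As an added example (not from the original post and not VeraCrypt’s own code), the Linux shell script below performs the migration the TrueCrypt notice recommends: it opens a legacy TrueCrypt container using VeraCrypt’s TrueCrypt mode, creates a fresh VeraCrypt container, copies and verifies the files, and dismounts both.  The container paths, mount points and volume size are assumptions chosen for illustration; the command-line switches are those of VeraCrypt’s text-mode interface.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): migrate a legacy TrueCrypt
# container into a new VeraCrypt container with the VeraCrypt CLI on Linux.
# All paths, mount points and the size below are assumed values.
set -eu

OLD_TC="${OLD_TC:-$HOME/legacy.tc}"      # assumed: existing TrueCrypt 7.x container
NEW_VC="${NEW_VC:-$HOME/vault.hc}"       # assumed: VeraCrypt container to be created
MNT_OLD="${MNT_OLD:-/media/tc-legacy}"   # assumed mount points
MNT_NEW="${MNT_NEW:-/media/vc-vault}"
NEW_SIZE="${NEW_SIZE:-209715200}"        # assumed: 200 MiB in bytes, >= old volume

# Arguments that open a TrueCrypt-format volume.  --truecrypt makes VeraCrypt
# read the old header format with TrueCrypt's (much lower) key-derivation
# iteration count for this one mount; without it the legacy volume will not
# open.  No --password is given on purpose: VeraCrypt prompts for it, so the
# passphrase never lands in shell history or in `ps` output.
tc_mount_args() {            # $1 = container path, $2 = mount directory
  printf '%s' "--text --truecrypt --keyfiles= --protect-hidden=no $1 $2"
}

# Arguments that create a standard (non-hidden) VeraCrypt volume: AES, SHA-512
# for header key derivation, FAT filesystem, PIM 0 (VeraCrypt's full default
# iteration count).  Note there is no --truecrypt here: the new container uses
# the VeraCrypt format, which is the point of the migration.
vc_create_args() {           # $1 = container path, $2 = size in bytes
  printf '%s' "--text --create $1 --size=$2 --volume-type=normal --encryption=AES --hash=sha-512 --filesystem=FAT --pim=0 --keyfiles= --random-source=/dev/urandom"
}

# Arguments that mount the new VeraCrypt volume (PIM 0 = default iterations).
vc_mount_args() {            # $1 = container path, $2 = mount directory
  printf '%s' "--text --keyfiles= --protect-hidden=no --pim=0 $1 $2"
}

migrate() {
  command -v veracrypt >/dev/null || { echo "veracrypt not installed" >&2; return 1; }
  [ -f "$OLD_TC" ] || { echo "no TrueCrypt container at $OLD_TC" >&2; return 1; }
  [ ! -e "$NEW_VC" ] || { echo "refusing to overwrite $NEW_VC" >&2; return 1; }
  mkdir -p "$MNT_OLD" "$MNT_NEW"

  # Word-splitting of the argument strings is intended (paths without spaces).
  veracrypt $(tc_mount_args "$OLD_TC" "$MNT_OLD")
  veracrypt $(vc_create_args "$NEW_VC" "$NEW_SIZE")
  veracrypt $(vc_mount_args "$NEW_VC" "$MNT_NEW")

  # Copy preserving attributes, then verify byte-for-byte before the old
  # volume is touched; diff -r exits non-zero (and set -e aborts) on mismatch.
  cp -a "$MNT_OLD"/. "$MNT_NEW"/
  diff -r "$MNT_OLD" "$MNT_NEW"

  veracrypt --text --dismount "$MNT_OLD"
  veracrypt --text --dismount "$MNT_NEW"
  echo "migrated $OLD_TC -> $NEW_VC; confirm the new volume opens, then retire $OLD_TC"
}

if [ "${1:-}" = "--migrate" ]; then
  migrate
fi
```

Run it as `./migrate.sh --migrate`; VeraCrypt prompts for each passphrase itself.  Keep the old container until you have confirmed the new one opens and `diff` reported nothing, then delete it, bearing in mind that overwriting tools such as `shred` give no real guarantee on SSDs or journaling filesystems.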


References

Krebs, B. (2014, May). True Goodbye: ‘Using TrueCrypt Is Not Secure’. Krebs on Security. Retrieved April 03, 2016, from http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

Hruska, J. (2015, September 30). Critical TrueCrypt security bugs finally found. ExtremeTech. Retrieved April 03, 2016, from http://www.extremetech.com/computing/215285-critical-truecrypt-security-bugs-finally-found

Week 2 Post – How long have the hackers been in my business?

When we think about crime, we tend to picture something violent that happens suddenly and is over quickly.  Take a typical bank robbery.  The robbers might case the place for a while, and there may be long, careful planning for the “perfect job”; sometimes it is simply a crime of opportunity with little planning at all.

The nearly constant factor is that the crime itself takes a few minutes at most; then the robbers flee as fast as they can with their loot before law enforcement arrives and boxes them in.

Now look at the Target stores data breach.  According to various sources, about 40 million credit and debit card numbers were exposed, and up to 70 million names, addresses and other pieces of personal information may have been taken (Bloomberg, 2014).  Sources familiar with the investigation said the attackers first broke into Target’s network on Nov. 15, 2013 (Krebs on Security, 2014).  Krebs on Security first reported the breach on Dec. 18, and Target acknowledged it the next day, Dec. 19.  Unlike the bank robbers, the intruders had more than a month inside the network before anyone outside knew.

Charlie Osborne on ZDNet reports that “Most companies take over six months to detect data breaches.”  Osborne cites a recent study finding that it takes an “average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail.”

These high-profile breaches get most of the media coverage and attention, but they make one wonder how often small-to-medium sized organizations are being hacked, and how long the intruders stay, quietly siphoning off data.  Such organizations typically have no IT security staff looking for problems; in many cases they have no IT staff at all who would notice the signs of a cybersecurity problem.

References:

Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. (2014, March 13). Bloomberg. Retrieved March 27, 2016, from http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data

Krebs, B. (2014, February). Target Hackers Broke in Via HVAC Company. Krebs on Security. Retrieved March 27, 2016, from http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Osborne, C. (2015, May 19). Most companies take over six months to detect data breaches. ZDNet. Retrieved March 27, 2016, from http://www.zdnet.com/article/businesses-take-over-six-months-to-detect-data-breaches/

How do you convince small businesses to invest in Cybersecurity?

We’ve all seen the media coverage of big data breaches, yet they keep happening: at Target, Home Depot, the U.S. Office of Personnel Management, Anthem Insurance, Sony Pictures, and more.  Investment in information security just doesn’t seem to be as important to many organizations as it should be.  Of course, this type of expenditure doesn’t produce revenue; it is almost like buying insurance, expensive and boring.  Compliance with regulations often drives cybersecurity spending, but organizations really need to think seriously about what a data breach would mean for their operations and reputation.

What do these breaches cost?  Maybe not enough to change big business behavior.  Target estimated that its data breach cost $191 million in gross expense in 2014.  According to Fortune, “Sony estimates its breach’s financial impact has been just $15 million to date ‘in investigation and remediation costs.’ That’s barely a blip on the radar.”

We know that enterprise IT departments all provide some level of cybersecurity, but how much, and how much is enough?

Cybersecurity is getting more attention in some companies.  There is talk, and some activity, about moving the infosec role out of the IT department and giving it executive status, because cybersecurity is not all about technology.  It is about people, processes, compliance and technology.

If big business is vulnerable even with its big budgets and big data stores, how vulnerable do you think small businesses are?  Why does that matter?  Your lawyer or accountant is a small business.  You might bank at a credit union or a small bank.  How do they protect your data (and do you really think they are protecting it)?  What would it cost the reputation of a small accounting firm to lose its clients’ financial information?

References

How much do data breaches cost big companies? Shockingly little. (2015, March 27). Fortune. Retrieved March 19, 2016, from http://fortune.com/2015/03/27/how-much-do-data-breaches-actually-cost-big-companies-shockingly-little/


Hello world!

This site is for the discussion of Information Security or Cybersecurity and how it relates to small-to-medium sized businesses and organizations.  Welcome!