THE STATE OF INFORMATION SECURITY: REGULATIONS, RISKS AND EVOLVING THREATS

FEATURING

Government: The Insider Threat (p. 12)

Banking: Cyber-Attack Trends to Watch (p. 18)

Healthcare: Protecting Patient Data (p. 24)

Information Security and Risk Management News & Insights February 2014

SecurityAgenda


CONTENTS

The State of Information Security

Regulations, Risks and Evolving Threats (p. 10)

Government: The Insider Threat (p. 12)

Post-Edward Snowden, how are U.S. government agencies taking the lead on establishing effective insider threat programs? And what lessons can other sectors draw?

Financial Services: Trends to Watch (p. 18)

When it comes to cyberthreats, what are the major concerns for banking institutions in 2014? Learn about emerging threats and mitigation strategies.

Healthcare: Regulatory Pressure Intensifies (p. 24)

In the wake of the HIPAA Omnibus Rule, healthcare entities and their business associates are under greater scrutiny to protect the privacy and security of patient health data.

Interviews

ENISA on the New Threat Landscape (p. 6)

Louis Marinos explains that an ENISA report says cyberthreats increasingly target mobile devices, and simple security measures could help slash these incidents by 50 percent.

What Is the Unintentional Insider Threat? (p. 16)

Researcher Randy Trzeciak describes how organizations can protect themselves from insiders who make mistakes or are taken advantage of in a way that puts the organization at risk.

Insider Threats: A Top Concern for 2014 (p. 22)

Gartner analyst Avivah Litan warns banking institutions to be on the lookout for social engineering as a major source of fraud.

‘Baking in Privacy’ in Healthcare Arena (p. 28)

Security expert Michelle Dennedy describes how to build in consumer protections during product development.

Opinion

IAM: Making the Case for an Investment (p. 8)

CISO Christopher Paidhrin shows how a security professional can steer a discussion of why deploying IAM technology is good for business.

Conference Preview

Anatomy of a Data Breach (p. 30)

A panel discussion at RSA 2014 will feature timely insights on critical components of a breach response effort.

Guide for Government (p. 34)

Conference highlights for security specialists at government agencies.

Guide for Financial Services (p. 35)

Tips on sessions of interest to infosec pros at banking institutions.

Guide for Healthcare (p. 36)

Insights on educational opportunities for healthcare security professionals.

LETTER FROM THE EDITOR

Finally … The Year of Security

By Tom Field

I’ve heard it every year I’ve worked in information security media. There’s a big breach or a new threat or a high-profile international sting that makes the mainstream news, and without fail someone declares, “This is the Year of Security.”

Except it never quite is. The news inevitably fades, we all go back to whatever we were doing, and security recedes into the background. Maybe next year ... Well, “next year” might finally be here.

Face it, when you start the year fresh on the heels of the announcement that Target, one of the top U.S. retailers, has suffered a data breach that impacts tens of millions of consumer payment cards … that gets attention.

And when you follow up quickly with a second major breach, this one of luxury retailer Neiman Marcus, suddenly cybersecurity is being discussed everywhere – from the boardroom to the living room and especially in line at the checkout counter.

It is finally “The Year of Security,” and we’re pleased to welcome it with this 2014 edition of Security Agenda. The State of Information Security is our theme this year, and we explore it in the context of three key vertical industries:

• Financial Services – where Executive Editor Tracy Kitten profiles the top cyberthreats to institutions, including insight from Gartner’s Avivah Litan.

• Government – where Executive Editor Eric Chabrow looks at government agencies’ efforts in the post-Snowden era to build robust insider threat programs. Hear from Randy Trzeciak of Carnegie Mellon CERT’s Insider Threat Program.

• Healthcare – where Managing Editor Marianne Kolbasuk McGee profiles new efforts to meet regulatory expectations for security and privacy. She gains exclusive insight from privacy officer and author Michelle Dennedy.

In addition to our industry focus, we also preview our own timely RSA Conference session, “Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You,” which will be presented on Tuesday, Feb. 25, from 2:40 to 3:40 p.m. at the Moscone Center West, Room 2020.

Many of us from Information Security Media Group will be at RSA Conference this year in our media suite and at our booth in the expo hall. Be sure to stop by and say hello.

After all, it’s “The Year of Security.” We have much to discuss.

Best,

Tom Field, Vice President - Editorial, Information Security Media Group

Editorial

Tom Field, Vice President - Editorial
Howard Anderson, News Editor
Eric Chabrow, Executive Editor
Tracy Kitten, Executive Editor
Marianne Kolbasuk McGee, Managing Editor
Jeffrey Roman, News Writer
Megan Goldschmidt, Associate Editor

Production

Michael D’Agostino, General Manager
Glenn H. Mason, Art Director
Ian Roberts, Senior Graphic Designer

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. This information is used by ISMG’s subscribers in a variety of ways — researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance-related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

The ISMG Network

BankInfoSecurity, CUInfoSecurity, GovInfoSecurity, HealthcareInfoSecurity, CareersInfoSecurity, DataBreachToday, InfoRiskToday

Contact

902 Carnegie Center, Princeton, NJ 08540
(800) 944-0401
ISMGcorp.com

Advertising Inquiries: (800) 944-0401, [email protected]

© 2014 Information Security Media Group, Corp.

INTERVIEW

ENISA on the New Threat Landscape

Louis Marinos on How Organizations Can Mitigate Emerging Threats

By Tom Field

Cyberthreats increasingly target mobile devices, and simple security measures could help end users slash these incidents by 50 percent. This is the key finding of the European Union Agency for Network and Information Security’s second annual Threat Landscape Report.

Louis Marinos, the primary author of the report, says the threats and threat actors have matured greatly over the past year.

With attacks shifting to mobile, end users have greater responsibility to detect and prevent data breaches. And they can improve their response capabilities with very simple controls, such as up-to-date operating systems, anti-virus software and safer computing practices.

“At least 50 percent of these threats could be avoided if very primitive security controls would be implemented,” Marinos says.

In this excerpt of an interview about the ENISA 2013 Threat Landscape Report, Marinos discusses:

• Top cyberthreats and adversaries;
• Why the two new battlefields are big data and the Internet of things;
• Where organizations should focus on mitigating threats in 2014.

Marinos is an expert in risk management and risk assessment. During his engagement with ENISA, he has been working in the areas of emerging risks, continuity risks and risk management approaches.

Increased Sophistication

TOM FIELD: This is the second threat landscape report that ENISA has conducted. What has changed most significantly since last year’s report?

LOUIS MARINOS: I think that definitely sophistication of threats has increased. Some examples: We see encrypted connections between malware; we see botnets that are very difficult to detect. We also see business models of attackers being adapted to changes, for example, of business strategies going mobile.

“At least 50 percent of these threats could be avoided if very primitive security controls would be implemented.”

- LOUIS MARINOS, ENISA


Going mobile is one big trend that we see, but we also see increases in performance of attacks and also the use of cloud computing to help host malicious programs and user performance of these platforms.

Top Adversaries

FIELD: Who are now our key adversaries in the cyberthreat landscape?

MARINOS: There are not big changes concerning the adversaries. We have just found strong evidence about the capabilities of nation-states. I think this is a very clear message. We have seen also that the adversaries seem to cooperate very strongly. This is one new quality this year. For example, we have seen malware that has been developed by groups of attackers or developers.

We also have seen an interesting development in what we call cyber-fighters, who are individuals with the same or similar motive, like hacktivists, just that they have some national background and national motivation.

New Battlefields

FIELD: In your report, you talk about two new cyber battlefields – big data and the Internet of things. Could you explain this designation?

MARINOS: As we all know, big data is considered to be one of the most promising business cases for many organizations. We see organizations try to explore the value of big data, like, for example, mobile telephony operators trying to develop good products around the data they collect about their customers. So, we see that big data is going to gain value, at least from the commercial point of view. And, of course, whatever is valuable is also a target for adversaries. We think that adversaries are going to target big data for many purposes. One is for fraud, of course. The other might be to abuse big data in order to hide their activities.

The Internet of things – interconnected devices – is actually something that has been known for quite some time now. It just happens now that the number of small dedicated devices and sensors has increased so much that it starts becoming interesting for attackers. The potential [for attack] … I would say is huge. For example, imagine that somebody breaks into your media center at home or to your home area network and finds some information. You can imagine that this would be the perfect material for phishing and spamming. So if somebody had this information, they can fool you perfectly and convince you that you’re talking to somebody who knows exactly who you are.

And, of course, one should say that due to the simplicity of devices and also the ad hoc way of developing things, using networks without a lot of security, like Wi-Fi, these devices do not really have [a lot] of security mechanisms implemented, so it would be easier to crack them.

Mitigation Challenges

FIELD: What are some of the challenges for organizations in trying to mitigate these threats?

MARINOS: In order to mitigate threats, organizations need to continuously improve their security practices. So the challenge will be to continuously check the vulnerabilities – gain speed in reacting and patching your systems. One very important point is also to include the end user. We should not forget that all this debate on cyberthreats and cybersecurity is still a matter for experts, [but] we definitely need to transfer the relevant parts of the knowledge to the end user.

2014 Agenda

FIELD: How should organizations read the threat landscape report, and what should their key areas of focus be in 2014?

MARINOS: The threat landscape report is mainly for informing security experts in, for example, performing some assessments, identifying the relevance of the threats we describe for their own IT assets and to understand how far these threats could affect their platforms. We have also made some future projections, and individuals who think that these areas are in their focus should see what are the trends and various issues we have identified, and try to steer their course of actions [accordingly].

For the decision-maker, definitely there are numerous items [in the report] with regard to coordination activities among different bodies, exchange of information, and many, many other points that people can find in our concluding remarks, which should be addressed in the near future.

And ENISA definitely wants to go along these lines and try to mobilize the community in order to be faster in certain areas. We all know that there is a large amount of data that is almost free, so we have the possibility to collect data, express our threat warnings, but also to validate our threat assessments. This would be the next level of maturity that we should reach in threat analysis. We see definite signs that this will happen, and ENISA focuses very much on this direction.

To hear this interview in its entirety, please visit: http://www.inforisktoday.com/interviews/enisa-on-new-threat-landscape-i-2135

“In order to mitigate threats, organizations need to continuously improve their security practices.”

- LOUIS MARINOS, ENISA

OPINION

IAM: Making the Case for an Investment

How a CISO Can Help Business Leaders Understand the Need

By Christopher Paidhrin

When it comes to identity and access management, there is often a lack of understanding among business leaders. Here’s a conversation between “Chris” – a CISO – and “George” – a CXO – that shows how the security professional can steer the discussion toward an explanation of why deploying IAM technology is important to the business.

Chris: Need to talk to you. It’s about secure access, information risk and business value.

George: Please, not another argument for IAM! Make it quick. Executive-level only.

Chris: The challenge is that automated and efficient IAM is expensive. But so is non-compliance. There are very few effective low-cost alternatives.

George: I can’t afford a mature process. I have to work with what I’ve got: manual processes, six people, and too many access request tickets. We’re not making any of our service targets, and my budget request was denied.

Chris: It seems you’ve defined the problem.

George: Cute. The clock’s ticking.

Chris: There is a curve of productivity that peaks in every service delivery process. Past a certain point, more people don’t make the service more effective. Process automation is the only effective, adaptive and scalable alternative.

George: But my provisioning matrix is too complex; it’s as if every request is unique - a dozen applications, at three different access levels from four different endpoints, and policy changes for vendors, partners and telecommuters. Argh!

Chris: You need a plan.

“The challenge is that automated and efficient IAM is expensive. But so is non-compliance. There are very few effective, low-cost alternatives.”

- CHRISTOPHER PAIDHRIN, PEACEHEALTH


George: I’ve got a plan, what I need is a solution.

Chris: What you need are three things: First, you need a formal plan that describes for business leadership, in little words they can understand, the three core elements of your problem - your current state, your success state and the service gap (don’t call it a pain gap). Include your brief assessment as to why it’s a business priority and a simple recommendation. They can’t say yes if you don’t ask.

George: I did ask.

Chris: Second, you need checklists: Logic-decision trees to take the decision-making out of the service approval loop. Get your information stakeholders to pre-approve classes of users, access levels and constraints so the IAM request is simple for the requestor and your team. Risk management and leadership will need to sign off, but you’d be surprised at how they hate complexity as much as you. Collaboratively, you’ll simplify your matrix, checklists and re-set reasonable service delivery expectations.

George: Collaborate is a big word.

Chris: Third, you need self-service password reset capability. You’ll drop 25 percent to 35 percent of your service desk and provisioning tickets. It’s a technology available for most every access system. The return on investment should be less than one year.

George: Do you also write policies?

Chris: Yes. But, work with the policies you have in place. The important thing is to execute your plan. Focus your team on the parts that add lasting value - that leverage small changes into bigger outcomes. Break down the bigger processes into actionable pieces that one person or role can improve.

George: The fires we have to put out are monstrous.

Chris: “Hot Shots” are constantly out-sized by the fires they face. They follow very carefully tested processes that force-multiply into repeatable success. Their lives depend on it.

George: But I don’t have controls for every type of remote access request.

Chris: Offer no service that you don’t first have a policy and a security control to support. Business line management and leadership may not like that answer, but risk management will stand with you because leadership must sign off on owning all assumed risk.

George: Leadership has already said “no” to IAM.

Chris: Did you make it clear to them the cost of “no”? Is their decision based on competing programs? Because IAM is not a technology project; it’s a business-essential process, supported by technologies. Without people gaining access to information resources–what they need, when they need it–the effectiveness of all other programs is compromised.

George: I’ll quote you. Thanks.

Chris: My pleasure.

George: Do you have time to talk about policies?

Christopher Paidhrin is security administration manager in the information security technology division of PeaceHealth, a healthcare delivery system in the Pacific Northwest where he has worked for 12 years.

“The important thing is to execute your plan. Focus your team on the parts that add lasting value — that leverage small changes into bigger outcomes. Break down the bigger processes into actionable pieces that one person or role can improve.”

- CHRISTOPHER PAIDHRIN, PEACEHEALTH

THE STATE OF INFORMATION SECURITY: REGULATIONS, RISKS & EVOLVING THREATS

Fresh perspectives on the information security threats in the government, financial services and healthcare sectors by Eric Chabrow, Tracy Kitten and Marianne Kolbasuk McGee of Information Security Media Group

COVER STORY: GOVERNMENT

Protecting Against the Insider Threat

Will Continual Monitoring of Private Lives Affect Worker Morale?

By Eric Chabrow

As the U.S. federal government tightens procedures to prevent Edward Snowden-type insider leaks, agency leaders are discovering that implementing well-thought-out plans isn’t easy.

For each step taken to make it more difficult for insiders to pilfer or manipulate data, the business of government slows down. Implementing new processes and tools to mitigate insider threats also can have an adverse impact on employee morale, with workers holding security clearances feeling their bosses no longer trust them.

And applying new controls to limit the insider threat costs money, funds that cash-strapped agencies must find by rejiggering their existing budgets.

Still, as National Security Agency Chief Information Officer Lonny Anderson says, agencies have little choice. “We haven’t asked for additional resources,” he said in a recent interview with NPR. “We just said we’ve got to do this.”

Mitigating the insider threat is a key element of any organization’s risk management plan. And other organizations can learn important lessons from the efforts of government agencies.

One of the more publicized efforts the NSA and other government agencies are taking to prevent the insider threat is the so-called dual-approval approach, which requires two people with security clearances to approve any transaction, such as moving a classified file from one agency server to another or adding or deleting user accounts on a classified system.

Army Gen. Keith Alexander, the NSA director, announced last summer the agency was moving toward the dual-approval approach as a result of the Snowden leaks. Alexander said a system administrator such as Snowden who wants to enter a room with secure servers or transfer classified documents to a removable drive would need the concurrence of another employee with security clearance. But the extra manpower comes at a cost. “This makes our job more difficult,” the four-star general said.

Safeguards Slow Critical Processes

Such moves slow workflow and critical processes. “The challenge will be making it convenient, meaning not slowing down important activity so much that people would just go around it,” says Alan Paller, founder of the cybersecurity training school SANS Institute.

Increasing resources to mitigate the insider threat will require each organization to determine what level of inconvenience it will accept to secure critical assets. “Adding a separate step does add to complexity, but it adds some security into their IT processes,” says Randy Trzeciak, senior leader at Carnegie Mellon University’s CERT Insider Threat Center. “That’s the tradeoff many organizations struggle with.”
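The dual-approval control discussed above, as an added illustration that is not NSA, DHS or CERT code: a small Python gate in which a privileged transaction (moving a classified file, adding or deleting an account) cannot execute until a second, distinct, cleared person concurs, and every denied attempt lands in an audit log the security operations center can alert on. It generalizes the article's two-person rule to N concurrences; the clearance ladder, user names and file path are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed clearance ladder; an approver needs clearance at or above the asset's level.
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class User:
    name: str
    clearance: str  # key of CLEARANCE_RANK


@dataclass
class PrivilegedRequest:
    action: str            # e.g. "move_file", "add_account", "delete_account"
    target: str            # constructed file path or account name
    classification: str    # classification of the asset being touched
    requester: User
    concurrences: list = field(default_factory=list)
    executed: bool = False


class DualApprovalError(Exception):
    """Raised when a request violates the two-person rule."""


class DualApprovalGate:
    """Requires N distinct cleared people besides the requester to concur (N=1 is dual approval).
    Every decision, including denials, is written to an audit log."""

    def __init__(self, required_concurrences: int = 1):
        self.required = required_concurrences
        self.audit_log = []

    def _log(self, outcome, req, actor, reason=""):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "outcome": outcome, "action": req.action, "target": req.target,
            "classification": req.classification, "requester": req.requester.name,
            "actor": actor.name, "reason": reason,
        })

    @staticmethod
    def _cleared_for(user, classification):
        return CLEARANCE_RANK.get(user.clearance, 0) >= CLEARANCE_RANK[classification]

    def submit(self, req):
        """Open a request; the requester must be cleared for the asset."""
        if not self._cleared_for(req.requester, req.classification):
            self._log("denied", req, req.requester, "requester lacks clearance")
            raise DualApprovalError("requester lacks clearance")
        self._log("submitted", req, req.requester)
        return req

    def concur(self, req, approver):
        """Record a second person's concurrence; returns the concurrence count."""
        if approver == req.requester:
            reason = "self-approval is not a second person"
        elif not self._cleared_for(approver, req.classification):
            reason = "approver lacks clearance"
        elif approver in req.concurrences:
            reason = "duplicate concurrence from the same person"
        else:
            reason = ""
        if reason:
            self._log("denied", req, approver, reason)
            raise DualApprovalError(reason)
        req.concurrences.append(approver)
        self._log("concurred", req, approver)
        return len(req.concurrences)

    def execute(self, req, executor):
        """Carry out the transaction only once enough concurrences exist."""
        if req.executed:
            reason = "request already executed"
        elif len(req.concurrences) < self.required:
            reason = f"needs {self.required} concurrence(s), has {len(req.concurrences)}"
        else:
            reason = ""
        if reason:
            # A denied execute is the event worth alerting on: a privileged action
            # attempted without the second person.
            self._log("denied", req, executor, reason)
            raise DualApprovalError(reason)
        req.executed = True
        self._log("executed", req, executor)
        return True

    def denials(self):
        """Denied decisions, the slice of the log to feed to detection."""
        return [e for e in self.audit_log if e["outcome"] == "denied"]
```

A real deployment would also require that the two people be authenticated with separate credentials and that the log be written somewhere the administrators being gated cannot edit.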

But many government operations – and businesses as well – have little choice but to take steps to reduce the threat insiders pose. Among federal agencies, taking steps to diminish the insider threat isn’t a choice. In 2011, President Obama issued an executive order for structural reforms to improve the security of classified networks, which includes adoption of standards and guidelines offered by the president’s Insider Threat Task Force.

“We talk about the geeks inheriting the world,” says Ron Ross, the information risk management leader at the National Institute of Standards and Technology. “You got the system admins sitting on top of a treasure trove of gigabytes of classified information and they really have a lot of power out there. And, it’s going to be really important that we take extraordinary measures where those assets are very critical to make sure one person can’t bring down the entire organization.”

DHS Units Tackle Insider Threat

At the Department of Homeland Security, three units – Citizenship and Immigration Services, Transportation Security Administration and Customs and Border Protection – have begun to establish collaborative insider threat working groups to develop an integrated strategy and program to address insider threat risk.

TSA’s assurance division has implemented a training plan that is routinely used in insider threat assessments to inform and educate after auditing insider activity at airports, says Jim Crumpacker, director of DHS’s liaison office with the inspector general and Government Accountability Office. TSA also implemented insider threat monitoring capabilities in TSA-controlled secret and top-secret networks and established the Classified Security Operations Center, which employs analysts and forensics professionals focused on detecting insider activity in networks holding TSA’s most sensitive data.

“To support the mission of safeguarding and securing cyberspace, the department has continued to strengthen both the monitoring of insider threats and its assessments to prevent loss, theft or destruction of mission-critical data,” Crumpacker said in response to a DHS audit.

In that audit issued in December, DHS Deputy Inspector General Charles Edwards said Citizenship and Immigration Services, Transportation Security Administration and Customs and Border Protection are incorporating insider threat vulnerability assessments that check privileged user accounts on unclassified information systems to verify the necessity for privileged user access and determine user rights granted to system administrators.

Security Operations Centers

The three DHS units also are establishing security operations centers to monitor information systems to help detect and respond to insider threat incidents. Edwards says the units could further develop their insider threat program by implementing specific policies and procedures and a risk management plan, as well as enhancing training and awareness programs.

“DHS can strengthen its situational awareness against insider threats by centrally monitoring information systems and by augmenting current IT applications and controls to better detect or prevent instances of unauthorized removal or transmission of sensitive information outside of DHS networks,” Edwards says.

At a Senate hearing in December, Alexander said the NSA is taking 41 actions to prevent leaks by insiders, including the dual-approval approach and increased use of encryption to keep sensitive data secret from unauthorized individuals.

The agency also is deploying software to continually monitor unauthorized activities on its networks. In fact, it was in the process of installing software to monitor networks in real-time to detect anomalous activity, such as the unauthorized downloading of top-secret files, when Snowden accessed top-secret documents about NSA e-spying programs. “Snowden hit at a really opportune time, for him, not for us,” Richard Ledgett, who heads the NSA task force investigating the information leak, told Reuters.

“It isn’t anything against them. It’s about just making sure that the information stays on the proper side of the firewall.”

- ROBERT CAREY, DEPARTMENT OF DEFENSE



Risk Management

Defense Department officials say the entire department – including the NSA – is implementing continuous monitoring of the activities and behaviors of employees with security clearances. In the past, individuals receiving security clearances were reviewed every five or 10 years. The new continuous security clearance vetting of individuals employs a risk management approach and is based on the sensitivity and quantity of the programs and information to which individuals are given access.

On demand, continuous monitoring systems can query a large number of government and commercially available databases with “adjudicated, relevant information that speaks to the reliability of an individual,” says Stephen Lewis, deputy director for personnel, industrial and physical security policy at the Directorate of Security Policy and Oversight in the Office of Undersecretary of Defense for Intelligence.

After mining big data, such systems evaluate the results from the queries and issue red flags, when necessary, that would require an individual to intervene. “We are looking at continuous evaluation in addition to the normal inputs we get from commanders and supervisors,” Lewis says.

Raising Red Flags

The types of information that could raise a red flag include arrests for driving under the influence and running up credit card debt that can’t easily be repaid. Lewis says DoD seeks information that could help determine whether individuals should continue to be in “a position of trust.”

The perception of a lack of trust could have an adverse impact on employee morale. And blame Snowden for that. “What we had is a person who was given the responsibility and the trust to do this job; [he] betrayed that responsibility and trust, and took this data,” Alexander says.

Government workers and contractors with security clearances have been required for years to sign a national security document, known as SF86, which allows the government to monitor their private lives, though in the past it rarely involved the extensive use of sophisticated data mining technologies.

“People signed those forms, but then nothing had happened in the past,” says Robert Carey, DoD’s principal deputy chief information officer. “Now, we have more positive knowledge about our workforce for what it’s doing and not doing than we did in the past. That’s good, but to the nominal national security workforce member, it’s a little bit of a change. This makes people uncomfortable for a while until such time as it becomes standard.”

Implicit Trust

And, as the department educates personnel about the monitoring program, Carey says he believes most security-cleared employees won’t see it as a problem.

“We trust them implicitly but we need to mitigate what they could do,” says Carey, who also co-chairs the federal CIO Council’s information security and identity management committee. “It isn’t anything against them. It’s about just making sure that the information stays on the proper side of the firewall.”

Carey says the DoD is rolling out the monitoring system on a fast track. But many other agencies may not be as fast as DoD and NSA in getting their monitoring systems implemented.

“It takes a while to populate such programs through the federal system,” says James Lewis, the government cybersecurity expert at the Center for Strategic and International Studies, a Washington think tank. “People know it’s something they have to do, but it’s not moving as quickly as it could if you gave everyone a template and said, ‘Now, here, use it.’”

Eric Chabrow is executive editor of GovInfoSecurity and InfoRiskToday.


INTERVIEW

What is the Unintentional Insider Threat?

Researcher Randy Trzeciak on How to Detect, Defend

By Tom Field

For years, researchers have studied malicious insider threats. But how can organizations protect themselves from insiders who make a mistake or are taken advantage of in a way that puts the organization at risk?

According to the CERT Insider Threat Center within the Software Engineering Institute at Carnegie Mellon University, the unintentional insider threat is defined as: “A current or former employee, contractor, or business partner who has or had authorized access to an organization’s network, system, or data and who, through action or inaction without malicious intent, causes harm or substantially increases the probability of future serious harm to the confidentiality, integrity, or availability of the organization’s information or information systems.”

In this excerpt of an interview on the latest insider fraud research, Randy Trzeciak, senior member of the technical staff at CERT, discusses best practices in identifying and responding to the unintentional insider.

Trzeciak heads a team focusing on insider threat research; threat analysis and modeling; assessments; and training. He has more than 20 years of experience in software engineering; database design, development and maintenance; project management; and information security.

A Variety of Insider Threats

TOM FIELD: Based on your latest research, what have you learned about the unintentional insider?

RANDY TRZECIAK: For years, we’ve been doing research focused on the malicious insider, and we think we’ve done a pretty decent job of describing the motives, the impacts of insiders who intend to harm organizations. But from an organization standpoint, [security leaders] really do need to be concerned about impacts to their critical assets whether or not there is malicious intent.

After we collected [information about] a number of cases of the non-malicious, unintentional insider threat, we tended to break those down into different categories. The first one we would categorize as almost negligence, where we would see impacts to the organization along the lines of accidental disclosure. So, for an example, if I take some type of device off of the corporate network and I happen to lose that particular device, that would be some type of accidental disclosure. There wasn’t really malicious intent, but it is something that the individual did or didn’t do that allowed the disclosure of information.

The second categorization really is focused around some type of malicious code. ... So for example, someone outside of the organization socially engineers [an insider] and sends them a phishing e-mail, and they actually open up the e-mail. Or another example might be that [an outsider] provides someone a USB device within the organization, and then some type of malicious code is introduced onto the network.

Then we certainly have some cases that we’ve analyzed related to physical security, such as loss of [paper] records.

Reducing Risks

FIELD: Based on those characteristics, what are your key findings about the unintentional insider?

TRZECIAK: From an organizational standpoint, there are things that organizations can do to, hopefully, reduce the risk that someone could unintentionally harm an organization’s assets. [That could include] technologies or controls that they could introduce, but also … things such as security awareness training or really just improving the way that communication is being conducted across the organization to raise awareness of the insider threat.


So, if we were to use the first example of the accidental disclosure, where someone takes a laptop off the organization network and it does contain confidential or sensitive information, protection strategies could be put on that device that would not allow the information to be accessed.

If we think about … social engineering, malicious code, the phishing e-mail attempts that come about, again, there could be technical controls that could prevent the impact of someone clicking on a phishing e-mail coming in, but also it could be in the form of security awareness training–training your employees, your contractors and subcontractors to know what could be suspicious e-mail and what they should do if they encounter a suspicious e-mail.

Fundamental Controls

FIELD: What would you say are fundamental controls that organizations need to have in place?

TRZECIAK: It needs to start with the organization identifying what its critical assets are. So, for example, if an organization is concerned about a data disclosure event that would compromise a key piece of information … certainly the protection strategy or the control should be focused on the prevention of data leaving the network. There are a number of tools, such as data loss prevention, that would stop information from leaving.

A number of controls can be put in place that could prevent malicious code from being downloaded from a website or introduced onto the network through a USB device. [Some] controls would not allow an unauthorized device to be put on to the network and system.

And [another] set of tools may be effective when you’re trying to prevent or detect fraudulent activity on your network and systems.
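The control Trzeciak describes for the USB case, refusing devices that are not approved, depends on knowing what was actually plugged in. The following is an added illustration, not code from the article or from CERT, of the detection half of that control: it parses the lines the Linux USB stack writes to the kernel log when a device attaches, compares each device’s vendor/product ID against an allow-list, and ranks unapproved mass-storage devices highest because they are the path by which files (and malicious code) move onto the system. The log excerpt, bus paths, IDs and allow-list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed kernel-log excerpt in the format the Linux USB stack logs device attachment
# (bus paths, vendor/product IDs and the allow-list are illustrative, not from the article).
KERNEL_LOG = """\
usb 1-1: new full-speed USB device number 2 using xhci_hcd
usb 1-1: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.11
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-3: new high-speed USB device number 5 using xhci_hcd
usb 2-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 2-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb-storage 2-3:1.0: USB Mass Storage device detected
usb 1-4: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 5.04
"""

# Allow-list of (idVendor, idProduct) pairs the organisation has approved (constructed).
ALLOWED_DEVICES = {("046d", "c52b"), ("1d6b", "0002")}

# "New USB device found" carries the IDs; the usb-storage line tells us the device
# bound to the mass-storage driver. Both are keyed by the bus port (e.g. "2-3").
FOUND_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class UsbAttach:
    port: str
    vendor: str
    product: str
    mass_storage: bool = False


def parse_kernel_log(text):
    """Collect one UsbAttach per bus port, marking those that bound to usb-storage."""
    attaches = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            attaches[m["port"]] = UsbAttach(m["port"], m["vid"], m["pid"])
            continue
        m = STORAGE_RE.match(line)
        if m and m["port"] in attaches:
            attaches[m["port"]].mass_storage = True
    return list(attaches.values())


def unauthorized_devices(attaches, allowed=ALLOWED_DEVICES):
    """Return the attaches whose (vendor, product) pair is not on the allow-list."""
    return [a for a in attaches if (a.vendor, a.product) not in allowed]


def severity(attach):
    """Unapproved mass storage can carry data out or malware in, so it ranks higher."""
    return "high" if attach.mass_storage else "medium"


if __name__ == "__main__":
    for a in unauthorized_devices(parse_kernel_log(KERNEL_LOG)):
        print(f"{a.port}: {a.vendor}:{a.product} unapproved, severity {severity(a)}")
```

Matching only on vendor and product ID is deliberately simple; a production allow-list would normally also pin the serial number, and on Linux the same policy can be enforced rather than just detected with a tool such as USBGuard, which blocks devices that do not match its rule set before the kernel binds a driver.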

Insider Threat Programs

FIELD: Do I understand that you’re seeing more entities now pressuring organizations to stand up a formal insider threat program?

TRZECIAK: Certainly within the U.S, the government organizations need to respond to Executive Order 3587, which was the White House’s directive to ask organizations to stand up a formal insider threat program. Those organizations are required to stand up programs, and that really is at the crux of trying to protect classified information.

As we start looking at the organizations that support the federal government, including contractors, there’s some guidance that … will be coming out in the foreseeable future that should ask those organizations to form the formal insider threat programs as well. That’s certainly a key area that we’re looking for in terms of the next generation of research. How can we assist the organizations, both within the government and outside of the government, to be able to allow them to stand up an insider threat program [and] provide some way to assess the programs to see that [they] are effective or [have] ways they can improve their programs that are in place now?

Upcoming Research

FIELD: What are your next topics of research?

TRZECIAK: Certainly that’s something that we’re looking into today. How can we provide guidance for organizations to stand up programs? How can we provide ways for organizations to assess how effective their programs are? We’ve continued to do research in terms of providing organizations the abilities to do insider threat and vulnerability assessments.

Our foundation here is empirical data: collecting incidents, analyzing the incidents, looking for common patterns that we can describe to organizations that they should consider when trying to prevent or detect malicious or even unintentional incidents from happening within their organization.

Tom Field is the VP - Editorial of Information Security Media Group.


COVER STORY: FINANCIAL SERVICES

Cyber-Attack Trends to Watch

Social Engineering, Mobile Risks on Rise

By Tracy Kitten

When it comes to cyberthreats, what are the major concerns for banking institutions in 2014? Distributed-denial-of-service attacks waged as a mode of distraction to perpetrate fraud across numerous banking channels are a growing threat.

But financial institutions also are concerned about ransomware attacks designed to wage account takeover fraud, as well as mobile malware and insider threats.

The key for banking institutions in 2014 will be to focus on detecting and mitigating multiple risks across multiple channels. “We will see more blended attacks that combine DDoS with some form of attempted data compromise,” says Doug Johnson, vice president and senior advisor of risk management policy for the American Bankers Association.

Other threats that will require renewed attention include spear-phishing attacks and call-center schemes waged against employees, nation-state threats and third-party breaches.

In 2014, banking institutions need to focus on stronger authentication and increased reliance on big data analytics to anticipate and mitigate fraud.

DDoS as a Distraction

Avivah Litan, a financial fraud expert who’s an analyst for the consultancy Gartner, says 30 percent of all banking institution fraud is perpetrated across multiple channels.

For example, attackers will target an institution’s online-banking site with a DDoS attack as a distraction. Then, during the attack, when the online-banking site is unavailable, fraudsters can take advantage of customer service representatives who are overburdened, Litan says.

But cross-channel attacks can be launched in a variety of ways, says Shirley Inscoe, a financial fraud analyst at the consultancy Aite.

“Organized fraud rings are targeting call centers, armed with some information gleaned from data breaches, hacking, etc., and then calling repeatedly to gain additional information so they can successfully impersonate the client,” Inscoe says. “Once they have enough information, they may ask for a password reset to gain online access, request a debit card or request a wire transfer be sent. The resultant fraud may originate through the contact center or a different channel.”

Spear Phishing and Ransomware

Employees’ credentials also can be compromised through socially engineered schemes, such as spear-phishing attacks. Banking institutions can expect these targeted attacks waged against their employees, as well as their customers, to increase in volume and sophistication in the year ahead, experts say.

And when it comes to social engineering schemes waged against customers, institutions should brace for a significant uptick in ransomware attacks, such as CryptoLocker, says Tom Wills, a financial fraud expert in Singapore and director of Ontrack Advisory, a consulting firm focused on payments.

“The banking industry is already being hit indirectly, as ransomware is being delivered as phishing e-mail payloads, purportedly from banks,” he explains.

Mobile Malware

Malware that targets mobile phones and tablets will continue to be a substantial threat in 2014.

“When it comes to mobile, there are a lot of different steps that banks have to take to protect their mobile applications,” Litan says. “But most financial institutions just don’t have the resources to protect these mobile applications as fully as they should. I do think that we’ll see that change, because it’s becoming so prevalent to engage a mobile banking app,” she says. But the industry still has a long way to go, she notes.

“The most serious issue that banks and all of us face in trying to protect assets and data is our open architecture,” Litan says. “There are so many different channels users can come in from. There are so many different activities employees can engage in. We’re pretty much an open society: The Web code is there to be deciphered and the mobile apps are there to be downloaded.”

Insider Threats

Edward Snowden’s leak of classified documents about the National Security Agency’s surveillance programs brought attention to insider threats in 2013.

“The worldwide focus on insider threats, privacy, responsibility and trust … has had a massive impact on security in all industries,” Wills says. “This may be the story of the decade, not just the year.”

Snowden’s breach put a spotlight on the need for stronger insider controls, Litan says. “And sometimes that’s as simple as changing default passwords,” she explains.

From an authentication perspective, it’s not just customers who require stronger authentication; employees who have access to sensitive data need to be scrutinized as well, Litan says.

“There are more disgruntled employees and there are more opportunities for them to commit fraud with outside parties,” she says. “You have to pay attention to who you hire and continuously authenticate those individuals.”

Cyberwarfare

As the DDoS attacks waged in 2012 and 2013 against leading U.S. banking institutions proved, cyberwarfare campaigns are increasing. Self-proclaimed hacktivist groups and nation-states are taking aim at financial services to disrupt service, compromise accounts and steal intellectual property.

“Banks have always been a target for nation-state launched threats,” Wills says. “Geographically coordinated attacks, not just across states but across the world, seem to be becoming more and more common.”

And banking institutions cannot afford to ignore the risk of third-party data breaches, says Anton Chuvakin, an emerging technology analyst at Gartner. As banks and credit unions outsource more of their core banking services, third-party risks will increase.


But it’s not just risks associated with vendor relationships banking institutions have to consider, Chuvakin and others say.

Increasingly, payments risks associated with retailers and payments processors are becoming a greater concern. Point-of-sale breaches, such as the ones that struck retailers, including Target Corp. and Neiman Marcus Group, illustrate the complexity of securing financial transactions across numerous entities.

In 2013, several smaller retailers were targeted by malware that exploited POS software and network vulnerabilities. These smaller organizations often have less sophisticated and secure systems, which make them prime targets for attackers.

But the Target and Neiman Marcus breaches prove that even some of the larger retailers are vulnerable to attack – often through the point of sale.

“The biggest weakness in the breaches I see is the point of sale,” says cybersecurity attorney David Navetta, a partner at the Information Law Group.

In the wake of recent breaches, some institutions have sued breached retailers to recoup losses not covered by their merchant services agreements through the card brands. Other institutions have leaned more heavily on cyber-insurance to cover financial losses and expenses that result from a breach.

In October, the Office of the Comptroller of the Currency issued updated guidance for banking institutions on risks related to third parties, such as technology vendors and core processors. Other federal banking regulators, including the Federal Deposit Insurance Corp., are expected to follow suit. As a result, banking institutions should prepare now for increased scrutiny of their vendor management programs.

“As banks improve security, the security of their service providers becomes more of an issue,” Chuvakin says.

Banking institutions need to focus more attention on risk assessments – those conducted internally as well as those of the third parties with which they have contractual relationships.

Big Data for Fraud Detection

In light of emerging threats, banking institutions are enhancing their fraud detection and prevention capabilities. And a lot of these enhancements will revolve around big data, Wills says.

“Analytics technology is getting better at pinpointing actual high-risk activity, with fewer false positives and negatives,” he says.

But while the use of big data in the fraud fight shows potential, most banking institutions will be limited by their infrastructure, Litan says. The systems and

processes a majority of institutions have in place today just aren’t equipped to handle that much information, she says.

“Big data analytics and the revolution in technology that’s taking place in that domain are going to put a lot of pressure on operational systems,” she says. “As organizations learn to get their arms around data really quickly, in real time, the systems that they’ve put in place aren’t going to be able to keep up that easily. It’s an interesting phenomenon, but one that’s very promising; and I don’t think the bad guys are going to have the last word.”

Thanks to data analytics, banking institutions are starting to make more connections between cross-channel fraud trends, Litan says.
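What “making connections between cross-channel fraud trends” looks like in practice is a correlation over events that each channel logs separately. The block below is an added example, not code from the article, from Gartner or from any bank: it takes a constructed event log spanning the online and call-center channels plus the time window of a DDoS on the online site, and flags accounts that match the patterns Litan and Inscoe describe above, a high-risk request arriving through another channel while the site is down, repeated call-center contacts in a short span, and a password reset followed by a wire request on a different channel. The log format, channel names, thresholds and account IDs are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample event log (not data from the article). Each line is:
# <ISO timestamp> <channel> <account> <action>
EVENT_LOG = """\
2014-02-03T09:00:00 online acct-1001 login
2014-02-03T09:10:00 online acct-1002 login
2014-02-03T10:02:00 callcenter acct-1001 balance_inquiry
2014-02-03T10:15:00 callcenter acct-1003 balance_inquiry
2014-02-03T10:20:00 callcenter acct-1001 balance_inquiry
2014-02-03T10:45:00 callcenter acct-1001 password_reset
2014-02-03T11:30:00 online acct-1001 wire_request
2014-02-04T09:00:00 callcenter acct-1002 card_request
"""

# Constructed: the period during which the online-banking site was under DDoS.
DDOS_WINDOWS = [(datetime(2014, 2, 3, 10, 0), datetime(2014, 2, 3, 12, 0))]

# Requests an impersonator typically makes once a rep trusts them (password reset,
# new debit card, wire transfer), as described in the article.
HIGH_RISK_ACTIONS = {"password_reset", "card_request", "wire_request"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    channel: str   # "online", "callcenter" or "branch"
    account: str
    action: str


def parse_events(text):
    """Parse the whitespace-separated log into Events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, channel, account, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), channel, account, action))
    return sorted(events, key=lambda e: e.ts)


def in_any_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def correlate(events, ddos_windows, repeat_threshold=3,
              repeat_window=timedelta(hours=2), chain_window=timedelta(hours=24)):
    """Return {account: [reasons]} for accounts whose activity matches a cross-channel pattern."""
    by_account = defaultdict(list)
    for e in events:                      # events are time-ordered, so each list stays sorted
        by_account[e.account].append(e)

    flagged = {}
    for account, evs in by_account.items():
        reasons = []

        # Rule 1: a high-risk request arrives through a non-online channel while the
        # online site is under DDoS (overburdened reps are the weak point).
        if any(e.action in HIGH_RISK_ACTIONS and e.channel != "online"
               and in_any_window(e.ts, ddos_windows) for e in evs):
            reasons.append("high-risk request via another channel during DDoS window")

        # Rule 2: repeated call-center contacts in a short period (information gathering).
        calls = [e.ts for e in evs if e.channel == "callcenter"]
        if any(calls[i + repeat_threshold - 1] - calls[i] <= repeat_window
               for i in range(len(calls) - repeat_threshold + 1)):
            reasons.append(f"{repeat_threshold}+ call-center contacts within {repeat_window}")

        # Rule 3: a password reset followed, on a different channel, by a wire request.
        for reset in (e for e in evs if e.action == "password_reset"):
            if any(e.action == "wire_request" and e.channel != reset.channel
                   and reset.ts < e.ts <= reset.ts + chain_window for e in evs):
                reasons.append("password reset followed by wire request on a different channel")
                break

        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for account, reasons in correlate(parse_events(EVENT_LOG), DDOS_WINDOWS).items():
        print(account, "->", "; ".join(reasons))
```

On the sample data only acct-1001 is flagged, and by all three rules; without a DDoS window it is still flagged by the two behavioural rules, which is the point of correlating channels: no single channel’s log shows anything unusual on its own. Each rule is a bool test on the account’s event list, so a fraud team can add a rule per pattern it sees without touching the parsing or grouping.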

Still, the role big data will play in the banking sector will vary widely, Wills says. “They have to do their risk assessments and secure accordingly,” he adds.

Tracy Kitten is executive editor of BankInfoSecurity and CUInfoSecurity.


INTERVIEW

Insider Threats: A Top Concern for 2014

Why Social Engineering Is a Major Source of Fraud

By Tracy Kitten

As banking institutions shore up technical security gaps by investing in enhanced online user and device authentication methods and layered fraud-detection systems, attackers will take aim at less defended channels, such as the call center and branch.

As a result, banking institutions will see more fraud that leverages social engineering attacks against individuals in 2014, says fraud expert Avivah Litan, an analyst at the consultancy Gartner Research.

In this excerpt of an interview with Information Security Media Group, Litan explains why insider threats, social engineering and third-party breaches rank as the top three security risks banking institutions will face in the coming year.

Litan, a vice president at Gartner, has more than 30 years of experience in the IT industry. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk, including those related to payment systems and PCI compliance.

Insider Risks a Top Concern

TRACY KITTEN: What leading fraud and breach trends should banking institutions be focused on in 2014?

AVIVAH LITAN: There are more disgruntled employees and there’s more opportunity for them to commit fraud with outside parties. So insider threat is a big one. Social engineering is becoming bigger as we speak. The bad guys are finding more defenses at institutions with online commerce, so they’re taking advantage of call center representatives and other employees through social engineering techniques. And then the third biggest risk continues to be data breaches outside the bank’s control. This [can be] a breach against a retailer or an ATM or even a customer.


Neglected Security Areas

KITTEN: Where would you say that banking institutions are not paying enough attention?

LITAN: I don’t think they’re paying enough attention to insider threats and privileged user access. Let me explain about privileged user access. Sometimes it’s actually the privileged users that are committing bad acts, but sometimes it’s these bad guys that get in with advanced persistent threats and take over privileged accounts. There’s not enough attention around monitoring those accounts and controlling them; again, not enough around insiders.

And there are a lot of monitoring and fraud detection systems in place, but there’s not enough attention being paid to making those smarter. So if you’re a large financial institution, you could be getting 20 to 30 million security alerts a day, and that may even be a low number for some of them. They could be getting hundreds of thousands of data loss prevention alerts daily, for example. That’s just too much for any organization to monitor. So there needs to be more attention paid to eliminating those false-positives and making the systems smarter through analytics.

Level of Preparation

KITTEN: How well prepared would you say banking institutions are to weather and defend themselves against these types of threats?

LITAN: I think the largest financial institutions are very well prepared. There’s always more that they can be doing. … But, typically, they have enough money and manpower to keep the criminals at bay. What I worry about are the smaller institutions, the smaller banks and credit unions that are dependent on their online banking processors or their core processors, because their security services are hosted. I don’t think there’s enough attention being paid to their security by their service providers and they don’t have the resources to put it in themselves.

Fraudsters More Sophisticated

KITTEN: How have fraudsters perfected their social engineering skills in the last year to bypass traditional authentication methods?

LITAN: They’ve done a few things. No. 1 is by stealing this data–PII data, data brokerages–they’re able to answer questions when a customer service representative is trying to authenticate them. … They’re also hiding behind anonymizers, so they hide the originating phone number. … Many banks use caller ID to help them verify a customer, and now the bad guys know how to disguise their real phone numbers.

Beyond that, they’re not really the best social engineers. I’ve listened to some of these recordings, and they will just get on the phone with a customer service rep who will say, “OK, if you want to move some money, you have to answer these questions.” … They couldn’t even answer where they were born, but you end up with these service reps who are trying to please the customer. … The bad guys figure out who the nice service representatives are and keep calling back.

Mitigating Breach Risks

KITTEN: How will breach risks be mitigated in the future?

LITAN: We’ll see more of the same, where most attacks are detected by outside parties, third parties like Visa and MasterCard, issuing banks and the FBI. So 80 percent of the time, a company will get a call from one of those parties saying, “Guess what? You’ve been breached,” because those companies just don’t have the tools to see the breach themselves. I think we’ll see most breaches continue to be detected that way until we get smarter about security.

But we also have to pay attention to the people we hire, and I think retailers and processors need to focus on that more. We talked about the insider threat as being pretty serious; I just heard … from a law enforcement agent that in the case of Heartland Payment Systems, it was that Albert Gonzalez was working in their call center that caused the breach. He just walked out with the data every day. So this was not a high-tech spectacle; this was just a call center employee stealing data. It just points to the fact that the insider threat is very serious and it could be a very low-tech crime. You have to pay attention to who you hire and continuously authenticate those individuals.

Tracy Kitten is executive editor of BankInfoSecurity and CUInfoSecurity.


COVER STORY: HEALTHCARE

Regulatory Pressure to Protect Healthcare Information Intensifies

HIPAA Omnibus Rule Means Scrutiny Increases

By Marianne Kolbasuk McGee

Under the new HIPAA Omnibus Rule, healthcare organizations and their business associates will be under more scrutiny than ever to protect patient information.

But the important and complex job of safeguarding healthcare data – and avoiding potentially hefty federal penalties for HIPAA non-compliance – boils down to getting some basic steps right.

Those steps include updating privacy and security policies and procedures, communicating them clearly to the workforce, and above all, doing a thorough security risk analysis.

The HIPAA Omnibus Rule, which went into effect in March 2013 and was enforced as of Sept. 23, 2013, makes numerous modifications to HIPAA as mandated by the HITECH Act of 2009. Those changes include a new breach notification rule that spells out a more objective way to determine whether a security incident must be reported to authorities as well as the individuals affected. The rule also expanded capacity for HIPAA enforcement activities and spelled out tougher penalties for HIPAA non-compliance.

“It’s really important that organizations have policies and procedures in place to assure that they are following the requirements of HIPAA,” says David Holtzman, vice president of privacy and security compliance services at the consulting firm CynergisTek. It’s also essential that organizations successfully communicate that information to workforce members, he notes.

“They also need to have an appropriate and broad view and evaluation of the threats and vulnerabilities to their health information, whether it’s electronic or printed, and then take appropriate measures to safeguard that information,” says Holtzman, who formerly worked for the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA compliance.

Valuable Investment

Too often organizations view compliance with the HIPAA privacy and security rules as a burdensome expense, rather than a valuable investment, Holtzman says.

They need to keep in mind, for example, that under HIPAA Omnibus, non-compliance penalties range up to $1.5 million per HIPAA violation. Plus, they need to be aware that OCR has promised to ramp up its HIPAA compliance enforcement in 2014, including launching a permanent HIPAA compliance audit program and intensifying breach investigations in light of the HIPAA Omnibus Rule’s modified breach notification rule.

And under HIPAA Omnibus, not only are covered entities, such as hospitals, physicians and health plans, liable for HIPAA compliance; so too are their business associates. That includes cloud services providers and other technology services vendors who handle patients’ protected health information, as well as their subcontractors.

As a result, business associates are now subject to breach investigations by OCR as well as HIPAA compliance audits.

Covered entities and their business associates need to keep in mind that many HIPAA cases start out as relatively minor complaints “that are really customer-service oriented,” Holtzman says. “Many of these [conflicts] could be resolved by the healthcare provider or facility,” he says. But if organizations don’t respond well to consumers’ concerns, they may file a complaint with OCR, which then could conduct an investigation resulting in fines as well as federal monitoring of compliance with specific security recommendations.

Risk Assessment

A crucial step toward avoiding OCR scrutiny is conducting a thorough security risk assessment to ensure that vulnerabilities and threats are identified and appropriate steps are taken to protect patient data at risk. That assessment should cover encrypting mobile devices, because so many health data breaches have involved lost or stolen unencrypted devices.

“Doing a risk analysis that is consistent with HHS guidance is critical,” says privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine. HHS has made available the protocol used for its preliminary HIPAA compliance audits and tip sheets that can aid organizations in their risk analysis. Those tools can also provide healthcare organizations and their business associates with a sense of what OCR might look for during an audit or an investigation following a breach.

Organizations also need to recognize the importance of carefully documenting the findings of the analysis as well as the steps taken to mitigate the risks identified.

HHS will demand such documentation if it investigates a breach or conducts an audit, Greene notes. Plus, hospitals and physicians that have qualified for the HITECH Act electronic health record incentive payment program, which provides bonus payments from Medicare and Medicaid, also must attest to having conducted an assessment.

Holtzman expects that HHS’ Office of Inspector General will more closely scrutinize HITECH incentive payouts in 2014. That includes conducting more audits that look at whether a risk analysis was actually performed.

Unfortunately, many healthcare organizations are unprepared with documentation about HIPAA compliance, experts say.

“I’ve worked with many CEs and BAs large and small who could not illustrate how they were compliant with the HIPAA security rule,” says independent security consultant Brian Evans. “One important step is to verify and validate your compliance status. Conducting a HIPAA security compliance gap analysis can provide insight as to what requirements need to be addressed in priority order.”

A lack of a thorough risk analysis was found to be a major weakness at many organizations during OCR’s preliminary HIPAA compliance audit program in 2012. OCR Director Leon Rodriguez “has repeatedly highlighted the importance of continually conducting a risk analysis in his comments and speeches,” Evans notes. “This includes documenting its recommendations and the actions taken to address the most severe risk factors.”

Greene points out that a risk analysis is not only critical in order to withstand regulatory scrutiny; it’s also essential to having good privacy and security practices.

“A risk analysis will tell you what you need to do in your organization, whether it’s implementing central auditing software, more robust training, data loss protection, encryption programs, or whatever is particular to the needs of your organization,” Greene says. “One size does not fit all.”

Enforcement in 2014

Susan McAndrew, OCR’s deputy director for health information privacy, says OCR enforcement activities in 2014 will, indeed, include a focus on risk analysis.

OCR’s permanent HIPAA compliance audit program will take into account key findings from the agency’s evaluations of 115 pilot audits in 2012, she notes.

The most significant finding of the pilot audits, as well as OCR investigations into HIPAA breaches, is that “the failure to do an accurate and complete risk analysis was a failure across the board,” McAndrew says.

An aim of OCR moving forward is to make certain organizations are conducting risk assessments “so that we can help get ahead of the curve” in preventing breaches and other HIPAA violations, she says.

Even if an organization isn’t chosen for a random audit, a reported breach can also launch an OCR investigation. And it’s pretty much a sure bet that investigators will demand evidence of a thorough and timely risk analysis.

Policies and Procedures

Another important step in avoiding the scrutiny of regulators is implementing sound privacy and security policies and procedures and making sure they’re documented.

Those policies and procedures need to ensure that organizations are following the requirements of the HIPAA rules.

For instance, under HIPAA Omnibus, patients now have a right to request an electronic copy of their digitized health information. And patients that pay cash for services can also request that their healthcare providers refrain from sharing information about their treatment with their health plan.

It’s also crucial that policies and procedures are well communicated to the workforce, experts say.


“Education is a very big prerequisite for business associates and covered entities alike,” says Stevie Davidson, CEO of Health Informatics Consulting, a New Jersey-based health IT and compliance consulting firm. Many organizations, particularly smaller vendors who are now considered business associates, are unclear what is required of them under HIPAA, Davidson says.

And one of the big mistakes that Davidson sees smaller healthcare organizations making is assuming their electronic health records vendors, and other vendor partners, are taking care of all HIPAA compliance issues for them.

“Sure, [vendors] have a role that they play, but they are not responsible for managing [covered entities’] entire compliance programs,” she says. She points out that even if a business associate is responsible for a breach, for example, the covered entity is ultimately responsible for notifying patients.

Beware of Breaches

The HIPAA Omnibus Rule changed the guidelines for breach notification. Now, breach incidents must be reported unless the risk of compromise is low, taking into consideration four factors in assessing the incident:

• The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;

• The unauthorized party who used the PHI or to whom the disclosure was made;

• Whether PHI was actually acquired or viewed;

• The extent to which the risk to the PHI has been mitigated.

Having a breach response plan in place to deal with an incident is essential, says Michael Bruemmer, vice president at Experian Data Breach Resolution. “It’s good to have a breach response plan, but you have to practice it,” he says. “It’s like doing a fire drill.”

More than half of the major breaches reported to HHS since September 2009 have involved unencrypted devices and storage media, with laptops often involved. So encryption is a vital component of any breach prevention strategy, experts say.

“No matter what physical safeguards you have in place, it’s becoming more challenging to convince the government that it was reasonable and appropriate not to encrypt,” says Greene, the attorney.

“Reported breaches continually demonstrate the importance of encryption for protecting data in motion, such as e-mail, or at rest, such as on mobile devices,” adds Evans, the consultant. “Since encryption is now provided either out of the box or through add-on products, this no-cost or low-cost solution can significantly reduce the likelihood of breaches from occurring.”

Marianne Kolbasuk McGee is managing editor of HealthcareInfoSecurity.


INTERVIEW

By Marianne Kolbasuk McGee

The Federal Trade Commission in 2012 issued recommendations that technology companies should build in consumer privacy protections at every stage in developing their products.

While the FTC calls this idea “privacy by design,” others refer to this as “baking in privacy policy into technology.”

In this interview excerpt, Michelle Dennedy, chief privacy officer at security products and services vendor Intel Security, discusses how this applies in the healthcare sector.

At Intel Security, Dennedy is responsible for privacy policies, procedures and governance efforts. Before coming to Intel Security, Dennedy founded The iDennedy Project, a consulting and advisory company specializing in privacy and security sensitive organizations. Earlier, Dennedy was vice president for security and privacy solutions at Oracle Corp. Dennedy is co-author of the upcoming book, “Privacy Engineering: Getting from Policy to Code to QA to Value.”

Privacy Policy

Marianne Kolbasuk McGee: Describe the concept of baking in privacy policy into technology.

Michelle Dennedy: There’s been a great groundwork that’s been laid by the universal adoption across many nations of “privacy by design,” the concept that you should start with privacy at the beginning of the design cycle and move out. And we believe that privacy engineering is a discrete discipline or field of inquiry and that innovation can be defined in using engineering principles and processes to build the controls and measures into the processes, systems, components and products that enable authorized processing of personal information.

Healthcare Applications

MCGEE: How can this be applied in the healthcare sector?

DENNEDY: If you think about the substantive right to privacy, it isn’t a right of secrecy; it really is a right to have your own self-determination, to have information about yourself be treated with the respect that we would assume in a personal person-to-person context.

‘Baking in Privacy’ in Healthcare Arena

Building in Consumer Protections During Product Development

So when you’re talking about technology that supports healthcare, health is one of the few topics that universally across the globe is agreed upon as a sensitive type of information.

When you build in the mechanisms from the technology layer such that information is treated as a design principle, you actually have a much higher chance of being able to spread that respect across a very diverse type of workforce.

You’ve got a lot of different organizations, payment servers, government people, doctors, nurses, wellness and pharmacy … involved. And family members, when somebody becomes incapacitated, want to make sure that they are getting appropriate access to medical information. So there couldn’t be something more personal than health information.

And so baking in or engineering in or planning for personal information to be respected in healthcare could not be more important.

Help for Developers

MCGEE: How might baking in privacy policies into technology help the developers and engineers of healthcare software and other health IT?

DENNEDY: … It helps the developers and engineers to understand exactly what needs to be done when you bake in processes. The process that we highlight in our book is actually UML processing, taking a data center code, looking at the data that is required to actually perform functions for the business … and determining what the end goal is.

Once you figure out what that end goal is, what are the data elements that are required? Now you’re starting to speak the language of engineering. How do we map out various data map scenarios? How do we build activity diagrams so that we understand where there can be sensitivities or there may be vulnerabilities, where you maybe need escalated authentication, in the case of children or maybe a non-custodial parent who wants to see what’s going on with a child?

We can start to look at those as discrete data-centric, patient-centric UML diagrams and activity diagrams, and it gives the engineer actually a much wider latitude for development so they can be creative in their own field and their own language. …

Compliance Issues

MCGEE: How might baking in privacy policies into healthcare information technology help organizations in their privacy and security compliance efforts?

DENNEDY: Well, it rolls up from the development. Everyone has a role. Everyone who touches personal information, whether it’s the patient all the way back to the payment processing people, is a privacy engineer.

So … if you start with a data-centric network and you start with developers and engineers and vendors that understand the respect for data, engineering techniques, you start to see the bubble-up of an organization that can plan for data as an asset, that can plan against risk of loss and make sure that there are alternative ways of layering in-depth defense. ...

You can also look at how that implies training at the organizational level. And it actually also helps to contain and manage and acknowledge risk so that they can also understand if they are making the appropriate investment. It becomes a business and a value discussion, but not in the way it is today. …

When you start to bake in the engineering practices that become patient-centric and data-centric and doctor-centric, then you start to understand where those investments really do help patient care overall. …

Status Report

MCGEE: What is the current status of the healthcare industry in terms of baking in privacy policies into their technology?

DENNEDY: You’re seeing organizations coming together and talking about privacy technologies as an industry. So I definitely am seeing movement from the healthcare industry. …

We’re in the very, very early days on [using] privacy by design as an element of policy and … on the privacy engineering front. … And with personalized medicine … and more and more measurement going around patient outcomes, I think you’re going to start to see the natural extension of that will be … the baking-in of privacy.

MCGEE: So what else is on the horizon?

DENNEDY: … I’m hoping within five years that every major engineering school will offer at least a master’s program in this type of discipline. I would like to see every code slinger out there having to go through privacy engineering training. I’d like to see ethics as a requirement for anyone who’s issued an engineering degree.

I think we’re going to start to see more and more professionalization of the engineering discipline as well, just as we did in the law schools. Over the last 10 years, there were … a handful of law schools that offered privacy as a legal course of study. There was nothing when I was in law school, and now you see almost every single law school has a dedicated course on data privacy. I think you’re going to start to see that coming up to the technical disciplines.

Marianne Kolbasuk McGee is managing editor of HealthcareInfoSecurity.


RSA CONFERENCE PREVIEW

By Tom Field

Every breach response plan looks good on paper, but what about when it’s time for action? What are the critical do’s and don’ts for post-breach response?

As the recent Target Corp. and Neiman Marcus incidents proved yet again: It’s not just a matter of what you do or say in the wake of a breach. Also to be considered: When do you say it? To whom? And are you certain enough about the facts of the incident that you are willing to stake your organization’s reputation–and your own–on your messaging?

Post-breach communication is one of the most overlooked aspects of breach response, and it’s the key discussion point of the RSA 2014 session, “Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You,” to be held on Feb. 25, from 2:40-3:40 p.m., at Room 2020 of the Moscone Center West.

RSA 2014 Preview: Anatomy of a Data Breach

Sneak Peek at a Panel Discussion Hosted by ISMG

Moderated by Tom Field, vice president of editorial at Information Security Media Group, this expert panel includes two veteran breach response professionals, Michael Bruemmer of Experian Data Breach Resolution and Alan Brill of Kroll, as well as Ronald Raether, an attorney with the firm Faruki Ireland & Cox P.L.L.

In this preview of the session, the expert panelists discuss:

• Key breach trends to watch in 2014;

• Critical do’s and don’ts of breach response;

• Essentials of post-breach communication.

TOM FIELD: As we begin the New Year, what are some of the key breach trends that you’re watching based on 2013 incidents?

RONALD RAETHER: I think a particular interest, and thus concern, for companies is the question about policies and procedures. Number one, do you have the right policies and procedures in place at the time [a breach] happened to have reasonable procedures in place? And then there’s also the trend of companies having … policies and procedures, but then not following those. So regulators [are] looking for those inconsistencies and being able to identify basically a “gotcha.”

ALAN BRILL: One of the things we’ve seen is that there are sometimes tendencies to not wait long enough before making definitive statements about what happened. There is always a tendency to be able to say, “Yes, we have a breach, we’re taking care of it, here’s how we’re remediating it, and here is how we’re taking care of the people.” But as forensic specialists, we find that what appears to have happened when you first look into a breach may not accurately reflect the breach universe. It may affect more people than you think. It may be less or even none.

Do’s and Don’ts

FIELD: Mike, what do you see as some of the critical do’s and don’ts for organizations when they first discover a breach?

MICHAEL BRUEMMER: First is absolutely work with outside counsel. Second, work with an independent forensics firm and, to Alan’s point, make sure you take the time to get all the facts before you go through the notification phase. And then, finally, make sure you encourage the [organization] to put themselves in the shoes of the consumer that they’re going to notify and craft the letter accordingly. You want to get the information that you would like to receive yourself.

Don’t shortcut the due process of an incident response plan. Make sure you follow the steps and be patient with [the plan]. Second, don’t miss the opportunity to give a heads-up to the regulators. More and more, the regulators - particularly the state AGs - are asking for [organizations] to reach out even before a security incident comes to the level of absolute notification.

Post-Breach Steps

FIELD: Ron, from a legal perspective, what are some of the immediate post-breach steps organizations must take to protect themselves?

RAETHER: I’ve always seen [a comparison between] breach response … and responding to a temporary restraining order motion. The temporary restraining order motion is something that requires you to act quickly, to be concise, but also to be thorough and to make sure that you’ve formulated a very consistent, concise message that somebody … can understand and appreciate.

The other thing is to mitigate the risks. We talk a lot about identifying the facts to assess whether a notice is required, but it is also key to make sure that the company is taking quick action to mitigate against the event happening again. So, like Mike mentioned, reach out to the regulators as soon as the event occurs. Even if it is just calling them to tell them that [you’ve] had an event and are going to get back to them shortly with the details of it.

One of the questions they’re going to ask us is: “What have you done to prevent this from happening again?” And you have to not only be able to identify what those actions are, but you have to have a timeline, and hopefully your timeline includes some checkmarks of things you’ve already been able to accomplish.

Critical Controls

FIELD: Alan, what are some of the critical controls to have in place and the measures that organizations ought to take in the event of the breach?

BRILL: There are some organizations that seem to operate under the belief that a breach is never going to happen to them. Maybe they have a plan written down, maybe they don’t. And when [a breach occurs], it’s a huge shock. And we see in a number of cases that the very limited amount of time to do an investigation under the various state laws - and now more and more the international laws - is being burned up trying to select and contract for resources.

Also, very often we find that the evidence that we need to really understand what happened, whether it is a log file on a website or whether it is application logs, they are sometimes never turned on or not held long enough. So, if you are in the belief that you could be the next victim, then the next step is to say, “Well, if it happened tomorrow, would I have the evidence that the investigators need to do their forensics and get a much better result?”


What to Say

FIELD: What are some of the specific things that organizations both should and should not say after a breach?

BRILL: The key is: Don’t engage your spokesperson any more than is necessary until you have a really good view of technically what has happened or not happened. Now, we had one client who we asked for an investigative period of 24 hours to run down what happened. They got other advice from their in-house public affairs people who said, “No, we should call the news conference immediately.” Well at the news conference they announced that there had been a breach of over a quarter of a million records, and that they were going to work to fix the problem. They were going to provide monitoring, and that was all great. But the next day, within the 24 hours that we had asked, we had to tell them that the breach never occurred. The stolen laptop that reportedly had all that data had [actually] been stolen before the data was loaded on to it, and there was no breach. At that point, they were committed and spent millions of dollars remediating a breach that had in fact never occurred.

BRUEMMER: I would also say, looking at a breach notification from a consumer’s point of view, you really want to tell them what happened, why it happened … and then, most importantly, what specific steps someone should take to protect themselves. Whether there is free advice, self-help or actual products to be able to help them, they need to understand very clearly what they can do so that they are not any more confused or have any more resentment to the [organization] that breached their data.

RAETHER: My belief, from experience, is that each individual matter requires customization. And so obviously one of the failings that I see is for individuals that just take a form letter that they found on the Internet, that some other company has sent out, and just scratch out the names and put their company’s names on there and send that out.

The other thing is accountability. I find too many companies want to blame somebody else. They want to take the role of the victim. And while there are certain truths to the fact that the company has been often times victimized by a criminal, ultimately the consumer or the customer is not going to see it from that perspective. You’re the trusted entity that they have provided their information to, and so you need to avoid taking on the victim mantle and take on accountability.

BRUEMMER: And one of the rules that every company should remember is that the worst possible time to try to learn crisis management is in the middle of a crisis.

Tom Field is VP – Editorial of Information Security Media Group.


By Eric Chabrow

The intersection of government and the private sector is a theme found in a number of sessions at RSA 2014.

Here are my picks for some key sessions government information security practitioners should consider attending. All of the sessions mentioned here will be held in Room 2009 at the Moscone Center West.

Seeking Balance

Two panels address vulnerabilities that could be baked into information technologies furnished by foreign manufacturers. Allan Friedman, co-author of “Cybersecurity and Cyberwar: What Everyone Needs to Know,” and Jon Boyens, senior adviser for information security at the National Institute of Standards and Technology, are among the experts who will explore the impact on policies regarding technology acquisition in the panel: “Can Government Cybersecurity Policies Balance Security, Trade and Innovation?” It will be held Tuesday, Feb. 25, at 1:20 p.m.

Later Tuesday, at 2:40 p.m., Debora Plunkett, National Security Agency information assurance director, participates in the panel: “Facts vs. Fear: Foreign Technology Risks in Critical Industry Sectors.” Experts will describe the necessary steps to effectively vet technologies to assure they’re safe to employ.

Securing Data Centers

Teri Takai, the Department of Defense chief information officer, joins the former top cybersecurity policymaker at the Department of Homeland Security, Mark Weatherford, in a Wednesday, Feb. 26, 9 a.m. panel: “Securing Our Nation’s Data Centers against Advanced Adversaries.” Hear the panelists assess the standards and best practices being deployed to secure data centers around the world.

Cybersecurity Framework

Earlier this month, the federal government issued the cybersecurity framework, a set of voluntary best practices aimed at protecting the information assets of the nation’s critical infrastructure. Adam Sedgewick, the NIST official who shepherded the framework, will join other NIST experts and Samara Moore, White House director for cybersecurity critical infrastructure, in a session called: “An Overview of the Executive Order Cybersecurity Framework,” at 9:20 a.m., Wednesday, Feb. 25.

State-Federal Collaboration

Cybersecurity requires a challenging degree of collaboration among different government offices, particularly when responding to cyber-incidents. The panel “Government x2: State and Federal Collaboration on Cybersecurity,” will be held Thursday, Feb. 27, at 9:20 a.m. It will be moderated by Cheri Caddy of the White House national security team and include the state of Michigan’s Chief Security Officer, Dan Lohrmann.

DHS Insight

“View from the Inside: DHS Priorities in Cybersecurity,” at noon Thursday, Feb. 27, will feature the head of Homeland Security’s National Protection and Programs Directorate, Suzanne Spaulding, and Phyllis Schneck, deputy undersecretary for cybersecurity, addressing the areas where DHS will concentrate on cybersecurity.

Continuous Monitoring

CISOs David Stender of the Internal Revenue Service and Darren Van Booven of the House of Representatives will join moderator and former U.S.-CERT Director Mischel Kwon Friday, Feb. 27, at 9 a.m., for the panel: “Leading Cybersecurity: Technically Sexy, Programmatically Dowdy.” They’ll discuss continuous monitoring in the federal government and how it has broadened the security leaders’ job.

These are just a sampling of the panels, keynote addresses and other events at the conference of interest to the government information security professional. Let me know what you think of the conference.

Eric Chabrow is executive editor of GovInfoSecurity and InfoRiskToday.

RSA CONFERENCE PREVIEW

RSA for Government Security Practitioners

Editor’s Picks of Sessions at RSA 2014

Here’s a sampling of the many sessions that will provide timely insights for security specialists in the government sector.

RSA CONFERENCE PREVIEW

By Tracy Kitten

Fraud and security are always hot topics in the financial services arena. But this year, some risks – such as data breaches linked to third parties and increasingly insecure authentication practices – will definitely get more attention from security pros.

How financial institutions address those risks will be key, whether it’s through more reliance on data analytics or a better understanding of emerging malware strains and the cybercriminals and adversaries behind the attacks. Fortunately, all of these areas of concern are on the agenda at RSA 2014.

In reviewing this year’s lineup of speakers and sessions, a few highlights stand out. There are far too many sessions for anyone to attend, of course. But here are some presenters that will offer timely insights for those in the financial services industry:

• Daniel Cohen, a phishing expert and head of knowledge delivery and business development at RSA;

• Nick Selby, an encryption expert and CEO of StreetCred Software;

• Adam Sedgewick, senior adviser of information technology for the National Institute of Standards and Technology and a leading contributor to guidelines for securing the financial services critical infrastructure.

As for sessions, here are several that will offer important insights:

Securing Critical Infrastructure

On Feb. 25, 4 p.m. to 5 p.m. in Moscone West, Room 3002, Sean McBride, director of analytics for cyber-intelligence firm Critical Intelligence, will discuss how the United States delivered malware to industrial objectives within Iran during his session, “Effects-Based Targeting for Critical Infrastructure.”

Data Analytics

On Feb. 25, 4 p.m. to 5 p.m. in Moscone West, Room 2006, Jay Jacobs, senior data analyst, and Wade Baker, both of Verizon, will review why big data is not the only data that organizations should rely on in their presentation, “From Data to Wisdom: Big Lessons in Small Data.” Their session will examine the state of security data analysis.

Knowing Thy Enemy

On Feb. 25, 2 p.m. to 2:20 p.m. in Moscone West, Room 3022, and again on Feb. 28, 11:40 a.m. to 12 p.m. in Moscone North, Room 130, Dmitri Alperovitch of CrowdStrike will explore why it’s not just the attacks, but the attackers, that organizations need to understand during his presentation, “The Art of Attribution: Identifying and Pursuing your Cyber Adversaries.”

Malware for Defense

On Feb. 26, 9:20 a.m. to 10:20 a.m. in Moscone West, Room 3002, Trustwave’s Ryan Barnett, lead security researcher, and Ziv Mador, director of security research, will walk through how security products can be used against hackers during their session, “An Arms Race: Using Banking Trojan and Exploit Kit Tactics for Defense.”

Taking Down Citadel

And on Feb. 27, 10:40 a.m. to 11:40 a.m. in Moscone West, Room 3002, presenters Errol Weiss of Citigroup, John Wilson of online security firm Agari and Richard Boscovich of Microsoft will review the June 2013 takedown of more than 1,500 command-and-control servers for botnets based on Citadel. During their session, “How Microsoft, FS-ISAC & Agari Took Down the Citadel Cybercrime Ring,” they will discuss the coordinated takedown led by Microsoft, the Financial Services Information Sharing and Analysis Center and Agari.

Tracy Kitten is executive editor of BankInfoSecurity and CUInfoSecurity.

RSA for the Financial Services Security Pro: Editor’s Guide to Key Sessions & Speakers at RSA 2014

Tracy Kitten

RSA 2014 offers many insights on how banking institutions can address a wide variety of security threats.


RSA CONFERENCE PREVIEW

By Marianne Kolbasuk McGee

This year, healthcare information security professionals faced a dilemma: whether to attend RSA 2014 in San Francisco or the annual HIMSS conference in Orlando, put on by the Healthcare Information and Management Systems Society.

Usually the two events are held on separate weeks – often back-to-back – but this year they are scheduled concurrently.

It’s possible, of course, to split your week and attend parts of both events. And for those healthcare security pros attending RSA 2014 – in whole or in part – there are plenty of meaty topics of appeal. A review of the RSA 2014 agenda shows several seminars, panels and speakers of particular interest to healthcare-focused attendees. Some of my recommendations:

Mobile Device Security

Because so many major health data breaches involve lost or stolen mobile devices, healthcare security pros might consider taking advantage of a mobile security tutorial being offered by the SANS Institute.

The two-day course, called simply “Mobile Device Security,” takes place Sunday, Feb. 23, and Monday, Feb. 24, from 9 a.m. to 5 p.m. in Moscone West, Room 3008. This offering is designed to teach attendees about the threats mobile devices pose. The hands-on class will offer lectures, labs and real-world insights. Larry Pesce, a SANS certified instructor, is leading the course. FYI, he’s now a senior security analyst with InGuardians, but he previously worked in security and disaster recovery in healthcare, performing penetration testing, wireless assessments and hardware hacking.

Medical Device Hacks

If you’ll be attending RSA later in the week, consider the session: “Turning Medical Device Hacks into Tools for Defenders,” scheduled for Thursday, Feb. 27, from 10:40 a.m. to 11:40 a.m. in Moscone West, Room 3006. The session will be led by consultants Jamie Gamble and Tim West of Accuvant Inc. They’ll discuss research that compiles cybersecurity threats and vulnerabilities into guidelines for the security community for hardening or assessing medical devices. “Our hope is to help manufacturers, clinicians and practitioners in securing their environments,” the presenters say.

Breach Response

Another session of interest to healthcare security pros is “Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You,” taking place on Tuesday, Feb. 25, from 2:40 p.m. to 3:40 p.m. in Moscone West, Room 2020. The session will look at the critical dos and don’ts for post-breach communication, including what to say (and what not to say), who to involve and when and how to inform customers, regulators and the media. Panel participants include Tom Field, vice president of editorial at Information Security Media Group; Alan Brill, senior managing director, Kroll; Michael Bruemmer, vice president of Experian Data Breach Resolution; and Ronald Raether, partner at law firm Faruki Ireland & Cox P.L.L.

Privacy vs. Security

Health data security professionals seeking a better understanding of privacy issues should consider attending the seminar, “Privacy Intensive for Security Professionals: Are You Prepared?” slated for Monday, Feb. 24, from 1:30 p.m. to 5:30 p.m. in Moscone West, Room 2002. The event, hosted by the International Association of Privacy Professionals, will help attendees understand why privacy is an increasingly important concern and a growing requirement in an information security professional’s day-to-day job responsibilities.

Leadership Development

Finally, healthcare security leaders might want to check out a session that could prove helpful to their own career advancement. “Information Security Leadership Development: Surviving as a Security Leader,” is slated for Monday, Feb. 24, from 8:30 a.m. to 11:30 a.m. in Moscone West, Room 3018. A panel of security, risk management and privacy experts will discuss topics ranging from “making regulations and audit work for you” to “developing cross-functional leadership skills.” Among the panelists: Doug Graham, senior director, risk management, EMC Corp.; Robert West, chief security officer, Intelligent ID; and Dennis Devlin, CISO, CPO and senior vice president of privacy practice, SAVANTURE.

There’s plenty more to experience at RSA 2014, of course – we haven’t even scratched the surface. I look forward to hearing from you about all the highlights of the event.

Marianne Kolbasuk McGee is managing editor of HealthcareInfoSecurity.

RSA for the Healthcare Info Security Pro: Editor’s Guide to Relevant Content at RSA 2014

Marianne Kolbasuk McGee


Come Join Us at Our Session ISMG Hosts a Timely Panel with Industry Luminaries at RSA 2014

Anatomy of a Data Breach: What You Say (or Don’t Say) Can Hurt You

When: Tuesday, February 25, 2014 | 2:40 p.m. – 3:40 p.m. | Moscone West | Room 2020

About: Every breach response plan looks good on paper, but what about when it’s time for action? Breaches are an everyday part of business. What are the critical dos and don’ts for post-breach communications? In a staged re-enactment, this panel of breach and legal experts walks through what to say (and what not to say), who to involve and when and how to inform customers, regulators and the media.

Hosted by: Tom Field, Vice President – Editorial, Information Security Media Group

Field is an award-winning journalist with over 20 years of experience in newspapers, magazines, books, events and electronic media. A veteran community journalist with extensive business/technology and international reporting experience, Field has written news, sports, features, fiction and analysis for publications ranging from Editor & Publisher to Yankee Magazine, and he has held editorial management positions at weekly and daily newspapers, as well as a global business/technology magazine. An accomplished public speaker, he has developed and moderated scores of podcasts, webcasts, roundtables and conferences, and he has appeared on C-SPAN, The History Channel and Travel Channel television programs.

Featuring:

Alan Brill, Senior Managing Director, Kroll

Brill is author and co-author of five books, has testified before court and governmental committees and has been an instructor for the FBI and Secret Service, among others.

Michael Bruemmer, Vice President, Experian Data Breach Resolution

With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space, where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.

Ronald Raether, Partner, Faruki Ireland & Cox P.L.L.

Raether has handled numerous matters involving technology-related issues in areas including antitrust, contracts, employment, trademark, domain name disputes and federal and state privacy statutes.


ISMG Offers In-Depth Coverage of RSA 2014 Videos, Audio Interviews, News Updates and More

Information Security Media Group will have a team of journalists providing extensive coverage of the RSA 2014 Conference.

Look for video and audio interviews with speakers and other information security experts, as well as news updates and blogs featuring insights from the biggest information security event of the year.

Coverage will be available on BankInfoSecurity, CUInfoSecurity, GovInfoSecurity, HealthcareInfoSecurity, InfoRiskToday, CareersInfoSecurity and DataBreachToday.

Many of our interviews will be conducted at our booth, #2507 in the South Hall of the Moscone Center. Be sure to stop by to meet members of our team and view live interviews.

Tom Field, vice president, editorial; Howard Anderson, news editor; Tracy Kitten, executive editor of BankInfoSecurity and CUInfoSecurity; and Eric Chabrow, executive editor of GovInfoSecurity and InfoRiskToday, will be covering the conference.

ISMG’s editors also will be meeting with members of the boards of advisers for our websites at RSA 2014 to help plan our coverage of important trends in the year ahead. Our advisers include CISOs and other infosec practitioners; government advisers; security analysts and consultants; technology experts; and thought-leaders.

ISMG is the only Diamond Media Sponsor of RSA 2014.

Panel interview video from RSA Conference 2013

RSA CONFERENCE PREVIEW


www.ismgcorp.com