Author Archive for Jeff Reich

Tips to Guard Against Hacks and Attacks

I attended the 2013 InnoTech San Antonio Technology Innovation Conference & Expo on April 17th.  InnoTech is the region’s largest business-to-business technology event.

This conference has grown to the point of needing to move to the Henry B. Gonzalez Convention Center.

Along with the tracks offered in Mobility, Women in Tech, Infrastructure, Big Data with Analytics and IT Leadership, I participated in the Cyber Security Symposium.  I moderated a panel of experts on Security – It’s All About Perspective.  The panel had representation from corporate leaders, consultants and higher education.  The panel members were Mark Krisak, Director of Information Security, HEB; Chip Meadows, Sr. Security Analyst, UTSA; Joe Oranday, Vice President, Enterprise Information Security, Frost; Steve Werby, President and Senior Information Security Consultant, Befriend.

We had a lively discussion with the audience of around 100 people.  Even though we discussed technology and some of the newer techniques to deal with hacks and attacks, the takeaway from the gathered experience on the panel was to focus on the basics.  When the panelists were asked what the one best thing was that an organization can do to protect itself, the answers were:

  • Keep your patches current
  • Focus on user security awareness training
  • Deliver metrics on your program to track progress and get support
  • Work with your users

These solutions are not new and do not require deep technical knowledge.  I think we can all learn a lot from these experts.

I will be presenting a session on Hacktivism at the 2013 ETA Annual Meeting & Expo on April 30th through May 2nd in New Orleans, LA.  I hope to see you there.

About the Author: As Chief Risk Officer at Layered Tech, Jeff Reich (@LayeredTechCRO, +Jeff Reich) drives the company’s security and compliance services and guides risk mitigation efforts for clients. With more than 30 years of experience, Reich is a well-known risk management and security expert in the industry. He holds CRISC, CISSP and CHS-III certifications and is an ISSA Distinguished Fellow.

Hospital Data Breaches

Earlier this month, Lisa Vaas published an article on the Naked Security web site on the Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, funded by ID Experts.  Ms. Vaas did a good job of summarizing the most significant finding in the report: that the increase in data breaches over the past three years is due mainly to a lack of secure devices and staff negligence (see graph from report below).

[Image: Data Breach Graph, from the Ponemon report]

I strongly suggest that you download and read this report.  The Ponemon Institute always does a good job in these areas and if you are in healthcare, chances are you will see some trends similar to what happens in your organization in the report.

The takeaways here are that breaches are expensive, and it’s not just patient data.  Just look at the numbers in the report.

In my opinion, the saddest statistic is that most of the breaches were discovered in an audit.  One of the main reasons to conduct an audit is to demonstrate that these types of conditions do not exist.  Employee discovery follows in second place.  If an employee can discover it, an employee should be able to help prevent it.

Rather than try to scare you with FUD (Fear, Uncertainty and Doubt – see my blog post of January 3, 2013) – and there are plenty of items with which to scare you, I would like to see the community come together and share the ideas and practices that help protect data.  We always work with our clients to ensure that they have an environment that is both compliant and secure but it takes everyone working together.

If you have seen a healthcare provider in the U.S. during the past six months, you probably noticed the additional type of paperwork needed and, in fact, the move away from paper.  As healthcare related information transitions towards digitization, the opportunities for a breach increase unless we all take the necessary steps.

When you decide to host the data that you manage with a provider, demand that they secure the environment, demonstrate compliance and do it all with full transparency.  Anything short of that sells everyone short.

I will be attending HIMSS Conference in New Orleans on March 3-7 in order to help bring all of us to the right place with healthcare data.  I hope to see you there!


Security as a Subset of Risk Management

What does Risk Management mean to you?  If you have read my blog you know that I focus on topics like Security or Compliance.  You may have noticed, as well, that my title is Chief Risk Officer and you may have wondered how this fits together.  Compliance cannot exist without the appropriate controls (security) in place.  Moreover, Risk Management can be said to be the art of balancing the value of the cost of a control versus the value of the benefit derived from the control.

I have spent most of my career dealing with security controls and compliance.  After a while, it occurred to me that in order to convince someone, usually an executive, of the need for spending money on a control, I had to convince that executive of the value derived from implementing that control.  The value of the cost for a control can have multiple factors.  The most obvious is the cost to initially acquire the control, whether that is software, processes, personnel or any number of other costs.  One sometimes ignored component of the cost of a control is the cumulative cost effect.  Just about every control has costs associated with acquisition, administration, maintenance, and regression testing, to name a few.  Every time you add an additional control, the costs for administration, maintenance, testing and complexity are higher than they would be if the control stood alone.  This is because some controls conflict with others or make administration more complex.

Many executives see security professionals demonstrate this concept repeatedly.  The rationale used for justifying these costs is Fear, Uncertainty and Doubt (FUD).  Claims of utter destruction and the end of the world (with all due respect to those that thought the Mayans were doing just that) are often used to generate FUD.  These security professionals are often frustrated that executives do not support their programs or believe their claims.

Another perspective taken is that with more controls, you reduce your risks from the negative effect of attacks, calamities and such.  Although this is true, to a degree, bringing those risks down to a negligible level often requires many controls.  Now we circle back to the ever increasing costs of controls.  Even if FUD is used successfully for the initiation of a security program, it can neither be sustained nor repeated, for it would leave the executive out on a limb on the tree of FUD.

What is the best way to avoid FUD, put in enough controls and not spend too much on them?  Consider the chart below.  Life is never quite this simple but if we accurately articulate the costs of controls AND the associated reduction in potential losses, achieving the answer is always easy.  Never spend more on a control than you would lose if you did not have the control.

Recognize that the value of the benefits is multi-faceted.  Increased productivity, opportunity costs, competitive advantages are just some of the values that need to be factored in.  By keeping this perspective in mind, good and effective security controls will play a vital part in your risk management program.
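The rule above (never spend more on a control than you would lose without it) and the cumulative cost effect described earlier can be put into a small model.  The following is an added example, not code from the original post; all control costs and loss-reduction figures are constructed, and the 5% complexity surcharge per additional control is an assumption used only to illustrate how recurring costs grow as controls are stacked.

```python
"""Control cost versus loss-reduction model (added example, constructed numbers)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    acquisition: float      # one-time cost to acquire the control
    admin: float            # yearly administration cost
    maintenance: float      # yearly maintenance cost
    testing: float          # yearly regression-testing cost
    loss_reduction: float   # yearly expected loss avoided by having the control


# Assumption: every control beyond the first adds 5% to the recurring cost of
# all controls, modelling the conflicts and extra administration the post describes.
COMPLEXITY_SURCHARGE = 0.05


def recurring_cost(control: Control) -> float:
    """Yearly cost of keeping one control running, ignoring interactions."""
    return control.admin + control.maintenance + control.testing


def portfolio_cost(controls: list, years: int) -> float:
    """Total cost of a set of controls over `years`, including the cumulative effect."""
    factor = 1 + COMPLEXITY_SURCHARGE * max(len(controls) - 1, 0)
    return sum(c.acquisition + recurring_cost(c) * factor * years for c in controls)


def portfolio_benefit(controls: list, years: int) -> float:
    """Expected loss avoided over `years` (assumes the reductions do not overlap)."""
    return sum(c.loss_reduction for c in controls) * years


def worth_adding(existing: list, candidate: Control, years: int):
    """Apply the post's rule: add a control only if it saves at least what it costs.

    Returns (decision, marginal cost, marginal benefit). The marginal cost is
    the change in the whole portfolio's cost, so the surcharge applied to the
    controls already in place is charged against the candidate.
    """
    delta_cost = portfolio_cost(existing + [candidate], years) - portfolio_cost(existing, years)
    delta_benefit = candidate.loss_reduction * years
    return delta_benefit >= delta_cost, delta_cost, delta_benefit


# Constructed sample controls (the figures are illustrative, not from any report).
PATCHING = Control("patch management", 20000, 15000, 5000, 5000, 80000)
AWARENESS = Control("user awareness training", 10000, 8000, 2000, 0, 30000)
NICHE = Control("niche appliance", 150000, 40000, 20000, 10000, 25000)

if __name__ == "__main__":
    portfolio = []
    for candidate in (PATCHING, AWARENESS, NICHE):
        ok, cost, benefit = worth_adding(portfolio, candidate, years=3)
        print(f"{candidate.name:24} cost={cost:>10.0f} benefit={benefit:>10.0f} add={ok}")
        if ok:
            portfolio.append(candidate)
```

Run as-is, the first two basics pay for themselves over three years while the expensive niche appliance does not, and its marginal cost is inflated further by the surcharge it imposes on the controls already in place.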

[Chart: Fear, Uncertainty and Doubt (FUD)]


The Payment Processing Chain – Holistic Risk Management

[Image: ATM keypad]

A lot of people in the credit card industry focus on the compliance and security component of the payment processing chain that they control.  This is expected and is the right thing to do.  Most people do not have an appreciation of the steps needed for a successful transaction.  Some merchants, cards and banks could have varying processes but most transactions involve, at a minimum, a consumer, a merchant, a payment gateway or processor, the card brand and the bank issuing the card.  In order for a transaction to complete, the reverse path is taken to validate the transaction.  Add in credits, refunds and loyalty programs and that’s a lot of moving parts in a system that appears to act instantaneously.  The system works well and we all depend on that.

Like any complex ecosystem, components need occasional maintenance.  Operators for every component of the ecosystem should be cognizant of the controls in place for the entire ecosystem as well as recognizing their place in the system.  A credit card and its associated transactions will be as secure as the weakest spot in the processing chain.  The consumers that believe they should be able to depend on the security of payment processors and banks are correct in their assumptions.  In the same vein, banks and payment processors should be able to depend on the security practices of consumers and merchants.

What does this mean to all of us?  For the issuing banks, this means monitoring the behavior patterns of consumers to facilitate better and faster fraud detection.  Acquiring banks do the same for merchants.  For merchants, a demonstration of security and compliance competence is needed.  If merchants do not have this expertise, they should engage with a firm that does and allow that firm to handle it.  Many merchants have not grown security and compliance expertise, focusing instead on growing their business around their core competency.  Banks have regulators for oversight and examiners for validation.

That leaves the consumer.  Every consumer plays a vital role in the risk management chain but many do not recognize that and do not utilize the tools available to them.  Some of these tools are:

  • Credit Card Statements
    • Perhaps the best tool available to consumers – address unexpected activity!
    • Use online statements to see current (very recent) activity.
    • Use SMS and email alerts for higher than expected volume or value of activity.
  • Credit Reports (things to look for are below)
    • Higher balances than expected
    • Unexpected new accounts opened
    • Unexpected accounts closed by credit grantor
  • ATM Machine Activity
    • In addition to being aware of ATM fees, make sure you trust the machine.
    • When using a machine for the first time, consider techniques such as entering an invalid PIN once to see if it is rejected.  If it is and the valid PIN works, the machine is on your network.
    • Watch your surroundings.  If someone sees you enter your PIN, your chances of a compromise increase.
  • Utilize the security and control measures of your merchants and banks
    • If you cannot rely on them, ask them to change or move your business.
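
The behavior monitoring that issuing banks perform, and the "higher than expected volume or value" alerts consumers can enable, both come down to comparing each day's activity with a recent baseline.  The following is an added example, not code from the original post or from any bank: the transactions are constructed, and the alerting rule (flag a day whose transaction count or total value exceeds three times the average of the preceding five active days) is an assumption chosen for illustration.

```python
"""Alerting on higher-than-expected card activity (added example, constructed data)."""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample: (card_id, day, amount). Card A's last day is the anomaly;
# card B is a low-frequency cardholder whose activity is normal.
TRANSACTIONS = [
    ("A", date(2013, 3, 1), 42.10), ("A", date(2013, 3, 2), 15.00),
    ("A", date(2013, 3, 3), 60.25), ("A", date(2013, 3, 4), 22.40),
    ("A", date(2013, 3, 5), 19.99), ("A", date(2013, 3, 5), 8.50),
    ("A", date(2013, 3, 6), 499.00), ("A", date(2013, 3, 6), 650.00),
    ("A", date(2013, 3, 6), 725.50), ("A", date(2013, 3, 6), 90.00),
    ("B", date(2013, 3, 1), 120.00), ("B", date(2013, 3, 4), 135.00),
    ("B", date(2013, 3, 6), 110.00),
]

# Assumed thresholds: alert when a day exceeds 3x the baseline count or value.
COUNT_FACTOR = 3.0
VALUE_FACTOR = 3.0


def daily_totals(transactions):
    """Aggregate transactions into {card: {day: [count, total_value]}}."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0.0]))
    for card, day, amount in transactions:
        entry = totals[card][day]
        entry[0] += 1
        entry[1] += amount
    return totals


def find_alerts(transactions, baseline_days=5):
    """Return (card, day, reasons) for days that exceed the card's own baseline.

    The baseline is the mean count and mean value of up to `baseline_days`
    preceding active days, so a card with no history never alerts, and a
    normally quiet card alerts on a smaller spike than a busy one.
    """
    alerts = []
    for card, days in daily_totals(transactions).items():
        ordered = sorted(days.items())          # chronological (day, [count, value])
        for i, (day, (count, value)) in enumerate(ordered):
            history = ordered[max(0, i - baseline_days):i]
            if not history:
                continue                        # first active day: nothing to compare with
            base_count = mean(c for _, (c, _) in history)
            base_value = mean(v for _, (_, v) in history)
            reasons = []
            if count > COUNT_FACTOR * base_count:
                reasons.append("count")
            if value > VALUE_FACTOR * base_value:
                reasons.append("value")
            if reasons:
                alerts.append((card, day, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for card, day, reasons in find_alerts(TRANSACTIONS):
        print(f"card {card}: {day.isoformat()} exceeded baseline on {', '.join(reasons)}")
```

On the constructed data only card A on 2013-03-06 is flagged, for both count and value; card B's irregular but modest activity stays under its own baseline, which is the point of comparing each cardholder against their own history rather than a fixed limit.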

At any point in the chain, inspect the controls and ring the bell if they do not meet your standards.

Image Credit: Catatronic


Holiday Security – Manage Your Risks

[Image: Credit Cards]

Welcome to the holiday season!  Along with the holiday cheer, parties, presents and spending come some risks of which we should all be aware.  Situational Awareness is a phrase that some might not recognize.  Situational Awareness entails being aware of your surroundings and environment and adapting your behaviors to address the risks being presented.

One special area of interest is web sites.  Some web sites will present offers that seem too good to be true.  If you cannot confirm that you are visiting a web site that you know and trust, be very wary of entering any identifying information about yourself, especially items such as account numbers, social security numbers and credit card numbers.

Another problem that is related to web site scams is unsolicited email messages.  My simple recommendation for this is that any email message that you receive and was not the result of a request on your part, asking for information or prompting you to click a link should be deleted.

In both of these cases, should any situation persist, at a minimum, you can report the offending web site or message to abuse@domain.com, where domain.com is the domain portion of the sender’s email address or of the web site in question.  Should you believe that a crime has been committed, contact law enforcement.  At Layered Tech, we manage inbound abuse complaints for most of the domains hosted by us and we take complaints very seriously.
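Working out the abuse@ address from a sender or a web address is easy to get wrong by hand (display names, ports, paths and trailing dots all get in the way), so here is an added example that does it with the standard library.  It is not code from the original post or from Layered Tech; the inputs are constructed.  It keeps the full host name from the message or URL, and the comment marks where a public suffix list would be needed to trim that to the "end segments" the post refers to.

```python
"""Derive an abuse-reporting address from a From value or a URL (added example)."""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# A plausible host name: dot-separated labels ending in an alphabetic top-level label.
_HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def abuse_address(reference: str):
    """Return 'abuse@<host>' for an email From value or a web address, else None.

    Handles '"Name" <user@host>' style senders, URLs with ports, paths and
    query strings, and bare host names. Returns None when no usable host
    can be extracted, rather than guessing.
    """
    ref = reference.strip()
    if "://" in ref:
        host = urlsplit(ref).hostname               # strips scheme, port, path, query
    elif "@" in ref:
        _, addr = parseaddr(ref)                    # drops the display name
        host = addr.rpartition("@")[2] or None
    else:
        host = urlsplit("//" + ref).hostname        # bare host such as shop.example.com
    if not host:
        return None
    host = host.lower().rstrip(".")                 # normalise case and trailing dot
    if not _HOST_RE.match(host):
        return None
    # Assumption: the full host is used. Reducing mail.example.com to the
    # registrable domain example.com reliably requires a public suffix list.
    return f"abuse@{host}"


if __name__ == "__main__":
    for sample in ('"Holiday Deals" <promo@mail.example.com>',
                   "https://deals.example.net:8443/offer?id=1",
                   "Shop.Example.org.",
                   "not a domain"):
        print(f"{sample!r:50} -> {abuse_address(sample)}")
```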

One bit of data that the bad guys would like to get is your Credit Card information.  I have already talked about being cautious on web sites and with email.  The same cautionary tales apply to unrequested telephone solicitors.  One of your better defenses against credit card fraud is to examine your charges often.  I make it a point to examine all of my credit card charges at least five times per week.  As soon as I see a charge that is suspicious, I notify the credit card company.  Most are very willing to work with you on fraud issues.

If you do not have a Smartphone or Tablet, you may be receiving one this holiday season.  Between apps that allow you to shop, bank and engage on social media, your device contains a treasure trove of data.  Regardless of when you get your device, I recommend taking the following measures:

  • Lock it – Most devices have either a swipe pattern or PIN or password capability.  Activate this feature as soon as you have your device.  A longer password is better than a four-digit PIN and a complex swipe is better than a simple one.
  • Backup your data – Whether through your synchronization software or other means, do this often.
  • Hang on to your device – If they don’t have it, they can’t use it.
  • Determine how to find it – Using Find My iPhone, Where’s My Droid, Plan B, Lookout or similar apps will allow you to locate, message and even wipe your device clean of data, should you lose it.  Of course your data is still backed up if you followed the second step.
  • Report missing devices – Your carrier and local police department may be able to take steps to locate or prevent reuse of your device.

Being aware of your surroundings and of the value of your data allows you to be a happy and safe holiday consumer.  Here’s to a great start to the holiday season this year!

Image Credit: 401(K) 2012
