Thursday, October 25, 2012

Barnes and Noble POS Breach: My Interviews with Store Managers

Now before we begin, I'm a big fan of reading and of Barnes and Noble in general, so I found this particular breach very interesting. After working with them as a customer a few years back, and even being considered for a few security positions in their organization, I felt somewhat enamored of them. During these encounters I was always left with a good impression of the people, culture and business. Knowing this, I became very interested in their breach and wanted to find out as much as I could about it and how they handled the situation.

Once I heard they were breached I spoke with two store managers regarding the incident and their impression of how it was handled. The first store I visited wasn't part of the breach, but I went there to get a better view of how they were handling the incident in general. Once a POS is breached it's imperative that you not only replace and remediate the systems which were abused, but also eradicate the possibility of an attacker coming back. This would be part of the containment and eradication phases of the incident handling process. During my visit to the store I talked with the store manager on staff, who spoke freely about the incident, or at least what she was aware of, without questioning me or asking why I was there.

From her responses, only the PIN pads were affected and altered by an outside party. To her knowledge this was not an inside job. She also mentioned that they had known about the incident for the past month or so and were working with federal agents to gather more information. The store manager also said that as soon as the breach was found they removed all PIN pads from each of their 700 stores on the same day and are now looking into further details. This shows me that Barnes and Noble took this breach seriously by moving quickly to eradicate the threat of additional theft, especially with the holiday season approaching. I went to this store on purpose to see how they were dealing with the incident as a whole, and not as isolated incidents. They passed this test.

After first going to a store that wasn't hit, I then spoke via a phone call with a store manager at a site that was targeted. This store happens to be about 10 miles from the first store I visited and in a much wealthier part of town, which leads me to think that the thieves had a good idea of where they were aiming based on the store locations. This is a theory, but it would make sense: if you're trying to make money, hit the place with debit/credit cards that have the most on them; common sense really.

Anyway, when speaking with this store manager he seemed very helpful at first when I asked him the same questions about how it happened, when it happened and if they'd be getting the PIN pads back, if at all. At first he was very helpful and gave me the same canned answers as the first store manager, but after he realized that I was starting to ask more technical questions he diverted me to another associate after a few minutes of hold time. Apparently I was taken for someone from the media and was forwarded to someone who was slightly more polished with their answers, which I once again found very reassuring. They passed another test.

Overall, everyone is vulnerable to attack at some point in time, but in reality it's how you deal with the fallout that keeps you from becoming an even bigger mess. From my first glimpse, the way Barnes and Noble responded to the incident, by removing the affected systems, giving the people at their shops the knowledge to speak without giving too much away, and diverting curious folks like myself to more "in the know" individuals, is a sign that they're taking this breach very seriously, as they should. In the long run this could very well save them from additional embarrassment. They also have a list of the stores that were targeted on their site and are being transparent about the breach. It's my opinion that as of right now they're dealing with this breach in a responsible manner, which in the long run could be one of their saving graces.

You can view the breach notification released by Barnes and Noble here for further details:

Wednesday, October 24, 2012

Risky Business: 5 Common Business Activities That Put Corporate Data at Risk

Most firms acknowledge that there is risk associated with the exposure of their confidential information.

This can be in the form of legal risk, if it relates to personal information, or competitive risk, in the case of commercial information, like trade secrets and client lists.

Most firms maintain security policies and procedures to mitigate these data security risks. These can range from adding passwords on smart phones used outside the office, to signing complex NDA agreements with third parties when confidential information is shared, like in an M&A transaction or a licensing deal.

However, while these measures provide some level of risk mitigation, many firms still continue to engage in risky day to day business activities that can jeopardize these efforts.
For the most part, these risky activities are an afterthought, as they center on three necessary components of every business person’s day – email, third parties and being out of the office.
Your confidential information is at an increased risk of being exposed if you engage in even one of the following activities:

1. Send confidential or sensitive documents to third parties via email

2. Share confidential or sensitive documents with third parties for a limited time

3. Access confidential or sensitive documents outside of the office

4. Transport confidential or sensitive documents using zip drives or hard drives

5. Store confidential or sensitive documents on your own servers in your office

Below are a few examples of what can happen if just one confidential document gets emailed to the wrong person, or a firm relies on 'traditional' methods to deliver sensitive information.

Flash Drives

In November 2011, the personal information of current and former employees at Regions Financial Corp was compromised after a flash drive went missing. The flash drive, which contained information about thousands of 401k retirement plan participants, including their names and social security numbers, was mailed by an external auditor to another one of its offices. To make matters worse, the flash drive was put in the same envelope as the decryption code, and when the package arrived, the flash drive was gone.

Email

In September 2009, a California judge ordered Google temporarily de-activate a Gmail account after a bank employee mistakenly sent sensitive data to the wrong recipient. When the employee realized his mistake, he immediately sent a second email, instructing the recipient to delete the email and attachment without opening it. When he got no response, the bank contacted Google to find out if the account was still active. However, Google would not disclose such information without a court order, so the bank had to sue Google to obtain the account holder’s name and contact information.

Accessing Data outside the Office

In August 2012, a software engineer for Motorola was sentenced to 4 years in prison for stealing trade secrets. The employee was stopped during a random security check at O'Hare International Airport in February and found to be carrying $31,000, along with hundreds of confidential Motorola documents stored on her laptop, four external hard drives, thumb drives and other devices. Prosecutors alleged that among the secrets she carried were descriptions of a walkie-talkie-type feature on Motorola cellphones, which prosecutors argued would have benefited the Chinese military.

These examples remind us that simple day to day activities could be putting your corporate data at risk, undoing all the things that security policies and procedures aim to protect.

Many firms are therefore implementing more secure document sharing methods, like virtual data rooms, to exchange information with clients and third parties.

A virtual data room is a cloud-based document repository used by business professionals to share confidential documents around M&A transactions, litigation, fundraising and government compliance. 

The administrator invites users into their online data room behind a secure login to review confidential documents. These documents are protected with 256-bit encryption and Digital Rights Management, allowing the administrator to control who can access certain documents and what they can do with them (e.g. view, print, or save). Administrators are also able to lock documents to an individual computer, or revoke access remotely, even after the document has been downloaded from the data room.

By using a virtual data room, the firm maintains complete control over how sensitive information is viewed, thereby mitigating the risk of it falling into the wrong hands. 

Wednesday, October 17, 2012

BYOD Initiatives Could Be Risking Corporate Data

The Bring Your Own Device (BYOD) phenomenon is gaining momentum. A recent survey by CIO Magazine revealed that by the end of 2011, nearly half of all mobile devices used in the workplace were employee-owned.

The reason is simple: employees like to use their own stuff. As consumers, they have access to some of the best devices (iPads, iPhones, Android phones, Android tablets) and all the apps that come with them. Employees don't want to use the clunky laptops and complex software of their employers, and they don't want the hassle of carrying around two separate phones.

Rather than fight it, the smart companies are embracing the BYOD trend. Kraft, Whirlpool and IBM are just some of the larger names that have already implemented BYOD guidelines for their employees.

However, at the same time, there are some serious concerns attached to BYOD schemes, especially around the security of corporate data.

BYOD — A Security Nightmare

Without a proper BYOD policy in place, employers can easily lose control over how and where their corporate information is stored. 

Cloud computing technologies now make it easy for employees to self-select and install their own business apps without consulting IT. This presents a significant security concern for employers, who have little insight into what apps are being used and whether they are secure enough to house confidential corporate information.

It's not uncommon, for example, for business users to use personal cloud solutions like Dropbox, iCloud and Google Drive to store business files. These applications are relatively cheap, if not free, and provide convenient access to documents from multiple locations. However, because they are designed for personal use, these applications also lack the vigilant security protection needed for confidential corporate data: things like data encryption, managed user permissions and offline document control.

The recent Dropbox security breach is a timely reminder of how easily information stored through these applications can be compromised. It's no surprise that in May 2012, IBM banned the use of Dropbox by all of its employees.

Lax Approach to BYOD Security Causes Major Headaches

Another concern around BYOD is the lax approach some employees take toward mobile device security.

According to a recent survey by Coalfire, 47 percent of respondents had no password protection on their mobile phone, even though 84 percent admitted to using this device for work.
What's more, 36 percent said they reused the same password, and 60 percent are still writing down passwords on a piece of paper!

Employees Unaware of Security Risks

The Coalfire survey also revealed that nearly half (49 percent) of respondents said their IT departments had not discussed mobile security or cyber-security with them. Only 25 percent reported a discussion with IT, suggesting that 75 percent were left to exercise their own judgment.

What's more, 51 percent said their company did not have the ability to remotely wipe data from their mobile device if it was lost or stolen, a huge problem if the device is also not password protected.

A BYOD Policy is Essential for Every Workplace

In order to reduce BYOD security risks, employers should implement a BYOD policy and update their other existing security policies to include the use of personal devices. They should also consider implementing the following initiatives.

5 Ways to Boost BYOD Security

•    Arm your employees with knowledge: Educate employees on the security risks and best practices for using personal devices in the workplace.

•    Power-on passwords: Enforce power-on passwords for all devices containing corporate data; a power-on password buys time to wipe a device in the event that it's lost or stolen. Companies should also extend policies around password-strength and password expiry for personal devices.

•    Monitor business app usage: Require employees to provide IT with a list of the business apps they are using, along with the account information (username and password). IT should have permission to monitor these apps, and check them before they are shut down permanently (especially after the employee leaves).

•    Stronger authentication: Enforce a stronger authentication process if users are allowed to store sensitive data or trade secrets on their smart phones or tablets.

•    Encryption or nothing: Make encryption the price of being allowed to keep corporate data on personal devices. This can be challenging in mobile security because there are different encryption options for various mobile platforms. Build and maintain a list of ‘approved’ devices that meet your security criteria.

While the BYOD phenomenon can’t realistically be eliminated, employers can learn to adapt. Part of this involves being vigilant in protecting their corporate information. Without the proper guidelines and employee education in place, they could stand to lose a whole lot more than they bargained for.

Content courtesy of Firmex Virtual Data Rooms