Equifax Faces $70 Billion Lawsuit

As every business becomes more interconnected across the state, cybersecurity is no longer just an information technology (IT) problem, it is a business problem.

Cybertech and the State of Indiana will hold its kick-off Cybertech Midwest event on Oct.  23, 2018 for executives, managers, critical infrastructure owners and operators to learn how to strategically prepare, respond, and recover from a cyber attack.  Sentree Systems, Corp. will host a booth at this awesome event, so come out and see our latest solutions.

 

“We are absolutely thrilled to bring the Cybertech to Indiana for our flagship U.S. event,” said Amir Rapaport, founder of Cybertech. “We see Indiana as the ideal location for our Cybertech event due to its vibrant cyber eco-system, with incredible involvement and passion from the state, industry, academia and local government when it comes to cybersecurity, protection and innovation.”

This thought-provoking conference and exhibition will present on global cyber threats, solutions, innovations, and technologies. Speakers and panelists will focus on cyber threat and strategies for meeting diverse challenges in sectors such as healthcare, utilities, small businesses and local government.

Attendees will also meet decision-makers from the leading companies, startups, government officials, investors, academics, and other professionals changing the global cyber landscape.

Speakers will include Indiana Governor Eric Holcomb, Indiana Lt. Governor Suzanne Crouch, Secretary of State Connie Lawson, Director of the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST) Rodney Petersen, as well as speakers from Eli Lilly and Company, Purdue University, Indiana University, KSM Consulting, Indiana Department of Homeland Security, Indiana Office of Technology, and more.

 

For more information or to register, visit midwest.cybertechconference.com.  

For many industrial and commercial purposes, there are tremendous benefits, in terms of system management, for increased connectivity with the technological innovations of the Internet of Things (IoT). This also brings many new security issues to consider. A new level of security risk comes from the expansion of the IoT to connect devices. These risks come from connected devices that are communicating in less-than-secure ways. Every piece of equipment that is connected through the IoT may create a security breach.

Risks Caused by Medical Devices

An example of this new type of risk is experienced by healthcare organizations that are becoming aware of the cyber vulnerabilities of medical devices. The U.S. Department of Homeland Security (DHS) issued six alerts since April 2018 advising major healthcare organizations about the security risk of medical imaging equipment and patient monitoring devices. The DHS has a special Industrial Control System Emergency Response Team that is tasked with the goal of discovering vulnerabilities in all types of equipment.

Recent security alerts from DHS include notices about devices with these problems:

  • Improper authentication procedures
  • Personal information exposure
  • Missing encryption
  • Memory read/write vulnerability
  • Denial of service potentials

These risks can cause harm to patients if they are exploited.

Risk Mitigation

Healthcare companies now are encouraged to conduct security audits that include an evaluation of connected medical devices. These organizations must also track and record any security risks found in their operations caused by devices and the remediation steps taken to remove the risk.

The challenges include finding things with vulnerabilities that the organization can update with software security patches, checking for proper configurations, and adding system architecture controls. Other things may need to be fixed by the vendors. There should be an ongoing effort to identify vulnerable devices. Taking them offline to fix them or relocate them may cause operational problems. There is a balance between managing the devices to improve security and understanding the effect on operations when the equipment is not available for clinical procedures.

Conclusion

Companies, especially those in the healthcare industry, need to be aware of the risks caused by devices used in their operations. Contact Sentree Systems Corp. for a security review and to get advice about how to manage security risk caused by devices that are connected to the IoT. Sentree serves Indianapolis, Avon, Plainfield, Carmel, Fishers, Noblesville, and the surrounding areas in Indiana.

New privacy and data security rules are now in effect for any company that has some of its operations in Europe or has some customers from there. The European Union (EU) passed a law called the General Data Protection Regulation (GDPR) that requires businesses to give EU customers more control over how their personal data is collected, what permissions are required for a company to use it, and what can be done with the information. This law went into effect on May 25, 2018.

Any American company that has customers from the EU needs to be in compliance with the GDPR regulations. It is likely that over the next few years similar regulations will be imposed by the U.S. government on companies in the USA as well.

GDPR is in Response to Data Breaches

The GDPR law is in response to the continuing problem of data breaches being experienced by many companies including large online retailers and companies that are tech giants. Facebook got into serious trouble over the Cambridge Analytica data hack of its system.

Under the GDPR rules, any company that has any data on any person from the EU must notify regulators within 72 hours of the discovery of a major data breach. This means that even U.S.-based companies need to be in compliance if they have an office in the EU, share data with a company there, or have online customers from the EU.

Another new GDPR rule requires companies to make it very easy to opt-in and opt-out of data collection. Companies who fail to do this correctly face a fine of up to 4% of their annual level of global sales or about $23.5 million, whichever is a greater amount.

Conclusion

The new GDPR rules are considered the best practices. Many American companies are taking the proactive stance to be in compliance with GDPR regulations even if they are not required to follow the GDPR rules by law. Work with the experts at Sentree Systems Corp. to find out how to change information collection, storage, and usage procedures to be in compliance with the new GDPR rules.

Not all things need to be online. In fact, there are some systems and information that should never be online and instead be secured by a private offline network. This strategy is known as using an “air gap” between systems and the public Internet.

Improved Security Using Offline Systems

Using an offline network for critical path functions and data security reduces the risk of a data breach. This is an excellent strategy, however, it is not 100% secure. In any security review, the IT security experts look at outward-facing systems that connect directly with the Internet, opportunities to manage system networks offline to improve security, and the risk of “human engineering” hacking attempts. Human engineering security breaches come from the tricking people into doing something that allows a security breach. Using an air-gap strategy needs to be enhanced with increased personnel security, such as extensive background checks, limiting personnel access to systems, and physical security barriers to access sensitive data.

Offline Protection of Personal Data

Any organization that handles personal data, such as credit card information or medical records, has a severe obligation to make sure the data is protected. Access to this information should be managed on a need-to-know basis. For example, credit card data only needs to be used for secured transactions. If it is stored by a company that information should be stored offline and secured by encryption.

For medical records, there are severe penalties for data breaches under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In some cases, these penalties have been in the many millions of dollars. This means anyone handling such data needs to protect it like they are guarding the gold at Fort Knox. This is the kind of information that benefits from offline storage using a private network, with point-to-point information tunnels that pass data from one place to another only when it is encrypted in order to only permit authorized access to the data.

Conclusion

The risk of experiencing a data breach when there is unnecessary exposure of data to the public Internet can be better managed by taking the sensitive data offline.

Consult with Sentree Systems about how to manage an online presence combined with a private offline network for better security. Every business of any size can benefit from this approach.

The beginning of a new year is a great time to have a comprehensive data security analysis and to create a new strategic data security plan. There is plenty to be worried about when it comes to data security. Data security is something that needs to be constantly monitored in order to be effective. New threats are coming up every day.

Luckily, a small-to-medium-sized business does not have to go at this alone. In fact, having a service contract with a specialist in data security is probably one of the smartest things a business can do.

Here are a few significant things to consider when making a strategic data security plan for 2018:

Internal Security Breaches

It does little to stop a security breach if the entire focus is on external attacks and the security breach comes from within. Authorized users have been known to simply make copies of sensitive data files and walk out the door with them. Disgruntled employees can wreak havoc on data security when leaving a job.

Best practices include using high-quality background checks, restricting access to data on a need-to-know basis, and being able to immediately terminate access for any user.

Ransomware

Ransomware is a type of malware that when a user downloads it, it installs itself, and then encrypts the data on a system to lock the users out. An extortion demand is made for a payment in anonymous cryptocurrency like Bitcoins in order to get the encryption key to unlock the data. These extortion demands range from a few hundred dollars to millions. There is not even a guarantee that paying the ransom will get the data back.

Best practices to avoid this risk are to maintain real-time data backups that are made and then kept in protected storage offline. If a ransomware attack occurs, these backups can quickly bring the organization back to current working-status.

Two-Factor Authentication

All external-facing systems need to have a two-step authentication process using one-time use authentication code for the second step. The benefits of this strategy are significant in blocking unauthorized access. The way it works is an authorized user logs in with a complex password and then the second step sends a text message to a secured mobile device that is used by that person to complete the login process. If the mobile device is lost or stolen the second-step is canceled.

Sentree Systems Corp. is a highly-qualified data security consulting company that works with small businesses in Indiana, serving Indianapolis and the surrounding areas including Avon, Carmel, Fishers, Plainfield, and Noblesville Every business should assume they have either been attacked, are being attacked, or will be attacked. Fast detection and swift response are the small business owner’s only defense. Contact us today to learn more about these strategies at www.sentreesystems.com

 

[contentblock id=72 img=gcb.png]

What do email scams, death threats and bitcoin have in common? Together they are being used by scammers to steal money from innocent victims. This is by no means a new threat (it’s been around since 2006) but it’s one that’s getting some new recognition. The FBI recently issued a warning about the uptick in these scams and we know if the FBI is talking about it, it’s a big deal.

Threat: Death Threat Scams

Do You Need to Worry: Yup! Everyone is at risk. The scam goes a little something like this: recipient receives a threat via email and is ordered to pay in virtual currency (like bitcoin) or prepaid cards otherwise they or their family will be harmed. Keep in mind that this scam could also come in the form of a text message and they might be after more than just money – they may try to obtain your personal information, account numbers, etc.  

What Can You Do About It: Contact the police immediately and follow their advice. You should also file a complaint with the FBI’s Internet Crime Complaint Center (IC3.GOV).

 

 

There is a massive scam campaign going on, this time a very well executed Netflix phishing attack.

The scam targets subscribers telling them that their account is about to be canceled. The well-designed, individualized fake email convinces customers to update their account information to avoid suspension. This results in stolen personal and credit card information.

The email has the subject line “Your suspension notification” and includes a link where the subscriber is taken to a fake Netflix page which requires their log-in information as well as credit card number.

The scam was detected Sunday and it targeted nearly 110 million Netflix subscribers. As mentioned, the fake site includes Netflix’s logo as well as popular Netflix shows like “The Crown” and “House of Cards” to make it seem legitimate.

Organizations in Russia, Ukraine and the U.S. are under siege from Bad Rabbit, a new strain of Ransomware with similarities to NotPetya the last horrible outbreak.

The outbreak started Tuesday and froze computer systems in several European countries, and began spreading to the U.S., the latest in a series of attacks.bigstock-Manager-Pushing-Ransomware-Ons-116826572-

Department of Homeland Security’s Computer Emergency Readiness Team issued an alert saying it had received “multiple reports” of infections.
Russia’s Interfax news agency reported on Twitter that the outbreak shut down some of its servers, forcing Interfax to rely on its Facebook account to deliver news.

Bad Rabbit Starts With Social Engineering

The outbreak appears to have started via files on hacked Russian media websites, using the popular social engineering trick of pretending to be an Adobe Flash installer. The ransomware demands a payment of 0.05 bitcoin, or about $275, from its victim, though it isn’t clear whether paying the ransom unlocks a computer’s files. You have just 40 hours to pay.

Bad Rabbit shares some of the same code as the Petya virus that caused major disruptions to global corporations in June this year, said Liam O’Murchu, a researcher with the antivirus vendor Symantec Corp.

Based on analysis by ESET, Emsisoft, and Fox-IT, Bad Rabbit uses Mimikatz to extract credentials from the local computer’s memory, and along with a list of hard-coded credentials, it tries to access servers and workstations on the same network via SMB and WebDAV.

The hardcoded credentials are hidden inside the code and include predictable usernames such as root, guest and administrator, and passwords straight out of a worst passwords list. (Note To Self: all user passwords need to be strong, guide all employees through a strong password training module ASAP.)

As for Bad Rabbit, the ransomware is a so-called disk coder, similar to Petya and NotPetya. Bad Rabbit first encrypts files on the user’s computer and then replaces the MBR (Master Boot Record).

Ouch, that basically bricks the workstation!!!

[contentblock id=97 img=gcb.png]

 

When news broke that the credit reporting agency Equifax had suffered a data breach, consumers around the country began to question the safety of their personal information.

After all, credit reporting agencies have access to most of your personal identifiable information (PII): name, address, birth date, Social Security number, and more.Finding out that the PII for more than 143 million US consumers had been stolen was upsetting, to say the least.

Now, consumers are being cautioned about what can happen with that information, and what steps they can take to protect themselves.

1. Beware of phishing attempts in “news” articles:

Immediately after the announcement of the data breach, articles began circulating that contained a link that lets you find out if your data was stolen. While Equifax has a dedicated web page that lets you enter your information and see if you’ve been exposed, it takes no work at all for scammers to create their own link, request your information for “verification” purposes, and then steal your data. Before clicking any links or entering any personal data, make sure you’re using a verified link that was issued by the correct source.

2. Emailed phishing attacks have already been reported:

There are already scam emails in circulation that suggest you check your credit report by using their handy link. The easiest way to verify an email’s sender is to hover your mouse over the sender’s name. The actual address used will appear in a small box. To be on the safe side, don’t click through from any emails you receive; if you’re told to check your credit report, use a verified request service or form instead of the emailed link.

3. Be on the lookout:

Because genuine information was stolen, be extra diligent about monitoring your account statements, looking for unauthorized charges, tracking and reporting any suspicious activity, and keeping a close eye on your credit reports. Never provide your sensitive information for verification purposes; if you receive a warning or alert, contact your financial institution directly using an approved contact method.

To visit Equifax’s verified link to discover if your information was stolen, go directly to Equifax’s website and follow the steps they suggest. If you do experience any strange activity on your accounts, report it immediately, no matter how minor it might seem at first. Be sure your antivirus software is up-to-date to block any malicious threats from fraudulent emails or messages, and consider placing fraud alerts and security/credit freezes on your credit report with the three reporting agencies if your information was accessed.

 

Read More Here @ITRC

 

Most everyone has heard something about the Latest breach of Equifax. Here is some of the latest information.

 

The massive Equifax data breach has already led to the filing of more than 30 lawsuits seeking class-action status. One of the lawsuits, filed in Portland, Oregon, is demanding up to $70 billion in damages.

 

The lawsuits are just one measure of the fury generated by Equifax – one of the three biggest U.S. data brokers – revealing Thursday that it suffered a breach, beginning in May, that exposed to hackers 143 million consumers’ personal details, including information that could be used to commit identity theft.

In its alert issued Thursday, Equifax said that it discovered the breach July 29 and launched a website that consumers can use to see if their data was exposed. The company is offering all U.S. Equifax Faces Mounting Anger, $70 Billion Lawsuitconsumers one year of prepaid credit monitoring, which includes freezing their credit reports on Equifax. But it has not offered to do the same with consumers’ credit reports at other data brokers.

Almost immediately following the breach notification, affected consumers began filing lawsuits – more than 30 by Monday, Reuters reports. Meanwhile, attorneys general in at least five states – including New York and Illinois – have also announced formal breach investigations. And several Congressional committees are launching or eyeing breach-related hearings. Equifax has also promised to work with regulators in Canada and the United Kingdom, where some victims reside.

Hardest hit by the breach, however, were those who live in the U.S. The breach exposed information on nearly half of all U.S. adults, including names, birthdates, addresses, Social Security numbers and in some cases, driver’s license numbers. All of that data is regularly used to verify an individual’s identity, and thus it’s also valuable for identity thieves.

“The quality of data potentially compromised is very valuable to cybercriminals,” cybersecurity attorney Imran Ahmad tells Information Security Media Group. “What these guys are looking for is high value bits of information. The reason they like this type of data is because they can easily on the darknet sell these and create virtual profiles and sell them to others.”

 

Seeking Justice

Numerous security watchers have called for Equifax to publicly atone for the breach – and do so quickly – and have called on anyone who has a choice of data brokers to immediately stop working with Equifax. Some also want to see Equifax CEO Richard Smith ousted.

“Smith should resign. If he does not, his board should fire him,” says information security expert William Hugh Murray, who’s a senior lecturer at the Naval Postgraduate School.

Three other Equifax executives sold stock in the company after it learned of the breach, but before it issued a public notification (see Equifax Breach: 8 Takeaways).

The U.S. Securities and Exchange Commission declined to comment to ISMG about whether it will investigate the timing of those stock sales.

Equifax has released a statement saying that the executives – including its chief financial officer – had been unaware that the breach had occurred when they sold shares.

Murray, meanwhile, recommends the three “resign and flee the country before the Feds come after them for insider trading.” And for good measure, he adds, “the CISO should update his resume.” As ISMG has previously reported, however, that job position was, until recently, being advertised as vacant.

 

Lawsuit Seeks Up to $70 Billion

Equifax already faces multiple lawsuits over the breach, including one filed in Oregon by Mary McHill from Portland and Brook Reinhard from Eugene. Their lawsuit seeks class-action status on behalf of everyone affected by the breach and demands damages of as much as $70 billion. It was filed by law firm Olsen Daines PC, together with Geragos & Geragos, which Bloomberg reports is a law firm known for launching splashy, high-octane class actions.

“This complaint requests Equifax provide fair compensation in an amount that will ensure every consumer harmed by its data breach will not be out-of-pocket for the costs of independent third-party credit repair and monitoring services,” according to the complaint.

Reinhard, for example, says that he spent $19.95 to buy “third-party credit monitoring services he otherwise would not have had to pay for.”

The lawsuit also alleges that Equifax failed to invest sufficiently in its information security program. “In an attempt to increase profits, Equifax negligently failed to maintain adequate technological safeguards to protect [individuals’] information from unauthorized access by hackers,” according to the complaint. “Equifax knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach. Equifax could have and should have substantially increased the amount of money it spent to protect against cyberattacks but chose not to.”

Many breach-related lawsuits, however, have failed, with the cases often being dismissed because plaintiffs failed to prove they suffered unreimbursed financial losses (see Why So Many Data Breach Lawsuits Fail).

Is Your COMPANY's Data on the Dark Web, Find out TODAY!!!

GET YOUR FREE DARK WEB SCAN TODAY!!!

Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282