Proactive GRC Can Prevent AWS Security Breaches

Governance, risk, and compliance should be at the heart of AWS security procedures

Another day, another AWS security breach, and this one is particularly bad because of the extraordinarily sensitive nature of the data that was compromised: Over 9,000 documents containing personal data on job applicants holding U.S. security clearances, some of them Top Secret, were discovered sitting on an insecure AWS S3 bucket, where they may have been for as long as a year. Gizmodo reports:

[T]he cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.

Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm who discovered and reviewed the documents. Between 15 and 20 applicants reportedly meet this criteria.

The AWS bucket belonged to a company called TalentPen, a third-party vendor hired by private security firm TigerSwan to process job applications.

Sound GRC Can Prevent AWS Security Breaches

The TalentPen breach is only the latest in a long line of AWS security incidents, most of them involving third-party business associates of larger firms, such as Verizon and the Republican National Committee. The problem is so pervasive that Amazon itself recently sent out a mass email to customers with unprotected AWS S3 buckets, imploring them to review their security settings, and many companies are now questioning how secure the AWS service really is.

However, the problem isn’t with Amazon Web Services. AWS security is quite sound – if it is configured correctly, and if the enterprise using it follows sound GRC practices and applies them to on-premises data, data residing in the cloud, and, in the case of the companies hiring IT service providers, data being handled by those service providers.

It’s Your Data, and You’re the One Who Has to Secure It and Maintain Compliance

While AWS offers security protections such as encryption of PII both at rest and in transit, and AWS S3 buckets are set to private by default, these protections are only as good as the company that’s utilizing AWS. In the Verizon, RNC, TalentPen, and other recent breaches, someone went into the system and took specific steps to override the default AWS settings and open the buckets up for public viewing.

This raises very serious questions regarding data security and governance within these organizations. Who went into the AWS accounts and made these buckets public? Why did they do this? Why did they have the system privileges to access this data and make this change, and why did the change go unnoticed (in the case of TalentPen, perhaps for as long as a year)? Why was data this sensitive uploaded to the cloud in the first place? Comprehensive, consistent cloud security and AWS security protocols, combined with appropriate user access credentials and continuous system monitoring, would have prevented all of these breaches.
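
This added example (not from the original article) shows the kind of continuous monitoring described above: it scans CloudTrail-style S3 events for ACL or bucket-policy changes that expose a bucket publicly and reports who made the change and when. The event layout is simplified from CloudTrail's record format, and the ARNs, bucket names, and timestamps are constructed sample values.

```python
# Flag S3 API events that open a bucket to the public. All sample values are constructed.
PUBLIC_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
               "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PUBLIC_CANNED = {"public-read", "public-read-write", "authenticated-read"}

def as_list(v):
    return [] if v is None else v if isinstance(v, list) else [v]

def acl_is_public(p):
    # A public canned ACL header, or an explicit grant to a global group.
    if PUBLIC_CANNED & set(as_list(p.get("x-amz-acl"))):
        return True
    acl = (p.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    return any((g.get("Grantee") or {}).get("URI") in PUBLIC_URIS
               for g in as_list(acl.get("Grant")))

def policy_is_public(p):
    # An unconditional Allow statement whose principal is a wildcard.
    for s in as_list((p.get("bucketPolicy") or {}).get("Statement")):
        pr = s.get("Principal")
        wild = pr == "*" or (isinstance(pr, dict) and "*" in as_list(pr.get("AWS")))
        if s.get("Effect") == "Allow" and wild and not s.get("Condition"):
            return True
    return False

CHECKS = {"PutBucketAcl": acl_is_public, "PutBucketPolicy": policy_is_public}
def find_public_bucket_changes(events):
    """Return (time, actor ARN, bucket, API call) for each change that exposes a bucket."""
    out = []
    for ev in events:
        p = ev.get("requestParameters") or {}
        check = CHECKS.get(ev.get("eventName"))
        if ev.get("eventSource") == "s3.amazonaws.com" and check and check(p):
            out.append((ev.get("eventTime"), (ev.get("userIdentity") or {}).get("arn"),
                        p.get("bucketName"), ev["eventName"]))
    return out

def sample_event(time, who, name, bucket, extra):  # builds one constructed record
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": who}, "requestParameters": {"bucketName": bucket, **extra}}
ADMIN = "arn:aws:iam::111122223333:user/example-admin"  # constructed identity
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}
SAMPLE_EVENTS = [
    sample_event("2017-01-10T09:00:00Z", ADMIN, "PutBucketAcl", "example-a", {"x-amz-acl": ["private"]}),
    sample_event("2017-02-01T14:30:00Z", ADMIN, "PutBucketAcl", "example-a", {"x-amz-acl": ["public-read"]}),
    sample_event("2017-02-02T08:15:00Z", ADMIN, "PutBucketPolicy", "example-b", {"bucketPolicy": ALLOW_ALL}),
]

print(find_public_bucket_changes(SAMPLE_EVENTS))
```

Each finding names the identity behind the change, which is the starting point for the access-privilege questions raised above.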

Compliance is another issue when using AWS or other cloud services. While AWS contains tools that customers can use to ensure they comply with major IT audit frameworks, such as HIPAA, PCI DSS, NIST, and FISMA, it would be impossible for AWS, or any other provider, to ensure that all of their customers are covering every aspect of the specific compliance requirements that apply to them. Thus, AWS operates on a “shared responsibility” model, where AWS itself is responsible for the security and compliance of their cloud, while their customers are responsible for the security of the data they store within it.

In the end, it is your data, and you are the one who is ultimately responsible for it – even if a third-party vendor is the one who mishandles it.

Addressing governance, risk, and compliance in the cloud and throughout your cyber ecosystem can be a challenge, but in the end, proactive GRC is much less expensive than cleaning up after a data breach.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Latest Anthem Breach Traced Back to Third-Party Vendor

New Anthem breach underscores the need to manage cyber risk throughout the enterprise ecosystem

Anthem – yes, that Anthem – has been hacked again. About a month after the beleaguered health insurer agreed to fork over a record-setting $115 million to settle a class action lawsuit related to its massive 2015 breach, it was breached again, or rather, one of its third-party vendors was. The 2017 Anthem breach involves approximately 18,000 Medicare members whose personal information was stolen by a malicious insider employed by LaunchPoint Ventures, a Medicare insurance coordination services firm. Healthcare IT News reports:

LaunchPoint discovered on April 12 that an employee was likely stealing and misusing Anthem and non-Anthem data. The employee emailed a file containing information about Anthem’s members to his personal address on July 8, 2016.

The file contained Medicare ID numbers, including Social Security numbers, Health Plan ID numbers, names and dates of enrollment. Officials said limited last names and dates of birth were included.

Takeaways from the Latest Anthem Breach

The Anthem breach is the latest to underscore the need for organizations to manage cyber risk throughout their entire enterprise ecosystem. Anthem’s own systems weren’t hacked; their third-party vendor was. Other recent victims of third-party breaches include Netflix, the Republican National Committee, Trump Hotels, Verizon, and Google (which was impacted by a breach at a third-party vendor of one of their third-party vendors).

As organizations outsource more and more IT services, from payroll to billing to web development, hackers are increasingly targeting these service providers. It is estimated that 63% of all enterprise breaches can be traced back to a third-party vendor. Hackers may choose to attack these service providers because many of them are smaller firms whose cyber security may not be as robust as that of the national or multinational corporation whose data they really want.

Know Your Vendors

The danger of third-party data breaches is one of the reasons why the U.S. Department of Defense is requiring not only its primary contractors, but any firm they subcontract DoD work to, to be compliant with the DFARS security standard by the end of 2017.

Private-sector organizations should take a cue from the DoD and only do business with IT service providers who have released AICPA SOC / SSAE16 reports and/or who have important IT security certifications such as NIST, ISO, or FedRAMP. These organizations have proven their commitment to the highest levels of data security by undergoing rigorous security audits that require them to adhere to certain procedures and controls and put them in writing.

Likewise, IT service providers should obtain the appropriate data security certifications and demonstrate to their customers that they have strong security controls in place. Continuum GRC’s IT Audit Machine (ITAM) empowers organizations to get and maintain compliance the easy way, with self-help modules covering numerous compliance standards, including FedRAMP, SSAE 16, COBIT, ISO 27001, ISO 27002, ISO 27005, SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC CIP, DFARS, and other federal and state mandates.

Don’t Expect to Pass the Buck

Just because a breach is your vendor’s fault doesn’t mean your organization will be shielded from liability. The $300 million Target breach, which resulted in both the CEO and the CISO losing their jobs, involved a third-party point-of-sale vendor.

The scope of potential liability just broadened; shortly after news of the Anthem breach broke, a U.S. Court of Appeals issued a ruling against health insurer CareFirst, allowing a class-action lawsuit filed by customers impacted by a 2014 breach to move forward. The ruling is expected to have wide implications, allowing customers not only of health insurers but any company to sue if their personal information is stolen.

Ensuring good governance, risk management, compliance, and cyber security throughout your enterprise ecosystem takes far less time and costs far less money than doing damage control after a breach happens.

Ethereum ICO Hacks Rattle Investors

Cryptocurrency Investors on Edge after Two Ethereum ICO Breaches in a Week

Initial Coin Offerings (ICOs) powered by the Ethereum blockchain platform are the hottest thing going right now, but are they secure? On July 24, 2017, the second Ethereum ICO hack in a week hit the news, as digital wallet firm Veritaseum disclosed to Bleeping Computer that a hacker stole approximately $8.4 million from its Ethereum ICO.

Ethereum has had a rough month. A week before the Veritaseum hack, cryptocurrency trading startup CoinDash had $7 million stolen from its Ethereum ICO within minutes of the offering being launched. A few days later, smart contract coding company Parity issued a security alert regarding a vulnerability in its wallet software that had led to approximately $30 million worth of Ether cryptocurrency being stolen. In early July, an unidentified hacker or group breached and took control of the web domain belonging to Classic Ether Wallet, redirecting the domain to their own server and transactions to their own account.

What is an Ethereum ICO?

An ICO is similar to an IPO (Initial Public Offering). Investors use regular, or fiat, currency to invest in the ICO, but instead of receiving units of stock in return, they get units of cryptocurrency, called “tokens.” The investors can either hold the tokens until the issuing company decides to buy them back or sell them to other users in exchange for units of cryptocurrency. Any unit of cryptocurrency can be used; in ICOs powered by the Ethereum blockchain, the cryptocurrency used is called Ether. If all goes well, the cryptocurrency will increase in value, and the investors will profit off their tokens.

Unlike IPOs, initial coin offerings are completely unregulated. This has made them very attractive to disruptive tech startups that wish to bypass the highly regulated IPO process required by banks and venture capitalists. Ethereum ICOs have become extremely popular due to the power of the Ethereum blockchain platform they run on. Unlike competitor Bitcoin, Ethereum is far more than just a cryptocurrency platform; it was designed to be a virtual machine that uses what are called “smart contracts,” or decentralized, self-executing agreements coded into the blockchain itself. Smart contracts are a disruptive technology with enormous potential to replace all manner of traditional financial, social, and legal agreements, from options contracts to bonds, which is one reason why Ethereum is quickly becoming the ICO platform of choice.

Are Ethereum and ICOs Safe?

Because they are unregulated, ICOs are risky. There is no requirement for companies to provide the voluminous investor disclosures that they would have to for an IPO. There are fears that ICOs could be used for money laundering purposes or that the issuers themselves could “hack” their own ICOs and steal tokens. These problems have not escaped the attention of the SEC, which is reportedly eyeing the ICO market warily in preparation for future regulations. Update: After this article went to press, the SEC, NFA finally weighed in on ICOs, declaring them “securities” and paving the way for regulation.

As to the inherent cybersecurity of Ethereum, Ether wallets, and ICOs launched on the Ethereum platform, it is important to note that, as in the SWIFT Network attacks that rocked the international banking world last summer, the Ethereum blockchain itself was not breached during any of these attacks. Instead, in each case, hackers took advantage of website vulnerabilities or coding errors in third-party tools built to make use of the Ethereum blockchain, such as Ether wallets. The blockchain, in and of itself, is very, very secure – it would take massive amounts of computing power to even attempt to hack it – but the applications used to access it, including those used to buy, sell, and store tokens and cryptocurrency, may not be. The Parity breach, for example, was traced back to a single missing word in a line of code for its Ether wallet. The CoinDash and Classic Ether Wallet breaches were the fault of security holes in the issuers’ company websites.

Although cryptocurrency investors are concerned about the recent spate of Ethereum ICO attacks, only time will tell whether they’re rattled enough for permanent damage to be done to the ICO craze. Certainly, anyone who is considering investing in an ICO, regardless of which platform it is being run on, should tread carefully. The lesson all enterprises can take from these hacks is the importance of website security, secure software development, and proactive cyber security and GRC practices in a digital world where most money, including fiat currency, is moved and stored electronically.

After all, just one missing word in a software program resulted in a $30 million loss.
