Monthly Archives: February 2018

How a Sneaky Data Hack Increases Liability Risks for Corporate Directors

Adsero Security develops long-term solutions that are supported by written policies. Issues such as hacking arise, and they can be prevented via penetration testing. Check out this article about how easy it is for organizations to be hacked.

Directors Facing Increased Liability for Data Breaches

Because two of my clients – 360 Advanced and Adsero Security – provide IT data breach auditing and remediation services, I was especially interested when I learned of how a major corporation had been so easily hacked recently.

The hackers got inside the corporation’s accounts payable department and had a pretty hefty check sent to them, which was cashed and cleared. The corporation’s vice president for information technology (IT) and his team reported to the board at its monthly directors and management meeting that “everything’s OK now.”

Is it? Could the hackers still be inside, or worse, inside the company’s vendor and partner IT systems?

“Duty of care” Demands Auditing Risks as Hacks Increase

Statistics show that once data thieves are in, they can hide for months undiscovered until they strike again – this time at an even greater cost to the victim and their vendors and partners. Data thieves got inside Target through an air conditioning/heating vendor and loitered at their leisure, and Yahoo! and Equifax still aren’t certain who breached them or how.

Which brings me back to the corporate board of directors. The corporation victimized by the hackers in this instance has not had an outside, third-party audit of its IT systems and data security processes and protocols by a QSA – Qualified Security Assessor. Could that failure lead to a lawsuit against its officers and directors for failure to exercise the concept of duty of care when there is another future hack? With news of major hacks every day now, should boards be more diligent in ordering management to have such audits?

Hacked at Sea: Concerns Grow Over Lax Cybersecurity for Ships, Ports

With a combined 45 years in IT security, Adsero’s principals have seen it all. There is no problem we can’t solve. By land or sea, we always have your back. Check out what happens when you are hacked at sea.

As hacking risks grow and maritime operations become more digitally connected, experts in industry and government have long said no one is prepared. This summer was a wake-up call.

The Port of New York and New Jersey is the largest port on the east coast of the United States, touted by officials as the “gateway to one of the most concentrated and affluent consumer markets in the world.” But for a few weeks last summer, the goods moving through one of its terminals slowed to a crawl because of a global cyber attack that originated 4,500 miles away.

“The delays were six to eight hours to pick up a container,” said Jeffrey Bader, chief executive of the trucking company Golden Carriers, recalling when a terminal in Elizabeth, New Jersey, switched to manual operations while its systems were down. “The line was many, many miles long. Trucks, trucks, trucks.”

The terminal’s operator, APM Terminals, is a subsidiary of the world’s largest container shipping company, A.P. Moller-Maersk Group. The company, which transports roughly 20 percent of the world’s cargo containers, was among the hardest hit by the NotPetya ransomware. NotPetya sprouted in hacked accounting software in Ukraine in late June, and by exploiting a weakness in Microsoft Windows operating systems, quickly went global as it infected corporate networks and locked down the data of contaminated computers. Hackers would usually restore access after a ransom payment is made, but NotPetya was engineered to cause chaos more than extort funds, cybersecurity experts say.

Maersk and many other global firms affected, such as FedEx and pharmaceutical giant Merck, were not specific targets of the attack, but that didn’t matter. In a “heroic effort” over 10 days, Maersk reinstalled 4,000 servers, 45,000 personal computers, and 2,500 applications, chairman Jim Hagemann Snabe said at the World Economic Forum meeting in Davos last month.

What your employees need to know about cybersecurity

An IT Security audit merely observes the status of your environment, and always requires follow-up to address the deficiencies the audit identified. Most firms don’t have the staff to effectively execute implementation and develop written policies to continually safeguard their businesses. That is where Adsero Security has demonstrated expertise. Adsero Security can teach your employees what they can do to be safe. Read on to learn some office basics to prevent cybersecurity issues.

If you are not educating your employees on cybersecurity best practices, you are missing the biggest opportunity for improvement in your cybersecurity profile.

Employees have business-need access to a lot of important data, and their ability to protect that data – or to inadvertently let it walk out the door of your organization – is vital.

Lack of education was at the heart of a number of major security breach incidents. You probably heard about the new human resources employee who got an email from the president of the organization asking for tax information on every employee, so that person sent them exactly as instructed.

The employee did not recognize the email came from a hacker impersonating the CEO, and there was a major security breach.

Entire business models are based on this kind of fraud. Let’s pretend I am going to build a site with the world’s best collection of cute pet pictures. I’ll give you the first 10 for free (and those 10 are the most adorable pictures you have ever seen), but to see more, you need to set up a username and password. The access is still free, though.

No big deal, right? Wrong. In this scenario, I own this website and I am a criminal, and my business model is to try to use the username and password you just entered at every major banking website, on all major email providers, on your company’s VPN portal, and anywhere else that I think you might have used the same username and password.

Equifax, Strava, And Russian Facebook Ads: How To Hold Websites Accountable For Data Breach

Luckily, Adsero Security has the knowledge and experience to prevent data breaches from happening to your organization. You will sleep better at night with Adsero on your side. Read on to see how security breaches happen to other people.

Pollution was the negative product of an industrialized economy. Misuse of Big Data is the new pollution—the negative artifact of a digital economy. And it is occurring with increasing frequency. Strava, a fitness app, may have weakened the U.S. military by posting data that exposes the geographical location of users, many of whom are military personnel. Facebook may have weakened the U.S. democracy by showing ads purchased by foreign manipulators to swing voters. And Equifax may have weakened the U.S. financial security by exposing a large database of consumer finances to hackers.

One common thread running through these notorious cases of recent privacy breaches is the potential harm arising from tracking people. Strava, Facebook, and Equifax created phenomenal databases of people’s behavior. Each of these platforms uses the data for many good purposes, but they also, unintentionally and sometimes negligently, expose the data to harmful uses.

Another, less noticed, common thread running through these cases of privacy breach is the social nature of the harm they caused. The injury from the exposed data was not always to the individual users being tracked and exposed. Rather, it is more akin to pollution: the injury arises from the aggregation of exposure and it is affecting many others.

Take Strava’s case. The extraction of publicly-shared location tracking data from Strava and using it to map out military locations does not specifically harm the individuals being tracked, but rather the military interests. It is only by clustering many individuals that a meta-picture about the concentrated military activity can emerge. The injury is labeled “privacy” breach, but the informational harm here is distinctly social, not private.