2014/05/13

| 05.13.14 | HIPAA hammers hospitals; Hackers hunt XP holes

Editor's Corner:
Hire a CISO? Great, but it's just not that simple

What's New:
1. Hospitals hit with largest-ever HIPAA fine over patient data exposed to search engines
2. Hackers scour Windows 7 patches for clues to XP flaws
3. Newly rich Bitcoin users likely target for fraudsters, SEC warns
4. 'Swatting' Brian Krebs earns Canadian teen arrest

Spotlight:
Maybe buying more stuff isn't the best way to fix the problem

Also Noted:
Bitly compromised; FFIEC planning security assessments for banks; and much more...

News From The Fierce Network:
1. 5 tips for Target's new CIO
2. Don't worry about Heartbleed--worry about your home router
3. Microsoft TechEd 2014: The move from Windows Server to Azure

FierceITSecurity

May 13, 2014

This week's sponsor is HP.

Cyber Risk
The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat landscape. It provides information you need to effectively plan your cyber security strategy and deploy your defenses. The summary concludes that security is about an integrated, systematic approach that includes both protective and reactive measures. Read it to learn more.


Editor's Corner

Hire a CISO? Great, but it's just not that simple

By Derek C. Slater

Here's a widely noted fact: Target didn't have a CISO.

Of course there are other companies without CISOs who haven't reported data breaches. And there are companies *with* CISOs who have been breached.

Still, SearchSecurity asks the question: Does it make any sense for a large company to fail to fill such a position, given the pervasiveness of business technology and the degree of security risk it currently presents? Target has indicated it plans to hire one soon, which could be argued as a case of closing the barn door a bit late.

I spent 10 years working at CSO magazine. You won't find a more ardent advocate of intelligent security management. Even so, I find myself rolling my eyes at the SearchSecurity article. 

It's not bad. It's solid. It's just a bit naive.

Two points: 

First, again, having a CISO doesn't make you secure, and lacking a CISO doesn't make you inherently insecure. What matters is a company's commitment, backed by action and money, to protecting its assets and customers. This commitment will often manifest itself in the hiring of a CISO who is given the authority and support to take intelligent risk mitigation steps. (The article gets to this conclusion eventually, but it's really where the discussion has to start. Not where it ends.)

Second, interviewing a bunch of CISOs (smart as they are) about the necessity of having a CISO is unlikely to persuade any of the foot-draggers.

More interesting would be candid interviews with CEOs and CFOs about why they do or don't have a top IT security executive. 

Good luck on the 'candid' part. 

Based on my observation of real-world situations over the past decade, reasons various companies lack CISOs include:

  • They're willing to take the risk that a breach won't hit them, or will do minimal damage.
  • They had a CISO and found him or her to be an obstruction to business goals and velocity.
  • They don't want business risks documented. 
  • They don't want to spend the money.
  • They think it's the CIO's job.
  • They think it's a purely technical and tactical function that's appropriately run by a manager or maybe director.

Conversely, reasons companies hire CISOs include:

  • They want to do a better job managing risk.
  • They want to stay out of the headlines.
  • They also want somebody to sack if they do wind up in the headlines.
  • They have to, for regulatory compliance reasons.

And lastly, CISOs present a wide range of skills and sophistication. Some really are tactical and technical. Some are master politicians. Some are profound thinkers when it comes to risk management, employee motivation and psychology, epidemiology, philosophy, information warfare, criminal ecosystems and more. Some just really aren't up to the job.

So that's why I don't necessarily stand up and cheer every time somebody hires a CISO. 

Corporate security just isn't that simple. - Derek (@derekcslater)

Read more:
When you go to the board, speak their language, not yours
2 fatal flaws in risk appetite statements
W. Edwards Deming hates your approach to IT security (FierceCIO)

Read more about: data breach, CISO

What's New

1. Hospitals hit with largest-ever HIPAA fine over patient data exposed to search engines

By Derek C. Slater

Two hospitals in New York state have agreed to pay $4.8 million to settle with the Department of Health and Human Services over HIPAA violations.

The two organizations are the New York-Presbyterian Hospital and the Columbia University Medical Center, which jointly were involved in a data breach in 2010. Health data for 6,800 patients--status, vital signs, medications and laboratory results, according to HHS--was exposed online in 2010 and picked up by search engines including Google.

A New York-Presbyterian spokesperson told Business Insider the error occurred "when a computer server was errantly reconfigured."

An HHS report on the incident concluded that neither organization had sufficient controls in place and neither conducted a full risk assessment to identify risks to the data.

For more:
- Read Business Insider's account
- And TechTarget's coverage

More on HIPAA and healthcare security:
Move to the cloud generates compliance worries for IT pros
HHS slaps $2M fines on two healthcare firms for unencrypted laptop breaches
Healthcare organizations face multiple risk analysis requirements under federal law

 

 

Read more about: healthcare security, PHI
back to top


This week's sponsor is HP.

 

Network refresh
The next generation of network technology promises to make networks faster, more capable and more flexible. Organizations are beginning to deploy updated network technologies. But these network innovations increase the attack surface of organizations implementing them. And hackers often capitalize on the lag between the release of new technology and the availability of updated security protections. Read this paper to understand how these new technologies can increase your vulnerability and to view a set of common-sense recommendations to keep your business safer as you refresh your network.


2. Hackers scour Windows 7 patches for clues to XP flaws

By Derek C. Slater

Microsoft issues eight security updates today; hackers are expected to use them as a blueprint for finding and exploiting holes in older software, reports Computerworld's Gregg Keizer.

The company is no longer issuing patches for its Windows XP operating system, but the OS remains widely used: NetMarketShare puts 26 percent of Windows users still on XP. Microsoft's support for XP ended last month, so this month's Patch Tuesday updates are the first that may give attackers a map of holes that will go unpatched in XP.

"By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in Windows 7--which will be patched--then sniff around the same part of XP's code until they discover the bug there," Keizer writes.

One of this month's security updates addresses Internet Explorer on Windows Vista, 7, 8 and 8.1. Because the same IE code base shipped on XP, Keizer flags this update as an example of a patch likely to be reverse-engineered in the search for a still-unpatched XP vulnerability.
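As an added illustration of the before-and-after comparison Keizer describes (example code written for this page, not from Computerworld or Microsoft, and run on made-up byte strings that stand in for real binaries): hash every function in the pre-patch and post-patch build to find what changed, pull out the byte sequences that exist only after the patch (roughly where the fix landed), then rank functions in an unpatched build by byte n-gram similarity to the pre-patch body. The function names, byte strings and threshold are all constructed for the example. Real patch-diffing tools compare disassembled control-flow graphs rather than raw bytes, which survives recompilation and relocation far better; raw n-grams are used here only to keep the example self-contained.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Constructed toy "binaries": function name -> code bytes. These are made-up
# byte strings standing in for machine code; nothing here is real Windows code.
WIN7_PRE: Dict[str, bytes] = {
    "ParseHeader": bytes.fromhex("558bec8b45088b4d0c8a108811404184d275f65dc3"),
    "FreeBuffer":  bytes.fromhex("558bec8b450850e8000000005dc3"),
    "Checksum":    bytes.fromhex("33c08b4c2404030183c1044a75f8c3"),
}
WIN7_POST: Dict[str, bytes] = dict(WIN7_PRE)
# After the patch, ParseHeader gained a bounds check (3b 4d 10 / 73 0a) before its copy loop.
WIN7_POST["ParseHeader"] = bytes.fromhex("558bec8b45088b4d0c3b4d10730a8a108811404184d275f65dc3")

# The unpatched "XP" build: the same routines, but stripped of symbols and laid out differently.
XP: Dict[str, bytes] = {
    "sub_401000": bytes.fromhex("33c08b4c2404030183c1044a75f8c3"),
    "sub_4010a0": bytes.fromhex("558bec8b45088b4d0c8a108811404184d275f65dc3"),
    "sub_401200": bytes.fromhex("558bec8b450850e8000000005dc3"),
}


def changed_functions(pre: Dict[str, bytes], post: Dict[str, bytes]) -> List[str]:
    """Names whose body changed between builds; functions added or removed count as changed."""
    def digest(body: bytes) -> str:
        return hashlib.sha256(body).hexdigest()
    names = sorted(set(pre) | set(post))
    return [n for n in names
            if n not in pre or n not in post or digest(pre[n]) != digest(post[n])]


def ngrams(code: bytes, n: int = 4) -> Set[bytes]:
    """All n-byte windows of a function body, used as a crude code fingerprint."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Set similarity in [0, 1]; two empty sets are treated as unrelated, not identical."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def patch_delta(name: str, pre: Dict[str, bytes], post: Dict[str, bytes], n: int = 4) -> Set[bytes]:
    """Byte n-grams present only after the patch: the rough location of the fix."""
    return ngrams(post[name], n) - ngrams(pre[name], n)


def find_xp_candidates(name: str, pre: Dict[str, bytes], xp: Dict[str, bytes],
                       threshold: float = 0.3, n: int = 4) -> List[Tuple[str, float]]:
    """Rank functions in the unpatched build by similarity to the pre-patch body of `name`.

    Only matches at or above `threshold` are returned, best first. A score of 1.0 means the
    unpatched build carries the vulnerable routine byte-for-byte.
    """
    target = ngrams(pre[name], n)
    scored = [(xp_name, round(jaccard(target, ngrams(body, n)), 3)) for xp_name, body in xp.items()]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    for fn in changed_functions(WIN7_PRE, WIN7_POST):
        added = sorted(g.hex() for g in patch_delta(fn, WIN7_PRE, WIN7_POST))
        print(f"{fn}: patched; new code fragments {added}")
        print(f"  candidates in unpatched build: {find_xp_candidates(fn, WIN7_PRE, XP)}")
```

The defender's use of the same comparison is the one that matters after end of support: diff the patched binary against your own fleet's copies to learn which unpatched systems still carry the vulnerable routine, and prioritise isolating or retiring those.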

For more:
- Read Keizer's report
- See more coverage on Digital Trends

More on Windows security:
Microsoft steps up to the plate, patches critical zero-day IE hole
As Windows XP support deadline approaches, security concerns mount
7 deadly sins: The most dangerous new attack techniques for 2014

Read more about: Patch Tuesday


3. Newly rich Bitcoin users likely target for fraudsters, SEC warns

By Robert Bartley

The Securities and Exchange Commission has released an investor alert to educate Bitcoin users about the potential schemes con artists have pulled off using the cryptocurrency.

The agency said in its statement that many of the illegal tactics follow traditional patterns, but the nature of virtual currencies and the new--and newly rich--audience they attract makes the unaware more susceptible. Some characteristics of cryptocurrency the SEC highlighted as worrisome were its lack of central authority, lack of government backing, history of volatility and other general security concerns.

"Fraudsters target any group they think they can convince to trust them," the alert states. "Scam artists may take advantage of Bitcoin users' vested interest in the success of Bitcoin to lure these users into Bitcoin-related investment schemes. The fraudsters may be (or pretend to be) Bitcoin users themselves."

While the SEC's investor alerts carry no regulatory force, this one is the latest in a series of warnings from federal agencies about the dangers of virtual currencies. The Department of Defense is investigating the use of cryptocurrency to fund terrorist plots, and the Department of the Treasury has pointed out its prevalence in bankrolling identity fraud, credit card theft, online scams and malware operations.

While the schemes may be similar to tried and true tricks criminals have historically used, they could have a different effect on Bitcoin users. The SEC notes in its advisory that virtual fraud victims are much less likely to recover their money, not only because of the difficulty in tracing funds, but also the lack of insurance and government regulation that protects cryptocurrency.

"Before making any investment, carefully read any materials you are given and verify the truth of every statement you are told about the investment," the SEC advises.

For more:
- read the investor alert from the SEC

Related Articles:
DoD probes cryptocurrencies as potential terrorist funding mechanism
Bitcoin mining malware hidden in Google Play apps
Heartbleed undermines Bitcoin client, developers advise update

Read more about: SEC


4. 'Swatting' Brian Krebs earns Canadian teen arrest

By Derek C. Slater

An Ottawa teenager has been arrested in connection with more than 30 "swatting" incidents, bomb hoaxes and other threats phoned in to police and emergency responders.

Unfortunately for Curtis Gervais, among the targets of his alleged misdeeds was security writer Brian Krebs. Krebs has previously been the victim of a swatting call, as he reported in detail on the Krebs on Security blog.

This time a persistent Twitter user @ProbablyOnion harassed Krebs online, and apparently placed an emergency call reporting a hostage situation at Krebs' street address. The person also hung out a shingle on Twitter for swatting-as-a-service, and claimed responsibility for calls targeting schools and other public locations in the U.S. and Canada.

@ProbablyOnion was subsequently identified as Gervais in a document posted to the paste site Pastebin.

The Ottawa Citizen reports that Gervais faces 60 criminal charges, including uttering death threats and public mischief.

For more:
- Read Krebs' account of the incident
- See the Ottawa Citizen's report

More on swatting, online harassment and fraud:
Call center employee, others indicted for stealing AT&T customer data, money
Identity theft still top consumer complaint, says FTC (FierceCIO)
Hacker breaks into baby monitor to harass sleeping child (FierceCIO:TechWatch)

Read more about: Swatting


Also Noted

TODAY'S SPOTLIGHT... Maybe buying more stuff isn't the best way to fix the problem

Hooray, you got 5 percent more budget this year. Don't spend it all in one place. No really. Don't spend it all in one place. One of the great and fundamental challenges of corporate life is to allocate every penny in the most efficient manner possible. And how do we do that in IT security? George V. Hulme has some tips on CSOonline: Avoid shiny distractions. Mercilessly eliminate shelfware. Make sure to allocate for incident response. And look carefully at the balance of staffing-versus-technology; if you're paying three people to manage 10 firewalls, maybe you should cough up the money for better firewalls instead. Read more.

 

> Bitly compromised, users urged to change passwords (ThreatPost)
> Regulators planning cybersecurity assessments for banks (ThreatPost)
> FBI seeks license to hack bot-infected PCs (Dark Reading)
> Want 'perfect' security? Then threat data must be shared (Infoworld)

And Finally... Los Angeles air traffic control crash caused by memory shortage (The Register)

Webinars

> Reduce Datacenter Energy Costs by up to 15%: Software Meets Datacenter ROI - Friday, May 16, 2014 - 2 pm ET / 11 am PT

Join us for a look at two Intel Datacenter Software solutions, sample use cases, and implementation overviews. Intel Data Center Manager (Intel DCM): Energy Director provides device-level power and thermal monitoring and management for groups of servers, networking, storage, and other IT equipment. Register Today!

> WEBINAR: Rethinking Enterprise Mobility Management: Beyond BYOD - SPONSORED BY: CA Technologies

Enterprise mobility management is about more than just getting a handle on the flood of BYOD devices coming into the organization. It is about managing the explosion of new devices, applications, content and transactions, which threatens to overwhelm IT managers. Our panel of experts will help you understand how to develop effective strategies that accelerate mobility transformation and prepare your organization for the mobile future. Register Today!

Marketplace

> Whitepaper: Finding ROI in Document Collaboration

Read this Accusoft whitepaper to learn about the factors that make document collaboration more difficult than it should be, and about how to create a collaboration strategy that makes sense for your organization. Download Now!

> Whitepaper: Delight & Engage Customers with Mobile APIs

Read this success story and learn how a robust API and secure API Management powered Keep’s iOS app to become one of the most popular apps in the Lifestyle category in the iTunes App Store.

> Whitepaper: Running Out of Bandwidth? Take a Fresh Look at 100G

This white paper describes each of these technological advances and how this 100G benefit in scale can even be accomplished with existing, fully depreciated, legacy 10G DWDM systems. Download this white paper today.

> Whitepaper: 5 Unsung Tools of Dev Ops

Jonathon Thurman shares his five favorite DevOps tools which have been around a long time. They may not be flashy but they're time tested and just work. He also tells you how to use them and how to configure them for maximum value. Download 5 Unsung Tools of DevOps to see which tools make the cut and why.

> eBook: Getting to DevOps (And Getting the Payoff)

DevOps is a more holistic approach to application development, more fully taking into account deployment and ongoing operational needs – and tossing a lot of automation into the mix. This FierceEnterpriseCommunications eBook provides step-by-step guidance on implementing DevOps for CIOs and IT and application development managers. Download this eBook today!

> Whitepaper: 802.11ac in the Enterprise: Technologies and Strategies

Download the White Paper "802.11ac in the Enterprise: Technologies and Strategies" to learn from industry expert Craig Mathias about the technologies behind 802.11ac, deployment misconceptions and review steps that every organization should take in getting ready for 802.11ac.
Download today!

> Whitepaper: Defense Against the Dark Arts: Finding and Stopping Advanced Threats

Today's most-damaging targeted attacks don't occur by happenstance. They are carefully planned and executed by a new breed of professional adversaries. Read this white paper, Defense Against the Dark Arts: Finding and Stopping Advanced Threats to gain a practical understanding of today's Advanced Threat Landscape and strategies for detecting and stopping Advanced Threats. Download today!

> Whitepaper: Longline Phishing: A new Class of Advanced Phishing Attacks

The last few years have seen a dramatic increase in the use of email as a vehicle for cyberattacks on organizations and large corporations. Recently, Proofpoint researchers identified a new class of sophisticated and effective, large-scale phishing attack dubbed "longline" phishing attacks. Download this whitepaper to learn about the unique characteristics of these attacks, how they are carried out, and the alarming effectiveness they have. Download today!

> eBook: eBrief | Best Practices in Mobile Application and Management Delivery

Your organization knows that mobile productivity is important, and it may have already started down the road toward Mobile Device Management (MDM) and Mobile Application Management (MAM). But have you developed a holistic view of application management and delivery -- and its impact on the business? Download this free eBrief to learn about best practices for your mobile deployment.

> Whitepaper: Hardware Test Equipment is the Key to Accurate Network Testing

Surprisingly, many organizations are not adequately testing their networks. Network testing is crucial for any IT organization that wants to ensure availability, security and performance of applications and services running on their networks. Download this whitepaper now to learn more!

> Whitepaper: APIs Drive Opportunity Explosion

Argos took bold, transformative measures to respond to market disruption from competitors selling online, in addition to the move by grocers into non-food product ranges. Learn how APIs paired with a secure API Management solution can enable a digital transformation by delivering content and purchasing capabilities to customers anywhere, at any time. Download Today!

> Whitepaper: Supporting VDIs and Thin Clients

Companies have already begun deploying VDIs and thin clients (like Google's Chromebook) on a massive scale. The low-cost, easily deployed workstations present a significant cost savings for companies, but require unique tools to support them. This whitepaper, written by Proxy Networks, outlines the best way to do that. Download now.

> Whitepaper: Four Ways to Improve IT Efficiency

The role of the help desk within businesses has expanded considerably over the last decade, becoming an integral piece of the overall corporate strategy. In this whitepaper, Proxy Networks outlines the best way to align your IT department with that strategy in order to improve overall departmental efficiency. Download now.


©2014 FierceMarkets, a division of Questex Media Group LLC. FierceITSecurity is administered by FierceMarkets, 1900 L Street NW, Suite 400, Washington, DC 20036, (202) 628-8778.

Contact Us

Editor: Fred Donovan. VP sales and business development: Jack Fordi. Publisher: Ron Lichtinger.

Advertise

General advertising: Jack Fordi. Press releases: Fred Donovan. Request a media kit.
