The Cyber Threat Evolution Places New Pressure on Federal Legislators

11/03/2011

Last week, Howard Schmidt, a cybersecurity coordinator and special assistant to the President, blogged about the White House's efforts to advance legislation that would address cybersecurity. This particular topic is nothing new – countless others have discussed the need for federal legislation. But what is interesting is how this post encapsulates the progression of the argument over the past few years.

What was once considered largely a consumer issue has transformed into a matter of state security. Accountability to consumers is still very important, but as the technology utilized by companies, governments and even individual citizens – not to mention the bad guys – advances at a dizzying pace, the objectives of a federal law now include much more than just breach notification.

Kroll’s Karen Schuler to Speak at IAAR Conference

11/02/2011

Please join Kroll’s own Karen Schuler, CAE, senior managing director and practice leader for Cyber Security & Information Assurance, at the International Association for Asset Recovery (IAAR) 3rd Annual Conference: Winning the Endgame of Financial Crime. The conference takes place at the Planet Hollywood, in Las Vegas, Nevada on November 17-18, and Schuler will be a featured speaker in four sessions at the event:

  • General Session 1: Osama bin Laden’s Data Haul – The Asset Tracing and Operative Lessons It Teaches Through ‘Analog’ and Digital Investigations, Thursday, November 17th – 9:00 AM – 10:15 AM

Mobile Device Security: How to Protect Yourself and Your Data

10/26/2011

It is estimated there are over 5 billion mobile phones in use around the world. A staggering number considering a world population of roughly 7 billion people!

With the prevalence of mobile devices around the globe, securing the data contained on them has become an increasingly common challenge encountered by Kroll’s information assurance experts. Added to this is a company’s struggle to ensure that its security procedures keep pace with the dizzying array of new devices introduced into the corporate environment. Although many companies have implemented end-point security measures such as encryption on laptop computers, similar protection for other devices that leave the corporate environment is lagging behind. At conferences and meetings, we’ll often ask attendees: “Is the mobile device in your possession encrypted or, at a minimum, password protected?” On a good day, we may see 25-30 percent of the audience respond positively.

Data Breach Response Investigations – The Process That Works

10/19/2011

In my experience as a forensic and cyber-security practitioner, I am often engaged to advise clients on a wide range of issues when they are faced with a possible data breach: validation of breach occurrence, confirmation of the breach population, whether records were accessed or acquired, and assistance with remediating the vulnerability that may have led to the breach in the first place.

Respecting Zombies: Don’t Underestimate the Brutal Attack of the Botnet

10/11/2011

After conducting cyber investigations for the last eight years, approximately seven of which were in various locations around the United States with the FBI, it is amazing to me how frequently zombie attacks, or botnets, are used as the minions of hackers to accomplish their criminal intent. I have conducted investigations in which botnets were the conduit used in successful attempts to send mass quantities of pharmaceutical spam, run pornography trading sites, and drain corporate bank accounts.
