Morning Security Brief: Montana Health Department Data Breach, Phone Spyware, Data-Centric Security, and CISO Overconfidence

By Ann Longmore-Etheridge

► Montana officials have revealed that a data security breach of the state's health department server has resulted in the exposure of the health care and financial account information of approximately 1.3 million people. A press release says that cause for concern is minimal. "State of Montana officials said today that 1.3 million people will be notified regarding the incident where hackers gained entry to a Department of Public Health and Human Services (DPHHS) computer server, though officials said there is no knowledge that information on the server was used inappropriately, or was even accessed," according to the release. "Ron Baldwin, the state’s chief information officer, said they noticed what appeared to be unauthorized Internet access to the DPHHS computer and that a private security contractor later confirmed the breach. Further investigation indicated that hackers had gained access to the computer last July," states The Montana Standard.

► reports that security researchers have discovered the tools that the U.S. National Security Agency may have been using to spy on mobile phones. Edward Snowden has maintained that "eavesdroppers [can] hear us even if the phone seemed off and everything on our devices was open to a dedicated hacker. But he never said how it was done. Now we know… at least partially. The app used is called RCS/Galileo [and is produced] by an Italian company, The Hacking Team," Notes Techcrunch. "The app allows for full control of the data on the phone and allows users to activate the microphone on Android, iOS, and Blackberry devices. In two very detailed and independent posts, both Citizen Lab and Kaspersky have produced some very interesting documentation of the program and have even traced a piece of Hacking Team software to a Trojan horse that had been modified to look like an Arabic news reader." Techcrunch notes that direct links to the NSA are still circumstantial, but that "thepower of the remote control app is clearly disconcerting. An iOS phone left in a hotel room could be easily attacked and compromised at any time and Android phones are especially susceptible."

►A June 2014 data-centric security study by Informatica has resulted in some surprising findings. The study reveals that "the majority of respondents (80 percent) recognize that not knowing the location of sensitive data poses a threat, but only slightly more than half are prioritizing security initiatives," according to InformaticaData-centric security is an approach that assigns a security policy to data at its creation and follows it as it flows throughout an organization and beyond. It is independent of the technology, geography, or hosting platform. The study was based on a survey of 1,587 global IT and IT security practitioners in 16 countries and was designed to "determine the readiness of organizations to embrace data-centric security practices and tools as part of a mission to protect the burgeoning reservoirs of corporate data assets," according to Dr. Larry Ponemon, founder and chairman of the Ponemon Institute and leader of the survey. The study found that "only 16 percent of respondents said they knew where their organization's sensitive structured data resides, [and a] mere 7 percent of respondents said they know the location of all sensitive unstructured data, including in e-mails and documents," notes InformationWeek Government. "Not knowing where their organization's sensitive or confidential data is located was the No. 1 worry of the IT security respondents, eclipsing both hacker attacks and insider threats, according to the study," the site says.

►Research commissoned by Courion and conducted by Onepoll has found that "Chief Information Security Officers (CISOs) and IT managers may be too confident in their capabilities to ensure their organisations' security and defences against a data breach. A majority (63 percent) of IT security managers believe it is 'easy' to govern staff access rights and privileges, despite the fact that 42 percent admitted they either do not have or are unsure of their ability to monitor and prevent breaches caused by accidental or deliberate staff actions.... The survey also confirmed the pressures IT managers and CISOs face in managing data security, with 45 percent saying their organisation had suffered a data breach. Any confidence they may exhibit masks fears over job losses (42 percent), severe reprimands (41 percent) and demotion (34 percent) if their organisation suffered a data breach."


View Recent News (by day)


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.