300px-Nortel_Ottawa

DND Move to Nortel Questioned Again

Nortel Ottawa
Nortel Ottawa (Photo credit: Wikipedia)
In 2010, it was announced that the future home of Canada’s Department of National Defence was going to be at the old Nortel Networks complex, in Ottawa.  Many voiced a concern over the cost of renovating the Nortel campus, estimated at over $600 million on top of the $200 million purchase of the land. The security of the campus was also a major concern for the new owners according to recent DND briefing documents. Now the location choice has again come into question over recent findings lurking in the building.
A new report by the Ottawa Citizen reveals that electronic listening devices were found at the former Nortel campus.  This report also disclosed that Defence Minister Peter MacKay was warned that the DND moving into the complex before it could be properly secured created a major problem. Keith Murphy, CEO of Defence Intelligence said “There are more than enough problems with the proposed move already. Drastic budget increases, questionable benefits, unsubstantiated savings forecasts, and now the inherent security of the location itself. This might just be the final nail in the coffin for the proposal.”
Though it is unknown if the devices are still functioning or even transmitting, this could be the problem that the briefing document was referring to. DND spokeswoman Carole Brown said in response to the recent discovery that “The DND/CAF must maintain a safe and secure environment at all of its facilities, in order to maintain Canada’s security posture at home and abroad” but it hasn’t been stated if the persons who discovered the devices were even from the DND. Another unanswered question is whether the devices were intended to spy on DND or were remnants of espionage against Nortel. “While we don’t know with certainty of any active campaign targeting DND” said Murphy, “we do know that the site was compromised for over a decade while Nortel was the primary tenant.”
Hackers allegedly based in China, using malware and stolen credentials, carried on a decade-long campaign of stealing technical papers, R&D reports, employee e-mails, and other sensitive documents from the network company. Some believe that the former Canadian technology giant went bankrupt because of the Chinese hackers. Brian Shields, the former senior systems security adviser at Nortel, stated in an interview with CBC’s As It Happens that spying by hackers “absolutely” was a “considerable factor.” 
What happened to Nortel isn’t an isolated incident in Canada.  In January 2011, CBC News ran a story, foreign hackers attack Canadian government. Computer systems at 3 key departments were penetrated, including access to highly classified information at the Finance Department, Treasury Board, and Defence Research and Development Canada. So why take the chance with moving Canada’s Department of National Defence into a site that has already been compromised?

“DND told CTV News it may abandon the move, and sources said it’s unlikely any other department would take over the former Nortel site because of the security risks.”
The full CTV story with the Keith Murphy interview can be found at www.ctvnews.ca.

Enhanced by Zemanta
300px-Outside_the_fence_Menwith_Hill_Spy_Base_-_geograph.org_.uk_-_266893

Cyber Risk No. 3: Direct Loss From Malicious Acts

English: Outside the fence, Menwith Hill Spy B...
English: Outside the fence, Menwith Hill Spy Base This photo was taken on the ‘Foil the Base’ demonstration in March 2003. Founded in the 1950s (RAF) Menwith Hill has been operated since 1966 by the United States’ National Security Agency (NSA), and has grown to become the world’s largest intelligence-gathering ground station outside the US. (Photo credit: Wikipedia)
In previous posts, we’ve covered how loss or theft of confidential information and loss of reputation can affect the cyber security of a 21st Century business. Today, we turn our attention to direct loss from malicious acts (i.e. hackers, malware).  
So many businesses are open to this risk because they don’t know how to protect their security, leaving them vulnerable to malware threats that can quickly cause advertisers, partners, and customers to abandon ship. 
Perhaps scariest of all, is that no business is immune.
Take the recent case of Tor, the encrypted web security browser designed to allow businesses and privacy-concerned users to browse the Internet without fear of reproach.  Tor had given so many people peace of mind until a recent malware attack, which many are attributing to the National Security Agency (NSA), toppled user confidence.
Researchers claim that malware responsible for bringing down Freedom Hosting, the biggest service provider on the anonymous Tor network, was hard-coded to send information to the NSA, reported TechWeek europe.  In one fell swoop, the product became forever in question.
According to Verizon’s 2012 Data Breach Investigations Report, 69% of data breaches in 2012 were attributed to malware infections. 174 million data records were lost in 855 separate incidents.  The rate of infection grows each year. McAfee, in a The State of Malware 2013, reported they cataloged 100,000 new malware samples each day.  
So what does data theft malware really cost us? Globally, the cost of a data breach averaged $136 per compromised record, up from $130 the previous year (2013 Cost of a Data Breach: Global Analysis, Ponemon Institute and Symantec). With even 120 million data records (69% of the total) from 2012, that’s over $16 billion in loss from malware data breaches.
Here are two things to consider as you attempt to bring security to your business. 

  1. There are many types of malware that can threaten your system’s security, and they’re constantly evolving. You must invest your cyber security dollars with a company that is constantly aware of the changing landscape. Defence Intelligence’s Nemesis 2.0 uses advanced network behaviour analysis in conjunction with real time intelligence to prevent and detect system compromise on your network.
  2. Attacks are inevitable.  Security experts like to say that there are now only two types of companies left in the United States: those that have been hacked and those that don’t know they’ve been hacked.  The news is full of stories of large and small companies that are compromised. Don’t be one of them.
Enhanced by Zemanta
2251266697_5304abac74_m

Cyber Risk No. 2: Loss of Reputation

facebook
facebook (Photo credit: sitmonkeysupreme)
Reputation is a business’s most valuable asset. It is what keeps the customers we have and gives us new opportunities in the marketplace. Any negative event can damage that reputation, putting a business temporarily on the sidelines or even eject them from the game. 
Since whistle blower Edward Snowden revealed the NSA had overstepped boundaries in collecting metadata on millions of Americans, companies like Microsoft, Google and Facebook have been questioned about their involvement.  According to The Guardian (June 2013), the “world’s largest Internet brands claimed to be part of the information-sharing program since its introduction in 2007.” This includes Skype, YouTube, AOL and Apple.  It leaves us to question how this information is being used, whether is it for government surveillance or part of their business model, but the exposure of this secret and suggested misuse of data and betrayal of trust may damage the public opinion of these giants.   
These mega companies, however, can easily recover from suspicion and character damage. Their brands are a household name and the luxury of being a giant is that you are hard to topple. But what about smaller companies and their ability to recover from an unintentional data breach? Most companies collect information on their customers for no other purpose than to run their business and develop products and services. What happens when that private information involuntarily becomes public as a result of a malicious attack, whether via a former employee or malicious software controlling entities?
InformationWeek stated, while commenting on the Ponemon Institute study on the Cost of a Data Breach, “Customers, it seems, lose faith in organizations that can’t keep data safe, and take their business elsewhere.” Negative press and public mistrust are the natural consequences for loss of data, exposure to data misuse, or poor data security. These consequences are far more detrimental to the little guy. One in five small businesses falls victim to cybercrime each year and 60 percent of them go out of business within six months after the attack (National Cyber Security Alliance).
That’s why protecting your business from cyber risks — especially those placing your customers in jeopardy — will be one of the most important business moves you make.  

Related articles
Enhanced by Zemanta
411196422_343c0965a8_m

Is Anybody Listening? The Struggle for More Security

Communication
Communication (Photo credit: P Shanks)
You might know the immense value of IT security, but you probably know at least a few professionals who don’t. Apparently, communicating the importance of security is a difficult task for many people, so you’re not alone if you find this hard to do. 
It can be tempting for some senior executives to only look at the cost of security programs, while others are ambivalent toward their effectiveness.  But either way, the true value of IT security is not getting across, and that’s a breakdown in communication. In fact, according to Infosecurity Magazine, the authors of a study done by the Ponemon Institute for Tripwire claim, “As business leaders are required to disclose more about their organization’s security risks, those business-oriented security executives with good communication skills will be in even greater demand.”
The study – which involved IT professionals from both the US and Britain – found that approximately half of those surveyed admitted they were ineffective at letting management know about security risks. Many say it’s because the security metrics are too complex for their bosses to understand. The result is that companies are allowing security threats to stick around because management simply doesn’t know about their severity.

But with increasing dependence on technology, security risks are not going away any time soon. In fact, there are more now than ever, which means it is increasingly important for security professionals to properly communicate the risks to senior executives. Getting the point across might require the use of graphs or even the ever-popular infographics, but getting management to comprehend the value of IT security is worth the extra effort.
Enhanced by Zemanta