Heartbleed struck again this week, stealing the personal data of 4.5 million patients in the process.
Security consultancy TrustedSec LLC disclosed in a blog post yesterday that the OpenSSL flaw was behind the Chinese hackers' recent breach of Community Health Systems (CHS), a Tennessee health network -- and heartache ensued. Names, birth dates, phone numbers and Social Security numbers were among the HIPAA-protected patient records stolen.
In another revelation Wednesday, UPS' spokeswoman said that its customers' credit and debit data may have been stolen at 51 of its franchises. A security investigation uncovered malware on the cash register systems at those locations.
SearchCIO and our sister sites at TechTarget have written about how enterprises and their CIOs must take a preemptive security stance -- and some are. They're also getting more dollars dedicated to information security than before.
But despite these developments in security awareness and presumably in improved defenses, there continue to be startling gaps in many organizations' security systems. Take CHS' Heartbleed breach, for instance. Lookingglass Cyber Solutions, a cybersecurity firm, found that many IPs associated with the health network showed signs of being infected as early as January 2014 and as recently as yesterday, but the vulnerabilities went unpatched -- not for a few days or weeks, but for eight months. "If an advanced nation-state penetrated this network, they probably didn't have to work very hard to gain a foothold," wrote Jason Lewis, Lookingglass' chief intelligence and collections officer, in a blog post.
How is it possible that attackers were able to penetrate these companies' systems and go undetected for so long before action was taken? And UPS and Community Health Systems are not alone in dragging their feet. Two months after the Heartbleed vulnerability was publicized, for example, 300,000 websites remained vulnerable, according to a report from Errata Security.
What do CIOs and their security colleagues need to do sooner rather than later? It sounds like a no-brainer, but information security vendor TrustedSec's recommendation is probably as good a place as any to start: "Having the ability to detect and respond to an attack when it happens is key to enacting incident response and mitigating the threat quickly," it said in its blog post. "We need to focus on addressing the security concerns immediately and without delay."
Immediately and without delay -- and over time as well. Another piece of advice: "[The UPS breach] shows the necessity of Enterprises to start using security tools that are able to detect attacks not just in real time (e.g., IPS, NextGen Firewalls, etc.), but more importantly, over time (e.g., by analyzing historical and ongoing traffic logs)," said cybersecurity firm Seculert's CTO and chief researcher, Aviv Raff.
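To make the "over time" point concrete, here is a small added example (not code from TrustedSec, Seculert or this article) of the kind of historical log analysis Raff describes. It reads a constructed sample of outbound-connection records, groups them by source and destination, and flags pairs that keep talking at near-constant payload sizes across many weeks: each individual connection looks harmless to a real-time IPS, and only aggregation over months reveals the pattern. The log format, field names and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of historical outbound-connection log lines (not real data).
# Field layout assumed for this example: "timestamp src_ip dst_ip dst_port bytes_out"
SAMPLE_LOGS = """\
2014-01-05T02:14:07 10.20.30.41 203.0.113.55 443 1210
2014-01-12T02:15:11 10.20.30.41 203.0.113.55 443 1198
2014-01-19T02:13:58 10.20.30.41 203.0.113.55 443 1225
2014-02-02T02:14:30 10.20.30.41 203.0.113.55 443 1204
2014-02-09T02:14:02 10.20.30.41 203.0.113.55 443 1190
2014-02-23T02:15:45 10.20.30.41 203.0.113.55 443 1215
2014-03-02T02:14:19 10.20.30.41 203.0.113.55 443 1208
2014-03-16T02:14:51 10.20.30.41 203.0.113.55 443 1199
2014-01-05T09:00:00 10.20.30.42 198.51.100.7 443 55000
2014-01-05T09:05:00 10.20.30.42 198.51.100.7 443 61000
2014-01-06T09:01:00 10.20.30.42 198.51.100.7 443 58000
2014-01-07T11:30:00 10.20.30.43 192.0.2.9 80 3000
"""


def parse_logs(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def find_persistent_pairs(records, min_span_days=30, min_events=6, max_bytes_jitter=0.1):
    """Flag (src, dst) pairs that keep communicating over a long span with
    near-constant, small payloads: the shape of a beacon rather than a user
    session. Thresholds are illustrative and would be tuned per environment."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst"])].append(r)

    findings = []
    for (src, dst), rs in by_pair.items():
        if len(rs) < min_events:
            continue  # too few events to call it a pattern
        rs.sort(key=lambda r: r["ts"])
        span_days = (rs[-1]["ts"] - rs[0]["ts"]).days
        if span_days < min_span_days:
            continue  # only a long span distinguishes persistence from a burst
        sizes = [r["bytes"] for r in rs]
        mean = sum(sizes) / len(sizes)
        jitter = (max(sizes) - min(sizes)) / mean
        if jitter > max_bytes_jitter:
            continue  # varying sizes look like ordinary browsing, not a beacon
        findings.append({
            "src": src,
            "dst": dst,
            "events": len(rs),
            "span_days": span_days,
            "first_seen": rs[0]["ts"].date().isoformat(),
        })
    return findings


if __name__ == "__main__":
    for f in find_persistent_pairs(parse_logs(SAMPLE_LOGS)):
        print(f"{f['src']} -> {f['dst']}: {f['events']} events over "
              f"{f['span_days']} days, first seen {f['first_seen']}")
```

Run against the sample, the script reports the one pair that has been checking in weekly since January while ignoring the short burst of large transfers and the single web request; the "first seen" date is exactly the detail an investigator needs to establish how long the foothold has existed.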
If this week's breaches have underscored anything, it's that attackers are persistent and they don't take summer vacations or any other holiday. Once their malware is in your network, they won't stop until they've stolen personal data. It's not enough to anticipate a breach; once attacked, a quick response is required. And once a breach is patched, constant vigilance is vital.
CIO news roundup for week of Aug. 18
In a nod to the season, some light fare from around the Web:
- Microsoft's former CEO Steve Ballmer is stepping down from its board, citing -- in a perfectly civil email to successor Satya Nadella -- his $2 billion purchase of the Los Angeles Clippers as a motive. Less composed was his (HARDCORE!) speech at the Clippers' press conference.
- Twitter's taking a page from Facebook with yet another experiment: It's injecting tweets into your timeline from users you don't follow, based on content its algorithm deems "popular or relevant." Many users, including a TechCrunch writer, are less than enthused.
- Facebook, on the other hand, is testing out an experiment of its own: It's taking a stand against the burgeoning fake-news industry by tagging parody sites like The Onion, The Daily Currant and Clickhole as "satire" in its related-links box. Duh.
- Take a guess: What's the most-watched YouTube channel in the U.S.? The answer isn't a publisher of cat videos. A New York Times writer and mother writes about her unsettling exploration of toddler-aged digital natives' fascination with videos on "unboxing," or the unwrapping of newly purchased items.
- Personal transportation startup Uber is throwing its bets in with tech and retail giants Google, Amazon and Walmart. It's trying out Corner Store, its version of a rapid home delivery service that uses its sprawling network of drivers.
Check out our previous Searchlight roundups: While SpiderOak canary defies NSA, CIOs ponder their privacy bind and Use Russian hackers to demand better security on SearchCIO.