Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.

5.05.2008

Problems continue with Access Control and Data Theft


A recent public survey found that more than 60 percent of medical IT staff believed that access control was their most important security issue. In other news, a cyber attacker was sentenced to 18 months in prison for his attack on a government employee, while a hacker successfully installed an illicit scanner on a supermarket ATM machine.

Focal Points:

  • A recent study found that, from a security perspective, hospital IT staff were most concerned about access control. While staff acknowledged that overall awareness of access control as an issue has increased, most still have difficulty with both the security and compliance aspects of it. The survey was conducted by Courion Corp. at the 2008 Health Information Management and Systems Society Conference. Other security issues healthcare staff were concerned about, in decreasing importance, included problems with password sharing, orphaned user accounts, and inappropriate systems access. Access issues are of particular concern since they directly relate to healthcare providers' ability to comply with Health Insurance Portability and Accountability Act (HIPAA) requirements.
  • A man from Nigeria was given an 18-month jail sentence for establishing a relationship with a NASA employee in order to put software on the person's computer. This enabled him to get access to banking information, passwords and over 25,000 screenshots. The offender pled guilty and was sentenced by a court in Nigeria. Prosecutors in the case said the attacker was not targeting government workers, but rather women he could strike up a romance with. The intrusion first occurred in November 2006, when the NASA employee and the criminal met on an online dating site. He sent the woman a phony picture of himself, which downloaded spyware onto her machine when she opened it. NASA officials said this employee's machine was the only one infected.
  • A recent investigation found that over 100 people had become victims of identity theft through a card reader at a local supermarket in California, which was set up to steal debit and credit card information. The criminals used the stolen information to manufacture fake cards, which were then used to steal money from the victims' accounts. The average amount stolen per account was $1000. Police suspect multiple people were involved in setting up this system. It is unclear whether or not this crime was an inside job. This attack is similar to one that happened at a local California gas station ATM.

Experton Group believes companies will need to become much more proactive in identifying potential security attacks and data loss. Instead of waiting for a breach to occur, security personnel should work on developing potential attack scenarios and building models to identify different combinations of multi-vector attack scenarios. In addition, security managers should focus on data loss prevention as the key to mitigating the risk posed by security attacks when they occur.

Press

Contact

Suzette Heydenreich

Tel.: +971 4 360 8699
Fax: +971 4 361 5699

suzette.heydenreich@experton-group.com