Information Security Awareness Training

By University Alliance
Information Security Awareness Training

The Need for Information Security Awareness Training Is Growing

Information security awareness training is more important now for IT Professionals than ever. Why? In November 2009, SC Magazine released an article titled “Cyberattacks against the U.S. ‘rising sharply.’” The article focused on the rise of cyber attacks from 2008 to the first half of 2009 – the numbers were startling. “During 2008, there were 54,640 total Cyberattacks against the U.S. Department of Defense (DoD), according to the report, citing data provided by U.S. Strategic Command officials.”

A brief breakdown of information from the report:

  • In 2007 there were a reported 43,880 Cyberattacks
  • In 2008 there were a total of 54,640 Cyberattacks targeting the DoD, an increase of 20% over 2007
  • In the first half of 2009 there were already 43,785 cyber incidents targeting the DoD
  • If this pace was maintained throughout 2009, the 43,785 attacks occurring in the first half of 2009 would represent a 60% increase over 2008

A Recent Discovery Gives a Wake Up Call to Information Security Awareness Training

First noticed on January 26, a new attack targeted 10 federal agencies. The most startling discovery made about this recent attack is that it wasn’t fresh.

This specific Cyberattack, nicknamed Kneber Botnet (after the e-mail from which it started and the type of attack), has affected the following:

  • Over 2,400 companies in a little over an 18-month span
  • 80,000 systems in almost 200 countries;
  • and targeted 10 federal agencies since January 2010

Information breached by the Kneber Botnet was login and personal information associated with social networking, e-mail and financial Web sites. Due to privacy disclosure issues, the company that discovered Kneber, NetWitness, will not name the affected companies or individuals at this time.

On one hand it can be argued that it took trained professionals 18 months to discover this attack, but on the other hand… if these professionals did not have information security awareness training, the Cyberattack could have gone unnoticed.

Major Retailer Hit With a Reality Check – A Costly One

MSNBC reported back in 2007, discount retail giant T.J. Maxx (TJX) discovered a major information security breach. Beginning in January 2003 and ending November 23 of that year, 45.7 million credit and debit card numbers had been stolen by hackers. The number for total numbers from November 24, 2003 to June 28, 2004 remains unknown. An additional 455,000 customers who had made returns to the store, also had their driver’s license number compromised.

Technology has come a long way since 2007. If TJX’s IT team had better information security awareness training and processes in place, it’s entirely possible that this breach would not have taken so long to be discovered.

“E-Security Planet’s Top Ten Data Breaches and Blunders of 2009”

Critical information is compromised on a daily basis. It’s everyone’s job from government entities to our insurance companies, etc… to protect personal information from falling into the wrong hands. This is why information security awareness training is stressed so much in the IT world. Especially after the Privacy Rights Clearinghouse reported that over 345 million records containing sensitive data have been involved in incidents within the United States since January 2005. Yes, it gets worse. Sometime in 2009, one breach alone compromised 130 million records.

Here is quick review of E-Security Planet’s top ten list:

10. Los Alamos National Labs (LANL)

70 computers went missing from the labs, including at least 13 PCs that were verified as lost or stolen, and one BlackBerry was left in an undisclosed “sensitive” country. A data breach has not been reported, however their awareness and asset management practices were off.

9. Virginia Department of Health Professions (DHP)

Responsible for licensing health care professionals and enforcing standards of practice, this agency reported that its database of prescription drug records for over 500,000 patients was hacked in April of 2009. To make matters worse, a thief posted a ransom note on their Web site asking for $10M.

8. Network Solutions

In March 2009, hackers were able to steal 573,000 debit and credit card accounts by hacking into the Web Hosting provider’s server. They did this by planting malware that had the ability to intercept all transactions processed by over 4,000 hosted e-commerce merchants. This all took place in just a matter of three months.

7. Arkansas Department of Information Systems

An archive tape containing 807,000 records containing criminal background checks that were performed over a 12-year period went missing.

6. Oklahoma Department of Human Services (DHS)

A parked car was the victim of a smash and grab. Stolen from the vehicle was a laptop containing the names, social security numbers, and birthdates of approximately one million clients – the data was unencrypted.

5. HealthNet

It took six months before the health plan carrier admitted that a portable storage drive was missing. The information on the drive was compressed, but not encrypted.

4. CheckFree

Victim of a malicious phishing scheme, CheckFree’s domains were hit by DNS hijacks. Customers were redirected to a similar looking page and their information was stolen.

3. RockYou

A flaw in SQL programming exposed 32 million user e-mail addresses and clear text passwords in December 2009. E-Security Planet said, “this enormous breach of its entire customer account list can really be attributed to a failure to apply basic security best practices like storing hashed rather than clear text password(s).” In this case, information security awareness training and planning would have been key in preventing this scenario from occurring.

2. National Archives and Records Administration

A broken disk drive used by eVetRec, an online health record and discharge paper systems, was sent to recycling without being wiped clean. Approximately 76 million U.S. Veterans had their records breached as a result. It’s unclear as to whether anyone got their hands on the information.

1. Heartland Payment Systems

The largest reported cardholder data breach in history was reported. Hackers were able to exploit a SQL injection vulnerability and plant a sniffer software. As a result, over 130 million credit and debit card numbers were stolen.

Villanova University’s Intensive, Certificate Programs

The examples listed throughout the article should be compelling argument enough that when it comes to information security awareness training, a company cannot take a risk. Ranked as the #1 Master’s University in the Northern Region by U.S. News & World Report for 20 years, Villanova offers a variety of information security courses, 100% online. These courses will not only help you protect your clients better, but can help prepare you for certifications as well.

For more information about Villanova University’s IS/IT programs, contact us now!

Category: Information Systems Security