Long Awaited ISO/IEC 27003:2010

The long awaited international standard to the implementation of an information security management system, ISO/IEC 27003:2010, is now available.


It’s a must have –

Buy the hard copy here:
or the download here:

Key Features and Benefits:

  • The first standard to offer comprehensive guidance on implementing an ISO/IEC 27001:2005 ISMS. Using this standard during an ISMS implementation will improve your organisation’s chances of becoming ISO/IEC 27001 certified.
  • Fully aligned with the rest of the ISO/IEC 27000 family of standards, so the strengths of all the ISO/IEC 27000 standards can be leveraged together, bringing about a higher level of information security, better compliance and cost savings.
  • Written in a generic, practical manner, making the advice and guidance within applicable no matter the size, type or location of your organisation.

Get your copy today >>

Buy the hard copy here:
or the download here:


    UCSF laptop containing patient files stolen


    The Associated Press

    SAN FRANCISCO—The medical records of more than 4,000 patients at the University of California, San Francisco may have been compromised after a laptop they were on was stolen.
    Officials with the university said Wednesday the laptop was recovered earlier this month after it was taken from a medical school employee during a flight in November. It does not appear that anyone gained access to the computer or the confidential patient information, but officials say the records still could have been exposed.

    The files contained patients’ names, medical record numbers, ages and clinical information, but no Social Security numbers or financial data.

    School officials say they are notifying the 4,400 patients whose records were on the computer. They were all treated in 2008 and 2009.
    ———
    Information from: San Francisco Chronicle, http://www.sfgate.com/chronicle


    Here we have another unnecessary major security breach in a large healthcare organization, resulting in a loss of patient data and demonstrating poor baseline security. They are clearly not ready for the new HIPAA provisions under ARRA and HITECH. Evaluate your current business and system risks to make sure this does not happen to you.

    Contact DISC with any questions if you think this may apply to you.

    The Practical Guide to HIPAA Privacy and Security Compliance




    Google attack highlights ‘zero-day’ black market


    By Jordan Robertson, AP

    The recent hacking attack that prompted Google’s threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws — and renewing debate over buying and selling information about them in the black market.

    Because no fix was available, the linchpin in the attack was one of the worst kinds of security holes. Criminals treasure these types of “zero day” security vulnerabilities because they are the closest to a sure thing and virtually guarantee the success of a shrewdly crafted attack.

    The attackers waltzed into victims’ computers, like burglars with a key to the back door, by exploiting such a zero-day vulnerability in Microsoft Corp.’s Internet Explorer browser. Microsoft rushed out a fix after learning of the attack.

    How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole “wide enough to drive a truck through” can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find.

    “Zero days are the safest for attackers to use, but they’re also the hardest to find,” Silva said. “If it’s not a zero day, it’s not valuable at all.”

    The Internet Explorer flaw used in the attack on Google Inc. required tricking people into visiting a malicious Web site that installed harmful software on victims’ computers.

    The attack, along with a discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China’s censorship of the Internet content. Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.

    Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users’ part.

    Zero days refer to security vulnerabilities caused by programming errors that haven’t been “patched,” or fixed, by the products’ developers. Often those companies don’t know the weaknesses exist and have had zero days to work on closing the holes.

    In this case, Microsoft actually knew about the flaw since September but hadn’t planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven’t seen used in attacks.

    Microsoft often fixes multiple vulnerabilities at once because testing patches individually is time-consuming and costly, said Chris Wysopal, co-founder of security company Veracode Inc.

    But criminals know how the patch cycle works, and Wysopal said the Google attackers may have realized their zero-day flaw was getting old — and thus struck in December just before they thought Microsoft was going to fix it.

    “They likely thought the bug would be fixed in January or February,” he said. “They were right.”

    Microsoft certainly could have fixed the bug earlier and prevented it from being used on Google, but security experts caution that an adversary that is well-funded or determined could have easily found another bug to use.

    “Zero days aren’t difficult to find,” said Steve Santorelli, a former Microsoft security researcher who now works with Team Cymru, a nonprofit research group. “You don’t have to have a Ph.D. in computer science to find a zero-day exploit. It really is a factor of the amount of energy and effort you’re willing to put in.”

    In fact, such exploits are widely available for the right price. VeriSign’s iDefense Labs and 3Com Corp.’s TippingPoint division run programs that buy zero-day vulnerabilities from researchers in the so-called “white market.” They alert the affected companies without publicly disclosing the flaw and use the information to get a jump on rivals on building protections into their security products.

    There’s also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.

    TippingPoint’s Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn’t match.

    Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.

    One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.

    Whether to pay — and seek payment — is hotly debated among researchers.

    “I basically had to make a choice between doing something that would protect everybody and remodeling my kitchen — as terrible as that is, I made that choice, and it’s hard,” Miller said. “It’s a lot of money for someone to turn down.”

    Companies whose products are vulnerable generally won’t pay outside researchers for bugs they’ve found. Microsoft said offering payment “does not foster a community-based approach to protecting customers from cybercrime.” The company declined further comment on its practices and the timing of the fix for the flaw used in the Google attack.

    On Thursday, Google announced that it will start paying at least $500 to researchers who find certain types of bugs in its Chrome browser, calling the program an “experimental new incentive.” That mirrors a reward that Mozilla has been offering for critical bugs found in its Firefox browser.

    Computer vulnerabilities are so dangerous that one day private companies such as Microsoft might be pressured into buying from the black market to prove they’re doing all they can to keep customers secure — especially the most critical ones such as the military and power companies.

    “I think it’s only a matter of time,” said Jeremiah Grossman, founder of WhiteHat Security Inc. “Something really bad has to happen first, and it hasn’t yet. When a virus runs through a children’s hospital and causes loss of life, it’s going to matter a lot.”


    If Your Password Is 123456, Just Make It HackMe

    by Ashlee Vance, NYTimes

    Back at the dawn of the Web, the most popular account password was “12345.”

    Today, it’s one digit longer but hardly safer: “123456.”

    Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

    According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

    “I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

    Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

    The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

    “This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

    Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

    More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

    That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

    “We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

    Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.

    To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.
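The two controls the article describes, a minimum length and a refusal of commonly chosen passwords, are easy to combine into a single policy check. The Python below is an added example, not code from the article or from any of the companies it names; the denylist is a small constructed sample standing in for a real top-N list, and the 12-character minimum is the figure Jeff Moss gives later in the piece. It also includes the measurement Imperva made on the leaked list, the share of a password sample that falls inside a small common pool, so the "one in five" finding can be reproduced on any list of your own users' choices.

```python
"""Password policy check against a denylist of common passwords.

Added example (not from the article). COMMON_PASSWORDS is a constructed
sample, not the real RockYou data; a deployment would load a full
top-N list from a file and keep the same checks.
"""
from collections import Counter

# Constructed sample of frequently chosen passwords (not the real leaked list).
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "lovely", "jessica", "654321", "michael",
    "ashley", "qwerty",
})
MIN_LENGTH = 12  # the length Jeff Moss mentions in the article

# Constructed sample of ten user-chosen passwords for the demonstration.
SAMPLE = ["123456", "Password", "correct horse battery", "123456",
          "qwerty", "Tr0ub4dor&3xyz!", "iloveyou", "aaaaaaaaaaaa",
          "12345", "m0untain-goat-2010"]


def normalise(password: str) -> str:
    """Fold case so 'Password' and 'PASSWORD' hit the same denylist entry."""
    return password.strip().lower()


def is_common(password: str, pool=COMMON_PASSWORDS) -> bool:
    """True if the (case-folded) password is on the denylist."""
    return normalise(password) in pool


def evaluate_password(password: str, pool=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if is_common(password, pool):
        failures.append("appears on the common-password list")
    if len(set(password)) <= 2:
        failures.append("uses only one or two distinct characters")
    return failures


def share_in_pool(passwords, pool=COMMON_PASSWORDS) -> float:
    """Fraction of a password sample that falls inside the common pool.

    This is the measurement Imperva reported on the leaked list: about
    20 percent of users sat inside a pool of 5,000 passwords.
    """
    if not passwords:
        return 0.0
    hits = sum(1 for p in passwords if is_common(p, pool))
    return hits / len(passwords)


def most_common(passwords, n=3):
    """Top-n passwords in a sample, as (password, count) pairs."""
    return Counter(normalise(p) for p in passwords).most_common(n)


if __name__ == "__main__":
    print(f"share of sample in common pool: {share_in_pool(SAMPLE):.0%}")
    print("top 3:", most_common(SAMPLE))
    for pw in ("123456", "Password", "aaaaaaaaaaaa", "m0untain-goat-2010"):
        print(pw, "->", evaluate_password(pw) or "accepted")
```

The case-folding in `normalise` matters: a denylist that only matches exact strings lets "Password" through while rejecting "password", and the article's point is that attackers try the handful of most likely variants, not the one literal spelling.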

    Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

    Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.
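The freezing trade-off above, and the earlier remark that attackers simply guess at an "acceptable rate", both point at the same design flaw: a limit kept only per account. The Python below is an added example, not code from the article or from eBay, Twitter or any other site it names. It keeps two counters, one per account and one per source address, applies a growing delay to the account and refuses only the source, so a stranger cannot lock a legitimate bidder out, while a source that spreads one common password over many accounts still runs into a limit. Timestamps are passed in explicitly so the behaviour is deterministic; the account names and addresses in the demonstration are constructed.

```python
"""Login throttling that slows guessing without hard-locking accounts.

Added example, not from the article. Two counters: per account (growing
delay, capped) and per source address (refused after a fixed number of
recent failures across any accounts). Every call takes `now` explicitly.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LoginThrottle:
    window: float = 3600.0       # seconds after which a failure is forgotten
    source_limit: int = 20       # failures from one source before it is refused
    max_delay: float = 60.0      # cap on the per-account delay, in seconds
    account_failures: Dict[str, List[float]] = field(default_factory=dict)
    source_failures: Dict[str, List[float]] = field(default_factory=dict)

    def _recent(self, table: Dict[str, List[float]], key: str, now: float) -> List[float]:
        """Drop failures older than the window and return what remains."""
        kept = [t for t in table.get(key, []) if now - t < self.window]
        table[key] = kept
        return kept

    def required_delay(self, account: str, now: float) -> float:
        """Seconds to wait before the next attempt on this account.

        Grows 1, 2, 4, ... with each recent failure and is capped, so a user
        who mistypes is slowed down but never locked out.
        """
        failures = len(self._recent(self.account_failures, account, now))
        if failures == 0:
            return 0.0
        return min(self.max_delay, float(2 ** (failures - 1)))

    def source_refused(self, source: str, now: float) -> bool:
        """True once one source has too many recent failures, whatever the accounts."""
        return len(self._recent(self.source_failures, source, now)) >= self.source_limit

    def decide(self, account: str, source: str, now: float) -> str:
        """Combined decision: 'refuse', 'delay:<seconds>' or 'allow'."""
        if self.source_refused(source, now):
            return "refuse"
        delay = self.required_delay(account, now)
        return f"delay:{delay:g}" if delay > 0 else "allow"

    def record_failure(self, account: str, source: str, now: float) -> None:
        """Count a wrong password against both the account and the source."""
        self.account_failures.setdefault(account, []).append(now)
        self.source_failures.setdefault(source, []).append(now)

    def record_success(self, account: str) -> None:
        """A correct password clears the account's counter, not the source's."""
        self.account_failures.pop(account, None)


def simulate_spray(throttle: LoginThrottle, source: str, accounts: List[str], start: float) -> int:
    """Constructed scenario: one source tries a single common password against
    many accounts, one attempt per second, and every guess is assumed to fail.
    Returns how many attempts got through before the source was refused."""
    attempts = 0
    for i, account in enumerate(accounts):
        now = start + i
        if throttle.decide(account, source, now) == "refuse":
            break
        throttle.record_failure(account, source, now)
        attempts += 1
    return attempts


if __name__ == "__main__":
    t = LoginThrottle()
    victims = [f"user{i}" for i in range(40)]          # constructed account names
    print("spray attempts before refusal:", simulate_spray(t, "198.51.100.7", victims, 0.0))
    # The account touched by the spray is merely delayed for its real owner.
    print("user0 from another address:", t.decide("user0", "203.0.113.5", 50.0))
```

With a per-account freeze, the same spray would have locked every touched account for its owner; here each owner sees a one-second delay that expires with the window, and the only thing refused is the address that produced the failures.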

    Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

    Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

    Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

    “Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

    In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

    But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords — a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

    Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

    “It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”


    How to manage risk in the cloud

    What is Cloud Computing and does it provide more protection to your business?

  • Pre-order the Softcover;
  • Pre-order the eBook.

    Cloud Computing will bring many benefits to organisations, some of which include reducing operating costs, reducing power consumption and freeing you up to focus on your core business.
    The concept of shifting computing to a shared service provider is not new. What may be new is that the cost of Cloud Computing is falling so dramatically that considering outsourcing to the Cloud is no longer rare, and it is now accessible enough that any individual or organisation can use it to their advantage.

    Above the Clouds: Managing Risk in the World of Cloud Computing
    For Cloud Computing to be a viable option, you need to be confident that your business information will be secure and that the service you offer to your customers will still be reliable. So if you want to adopt a Cloud Computing strategy, you need to make sure you carry out due diligence on the service provider before you entrust this firm with your vital data. However, the author challenges the assumption that Cloud Computing will offer less protection to your data than relying on an in-house server. Buy Now!>

    Cloud Computing not only allows you to make economies of scale; it can also offer you the increased security that comes from sharing the resource. The author argues that moving over to Cloud Computing can actually help to defend your organisation from threats such as denial of service attacks, viruses and worms.

    Cloud service providers will tell you that Cloud Computing is bound to be better, faster and cheaper. The reality is that before switching over to Cloud Computing, you need to think carefully about whether it will really work for your business. This book shows you what you need to do to ensure that with Cloud Computing you will continue to give the standard of service your customers require. It also offers you some valuable tips on how to choose your provider of Cloud services.

    Published date: 9th February 2010.

    Pre-order this book using Voucher Code: “cloud2010” to save 10%!

  • Pre-order the Softcover;
  • Pre-order the eBook.

    Protection Suite Small Business Edition

    An Easy-to-Use, All-in-One Suite

    Symantec™ Protection Suite Small Business Edition is an easy-to-use, all-in-one suite that protects critical business assets by securing them against today’s complex malware and spam threats, and rapidly recovering computer systems. By upgrading, you will receive multiple layers of protection through award-winning technologies from the market-leading endpoint security, messaging security, and backup and recovery provider. The new Symantec Protection Suite Small Business Edition includes:

  • Symantec Endpoint Protection Small Business Edition 12.0
  • Symantec Mail Security for Microsoft® Exchange with Premium AntiSpam
  • Symantec Norton™ AntiVirus for Macintosh
  • Backup Exec™ System Recovery Desktop Edition 8.5


    This all-inclusive suite creates a secure environment and unmatched defense against email-borne threats and security risks. It also enables reliable recovery of data in seconds or complete systems in minutes, ensuring high availability and avoiding business-interruption threats. Small businesses can now save both time and money with this ready-to-go, comprehensive suite that is trouble-free and straightforward to install, deploy and manage. Symantec Protection Suite protects critical business data and helps meet compliance requirements. It comes with 12 months of free support.

    Check out the detailed features and key benefits of Symantec Protection Suite SBE


    Long Awaited ISO/IEC 20000

    The long awaited international standard on scoping a Service Management System, ISO/IEC TR 20000-3, is now available.

    It’s a must have -

    Buy the hard copy here:

    or the download here:

    It may seem a little backwards buying part 3 of the ISO 20000 series ahead of parts 1 and 2 but this makes perfect sense, let me explain…
    This part of ISO/IEC 20000 will help you if you are considering using ISO/IEC 20000-1 for implementing a service management system (SMS). It will also be of aid if you need specific advice on whether ISO/IEC 20000-1 is applicable to your organisation.
    It shows you how to define the scope of your SMS based on practical examples, for assessment, irrespective of whether you have previous experience with other management system standards.

    Key Features and Benefits:

    • Will assist those looking to define a scope statement for implementing an SMS that is fully aligned with ISO/IEC 20000-1, saving time and money over hiring expensive IT service management consultants to help you with your SMS paperwork.
    • Explanations, guidance and recommendations shed light on implementing an ISO/IEC 20000-1 SMS, providing information complementary to that in ISO/IEC 20000-2.
    • The information in this standard is generic, so it is applicable no matter the size, type or location of the organisation.

    Get your copy today >>

    Buy the hard copy here:

    or the download here:


    Pop-Up Security Warnings Pose Threats


    Malware: Fighting Malicious Code

    By FBI NPO

    The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

    The message may display what appears to be a real-time, anti-virus scan of your hard drive. The scareware will show a list of reputable software icons; however, you can’t click a link to go to the real site to review or see recommendations. Cyber criminals use botnets—collections of compromised computers—to push the software, and advertisements on websites deliver it. This is known as malicious advertising or “malvertising.”

    Once the pop-up warning appears, it can’t be easily closed by clicking the “close” or “X” buttons. If you click the pop-up to purchase the software, a form to collect payment information for the bogus product launches. In some instances, the scareware can install malicious code onto your computer, whether you click the warning or not. This is more likely to happen if your computer has an account that has rights to install software.

    Downloading the software could result in viruses, malicious software called Trojans, and/or keyloggers—hardware that records passwords and sensitive data—being installed on your computer. Malicious software can cause costly damages for individual users and financial institutions. The FBI estimates scareware has cost victims more than $150 million.

    Cyber criminals use easy-to-remember names and associate them with known applications. Beware of pop-up warnings that are a variation of recognized security software. You should research the exact name of the software being offered. Take precautions to ensure operating systems are updated and security software is current. If you receive these anti-virus pop-ups, close the browser or shut down your computer system. You should run a full anti-virus scan whenever the computer is turned back on.

    If you have experienced the anti-virus pop-ups or a similar scam, notify the Internet Crime Complaint Center (IC3) by filing a complaint at www.ic3.gov.


    Long Awaited ISO/IEC 27004:2009

    Security Metrics: Replacing Fear, Uncertainty, and Doubt

    The long awaited international standard on Information Security Measurement, ISO/IEC 27004:2009, is now available.

    It’s a must have –
    Buy the hard copy here
    or the download here


    Key Features and Benefits:

    • Provides guidance on the development, implementation and use of metrics to measure the effectiveness of an ISO 27001-compliant ISMS, controls or groups of controls, helping you to quantify the payback to your organisation of implementing an ISMS.
    • Covers not just the development, implementation and use of metrics, but also the communication of the results, helping you to ensure management buy-in for future projects.
    • The use of this standard provides opportunities to identify areas in need of improvement, facilitating continual improvement and thus leading to more secure information, cost savings and increases in efficiency.

    If you have not calibrated the model with measurement, only one thing is certain: you will either overspend or under-protect.

    Get your copy today >>
    Buy the hard copy here
    or the download here


    Hackers deface 5th govt Web site, mock automated polls

    By Jerrie Abella, GMANews.TV

    Another government Web site was found defaced Sunday night – the fifth attack since last month.

    Hackers of the Technical Education and Skills Development Authority (Tesda) Web site, however, took on a bolder approach by leaving a message that seemed to mock the upcoming automated elections.

    “Ano ba gagamitin sa Election? Blade server? Juniper Firewall (what is going to be used in the elections? Blade server? Juniper firewall)?” the message read.

    HACK YOU. A screen capture of the defaced Tesda Web site as of 11:12 p.m. Sunday.

    Before Tesda’s, hackers had also victimized the Web sites of the Department of Health (DOH), Department of Social Welfare and Development (DSWD), National Disaster Coordinating Council (NDCC), and Department of Labor and Employment (DOLE).

    Malacañang has expressed alarm over the series of hacking attacks on government Web sites, saying it raises new concerns about the security of the automated elections in May.

    “Of course we are concerned. This is not just a problem in our country, this is not just something that has happened just recently, it’s happening all over the country so this is certainly something that we are sensitive to as a matter of information policy within government,” said deputy presidential spokesman Gary Olivar at a press conference last week.

    Dirty finger

    The hacked Tesda Web site also showed a black and white illustration of a man giving the “dirty finger” supposedly directed against several “abusive” military and police units.

    A pair of bulging eyeballs also followed the pointer anywhere on the page, and background music was also set up on the site’s second web page to which it automatically transfers.

    Aside from the derisive reference to the May elections, a message of sympathy for a slain communist rebel and a potshot against an allegedly abusive police officer also replaced the original contents of the site.

    “Nakikiramay kami sa Iskolar ng Bayan, Freedom Fighter na si Kimay” (We sympathize with the death of scholar of the people, freedom fighter Kimay), the hackers’ message read, referring to Kemberly Jul Luna, a young New People’s Army (NPA) cadre who was killed last December 15 in an encounter with the military in Bukidnon province.

    The message also identified a certain PO1 Ramos as an “abusive” police officer.

    The hackers also made the site automatically jump to a second page, which featured background music; a job announcement supposedly from VenturesLink, one of the partners of Smartmatic-TIM in the automation of the elections, inviting technicians across the country to be part of its team; and a quote from the Hacker Manifesto, a short essay written by well-known hacker Lloyd Blankenship after he was arrested in 1986.

    The hacking of government Web sites has alarmed Malacañang, considering the attacks’ proximity to the May automated polls.

    Precautions

    Following the attacks on government Web sites by hackers, Olivar urged the Commission on Elections (Comelec) and other agencies to take the necessary precautions to secure their Web sites.

    “Other agencies which are not yet hit by this are likewise taking the necessary precautions, especially Comelec because of the automated nature of the next elections,” he said at last week’s briefing.

    The Comelec had earlier said that adequate safeguards are in place to protect the election results from hackers. Spokesman James Jimenez said the system to be used in the coming automated polls would operate on a “virtual private network,” making it difficult for hackers to bypass the system’s security mechanisms.
