Jul 03 2012

Information Security Awareness

Category: Security Awareness | DISC @ 2:06 pm

Managing an Information Security and Privacy Awareness and Training Program


Aug 27 2011

12 Steps to IT Security

Category: Security Awareness | DISC @ 9:35 pm

This video outlines 12 steps to take to protect your business from the threat of e-Crime.


Jul 20 2011

8 tactics for mobile data privacy and security

Category: hipaa, Security Awareness | DISC @ 1:21 pm

By Mary Mosquera

With the sweeping use of mobile devices by healthcare providers, physicians and hospitals need to embrace best practices for protecting sensitive patient data, privacy experts say. For example, encrypt sensitive data when it is necessary to store on wireless devices.

Sixty-four percent of physicians own a smartphone and one-third of them have an iPad, with another 28 percent planning to buy one within six months, according to research cited by ID Experts, which offers data protection and response services, in a July 20 announcement.

Many of the current 10,000 mobile healthcare applications were designed to let their users access electronic health records (EHRs). At the same time, in the past two years, the Office of Civil Rights has reported that 116 data breaches of 500 records or more were the direct result of the loss or theft of a mobile device and led to the exposure of the personal health information of 1.9 million patients, which started many consumers questioning the security of EHR systems and the data they house.

The Office of Civil Rights oversees health information privacy in the Health and Human Services Department and publishes on its website incidents involving the sensitive information of at least 500 individuals.

To more effectively protect patient data, Rick Kam, president of ID Experts recommended the following practices:

1. Don’t store sensitive data on wireless devices. If required, encrypt data.
2. Enable password protection on wireless devices and configure the lock screen to come on after a short period of inactivity.
3. Turn on the “remote wipe” feature of wireless devices.
4. Enable Wi-Fi network security. Do not use wired equivalent privacy (WEP). Wi-Fi protected access (WPA-1) with strong passphrases offers better security. Use WPA-2 if possible.
5. Change the default service set identifier (SSID) and administrative passwords.
6. Don’t transmit your wireless router’s SSID.
7. Only allow devices to connect by specifying their hardware media access control (MAC) address.
8. Establish a wireless intrusion prevention system.
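To turn the router-side items (4 to 7) into something that can be checked rather than remembered, here is an added example in Python that audits a hostapd-style access-point configuration file. It is not code from the article or from ID Experts; the two configuration texts, the list of factory SSID patterns and the 20-character passphrase threshold are constructed assumptions, and the key names follow hostapd's ssid, wpa, wpa_passphrase, ignore_broadcast_ssid, macaddr_acl and wep_key0 settings. Item 5's administrative password and the device-side items 1 to 3 and 8 do not appear in such a file and are not checked.

```python
"""Audit a hostapd-style access-point config against items 4 to 7 above.
Added example; the configs and thresholds below are constructed."""

import re

# Constructed assumptions: factory-default SSID shapes and a policy minimum
# passphrase length standing in for "strong passphrase".
DEFAULT_SSID_RE = re.compile(
    r"(?:default|linksys|netgear|dlink|tp-link|wireless)(?:[-_]?[0-9a-f]{0,6})")
MIN_PASSPHRASE_LEN = 20

# Constructed "before" config: WPA1, short passphrase, factory SSID, open ACL.
WEAK_CONFIG = """\
interface=wlan0
ssid=NETGEAR-5f3a
# wpa is a bit field in hostapd: 1 = WPA, 2 = WPA2, 3 = both
wpa=1
wpa_passphrase=password1
ignore_broadcast_ssid=0
# 0 = accept any client not on a deny list
macaddr_acl=0
"""

# Constructed "after" config that passes every check.
HARDENED_CONFIG = """\
interface=wlan0
ssid=clinic-ward3-staff
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=correct horse battery staple twelve
ignore_broadcast_ssid=1
# 1 = only clients on the accept list may associate
macaddr_acl=1
"""


def parse_config(text):
    """Minimal key=value parser: lines starting with '#' are comments,
    the first '=' splits key from value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return (item_number, finding) pairs; an empty list means the file passes."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0" or any(k.startswith("wep_key") for k in conf):
        findings.append((4, "open or WEP network; WEP is broken, use WPA2"))
    elif wpa == "1":
        findings.append((4, "WPA (version 1) only; set wpa=2"))
    elif wpa == "3":
        findings.append((4, "mixed mode still admits WPA1 clients; set wpa=2"))
    if wpa != "0" and len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append((4, f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters"))
    ssid = conf.get("ssid", "")
    if not ssid or DEFAULT_SSID_RE.fullmatch(ssid.lower()):
        findings.append((5, f"SSID {ssid!r} looks like a factory default"))
    if conf.get("ignore_broadcast_ssid", "0") != "1":
        findings.append((6, "SSID is broadcast"))
    if conf.get("macaddr_acl", "0") != "1":
        findings.append((7, "no MAC address allow-list (macaddr_acl=1)"))
    return findings


def item_numbers(findings):
    """Distinct list items that produced at least one finding."""
    return sorted({n for n, _ in findings})


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_config(text)) or "OK")
```

Items 6 and 7 are worth having the checker report, but treat them as hygiene rather than access control: a non-broadcast SSID and the MAC addresses of associated clients are both visible to anyone monitoring the channel, so it is the WPA2 passphrase check that actually decides who can join the network.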

“Many Wi-Fi networks in hospitals and doctor’s offices are not secure,” Kam cautioned, “and coupled with the increased mobile device usage, patient data is at risk.”


Jul 03 2011

Identity Theft Prevention | Credit Reports & Fraud Alerts

Category: Identity Theft, Security Awareness | DISC @ 10:45 pm

“Identity theft is the information age’s new crime. A criminal collects enough personal data on the victim to impersonate him to banks, credit card companies and other financial institutions. Then he racks up debt in the victim’s name, collects the cash and disappears. The victim is left holding the bag.
While some of the losses are absorbed by financial institutions–credit card companies in particular–the credit-rating damage is borne by the victim. It can take years for the victim to completely clear his name.” Bruce Schneier

http://www.youtube.com/watch?v=wyLzWYRC8CA

More Info on Identity Theft Countermeasures and Safeguards


Jun 29 2011

The weakest link in computer hacking?

Category: Security Awareness | DISC @ 10:30 am

The weakest link in computer hacking? Human error
By Cliff Edwards, Olga Kharif, Michael Riley, Bloomberg News

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

“There’s no device known to mankind that will prevent people from being idiots,” said Mark Rasch, director of network security and privacy consulting for Falls Church, Va.’s Computer Sciences Corp.

The test showed something computer security experts have long known: Humans are the weak link in the fight to secure networks against sophisticated hackers. The intruders’ ability to exploit people’s vulnerabilities has tilted the odds in their favor and led to a spurt in cybercrimes.

In real-life intrusions, executives of EMC Corp.’s RSA Security, Intel Corp. and Google Inc. were targeted with e-mails with traps set in the links. And employees unknowingly post vital information on Facebook or Twitter.

It’s part of a $1 trillion problem, based on the estimated cost of all forms of online theft, according to McAfee Inc., the Santa Clara computer security company.

Hundreds of incidents likely go unreported, said Rasch, who previously headed the Justice Department’s computer crime unit. Corporate firewalls costing millions to erect often succeed in blocking viruses and other forms of malware that infect computers and steal data such as credit card information and passwords. Human error can quickly negate those defenses.

“Rule No. 1 is, don’t open suspicious links,” Rasch said. “Rule No. 2 is, see Rule No. 1. Rule No. 3 is, see Rules 1 and 2.”

A full report on the Homeland Security study will be published this year, Sean McGurk, director of the department’s National Cybersecurity and Communications Integration Center, said at a June 16 conference in Washington.

Tactics such as spear-phishing – sending a limited number of rigged e-mails to a select group of recipients – rely on human weaknesses like trust, laziness or even hubris.

That’s what happened in March, when attackers used a clever ruse to exploit their discovery that RSA – the company that provides network-access tokens using random secondary passwords – was in a hiring campaign.

Two small groups of employees received e-mails with attached Excel spreadsheets titled “2011 Recruitment Plan,” the company said in April. The e-mails were caught by the junk-mail screen. Even so, one employee went into the folder, retrieved the file and opened it.

The spreadsheet contained an embedded Adobe Systems Inc. Flash file that exploited a bug, then unknown to San Jose’s Adobe, that allowed hackers to commandeer the employee’s PC. RSA said information related to its two-factor SecurID authentication process was taken.

Banks may be forced to pay $50 million to $100 million to distribute new RSA SecurID devices, according to Avivah Litan, a Gartner Inc. research analyst.

“The team that hacked us is very organized and had a lot of practice,” Uri Rivner, head of new technologies at RSA Security, said at a June 17 conference in Spain. “I can compare them to the Navy Seals Team Six, which hit Osama bin Laden.”

The FBI began warning in early 2009 about a rise in spear-phishing attacks. To succeed, they require the target to open a link presumably sent by someone they know or trust.

Total phishing attacks increased by 6.7 percent from June 2010 to May 2011, according to Symantec Corp.’s State of Spam & Phishing monthly report. The number of non-English phishing sites increased 18 percent month over month.

Spear-phishing is evolving into what Rasch calls whale phishing: targeting senior-level executives whose computers may have access to far more sensitive information than rank-and-file workers.

Technology executives are attractive targets because their positions give them access to a trove of information, and they tend to believe they’re better protected from computer hackers than their employees, Rasch said.

Hackers research decision makers by browsing social networks, reading up on news about the company, and creating e-mails and links that appear to be genuine and come from people that the targets know.

“Phishing is on a different trajectory than it’s been in the past,” said Malcolm Harkins, Intel’s chief information-security officer.

This article appeared on page D – 2 of the San Francisco Chronicle on June 28, 2011

Hacking: The Art of Exploitation

Tags: hackers, International Monetary Fund, McAfee, phishing, RSA SecurID, RSA Security, RSA The Security Division of EMC, SecurID


May 19 2011

Paying attention to basics is key to healthy security ecosystem, says panel

Category: Information Security, Security Awareness | DISC @ 11:01 am

Employee security awareness, firewalls, data leakage protection, and collaboration are all key components of a healthy information security ecosystem, according to a panel at the MIT Sloan CIO Symposium held Wednesday.

The moderator, Owen McCusker of Sonalysts, asked the panel to describe what companies can do to create a healthy information security ecosystem.

Michael Daly, director of IT security services at Raytheon, said that his company has developed information security guidelines that include employee security awareness training, firewalls and data segregation, and “command and control blocking” that focuses on outbound traffic.

“There are always going to be vulnerabilities on your systems that are unpatched. There is nothing you are going to be able to do about it. So you ask yourself, ‘If I’m attacked, what am I going to do next?’ Watch for the traffic that is leaving your network. That is a key point,” Daly told conference attendees.

Defense in depth is a key information security strategy, noted David Saul, chief scientist at State Street, a Boston-based financial institution. “You need to use all of the tools you have available”, he stressed.

“You need to have firewalls, you need to have data leakage protection….You need to have a combination of technologies…as well as employee awareness”, he said.

Saul also recommended information security collaboration across industries. He noted that there is an organization in New England called the Advanced Cyber Security Center that brings together information security experts from the financial, defense, health care, energy, and high-tech industries to share best practices and threat information and expertise.

Kurt Hakenson, chief technologist for Northrop Grumman’s Electronic Systems, added that collaboration should be not only across industries but also among industry peers.

“Security folks tend to be protective about information about breaches. There is always a balance about sharing that information with your industry peers. You will find that for the operational folks that are involved in the day-to-day work, relationships are critical. Being able to get on the phone is so important, because the adversaries who are targeting you are using the same techniques. They are socially aware”, Hakenson said.

Daly noted that Raytheon and Northrop Grumman are involved with the US government in Project Stonewall, a defense industry group that shares threat information in real time.

Allen Allison, chief security officer at cloud service provider NaviSite, said that providers also share information about security threats. “We undertake analysis of what traffic should look like, does look like, or can look like compared to the norm. We share that with all of our partners”, Allison noted.


There are always going to be threats and vulnerabilities in your infrastructure that are unaddressed; there is no such thing as absolute security. Watch the traffic leaving your company so that you can spot an incident, and have a comprehensive incident handling program in place to manage it.
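As an added illustration of “watch for the traffic that is leaving your network” (not code from the panel or from any of the companies named above), the Python below runs two simple checks over constructed outbound flow records: connections from inside hosts to external hosts on ports outside an allow-list, and one inside host contacting one external host at a suspiciously regular interval, which is the check-in pattern that Daly’s outbound “command and control blocking” is meant to catch. The log format, the internal address ranges, the port allow-list and the beacon thresholds are all assumptions.

```python
"""Two outbound-traffic checks over constructed flow records (added example).
Format assumed per line: "timestamp src dst dst_port bytes"."""

import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumptions: which ranges count as "inside", which egress ports are expected,
# and how many evenly spaced connections make a beacon.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {53, 80, 443}
BEACON_MIN_CONNECTIONS = 4
BEACON_MAX_JITTER = 0.10   # std-dev of the gap between connections / mean gap

# Constructed sample flows; 203.0.113.10 is contacted every five minutes.
SAMPLE_LOG = """\
2011-05-18T09:00:00 10.1.4.22 203.0.113.10 443 1200
2011-05-18T09:02:13 10.1.4.30 192.0.2.80 443 54000
2011-05-18T09:03:44 10.1.4.31 198.51.100.7 6667 300
2011-05-18T09:04:01 10.1.4.22 10.1.1.5 445 9000
2011-05-18T09:05:00 10.1.4.22 203.0.113.10 443 1180
2011-05-18T09:10:00 10.1.4.22 203.0.113.10 443 1210
2011-05-18T09:15:00 10.1.4.22 203.0.113.10 443 1190
"""


def is_internal(ip):
    """True when the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the sample format into dicts; timestamps become datetime objects."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def unexpected_egress(flows):
    """Inside-to-outside flows whose destination port is not on the allow-list."""
    return [f for f in flows
            if is_internal(f["src"]) and not is_internal(f["dst"])
            and f["port"] not in ALLOWED_EGRESS_PORTS]


def beacons(flows):
    """(src, dst, port) groups with at least BEACON_MIN_CONNECTIONS outbound
    connections spaced at a near-constant interval."""
    groups = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            groups[(f["src"], f["dst"], f["port"])].append(f["ts"])
    found = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < BEACON_MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_JITTER:
            found.append({"src": src, "dst": dst, "port": port,
                          "count": len(stamps), "interval_s": avg})
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for f in unexpected_egress(flows):
        print(f"unexpected port: {f['src']} -> {f['dst']}:{f['port']}")
    for b in beacons(flows):
        print(f"beacon: {b['src']} -> {b['dst']}:{b['port']} "
              f"every {b['interval_s']:.0f}s x{b['count']}")
```

The port check is the cheap half and the beacon check the more useful one: a compromised host will usually talk out on 443 like everything else, so it is the regularity of the contact, not the port, that gives it away. On real data widen the jitter tolerance, since implants add random delay, and seed the allow-lists from a few weeks of known-good traffic rather than from a guess.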

It’s all about prioritizing risks and mitigating them in a cost-effective way.

Related Titles for Information Security Awareness

