Nov 06 2009

Laptop Heist Exposes Doctors’ Personal Data

Category: hipaa, Security Breach | DISC @ 6:50 pm


Another stolen laptop puts thousands of people’s personal data at risk, but this time it’s the caregivers, not the patients, who are exposed.

November 6, 2009
By Larry Barrett:

More than 10,000 physicians’ and dentists’ personal data was exposed last week in New Hampshire after an employee at Anthem Blue Cross and Blue Shield transferred the health care providers’ Social Security numbers and other data to a personal laptop that was later stolen.

Anthem spokesman Christopher Dugan said the security breach took place at the national level and the files did not include any patients’ personal data.

The Blue Cross Blue Shield Association said the employee’s ill-fated decision to transfer the sensitive information to a personal laptop violated the insurer’s security policies.

Just last week, more than 33,000 patients receiving care from a Daytona Beach, Fla. medical center were notified that their data may have been compromised when a laptop was stolen from an employee’s car.
New Hampshire is one of 43 states that require companies and organizations to notify people when their personal or financial information is accidentally or deliberately compromised.

Anthem officials said the company will provide free credit-monitoring services to all the affected physicians and dentists for a year.

It’s not been the best of months for the insurer.

On Oct. 5, Blue Cross warned another 39,000 doctors that yet another laptop stolen from the company’s Chicago headquarters could have potentially exposed an assortment of personal information including Social Security numbers and tax identification numbers.

A study by Traverse City, Mich.-based data security researcher Ponemon Institute estimates that more than 12,000 laptops are stolen or lost at airports alone each week.

It also found that the average large company has 640 laptops, 1,985 USB memory sticks, 1,075 smart phones and 1,324 other data devices stolen or lost each year, a total of 800,000 data-sensitive memory devices a year.


Tags: arra and hitech, crime, data breach, data security, Health Insurance Portability and Accountability Act, hipaa, laptop, Physician, Security, stolen laptop


Nov 05 2009

Senate Panel Clears Data Breach Bills

Category: Information Privacy, Security Breach | DISC @ 6:29 pm

Legislation Heads for a Senate Vote

November 5, 2009 – Eric Chabrow, Managing Editor
The Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.

The Personal Data Privacy and Security Act, or S. 1490, designates as fraud unauthorized access of sensitive personally identifiable information, which would lead to racketeering charges. The measure, sponsored by Committee Chairman Patrick Leahy, D.-Vt., also would prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.

The other measure, the Data Breach Notification Act, or S. 139, would require federal agencies and businesses engaged in interstate commerce to notify American residents whose personal information is accessed when a security breach occurs. An exception: if notification would hinder national security or a law enforcement investigation. S. 139, sponsored by Sen. Dianne Feinstein, D.-Calif., also would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement.

Objections raised by Sens. Jeff Sessions of Alabama, the committee’s ranking Republican, and Jon Kyl of Arizona, the Republican whip, focused on the provisions defining personally identifiable information (PII) to include an individual’s full name along with at least two of the following: the person’s birth date, home address, telephone number and mother’s maiden name.

Sessions said this information is available from other public records, such as a telephone directory, and would place an undue financial burden on businesses to notify customers of the breach if that was the only information exposed. Kyl said if the bill results in too many notices being sent, consumers might ignore them, similar to how the public views the orange alert on terrorism. “With frequent notices, customers may not worry about it,” he said.

Another objection raised by a few Republicans – a point dismissed by some of their Democratic colleagues – was the bankruptcy provision in the Leahy bill. The consensus of committee members was that a person victimized by identity theft should not face bankruptcy, but several GOP members worried that the provision might be used to get persons facing bankruptcy for other reasons off the hook if they also had their identities compromised.

Still, Leahy said the legislation, first introduced four years ago, is overdue, and the public is clamoring for it. He cited a Unisys study that contends more Americans are concerned about identity theft than the H1N1 virus or meeting their financial obligations. Since 2005, the year the bill was first proposed, more than 340 million records containing sensitive PII have been involved in data breaches, he said, citing a Privacy Rights Clearinghouse report.

“This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses,” Leahy said. “The president’s recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion. The FBI’s latest annual report on Internet crime found that online crime hit a record high in 2008 – a 33 percent increase over the previous year. This loss of data privacy is a serious and growing threat to the economic security of American businesses.”


Tags: Cyberspace Policy, Data Breach Notification, Dianne Feinstein, Identity Theft, loss of privacy, Personal Data Privacy and Security Act, Personally identifiable information, S. 139, S. 1490, Senate Judiciary Committee, United States Senate


Nov 03 2009

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Category: hipaa | DISC @ 6:22 pm

HIMSS News
The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey, sponsored by Symantec

CHICAGO (November 3, 2009) – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

  • Security budgets remain low
  • Organizations often don’t have a response plan for threats or a security breach
  • A designated Chief Security Officer or Chief Information Security Officer is not in place

    In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

    “Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to address these concerns.”

    Other key survey results include:

    Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security. This is consistent with the level of spending identified in the 2008 study.

    Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

    Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).

    Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

    Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

    Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

    Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

    Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Fewer than half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

    Future Use of Security Technologies: E-mail encryption and single sign-on were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

    Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

    “Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

    Targeting Chief Information Officers, Chief Security Officers and other Information Technology (IT) executives, the 2009 HIMSS Security Survey asked 196 information technology (IT) and security professionals in the healthcare field to assess their own readiness for today’s risks and security challenges.

    About Symantec
    Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

    About HIMSS
    The Healthcare Information and Management Systems Society (HIMSS) is a comprehensive healthcare-stakeholder membership organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded in 1961 with offices in Chicago, Washington D.C., Brussels, Singapore, and other locations across the United States, HIMSS represents more than 23,000 individual members, of which 73% work in patient care delivery settings. HIMSS also includes over 380 corporate members and nearly 30 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems. HIMSS frames and leads healthcare public policy and industry practices through its educational, professional development, and advocacy initiatives designed to promote information and management systems’ contributions to ensuring quality patient care. Visit www.himss.org for more information.

    For more information, contact:
    Joyce Lofstrom/HIMSS
    312-915-9237 – jlofstrom@himss.org

    Pamela Reese/Symantec
    424-750-7858 – pamela_reese@symantec.com


    Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", Chief Information Security Officer, Chief security officer, Computer security, Health care, Healthcare Information and Management Systems Society, hipaa laws, Information Technology, Security, status of arra and hitech, Symantec


    Oct 31 2009

    Lawmakers and an accidental disclosure

    Category: Security Breach | DISC @ 12:04 am


    By Ellen Nakashima and Paul Kane
    Washington Post Staff Writers
    Friday, October 30, 2009

    House ethics investigators have been scrutinizing the activities of more than 30 lawmakers and several aides in inquiries about issues including defense lobbying and corporate influence peddling, according to a confidential House ethics committee report prepared in July.

    The report appears to have been inadvertently placed on a publicly accessible computer network, and it was provided to The Washington Post by a source not connected to the congressional investigations. The committee said Thursday night that the document was released by a low-level staffer.

    The ethics committee is one of the most secretive panels in Congress, and its members and staff members sign oaths not to disclose any activities related to its past or present investigations. Watchdog groups have accused the committee of not actively pursuing inquiries; the newly disclosed document indicates the panel is conducting far more investigations than it had revealed.

    Shortly after 6 p.m. Thursday, the committee chairman, Zoe Lofgren (D-Calif.), interrupted a series of House votes to alert lawmakers about the breach. She cautioned that some of the panel’s activities are preliminary and not a conclusive sign of inappropriate behavior.

    “No inference should be made as to any member,” she said.

    Rep. Jo Bonner (Ala.), the committee’s ranking Republican, said the breach was an isolated incident.

    The 22-page “Committee on Standards Weekly Summary Report” gives brief summaries of ethics panel investigations of the conduct of 19 lawmakers and a few staff members. It also outlines the work of the new Office of Congressional Ethics, a quasi-independent body that initiates investigations and provides recommendations to the ethics committee. The document indicated that the office was reviewing the activities of 14 other lawmakers. Some were under review by both ethics bodies.


    Tags: aides, breach, committee chairman, ethics committee, ethics violations, House ethics investigators, Lobbying, United States Congress, United States House Committee on Standards of Official Conduct, washington post


    Oct 30 2009

    HIPAA and business associate

    Category: hipaa | DISC @ 10:14 pm

    How ARRA and HITECH provisions affect HIPAA compliance
    AIS reported that the new HITECH Act requires hospitals, providers, health plans and other HIPAA covered entities (CEs) to meet a February 2010 deadline for revising their business associate (BA) agreements. New language in BA amendments should require BAs to comply with (a) the HIPAA Security Rule, (b) new security breach notification rules and related strategies that CEs choose to implement, and (c) new privacy obligations imposed on CEs by the HITECH Act. Developing and maintaining effective BA relationships should be a top compliance priority for CEs, since privacy and security breaches often take place at the BA level and can be just as damaging to a covered entity’s reputation. With February approaching and lots of tricky questions to resolve, covered entities need a quick crash course in what their options are for designing and implementing these amendments in the next three months.

    While the HITECH Act did not come right out and say “business associate agreements must be revised,” it does stipulate that certain provisions “shall be incorporated into the business associate agreement between the business associate and the covered entity.” Among them: business associate agreements must be amended to reflect the new mandate that BAs must comply with the Security Rule, should be amended to provide the covered entity with adequate notice in the event of a security breach, and should incorporate the new privacy obligations imposed on CEs by the HITECH Act.


    Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", breach of privacy, covered entities, health insurance, hipaa, hipaa privacy, hipaa compliance, hitech, hitech act, hospital, privacy, SOX HIPAA, status of arra and hitech


    Oct 27 2009

    Clear Policies and Effective Controls

    Category: Policies & Controls | DISC @ 2:19 pm


    Writing Information Security Policies

    Policy defines the law of an organization: what is acceptable, and what is the less risky way of doing business. Having that law in place is one thing (and a good start for an organization), but how you enforce it and change policies over time is the key to successful policy implementation.

    To control your environment, context is everything: what you want to allow, as well as the actions you will take to safeguard the environment and enforce suitable policies. Policies determine who can access your infrastructure, under what circumstances and conditions, and especially what actions must be taken when users or devices are out of compliance.

    Over time you need to reassess policies to determine which new policies need to be added and which existing ones need to be edited or discarded based on current business needs. Policy controls should be transparent to users, and a balance must be maintained between usability and security; maintaining that balance makes policy more of an art than a science. If a security control costs more than the benefit gained from the business activity it protects, we may need to revisit how much control over the environment is acceptable for current business needs without thwarting business activity.

    Regularly reassessing policies, educating users and enforcing current policies help limit your organization’s liability. Make sure your practice matches your policies; otherwise you may be creating a liability you believe you have protected yourself against.

    You have to try out new policies to see how well they work in your environment. In this regard you might want to issue a policy position statement to receive open feedback from the user community before adding it to company policy. By reassessing policies on a regular basis, and issuing a position statement before enforcing a policy, you achieve better control over your environment by understanding your users’ requirements and business needs. Deming’s PDCA (Plan-Do-Check-Act) model applies to the process of building policy: you refine this process toward perfection over time.


    Tags: clear policies, effective controls, information security policy, infrastructure control, PDCA, pdca model, position statement, security control


    Oct 26 2009

    ChoicePoint fined for security breach

    Category: Security Breach | DISC @ 1:10 pm



    Atlanta Business Chronicle reported on Monday, October 26, 2009 that ChoicePoint Inc. will pay federal regulators $275,000 for a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identity theft, the Federal Trade Commission reported.

    The company, now owned by Reed Elsevier Inc., also agreed to strengthened data security requirements. ChoicePoint now must report to the FTC every two months for two years detailed information about how it is protecting the breached database and certain other databases and records containing personal information.

    The moves settle Federal Trade Commission charges ChoicePoint failed to implement a comprehensive information security program protecting consumers’ sensitive information, as required by a previous court order.

    In April 2008, ChoicePoint turned off a key electronic security tool used to monitor access to one of its databases, and for four months failed to detect that the security tool was off, according to the FTC. During that period, an unknown person conducted unauthorized searches of a ChoicePoint database containing sensitive consumer information, including Social Security numbers. The searches continued for 30 days. After discovering the breach, the company brought the matter to the FTC’s attention.

    The FTC alleged that if the security software tool had been working, ChoicePoint likely would have detected the intrusions much earlier and minimized the extent of the breach. The FTC also claimed ChoicePoint’s conduct violated a 2006 court order mandating that the company institute a comprehensive information security program reasonably designed to protect consumers’ sensitive personal information.
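The failure mode in that account, a monitoring tool switched off and nobody noticing for four months, is worth a concrete check: the monitor itself has to be monitored. The following is an added example, not ChoicePoint’s code and not drawn from the FTC’s findings. It assumes a hypothetical access-monitor log in which the monitor writes a heartbeat line every few minutes and one search line per database query; the log format, field names, the sample lines and the thresholds are all constructed for illustration. It shows three checks: alerting when heartbeats stop, listing the accesses that happened while the monitor was dark, and a crude per-user volume threshold.

```python
"""Two 'monitor the monitor' checks over a constructed access-audit log.

Added example, not ChoicePoint's code and not drawn from the FTC's findings:
the log format, field names and thresholds below are assumptions chosen to
illustrate the failure mode described above.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample. The (hypothetical) access monitor writes a heartbeat
# line about every 10 minutes and one 'search' line per database query.
# Heartbeats stop after 2008-04-01 09:20 while queries continue the next day.
SAMPLE_LOG = """\
2008-04-01T09:00:00Z heartbeat source=access-monitor
2008-04-01T09:04:12Z search user=clerk17 db=consumer records=2
2008-04-01T09:10:00Z heartbeat source=access-monitor
2008-04-01T09:11:45Z search user=clerk17 db=consumer records=1
2008-04-01T09:20:00Z heartbeat source=access-monitor
2008-04-02T14:02:33Z search user=clerk17 db=consumer records=3
2008-04-02T14:05:10Z search user=tmp_acct9 db=consumer records=40
2008-04-02T14:06:58Z search user=tmp_acct9 db=consumer records=55
2008-04-02T14:09:21Z search user=tmp_acct9 db=consumer records=61
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse 'TIMESTAMP kind key=value ...' lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ev = {"ts": parse_ts(parts[0]), "kind": parts[1]}
        except ValueError:
            continue
        for kv in parts[2:]:
            if "=" in kv:
                key, value = kv.split("=", 1)
                ev[key] = value
        events.append(ev)
    return events


def monitor_silence(events, now, max_gap=timedelta(minutes=30)):
    """Seconds since the last heartbeat if that exceeds max_gap, else None.

    A monitor that has been switched off stops reporting; a pipeline that only
    consumes its alerts never notices. This alerts on the absence instead.
    """
    beats = [e["ts"] for e in events if e["kind"] == "heartbeat"]
    if not beats:
        return float("inf")
    gap = now - max(beats)
    return gap.total_seconds() if gap > max_gap else None


def unmonitored_access(events, max_gap=timedelta(minutes=30)):
    """Search events that happened more than max_gap after the most recent
    preceding heartbeat, i.e. accesses made while the monitor was dark."""
    last_beat = None
    dark = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "heartbeat":
            last_beat = e["ts"]
        elif e["kind"] == "search":
            if last_beat is None or e["ts"] - last_beat > max_gap:
                dark.append(e)
    return dark


def heavy_searchers(events, records_threshold=100):
    """{user: total records} for users whose summed 'records' exceed the
    threshold; a coarse stand-in for per-user volume baselines."""
    totals = Counter()
    for e in events:
        if e["kind"] == "search":
            totals[e.get("user", "?")] += int(e.get("records", "0"))
    return {u: n for u, n in totals.items() if n > records_threshold}


def run_checks(text, now_iso):
    """Run all three checks over a log text; now_iso like '2008-04-02T14:30:00Z'."""
    events = parse_log(text)
    return {
        "monitor_silent_seconds": monitor_silence(events, parse_ts(now_iso)),
        "dark_searches": len(unmonitored_access(events)),
        "heavy_searchers": heavy_searchers(events),
    }


if __name__ == "__main__":
    print(run_checks(SAMPLE_LOG, "2008-04-02T14:30:00Z"))
```

The point of the first two checks is that they fire on what is missing rather than on what is reported: an access monitor that has been disabled produces no alerts, so only a separate process that expects its heartbeat can notice. Run as a scheduled job against the real log source, the silence check would have caught the gap the article describes within the first half hour.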

    The FTC’s prior action against ChoicePoint involved a data breach in 2005, which compromised the personal information of more than 163,000 consumers and resulted in at least 800 cases of identity theft. The settlement and resulting 2006 court order in that case required the company to pay $10 million in civil penalties and $5 million in consumer redress.

    Video: ChoicePoint victim: http://www.youtube.com/watch?v=90qWVtAuE_A


    Tags: ChoicePoint, Choicepoint breach, ChoicePoint fined, Federal Trade Commission, FTC, Identity Theft, Reed Elsevier, Security Breach, social security, Social Security number


    Oct 23 2009

    ‘China using elite hacker community to build cyber warfare capability’

    Category: Cybercrime | DISC @ 4:44 pm



    London, Oct 23 (ANI): The Communist regime in China, with the help of an elite hacker community, is building its cyber warfare capabilities and appears to be using a long-term computer attack campaign to collect US intelligence.

    An independent study released by a congressional advisory panel found cases that suggested that China’s elite hacker community has ties to Beijing, although there is no substantial proof.

    The commission report details a cyber attack against a US company several years ago that appeared to either originate in or come through China and was similar to other incidents also believed to be connected to that country, The Telegraph reports.

    Data from the company’s network was being sent to multiple computers in the US and overseas, according to an analysis done by the company over several days.

    The report contends that the attackers targeted specific data, suggesting a very coordinated and sophisticated operation by people who had the expertise to use the high-tech information.

    An Internet Protocol (IP) address located in China was used at times during the episode, the paper reports.

    The Chinese Government is said to view such cyber prowess as critical for victory in future conflicts, similar to the priority on offensive cyber abilities stressed by some US officials.

    Potential Chinese targets in the US would likely include Pentagon networks and databases to disrupt command and control communications, and possibly corrupt encrypted data, the report says. (ANI)


    Tags: chinese hacker, cyberwarfare, elite hacker, hacker, hacker files, uber hacker


    Oct 20 2009

    Identity Theft Tip off, Countermeasure and Consequence

    Category: Identity Theft | DISC @ 3:30 pm

    Americans fear having their identities “stolen” by cybercriminals more than they do becoming victims of a terror attack, getting mugged or having their homes burglarized, according to a new survey released by Gallup, a polling firm.


    Identity theft is a crime in which an attacker obtains your personal information, such as your Social Security, credit card or driver’s license numbers. The thief can use that information to obtain credit, merchandise and services in your name, which will ruin your credit and may even create a criminal record.

    An identity thief can be a stranger who steals your personal information, or someone posing as a bank representative (social engineering) to get your personal information over the internet.
    The problem is that you may not realize you have been victimized until you receive your statement. That’s why it is important to have some check in place that will tip you off that you may be a victim of identity theft before it is too late. As the saying goes, “trust but verify”.

    10 million Americans fell victim to identity theft last year (2008) alone. In a recent story from the Dayton Daily News, the Better Business Bureau’s John North noted that some criminals are using text messages when hunting for consumers’ credit information. The practice, which has been dubbed “smishing”, combines text messaging and the practice of “phishing”.

    Identity Theft Tip Off:
    Sacramento County detective Sean Smith explained how to detect credit card fraud and potential identity theft by looking for a cheap transaction on your statement.
    He said some thieves will charge $1 on a credit card to test whether the card is active. The detective told viewers that this is a red flag that something suspicious is going on with your account, and you need to call the credit card company immediately.
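The detective’s $1 tip-off can be turned into an automated check over a statement export. The following is an added example, not from the original post and not any card issuer’s logic. The CSV layout, the merchant names, the “familiar merchant” rule (at least two prior charges) and the two-day follow-up window are assumptions chosen for illustration, and the statement lines are constructed. A charge of one dollar or less at a merchant the cardholder has no history with is treated as a probe; it escalates to “high” if larger charges at other unfamiliar merchants land within the window. Small pre-authorizations at merchants the cardholder uses regularly (a fuel pump, for instance) are deliberately left alone, because they would otherwise swamp the alert with noise.

```python
"""Flag the card-testing pattern described above in a constructed statement export.

Added example, not from the original post or from any card issuer. The CSV
layout, merchant names, the 'familiar merchant' rule and the two-day window
are assumptions chosen for illustration.
"""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Constructed statement: the cardholder's habitual merchants, then a $1.00
# authorization at a merchant never seen before, followed by large charges at
# other unfamiliar merchants. The final $1.00 at GAS STATION 22 mimics a fuel
# pump pre-authorization at a station the cardholder uses regularly.
SAMPLE_STATEMENT = """\
date,merchant,amount
2009-10-01,GROCERY MART,84.12
2009-10-02,GAS STATION 22,41.50
2009-10-05,GAS STATION 22,39.10
2009-10-08,GROCERY MART,67.33
2009-10-10,ONLINE GIFTSHOP,1.00
2009-10-10,ONLINE GIFTSHOP,349.99
2009-10-11,ELECTRONICS OUTLET,899.00
2009-10-12,GAS STATION 22,38.75
2009-10-12,GAS STATION 22,1.00
"""


def parse_statement(text):
    """Parse a date,merchant,amount CSV into dicts sorted by date (stable)."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "date": datetime.strptime(r["date"].strip(), "%Y-%m-%d"),
            "merchant": r["merchant"].strip(),
            "amount": float(r["amount"]),
        })
    rows.sort(key=lambda r: r["date"])
    return rows


def known_merchants(rows, before, min_history=2):
    """Merchants charged at least min_history times strictly before `before`."""
    counts = Counter(r["merchant"] for r in rows if r["date"] < before)
    return {m for m, n in counts.items() if n >= min_history}


def flag_test_charges(rows, probe_max=1.00, follow_window=timedelta(days=2),
                      min_history=2):
    """Return one finding per suspected test charge.

    A probe is a charge of probe_max or less at a merchant the cardholder has
    no established history with. Severity is 'high' when larger charges at
    other unfamiliar merchants land within follow_window (same-day charges
    count regardless of their order in the file), otherwise 'review'.
    """
    findings = []
    for r in rows:
        if r["amount"] > probe_max:
            continue
        known = known_merchants(rows, r["date"], min_history)
        if r["merchant"] in known:
            continue  # habitual merchant: a pre-authorization, not a probe
        follow = [
            s for s in rows
            if s is not r
            and s["amount"] > probe_max
            and s["merchant"] not in known
            and timedelta(0) <= s["date"] - r["date"] <= follow_window
        ]
        findings.append({
            "date": r["date"].strftime("%Y-%m-%d"),
            "merchant": r["merchant"],
            "probe_amount": r["amount"],
            "follow_count": len(follow),
            "follow_total": round(sum(s["amount"] for s in follow), 2),
            "severity": "high" if follow else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in flag_test_charges(parse_statement(SAMPLE_STATEMENT)):
        print(finding)
```

On the constructed statement this yields a single “high” finding for the ONLINE GIFTSHOP probe, with the two large unfamiliar charges that followed it; the $1 at the cardholder’s usual gas station is ignored. The merchant-history rule is what separates a thief’s test charge from the legitimate pre-authorizations that the detective’s rule of thumb, applied literally, would also flag.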

    Identity Theft Victims:
    If you are the victim of identity theft, file a police report and take the following steps:

    Notify the Credit Bureaus
    Contact the fraud departments of any of the three major credit bureaus to place a fraud alert on your credit file.

    TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

    Equifax: 1-888-766-0008; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241

    Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013

    After cleaning up your records following an identity theft incident, check your credit report periodically to make sure no new activity has occurred.

    Identity Theft Consequences:
    Consequences of identity theft can be serious. Your credit history can be ruined, a loan could be denied because of a negative credit report, you could even be arrested for crimes you didn’t commit because someone has been using your identity.

    Identity Theft Countermeasures:

  • Check your credit card, medical and bank statements regularly, even weekly, to look for any unusual activity or any charges on your card that you didn’t make.

  • Before throwing out any document that contains your personal information, shred it. A cross-cut shredder is recommended.

  • Do not carry your Social Security card in your wallet.

  • Only carry the credit card you may be using on the trip.

  • Do not give out personal information unless you can verify the person asking for it.

  • Avoid doing business online unless the site is secure, meaning your data is encrypted during the transaction.

  • Close the accounts that you know or believe have been tampered with or opened fraudulently.

  • Place a freeze on your credit report.

    Tags: credit card fraud, identity fraud, identity theft, Identity Theft, Identity Theft Consequences, Identity Theft Countermeasures, Identity Theft Tip Off, Identity Theft Victims, social security fraud, Stopping Identity Theft


    Oct 19 2009

    Hacks hit embassy, government e-mail accounts worldwide

    Category: Cybercrime | DISC @ 1:46 pm

    By Daniel Goldberg and Linus Larsson
    Computer Sweden
    August 30, 2007

    Usernames and passwords for more than 100 e-mail accounts at embassies
    and governments worldwide have been posted online. Using the
    information, anyone can access the accounts that have been compromised.

    Computer Sweden has verified the posted information and spoken to the
    person who posted them. The posted information includes names of the
    embassies and governments, addresses to e-mail servers, usernames and
    passwords. Among the organizations on the list are the foreign ministry
    of Iran, the Kazakh and Indian embassies in the U.S. and the Russian
    embassy in Sweden.

    Freelance security consultant Dan Egerstad posted the information. He
    spoke openly about the leak when Computer Sweden contacted him.

    “I did an experiment and came across the information by accident,” he
    said.

    Egerstad says he never used the information to log in to any of the
    compromised accounts in order not to break any laws.

    Computer Sweden confirmed that the login details for at least one of the
    accounts are correct. Egerstad forwarded an e-mail sent on Aug. 20 by an
    employee at the Swedish royal court to the Russian embassy. The person
    who sent the e-mail, in which she declines an invitation to the Russian
    embassy, has confirmed that she sent the e-mail.

    “Yes, that is right. We did decline the invitation. As far as I can
    remember I did send the e-mail,” she said.

    Computer Sweden has not been able to confirm the authenticity of any of
    the other information that has been posted.

    “When something like this happens you usually contact people and ask
    them to fix it. But in this case it felt too big for that, calling to
    other countries,” Egerstad said.

    Of the compromised accounts, 10 belong to the Kazakh embassy in Russia.

    Around 40 belong to Uzbek embassies and consulates around the world.

    Login details for e-mail accounts at the U.K. visa office in Nepal were
    also posted. Login details for the foreign ministry of Iran, the Kazakh
    and Indian embassies in the U.S. and the Russian embassy in Sweden were
    also posted.

    “I hope this makes them take action. Hopefully, faster than ever before,
    and I hope they become a bit more aware of security issues,” Dan
    Egerstad says.

    Computer Sweden has contacted both the Russian and Indian embassies in
    Stockholm for comment. The Russian embassy confirmed the leaks and says
    that logins have now been changed. The Indian embassy declined to
    confirm the information or to give comment.

    Computer Sweden has not published where the login details can be found.
    The information in this story has been verified by Computer Sweden
    without using any of the published login details.

    Computer Sweden is an InfoWorld affiliate.


    Tags: government hack, government security breach, hack attack, Iran, Nepal, Rusia, Security Breach, Stockholm, Sweden


    Oct 16 2009

    Web Services and Security

    Category: Cloud computing, Information Security | DISC @ 4:01 pm

    Cloud Security and Privacy

    Because there is a financial incentive, malicious software threats are real, and attackers are using the web to gain access to corporate data. Targeted malware is used to steal intellectual property and other confidential data, which is then sold on the black market for financial gain. With the use of social media in the corporate arena, organizations need a web services use policy to ensure employees use the internet for business and comply with company web use policies. An effective web use policy makes business sense, and implementing it efficiently is not only due diligence but also assists with compliance. After implementation, the key to the success of a web use policy is monitoring its effectiveness on a regular basis.


    Hosted web security services operate at the internet level, intercepting viruses, spyware and other threats before they get anywhere near your network. These days, once malicious software has infected your gateway node the attacker is home free and it is basically game over. One way to fight this is to use hosted web security services, which are transparent to users and stop malware before it reaches the corporate network.

    Things to look for in hosted web security services are protection, control, security, recovery and multilayer protection:

    Protection for your corporation through anti-virus, anti-spam and anti-spyware
    Content control of images, URL filtering and enterprise instant messaging; every web request is checked against the policy
    Secure email with encryption
    Archived email for recovery
    Multilayer protection against known and unknown threats, including protection for mobile users

    Web Security Anti-Virus, Anti-Spyware – stops web-borne spyware and viruses before they infiltrate your network, protecting your business from information theft and costly diminished network performance.

    Web Filtering – enables you to block access to unwanted websites by URL, allowing you to control Internet use and enforce acceptable Internet usage policies.


    Download a free guide for the following hosted solutions

    Hosted email solution
    Hosted email archiving
    Hosted web monitoring
    Hosted online backup

    Tags: archive email, boundary encryption, content control, email archiving, email solution, image control, Malicious Software, Malware, multilayer protection, online backup, Spyware, url filtering, web filtering, web monitoring, wen security


    Oct 15 2009

    eDiscovery and planning

    Category: eDiscovery | DISC @ 7:47 pm

    eDiscovery Plain & Simple: A Plain English Crash Course in e-Discovery

    Electronic discovery (also called e-discovery or eDiscovery) refers to the processes in which electronic data is sought, located, secured and searched with the intent of using it as evidence in a civil or criminal legal case. eDiscovery can be carried out offline on a particular computer or it can be done on a network. Examples of electronic documents and data subject to e-discovery are e-mails, voicemails, instant messages, e-calendars, audio files, data on handheld devices, animation, metadata, graphics, photographs, spreadsheets, websites, drawings and other types of digital data.

    Steps to practical eDiscovery planning:

    Cross functionality:
    Assembling a cross-disciplinary team (legal, compliance, IT etc.) is one of the most important steps toward effective eDiscovery planning. Every step in the eDiscovery process should be documented and tested on a regular basis. eDiscovery should have enough resources; in a small company you may have to bring people together on an ad-hoc basis, and there should be a single point of contact for eDiscovery. The team lead for eDiscovery should be a neutral person rather than someone with a particular bias toward IT, Compliance or Legal. Legal has to lead the charge for eDiscovery and then delegate what to preserve and how to maintain the data, since the legal team has a better understanding of legal implications such as a legal hold (a legal hold is a process which an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated). An eDiscovery steering committee with legal involved will also help you address compliance issues like HIPAA, PCI and SOX. Vendors need to be involved in the eDiscovery process early as well.

    Plan the eDiscovery policy before the data is generated, to decide things like whether digital signatures or trusted time stamps will be used. The eDiscovery policy should be consistent and repeatable and should be tested by internal audit on a regular basis. Establish simple, reasonable and repeatable policies.

    With respect to eDiscovery, the key is to manage the largest risk, namely the risk of being held responsible for deleting information in a bad-faith effort to destroy evidence (which is called spoliation).

    Document retention:
    Classify the records which need to be moved to records management systems, to decide what you are retaining and for how long. Courts are now looking into a company’s internal processes to verify whether it has a documented retention policy and has implemented it properly. By implementing document management systems you know where your data is, and DLM can be used to limit the scope of eDiscovery data.

    eDiscovery training:
    Personnel should be trained on how to testify in court.

    eDiscovery cost:
    The real cost comes in during the analysis of the data; technology can be used to streamline that cost. The cost of the analysis will be higher if outside vendors, including attorneys, are used. Have a process in place to analyze the data in-house under the supervision of legal counsel.

    Continuous improvement:
    Conduct regular reviews, audits and training to refine the process. Apply effective technology to automate the process and lower the cost when you can.



    Download a free guide for the following solutions

    Hosted email archiving
    Hosted online backup

    Tags: e-discovery, eDiscovery, ediscovery course, electronic discovery, plain ediscovery, simple ediscovery


    Oct 08 2009

    Security Controls and Principles

    Category: Information Security | DISC @ 3:08 pm


    Principles of Information Security

    For security controls to be effective, apply the pillars of information security:

    –Principle of least privilege
    –Separation of duties
    –Economy of mechanism
    –Complete mediation
    –Open design

    Least Privilege
    • “Need to Know”
    • Default deny – essentially, don’t permit any more to occur than is required to meet business or functional objectives
    • Anything extra introduces risk

    Separation of Duties
    • The idea is that we don’t want to give any one individual so much power that they could take dangerous actions without any checks and balances in place.
    • You trust them with their job responsibilities, but they should be accountable for their actions, which is only possible when you measure or monitor their performance.

    Economy of Mechanism
    • Complexity is an enemy of security; it’s much more difficult to create a simple mechanism and keep it that way.
    • The more complexity added to a system, the more chance for error or flaw.

    Complete Mediation
    • The control cannot be bypassed (e.g. the organization’s firewall, by creating a backdoor)
    • This principle says no unofficial backdoors (no disabling the anti-virus software)

    Open Design
    • The security of a system must not be based on the obscurity of the mechanism
    • Proprietary software is not tested properly and sometimes includes an undisclosed back door (ballot counting software)


    [TABLE=9]

    Tags: Complete mediation, Economy of mechanism, open design, Principle of least privilege, security controls, security principles, Separation of duties


    Oct 01 2009

    Sophisticated phishing attack and countermeasures

    Category: Cybercrime, Email Security, Identity Theft | DISC @ 12:36 am


    Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft

    Phishing is the practice of luring unsuspecting Internet users to a fake Web site by using an authentic-looking email carrying the real organization’s logo, in an attempt to steal passwords and financial or personal information. In daily life people advise you to retrace your steps when you lose something. The question is how you retrace your steps in cyberspace, where some uber hackers know how to erase their footprints to avoid detection. It is difficult to find phishers in cyberspace, and jurisdictional issues make it even harder to prosecute them. Then there is the issue of trust: phishers dupe people into believing that their web site is not fraudulent in order to collect personal and financial information.

    Below is an example of a sophisticated phishing attack:
    Link to phishing email

    It looks very legit, with all the correct data, logos, graphics and signatures.

    One giveaway: the TSA rule change has nothing to do with rental cars. It only affects your airline ticket vs your photo ID (drivers license, passport, whatever.)

    To verify that this is bad stuff, right click on the links. You get “http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h”, which looks OK on first glance, since it says “avis.com”. But myAvis should not send me to “click.avis.com”. I also noticed that all the other links send you to the same location.

    The clincher (here comes the geeky stuff:)

    To open a terminal window, press the “Windows key” and the letter “R”.

    You will see the “Run Dialog Box”. Type “cmd”, and press “OK”.

    Open a terminal window and run nslookup:

    C:\> nslookup
    > www.avis.com                <<< check IP address of the real AVIS web site
    Server: 4.2.2.3
    Address: 4.2.2.3#53
    Non-authoritative answer:
    www.avis.com canonical name = www.avis.com.edgekey.net.
    www.avis.com.edgekey.net canonical name = e2088.c.akamaiedge.net.
    Name: e2088.c.akamaiedge.net
    Address: 96.6.248.168         <<< get IP address of the real AVIS web site
    > click.avis.com              <<< now check IP address of the bogus AVIS web site
    Server: 4.2.2.3
    Address: 4.2.2.3#53
    Non-authoritative answer:
    click.avis.com canonical name = avis.ed10.net.
    Name: avis.ed10.net           <<< not the same domain as the real AVIS domain
    Address: 208.94.20.19         <<< note IP address is in a totally different sub net
    > 208.94.20.19                <<< now do a reverse lookup of the fake AVIS web site
    Server: 4.2.2.3
    Address: 4.2.2.3#53
    ** server can't find 19.20.94.208.in-addr.arpa.: NXDOMAIN   <<< it should give you the web site name
    > avis.ed10.net               <<< bogus AVIS web site name
    Server: 4.2.2.3
    Address: 4.2.2.3#53
    Non-authoritative answer:
    Name: avis.ed10.net
    Address: 208.94.20.19
    > 208.94.20.19

    Moral of the story: be very careful with links in emails and web pages. To check the authenticity of the link, right click on the link, copy that to a text file and take a good look.
    Don’t click on the phisher’s email. Type the URL into the web browser yourself.
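As an added example (not the post’s or Avis’s own tooling), the checks from the nslookup session above turned into a small offline triage script for links in a message: the DNS answers from the session are embedded as constructed data in place of live lookups, the registrable-domain logic is a simplification that ignores the public suffix list, and the /24 comparison mirrors the post’s “different sub net” observation rather than any formal rule.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed DNS data, transcribed from the nslookup session in the post.
# It stands in for live lookups so the check runs offline; swap in a real
# resolver (socket.gethostbyname, dnspython, ...) for production use.
CNAMES = {
    "www.avis.com": "www.avis.com.edgekey.net",
    "www.avis.com.edgekey.net": "e2088.c.akamaiedge.net",
    "click.avis.com": "avis.ed10.net",
}
ADDRESSES = {
    "e2088.c.akamaiedge.net": "96.6.248.168",
    "avis.ed10.net": "208.94.20.19",
}
# Reverse lookups: None records the NXDOMAIN the post shows for 208.94.20.19.
# The real site's PTR is not shown in the post, so it is left unknown.
PTRS = {"208.94.20.19": None}

# Constructed (hypothetical) message body carrying the link quoted in the post
# twice, as the post notes that every link pointed at the same place.
SAMPLE_EMAIL = """\
Dear myAvis member,
Because of the TSA rule change, please review your reservation:
http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h
Update your profile: http://click.avis.com/r/GDYHH9/16HY8/6V5I29/M93XX4/YCCJP/A5/h
"""


def registrable_domain(host):
    """Last two labels of a host name ('avis.ed10.net' -> 'ed10.net').
    Simplification: a real check would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def canonical_name(host, cnames=CNAMES):
    """Follow the CNAME chain the way nslookup does, guarding against loops."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host


def extract_hosts(text):
    """Host names of every http(s) link in a message body (sorted, unique)."""
    return sorted({urlparse(u).hostname for u in re.findall(r"https?://\S+", text)})


def assess_link(link_host, trusted_host, cnames=CNAMES, addrs=ADDRESSES, ptrs=PTRS):
    """Replay the post's checks for one link host against the site you know:
    CNAME target, address block and reverse DNS. Returns the findings."""
    link_cn = canonical_name(link_host, cnames)
    trust_cn = canonical_name(trusted_host, cnames)
    link_ip, trust_ip = addrs.get(link_cn), addrs.get(trust_cn)
    # CDN fronting puts the real site's CNAME outside the brand domain too
    # (www.avis.com -> akamaiedge.net), so accept both domains as expected.
    expected = {registrable_domain(trusted_host), registrable_domain(trust_cn)}
    flags = []
    if link_host != trusted_host and registrable_domain(link_host) == registrable_domain(trusted_host):
        flags.append("link uses brand subdomain %s rather than the known site %s" % (link_host, trusted_host))
    if registrable_domain(link_cn) not in expected:
        flags.append("canonical name %s is outside %s" % (link_cn, " / ".join(sorted(expected))))
    if link_ip and trust_ip:
        link_net = ipaddress.ip_network(link_ip + "/24", strict=False)
        trust_net = ipaddress.ip_network(trust_ip + "/24", strict=False)
        if link_net != trust_net:
            flags.append("address %s sits in %s, not the known site's block" % (link_ip, link_net))
    if link_ip in ptrs and ptrs[link_ip] is None:
        flags.append("no reverse DNS for %s" % link_ip)
    # No single signal is decisive (tracking and CDN hosts trip some of them),
    # so two or more together mark the link for a human look before any click.
    return {"host": link_host, "canonical": link_cn, "address": link_ip,
            "flags": flags, "suspicious": len(flags) >= 2}


def triage(email_text, trusted_host):
    """Run assess_link over every link host found in a message body."""
    return {h: assess_link(h, trusted_host) for h in extract_hosts(email_text)}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EMAIL, "www.avis.com").items():
        print(host, "SUSPICIOUS" if result["suspicious"] else "ok")
        for flag in result["flags"]:
            print("  -", flag)
```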

    ——————————————————————————————————————————–
    In the table below are the 12 threats to your online identity which can be manipulated in phishing scams, and possible countermeasures to protect your personal and financial information. Some of these threats arise from inadequate or no security controls being in place. The last row of the table is a monitoring control to identify the warning signs of identity theft.
    ——————————————————————————————————————————–
    [TABLE=7]



    Download a free guide for the following cloud computing solutions

    Hosted email solution
    Hosted email archiving
    Hosted web monitoring
    Hosted online backup

    Tags: email archiving, Email Security, Identity Theft, online backup, phishing, phishing countermeasures, phishing threats, web security


    Sep 21 2009

    Due Diligence, and Security Assessments

    Category: Information Security, Security Risk Assessment | DISC @ 9:21 pm


    Fighting Computer Crime: A New Framework for Protecting Information

    Risk assessment demands due diligence, which makes business sense and supports the organization’s mission. Due care is also about applying the specific control that counts. In information security, due diligence means a complete and comprehensive effort is made to avoid a security breach which could cause detrimental effects, and to identify the various threats that may be exploited for a possible security breach.

    Donn Parker defines due care as the “use of reasonable safeguards based on the practices of similar organizations.”

    Fred Cohen states that “due diligence is met by virtue of compliance review.”

    Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
    (FIPS 200, Section 3, Minimum Security Requirements)



    Tags: donn parker, due care, due diligence, Fred Cohen, security controls


    Sep 10 2009

    Way beyond the edge and de-perimeterization

    Category: Cloud computing, Information Security | DISC @ 2:59 pm

    How a firewall works (image by pittigliani2005 via Flickr)

    The term de-perimeterization has been around for almost a decade, and the industry is finally taking it seriously because of the popularity of virtualization and cloud computing. Is it time for businesses to embrace de-perimeterization?

    De-perimeterization is a double-edged sword for the industry: it creates scalable options for operations and huge challenges for safeguarding the assets beyond the edge. One of the major advantages of de-perimeterization is that users can access corporate information over the internet; in this situation users can access corporate data from anywhere, and it is hard to draw the line where the edge begins and where it ends. All you basically need is a functional laptop with an internet connection. On the other hand, de-perimeterization poses a great challenge due to the possibility of viruses, spyware and worms spreading into your internal protected infrastructure.

    In a de-perimeterized environment, security attributes shall follow the data wherever the data may go or reside.

    A security architecture in which the firewall was considered a very effective perimeter defense has been weakened by virtualization and cloud computing. In the early days of firewall defense, an organization only needed to open a few necessary protocols and ports to do business. Internet-accessible systems were located on the DMZ and communication was initiated from the corporate network to the internet. Now there is a whole slew of protocols and ports which need to be open to communicate with applications in the cloud. As corporate applications move out of the organization’s network into the cloud, the effectiveness of the firewall diminishes.

    Defense in depth is required for additional protection of data because, as new threats emerge, the firewall cannot be used as the only layer of security. The key to the security of de-perimeterization is to push security into each layer of the infrastructure, including application and data. Data is protected at every layer to ensure confidentiality, integrity and availability (CIA). Various techniques can be utilized for safeguarding data, including data-level authentication. The idea of data-level authentication is that data is encrypted with specific privileges; when the data moves, those privileges move with the data.


    Endpoint security is relevant in today’s business environment, especially for laptops and mobile devices. Agents on laptops and mobile devices use pull/push techniques to enforce the relevant security policies. Different policies are applied depending on the location of the laptop, where the security policy determines which resources are available and what data needs to be encrypted depending on the location of the device.

    When corporate applications and important data reside in the cloud, the SLA should be written to protect the availability of the application and the confidentiality of the data. Organizations should do their own business continuity planning so they are not totally dependent on the cloud service provider; for example, back up your important data or utilize remote backup services where all stored data is encrypted.


    Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance


    Download a free guide for following cloud computing applications

    Hosted email solution
    Hosted email archiving
    Hosted web monitoring
    Hosted online backup



    Tags: business continuity, Cloud computing, cloud computing article, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing security, cloud computing services, cloud security, cloud services, de-perimeterizations, DMZ, iso assessment


    Sep 01 2009

    Audit of security control and scoping

    Category: Risk Assessment, Security Compliance | DISC @ 3:53 pm


    Information Technology Control and Audit

    An audit is used as a tool to check the compliance of controls against standards such as ISO 27002 or NIST 800-53. Some other terms, which are not always as rigorous as an audit, have been used for assessing controls: gap analysis, benchmarking and control review.

    Scoping sets the boundaries of the audit, where dependencies are marked and exclusions are sorted out.

    The consultant/team lead that has a thorough understanding of security risk management ought to carry out these reviews. The quality of the work depends on correct scoping, fieldwork assignment, and appropriately reporting the findings to management.

    The team lead should have a clear understanding of the audit scope before the initial briefing to the client: basically, what exactly the client wants and who the target audiences are for the final report and presentation. A clear understanding of the scope includes knowing whether the whole organization is included in the audit or just part of it. Before starting an audit, the auditor should have a complete list of the assets included in the scope. Sort the asset list into different infrastructure groups which can be handed over to technical consultants for validation of the controls. At this point the team lead should point out to the technical consultants the minimum number of assets which are required to be validated to satisfy the sampling requirement.

    The scope of the final report/presentation should be clear regarding the list of non-compliance items and the prioritized recommendations or action plans which need to be included in the report. During the presentation of the findings, and to keep C-level folks interested, the presenter needs to relate the findings to business risk and avoid using security acronyms.

    Scoping will take into account the length of time available for fieldwork, analysis and reporting, and the size and competence of the team needed to perform a successful audit. Especially if limited time is available for fieldwork, the competence of the team matters in order to cover the various infrastructure and to validate and document the controls effectively.


    Tags: assessment profile, assessment scope, iso 27002, NIST 800-53, security audit, security control, security review, Security Risk Assessment


    Aug 24 2009

    Vulnerability management and regulatory compliance

    Category: Security Compliance | DISC @ 8:09 pm


    Information security requirements are growing for the financial, healthcare and government sectors. In particular, the new ARRA and HITECH provisions for HIPAA mandate compliance for business providers/vendors.
    Business owners have seen a growing number of government and industry-specific regulations for protecting the confidentiality, integrity and availability of data from an ever-growing threat landscape. Now most regulatory compliance has some teeth: organizations which do not fully comply shall face serious penalties, which include but are not limited to fines and civil and criminal penalties.

    Those days are gone when manual vulnerability management used to suffice to satisfy the auditors. Vulnerability management can assist management with operational compliance. Most vulnerability management tools organize vulnerabilities by severity level. Severity level is determined by business impact and by how easily an attacker can exploit the vulnerability. Remediation can be prioritized based on asset categorization. Asset categorization is based on a company scale (L, M, H) which is associated with the overall business impact of an asset to the company.
    The best way to automate vulnerability management is to use software as a service (SaaS). The SaaS vendor runs its application on secure servers (web, database), which users operate with a web browser over a secure SSL connection. The SaaS provider handles all the maintenance of the SaaS infrastructure. The organization’s security staff can then spend most of their time on remediation rather than running manual vulnerability management. Automated vulnerability management shows ongoing compliance with standards and regulations and provides documentation for audits.



    Tags: Security, Security Scanners, vulnerability


    Aug 18 2009

    Control selection and cost savings

    Category: Security Risk Assessment | DISC @ 3:53 pm


    Information Security Risk Analysis

    In risk management, the risk treatment process begins after completion of a comprehensive risk assessment.
    Once risks have been assessed, the risk manager utilizes the following techniques to manage them:

    • Avoidance (eliminate)
    • Reduction (mitigate)
    • Transfer (outsource or insure)
    • Retention (accept and budget)

    Now the question is how to select an appropriate control to avoid or reduce risk. While selecting appropriate controls to mitigate and avoid risk, we need to consider compensating controls to cut cost and supplemental controls to increase protection for sensitive or classified assets.

    A compensating control is a safeguard or countermeasure employed by an organization in lieu of a recommended security control from a standard such as ISO 27002 or NIST 800-53. A compensating control provides protection for the information system equivalent or comparable to the original control requirement from the standard. For example, even though most standards recommend separation of duties, for a small operation it might be an unacceptable cost to separate the duties of system administration and system auditing. In that case the system owner can utilize compensating controls such as strengthening audit and personnel security.

    On the other hand, with a supplemental control the system owner may decide to supplement the control to achieve more protection for sensitive and classified assets. If there is a high likelihood, or the magnitude of impact is high, should a threat exploit a given vulnerability, you might want to consider a supplemental control because the overall risk is high. For example, you might want to utilize a defense in depth method to safeguard your crown jewels.

    Implementing and monitoring security controls can be expensive, and system owners are pressured by management to look for cost savings without any reduction in the security posture of the organization. The system owner can either inherit common controls or segment the system exposure to reduce cost and risk.
    Common controls are security controls which have been implemented by another information system and which your system can utilize. Basically, you work with another system owner who has already implemented some of the security controls that need to be implemented in your system. For example, utilize the corporate office baseline hardening configuration for Windows and Unix systems instead of developing your own. This will significantly reduce the cost of developing, testing and maintaining a secure baseline configuration.

    The best and cheapest method of cost reduction is to segment the information system into multiple systems, which adds different layers and levels of security to each system. Basically, you put your crown jewels behind multiple layers of security: if one control breaks, there is another control in place to monitor and protect your assets. This allows the system owner to focus on implementing higher security controls for the segment with the most sensitive or classified information instead of the entire system.



    Tags: common control, iso 27002, iso assessment, ISO audit, NIST 800-53, NIST audit, risk analysis, Risk Assessment, Risk management


    Aug 10 2009

    Managing Risks and NIST 800-53

    Category: Security Risk Assessment | DISC @ 5:48 pm


    FISMA Certification & Accreditation Handbook

    Organizations need to establish a security program to manage their day-to-day risks. Before selecting controls from a standard (such as NIST 800-53 or ISO 27002), organizations need to have a complete inventory of the assets involved in the scope. The assets in scope require a comprehensive risk assessment to determine their sensitivity/criticality. The categorization of these assets determines the appropriate control from the standard to mitigate the relevant risk. In some cases supplemental controls may be required.

    Management of risk addresses the risks to the organization arising from the operation of an information system or information security management system. Risk management is an effective framework for selecting appropriate security controls for an information system, and it assists in selecting the appropriate security controls to protect assets.

    Both ISO and NIST standards follow a similar path in control selection. NIST 800-53 has 163 high-level controls and 154 medium-level controls, which have around 95% mapping to ISO 27002, which has 133 controls. While NIST SP 800-53 is required for federal (unclassified) information systems, NIST encourages its use in the commercial space. Commercial organizations can utilize the NIST standard to create their security program, which will provide a road map for their security strategy and assist in making informed decisions for securing their information assets.

    The management of day-to-day risks is a key element of an organization’s information security program, and both NIST and ISO provide an effective framework for selecting and managing the appropriate security controls for an information system. ISO utilizes the PDCA (Plan, Do, Check, Act) Deming model for selecting the appropriate security controls and managing its information security management system. NIST, on the other hand, utilizes a similar framework for selecting and managing appropriate controls for an information system, called the risk management framework security life cycle. A copy of the NIST risk management framework security life cycle is shown below; it bears an eerie resemblance to the PDCA model.

    nist_rmf1

    Around 80% of critical infrastructure resides in the private sector, which is required to be protected by various regulations. Both NIST and ISO can be utilized to protect assets; however, in some cases one standard might fit better in your environment than the other, or perhaps you are able to manage one standard better than the other. Both standards require the information system to be audited or reviewed by authorized organizations to achieve the appropriate certifications.


    Tags: iso 27001, iso 27002, NIST 800-53, PDCA, Risk management

