Jul 28 2009

PCI DSS Law and State of Nevada

Category: Information Security, pci dss | DISC @ 12:09 am

45 states followed California after it introduced SB1386, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

Just as with the SB1386 law, California, Massachusetts and Texas are already looking at making PCI DSS law, and history tells us that when California moves, everyone else follows!

From 1 January 2010, ALL businesses that collect or transmit payment card information will be legally obliged, under Nevada law, to comply with PCI DSS.

This affects not only Nevada-based organisations; it affects EVERY organisation that collects or transmits payment card information about any person who lives in Nevada.

Where One leads – others WILL follow!


Tags: california, Credit card, Nevada, Payment card, pci dss, privacy, Security, Texas


Jul 16 2009

Common Information Security lapses

Category: Information Security | DISC @ 4:36 pm

User Security

  • Opening email attachments with integrated email clients
  • Not updating client software
  • Downloading untrusted software
  • Not creating or testing backups
  • Using a wireless router connected inside the LAN

Strategic Security

  • Not providing training to security personnel
  • Only addressing physical security, neglecting data security
  • Not validating security fixes
  • Relying on the firewall for all security needs
  • Not evaluating the impact of a security breach on reputation and data
  • Not implementing long-term security decisions, relying on hot fixes to put out fires
  • Not addressing issues, neglecting security as policy

Operational Security

  • Not hardening internet-connected hosts
  • Connecting test systems to the internet
  • Not updating systems on a regular and emergency basis
  • Using unencrypted protocols for management and reporting
  • Choosing bad default user passwords, changing passwords in an insecure manner, or notifying users in insecure manners
  • Not testing or maintaining backups, not understanding the intricacies of backup software and procedures

Tags: Backup, Information Security, poor security, Security, security mistakes


Jul 08 2009

Cyber attacks on US Government websites

Category: Cybercrime | DISC @ 4:51 pm

The Associated Press (reported by Hyung-jin Kim, Wed Jul 8): “South Korean intelligence officials believe North Korea or pro-Pyongyang forces committed cyber attacks that paralyzed major South Korean and U.S. government Web sites, aides to two lawmakers said Wednesday.”

See the details at the link below:
Cyber attacks on South Korean and U.S. government Web sites

Information Warfare: How to Survive Cyber Attacks

Cyber Threat

Cyber Security

Tags: cyber attack, cyber attacks, cyber crime, cyber criminals, cyber security, cyber terrorism, cyber threats, Cyber-warfare, cybergeddon


Jul 07 2009

Cloud Computing Pros and Cons

Category: Cloud computing | DISC @ 6:19 pm

Cloud Application Architectures: Building Applications and Infrastructure in the Cloud

Cloud computing is the future of computing: it delivers common business applications online, run from a web browser, on virtual servers located across the internet. The basic idea behind cloud computing is access to applications and data from any location as long as you are connected to the internet. Cloud computing makes the laptop the most essential tool to get the job done.

For example, hosted email (SaaS) security provides safeguards at the internet level, eliminating spam and malware before they reach your internal network infrastructure. Hosted email provides centralized security with built-in redundancy, failover and business continuity, while easing network and security administration. In the hosted email software-as-a-service model the security controls are at work at the internet level. It's about time to expand the corporate perimeter beyond the firewall, and one of the major benefits of cloud computing is to give organizations the capability to implement security controls at the internet level and eliminate threats before they reach the internal network.

An online backup service is another example of software as a service (SaaS), which provides users with an online system for backing up and storing computer files.

Cloud computing incorporates several different types of computing, including:
  • software as a service (SaaS)
  • platform as a service (PaaS)
  • infrastructure as a service (IaaS)

It is a range of technologies that have come together to deliver scalable, tailored and virtualized IT resources and applications over the Internet.

Cloud computing has several benefits and potential risks which you may want to know about before signing a contract with a cloud vendor.



Cloud computing benefits

  • Users can avoid capital expenditure on hardware, software and other peripheral services, since they only pay a provider for the utilities they use;
  • Consumption is billed as a utility or subscription with little or no upfront cost;
  • Immediate access to a broad range of applications that may otherwise be out of reach, due to:
      • lower barriers to entry;
      • shared infrastructure, and therefore lower costs;
      • lower management overhead.
  • Users have the option to terminate a contract at any time, avoiding return-on-investment risk and uncertainty;
  • Greater flexibility and availability of ‘shared’ information, enabling collaboration from anywhere in the world with an internet connection.

Cloud computing associated risks

  • Cloud computing does not allow users to physically possess the storage of their data, which leaves responsibility for data storage and control in the hands of the provider;
  • Cloud computing could limit the freedom of users and make them dependent on the cloud computing provider;
  • Privileged user access: how do you control who has access to what information?
  • Security of sensitive and personal information lies with the vendor. How do you explain this to your customers when their data is compromised without sounding like you're ‘passing the buck’?
  • From a business continuity standpoint, can you rely on each vendor to have adequate resilience arrangements in place?
  • Long-term viability: ask what will happen to data if the company goes out of business; how will data be returned, and in what format?

The complexities of cloud computing will introduce new risks, and complexity is the enemy of security. Organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service, and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

Recommended books on cloud computing

Tags: Cloud computing, cloud computing article, cloud computing benefits, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing network, cloud computing platform, cloud computing risks, cloud computing security, cloud computing services, cloud computing solutions, cloud security, cloud services, Infrastructure as a service, Platform as a service



Jun 30 2009

Security controls and ISO 27002

Category: Information Security, ISO 27k | DISC @ 1:56 pm

Usually a security breach occurs due to a lack of basic security controls, or to controls that are no longer effective or relevant over time. Security controls also disintegrate over time due to lack of maintenance and monitoring.
According to a Privacy Rights Clearinghouse survey, the top three causes of breaches were laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most security breaches happen during a state of non-compliance. The most famous, the TJX security breach, happened in 2007; at the time of the breach TJX complied with only 3 out of 12 PCI DSS requirements.

Small organizations sometimes don't have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is not an excuse for not understanding which regulatory and standards requirements are relevant to your business, and for not having a clear security strategy which explains how to achieve compliance down the road. Your security strategy will also be evidence of your due diligence in securing your critical assets. On the other hand, big organizations have enough resources to implement security controls, but for whatever reason they often do not have a clear strategy for how to establish them.

Information security is not a one-time static process but an ongoing assessment of the risks in your business, where you need to understand your critical assets, the classification of those assets based on CIA, sensitive data and its access, policies, standards, procedures, training, security reviews and continuous monitoring.

One of the most popular baselines for security controls is the international standard ISO 27002, Code of Practice for Information Security Management. ISO 27002 has 11 security clauses and 133 high-level security controls which provide reasonable guidance for implementing an Information Security Management System (ISMS). Due to its broad scope, ISO 27002 is relevant to every industry and size of business.

An organization should have a baseline of security controls before barging into complying with PCI or HIPAA regulation. An ISO assessment will help you understand what controls are in place, assist you with your security strategy, and later become a measuring stick for your ISMS.

Ongoing compliance is achieved by monitoring the relevant controls, and it will depend on the quality of your information security management system (ISMS). An ISMS would include thorough monitoring, logging and reviewing of controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. An ISMS (based on ISO 27001) can certainly be of great value in managing the ongoing monitoring, maintenance and improvement cycle.
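As an added illustration of the automated monitoring process described above, the following Python is an example written for this page; it is not code from DISC or from the ISO 27001/27002 standards. It models a small control register in which every control carries a review period and a last-verified date, and it reports which controls have failed outright and which have simply gone stale because nobody re-checked them, which is how controls disintegrate over time. The control identifiers, descriptions, review periods and dates are constructed placeholders, not ISO 27002 clause numbers or real audit data.

```python
"""Control-drift monitor for an ISMS (added example, not the blog's own code).

Control IDs, review periods and dates below are constructed placeholders;
they are not ISO 27002 clause numbers or real audit data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Control:
    control_id: str          # placeholder identifier, e.g. "CTL-01"
    description: str         # what the control is supposed to ensure
    review_period_days: int  # how often its evidence must be re-verified
    last_verified: date      # when the evidence was last checked
    evidence_ok: bool        # result of that last check


def control_status(control: Control, today: date) -> str:
    """Classify one control as 'effective', 'failed' or 'stale'.

    'failed'    : the last verification found the control not working.
    'stale'     : it passed once, but the review period has elapsed, so
                  nobody currently knows whether it still works.
    'effective' : verified as working within its review period.
    """
    if not control.evidence_ok:
        return "failed"
    due = control.last_verified + timedelta(days=control.review_period_days)
    if today > due:
        return "stale"
    return "effective"


def compliance_report(controls, today: date) -> dict:
    """Return per-control status plus the list of controls needing action.

    The overall verdict is 'compliant' only when every control is effective:
    a stale control counts against compliance because the evidence behind it
    has expired, even though it has not yet been observed to fail.
    """
    statuses = {c.control_id: control_status(c, today) for c in controls}
    action_needed = sorted(cid for cid, s in statuses.items() if s != "effective")
    return {
        "controls": statuses,
        "action_needed": action_needed,
        "compliant": not action_needed,
    }


# Constructed sample register: four controls last checked at different times.
SAMPLE_CONTROLS = [
    Control("CTL-01", "Firewall rule base reviewed", 90, date(2009, 5, 1), True),
    Control("CTL-02", "Backup restore tested", 30, date(2009, 3, 15), True),
    Control("CTL-03", "Security patches applied", 30, date(2009, 6, 10), False),
    Control("CTL-04", "Log review performed", 7, date(2009, 6, 25), True),
]


if __name__ == "__main__":
    report = compliance_report(SAMPLE_CONTROLS, date(2009, 6, 30))
    for cid, status in report["controls"].items():
        print(f"{cid}: {status}")
    print("compliant:", report["compliant"], "action needed:", report["action_needed"])
```

Run against the constructed register on 30 June 2009, the report flags CTL-02 as stale (its last restore test is more than 30 days old) and CTL-03 as failed, so the overall verdict is non-compliant even though three of the four controls once passed. Scheduling this check to run daily is the simplest form of the continuous monitoring the post recommends.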

Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse


Jun 22 2009

Access to computers on sale

Category: Cybercrime | DISC @ 3:09 pm

Cybercrime

According to an SF Chronicle article by Deborah Gage (June 17, 2009, c1), a troublesome online network for buying and selling access to infected computers has been discovered by security researchers. The group is called GoldenCashWorld, and it sells access to infected computers online, such as web servers, mail servers, database servers and so on. The infected computers are used to send spam, launch SQL injection, XSS and buffer overflow attacks, and spread viruses and worms.

According to the article, this underground network already has access to more than 100,000 websites, and 40% of these compromised computers reside in the United States. This is a growing threat to individuals and business assets in the United States which should be taken seriously by the National Cyber Security Division.
GoldenCashWorld is a global underground ring, and it requires international law to crack this nut.

Online Secure Remote Backup solution
Online crime ring detected
Guide to Computer Forensics and Investigations

Cyber Crime Growing Global Threat
httpv://www.youtube.com/watch?v=ZHmFiueQm5A

Tags: buffer overflow, cyber crime, GoldenCashWorld, NCD, online infected computer, San Francisco Chronicle, Spam, SQL injection, xss


Jun 17 2009

Credit card authorization process weakness

Category: Information Security, pci dss | DISC @ 3:09 pm

Credit Repair Kit For Dummies (For Dummies (Business & Personal Finance))

Credit card authorization sequence:

1) Cardholder swipes the card at the merchant. A request is sent to the merchant's bank
2) Merchant's bank “asks” the processor to determine the cardholder's bank
3) Processing network finds the cardholder's bank and requests approval for the purchase
4) Cardholder's bank approves the purchase and generates an approval code
5) Processor sends the approval code to the merchant's bank
6) Merchant's bank sends the approval code to the merchant
7) Purchase is complete and the cardholder receives a receipt

“Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.”
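To make the quoted point concrete, here is an added Python model of the seven-step sequence above; it is an example written for this page, not code from the post or from any card network. Each party records which message fields it handled, so after one authorization you can list exactly which parties held the full account number, which is what "each step a potential opening" means in practice. The party names, the BIN routing table, the issuer key, the HMAC-based approval code and the card number (a well-known test number) are all constructed for illustration and do not describe a real processor's protocol; the receipt masking at step 7 is the usual first-six/last-four display masking.

```python
"""Trace of the seven-step card authorization flow (added example, not
code from the blog post). Party names, the routing table, the approval-code
scheme and the card number are all constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuthRequest:
    cardholder_name: str
    pan: str            # primary account number as read from the card
    amount_cents: int
    merchant_id: str


@dataclass
class HopTrace:
    """Records which party handled which fields at each step."""
    hops: list = field(default_factory=list)

    def record(self, step: int, party: str, message: dict) -> None:
        self.hops.append((step, party, sorted(message)))


# Constructed routing table: leading digits of the PAN -> issuing bank.
ISSUER_BY_BIN = {"411111": "cardholder_bank"}

# Placeholder issuer secret; in reality the issuer's key never leaves the issuer.
ISSUER_KEY = b"constructed-issuer-key"


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual receipt masking."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def issuer_approve(req: AuthRequest, trace: HopTrace) -> str:
    """Step 4: the cardholder's bank approves and generates an approval code.

    The code here is an HMAC over the transaction details truncated to six
    characters. Real issuers use their own schemes; this just makes the code
    depend on both the transaction and a key only the issuer holds.
    """
    trace.record(4, "cardholder_bank", vars(req))
    msg = f"{req.pan}|{req.amount_cents}|{req.merchant_id}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()[:6].upper()


def authorize(req: AuthRequest, trace: HopTrace) -> dict:
    """Run steps 1 to 7 and return the receipt the cardholder receives."""
    trace.record(1, "merchant", vars(req))          # card swiped, request sent
    trace.record(2, "merchant_bank", vars(req))     # acquirer asks the processor
    trace.record(3, "processor", vars(req))         # processor routes on the BIN
    issuer = ISSUER_BY_BIN.get(req.pan[:6])
    if issuer is None:
        raise ValueError("no issuer found for this card")
    code = issuer_approve(req, trace)                # step 4
    trace.record(5, "processor", {"approval_code": code})
    trace.record(6, "merchant_bank", {"approval_code": code})
    receipt = {                                      # step 7: masked PAN only
        "masked_pan": mask_pan(req.pan),
        "amount_cents": req.amount_cents,
        "approval_code": code,
    }
    trace.record(7, "cardholder", receipt)
    return receipt


def parties_holding_full_pan(trace: HopTrace) -> list:
    """Every party that handled the unmasked account number; each is a place
    where the data could be exposed, which is the post's point."""
    return sorted({party for _, party, fields in trace.hops if "pan" in fields})


# Constructed request using a well-known test card number, not a real account.
SAMPLE_REQUEST = AuthRequest("A. Cardholder", "4111111111111111", 4299, "MERCHANT-42")

if __name__ == "__main__":
    t = HopTrace()
    print(authorize(SAMPLE_REQUEST, t))
    print("full PAN handled by:", parties_holding_full_pan(t))
```

The trace shows four parties holding the full PAN (merchant, merchant's bank, processor, cardholder's bank) while the approval code alone travels back on steps 5 and 6 and the receipt carries only a masked number. That asymmetry is why PCI DSS concentrates on the forward path: every hop that stores or transmits the unmasked PAN is inside the compliance scope.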

Weak security enables credit card hacks

Credit Card Fraud Made Easy
httpv://www.youtube.com/watch?v=m5UE5fXRyKs

Tags: Credit card, credit card privacy, credit card secure, credit card security, credit card theft, secured card, visa card


Jun 10 2009

How ARRA and HITECH provisions affect HIPAA compliance

Category: hipaa | DISC @ 4:02 pm

HIPAA Plain and Simple

How ARRA and HITECH provisions will affect HIPAA compliance. We will highlight the changes to HIPAA due to these new provisions and discuss a possible solution for complying with the new HIPAA security and privacy requirements. The American Recovery and Reinvestment Act of 2009 (ARRA) was signed into law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA include important changes to the Health Insurance Portability & Accountability Act (HIPAA).

2/17/2010 applies to business associates: a Covered Entity (CE) can apply the HIPAA provisions to Business Associates (BA) through a business associate agreement. The HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.” With the change in the HITECH privacy provisions of ARRA, the business associate now has direct responsibility and liability for a breach. CEs should revise their business associate contracts to reflect the changes before the deadline.

Civil action & penalties: the State Attorney General can prosecute neglect, and individuals can receive monetary compensation. HIPAA now has teeth, with monetary, civil and criminal prosecution.

Breach notification: notification to the individual, HHS and the media. Notification becomes more formal if more than 500 residents are affected; use appropriate public media for cases involving more than 500 individuals. A breach requires notification, which is triggered by an incident involving “unsecured protected health information”.

Accounting for disclosure: the CE is accountable for its BA's disclosure of Protected Health Information (PHI).

Sale of Protected Health Information: CEs and BAs cannot receive payment in exchange for PHI without the individual's authorization. CEs and BAs are required to tell patients about disclosure of PHI for payment, treatment and administrative operations.

HIPAA compliance and how to manage your risks to healthcare assets:

HIPAA requires CEs to have appropriate administrative, technical and physical safeguards to protect the privacy of health information. However, HIPAA does not provide specific guidance as to what measures and controls will be appropriate.

ISO 27001 provides the basis to build an Information Security Management System (ISMS), where an organization can develop its own ISMS by applying controls from the ISO 27002 code of practice. Only those controls apply which relate to its business objectives and the potential risks to the business. One document required to build an ISMS is the Statement of Applicability (SoA), which explains why each of the 133 controls from ISO 27002 is included in the SoA, with justification for the remaining controls which are not included. You can build an ISMS suited to your HIPAA needs: a healthcare organization could use its ISMS to ensure that the controls required by the HIPAA security standards were selected from ISO 27002 and appropriately implemented. Certifying your ISMS (ISO 27001) provides ongoing assurance to HHS and healthcare business associates, which can provide an edge in this downturn economy and more opportunities to enhance business worldwide.

5 HIPAA Rules Regarding Text Messaging

Resources:
CMS audit checklist
NIST guide for implementing HIPAA

Tags: American Recovery and Reinvestment Act of 2009, arra, Health Insurance Portability and Accountability Act, hipaa, hipaa laws, hipaa privacy, hipaa security, hippa compliance, hitech, Protected Health Information


Jun 04 2009

Virtualization and compliance

Category: Cloud computing, Virtualization | DISC @ 1:04 am


The core technology utilized in cloud computing is virtualization. Organizations that may not want to jump into cloud computing because of its inherent risks can take a shot at virtualization in their own data centers. Virtualization can be utilized to reduce hardware cost and utility cost. An organization that has 100 servers can consolidate them into 10, where each physical machine supports 10 virtual systems; this will not only reduce the size of the data center but also hardware cost, with huge utility bill savings.

Virtualization was originally utilized to increase efficiency and cost savings, and it is now turning into a centralized management initiative for many organizations. With centralized management, patches, virus and spam filters and new policies can be pushed to endpoints from a central management console. Policies can be utilized to impose lockout periods, USB filtering and backup routines, and they can take effect immediately or the next time the user checks in with the server.

The way virtualization works is that the OS sits on an open source hypervisor which provides 100% hardware abstraction, so drivers become irrelevant. With the OS image backed up at the management console, virtualization technology allows seamless failover and high availability for desktops and servers.

As I mentioned earlier, virtualization allows enforcing policies on endpoints (desktops). As we know, compliance drives the security agenda. If these policies are granular enough to be mapped to existing regulations and standards (SOX, PCI and HIPAA), then a virtualization solution can be utilized to implement compliance controls on endpoints. It is quite alright if the mapping is not 100%; that is where compensating controls come into play. Compliance with these various regulations and standards is not a one-time process. As a matter of fact, standards and regulations change over time due to different threats and requirements. True security requires nonstop assessment, remediation and policy changes as needed.

Tags: Cloud computing, Data center, Health Insurance Portability and Accountability Act, hipaa, Hypervisor, Open source, PCI, Security, sox, Virtualization


May 28 2009

PCI compliance is essential and why you have to

Category: pci dss | DISC @ 3:18 pm


During this downturn economy, organized cybercrime is a booming underground business. Most security experts and the FBI agree that cybercrime is on the rise and poses the biggest threat to vital US infrastructure. Cybercriminals are thieves in cyberspace who will swipe sensitive data and sell it to other criminals in their community, who might turn around and ask for a ransom to keep the data private, or perhaps resell it to the highest bidder on the black market. The risk of getting caught is minimized by legal jurisdiction and outweighed by huge monetary gains. Motivated by potential gains, cybercriminals are determined to exploit the vulnerabilities of a target-rich environment. Another aspect of this problem is that our personal and private information has the potential to be exploited at various locations such as banks, credit card companies, credit and debit card processors, credit report companies, merchants, etc.

Level 1, 2 and 3 merchants usually follow security best practice, allocate enough resources and try to maintain PCI compliance. On the other hand, level 4 merchants are usually not compliant and have security vulnerabilities which are easy pickings for cybercriminals, which is a primary reason why more security breaches happen to level 4 merchants. PCI was apparently created to safeguard credit card and debit card data. The PCI DSS standard is managed by the PCI Security Standards Council.

The most significant reason to comply with PCI is because you have to.

PCI DSS addresses baseline security for payment card infrastructure, and its ROI is a total cost of ownership. PCI DSS cannot guarantee absolute security, but making an organization adhere to due care security justifies its cost and use. As far as liability goes, a security breach will be very detrimental in a state of non-compliance, which will include fines, legal fees and possibly losing the ability to process credit cards. To motivate themselves, merchants should also remember that their customers' data is worth a lot of money to cybercriminals.

The trick is keeping the state of compliance: true security of cardholder data requires nonstop assessment and remediation to ensure that the likelihood and impact of a security breach are kept as low as possible. PCI compliance is not a project; it's an ongoing process of assessment. A PCI assessor uses a defined set of control objectives to assess the state of compliance. PCI provides the option of doing an internal assessment with an officer's sign-off.
Merchants should monitor and assess to keep compliance on an ongoing basis. Implement a defense-in-depth mechanism and apply security controls at every layer (network, application, operating system and data). The idea is to make the attacker's job hard enough that they move on to an easier target.

Check my previous posts regarding PCI DSS.
pci-dss-misconceptions-and-facts
pci-dss-significance-and-contractual-agreement

Vulnerability Scanner that scans your machine, reports back on vulnerabilities, and provides solutions to fix them

Recommended books to implement PCI DSS compliance process

Tags: Credit card, defense in depth, level 4 merchant, Merchant Services, pci dss, PCI Security Standard Council, roi, Security, Total cost of ownership


May 18 2009

Security breach and notification

Category: Security Breach | DISC @ 1:05 am


California was the first state in the nation to pass a data breach notification law, in 2003, and it is now planning to broaden notification requirements for companies doing business in the state. Notification will require specific information about the breach to be given to the consumer, with notices sent to the state authorities at the same time.

The notices which consumers currently receive are basically too little, too late: they might say that your information may have been compromised, and they may be released several months after the incident.

California's new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company which had a security breach be responsible for the cost of the notification?

The current notification does not tell you where and how your credit card information was compromised, so that you could at least stop shopping at that merchant. When consumers ask the credit card company's customer service representative specific questions about the breach, they deny any knowledge of it and say something along the lines of: when all the legal matters have been taken care of, the credit card company will send you a detailed letter about the breach.
Now, in the case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, that notice might have a “crying wolf” effect, and consumers might not take any action.

Last week a well-publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows a lack of monitoring controls and due care.
When a young college student affected by the breach receives a “may have been breached” notice, he or she will immediately worry about their credit and the possibility of identity theft. Now the question is why a student has to bear the burden of negligence by the merchant or campus and the lack of reasonable security safeguards. After a notice that private information “may have been compromised” is issued, the responsibility of keeping an eye on your credit is transferred to you. The problem is that some fraudulent transactions might not be noticed for at least a year.

Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley


May 06 2009

Rise of cybercrime and management responsibility

Category: Information Security, Information Warfare | DISC @ 5:08 pm

According to an SF Chronicle article by Deborah Gage (May 8, 2009, c2), Consumer Reports magazine's annual “State of the Net” survey finds that cybercrime has held steady since 2004, with one out of five consumers becoming victims in the last two years, at a cost to the economy of $8 billion. The Consumer Reports findings can be found at www.consumerreports.org

Uncertain economic times bring new threats and scams, and most security experts agree that there is a possibility of an increase in cybercrime this year. The survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.

First, why are all the signs showing an uptick in cybercrime, and second, what are we going to do about it?

Management should start considering security as a total cost of ownership instead of wasting time on what the ROI of information security is. If there is a security breach, somebody in management should be held accountable, not IT or security personnel. Management will keep demonstrating a lax attitude toward data protection and security in general unless there are serious consequences, like spending time in jail for lack of security controls (basic due diligence) and for not taking appropriate action on the risks that posed a significant threat to the organization.

PCI, HIPAA and SOX compliance are a good start in the right direction for management to take information security into consideration, but these compliance initiatives don't address the security of the whole organization. They address the security risks of a business unit in an organization. If management is really serious about security, then the ISO 27002 code of practice is one option which should be considered to address the security of the whole organization, and ultimately the organization should achieve ISO 27001 certification, which will build a comprehensive information security management system to manage ongoing risks.

Tags: Information Security, International Organization for Standardization, isms, iso 27001, iso 27002, Operating system, Policy, Security


Apr 28 2009

PCI DSS Misconceptions and Facts

Category: pci dss | DISC @ 7:13 pm


M1 – We are a relatively small company, so we don't have to worry about PCI compliance
F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

M2 – PCI DSS is either a regulation or a standard
F2 – It's neither a standard nor a regulation. It is a contractual agreement between the card associations, the merchant banks and merchants

M3 – We neither understand PCI nor have in-house expertise to address compliance
F3 – The PCI documents clarify most of the questions in business terms, but get help to interpret technical questions. Due care implies understanding your requirements to comply and protect your data

M4 – PCI has no ROI and is simply too much for a small business
F4 – PCI addresses baseline security for payment card infrastructure, and its ROI is a total cost of ownership

M5 – Why bother, when some companies get breached even though they were compliant
F5 – PCI DSS compliance is not a one-time process; it is an ongoing process to maintain it

M6 – PCI compliance cannot be that hard; all we have to do is fill out the questionnaires
F6 – Yes, but the questionnaire has to be validated through a scan. Vulnerabilities need to be resolved before submitting the report to the merchant bank

M7 – My application and POS equipment are PCI compliant
F7 – PCI DSS compliance applies to an organization, not to an application or a piece of equipment

M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not address CIA for the whole organization, only cardholder data security

M9 – A data breach will not affect business revenue
F9 – You become level 1 (cost of monitoring), lose card acquiring ability, and face forensic charges and fines

M10 – We don't need to scan PCI assets
F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

M11 – Merchants can use any application to transmit, process and store PCI data
F11 – Not really; beginning in 2010, merchants can only use payment applications validated under the Payment Application Data Security Standard (PA-DSS)

M12 – We have a compensating control in place, so we are covered
F12 – You still have to prove how well the compensating control covers the PCI requirement. Compensating controls are harder to do and cost more money in the long run

Documentation Compliance Toolkit

PCI Compliance

Practical guide to implementation (Soft Cover)

Practical guide to implementation (Download)

Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security


Apr 22 2009

RSA and cybersecurity

Category: Information Security | DISC @ 6:52 pm

This week I was in attendance, with thousands of people from all over the globe, at the RSA conference in the Moscone Center, San Francisco. The conference offers a variety of training tracks, and this year included two new tracks, physical security and governance, risk & compliance. Since the Novell CNE was one of my first professional certifications, I was glad to see Novell making some headway in the information security arena, especially with Deloitte promoting the Novell identity management solution at the conference.

Cloud computing is the buzzword for this year's conference. As far as virtual environment boundaries are concerned, it's hard to say where it starts and where it ends, which complicates matters, and the complexity of the cloud will introduce new threats and risks. With that in mind, cyber security appears to be worse than last year. Attendance might be a bit low this year due to budget cuts, but the conference floor was packed with vendors and enthusiastic audiences.

Most security experts understand that companies are cutting budgets and might be decreasing their investment in security. Having a proactive security strategy and spending the security dollars wisely is the key to the success of a business in this downturn economy. One thing to understand about information security: there is no ROI (return on investment) in security. ROI is a total cost of ownership.

Another concern at the conference is that threats and fraud go up during a downturn economy. Companies should have comprehensive policies to tackle insider threats from disgruntled employees who might be on the verge of getting laid off, to prevent them from stealing intellectual property.

There is an outstanding line of keynote speakers, like Melissa Hathaway, federal acting senior director for cyberspace, who has advised the current (Obama) administration. She will be discussing issues like how much the federal government should be involved in protecting critical assets like power grids. Conferences like RSA help security professionals to sharpen their skills and work in collaborative ways to successfully defend their organizations from attackers.

    RSA Conference 2009 Highlights
    httpv://www.youtube.com/watch?v=BAxAagvmu6w

    Tags: Cloud computing, Consultants, Information Security, Melissa Hathaway, Moscone Center, Obama, RSA Conference, San Francisco, Security


    Apr 15 2009

    Growing social networks and widening threats

    Category: Information Privacy, Malware | DISC @ 2:08 am

    Jump on the social media bandwagon
    Image by Matt Hamm via Flickr
    The worm targeted the social network Twitter with four attacks and created havoc for a couple of days. This worm self-replicated when clicked on, but did not steal the personal information of Twitter’s 6 million users.
    According to an SF Chronicle article by Michael Liedtke (Apr. 14 2009, C2), Twitter deleted 10,000 tweets after a worm made a squirm.

    “The worm was intended to promote a Twitter knock off, StalkDaily.com. It displayed unwanted messages on infected Twitter accounts, urging people to visit the website.”

    Even with all the resources of a big company, Twitter was unable to quarantine the worm, and the only way to get rid of it was to delete 10,000 Twitter messages, known as tweets. The growth of social networks is widening the threats and making them an inviting target for hackers and scam artists, with a treasure trove of personal information. People’s personal, and in some cases private, information is up for grabs unless we enact policy protections that allow legal action against these scam artists.

    How to clean Twitter worm “StalkDaily” aka “Mikeyy”

    Tags: facebook, San Francisco Chronicle, Social network, Twitter


    Apr 09 2009

    Social networks and revealing anonymous

    Category: Information Privacy | DISC @ 3:02 am

    Image representing Twitter as depicted in Crun...
    Image via CrunchBase

    Privacy is a fundamental human right and, in the US, a constitutional right. Advances in technology are breaking every barrier to our privacy; at this rate individuals will be stripped of their privacy unless we enact policy protections. In this situation we need to define reasonable privacy for society in general while keeping threats and public safety as a separate issue. Social networks are becoming a repository of sensitive information, and usually the data is anonymized by stripping names and addresses. Fake profiles have been created on social networks to stay anonymous, and a user may create multiple profiles with contradictory or fake information.

    Arvind Narayanan and Dr. Vitaly Shmatikov from the University of Texas at Austin developed an algorithm that maps the anonymized data back to names and addresses.

    The algorithm looks at the relationships between all the members of the social networks an individual has joined. The more heavily an anonymous individual is involved in social media, the easier it gets for the algorithm to determine that individual’s identity.

    One third of those who are on both Flickr and Twitter can be identified from the completely anonymized Twitter graph, which shows that anonymity alone is not enough to keep privacy on a social network. The idea of “de-anonymizing” social networks extends beyond Twitter and Flickr. It is equally applicable to other social networks where confidential and medical data can be exposed, such as medical records in healthcare.

    “If an unethical company were able to de-anonymize the graph using publicly available data, it could engage in abusive marketing aimed at specific individuals. Phishing and spamming also gain from social-network de-anonymization. Using detailed information about the victim gleaned from his or her de-anonymized social-network profile, a phisher or a spammer will be able to craft a highly individualized, believable message”

    Now, is it reasonable to say that the social network wears no clothes?
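    The point above, that link structure alone can single someone out, is easy to check before a "name-stripped" graph is released. The block below is an added example, not the authors' algorithm or code from their paper: it computes, for every node of a constructed toy friendship graph, how many other nodes share its purely structural fingerprint (degree, then neighbour degrees, refined `hops` times); an anonymity set of 1 means that node is unique and can be matched against any second, named graph with the same structure.

```python
"""Anonymity-set check for a name-stripped social graph (added example)."""
from collections import Counter, defaultdict

# Constructed toy edge list standing in for a friendship graph with names
# removed. Node ids are opaque integers; node 1 is a hub with four friends.
TOY_EDGES = [(1, 2), (1, 3), (1, 4), (1, 5), (2, 3), (4, 6), (5, 7), (6, 8), (7, 8)]


def build_adjacency(edges):
    """Undirected adjacency sets from an edge list."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def structural_colours(adj, hops=1):
    """Colour refinement: start from each node's degree, then `hops` times
    replace a node's colour with (own colour, sorted neighbour colours).
    Only link structure is used, never names, handles or profile text."""
    colour = {n: len(adj[n]) for n in adj}
    for _ in range(hops):
        colour = {n: (colour[n], tuple(sorted(colour[m] for m in adj[n])))
                  for n in adj}
    return colour


def anonymity_set_sizes(edges, hops=1):
    """Map each node to the number of nodes sharing its structural colour.
    A size of 1 means the node is unique in the graph and can be matched
    one-to-one against a named graph with the same structure."""
    adj = build_adjacency(edges)
    colour = structural_colours(adj, hops)
    counts = Counter(colour.values())
    return {n: counts[c] for n, c in colour.items()}


def uniquely_identifiable(edges, hops=1):
    """Sorted list of nodes whose anonymity set is 1 at the given depth."""
    return sorted(n for n, k in anonymity_set_sizes(edges, hops).items() if k == 1)


def reidentifiable_fraction(edges, hops=1):
    """Share of nodes that are structurally unique: the release-time risk figure."""
    sizes = anonymity_set_sizes(edges, hops)
    return len(uniquely_identifiable(edges, hops)) / len(sizes)


if __name__ == "__main__":
    for hops in (1, 2):
        print(f"hops={hops}: unique nodes {uniquely_identifiable(TOY_EDGES, hops)}, "
              f"fraction {reidentifiable_fraction(TOY_EDGES, hops):.2f}")
```

    With one hop only the hub (node 1) is unique; looking two hops out also isolates node 8, which mirrors the post's observation that the more connected a profile is, the easier it is to pin down.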

    Personally identifiable information
    California Senate Bill 1386 defines “personal information” as follows:
    • Social security number.
    • Driver’s license number or California Identification Card number.
    • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

    Names, addresses, email addresses and telephone numbers do not fall under the scope of SB 1386.

    HIPAA Privacy defines “individually identifiable health information” as information:
    1. That identifies the individual; or
    2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
    The term “reasonable basis” leaves the defining line open to interpretation by case law.

    Arvind Narayanan and Dr. Vitaly Shmatikov’s paper.


    Social network privacy video


    httpv://www.youtube.com/watch?v=X7gWEgHeXcA

    Tags: Anonymity, Flickr, Personally identifiable information, privacy, Security, Social network, Twitter, Vitaly Shmatikov


    Apr 02 2009

    Cloud computing and security

    Category: Cloud computing | DISC @ 5:55 pm

    Image: https://commons.wikimedia.org/wiki/File:Cloud_comp_architettura.png

    Cloud computing provides common business applications online that run from a web browser, served by virtual servers located across the internet. The main security and privacy concern for users is who has access to their data at the various cloud computing locations and what will happen if their data is exposed to an unauthorized user. Perhaps the bigger question is: can end users trust the service provider with their confidential and private data?

    “Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

    Three categories of cloud computing technologies:

    • Infrastructure as a Service (IaaS)
    • Platform as a Service (PaaS)
    • Software as a Service (SaaS)

    Cloud computing offers lots of new services, which increase the exposure and add new risk factors. Of course, the risk depends on application vulnerabilities, which end up exposing data, and on the cloud computing service provider’s transparent policies spelling out responsibilities, which will increase end-user trust. Cloud computing will eventually be used by criminals to achieve their objectives. Transparent policies will help to sort out legal compliance issues and to decide whether the responsibility for a security breach lies on the end user’s or the service provider’s shoulders.

    The complexities of cloud computing will introduce new risks, and complexity is the enemy of security. Organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service, and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

    Possible risks involved in cloud computing:
    • Complete data segregation
    • Complete mediation
    • Separation of duties
    • Regulatory compliance (SOX, HIPAA, NIST, PCI)
    • User access
    • Physical location of data
    • Availability of data
    • Recovery of data
    • Investigative & forensic support
    • Viability and longevity of the provider
    • Economy of mechanism

    Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services


    Mar 26 2009

    Conficker C worm and April fool

    Category: Malware | DISC @ 3:24 pm

    My creation! (APRIL FOOL)
    Image by david ian roberts via Flickr

    A worm like Conficker is a digital time bomb, hard coded to trigger on April 1 (April Fool’s Day). Antivirus companies are doing their best to minimize the impact of the Conficker worm. The first Conficker variant was introduced a few months back and has already caused a significant amount of damage to businesses. Conficker uses the MD6 hash algorithm, the first known case where this new algorithm has been used. Across the globe, there are about 15 million computers infected with the Conficker worm.

    “In computing, a worm is a self replicating virus that does not alter files but resides in active memory and duplicates itself”

    This happens to be the third variant of Conficker in the wild, named “Conficker C”, which poses a significant threat to businesses; security experts are still trying to figure out the potential impact of this worm. In the new variant, the worm has a tendency to morph into something else, which makes it harder for antivirus software to detect. What is known about this worm so far is that at a predefined time on April 1st the infected machine will execute the worm, which will later be exploited by the worm’s originator. The originator or controller of the worm will control the infected machines, and it is anybody’s guess right now what commands will be given to these zombies. It could be to steal private and personal information, send spam, launch a DDoS, or simply wipe the infected machine’s hard drive. Also, the bad guys don’t have to give the commands to the zombie machines on April 1st; it can be any time after April 1st.

    Possible countermeasures:
    • Keep up-to-date with patches (Microsoft MS08-067 security update)
    • Keep antivirus signature files up-to-date (latest DAT)
    • Disable Autorun
    • Try different antivirus software to verify, and take advantage of McAfee’s free online scan service
    • Free Sophos Conficker clean-up tool
    • Make sure your machine is not infected with “Conficker C”; then you don’t have to worry about April 1st

    Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of the conficker worm’s makers.

    httpv://www.youtube.com/watch?v=YqMt7aNBTq8

    Tags: Antivirus software, April Fools Day, conficker, Malicious Software, McAfee, Microsoft, Security, Viruses


    Mar 20 2009

    Web 2.0 and social media business risks

    Category: Web 2.0 | DISC @ 3:01 am

    A tag cloud with terms related to Web 2.

    Web 2.0 is a major force and has numerous business benefits, but it is exposing companies to potential new risks.
    Social networking sites, such as Facebook, LinkedIn and Twitter, have become the preferred method of communication for a whole generation of people, and the ability to post “Status Updates” is fast becoming the new email. LinkedIn is adding one user per second and Facebook has reached 150 million users in just five years.

    Some of the associated risks which organizations face as a result relate to phishing, harvesting of email addresses and, of course, the dangers of (relatively) simple social networking: not only can it be used to hack an employee’s present organization, but an organization can lose a departing employee and all their leads, because clients follow ‘their man/woman’ to the new job by tracing where they are through sites such as LinkedIn. Hackers can follow conversations on social media to identify a user’s problem or pain point and pretend to offer a solution, which happens to be malware that steals private and confidential data.

    And then, of course, there is the downside of staff using bandwidth and their work time for purposes other than those for which they are employed, possibly preventing others (due to bandwidth/processing restrictions) from doing what they should. Many of these sites openly encourage people to download video clips.

    The solution?
    Usually the controls in the ISO 27002 code of practice can be selected and applied in a manner that addresses the associated risks, through a combination of management and technical policies; but of course this should be the result of a risk assessment and should balance the three attributes of C, I and A (confidentiality, integrity and availability).

    For clear best practice guidance on how to tackle ‘Threat 2.0’, you should download
    Web 2.0: Trends, benefits and risks!

    This 112-page best practice report from IT Governance separates the hype from the tangible reality and provides:

    1. A workable description of what ‘Web 2.0’ is and what it means, within the business environment, complete with a glossary of Web 2.0 terms.
    2. A description of the business benefits to be derived from Web 2.0 technologies, with examples taken from real-life case studies.
    3. An identification and discussion of ‘Threat 2.0’ – the information security risks inherent in Web 2.0 technologies, together with latest best-practice recommendations for mitigation.

    During a financial crisis, when companies are cutting budgets, it is inevitable that information security will take some budget cut, but any drastic budget cut might not be wise. A major security breach might put the organization in an irrecoverable situation. In this tough economy security professionals have to do an extraordinary job of selling security to management and showing them how security due diligence can make the business safe, successful and compliant.

    Do you think the advantages of social media outweigh the potential risks?

    Tags: facebook, iso 27002, linkedin, Security, Social network, Social network service, Twitter, Video clip, Web 2.0