Jun 12 2013

Why you should care about your digital privacy?

Category: Information Privacy, Information Security | DISC @ 4:25 pm

(Image: infographic on how social media are being used, and how everything is changed by them. Photo credit: Wikipedia)

Surveillance Countermeasures

When we use an internet browser for a web search, a social media site, communication (Skype) or to buy something from a site, we leave digital tracks all over the internet. The providers of those services have access to this information because they collect this treasure trove to identify what you like and don’t like, so they can serve you appropriate ads and services accordingly. Most importantly, they want to know what you may buy or do next on the internet.

Well, now we know that our government is using that data from these providers as well, to figure out whether you may have ties with the bad elements out there. To elaborate a bit at this point: for example, if a bad guy calls you and leaves a message on your voice mail, you are presumed guilty by association, and you and your friends may come under heavy surveillance after this incident. So far all this collection and analysis of data has been done without your knowledge or permission.

As Mark Zuckerberg said, Facebook only provides information that is required by law. Well, in this case the law (PRISM) wants everything, without a warrant. By using social media we create a treasure trove of data which can be analyzed to find patterns, from which one may deduce what a person will do next. You may want to remember that the next time you post on social media.

Tags: Business, facebook, Internet Marketing, PRISM, Social media, Social network, Twitter, YouTube

Jan 24 2013

Controls against Mobile Code

Category: ISO 27k, Mobile Security | DISC @ 12:16 pm

ISO 27002 control A.10.4.2 of the standard requires that mobile code execution be restricted to an intended environment, in support of an authorized organizational mobile code policy.

What is mobile code? Let’s first start with a definition: ‘A program or code that can execute at remote locations without any modification; it can travel and execute from one machine to another on a network during its lifetime.’ Some of the computer languages used for mobile code include, but are not limited to, Java, JavaScript, ActiveX, VBScript, C++, C#, ASP.NET, macros and PostScript.

Mobile code can be used for anything from benign to very malicious activity, which basically depends on the coder’s intentions. Malicious activities may include collection of personal and private information or patient healthcare information, introducing Trojans and worms, and sometimes modifying or destroying information.

Different mobile code languages are used by coders to achieve various goals: most pop-ups are coded in JavaScript, and ActiveX is used for downloading apps and patches. Only if a coder/hacker is able to execute mobile code on an organization’s infrastructure (PC, router, switch, server, etc.) does it become possible to download or collect personal and private information, or for that matter to carry out any other malicious activity.

For example, if a window or frame hosted on one server tries to access the properties of a window or frame that contains a page from a different server, the browser’s policy comes into play and restricts that type of action from happening. The idea behind such restrictions is to prevent hackers from placing their pages inside the original page and extracting unauthorized information using code inside their pages written for that purpose.
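A small model of the browser restriction described above, added here as an example (it is not code from the original post): two windows or frames share an origin only when scheme, host and port all match, and a cross-origin property read is refused. The hostnames (bank.example, attacker.example) are constructed for the scenario.

```javascript
// Added example (not from the original post): a small model of the browser's
// same-origin policy described above. Two URLs share an origin only when scheme,
// host and port all match; a frame from one origin may not read another's properties.

// Canonical "scheme://host:port" string for a URL. URL.port is "" when the
// scheme's default port is in use, so the default is filled in explicitly
// (https://bank.example and https://bank.example:443 are the same origin).
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Simulates the check a browser performs when script running in the page at
// callerUrl tries to read `property` from a window or frame that loaded targetUrl.
function crossWindowAccess(callerUrl, targetUrl, property) {
  if (isSameOrigin(callerUrl, targetUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  return {
    allowed: false,
    reason: `blocked: ${originOf(callerUrl)} may not read ${property} of ${originOf(targetUrl)}`,
  };
}

// Constructed scenario (hypothetical hostnames): a page on attacker.example embeds
// the bank's page in a frame and tries to read its document; the bank's own page
// may read its own frames, but only over the same scheme and port.
const attempts = [
  crossWindowAccess("https://attacker.example/page", "https://bank.example/account", "document.cookie"),
  crossWindowAccess("https://bank.example/app", "https://bank.example:443/account", "document.title"),
  crossWindowAccess("https://bank.example/app", "http://bank.example/account", "document.title"),
];
for (const a of attempts) {
  console.log(a.allowed ? "ALLOW" : "DENY", a.reason);
}
```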

Protections for Mobile Code
One of the solutions to stop JavaScript from being used to write mobile code that runs on the client side is to parse the code before execution. If the code can be parsed before execution, i.e. with access to the stack, where control over the execution of the code can be achieved, the malicious virus can be prevented.

The best and easiest way to block mobile code is to have an authorized policy that bans or restricts mobile code in your organization. To implement this policy, an organization can build a rule set on its firewall to block all mobile code at the perimeter and stop it from entering the organization. At the same time, this may not be feasible for many organizations, since languages like JavaScript and ActiveX are used heavily in building websites to add bells and whistles. This takes us back to the familiar risk assessment question: how much, and what, mobile code should be allowed into the organization? The organization should assess the risk related to each type of mobile code and allow or disallow it based on the risk it poses to the business. If there is an exception, make sure the business owner signs off on the exemption form.

Ongoing user awareness of the mobile code policy and the risk assessment process will be necessary to minimize risk. Blocked mobile code should be monitored or scanned based on the policy, and appropriate measures should be taken if rogue mobile code is detected.

Do you check that your vendors or partners are not downloading malicious mobile code onto your website?

To know more about Mobile Code….
Titles on eBay
Titles on DISC InfoSec Store

Tags: ActiveX, Business, ISO/IEC 27002, Java, JavaScript, Mobile code, Personal computer, VBScript

Nov 06 2012

New Tools for IT and Security professionals

Category: BCP, Information Security | DISC @ 11:40 am

IT Governance is continually striving to create, source and deliver products that help IT and information security professionals in the real world. Check out their latest Business Continuity, ITIL & ITSM and Information Security products below to help you in your current and future projects. This is the perfect time of year to start adding some of these tools to your wish list and stay abreast of your area of expertise.

ISO22301 BCMS Implementation Toolkit
New release

ITIL Lite: A Road Map to Full or Partial ITIL Implementation – ITIL 2011 Edition
New release

ITIL Foundation Essentials: The exam facts you need
Published on 6th November

Resilient Thinking: Protecting Organisations in the 21st Century
Published on 8th November

ISO19770 SAM Process Guidance: A kick-start to your SAM programme
Published on 13th November

Tags: Business, business continuity, Information Security, Information Technology, Information Technology Infrastructure Library, it service management, SAM, Software asset management

Jul 08 2011

How to protect ourselves from Payment Fraud

Category: Cyber Threats, Cybercrime, pci dss | DISC @ 11:26 pm

Some basic advice has been issued by APACS, and includes:

    * Don’t let your cards or your card details out of your sight when making a transaction
    * Do not keep your passwords, login details or PINs written down
    * Do not disclose PINs, login details or passwords in response to unsolicited emails
    * Only divulge card details over the phone when you have made the call or when you are familiar with the company
    * Access internet banking or shopping sites by typing the address into your browser. Never enter your personal details on a website you have accessed via a link from an e-mail
    * Shop at secure websites by checking that the security icon is showing in your browser window (a locked padlock or an unbroken key)
    * Always log out after shopping and save the confirmation e-mail as a record of your purchase

For more advice you can visit:

Spotting and avoiding common scams, fraud and schemes online and offline

How the scam works and what you need to do about it.

Online payment Security and Fraud Prevention

Tags: Australia, Business, Credit card, Financial services, fraud, Internet fraud, Online banking

Apr 29 2011

Top Five Hollywood Hackers Movie

Category: cyber security, Information Security | DISC @ 11:23 am

(Image: Hollywood Sign, via Wikipedia)

In movies the hacker tries to hack into a Department of Defense computer by speed-typing passwords. We all know reality is nothing like this, and we see it as the joke that it is.

But business management doesn’t see the inherent risks as affecting the business bottom line, but rather as a hindrance to another new project; they don’t see the research, the probing, the social engineering, risk impact, risk probability and overall risk as security professionals do. It is our job as security professionals to show the risks in business terms to management so they can make a reasonable decision based on the business risk threshold, rather than emphasizing the hindrance to the bottom line. Remember, the return on investment in security is part of doing business; it’s about reducing risks on an ongoing basis and keeping the company profitable in the long term (keep making the money).

Emphasize management’s accountability for the risk and, most importantly, for residual risk (the risk remaining after implementing a control). Put the onus on the Information Asset Owner, who should be at the management level, not technical staff (responsibilities may be delegated in small companies). Make clear recommendations but let them make the key decisions, AND make them accountable if things go wrong.

So yes, management is more impressed by flash and glamour, because they know and are good at analyzing business risks but see security risks as inhibiting their new project, and may prefer to accept the risks rather than take the time to address the issue, which should be a corrective control to mitigate the existing risk to an acceptable level.

What do you think: do Hollywood movies add any value by emphasizing information security risks as a threat to business folks, or are they just fictional stories that make business people ignore the information security threat?

Which one is your favorite hacker movie?

Below are the top three hacker movies:

3. Hackers, 2. Untraceable, 1. WarGames

Tags: Business, Cinema of the United States, Hollywood, Information Security, Management, Risk, United States Department of Defense, WarGames

Jan 06 2011

The Basics of Stuxnet Worm and How it infects PLCs

Category: Malware | DISC @ 1:01 pm

(Image: Future of Mobile Malware & Cloud Computing, by biatch0r via Flickr)

Considered the most intricately designed piece of malware ever, Stuxnet leverages attack vectors against industrial control systems, a territory rarely ventured into by traditional malware. Stuxnet targets industries, power plants and other facilities that use automation and control equipment from the leading German industrial vendor, Siemens. The term critical infrastructure refers to industrial systems that are essential for the functioning and safety of our societies. Considering the profound dependence of critical infrastructure on industrial control and automation equipment, it is essential to reassess the impact of this new generation of malware on the stability and security of our society.

Download WhitePaper

Has Israel Begun A Cyber War On Iran With The Stuxnet ‘Missile’?: An article from: APS Diplomat News Service

The New Face of War: How War Will Be Fought in the 21st Century

Tags: Business, Control system, Critical infrastructure, Industrial control systems, Iran, Malware, Siemens, Symantec

Dec 19 2010

Protect your credit card information and avoid Fraud

Category: cyber security | DISC @ 10:51 pm

(Image: photo illustration, New York, May 20, by Getty Images via @daylife)

Essentials of Online payment Security and Fraud Prevention

As we all know, credit card fraud is on the rise and crooks are using more advanced techniques to acquire credit card information. In these circumstances anyone can lose their private and credit card information to crooks. Individual due diligence is necessary to protect credit card information, and below are a few measures which can help to protect it.

– At least once a year (or preferably every 6 months) report each one of your cards missing, so that your credit card company will issue you a new card. This is because crooks often steal credit card info but wait to collect many (at least a million) before they sell them, and this process typically takes a year (according to the FBI), so most of the time your credit card info may be compromised without your knowing it until the crook sells it to a buyer; then, in a matter of 1-2 weeks, you get hit by tons of purchases, and before you know it your credit card is maxed out and you are stuck with proving it wasn’t you.

– Sign up with www.LifeLock.com instead of the many identity theft programs that your bank offers. This program costs about $80-$100 a year (similar in cost to what banks like Chase and WFB offer) but it TRULY covers all the costs when your identity is stolen and your cards are maxed out. They do by far MORE than the other programs that banks offer, and they cover all the costs you may incur (including replacing your PC if it is infected with a virus).

– If anyone calls you (from Visa, MC, AmEx or any credit card company) and tells you anything like your credit card has been used, stolen, etc., get their telephone number and tell them you will call them back before you say ANYTHING to them. Then call the 800 number on the back of your card and verify that the phone number they gave you is indeed a valid number. Do NOT give anything, especially the 3 digits on the back of your card, to anyone who calls you.

– As always, do NOT enter your ATM card PIN into any email.

– Do NOT open any emails from anyone you do NOT know. If you do, and a .pdf file is attached, make sure it makes sense that the sender has sent you this file; otherwise do NOT open the .pdf file. Many viruses are embedded in .pdf files (not pictures or txt files, just .pdf).

– If you do online banking (as we all do), do NOT do bill payment, or if you do, then check the balance in your account once a day. Also, if possible, contact your bank and BAN any WIRE TRANSFERS from your account. Tons and tons of wire transfer fraud has happened during the past year or two and people have LOST THEIR MONEY; the banks have NO obligation to repay even if you can prove you didn’t do the transfer. They say that your computer was hacked and that is YOUR fault, not theirs. Check your bank account balances DAILY, as with a wire transfer you have 24 hours (in most cases) to reverse it, but if it is gone then your money is GONE and you may never be able to get it back.

– NEVER give your laptop for repair or upgrades to anyone you do NOT know really well. Once your laptop or computer is in the hands of a crook he can install spyware and other programs that go into the core of your PC, and nothing, as in NOT EVEN FORMATTING YOUR HARD DISK, can get rid of the virus or spyware. Your only option is to throw away your PC and buy a new one.

– When online, if you happen to go to a website that has many different items on it, such as “Sarah Palin’s info”, “Earthquake victims”, “Las Vegas Deals”, etc., DO NOT open any files or documents (don’t click on them). These websites are put together by very smart crooks who want to attract people, so they have a variety of info posted, but each article has a virus/spyware loaded in it, and if you click on it the virus will be loaded onto your PC, and from that point on they can monitor your keyboard entries, even the screens you look at. Avoid any website that has an unusual or strange collection of info on it.

– Have one credit card with a low limit ($1000-$2000) only for use on internet purchases.

– Have another card with an even lower limit ($500) only for use at gas stations. Gas stations have the highest rate of fraud because the pumps have readers/PIN pads in them that are really old and do NOT have any security features. So have a very low limit card only for use at gas stations.

– Have one or more high limit cards that you only use when you purchase something that you SIGN for, and always check your statements at the end of the month.

Tags: Business, Consumer, Credit card, Financial services, Identity Theft, Merchant Services, Sarah Palin, Wire transfer

Oct 01 2010

Stuxnet, world’s first “cyber superweapon,” attacks China

Category: Cybercrime | DISC @ 2:01 pm

(Image: Computer worm, by toastiest via Flickr)

Stuxnet, the most sophisticated malware ever designed, could make factory boilers explode, destroy gas pipelines, or even cause a nuclear plant to malfunction; experts suspect it was designed by Israeli intelligence programmers to disrupt the operations of Iran’s nuclear facilities — especially that country’s centrifuge farms and the nuclear reactor in Bushehr; it has now infected Chinese industrial control systems as well; one security expert says: “The Stuxnet worm is a wake-up call to governments around the world— It is the first known worm to target industrial control systems”

To read the remaining article …..

Tags: Bushehr, Business, Computer worm, Control system, Iran, Israel, Malware, Nuclear

Sep 15 2010

Cloud Computing: A Treasure Trove for Hackers

Category: Cloud computing | DISC @ 10:10 am

(Image: IBM Cloud Computing, by Ivan Walsh via Flickr)

Above the Clouds: Managing Risk in the World of Cloud Computing

By Dick Weisinger
Security usually tops the lists of concerns that people have about the cloud. And now it seems like there is good reason. In a recent survey of 100 “elite” hackers at the 2010 Defcon conference, 96 of them said that the cloud offered up more opportunity for them to hack. 89 of them said that they thought that cloud providers weren’t being proactive enough in beefing up their security, 45 of them admitted to having already engaged in cloud hacking, and 12 of them said that they hack for financial gain.

When asked about what areas of the cloud they thought were most vulnerable, 21 percent said Software as a Service (SaaS), 33 percent said problems with the Domain Name System (DNS), 16 percent said that cracking the information in log files was on their list of things to hack, and 12 percent said that they’ve hacked into communication profiles.

Barmak Meftah, chief products officer at Fortify, sponsor of the survey, said that “more than anything, this research confirms our ongoing observations that cloud vendors – as well as the IT software industry as a whole – need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource.”

Another highlight at the Defcon conference was a $1500 device that was able to intercept any GSM mobile phone call.

Tags: Barmak Meftah, Business, Cloud computing, Defcon, Domain Name System, Hacker (computer security), Information Technology, Software as a service

Aug 30 2010

Cyber attacks against Water, Oil and Gas Systems

Category: Cybercrime | DISC @ 9:49 am

(Image: National Security Authority, via Wikipedia)

“This summer the Norwegian National Security Authority (NSM) discovered for the first time targeted computer attacks directed against internal process and control systems to ensure supply of electricity and water. Similar attacks were discovered in Germany and Belarus. EU’s cyber-security unit, ENISA, will in late October or early November carry out the first ever pan-European cyber security exercise.”

Cyber Criminals Attack Critical Water, Oil and Gas Systems

Tags: Belarus, Business, Computer security, Control system, European Union, Germany, National Security Authority, NSM

Aug 23 2010

13 Things an Identity Thief Won’t Tell You

Category: Identity Theft | DISC @ 11:10 am

(Image: Identity Thief, Incognito, by CarbonNYC via Flickr)

Stopping Identity Theft: 10 Easy Steps to Security

by Reader’s Digest Magazine, on Thu Aug 12, 2010. Interviews by Michelle Crouch

Former identity thieves confess the tactics they use to scam you.

1. Watch your back. In line at the grocery store, I’ll hold my phone like I’m looking at the screen and snap your card as you’re using it. Next thing you know, I’m ordering things online-on your dime.

2. That red flag tells the mail carrier-and me-that you have outgoing mail. And that can mean credit card numbers and checks I can reproduce.

3. Check your bank and credit card balances at least once a week. I can do a lot of damage in the 30 days between statements.

4. In Europe, credit cards have an embedded chip and require a PIN, which makes them a lot harder to hack. Here, I can duplicate the magnetic stripe technology with a $50 machine.

5. If a bill doesn’t show up when it’s supposed to, don’t breathe a sigh of relief. Start to wonder if your mail has been stolen.

6. That’s me driving through your neighborhood at 3 a.m. on trash day. I fill my trunk with bags of garbage from different houses, then sort

7. You throw away the darnedest things-preapproved credit card applications, old bills, expired credit cards, checking account deposit slips, and crumpled-up job or loan applications with all your personal

8. If you see something that looks like it doesn’t belong on the ATM or sticks out from the card slot, walk away. That’s the skimmer I attached to capture your card information and PIN.

9. Why don’t more of you call 888-5-OPTOUT to stop banks from sending you preapproved credit offers? You’re making it way too easy for me.

10. I use your credit cards all the time, and I never get asked for ID. A helpful hint: I’d never use a credit card with a picture on it.

11. I can call the electric company, pose as you, and say, “Hey, I thought I paid this bill. I can’t remember-did I use my Visa or MasterCard? Can you read me back that number?” I have to be in character, but it’s unbelievable what they’ll tell me.

12. Thanks for using your debit card instead of your credit card. Hackers are constantly breaking into retail databases, and debit cards give me direct access to your banking account.

13. Love that new credit card that showed up in your mailbox. If I can’t talk someone at your bank into activating it (and I usually can), I write down the number and put it back. After you’ve activated the card, I start using it.

Tags: Automated teller machine, Business, Credit card, debit card, Financial services, Identity Theft, MasterCard, Visa

Jul 10 2010

FTC Says Scammers Stole Millions, Using Virtual Companies

Category: Cybercrime | DISC @ 11:23 pm

(Image: Seal of the United States Federal Trade Commission, via Wikipedia)

100% Internet Credit Card Fraud Protected

by Robert McMillan
The U.S. Federal Trade Commission has disrupted a long-running online scam that allowed offshore fraudsters to steal millions of dollars from U.S. consumers — often by taking just pennies at a time.

The scam, which had been run for about four years, according to the FTC, provides a case lesson in how many of the online services used to lubricate business in the 21st century can equally be misused for fraud.

“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. “The people who are behind this are very meticulous.”

The FTC has not identified those responsible for the fraud, but in March, it quietly filed a civil lawsuit in U.S. District Court in Illinois. This has frozen the gang’s U.S. assets and also allowed the FTC to shut down merchant accounts and 14 “money mules” — U.S. residents recruited by the criminals to move money offshore to countries such as Bulgaria, Cyprus, and Estonia.

“We’re going to aggressively seek to identify the ultimate masterminds behind this scheme,” Wernikoff said. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

Wernikoff doesn’t know where the scammers obtained the credit card numbers they charged, but they could have been purchased from online carder forums, black market Web sites where criminals buy and sell stolen information.

Small Thefts Overlooked

The scammers stayed under the radar by charging very small amounts — typically between $0.25 and $9 per card — and by setting up more than 100 bogus companies to process the transactions.

U.S. consumers footed most of the bill for the scam because, amazingly, about 94 percent of all charges went uncontested by the victims. According to the FTC, the fraudsters charged 1.35 million credit cards a total of $9.5 million, but only 78,724 of these fake charges were ever noticed. Typically they floated just one charge per card number, billing on behalf of made-up business names such as Adele Services or Bartelca LLC.

As credit cards are increasingly being used for inexpensive purchases — they’re now accepted by soda machines and parking meters — criminals have cashed in on the trend by running this type of unauthorized charging scam.

“They know that most of the fraud detection systems won’t detect anything under $10 and they know that consumers won’t complain about a 20 cent fee,” said Avivah Litan, an analyst with the Gartner research firm who follows bank fraud. “What’s different here is the scale, and that they got away with it for so many years,” she said.

Similar Cases Show Trend

In March Alexsandr Bernik of Roseville, California, was sentenced to 70 months in prison for running a similar scam. He put tens of thousands of charges on Amex accounts, each ranging from $9 to $15. Neither federal authorities nor American Express would explain how Bernik obtained his card numbers.

Bernik made his charges on behalf of a fictional corporation called Lexbay Ltd., but in the FTC case, the scammers would mimic legitimate companies — taking real federal tax I.D. numbers and then setting up fake businesses with nearly identical names that appeared to be located nearby. In a move that apparently tricked credit card processors into granting it a merchant account, Adele Services, for example, was set up to mimic a legitimate Bronx, New York group called Adele Organization.

When the scammers tried to register merchant accounts with credit card processors, the processors would do some investigating, but using tricks like these, the scammers were always one step ahead.

In fact, the FTC’s description of their operation reads like a textbook on how to set up a fake virtual corporation in the Internet age.

The criminals used a range of legitimate business services to make it appear to credit card processors as though they were legitimate U.S. companies, even though the scammers may have never set foot in the U.S.

For example, using a company called Regus, they were able to give their fictional companies addresses that were very close to the companies whose tax IDs they were stealing. Regus lets companies operate “virtual offices” out of a number of prestigious addresses throughout the U.S. — the Chrysler Building in New York for example — forwarding mail for as little as US$59 per month.

Mail sent to Regus locations was then forwarded to another company, called Earth Class Mail, which scans correspondence and uses the Internet to deliver it to customers in pdf format.

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

One of the largest payment processors in the U.S., First Data, was a favorite of the scammers. Of the 116 fake merchant accounts the FTC uncovered, 110 were with First Data. The scammers also set up bogus accounts with Elavon and BBVA Compass.

First Data would not comment on the measures it had taken to improve its merchant vetting process, but the company did confirm that it cooperated with the FTC investigation.

Aided by ‘Mules’

To get the money out of the U.S., the scammers had to recruit money mules. These were U.S. residents who were recruited online, often with spam e-mail messages. Under the impression that they were helping offshore businesses, the money mules set up bank accounts and helped the fraudsters move money offshore.

In a letter to the judge presiding over the case, one of the mules, James P. Smith of Brownwood, Texas, says he worked for one of the scammers for four years without realizing that anything illegal was going on. Smith now says he is “ashamed” to be named in the FTC action, and offers to help catch his former boss, who used the name Alex Moore.

The FTC’s Wernikoff believes that whoever is responsible for this crime lives outside of the U.S., but with the money-cashing operation now busted up, the scammers will have to start again from scratch, if they want to keep bilking consumers. And criminal investigators now have a trail to follow.

“Does it prevent the people ultimately responsible from building up again from scratch?” he asked. “No. But we do hope that this seriously disrupts them.”
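The article above describes a pattern a card processor or issuer can look for on its own side: a merchant that bills a large number of distinct cards exactly once each, every charge under the usual $10 review threshold. The detection logic below is an added example, not code from the article or from any processor named in it; the transactions are constructed sample data, the card values are opaque tokens, and "Corner Cafe" and "Hardware Depot" are invented legitimate merchants for contrast.

```javascript
// Added example (not from the article): detection logic for the micro-charge
// pattern the FTC describes, run over constructed sample transactions.
// Card values are constructed tokens, not real card numbers.

const SAMPLE_TRANSACTIONS = [];
function addCharges(merchant, cards, amountFor) {
  cards.forEach((card, i) => SAMPLE_TRANSACTIONS.push({ merchant, card, amount: amountFor(i) }));
}
// Bogus merchants modelled on the names in the article: one tiny charge per card,
// all between $0.25 and $9 as the FTC described.
addCharges("Adele Services", [...Array(8).keys()].map(i => `tok-${1000 + i}`), i => 0.25 + i);
addCharges("Bartelca LLC", [...Array(5).keys()].map(i => `tok-${2000 + i}`), () => 9.0);
// Constructed legitimate merchants: a cafe with repeat customers and small tickets,
// and a hardware store with larger tickets.
addCharges("Corner Cafe", ["tok-3001", "tok-3001", "tok-3001", "tok-3002", "tok-3002", "tok-3003"], () => 4.5);
addCharges("Hardware Depot", [...Array(6).keys()].map(i => `tok-${4000 + i}`), () => 45.0);

// Per-merchant aggregates: number of charges, total, largest single charge and
// how many times each card was billed.
function merchantStats(transactions) {
  const stats = new Map();
  for (const t of transactions) {
    let s = stats.get(t.merchant);
    if (!s) {
      s = { count: 0, total: 0, maxAmount: 0, perCard: new Map() };
      stats.set(t.merchant, s);
    }
    s.count += 1;
    s.total += t.amount;
    s.maxAmount = Math.max(s.maxAmount, t.amount);
    s.perCard.set(t.card, (s.perCard.get(t.card) || 0) + 1);
  }
  return stats;
}

// Flags merchants whose every charge is below `maxAmount`, that have billed at
// least `minCards` distinct cards, and where almost no card was billed twice.
// Real merchants accumulate repeat customers; a one-charge-per-card scam does not,
// which is what lets the pattern stand out even though each amount is trivial.
function flagMicroChargeMerchants(transactions, { maxAmount = 10, minCards = 5, maxRepeatRatio = 0.05 } = {}) {
  const flagged = [];
  for (const [merchant, s] of merchantStats(transactions)) {
    const distinctCards = s.perCard.size;
    const repeatCards = [...s.perCard.values()].filter(n => n > 1).length;
    const repeatRatio = repeatCards / distinctCards;
    if (s.maxAmount < maxAmount && distinctCards >= minCards && repeatRatio <= maxRepeatRatio) {
      flagged.push({
        merchant,
        distinctCards,
        charges: s.count,
        total: Number(s.total.toFixed(2)),
        maxAmount: s.maxAmount,
      });
    }
  }
  return flagged.sort((a, b) => a.merchant.localeCompare(b.merchant));
}

for (const f of flagMicroChargeMerchants(SAMPLE_TRANSACTIONS)) {
  console.log(`REVIEW ${f.merchant}: ${f.charges} charges on ${f.distinctCards} cards, max $${f.maxAmount}, total $${f.total}`);
}
```

The thresholds are parameters because the right values depend on a processor's own merchant mix; the sample flags the two bogus merchants and neither constructed legitimate one.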

Tags: American Express, Business, Credit card, Federal Trade Commission, First Data, fraud, FTC, United States

Jun 30 2010

Security glitch exposes WellPoint data again

Category: hipaa, pci dss, Security Breach | DISC @ 11:53 am

By Tom Murphy

INDIANAPOLIS – WellPoint Inc. has notified 470,000 individual insurance customers that medical records, credit card numbers and other sensitive information may have been exposed in the latest security breach of the health insurer’s records.

The Indianapolis company said the problem stemmed from an online program customers can use to track the progress of their application for coverage. It was fixed in March.

Spokeswoman Cynthia Sanders said an outside vendor had upgraded the insurer’s application tracker last October and told the insurer all security measures were back in place.

But a California customer discovered that she could call up confidential information of other customers by manipulating Web addresses used in the program. Customers use a Web site and password to track their applications.

WellPoint learned about the problem when the customer filed a lawsuit about it against the company in March.

“Within 12 hours of knowing the problem existed, we fixed it,” said Sanders, who declined to identify the outside vendor.

WellPoint is the largest commercial health insurer based on membership, with nearly 34 million members. It runs Blue Cross Blue Shield plans in 14 states and Unicare plans in several others.

Sanders said the insurer notified customers in most of its states. That includes about 230,000 customers of its Anthem Blue Cross subsidiary in California.

About 356 million records of U.S. residents have been compromised or exposed due to security breaches since 2005, according to Privacy Rights Clearinghouse, a consumer advocacy group that tracks such reports.

WellPoint’s security breach doesn’t crack the top 10 in terms of number of people who may have had information exposed, said Paul Stephens, the organization’s director of policy and advocacy. Even so, he labeled the breach “very serious” because it possibly involved both financial and medical information.

“There are obviously multiple concerns there for consumers,” he said.

Two years ago, WellPoint offered free credit monitoring after it said personal information for about 128,000 customers in several states had been exposed online. In 2006, backup computer tapes containing the personal information of 200,000 of its members were stolen from a Massachusetts vendor’s office.

WellPoint’s latest breach affected only individual insurance customers and not group coverage or people who buy Medicare Advantage insurance. Sanders said the company believes a “vast majority” of the unauthorized access of customer information came from the plaintiff and her attorneys.

The insurer notified all individual insurance customers who had information in its application tracking program from October through March. It will provide a year of free credit monitoring.

WellPoint shares fell 69 cents to $50.10 in Tuesday afternoon trading, while broader trading indexes slid more than 2 percent.

Tags: Anthem (insurance), Blue Cross and Blue Shield Association, Business, Insurance, Privacy Rights Clearinghouse, Security, WellPoint

      Jun 22 2010

      Symantec: SMBs Change Security Approach with Growing Threats

      Category: BCP,MalwareDISC @ 1:50 am

      By: Brian Prince

      A survey of small to midsize businesses from 28 different countries by Symantec found that companies are focusing more on information protection and backup and recovery. Driving these changes is a fear of losing data.

      Today’s small to midsize businesses (SMBs) are facing a growing threat from cyber-attacks, and are changing their behavior to keep up.

      In a May poll of 2,152 executives and IT decision makers at companies with between 10 and 499 employees, Symantec found SMBs are now spending two-thirds of their time dealing with things related to information protection, such as computer security, backup and archival tasks, and disaster preparedness. Eighty-seven percent said they have a disaster preparedness plan, but just 23 percent rate it as “pretty good” or “excellent.”

      Driving the push for these plans, as well as the interest in backup and recovery, is the fear of losing data. Some 42 percent reported having lost confidential or proprietary information in the past, and all of those reported experiencing revenue loss or increased costs as a result. Almost two-thirds of the respondents said they lost devices such as smartphones, laptops or iPads in the past 12 months, and all the participants reported having devices that lacked password protection and could not be remotely wiped if lost or stolen.

      In the past, SMBs would settle for having antivirus technology, said Bernard Laroche, senior director of product marketing at Symantec. Now, however, they are starting to realize the threat landscape is changing, he said.

      “If you look at endpoint usage … in most SMBs that’s the only place where the information resides because people were not backing up … so if somebody would lose a laptop at the airport or somebody steals the laptop in the back of car or something, then your information is obviously at risk and that can bring a lot of financial impact to small business,” he said.

      The survey also found SMBs are spending an average of about $51,000 on information protection. The financial damage for those who suffer cyber-attacks can be significant. Cyber-attacks cost an average of $188,242 annually, according to the survey. Seventy-three percent said they were victims of cyber-attacks in the past year, and 30 percent of those attacks were deemed “somewhat/extremely successful.” All of the attack victims suffered losses, such as downtime, theft of customer or employee information, or credit card data, Symantec reported.

      “The concept of, ‘I’ve got an antivirus solution, I’m fully protected,’ I think those days are gone,” Laroche said.

      Detailed information on Symantec SMB suites:

      Symantec Endpoint Protection Small Business Edition 12.0

      Symantec Protection Suite Small Business Edition 3.0

      Tags: Backup, Business, Computer security, Credit card, Emergency Management, Small business, SMB, SMB suites, Symantec, Warfare and Conflict

      Jun 01 2010

      The Smart Grid needs to get smart about security

      Category: Information Security,Information WarfareDISC @ 6:17 pm


      by Larry Karisny
      While following the Connectivity Show in Santa Clara, California, I thought I should follow up on Greentech Media’s annual Smart Grid conference in Palm Springs last week. I wanted to focus this article on Smart Grid security, so I thought I should find some clear explanation of where we are now and then add my thoughts on where we need to be in smart grid security. To get an indication of where we are, I couldn’t pass up this simultaneously humorous and cautionary anecdote that opened the panel discussion, from Smart Grid security guru Massoud Amin of the University of Minnesota, drawn from his most recent whitepaper:

      Now, with all due respect to the power companies, why should they even know how to spell IP? Their history in communications was to build stand-alone power facilities and substations connected with point-to-point microwave communication links (many times upgraded to their own dark-fiber point-to-point links). With this kind of money and private network capabilities, why would you ever worry about security? You lived on your own island with your own power and communications grid, and everything was just fine. Then came the smart grid. By definition, the smart grid requires two-way digital technology to control appliances at consumers’ homes to save energy, reduce cost and increase reliability and transparency. A big change for power companies, and admittedly a whole new learning curve, with many power companies like PG&E setting up their own test labs to begin learning this (who knew?) complex smart grid system (See: Inside PG&E’s Smart Grid Lab, where Chris Knudsen, director of the technology innovation center at PG&E, shows us what they’re tinkering with).

      It didn’t take long for problems to occur. Again, you need to understand that even smart meters were just dusted-off 20-year-old designs that were lying around waiting for someone to push the power companies into the 21st century. These designs were never meant to securely send and store data in real time. It wasn’t long before serious security issues were found and reported by respected security firms like InGuardians and IOActive. And we are not talking about someone hacking your PC. When it comes to the power grid, the costs of remote hack attacks are potentially more dramatic. “The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardians, speaking at a panel at the RSA Security Conference in San Francisco. So now, with little knowledge of the Internet and security, the power companies have billions of dollars of grants in hand with one big problem: the grants mandate an iron-clad security platform.

      To add to the smart grid security problems some people think the power grid is the main target in the new battle in cyber wars.

      Richard Clarke, the former anti-terrorism czar, has now turned his attention to a new national security threat, putting an attack on the power grid on the front lines. In a recent Newsweek article Clarke was quoted as saying, “I think the average American would understand it if they suddenly had no electricity.

      The U.S. government, [National Security Administration], and military have tried to access the power grid’s control systems from the public Internet. They’ve been able to do it every time they have tried. They have even tried to issue commands to see if they could get generators to explode. That’s the famous Aurora experiment in Idaho. Well, it worked. And we know there are other real cases, like the power grid taken out in Brazil as part of a blackmail scheme. So the government knows it can be done, the government admits it can be done, the government intends to do it to other countries. Even the Chinese military has talked publicly about how they would attack the U.S. power grid in a war and cause cascading failures.”

      So what can we do to secure the grid now while upgrading it to smart grid capabilities?

      Ed Smith, CEO of WirelessWall has one word, “Attack.” Having a military background he understands that you begin an attack by crippling an enemy’s communication and critical infrastructure. His civilian background has a long history of Situational Crisis Management, using Rapid Response Teams to facilitate the successful conclusion to crisis situations. Armed with security that exceeds the DoD 8100.2 (DoD Directive on wireless security) and FIPS 140-2 End-to-End Security that was developed for the U.S. Navy to provide secure, mobile shipboard networks, Smith knows he has an immediately implementable data security solution that is simply not being recognized.

      “People in the civilian sector are not upgrading their security for business reasons, basically to save money, not for security reasons. That can be tolerated if you are protecting data that involves a loss of money, but it is inexcusable when the lack of protection of data involves the loss of life. Let there be no doubt that an attack on critical infrastructure is an act of war and it is absolutely appropriate to use an available military solution to protect civilian lives.”

      “We can’t afford not to put good enough security in our power grids. My company has offered our platform of higher security to VISA and others in the financial industry and made it clear that the retail industry POS terminals Data Security Standard (PCI DSS) has already been hacked, but nothing will be changed unless there are more attacks that cause greater losses. The PCI DSS standard will have to be raised, and ultimately will, but the Smart Power Grid protection has to be implemented now.”

      “If you are a Smart Grid Integrator offering a solution, someone that has been breached, or better yet, don’t want to be breached, you have to be proactive. Where are the power companies? What are they waiting for? PG&E, Duke Power, Florida Power and Light, Progress Energy, Sacramento Municipal Utility District (SMUD), we are right here in Silicon Valley California, WirelessWall can even be installed remotely and proven in a matter of hours so there is really no excuse for not putting this in their labs and testing it. After about 10 years of real-life military testing and the only wireless protection allowed by the DoE to secure nuclear sensors for the last 6 years, there is not a lab test that can come close to disputing the protection capabilities of WirelessWall. It is a time and situation proven solution and our Rapid Response Team approach is designed to install protection immediately”.

      Like the old David and Goliath story, the power companies need to start embracing smaller companies’ expertise and leverage their learning curve. As the WirelessWall security story shows, the expertise in how to build these wireless network platforms resides in the companies that have had their products tested in real-world municipal, public safety and military environments. Companies like Tropos Networks, Trillium (SkyPilot), Mesh Dynamics, Strix Systems and Proxim, just to name a few, were the trailblazers that learned along the way and can now bring tested wireless network expertise to the smart grid. With secure wireless solutions out there, power companies need to leverage the expertise of these wireless pioneers that have been there, done that, and are ready to support a secure wireless smart grid network with their tested solutions.

      SP AusNet selects GE for world’s first 4G communications smart grid solution, delivering revolutionary security and reliability benefits.(CONTRACTS): An article from: Home Networks

      Tags: Business, Electrical grid, Federal government of the United States, Sacramento Municipal Utility District, San Francisco, Security, Smart Grid, United States

      May 25 2010

      Tips for building security organization

      Category: Security organizationDISC @ 5:54 pm


      By: Brian Prince

      Businesses have increased expectations on the security team in recent years, sometimes producing a disconnect between what is expected and what the security team can deliver. In a new report, Forrester Research lays out some advice for building an effective security organization.

      As IT security has become a bigger part of business discussions, security teams have increasingly shifted their focus from operations to strategic business objectives.

      For businesses building their security groups, there needs to be a balance between fulfilling operational and strategic goals, and a new report from Forrester Research offers advice on how businesses can find it.

      “In a few cases we found that the strategic aspect of security was so important or was so highlighted in terms of the CISO [chief information security officer] role that the CISO was sometimes moved outside the IT organization, [and] sometimes wasn’t as connected with the operation [of] the IT…[but] much more connected with the business side and the strategy side,” explained Forrester analyst Khalid Kark. “What that does is basically creates an ivory tower for the chief security officers, and then they are not able to operate.”

      To avoid that, there are several steps Forrester recommends organizations take. Here are a few of them.

      — New Roles: To make your security practice more strategic, add these three positions: a business liaison to advocate for the business unit within the security team and communicate the security perspective to business; the third-party security coordinator to address outsourcing, assessments and cloud computing; and a security engineer focused on working with the enterprise architecture team to build security into the architecture and integrate specific infrastructure security components into the architecture.

      — Understand IT security vs. information risk: “Many security organizations fail to get management attention because they’re always focused on the IT security activities, which the business doesn’t understand,” according to the report. “On the other hand, the business understands risk well, and if you articulate those same problems in the risk context, the business is much more likely to react and respond to them.”

      — Develop a cross-functional security council: “Focus on ‘who’ not ‘how.’ Forrester has long professed the benefits of a security council, but one thing that is absolutely essential for the success of this council is its composition,” the report continues. “The trick is not to aim for the highest ranking businessperson but the one most interested in security and risk issues who has a reasonable level of visibility in the business. When you have a passionate team working on the security issues, the ‘how’ will be easy to determine.”

      — Equip the business to perform risk assessments: “To meet the security and risk obligations effectively, you have to delegate, and risk assessments are ideal for this,” Forrester said. “Provide the checklists and basic training to the business to perform the basic risk assessment tasks so that it takes the pressure off your resources. Make it easy and seamless for the business to incorporate these into its existing processes.”

      Complicating things is today’s economic environment in which businesses may be forced to reshuffle or even cut their security personnel. When that happens, organizations may have to refocus their attention from strategic projects and get back to basics, the report noted.

      “As security organizations get leaner, delegation, formalized and documented processes, and good monitoring and metrics become key,” said Forrester analyst Rachel Dines, who worked on the report with Kark. “Security organizations don’t need to have direct ownership of all security-related processes, but they do need to monitor and control them.”

      How to create a security culture in your organization: a recent study reveals the importance of assessment, incident response procedures, and social engineering … article from: Information Management Journal

      Tags: Business, Chief Information Security Officer, Cloud computing, Consultants, Forrester Research, General and Freelance, Information Security, Security

      May 18 2010

      Taking Credit Card Security Seriously

      Category: pci dssDISC @ 1:33 pm


      PCI DSS v1.2: A Practical Guide to Implementation

      By David F. Carr @ Forbes

      The easiest way for small businesses to address the information security requirements imposed by credit card companies is the wrong way. I’m talking about lying and praying.

      In 2004 the major credit card companies got together to define a common Payment Card Industry Data Security Standard (PCI DSS, often referred to as just PCI). They are gradually ratcheting up the pressure on merchants of all sizes to comply. Large companies, and some smaller ones that process a large volume of transactions (particularly if they’re doing it on the Web), are required to have an independent review of their processes and systems by a security professional credentialed as a qualified security assessor (QSA). Most small businesses can instead complete a self-assessment questionnaire, where they essentially grade themselves. That’s where the lying comes in. It’s not so hard to check off all the right answers (“Sure, I review my e-commerce server logs on a daily basis.”) without actually making them true.

      If you’re lying, you had better also be praying. If caught, you could be fined for non-compliance, to the tune of tens or hundreds of thousands of dollars–enough to put many a small organization out of business. Expect even harsher treatment if someone hacks your systems and downloads card data you claimed you weren’t even storing.

      Most of the requirements are basic security, like making sure there is a firewall between your Internet connection and any system that stores credit card numbers. Factory default passwords on your network equipment must be changed, so that no one can log on as user “admin,” password “admin.” And so on. More specifically, you’re responsible for protecting card holder data, and there’s some data you’re never supposed to store–like the full contents of a card’s magnetic strip.

      Many small businesses are still under the impression that the rules don’t apply to them because they’re too small, or because they don’t conduct e-commerce. Actually, the rules apply to any business–and even any nonprofit–that takes credit card payments. You can look for ways to lighten the compliance burden, but you can’t get yourself off the hook entirely. Even if no one has yet compelled you to complete a questionnaire or conduct an automated scan of your networks, you’re still supposed to be locking down your systems.

      Some businesses complain this all sounds too complicated and expensive. But they are missing the point, says Anton Chuvakin, author of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. The PCI rules really represent the minimum security standards businesses must meet to be fair to their customers, who, after all, are trusting the merchant every time they hand over a credit card number. In the wake of a card security breach, a larger business might suffer from the fines, damages and adverse publicity resulting from a card security breach. By contrast, “a small business is more likely to be GONE,” Chuvakin said. “Businesses that endanger their customers really do deserve to die.”

      If your organization is not equipped to handle credit card data securely, maybe you should not be handling it at all. Look for ways to shift as much of the burden as possible onto a service provider that specializes in secure payment processing. Services such as PayPal and Authorize.net let you forward customers to their websites for payment processing; credit card numbers never pass through your hands at all.

      Small businesses such as restaurants that use an older generation of countertop credit card terminals may be breaking the rules inadvertently because the device stores magnetic stripe data or otherwise violates the PCI requirements. So consider upgrading to a payment device that is certified PCI compliant. Basic terminals capable of encrypting Personal Identification Number (PIN) codes and protecting other sensitive information are available for as little as $100 and might even be offered free by merchant account services trying to win your business. The PCI Security Standards Council publishes a list of approved devices. Just remember that using a compliant device is only one element of making your business compliant.

      Even if you’re not storing anything explicitly prohibited, you may be storing more credit card data than you need to. Small merchants typically store a day’s worth of credit card numbers on a card swipe terminal, then process all the transactions in a batch at the end of the day. Bigger retailers may record the card numbers in a centralized database so they can track all a customer’s purchases, and so they can retrieve the number if they need to issue a refund. But do you need to retain those numbers at all?

      Possible Solutions
      Perhaps not. Martin McKeay, a QSA and author of the Network Security Blog, recommends looking at new strategies for using end-to-end encryption and “tokenization.”

      For example, payment processor First Data ( FDC – news – people ) and security software firm RSA Security have developed a product called TransArmor that allows merchants to get authorization for a credit card number and then immediately dispose of the card number, replacing it with a token. The token is another number that acts as a stand-in for the credit card number itself. First Data keeps track of which tokens correspond with which credit card numbers. So if you’re executing previously authorized transactions at the end of the day, you send First Data a batch of tokens, and it relays the card numbers on to the bank. But if the tokens are stolen, by themselves they are worthless to anyone else.

      “With this, the only time you need the true credit card number is when you do the authorization,” says Craig Tieken, First Data vice president of merchant product management. “The merchant, in our opinion, no longer needs the card number.” TransArmor is still in beta testing, scheduled for release in the summer of 2010.
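To make the tokenization flow above concrete, here is an added model of it in Python. It is not First Data's TransArmor or RSA's product and assumes nothing about their internals: the merchant sends the real card number once, for authorization, keeps only a random token plus a masked number on the receipt, and settles the day's batch by sending tokens that the processor resolves in its own vault. The card numbers are the standard Visa and Mastercard test numbers, the amounts and the replayed bogus token are constructed, and `Processor`, `Merchant` and `run_day` are names chosen for this example.

```python
"""Added model (not First Data's TransArmor or RSA's product) of the
tokenization flow described in the article: authorize with the real card
number once, keep only a random token, settle the day's batch with tokens
that the processor maps back to card numbers inside its own vault.
Card numbers are the standard Visa/Mastercard test numbers; names, amounts
and the bogus replayed token are constructed."""
import secrets
from typing import Dict, List, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """The most a merchant may keep for display: first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class Processor:
    """Stand-in for the payment processor; it alone holds the token vault."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}          # token -> full card number
        self.settled: List[Tuple[str, int]] = []  # (masked card, amount)

    def authorize(self, pan: str, amount_cents: int) -> Tuple[str, str]:
        """Authorize a charge and return (auth_code, token). The token is
        random, so nothing about the card number can be recovered from it."""
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = secrets.token_hex(8)
        self._vault[token] = pan
        return f"AUTH{secrets.randbelow(10**6):06d}", token

    def settle_batch(self, batch: List[Tuple[str, int]]) -> Tuple[int, List[str]]:
        """Settle (token, amount) pairs. Tokens the vault never issued (for
        example a batch stolen elsewhere and replayed) are rejected."""
        rejected = []
        for token, amount in batch:
            pan = self._vault.get(token)
            if pan is None:
                rejected.append(token)
                continue
            self.settled.append((mask_pan(pan), amount))
        return len(self.settled), rejected


class Merchant:
    """Merchant side: once authorize() returns, only the token, the masked
    number and the auth code persist; the full card number is never stored."""

    def __init__(self, processor: Processor) -> None:
        self.processor = processor
        self.receipts: List[Dict[str, object]] = []

    def charge(self, pan: str, amount_cents: int) -> str:
        auth_code, token = self.processor.authorize(pan, amount_cents)
        self.receipts.append({"token": token, "amount": amount_cents,
                              "card": mask_pan(pan), "auth": auth_code})
        return token

    def end_of_day(self) -> Tuple[int, List[str]]:
        """Batch settlement sends tokens only, never card numbers."""
        return self.processor.settle_batch(
            [(r["token"], r["amount"]) for r in self.receipts])

    def contains(self, pan: str) -> bool:
        """Audit check: the full card number must not appear in any field."""
        return any(pan in str(v) for r in self.receipts for v in r.values())


def run_day() -> Tuple[Merchant, Processor, int, List[str]]:
    """One business day: two charges, batch settlement, then a replay of a
    constructed token the vault never issued, which must be rejected."""
    processor = Processor()
    merchant = Merchant(processor)
    merchant.charge("4111111111111111", 2599)
    merchant.charge("5555555555554444", 1250)
    settled, _ = merchant.end_of_day()
    _, rejected = processor.settle_batch([("0000000000000000", 1)])
    return merchant, processor, settled, rejected


if __name__ == "__main__":
    merchant, processor, settled, rejected = run_day()
    print("settled:", settled, "rejected:", rejected)
    print("merchant holds full PAN:", merchant.contains("4111111111111111"))
```

Two design points carry the security value. The token comes from `secrets.token_hex`, not from hashing or encrypting the card number, so a stolen receipt file cannot be reversed even by someone who knows how tokens are made; and the mapping lives only in the processor's vault, which is exactly why the merchant's PCI scope shrinks once the card number is discarded after authorization.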

      PCI DSS v1.2: A Practical Guide to Implementation

      Tags: Business, Credit card, First Data, Payment Card Industry Data Security Standard, PayPal, Personal identification number, Qualified Security Assessor, Tokenization

      May 11 2010

      OCR draft guidelines for security risk analysis

      Category: hipaa,Security Risk AssessmentDISC @ 12:42 am


      The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.

      The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS’ Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.

      Risk analysis is a technique used to identify and assess the threats and vulnerabilities that may hamper achievement of business goals. Risk analysis determines whether the security controls are appropriate compared to the risk presented by the impact of those threats and vulnerabilities.

      The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

      Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said.

      The OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. So basically the auditor will be looking for all the elements required by the guidelines during an audit.

      OCR draft guidelines details

      Information Security Risk Analysis, Tom Peltier

      Tags: Business, Civil and political rights, Health care, health insurance, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, Optical character recognition, Security

      Jan 22 2010

      How to manage risk in the cloud

      Category: Cloud computingDISC @ 3:06 am

      What is Cloud Computing and does it provide more protection to your business?

      Pre-order the Softcover;

      Pre-order the eBook.

      Cloud Computing will bring many benefits to organisations, some of which include reducing operating costs, reducing power consumption and freeing you up to focus on your core business.
      The concept of shifting computing to a shared service provider is not new. What may be new is that the cost of Cloud Computing is falling so dramatically that considering outsourcing to the Cloud is no longer rare, and it is now accessible enough that any individual or organisation can use it to their advantage.

      Above the Clouds: Managing Risk in the World of Cloud Computing
      For Cloud Computing to be a viable option, you need to be confident that your business information will be secure and that the service you offer to your customers will still be reliable. So if you want to adopt a Cloud Computing strategy, you need to make sure you carry out due diligence on the service provider before you entrust this firm with your vital data. However, the author challenges the assumption that Cloud Computing will offer less protection to your data than relying on an in-house server.

      Cloud Computing not only allows you to make economies of scale; it can also offer you the increased security that comes from sharing the resource. The author argues that moving over to Cloud Computing can actually help to defend your organisation from threats such as denial of service attacks, viruses and worms.

      Cloud service providers will tell you that Cloud Computing is bound to be better, faster and cheaper. The reality is that before switching over to Cloud Computing, you need to think carefully about whether it will really work for your business. This book shows you what you need to do to ensure that with Cloud Computing you will continue to give the standard of service your customers require. It also offers you some valuable tips on how to choose your provider of Cloud services.

      Published date: 9th February 2010.

      Pre-order this book using Voucher Code: “cloud2010” to save 10%!

      Pre-order the Softcover;

      Pre-order the eBook.

      Tags: Business, cloud, Cloud computing, cloud computing benefits, cloud computing concerns, cloud computing risks, cloud computing security, cloud security, cloud services, cloudcomputing, Computer Science, Denial-of-service attack, Distributed Computing, due diligence, Economy of scale, Outsourcing, Security

      Next Page »