Jul 29 2010

Hacker finds a way into ATM computers

Category: CybercrimeDISC @ 6:23 pm
Nice ATM
Image via Wikipedia

Understanding and Managing Cybercrime

by Jordan Robertson
A hacker has discovered a way to force ATMs to disgorge their cash by hijacking the computers inside them.

The attacks demonstrated Wednesday at a security conference were done at stand-alone ATMs. But they could potentially be used against the ATMs operated by mainstream banks, the hacker said.

Criminals use many ways to tamper with ATMs, ranging from sophisticated to foolhardy: installing fake card readers to steal card numbers, and even hauling the machines away with trucks in hopes of cracking them open later.

Computer hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These were stand-alone machines, the type seen in front of convenience stores, rather than the ones in bank branches.

His goal was to find ways to take control of ATMs by exploiting weaknesses in the computers that run the machines.

He showed off his results at the Black Hat conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

In one demonstration Tuesday, Jack, director of security research for IOActive Inc. in Seattle, showed how to get ATMs to spit out money:

He found that the physical keys that came with his machines were the same for all ATMs of that type made by that manufacturer. He figured this out by ordering three ATMs from different manufacturers for a few thousand dollars each. Then he compared the keys he got with pictures of other keys, found on the Internet.

He used his key to unlock a compartment in the ATM that had standard USB slots. He then inserted a program he had written into one of them, commanding the ATM to dump its vaults.

This article appeared on page D – 6 of the San Francisco Chronicle

Tags: ATM, Automated teller machine, Barnaby Jack, BlackHat, Computer security, San Francisco Chronicle, Seattle, Silicon Valley

Jul 05 2010

Risky business

Category: hipaaDISC @ 11:02 pm
Information Security Wordle: NIST HIPAA Securi...
Image by purpleslog via Flickr

By Mary Mosquera

Last year’s HITECH Act toughened the rules and enforcement penalties health information handlers must follow to protect patient privacy.

Under the new policy regime, providers will have to pay more attention to the confidentiality and safety of patient information as they move more of their operations toward electronic health record-keeping.

Without sound security policies and practices, privacy “will be just a principle,” said Sue McAndrew, deputy director for privacy in the Office of Civil Rights, the Health and Human Services Department office that was given responsibility for health privacy and security policy under the new law.

OCR-draft-guidelines-for-security-risk-analysis

“We want it to be a reality for consumers,” she said at a recent privacy and security conference sponsored by OCR and the National Institute for Standards and Technology.

One of the most basic requirements is that providers must now perform a security assessment, a first step in understanding systems and electronic data over which they are temporary stewards.

OCR recently drafted guidance to help providers and payers figure out what is expected of them in doing a risk assessment. While it might sound onerous, a risk assessment might not be as difficult or costly as some providers might believe, even for small practices, privacy.

“When you say, ‘do a security risk assessment’, people’s eyes glaze over,” said Lisa Gallagher, security director of privacy and security for the Healthcare Information and Management Systems Society. “But really, it’s asking, ‘what are the risk areas?’, ‘how could someone get to it?’ and ‘what controls can you put in place to protect it.’”

In its guidance, OCR said organizations should identify and categorize their data collections, document threats to information that might lead to a disclosure of protected data and check to see if their current security measures are adequate.

“For a small organization, it sounds overwhelming and time-consuming, but in a lot of ways, it’s things that they already do,” said Pat Toth, a computer scientist in NIST’s computer security division.

“What small providers need to do is get an understanding of the framework and break down each step,” she said. “It is something that’s going to be living in their organization, so if they do their categorization and get that right, it will set the correct tone for the rest of the process.”

NIST has developed a quick-start guide, a “Cliff’s Notes” of its security publications detailing its risk management framework and risk assessment, in addition to frequently asked questions, to help providers, especially small practices.

For large organizations, risk management starts in the planning and architecture of systems across the enterprise and system life cycle, Toth said.

Besides a risk assessment, OCR is planning stricter reporting of disclosures of health information when electronic health records are used, even when the disclosure is for treatment and billing purposes. Providers will also have to give the reason for the disclosure. In May, OCR published a request for comments on its rulemaking.

The most effective method of accounting for disclosures is by using automated logging features in electronic health records and other computer systems, according to Mac McMillan, chief executive officer of Cynergistek Inc., an IT security consulting firm.

System logs are used to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential information so providers can recover evidence of that access.

“A lot of the difficulty to get accounting of disclosures in place is because of a lack of industry auditing capabilities,” he said at the OCR and NIST conference. “Most systems don’t have the functionality.” Moreover, IT security folks he works with have logging activated, “but they are still manually digesting them,” McMillan said, adding that manual audits are a time-consuming and imprecise process.

Even so, such practices must now be the order of the day under the new privacy and security framework. “The security rule says wherever you have electronic health information, you need to protect it,” said HIMSS’s Gallagher. “You may not even apply for meaningful use incentives. But if you’re keeping data in electronic form, you have to comply with the security rule.”

Related articles

hitech-act-increases-hipaa-security-requirements

healthcare-organizations-may-not-be-prepared-for-hitech-and-other-security-challenges

Related articles by Zemanta

Tags: arra and hitech, Civil and political rights, Computer security, Consultants, Electronic health record, General and Freelance, hipaa security, hitech, National Institute of Standards and Technology, Risk management, Security

Jun 22 2010

Symantec: SMBs Change Security Approach with Growing Threats

Category: BCP,MalwareDISC @ 1:50 am
Image representing Symantec as depicted in Cru...
Image via CrunchBase

By: Brian Prince

A survey of small to midsize businesses from 28 different countries by Symantec found that companies are focusing more on information protection and backup and recovery. Driving these changes is a fear of losing data.

Today’s small to midsize businesses (SMBs) are facing a growing threat from cyber-attacks, and are changing their behavior to keep up.

In a May poll of 2,152 executives and IT decision makers at companies with between 10 and 499 employees, Symantec found SMBs are now spending two-thirds of their time dealing with things related to information protection, such as computer security, backup and archival tasks, and disaster preparedness. Eighty-seven percent said they have a disaster preparedness plan, but just 23 percent rate it as “pretty good” or “excellent.”

Driving the push for these plans, as well as the interest in backup and recovery, is the fear of losing data. Some 42 percent reported having lost confidential or proprietary information in the past, and all of those reported experiencing revenue loss or increased costs as a result. Almost two-thirds of the respondents said they lost devices such as smartphones, laptops or iPads in the past 12 months, and all the participants reported having devices that lacked password protection and could not be remotely wiped if lost or stolen.

In the past, SMBs would settle for having antivirus technology, said Bernard Laroche, senior director of product marketing at Symantec. Now, however, they are starting to realize the threat landscape is changing, he said.

“If you look at endpoint usage … in most SMBs that’s the only place where the information resides because people were not backing up 
 so if somebody would lose a laptop at the airport or somebody steals the laptop in the back of car or something, then your information is obviously at risk and that can bring a lot of financial impact to small business,” he said.

The survey also found SMBs are spending an average of about $51,000 on information protection. The financial damage for those who suffer cyber-attacks can be significant. Cyber-attacks cost an average of $188,242 annually, according to the survey. Seventy-three percent said they were victims of cyber-attacks in the past year, and 30 percent of those attacks were deemed “somewhat/extremely successful.” All of the attack victims suffered losses, such as downtime, theft of customer or employee information, or credit card data, Symantec reported.

“The concept of, ‘I’ve got an antivirus solution, I’m fully protected,’ I think those days are gone,” Laroche said.

Detail information on Symantec SMBs Suites:

Symantec Endpoint Protection Small Business Edition 12.0

Symantec Protection Suite Small Business Edition 3.0

Tags: Backup, Business, Computer security, Credit card, Emergency Management, Small business, SMB, SMB suites, Symantec, Warfare and Conflict

Dec 16 2009

Internet security breach found at UCSF

Category: hipaa,Security BreachDISC @ 2:38 pm

University of California, San Francisco
Image via Wikipedia

By Erin Allday, SF Chronicle

Hackers may have had access to personal information for about 600 UCSF patients as a result of an Internet “phishing” scam, campus officials said Tuesday.

The security breach occurred in September when a faculty physician in the UCSF School of Medicine provided a user name and password in response to a scam e-mail message. The e-mail had been sent by hackers and made to look as though it came from UCSF workers who are responsible for upgrading security on internal computer servers.

The university is not identifying the physician.

A UCSF audit in October found that e-mails in the physician’s account included personal information about patients, including demographic and clinical data, and the Social Security numbers of four patients. It is unknown whether hackers actually accessed the e-mails.

The patients have all been notified of the security breach.

Phishing scams are designed to get people to reveal private information – such as Social Security numbers, credit card information and passwords – when they reply to e-mails that pretend to come from legitimate organizations.

For years, financial institutions and other corporations have been educating people to be cautious of such scams and wary of revealing private information on the Internet.

In response to the latest scam, UCSF officials said the university has been re-educating employees about protecting their user names and passwords.


Here we have another unnecessary healthcare data breach in a university due to phishing which resulted in a loss of private data demonstrating poor baseline security and lack of security awareness training. Healthcare organizations are not ready for HIPAA (ARRA and HITECH provision) compliance. Checkout why Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.


Considering healthcare standard electronic transaction (compliance date, Jan 1, 2012) and HITECH provision (compliance date, Feb 17, 2010) are in the pipeline for healthcare organizations. Do you think it’s about time for them to get their house in order?

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: arra and hitech, arra hitech provisions, Computer security, Credit card, Health Insurance Portability and Accountability Act, hipaa, Identity Theft, phishing, social security, Social Security number

Dec 10 2009

What is a risk assessment framework

Category: Information Security,Risk AssessmentDISC @ 5:46 pm

Computer security is an ongoing threat?!?
Image by Adam Melancon via Flickr

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

Definition – A risk assessment framework (RAF) is a strategy for prioritizing and sharing information about the security risks to an information technology (IT) infrastructure.

A good RAF organizes and presents information in a way that both technical and non-technical personnel can understand. It has three important components: a shared vocabulary, consistent assessment methods and a reporting system.

The common view an RAF provides helps an organization see which of its systems are at low risk for abuse or attack and which are at high risk. The data an RAF provides is useful for addressing potential threats pro-actively, planning budgets and creating a culture in which the value of data is understood and appreciated.

There are several risk assessment frameworks that are accepted as industry standards including:

Risk Management Guide for Information Technology Systems (NIST guide) from the National Institute of Standards.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) from the Computer Emergency Readiness Team.

Control Objectives for Information and related Technology (COBIT) from the Information Systems Audit and Control Association.

To create a risk management framework, an organization can use or modify the NIST guide, OCTAVE or COBIT or create a framework inhouse that fits the organization’s business requirements. However the framework is built, it should:

1. Inventory and categorize all IT assets.
Assets include hardware, software, data, processes and interfaces to external systems.

2. Identify threats.
Natural disasters or power outages should be considered in addition to threats such as malicious access to systems or malware attacks.

3. Identify corresponding vulnerabilities.
Data about vulnerabilities can be obtained from security testing and system scans. Anecdotal information about known software and/or vendor issues should also be considered.

4. Prioritize potential risks.
Prioritization has three sub-phases: evaluating existing security controls, determining the likelihood and impact of a breach based on those controls, and assigning risk levels.

5. Document risks and determine action.
This is an on-going process, with a pre-determined schedule for issuing reports. The report should document the risk level for all IT assests, define what level of risk an organization is willing to tolerate and accept and identify procedures at each risk level for implementing and maintaining security controls.

Related articles by Zemanta

Tags: Business, COBIT, Computer security, Data, Fire and Security, Information Technology, iso 27001, iso 27002, National Institute of Standards and Technology, NIST, OCTAVE, Risk management, Security, security controls, Technology

Dec 04 2009

Five ways to lose your identity

Category: Identity TheftDISC @ 2:42 pm

beconstructive12

By Jaikumar Vijayan
The rush by shoppers to the Web makes the season a great time for online retailers. It’s also a great time for hackers looking to steal data and money from the unwary millions expected to search for great deals online.

Checkout huge savings on Today’s Hot Deals on Information Security Solutions for the holidays

The growth of holiday hackers has annually prompted security analysts, identity theft awareness groups, and various government agencies to come up with lists of precautions that consumers can take to avoid becoming a victim of online fraud. Such lists can prove a benefit to consumers, but unfortunately some people ignore it.

Below are the identity theft awareness tips which can help maximize your exposure to online fraud.

Tip No. 1: Open all attachments from strangers and click on all embedded links in such e-mail messages. Such actions remain one of the most effective ways to provide thieves with personal information and financial data. All a hacker needs to do is find computer users who instinctively open e-mail messages from strangers, even those who write in a foreign language. The action can open the door to keystroke loggers, rootkits, or Trojan horse programs. Crooks can also easily install backdoors to easily steal data without attracting any attention. Once installed, hackers gain unfettered access to personal data and can even remotely control and administer systems from anywhere.

Tip No. 2: Respond to Dr. (Mrs.) Mariam Abacha, whose name is used by many hackers who say they have close friends and relatives in Nigeria who have recently been widowed or deposed in a military coup and need your help to get their millions of dollars out of the country. Users are told they will undoubtedly be rewarded for helping to get their “well-packed trunk boxes” full of cash out of Nigeria. And to make sure to provide bank account information, login credentials, date of birth, and mother’s maiden name so that they can wire the reward directly into a checking account in time for the holidays.

Tip No. 3: Install a peer-to-peer file-sharing client on your PC and configure it so all files, including bank account, Social Security, and credit card numbers, along with copies of mortgage and tax return documents, are easily available to anyone on the same P2P network. Your personal data will stream over the Internet while you check out what songs you can download for free without getting sued by the RIAA.

Tip No. 4: Come up with passwords that are easy to crack. It saves hackers from spending too much time and effort trying to access your PC. Clever sequences such as “123456” and “abcdef” and your firstname.lastname all make fine, easy-to-remember default passwords for you and for hackers. For maximum exposure, keep passwords short, don’t mix alphabets and numerals, and use the same password for all accounts.

Tip No. 5: Avoid installing the latest anti-malware tools and security updates. Keeping operating systems properly patched and anti-virus and anti-spyware tools updated make life hard for hackers. Users can help them out by making sure their anti-virus software and anti-spyware tools are at least 18 months out of date or by not using them at all. Either way, it’s very likely that your computer will be infected with a full spectrum of malware.

For additional tips on how to shop securely on Christmas and holidays season:
How to shop safely online this Christmas
Identity theft tip-off countermeasure and consequence | DISC

Please comment below regarding any other new and emerging threat which needs to be addressed during holiday’s season?

Reblog this post [with Zemanta]

Tags: antivirus, Christmas and holiday season, Computer security, Credit card, File sharing, hacker, Identity Theft, Malicious Software, Malware, Online shopping, Personal computer, Security, shop safely, shop securely, Spyware, threats, trojan, Trojan horse

Nov 03 2009

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Category: hipaaDISC @ 6:22 pm

medical-symbol
Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
HIMSS News
The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey, sponsored by Symantec

CHICAGO (November 3, 2009) – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

  • Security budgets remain low
  • Organizations often don’t have a response plan for threats or a security breach
  • A designated Chief Security Officer or Chief Information Security Officer is not in place

    • In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

    “Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to the address these concerns.”

    Other key survey results include:

    Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of their organization’s IT budget on information security. This is consistent to the level of spending identified in the 2008 study.

    Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

    Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).

    Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

    Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

    Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

    Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

    Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

    Future Use of Security Technologies: E-mail encryption and single sign on and were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

    Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

    “Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

    Targeting Chief Information Officers and Chief Security Officers and other Information Technology (IT) executives, the 2009 HIMSS Security Survey focused on an assessment of 196 information technology (IT) and security professionals in the healthcare field of their own readiness for today’s risks and security challenges.

    About Symantec
    Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

    About HIMSS
    The Healthcare Information and Management Systems Society (HIMSS) is a comprehensive healthcare-stakeholder membership organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded in 1961 with offices in Chicago, Washington D.C., Brussels, Singapore, and other locations across the United States, HIMSS represents more than 23,000 individual members, of which 73% work in patient care delivery settings. HIMSS also includes over 380 corporate members and nearly 30 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems. HIMSS frames and leads healthcare public policy and industry practices through its educational, professional development, and advocacy initiatives designed to promote information and management systems’ contributions to ensuring quality patient care. Visit www.himss.org for more information.

    For more information, contact:
    Joyce Lofstrom/HIMSS
    312-915-9237 – jlofstrom@himss.org

    Pamela Reese/Symantec
    424-750-7858 – pamela_reese@symantec.com

    Reblog this post [with Zemanta]

    Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", Chief Information Security Officer, Chief security officer, Computer security, Health care, Healthcare Information and Management Systems Society, hipaa laws, Information Technology, Security, status of arra and hitech, Symantec

    Jun 30 2009

    Security controls and ISO 27002

    Category: Information Security,ISO 27kDISC @ 1:56 pm

    seeyourdataUsually security breach occurs due to lack of basic security controls or lack of effective control which is not relevant over the time. Security controls also disintegrate over the time due to lack of maintenance and monitoring.
    According to Privacy Rights Clearinghouse survey, the top three breaches resulted from laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most of the security breaches happen during the state of non-compliance. The most famous TJX security breach happens in 2007, at the time of the breach TJX complied with only 3 out of 12 PCI-DSS requirements.

    Small organizations sometimes don’t have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is not an excuse of not understanding the relevant regulations and standards requirements to your business and having a clear security strategy which explains how to achieve the compliance down the road. Also your security strategy will be an evidence of your due diligence to secure your critical assets. On the other hand big organizations have enough resources to implement security controls, but for whatever reason they often do not have clear strategy how to establish security controls.

    Information security is not a onetime static process but an ongoing assessment of risks in your business, where you need to understand the your critical assets, classification of those assets based on CIA, sensitive data and its access, policies, standards, procedures , training, security reviews and continuous monitoring.

    One of the most popular baseline for security controls is the international standard ISO 27002 – Code of Practice for Information Security management. ISO 27002 have 11 security clauses and 133 security controls are high level which provides a reasonable guidance for implementing an Information Security Management System (ISMS). Due to ISO 27002 broad scope, it’s relevant to every industry and size of business.

    Organization should have a baseline of security controls before barging onto complying with PCI or HIPAA regulation. ISO assessment will help you to understand what controls are in place and assist you with security strategy and later will become a measuring stick for your ISMS.

    Ongoing compliance is achieved by monitoring the relevant controls. Ongoing compliance will depend on the quality of your information security management system (ISMS). ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.

    Related articles by Zemanta

    [TABLE=2]


    Reblog this post [with Zemanta]

    Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse

    May 18 2009

    Security breach and notification

    Category: Security BreachDISC @ 1:05 am

    California Flag
    Image by victoriabernal via Flickr

    California was the first state in the nation to pass a data breach notification law in 2003, and it’s now planning to broaden the notification for companies doing business in the state. Notification will require specific information about the breach to the consumer and send notices to the state authorities at the same time.

    The notices which consumers currently receive are basically too little too late, meaning they might say that your information may have been compromised and these notices may be released several months after the incident.

    notice

    California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company which had a security breach be responsible for the cost of the notification?

    Current notification does not inform you where and how your credit card information was compromised so that at least you can stop shopping from that merchant. When consumers ask specific questions regarding the breach to the credit card company customer service representative, they will deny any knowledge of the breach and will say something along the lines of, when all the legal information has been taken care the credit card company will send you a detailed letter about the breach.
    Now in case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, that particular notice might have “crying wolf” effect and consumers might not take any action.

    Last week a well publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows lack of monitoring control and due care.
    When a young college student affected by the breach receives a “may have been breached” notice he or she immediately will worry about his/her credit and possibility of identity theft. Now the question is why a student has to bear the burden of the negligence by the merchant or campus and lack of reasonable security safeguards. After issuing such notice that the private information “may have been compromised,” the responsibility of keeping an eye on your credit is transferred to you. The problem is some fraudulent transactions might not be noticed for at least a year.



    Reblog this post [with Zemanta]

    Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley

    Apr 02 2009

    Cloud computing and security

    Category: Cloud computingDISC @ 5:55 pm
    File:Cloud comp architettura.png

    https://commons.wikimedia.org/wiki/File:Cloud_comp_architettura.png

    Cloud computing provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Main concern for security and privacy of user is who has access to their data at various cloud computing locations and what will happen if their data is exposed to an unauthorized user. Perhaps the bigger question is; can end user trust the service provider with their confidential and private data.

    “Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

    Three categories of cloud computing technologies:

    • Infrastructure as a Service (IaaS)
    • Platform as a Service (PaaS)
    • Software as a Service (SaaS)

    Cloud computing is offering lots of new services which increase the exposure and add new risk factors. Of course it depends on applications vulnerabilities which end up exposing data and cloud computing service provider transparent policies spelling out responsibilities which will increase end user trust. Cloud computing will eventually be used by criminals to gain their objectives. The transparent policies will help to sort out legal compliance issues and to decide if the responsibility of security breach lies on end user or service provider shoulders.

    Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

    Possible risks involved in cloud computing
    Complete data segregation
    Complete mediation
    Separation of duties
    Regulatory compliance (SOX, HIPAA, NIST, PCI)
    User Access
    Physical Location of data
    Availability of data
    Recovery of data
    Investigative & forensic support
    Viability and longevity of the provider
    Economy of mechanism

    Related articles by Zemanta

    Continue reading “Cloud computing and security”

    Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services

    Mar 12 2009

    Cybersecurity and congressional hearing

    Category: Information WarfareDISC @ 2:02 am

    United States Central Command
    Cybersecurity experts were at congress floor this week to discuss security strategy and threats to federal government infrastructure for not having an appropriate strategy and funding.

    “Where are we today in cyber security? From one perspective, we are in remarkably bad shape. In the last year, we have seen the networks of the two Presidential campaigns, secure networks at the U.S. Central Command and computer networks in Congress and other Federal agencies penetrated by outsiders.” Dr. Jim Lewis, Center for Strategic and International Studies

    “But in our rush to network everything, few stopped to consider the security ramifications of this new world we were creating. And so we find ourselves in an extremely dangerous situation today – too many vulnerabilities exist on too many critical networks which are exposed to too many skilled attackers who can inflict too many damages to our systems. Unfortunately, to this day, too few people are even aware of these dangers, and fewer still are doing anything about it.” Rep. Yvette Clarke, D-N.Y., who chairs the subcommittee

    Amit Yoran said that research and development must be bolstered, standards for securing systems must be reformed, and a legal analysis of the governance, authority and privacy requirements is needed. cybersecurity focuses on monitoring adversaries, determining their methods and techniques, tracking their activities to a point of origin, and determination of compromise scope, intent and objective.

    Copies of written testimony from 3/10 proceedings are available on the Committee on Homeland Security site.

    Detection of cyber attacks and emergency response plan is a paramount to be successful against cybersecurity attacks. I think federal government needs a new proactive paradigm for cybersecurity, which inspect the packet (deep packet inspection) to distinguish malicious packet from normal packet. This way malicious packet can be dealt appropriately at perimeter before it create a havoc at inside network or at end user desktop.

    Related articles by Zemanta

    Related videos by YouTube

    httpv://www.youtube.com/watch?v=5rDEw3uSK54

    Reblog this post [with Zemanta]

    Tags: Amit Yoran, Barack Obama, Center for Strategic and International Studies, Computer security, Congress, Federal government of the United States, Security, United States

    Feb 25 2009

    Small business and assessment of IT risks

    Category: Security Risk AssessmentDISC @ 5:02 pm

    Network and Information Security Agency
    According to a study released by European Union ENISA, Small-to-Medium-Sized (SME) enterprises require extra guidance in assessment of IT security risks of their assets.

    Agency also established that in the first implementation it is improbable that SME can utilize a risk assessment & risk management approach without external assistance and simplified information security approach was extremely useful for security awareness on the part of business to improve their information security management approach. One of the main drivers that have pushed ENISA towards a simplified Risk Assessment and Management approach was the idea that SMEs need simple, flexible, efficient and cost-effective security solutions.

    Regarding the entire process applied for the life-cycle of the simplified approach, ENISA has applied the Plan-Do-Check-Act model:
    o PLAN: creation of a simplified Risk Assessment & Risk Management approach for SMEs
    o DO: run pilots in different contexts inside EU
    o CHECK: get feedback from pilots and aggregate and analyze it
    o ACT: review and improve the simplified approach starting from the feedback
    It is expected that through repetitions of the above life-cycle a proper maturity of the simplified ENISA method will be achieved.
    ra-process
    Diagram: Overview of the phases of the ENISA simplified approach
    ENISA simplified and standardized approach for risk assessment for SMEs is designed for untrained users and organization with small IT infrastructure. Security of SMEs is crucial for European economy, since they represent 99% of all enterprises in EU and around 65 million jobs, said ENISA said.

    ENISA report and findings

    As economic slowdown is looming ahead in US economy, it makes sense to adopt a lifecycle approach which is simplified, standardized in managing and securing the SMEs data. SME is the core engine of US economy as well; taking a standard based approach for data protection will not only serve to increase awareness and secure businesses but will also satisfy various compliance needs. Complexity is an enemy of security and SME most of the time don’t have inside expertise to tackle organizations information security needs. The main idea is to build a simple, flexible and cost efficient risk assessment and risk management program for non-expert users and management with relatively less complex IT infrastructure which fits the needs of all SME. This program will serve as an IT risk assessment tool; fulfill the needs of several regulations and serves as a great security awareness tool as well. As business needs change, risk assessment and risk management process can be improved utilizing Deming PDCA model. Start with a base model program and improve the process to tailor your business needs down the road.

    Another methodology which is worth mentioning here for simplified risk assessment approach for SME is Facilitated Risk Analysis and Assessment Process (FRAAP) created by Tom Peltier which can be utilized to identify and quantify threats to IT infrastructure. Tom also teaches a class how to complete a risk assessment in 5 days or less utilizing FRAAP and his book on “Information security risk analysis” where he explains his FRAAP methodology.

    Related articles by Zemanta

    Computer Security
    httpv://www.youtube.com/watch?v=MUQzEJ82TrQ

    Reblog this post [with Zemanta]

    Tags: Business, Computer security, Consultants, European Network and Information Security Agency, European Union, information security risk analysis, Risk management, Security, Security Risk Assessment, Small and medium enterprises, SME

    « Previous Page