Top Vendors Join Forces for IT Security

Five major vendors in the IT&C field, namely Cisco, IBM, Microsoft, Juniper Networks and Intel, have joined forces to launch the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a dedicated IT security forum whose main goal is to allow co-operation between companies from all over the world in addressing security threats.

As Computing.co.uk pointed out, ICASI will also provide a government-neutral approach to resolving global, multi-vendor security incidents.

“It is critical that the technology industry strengthen its ability to combat the ever-changing nature of the global cyber threat landscape,” said Malcolm Harkins, general manager of Intel’s information risk and security IT group.

Public Access vs. Private Records Protection

The European Data Protection Supervisor, Peter Hustinx, stated he was unhappy with the proposed law aimed at improving public access to EU documents. The European Commission proposed the law as a means to improve European government transparency.

Yet according to Computing.co.uk, Hustinx is concerned that the security measures meant to protect personal data in public documents are inefficient. His concern was triggered when a reference to possible harm to “the privacy and the integrity” of the individual was deleted from the initial proposal.

“Public access on the one hand and privacy and data protection on the other are fundamental rights which represent key elements of good governance,” said Hustinx.

We’ll just have to wait and see what will happen, and if the right to public access wins the battle, we could recommend some DLP solutions :).

HMRC Breach Caused By Poor Security

A formal inquiry into the now notorious security breach reported last October at HM Revenue & Customs (HMRC) has recently been published. The breach exposed 25 million personal records and was found to have been caused by “major institutional deficiencies”, reports SearchSecurity UK.

The inquiry extensively details the operating procedures in place at HMRC before the data breach. It also describes the circumstances that led to the loss of two CDs holding personal and financial information on Child Benefit recipients.

The inquiry, led by Kieran Poynter of management consultants PricewaterhouseCoopers (PwC), concluded that “information security simply wasn’t a management priority as it should have been, and HMRC had an organizational design which was unnecessarily complex and crucially, did not clearly focus on management accountability.”

The report of the investigation provides a detailed blow-by-blow account of the events leading up to the data loss, with extracts of emails showing who said what to whom. However, since the blame for the breach is attributed to cultural and organizational weaknesses, the staff members involved are given anonymity and referred to only as employees A, B, C and so on.

Researchers Call for Measurable Security Objectives

The next big step in security policies should focus heavily on ways to quantify completed and ongoing security objectives, says Pete Lindstrom, senior analyst at Burton Group, the Midvale, Utah-based research firm. The purpose of this move would be both to justify spending and to highlight the value yielded by ongoing projects.

This message was delivered at the Burton Group Catalyst Conference ‘08 and, as SearchSecurity.com noted, Lindstrom is sketching a new model to help security experts measure and articulate security program successes and failures to senior management.

“We need to get objective and quantitative in our environments in order to better manage our programs,” Lindstrom said. “We have to collect ourselves together as a profession and define what it means to meet our security objectives.”

New PCI Standards Disregard Inside Threats

Starting June 30, new measures added to the Payment Card Industry (PCI) standard will be enforced. However, representatives of a database security firm point out that the new additions do nothing to address insider threats.

As Vnunet.com shows in a recent article, the new measures require that companies dealing with stored credit card and other consumer financial data either install firewalls around all internet-facing applications or have all customer application code reviewed for common vulnerabilities.

Secerno representatives argued that the new and “improved” standard does not address real threats effectively:

“The PCI Data Security Standard has the best intentions but, as is the case with many compliance directives, it barely addresses the most immediate and upcoming threats to consumer data,” said Paul Davie, founder of Secerno.

“It is generally inadequate for addressing the sort of internal threat that can be exploited easily, such as by general or privileged users.”

Besides completely ignoring ill-willed insiders, the PCI standard also fails to regulate data encryption requirements, database security policies, or measures for protecting data on private networks.

There’s No DLP without Encryption

Any enterprise considering implementing data loss prevention technology in the future must keep one aspect in mind: efficient DLP goes hand in hand with a sound encryption strategy. With this in mind, Dark Reading states that DLP solutions are surely moving from quick fixes aimed at reducing data breaches to being seen as a core strategy whose purpose is to identify sensitive corporate information as such and to control access to it.

This shift in how DLP solutions are viewed might be what’s needed to bring back to life previously designed and now stagnant data encryption projects.

“Every major DLP vendor has, or is developing, encryption capabilities or partnerships,” says Rich Mogull, founder and principal analyst at Securosis, a security consultancy. “File/folder encryption and DLP should be integrated.”

If this prediction is right, we have complex and highly effective corporate security strategies to look forward to. As laws neither stop breaches or identity thefts nor significantly reduce them, comprehensive policies might prove to be a much better alternative.

Breach Disclosure Laws are Pointless

Researchers at Carnegie Mellon University have just released data showing that the information security breach laws enforced in the US have failed to reduce identity theft. According to The Register, these findings come at a time when there’s increased demand for similar laws in Europe that would oblige organizations to notify customers in cases where their personal details become exposed.

The research findings were based on a state-by-state analysis of data from the US Federal Trade Commission (FTC). The researchers analyzed identity theft complaints made to the FTC from 2002 to 2006, trying to spot differences after states introduced data breach disclosure laws. California was the first state to introduce such regulations and 43 other states have since followed its lead.

The researchers determined that factors such as changes in a state’s average income and population, or overall levels of fraud, had a much greater impact on fraud rates than these laws, as The Register’s reproduction of the paper’s abstract shows:

We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses and improving a firm’s security and operational practices.

“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” Sasha Romanosky, a PhD student at Carnegie Mellon and one of three authors of the study, told Computerworld.

The Army Investigates Breach Exposing 1,000 to Identity Theft

The Walter Reed Army Medical Center has just released information on a security breach exposing about 1,000 patients of both Walter Reed and other military hospitals to identity theft. The incident has raised great concerns, and the Army is currently investigating it.

According to Associated Press, the exposed private records contained names, Social Security numbers, birth dates and other personal details. However, the compromised computer file did not include medical records, or the diagnosis or prognosis for patients, hospital representatives quoted by AP said.

The disclosure marked the latest in a series of breaches of government computer records.

Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army. They would only say that the computer file was found on a “non-government, non-secure computer network.”

A New Approach to Stealing Identities

Research company Gartner is about to release its new forecast showing us what security threats we’ll be dealing with in the future. To raise interest in the forthcoming data, they’ve given away some of the details, as a teaser that seems to be working great. Their statements have also been reported by Dark Reading.

What is really interesting here is their view on where new threats will emerge. Hackers and wrongdoers of all kinds will target all things shared and social. While this will mostly be to facilitate the quick spread of malware, social networks will also be targeted to obtain credentials. So beware of what personal data you post on your social profiles, and make sure you find out how your email passwords are handled when you import contacts or send out invitations. Try these easy steps to make sure your identity isn’t then misused.

Our blog will fill you in on other interesting findings as soon as the official Gartner Forecast hits the market, so see you all soon!

Malware Infected Giveaways at Security Conference

One would expect security to be a major concern for those advertising at and attending security conferences. But reality shows otherwise. Integrated telecommunications provider Telstra distributed malware-infected USB drives at the 2008 AusCERT security conference.

According to SearchSecurity, the USB drives were recalled as soon as the security issue was discovered. The AusCERT security conference was attended by up to 1200 delegates, all of them potentially exposed to a serious infection.

IT Security journalist Davey Winder states security problems at such conferences are no longer surprising. In a blog post published on DaniWeb, he provides insight on how potential breaches are facilitated at security events:

I have lost count of the number of such events where I have been able to quickly scan and detect numerous unsecured wireless networks and where ‘researchers’ attend with the express intention of finding such security holes and jumping in with both feet to see what resources can be compromised. Often it is the people who should know best who seem most liable to suffer from complacency, and security conferences are a great example of this genre of should have known better syndrome. […]

So you could say I am not easily surprised, but what does surprise and rather shock me about this particular case in Australia is that the USB sticks being distributed by a large telco were apparently pre-owned, second-hand ones. I mean, how cheap do you have to be to use pre-owned USB sticks? These things are so cheap brand new that you will be finding them in Xmas crackers soon…