While their cybersecurity czar plans have been delayed for so long we were all a bit tired for waiting, the White House approach to fighting cyber threats seems to have found a new focus these days: recommending training, exams and detailed certification requirements for cybersecurity professionals employed or contracted by the federal government. And this is going through the careful review of a commission whose main purpose is to advise the Obama administration on cybersecurity policy.

The Commission on Cybersecurity for the 44th Presidency, which in December 2008 issued its Securing Cyberspace for the 44th Presidency report to Congress, is currently working on a sequel to that report, due sometime in late June or early July. The commission, made up of a who’s who of experts and policy-makers, is debating strategies for building and developing a skilled cybersecurity workforce for the U.S., as well as issues surrounding an international cybersecurity strategy and online authentication.

Of course, the discussion got a bit stuck in the first part of the future report, the cybersecurity workforce. With no one knowing if the new certification recommendation will take into account existing certifications or not, with people in the commission and in the field of cybersecurity having different takes on the issues, and given the need to details qualification needed for each type of IT security pro, I assume it will take a while to get to a common decision on this one

According to Tom Kellermann, a member of the Commission and vice president of security awareness at Core Security Technologies, the federal government has bigger problems: an insufficient workforce that’s about to shrink some more if certifications become mandatory requirements:

“I would suggest that we need to increase our workforce, but not ostracize those that don’t have certifications to get them or lose their jobs. They should be grandfathered in,” Kellermann says.

Exploring a movie-like scenario, I have to wonder – If they ever want to cut a deal with a genius hacker and have him/her do some anti-hacking work for them, would they care if that person has the required certifications?

Yet another warning about data loss, company policy and how easily all your files can be liked over the internet comes into the security world, this time from the Federal Trade Commission. Long overdue some would say, including Robert Siciliano in a recent post on Information Security Resources.

Yes, it is quite bewildering to see how after warning after warning and a long line of data breach incidents, companies still allow the misuse of software and hardware resources. It is also confusing to see the FTC now getting ready to directly warn about 100 companies about the risks of peer-to-peer. It’s a bit late, years and years after the problems appeared.

But if there are any IT managers or CEOs who don’t know what peer-to-peer can lead to, here are a few quotes from Siciliano’s article:

Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords.

An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software.In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers.

I’ve found family rosters which include usernames, passwords and Social Security numbers for entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.

In some cases, the benefits of technology are far more important than the risks. It happens with all gadgets that make work fun, efficient and portable. But if you do allow your employees to install software that’s easily hacked, at least protect your files by restricting access to them…

A data breach that results in exposing private details usually means bad consequences. Especially when an institution fails to properly inform those affected of what had happened. Such is the case of the recent Blue Cross Blue Shield’s (BCBS) loss of confidential information, including tax identification and social security numbers, for about 800000 healthcare providers from all US.

The data breach in question is currently being investigated by Connecticut Attorney General Richard Blumenthal as BCBS may have broken the state law by suffering the breach and then failing to inform those affected on time.

The information in question was lost back in August when a laptop containing it was stolen. Although the theft has affected providers all across the US, the Connecticut AG is only investigating on behalf of 18,817 of its Connecticut health care providers. What he aims is to obtain credit monitoring for more than just one year, as commonly offered, and seek additional identity theft protection.

On the other hand, BCBS states they started notifying those involved within days from the incident, not a month later as implied by the AG. Either way, they are more than willing to offer credit monitoring for two years, or at least a branch of the institution is!

The data breach rules that become effective on September 23^rd have been harshly criticized by a security firm specializing in encryption. According to the Health Information Technology for Economic and Clinical Health (HITECH) Act, US health organization using encryption will no longer be required to    notify their clients of data breaches, regardless of how ineffective the encryption system is.

According to the act, only healthcare providers and plans that have implemented the HIPAA standards but fail to encrypt the sensitive data they keep on their clients will have to let individuals know their private details have been breached. Even in such a case, explains The Register, it will be up to each organization to decide if there is a real risk for those affected and only afterward issue data breach notices.

“The protection law should address everyone – including those who have already implemented encryption, since most encryption systems are point-to-point even when they say otherwise,” said Mark Bower, director of information protection solutions at Voltage Security.

In its present form, the HITECH Act provides a quick and often inefficient fix to make ammends with data security rules.

The Federal Trade Commission has recently issued a final rule that requires Web-based companies to notify consumers when the security of their electronic health information has been breached. The new rule was put into place by Congress as part of the American Recovery and Reinvestment Act of 2009.

As explained by Dark Reading, the rule applies to both vendors of personal health records “which provide online repositories that people can use to keep track of their health information ” and entities that offer third-party applications for personal health records.

The FTC’s Final Rule comes to complete the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which left out many types of organizations that could have exposed health related information.

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers.

The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must also notify the FTC.

An EU committee of data protection regulators has recently announced that all social networking sites such as Facebook or MySpace are legally responsible for their users’ privacy. According to the Register, the European data watchdogs regard such sites as “data controllers”, thus they have to abide by all legal obligations such a status entails. Even if they are headquartered in a different country, social networking companies still are data controllers under EU laws.

Also, the site users hold a similar position, making them all legally responsible for all information posted on behalf of a club, society or company.

“SNS [Social Network Service] providers are data controllers under the Data Protection Directive,” it said. “They provide the means for the processing of user data and provide all the ‘basic’ services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes – including advertising provided by third parties.”

Although the numbers of data breaches reported in the UK has been significant this year, the UK Government has recently announced it will not implement a compulsory data breach notification law for the private-sector companies. The decision was made after reviewing a recommendation made in July by information commissioner Richard Thomas.

On the other hand public-sector organizations are obligated to report any significant potential or actual data loss. Their private-sector counterparts should report the losses in the spirit of “good business practice”. So if your data is exposed by a public-sector institution and only 2 others have been affected, or if a private company looses thousands of private record but does not see reporting the incident as good practice, you will never find out.

“After considering the analysis of the experience of the US in the area of data-breach notification legislation, the government is not intending to implement similar legislation to that in operation in the US,” states the Response to the Data Sharing Review Report.

Private-sector companies are not clear of all consequences, as fines for organizations found in breach of data-protection laws will soon be raised. According to the same report, The Ministry of Justice is working with the Information Commissioner’s Office to determine the level of the maximum fine.

TechCrunch definitely seems to think so. So what’s Sarbanes-Oxley? Also known as Public Company Accounting Reform and Investor Protection Act of 2002, SOX or Sarbox, enacted on July 30, 2002. It’s purpose was to prevent major disasters such as Enron or WorldCom. Through its stipulation it also enforces some specific requirements on security policies, thus most endpoint security solutions try to help cover this aspect, some better than others.

While complying with SOX is mandatory in the US, it also works as a marketing tool for endpoint security solutions on other markets. This positioning, as legally and international standard compliant, helps developers sell their product easily.

So what’s wrong with SOX? According to TechCrunch, all flaws are related with business strategy aspects and not with security policies. The main problem is that SOX affects the way companies can prepare and have their initial public offering (IPO), fact that causes them to turn to either mergers instead of IPOs or to getting listed on foreign stock exchanges. They can always wait for 12 years to get listed or entirely give up the going public idea. All these because of huge compliance costs that most businesses can’t really afford.

It would be interesting to see if there other voices will rise agains SOX and how it will be changed in the future, business and security wise.

As more and more data breaches are revealed and debated online, the number of victims of such incidents increases. From never-ending sales calls to having items charged on your card to seeing credit ratings go down the drain to identity theft, these people are the ones who feel the most powerful consequences, not the companies where the breaches occur.

So what are these people to do to protect themselves and get back to how things were? In what credit ratings are concerned, UK victims are advised to use the Data Protection Act to rebuild them. According to E-Victims org, a former support group for cybercrime victims quoted by the Register, even after establishing fraud and absolving themselves of liability to fraudulent debt, data breach victims still have poor credit ratings.

As credit agencies rely on data from lenders, not on corrections communicated by those who borrow money, the organization says the Act could be used to force lenders to correctly communicate the status of fraud and data breach victims. Otherwise, even if they get a new credit, victims of such breaches will still have to pay higher interest rates. The Register also directs victims to a factsheet published by E-Victims.org aimed to help them with their credit reports.

According to recently released data, US mid-sized companies are more concerned about information security than cutting down costs. The survey conducted by Arrow Electronics Inc collected data from 200 US companies with annual revenues from less than $ 100 million to over 1 billion. 80% identified security as a top business issue, while only 60% referred to cost reduction and 64% target improving their customer service.

Although they admit IT security is of utmost importance, few are satisfied with the level of security already implemented in their mid-sized businesses. Only 32 percent of respondents said their company is properly handling all threats. That leaves 68% of companies concerned, yet highly vulnerable.

Yet the 32% might also be quite vulnerable to all kinds of threats, as shown by David Vellante, co-founder and principal contributor of the Wikibon user group. His statement, quoted by Dark Reading, shown these respondents are only unaware of what’s really at stake.

”I believe that the 32 percent of respondents that are ‘very satisfied’ with how their company is addressing security concerns are deluding themselves — they should wake up and smell the coffee,” wrote Vellante. “As an industry, since 2000 we’ve spent billions on security in the form of virus protection, network security, firewalls and other infrastructure… do you feel more secure? No way!”