July 27, 2006
Adding "ID Theft" Insult to Injury
This is like déjà vu all over again. Here's another case of a missing computer potentially compromising the identities of over half a million injured workers in New York.
(Hat Tip: Martin McKeay, ComputerWorld Security Blog)
Names, addresses, and SSNs of these workers from two workers' compensation funds are potentially compromised because the computer storing this information has been stolen. No, let me restate that. To be specific - this computer, provided by NY state to the CS Star contracting company, is not technically stolen but actually "cannot be located," according to a letter sent to those impacted by this situation.
Now, don't get me wrong. I have some sympathy for that excuse...I tend to be forgetful and sometimes the keys to my car "cannot be located" temporarily on a Monday morning...in 10th grade, at times I found it necessary to tell my math teacher that my homework "cannot be located"...but I think the state of NY could do a little better than that.
See a trend with this and the Veterans Admin situation? In the near future, there are probably going to be far more identities compromised by careless handling of laptops and other computers than from hackers compromising an electronic transaction. We may transact bits & bytes for a living but we live in a physical world. Security policy enforcement must involve connecting the dots between the two.
Posted by andreyee in Privacy/Information Theft
July 24, 2006
Another Kind of Security Issue for MySpace
MySpace.com, the popular social networking site for teens, has been under the spotlight for its lack of security controls and safety measures to protect teens against predatory adults who might be seeking an easy target...and it has been taking steps to address that:
http://news.com.com/MySpace+reaching+out+to+parents/2009-1041_3-6059679.html
But now comes a warning of a security problem of a different kind, as reported by Brian Krebs on his Washington Post blog: adware being served up to unsuspecting visitors to MySpace sites.
http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html
That's no isolated incident, either. The prior week, another adware issue with MySpace was reported. Apparently, a developer from Zango, an adware company, had set up fake MySpace profiles to push adware to visitors and presumably ring up adware revenue for them.
http://www.techweb.com/wire/security/190301926
Zango insists that the employee in question acted independently and without the company's consent, but nonetheless it highlights how MySpace is becoming a target for increasing adware abuse and other security attacks.
Granted, compared to safety policies for the MySpace teen community, adware may seem like just a mild annoyance. However, it's a sign of the kind of IT security risks these unregulated sites pose to unsuspecting visitors, and corporate security managers should take note - your employees surfing sites like MySpace can punch a hole in your enterprise security policies. Today it's mostly adware. The real problem is... you just never know what might be served up next.
Posted by andreyee in Alerts/Warnings
July 19, 2006
Compliance & the Security Manager
Over the past 5 years, the need for regulatory compliance has made a difference in the role of the security officer. Arguably, security managers must now be equipped with more than simply the ability to configure firewalls or set security policies - they must also be minimally conversant with, if not completely knowledgeable about, regulatory compliance.
Not all reg compliance is created equal, and there are several regs to be aware of depending on the industry segment your company plays in. HIPAA, FISMA, SOX, GLBA... they all call for involvement from IT security. However, my observation is that they share one thing in common - the lack of definition of what is expected from an IT security perspective. Hence, many security managers are left on their own to figure out "where to go from here" when it comes to compliance.
Take SOX as an example - there are a couple of components of the SOX regs that speak to involvement from IT, namely SOX 404 and SOX 802. In particular, SOX 404 has specific implications for the security manager since it involves ensuring proper internal controls over financial reporting. Yet the nature of that internal control and how it intersects with IT security isn't always well defined. The net result is that security managers are left to interpret that for themselves, often without the benefit of experience.
Just a few tips garnered from several articles and experts -
1. Read the reg. If you're seeking to comply with SOX 404, then it might be a good idea to read the reg for yourself.
2. The compliance auditor is your new best friend. What makes compliance challenging is that it's not just about auditing the controls or process which the compliance auditor is familiar with...nor is it simply about IT security which is the domain of the security officer...but in fact, it bridges both.
3. It's not about the technology. If anything, it's more about processes and policies...and making users aware of what those are.
4. Conform to industry security standards. The application of standards is a good thing since they are well published. The more you use proprietary standards, the more time-consuming the audit will be.
5. Finally, security industry groups such as ISACA (Information Systems Audit and Control Association) are leading the way in defining the IT security requirements for compliance. There are a couple of good resources out there, but one notable resource is CoBIT. CoBIT (Control Objectives for Information and related Technology) is produced out of a joint effort by ISACA and the IT Governance Institute. It is meant to provide guidelines for addressing the IT governance model for SOX. For more information, refer to:
www.isaca.org/cobit.htm
Compliance of any kind is challenging because it bridges the worlds of auditing and IT security. The security officer of today must be comfortable and conversant in both worlds in order to be successful. Benign ignorance is simply not an option anymore.
Posted by andreyee in Compliance
July 10, 2006
Just Released: Global Security Survey
The 9th annual Global Security Survey from Information Week just came out. As security-related surveys go, this is actually one of the best ones around. Much of what is discovered is typically similar from year to year, with some variability. However, there are always a few interesting nuggets to glean from reading the survey:
http://www.informationweek.com/story/showArticle.jhtml?articleID=190301155
Here are a few interesting (sometimes troubling) points of note:
- Customer Data Breaches are on the Rise. The compromise of proprietary customer data is a big problem that appears to be getting bigger. Notwithstanding greater awareness due to highly publicized cases, 11% of US companies reported that customer data had been compromised in some way in contrast to 6% last year.
- InfoSec Tithe by Country. In the US, 13% of IT budget is directed to information security as compared to 14% for China, 16% for Europe, 17% for India. Is this an indication that we don't take security quite as seriously? I'm not convinced of that but I do find it interesting.
- No Answer to Insider Threats. Apparently, more than half of the respondents believe that security technology, policy, and training are ineffective against insider threats from employees. However, insider security breaches appear to be more of an issue for US companies (24%) than in China (15%) or Europe (11%). A couple of possible explanations for that factoid: one conclusion is that US companies are more willing to disclose or, because of regulatory demands, must disclose. Another explanation - US employees are more independent, free thinking and hence more willing to act out of bounds versus employees in China who may be more accustomed to a regimented, authoritarian management structure?? Just interesting...
- Three Biggest Security Challenges? Survey says (Letterman style):
... Number 3: Enforcing Security Policies (36% of respondents)
... Number 2: Raising User Awareness (41% of respondents)
... Number 1: Managing the Complexity of Security (48% of respondents)
I think this speaks to how challenging security is for large enterprises. It's plain difficult with a myriad of platforms to deal with, new apps being deployed and an increasing variety of attacks. This means there's a premium on security tools that actually reduce complexity, rather than increase it (which, unfortunately, some tools do). Also, per challenge #2, it's not just about technology, it's about people and processes.
- Viruses, Worms and ID Theft, Oh, My! Finally, what are companies consciously defending against? Here's the breakdown - Viruses/Worms (56%), Spyware (40%), Customer Data Theft (36%). Surprisingly low on the list: Spam (27%), Denial of Service (26%)... which may indicate that corporations believe they have those licked.
Posted by andreyee in Industry Trends
July 01, 2006
Security & Compliance - Who's on First?
I'm planning to launch into a short series of posts on the topic of compliance, and I wanted to kick it off with this article by Marcia Savage of Information Security Magazine. It's about the sometimes strained relationship between security professionals and their counterparts on the compliance side, the compliance auditors.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1194877,00.html
It's not a matter of who's in the driver's seat - compliance or security? The reality is that this relationship isn't going away, folks. Regulatory compliance is here to stay, and in an increasingly digital world it will involve cooperation and influence from information security professionals in order for corporations to comply with these regs.
By the way, if you have any experiences related to getting your organization to comply with regs that involve information security, I'd love to hear about them.
Posted by andreyee in Compliance