
At the end of November, Information Security Magazine online ran a news article about current data sharing. According to a survey about the costs of data breaches, there has been a 43% rise in cost since 2005. This is a huge increase and should be taken into account when gauging the costs of security and what actions or additions should be made for security. TJX, which I blogged about yesterday, had a major breach and is paying the cost for damages through banks of over 40 million. This is just one example of current breach costs.

But back to the main point of the post, data sharing. The article talks about how companies are sharing intellectual property with their suppliers, customers, and clients without policies in place to monitor or restrict that sharing. This can lead to information "donations" to people outside the company that are not wanted by the executives. Most of the time people are trustworthy, but it only takes one bad apple to cause a security breach and cost the company in intellectual property leaks, bad publicity, and lost business. However, you don't want to over-regulate data sharing in a company, because it does lead to cost savings. If a company over-regulates, the employees start to find ways to get around the regulations, working under the radar, and that sometimes leads to even larger security problems.

As the article states, companies need to have security audits and make sure to educate their employees about what information is vital to the company and should be guarded, and what information can be used to pave the way with clients and other outside entities. Policies should be written and IT solutions should be investigated that make compliance easier for employees. Risks and solutions should be evaluated. Knowledge of risks helps a company avoid being blindsided by a breach.

I was reading the security news at the Information Security Magazine online portal and I came across a great example of what can happen if you aren't ready for a security breach. TJX is in court for a security breach in which information was lost on more than 94 million credit card accounts. Banks are suing TJX to try to recoup some of the costs of reissuing all of those credit cards to customers. It seems that TJX didn't update their WiFi connection to the newest WPA security and kept customer information for too long. It was also reported that TJX took almost 2 months to respond to the incident and get security professionals to check out the breach. This shows a lack of pre-planning on the part of TJX.

One of the main things I have learned in this area is that having a plan of response is critical in an incident such as a breach. TJX also did not seem to treat security as a priority. They are obviously paying for the company not keeping up with security measures. The offer that TJX is extending to VISA is 40.9 million. This doesn't yet account for the MASTERCARD members who were affected as well.

So I ran across a blog post by Jeff Atwood that talks about CAPTCHA, which is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart". These are those nice little images where we have to decide what letters they contain. I added a picture for reference. Wikipedia has a great reference on this technology. The blog post talks about how new technology has been coming out and making these easier for computers to break. One of the biggest websites with such a problem is Ticketmaster. People have found a way to get around the CAPTCHAs. One recent instance where this has been shown to be a problem is the Hannah Montana concert "Best of Both Worlds". Tickets were swept off Ticketmaster and started to be sold on eBay for an average of $237.

This leads into the necessity for Information Security employees to be tech savvy and tech forward. Hackers and people are always looking for new and better ways to get around security features. Security that was adequate five years ago is not adequate today. Security hacks and vulnerabilities are being found every day and circulated online. (So make sure to update your software regularly.) Being aware of these vulnerabilities is the first step. As a security professional, you must then gauge the riskiness of the vulnerability and the cost of the fix. (Will it be painless, or will the fix have to be tweaked to keep it from interfering with the current network? Will any equipment have to be replaced? etc.) Then weigh the benefits against those costs.

Ticketmaster should definitely re-evaluate their ticket security. The Hannah Montana incident received a huge amount of bad publicity. The lack of good security may lead Ticketmaster to make more than they usually would due to overbuying by scalpers. However, you have to weigh the increased revenues against the effects of the bad publicity when the lack of good security reaches mainstream media. Over 195 news articles show up on the subject at Google News.

Facebook recently had to pull their Beacon advertising program for a while due to inadequate privacy features. They started the service off requiring users to opt out on a case-by-case basis instead of giving the option of a complete opt-out. However, information from companies was still being sent to Facebook in batches, and Facebook then claims to be deleting any information that does not belong to a Facebook member or that belongs to those who have opted out of the service. Customers are outraged and the company has been feeling the heat. Zuckerberg apologized for their actions on December 5th amid advertisers dropping out, such as Coca-Cola, Overstock.com, and Travelocity. A full list of advertisers that were scheduled to use the service can be found in a post by dcoates.

As a society, we are becoming more open with our information and we love having the ability to easily share that information with the group of friends we WANT to know it. However, when people start to feel that they are out of control and that their information is being used for the wrong purposes or without their permission, they become more guarded and not so community focused. As seen in the above case, people start to protest, which leads to uncertainty among more risk-averse partners. Reduced revenue follows as these partners decide to wait out the initial upheaval. Travelocity, Coca-Cola, and Overstock.com are major accounts and don't want that kind of bad publicity. Any company hoping to expand and give their customers more collaborative online features should make sure to check the security of the data being stored or transferred.

It is interesting to read about some of the dangerous day-to-day information practices employees take part in that can lead to security breaches. For example, with email, forwarding, auto-reply, HTML email, and instant messaging can all lead to problems for a corporate system. Forwarded email can carry viruses and clog up the system. Auto-reply will send replies to anyone and everyone, which helps spammers verify that an address is live. HTML email can hide the use of malicious offsite content, and instant messaging systems are often insecure. Employees also must be careful with their sharing of information. Hidden Excel columns can easily be unhidden to reveal confidential information. Peer-to-peer networks can be used to unknowingly download viruses, and free downloads can pose security hazards. Employees should not allow others to use their computers or information devices, and public wireless networks should be used with care, with personal firewalls, password protection and encryption. All of these must be known by employees as unacceptable use of the network. Without training or distribution of this information, employees don't know that these can pose a risk to the network.
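The hidden-column point above is easy to check mechanically before a workbook leaves the company. This added example (mine, not from the book or any article cited here) scans an .xlsx for hidden sheets, columns and rows using only the Python standard library; the workbook it scans is constructed inline, so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML namespace used by xl/workbook.xml and each worksheet part.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed sample workbook: sheet 2 is hidden, sheet 1 hides columns C-D
# and row 2. A real .xlsx has more parts (rels, styles); these suffice here.
WORKBOOK_XML = """<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
 <sheets>
  <sheet name="Quote" sheetId="1" r:id="rId1"/>
  <sheet name="Cost basis" sheetId="2" state="hidden" r:id="rId2"/>
 </sheets>
</workbook>"""
SHEET1_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
 <cols><col min="3" max="4" width="0" hidden="1" customWidth="1"/></cols>
 <sheetData>
  <row r="1"><c r="A1" t="inlineStr"><is><t>Item</t></is></c></row>
  <row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Margin</t></is></c></row>
 </sheetData>
</worksheet>"""
SHEET2_XML = """<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>Internal cost</t></is></c></row></sheetData></worksheet>"""


def build_sample_workbook() -> bytes:
    """Zip the constructed parts into an in-memory .xlsx (an .xlsx is a zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
        z.writestr("xl/worksheets/sheet2.xml", SHEET2_XML)
    return buf.getvalue()


def col_letter(n: int) -> str:
    """1-based column index to Excel letters (1 -> A, 27 -> AA)."""
    letters = ""
    while n:
        n, rem = divmod(n - 1, 26)
        letters = chr(65 + rem) + letters
    return letters


def find_hidden_content(xlsx_bytes: bytes) -> list:
    """Return (kind, where, detail) for every hidden sheet, column range and row.
    Sheets are named from workbook.xml; rows/columns are reported per worksheet
    part, since this example does not resolve r:id to part names."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            if sheet.get("state") in ("hidden", "veryHidden"):
                findings.append(("sheet", sheet.get("name"), sheet.get("state")))
        for part in sorted(z.namelist()):
            if not part.startswith("xl/worksheets/") or not part.endswith(".xml"):
                continue
            ws = ET.fromstring(z.read(part))
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    rng = f'{col_letter(int(col.get("min")))}-{col_letter(int(col.get("max")))}'
                    findings.append(("columns", part, rng))
            for row in ws.findall("m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append(("row", part, row.get("r")))
    return findings
```

Running `find_hidden_content(build_sample_workbook())` flags the hidden "Cost basis" sheet, columns C-D and row 2 of sheet1; a non-empty result is the signal to review the file before sharing it externally.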

Since knowledge is the key to fighting these types of security threats, I decided to find out what the most recent email hoaxes have been. Sophos has a list of the most recent as well as the most prevalent hoaxes. Principles and Practice of Information Security by Volonino names the jdbgmgr (or Teddy Bear Virus) hoax as one of the most common hoaxes. The site still shows this hoax to be the 8th most prevalent hoax. It is interesting to see that this hoax is still so prevalent after a few years. And I know that I have gotten the Visa and MasterCard telephone credit card scam chain letter a few times. Some of these have been from friends or family.

Over the past few years, I have become increasingly skeptical about any emails I get from people that look like a chain letter. Every time I get one of these letters, I check the email online to see if it is real or a hoax. About.com has a hoax encyclopedia that is very useful, and usually if you take the email subject and Google it, you can get some great information. I guess what I'm trying to say is that the best defense against these kinds of scams is skepticism.

E-Evidence

A few weeks back, I was reading about electronic evidence and ERM, or Electronic Records Management, and I wondered about some current examples of how e-evidence is being used in cases. So I decided to take a stroll on Google and see what I could find.

One of the first sites I found was actually a site dedicated to being an e-evidence information center. The latest news article on this site detailed how IM and email messages were held as evidence in a murder investigation where a girl, her boyfriend and a mutual friend severely beat the girl's mother and left her in the house to die. The girl and her boyfriend had been talking about it for months over the internet. This is a personal crime rather than a corporate one.

I found another useful site by Sensei Enterprises, Inc., that holds an Electronic Evidence Case Digest. In June, in an ATM fee antitrust litigation case brought as a suit for price-fixing, the plaintiff wanted all electronic files from the defendant to comply with the 2006 amendments to Rule 34 of the Federal Rules of Civil Procedure. This amendment required defendants to produce TIFF files of all transactions. However, because this amendment came almost 2 years after the lawsuit was filed, the court said it wasn't enough to break the agreement already made by the two parties. In September, there was a case between Sun and Lawson. Lawson wanted information in electronic copy and Sun gave him a great deal of information in hard copy. The court ruled in favor of Lawson due to a letter sent to Sun stating his wish for electronic copy. This site is a great resource for seeing how the courts are ruling on electronic evidence across many different categories such as Electronic Evidence Protocols, Emails, Metadata, Preservation of Evidence, etc.

From my jaunt through Google results, I've found that electronic evidence is becoming more and more prevalent in court cases, both corporate and personal. It's definitely important to keep on top of where the courts are ruling, what electronic files a company needs to preserve, and what files should be deleted within the company.

I have received a job offer from Wipro, an India-based company that specializes in BPO, or Business Process Outsourcing, and IT services. I would be an account manager. As I was reading my info security material, I started thinking about the security concerns that management must address before outsourcing their IT services. Since my job would be acting as the go-between for the client and the development team, as well as working with the client to strengthen our relationship, it is important that I know the concerns that services such as outsourcing or offshoring bring.

Principles and Practice of Information Security by Linda Volonino mentions outsourcing only very briefly. The book touches on the risk that outsourcing brings. When a company outsources, it is placing its information security in the hands of the outsourcing company and trusting them. Control is transferred outside the company, and with this comes the added risk that the company entrusted with the information does not have the correct security. However, management should also take into account the current security of information within their own company. It may be quite lax if the IT department is understaffed, underfunded or mismanaged. Placing information security in the hands of a specialized company like Wipro can actually lead to much higher standards at lower costs, since the company works with large corporations where ISO standards and Six Sigma are key. Trust is KEY in these relationships.

Another aspect that must be addressed is confidentiality. If sensitive data is being handled by the outsourcing company, precautions should be taken and an agreement about correct usage of information should be specified in the contract. HRO Today had a great article written by Thomas C. Greble about security risks that companies that are outsourcing should be aware of. The following list gives a number of issues that should be discussed and specified within an outsourcing agreement.

  • Identify confidential information and specify the types of security mechanisms the employer expects of the provider.
  • List applicable privacy laws and regulations.
  • Require the provider to limit access to authorized personnel; keep security patches current; install, maintain, and monitor computer systems that require passwords, use encryption technology, and contain firewalls and similar intrusion detection systems.
  • Specify that the provider shall be liable for complying with applicable laws and regulations and the breach of its confidentiality or security obligations.
  • Provide employer access to and control over the information; impose restrictions on how information may be used, transferred, or shared; and grant employer audit rights over the provider’s security procedures.

Another issue that might carry some risk for the outsourcing company is cultural differences. According to a 2004 post on the Outsourcing Times website, standards of privacy are much looser in India. However, this IS a 2004 post, and I'm sure that in order for Indian outsourcing firms like Wipro to survive, they have had to meet very strict privacy standards. Wipro has been one of the leading companies in achieving ISO standards in many different aspects of business. Information security was one of the most important ISO standards for an IT-based company. The article Offshore Outsourcing: Is Your Data Safe?, written in April 2004, details that the large offshoring companies such as Wipro and Infosys already had very stringent information security policies. This article was also very interesting and went into some more in-depth security issues as well. I also think it is a very good sign that all the articles displayed in my Google search are from 2003-2004. This leads me to believe that security has become more of a company risk and less of a cultural difference.

As we become more of an online society, living and interacting through the internet on sites like Facebook and MySpace, we add more information to our profiles and our devices. This means more information is available for hackers to exploit to gain email addresses, personal information, etc. Unless this is correctly secured and users know what ploys are being used to lure people into vulnerable situations on the internet, hackers have more venues to gain information from internet users. For example, cell phones are becoming more versatile and useful. However, to be useful, we must start to upload information such as our contacts onto our phones. Security professionals have already shown that many of the prominent platforms can be easily hacked. We have already seen iPhone security holes being taken advantage of.

I came across a great article entitled Looming Online Security Threats in 2008 that goes into some of the threats we may see in the coming year. These included exploiting internet users' trust through MySpace and Facebook, augmented PC attacks that steal personal information, an increase in cellular attacks, attacks on corporate databases for proprietary design and engineering information that can be sold, and professionally written email virus scams. I highly recommend reading this article for a more in-depth look. I did want to share the following security tips from the article, though.

— Don’t give away any valuable or sensitive personal information on your MySpace or Facebook profile, or within messages to other members of the network. And don’t click on any links in social network messages from people you don’t know.

— No reputable company will ask for your password, account number, or other log-in information via e-mail or instant message.

— Use one of the many antivirus, antispyware, and firewall programs on the market. Often, vendors offer all three functions in a single package. And many Internet service providers offer them free with your monthly subscription.

— Upgrade your browser to the most current version. From Microsoft, that’s Internet Explorer 7. Mozilla’s Firefox is on version 2, as is Apple’s Safari browser.

— Pay attention to the messages from Windows that pop up on your screen, especially in the new Vista operating system. They often contain helpful security information that many users overlook.

— Turn on Windows’ automatic-update function to get Microsoft’s regular security patches.

Education on the scams that are out there can be very helpful in reducing the effects of these "trusting techniques". IT professionals use the acronym PEBKAC (Problem Exists Between Keyboard And Chair) for cases where the reason security or a computer didn't work is the person operating the computer. Education can greatly reduce this type of error. A person can't be prepared for something they don't know anything about.

PayPal and Google Checkout have started to gain market share in online shopping payments. Big vendors such as Dell are starting to allow payment through PayPal. While eBay is a large portion of PayPal's transactions, this past third quarter has seen non-eBay transactions increase to almost 45%.

One of the new features PayPal has introduced is the ability to receive a "dummy" MasterCard number from PayPal to use for online payments. This helps to decrease the identity theft risk to customers. More than 15 million Americans had their financial information stolen online between 2005 and 2006. This number can induce a lot of fear. Since the new feature that allows people to use PayPal almost anywhere was just released on November 20th, it will be interesting to see how this fear will grow PayPal's market share in the next quarter.

I stumbled upon a great article today about the risks associated with temporary employees. This is especially important information during the Christmas season due to the large increase in temporary employees. The article outlines three main issues faced with the addition of temporary employees.

  1. Information Leakage
  2. Lack of Basic Data Security Management
  3. Exposure to External Threats

The article outlines the results from a survey given to temporary employees about their behavior and policies at these jobs.  There are some pretty interesting statistics in the article.  Here are just a few of them.

  • 87.7% of respondents were able to access documents from the company network drive or electronic folders that permanent staff use on a day to day basis
  • 52% used someone else’s e-mail account or a general company e-mail address
  • 78.9% of temporary workers said they did not have to sign a PC or Internet use policy
  • 97% said they either didn’t understand or had never heard of the Computer Misuse Act
  • 25.5% accessed download sites during work hours
  • 67% of temporary workers used social networking sites like Facebook during working hours

The complete set of statistics and article can be found at the following link. 
Businesses are ill-prepared for the security risk introduced by temporary workers

As hackers find new and different ways to use the information found on the internet at sites such as Facebook and MySpace, we will start seeing a whole different arena of ways to gain information that we must know about and be cautious of.

Salesforce.com just ran into some trouble in October. On Oct. 19, Security Fix reported that payroll giant Automatic Data Processing (ADP) and several banks — including SunTrust — were among a number of institutions that were victimized by a series of highly targeted phishing scams. This was done through a spoofed email that asked employees to download a file, which was most likely malware intended to steal usernames and passwords.

This is just one of the risks of which temporary employees and full-time employees must be aware. Management must be aware of these threats and take steps to mitigate these risks.