Identity Theft archives - IT Compliance Advisor


Nov 2 2009   9:30PM GMT

Improve public and private cybersecurity partnerships, says Hathaway



Posted by: Alexander Howard
United States, White House, Melissa Hathaway, Federal Emergency Management Agency, National security, cybersecurity, cybersecurity threats, Security, identity theft, DDoS, cyberwar

Melissa Hathaway, former acting senior director for cyberspace for the National Security and Homeland Security councils, spoke of the need for better public-private cooperation at a cybersecurity panel in Washington last week.

Hathaway was part of a panel at the International Spy Museum in Washington, D.C., held to draw attention to the growing dangers online as National Cybersecurity Month drew to a close.

“Thank god for Akamai, who redirected a lot of the bandwidth and kept the Department of Transportation and NYSE up and running,” she said, referring to the DDoS attacks on the U.S. government earlier this year. Hathaway highlighted the importance of moving forward on enacting the 25 recommendations included in the cybersecurity report she delivered to the White House.

Her remarks followed the same theme as the speech on cybersecurity threats she delivered to the ArcSight Conference earlier this month.

Hathaway was proud of the attention that the Obama administration has paid to the issue, observing that when President Obama spoke, it was “the first time the leader of any country spoke about cyberspace or cybersecurity for any length of time.” Obama’s speech on cybersecurity is embedded below.

Hathaway noted that cybersecurity threats are a personal issue to the president, referring to attacks against his BlackBerry, and to his staff, given “their data breaches, and policy documents that he lost.”

“Many people don’t realize their computer is already infected by a botnet,” she said, emphasizing the importance of raising awareness of the risks. “How many people realize that when they buy a thumb drive that it comes with extra executables for marketing purposes to send data home?”

Hathaway called endemic data breaches in the business world “one of the biggest secrets that no one is talking about publicly” and drew attention to a rising tide of electronic fraud worldwide. “In Bulgaria,” she said, “one of our colleagues said you can’t withdraw cash at an ATM unless you have your cellphone and it geolocates you.” How many people now have to put ZIP codes in for gas? “That’s because POS terminals have been hijacked.”

Cybersecurity threats extend beyond fraud, identity theft and data breaches. “There is generally a lack of agreement about what is a crime in cyberspace, much less what is an act of war,” Hathaway said. “In the event of a digital disaster, who is going to restore the infrastructure?” Also key: Who will pay? “It’s not going to be the government,” she said, at least not under current Federal Emergency Management Agency frameworks. “There’s no equivalent of a national disaster in cyberspace yet.”


Oct 2 2009   7:21PM GMT

NIST, smart grid privacy and social networking for security pros



Posted by: Alexander Howard
Smart Grid, Twitter, National Institute of Standards and Technology, Google, Personally identifiable information, identity theft, smart grid privacy, privacy, Security, Google Docs, cybersecurity

Last month, the National Institute of Standards and Technology (NIST) outlined a framework for building more intelligence and interoperability into the electrical system of the United States. Such a system is generally known as the “smart grid.” Commerce Secretary Gary Locke released a plan for smart grid interoperability that’s meant to lead to a “secure, more efficient and environmentally friendly” system. A draft of the report from NIST is available for download as a PDF: “NIST Framework and Roadmap for Smart Grid Interoperability Standards Release 1.0”

Building more intelligence and efficiency into the network, however, has relevance to more than energy policy. As a working group of information security professionals determined over the course of the summer, there are significant smart grid privacy concerns to consider.

These considerations can be neatly summarized in the following excerpt from the NIST report: “The major benefit provided by the Smart Grid, i.e. the ability to get richer data to and from customer meters and other electric devices, is also its Achilles’ heel from a privacy viewpoint. Privacy advocates have raised serious concerns about the type and amount of billing and usage information flowing through the various entities of the Smart Grid … that could provide a detailed time-line of activities occurring inside the home.”

As privacy expert Rebecca Herold explains on her blog, smart grid privacy needs to be considered as utilities move to a next-generation infrastructure. Those implications were concisely listed by Herold as follows:

  1. Identity theft.
  2. Determining personal behavior patterns.
  3. Determining specific appliances used.
  4. Performing real-time surveillance.
  5. Revealing activities through residual data.
  6. Targeted home invasions.
  7. Providing accidental invasions.
  8. Activity censorship.
  9. Decisions and actions based upon inaccurate data.
  10. Revealing activities when used with data from other utilities.

Sarah Cortes, a contributor for SearchCompliance.com, was the project manager for the Privacy Sub-group of the NIST’s Cyber Security Coordination Task Group.

Key points in the current release of the smart grid privacy document include the following issues, according to Cortes:

  1. Enforcement of state privacy-related laws is often delegated to agencies other than public utility commissions.
  2. State utility commissions currently lack formal privacy policies or standards related to the smart grid.
  3. The lack of consistent and comprehensive privacy policies throughout the entities that will be involved with the smart grid creates a privacy risk.
  4. Comprehensive and consistent definitions of personally identifiable information do not typically exist.

The body of the privacy group’s work may be found in this draft: NISTIR 7628 Smart Grid Cyber Security Strategy and Requirements (PDF).

Social networking and distributed collaboration sped up report writing for infosec team

One aspect of the report’s generation is worth recognizing: the role that the various collaborative technologies and social networking platforms played in gathering, synthesizing and producing the final deliverable for NIST. As Cortes explained in an email, preparing the current release of the Smart Grid privacy document included the following considerations:

  1. Ensuring adequate input from each of the 50 state NARUC energy commissions and other sources in a very short time frame.
  2. Aligning recommendations with the plethora of existing laws.
  3. Documenting concrete privacy risks.
  4. Separating privacy risks from security and other risks.

According to Christophe Veltsos, a Midwestern-based information security professional who participated in the NIST CSCTG, the team used the suite of collaborative technologies common to many enterprises in late 2009.

“Gal Shpantzer and I used Google Docs to do live edits, both of us working at the same time,” said Veltsos. “We used either a live phone line or GChat to help facilitate the conversation.” The team members, including Herold, also used email, free conference-calling websites and tweets to send quick bursts of info/updates to each other.

Cortes also said NIST involved Twitter users from the start.

UPDATE: Christophe Veltsos wrote to correct the record on the central role that DC-based information security consultant Gal Shpantzer played in organizing the CSCTG. Veltsos points out that “while Sarah was the project manager, Gal was the catalyst and is considered by NIST to be the team leader of the privacy group.”

“When forming the group, NIST staff turned to the industry professionals they most respected across the U.S.: members of Twitter’s online information technology privacy, compliance and security community,” she explained. “One by one, Gal recruited respected members of the IT professional community, met with prospective members in person at times, and sought out suggestions for additional members. All prospective members could quickly and easily be thoroughly checked out as far as qualifications, accomplishments, and references, all informally through common Twitter features. The breadth and depth of advisory group members was substantial compared to similar panels formed with more traditional methods taking far longer.

“All meetings were organized by conference call, and drafts of the Smart Grid Privacy policy documents and project plans were exchanged by email. In between meetings, members interacted informally on Twitter, similar to running into colleagues in the hall when everyone works physically in the same building. These informal Twitter dialogues facilitated relationship-building among the team and problem-solving between meetings.”

According to Cortes, “Twitter has become the medium of choice for networking IT professionals for a few reasons, among them:

  1. If you’re in IT and you’re not comfortable with Twitter, you are lacking a basic technical skill.
  2. Twitter enables members of the IT community to check out each other’s static Web pages and credentials, but then get to know members of their own industry over time through their communications streams. How professional and informative is this person, over a period of time? How respected are they by other well-respected professionals, apparent through the interlocking web of followers? How many others respect this person, apparent from absolute numbers of followers, quality of followers, and mentions by others?
  3. Twitter communication allows personality to come through and thus enables people to feel comfortable with each other much more quickly than other mediums.
  4. It allows for a combination of private and public messages, allowing swift reaction to breaking industry developments.
  5. It allows professionals to get a quick response to a technical question.
  6. It enables professionals to know at a glance whether they are up to date on developments on our field or out to lunch, a constant problem in this field. What are other respected IT professionals talking about each day? What are they not talking about?”

If you have thoughts and comments about either smart grid privacy or the utility of social networking for collaboration between compliance and security professionals, please leave them in the comments. Or, if you like, @reply on Twitter. You’ll find SearchCompliance.com there under @ITcompliance, as well as this author as @digiphile.



Aug 26 2009   3:15PM GMT

Twitter security hole highlights need for a social media policy today



Posted by: Alexander Howard
Twitter, identity theft, Security, Social network, Phishing, Cross-site scripting

Once again, Twitter security is in the headlines. Yesterday, SEO expert Dave Naylor posted that James Slater had found a cross-site scripting vulnerability in Twitter. Cross-site scripting (XSS) is a common, and nasty, security flaw that allows a malicious hacker to insert JavaScript code into links that a user believes are trustworthy. Instead of sending the user to the expected website, the injected script executes in the user’s browser, which can lead to any number of ugly outcomes, including worms, malware infections or harvesting of session cookies.
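The flaw class described above, shown as an added example that is not from the original post and not Twitter’s code: a minimal Python rendering of a user-supplied link, first in the unsafe form that drops raw input into markup, then in a hardened form that restricts the URL scheme to an allow-list and HTML-escapes everything it emits. The function names and the allowed-scheme set are assumptions of this example.

```python
import html
from urllib.parse import urlparse

# Assumption of this example: only ordinary web links may be rendered as anchors.
ALLOWED_SCHEMES = {"http", "https"}


def render_link_unsafe(url, text):
    """Vulnerable: user input lands in the markup unchanged, so a javascript: URL
    or a quote-breaking string becomes script that runs in the viewer's browser."""
    return f'<a href="{url}">{text}</a>'


def is_safe_url(url):
    """Accept only absolute http/https URLs; urlparse lowercases the scheme, so
    mixed-case tricks such as JavaScript: are rejected too."""
    parsed = urlparse(url.strip())
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


def render_link_safe(url, text):
    """Hardened: refuse to link unsafe URLs at all (show inert text instead) and
    escape both the attribute value and the link text on the way out."""
    if not is_safe_url(url):
        return html.escape(text, quote=True)
    return '<a href="{}" rel="noopener noreferrer">{}</a>'.format(
        html.escape(url, quote=True), html.escape(text, quote=True)
    )


if __name__ == "__main__":
    for u in ("https://example.com/", "javascript:alert(1)", 'http://example.com/" onmouseover="x'):
        print(render_link_unsafe(u, "profile"), "|", render_link_safe(u, "profile"))
```

Both controls are needed: escaping alone leaves a `javascript:` URL intact inside a syntactically valid `href`, and the scheme allow-list alone does nothing about a quote character that breaks out of the attribute.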

While no apparent damage to privacy or sensitive data has occurred through this XSS exploit, the lesson from the past 24 hours is that a social media usage policy needs to be drafted, promulgated and enforced ASAP.

Although Ben Parr wrote on the social media blog Mashable that the Twitter exploit had been fixed, echoing Twitter staff comments, Naylor followed up today with evidence that the Twitter exploit still works; just visit @APIfail2 for a (harmless) example. You’ll need to view the account using a Web browser, given that third-party clients are not affected by the issue.

TechCrunch has picked up the lack of resolution to the Twitter security issue. Robin Wauters, the author of the post, has sought further comment from the startup. Although the security team at the online social messaging startup is no doubt working overtime to address the issue in a more substantive way, this episode only adds fresh concerns about the Twitter security risks I reported on in June. Twitter may need to hire a CISO soon.

Such online security concerns, however, are hardly limited to Twitter. If anything, Facebook is an even bigger target, both because of its size and the likelihood of more personal information in profiles. That reality hasn’t gone unnoticed by hackers, as rogue Facebook phishing applications popped up last week.

What does this all mean for the compliance and security community? It’s time to get serious about addressing the risk by drafting a social media policy that uses available DLP technology, sets expectations for online privacy and, perhaps most importantly, includes user education about Web app security, social engineering and phishing. As I reported earlier this month in a story exploring social media and compliance, “fewer than one-third respondents in a recent survey said their organization had a policy in place governing social media use” and “only 10% of the companies surveyed indicated that they had conducted employee training on such use.”

According to another survey, from security firm AVG, only 27% of social networking users are taking steps to protect themselves against similar online threats. According to “Bringing Social Security to the Online Community,” conducted with the CMO Council, 20% of social networking users have been the victim of identity theft, 55% experienced a phishing attack, and 47% said that they’ve had to deal with malware. Stark numbers.

In other words, if social media security wasn’t on your task list already, it should be now.



Jul 22 2009   2:29PM GMT

Compliance resources: Tips and news from around TechTarget



Posted by: Alexander Howard
Health Insurance Portability and Accountability Act, Cloud computing, Information security, identity theft, Security

Did you know that TechTarget now has more than 60 different websites, each of which focuses on a different form of technology? You can find compliance resources on nearly every one of them.

As a former editor at WhatIs.com, I’m familiar with the thousands of tips, news stories and learning resources around the network. For the time-starved reader, especially a busy compliance professional, simply being aware of what compliance resources are available can be a challenge. Here’s the best of what you’ll find on our sister sites from the past months:

CIOs and compliance

On SearchCIO.com, senior news writer Linda Tucci writes that according to research consultancy Gartner, IT security jobs will morph into risk management. The work of our contributors and the IT practitioners we talk to here at SearchCompliance.com confirm this trend. The staff at SearchCIO.com also put together a briefing on enterprise risk management solutions for CIOs and a selection of information security and IT governance guides for CIOs.

  In a video interview, iRobot CIO Jay Leader addresses the importance of a solid IT strategy – no small issue for this midsized company, which must maintain a high level of security and secrecy given its defense contracts.

Compliance in the cloud

Tucci is similarly focused on the compliance issues that are presented to the enterprise CIO considering cloud computing for data backup and storage. In addressing compliance requirements in cloud computing contracts, as Tucci makes clear, regulatory compliance requirements must be both expressly defined and then addressed – “or the data brought back down to earth.”

One of TechTarget’s newest websites, SearchCloudComputing.com, naturally has published stories on similar issues. In “Cloud computing skepticism: IT security and compliance,” research director Andi Mann explores whether security and compliance concerns in the cloud can be reconciled.

Compliance and Security

Over at SearchSecurity.com, you’ll find dozens of resources in its audit, compliance and standards topical section. You can watch instructional videos about testing PCI compliance requirement 11 or using IAM tools to improve compliance.

Recent news included coverage of MasterCard’s increase in PCI compliance requirements for some merchants (Visa says it won’t follow suit) or the increasing risks to identity theft, in “Researchers predict SSNs, crack algorithm putting identities at risk.”

Security expert David Mortman recently addressed the recent changes to HIPAA regulations that resulted from the HITECH Act in “HIPAA compliance: New regulations change the game.” Enterprise security teams charged with safeguarding PHI will find his insights useful. Mortman has also written this month about how to find virtual machines for greater virtualization compliance.

We’ve also partnered with SearchSecurity.com to produce both events and in-depth content like the recent log management e-book. Download the e-book (free registration required) to learn how automation can reduce the operational burdens of regulatory compliance.

SearchFinancialSecurity.com, given its focus on the financial industry, naturally features content to help security officers in that highly regulated vertical manage compliance. For instance, in “Tokenization and PCI compliance,” Ed Moyle explains what this relatively new technology may mean for the protection of sensitive credit card data. Our sister website also includes a video on Red Flags Rule compliance featuring John Carlson, senior vice president of regulatory affairs for BITS, a division of the Financial Services Roundtable.

Compliance and the channel

Our colleagues at SearchSecurityChannel.com are also covering the security aspects of compliance. As Neil Roiter writes in “Vulnerabilities, regulatory compliance drive data protection market,” while risk and vulnerability management are the two headings under which security spending often falls, the ultimate goal of both is data protection.

SearchSystemsChannel.com also features compliance coverage, in particular the specific U.S. laws and regulations that represent compliance and security concerns for Microsoft Office SharePoint.

Compliance and storage

Over at SearchSMBStorage.com, contributor Kevin Beaver recently wrote about making sense of regulatory compliance and data storage for SMBs.

Feedback

If you found this roundup useful, please let us know at editor@SearchCompliance.com or at @ITCompliance on Twitter. If so, I’ll do it again in August.



Jun 25 2009   6:51PM GMT

Add Twitter security to the top information security threats



Posted by: Alexander Howard
Twitter, Facebook, LinkedIn, RSA Conference, identity theft, Social Enterprise, Social network, malware, Information security

Last week’s 140 Characters Conference presented dozens of examples of how people are using Twitter creatively, effectively and disruptively. What didn’t get as much attention are the security risks and compliance challenges Twitter presents as the wildly popular microblogging platform continues to see adoption by enterprise users.

I talked with Erin Jacobs, chief security officer for UCB Inc., about Twitter security. If you haven’t found her on Twitter yet, she tweets as @SecBarbie. She sent us her list of the top information security threats around Twitter via email, which we publish below.


Information leakage
Corporate networks try to protect themselves from email, IM and other means of sending information outside of the network. There are new services for updating Twitter popping up daily, so it is impossible at this time to completely block the ability to access Twitter. Network security professionals are constantly racing to fill in the holes to ensure that information cannot be leaked. Information leaks could include:

  • Identity information from inside organizations.
  • Business IP leakage.
    • Business plans
    • Code leakage
    • Copyright infringement
  • Facility information.
    • Business operating hours could be used in targeted physical theft attacks.
    • Personnel locations or schedules.

Malware/viruses/Oh-MY!
Since Twitter communicates over ports 80 and 443, there really isn’t much to protect users from inadvertently bringing malicious code into the network. Bit.ly and other URL shorteners can easily send users to different addresses than the user expects.

Improper use of Twitter
Direct messages are not secure email. Education about potential vulnerabilities is essential for executives and top-level management to understand that they must keep business off of Twitter. Issues around human resources and online harassment are also a consideration.


After Erin wrote in, I used Twtpoll to ask my followers on Twitter the same question, using her list and adding a few other options.

You can vote on what your primary Twitter security concern is on Twtpoll. The results, as of today, are embedded below:

As you’ll see, insecure third-party apps leading to stolen accounts is (currently) the top answer – it’s an issue of natural concern to Twitter users. Coming in second, however, was Erin’s concern over data leaks of confidential or proprietary information. Information security threats are at the top of any CISO’s list; add Twitter security to the list.

Each of these information security threats is valid for other social networking platforms or services as well, like LinkedIn and, in particular, Facebook. Issues around Twitter security and social media in general were frequently discussed at this past week’s Enterprise 2.0 Conference in Boston and at the RSA Conference earlier this year, where Web application security was at the top of the information security threats list.



May 6 2009   11:16AM GMT

New on our compliance blogroll: Think Privacy



Posted by: Alexander Howard
Federal Trade Commission, Red flag, identity theft, Red Flag Rule, Cloud computing, Security, privacy, compliance, Blogroll

We noticed a new blogger joined ITKE this May Day: Matthew Barach, Esq. CIPP/G.

As his bio notes, Barach is the founder of Boston Privacy Group, a privacy consulting firm, and the former Internet and Information Privacy Counsel for the New York State Consumer Protection Board (CPB).

Barach will be writing the Think Privacy blog, which will address “timely privacy topics including behavioral advertising, Red Flag Rules, the new Massachusetts regulations, HIPAA, GLBA, data transfer, cloud computing and other emerging privacy issues, laws, regulations and challenges that organizations will continue to face.”

Since those are all issues and areas we cover, you can expect his posts to show up in our RSS reader. His first post, “The Red Flags Rules are coming, the Red Flags are coming - NOT,” addresses the recent announcement by the FTC that they “will grant a three-month delay of enforcement of ‘Red Flags’ Rule requiring creditors and financial institutions to adopt identity theft prevention programs.” Barach helpfully linked to the FTC announcement.

As readers of SearchCompliance.com know, enforcement of the Red Flags Rule has been approaching for some time. Compliance and security professionals alike will now have three more months to get their regulatory ducks in a row.



Apr 16 2009   6:20PM GMT

Email to the Editor: 201 CMR 17.00, ID theft and data protection



Posted by: Alexander Howard
identity theft, Gramm-Leach-Bliley Act, Information security, compliance, Email to the Editor, MA data protection law

Great article ["Panels describe risks of noncompliance with Mass. data protection law"]. Numerous thought-provoking statements in this article and in the legislation itself. My first thought is that this regulation shouldn’t be so shocking, surprising and difficult to comply with. It’s all about doing the right things, as Rebecca Herold stated.

Information Security Officers, IT professionals and consulting firms have been telling the companies for whom they work to do this for years. But many firms, even those that are highly regulated, have traditionally taken a wait-and-see approach since they can’t seem to find the ROI. Locking down USB ports, encrypting hard drives and encrypting mail that contains sensitive data is just too “inconvenient” for them. I ask them, “What’s your reputational risk worth?”

This legislation goes hand in hand with the Red Flags Identity Theft Prevention rule that went into effect Nov. 1, 2008, for similar types of business. After a deeper look, it was determined that there were more than 10 million businesses throughout the country that would need to be examined. That’s nearly 10 million more than the number of examiners in the field to assess them.

While a great deal of the focus for Red Flags is certainly on the banking industry, in terms of governance and enforcement, my car dealer never heard of it. Neither has my attorney friend, who is the compliance officer at the insurance agency that wrote my general liability and errors & omissions policy and also provides my life insurance. They have no such program in place. And what about the gas station that still uses multipart forms to take my credit card information? I better ask the attendant how their efforts are going to comply with MA 201 CMR 17.00 before I fill up.

Legislation is great, if practical, but governance and enforcement is even better. I’d love to hear how the regulators plan to enforce it for those outside the banking sector, which at least makes a strong effort to comply and do the right thing. I also wonder about vendor management. Third-party providers must comply with the regulation by Jan. 1. Thus, it’s incumbent upon those who use third parties to ensure that those controls are in place at those third-party companies.

For the banking industry, the third key point of GLBA 501(b) requires oversight of service providers, meaning that even though you’ve assigned your risk by outsourcing a function or process to another company, you’re not relieved of your responsibility to ensure that controls are in place to protect sensitive data and systems. Heartland sound familiar? Hannaford sound familiar? TJX ring a bell? There are many others out there as well but just not as high profile. There’s always a box of tapes with a few hundred thousand customer names, account numbers and SSNs that’s been lost or misplaced or that fell off the truck. Or a dumpster that’s been raided for the sensitive info that employees have haphazardly discarded, despite policy for proper destruction and disposal.

A formal vendor management program is a requirement! And the banking sector has seen tighter and tighter regulatory scrutiny and examiner focus in this specific area over the past year or two, but there’s still a long way to go. There are very specific components to a sound and compliant vendor management program. These include vendor inventory, status tracking, periodic monitoring, due diligence, contract review, risk rating, reporting and policies and procedures. This is a long haul for those not in the heavily regulated banking sector. So, again, it will come to being all about governance and enforcement and the penalties for noncompliance to make this legislation effective.

And my final thought is that Massachusetts should at least be commended for taking a stand. I’ve read countless critiques of the legislation but haven’t seen anyone state in writing that MA should be commended for doing something to try to protect the consumer. Any time you stick your neck out, you’re bound to get slapped.

Mick Kless
Managing partner
R.I.S.C. Associates

Let us know what you think about our stories. Email editor@searchcompliance.com.



Apr 13 2009   3:28PM GMT

Compliance fundamentals: Database logging, privileged access control



Posted by: Sarah Cortes
Security, identity theft, compliance, Intrusion detection system, Information security, log files, access controls, IAM, compliance fundamentals

On April 10, 2009, 10,868 Social Security numbers at Penn State Erie, The Behrend College, were compromised by a detected intrusion. Last October’s data breach of 17 million records at T-Mobile, Deutsche Telekom ranks amongst the largest breaches in history, occurring almost two years after the infamous TJX breach. Given the nearly daily reports of data breaches, ensuring data privacy and preventing identity theft is at the top of the compliance project list for security and IT professionals and businesses everywhere.

These incidents have shifted a great deal of focus onto three types of IT initiatives:

Two of the most fundamental types of detection and control strategies, however, are often overlooked:

  • Database logging and its partner control,
  • Privileged access.

COBIT and most security frameworks consider these controls sine qua non. Unfortunately, neither fundamental is as sexy as IDS or hackers, and thus each receives scant press attention.

Database logging is the practice of creating a record of direct access to high-risk data in high-risk databases. It excludes access through user interfaces, so it accurately filters out client or user access. Instead, it records all identities that directly access the data. This would include database administrators, possibly system administrators and likely anyone else who has been granted write privileges into your database.

Are you aware of everyone in your organization who has write access to your high-risk data in your high-risk databases? Do you doubt anyone could possibly have direct access to the banking deposit, withdrawal transactions or trading buys and sells in your firm’s Fortune 500 database?

Let me assure you, they do.

Every firm has individuals to whom this access has been granted. No firm could function without them. Senior business officials often react with outrage and tough talk about firing anyone granting such access to their IT staff. But the reality is that these senior officials should look more closely at both themselves and any budgeting choices that may have denied database upgrades that could have precluded the need for such access. Many institutions have not adequately invested in their applications and database upgrades. As a result, some hapless DBA is often left tasked with daily, high-risk manual database “fixes” to keep business running. The DBA is then blamed if problems crop up as a result.

There are many reasons firms can and do grant write access to IT staff. The primary reasons include:

  1. Legacy databases that “freeze” daily and have to be manually unlocked.
  2. New transaction types that aren’t adequately handled by applications, resulting in inaccurate data that require a manual “fix.”
  3. Access temporarily granted under an emergency change control and never revoked.

Monitoring privileged access is a fundamental compliance practice. Such monitoring should include a daily automated report personally reviewed by the Information Security Officer (ISO) and signed off with his or her initials. Yes, a daily signature. This report alone will likely raise many useful questions. Once monitoring of access is addressed, the daily database logging report should similarly be placed in front of the ISO each day for personal review and sign-off.
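The daily direct-write report the paragraph above calls for, as an added example that is not from the original post: a small Python script that filters a constructed day of database audit records down to direct writes against high-risk tables by anyone other than the application’s own account, flags writers who are not on the approved list (the never-revoked emergency grant from the list of reasons above), totals events per identity, and ends with the ISO sign-off line. The table names, account names, CSV layout and approved-writer list are all assumptions of this example; real audit exports differ by DBMS.

```python
import csv
from collections import Counter
from io import StringIO

# Hypothetical configuration for this example (not from the original post).
HIGH_RISK_TABLES = {"deposits", "withdrawals", "trades"}
WRITE_OPS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}
APP_ACCOUNT = "app_svc"           # the application's service account; its writes
                                  # arrive through the user interface and are excluded
APPROVED_WRITERS = {"dba_jones"}  # identities with a standing, approved write grant

# Constructed sample of one day's audit export (columns are an assumption).
SAMPLE_AUDIT_LOG = """\
timestamp,user,client,op,table
2009-04-13T02:15:01,app_svc,webapp,INSERT,deposits
2009-04-13T03:40:12,dba_jones,sqlplus,UPDATE,deposits
2009-04-13T09:05:44,dba_jones,sqlplus,SELECT,trades
2009-04-13T11:22:09,sysadmin_lee,psql,DELETE,trades
2009-04-13T12:00:00,app_svc,webapp,UPDATE,withdrawals
2009-04-13T13:30:30,analyst_kim,excel_odbc,SELECT,customers
2009-04-13T16:45:10,dba_jones,sqlplus,INSERT,trades
"""


def parse_audit_log(text):
    """Parse the CSV audit export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def direct_writes(rows):
    """Writes to high-risk tables that did not come through the application
    account, i.e. direct access by DBAs, sysadmins or anyone else with write grants."""
    return [
        r for r in rows
        if r["op"].upper() in WRITE_OPS
        and r["table"] in HIGH_RISK_TABLES
        and r["user"] != APP_ACCOUNT
    ]


def unapproved(events):
    """Direct writers absent from the approved list: the usual residue of an
    emergency change-control grant that was never revoked."""
    return [e for e in events if e["user"] not in APPROVED_WRITERS]


def summarize_by_user(events):
    """Count direct-write events per identity."""
    return dict(Counter(e["user"] for e in events))


def build_report(text, report_date):
    """Render the daily report the ISO reviews and initials."""
    rows = parse_audit_log(text)
    events = direct_writes(rows)
    lines = [
        f"Direct-write report for {report_date}",
        f"Audited statements: {len(rows)}",
        f"Direct writes to high-risk tables: {len(events)}",
        "",
    ]
    for e in events:
        status = "approved" if e["user"] in APPROVED_WRITERS else "UNAPPROVED"
        lines.append(
            f"  {e['timestamp']}  {e['user']:<13} {e['op']:<7} "
            f"{e['table']:<12} via {e['client']:<10} {status}"
        )
    lines.append("")
    for user, n in sorted(summarize_by_user(events).items()):
        lines.append(f"  {user}: {n} direct write(s)")
    lines.append("")
    lines.append("Reviewed by ISO (initials): ______   Date: ______")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_report(SAMPLE_AUDIT_LOG, "2009-04-13"))
```

The point of keeping SELECTs and the application account out of the report is the one the post makes: the signature is only meaningful if the page in front of the ISO contains exactly the direct writes that need a human explanation, not a wall of routine traffic.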

In my next post, I’ll give specifics on how to build these reports so they actually capture the violation information you need. There is nothing worse than the false security of a violation report that does not actually capture the required information. Your auditors will know the difference. So should you.
