Risk Management and Compliance &#187; security

http://twitter.com/kraasecurity
Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test

Analyst Study Shows Employees Continue to Put Data at Risk (newswire.ca)
Perception of Data Security at Odds with Reality, Accenture Study Finds (eon.businesswire.com)
Data protection a priority for CEOs (newstatesman.com)
HSBC admits to understating data theft (v3.co.uk)
Breach numbers fall while costs rise Ponemon study finds (v3.co.uk)
Symantec Shells Out $370 Million For Data Encryption Companies PGP and GuardianEdge (techcrunchit.com)

Data Lifecycle Management: How to reduce risk (part1)

admin — Thu, 22 Apr 2010 01:42:53 +0000

What is Data Lifecycle Management?

The Data Lifecycle goes through 5 steps: creation, usage, transport, storage and destruction. Most companies have parts of this lifecycle under control, but that means there are lots of areas for gaps in the control measures that could let a threat affect the data. The multiple part blog, (I am not sure how many parts it will take), will walk through the steps of the data lifecycle and what a company can do to implement a good process for all the data management challenges.

Data lifecycle management (DLM) is a policy and procedure based approach to manage information movement. Data has to be classified and evaluated to properly protect it with the right resources. Ownership is a key factor in managing and maintaining data throughout the lifecycle

The 5 Steps

Creation – How does data creation get managed?
Usage – What limitations are on data usage?
Storage – What controls are in place for storage?
Transportation – How is data transmitted between company, customers and business partners?
Destruction – What is the validation and verification process over data destruction?

The Data Management Problem

Weak processes in place to track creation usage, transportation, storage and destruction
Weak ability to monitor and manage a customer record throughout the lifecycle
Inconsistent processes across each phase of data movement
Lack of enforcement capabilities

What should be the goal of data lifecycle management?

Provide practical steps to manage each step of the customer record management process
Provide cost effective solution for risk mitigation
Provide framework for data management
Reduce risk of data loss

Challenges to Customer Data Records Management

Rarely does a company have a centralized process to track controls over data, over management processes around data, over logging and monitoring, and removal
Organizations rely on technology to secure data not processes that drive technology purchases
The 5 steps of data management are not followed by all functional groups in a company
No clear ownership and classification of customer data elements

Did you know…

1 in 400 emails contains confidential information
1 in 50 network files contains confidential data
4 out of 5 companies have lost confidential data when a laptop was lost
1 in 2 USB drives contains confidential information
Companies that incur a data breach experience a significant increase in customer turnover—as much as 11%
Over 35 states have enacted security breach notification laws
Can openers were invented 48 years after cans

Infosec 2010: A quarter of all firms have seen data integrity attacks (computing.co.uk)

Washington State implements PCI law

admin — Tue, 30 Mar 2010 18:56:39 +0000

: Image via Wikipedia

PCI laws are expanding around the country. Washington State is the latest to add a law to their books. Washington state follows Nevada and Minnesota in implementing Payment Card Industry Data Security Standard (PCI), the law is HB 1149. It changes the breach notification law they already had on the books. The key point is that it allows issuing banks a method of collecting the costs to reissue payment cards after a breach.

Organizations who must abide by the law

It defines “business(es)” as merchants processing more than six million cards and sell to Washington state residents. “Processors” manage account information for others and “vendors” sell software or equipment that processes, transmits or store account information. Account information can is not so clearly defined. It will be interesting to see how companies outside of the state are affected. PCI Security Assessments are going to become even more prevelant.

How is the law implemented?

Entities that fall under the law are required to provide reasonable security measures. They can be liable for damage and if they have to reimburse their banks for reissuance of card, that can get very expensive. The law should probably have been more clear on this point

Determining a breach has been defined as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” There is the possibility of confusion between account information and personal information. That will probably cause problems in the future lawsuits. Encryption is also going to be a challenge in the implementation and review for compliance requirements.

How this law integrates or conflicts with PCI requirements will news worthy. The different levels of PCI compliance and the levels identified by the law are now completely consistent. Can PCI SAQ assessment be enforced by the law? Can you be PCI compliant and not compliant with the law, or vice versa? I would venture to say yes.

If only we have a National Standard for all of this. Wouldn’t that be a progressive move?

Gary Bahadur

*Vulnerability Management

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Compliance & Policy Development

*PGP Security

What are the challenges with protecting electronic documents?

admin — Mon, 29 Mar 2010 12:36:37 +0000

: Image via Wikipedia

We have seen a lot of problems with Adobe vulnerabilities. Adobe has been getting beat up with all the negative publicity in the past few months. Apple is restricting access to Adobe on their devices. Has anyone tried their remote desktop sharing? I wonder if some vulnerability will be release in that application. What is the real problem with electronic document sharing and what are some of the solutions? Adobe is just an example; the whole industry of electronic documents is finally coming into its own.

Problems with Electronic Douments

How are people accessing electronic documents and how are they signing them and verifying them? Well there are multiple companies out there touting secure signature applications for documents. When do you use these companies? Some questions to ask include:
1. When and how do you determine the importance of the document?
2. Have you implemented a data classification scheme for electronic documents?
3. Who has the right to sign and read these documents?
4. How do you track usage and distribution?
5. Is there a time frame associated with the life of the document?
6. Can you prevent screen scraping of the secured document?
7. What is the “hackability” of the secure document?

Signing an electronic document can be a challenge for the technology challenged. Some documents might trigger antivirus or malware protection applications. If some intrusion detection applications can read a document or data loss prevention applications do not have access, you could be blocked from that document. Convenience of use is a major hurdle for the adoption of secure documents.

Printing, modifying, viewing, and deleting these documents require all kinds of levels of authorization that is probably difficult to manage. If you can have a location based “bomb” in the document for when it left the organization domain, that would be an interesting play on data loss prevention. We know client side options are easily broken, how do we change the mentality of secure document management?

I do not see how secure documents make too much sense in any public forum. Its not worth the effort to worry about secure documents outside of a strictly controlled corporate environment. Different forms of watermarking have their place in identification but not much in control.

The most likely areas are in Research and Development, Legal, Banking and Healthcare. These should be the quickest to adopt a secure framework for electronic documents. Some industry standards need to be followed and a process developed that all companies can follow. This would make it into all the data loss prevention applications eventually and really provide some security.

Gary Bahadur

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

McAfee unveils new data loss prevention tools (v3.co.uk)
Hackers used malicious PDFs to attack Google and Adobe (infoworld.com)
Certified Document Services (CDS) Program Grows to Six with Post.Trust Announcement (blogs.adobe.com)

Can you protect yourself on Social Media?

admin — Tue, 02 Mar 2010 02:44:56 +0000

: Image via Wikipedia

One of the greatest challenges to privacy and security in the next several years is Social Networks and Social Media. Sites like Facebook, Twitter, LinkedIn, MySpace and others can be the downfall of valuing information. The ability to share and provide information is completely the opposite of network security requirements. This is really encouraging people to do things that are not security conscious activities. Social media encourages:

Lack of privacy
Encouraging information sharing
Giving away answers to security questions
Social engineering

As we have seen recently, a lot of spam, spyware and malware is attacking social network. Just in the past week I have probably recieved a 100 requests to be my friend on Facebook from people who I do not know and funny enough, all the message have the exact same personal message. Malicious people are attracted to social networks because of the ease of gaining trust and availability of data for social engineering. Relationship building is easier through social media which can easily lead to phishing attacks.

With these sites, people install applications without knowing what goes on in the background, and its easy to download malicious code to your computer. There are no external third party audits of these applications before the make it to your Facebook application. Your computer can be easily infected by a virus or spyware.

What does the Social Media user to protect their information?
No Personal information – This is anti-social network, but there are things you can limit about what you post. Don’t post your Birthday! Or your address or your mothers middle name or any really personal data.

Limit who can view and contact you – Don’t let your profile be truly public, restrict to people you know for requested users. Remember you can’t retract information you put out there.

Don’t trust strangers – Your mother was right, don’t open the door to strangers. Limit who you accept chat or friend requests from and well as even communicate with.

Trust no Profile – People lie, it’s sad but true. So profiles lie, they might say they went to your college or high school. They might be interested in your groups, so don’t take anyone at their word.

Restrict your privacy – There are some configuration setting in all the social media applications that can allow you to turn on some restrictions on your privacy. Take a minute to actually look at them. One easy example is in Facebook you can create groups that you can place friend in; you don’t want business people seeing what your friends are posting.

Password management – An oldie but a goodie, always use a strong password and don’t share it. And change it periodically.

Layers of protection – You should be running a personal firewall and antivirus software on the machine you are viewing social networks. This will help if a malicious piece of software tries to download something to your machine. Keep your protection software up to date as well and run the patch management software on your machine, this is especially important for you Windows users.

Child protection software – You should have some kind of child protection software running on machines where children under 13 are using. This will help with all that shady software that is out there.

Gary Bahadur

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Half of Online Adults Use Social Networks at Least Monthly (seekingalpha.com)
Firms worry about social networks, but don’t block access (arstechnica.com)
Google Buzz proves problems with single online identities (thewayoftheweb.net)
Are Consumers Becoming More Suspicious of Social Networks? (marketingvox.com)
Seven Steps to Safe Social Networking (dominica-weekly.com)
13 Essential Social Media Lessons for B2B Marketers from the Masters (mashable.com)
Social Media for CEOs (slideshare.net)

When will Vendors provide Risk Assessments of their products?

admin — Thu, 18 Feb 2010 04:22:56 +0000

: Image via Wikipedia

Vendor risk assessment are not part of everyday corporate managememnt but it should be. If you drive a car and every week you have to get something fixed it would prove pretty annoying, disgusting, outrageous and you probably you would never buy that model again and probably wouldn’t by from that manufacturer either. So why do we accepts buggy software that is vulnerable to things like cross site scripting attacks, buffer overflows, malware and such? But we do that everyday.

Everything from vulnerable operating systems such as Windows to vulnerable applications such as Adobe and weak website such as Facebook. As stated by CIO.com, “SANS and Mitre, a Bedford, Mass.-based non-profit, federally funded technology research and development organization, today is also releasing its second annual CWE/SANS Top 25 list of the most common programming errors currently being made by software developers. The authors say the errors on the list are responsible nearly every major type of cyber attack, including the recent intrusions at Google (GOOG), and numerous utilities and government agencies.” The biggest companies are culprits.

So what are we do to about buggy software? How do you force a vendor risk assessment on all yoru vendors? Maybe scream “I’m mad as hell and I am not going to take it anymore!” Might feel good for a second or two, but not going to solve the almost daily patch process we have to go through for our software. Patch management is a thriving sector!

As I see it, some theoretical things the end user can do to change the deadly cycle of poor software:

Sue! I don’t know if that’s possible, but if you bought a car with bad acceleration problems (ahem Toyota) you might just sue the manufacturer if you got into an accident. What can we do that if some hacker breaks in through buggy software?
Stop buying from that vendor! Apple seems to be taking this tactic by not allowing Flash on the IPad. But can we all move away from Microsoft tomorrow? Probably not.
Make the vendors conduct Risk Assessments of their products prior to release. A third party risk assessment is probably a good idea. Something with more teeth than a SAS70 type review.

Gary Bahadur

http://www.kraasecurity.com

Address: 200 Se 1st St #601 Miami FL 33131

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Apple vs. Microsoft: Making Platform Enemies and Friends (seekingalpha.com)
Adobe Reader And Acrobat Get Yet Another Security Update (ghacks.net)
Microsoft investigates new Internet Explorer flaw (news.cnet.com)
Google readies Flash for Android devices (infoworld.com)
IBM: Vulnerabilities fell in ’09, but other risks abound (computerworld.com)
Update: Adobe issues emergency PDF patches (computerworld.com)
Serious web vuln found in 8 million Flash files (theregister.co.uk)
Hold vendors liable for buggy software, group says (computerworld.com)

Gary Bahadur

http://twitter.com/kraasecurity
Managed Firewall
Managed Vulnerability Scanning

Ponemon Institute Cyber megatrends – Some Additions Needed

admin — Sun, 29 Nov 2009 00:17:38 +0000

Ponemon Institute recently released their Cyber megratrends as listed below. While I agree with these I think there were a couple that could easily be added to the list. First, I would either add or modify Web 2.0 into Web 3.0. Lets look to what is going to happen versus what is happening. Incremental change may not be the trend. Secondly, I suggest adding Vendor Risk Management. The vendor does not have to be offshore to pose a problem. Vendors are so integrated into companies and business processes that they are like an employee but are not subjected to the same Network Security Assessment requirements in many cases.

Its a difficult thing to try and forecast. The good thing about it is that no one really remembers your forecaste anyway.

Regards
Gary Bahadur

http://www.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

++++++++++++++++++++++++++++++++++++++++++++++++
Cyber Security Mega Trends Study
Prepared by Dr. Larry Ponemon, November 18, 2009

HIPAA Vendor Compromised Healthcare Records

admin — Thu, 12 Nov 2009 13:46:50 +0000

This is story that is several months old, but as I came across it, i thought it would make a good point. A vendor handling healthcare records has lost social security numbers of people in March of 2009. In this case, Health insurer Aetna, Inc., is reportedly providing 65,000 individuals with free credit monitoring for a year after its job application Web site was breached, the Associated Press has reported.

The Web site, which was maintained by an outside vendor, had Social security numbers of current and past employees and individuals who received job offers from the insurer, the AP reported.

The site reportedly held e-mail addresses for about 450,000 individuals who had applied for jobs or submitted resumes to the company and were waiting to be notified about job openings. Spokeswoman Cynthia Michener said Aetna doesn’t know how many were copied, but the site has been disabled and is undergoing a “thorough forensic review” or you can say network security audit by an outside company.

So here we have a health insurer compromising personal data. People already recieve so much spam email that their real email is suspect. If your provider Aeata seems to be sending ligitimate emails to you, that can get confusing.

As noted in the article “This is not the first time the Hartford, Conn.-based insurer has had to provide free credit monitoring services. In April 2006, Aetna notified approximately 38,000 members that an employee’s laptop computer containing certain personal member information was stolen from a car in a public parking lot.”

If a compromise occurs once, you would think that a lot of new HIPAA data security protections would be put in place. But as we see in almost all industries, its very hard for a company to learn from its mistakes. Maybe there will not be a third time after this second breach.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://www.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning

IPhone Apps Every Road Warrior Entrepreneur Needs

admin — Thu, 22 Oct 2009 09:36:10 +0000

The Blackberry has been the mainstay of the business world for years. But as we know, the IPhone is eating away at market share. There are over 75,000 apps for the IPhone now and growing steadily. For those who have Blackberry Thumb, you can probably look forward to IPhone Index Finger at some point in the future as you switch away from the Blackberry.

Why should you switch from the Blackberry? Well there may not be a good reason. The Blackberry has a number of apps and it is secure, it has encryption and has been beaten up on the security front like network security assessment and application security testing. It’s ingrained in businesses and Blackberry Enterprise Server is well known to many IT administrators.

The Entrepreneur can use both devices. Let’s assume there are at least some people using the IPhone, what apps should they have in their toolkit? Of the thousands of apps, how can you pick a few that would be beneficial to the Entrepreneur Road Warrior? Well the way I picked them is through word of mouth , that are of benefit to me and comes with network security assessment tools. I travel, work in my car, have meetings at all times of day, I am away from the office for days or weeks.

Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world or at least readers of this Blog.

Urban Spoon

First up is Urban Spoon. You are thinking, well that’s not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the Entrepreneur is networking , managed security services, application security risk assessment and deal making. Where deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, by distance. Everything you need for a meeting is the most random city.

AroundMe

In the same vein as Urban Spoon, is AroundMe . Say you are on your way to an important lunch you have setup with a restaurant you found on Urban Spoon but you are almost out of gas. Use AroundMe to find the closed gas station. Or if you need cash to pay for that gas because your Amex Card has been cancelled, find the closest bank.

GoogleMaps

Well this is pretty obvious. But when you are traveling and maybe forgot to bring your Garmin GPS and do not feel like paying the rental company an extra $11.99 a day to rent their GPS , this is just as good.

ReQall

This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, translates it to text, organizes your calendar based on your voice messages, integrates into Outlook or Google Calendar and provides memory assistance. It’s great when you have no pen or driving in a car or need a memory reminder.

FlightAware

For the true Road Warrior, there is no road, there is the sky. So when you are rushing to the airport or think you need to rush to the airport, track down what is going on with your flight. Check out FlightAware to get an update and help you plan that trip to the airport.

TweetDeck

Social Media, the latest buzz word, actually has some teeth. Small companies and the Entrepreneur have to be connected to the work whether you like it or not. Twitter is a way of life these days even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try using TweetDeck.

These Apps don’t seem very business-like, but the Entrepreneur is practical, cheap, requires network security audit tools and has to get things done today . These help you achieve your million tasks on a timely basis.

Gary Bahadur

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

Urbanspoon: Half A Billion Shakes And Counting (techcrunch.com)
Will the iPad make a great car gadget? (blogs.computerworld.com)
What are your favorite iPhone apps? (scienceblogs.com)
My iPhone Apps (lenestrada.com)

Stolen laptop with employee information- yet again

admin — Fri, 07 Aug 2009 22:53:54 +0000

Stolen laptop with employee information- yet again

The Associated Press reported that a Williams Cos. Inc. laptop containing personal and compensation information was stopen from a workers vehicle. The laptop had over 4,400 current and former employees records. Information like names, birth dates, Social Security numbers and compensation data was on it. How many times have wee seen this story?

They said the laptop was password protected. Well then lets not worry eh? A password, run for Ze Hillz! They did not say whether other security measures like application security risk assessment and network security audit tools were used in place other than the PGP Whole Disk encryption , or of any kind of remote wiping utility was in place or even if a hard disk password was used. The people with stolen data can only hope this might be the case.

So not we have the hoke pokey dance of checking credit, getting free one year membership to credit monitoring, buring down the barn now that the horse was stolen, all that good stuff.

Here is a list fo some recent thefts

records	date	organizations
1,084	2009-08-06	Colorado Department of Corrections
131,000	2009-08-04	United States Army National Guard
1,000	2009-08-04	New Hampshire Department of Corrections
4,400	2009-07-31	Williams Companies, Inc.
766	2009-07-28	University of Colorado CO Springs
573,928	2009-07-25	Network Solutions
900	2009-07-24	Hampton Redevelopment and Housing Authority
1,000	2009-07-23	American International Group (AIG), American Life Insurance Co Japan
180,000	2009-07-22	HSBC Holdings plc, HSBC Life
1,917	2009-07-22	HSBC Holdings plc, HSBC Actuaries

The main problem with these events is that the user is uneducated when it comes to security and don’t bother to go for a security penetration test or information security risk assessment. No matter what kind of technology you put in place, the user can find a way around it to compromise your security. First educate them, then worry about technology to protect them from their own stupidity.

Gary Bahadur

o:888-KRAA-911, c: 917-568-7917, f: 866-633-6601

Address: 20801 Biscayne Blvd, Suite 403, Aventura, FL 33180

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

What do you do to protect your laptop’s data on open networks and in case of theft? (smarterware.org)

US to set out cyber security plan -Baha to the rescue

admin — Fri, 29 May 2009 12:59:49 +0000

Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate “Hacking Lab” in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times.

So what can we expect from the Czar?

The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.

Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is “untenable”.

Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.

Good plan right?

My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.

We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUST have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.

Baha – new Cybersecurity Czar

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.

In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years.

In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said.

But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.

Laptop Encryption – Serious lack of security

admin — Thu, 30 Apr 2009 22:00:07 +0000

I believe that more personal information has been stolen than there are actual people in the US. How much was stolen from the government would prove a nice study. And has anyone in the government actually been fired?

So the employee lost the laptop. Do you blame the employee or the agency for not educating the employee and provide wholedisk encryption? The agency believes that an unencrypted harddrive, but that has a “password” is secure? Well maybe someone should explain computer hacking, windows security, encryption and the concept of intrusion prevention to DHS.

Well you will probably see that laptop on Ebay or in a pawn shop. Some halfway intelligent person who buys it might be able to get to the data. Then what?

Five Steps to Laptop Security 101:

1) Encrypt using wholedisk encryption or at a minimum encrypt your data folders. Try PGP encryption (www.auroraent.com)

2) Patch Management, use automated patch management

3) Firewall, use a managed firewall in a corporate environment or a personal firewall, lots of free ones out there and cheap ones.

4) Hard Disk password, you can protect your drive from even booting with a hard disk password. yes this can be broken and have the manufacturer resetm, but its a pain and the casual person will not know what to do

5) Dont let the government have a laptop.

regards

gary