Sunday, March 01, 2009

I can't identify any new ideas here. “But now we really mean it!”

http://www.internetnews.com/government/article.php/3807401/Experts+Push+Guidelines+to+Halt+Data+Breaches.htm

Experts Push Guidelines to Halt Data Breaches

After a series of high-profile attacks and security lapses, government and private sector experts pull together a list of recommendations.

February 26, 2009 By Richard Adhikari

Amid increasing scrutiny over U.S. cybersecurity, experts from both the private and public sectors are pushing a set of recommendations they say are sorely needed to help shore up the nation's defenses against data breaches.

The resulting Consensus Audit Guidelines (CAG) map out requirements for security controls needed to protect IT installations in government and the private sector.

… Aiming to shut the door on such attacks, the new CAG recommendations (available here) call for organizations to adopt 20 key security controls to safeguard themselves against current and future threats.

Recommendations include inventorying hardware and software, [You can't secure it if you don't know it exists! Bob] maintaining and analyzing security audit logs, setting up boundary defense measures and implementing secure configurations for hardware, software and network devices. [Perhaps encrypting laptops? Bob]

… One key recommendation ensures that security efforts can pass a real-world litmus test, project participants said.

"The best item in the list is the shortest -- how do you test whether or not what you put together is effective?" Alan Paller, director of research at the SANS Institute, a security training group that brought together many of the CAG's participants, told InternetNews.com. "If you don't have a way to test, how do you know when you're done?"


Related. An interesting philosophy.

http://securitywatch.eweek.com/identity_theft/pci_chiefs_defend_standards_plans.html

February 26, 2009 11:31 PM

PCI Chiefs Defend Standard(s), Plans

It's a gross oversimplification of an utterly staggering technical and social challenge, and he knows it as well as anyone, but it's hard to argue with PCI Security Standards Council General Manager Bob Russo's assertion that when it comes to improving electronic data security and related matters of individual privacy, "something is much better than nothing."



Unfortunately, disclosure to third parties is limited only when it is for “marketing purposes.” This still allows third parties to hold (and breach) the data in other contexts.

http://www.pogowasright.org/article.php?story=2009022811355380

Judgment For Disclosing PII To Business Partners: Explicit Opt-In Is Required

Saturday, February 28 2009 @ 11:35 AM EST Contributed by: PrivacyNews

Rebecca Herold offers some commentary on a court case:

Basically the District of Columbia Circuit upheld a Federal Communications Commission rule requiring phone carriers to obtain prior opt-in consent from customers before disclosing their PII to partners or independent contractors for marketing purposes

Source - IT Compliance

Related - National Cable & Telecommunications Association, Petitioner, v. Federal Communications Commission and United States of America, Respondents, Qwest Communications International Inc. and Verizon, Intervenors (pdf)



Statistics and quotes. Probably accurate even if the supporting numbers are missing.

http://www.contactcenterworld.com/view/contact-center-news/IT-experts-say-card-fraud-will-spike-in-2009-affecting-one-in-three.asp

IT experts say card fraud will spike in 2009 affecting one in three

United Kingdom - 25th February 2009 - Based on its observations in the e-crime marketplace - and reports in recent months from a wide number of third-party organisations - Fortify Software is predicting that one in three adults in the UK will be affected by card fraud in the coming year – last year card fraud affected 1 in 4.

… Further, Fortify's VP says that, whilst card fraud identikits - which typically include a card number, start/expiry dates, three-digit CVVs plus other relevant data extracted from the magnetic strip of the payment card - were selling for around $15.00 each 18 months ago, that figure had fallen to around $2.00 by last October.

"And, as card identikits are shared between cybercriminals, this form of card data is increasingly being sold by the thousand, meaning that kit prices are dropping to just a dollar a pop, when sold in volume," Kirk explained.

… What is driving the cost of identikits? The economic recession.

"Just as the average person in the street is having to tighten their belt, so is the average card criminal. They are having to increase their sales volumes by reducing the cost of each card identikit, and so compete with the growing number of people in possession of this data," he explained.

… "We are reaching the stage where the card fraud market is becoming commoditised, and the card identikit price being dictated by what is effectively a glut in the market," he said.



Security compromised because someone just had to listen to their tunes on a computer containing classified data? (If the helicopter pictured is the one compromised it's probably no big deal. If memory serves they are at least 20 years old.)

http://news.cnet.com/8301-1009_3-10184558-83.html?part=rss&subj=news&tag=2547-1_3-0-5

Data on Obama's helicopter breached via P2P?

by Charles Cooper February 28, 2009 4:06 PM PST

An Internet security company claims that Iran has taken advantage of a computer security breach to obtain engineering and communications information about Marine One, President Barack Obama's helicopter, according to a report by WPXI, NBC's affiliate in Pittsburgh.



Not all technology is useful in all areas. Then again, should we blame the tool or the tool user?

http://news.cnet.com/8301-13846_3-10184580-62.html?part=rss&subj=news&tag=2547-1_3-0-5

The case against enterprise micro-blogging

by Dave Rosenberg February 28, 2009 5:41 PM PST

As a consistent Twitter user, I've found the service to be a valuable marketing tool as well as an entertaining pastime for my friends and me to shoot one-liners at each other.

… The lack of threaded messages amongst the users and the challenging interfaces of most micro-blogging services also affect communication styles by enforcing a shortened message. That sounds like a good idea until you are forced to spend more time trying to figure out what someone meant in 140 characters. The reality is that most people are poor communicators and they are even worse when it comes to their writing and editing skills.

When it comes to business, you don't want to read between the lines as you do in your personal Twitter-verse. Even with enterprise email overload, and a never-ending supply of documents flying back and forth, at least you have the ability to state and substantiate a point.


Related. Politicians believe in secrets only so they can be 'leaked' whenever a political advantage can be realized. Sounding “in the know” is sufficient advantage, as is “mocking the opposition,” “disrupting sensitive negotiations,” and “Monday morning quarterbacking.”

http://news.cnet.com/8301-10787_3-10184568-60.html?part=rss&subj=news&tag=2547-1_3-0-5

Suddenly, Twitter's the rage with D.C. politicos

by Charles Cooper February 28, 2009 4:21 PM PST

Did Missouri's U.S. senator, Claire McCaskill, just use Twitter to blab the timing of President Barack Obama's choice to run the Department of Health and Human Services?

… Besides, McCaskill has carved out a reputation as one of the most avid Twitter users in the Senate. When she noticed that Supreme Court Justice Ruth Bader Ginsberg showed up for President Obama's speech to Congress Tuesday night, following an operation related to her pancreatic cancer, McCaskill posted the following: "I did big wooohoo for Justice Ginsberg (sic). She looks good." [This fits none of my categories, so I'll create a new one: “Twit!” Bob]

Last week, much was written after several members of Congress were found to have twittered during the president's nationally televised speech.




Very interesting collection of forensic resources.

http://www.bespacific.com/mt/archives/020705.html

February 28, 2009

New on LLRX.com - Criminal Law Resources: Social Networking Online and Criminal Justice

Criminal Law Resources: Social Networking Online and Criminal Justice - The activities of users and the information being posted on social networking sites are having wide ranging effects on the administration of justice, law enforcement investigation, prosecution and defense. Ken Strutin's guide provides a snapshot of many of the novel and varied uses of social networking evidence in the field of criminal justice.



Is this the best business model they could come up with? How does it compete with “free” content? Does it suggest they are abandoning the advertising model? (Clearly I don't get it.)

http://news.cnet.com/8301-1023_3-10174003-93.html

Hearst developing e-reader, charging for e-news

by Dong Ngo and Zoë Slocum February 27, 2009 12:48 PM PST

Hearst, one of the largest media conglomerates in the world, announced on Friday that it has developed an electronic reader for newspapers and magazines, the way Amazon.com's new Kindle does for books. The publisher is also planning to put at least some of its online content behind a pay wall, according to a report in The Wall Street Journal.



Geeky stuff

http://news.cnet.com/8301-13846_3-10184539-62.html?part=rss&subj=news&tag=2547-1_3-0-5

Mozilla Bespin: Cloud code editing via browser

by Dave Rosenberg February 28, 2009 1:34 PM PST

Bespin is a Mozilla Labs experiment that "proposes an open, extensible Web-based framework for code editing that aims to increase developer productivity, enable compelling user experiences, and promote the use of open standards."

… There are a number of browser-based editors already, but check out the video, and you'll see why Bespin is interesting.
