Tuesday, June 05, 2007

No surprise, but should be a concern for the Board of Directors

http://www.eweek.com/article2/0,1759,2141544,00.asp?kc=EWRSS03119TX1K0000594

Businesses Struggle to Secure Data

June 4, 2007 By Brian Prince

Business leaders rank the importance of securing their own data above securing their customers' data, according to a recent survey of IT executives.

Customer data ranks third on the list of items business leaders worry about protecting from data breaches, according to a poll of 649 IT executives for a study by the Ponemon Institute. Intellectual property and confidential business information took top billing.

The report, a survey of IT executives from businesses and governmental organizations in the United States, Europe, the Middle East and Africa, included further unsettling results. Only 45 percent of IT staffers surveyed felt they were adequately protected against data loss; 40 percent of the respondents said their organizations don't monitor suspicious database activity or they didn't know whether such monitoring occurs; and 68 percent said they felt their databases were well protected against hackers, but only 43 percent expressed confidence that they were safe from malicious insiders.

... Some of the key problems facing respondents are the sheer number of databases being used and the difficulty of knowing where those databases are and what is in them. Thirty percent of respondents said their organizations had between 101 and 500 databases, while 23 percent reported having in excess of 1,000. Another 16 percent could not determine how many databases they had.



Another take on Security

http://www.net-security.org/secworld.php?id=5217

Global computer security study reveals employees take unnecessary risks

Posted on 05 June 2007.

SurfControl released an international Trust & Risk in the Workplace Study, conducted by Dr. Monica Whitty of Queen’s University Belfast. The study surveyed 1000 mobile and desktop employees across five countries – Australia, the Netherlands, Singapore, the United Kingdom and the United States – on the risks taken over company networks. The study demonstrates that employees in all regions take security risks, and mobile users take more risks than desktop users.

The study also found that across all activities surveyed, laptop users took more risks than their deskbound colleagues and some laptop users access the Internet through potentially insecure networks. According to the study, two thirds use wireless hotspots.

... Please visit the following link for access to the complete study: http://www.surfcontrol.com/default.aspx?id=491&mid=32



Another Security Survey...

http://www.sourcewire.com/releases/rel_display.php?relid=31770&hilite=

Security survey shows uncontrolled network access causing CTO's sleepless nights

London, UK, 5 June 2007

A survey of more than 200 CTOs has revealed that internal security – protection within the Local Area Network (LAN) – is currently UK organisations’ Achilles heel, leaving them open to dangers such as loss or theft of sensitive information, fraud and litigation.

‘Employees with unrestricted access to all LAN assets’ was the number one concern for CTOs. [Can you think of any reason why an employee would have unrestricted access? Bob] Rounding out the top concerns were controlling contractors, protecting against malware, and documenting user activity. Together, these issues represented almost 70% of near-term investment plans to improve internal security.

This focus isn’t surprising, given that nearly half (47%) of respondents had either very basic or no network access restrictions in place. Meanwhile, almost half (44%) admitted to having little or no LAN auditing capability, leaving themselves with no formal records should litigation take place. In addition, they have no way to verify what suspect users, such as those announcing they’re leaving a company, have done on the LAN with regard to accessing inappropriate materials.

ConSentry Networks... surveyed the CTOs in April

... Additional findings that illustrate many organisations’ current vulnerabilities include:

· License to Look – when asked where respondents felt they had to invest more heavily, ‘Controlling access to the network’ was the top priority. ‘Restricting access for guests and contractors’ and ‘Controlling what information employees can reach’ each generated 18% of responses – this shows an awareness of the need to protect the LAN. However…

· Enemy at the Gates – when asked about their level of confidence in perimeter security that would protect against external threats, nearly one fifth (19%) said they had ‘little’ or ‘no confidence’

· The Devil Inside – there was even less confidence around internal security, as nearly a third of respondents (30%) had ‘little’ or ‘no confidence’

· Communication Breakdown - nearly one fifth (17%) of respondents admitted to only meeting heads of strategic functions such as Sales, HR and Finance on either a six-monthly or annual basis, leaving them out of touch with the business’ evolving technology needs
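The survey's point about LAN auditing (no way to verify what a user who has announced they are leaving has done on the LAN) is only answerable if share access is logged and someone actually reads the log. The script below is an added example, not from the survey or from ConSentry: it takes a watch list of departing users and a file-share access log, and flags any access by a watched user to a share belonging to another department, totalling the bytes copied. The log format is constructed for the example; real file-server audit records (Windows object-access events, Samba full_audit, NetApp fpolicy) carry the same fields under different names, so only the parser needs changing.

```python
import re

# Constructed sample of file-share access records (not real logs). One record per line:
# timestamp, user, the user's department, action, UNC path, bytes transferred.
SAMPLE_LOG = r"""2007-06-04T09:02:11 user=jsmith dept=sales action=READ path=\\fs01\sales\forecast_q3.xls bytes=120400
2007-06-04T09:04:30 user=jsmith dept=sales action=READ path=\\fs01\finance\payroll_2007.xls bytes=880000
2007-06-04T09:05:12 user=jsmith dept=sales action=COPY path=\\fs01\finance\board_minutes.doc bytes=65000
2007-06-04T09:06:01 user=jsmith dept=sales action=COPY path=\\fs01\hr\salary_bands.xls bytes=41000
2007-06-04T10:15:44 user=apatel dept=finance action=READ path=\\fs01\finance\payroll_2007.xls bytes=880000
2007-06-04T10:20:09 user=bwong dept=sales action=READ path=\\fs01\sales\pricelist.pdf bytes=22000
2007-06-04T11:45:37 user=jsmith dept=sales action=COPY path=\\fs01\legal\contracts_index.xls bytes=9000
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_record(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    # The share name is the first component after the server in \\server\share\file.
    parts = rec["path"].split("\\")
    rec["share"] = parts[3] if len(parts) > 3 else ""
    return rec


def audit_leavers(log_text, watchlist, copy_actions=("COPY",)):
    """Report cross-department share access by users on the watch list.

    The assumption (for the example) is that a share is named after the department
    that owns it, so a sales user reading \\fs01\finance is worth a look; a user
    touching only their own department's share produces no entry at all.
    Returns {user: {"cross_dept_events": n, "bytes_copied": n, "shares": [...]}}.
    """
    report = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["user"] not in watchlist:
            continue
        if rec["share"] == rec["dept"]:
            continue  # own department's share: expected activity
        entry = report.setdefault(
            rec["user"], {"cross_dept_events": 0, "bytes_copied": 0, "shares": set()}
        )
        entry["cross_dept_events"] += 1
        entry["shares"].add(rec["share"])
        if rec["action"] in copy_actions:
            entry["bytes_copied"] += rec["bytes"]
    for entry in report.values():
        entry["shares"] = sorted(entry["shares"])
    return report


if __name__ == "__main__":
    # jsmith has given notice; bwong and apatel are ordinary users.
    for user, entry in audit_leavers(SAMPLE_LOG, {"jsmith"}).items():
        print(f"{user}: {entry['cross_dept_events']} cross-department accesses, "
              f"{entry['bytes_copied']} bytes copied from {', '.join(entry['shares'])}")
```

The watch list is the piece most organisations lack, not the log: HR knows who has resigned, but that fact rarely reaches whoever owns the file-server audit trail. Feeding the leaver list into a nightly run of this kind is cheap; the expensive part is making sure share access is being recorded at all, which the survey says 44% of respondents cannot do.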



Well, it's a start... (Includes a short tour of the Bill of Rights...)

http://www.pogowasright.org/article.php?story=2007060413004918

Data Mining and the Security-Liberty Debate

Monday, June 04 2007 @ 01:00 PM CDT - Contributed by: PrivacyNews - Surveillance

Dan Solove has written an essay, "Data Mining and the Security-Liberty Debate," for an upcoming symposium on surveillance for the U. Chicago Law Review.

The essay's abstract:

In this essay, written for a symposium on surveillance for the University of Chicago Law Review, I examine some common difficulties in the way that liberty is balanced against security in the context of data mining. Countless discussions about the trade-offs between security and liberty begin by taking a security proposal and then weighing it against what it would cost our civil liberties. Often, the liberty interests are cast as individual rights and balanced against the security interests, which are cast in terms of the safety of society as a whole. Courts and commentators defer to the government's assertions about the effectiveness of the security interest. In the context of data mining, the liberty interest is limited by narrow understandings of privacy that neglect to account for many privacy problems. As a result, the balancing concludes with a victory in favor of the security interest. But as I argue, important dimensions of data mining's security benefits require more scrutiny, and the privacy concerns are significantly greater than currently acknowledged. These problems have undermined the balancing process and skewed the results toward the security side of the scale.

Source - Concurring Opinions (blog)

Download full article: "Data Mining and the Security-Liberty Debate" [pdf]
Info on Symposium



E-surveillance

http://yro.slashdot.org/article.pl?sid=07/06/04/144243&from=rss

Concerns Over Microsoft's Internet User Profiling

Posted by CmdrTaco on Monday June 04, @10:42AM from the like-they-don't-already-know dept. Microsoft Privacy

jcatcw writes "Microsoft research on Internet user profiling could lead to tools that help repressive regimes identify anonymous dissidents, the Reporters Without Borders advocacy group warned last Friday. Microsoft's new algorithms correctly guessed the gender of a Web surfer 80% of the time, and his or her age 60% of the time. "In China, it is conceivable that this type of technology would be used to spot Internet users who regularly access such 'subversive' content as news and information websites critical of the regime," the group said."



To Google or not to Google... Shouldn't it be mandatory?

http://www.bespacific.com/mt/archives/014999.html

June 03, 2007

Harvard Business Review Case Study on Googling Job Candidates

  • We Googled You (Harvard Business Review Case Commentary), Diane L. Coutu, John G. Palfrey Jr., Danah M. Boyd, Jeffrey A. Joerres, Michael Fertik, June 1, 2007: "This case depicts an executive who, through an online search, discovers information about a job candidate that causes him concern about her qualifications. The reader considers issues such as the legal implications of Internet searching practices, the veracity of information found online, and the wisdom of expecting job candidates to have spotless online reputations."



Is this overly “picky” or a simple expectation that the lawyers control what happens?

http://ralphlosey.wordpress.com/2007/06/03/litigation-hold-is-not-enough-sanctions-imposed-under-rule-26g-for-negligent-search-and-preservaton/

Litigation Hold Is Not Enough: Sanctions Imposed Under Rule 26(g) for Negligent Collection and Preservation

Sanctions were recently imposed under Rule 26(g) for errors in the collection and preservation of computer files. Cache La Poudre Feeds, LLC v. Land O’Lakes Farmland Feed, LLC, 2007 WL 684001 (D.Colo. March 2, 2007). Rule 26(g) requires an attorney to sign all discovery requests, responses and objections.

... Even though the sanctions imposed were relatively minor, the case is still important, not only because Rule 26(g) was applied, but also because of the facts found to be sanctionable. These facts make clear that it is not enough to simply issue a litigation hold to key employees, and then assume they will properly locate, preserve and produce the relevant computer files and other ESI. Counsel have a duty under the rules to follow up on the hold notice, and make reasonable efforts to independently verify that the hold directive has been followed, and the relevant ESI has been preserved and produced. This is part of the so-called “Zubulake duties” discussed at length in the “Duties” blog page above. See Zubulake v. UBS Warburg LLC, 229 F.R.D. 422 (S.D.N.Y. 2004) (“Zubulake V”).

The defendant in this case, Land O’Lakes, sent out a litigation hold notice to key employees within days after the trademark violation suit was filed. The court found the timing was acceptable, but faulted Land O’Lakes’ in-house and outside counsel for the procedure chosen to preserve and collect the ESI, and for the poor follow-up to the hold notice.

After the written hold notice was sent, there were interviews with key witnesses, but the Land O’Lakes employees were essentially on their own to locate and preserve the emails and other files that they considered to be related to the trademark dispute. The employees looked through their files, and although they located 50,000 pages of documents related to the mark “Profile”, they only found 415 emails. Counsel simply accepted all of this as correct. No attempt was made by either in-house counsel, or by outside counsel who signed the discovery responses under Rule 26, to independently verify their efforts. Counsel simply took the files they produced and assumed that it was complete and the search was thorough. Further, no system-wide key word search was ever run on defendant’s systems, or the key employees, as plaintiffs argued strenuously should have been done.
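The court's complaint was that nobody checked the custodians' self-selection against an independent search. The script below is an added example, not part of the Losey post or of the case record: it walks a mail store and file share, flags every file containing any of the case's keywords, records a SHA-256 of each hit so the collection can later be shown unaltered, and then lists the hits the custodians did not produce. The corpus it builds is constructed for the example (five tiny files with "Profile" as the keyword, echoing the mark at issue); on a real system you would point it at the exported mailboxes and shares instead.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large mailbox exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def keyword_sweep(root, keywords):
    """Return {relative_path: {"sha256": hex, "hits": [keyword, ...]}} for every file
    under root whose content contains at least one keyword (case-insensitive).
    Keywords are reported in the order given so the manifest is stable."""
    lowered = [k.lower() for k in keywords]
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                text = f.read().decode("utf-8", errors="replace").lower()
            hits = [k for k, lk in zip(keywords, lowered) if lk in text]
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                results[rel] = {"sha256": sha256_file(full), "hits": hits}
    return results


def unproduced(sweep_results, produced_paths):
    """Files the sweep found that are absent from what the custodians handed over."""
    produced = set(produced_paths)
    return sorted(p for p in sweep_results if p not in produced)


def build_sample_corpus():
    """Constructed sample mail store and share (not real case documents)."""
    root = tempfile.mkdtemp(prefix="esi_")
    files = {
        "mail/jdoe/001.eml": "Subject: Profile feed launch\n\nMarketing plan for the PROFILE line attached.\n",
        "mail/jdoe/002.eml": "Subject: Lunch\n\nBurgers at noon?\n",
        "mail/rlee/003.eml": "Subject: Re: trademark\n\nLegal says the Profile mark may conflict.\n",
        "mail/rlee/004.eml": "Subject: Budget\n\nQ3 numbers attached.\n",
        "share/plans/profile_launch.txt": "Launch checklist for Profile feed, version 2.\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_corpus()
    manifest = keyword_sweep(root, ["Profile", "trademark"])
    # What the custodians said was "everything" (constructed): one email out of three hits.
    custodian_production = ["mail/jdoe/001.eml"]
    for path, info in manifest.items():
        print(f"{info['sha256'][:12]}  {path}  hits={info['hits']}")
    print("not produced:", unproduced(manifest, custodian_production))
```

The manifest is the part counsel signing under Rule 26(g) actually needs: a list of what the independent search found, with hashes taken at collection time, against which the custodians' 415 emails can be reconciled. A keyword sweep over-collects (every lunch email mentioning "profile" will hit), but the court's objection was the opposite failure, and over-collection is what privilege review is for.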



RIAA strategy unraveling...

http://arstechnica.com/news.ars/post/20070604-riaa-throws-in-the-towel-in-atlantic-v-andersen.html

RIAA throws in the towel in Atlantic v. Andersen

By Eric Bangeman | Published: June 04, 2007 - 04:04PM CT

One of the most notorious file-sharing cases is drawing to a close. Both parties in Atlantic v. Andersen have agreed to dismiss the case with prejudice, which means that Tanya Andersen is the prevailing party and can attempt to recover attorneys fees.

... As we noted earlier today, counterclaims accusing the RIAA of all sorts of wrongdoing have become increasingly common. Late last month, Andersen filed a motion for summary judgment, saying that the plaintiffs have "failed to provide competent evidence sufficient to satisfy summary judgment standards" to show that she engaged in copyright infringement. Most notably, a forensic expert retained by the RIAA failed to locate "any evidence whatsoever" on Andersen's PC that she had engaged in file-sharing.


...resulting in:

http://arstechnica.com/news.ars/post/20070604-florida-defendant-goes-after-riaa-for-fraud-conspiracy-and-extortion.html

Florida defendant goes after RIAA for fraud, conspiracy, and extortion

By Eric Bangeman | Published: June 04, 2007 - 01:21PM CT

As the RIAA has continued its legal assault on file-sharing, defendants are responding with what amount to boilerplate defenses and counterclaims against the RIAA's allegations of copyright infringement. One recent RIAA target, Suzy Del Cid, is fighting back with a counterclaim that accuses the RIAA of all sorts of nefarious misdeeds.

UMG v. Del Cid is being heard in the US District Court for the Middle District of Florida, and in a counterclaim filed late last week, Del Cid accused the RIAA of computer trespass, conspiracy, extortion, and violations of the Fair Debt Collection Practices Act.



Dilbert introduces us to a new terror weapon!

http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert2061099070605.gif
