Security Policy Demonstration


This is a video created for the US Federal Courts on IT security. It illustrates the challenges of defending against security threats, using the online virtual world SecondLife as its setting, and presents a layered approach to security defense.

The video talks about building layers into your security policy: putting up strong, successive layers of defense rather than relying on a single barrier. This layered approach has been described as a “walled” approach in the discussions on Schneier’s blog, and has sparked quite a debate about how security should be approached.

Differences of opinion aside, the video illustrates many of the questions that corporations face when creating IT security policies.


Identity Theft Demonstration


Bruce Schneier, a strong voice in computer security, gave a presentation on identity theft at the IT Security Summit in Johannesburg, South Africa. The opening reception featured a theatrical example of the dangers of identity theft: a skit in which an actor pretended to be Bruce, carrying examples of his identity:

An impostor burst in on the scene and claimed to be Bruce. He produced a passport that identified him as Mr. Bruce Schneier. He then had his interlocutor check images on Google, FBI.gov and CIA.gov, all of which identified this bloke as Bruce. It was only after Bruce solved a simple block cypher of the words “I am Bruce” that the impostor fled the scene.

The real Bruce Schneier then explained the point of this exercise in a video you can watch here:

Bruce’s point is the difficulty of authenticating an identity. Government-issued identification and websites can all be manipulated to associate a person with a stolen identity, so the impostor’s passport and search results proved nothing; what settled the matter was a challenge only the real Bruce could answer. If your identity is tied solely to information that can be breached and stolen, authenticating that identity becomes a major problem, and it is a problem we all face today.

Via ZDNet

Security Quick Links for June 22


Check out this week’s interesting news stories from around the web:


FTC Chairman offers advice on Identity Theft


Deborah Majoras, Chairman of the Federal Trade Commission (FTC), shared some advice about identity theft with Kimberly Palmer of US News.

The resulting article covers how vulnerable the average person is to identity theft, how consumers can protect themselves, what to do when personal information goes missing, and the Chairman’s perspective on national identity theft legislation.

We’ve been moving so quickly in this information age with new technology that is so fabulous, but we left some of these safety issues behind. What we’re trying to do now is to literally catch up and develop a culture of security. It’s important not just that consumer data not be stolen, but it’s important that consumers keep confidence in the marketplace and that they know that if they go online and make a purchase, or they go into a store and hand over their credit card, that they’re not at great risk. That is really important because the marketplace is all built on consumer confidence.

63% of identity theft cases can be prevented by the consumer. Be vigilant in checking your bank statements, shred documents containing private information, don’t share confidential information over email or IM, and check your credit report periodically.


Security Quick Links for June 15


As we swing into the weekend, here are some security news items for your edification:


Ohio State data theft


The following theft report shows the importance of protecting not just computers, but also removable media and other peripheral devices.

64,467 employees of the State of Ohio are at risk of identity theft after an intern left a computer backup tape containing employee names and Social Security numbers in his car, from which it was subsequently stolen. Governor Ted Strickland issued a news release today regarding the data breach. Although the theft occurred on June 10, state employees were not notified until today.

After the theft, state employees spent four days trying to determine what data was on the backup tape. Four days to establish a tape’s contents is itself a finding: an inventory of what each backup set contains, kept separately from the media, should make that answer immediate. A policy is in place for storing backup data off-site, but in practice the intern had been told to store the tape at his home. The Governor has ordered that this practice stop immediately.

The Ohio government is launching a new ID Protection section on its website today, and employees will be provided with credit protection for one year. Strickland has issued an executive order that all technology managers review their security policies and make changes, including mandatory data encryption.

Via daytondailynews

Eden Project Laptop Theft


The big security news of the day in the UK is the theft of a laptop containing private information on 500 employees of an environmental project known as the Eden Project.

The stolen laptop is believed to hold personal information, including names, addresses, bank details and phone numbers, for 500 Eden Project employees. It was stolen from the car of a contractor working for the Project; the date given is June 1, 2007.

An employee of Moorepay, the company that handles payroll for the Eden Project, left the laptop in his car, one of the highest-risk places for laptop theft. The Eden Project’s IT security policies evidently did not extend far enough to cover how its contractors handled employee data.

Tim Smit, creator of the Eden Project, had this to say:

“We are appalled at the lapse of security and are making sure our personal data is never put in such a vulnerable position again.”

In the U.S., the data privacy and security legislation currently before the Senate would set more rigid rules for contractors to avoid a similar breach on U.S. soil. The bill would require businesses to vet their contractors more closely. For example: are laptops protected with encryption, password protection and laptop recovery software? Do employees know the best practices of laptop security and data protection?

A successful security policy applies not just to internal employees but to every contractor who has access to confidential information. The first principle of effective laptop security is knowing who has access to the data and on which machines it resides. 57% of corporate crimes can be linked to stolen laptops; taking stock is no longer optional.

Via SC Magazine, PC World, ITPro

NRF suggests changes to data breach legislation


The National Retail Federation issued a statement last week that lawmakers considering Federal data breach legislation should consider the different types of consumer data kept, and the risks associated with those data types. The NRF suggests that breaches of sensitive information be treated differently than information that cannot lead to identity theft.

The NRF, the world’s largest retail trade association, says it backs national data breach notification standards as being in the best interests of both businesses and consumers. However, it argues that retailers do not usually hold the personal data needed to commit identity theft; typically, a retail data breach poses a risk only of credit card fraud, which is easier to detect and resolve than identity theft.

The NRF suggests that data breach legislation distinguish between these types of information and the risks they pose if breached, and also take account of the size of the businesses affected. It suggests replacing the term “significant risk” in the bill with “reasonable risk”.

The NRF says the current bill would impose a heavy burden on small businesses: smaller businesses, it argues, are not usually targeted for data theft, and the strict security standards would weigh heavily on the small business sector.

The NRF makes some good arguments for differentiating between data types in breach legislation. A breach of credit card information is far less damaging than one exposing the data needed for identity theft, and such breaches can be addressed outside the public eye, since cards can be cancelled and reissued. However, I think that security standards should apply universally across data types, if not across business sizes. Every company holds personal employee information as well as customer information, and we have seen just how many employees have been affected by recent data breach cases.

Via Computerworld

Pfizer data breach affects 17,000


Pfizer is being investigated by Connecticut Attorney General Richard Blumenthal after a data breach that exposed Social Security numbers and other personal data of 17,000 current and former Pfizer employees, 300 of whom are in Connecticut. The breach resulted from an employee installing unauthorized file-sharing software on a laptop holding the data; the data subsequently appeared on the web.

The Connecticut Attorney General’s Office issued a letter to Pfizer (read it here) requesting that Pfizer take steps to protect its employees and to help those who have been compromised. The Attorney General is also asking Pfizer to provide additional details of the breach to the public, and to explain what it plans to do about its handling of personal information and security.

Compromise of consumer and customer financial information is unacceptably and appallingly common. Pfizer and other companies have a legal and moral responsibility to protect private information. Corporations must make massive improvements in handling and securing sensitive employee and customer data, such as social security numbers and other vital information. Lax information security is an identity thief’s dream and a consumer’s nightmare. Loss of sensitive personal data can create long-lasting and far-ranging problems — ruined credit, difficulty in obtaining loans, harassing calls seeking payment of debts not owed — that take years to resolve.

Pfizer does not know how much of the exposed information was accessed or copied while it was available on the web. Pfizer has sent a letter to employees, although with scarce details, and will pay for employee insurance costs resulting from the breach. Blumenthal asks that, in addition to providing more information, Pfizer place credit freezes for affected employees and cover the associated fees.

Via CNET & CNN Money

Database security found lacking


A survey conducted by Application Security and the Ponemon Institute was released this week at the Gartner IT Security Summit. It reveals that 40% of companies are not monitoring their databases for suspicious activity, which places them at high risk of data breaches and identity theft.

According to the survey of 649 IT professionals (60% in CIO or CTO positions), 78% of respondents say their databases are critical or important to their business and contain customer data. IT professionals are increasingly strained by two competing demands: the data must be protected from external and internal threats, while the business demands ever greater access to that data for decision-making.

With more than 50% of these organizations managing 500 or more databases, a 40% share of companies not effectively monitoring their databases is staggering.

Some of the key problems facing respondents are the sheer number of databases being used and the difficulty of knowing where those databases are and what is in them…

According to Weiss, locating all of an organization’s databases is just one-fourth of the battle. Corporations need to prioritize which databases need to be addressed first, remediate any vulnerabilities or security issues and monitor databases for suspicious activity, he said. [eWeek]

As previous posts on this blog have indicated, “people” are the biggest concern IT professionals have when it comes to data security. 57% of respondents say they have inadequate protection against malicious insiders and 55% are not protected against data loss caused by insiders.

In general, only 45% of IT professionals felt adequately protected against data loss.

In addition, the survey indicates that companies are more concerned about securing their own data (intellectual property and confidential business information) than they are about securing their customers’ data.

Via InformationWeek & eWeek