Archive for August, 2008

Compliance Spending Found Profitable

Friday, August 29th, 2008

The IT Policy Compliance Group (IT PCG) has published its annual report on IT Governance, Risk and Compliance. The 2008 Report, which can only be downloaded by members, looks at research conducted with more than 2600 organizations.

According to the published brief, security and compliance spending can lead to higher profits, lower expenses and improved customer satisfaction. Although many companies dread spending on compliance and security, even given the risks that come with cost-cutting approaches, the report indicates that companies that move up the IT governance, risk and compliance (IT GRC) maturity scale are seeing a high return on their efforts.

IT GRC encompasses practices to deliver greater business value from IT strategy, investment and alignment, as well as mitigating risk and conforming to compliance mandates. What the data shows is that IT GRC mature companies enjoy higher revenues & profits while spending less on regulatory compliance. These best practices also reduce the financial impact if a data loss were to occur – 0.4% of revenue in mature organizations vs 9.6% for less mature companies.

Those companies considered most mature were not necessarily large businesses, but businesses that have effectively adapted security process frameworks to their own operations. Less-mature companies tend to over-focus on operational process frameworks.

You can continue reading about this report at Network World, where there’s a great overview.

Banking Details Sold on eBay

Thursday, August 28th, 2008

Who Breached: Graphic Data (holding 3rd party data)
Number Affected: Millions
Information breached: Financial records
How: Computer sold on eBay

Several million people have been affected after a computer was sold “inappropriately to a third party” via eBay. The computer contained sensitive information on customers from the Royal Bank of Scotland, American Express and NatWest.

A former employee of the archiving company Graphic Data (owned by MailSource UK) sold a machine that contained the banking information. Information included account numbers, passwords, phone numbers and signatures. The computer was sold on eBay for £35 to an IT manager, Andrew Chapman, who came forward after noticing the data on the hard drive.

Click here for a video of Andrew Chapman being interviewed about buying the computer & its data.

The Information Commissioner’s Office (ICO) has launched an investigation into how this mistake happened and what steps will be taken to avoid a similar incident. According to MailSource UK, the computer was sold without authorization.

“The IT equipment that appeared on eBay was neither planned nor instructed by the company to be disposed” – Nicole Morgan, MailSource UK

The data on the hard drive was not wiped before the computer was sold (although even data that has been wiped can sometimes be recovered).
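The failure behind this breach is a disposal step that skipped sanitisation. The following Python example (added here, not from the post or from any of the companies named) models a tiny constructed disk image in which a record has been “deleted” only at the filesystem level, shows that a block-level scan still finds it, and shows that an overwrite pass is what actually clears it. The block size, image layout and sample record are all assumptions for the demonstration.

```python
import os
import tempfile

BLOCK = 512  # sector-sized blocks; an assumption for this constructed image


def write_image(path, size_blocks, payload, payload_block):
    """Build a constructed image: zeros everywhere except one block holding payload.

    This stands in for a drive where a file was deleted but its data blocks were
    never overwritten: the directory entry is gone, the content is not.
    """
    with open(path, "wb") as f:
        for i in range(size_blocks):
            if i == payload_block:
                f.write(payload.ljust(BLOCK, b"\x00"))
            else:
                f.write(b"\x00" * BLOCK)


def residual_blocks(path):
    """Return byte offsets of blocks that still contain any non-zero data.

    A pre-disposal check: an image that should have been zeroed must return [].
    """
    found = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            if any(chunk):  # any non-zero byte means residual data
                found.append(offset)
            offset += len(chunk)
    return found


def wipe_image(path):
    """Overwrite every byte with zeros (a single pass, for illustration only)."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(remaining, 1 << 20)
            f.write(b"\x00" * n)
            remaining -= n


def demo():
    """Return (residual offsets before wipe, residual offsets after wipe)."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.close()
    try:
        record = b"ACCT:12345678 NAME:J DOE"  # constructed sample, not real data
        write_image(tmp.name, 64, record, 17)
        before = residual_blocks(tmp.name)
        wipe_image(tmp.name)
        after = residual_blocks(tmp.name)
    finally:
        os.unlink(tmp.name)
    return before, after
```

On a real drive the same idea applies to the raw device rather than an image file, and a verification read like residual_blocks should be part of the sign-off before equipment leaves the company.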

Via Daily Mail, Forbes, BBC.

HITRUST plans Health Security Framework

Monday, August 25th, 2008

A group of over 60 voting companies in the health care industry have come together to create a set of security & privacy best practices that will go above and beyond those laid out in the Health Insurance Portability and Accountability Act (HIPAA). The new consortium that will create these best practices is called the Health Information Trust Alliance (HITRUST).

The HIPAA standards aim to protect the privacy of personal health information by giving patients more control over their information and setting boundaries on the use and release of health records. HIPAA requires that companies adopt privacy procedures and ensure they’re followed, but many in the health care industry feel that more can be done to secure the privacy of patient information.

According to a survey HITRUST commissioned earlier this year, 96% of health information technology executives think it’s important to have a uniform way to verify the security of sensitive healthcare information. 85% of those surveyed think the health industry should pull together to create the comprehensive framework, which is exactly what HITRUST is now doing.

The new consortium, HITRUST, aims to develop a Common Security Framework (CSF) – a set of tools to aid organizations in protecting information and managing the risks, costs and complexities in managing these assets. They have published an overview of the framework and its components here [PDF].

The issues surrounding the protection of health information are complex and diverse but critical to the broad adoption, utilization of and confidence in health information systems, medical technologies and electronic exchanges.

Standardizing a higher level of information security will build greater trust and efficiencies in the electronic flow of information through the healthcare system and will instill confidence within regulators, business partners and consumers.

The document outlines challenges faced in protecting electronic health information including: risk and liability from data breaches, confusion about implementation and baseline security controls, complexities involved with inconsistent standards and varying interpretations, and outside scrutiny from regulators, auditors, partners and customers.

The HITRUST CSF aims to help organizations that create, store, access or exchange electronic health information. The CSF framework includes three parts: an Information Security Implementation Manual, a Standards and Regulations Cross-Reference Matrix and a Readiness Assessment Toolkit. You can view a sample of the Security Implementation Manual, one part of the CSF, here [PDF]. The CSF is expected to be released in January 2009.

Via Information Week.

NCIX Mobile Security Tips for Overseas Travel

Friday, August 22nd, 2008

The Office of the National Counterintelligence Executive (ONCIX) has prepared a mobile security booklet for US citizens who travel abroad. The booklet offers advice for traveling with mobile phones, laptops, PDAs and other mobile devices.

The document, which appears to be a revised subset of their more popular “Be Alert!” document to avoid being a victim of foreign intelligence collection, breaks up the information into four sections: “You Should Know,” “Before You Travel,” “While You’re Away,” and “When You Return.” The first section is really a series of “worst case” scenarios involving travel abroad; monitored phone calls, searched hotel rooms, intercepted messages, tracked movements, etc. However, the other sections provide valuable tips that all travelers should consider.

Some of the tips include:

  • Delete any information you don’t need before you go
  • Use a different mobile phone when traveling, if you can
  • Create strong passwords for your devices, and change them regularly (including when you return). Don’t store the passwords anywhere.
  • Make sure you have all the latest security updates for your software
  • Encrypt sensitive information* & have a personal firewall
    *Some countries may not allow you to enter with encrypted information, it notes
  • Keep your SIM card with you if you need to stow your device
  • Avoid wi-fi networks and turn off ports and features you don’t need

You can download the 2-page brochure here. [PDF]

Via Security Watch.

Internet Protocol Security Report

Thursday, August 21st, 2008

The Centre for the Protection of National Infrastructure (CPNI) recently released a report entitled “Security Assessment of the Internet Protocol.” The report aims to raise awareness of security threats that are based on the IP protocol – both current threats and future ones. For IT professionals, the report also offers advice on the secure implementation of IP.

The report highlights that it is difficult to produce a secure TCP/IP implementation today because there is no single document that serves as a security roadmap. Moreover, the Internet Engineering Task Force (IETF) has not issued official documents (RFCs) addressing many known security problems, so systems built strictly around the “official” specifications may carry known security flaws.

This document attempts to rectify that in an ongoing manner, with the preface indicating a willingness to revise the document to keep it as accurate as possible. Security professionals are encouraged to contribute to the accuracy of the data. Revisions of the document will appear here.

Download the report here [PDF]

Via SecurityFocus.

Regulatory Compliance a Top Business Concern

Wednesday, August 20th, 2008

ISACA, a non-profit serving IT governance professionals, has published the results of its May 2008 member survey on the top business and technology issues being faced today.

The survey looked at 21 current business issues facing IT managers, as identified by its task force, and respondents were asked to rate these issues on their importance / impact during the next 12 – 18 months.

The survey was completed by 3173 members of ISACA. According to the survey, the Top 7 Business Issues Overall are:

  1. Regulatory compliance
  2. Enterprise-based IT management and IT governance
  3. Information security management
  4. Disaster recovery / business continuity
  5. IT value management
  6. Challenges of managing IT risks
  7. Compliance with financial reporting standards

This ranking is based on a weighted score derived from the importance rating – from 1 to 5 – given for each item.

Each item listed as a top business issue had a drill-down section to examine the underlying concerns. For example, a drill-down into regulatory compliance reveals that the top concerns include privileged access monitoring and compliance process management. A drill-down into information security management reveals concerns that the effectiveness of controls is not being properly monitored and that security risks are not known or only partially assessed.

The ISACA survey highlights that regulatory compliance has yet to move beyond “project” mode:

“Keeping on top of legislative and regulatory requirements is a critical responsibility made more difficult because compliance efforts are still operating in ‘project’ mode and have not yet been embedded into business processes. IT projects still lack alignment with business objectives at many organizations, and as a result, they are unable to realize business benefits.” – Anthony Noble, member of the ISACA Assurance Committee and vice president of IT audit at Viacom

The challenge of IT is to design & maintain systems to comply with changing legislative and regulatory requirements, while also aligning IT operations with the goals and objectives of the business.

Download the survey results here. [PDF]

Via Network World.

Tools for Teachers & Students

Tuesday, August 19th, 2008

Sean Aune has put up a very useful piece on Mashable entitled “35 Tools for Teachers, Tutors and Students.” Great timing for an article like this with school so close around the corner again. The list of tools encompasses sites and services for everything from learning management to social networking.

Head to Mashable for full descriptions of each service, but here are some that pop out for me:

  • Grading services like Engrade.com – a free gradebook & attendance chart that students, parents & administrators can also access. There are several services that do this, some free, and some with the ability for parents and teachers to message privately.
  • Learning platforms like Blackboard.com – an online learning platform for virtual course delivery and classroom instruction. Many of these allow for personalized learning opportunities, student progress monitoring, and the opportunity for parents to get involved. Some, like Blackboard, offer professional development for teachers. Also check out HaikuLS.com
  • Organization systems like Studeous.com – kind of like the learning platforms above, this helps teachers stay organized. Organize your classes, post homework, upload files, embed videos or podcasts, and more. You can create quizzes quickly and communicate easily with students through the chat feature, and the system even has events and club pages.
  • Educational social networking sites like Classroom20.com – a site for teachers to connect socially, but also to share best practices. HotChalk is another site that is meant to connect students, teachers and parents. It has a big user base and many free learning resources.


Do you have favorite tools you use as a student or a teacher? If so, drop a comment!


Blunders That Threaten Your Identity

Monday, August 18th, 2008

ConsumerReports.org posted to Yahoo Finance a great guide for consumers entitled “7 Online Blunders That Threaten Your Identity.” It’s a long article covering common mistakes that lead to identity theft and the things you can do to mitigate the risks. In summary, the 7 blunders are:

  1. Assume your security software protects you
    • Software must be activated and updated regularly to be effective.
    • New software bundled with your computer may have an expiry, so be sure to renew.
  2. Access an account via an email link
    • Clicking links embedded in emails is risky (fraud potential), particularly for anything that has to do with financial information. Don’t take the bait to update your password, account number or other information.
    • Forward suspect email to spam@uce.gov and reportphishing@antiphishing.org
  3. Use a single password for all accounts
    • Use a variety of passwords, even variants, that mix letters, numbers & symbols of at least 10 characters in length (there are more sophisticated password options as well)
  4. Download free software
  5. Think your Mac shields you from all risk
    • Mac users fall for just as many phishing scams. Use Firefox for phishing protection.
  6. Click a pop-up ad that says your computer is insecure
    • 15% of survey respondents click pop-up ads that can take you to a spyware site or install malware to your computer
  7. Shop online without precautions
    • Use a separate card for Internet shopping and look for https in the URL

All great tips to avoid identity theft and fraud. You can read more of the suggested precautions here.


Encrypting All Laptops

Friday, August 15th, 2008

Andreas M. Antonopoulos has written a forceful piece on Network World entitled “No excuses – encrypt all laptops.”

Although encryption is only one piece of a layered approach to laptop security, it is nonetheless crucial. Typically the unencrypted laptops that go missing don’t have any level of protection, or very little. So, the move to encrypt laptops is a step in the right direction. As Andreas notes,

“Encryption provides not only the most cost-effective “data leak” protection but also a safe haven from breach disclosure. No more excuses: If you’re not encrypting laptops, you are not applying due diligence.”

The article weighs the cost of encryption technologies, which can be low, against the higher cost and complexity associated with key management and recovery. Andreas talks a good deal about TrueCrypt, a free open source encryption tool, as an option for reducing the costs associated with large-scale encryption adoption. However, there are enterprise solutions out there that can better serve businesses.

Network World also published a “Laptop Losers Hall of Shame” earlier this year, covering the top 10 data breaches resulting from a lost or stolen laptop.

And here are some new incidents of laptops without encryption that went missing:

Via datalossdb.org.

Small & Medium Businesses in Denial About Security

Thursday, August 14th, 2008

According to the results of a recent McAfee study, small and medium businesses (SMBs) feel they are too small to be targets for cyber attacks. The study reveals the true cost of these beliefs.

The “Does Size Matter?” Report sampled 500 IT decision makers from US & Canadian companies with 1000 – 2000 employees. Darrell Rodenbaugh, Senior VP of the mid-market segment at McAfee notes that businesses of all sizes are affected by viruses, hackers, spyware and spam. These issues can lead to data breaches, downtime, decreased productivity, compliance issues, lost sales and damaged reputation.

“Just because a business is small does not mean it is immune to security threats.”

21% of SMBs admit that an attack could put them out of business (other research indicates downtime costs range from $30k to $225k) but this knowledge has not transferred into pro-active security measures. 42% of SMBs dedicate only one hour per week to pro-active IT security.

Highlights from the study:

  • 32% of SMBs have been attacked >4 times in the last 3 years (26% of those attacked took at least a week to recover)
  • 88% believe they are adequately protected from security attacks
  • 43% accept all default settings on IT equipment (contradicting the confidence above)
  • 35% are “not concerned” about being a target for cybercrime
  • 52% don’t think they are well known enough to be a specific target for cybercriminals
  • 44% think cybercrime is an issue for larger companies
  • 45% don’t think they are a “valuable target” for cybercriminals (correlated with a belief that they can’t be a source of profit to them)
  • 92% say online access & availability is important to the running of their business

The report indicates that SMBs are a growing target. Darrell Rodenbaugh notes:

“What came out of this (report) was, not only are they a target, but that a lot of the cybercriminals would prefer to go after the small- and medium-sized businesses.”

You can download the McAfee “Does Size Matter” report here (direct PDF here). You can also read up on Absolute Software’s security services for SMBs here.

Via SecurityFocus.