New Center for Applied Identity Management Research

Related entries in Business Security, Education Security, Government Security, Theft Prevention

Corporations, government agencies and academic institutions have joined together to study issues surrounding cybercrime, terrorism, narcotics trafficking and identity management, forming the Center for Applied Identity Management Research (CAIMR).

CAIMR is hosted by Indiana University and is a non-profit corporation of thought leaders who share a common interest in identity management. Their mission is to “study identity issues impacting commerce, government, and national security, their social implications, and the processes, technologies and policies designed to deal with them.” Beyond study, the goal is to develop real-world solutions to these issues. The outcomes may take the form of industry or law enforcement best practices, technologies, policy adjustments, or training and educational materials.

CAIMR notes that the goal is to be able to adapt more quickly to evolving identity fraud and cyber crimes, understanding the constraints and challenges faced by each set of stakeholders. Gary R. Gordon, scholar in identity management at Indiana University School of Law, will be executive director at CAIMR.

Four initial areas of study will be:

  1. Public safety: identity theft, cybercrime, fraud, sexual predator detection, etc.
  2. National security: cybersecurity, human trafficking, terrorist tracking, etc.
  3. Financial and corporate fraud: mortgage fraud, data breaches, insider threats, healthcare fraud, etc.
  4. Individual protection: identity theft, fraud, etc.

Partners in CAIMR include the US Secret Service, VISA, Wells Fargo & Company, and many more.

Via network world, security watch

Risks with Outsourced Call Centers

Related entries in Real Theft Reports, Security Policy, Theft Prevention

Consumerist has published an insider report that gives a disturbing look into the data security threats present when call centers are outsourced.

The insider, a former Chase call center rep, tells the story of a thief able to repeatedly commit credit card fraud by calling an outsourced security department. All he needed to know was a name, Social Security number and a mother’s maiden name.

The Chase call center employee, who worked in the US, flagged the caller as a potential thief. He had called repeatedly trying to sleuth out all the security questions that come up when attempting to access an account. As a result, the Chase employee forwarded the call to security - which had been outsourced to the Philippines.

The US security department had access to LexisNexis to verify more personal information, while the Philippine security department did not. As a result, for weeks the thief would be bumped to security, only to be approved and cleared back to the call center to complete his transactions. Some employees knew enough of the situation to block the transaction, but enough “newbies” did not so that the account holder (the same one each time) was stripped of more than $40,000 over time.

Although the account was repeatedly locked, the thief was able to unlock it with these details over and over again. Why? Because the handbook that the call center went by, the how-to guide that was followed word-for-word, was not set up to deal with this scenario. Although the US security department flagged the account and put on blocks and notes, the outsourced security department would unblock the account. The fraud only ended when the thief was caught.

This is just one example of the issues that arise when security is outsourced. Cultural issues, such as the gender associated with a name, could also come into play. Security is not a cut-and-dried issue, so many clever thieves are taking advantage of black-and-white security manuals in the hands of outsourced security departments to commit fraud.

Here are some additional stories I was able to dig up on outsourced call centers:

Image: milica sekulic

Federal agency chooses Computrace

Related entries in Absolute Software, Case Studies, Computrace

In addition to the Kent SD case study highlighted here last week, Absolute Software is profiling how a US Federal Government Agency uses Computrace to protect their assets.

In 2006, a Federal agency realized that its higher profile meant that it needed to increase existing data and computer security measures. Government regulations require that data breaches be reported, and dealt with, quickly. With these two considerations in mind, the agency began a pilot project in 2007 with 3,500 computers. After the success of the pilot project, it purchased 30,000 licenses of Computrace to protect its entire laptop population.

The agency can now inventory computers in the field, report on installed software, and delete classified data if computers go missing. For more information about Computrace, read here.

For more case studies from Absolute Software, check out here.

Global State of Information Security Report

Related entries in Laptop Security, Security Policy, Surveys & Reports

CSO Online has released the results of its annual survey with The Global State of Information Security 2008 [PDF]. The survey indicates that security spending is on the rise - a trend that is projected to continue, despite current economic uncertainty.

The survey includes answers from more than 7,000 senior executives and shows some surprising results - such as that 14% of security incidents in the past year involved devices. This shows a growing trend in the use of mobile devices, and the lag evident in mobile security planning.

With the IT group still strong as a source for information security funding, the survey found that the “IT Toolbox” is more comprehensive than before. More companies now have malicious-code detection tools, application-level firewalls, intrusion detection & prevention tools, encryption, automated password reset tools and wireless handheld device security.

Despite all those positive increases in the use of IT security tools, some numbers are still quite low. For example, only 50% of companies have laptop encryption tools, with even fewer (42%) having wireless handheld device security. There is no data available on additional laptop security measures such as Absolute’s laptop tracking & recovery solution. Encryption alone is only a base level of laptop security planning.

When it comes to security incidents, there still exists a wide knowledge gap. 45% of security incidents in the last year could not be connected back with known vulnerabilities. Of those that could be identified, the method of exploitation was most often at the network level. Employees and former employees, however, remain the largest threat to security incidents (although less this year than in past years). What this indicates is that technology solutions have been rolled out without being a part of a more comprehensive security policy.

“If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information”

Interesting findings from the study:

  • Business continuity and compliance is the lead reason for investing in security (57%)
  • 28% of consumer products and retail executives say security spending is poorly aligned with business objectives
  • 45% of respondents can’t identify vulnerabilities that led to security incidents
  • 43% of respondents audit or monitor user compliance with security policies
  • 22% of respondents keep an inventory of the outside companies that use data

The last result is quite telling - considering the number of data breaches that have been the result of third party mistakes, this is an obvious area of concern in security policies. Additionally, only 37% of survey respondents require third parties to comply with internal privacy policies. There appears to be greater confidence in third parties than reality may warrant - 75% believe their partners’ security is effective, while only 28% perform due diligence to understand their security precautions.

Continue reading the CSO Online analysis of this survey here. You can also check out Absolute Software’s whitepaper on endpoint security.

New law requires online safety education

Related entries in Education Security, Privacy & Security Laws

The Broadband Data Improvement Act (S.1492) was recently signed into Federal law. The legislation would improve the collection of data on broadband availability and fund greater access to high-speed Internet. As part of the new legislation, schools receiving the e-Rate discounts on telecommunications services will soon be required to teach students about online safety.

The e-Rate program provides discounts for schools of 20-90% for telecommunication services including Internet access. The proposed Broadband Data Improvement Act, introduced by Senate Commerce Committee Chairman Daniel Inouye, has a provision that would require the Federal Trade Commission (FTC) to establish a nationwide campaign to “increase public awareness and provide education regarding strategies to promote the safe use of the Internet by children.”

Originally, a separate bill entitled ‘Protecting Children in the 21st Century Act’ was proposed to Congress. The Senate Commerce Committee merged the language of this bill into the Broadband Data Improvement Act, which has now become law. The new law recognizes that education must go hand-in-hand with technology to protect children from online predators.

The Online Safety and Technology Working Group was established, under the legislation, to evaluate online safety education efforts, parental control technologies, and much more. In addition, a section of the Act requires that schools create an Internet safety policy that educates minors “about appropriate online behavior, including interacting with other individuals on social networking websites and in chat rooms and cyberbullying awareness and response.”

I think it is great that steps are being taken to increase the awareness of online safety issues for children.

Via eschoolnews, eweek, consumer affairs, cnet; Image: Microsoft Office Clipart / iStockphoto.com

E-Voting not up to snuff

Related entries in Government Security, Surveys & Reports

According to a new report out of the Brennan Center for Justice, many states are not well prepared to secure the vote on November 4th.

The report, entitled “Is America Ready to Vote?”, was released by Common Cause and Verified Voting. The report issues a 50-state report card that grades each state on its preparedness for election system breakdowns and on its ability to ensure the accuracy of votes cast on electronic voting machines. Ten states received inadequate grades in 3 out of 4 categories of safeguards.

“Our elections are so complex and involve so many jurisdictions, technologies, voters, poll workers, technicians and election workers that some concerns are inevitable. As the machinery of our democracy becomes more complicated, however, the opportunity for error increases – and we should be prepared.” - Pamela Smith, president of Verified Voting Foundation.

The report evaluated each state on four areas:

  • procedures for issuing emergency paper ballots
  • reconciling ballot tallies
  • providing paper records of votes cast
  • post-election audits.

Currently 24 states use voting machines. Of those states, 8 have no guidance on stocking emergency paper ballots at the polls in case the voting machines break down. This could mean that voters will not be able to cast their ballots, if breakdowns were to occur. Breakdowns can, and do, occur in a number of ways - memory cards that can’t be read, mis-tallied votes, lost votes and more.

The report found that 10 out of the 50 states fall short of best practices when it comes to ballot accounting and reconciliation - the provisions to ensure every vote is counted, and only once, are not well in place. This is just one instance that shows that, while protections against voting fraud and e-voting machine failure have improved in general since 2004, not all states are taking even basic precautions to protect their systems.

You can download the report here. [PDF]

Via CSO Online

ICO to CEOs: Step Up

Related entries in Government Security, Security Policy, Surveys & Reports

The Information Commissioner’s Office (ICO) in the UK, with Information Commissioner Richard Thomas, has made a public statement calling on CEOs to take responsibility for data protection safeguards.

The Information Commissioner, Richard Thomas, announced that the number of data breaches reported since November 2007 has reached 277. November 2007 marks when HMRC lost 25 million child benefit records (story here). Of those 277 breaches, 28 are attributed to the central government. The ICO is investigating 30 of the most serious breaches of this past year.

In a speech delivered to the RSA Conference, Commissioner Richard Thomas talked about the state of data security, or “data insecurity”, he adds. The HMRC data breach of 25 million child benefit records merely brought the existing data security issues to public and political attention, Thomas notes.

“The number of breaches brought to our attention is serious and worrying. I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously. More laptops have now been encrypted and thousands of staff have been trained. But the number of breaches notified to us must still be well short of the total.”

Arguing that information can be a “toxic liability” as well as an asset, Richard Thomas challenges CEOs to ensure that they are minimizing the amount of data they hold and that appropriate data security measures are being taken. He says this responsibility lies with the CEO, not with the IT department or other staff.

“It’s no good saying the IT boys are looking after this, it’s no good saying the lawyers are sorting out the policies, it’s no good saying human resources are doing the training - it’s right across the organisation.”

Richard Thomas notes that personal information is the lifeblood of both government and business, but that more responsibility needs to be taken to assure that data remains safe. The first step is to understand the risks associated with the vast centralized stores of data and its portability across networks and devices.

The ICO continues to offer advice on data security, from the encryption of laptops to improved data access policies. As noted several times by the ICO in their report, the actual figures for data breaches probably are much higher than 277. Currently there is no legal obligation to report data losses in the UK, and many data breaches may go undetected.

Out of the 277 reported breaches, 67 were due to the loss or theft of a computer or laptop. The National Health Service (NHS) is the worst breach offender so far for 2008 with 75 breaches, 27 of them the result of lost or stolen computers. Learn how Computrace can help provide multi-layered security solutions for your computers here.

Via BBC

Computrace Case Study: Kent SD

Related entries in Absolute Software, Case Studies, Computrace, Laptop Security, Laptop Tracking

The latest Absolute Software case study involves the education sector. Specifically, it covers how the Kent School District in Washington uses Computrace to inventory computers and crack down on theft.

Kent School District began introducing notebook computers into its programs back in 1998 - schools with access to mobile technologies and new instructional strategies have performed very well in the district. With laptops spread across the district’s 40 buildings, there were a number of IT challenges in keeping track of those assets. After beta testing Computrace on 90 tablet PCs, Kent SD has now implemented the system across its entire 12,000+ notebook and desktop population.

Before Computrace, Kent SD would assign 10 people to do an inventory check - a process that took 3 months out of every year. Now, Kent SD can run a 5 minute report from Computrace and know where all of the 12,000+ computers are.

Computrace is more than just a theft deterrence product, but with a district of this size, theft was also a consideration in choosing the service from Absolute. After thieves broke into a school facility and stole 30 computers, Computrace was used to track the computers back to the thieves, who are now facing charges. In another theft situation, the remote data delete was used to ensure sensitive information would not be breached.

To read more about Kent SD’s IT challenges, and their solutions, check out the full case study here.

For more case studies from Absolute Software, check out here.

Laptop Management Webinar - November 5

Related entries in Absolute Software, Education Security, Laptop Security, Laptop Tracking

On November 5, 2008 at 2pm ET / 11am PT, Absolute Software is sponsoring a webinar on laptop management and theft prevention.

The webinar will be hosted by eSchool News with speakers from two school districts discussing best practices for managing laptops and deterring theft. Paired with the recently published case study of Kent School District’s asset management program, Absolute is offering up some great resources right now for mobile security planning for the education sector.

To register for the 1-hour webinar, click here. You can also learn more about the webinar here.

Computrace now embedded in ASUS B50 Notebooks

Related entries in Absolute Software, Business Security, Computrace, Laptop Security, Technology Advice, Theft Prevention

Some great news from Absolute Software - the ASUS B50 line of business notebooks will now provide embedded support for Absolute’s anti-theft and management solution, Computrace.

ASUS is one of the world’s top 10 notebook manufacturers, with the B50 taking into consideration the needs of mobile business executives. The B50 features an integrated biometric fingerprint scanner, Trusted Platform Module for secure login and encryption, and now embedded Computrace support. You can read more about this news here.

What does embedded support mean?

This means that all the great features of Computrace are embedded at the firmware level, not the software level. When consumers activate the service, Absolute can provide a higher level of security and recovery capabilities.

Embedding support for the Computrace agent into the BIOS provides customers the highest level of persistence and allows the Computrace agent to survive operating system re-installations, hard drive reformats and even hard drive replacements. That means anyone trying to remove the security features to get at your data is going to have a much harder time.

For a full list of computers with embedded support for Computrace (Dell, Fujitsu, etc), check here.

Also in company news, Absolute will showcase its laptop security solutions at the Intel Developer Forum (IDF) in Taipei on October 20-21. For more information, read here.