Archive for the ‘Information Security’ Category

Have You Started Planning For Global Security Week?

Wednesday, July 19th, 2006

Global Security Week is September 4 – 10 this year.  Have you started planning any awareness activities around it for your organization?

In case you haven’t heard of it, Global Security week…

"…is an opportunity to join forces with other security professionals worldwide and promote security to the masses.  The theme for Global Security Week 2006 is identity theft. Find out about the truth behind the headlines. Is “phishing” a genuine threat? What are the banks doing about it? What can ordinary members of the public do about it? Participate in Global Security Week to help spread the word about identity theft and encourage ordinary law-abiding citizens to be on their guard."

This is a great opportunity to provide awareness messages and activities, as well as training classes, within your organization to raise awareness of issues that impact not only your own organization but also your workers personally.  You could also take advantage of this week to provide awareness and training to your customers, business partners, outsourced vendors, and anyone else who touches the information for which your organization is responsible.

The site has created a planning calendar to get you started.

Check out the Global Security Week FAQ for more information, as well as some great links to other information security and privacy sites and information.

Information Security & Privacy in a Digital World

Tuesday, July 18th, 2006

CNN published an interesting report today by Peggy Mihelich, "Price of virtual living: Patience, privacy."  It contains many interesting and thought-provoking statistics and other info, many of which impact information security and privacy directly or indirectly.

When was the last time you walked through a public area, such as a grocery store or airport, and did NOT see someone using or possessing some type of technology device, such as a cell phone, BlackBerry, or digital camera?  How many of these devices on the street contain business information along with the device user’s own assorted types of information?

I found the discussion of the loss of patience associated with technology interesting.

"Time in the virtual world takes us away from time spent in the real world. Though studies are inconclusive and ongoing, some psychologists warn that too much virtual exposure can undercut face-to-face interaction, lead to depression and isolation, and erode our patience. ‘We don’t have the tolerance any more to wait,’ Rosen said. ‘Listening to people talk slowly or talk, period — we just can’t tolerate it.’  A recent Associated Press poll found that Americans start to feel impatient after 5 minutes on hold on the phone or 15 minutes in line.  Technology has brought us to a world where we have to have it when we want it, and we want to have it all simultaneously."

Well, I’ve always gotten perturbed if I’m kept on hold for more than 5 minutes (actually less) when calling a company.  This has more to do with good customer service than with technology, however.  I also have never waited more than 10 or 15 minutes in line, such as waiting to be seated in a restaurant.  I don’t care how good the food is, I’ve always felt more than 10 minutes of doing nothing but sitting in an overcrowded bar just to be seated is wasting way too much time I could be spending doing something productive.

However, this loss of patience issue is something to keep in mind when addressing customer questions about their PII, your company’s privacy and security practices, and so on.  Be prepared for how you handle these questions ahead of time, and don’t give them the run-around.  Remember, everyone tends to be impatient.

The impatience issue is also something to keep in mind when you are creating your information security and privacy training and awareness materials.  Get to your point clearly and succinctly…don’t make your audience impatient and lose their attention with a lot of unnecessary information, or by using delivery methods that take up more of their time than is really necessary.

"E-mail lets us send a quick response, and IM lets us carry on a real-time conversation with someone halfway around the world – a great and inexpensive convenience, but a behind-the-screen form of communication."

Email and IM bring with them their own unique and significant information security and privacy concerns…something to explore in another post or paper…

"A Federal Trade Commission survey found that from 1999 to 2003 more than 27 million Americans were victims of identity theft, costing them and businesses more than $50 billion. Personal data used to be protected by "practical obscurity," meaning that public records existed on paper or in isolated databases in courthouses and government offices. The information was legally within reach, but accessing it usually took hours or days and a lot of leg work.  But that’s changing, Steinhardt said. Communication, transaction and other public and private records have moved online, and they can be pulled together in minutes to create a picture of our lives.  Typing someone’s name into a search engine or online phone directory can reveal where they live. Going to their local government Web site can reveal how much their house is worth – and how much they pay in property taxes. Checking another Web site can reveal how much they contributed to political campaigns."

There are still too many people…too many business executives, leaders and decision-makers…who believe that obscurity is a form of security.  The abundance of electronic PII stored in so many different places puts the PII at risk…and truly does create ways to tell much more about people than just one or a few of the PII items alone could provide.

Technology is great…it is a very powerful business tool.  "With great power comes great responsibility."  Yes, I’m a Spiderman fan.  🙂  However, this statement is very true with regard to the power businesses wield over the PII they possess.

Isn’t it amazing to consider that just a little over a decade ago emails were primarily shared within organizations, through mainframe-based systems…now most businesses would be lost without the ability to communicate with all their business associates and customers via email.  Cellphones have virtually replaced the pagers.  It will be very interesting to see what types of technology dependencies will be created for business in the coming few years.  I’m sure most, if not all, will have significant information security and privacy issues.

Insider Threat Example: FBI Computer Consultant Hacked Director’s Passwords

Monday, July 17th, 2006

On Friday, 7/14/06, Silicon Valley reported:

"An FBI computer consultant who pleaded guilty to hacking the secret passwords of Director Robert Mueller and others will not serve any time in prison, a federal judge has ruled. Joseph Thomas Colon of Springfield, Ill., was sentenced Thursday by U.S. District Judge Richard Leon to six months of home detention and ordered to pay $20,000 in restitution to the FBI.

Colon pleaded guilty in March to four misdemeanor counts of intentionally exceeding his authorized computer access. He faced up to 18 months in prison after he acknowledged using two computer programs available for free on the Internet to extract the information and decode the passwords of Mueller and others.  Prosecutors do not believe Colon was trying to damage national security or use the information for financial gain. But the FBI said it was forced to take significant steps to make sure there was no harm from Colon’s actions.

“Joseph T. Colon was granted a substantial level of trust. He betrayed that trust,” FBI assistant director Charles S. Phalen Jr. said. “Once we identified the breach of security, we took quick and appropriate action to neutralize its impact.” Colon had said he was given a password to the FBI’s secret computer system to speed work he was hired to perform in the FBI’s Springfield office."

This points out that an insider is not always an employee.  It is anyone who has access within your facilities or to your network or computer systems; in this case it was a contracted consultant.

It would be interesting to know how they arrived at the $20,000 restitution amount.

This is a good example of an insider threat incident to add to your files and use in your awareness and training messages.

Free Security Awareness Posters from the U.S. Government

Thursday, July 13th, 2006

Earlier this week the FBI and the Department of Homeland Security jointly made available free posters, "PROTECT YOUR WORKPLACE: What You Need To Know".

The press release about this:

"What if we told you there’s a way you can improve security at your workplace…today? That it’s fast, easy, and completely free? And that it will not only enhance your personal safety on the job…but also help ensure the financial health of your organization?

It’s all true—thanks to a new “Protect Your Workplace” campaign launched by the Department of Homeland Security and the FBI.

Specifically, we’ve teamed up to produce a series of posters with practical suggestions for protecting your workplaces from both physical and cyber threats—everything from robberies and break-ins…to computer intrusions and corporate espionage…to identity theft and intellectual property violations…to even potential terrorist attacks.

By hanging these posters in common, highly-trafficked areas, you can raise security awareness and help prevent and reduce crime and terrorism in and around your place of work—whether it’s a business, a non-profit, or a government agency.

The four posters, which are being distributed electronically to workplaces across the nation, cover the following topics:

  • Protect Your Workplace: Physical Security Guidelines, including monitoring who enters your workplace, reporting broken windows and locks, making back-ups of sensitive and critical information, and reporting suspicious activity and packages.
  • Protect Your Workplace: Cyber Security Guidelines for both employees and managers/IT Departments, such as managing passwords, establishing clear policies and procedures, implementing a layered defense strategy, and monitoring and logging successful or failed intrusions into your networks.
  • Report Suspicious Cyber Incidents, including suspicious e-mails and questions, system failures, and unauthorized access or use.
  • Report Suspicious Behavior and Activity, such as surveillance, suspicious persons, dry runs, tests of security, and improper attempts to get supplies.

We’ve also created a brochure that combines all the information on the four posters into a tri-fold that can be kept at your desk and shared with colleagues, family, and friends.

So how can you get the posters and brochure? It’s easy! Just click on the graphics above to download each of the posters. You can also download the brochure and all of the materials as a series at http://www.us-cert.gov/reading_room/distributable.html#work.

So take our advice—please. Security is everyone’s responsibility. Do your part to prevent crime and terrorism and to protect your organizations by putting up these posters at work today…and telling your friends and associates to do the same."

You don’t have to provide any information to download the PDFs, so if you are not comfortable providing your contact information to obtain the printed posters and you have the tools to print off the PDFs, download them! 

Many organizations are strapped for awareness and training budget dollars.  If your budget is strained, you might as well take advantage of the awareness materials the U.S. tax dollars pay for.

The Insecurity of Mobile Computing

Thursday, July 13th, 2006

Network World today (7/12) published "Mobile users face knotty security issues." 

There are some good points and information contained within.  Many are information security basics that good information security professionals already know: that to be effective, information security must be implemented in depth and in layers, as transparently to the end-user as possible.  It’s good to reiterate these messages to the IT folks who tend to read these publications. 

Too many times it seems folks outside the information security and privacy area think that security is addressed through just one action or tool…we need to raise the awareness of IT and business leaders so they understand that information security is achieved through a combination of many processes, plans, tools and activities…not just through a firewall or just by using anti-virus software.

"…secure mobile computing is a complex business."

Indeed!!  So many incidents occur…daily…involving mobile computing and storage devices.  Most are not reported to the public.  Most involve huge amounts of data.  Putting mobile computing devices and storage in the hands of your end-users is kinda like leaving your 6-month-old baby under the total care and oversight of your 7-year-old neighbor…some will be pretty responsible, but most will soon forget about the security and safety of that precious and valuable bundle you’ve entrusted to them; their attention spans are short and their awareness of the security issues is likely very low.

I personally love USB micro storage devices; they are so much handier to use than CDs.  Plus, some of the devices are very cool, too…I love the Swissbit USB tool.  However, the small size and large storage capacities (I’m looking at some really small 2GB storage units right now) of these many different USB devices scare me.  How many workers are putting confidential company data onto these devices?  How many organizations know their workers are doing this?  How many of these are lost?  How many actually encrypt the data stored on these devices?  How many visitors to your facilities use these to take information out with no one the wiser?

USB storage is just one of the many complex issues to tackle with mobile computing.  There are so many more.

Another Government Computer Security Incident: Hackers Break Into the U.S. State Dept. Computers

Tuesday, July 11th, 2006

An interesting story just appeared on CNN, "Hackers target State Dept. computers."  Some of the more interesting excerpts from the story:

"Investigators believe hackers stole sensitive U.S. information and passwords and implanted backdoors in unclassified government computers to allow them to return at will, said U.S. officials familiar with the hacking."

The break-ins were reportedly discovered in mid-June.  It would be interesting to know how the hackers implanted backdoors into the computers.  Perhaps the admin and supervisor passwords were some of those stolen?  Were the passwords clear text files?  Or, were they poorly constructed so that they allowed a password cracker to gather them?  Sounds like at least two-factor authentication would be a good idea for all government computer systems, doesn’t it?

"‘The department did detect anomalies in network traffic, and we thought it prudent to ensure our system’s integrity,’ department spokesman Kurtis Cooper said. Asked what information was stolen by the hackers, Cooper said, ‘Because the investigation is continuing, I don’t think we even know.’"

Well, it is refreshing to finally have a representative of an organization that has experienced an incident honestly report that he doesn’t know what was taken or compromised.

"After the State Department break-ins, many employees were instructed to change their passwords. The department also temporarily disabled a technology known as secure sockets layer, used to transmit encrypted information over the Internet."

"Many diplomats were unable to access their online bank accounts using government computers because most financial institutions require the security technology to be turned on. Cooper said the department has since fixed that problem."

I find the disabling of SSL interesting…wonder what type of protection they implemented as a compensating control?

SMB Security Made MADDENING!!!! Security Vendors; Please Get Some Customer Service Skills!!

Wednesday, July 5th, 2006

Today was the culmination (at least I hope there is no more of this to deal with) of over two weeks of dealing with notebook computer hell…created through a combination of wireless woes (I just got wireless in May, but after a computer crash it had not been working correctly) and computer woes (got the "old" computer fixed to use as a backup and bought a new one…a LEMON…which I just exchanged for a brand new one out of the box this morning). 

I was elated with how well my new computer was running today…so fast…so quietly…so good I did a happy dance with my sons.  All was well…Internet access…email service…until…I installed Norton Internet Security Center and voilà…I could no longer send or receive email, even after many Norton setting changes…I could no longer get to some Internet sites, or some sites just loaded the HTML code, even after many Norton setting changes. 

Okay, fine, I’ll disable Norton.  Gee, did that help?  *NO*!!!  Well, then I’ll uninstall it…gee, did that help?  *NO*!!!!  According to both my ISP and my hardware/software support service, the error codes I was receiving in Outlook indicated that it was Norton still interfering with my computer’s communications with the outside world.  Apparently once Norton is installed it just does not want to go away.  Hmm…doesn’t that make it a type of malicious code itself?

Without going into minute details, suffice it to say that one of the MANY actions I took was calling Symantec’s "SUPPORT" line, and I found myself in a automated phone response nightmare.  What really ticked me off was that the Symantec computer voice indicated that I should get a priority number to be able to be helped most quickly.  It then rattled off the URL so quickly I had to listen to it 3 times to get the URL correct.  But, guess what?  *I COULD NOT GET OUT TO THE INTERNET TO GET THE D*MN PRIORITY CODE BECAUSE OF WHAT THEIR SOFTWARE DID!!!* 

Okay, fine, then I called them back…and after another 45 – 60 minutes of being the virtual silver ball in the Symantec customer support pinball phone system, I hung up.  I have never experienced such poor customer service…not even getting a real human…ever before.

AAAAAARRRRRGGGGGGGHHHHHHHHH

There are literally millions of small to medium sized businesses in the U.S….including sole proprietors such as myself.  Most do not have dedicated tech personnel on staff…we are OUR OWN tech support.  We spend enough time doing our own daily tech support activities without being pushed through a maze of "press number 1" for this and "number 2" for that when we need some technical support for huge problems a vendor’s software causes, making us spend inordinate and valuable amounts of our business time trying to figure out and fix the mess their software…bundled in with my computer and which launched itself automatically…causes.

Okay…thanks for letting me vent.  I also found out today that there *ARE* some vendors with very good customer service skills.  From my own experience today, I am very happy with CompUSA (at least the folks in the Clive, Iowa store), and I’m very thankful for being able to use and connect quickly with their software support partner, Dial-A-Tech, who helped me to finally get rid of all the claws Norton left embedded in my system…I think I am finally working okay.

And yes, I have installed a different security package…I’ll not comment about it until I see how well it works for at least a week or two.

The lessons of this tale (besides allowing me to vent)?

  1. Vendors need to make sure their software doesn’t screw up a computer to an unusable state.  Yes, I know this is nothing new…but it is still worth beating the drum about.
  2. Vendors, particularly software vendors, and very critically security software vendors, need to establish GOOD customer service capabilities!  It would be nice if they had GREAT customer service…but you know, I’m starkly realistic right now, and I think just asking for good would be a huge improvement.
  3. Small and medium sized businesses often have no dedicated tech staff and have to deal with all these tech problems themselves.  If security vendors continue to allow their products to screw up the ability for the businesses to function, most will likely not install security software.  I wrote about data breaches in small businesses in this blog in March; the use of security software would likely increase if buggy, overzealously aggressive and downright disruptive security software were not so heavily marketed and forced upon the businesses purchasing their computing equipment. 

I think my ordeal is not unique.  There are probably thousands of small and medium sized businesses losing days of work and income while trying to address the technical problems caused by security software that does not work like it should.  Security vendors, if you really want to help improve security, improve your security products and improve your customer service.

Encryption…”Maybe I will, GOSH!!”

Sunday, July 2nd, 2006

I got a kick out of a story posted yesterday in the Phasetwo blog, "IBM using Napoleon Dynamite quote to encrypt data." I love this movie…and to think it has been incorporated into encryption…"sweet"!  🙂 

""Knock it off, Napoleon! Just make yourself a dang quesa-dilluh!". This phrase, from the movie Napoleon Dynamite, is the cipher key IBM are using to publish encrypted XML at this year’s Wimbledon grand slam. But is this a rather glaring lapse in security, or simply an anticipatory nod to curious hackers, many of whom surely rank amongst the fans of this quirky 2004 movie?"

Kinda looks like the IBM folks were experimenting with encryption in this case…it doesn’t sound like any confidential information was being protected with it.  It wasn’t even any critical IP they owned, was it?  I really can’t tell from my limited, okay, basically nonexistent, knowledge of this "font of live data." 

It’s nice to know some companies enjoy using encryption, isn’t it?  Heck yes!

Insider Threat Example: Bank Employee Gives Customer Data to Fraudsters Who Then Took Funds From Accounts

Friday, June 30th, 2006

Here is another example of an actual insider threat: how an employee with access to customer data used that access to enable fraud.

"The Bangalore police have arrested one 24-year old Nadeem Kashmiri, on charges of having leaked confidential customer data from a BPO of HSBC, resulting in a loss of almost 233,000 pounds (Rs 1.95 crores) to the bank’s UK-based account holders.

HSBC says it takes its data protection responsibilities very seriously, and that hence it has initiated legal action against Kashmiri, who until earlier this month was an employee at HSBC’s Bangalore global service center.

Kashmiri was an employee of HSBC Electronic Data Processing India (HDPI), an offshore unit of the multinational bank. The bank approached the police on June 22, once it was convinced about his involvement. The police had been on the lookout for him since then.

Meanwhile, Kashmiri is accused of passing on confidential information pertaining to certain HSBC customers in the UK that was used to access the bank accounts of the victims through telephone banking services. Impersonating genuine account holders, the fraudsters extracted funds out of these accounts. They also carried out fraudulent transactions through the ATM and debit cards of the victims. It is reported that a gang of scamsters in the UK had paid Kashmiri for carrying out this fraud.

The fraud was uncovered by HSBC’s own security teams, when some customers complained to the bank about discrepancies in their accounts, ultimately leading to Nadeem Kashmiri’s suspension in April pending HSBC’s investigations.

HSBC, convinced that Nadeem Kashmiri had perpetrated the fraud, terminated his employment, and reported the crime to the Bangalore police. HSBC is assisting the Indian police in their investigations, and the bank intends to pursue Kashmiri’s conviction as vigorously as possible.

The Bangalore police will be in touch with their UK counterparts to solve the case; and HSBC is in touch with affected customers who have been assured of full reimbursement of losses."

This points out the need for good information security controls, along with audit logs and the ability to monitor access to sensitive data.  There will always be personnel who will do bad things if given the opportunity.  However, effective detective controls, combined with preventive controls, will help to address the insider threat; the fraud here was only discovered when customers complained, not by anything watching the agent’s own access to customer records.

A good case study for an information security awareness or training exercise.
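To make the "detective controls" point concrete, here is an added example (it is not from the original post, and it is not HSBC’s or anyone’s real monitoring code) of the kind of check an audit log makes possible.  It reads constructed customer-data access log lines and flags the two patterns an insider like the one above would produce: an agent looking up far more distinct customer accounts than his peers, and record lookups or account changes with no service ticket behind them.  The log format, field names, action names and thresholds are all assumptions made for the illustration.

```python
"""Detective control over constructed customer-data access logs.

Added example, not code from the original post or from HSBC.
Log format (assumed): timestamp|agent|action|account|ticket
A ticket of "-" means no customer interaction was recorded for the access.
"""
from collections import defaultdict
from statistics import median

FIELDS = ("ts", "agent", "action", "account", "ticket")

# Account changes that enable takeover through telephone banking get a
# higher severity than a bare record view.  Action names are assumptions.
SENSITIVE_CHANGES = {"CHANGE_PHONE", "CHANGE_ADDRESS", "RESET_TELEPHONE_PIN"}

# Constructed sample log: two agents working tickets normally, one agent
# walking through a run of accounts with no ticket and then changing a phone
# number on one of them.
SAMPLE_LOG = """\
2006-06-01T09:02:11|agent017|VIEW_ACCOUNT|UK-4411|T-9001
2006-06-01T09:05:40|agent017|VIEW_ACCOUNT|UK-4412|T-9002
2006-06-01T09:10:03|agent042|VIEW_ACCOUNT|UK-5120|T-9003
2006-06-01T09:11:22|agent042|VIEW_ACCOUNT|UK-5121|T-9004
2006-06-01T09:40:00|agent042|VIEW_ACCOUNT|UK-5121|T-9004
2006-06-01T12:01:07|agent099|VIEW_ACCOUNT|UK-7001|T-9010
2006-06-01T12:03:55|agent099|VIEW_ACCOUNT|UK-7002|-
2006-06-01T12:04:21|agent099|VIEW_ACCOUNT|UK-7003|-
2006-06-01T12:05:02|agent099|VIEW_ACCOUNT|UK-7004|-
2006-06-01T12:05:48|agent099|VIEW_ACCOUNT|UK-7005|-
2006-06-01T12:06:30|agent099|VIEW_ACCOUNT|UK-7006|-
2006-06-01T12:07:11|agent099|VIEW_ACCOUNT|UK-7007|-
2006-06-01T12:08:09|agent099|VIEW_ACCOUNT|UK-7008|-
2006-06-01T12:09:44|agent099|CHANGE_PHONE|UK-7008|-
"""


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue
        events.append(dict(zip(FIELDS, parts)))
    return events


def off_queue_access(events):
    """Accesses with no service ticket: nothing justified touching that record.

    Returns a list of (severity, event) pairs; a change to the account is
    rated higher than a view because it is the step that enables takeover.
    """
    findings = []
    for ev in events:
        if ev["ticket"] in ("", "-"):
            severity = "high" if ev["action"] in SENSITIVE_CHANGES else "medium"
            findings.append((severity, ev))
    return findings


def volume_outliers(events, factor=3.0, floor=5):
    """Agents who viewed far more distinct accounts than the median agent.

    The threshold is factor * median of per-agent distinct-account counts,
    but never below `floor`, so a quiet day does not flag normal work.
    """
    seen = defaultdict(set)
    for ev in events:
        if ev["action"] == "VIEW_ACCOUNT":
            seen[ev["agent"]].add(ev["account"])
    counts = {agent: len(accts) for agent, accts in seen.items()}
    if not counts:
        return {}
    threshold = max(floor, factor * median(counts.values()))
    return {agent: n for agent, n in counts.items() if n > threshold}


def report(text):
    """Run both checks over raw log text and return the findings together."""
    events = parse_log(text)
    return {
        "volume_outliers": volume_outliers(events),
        "off_queue": off_queue_access(events),
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for agent, n in result["volume_outliers"].items():
        print(f"VOLUME   {agent}: {n} distinct accounts viewed")
    for severity, ev in result["off_queue"]:
        print(f"OFFQUEUE {severity:6} {ev['ts']} {ev['agent']} {ev['action']} {ev['account']}")
```

On the constructed log the volume check flags only agent099 (eight distinct accounts against a peer median of two), and the off-queue check lists that agent’s seven unticketed views plus the one unticketed phone-number change at high severity.  In a real environment the baseline would come from each agent’s own history and team, and the ticket join would be against the service desk system, but the shape of the control, preventive access limits plus a log that someone actually watches, is the point of the passage above.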

On Day Stolen VA Laptop and Disk Recovered, VA Announces They Also Lost a Backup Tape In A Different Location

Friday, June 30th, 2006

Well…Jim Nicholson, the VA Secretary, must be relieved the much publicized stolen laptop and disk were recovered (more on that later), but then he announced a backup tape "with more than 16,000 case records is missing from the Veterans Affairs regional office in Indianapolis."

Actually the backup tape was discovered missing on May 5, two days after the laptop and disk were stolen.  Why did they wait to announce this additional incident along with the news of the recovered laptop and disk?  Did the VA think that it would be just too overwhelming for the public to learn that the records of 26.5 million veterans and individuals in active service had been stolen AND that a backup tape was missing?  Likely they didn’t want to look even more sloppy with information security practices…with incidents occurring at virtually the same time in different locations.  I guess yesterday they saw a good opportunity for a "we have some good news, and bad news" moment.

Or, did they plan not to report the lost backup tape at all, but then decided it would lessen the impact of that incident if they announced it WITH the news that the laptop and disk were recovered?  Both took way too long to be reported to those whose personal information were stored on the devices.

And the statements downplaying the likelihood that the data on the recovered laptop and disk was accessed are meant to be positive spin, but c’mon!  In this day and age a significant portion of the population know that complete disks and files can be copied without leaving any evidence of such activity.  Regarding the recovered laptop and disk…

"The FBI, in a statement from its Baltimore field office, said a preliminary review of the equipment by its computer forensic teams “has determined that the (Maryland) data base remains intact and has not been accessed since it was stolen.” More tests were planned, however."

Who knows…or will ever know?  It’s very possible the data was not copied.  But it’s also possible it was.  Why can’t the agencies involved with investigations be upfront with their statements and just admit that there is no way they can determine whether or not the data was copied?

Organizations who have incidents, thefts and losses need to realize there are tens of thousands of information security professionals who know better than to believe their spin…they should not release such downplaying comfort statements to the public in the same way a parent talks to their preschool child.  Not only will info sec pros see right through the spin, but those with no info sec savvy will gullibly believe that they have nothing to worry about.  People need to realize there are many more bad things that can be done with personal information than just commit identity theft…and the bad things can occur for a very long time after the incident. 
