New Information Security and Cybercrime Initiatives Planned in the EU

June 4th, 2007

As cybercrime occurs in ever more varied ways, as more incidents are reported every day, as new threats emerge, and as more vulnerabilities are found within software and systems (often within the very products companies buy to improve security), more bills, plans, initiatives and laws emerge worldwide to address these issues.

New Tennessee Law Prohibits Using Federal Individual Taxpayer ID as Proof of Immigration Status

June 3rd, 2007

I recently did a very interesting project doing a data flow analysis and risk assessment of I-9 documents processing for a large multi-national company.

Web Hackers Fined $15 Million by SEC

June 3rd, 2007

I remember reading in an issue of 2600 The Hacker Quarterly magazine several years back about how easy it is to commit crime, without being noticed, by hacking poorly secured web sites.
Hacking is often viewed as a safe, almost anonymous type of crime that is very hard to pin on one individual.

If People Aren’t Trained The Best Security Will Go For Naught

June 2nd, 2007

This week there has been much talk in the U.S. news about how Andrew Speaker, the now notorious TB patient (more specifically extensively drug-resistant tuberculosis, or XDR-TB), apparently very easily circumvented security controls to come back into the U.S. via Canada.
My heading is a paraphrase of a longer quote I really like from Charles Schumer that he made about this incident, but that also applies very nicely to all information security practices.

It’s Hard to Keep Secrets When You Entrust Them To Others

June 1st, 2007

When you entrust sensitive information to a contracted company or individual, you are also accepting risk. If you do not perform due diligence to ensure your contractor has effective safeguards in place and understands that your information is sensitive, and if you do not have specific security requirements within your contract, you are opening yourself up to a major embarrassment, a major incident, or both.
The U.S. State Department entrusts many of their secrets to many different contractors. They have found themselves with yet some more bad press as a result of one of their contractors.

The Eyes of IT are Upon You! Curiosity Often Trumps Do The Right Thing According to New Study

May 31st, 2007

At a company I did work for there was a middle manager in the IT area who liked to be the person “in the know.” At meetings he would always talk about ideas or plans that he otherwise should not have been privy to.

Handling Complex and Difficult Privacy and Information Security Issues

May 30th, 2007

Only 10 more days until my 2-day seminar, “Handling Complex and Difficult Privacy and Information Security Issues” in Scottsdale, Arizona on June 9th and 10th (Saturday and Sunday)!

Outsourced Company’s Unsecure Application Makes U.K. Passport Applicant PII Available to Everyone On the Internet

May 30th, 2007

On May 18 the U.K. Data Protection Commissioner said in a Channel 4 news report that he is going to investigate why an online visa application system left the personally identifiable information (PII) of around 50,000 applicants from India who had applied for U.K. passports viewable on the Internet.

Insider Threat Example: Leaked Clinton Memo Provides At Least 5 Good Security Lessons

May 29th, 2007

Mid-last week it was widely reported, probably more so in the national news than here in Iowa, that one of Hillary Clinton’s top campaign folks had written a memo to her urging her to skip Iowa and focus on other states. This leaked memo was the grist of much discussion on the political talk shows over the weekend.

A Twist Within a New State Breach Notice Law: Maryland’s Also Requires Information Security Safeguards

May 28th, 2007

Here’s something that you don’t see in other states…
On May 17, Maryland Governor Martin O’Malley signed into law two identical bills, one from the House and one from the Senate, that require businesses to notify state residents if their unencrypted or unredacted personal information, whether in electronic or paper form, is breached. In addition to mandating breach notification, the new law contains data security and data destruction requirements for companies doing business in the state.