February 5, 2012

Privacy and Security Controls in Your Corporate Board Room — Perhaps a Review is Necessary

Photo courtesy of blog.dattobackup.com

A recent article by Nicole Perlroth reveals a risk that should prompt every organization to re-verify that the videoconferencing cameras used in its corporate board rooms are properly, and verifiably, protected from attackers.

Ten years ago, videoconferencing systems were complicated and erratic, and ran on expensive, closed high-speed phone lines. Over the last decade, however, videoconferencing — like everything else — migrated to the Internet.

Now, many businesses use Internet protocol videoconferencing — a souped-up version of Skype — to connect with colleagues and customers. Most of these new systems were designed with visual and audio clarity — not security — in mind.

Click here to read the full article and learn how easily professional security researchers were able to get into the board room conference cameras of unsuspecting companies of all sizes.
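The first thing a practitioner will want after reading the above is a repeatable check of whether any unit in the organization's public address space accepts connections on the standard videoconferencing signaling ports at all, since that reachability is the precondition for the kind of remote access the article describes. The script below is an added example, not code from the article or from any vendor. It assumes only the standard IANA port assignments (H.323 call signaling on TCP 1720, SIP on TCP 5060/5061); the address ranges and the "listening" hosts are constructed from the RFC 5737 documentation network so it runs offline, and the probe function is injectable so the real `tcp_port_open` can be swapped in when run against ranges you are authorized to scan. It reports exposure only; it does not attempt to place a call.

```python
"""Inventory check: which hosts in our public address space accept TCP connections
on the standard signaling ports used by IP videoconferencing endpoints.

Added example (not from the article). Port assignments are IANA standard; the
address ranges and hosts below are constructed from the RFC 5737 TEST-NET-3
block, and `probe` is injectable so the logic can be exercised offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Standard signaling ports for IP videoconferencing (IANA assignments, not taken from the article).
VC_SIGNALING_PORTS: Dict[int, str] = {
    1720: "H.323 call signaling (H.225.0/Q.931)",
    5060: "SIP (cleartext)",
    5061: "SIP over TLS",
}

Probe = Callable[[str, int], bool]


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True if a TCP handshake completes on host:port within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_ranges(ranges: Iterable[str]) -> List[str]:
    """Turn CIDR blocks and single addresses into a flat list of host addresses."""
    hosts: List[str] = []
    for r in ranges:
        net = ipaddress.ip_network(r, strict=False)
        if net.num_addresses <= 2:
            # /32 (or /31): every address in the block is a host, regardless of Python version
            hosts.extend(str(a) for a in net)
        else:
            # .hosts() skips the network and broadcast addresses
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def find_exposed_endpoints(
    hosts: Iterable[str], probe: Probe = tcp_port_open
) -> Dict[str, List[Tuple[int, str]]]:
    """Map each host that answers on at least one signaling port to the ports it answers on."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for host in hosts:
        hits = [(port, desc) for port, desc in sorted(VC_SIGNALING_PORTS.items()) if probe(host, port)]
        if hits:
            findings[host] = hits
    return findings


def format_report(findings: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """One tab-separated line per exposed host/port, sorted numerically by address."""
    if not findings:
        return ["No hosts accepted connections on videoconferencing signaling ports."]
    lines: List[str] = []
    for host in sorted(findings, key=ipaddress.ip_address):
        for port, desc in findings[host]:
            lines.append(f"{host}\t{port}/tcp\t{desc}")
    return lines


# Constructed demo data (RFC 5737 TEST-NET-3) and a fake probe standing in for the network.
DEMO_RANGES = ["203.0.113.0/29", "203.0.113.20/32"]
DEMO_LISTENING = {("203.0.113.3", 1720), ("203.0.113.20", 5060)}


def demo_probe(host: str, port: int) -> bool:
    """Offline stand-in for tcp_port_open: 'open' only for the constructed pairs above."""
    return (host, port) in DEMO_LISTENING


if __name__ == "__main__":
    # Replace demo_probe with tcp_port_open (and DEMO_RANGES with your own ranges)
    # only for address space you are authorized to scan.
    hosts = expand_ranges(DEMO_RANGES)
    for line in format_report(find_exposed_endpoints(hosts, probe=demo_probe)):
        print(line)
```

Any host this reports should be checked against the inventory of videoconferencing units; a unit that appears here is reachable from the Internet on its signaling port and needs to sit behind a firewall or session border controller rather than on a public address.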

If applicable, please pass this info along to those risk management and IT / information security team members in your own organization.

Google Plans to Alter Privacy Policy and Terms of Service

Photo courtesy of blog.mclane.com

The actions and decisions of Google can affect information security teams in organizations across the globe. With that in mind, Google’s recent announcement that it will alter its privacy policy and terms of service to reflect that it is now going to combine data from its various services into a single user profile may well require close study, review and evaluation of an organization’s own privacy policy, particularly where services such as Google’s are in use.

It goes without saying that this privacy change by Google also needs to be reviewed closely wherever Google services are used by individuals.

In a recent article, Thomas Claburn points out that critics have been quick to question Google’s decision.

The article also references Sen. Richard Blumenthal (D-Conn.), who said in a blog posting that he is troubled by the lack of an opt-out mechanism, and David Jacobs, consumer protection fellow at the Electronic Privacy Information Center (EPIC), who expressed concern that Google’s changes decrease users’ ability to control how their personal information is used.

Click here to read Claburn’s full article, and be sure to use the links in that article to dig more deeply into the reference documents and related postings on this potential privacy risk.

Additional stories about this controversial decision by Google are also listed below:

“Google Says Privacy Change Won’t Affect Government Users” by Jaikumar Vijayan

“Google Stirs Up Privacy Hornet’s Nest” by Sharon Gaudin

“Google Privacy Policy: Who Will be Affected and How You Can Choose What Information Gets Shared” by Cecilia Kang

“Google Seeks to Clarify New Privacy Policy” by Doug Gross

“Lawmakers Press Google on Privacy Policy Changes” (Reuters)

If applicable, please pass this information along to those information security and risk management team members in your organization, those members of privacy rights protection groups in your community and to members of your family who use Google on a daily basis.

E-Discovery No Stranger on Campus

Photo courtesy of sonian.com

In response to recent inquiries and comments from readers working in education, in particular those working in a university campus information security department, who asked for more discussion of e-discovery as it applies to a university campus environment, our staff presents below a list of recent postings and articles addressing this growing dynamic within the “discovery” process itself.

Dian Schaffhauser, who covers technology and business topics for a number of publications, has recently posted an article entitled “An e-Discovery Primer”, a good reference to offer anyone who wants to learn the basics of e-discovery.

On this point, it is also important to realize that the “discovery” process is neither new nor limited to the digital era. As Seth Gilbertson, associate counsel for the State University of New York, states, “…discovery is the process of saving and producing records and other evidence pertaining to an activity that may be the subject of litigation.”

Whether you already deal with e-discovery or are new to the discussion and the risk mitigation potential embedded in the process, click here to read Schaffhauser’s full article.

An E-Discovery Guideline and Toolkit posted on the EDUCAUSE website presents e-discovery issues for universities to consider.

“E-Discovery Trends: Potential ESI Sources Abound in Penn State Case” by Doug Austin

“E-Discovering Reference” article by Spolanka

“School districts wrestling with ABCs of electronic discovery, compliance” by Beth Pariseau, Senior News Writer

“Hey @wfryer looking for the 411 on eDiscovery: http://bit.ly/9hcxe9 (your wiki) Bottom line: do schools have to archive STUDENT email?”

The E-Discovery Question   – Don’t panic over the new regulations, but make sure your school’s policy is clear.

If applicable, please add your input, comments and experiences of the e-discovery challenges you have faced in your own university campus environment.

Information Security Lesson from Recent Zappos Breach Incident

Photo courtesy of searchtimes.com

Should anyone on your organization’s information security team become complacent about the need for ongoing maintenance and updating of security controls, the breach recently announced at Zappos.com should be an adequate reminder that risk mitigation in this area is a 24/7 responsibility.

Zappos CEO Tony Hsieh recently had to notify customers by email that the part of the Zappos web marketplace system that houses customer personal information had been compromised, asking them to create a new password for their accounts immediately.

“We’ve spent over 12 years building our reputation, brand, and trust with our customers,” Hsieh said in his email. “It’s painful to see us take so many steps back due to a single incident. I suppose the one saving grace is that the database that stores our customers’ information was not affected or accessed.”

Click here to view a copy of that email along with Hsieh’s message to Zappos’ employees.

Although you never want to face such a situation in your own organization, Zappos’ response to this incident may contain valuable lessons to pass along to your own information security, crisis and risk management, and disaster preparedness teams.

Hacker “Yama Tough” Threatens Release of Source Code for Norton’s Antivirus Software

Photo courtesy of reuters.com

For readers who use Norton Antivirus as part of their organization’s information security plan, be aware of a story recently released by Reuters announcing that “Hackers are to release full Norton Antivirus code on Tuesday”.

It appears that a hacker who goes by the name “Yama Tough” is threatening to release the full source code of Symantec Corp’s flagship Norton Antivirus software.

Click here to read more about this developing story as reported by Frank Jack Daniel.

If applicable, please pass this information along to those disaster preparedness and network security planning team members in your organization.

Online Privacy Risks and Predictions for 2012


Photo courtesy of intellicorpintouch.com

With 2012 now well under way, online privacy risks will be an important issue for information security and risk management team members in today’s global village of inter-organizational activity, as well as for the growing number of consumers who rely more and more on online communication tools and applications for their day-to-day purchases.

As online businesses grew in 2011 – through innovative technologies in advertising, cloud services and mobile apps – the call for improved levels of online privacy controls rang loudly and repeatedly throughout the industry.

“With the collection and usage of consumer data spreading like wildfire across a myriad of emerging online businesses, 2011 was a year of extraordinary change for online privacy,” said Chris Babel, CEO of TRUSTe. “Along with the excitement about the potential of innovative online technologies, the industry was also forced to address both trepidation and concern for the safety and respect of consumers’ personal privacy. TRUSTe is pleased to share some of our privacy expectations for the New Year.”

From its vantage point, TRUSTe posted on the ITBusinessEdge website the following predicted events and trends for the year ahead:

  1. There will be increased FTC activity against websites with high levels of privacy violations related to third-party tracking.
  2. Mobile self-regulatory guidelines regarding online behavioral advertising (OBA) will grow in 2012.
  3. Knowledge of, and practical experience with, privacy laws and regulations will become an even hotter job skill in 2012.
  4. There will be much more use of location-based technologies.
  5. U.S. companies doing business in Europe will most likely be forced to follow EU individual privacy standards.
  6. Most likely no comprehensive privacy legislation will be passed by the U.S. Congress in 2012.
  7. One of the 2012 Presidential candidates will announce plans for a new cabinet post: Secretary of Online Privacy.

If any of our readers have come across additional privacy-related predictions for 2012, please share them in the comments section below.

If applicable, pass this information along to those risk mitigation specialists in your organization who might view an online privacy breach issue as a serious economic disruptive event to their organization.

Click here to view more details of these predictions.

Data Security and Privacy Issues Predicted in 2012 — NO SURPRISES


Photo courtesy of thinkstock.com

As many of our readers who are risk management team members work on their organizations’ 2012 disaster preparedness plans and risk mitigation strategies, information security and privacy will remain high on their lists of considerations.

Recently, an article by Richard L. Santalesa attempted to address these concerns by listing several events predicted to occur across the privacy and data security landscape in 2012.

A quick summary of some of those predicted events follows:

  1. There will most likely be a significant revamp of the EU’s Data Protection Regulations, e.g. a potential requirement to designate a privacy officer within an organization, increased enforcement powers and penalties, and perhaps stronger protection for children under 18.
  2. The final version of the U.S. HIPAA breach notification rule may make its long-awaited appearance in 2012, along with guidelines for Stage 2 of the electronic health record incentive program under the HITECH Act.
  3. In 2012, the FTC will likely release its finalized Privacy Report, formally titled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”
  4. Better development of information security and data protection language in cloud service contracts will help provide guidance on cloud contracting issues such as audit assurances, cloud security and accreditation, e-discovery, security controls, and allocation of liability and responsibility for data security, to name but a few.
  5. Continued data breach activity in 2012 will force many organizations to review their existing insurance policies to see what is and is not covered in their business interruption policies.
  6. Buzzwords that implicate data security and privacy issues, such as BYOD (“Bring Your Own Device”) and COIT (“Consumerization of Information Technology”), will grow in importance in 2012.

Click here to view more about the predictions listed above as well as to read the full collection of Christine Marciano’s predictions of data security and privacy related activities to occur in 2012.


If applicable, please pass this information along to your other risk management or information security team members.

Is Google Wallet Secure?


Photo courtesy of worldmate.com

Our staff has reviewed readers’ comments and requests for more discussion of mobile devices, along with reference information on the levels of risk associated with those devices.

In response to those requests, our staff has decided to direct our readers to a recent article on the Google Wallet application.

Google Wallet is a new offering from Google that allows consumers to use their Android device to make contactless payments at retailers. It incorporates Near Field Communication (NFC) technology and in its initial release supports one major credit card as well as some gift and loyalty cards. Google Wallet is the first real payment system leveraging NFC on Android.

Click here to view the recent appWatchdog review of Google Wallet.

Click here to view the full forensic security analysis of Google Wallet on which the appWatchdog review was based.

If applicable, please pass this cyber security information along to the information security and risk management IT team members in your organization, as well as to those individuals you know who currently use the Google Wallet application on their Android smartphones. (View an 85-page Mobile App Security Study focusing on iPhone and Android in the Enterprise.)

Hopefully, this information will also open a dialogue with our readers to further explore this growing risk management issue for individuals, organizations and communities where smartphones have quickly become a critical communication tool.

Benchmarking Opportunity — ENISA Releases Cyber Security Incident Reporting Guideline Documents


Photo courtesy of ENiSA

If your information security planning team is looking for additional benchmarks for cyber security incident reporting, you might want them to read about the guidelines for cybersecurity incident reporting just released by ENISA, the EU’s network and information security agency.

The first guideline describes how to implement the mandatory cybersecurity incident reporting scheme, while the second describes the specific security measures that telecom operators need to integrate, implement and maintain.

Important to also note is that the new telecommunications legislation (EU directive 2009/140/EC) among other things offers protection for consumers against security breaches.

For readers employed by organizations with locations in both the United States and Europe, which are potentially affected by these guidelines addressed to the EU national regulatory authorities (NRAs), this information should be read and reviewed by all information security, risk management and disaster preparedness team members.

Click here to download “Technical Guideline on Incident Reporting”. This document defines the scope of incident reporting, the incident parameters and thresholds for reporting significant incidents to ENISA and the EC, and the ad hoc notification of incidents to other NRAs in the case of cross-border incidents. It also contains a reporting template for submitting incident reports to ENISA and the EC, and explains how ENISA will process the reports.

Click here to download “Technical Guideline for Minimum Security Measures”. This guideline advises NRAs on the minimum security measures that telecom operators should take to ensure the security of their networks.

December is National Critical Infrastructure Protection Month


Photo courtesy of DHS

Just a reminder — the month of December is recognized in the U.S. as “National Critical Infrastructure Protection Month”.

For readers who are not sure of the significance of this declaration, or how it relates to their place of work, their community or where they live, it is worth reading the information on the Department of Homeland Security (DHS) website to learn what critical infrastructure is, what each of us can do to help protect it as a shared responsibility, and which industry sectors are most directly affected by this effort.

A quick summary of some of that information is:

  1. Definition of Critical Infrastructure: “… a summation of all the assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof.”
  2. Why is Critical Infrastructure Important?
    1. Attacks on critical infrastructure could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident.
    2. Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence.
    3. Attacks using components of the nation’s critical infrastructure as weapons of mass destruction could have even more devastating physical and psychological consequences.
  3. What are the critical infrastructure sectors of the U.S.? (In alphabetical order, with links attached to provide more details and information.)

    a. Agriculture and Food
    b. Banking and Finance
    c. Chemical
    d. Commercial Facilities
    e. Communications
    f. Critical Manufacturing
    g. Dams
    h. Defense Industrial Base
    i. Emergency Services
    j. Energy
    k. Government Facilities
    l. Healthcare and Public Health
    m. Information Technology
    n. National Monuments and Icons
    o. Nuclear Reactors, Materials and Waste
    p. Postal and Shipping
    q. Transportation Systems
    r. Water

As even this short summary indicates, the list of sectors covers almost every aspect of commercial, industrial and community life important to every U.S. citizen.

To protect these sectors we must also recognize that an informed and engaged public is another important line of defense in building resilient communities.

The “If You See Something, Say Something™” campaign continues to educate the American public on the behaviors and indicators of suspicious activity and encourages all Americans to be vigilant and to report suspicious activity to local law enforcement – all certainly in support of this National Critical Infrastructure Protection Month.

Click here for more details and information.

If you found this information valuable, please pass it along to those business continuity, risk management, disaster preparedness or community first responder teams where you work and where you live.