Tag Archives: media

Despite what you may think, IT security “is” your business

Many executives feel that IT security is only an issue for the IT department.  The problem is IT security is a bigger issue than just your IT department.  Everyday your company faces viruses, lost devices, stolen data, and intellectual property walking away with recently dismissed or disgruntled employees.  According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidently leaked in 871 separate incidents in 2011.  Costing companies an estimated $26 billion in 2011.  Now you might say, “We aren’t in the business of IT or security.  We make widgets.  We maximize investor returns by buying, selling, and trading subsidiaries to create wealth.”  The fact is currently, for an organization to ignore IT security is clearly risky.   As reported in Forbes magazine on January 2, 2012 “If data loss continues on its current trends, it will cost the U.S. economy $290 billion by 2018”. As most cases go unreported, check out the cases that made headlines in 2011:

  • RSA
    The security division of data storage firm EMC was hit by a hack that compromised their popular SecurIDcryptographic keys, forcing them to offer replacements to their clients.  The stolen information was later used in an attack on defense giant Lockheed Martin.  RSA has provided a useful working definition of the term advanced persistent threats, or APTs, as “military-grade cyber-attacks on commercial entities.”  In the face of APTs, businesses need a new defense doctrine, which is under discussion by an increasing number of corporate chief information security officers.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions.  Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation network.  The Sony breaches followed several similar data breaches by online service suppliers such as Play.com and Lush, so what effects are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Can you afford to have your company on this list?  I did not think so.  All of us have a role to play in a more secure internet and it is clear  we have a problem and need to get on with fixing the issues as quickly as possible.  If your company has customer information, takes credit cards or has computers that use passwords then IT security is in fact your business.

 

 

(ISC)² Security Congress 2011

The congress was held Sept 19-22 at the Orange Country Convention Center in Orlando. This was (ISC)²’s first annual Security Congress, hopefully not the last! It was co-located with the ASIS International’s 57th annual seminar and exhibits, a move that recognizes the convergence of physical and information security.

After attending this congress, I realized how big the physical security world is. To give you the numbers, there were 280 attendees from (ISC)² versus 20,000 from ASIS, and enough exhibitors for this crowd to visit: 700.

There were 3 hour-long educational sessions per day, with about 25 topics to choose from for each session.

What were they talking about?

The 3 topics that was heard and discussed and debated on in almost every session (among the 10 or so (ISC)² sessions that I attended) were:

  1. Cloud Security
  2. Mobile Device Security
  3. Social Media

The trend and the focus for the information security industry in the next couple of years will be on addressing the above 3 topics with policies, regulations, products, and services. Below I’ll expand a little bit on why each area is attractive, and what are the security risks. 

1. Cloud Security

Why cloud? – Flexibility and scalability, cost savings, availability and disaster recovery

Threats? – Data loss/leakage, abuse of cloud, account/service hijacking, shared technology

What to do? – Like any other technology, cloud has risks associated with its benefits. All the classic principals of information security should be applied to it, having it in mind from the design/architecture phase. Have an incident response plan. Consider private/community/public/hybrid cloud options. 

2. Mobile Device Security

Why mobile devices? – Business rewards (response time, availability, flexibility), employee experience (ubiquitous mobile devices, employee owned), executive adoption

Threats? – Data loss/leakage, employee privacy concerns, compromise of corporate network from mobile device

What to do? – Look into device ownership (= liability) issues, have a corporate and a personal mobile device use policy, provide training to go along with that policy, harden mobile devices 

3. Social Media

Why social media? – It’s ubiquitous and unavoidable, it is the basis for Web 2.0, it has great potential to be used as a marketing and customer communication tool for the enterprise

Threats? – Faster spread of malware through the ‘trust’ factor, phishing attacks, worms, shortened URL’s, Evil Twin attack, session hijacking, identity theft, all leading to information leak and corporate liability issues

What to do? – Social media use policy (AUP), education and awareness, use of content filtering and DLP products to control traffic to and from social media sites

Some interesting notes:

  • Security is not about security, it’s about risk management
  • What is the perimeter of your network? It’s the end user!
  • A smartphone on your network should not be treated ANY differently from any other computer on your network
  • 1 out of 5 tweets names a product brand
  • Facebook mobile users are 50% more active than other users of the site
  • Sources of social media risk include: clients, employees, vendors, competitors, activists, and cyber criminals

Some interesting links:

Some interesting speakers:

  • Jeb Bush, Former Governor of Florida
  • Vicente Fox, former president of Mexico
  • Burt Rutan, designer of SpaceShipOne
  • Janet Napolitano, US DHS Secretary
  • Winn Schwartau, celebrity and power thinker on security/privacy/infowar/cyber-terrorism
  • Charlie Blanchard, Manager of Security & Privacy Services, Deloitte & Touche LLP
  • Simon Hunt, VP and CTO, Endpoint Security, McAfee
  • Shayne Bates, Director Security Cloud Strategy, Microsoft Global Security
  • James Hewitt, Director of Security Governance, CGI Federal

Vahid A.