Showing posts with label qotd. Show all posts

QOTD - PrivacyProf on tracking PII

Most business leaders, especially in business units, and in the legal office, just assume that all storage locations for PII are known and that there is a 100% complete inventory for it somewhere. Infosec, IT and most privacy practitioners know the real deal; it is rare that PII is formally defined, and even rarer to have an inventory of all PII. Considering the ease with which PII can be copied and distributed literally thousands of times with just one press of a button, and stored in any number of mobile devices and outside storage locations, it is very hard to have a complete PII inventory. But, it must be done. And doing so will help to determine the controls and other safeguards that need to be placed around PII to keep from having it stolen, leaked or lost.
Rebecca Herold, The PrivacyProf, blogging about the news that the University of Central Missouri didn't know that two printed reports (w/ 7,000 student names, SSNs, addresses, and birthdates) were stolen from a location on campus.

I have had similar findings in many of the information security assessments that I conducted, in that management was often shocked to hear about the various sources and destinations of sensitive information throughout an organization. Until an organization traces the flow of sensitive data generated and consumed, management cannot hope to have an accurate inventory of that data, its location, or whether it has been properly disposed of.

[Note: emphasis is mine]

Src: Stolen Print Documents With PII Found On Crook; Otherwise UCM Would Not Have Known The Reports Were Stolen - Realtime IT Compliance

QOTD - Rafal Los' Dose of Security Reality

In a typical company where risks are a-plenty, and IT is up to its eyeballs in delivery issues it's a little difficult to suddenly step in and talk about security vulnerabilities like they're somehow more important than the 10,000 things that are already on fire. When the whole forest is on fire... which tree do you save first?

Enterprises and SMBs alike are looking to save money, cut corners (whether they want to admit it or not) and unfortunately security sometimes falls off the docket. Whether it's the security team's fault for not properly articulating the issue or the CIO's for simply not understanding the risks... the result is often the same. Somewhere in your business are thousands of lines of insecure, exploitable, and very lucrative code. Worse yet - that stuff has been there for years and now when you review a small snip that's changing and find that the whole thing has to be re-done... no one wants to pony up the money to do the work - right? --Rafal Los, IT Security Risk Strategist, blogger at http://preachsecurity.blogspot.com/
Src: [RANT] Call Me a Realist | Digital Soapbox - Preaching Security to the Digital Masses

Zero Day Threat, the book

As I wrap up reading Zero Day Threat, written by USAToday's Byron Acohido and Jon Swartz, I wanted to share with you one of the paragraphs that best outline the current mess of the US (and beyond) financial system. [emphasis is my own]
In the fast emerging cybercrime industry, hackers and scam artists morph and advance magnitudes of order faster than the banking and tech industries have been willing to shore up basic security. From corporate America's point of view, convenience and speed are the drivers of the business models of the new millennium. Security is a perception challenge.
I highly recommend this book to anyone charged with safeguarding data. It will open your eyes to a system of actors (banks, credit bureaus, scammers, drug addicts, and malware authors) revolving around maximizing profit at the expense of the consumer. The book links the murky world of the "exploiters" with the ingenious capacity of the "expediters" to generate new and better malware, while the "enablers" sit mainly idle, unwilling to commit to much-needed enhancements to secure consumers' financial records and credit histories.

As security professionals, we must engage in critical evaluation of the risks to the data we are entrusted with. This book is sure to generate many lively discussions among security pros, and one would hope, executive management, about the nature of the threat, the drivers, and the baseline security that ought to be implemented.

Src: Zero Day Threat official web site
Src: Cybercrime Book Excerpt: 'Zero Day Threat' | Wired.com
Src: You won't guess who's the bad guy of ID theft | USAToday

QOTD - US Cyber Commander on Defending IT

On May 5, 2009, Army Lt. Gen. Keith Alexander, Director of NSA, and now poised to become the new commander of the US Cyber Command, spoke before the Terrorism, Unconventional Threats, and Capabilities Subcommittee of the US House Armed Services Committee:
[The US must maintain] the capabilities to use cyberspace as a medium to deter, deny or defeat any adversary seeking to harm U.S. national and economic security; while ensuring actions are undertaken in a manner that protects our Constitutional liberties.
...
The rapid expansion and global dependence upon cyberspace required the Defense Department to evolve its warfighting doctrine to include cyberspace as a viable domain on par with the domains of the land, sea, air and space. Cyberspace is unlike the other warfighting domains; it is a man-made technological phenomenon solely reliant upon human activity. The Department of Defense defines cyberspace as 'a global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems and embedded processes and controllers.'
...
More than the speed of the communications, the rate of change of cyberspace, and the applications that use it, is continuous, making this domain ever evolving. However, the convergence of communications devices being driven by cyberspace is fueling an integration that has far reaching consequences, both positive and negative, that must be appreciated if one is to understand this domain.
[Emphasis is my own]
Src: Defending IT: Words from the New Military Cyber Commander | GovInfosecurity.com
Direct link to PDF of testimony

QOTD - Heartland CEO on PCI Compliance

Just because you have a certificate of compliance doesn't mean that you can't get breached.

People had asked me for years 'what keeps you awake at night' and I would keep telling them it was the fear of a data breach. -- Robert Carr, CEO, Heartland Payment Systems
Src: Heartland CEO says data breach was 'devastating' | ComputerWorld

RSA chief: The job of security guy is not to be 'Doctor No'

The job of the security guy is not to be "Doctor No." It's not to say "you can't do stuff," but rather how you can embrace these technologies and how you can do it securely. You can never do security perfectly, but if you do it in the context of risk, you can minimize your exposure... Your job then is to shift from protecting the container to protecting the data and information itself. -- Art Coviello, RSA president
I've said it before and I'll say it again: one too many "No!" and your users will start getting IT business done without IT or security's involvement.

Src: RSA chief: The job of security guy is not to be 'Doctor No'

QOTD - Geer on Rate of Change in InfoSec

The world we live in now is one where the rate of change is so great it is hard to develop a skilled craft because by the time you do, the problem set has moved on.

I think information security is quite possibly the most intellectually challenging profession on the planet. For that reason, what was true yesterday may not be tomorrow. In information security in particular, the rising fraction of R & D that is done by the opposition, and is funded by the opposition by its own revenue, is quite fascinating and makes things very difficult. At the same time, have we made progress? Sure. But the challenging aspect to this continues to be this rate of change and the degree to which you need to be on your toes all the time. -- Dan Geer, CISO at In-Q-Tel
Src: Geer: Risk Management Should Change the Future | CSO Online

QOTD - Patrick Gray on Security vs Dancing Bears

Given a choice between a dancing bear screen-saver and adhering to a company security policy, the end user is going for the dancing bear every time. -- Patrick Gray, host of the Risky Business Podcast, Episode RB78: Interview with Geekonomics author David Rice
Also worth listening to is the audio of the GOVCert presentation by Geekonomics author David Rice

Study: Users will route around firewalls

Application developers are making it easy for users to negate corporate firewalls, and users are happily taking advantage of this, while corporate IT networks are constantly playing a cat and mouse game with these users.
...
A lot of the risks detailed in this report could be managed rather easily by giving users access to a comparable set of approved tools.
I've always been of the opinion that IT needs to work with users instead of trying to "control" them. One too many "No!" and a user will find his/her own way of getting things done.

Study: Employees Will Find Ways to Route Around Corporate Firewalls | ReadWriteWeb [tx @security4all]

QOTD on Moving to the Cloud

If you think it's tough managing identities, devices, malware, exploit attacks, mitigating software vulnerabilities, and conducting meaningful audits today -- you haven't seen anything yet compared to what's coming with the hyper-connected nature of data, people, infrastructure, devices, and applications in 'The Cloud.' -- George Hulme writing in Information Week
Src: Cloud Security Needs Its Rainmaker | InformationWeek [Tx georgevhulme]

QOTD on Data Handling

Commenting on a story in which Aberdeen Royal Infirmary lost a laptop containing almost 1,400 PII records, David Hoelzer, Director of Research & Principal Examiner for Enclave Forensics, wrote:
Somewhere in our information security program there needs to be an analysis of what data really needs to be where. The best way I've seen to do this is to develop matrix based policy that shows how each type of data may be handled. Something as simple as that should tell us very clearly that it's just never OK to have sensitive data of this level on a portable device. Organizations may consider selecting controls out of ISO-27000 that deal with management approval for movement of sensitive data.
Src: SANS NewsBites Vol 11 Num 33

QOTD on the Importance of Internet Identity and Anonymity

It's so easy to be anonymous on the Internet, that people can launch the equivalent of cyberwar and cyber-terrorist attacks from their living room, anywhere in the world, and with complete anonymity...
We are seeing this in sociopolitical and geopolitical hotspots. Organizations are reaching out to individuals, telling them that if they install attack bots on their PC, their system will be used to wage war. People can go to terrorist Web sites and download and install bots on their own. And those that are installing these applications built to attack will do so in total anonymity. -- Andrew Storms, Director of Security Operations at nCircle
The importance of internet identity, and anonymity | Threatpost [tx to @GeorgeVHulme and @digiphile]

QOTD - Brian Honan on Fire Alarms

I often see people argue whether the [fire] alarm is real or not; me, I have that discussion outside the building. -- Brian Honan of BHConsulting.ie
replying to one of my tweets about a 2am fire at the hotel I happened to be staying at.

QOTD - EnCase, FTK, and Hammers

EnCase Enterprise is not “court validated.” FTK Enterprise is not “court validated.” And they never have been. In competent hands, computer forensics is not a black box, pushbutton art, so the integrity of process hinges on the carpenter, not on the hammer. -- Craig Ball
Src: "We're Both Part of the Same Hypocrisy, Senator" | EDD Update [tx @robtlee]

QOTD - Schultz on Conficker vs Academia

Sorry, University of Utah, but saying that patient information was not compromised is by no means any kind of moral victory or assurance to the public. How could this university be so naive to think that somehow a vulnerability for which a patch was available *last fall* could not cause damage and harm to medical patients and experimental subjects? -- Eugene Schultz, CTO of Emagined Security
Src: SANS NewsBites Vol 11 Num 29

QOTD - Liston on unencrypted laptops

Almost every week, we have stories of laptop theft that contain the phrase, "...the data was not encrypted." Wake up people! If you have sensitive information on a machine that is DESIGNED to be carried off, you NEED to encrypt that data. It isn't all that hard, it isn't expensive, and I think we're to the point now where it should be considered negligence if it isn't being done. -- Tom Liston, SANS ISC handler and Senior Security Consultant and Malware Analyst for Inguardians
Src: SANS NewsBites Vol 11 Num 29

QOTD - Northcutt on Incident Response

The majority of security appliances report what happened, but not who was behind the activity, historical information about that system or similar events.
...
With log monitoring, nothing succeeds like success.
...
Logging, which is usually considered dull and boring work, becomes exciting. -- Stephen Northcutt, President of the SANS Technology Institute
Src: Whodunnit? | SearchSecurity.com

QOTD on Default Settings

Don't assume default privacy settings are appropriate or sufficient.
is one of the 10 tips listed by the Sydney Morning Herald to protect yourself on Facebook (and other social networking sites). It seems that the security community is once again having to reinvent the "secure by default" wheel.

Src: Case of stolen online identity - Technology | smh.com.au

QOTD on Web Application Security

CAUTION - This machine has no brain use your own
is quoted in this blog article about a reminder that should be provided to users of web applications. Gunter Ollmann also introduces an interesting concept, that of "security ergonomics."

Src: Ignorance is bliss (in Web application security) | Technicalinfo.net Blog

Go ahead and steal this database

Adopt a hacker's mentality and assume that your employees might be tempted to pilfer information.
was the message in a recent article in Forbes.com on data masking, which modifies the data to remove its sensitive nature. The main drivers for this technology are the changes in compliance regulations and the need to ensure the security of the data given that outsourced software development is essentially "surrendering company databases to unknown, and possibly unvetted, programmers at home and abroad..."

Src: Steal This Database | Forbes.com
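As an added illustration of the data masking the Forbes piece describes (this is not code from the article or from any masking vendor), the following Python pseudonymizes a constructed customer extract with a keyed HMAC so the copy handed to outside developers keeps its field formats and table joins but none of the real values. The sample rows, the masking key and the column names are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample rows; two tables that join on the SSN column.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com"},
    {"id": 2, "name": "Bob Sample", "ssn": "987-65-4321", "email": "bob@example.com"},
]
ORDERS = [
    {"order_id": 100, "ssn": "123-45-6789", "amount": 42.50},
    {"order_id": 101, "ssn": "987-65-4321", "amount": 7.00},
]

# Placeholder key: it stays with the team producing the masked copy and never
# ships to the development environment, so tokens cannot be mapped back.
MASK_KEY = b"constructed-placeholder-key-not-for-dev"


def _prf(key: bytes, value: str, nbytes: int) -> int:
    """Keyed PRF (HMAC-SHA256): same input and key always give the same token."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:nbytes], "big")


def mask_ssn(ssn: str, key: bytes = MASK_KEY) -> str:
    """Format-preserving pseudonym: still NNN-NN-NNNN so schema checks pass."""
    if not re.fullmatch(r"\d{3}-\d{2}-\d{4}", ssn):
        raise ValueError("unexpected SSN format: refusing to mask silently")
    digits = f"{_prf(key, ssn, 8) % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_email(email: str, key: bytes = MASK_KEY) -> str:
    """Replace the whole address; the domain is always a reserved, undeliverable one."""
    local, _, _domain = email.partition("@")
    return f"user{_prf(key, local, 4):08x}@masked.invalid"


def mask_name(name: str, key: bytes = MASK_KEY) -> str:
    return f"Person {_prf(key, name, 3) % 10**6:06d}"


def mask_tables(customers, orders, key: bytes = MASK_KEY):
    """Mask both tables with one key so the foreign key relationship survives."""
    mc = [{**r, "name": mask_name(r["name"], key), "ssn": mask_ssn(r["ssn"], key),
           "email": mask_email(r["email"], key)} for r in customers]
    mo = [{**r, "ssn": mask_ssn(r["ssn"], key)} for r in orders]
    return mc, mo


def joins_preserved(customers, orders) -> bool:
    """Sanity check before release: every masked order still joins to a customer."""
    keys = {r["ssn"] for r in customers}
    return all(o["ssn"] in keys for o in orders)
```

Because the tokens are deterministic under one key, the same person gets the same pseudonym across every table in the extract; rotating the key produces an unrelated set of tokens for the next refresh.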