<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatory of Internet Security</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Potent Notable Risk Potables</title><description>2009-03-16 13:20:40 - Jeff Bardin Conspiracy to Commit Security : There are many bloggers out there in the blogosphere but a couple that need some recognition. Andreas Wuchner of Novartis maintains a blog (http://itriskspace.com/) of international flavor named IT Risk Space, and Jim Reavis of the Reavis Consulting Group drives home the message (http://www.riskbloggers.com/) with RiskBloggers. Their messages are timely and on the mark. Take a look and leave them a message, comment on their content and, like always for those who respond, be honest, don't hold back.</description><link>http://www.secuobs.com/revue/news/71321.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/71321.shtml</guid></item>
<item><title>Army Report Says Twitter Could Be Used by Terrorists</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - The US Army's 304th Military Intelligence Battalion has issued a report that says that the micro-blogging service Twitter could be used as a tool for terrorist groups such as al Qaeda. The report found that terrorist groups and others "with extremist ideologies" could use Twitter in conjunction with other technologies--such as GPS locators, cell phone cameras, and voice changing software--for a number of malicious purposes.

For example, the report found that extremist groups could send Twitter messages on a mobile phone with a camera to relay troop movements for an ambush. The report also noted that Twitter could be used to track police movements, as protestors did during the Republican National Convention last month.

In addition, terrorists could "friend" US troops on a social networking site in order to get information that could be used for identity theft or a cyber attack, the report noted. Finally, the report found that extremist groups could use Twitter in conjunction with other technologies to detonate explosives.</description><link>http://www.secuobs.com/revue/news/69540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69540.shtml</guid></item>
<item><title>Data Loss Prevention and Privacy</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - How do you respond when employees complain about privacy and they don't know you have deployed a data loss prevention solution? What if someone in the C-suite asks you "Are you sure we have the right to surveil our employees?" Here is a potential answer to these questions:

Privacy is a flash point for varying opinions that elicits highly subjective and emotional responses. Let me relate our conversation to industry standards, laws and our own policies regarding privacy. Privacy rights in the workplace are largely non-existent. There are few situations where an employee has a due process right to challenge information collected or held by the employer. There are some state and federal laws that grant employees limited rights. However, there are no general protections of privacy where the employer violates the employee's reasonable expectation of privacy.

A recent survey by the American Management Association (AMA) found that 92% of companies conduct some type of electronic surveillance. Many do so without notification since there are no state laws that require it. Our Code of Conduct and Board of Directors certified acceptable use policy clearly indicates that no employee has an expectation of privacy when using corporate assets, and that no non-corporate owned assets are to connect to or store any corporate information. We cannot control what we do not own. All employees are required to read and acknowledge these policies. Although we surveil our employees, they are not currently aware.

The AMA survey indicates that most employers surveilled employees in some way, shape or form:
• 73% monitored email messages;
• 66% monitored web surfing;
• 48% monitored with video surveillance;
• 45% monitored keystrokes and keyboard time;
• 43% monitored computer files.

The survey goes on to indicate that 28% of employers who fired workers for e-mail misuse did so for the following reasons:
• violation of any company policy (64%);
• inappropriate or offensive language (62%);
• excessive personal use (26%);
• breach of confidentiality rules (22%).

30% of bosses who fired workers for Internet misuse cite the following reasons:
• viewing, downloading, or uploading inappropriate/offensive content (84%);
• violation of any company policy (48%);
• excessive personal use (34%).

We utilize the information gathered from our surveillance program in the same fashion.

There is a new Massachusetts bill effective January 1, 2009 if you live in Massachusetts or collect Massachusetts residents' info. We are in the process of rewriting our acceptable use policy and creating an awareness campaign to communicate to our employees on the use of our new data loss prevention tool:
• the information which is to be collected, how it is collected, and when it is collected;
• the use to be made of the information which is collected;
• the identity of the employees who will be monitored (all).

We are fully within our rights as a corporation in protecting our assets and hope that we continue to behave in this manner.</description><link>http://www.secuobs.com/revue/news/69539.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69539.shtml</guid></item>
<item><title>Abuse Is Not a Four Letter Word</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - The head of your software development group is pushing back on abuse case testing, software vulnerability scans and overall regression testing of production changes to mission critical systems. The complaints are getting loud and boisterous with threats of ignoring the security efforts within the SDLC. What do you do this time in response to the nasty email? You might wish to respond like this:

Please accept my apologies for the miscommunication that seems to have occurred. We are not requiring regression testing on all production software changes at this time. It is something we strive to achieve as part of our strategic plan outlined to the CIO during the first quarter of this year, but it is not on the docket for 2008. Instead, we are focusing only on Mission Critical, Internet Facing (MCIF) applications. We started the process in October of 2007 if you remember the meetings we held on increased security activity within the systems development lifecycle. In addition, we are quite active in the change review board activities for any and all changes associated with MCIF applications. We also fund training activities for your developers, all quality assurance (QA) staff and select architects while providing an application scanning plug-in to the QA team that works in conjunction with the new defect tracking solution. The QA team is quite excited about the tool, using it for over three months now. In fact, the QA team tested several MCIF applications during those three months treating the issues as normal programming defects. You may not realize it, but your staff re-works issues associated with the scanning today. Combined with the testing we performed starting in October, the metrics are quite telling and indicate where we need to direct our resources as we work to mitigate the risk to the business relative to application vulnerabilities.

The regression testing performed today is quite different from past testing. The tests today incorporate abuse-case testing. Abuse case testing does not test to see if ten plus ten equals twenty within the application but tests to see if I can enter ten billion plus ten billion to try and break the application, for example. Part of the defensive programming training offered by People Security directly teaches QA and all students the intricacies associated with abuse-case testing. It is quite an exciting subject since most who take it gain skills in ethical hacking. With the number of probes, scans, and attacks at our perimeter at nearly 15M per day we can ill afford a breach and subsequent public embarrassment.

The CIO recently requested information on our readiness for Web-based, e-commerce initiatives relative to security covering training, threat modeling, application layer firewalls, encryption, prevention technologies and new physical controls (non-inclusively). The CIO is quite concerned we are prepared to address the issues associated with this business shift. Much of what we are doing today is in response to this initiative.

Again, accept my apologies for the miscommunication. We should meet to go over the strategic plan to ensure your concerns are incorporated, the timelines agreed upon and the training sufficient. I look forward to working with you as we support the new business initiatives.</description><link>http://www.secuobs.com/revue/news/69538.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69538.shtml</guid></item>
<item><title>Risk Governance</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - A risk governance model describes the organizational structure, management oversight, roles, responsibilities and accountabilities that support the development, implementation and maintenance. Your risk functions need broad jurisdiction to facilitate policy compliance through integration across business and technology senior management teams and through strong support from the Board of Directors, C-Suite, and Corporate Audit Committee. The risk function emphasizes integration of security responsibilities and controls as part of standard business processes, and requires clear accountability for policy compliance and execution of centralized or distributed security responsibilities. Risk outlines corporate governance at several levels that ensures awareness of and participation in risk management activities.

Governance Roles | Responsibility (duties) | Accountability (liabilities)

Board of Directors:
• Oversight of the effectiveness of the Program
• Provide management with guidance and feedback for:
  o Central oversight and coordination
  o Areas of responsibility
  o Risk measurement
  o Monitoring and testing
  o Reporting
  o Acceptable risk
• Receive periodic reports
• Approve the following written documents at least annually:
  o Risk Management Program
  o Information Security Policies
  o Risk Management Strategy
• Review risk management summary and security posture statement two times per year to support regulatory requirements

Read the whole report.</description><link>http://www.secuobs.com/revue/news/69537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69537.shtml</guid></item>
<item><title>Leadership is Not the Arsonist Calling in the Fire</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - There have been many discussions over the years on leadership; how you become a leader and what makes a leader. In my years in the information technology industry, as an information security professional and during my years of military service, I’ve come to learn that leadership comes from a foundation of earned respect. It is not something you can command but something that must be earned.

Respect is a two-way street. You can order your staff to show you customs and courtesies, but you cannot demand voluntary respect. Just like everyone wants to be respected, everyone wants to feel like they are important. It's just part of our nature as human beings. You need to ensure your staff knows you care by demonstrating this through both words and actions. Words without action are nothing more than hollow promises that lead to a lack of integrity since trust is eroded. If you say you are going to do something, you must follow through.

When you are placed in a position of leadership, you must not only communicate the expected standards of conduct and action, you must exceed them. Your demonstration of behaviors over and above normal expectations is what makes you stand out as a first among equals. Being a first among equals with your staff ensures you demonstrate empathy to their struggles while leading the efforts of the team, ensuring you take the hits when and from wherever they come.

In the information security space, leadership is essential. I have seen many in this space demand respect through force of will, acting as a ‘bull-in-a-china-shop’ using FUD and threatening peers and staff alike with consequences of one sort or another. They run from one fire to another expending great energy and resources to put out the fire that they may in fact have started themselves. This is the arsonist-calling-in-the-fire syndrome demonstrated by many who believe themselves to be leaders, using fires that should not burn in the first place to assume operational command. Once the fire is out, it is back to business as usual until the next self-induced fire is started.

I have also seen many who demand execution and action without proper planning and forethought. This usually leads to a work-hard-but-not-smart effect, demonstrating immediate returns but no mid or long term benefits. These people are doomed to repeat history and waste valuable assets / resources at a time when they are scarce. The execution-without-planning syndrome also has a basis in the need to be seen as the savior or hero of the day. Much like the arsonist-calling-in-the-fire, the execution-without-planning syndrome is seated in their own lack of confidence and inherent inadequacies. Eventually, staff will not respond since the blocking and tackling never gets to a mature level. It is just one tactical effort after another with little or no true gains, only periods of immediate gratification.

When you have someone of this sort in a leadership position within a security organization, you are now putting your stockholders, stakeholders, customers and employees alike at risk. Even though they may not carry fiduciary responsibility as an officer of the company, they will impact the financials through negligence and incompetence. In most cases, they will not be aware of their own negligence, instead placing the blame on some other person, third party or other perceived threat.

These people tend to build a security program based upon what could be but not what truly is. After months and even years of doing this, of telling part of the story and not the full story; of telling half-truths and not the full truth; of being partially accurate but not completely; of communicating value when none exists; the security program becomes a movie set that is nothing more than a façade used during presentations to corporate governing bodies. There is no going back since to do so would invalidate every comment and written word up to that point. It is a house of cards that can fall at a moment’s notice.

As a true security professional, when you encounter such a person or situation, you must maintain your personal and professional integrity at all costs. It is required by the ethos of the CISSP and the CISM. It is rooted in the beliefs instilled in you through years of upbringing, education, training, whether it is corporate or in the military as an officer. True leaders know that regardless of the outcome and regardless of what is thrown your way, you will stand and take the body blows. In the end you may find that you have lost something of material worth with times looking tough and bleak. Regardless of the outcome, know that the arsonist will eventually succumb at the hands of their own fire. The hope is that the corporation does not suffer greatly during this fire. In the end, you will have gained the respect and admiration of those you lead, your peers and those in your profession.</description><link>http://www.secuobs.com/revue/news/69536.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69536.shtml</guid></item>
<item><title>Like Lemmings at the Precipice We March – What Would You Do</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - What do you do when ethical behavior, integrity, corporate due diligence and attorney-client privilege collide in a cacophony of opinion and negligence? How do you survive when you find yourself in the absolute middle of this vortex? The job of a security professional is to protect corporate information assets while ensuring security obligations are met for the business. To ensure shareholders, investors, employees, our customers and their interests are protected. It is to provide the appropriate level of security for data and data transactions in preventing, detecting and responding to breaches. As a security professional, we do in fact live by a code of ethics, an ethos that demands we do what is right. As a CISO / CSO, you are tasked with several duties; the duty to warn; the duty to disclose breaches to those who may be impacted; and the duty to disclose the state of security readiness, no matter how difficult the message. What if you don’t do this? What if the CISO/CSO tells half truths? Before we go further, let’s provide definitions to the vernacular at hand:

Ethics: The rules or standards governing the conduct of a person or the members of a profession. The study of the general nature of morals and of the specific moral choices to be made by a person; moral philosophy. A set of principles of right conduct.

Integrity: The quality of possessing and steadfastly adhering to high moral principles or professional standards.

Due Diligence: is the effort made by an ordinarily prudent or reasonable party to avoid harm to another party. Failure to make this effort is considered negligence.

Attorney-Client Privilege: Where legal advice of any kind is sought, from a professional legal advisor in his capacity as such, the communications relating to that purpose, made in confidence, by the client are permanently protected, from disclosure by himself or by his legal advisor, unless the protection is waived.

Security professionals (SP) are bound by multiple federal regulations and state laws that require diligence and competence in enhancing the security posture of the corporation that pays their salary. SP are driven by risks, threats, vulnerabilities, controls, likelihood of occurrence of the threat, impact and residual risk. The greater the risk of harm, the higher the degree of care necessary to constitute due care (diligence).

Several federal regulations and state laws have been passed ensuring that public companies adhere to a set of rules that should be adopted into their IT governance models (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and 44 state laws as of this writing). Considering this, you may think that most IT organizations and CIOs/CISOs/CSOs would insist on adopting many if not all of the strategies, standards, and guidelines brought forth in regulations and state laws. What you will find many times is just the opposite. Human nature within corporate walls is morphed into an ugly byproduct of corporate greed and individual ego under the umbrella of perception management. I would have to say that not all organizations have gone this route but many have. The regulations and state laws have become just another set of guidelines that public companies use to obfuscate the truth behind the immaturity of their information technology organizations. In many cases, the C-Suite is intent on delivering software and solutions on time and within budget at all costs, turning a blind eye to the information security and privacy requirements embedded in these regulations and state laws. The corporate risk associated with these actions is enormous. The risk to the public, universal. The risk to customers, absolute.

It amazes me that many CIOs/CISOs/CSOs do not thoroughly learn these regulations as they as senior leaders of the company are beholden to them and are required to provide their signature attestations indicating compliance on a periodic basis. What I have found is an institutionalized effort to manage the perceptions around IT organizations ensuring that the illusion of due diligence is a corporate function and engrained into the fabric of the corporate culture.

TJX and Choicepoint along with all the others who have had publicized breaches is but the tip of the Titanic iceberg. Many companies do not report their breaches. Most companies are dodging bullets every day. Many believe it can never happen to them regardless of the amount of sensitive email that exits their borders on a daily basis. Do you think that companies allow thousands of sensitive emails per day to flow out of the confines of their infrastructure? If there is credit card data in these emails, is it reportable? If the CISO/CSO knows of this, what is his or her professional obligation? What if he or she is fully aware of a lack of segregation of duties within financially significant systems and has known for years that IT has no asset (if you don’t know what you have, how can you secure it) or configuration management? Should the attestation indicate this? Is this considered to be material to the company relative to SOX and the financially significant systems? If the corporate 10K indicates that all is fine and reasonable measures have been taken (let’s make a jump here), should the SEC investigate?

Sample CFO Attestation:

CERTIFICATION PURSUANT TO 18 U.S.C. SECTION 1350 AS ADOPTED PURSUANT TO SECTION 906 OF THE SARBANES-OXLEY ACT OF 2002

I, (CFO NAME HERE), certify, pursuant to 18 U.S.C. Section 1350, as adopted pursuant to Section 906 of the Sarbanes-Oxley Act of 2002, that, to my knowledge (WHAT IF THE CFO KNOWS OTHERWISE AND HAS BEEN INFORMED OF SUCH):

1. The Annual Report on Form 10-K of (PUBLIC CORPORATION) for the fiscal year ended December 31, 200#, as filed with the Securities and Exchange Commission on the date hereof fully complies with the requirements of Section 13(a) or 15(d) of the Securities Exchange Act of 1934; and

2. The information contained in the Report fairly presents, in all material respects, the financial condition and results of operations of (PUBLIC CORPORATION).

(CFO SIGNATURE HERE)
(CFO NAME)
Chief Financial Officer

---------------------------------------------------------------------

ISC² Code of Ethics (CISSP) – ISACA Code of Professional Ethics
http://www.isc2.org/ethics/default.aspx?terms=codeofethics

ISC² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. There are only four mandatory canons in the code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional. A couple items stand out:

Promote and preserve public trust and confidence in information and systems.
Tell the truth; make all stakeholders aware of your actions on a timely basis.

ISACA has its own Code of Professional Ethics (http://www.isaca.org/Template.cfm?Section=Code_of_Professional_Ethics1&amp;Template=/ContentManagement/ContentDisplay.cfm&amp;ContentID=20454):

Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's, and/or certification holder's conduct and, ultimately, in disciplinary measures.

So, what do you do when ethical behavior, integrity, corporate due diligence and attorney-client privilege collide in a cacophony of opinion and negligence? What would you do if you were that CISO/CSO and were fully aware of these issues? Should you disclose this as part of your professional responsibility? What law, statute, standard and/or corporate rule takes precedence? Are you prepared to be stripped of your CISSP and CISM? Should you self nominate the stripping?

http://blogs.csoonline.com/blowing_the_whistle_why_it_is_demanded_of_security_professionals</description><link>http://www.secuobs.com/revue/news/69535.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69535.shtml</guid></item>
<item><title>Twas the Night Before DR</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security -

Twas the night before DR, when all in the data center,
Not an admin was keying, nor using a mouse.
The coffee cups were stacked by the racks with care,
In hopes that a refill soon would be there.
The managers were nestled all snug in their beds,
While visions of blade-servers danced in their heads.
And CSO in his glory, and me filling in his gaps,
Had just closed our laptops for more encryption crap.
When on the raised floor there arose such a clatter,
I sprang from my cube to see what was the matter.
Away to the SOC I flew like a flash,
Logged into the console and looked at the graph.
Intrusions were high as the console did show,
The firewall was down, boy does that blow.
When, what to my wondering fingers should appear,
But a transfer of information and data quite dear.
With a little old trojan, moving ever faster,
I knew in a moment it must be like Sasser.
More rapid than pink slips, the zombies did grow,
By IRC channels, the data did flow.
"Now McAfee! Now, Sophos! Now, Symantec and Webroot!
On, Kaspersky! On, Panda! On Trend Micro, please don’t reboot!
Scan the network! Remove the malware! Even use Stinger!
Cleanup the servers! Wipe away the virus! Don’t let it linger!"
As the botnet grows and the hack goes deeper,
The cost of the cleanup will grow ever steeper.
The SOC is a beehive as we fend off the attack,
Anomaly and behavior based, this is more than a hack.
Over privileged user, over privileged code,
One by one it destroys each node.
I sit in my SOC chair and start to squirm,
Down the main pipe comes a malicious worm.
It’s not from an injection but maybe an overflow,
Sweat drips from my brow, I just want it to go.
Did we patch our systems, is the configuration built right,
Do we know all our assets, is this an attack of spite?
The dot dats are dated, the push didn’t work,
The scanner broke down from some little quirk.
This was not a phish nor was it a pharm,
What I can tell you is it is causing great harm.
It’s not a hoax, it’s a nasty infection,
I should have moved us to prevention.
It is not a spoof, of that I’m aware,
I warned them this would happen, I yelled beware.
On my console screen an image began to take shape,
It was chubby and plump with a big red cape,
And I laughed when I saw him, since it was Santa.
A wink of his eye and a twist of his head,
Soon gave me to know I had everything to dread.
He spoke not a word, but held up a sign,
The data you’ve given me has been oh so fine,
I planted a rootkit six months back,
The keylogger I used helped perpetuate the hack.
He sprang to his chip, to his malware gave a whistle,
Down came our consoles, the screens began to fizzle.
But I heard him exclaim, ‘ere the screen went out of sight,
"Happy DR to all, and to all a good-night."

http://blogs.csoonline.com/the_twelve_days_of_audit</description><link>http://www.secuobs.com/revue/news/69534.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69534.shtml</guid></item>
<item><title>Top Ten Issues When a Cop Becomes the CISO</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - Some companies have hired former policemen to be their CISOs only to find out later that it was a huge mistake. Let’s take a look at the Top Ten Issues When a Cop Becomes the CISO:

10. Providing proper controls over corporate information does not require the protection of life (we have yet to progress to organic computing).

9. They are trained to patrol, prevent and discover the commission of crimes and to enforce traffic regulations; taking the necessary police action, which really doesn’t wash around the halls of most corporations (and I don’t believe ‘no parking’ signs at the water cooler or in the bathroom will work much).

8. They are tasked with interviewing suspects, prisoners, and witnesses. This requires an onsite detention facility that will house the most hardened programmer.

7. They need to be skilled in the use, care and safe handling of firearms. Hey hacker, get out of that server before I shoot.

6. They report automobile accidents and interview witnesses, something that really doesn’t occur much in the data center (and if it does, you have a much bigger problem).

5. They search individuals, personal property, vehicles, premises and land; conducting temporary detention (“stop and frisk”) of suspicious persons could lead to sexual harassment lawsuits – does that mean the hallways need to have double yellow lines down the center?

4. Use holds or devices to control or take a suspect down (especially if they continue to park next to the water cooler).

3. Advise persons of constitutional rights (Miranda warning) - You have the right to remain silent (does key stroking count?). Anything you say can and will be used against you in a court of law (I was just parked at the water cooler). You have the right to talk to a lawyer and have him/her present with you while you are being questioned (I really wasn’t speeding in the hallways, honest). If you cannot afford a lawyer, one will be provided for you at government expense (not at most companies I know of).

2. Confront, in a riot formation, groups of agitated people (like users who cannot get to Web 2.0 sites because the CISO has them blocked).

1. Administer roadside sobriety tests. Oh crap, here comes the CISO, sirens blaring, as I weave down the hallway after a long drink at the water cooler.

It just doesn’t work. They are more concerned with detection and arrests (hey, let’s get the bad guy) than actual protection and prevention based upon what the corporation really wants. If you want a true CISO, hire one with the proper education, training and temperament. Don’t hire a cop for the role unless you can get Howard Schmidt.</description><link>http://www.secuobs.com/revue/news/69533.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69533.shtml</guid></item>
<item><title>Security Adolescence Still in the Future</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - According to a recent Forrester Research study, encryption is the top expenditure for 2009. From whole-disk encryption to file-level encryption, companies are still fighting the battle to protect data at rest or in transit. What seems to be disturbing (at least to me) is that we are in 2009 and encryption is at the top of the expenditure heap. What this truly means is that laptops have been unprotected for months and even years; that data in transit still flows in the clear without a protection strategy. This flies in the face of statutes and regulatory issues and shows that many organizations are taking undue risks with corporate and customer data.

Looking at data-loss prevention as another high on the list technology, at least companies are starting to realize that encrypting data does nothing to prevent it from making its way out of corporate virtual boundaries. This is of course if the company has the proper risk appetite and the tools have the proper capabilities to filter and stop the exit of sensitive data without blocking too much. Many companies deploy DLP solutions but only report on ‘some’ of the leakage since they do not deploy all filters or only watch from the monitor windows as the data flows through multiple protocols. That is to say if they watch multiple protocols.

Encryption Top IT Security Initiative in 2009
Network World (01/05/09); Messmer, Ellen

IT budgets for 2009 are expanding in order to accommodate new encryption technologies and maintain current security technologies, according to a new Forrester Research study of 942 IT managers. The study found that personnel and security maintenance account for more than 50 percent of IT security budgets overall. The study found that for every $5 spent on IT security, at least $1 will be set aside for security outsourcing, while another 18.5 percent will go toward new and emerging security solutions. Full-disk encryption is the most popular security technology to be rolled out in 2009, followed by file-level encryption, desktop data-leak prevention, and network-based data-leak prevention. Respondents to the survey also expressed interest in the deployment of identity and access management platforms such as activities monitoring and individual sign-on.
http://www.networkworld.com/news/2009/010509-forrester-it-security.html

Some positive news for those of us who were RIF’d are the stats on increased security spending, up to 12.6% from 11.7% of the overall IT spend. Of the total security budget, 20% is for some sort of outsourcing or contracting initiative.

Access as always is still a hot topic driven by governance and compliance issues.

It looks like security has a long way to go to reach adolescence, which can only spell positive results for security vendors who can deliver.</description><link>http://www.secuobs.com/revue/news/69532.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69532.shtml</guid></item>
<item><title>Cyber Insurance - Current Analysis</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - Although 15 years old, the CIP Report on Cyber Insurance still rings true with respect to several areas. Before discussing these areas, let’s take a look at the general theme of the report. According to George Mason University, the market for cyber insurance is at $350M. Many organizations use cyber insurance as another layer of defense in their efforts to combat threats to their computing environments. As data grows exponentially and the systems used to house, process and transmit this data expand in equal amounts, so too does the level of risk. Insurance firms use historical data to predict risk, mining actuarial tables gathered from proven statistics. These same firms find it very difficult to provide a comprehensive product when the data available is not complete and the risk is difficult to measure. What the insurance firms face is exactly what information security and assurance professionals face; the inability to accurately predict probability of occurrence and subsequently, the associated risk. Cyber insurers have not progressed very quickly due to the lack of industry data. Insurers look at historical data to predict future issues. Without this, they are betting blind. Sites like datalossdb.org can provide some of this data but this is only what is reported. Cyber crime statistics are still limited since only what is known, not necessarily reported, is captured. Risk models are difficult to create without the necessary data. Cyber Insurance covers many different areas such as data theft, external hacking, 1st and 3rd party risks, internal sabotage and theft, computer malfunctions, web content liability, viruses/malicious code, copyright infringement, business continuity, crisis management, network outages, network congestion, and other areas related to technology (George Mason University School of Law, 2007). These areas protect against liability lawsuits related to the loss, disclosure, modification, destruction, and/or interruption of systems and information. There are federal regulations and nearly 45 state laws concerning data and data breaches. Many federal regulations have been in a hold pattern for several years (George Mason University School of Law, 2007), forcing states to establish laws of their own. To learn more on cyber insurance</description><link>http://www.secuobs.com/revue/news/69531.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69531.shtml</guid></item>
<item><title>Autos and PCs</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - An oldie but a goodie. At the December 2007 Comdex Conference, Bill Gates reportedly compared the computer industry with the auto industry and stated: 'If GM had kept up with technology like the computer industry has, we would all be driving $25 cars that got 1,000 miles to the gallon.' In response to Bill's comments, General Motors issued a press release stating: If GM had developed technology like Microsoft, we would all be driving cars with the following characteristics: 1. For no reason whatsoever, your car would crash twice a day. 2. Every time they repainted the lines in the road, you would have to buy a new car. 3. Occasionally your car would die on the freeway for no reason. You would have to pull to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue. For some reason you would simply accept this. 4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine. 5. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive - but would run on only five percent of the roads. 6. The oil, water temperature, and alternator warning lights would all be replaced by a single 'This Car Has Performed An Illegal Operation' warning light. 7. The airbag system would ask 'Are you sure?' before deploying. 8. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna. 9. Every time a new car was introduced, car buyers would have to learn how to drive all over again because none of the controls would operate in the same manner as the old car. 10. You'd have to press the 'Start' button to turn the engine off.</description><link>http://www.secuobs.com/revue/news/69530.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69530.shtml</guid></item>
<item><title>Emergency Briefing for Emergency Management</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - The COO just had a briefing on Emergency Management and she is a bit confused by all the acronyms she heard in the briefing. She wants a short and sweet overview on standard acronyms and what she can do to ensure the company is prepared. You could start like this: I can lead you through these terms and acronyms, providing a brief on what I believe you should understand. To quote directly from the Federal Emergency Management Agency (FEMA), the mission of FEMA (now a part of Homeland Security): "… reduce the loss of life and property and protect the Nation from all hazards, … by leading and supporting the Nation in a risk-based, comprehensive emergency management system of preparedness, protection, response, recovery, and mitigation." We strive to do the same for our employees, contractors and partner vendors. FEMA uses the National Incident Management System (NIMS), a standard template that enables all US government levels and types, the private sector and nongovernmental organizations to work together during domestic incidents, regardless of size or complexity. The NIMS uses standards ensuring collaboration during incidents while driving response authority, resource acquisition, and management. The National Response Framework (NRF) provides structure and standards that partners use to prepare for and provide a unified response to any emergency. Using an all-hazards approach, the NRF focuses on incidents. The Incident Command System (ICS) provides fundamental management of incidents through standard taxonomy and pre-established organizations that cross multiple jurisdictions, delivering operational support and resources. The ICS provides a common, authoritative structure delivering feet-on-the-street in the form of personnel, equipment, communications and facilities. We provide community support while ensuring resiliency to withstand most any incident. As part of the overall layered approach to this national program, we work closely with the government as partners in emergency management. The National Fire Protection Association (NFPA) drove the establishment of standards and best practices used in emergency management through the NFPA 1600 National Preparedness Standard. NFPA 1600 provides the context for multi-jurisdictional standardization. * Preparedness, mitigation, prevention, response and recovery are core concepts and actions taken to ensure survivability of incidents and can be found as themes throughout NIMS, the NRF and the ICS. * Emergency management (EM) begins with a host of preparedness activities conducted regularly, in advance of any incident. EM combines planning, training, exercises, qualified staff, standard processes and procedures and usable equipment. * Preparedness helps us reduce the impact of hazards before an incident occurs. Preparedness includes plans made to save lives and facilitate response and recovery operations, ensuring business activity sustainability. * Mitigation activities serve to reduce risks, hazards and losses to people and property or at the very least to lessen incident consequences while supporting corporate and community goals. * Prevention means actions taken to avoid an incident or to intervene to stop an incident from occurring altogether. It can save lives and protect property. * Response involves putting preparedness plans into action through rapid assessments and the subsequent prioritization of activities, non-inclusively. * Recovery is the planning and execution of site-restoration plans for the corporation and our surrounding communities. Educated and strong leadership is required to effectively manage incidents. As part of our soon-to-be-delivered plan, we are establishing responsibility matrices for your review and recently completed training programs covering corporate leadership, management, key personnel and employees. Your participation would certainly help the program, ensuring you have the tools as our COO to press the right buttons during any potential incident.</description><link>http://www.secuobs.com/revue/news/69529.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69529.shtml</guid></item>
<item><title>When Things Are Going South - Gain Access</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - Massachusetts-based NewRiver Inc., a closely held company that services the brokerage industry, has filed a lawsuit against the investment-research firm Morningstar in state court accusing it of using Internet espionage to copy information from its system for handling mutual-fund prospectuses. According to the lawsuit, Morningstar gained access to a secret Web-site address for the data warehouse NewRiver uses to store prospectuses the Securities and Exchange Commission releases for mutual funds, exchange-traded funds, and annuities. NewRiver noted in its lawsuit that Morningstar was able to gain access to the address shortly before discussions about Morningstar possibly taking over NewRiver broke down. It doesn't sound like the site was that secret. How did they get in? Who gave them the password? After gaining access to the Web site, Morningstar then allegedly copied thousands of prospectuses and used them to try to convince NewRiver's customers to switch to Morningstar. Was there no indication of unusual activity? Whose account did they use? NewRiver's customers then asked for significant pricing reductions, which they were able to get. The lawsuit seeks to prevent Morningstar from accessing the site again, as well as unspecified trebled damages. For its part, Morningstar acknowledged accessing the information but said it did so solely for benchmarking purposes and that it did not use it to develop its own product. The Chicago-based company also noted that it never accessed a password-protected site. Sounds a bit slimy to me.</description><link>http://www.secuobs.com/revue/news/69528.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69528.shtml</guid></item>
<item><title>Since Security Was Not Built In</title><description>Secuobs.com : 2009-03-10 11:13:18 - Jeff Bardin Conspiracy to Commit Security - There is a growing belief among engineers and security experts that the only way to fix Internet security is to recreate the Internet from scratch. What a new Internet might look like is being discussed, but one possible solution would create a "gated community" in which users would relinquish their anonymity and certain freedoms in return for safety, which is already the case for many corporate and government Internet users. As more secure networks are created, the current Internet will continue to become an increasingly dangerous area that legitimate users will want to avoid. "Unless we're willing to rethink today's Internet," says Nick McKeown, a Stanford University engineer working on building a new Internet, "we're just waiting for a series of public catastrophes." Last year, a malicious software program believed to have been released by a criminal organization in Eastern Europe infected more than 12 million computers after bypassing the world's best cyberdefenses. Internet security continues to deteriorate globally and even the most heavily protected military networks have proved vulnerable. "In many respects, we are probably worse off than we were 20 years ago, because all of the money has been devoted to patching the current problem rather than investing in the redesign of our infrastructure," says Purdue University professor Eugene Spafford, the executive director of Purdue's Center for Education and Research in Information Assurance and Security. The Stanford Clean Slate project is developing a system that will allow a more advanced network to be established underneath the current Internet. The new network will be running on eight campus networks around the United States by the end of the summer. For the Full Story</description><link>http://www.secuobs.com/revue/news/69527.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/69527.shtml</guid></item>
</channel>
</rss>
 
