T2P Information Protection & Privacy News

Analyst: PCI Security a Devil, 'Like No Child Left Behind'

2009-11-04T05:00:00Z

By obsessing about PCI security compliance and spending money on overly complex and underperforming defenses, companies are ignoring risk management and making themselves a target of state-sponsored cyber villains.

Delayed Again: Red Flags Rule Deadline Now June 1, 2010

2009-11-02T05:00:00Z

Bowing to Congressional pressure, the FTC is delaying enforcement of the Red Flags Rule until June 1, 2010, for financial institutions and creditors. Here, IT security pros weigh in on what the rule means for them.

How to Compare Patch Management Software

2009-11-09T05:00:00Z

Patch management software helps organizations acquire, test and install code to fix known vulnerabilities in operating systems and applications. It also helps them assess exposure and prioritize patches (given your specific environment), identify missing patches that need to be remediated and produce real-time reports for compliance and other auditing needs.

SP 800-53 is Essential for Security in Federal Government IT Systems

2009-11-04T05:00:00Z

The National Institute of Standards and Technology (NIST) Special Publication (SP) SP 800-53 provides a unified information security framework to achieve information system security and effective risk management across the entire Federal Government.

FBI warns of $100M cyber-threat to small business

2009-11-03T23:20:00Z

Cyberthieves are hacking into small- and medium-sized organizations every week and stealing millions of dollars in an ongoing scam that has moved about US$100 million out of U.S. bank accounts, the FBI warned.

SOA Security Solutions: Four Patterns to Grow On

2009-11-04T22:25:00Z

How can you combine diverse products into an SOA security solution for today's needs as well as leave a path for tomorrow's demands? Forrester's Randy Heffner shares four broad solution patterns.

The Struggle With DLP

2009-10-30T17:46:00Z

Few security technologies have received as much attention over the past few years as Data Leakage Prevention (DLP) solutions have. The concept behind them is exciting, offering the ability to scan traffic on your network and in your systems, and assign rules-based protections to the data that you want to protect. Someone e-mailing out a copy of customer records with SSNs? The DLP system will block it or encrypt it on the fly. Someone trying to copy IP to a USB drive? Alert management and block the action. It can be a great way to protect your most critical information assets, but as many have found, it is not an end-all, be-all solution to your data leakage problems.

Opinion: Red Flags Rule deadline delayed again, now June 1

2009-11-02T16:07:00Z

ID Theft Red Flags Rule: What Have Exams Uncovered? - BankInfoSecurity.com

2009-11-09T14:44:32Z

ID Theft Red Flags Rule: What Have Exams Uncovered?
BankInfoSecurity.com
It's been one year since federal regulators started examining banks and credit unions for compliance with the Identity Theft Red Flags Rule. ...
Red flags rule delayed until June 2010American Medical News

all 2 news articles »

Thwarting SQL Injection Threats

2009-11-02T18:14:00Z

New Dark Reading report explores what database developers and database administrators can do about the pervasive SQL injection attack

Physical protection of passwords and sensitive information

2009-11-05T09:53:51Z

IT departments often take the time to be proactive (at least if they’re doing their jobs), and educate staff about using complex passwords, changing passwords frequently, avoiding phishing by not clicking on unknown email links and attachments, and all the other standard protections we know to take. But we sometimes forget that amidst all the technical precautions, we must also take physical precautions.

Passwords, PINs, and other sensitive information often comes in printed form before we commit them to memory. It may be in the form of a letter from a bank or a memo from the IT department, or it may even be a password that we wrote down on a piece of paper and stuck in a drawer. What happens to this paper? More often than not, it gets tossed into the waste bin, where it can be easily picked through by an opportunistic identity thief.

A recent survey showed that a surprising 79 percent of all businesses do not destroy sensitive information on paper that is being discarded or recycled. The UK-based survey showed that 64 percent of businesses have a clear policy on handling written documents with sensitive information, and 32 percent of employees admitted to discarding sensitive documents directly into the trash.

The survey, which was conducted as part of National Identity Fraud Prevention Week, says that identity fraud results in over £1.2 billion every year. Forty percent of the companies surveyed said they throw away information on customers, including home addresses, phone numbers, and even photocopies of passports, all of which can be used to perpetrate identity theft. Individuals are as vulnerable as businesses, and the report says that 44 percent of Britons still do not shred documents with sensitive information. And here’s a shocking statistic. The survey showed that half of all households threw away everything a criminal would need to perpetrate identity theft, and that 79 percent of all household waste had at least one item that could help a criminal.

The answer of course, is simple, non-technical and inexpensive. First, put a policy in place that says all documents with any personal information must be destroyed; and second, install paper shredders in convenient locations throughout the office.

Liked this post? Get more email management and administration related news from TheEmailAdmin.com!

Physical protection of passwords and sensitive information

Identity Theft Myths Part 3of3 During PYIW - community blog from Robert Siciliano

2009-10-25T22:50:12Z

Is Behavioral Cybersecurity R&D Necessary?

2009-11-05T18:40:22Z

Human Aspect of IT Security Seen as Critical
Social and behavior research should help the federal government better plan its cybersecurity defenses, says Rep. Daniel Lipinski, chairman of the House Science and Technology's Research and Science Education Subcommittee.

How Data Validation Will Make Your Life Easier

2009-10-30T14:00:24Z

As a clinician, you want to know if data being entered into the system is accurate, clean, correct and useful. Data validation often called “validation rules” or “check routines” are built into systems such as EHR systems. These rules check for correctness, meaningfulness, and security of data. For example, the system would automatically disallow or question a user trying to enter eligibility results into the patient’s address field. Validation rules may be automated because the software company uses a data dictionary, or data may be checked by an explicit application program validation logic. To participate in quality reporting, such as meaningful use, PQRI or ePrescribing reimbursement incentive programs, you want to know if the data extracted from the system will be accurate and relevant.

HIPAA’s Security Rule is as much about good business practices as it is about securing confidential patient information. Data integrity, one of the pillars of HIPAA’s Security Rule, contains overarching security themes that pose layered questions, such as, how does the system’s functionality allow you to know who has been in the system, what did the user do with the content after he or she accessed it, or did the system block a potential intruder who did not use the correct user ID and password?

When evaluating an EHR system, you want to ask how data validation functionalities work. So during the EHR due diligence, I would ask, “How does your EHR software enable the practitioner to generate quality measurement reports, (suggest you hold up the Meaningful Use Matrix), and how do we validate the data going into the system is accurate and placed in the correct fields?” As an EHR project manager, I request a data validation report on the third and fifth day of Go-Live week so that we can quickly catch and retrain data entry errors.

Nigeria Announces Early Results Of Anti-Scammer Initiative

2009-11-05T18:37:42Z

No one's sure how many there are to go, but according to a Nigerian official, there are about 800 scam email addresses and 18 criminals that can be considered "down." Mrs. Farida Waziri, the chairperson of a government agency, announced that some shutdowns and arrests occurred thanks to an initiative called Project Eagle Claw.

Nigeria Announces Early Results Of Anti-Scammer Initiative

Nigeria's Economic and Financial Crimes Commission is the force behind Project Eagle Claw, and with Microsoft's help, has just started ramping it up. Waziri explained in a statement, "We expect that Eagle Claw as conceived will be 100% operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails."

She then gave some very interesting details, continuing, "[U]pon full deployment, the capacity to take down fraudulent e-mails will increase to 5,000 monthly. Further it is projected that advisory mails to be sent to victims and potential victims will be about 230,000 monthly."

Anything Nigeria can do to address the problem of scammers operating from within its borders will of course be good for the country's image. More than that, it might help honest Nigerians become part of the online world (since some entities have just taken to blocking troubled regions as a whole).

Then there will be the benefit to the rest of the world, with maybe millions of dollars not getting lost. For that reason, Project Eagle Claw is likely to gain a lot of fans.

What Is The "Best" Password Policy?

2009-11-02T14:30:00Z

I recently overheard a colleague mention that, in his opinion, the best form of password security for their enterprise is to not enforce monthly or quarterly password changes for their employees. His reasoning? Enforcing tough passwords and forcing your employees to change them periodically often forces the employees to write down their passwords (even sometimes posting them on a sticky note attached to their monitors or desks). This, in his opinion, is more of a security risk than not enforcing periodic password changes.

At first, I thought that this is one of the craziest ideas that I had ever heard. This goes against one of the most basic security principles out there…make your passwords tough and change your passwords often.

Upon further thought, I decided that the logic behind this idea makes some sense. Allowing your employees to maintain their passwords for an indefinite amount of time may help to alleviate those people that insist on writing down their passwords. This being said, I do not think that this is a viable solution. Whether or not you force your employees to change their passwords or not, there will always be those that like to write them down. In addition, the risk that you would take in allowing indefinite access through a compromised account would outweigh the risk of someone reading a password.

Almost half ISO 27001 'compliant' firms break basic security requirements

2009-11-05T18:36:42Z

InfoSec News: Almost half ISO 27001 'compliant' firms break basic security requirements: http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=17211
By Leo King Computerworld UK October 22, 2009
Almost half of businesses that claim compliance with ISO 27001 are sharing privileged user accounts and breaking other standard guidance, [...]

Defense Department to partially lift flash drive ban

2009-11-05T18:36:18Z

InfoSec News: Defense Department to partially lift flash drive ban: http://news.cnet.com/8301-27080_3-10383372-245.html
By Elinor Mills InSecurity Complex CNet News October 26, 2009
The U.S. Department of Defense ban on USB thumb drives instated nearly a year ago will eventually be partially lifted to allow authorized people [...]

FDIC Warns Banks to Watch for 'Money Mules' Duped by Hackers

2009-11-05T18:36:01Z

InfoSec News: FDIC Warns Banks to Watch for 'Money Mules' Duped by Hackers: http://www.wired.com/threatlevel/2009/10/money_mules/
By Kevin Poulsen Threat Level Wired.com October 29, 2009
Bank customers are increasingly being duped into acting as 'money mules' for hackers, unwittingly laundering cash stolen from business bank [...]

Data Masking Secures Sensitive Data in Non-Production Environments - CIO

2009-10-26T12:40:15Z

Data Masking Secures Sensitive Data in Non-Production Environments
CIO
This helps organizations meet compliance requirements for PCI, HIPAA, GLBA and other data privacy regulations. By , Linda Musthaler Brian Musthaler Fri, ...