Archive

Archive for the ‘Uncategorized’ Category

New Data Breach Study released

July 26th, 2010 Lawrence Pingree No comments

A friend of mine just released a great data breach study; please see the link below:

http://www.digitalforensicsassociation.org/storage/The_Leaking_Vault-Five_Years_of_Data_Breaches.pdf


Categories: Uncategorized Tags:

Senate Committee approves Cybersecurity bill

June 25th, 2010 Lawrence Pingree No comments

After some modifications, a Senate committee has approved the controversial “The Protecting Cyberspace as a National Asset Act of 2010”. The most controversial portion of the bill was the provision allowing the president to shut down the internet, which has been modified somewhat. Details of the bill are here.


One day of life without security & compliance

June 8th, 2010 Lawrence Pingree No comments

Imagine for a moment that we take all of today’s technological developments and remove security and compliance completely from them. Then we put ourselves through a single day in our lives, just one harmless, fun-loving day. Let’s just see what happens along our merry way.

So the day starts with me waking in the morning at SIX to my Chumby alarm playing. I get up and start to get ready for work with my normal routine: 2 cups of coffee, shower, walk the dog, eat a quick tangerine. I call my dog in from her early morning walk, she runs in, and I then shut the door behind her and hear a quick pop. This time, though, the door doesn’t shut; it simply bounces. The door is now missing a knob and a lock. So now the door simply glides open and closed lightly with the breeze, like a windsock I suppose. Shortly thereafter my dog gets a glimpse of a cat posing outside; she pushes the door open and shoots outside in a cinch. I run rapidly after my dog and finally catch her, return her back to the house and prop the door with a chair so as to not let her escape again.

Now I’m ready to leave for work, so I walk to the garage, open the door to my car and hop on in. I have some nice electronics for my listening and driving pleasure. You know, pleasures such as the iPod with stereo integration, a navigation system and an mp3-playing stereo system. But wait just a moment, why was GPS invented? Oh yeah, the Department of Defense created that for security, so since this is a day without security my GPS no longer works. Well, I sat in my car and realized that the door locks were missing from my car; someone grabbed all my stereo equipment. I never heard my alarm (remember, this is a day without security).

Then I quickly jump in my car and I’m then dumbfounded by the fact that oh my, I no longer have keys to start it. So I’m now forced to become quickly familiar with hotwiring my car. I twist together some wires under my dash, and luckily get the engine started for my trek to work.

I jump onto the freeway and I’m trying to change lanes to merge and for some reason everyone is doing 120 MPH past me and being real jerks just flying by with no regard to anyone at all. They all seem to own the road. I wonder to myself, why oh why would this be happening? And then it dawns on me… no police, no highway patrol (oh my, I guess they are for security too). So I speed up rapidly (my 4 cylinder maxed out) and join the ever speedy flow of annoying and law breaking citizenry, each time I change lanes my doors fly open since there are no latches to hold them. I feel like going back home. But alas, I press on.

I finally get to work and I’m totally overwhelmed. I park my car in the garage, walk to the entrance of the building and notice people running with boxes, computers, electronics and other various expensive items. My gosh, they are robbing the place; no security, of course. The entryway has no badge readers and the doors no locks. Finally I enter the building and go up the elevator to my floor. I then arrive at my desk with a sigh of relief, collapse into my chair and plug in my mouse. I power up my laptop; I’m ready to start my day. My computer boots up with no password, again to my dismay. I launch a browser to go check my mail and, lo and behold, it’s a task that will fail, because without logins and passwords at boot, personalization and customization is all totally moot.

I pop up a website and shown right at the top is a small little news clip: “There’s a new worm we must stop”. My computer starts spittering and sputtering and junk, and before you know it’s an unusable hunk. So tell me again out there that security is just a cost, when without it I’m telling you your business is a complete loss.

Reports of McAfee 5958 dat file causing BSOD

April 21st, 2010 Lawrence Pingree No comments

Just FYI… I’ve received a report from Microsoft that the latest McAfee DAT 5958 is causing system issues and not to install it. The URLs provided are below:

QUOTE:

“Do not download the 5958 DAT file. Reports are coming in where this is causing major issues. Info from the community can be found:

http://community.mcafee.com/thread/24056?start=15&tstart=0

Most recent info I have is this: https://kc.mcafee.com/corporate/index?page=content&id=KB68780


Symantec’s 2010 Trump Card for McAfee

February 9th, 2010 Lawrence Pingree 1 comment

As many security professionals know, Symantec in the last couple of years seemed to have stumbled a bit. The merger with Veritas left IT professionals scratching their heads and led many to feel they were losing their focus. Later they acquired Altiris and everyone said “ho hum” to that and chalked it up as just another crazy purchase. The interesting thing is how this seems to be all coming together in 2010…

McAfee, on the other hand, was still recovering from their stock option scandal and brought in a completely new management team with a billion dollars in the bank. At the same time, Sophos, Kaspersky and other anti-virus companies were pounding the pavement as well. This created a hyper-competitive marketplace for Symantec’s leadership. Then last year, McAfee announced their “Security Innovation Alliance”, which basically allowed them to bring smaller vendors in and integrate functionality into their ePO console, providing McAfee a better integration story against Symantec.

So where’s the “Trump card”?

The real trump card for Symantec against McAfee and others in the security industry is the Altiris management console. The key benefit for Symantec is the framework that Altiris provides to the multi-faceted agent-based technologies that Symantec has acquired over the years. Altiris is very well known for their asset management technology and the ease of management of agent-based technologies. This combo will provide Symantec a significant advantage against McAfee, mostly in the ease of adding new integrated agents. I feel the Altiris integration framework is superior to that of McAfee’s ePO, so if Symantec is successful in making this their main console to manage their endpoint protection products, this could be a game changer and bring much greater competitiveness to Symantec’s story. Stay tuned….

Massachusetts Privacy Law Looming (March 10th 2010 Deadline)

February 2nd, 2010 Lawrence Pingree No comments

As many of you know, Massachusetts has been a leader in state-based information security legislation as of late. The latest law, 201 CMR 1700, has a deadline that has already been extended twice due to business pressure; however, I do believe that legislators will not provide any more cushion. With a March 10th 2010 date looming, security professionals must scramble to apply the law to their environments or face a really tough response if a breach occurs and you are found negligent. Check the new law here.

CFTC Discloses Users’ Personal Email Addresses

January 21st, 2010 Lawrence Pingree 1 comment

It appears that the Commodity Futures Trading Commission (CFTC) is disclosing, right on their website, the email addresses of users who post comments on the regulations that they are proposing. Check their website here: http://www.cftc.gov/lawandregulation/federalregister/federalregistercomments/2010/10-001.html

You would think these days that companies and regulators would have a greater respect for the privacy (at least of a user’s email address) of users who comment on regulations. Regulators should be held to the same privacy requirements that companies are. If any company were to post a user’s email address from a customer comment form without allowing the user to prevent the disclosure of their email address, they would be roasted for it. I don’t object to disclosing someone’s home address, but I feel that disclosing users’ email addresses is a bit over the line, especially when the user has no choice on its disclosure. I can’t wait for spammers or scammers to target these comments to send malware. This is scary in my opinion.

Send your CFTC privacy concerns to secretary@cftc.gov or informationquality@cftc.gov.


Politically Correct Way to Say Merry Christmas

December 21st, 2009 Lawrence Pingree No comments

Please accept with no obligation, implied or implicit, my best wishes for an environmentally conscious, socially responsible, low-stress, non-addictive, gender-neutral celebration of the winter solstice holiday, practiced within the most enjoyable traditions of the religious persuasion of your choice, or secular practices of your choice, with respect for the religious/secular persuasion and/or traditions of others, or their choice not to practice religious or secular traditions at all. I also wish you a fiscally successful, personally fulfilling and medically uncomplicated recognition of the onset of the generally accepted calendar year 2010, but not without due respect for the calendars of choice of other cultures whose contributions to society have helped make America great. Not to imply that America is necessarily greater than any other country nor the only America in the Western Hemisphere. Also, this wish is made without regard to the race, creed, color, age, physical ability, religious faith or sexual preference of the wishee.

Nevada SB227 Mandates Personal Information encryption

December 21st, 2009 Lawrence Pingree No comments

I’m not sure if many of you have heard, but Nevada’s SB227 mandates that all “personal information” be encrypted. When this law was introduced, it originally contained a clear definition of “personal information”. That definition was later removed by the 716 amendment, which stated this bill would rely on the definition provided in NRS 603A.040, which defined Personal Information as the following:

1.  Social security number.

2.  Driver’s license number or identification card number.

3.  Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

THE PROBLEM:

The passed SB227 does not define what is meant by “Personal Information”, which means that it seems they wish to have lawyers define it in case law. Who knows where this will go in our future…..

http://www.leg.state.nv.us/75th2009/reports/history.cfm?ID=629

Response to WSJ article on Identity Theft

October 13th, 2009 Lawrence Pingree No comments

Original WSJ Article http://online.wsj.com/article/SB125537784669480983.html

My Response:

Hi Julia,
You know, I am a security professional, and it saddens me when others write stories like this. It’s almost like saying that murder isn’t really a problem cause it only happens to a few people. Bruce is an idiot if he’s going to sit there and say that he’s got no protection for identity theft. I myself have been doing information security work for years and I have dealt with cases of identity theft that have directly affected me and one of my own past businesses.

I just founded a new social network, BloopBleep.com, and the main reason I’ll probably be looking to outsource payment processing is that I don’t want any responsibility (or expense) that goes along with the fraud detection and prevention technologies that are needed to ensure transactions. Payment fraud is very common with credit cards and costs businesses enormous money, and it’s not “just the cost of doing business” as you have surmised. Seriously, please don’t do us security folks favors by downplaying real problems like these; we have a tough enough time getting the budgets to deal with the problems we face as it is and don’t need people sitting around making data theft and security a joke in the public.
