sandy ingram

Cyber Security Audit Spanks Department of Interior | Government Tech | ITBusinessEdge.com - 0 views

  • The report goes on to say that IT and cyber security governance at the
    department is inefficient, wasteful and lacks accountability
  • sandy ingram
     
    The report sharply criticizes the agency's cyber security performance, calling its personnel "substantially under-qualified." Interior required that staff only get self-certified training; only 13.5 percent of self certifications were relevant and complete.
sandy ingram

Building a Culture of Data Security and Related Privacy Interests in the Workplace - 0 views

  • In preparing for this Insight, I read an enlightening article
    published by the Society for Human Resource Management (SHRM) in its August 2008
    issue of HR Magazine titled, "Out of the Breach: Reduce the Risk of Litigation
    and Build Confidence in Data Handling by Becoming a Privacy Champion." In this
    cover story, senior writer Rita Zeidner presents a case for building a "culture
    of privacy" in the workplace. According to Zeidner, privacy experts recommend
    training, along with taking other precautionary steps, as the best defense for
    avoiding breaches of privacy.

  • it is the required thing to do in order to comply with the numerous federal and
    state laws that may be applicable, which both define protected employee/customer
    data and identify related restrictions with respect to the access, use, storage
    and dissemination of the same. If you want to build a culture of privacy in your
    workplace with respect to the protection of personal data, the following summary
    of Zeidner’s steps might serve as a useful reference:
  • Finally employers should train employees so they know how to
    recognize threats to the security of protected data and report suspicious
    activities. If employees cannot attend and participate in this training, their
    access to such information should be blocked until they attend the training.
    Once employees are trained, and as a way to encourage and reinforce these
    behaviors, employers should publicly acknowledge and reward employees who alert
    the company of potential problems.

  • Since you want to make sure that rank-and-file employees are well
    trained, you will initially want to provide complementary, mandatory training
    and development opportunities for the managers to whom these employees report.
    In doing so, you can develop a benchmarking program, which can be used as a tool
    for checking on and evaluating managerial goals. For instance, managers can be
    held responsible for signing off on benchmarks such as follows:

    • Completing a privacy-data inventory that identifies where information is
      stored.
    • Establishing and communicating a privacy policy statement program.
    • Verifying policies and practices for security measures.
    • Setting aside off-network computers that employees can use during break
      times or off-hours that will not compromise your network files; and
    • Taking steps to ensure that contractor-software providers take regard for
      ensuring protection, the same as you do.
  • sandy ingram
     
    "While employees necessarily forfeit a good deal of privacy when
    using company-owned equipment and facilities for their personal interests and
    benefits, employers today must be concerned about maintaining privacy and
    confidentiality for customers and employees alike with respect to those
    individuals' legally protected personal information such as social security and
    driver's license numbers."
sandy ingram

Google Dashboard Creates Security and Privacy Concerns - 0 views

  • Providing a resource like the Google Dashboard that presents all associated
    information in one place may actually create more privacy and security issues
    than it solves though.
  • If you know the right queries to use you can find usernames and passwords,
    financial spreadsheets, confidential documents, and more by leveraging the vast
    database of indexed information stored at Google.
  • Google delivers all of the juicy details it has about you in a one-stop-shopping
    resource like the Google Dashboard, which also provides a juicy
    one-stop-shopping target for attackers
  • "Google Dashboard is akin to putting all of one's eggs in a single basket. The
    problem is that the average end-user is clueless on how to guard that digital
    basket.
  • So once that Google account is breached/hacked, the victim has their entire
    Google experience compromised."
  • sandy ingram
     
    "The new Google Dashboard addresses concerns that users have regarding just how
    much Google knows about them. Providing a resource like the Google Dashboard
    that presents all associated information in one place may actually create more
    privacy and security issues than it solves though."
sandy ingram

Sunbelt Blog: Facebook "change-your-password" spam scam[s] are circulating - 0 views

  • Facebook “change-your-password” spam scam[s] are circulating

    There are at least two Facebook "change-your-password" scams circulating in
    spam. Here's the first one. It tries to lure you to a malicious site to steal
    your Facebook login information.

sandy ingram

No anti-virus software or procedures = compliance i$$ue - 0 views

  • sandy ingram
     
    "Commonwealth Equity Services LLP of Waltham, Mass., agreed to pay the penalty
    for failing to have anti-malware software on its reps' computers or written
    security policies to deal with security breaches. Securities brokers and
    registered investment advisors are required by SEC regulations to have written
    procedures to protect customer information."
sandy ingram

Fighting Fraud with the Red Flags Rule - 0 views

  • sandy ingram
     
    "The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs - or "red flags" - of identity theft in their day-to-day operations. Are you covered by the Red Flags Rule? Read Fighting Fraud with the Red Flags Rule: A How-To Guide for Business to:

    * Find out if the rule applies to your business or organization;
    * Get practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts; and
    * Learn how to put in place your written Identity Theft Prevention Program.

    By identifying red flags in advance, you'll be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft.

    Take advantage of other resources on this site to educate your employees and colleagues about complying with the Red Flags Rule."
WPPS News

Five Top Cybersecurity Risks - Security - IT Channel News by CRN - 0 views

  • 1. Client-side software remains unpatched in general
    According to the report, major organizations on average take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities.
  • More than 60 percent of the total attack attempts on the Internet are against Web apps
sandy ingram

WPPS Windows7 Live gadget - 0 views

  • sandy ingram
     
    FREE until November 1st
sandy ingram

External attacks start with unintentional mistakes, survey finds - 0 views

  • "Companies are finding more than ever before that they really need to have good access policies and the right level of controls associated with those policies," said Chris Young, senior vice president of products at RSA. "Organizations often try to start out with a model of trust between permanent and temporary employees, but they also have to balance that trust with controls."
  • sandy ingram
     
    The four walls around a company's data servers are continuing to erode as end users are finding it increasingly easier to use Web-based tools and bring their work home and on the road. The latest survey finds that companies are more concerned than ever about unintentional employee errors that can lead to data leakage.
sandy ingram

Red Flags Rule Applies to Legal Profession - 0 views

  • sandy ingram
     
    The Federal Trade Commission ("FTC") intends to
    apply the Red Flags Rule to lawyers and law firms, and
    those in the legal profession should prepare themselves
    by putting into place written programs to detect and
    mitigate against identity theft involving client accounts.
    Section 114 of the Fair and Accurate Credit
    Transactions Act of 2003 ("FACTA") directed the FTC
    and federal banking agencies to issue regulations
    requiring "financial institutions" and "creditors" to
    develop identity theft prevention programs designed to
    identify and detect "Red Flags" signaling possible
    identity theft. The FTC and the federal banking
    agencies finalized the regulations, commonly known as
    the "Red Flags Rule," in late 2007.
sandy ingram

Real-World Warnings Keep You Safe Online - 0 views

  • sandy ingram
     
    Why are these warnings important?

    Like the real world, technology and the internet present dangers as well as benefits. Equipment fails, attackers may target you, and mistakes and poor judgment happen. Just as you take precautions to protect yourself in the real world, you need to take precautions to protect yourself online. For many users, computers and the internet are unfamiliar and intimidating, so it is appropriate to approach them the same way we urge children to approach the real world.
    What are some warnings to remember?

    * Don't trust candy from strangers
    * If it sounds too good to be true, it probably is
    * Don't advertise that you are away from home
    * Lock up your valuables
    * Have a backup plan

    Click on the link for details.
sandy ingram

DHS | Cybersecurity: Make it a Habit - 0 views

  • sandy ingram
     
    Cybersecurity: Make it a Habit

    * How Do I Make Cybersecurity a Habit?
    * How Do I Fight Phishing Scams?

    Cybersecurity is the responsibility of everyone that uses the Internet. To remind us of this important issue, October has been designated as National Cybersecurity Awareness Month.

    The National Cybersecurity Division of Homeland Security is responsible for helping the protection of the cyber infrastructure. Each citizen uses this cyber infrastructure each time we use the Internet. By proactively educating everyone about cybersecurity, it will lower our Nation's vulnerabilities on the Internet and lower our collective risk. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society-the federal government, state and local governments, the private sector, and the American people.

    By protecting yourself on the Internet, you also protect others.
    How Do I Make Cybersecurity a Habit?
    Start with the Basics: Three Core Practices

    * Install anti-virus and anti-spyware programs and keep them up to date.
    * Install a firewall and keep it properly configured
    * Regularly install updates for your computer's operating system

    Make Ongoing Learning Easy with US-CERT Tips

    Cybersecurity is an evolving issue. The U.S. Computer Emergency Readiness Team (US-CERT) Security Tips provide advice on common security topics, such as privacy, email spam, and wireless protection. The tips are sent to your e-mail once a month so that you can continuously stay up to date with changing technologies and threats. Visit US-CERT and sign up to receive US-CERT's Security Tips.
sandy ingram

Bill Gives DHS Lead on Fed IT Security Policy - 0 views

  • The thinking behind shifting responsibility to DHS from OMB is that Homeland Security has the cybersecurity expertise whereas OMB's proficiency is budgeting. "Already, the Department of Homeland Security is the coordinating agency on cybersecurity," the staffer said. "Now, what you're doing is drastically strengthening the role of DHS by putting into law and then also, giving them the ability to say, with FISMA, approve or not to approve agencies' plans, controls, frameworks, the way they secure their systems."
  • The bill also continues the role of the National Institute of Standards and Technology as the key government agency to develop IT security guidance, but leaves it to DHS the decision which guidance has priority.
  • sandy ingram
     
    The responsibility to oversee information security among federal agencies would shift to DHS from the White House Office of Management and Budget under revisions of the measure, nicknamed U.S. ICE, that updates IT security guidance detailed in the seven-year-old Federal Information Security Management Act (FISMA), according to a senior cybersecurity staff member on the Senate Committee of Homeland Security and Government Affairs.
sandy ingram

FTC officials announced in a statement that they would not begin enforcement of what they c... - 0 views

  • sandy ingram
     
    FTC officials announced in a statement that they would not begin enforcement of what they call the "Red Flag Rule" until Nov. 1. In the meantime, the statement said, the agency plans to add more information to its Web site. The agency is also emphasizing that it is unlikely to bring enforcement actions "if entities know their customers or clients individually, or if they perform services in or around their customers' homes, or if they operate in sectors where identity theft is rare and they have not themselves been the target of identity theft."

    This is the third time the FTC has delayed enforcement of the new identity-theft rules, which under a 2003 law require businesses that act as "creditors" to set up a program to minimize risk. Lawyers, doctors and other professionals have protested the FTC's broad interpretation of "creditors" to include businesses that bill clients some time after providing services.
sandy ingram

70% of UK Organisations Hit By One or More Data Breach Incidents Within Last Twelve Months - 0 views



  • Research from Ponemon Institute Reveals Company-wide Strategy Governing the
    Use of Data Encryption Technologies Reduces Risk of Breach

    LONDON, July 8 /PRNewswire/ -- PGP
    Corporation, a global leader in enterprise data protection, has announced the
    results of the third annual study by The Ponemon Institute, identifying the
    steps UK organisations are taking in order to safeguard their confidential data.
    The 2009 Annual Study: UK. Enterprise Encryption Trends
    study, which polled IT security professionals at 615 enterprises and
    public sector organisations, found that 70% of UK organisations have been hit by
    at least one data breach incident within the last year, up from 60% in the
    previous year. The number of firms experiencing multiple breaches was also up,
    with 12% of respondents admitting to more than five data loss incidents in the
    twelve month period (up from 3%). Less than half of these breaches (43%) were
    publicly announced; there was no legal or regulatory requirement to disclose
    the remaining 57% of incidents.

sandy ingram

Focus on the Privacy of Individuals on Social Networking Sites is Well Founded, but Securit... - 0 views

  • sandy ingram
     
    Focus on the Privacy of Individuals on Social Networking Sites is Well
    Founded, but Security Impact

    2009-07-18 11:11:38 - Based on the Privacy Commissioner's recommendations to
    respect PIPEDA as well as the privacy of Canadians, Facebook has promised to
    review its practices. Companies should also pay close attention, as social
    networking sites can increase security risks and introduce new attack
    methods.

    Toronto, ON July 18, 2009 -- The Commissioner's report
    sternly voices the common concerns of privacy-conscious Facebook users about the
    social networking site's approach to data collection, sharing and retention. By
    demanding changes to current practices, the Privacy Officer seeks to help
    Facebook implement protective controls that comply with Canada's federal law
    Personal Information Protection and Electronic Documents Act.

    "The added disclosure
    practices and transparency around the use of personal information will go a long
    way towards building the trust of individuals and in my personal opinion, will
    improve Facebook's business rather than curtail its potential" according to
    Claudiu Popa, a recognized security expert and Informatica's founder. "However
    we must remember that social networking sites as a whole are information
    aggregators, they accumulate and consolidate detailed information about people
    and even employers. That's why we advise
    corporate clients to enforce policies regarding social networking and other
    online activity that could pose a threat to information security".

    Over the past few years, organized
    criminals have improved phishing techniques, social engineering and other
    targeted attacks to the point where exploits are precisely targeted to
    individuals and organizations. This year, Informatica's Research division has
    observed a definite
sandy ingram

Cisco warns of the increasingly sophisticated cybercriminal underground and how it could be... - 0 views

  • Researchers at networking giant Cisco Systems Inc. are warning of the
    increasingly sophisticated cybercriminal underground economy and how it could be
    attractive to those having trouble finding work or facing layoffs in a troubled
    global economy.
  • "There's a lot of business sophistication," said Patrick Peterson, Cisco
    fellow and chief security officer. "Cybercriminals are taking a lot of Harvard
    Business School approaches, making them very difficult to combat, and it really
    does increase their success rate and the impact they have on us."

  • researchers are also seeing lower-volume, but more frequent botnet attacks.
    Peterson said it's a sign cybercriminals are trying to stay under the radar.
    Researchers from the University of California, Santa Barbara, who studied the
    Torpig botnet, discovered that it had been operating for several years, stealing
    login credentials for hundreds of thousands of online bank accounts.
  • The report also highlights how smartphones and social networking websites are
    being increasingly targeted by cybercriminals, lured by the massive amount of
    personal data displayed over time on websites such as Twitter, MySpace and
    Facebook.
  • Cisco has been tracking a rise in malicious SMS text messages, appearing from a
    trusted source prompting victims to call and reveal sensitive account
    information
  • "It's really all about social engineering to trick users, and with the amount of
    data people place in the public eye, it's become easier to conduct these
    attacks,"