Group items tagged

The global economic crisis has become the biggest near-term U.S. security concern, sowing instability in a quarter of the world's countries and threatening destructive trade wars, U.S. intelligence agencies reported on Thursday. The director of national intelligence's annual threat assessment also said al Qaeda's leadership had been weakened over the last year. But security in Afghanistan had deteriorated and Pakistan had to gain control over its border areas before the situation could improve. "The financial crisis and global recession are likely to produce a wave of economic crises in emerging market nations over the next year," said the report. A wave of "destructive protectionism" was possible as countries find they cannot export their way out of the slump. "Time is our greatest threat. The longer it takes for the recovery to begin, the greater the likelihood of serious damage to U.S. strategic interests," the report said. The report represents the findings of all 16 U.S. intelligence agencies and serves as a leading security reference for policymakers and Congress. Besides reviewing adversaries, it also considered this year the security impact of issues including climate change and the economy. It said a quarter of countries have already experienced at least "low-level" instability, such as government changes, linked to the economy.

Buying and renting tools used by cybercriminals to conduct attacks and steal credentials is becoming much easier for the average person. "For Rent" signs hang on botnets, automated hacking toolkits are sold at bargain prices, and the data reaped by the criminal activity is sold and traded in online forums on a daily basis. Researchers at networking giant Cisco Systems Inc. are warning of the increasingly sophisticated cybercriminal underground economy and how it could be attractive to those having trouble finding work or facing layoffs in a troubled global economy. Meanwhile, cybercriminals are borrowing some of the best strategies from legitimate companies and forming partnerships with one another to help make their illegal activities more lucrative, according to Cisco.

An Italian judge on Wednesday gave the go-ahead to a case in which Google (GOOG) could be held responsible for content it hosts but does not produce. The case centers on a 2006 video of four Italian youths taunting a child with Down syndrome. In the video, one of the youths incorrectly claims to be part of a small Down syndrome advocacy group called Vivi Down. The video was uploaded to the Google Video site, where it stayed for two months. Prosecutors have filed charges against five Google executives, saying they were in violation of Italian privacy laws and of contributing to the defamation of Vivi Down. At the heart of the case are two main questions: Should sites such as Google Video be held responsible for the content they host? And should such non-brick-and-mortar New Economy companies be subject to the laws in countries where they are not based? "The outcome of this will be to determine how big companies like Google should be expected to act," said Raffaele Zallone, a former chief counsel for IBM's Italian offices and the attorney representing a woman seeking damages in a secondary case tacked onto the main charges. FIND MORE STORIES IN: Italy | Google Inc | International Bus. Machines | Milan | New Economy Zallone, along with Milan prosecutors, the city's ombudsman and an attorney for Vivi Down, the advocacy group, say Google should have become aware of the offending video sooner and removed it sooner. Guglielmo Pisapia, Google's lead attorney in the case, denies any wrongdoing and says Google could not have acted differently. "Google did not produce the video, and when they received an official complaint, they removed it within five hours," said Pisapia, a former member of the Italian parliament. "If the argument is that they should have evaluated the video before it was posted, then that is a dangerous precedent." Oliviero Rossi, an author and commentator on technology issues, says unusual cases that push the limits of the law as this one does are

Consumer Sentiment rose up by 1.8 points in early January to 61.9%, compared with market expectations for a slight decline to 59.0%. Despite this surprising gain, sentiment is still 8.4 points below its September level and 21.0% below its year ago level. The current level remains well below its recessionary average of the past 50 years. Current Conditions slipped by 0.3 points to 69.2%. This is 5.8 percentage points below its September level and 26.7% below its year ago level. Consumer Expectations jumped by 3.2 points to 57.2%. Nevertheless, they are still 10.0 percentage points below their September level and 16.0% below their year ago level. Bottom Line: Consumer sentiment climbed in early January. However, sentiment had collapsed in October in reaction to the intensification of the financial and credit market turmoil. Overall assessments of the economy, as well as assessment of current conditions and consumer expectations, are still significantly below their September level and well below their year ago levels. Thus, despite this month's increase, household assessments of the economy are still mired at recessionary levels. The causes of consumers' pessimism are also dampening real consumer spending.

Is the price to safeguard America's information systems and networks on a collision course with efforts to rescue the economy? One would hope not, but the $789 billion stimulus package that contains nearly $10 billions for IT-related projects offered very little for cybersecurity. Still, the president sees protecting government and private-sector information systems as crucial to the economic vitality of the country. So, when Acting Senior Director for Cyberspace Melissa Hathaway hands the President her recommendations on securing the nation's information infrastructure later this month, a sharper picture should emerge on how much money the government will need to spend to do just that. What Price Security? The government isn't a spendthrift in protecting its IT networks; it earmarked $6.8 billion a year on cybersecurity this fiscal year, up from $4.2 billion five years ago, according to the White House Office of Management and Budget. But is that enough? Appropriating money to find new and innovative ways to protect our critical information infrastructure doesn't seem to be a government priority, at least not yet. Of the $147 billion the government planned to spend on all types of research and development this fiscal year, only $300 million or 0.2 percent was slated for cybersecurity, according to the Securing Cyberspace in the 44th Presidency report issued by the Center for Strategic and International Studies. By comparison, the budget contained five times as much money $1.5 billion for nanotechnology R&D.

America's civil engineers think the nation's aging and rusty infrastructure is just not making the grade. The American Society of Civil Engineers issued an infrastructure report card Wednesday giving a bleak cumulative ranking of D. "We've been talking about this for many many years," Patrick Natale, the group's executive director, told CNN. "We really haven't had the leadership or will to take action on it. The bottom line is that a failing infrastructure cannot support a thriving economy." Video Watch what the report had to say » The ranking -- which grades the condition of 15 infrastructure entities such as roads, bridges and dams -- is the same as the the last time such a report was issued, in 2005. In 2001, the grade was D+, slightly better but still poor. Roads got a D-, with Americans spending more than $4.2 billion a year stuck in traffic. "Poor conditions cost motorists $67 billion a year in repairs and operating costs. One-third of America's major roads are in poor or mediocre condition and 45 percent of major urban highways are congested," the engineers' report said. Drinking water, D-. "America's drinking water systems face an annual shortfall of at least $11 billion to replace aging facilities," the report said. "Leaking pipes lose an estimated seven billion gallons of clean drinking water a day." Inland waterways, D-. "The average age of all federally owned or operated locks is nearly 60 years, well past their planned design life of 50 years. The cost to replace the present system of locks is estimated at more than $125 billion." Wastewater systems, D-. "Aging systems discharge billions of gallons of untreated wastewater into U.S. surface waters each year." Don't Miss * Congress looks to boot zoos, golf from infrastructure list Levees, D-. Many levees are locally owned and maintained, but they are aging and their "reliability" is not known. "With an increase in development behind these levees, the risk to public health and safety from f

Today's post provides an example of an organizational change being discussed in many firms contemplating the use of social media, and its evolution to social business in a global economy. Adoption of "social" introduces new risks and opportunities to US corporations. The likelihood of doing business

"The ubiquity of online advertising is a product of its importance to the internet economy, said a group of consumer advocates Wednesday during a debate on the future of online advertising. But the impact of new targeted advertising methods on consumer privacy and its potential to manipulate online experiences was the subject of heated argument at the event, sponsored by the Information Technology and Innovation Foundation. Privacy does not mean the same thing to all consumers in all situations, said Progress and Freedom Foundation Senior Fellow Berin Szoka. Advertisements are attempts to capture user attention - the "great currency of the Internet" - and when successful support a wide range of valuable content, he said. But in online life, "consumers have many values," Szoka added. "Privacy is one of them," he said, but it is not an absolute. Consumers must sometimes trade privacy for content, he said. "There is no free lunch." As more information and entertainment migrates to the internet, Szoka said it is "critical…that we find a way to support this media." Targeted advertising can fit the bill, he suggested - especially if technology gives users more control over their own preferences. Most consumers don't understand that advertising is a necessity for today's internet, he said. New technologies like targeting need to be given a try, he said, so content providers can recoup the value of their advertising - down 25 percent since 2000, he noted. Center for Digital Democracy founder Jeff Chester said Szoka's ideas about advertising's future represented a "false dichotomy." The real debate should be over the rules that regulate advertiser content, he said. Chester warned of a "Targeting 2.0″ system in which neuroscience combined with massive databases not only serve ads, but target content to users. "It's about influencing our behavior without our consent," he said. Chester pointed to the subprime lending cr

Data security represents both a new market opportunity to sell insurance coverage and a new risk - especially for independent insurance agencies that may not be compliant with data security laws or have plans in place to protect their own companies from data breaches. While data security is an evolving issue, failing to protect data can have a huge financial impact on a company. The average total per-incident cost of a data security breach was $6.65 million, compared to an average per-incident cost of $6.3 million in 2007, according to the "U.S. Cost of Data Breach Study" conducted by data protection company PGP Corp. and information management research firm The Ponemon Institute. The PGP/Ponemon study indicated that data breach incidents cost U.S. companies $202 per compromised customer record in 2008, meaning that companies incur additional costs with an abnormal churn in lost customers. More than 84 percent of data breach cases in 2008 involved organizations that had more than one data breach. And, more than 88 percent of all cases in the study involved insider negligence. The cost of lost business continued to be the most costly effect of a breach, averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study. "After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy." Includes video: Data Security Creating Insurance Agent Sales Opportunities

Legislation to reform the Federal Information Security Management Act of 2002 will be introduced in the Senate on Tuesday, a Senate staffer who helped draft the bill told a panel at the RSA Conference in San Francisco on Thursday. Erik Hopkins' presentation provided further evidence that the White House could assume greater control in coordinating federal government security. In the panel - The New FISMA: Security Finally Transcends Compliance - Hopkins offered a diagram illustrating the bill that showed a cyber office reporting directly to the president. Hopkins, who works for the Senate Committee on Homeland Security and Governmental Affairs, was the third federal official addressing conference attendees to suggest the White House will be given more authority in safeguarding federal government information systems. On Wednesday, Obama administration cybersecurity advisor Melissa Hathaway - who last week submitted to the president an assessment of federal cybersecurity policy - said the White House must lead federal government cybersecurity efforts. A day before, National Security Agency Director Keith Alexander said NSA would not lead the nation's cybersecurity efforts, suggesting a greater role for the White House. Hopkins said the benefits of FISMA reform includes improved coordination of security efforts, better economies of scale and greater situational awareness of security threats such as knowing where they originate and how the government will respond.

A South Korean court acquitted a blogger on Monday of spreading false information, in a case that triggered debate about freedom of speech in cyberspace and critics said was only launched because his economic doom postings angered authorities. Defendant Park Dae-sung, who went by the pseudonym "Minerva" after the Greek goddess of wisdom became a household name last year for his predictions of sharp falls in the won and the local stock market and the collapse of U.S. investment bank Lehman Brothers. "He's been found not guilty," a court official said by telephone. The court threw out charges that he purposely harmed market sentiment by posting false information on his blog. Prosecutors said a posting Park made in December led to volatility in the local currency and caused financial authorities to inject billions of dollars to stabilize the Korean won. "Even if there was recognition that it was false information, he cannot be seen as having acted on purpose to harm public interest considering the situation at the time including the special nature of the foreign exchange market," the court said. As the markets tumbled last year, the main financial regulator warned it would crack down on what it considered malicious rumors. Some economic analysts said they had come under pressure from authorities not to voice negative views on the economy.

IT and business both understand the need to protect regulated customer and business data -- so long as they're in business, analysts say. Here's a look at how some folding businesses are falling short protecting data and the possible liabilities for the IT group and CIO. From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan? "Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group. "In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft." Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay." In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore

Heartland Payment Systems Inc., which announced a breach of potentially millions of credit and debit cards last month, said it plans to vigorously defend itself against lawsuits filed as a result of the data breach. In a filing with the Securities and Exchange Commission, Heartland Chairman and CEO Robert Carr acknowledged the claims that cardholders, card issuers, the credit card brands, regulators, and others have asserted, or may assert, against the payment processor as a result of the breach and the impact it could have on the business. Several class action lawsuits have been filed against Heartland, claiming that the payment processor issued belated and inaccurate statements when it announced a security breach of its systems. Carr He said the company could not "reasonably estimate the potential impact of the breach on the day-to-day operations" of the business. "We intend to vigorously defend any such claims and we believe we have meritorious defenses to those claims that have been asserted to date," Carr said. "At this time we do not have information that would enable us to reasonably estimate the amount of losses we might incur in connection with such claims." The Princeton, N.J.-based payment processor announced Jan. 20 that its systems were breached last year when intruders installed malware to pilfer data crossing the company's network. Since then, Sherriff's authorities in Tallahassee, Fla. arrested three suspects for using stolen credit card numbers to make purchases at local Wal-Mart stores. The credit card numbers used by the trio were allegedly stolen from the Heartland processing center in New Jersey. Carr said the company's sales force was doing well despite the obvious challenges caused by the combination of the downturn in the economy and the data security breach. The payment processor's current customer base has responded positively, he said. "In the weeks since our announcement of the breach, we have installed more margin, and have a bit

Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey. The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern. Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not rationing back their efforts. "The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said. The failing economy may be driving the increased concern over insider threats, Steinoff said. "The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat." Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To protect against employee mistakes that lead to a breach, financial firms should focus on risk rather than compliance to protect themselves, Steinhoff said. "[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that persp

Cash-squeezed privately held companies are facing another threat in this struggling economy: rising employee fraud. Employee fraud -- from check-forgery schemes to petty-cash theft -- tends to rise during tough economic times, when workers are feeling financial pressure in their personal lives, experts say. And small companies are especially vulnerable because they often lack stringent internal controls to prevent fraud. Sometimes, managers at affected companies attribute lost funds to lower sales -- never even suspecting foul play.

The enormous international focus on privacy is growing more urgent in the face of business and government pressure to get the economy moving again and restore trust in our most basic institutions. To help rebuild trust and bolster bottom lines in a down market, it pays to prioritize privacy. The time is right to make smart investments in an organization's privacy professionals-the experts in the eye of the storm that must work collectively to find the right solutions to privacy challenges. The IAPP, which now boasts 6,000 members across 47 countries, is convening its annual Privacy Summit in Washington DC from March 11-13, 2009-the largest and most global privacy event in the world. Attendees will have the unique opportunity to interact with privacy regulators from Canada, France, Spain, Israel, the UK, Italy, the U.S. and the experts who help shape their policies across 60 different educational and networking sessions. Keynote speakers include Frank Abagnale (of Catch Me if You Can fame), one of the world's most respected authorities on forgery, embezzlement and secure documents as well as internationally renowned security technologist Bruce Schneier. The Future of Privacy Forum will be strongly represented at this year's Summit. Jules Polonetsky and Chris Wolf will be co-presenting a session entitled Cheers & Jeers: Who is Doing Privacy Right and Who Deserves Detention. Jules and Chris will also cover Behavioral Advertising Secrets: What Your Marketing and IT Team Didn't Think You Needed to Know. Both topics should be big draws for the expected 1500 attendees at the Summit! It's this sort of event that advances our profession and helps privacy professionals work together to reclaim trust. Registration is open and we look forward to seeing you in DC.

With so many workers being axed, the threat to sensitive customer, corporate, military information should be examined. Once workers leave with sensitive information, good luck controlling exposure. Cross International borders and the issue potentially expands into an national "incident" with dire consequences for corporate reputation. Protectionism vs Patriotism. Issues raised in the Great Depression revisited with more impact due to expansion of the economy to global status.

Microsoft Corp.'s plan to eliminate U.S. workers after lobbying for more foreigner visas is stirring resentment among lawmakers and employees. As many as 5,000 employees are being shown the door at Microsoft, which uses more H1-B guest-worker visas than any other U.S. company. Some employees and politicians say Microsoft should get rid of foreigners first. "If they lay people off, are they going to think of America first or are they going to think of the world first?" Chuck Grassley, a Republican Senator from Iowa, said in an interview. He sent a letter to Microsoft Chief Executive Officer Steve Ballmer the day after Microsoft announced the job cuts last month, demanding Ballmer fire visa holders first. Across the technology industry, some of the biggest users of H1-B visas are cutting jobs, including Intel Corp., International Business Machines Corp. and Hewlett-Packard Co. The firings at Microsoft, the world's largest software maker, came less than a year after Chairman Bill Gates lobbied Congress for an expansion of the visa program. Even before Microsoft announced the cuts, its first-ever companywide layoffs, comments on a blog run by an anonymous Microsoft worker angrily debated getting rid of guest workers first. The author of the Mini-Microsoft blog eventually had to censor and then completely block all arguments about visas, after the conversation "got downright nasty."

IT security typically has been deemed one of those services best provided in-house. But the stigma attached to outsourcing security and Security as a Service -- namely that an outsider does not know your company well enough to protect it -- may be falling away, as businesses look for more ways to cut costs. Certainly, some heavy-hitter providers believe attitudes are changing. This month, McAfee Inc. announced its new SaaS Security Business Unit. Headed by former Hewlett-Packard Co. SaaS executive Marc Olesen, the unit will oversee all McAfee products delivered over the Internet, including security scanning services, Web and email security services and remote managed host-based security software and hardware. Meanwhile, last April, IBM launched some hosted and managed services that it says help midsized businesses better manage risk and improve the security of their IT systems, all while offering cost savings over traditional products. Indeed, much of IBM's security strategy during the next 24 months will focus on moving security technologies into the cloud and expanding its managed services offerings, said Jason Hilling, an enterprise services business line executive with IBM Internet Security Systems. That includes providing some hosted implementations of technologies that once were located only at the customer premises. "Because the economy is struggling, I think there will be enough excitement in the marketplace over the cost benefits of Security as a Service that we are going to see a much higher degree of willingness to look at it as a real viable option," Hilling said. Hilling contended that a midmarket company with between 500 and 700 employees can realize costs savings from 35% to upwards of 60% by doing security as a managed service. Savings diminish as the deployment gets larger and more complicated, and the costs of managed services escalate. Yet outsourcing security is not just about cost. The world is becoming very hostile, said Sadik Al-Abdulla,

Times are tough, and we all continue to hear about the heightened risk of the insider threat. Granted, unauthorized insider access to data has always been a concern. But the concern is increased now because of the tremendous changes that we are seeing in the economy. The term "disgruntled employee" now has a whole new meaning because there are more and more folks concerned about 'What if my job disappears? What kind of information can I keep? What kind of information can I have access to?' As one who's dealt with the insider threat, I have some questions of my own: What do you really mean by an insider? In our borderless world, the terms "insider" and "outsider" overlap. "Insiders" are not just employees and staff, but also service providers, business partners, consultants, contractors -- any number of parties who may work for companies we deal with. What do we really mean by an authorized versus an unauthorized insider? If you take a look at the Societe Generale situation, allegedly a fraud was committed by an authorized user with privileges he was not supposed to have. How? Well, the horribly overused cliché is that if you work with a company long enough, eventually you will have access to everything, and no one will know it. Bottom line: As people change jobs within a company, we are not good at updating their roles and responsibilities. If you look at all the efforts that have been spent on identity and access management products, the biggest challenge is trying to understand: What are the roles and responsibilities you are trying to apply to people? How do you develop these roles and responsibilities and how do group them? How do you really deal with people who have to change roles and responsibilities? How do you add and delete roles and responsibilities as people change jobs?

There were only two of us on the graveyard shift. "If it's not locked up," a colleague at my first newspaper declared as he snatched a folder of papers from our boss' desk and strode towards the office copying machine, "Xerox it." (Old-tongue for photocopy.) That was long before CDs, and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you. I guess that's the message behind the "revelation" released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them. Lots of it. My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.) Data Loss Risks During Downsizing conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% stole company data. What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers. Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it's sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn't weigh heavily enough on their conscience to set off an internal alarm. Most of the people who took data - 79% â