Group items tagged

When the director of IT at a Boston-based, midsize pharmaceutical firm was first approached to participate in a data leakage audit, he was thrilled. He figured the audit would uncover a few weak spots in the company's data leak defenses and he would then be able to leverage the audit results into funding for additional security resources. "Data leakage is an area that doesn't get a lot of focus until something bad happens. Your biggest hope is that when you raise concerns about data vulnerability, someone will see the value in allowing you to move forward to protect it," the IT director says. But he got way more than he bargained for. The 15-day audit identified 11,000 potential leaks, and revealed gaping holes in the IT team's security practices. (Read a related story on the most common violations encountered.) The audit, conducted by Networks Unlimited in Hudson, Mass., examined outbound e-mail, FTP and Web communications. The targets were leaks of general financial information, corporate plans and strategies, employee and other personal identifiable information, intellectual property and proprietary processes. Networks Unlimited placed one tap between the corporate LAN and the firewall and a second tap between the external e-mail gateway and the firewall. Networks Unlimited used WebSense software on two servers to monitor unencrypted traffic. Then it analyzed the traffic with respect to company policy. Specifically, Networks Unlimited looked for violations of the pharmaceutical firm's internal confidentiality policy, corporate information security policy, Massachusetts Privacy Laws (which go into effect in 2010), Health Insurance Portability and Accountability Act (HIPAA), and Security and Exchange Commission and Sarbanes-Oxley regulations. Auditor Jason Spinosa, senior engineer at Networks Unlimited, says that while he selected the criteria for this audit, he usually recommends that companies take time to determine their policy settings based on their risk

A national security panic spread through the Internet yesterday after a report by The Wall Street Journal suggested "terabytes" of classified data on the F-35 Lightning II had been stolen by hackers. Today the Pentagon and Lockheed Martin responded to the allegations saying they are untrue, and I believe them. Defense Department spokesman Bryan Whitman said, "I'm not aware of any specific concerns." That's a key phrase. Lockheed Martin--the F-35 superjet's primary contractor--also commented "We actually believe The Wall Street Journal was incorrect in its representation of successful cyber attacks on the F-35 program." And the company's CFO Bruce Tanner added "I've not heard of that, and to our knowledge there's never been any classified information breach." While it's easy to argue that these responses are merely a smokescreen to save political face, the language is much more direct than a plain old "no comment." Typically, companies protect themselves in this sort of situation by denying the existing or potential hackers any public information on the success or failure of hack attempts, obscuring the level of secrecy of any stolen data. In the F-35 case it looks like the denials are much firmer, and that suggests the developers of the JSF are confident in their security systems. It's an echo of alleged data leaks via F-35 contractor BAE Systems last year, that were later withdrawn due to lack of evidence that leaks had occurred. Government and defense contractor computer networks face a pretty continuous rate of hack attempts. As a result such companies have even more stringent data security protocols in place than normal organizations. They're still not absolutely impervious to hacking, of course, as no such system ever is. So that's why the most highly classified data--critical to the super-secret offensive and defensive capabilities of hardware like the F-35--is typically stored on computers that have an extremely low-tech "air gap firewall". They're not co

Netbook web surfers beware. That low-cost netbook you're using could be a high-speed gateway into your life, bank accounts, passwords and other personal data. Netbooks have made headlines since their 2007 launch, making PCs accessible to millions of non-traditional users. But their cheap cost could also carry a steep price tag due to lax security that makes them easier prey for viruses and hackers. Since their introduction less than two years ago by Taiwan's Asustek, nearly all major PC makers, including Hewlett-Packard, Dell, Acer and Lenovo, have jumped on the netbook bandwagon. But their no frills nature, combined with low computing power and relative lack of sophistication among their users could combine to create the perfect storm for hackers and virus creators looking for easy targets, analysts say. "The Internet is full of dangers, regardless of what computer you are using," said Sam Yen, greater China marketing manager at anti-virus software maker Symantec. "But keeping in mind that the netbook is primarily used to surf the Internet, those dangers are possibly multiplied many-fold, especially if there is no anti-virus software installed in the machine." Price tags as low as $300 mean that netbooks often lack such standard gear as firewalls and other anti-virus software typically found in other computers, leaving them highly vulnerable to attacks. "Frankly, netbook security is not there yet," said Pranab Sarmah, an analyst at the Daiwa Institute of Research. "The positioning of the netbook means PC brands are going to do whatever it takes to make the price point attractive to consumers, which means keeping costs low." Many netbook users are relative Internet newcomers, and may not be aware of precautions they can take to protect themselves. Low computing power also means savvy netbook users may shut down critical security programs to boost speed. "It's a Catch-22 situation," said Gartner analyst Lillian Tay. "If you're running too many security prog

In honor of this day, the California Office of Privacy Protection--the first governmental privacy office in the nation--has created a presentation which you can download from their Web site at www.privacy.ca.gov. It's called "Secure Your Computer to Protect Your Privacy," and it explains why computer owners should use Internet firewalls, install and maintain anti-virus and anti-spyware software, and keep their operating systems and applications up to date to protect themselves from malicious attacks. The state privacy office offers lots of other information on how Californians can protect themselves and their data. You can visit their Web site, call them toll-free at (866) 785-9663, or go Wednesday at 5:30 p.m. to the main San Francisco Public Library, where Joanne McNabb, the state's privacy chief, is scheduled to appear on a panel with representatives from Microsoft, Intel, the Center for Democracy and Technology, MySpace and Teen Angels. The panel is free and is part of an international effort to raise awareness about privacy practices and privacy rights

A third (34 per cent) of discarded hard disk drives still contain confidential data, according to a new study which unearthed copies of hospital records and sensitive military information on eBayed kit. The study, sponsored by BT and Sims Lifecycle Services and run by the computer science labs at University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US, also found network data and security logs from the German Embassy in Paris on one purchased drive. Researchers bought 300 drives from eBay, other auction sites, second-hand stalls and car boot sales. A disk bought on eBay contained details of test launch routines for the THAAD (Terminal High Altitude Area Defence) ground to air missile defence system. The same disk also held information belonging to the system's manufacturer, Lockheed Martin, including blueprints of facilities and personal data on workers, including social security numbers. Lockheed Martin denies that the disk came from it. The arm manufacturer has launched an investigation that aims to uncover just how the sensitive data might have been wound up on the disk. Two discs bought in the UK apparently came from Lanarkshire NHS Trust, including patient medical records, images of X-rays and staff letters. Lanarkshire NHS Trust runs the Monklands and Hairmyres hospitals. In Australia, the exercise turned up a disk from a nursing home that contained pictures of actual patients and their wound photos, along with patient details. A hard disk from a US bank contained account numbers and details of plans for a $50bn currency exchange through Spain. Details of business transactions between the bank and organisations in Venezuela, Tunisia and Nigeria were also included. Correspondence between a member of the Federal Reserve Board and the unnamed banks revealed that one of the deals was already under scrutiny by the European Central Bank, and that federal investigators were also taking an interest. Yet anothe

Cyber espionage, attacks, breaches, viruses - they are all among the concerns President Barack Obama cited Friday when he announced he will create a new White House office of cyber security, with that cyber czar reporting to the National Security Council as well as to the National Economic Council. The nation's vulnerability to cyber attacks has long been a concern. The Center for Strategic and International Studies said in a December report that the U.S. Defense Department alone has said its computers are probed hundreds of thousands of times each day. These publicly known cases of hacks, thefts and viruses at government, military, utilities and educational sites are just some examples