CIPP Information Privacy & Security News

You systems administrator knows more about you than you think.

More than one-third of information technology professionals abuse administrative passwords to access confidential data such as colleagues' salary details or board-meeting minutes, according to a survey. Data security company Cyber-Ark surveyed more than 400 senior IT professionals in the United States and Britain, and found that 35 percent admitted to snooping, while 74 percent said they could access information that was not relevant to their role. In a similar survey 12 months ago, 33 percent of IT professionals admitted to snooping. "Employee snooping on sensitive information continues unabated," Udi Mokady, CEO of Cyber-Ark, said in a statement. Cyber-Ark said the most common areas respondents indicated they access are HR records, followed by customer databases, M&A plans, layoff lists and lastly, marketing information. "While seemingly innocuous, (unmanaged privileged) accounts provide workers with the 'keys to the kingdom,' allowing them to access critically sensitive information," Mokady said. When IT professionals were asked what kind of data they would take with them if fired, the survey found a jump compared with a year ago in the number of respondents who said they would take proprietary data and information that is critical to maintaining competitive advantage and corporate security. The survey found a six-fold increase in staff who would take financial reports or merger and acquisition plans, and a four-fold increase in those who would take CEO passwords and research and development plans.

Many people are scaling back their summer vacation plans because of the current economic situation. Some are staying closer to home. Others may be taking shorter vacations. But it's important to remember that when you travel, your risk of exposure to fraud and identity theft may increase. It's a fact that people tend to let their guard down while on vacation. Criminals know this. Identity theft is often a crime of opportunity. Don't be a vacationer who presents a crook with that opportunity. Your personal information, credit and debit cards, driver's license, passport, and other personal information are the fraudster's target. A few minutes spent planning before you travel can help reduce the risk that a fraudster will ruin your vacation. Here are some tips to help you avoid any nasty surprises:

Being privacy saavy while on vacation - Priceless

If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?

Good awareness video to make employees & employers think about physical security ramifications

Did we need more proof that a chain is only as strong as its weakest link?

A secure Web mail company that challenged hackers to break into the company's Web mail system is paying out a US$10,000 prize, just days after launching the contest. A team of hackers managed to hack into StrongWebmail CEO Darren Berkovitz's Web mail account, using what's known as a cross-site scripting (XSS) attack, the company confirmed Monday. "They did it using an XSS script that took advantage of a vulnerability in the backend webmail program," StrongWebmail said in a statement. StrongWebmail launched the contest at the end of May as a way of promoting the voice-based identification technology sold by its parent company, Telesign. Hackers were given Berkovitz's e-mail address and password and challenged to break into the account. The company thought this would prove difficult because StrongWebmail requires a special password that is telephoned to the user before e-mail can be accessed.

TSA terrorist watchlist changes affect travel industry, document coordination requirements, security & privacy concerns. Over-strengthening one set of regulations and ignoring others simply means that the terrorists will move to safer (for them) modes of attack.

The Transportation Security Administration is getting ready to take over responsibility from the airlines for checking passengers' names against terrorist watch lists, and is advising travelers to start booking airline tickets using their full name as it appears on their driver's license or passport.

Another report on Sears getting slapped on the wrist for questionable data collection. Gee, why don't businesses take information law seriously? Maybe because it is more profitable to ignore it and pay a small fine? Not impressed by Obama's enforcement of privacy law.

Sears today agreed to settle Federal Trade Commission charges that it failed to disclose the depth of consumers' personal information it collected via a downloadable software application. The settlement calls for Sears to stop collecting data from the consumers who downloaded the software and to destroy all data it had previously collected. If Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit, the FTC stated. Sears must also disclose whether any of the data will be used by a third party, the FTC said.

Cybercriminals are improving a malicious software program that can be installed on ATMs running Microsoft's Windows XP operating system that records sensitive card details, according to security vendor Trustwave. The malware has been found on ATMs in Eastern European countries, according to a Trustwave report. The malware records the magnetic stripe information on the back of a card as well as the PIN (Personal Identification Number), which would potentially allow criminals to clone the card in order to withdraw cash.

Windows XP is an obvious choice to run ATMs! Sigh!

Fun economic facts

Largest US Bankruptcies When automaker General Motors announced they were filing for bankruptcy today, the company joined the ranks of the largest companies in history to do so. Take a look at ten of the biggest corporate filings in US bankruptcy court, based on pre-bankruptcy assets. Source: BankruptcyData.com Updated June 1, 2009 »Slideshow: World's Biggest Debtor Nations »Slideshow: S&P's Leanest Companies

Is your bank on the list?

Failed Banks Thirty-six banks have failed this year, up from the 25 that shut down in 2008, which included Washington Mutual, the largest bank failure in US history. While the banks that have closed this year are not as large as WaMu, there have been some substantial banks that failed with assets in the billions. Click on to find out which of them rank as the 10 largest failures so far in 2009. Source: FDIC Posted June 4, 2009 »Slideshow: Largest Bankruptcies »Slideshow: World's Safest Banks

The SEC will charge Angelo Mozilo, former chairman and CEO of Countrywide Financial, with insider trading, according to people familiar with the situation. The SEC will also charge the company's former chief operating officer, David Sambol, and former financial chief, Eric Sieracki, with securities fraud for failing to disclose the firm's relaxed lending standards in its 2006 annual report. The charges, which are expected to be announced by the SEC later today, will not be accompanied by any criminal indictments.

Another example of misuse of company data for personal gain.

Better to settle with the FTC than get your company's reputation as consumer-friendly (deserved or not) dragged through the court of public opinion.

Sears Holdings has agreed to settle allegations it collected personal data from customers without adequate disclosures, the Federal Trade Commission said on Thursday. The FTC had accused Sears Holdings, created in 2005 with the merger of Sears and Kmart, of paying online customers $10 to allow the company to track their online browsing. But the FTC said Sears also collected information on non-Sears sites, such as online bank statements, drug prescription records and emails. "The software would also track some computer activities that were not related to the Internet," the FTC said in a statement. Sears did disclose all it would monitor in a lengthy user license agreement, but the FTC argued it was not enough. "The complaint charges that Sears' failure to adequately disclose the scope of the tracking software's data collection was deceptive and violates the FTC Act," the FTC said in a statement. Sears did not immediately reply to two telephone calls and one email seeking a comment. Under the settlement, Sears is required to destroy the data collected and make future disclosures more prominent.

This week, the Government Accountability Office issued a report related to privacy and security issues at FDA and another report about the agency's plans to modernize its IT systems, Government Health IT reports. Privacy and Security Report On Monday, GAO released a report suggesting that FDA has not included sufficient privacy and security protections in its plans for a medical product safety monitoring system called the Sentinel Initiative. The system would use data from insurance companies, academic institutions, government agencies and health care providers to track the performance of medications and medical devices. According to the FDA Amendments Act of 2007, the initiative would have access to data from 25 million people by mid-2010 and 100 million people by mid-2012 (Foxhall, Government Health IT, 6/2). For the report, GAO conducted an audit of FDA's planning process for Sentinel from May 2008 to May 2009.

Privacy has been so poorly defined by opponents and proponents alike, that people have yet to realize its value.

While concerns about Internet privacy grab headlines, not everyone is bothered, or even aware, of how their online activities are being tracked. "On one extreme, there are Web cams in bedrooms, and the other extreme are people who won't wear a nametag at a conference," said Anne Toth, Yahoo's chief privacy officer. "Most people are in the middle. What's interesting is that consumers need to better understand how [privacy options] operate and where they can exercise their choices." Toth spoke at a consumer privacy panel here yesterday at the Tech Policy Summit. In general terms, she said "clear notice and robust choice is the right standard" for consumer privacy. But others in the audience and on the panel took issue with whether things like opt-in choices to receive information from e-tailers provide enough information or easily convey to consumers what they're agreeing to.

Top attorneys for Microsoft and Google today reiterated their companies' support for tougher government rules to protect consumer privacy. But when it comes to the details, some watchdog groups say they are concerned that Web firms will continue to fight against specific provisions that would limit the ways they can collect and use people's information to serve more targeted ads. Today's panel discussion, held here at the Computers, Freedom and Privacy conference, revisited a longstanding policy debate over the government's role in online privacy. The talk ran along some familiar plotlines, with Jeff Chester of the Center for Digital Democracy thundering about the detailed personal profiles being assembled by advertising companies who are using neuroscience to manipulate consumer behavior, while industry representatives assured the audience that their data-collection practices are benign, not to mention essential to providing free content and services on the Internet. But this wasn't just an idle debate. Rep. Rick Boucher, the Virginia Democrat who chairs a House subcommittee on the Internet, is developing legislation that could seek to impose sweeping restrictions on behavioral targeting. A few blocks up Pennsylvania Avenue at the Federal Trade Commission, the principal regulatory agency with authority over online advertising, newly minted Chairman Jon Leibowitz has spoken often about the need for industry to get serious about privacy. "The FTC's central concern here is transparency, consumer control," said Jessica Rich, assistant director of the agency's privacy and identity protection division. "We don't think consumers really know what's happening with their data."

Advertisers are your friend, and the government is here to help. If consumers don't take responsibility for their data, then all the regulation in the World won't matter.

OPT-OUT becomes untenable when users have to visit 40 - 50 or more sites to do it.

The online advertising industry and U.S. policy makers need to give online users more control over the collection of personal data and surfing habits beyond the traditional opt-out approach, some privacy advocates said Wednesday. Dozens of online ad networks allow users to opt out of being tracked as a way to deliver behavioral advertising, and in most cases, the opt-out is stored in a cookie that goes away every time the users clear their browser cookies, privacy advocates said during a discussion of online advertising at the Computers, Freedom and Privacy Conference in Washington, D.C. Some advertisers require that people opt out of targeted advertising every month, and some advertisers make the opt-out link difficult to find, said Christopher Soghoian, a fellow at the Berkman Center for Internet & Society at Harvard University. Some opt-out mechanisms aren't even functional, he said. Soghoian, while creating a single opt-out mechanism for the Firefox browser, found more than 40 advertising networks, he said. "How can we expect consumers to visit 40 or 50 different online advertisers, opt out, then revisit these sites every six months or every year, and then, when they delete their cookies, go back again?" he asked.

At last, my summer reading list is complete!

In what it described as an historic document, the National Institute for Standards and Technology issued a special report entitled Recommended Security Controls for Federal Information Systems and Organizations. Special Publication 800-53, Revision 3, is historic in nature. For the first time, and as part of a continuing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for national security and non-national security systems in its latest revision, No. 3, of Special Publication 800-53. "The important changes described (in the publication) are part of a larger strategic initiative to focus on enterprise-wide, near real-time risk management; that is, managing risks from information systems in dynamic environments of operation that can adversely affect organizational operations and assets, individuals, other organizations, and the nation," Ron Ross, NIST's Federal Information Security Management Act implementation project leader, said in a message incorporated into the 220-page report. According to the document, the updated security control catalogue incorporates best practices in information security from the Department of Defense, intelligence community and civilian agencies to produce the most broad-based and comprehensive set of safeguards and countermeasures ever developed for information systems.

Too many companies leave themselves vulnerable to employees' ignorance or purposeful flouting of the rules when it comes to information security, suggests a survey conducted by (ISC)2. Focused on the 'basics' of policy management, the survey revealed that organisations are becoming confident in their ability to comply with the policies and procedures set out to secure their organisations. Analysis of the results, however, reveal education efforts to be immature, with most concerns relating to accountability and company-wide understanding of what is required. The survey questioned 737 information security professionals last month about their organisation's efforts in policy and awareness management. A great majority, 80 percent, said their company's ability to comply with security policy was satisfactory, good or very good, leaving only 20 percent saying they were dissatisfied. However, this confident stance was tempered by concerns from nearly half of the respondents over a lack of training (48 percent) and poor employee understanding of policy (46 percent); a lack of defined accountability (42 percent); and an unsupportive company culture (48 percent). These obstacles to compliance with policy were cited by significantly more respondents than other issues of traditional concern, including a lack of budget, which only 22 percent were concerned about, and the ability to procure the latest technology, which concerned only 19 percent of respondents. "The challenges are shifting from the systems to the people," says John Colley, CISSP, managing director for EMEA (Europe, Middle East, Africa) for (ISC)2. "The relatively little concern expressed over budgets suggests security continues to be viewed as a business imperative, even in the current economic climate. Unfortunately, security requirements are not yet well understood, or worse flouted, often with management support, in order to get a job done. There is a colossal task ahead to ensure all emplo

Ignorant People are a big security risk.

The intersection of dr/bc, privacy & security should be preservation of business value.

What are the key elements of disaster recovery (DR) planning and design? While there's no one-size-fits-all solution, a data asset inventory that includes conducting a data classification project and assessing the potential risk for disaster from within your company will help you protect all of your data resources. In broad terms, you need to determine the recovery point objective (RPO) and recovery time objective (RTO) for different parts of the business and put together an effective data protection plan to achieve this. You should start by performing a business impact analysis.

Things to think about for auditors during a downturn

As IT environments are becoming more complex, enterprises are relying on them more than ever before, said Michael Juergens, principle at Deliotte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate this risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En

Data classification is a cornerstone of good privacy & security management. If you can measure it, you can manage it, right? First you have to know where it is.

Why classify data? Classifying data can help make data more accessible (or less accessible) to the users in your environment who need it. For example, suppose the Human Resources department created a folder on the file server within their department called Litigation. In this folder they place files that are needed for any litigation the company is associated with. The permissions on the folder are configured so that HR employees can edit the contents of the folder and add documents. Senior management can read the documents in the litigation folder, and the HR manager can remove documents that are no longer needed. The question is, how is it determined that a document is no longer needed and how do we apply these criteria to existing files in such a way that minimizes user interaction with them? The new classification feature in Windows Server 2008 R2 makes it possible to automatically assign classification information to files on file servers and apply policy to them based on that information. Classification in Windows Server 2008 R2 consists of several elements: properties, rules, and a policy segment including reporting and file management. Properties are the fields that you wish to assign a value for, and the rules are the criteria that set these values. There are other methods of classification available as well, including applications and scripts. More detailed examination of the methods of configuring the File Classification Infrastructure will follow in a future post. For the above example, a rule would be used to label a set of files in the Litigation folder. Adding a label such as Litigation-Case Number X (where X is the number of the case) can allow easy organization of files for each litigation case. When the classification rule is run against the specified folder, all files meeting the rule conditions would be classified with an appropriate label. You could use an expiration date here, but doing that might require reclassification of files if the ex