Group items tagged

Small business owners' cybersecurity policies and actions are not adequate enough to ensure the safety of their employees, intellectual property and customer data, according to the 2009 National Small Business Cybersecurity Study. The study, co-sponsored by the National Cyber Security Alliance (NCSA) and Symantec [Nasdaq: SYMC], as part of this year's National Cyber Security Awareness Month, surveyed nearly 1,500 small business owners across the United States about their cybersecurity awareness policies and practices.

The survey shows discrepancies between needs and actions regarding security policies and employee education on security best practices.

The study found that while more than 9 in 10 small businesses said they believe they are safe from malware and viruses based on the security practices they have in place, only 53 percent of firms check their computers on a weekly basis to ensure that anti-virus, anti-spyware, firewalls and operating systems are up-to-date and 11 percent never check them.

The new partnership appears to be part of an effort to move past previous agency turf wars. Last March, for example, Rod Beckstrom resigned from his position as director of the DHS' National Cyber Security Center, citing insufficient funding and support. In his letter of resignation to Napolitano, Beckstrom said the DHS's cybersecurity efforts are "controlled" by the NSA. Meanwhile, it is not uncommon for government departments and agencies to enter into formal agreements to work together on certain issues and to “swap” employees to improve synchronization, Marcus Sachs, director of the SANS Internet Storm Center, told SCMagazineUS.com on Thursday. This agreement is particularly important because the DoD and DHS have a joint mission to protect the United States in cyberspace, he said.

This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.

“DHS has already demonstrated that they are focusing on the critical controls....They are focusing on effectiveness measures, rather than make work”

The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.

Content, for now, is meager. A list of tips for individuals to secure their personal computers is found in the website's resources page as well as links to Langevin's and McCaul's press releases regarding cybersecurity in the site's media center.

Yet those data centers, according to EPA figures cited by NIST, consume 1.5% of all electricity generated in the United States (compared with 0.6% worldwide in 2000). Globally, IT produces 2% of CO2 emissions.

Businesses that go with cloud computing could improve sustainability in two ways. First, companies maximize servers by sharing them, so fewer machines are chugging away. Second, on-demand usage means that firms needn’t consume way above their needs during slow times in order to be ready for busy times.

APT is the new way attackers are breaking into systems.

APT is a sophisticated, mercurial way that advanced attackers can break into systems, not get caught, keeping long-term access to exfiltrate data at will. 

APT focuses on any organization, both government and non-government organizations.

So what amount of grit does your institution have when it comes to backing up its security policies?

Think about your answer. It's not just jobs at stake here; it's the integrity and security of entire organizations.

The security failure, one of the several largest in nearly two years, involves nearly two-thirds of the insurers' subscribers. It became known only after The Inquirer requested information Tuesday evening. The insurers said the drive was missing from the corporate offices on Stevens Drive in Southwest Philadelphia. It noted that the same flash drive was used at community health fairs. "That seems grossly irresponsible," said Dr. Deborah Peel, a Texas psychiatrist who heads Patient Privacy Rights, an advocacy group.

The news of the breach comes at a time when there is more emphasis - and billions of dollars in federal funding - to develop protocols for electronic medical records, with information being shared among providers, insurers, and consumers.

Paul Stephens, director of policy for the Privacy Rights Clearinghouse, said that data breaches in the finance and retail sectors tended to involve more people, but that health data are very sensitive and may also contain payment information.

Thing is, the pitch is less believable these days, and the atmosphere is becoming downright hostile. We face more and larger breaches, increased costs, more advanced adversaries, and a growing number of public control failures.

Behavioral Advertising Online behavioral advertising – the practice of tracking someone’s online activities to deliver targeted advertising – can raise potential privacy issues.  Do you disclose your practices to your customers and honor your promises? Children’s Online Privacy The Children’s Online Privacy Protection Act (COPPA) gives parents control over what information websites can collect from their kids. If you run a website designed for kids or have a website geared to a general audience but collect information from someone you know is under 13, you must comply with COPPA’s two main requirements. Credit Reports Does your business use credit reports to evaluate customers’ credit worthiness? Do you consult credit reports when considering evaluating applications for jobs, leases, and insurance? Here is information about your responsibilities when using, reporting, and disposing of information in those credit reports. Data Security Many companies keep sensitive personal information about customers or employees in their files. Having a sound security plan in place can help you meet your legal requirements to protect that sensitive information. Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data. Health Privacy If you offer or maintain personal health records online, you could be covered by the FTC’s Health Breach Notification Rule. Are you familiar with your legal obligations in case of a security mishap? Red Flags Rule The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs  – or red flags – of identity theft in their day-to-day operations.

ONE: If your enterprise isn’t in energy, defense, or finance, it’s not a high priority target so don’t spend money like it is.

TWO: If you do lead a company in one of those 3 sectors, there’s nothing on the market today that will stop an adversary from stealing your most valuable data. The best that you can hope for is to raise the cost to an adversary to mount a successful attack against you, which means he’ll target a less well-protected company instead. This is known as the You-Don’t-Have-To-Outrun-The-Bear School of Security.

THREE: Your IT department’s job is not to protect you. It’s to protect the enterprise’s network. That makes you and your C-level colleagues the “10 ring” of the target.

During the hack, he set up his own wireless hotspot, which he simply called BT Openzone. As delegates used the wireless service, Hart was able to get hold of whatever usernames and passwords were being typed into web applications, just by using an easily downloadable password recovery tool called Cain & Abel.

When Hart and his team tested out the method across cafes in the UK, 100 per cent of web browsers in the various establishments used the fake BT Openzone service.

“That’s how easy it is, it is instant,” said Hart.

Here are five steps your company can implement quickly and cost-effectively.

1. Deploy comprehensive endpoint security to check endpoint devices for spyware and malware.

2. Ensure that user devices adhere to defined corporate security policies before, during, and after network connection.