Wednesday, April 27, 2011

Sony Playstation Data Stolen

Continually increasing connectivity means there are more vulnerability points than ever. Recently Sony announced that their Playstation database has been hacked and customer data stolen. Most of the data appeared to be name, address and purchase information, but Sony could not rule out the possibility that credit card information had been stolen too.

Playstations are connected to the internet and have the capability to buy products online, so they make a prime target for data theft. This attack demonstrates how the security of data must be structured to take into account all such points of vulnerability, and finding such points calls for more imagination than in the past. For more details on the Sony breach, check out this article.

Monday, April 18, 2011

Comments Welcome on New COBIT Process Assessment Model

ISACA® recently conducted a global survey to learn about related market needs, and the results showed that 89 percent of the nearly 1,400 respondents said that they need, and would find value in, a rigorous and reliable IT process capability assessment. Based on this research, an exposure draft of the COBIT Process Assessment Model (PAM) was developed. This exposure draft is now available for review and comment on ISACA’s web site through Thursday, 12 May 2011. This is a great opportunity to have an impact on this globally recognized guidance that has helped thousands of enterprises around the world. To comment, go to this link.

A New Threat for Firewalls

Firewalls are one of the mainstays of corporate security. They form in many cases the crucial point for establishing adequate security. However, a new threat has emerged.

"NSS Labs of Carlsbad, Calif., recently tested half a dozen network firewalls to evaluate security weaknesses, and all but one of them was found not to be vulnerable to a type of attack called the "TCP Split Handshake Attack" that lets a hacker remotely fool the firewall into thinking an IP connection is a trusted one behind the firewall." To read more, click this link.

Thursday, April 14, 2011

The Internet - A False Sense of Security

With the extensive use of the internet, including the movement to the cloud, the growing and pervasive use of social media and the extensive use of the internet for email, messaging and simply finding information, people generally have grown accustomed to the Internet, and familiar with the major providers of applications, such as Facebook, Microsoft, Google, etc.

While at one time not so long ago, people generally were wary of the internet, refusing for example to purchase on websites for fear of having their payment information stolen (or the payment itself), now a certain complacency has crept in, prompted not only by this familiarity but also by an increased sophistication of most users - a sophistication that enables them to identify simple phishing expeditions and phony offers of large sums of money.

But the problem is that the growing sophistication is more than offset by the deviousness of the various hacking and phishing attempts and the speed of change in such ploys.

A recent report by Symantec, the security company, shows that the complacency is dangerously misplaced. The report reveals that web based attacks increased an incredible 93% from 2009 to 2010. The attacks were high prior to 2009, so the base is not modest. One presumes that increases of considerable magnitude have continued in 2011. So it is getting much harder to avoid being a victim.

One of the more common tools employed by phishers is the shortened URL, the kind that people have become familiar with on social networking sites. These shortened URLs effectively hide the real URL, making it possible for a message to masquerade as being, say, from a well known bank, while the URL has nothing to do with the bank. Regular users of the Internet can often tell from a regular URL whether it is likely to be legitimate. With shortened URLs, this is difficult or impossible. And the flavour of the day is targeted attacks, directed at particular companies or individuals, often in an attempt to obtain the personal information of customers.
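The practical countermeasure to the hiding effect described above is to expand a shortened URL before trusting it: follow its redirect chain one hop at a time, without loading the final page, and compare the destination hostname against the brand the message claims to come from. The code below is an added example, not part of the original post or of any shortener's own tooling. The redirect table, hostnames and the helper names `expand_short_url`, `matches_claimed_brand` and `fetch_location_live` are all constructed for illustration; the hop resolver is pluggable so the same logic runs offline against the sample table or, with `fetch_location_live`, against real HEAD responses.

```python
"""Expand a shortened URL hop by hop and check where it really lands.

Added example (not from the original post). The redirect table below is
constructed; the hostnames in it are placeholders, not real shorteners.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the Location headers a shortener's 30x responses
# would return. Each key redirects to its value; absent keys are final pages.
SAMPLE_REDIRECTS = {
    "https://sho.rt/abc123": "https://redir.example/xyz",
    "https://redir.example/xyz": "https://secure-bank-login.example.net/verify",
    "https://sho.rt/legit": "https://www.examplebank.example/",
}


def fetch_location_from_table(url, table=SAMPLE_REDIRECTS):
    """Offline resolver: return the next hop for `url`, or None if it is final."""
    return table.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each hop can be inspected individually."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then surfaces the 30x as an HTTPError


def fetch_location_live(url, timeout=5):
    """Network resolver (not used by the offline checks below).

    Issues a HEAD request and returns the resolved Location header without
    following it, or None when the response is not a redirect.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location")
        if 300 <= err.code < 400 and location:
            # Location may be relative; resolve it against the current hop.
            return urljoin(url, location)
        return None


def expand_short_url(url, fetch_location=fetch_location_from_table, max_hops=10):
    """Return the full list of URLs visited, starting with `url`.

    Stops at the first hop that is not a redirect. Raises ValueError on a
    redirect loop or when the chain exceeds `max_hops`, both of which are
    themselves signals worth surfacing rather than silently truncating.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError("redirect loop detected at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def matches_claimed_brand(final_url, claimed_domain):
    """True only if the destination host is `claimed_domain` or a subdomain of it.

    Note that 'examplebank.example.net' does NOT match 'examplebank.example':
    the check is on the registrable domain, not on a substring.
    """
    host = (urlparse(final_url).hostname or "").lower()
    claimed = claimed_domain.lower()
    return host == claimed or host.endswith("." + claimed)


def assess_link(short_url, claimed_domain, fetch_location=fetch_location_from_table):
    """Expand the link and report whether it ends up where the message claims."""
    chain = expand_short_url(short_url, fetch_location)
    return {
        "chain": chain,
        "final": chain[-1],
        "matches_claim": matches_claimed_brand(chain[-1], claimed_domain),
    }


if __name__ == "__main__":
    for link in ("https://sho.rt/abc123", "https://sho.rt/legit"):
        result = assess_link(link, "examplebank.example")
        print(link, "->", result["final"], "| matches claim:", result["matches_claim"])
```

The important design point is that the resolver never fetches the page body and never follows a redirect automatically: every hop is recorded, so a chain that bounces through several intermediaries before landing on a look-alike host is visible in full, and a loop or an unusually long chain is reported rather than hidden.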

People can't afford to be complacent about web based security, meaning they need to take precautions seriously. It also means web based providers need to ramp up their security efforts. 93% increases are simply not acceptable.

Tuesday, April 12, 2011

PIPEDA Due for an Update

The US Congress is now in process of considering updating its Electronic Communications Privacy Act (ECPA) to deal with the impact of smart phones, social media and cloud computing. None of these areas were serious issues when the act was first written in 1986. In Canada we have the Personal Information Protection and Electronic Documents Act (PIPEDA). Although this act is newer, last updated in 2008, there may be a case for further update to reflect the fast changing issues around mobility, the cloud and social media.

Now those areas are huge. For example, the use of location based marketing and location based information for investigations have escalated greatly with the growing power of mobile units, bringing forward the question of just how private is a person's location at any point in time. Social media raises a host of issues around the provision of information about users on the sites, some of which have been addressed in Canada by the Privacy Commissioner, particularly in reference to the privacy practices of Facebook. However, the question is - does the act adequately address the issues arising from other social media?

The US Department of Justice objects to the Congressional thinking of updating the Act. They feel that the principles of privacy are adequately covered in the existing act. The Privacy Commissioner of Canada keeps a watching brief on these issues and the need for legislative changes. But the challenge is growing more complex daily. Are general principles enough?

Tuesday, April 5, 2011

Conquering the Security Silos

You would think that with all the attention in recent years to organizational silos and the need to work across them or at least interact, that this problem would be largely licked.

Such is not the case, at least in the area of IT Security. A recent survey carried out at the 2011 RSA conference looked into coordination between IT Security, IT Operations and Risk Management teams across the organization and found that, while coordination between those groups has jumped considerably, it still stands at 47%. In other words, less than half of the organizations conduct such coordination.

Security in organizations needs to be managed organization wide because the alternative is to invite holes in the overall security umbrella. That's one of the reasons why organizations need Chief Security Officers with the authority to require cross organizational coordination. Hopefully this aspect of IT Security continues to improve. For a summary of the report, click this link.