Tuesday, January 31, 2012

Privacy in the EU

The EU has proposed some new rules around privacy for companies. This of course could affect multinational companies directly, but also will have an important impact in the global debate on privacy. The proposals are not legislation and it seems likely that there will be a protracted debate within the EU before they become legislation.

The proposals call for more prescriptive solutions to some of the issues involving privacy. For example they propose a new "data protection officer" who would be charged with the administrative responsibilities, working with companies to make the rules happen.

The proposals also establish a "right to be forgotten" under which people could request that their information be removed from a company or organization where there is not a strong reason to retain it. This is a natural extension of the established "purpose of requesting" rules, under which companies must state their reasons for retaining the information.

For a write-up on the new proposals, check this link..

Monday, January 23, 2012

Encryption Matters

Online retailer Zappos recently announced that hackers have broken into its system and stolen personal customer information. They then notified the customers and advised them to change their passwords.

The hackers broke into the system through one of their offsite servers. They then found their way into the customer data files.

The files contained passwords for the customer accounts, which were encrypted. However, the company is concerned that the encryption may be broken through the use of rainbow tables. Such tables are pre-computed algorithms that can calculate in reverse the encryption ciphers and then reveal the original text of the passwords. A common defense against rainbow tables is the use of salted encryption, under which a layer of (salt) or unique identifiers is applied to the password files, which causes the ciphers to be unique to each password. Therefore solving one cipher does not open up the other passwords. The Zappos concern about the use of rainbow tables might be an indication that salted encryption was not used.

The big take-away from this incident is that the the type of encryption used in a system is critical. Most everyone knows by now that encryption of sensitive data is crucial to system security, but not everyone is aware of the many ways to execute the encryption and the risks that can accompany some of them.\

For a write-up on the announcement, check this link.

Tuesday, January 17, 2012

Advanced Persistent Threats (APT)

Security budgets of many organizations are being stretched by APT, a form of cyberattack that has been around for years, but which has been growing in occurrence and getting increasingly sophisticated.

APT, as the name indicates is a persistent kind of attack as distinct from a one-off assault by a passing hacker. In an APT attack, the hacker employs stealthy techniques, hangs in there for long periods of time, launches monitoring and intrusive software and generally persists towards achieving the target. Normally, the target is to steal sensitive or otherwise valuable information, often intellectual property. For a more complete description of APT, check this article.

The incidence of APT reportedly arose from the activities of certain foreign interests, notably but not exclusively from China and Russia.

A recent survey indicates that security budgets have gone up by 6 - 10% among 32% of the respondents and by more than 10% by others, showing that APT is being taken seriously by those organizations and their executive. For more on the survey, check this link.

Friday, January 13, 2012

Turning Risk Into Advantage

The KPMG Institute periodically posts cases of considerable interest. In this one, it deals with risk, which is central to the field of IT controls and assurance. It.s called Turning Risk into Advantage. As the Institute says, it's:

"A case study [that] provides an overview of a company that transitioned from a siloed, passive approach to risk management to one that looks at risk in a holistic, enterprise-wide fashion, and in the process, gained a competitive advantage.

This case study examines how the company fostered clear accountabilities and responsibilities for risk management; balanced risk and return through an understanding of risk and what the appetite for that risk is; embedded risk management as part of the overall business strategy."

Read Turning risk into advantage: A case study

Friday, January 6, 2012

Newly Published Security Books Raise an Important Question - The Risk in Peripheral Devices

"Two recently-published books, "America the Vulnerable" by Joel Brenner, a former official at the National Security Agency (NSA) and "When Gadgets Betray Us," by writer and security analyst Robert Vamosi, have one theme in common: We've come to depend on modern networks and technology, but the compromise of them by attackers is a serious threat to both individuals and society as a whole."

In our modern world, we have so many devices that are vulnerable to intrusion or data theft it boggles the mind. Such devices include RFID chips, security web-cams (paradoxically), power girds (a National Security issue), and automobile systems like keyless entry and vehicle immobilzation. For example, hackers "could falsify readings from the fuel gauge and speedometer; disable the antilock brakes, selectively brake individual wheels on demand, and even stop the engine. Researchers found they could do this even while the car was speeding down a highway." Also, there are home security systems, building keyless entry, and a growing number of home appliances, like oven ranges, refrigerators, and entertainment systems.

To some, these may seem relatively harmless, but these systems might contain private information and also could be used to compromise a home or business for break-ins or sabotage.

It's a growing issue for IT Professionals and security specialists. For a good article on this area, check this link.    

Tuesday, January 3, 2012

Mobile Security Ramps Up

The growth of the use of smart phones is widely known. The fact that companies are allowing, even encouraging BYOD (Bring Your Own Device) for their employees is another known trend. A newer trend is the use of smart phones for payment - by swiping them near a device attached to a cash register. Put these together and you have a pending problem with security.

Devices that can be used for payments have connections to bank accounts. Devices that are used for corporate purposes have connections to corporate data. So hackers are showing a renewed interest in mobile devices. They are encouraged by the known fact that hardly anyone places security on their phones. Not even a basic password. And yet, much more than passwords are needed. Those other basics of security - encryption and security software - are also needed. And the average person gives it little thought.

Time to think about it. Check out this article.

Monday, January 2, 2012

Cloud Security in Choosing a Supplier

Security is important for cloud applications, of that there is no doubt. However, security processes vary among suppliers, and the differences can be significant. For example, encryption is usually an indispensible part of the security structure. Most will offer encryption of some kind, but there are several questions to explore. Who does the encryption and who controls the keys. Is there security on the wire or just when it is in storage? Is the encryption secure when data is transferred from storage to memory and back? These and other questions can make all the difference in the security of a system, For more, check this link.