Wednesday, March 28, 2012

Black Holes a Major Security Concern

Scotiabank recently named black holes as its major security issue for 2011. They encountered a concerted effort by hackers to draw their people into them through setting a variety of traps (some 50 types of them, they said). When users click on the URLs in the traps, they are drawn into a series of illicit domains that search their computers for vulnerabilities and then plant viruses that exploit these vulnerabilities. The viruses are shielded so that the anti-virus software can't recognize them. The most effective way to safeguard against these black holes is to block the URLs that lead to them, but this is a big job and depends on having a knowledge of what those URLs are. Scotiabank managed some success in dealing with them, as explained in this article.
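The blocking approach described above depends on matching requested URLs against a list of known bad domains. As an added illustration (not code from the original post or from Scotiabank), the following Python checks constructed proxy log lines against a constructed blocklist. The domain names, users and timestamps are all placeholders invented for this example. It shows the two mistakes a naive filter makes: matching the bad domain as a substring anywhere in the URL (which flags a search query that merely mentions the domain) and missing subdomains of a listed domain.

```python
"""Domain blocklist check over constructed proxy log lines (added example)."""
from urllib.parse import urlsplit

# Constructed blocklist of hypothetical domains; these are placeholders,
# not real indicators from the article.
BLOCKLIST = {"bad-example.test", "exploit-kit-landing.example"}

# Constructed proxy log: "<timestamp> <user> <url>" per line.
SAMPLE_LOG = """\
2012-03-28T10:01:02 alice https://intranet.example/home
2012-03-28T10:01:05 bob http://cdn.bad-example.test/landing.php
2012-03-28T10:02:11 carol https://search.example/?q=bad-example.test
2012-03-28T10:03:40 dave http://notbad-example.test/
2012-03-28T10:04:00 erin http://EXPLOIT-KIT-LANDING.example/redir
"""


def host_of(url):
    """Return the lower-cased host part of a URL (empty string if none)."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_blocked(url, blocklist=BLOCKLIST):
    """True if the URL's host, or any parent domain of it, is on the list.

    Matching on the parsed host rather than the raw URL string means a
    blocked name appearing in a path or query does not cause a hit, while
    checking each parent domain catches subdomains such as cdn.<bad>.
    """
    labels = host_of(url).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def naive_is_blocked(url, blocklist=BLOCKLIST):
    """The substring approach, kept only to show what it gets wrong."""
    lowered = url.lower()
    return any(domain in lowered for domain in blocklist)


def flagged_requests(log_text, blocklist=BLOCKLIST):
    """Return (user, url) pairs from the log whose host is blocked."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, user, url = line.split(maxsplit=2)
        if is_blocked(url, blocklist):
            hits.append((user, url))
    return hits


if __name__ == "__main__":
    for user, url in flagged_requests(SAMPLE_LOG):
        print(f"BLOCKED {user}: {url}")
```

Run against the sample log, only bob's and erin's requests are flagged; carol's search query that mentions the domain and dave's look-alike domain are left alone, whereas the substring version would flag carol.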

Friday, March 23, 2012

Growing Security Issues - IBM's Response

It's no secret that security has been increasingly challenging in recent years. The challenges have been growing at an alarming rate, with some security experts claiming that the situation is becoming unmanageable. The scale and sophistication of hacker organizations, such as the one called "Anonymous", has outstripped the capabilities of most security systems except (perhaps) some of the world's most secure sites.

IBM has announced the formation of a new business unit, IBM Security Systems - a complete unit of the company that combines its massive data analytics capability with its IBM Managed IT Services, another area for which IBM is well known. Amazingly, IBM security systems monitor some 13 billion security incidents PER DAY, which indicates the company's expertise is beyond question.

This announcement comes on the heels of the announcement by Big Blue of a new security tool, QRadar, which applies powerful data analytics to security-related data. These are significant events, and important advances in the interests of fighting cyber crime. Here's an article on the subject.

Wednesday, March 21, 2012

Need for Better Security on Smartphones

The Privacy Commissioner of Canada is calling for people to use passwords on their smartphones. She points out that they already contain a lot of personal information (and often sensitive corporate information) that should be protected. Security on phones is very lax now, but the need for it is growing daily. Also, the pending movement into mobile payment systems will make smartphones much like wallets, with perhaps even greater risk.

Some experts say it is time that manufacturers were required to install mandatory password systems. Not an unreasonable proposition, given the security risks out there. Here's a write-up on the Commissioner's thoughts.

Monday, March 19, 2012

Courts Strengthen Privacy Law

In a recent case involving two bank employees, Jones vs Tsige, in which one of them accessed the bank records of the other for personal reasons, the Ontario Court of Appeal granted the offended party the right to pursue an action, despite the fact that there was not a clear legislative basis for the action. Current privacy laws do not cover such events.

The decision also did not require a measure of damages, which is one of the normal foundations for civil litigation. Instead it established a standard remedy based on a scale of importance.

The decision could trigger a new era in privacy law, whether or not it is followed up with new or revised legislation. The court indicated that in making the decision, it is trying to keep pace with rapidly changing technology, which is making access to information increasingly difficult to protect.

For a summary of the case, check this article.

Thursday, March 15, 2012

COSO Exposure Draft - Comments Due Soon

On 19 December, an updated Internal Control - Integrated Framework (COSO) was released for public comment. The deadline for comments is March 31, 2012. ISACA provided a webinar on February 23 which is archived on its site. For further information and to provide comments, visit the COSO site at

Monday, March 12, 2012

How Security Attacks are Gaining Intensity

Internet-based security attacks are becoming more sophisticated and more intense. Hackers now have an arsenal of tools suitable for all stages of a user's activity cycle, including:

  1. Prelogin - before the user initiates a transaction
  2. Login - while the user is logging into the Web application
  3. Postlogin - immediately after authenticating to an online banking site
  4. Transaction - while the user is conducting a sensitive business transaction
  5. Post-transaction - after the transaction has been approved

The user is never safe, and must be on guard at all stages. This gets complicated. For more, check out this article.

Wednesday, March 7, 2012

10 Lessons from the RSA Conference

If there is any summation of the RSA conference this past week, it is that the spread of mobile units, social networking and the cloud has changed the way security is handled in organizations, creating vast new challenges. In this article, 10 lessons from the conference that support this conclusion are succinctly summarized.

Saturday, March 3, 2012

Gloom and Doom at the RSA Conference

In San Francisco, the world's security experts are meeting and discussing the latest hacking episodes that have plagued industry and, in particular, highly sensitive companies like those in the defence industry. RSA is the organization behind the high-end codes that safeguard computer systems and their data. However, even RSA has been hacked, and the codes used to hack into Lockheed Martin, the major defence contractor.

At stake is national security as many of the current and most intrusive hackers are sponsored by foreign governments interested in gaining information about the latest technologies going into defence systems in the US. Clearly some strong action is needed.

If high-end defence contractors can be hacked, with their super-strong encryption and password systems, what chance does a regular company have? Probably none if a serious hacker gets interested.

This is our greatest security challenge of modern times, and innovative solutions are needed to address it. Eventually it will be addressed effectively. But in the meantime, close monitoring is the order of the day. Check out this news release on the subject.

Thursday, March 1, 2012

RSA Conference - A Gloomy View

The annual RSA Conference, arguably the most prominent security conference in the world, is taking place in San Francisco this week. This year, the participants seem to be particularly gloomy about our ability to control cyber threats, even to the point of suggesting the development of an Internet kill switch! The specifics are well known - such as big data and the threat to privacy, and mobile units as a back door to corporate systems. For a good rundown, check out this article.