Jul 22, 2009

Cloud Security vs Twitter Security Incident


The recent information leakage incident at Twitter should not be considered a cloud security weakness. Reading through various blogs and Twitter's own description, it looks like the real cause was the weak security practices of a Twitter employee.

Like many other users, I use Google Apps for various solutions, email among them. So if there is a security issue in the Google cloud, it is a threat to my applications as well. This made me look into the details of this security incident.

My conclusions are the following:
  • You need to establish good security practices
  • You need to educate your staff on password management practices
  • You should have a solid password policy. I would suggest at least 8 alphanumeric characters, special characters if possible, and a 45-day expiry
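The password policy above, encoded as a check that can be run over a list of accounts. This is an added example, not code from the original post or from Twitter; the threshold names, the set of "special" characters and the sample accounts are my own assumptions. Length and the letter/digit mix are treated as hard requirements, while special characters are "if possible" in the post and so only produce a warning.

```python
from datetime import date, timedelta

# Policy thresholds taken from the post; the constant names are mine.
MIN_LENGTH = 8
MAX_AGE_DAYS = 45
# Assumed set of characters that count as "special" for this policy.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")


def check_password(password: str) -> dict:
    """Evaluate a candidate password against the stated policy.

    Returns {"errors": [...], "warnings": [...]}.  An empty "errors"
    list means the password is acceptable; "warnings" carries the
    recommended-but-optional special-character rule.
    """
    errors, warnings = [], []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("must contain a letter")
    if not any(c.isdigit() for c in password):
        errors.append("must contain a digit")
    if not any(c in SPECIAL_CHARS for c in password):
        warnings.append("should contain a special character")
    return {"errors": errors, "warnings": warnings}


def password_expired(last_changed: date, today: date) -> bool:
    """True once a password is older than MAX_AGE_DAYS."""
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


def accounts_needing_action(accounts: list, today: date) -> list:
    """Return the names of accounts whose password is expired or non-compliant.

    `accounts` is a list of (name, password, last_changed) tuples.
    """
    flagged = []
    for name, password, last_changed in accounts:
        if check_password(password)["errors"] or password_expired(last_changed, today):
            flagged.append(name)
    return flagged


# Constructed sample data; not taken from the post or the Twitter incident.
SAMPLE_ACCOUNTS = [
    ("alice", "Tr0ub4dor&3", date(2009, 6, 30)),  # compliant, 22 days old
    ("bob", "password", date(2009, 6, 30)),       # no digit, no special char
    ("carol", "Summer2009!", date(2009, 4, 1)),   # compliant but expired
    ("dave", "Ab1", date(2009, 7, 20)),           # too short
]

if __name__ == "__main__":
    today = date(2009, 7, 22)
    for name, pw, changed in SAMPLE_ACCOUNTS:
        state = "expired" if password_expired(changed, today) else "current"
        print(name, check_password(pw), state)
    print("needs action:", accounts_needing_action(SAMPLE_ACCOUNTS, today))
```

Running it on the sample data flags bob (missing digit), carol (expired) and dave (too short); alice passes both the complexity and the age check.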
Another interesting thing I saw in the Twitter blog is that the Twitter CEO's wife's account held family personal details and no official information. This is another key aspect to be concerned about.

There should be an email/internet usage policy that details the restrictions on using personal accounts for business. The policy should also clearly state that personal email shall be used neither for communicating business information nor for storing it.

Remember the Sarah Palin email hacking case, where the hacker claimed to have obtained government information by breaking into her personal email account.

The Twitter incident is a personal security incident and not a cloud security concern at this point.

I can sleep well without nightmares about cloud security, at least for a while.

Jul 20, 2009

PCI DSS Guideline on Wireless Networks

The PCI Council has published the guideline prepared by the PCI SSC Wireless Special Interest Group (SIG) Implementation Team, named PCI DSS Wireless Guideline (Information Supplement), to address wireless security in the cardholder data environment (CDE).

https://www.pcisecuritystandards.org/pdfs/PCI_DSS_Wireless_Guidelines.pdf

This guideline has come out four years after the security incident (TJ Maxx) that triggered the need for such a standard.

Jul 10, 2009

France Creates New National IT Security Agency

France has created a new national IT systems security agency to better defend its IT networks.

The French Networks and Information Security Agency (FNISA) will conduct a round-the-clock watch on sensitive government networks in order to detect and respond to cyberattacks.

That mission is increasingly important, as U.S. and South Korean government authorities have battled this week with attacks on their information infrastructures.

The French agency will also advise government departments and commercial network operators on best practices, and provide information about information security threats and how to avoid them to the general public.

In addition, FNISA will help develop trusted IT products and services for use by French companies and government networks. The possibility that key network infrastructure purchased from foreign suppliers could contain hidden “back doors” allowing them to spy on communications has become a concern for governments in recent years. A plan by Chinese network equipment manufacturer Huawei Technologies to acquire a stake in U.S. vendor 3Com in 2007 fell apart after U.S. lawmakers raised questions about the potential effect on national security.

FNISA was set up at the request of President Nicolas Sarkozy following a review of defense and national security last year. Its creation was announced in the government’s Official Journal on Wednesday.

The agency is recruiting, and the vacancies to be filled give a taste of what concerns it.

For one post, it is looking for an engineer with experience in securing VOIP systems — on desktop and mobile systems.

Another post will deal with the security of the physical layer of wireless communications systems, including Wi-Fi networks and contactless payment systems.

Source: PC World. http://www.pcworld.com/article/168135/france_creates_new_national_it_security_agency.html