Sep 26, 2010

CIOs more concerned than ever about social media and data loss

Survey finds security breaches due to social networking more pressing than ever

A new survey from email security firm Proofpoint finds more organisations are dealing with data loss and security breaches due to employee use of social media sites. Proofpoint polled 261 IT decision makers at organisations with more than 1000 employees. Respondents were asked about the frequency of data loss events in the past 12 months, as well as their concerns, priorities and policies related to email, the web, social media and other sources of data loss risk.

The survey found 20 percent of companies polled had investigated the exposure of confidential, sensitive or private information via a post to a social networking site. In many instances, the events have been severe enough to lead to job loss or disciplinary action, with seven percent of companies reporting termination of an employee for social networking policy violations. Another 20 percent disciplined an employee for not following social networking policy.


Interpol head has identity stolen on Facebook

He's one of the most powerful people in world policing, but on Facebook Interpol chief Ronald K. Noble is just as vulnerable to identity theft as anyone else. At last week's inaugural Interpol Information Security Conference in Hong Kong, secretary general Noble revealed that criminals had set up two accounts impersonating him on the networking site during this summer's high-profile global dragnet, 'Operation Infra-Red'.

The fraud was discovered only recently by Interpol's Security Incident Response Team. "One of the impersonators was using this profile to obtain information on fugitives targeted during our recent Operation Infra-Red," Noble told delegates.

Infosys CEO: People willing to trade privacy for tech benefits

"You allow that privacy to be compromised for a benefit," says CEO Kris Gopalakrishnan

People are willing to adjust their ideas about privacy if they can benefit from revealing more of their personal information, the CEO of Infosys Technologies said Thursday.

"You allow that privacy to be compromised for a benefit," CEO Kris Gopalakrishnan said during a talk at MIT's Emerging Technologies conference. The definition of privacy must now take into account whether personal information is "properly used to give additional benefits," he said.

Mar 9, 2010

Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

NIST has recently released the final publication of the "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach".

This NIST special publication (NIST Special Publication 800-37, Revision 1) can be downloaded from csrc.nist.gov website.

As per this guide, the Certification and Accreditation process for federal government information systems is transformed into a Risk Management Framework that stresses security from an information system's initial design phase through implementation and daily operations.

It places equal emphasis both on defining the correct set of security controls and on implementing them in a robust continuous monitoring process.

This is similar to the various secure software development processes such as MS SDL and OWASP CLASP.

The guide can be downloaded from here.

Guide to ISO 31000

Three risk associations, Airmic, Alarm, and the IRM, have collaborated to publish a free guide to ISO 31000 titled "A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000".

The guide is organized in two parts, each containing four chapters, with two appendices. The document is neatly organized and is useful for organizations implementing or following ISO 31000.

The full guide is available here.

Top Cloud Security Threats Report

The Cloud Security Alliance (CSA) and HP have published new research findings that detail the potential threats surrounding the use of cloud services.

This seems to be a serious effort to bring up the security concerns related to the cloud. This 14-page report identifies seven threats, namely:
  1. Abuse and Nefarious Use of Cloud Computing
  2. Insecure Interfaces and APIs
  3. Malicious Insiders
  4. Shared Technology Issues
  5. Data Loss or Leakage
  6. Account or Service Hijacking
  7. Unknown Risk Profile
The full report is available here.

Feb 9, 2010

Money Mules

In recent days, we have seen many emails claiming to be from your bank and asking you to provide your user name, password, ATM PIN, etc. First of all, let me emphasize that these are fake emails. Banks or any other responsible companies will never ask you for these details for any reason.

Let me reiterate: never respond to such emails. Do not click on the links in these emails, as they lead to fake sites. Entering your online banking username and password into these fake sites will allow an attacker to take control of your account and withdraw all the money in it. This scam is commonly known as phishing.
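As an added illustration (not part of the original post), the following Python checks a constructed email for the three signs of the bank lure described above: a display name that claims to be a bank while sending from another domain, a request for login secrets, and a link whose visible text shows the bank's domain while pointing elsewhere. The trusted domain, the sender and the message are constructed placeholders.

```python
# Added example (not from the original post): heuristic checks for the
# bank-credential phishing lure described above. All domains are placeholders.
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}   # assumed genuine bank domain(s)
ASK_WORDS = re.compile(r"\b(provide|confirm|enter|entering|verify)\b", re.I)
SECRET_WORDS = re.compile(r"\b(password|user ?name|pin|atm)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def sender_mismatch(display_name: str, address: str) -> bool:
    """Display name claims to be a bank, but the sending domain is not ours."""
    return "bank" in display_name.lower() and not is_trusted(address.rsplit("@", 1)[-1].strip("> "))

def asks_for_credentials(body: str) -> bool:
    """Message asks the reader to supply login secrets (password, PIN, ...)."""
    text = re.sub(r"<[^>]+>", " ", body)
    return bool(ASK_WORDS.search(text)) and bool(SECRET_WORDS.search(text))

def link_mismatches(html: str) -> list:
    """Links whose visible text shows a trusted domain but whose href does not."""
    found = []
    for href, inner in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip().lower()
        host = urlparse(href).hostname or ""
        if any(d in shown for d in TRUSTED_DOMAINS) and not is_trusted(host):
            found.append((shown, host))
    return found

def assess(display_name: str, address: str, html: str) -> list:
    hits = []   # names of the indicators that fire for this message
    if sender_mismatch(display_name, address):
        hits.append("sender-domain-mismatch")
    if asks_for_credentials(html):
        hits.append("asks-for-credentials")
    if link_mismatches(html):
        hits.append("link-target-mismatch")
    return hits

# Constructed sample lure of the kind the post describes.
LURE_NAME = "Example Bank Security"
LURE_FROM = "alerts@examplebank-secure.net"
LURE_HTML = ('<p>Dear customer, please verify your account by entering your user name, '
             'password and ATM PIN at <a href="http://examplebank.com.login-check.example/">'
             'www.examplebank.com</a>.</p>')
```

A message that trips all three indicators is a strong candidate for quarantine; a genuine statement notice from the real domain with a matching link returns no indicators.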

I will write another post on phishing later. In this post, I would like to highlight the money mule scam, which is the hidden side of phishing.

Extract from Wikipedia about money mules:

"A money mule is a person who transfers money and reships high-value goods that have been fraudulently obtained in one country, usually via the internet, to another country, usually where the perpetrator of the fraud lives.
The need for money mules arises because while a criminal in a developing country can obtain the credit card numbers, bank account numbers, passwords and other financial details of a victim living in the first world via the internet through techniques such as malware and phishing, turning those details into money usable in the criminal's own country can be difficult. Many businesses will refuse to transfer money or ship goods to certain countries where there is a high likelihood that the transaction is fraudulent. The criminal therefore recruits a money mule in the victim's country who will receive money transfers and merchandise and resend them to the criminal in return for a commission."

There are various stages where people are recruited as money mules

Jan 19, 2010

Typical data leakage scenarios

Data leakage is a key threat that could give sleepless nights to any business executive, and it is definitely a top priority for CISOs and information security managers.

I have looked into the DLP scenarios and various solutions. I have not found a single solution which covers more than 75% of DLP; maybe my expectations are higher. Many of my vendors used to tell me that I would have to use multiple solutions; still, the reach did not go beyond 90%.

The following are the areas where I need protection; can anyone suggest solutions?
  • Removable Media - I have zeroed in on a product from Check Point for endpoint security, which gives fairly good protection from data leakage through endpoints. I have not (yet) found a mechanism for automating the installation and reporting of the same on all the client machines. I expected a mechanism similar to the one in most, if not all, of the anti-virus solutions.
  • Internet - The Secure Computing WebWasher is a pretty good tool; a key feature I liked is the possibility of stopping internet uploads by user, group and some other parameters. This may be the same in the competing products. I have tested another product named WebMarshal, which did not have this feature. Now, on the Internet, how do we stop posting to a text area, such as a blog? Can someone do text analysis and stop the content being posted?
  • Email - I have seen many tools with text analysis capabilities and options to block and quarantine messages, but what about data which is altered? Can the system still read the logic? For example, an Excel sheet where the numbers are replaced with letters, like acbd for 1324.
  • What about corporate webmail? Many companies allow access to corporate email through a webmail server such as MS Exchange (Outlook Web Access). One can save data, including large files, in a draft email and download it from home. How can this be protected?
  • What about mobile computing devices such as laptops, BlackBerry etc.? If they connect to networks outside the corporate network, how much effect will the corporate policies have on these devices?
I think there are many opportunities for those who want to take data out. The present solutions do a great job in terms of data leakage; however, in my opinion, they fail to protect against data theft.

Jan 17, 2010

ISACA Kuwait chapter in formation

We had a meeting today for the ISACA Kuwait chapter in formation. It was a good one. We were 10 people from various organizations. The meeting started at around 6:15 and extended till 7:30.

We had the meeting at the Salhiya complex in Kuwait City, graciously hosted in the conference room of Deloitte.

A public event is planned for a wider audience during the first week of February. We hope to have monthly meetings, which will eventually create some interest among those who are interested in ISACA.