Information Security: Uncommon Knowledge

Note: Kevin M Nixon, MSA, CISSP, CISM and his team are the leading authorities on control-bypass and information security issues, and will be instrumental in resetting the IT industry’s governing protocols. Kevin’s team is the first group actively addressing information security issues not only as a consumer, investor & corporate governance issue, but also as a Global and National Security Issue. Kevin’s research has demonstrated that these are solvable problems, and his team will be making concerted efforts to elevate this discussion to national and international levels. I have been honored with an invitation to assist in a portion of Kevin’s research, and would appreciate any and all input from readers that address both the specific nature of information breaches in our industries, as well as any suggestions for best practices and protocol reform. Please leave your comments, or contact me directly: anthonymfreed@gmail.com

 

Un-Common Knowledge

By Kevin M Nixon, MSA, CISSP, CISM

Question:  What do the Division of Motor Vehicles Colorado, the University of Utah Hospitals and Clinics in Salt Lake, Monster.com, the University of Miami and Fidelity National Information Services all have in common? (Hint: Think TJ Maxx) Give up?

Answer: Each was the victim of a data security breach that resulted in the exposure of over 2 million computer records which contained confidential, non-public, private information.

In the case of Fidelity the total number of computer records exposed exceeded 8.5 million. You can monitor the events yourself at the Privacy Rights Clearinghouse, where you will find a frightening amount of information.

Just yesterday, November 1st, 2008, privacyrights.org reported that the Seattle, Washington, School District released 5000 social security numbers to a local union representing some of the district workers. More than half of the district’s workers were affected by the leak.

No wonder that the FBI and the National White Collar Crime Center saw Americans report losses of $239 million as a result of online fraud.

Don’t assume that an “identity thief” is a “hacker” in the computer crime underworld. The “identity thief” may simply obtain the information from a source and then sell it. However, “identity thieves” are now recruiting “hackers” to obtain access to electronic databases which contain the most choice data.

The trafficking of stolen data is a quick operation. Your hard-earned reputation, financial & banking records, and personal information such as age, marital status, and children’s names can all be sold for a few dollars each. Think about that: if 2 million records are stolen and sold for $2 per record, the “ID Thief” has made a cool $4 million off of what took you years of honest hard work to create.

The same technology used to steal your information is often used to sell your information. Your data is often sold through large instant-message groups or via online auctions, both of which may only exist for a few hours or days to avoid detection by authorities.

Here are a few tips that may alert you that your credit information has been compromised:

1)  Whenever possible go “paperless”. You simply receive an email stating that your statement is available online for viewing, and you can pay electronically too.

2)  If you can’t go paperless and you have a mailbox on the curb that anyone can walk by and open, consider getting a PO Box or a lockable mailbox. It is easy for a thief to simply take a credit card statement containing most of the info they need out of the box on the curb.

3)  Monitor your statements. Did you really put $2 worth of gas in the car? One of the ways thieves validate that a stolen card is still active is to charge a very small amount and if the transaction goes through they know that the card is still good.

4)  Be alert to creditors calling to verify a telephone number! Creditors performing information verification often call telephone numbers associated with credit applications. The 3 big agencies are not offended when you question why the information is needed. Thieves often take personal information and attempt to open “business accounts” which makes the transaction more difficult to trace.

5)  And last but not least, your Social Security Card (and number) should only be used for tax purposes. Says so right on the card. Do not use for ID.

Your social security number is not “required” for anything else under the law. It serves one purpose, to associate your earnings with your taxes. Banks, insurance companies, and others are required by law to use alternative photo ID cards. If the person or company won’t do business without your Social Security number, ask to borrow their telephone, and call the local Social Security Office and report the company. Then take your business someplace else. 

(The writer gives permission to link to, post, distribute, or reference the above article for any lawful purpose, provided that attribution is provided to the writers. This article will also be posted at the writers’ own sites.)

©2008 – Kevin M Nixon, MSA, CISSP, CISM - All Rights Reserved 
 
Kevin Nixon’s Specialties:

Certified Information Systems Security Professional (CISSP)

Certified Information Systems Manager (CISM)

Master Security Architect (MSA)

Extensive experience in:

Gramm-Leach-Bliley Security Audits

Data Privacy Policy

Investigation & Litigation Support

Mergers & Acquisitions

FFIEC/OCC/OTS Regulations

EU & Basel II Regulations

Sarbanes-Oxley

Domestic & International Regulatory Compliance

USA PATRIOT ACT

Kevin Nixon’s Honors:

Consultant to the Federal Trade Commission on the rollout of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), providing input regarding web security best practices for the website: www.annualcreditreport.com

Disaster Recovery Workgroup for the Office of Homeland Security under Richard Clarke, Special Advisor to the President for Cyberspace Security and Chairman of the Critical Infrastructure Protection Board.

TC68-SC2 & US TC68-SC6 Member to the International Standards Organization (ISO) on Financial Data Protection, Privacy, and Security Standards.

 Press Release 11-3-2008:

PRIVACY PIRACY HOST, MARI FRANK INTERVIEWS
PRIVACY ADVOCATE, ATTORNEY, AND BUSINESS CONSULTANT FOR TECHLEX SOLUTIONS, LAURA WILSON
 
WEDNESDAY, NOVEMBER 5, 5-6 PM PACIFIC TIME, KUCI 88.9 FM IN IRVINE, CA AND AUDIO STREAMING ON
WWW.KUCI.ORG
 
Ms. Wilson will answer the following questions and more!
 
1.   What kind of financial services companies have lapses in their information security protection?   Don’t the larger companies have multiple protections in place? 
 
2.   Why gaps in the protection of systems and data are concerning. 
 
3.   What controls do the financial services companies have to protect sensitive information?
 
4.   How are the controls bypassed?
 
5.   What are some of the red flags that a financial services company should look for?
 
6.   What are the implications for the company, and for customers and shareholders, if these information security controls are bypassed?
 
 
Don’t miss this fascinating interview with Laura Wilson!
 
Here’s some background about Ms. Wilson:
Laura Wilson will be discussing finding and fixing information security and other compliance gaps in the financial services industry. Despite the great concern expressed by consumers, shareholders, and regulators, significant gaps and bypasses of controls remain. An information security breach has implications for consumers, investors, and the larger market, and may compromise national and global security, so it’s important to know that many of these bypasses can readily be fixed.

The companies for which Laura has negotiated and managed complex outsourcing and vendor relationships include:
A publicly-traded global credit card company that co-authored the PCI (Payment Card Industry) standards.
One of the largest publicly-traded mortgage companies in the U.S.
A publicly-traded international investment advisory firm.
Laura works in governance / risk / compliance, deal analysis, and problem resolution related to highly-sensitive systems and data. Her experience encompasses business and legal roles for highly-regulated organizations, including publicly-traded international financial services (banking / payment card industry / mortgages / insurance / investment advisors), venture capital portfolio companies, and numerous software and services projects involving regulated systems and sensitive data.

Laura has trained colleagues on industry standards, gap analysis and risk mitigation. She writes training materials to help stakeholders identify and remedy compliance and security gaps, and verify appropriate due diligence. She volunteers with professional groups and not-for-profits interested in the regulatory, governance, information security and national security implications of financial systems and regulated data.

Laura holds a Juris Doctor (licensed as an attorney in California) and is a CISA (Certified Information Systems Auditor) candidate (passed CISA exam; certification pending). She is pursuing security certifications including CISSP (Certified Information Systems Security Professional), CFE (Certified Fraud Examiner), and CGEIT (Certified in the Governance of Enterprise IT).

Laura served on active duty for over 8 years in the United States Army. She was a Staff Sergeant, paratrooper, TV / radio broadcaster; served in Military Intelligence, Psychological Operations, Communications, and Public Relations positions; and won several Soldier of the Year awards.
 
To learn more about Privacy Piracy, visit www.kuci.org/privacypiracy to listen to previous interviews, download podcasts and see upcoming VIP guests.
 
First Mate Mari
Radio Host KUCI 88.9 FM in Irvine
www.kuci.org
Mari J. Frank, Esq.
Attorney, Mediator
Certified Information Privacy Professional
28202 Cabot Road, Suite 300
Laguna Niguel, Ca. 92677
Phone: 949-364-1511
Fax: 949-363-7561
www.identitytheft.org
www.MariFrank.com
www.kuci.org/privacypiracy
E-mail
contact@identitytheft.org
Mari@MariFrank.com
 
To order Mari’s books:
Call Porpoise Press 800-725-0807 
 

 
