Information Security


ISR News: IRS On-Line Vulnerable  According to an audit report from the Treasury Inspector General for Tax Administration, the US Internal Revenue Service (IRS) launched an on-line tax filing system despite known security concerns. Although testing of the fourth release of the IRS Modernized e-File system revealed 13 security vulnerabilities, the system was launched in January 2007.

ISR News: ‘Downandup’ WORM Up  In October, Microsoft took the unusual step of issuing an out-of-band Security Bulletin, MS08-067, for a vulnerability affecting its Server service. “Because the vulnerability is potentially wormable on those older versions of Windows [XP and earlier], we’re encouraging customers to test and deploy the update as soon as possible,” said Christopher Budd, a Microsoft Security Response Center security program manager, in a blog post.

ISR News: Recession Crimps Security  Businesses in Asia that are driven by the recession to strive for leaner, meaner IT, need to consider how their cost-cutting impacts security, warn industry experts. Even as frugality is expected of IT departments this year, the move to options that support cost-cutting-including software-as-a-service (SaaS) and cloud computing-should be assessed for risk to the business, said Lawrence Ong, regional business manager for security at Datacraft Asia.

ISR News: Terrorists Aim for Online 9/11  Henry said terrorist groups aim for an online 9/11, “inflicting the same kind of damage on our country, on all our countries, on all our networks, as they did in 2001 by flying planes into buildings.”

ISR News: 35MM Records Breached in 2008  It documents 656 breaches in 2008 from a range of well-known U.S. companies and government entities, compared to 446 breaches in 2007, a 47 percent increase. Information about the breaches was collected by tracking media reports and the disclosures companies are required to make by law.

ISR News: Top 10 Threats from 2008  A municipal network held hostage, the hacking of a public official’s private e-mail account, court battles to gag security researchers, and dire warnings about the Internet’s Domain Name System were just a few of the highlights of the IT security landscape in 2008.

Consumer Reports Buys  By Laura Wilson, JD, CISA Candidate, ISR Corporate Liability Editor  Combining the unimpeachable credibility and expertise of Consumers Union, the publishers of Consumer Reports since 1936, with the widely read, shoot-and-move Consumerist format that nets over 10 million page views per month is a big win for the public and their advocates.

ISR News: Experts Hack VeriSign  With the help of about 200 Sony Playstations, an international team of security researchers has devised a way to undermine one of the algorithms used to protect secure Web sites – a capability that the researchers said could be used to launch nearly undetectable phishing attacks. 

ISR News: Economy Spurs Cybercrime  “The damage that insiders can do should not be underestimated. It can take just a few minutes for an entire database that has taken years to build to be copied to a CD or USB stick,” said Adam Bosnian, a spokesman for Cyber-Ark.

ISR News: Data Theft Spurs Lawsuits  The lawsuits stem from the arrest of Rene Rebollo Jr., 36, of Pasadena, Calif., a former senior analyst for Countrywide, and Wahid Siddiqi, 25, of Thousand Oaks, Calif. Investigators said Rebollo used a flash drive to download data from about 20,000 customers a week for two years, from 2006 through August 2008, then sold the information to Siddiqi for a total of $50,000. 

ISR News: SSI Numbers Breached  RBS WorldPay, a subsidiary of Citizens Financial Group Inc. said law enforcement agencies are investigating a Nov. 10 breach of the company’s cyber security. The breach affected the personal information of 1.5 million cardholders. Up to 1.1 million Social Security numbers could have been accessed, according to the company. 

ISR News: 16,000 Katrina Records Posted  FEMA has confirmed that an “unauthorized breach of private information” resulted in the information release of 16,857 names, Social Security and phone numbers, and other private details of people who had applied for benefits. The information was flashed on a pair of privately run Web sites, but for how long was unclear.

ISR News: “Paring Down” Security  “The intensive projects that require a lot of capital outlay and work on the integration side are probably going to be throttled back,” Hochmuth said. He also expects companies to look more closely at integrating their security, networking and operations teams and reducing their staffing levels.

ISR News: Employee Arrested for ID Theft  Hospitals’ increasing reliance on computerized record-keeping has provided new avenues for identity theft and invasions of medical privacy. As recently as May, a Glendale man was convicted of using the names of hundreds of Los Angeles County and city employees to submit fraudulent claims for diagnostic services amounting to more than a quarter-million dollars. 

ISR News: Hackers Steal 22K SSI Numbers  “Educational organizations accounted for nearly one-third of all U.S. data-breach incidents during the past three years, according to the Privacy Rights Clearinghouse. About 58 percent of college IT officials nationwide have dealt with at least one computer-security incident in the past year, and cyber attacks on college campuses increased dramatically between 2006 and 2007, with 67.5 percent more incidents being reported in just one year.”

U.S. Banks Vulnerable to Sabotage  Feature Article By Anthony M. Freed, ISR Financial Editor  2009 will prove to be the year that this systemic weakness comes to the forefront of politics and the news: The United States is unprepared for a major hostile attack against vital computer networks, government and industry officials said Thursday after participating in a two-day “cyberwar” simulation. “There isn’t a response or a game plan,” said senior vice president Mark Gerencser of the Booz Allen Hamilton consulting service, which ran the simulation. Democratic U.S. Rep. James Langevin of Rhode Island, who chairs the homeland security subcommittee on cybersecurity, said: “We’re way behind where we need to be now.” Dire consequences of a successful attack could include failure of banking or national electrical systems, he said.

Cyber Security Tops 2009 Agenda  By Laura Wilson, JD, CISA Candidate, ISR Corporate Liability Editor  “Last week, a group of outside experts recommended cybersecurity be moved from DHS – which “isn’t equipped to protect the federal government against cyberattacks” – to an office within the Obama White House. Many members of the Commission on Cyber Security for the 44th Presidency “felt that leaving any cyber function at DHS would doom that function to failure,” according to its recently-released 96-page report.” Security expert Bill Brenner of

ISR News: Our Biggest Threat in 2009?  “The selection of cyber crime as the mega trend most likely to be a high or very high risk in the next 12 to 24 months can be partly based on the fact that 92 percent of respondents in our study reported that their companies have had a cyber attack. The biggest security risk associated with cyber crime is that such an attack will cause a business interruption followed by the theft of customer and employee data.”

ISR News: Joe Knows Too Much  “At some point later that evening, he logged in and set all the modems in the POP to autodial 911 repeatedly. None of our customers could use the broadband service, but even worse, Joe effectively throttled the local 911 lines for many hours.”

ISR News: Data Exposure: Who Pays?  “Employees at the University of North Carolina at Greensboro were notified Monday of a security breach of a computer that contained personal information used to process the school’s payroll.”
Recently I learned an important lesson about the importance of information security and regulated access to systems and data. 

Unfortunately, it was a painful one, with potentially untold repercussions yet to come.  But my experience with unauthorized access is not unique, as literally millions of consumers are threatened with exposure to fraud and identity theft every year.
In this case, it was due to my own carelessness, but for many others the exposure is beyond their control, due to lapses in security protocols, inadequate third-party controls, and plain old human error.
Financial companies, banks, government and non-government organizations routinely lose data of the most sensitive nature, exposing hundreds of thousands of people to potential financial ruin and personal loss.
More shocking yet is that the black-market value of personal data has produced a healthy trade in people’s personal information, and this is increasing the instances of wholesale data theft by employees and staff within these supposedly secure and trusted institutions.
The record unemployment levels in the financial industries, the threat of further bank closures, government-sponsored take-overs, and outright buyouts by the competition have created an environment in which the temptation to misuse private information for personal gain is greater than ever.
Aside from the obvious damage to the folks whose data is sold and possibly used for illicit purposes, there is growing concern amongst the corporate executives, boards of directors, and legal departments of these organizations that they also may be exposed to tremendous risk and potential professional liability from these breaches of security.
The threat of criminal liability as well as civil and class-action litigation is greater than ever before.
Then there are also the losses borne by the equity stakeholders in these organizations: the devaluation of their portfolio holdings, the risk of diminished returns, and ultimately insolvency. The losses could begin to reach levels that exceed investors’ tolerance for risk, and access to much-needed capital may dry up.
I am pleased to announce our new website, Information Security Resources, which will examine these issues from both a financial and a technical perspective, examining areas of lax governance and inadequate security protocols, and, more importantly, offering solutions and best-practices advice from some of the leading players in information security and financial analysis in the nation.

Our goal is to help financial industry stakeholders, government regulators, and the public better understand and address the mounting information security threats inherent in the current financial crisis. 

Our concern is centered on the failure of organizations to adequately protect regulated systems and data. Our current focus is on the exposure of private information and sensitive systems during the financial meltdown, including identity theft, privacy breaches, stolen information, credit card fraud, and other enormous liabilities.

In addition to the obvious threat to market stability, the financial debacle has the added element of national and global security concerns. We believe we are among the very first working to highlight this national security problem.

We believe this is the next national security, shareholder derivative, D&O liability, regulatory, consumer product safety, and class-action issue.  We teach you how to find this problem, and fix it.


2 Responses to Information Security

  1. jason kenny says:

    Just like you, I go forever without reading RSS. My view is, if it’s important at all, it will hit my twitter stream.

  2. Mike Duncan says:

    I would like to introduce myself and SUPERAntiSpyware. Although our product is primarily for consumer security and ID protection, I know that you are a person who is very interested in the topic and that others seek your advice.

    I’d also like to provide you with a complimentary license for your use and evaluation. If you would like the license, simply let me know an email address to send it to and I will do so right away.

    SUPERAntiSpyware was established over 5 years ago, and we now protect over 15 million users worldwide from harmful spyware infections. I’m confident that you’ll find it a powerful tool in your fight against malware.

    Like you, we’re also based in Eugene, so we’re neighbors. I am also going to spend some time reading back through some of your business-development type posts. I teach as an Adjunct at Northwest Christian University, and I’m currently teaching a class on small business start-ups. There are some very interesting headlines on your site that I’m looking forward to exploring.

    Thank you very much for your time,

    Mike, SUPERAntiSpyware
