Tag Archives: Privacy

What to Secure…

Recent news articles detailing the NSA's surveillance monitoring have shown that it extends to other countries and to their high-level officials. A more recent article states the following:

“The U.S. monitored the phone conversations of 35 world leaders, according to a National Security Agency document provided by its former contractor, Edward Snowden, according to The Guardian newspaper.”

Although most people cannot communicate using secure phone calls, this does raise the point that it is the data that must be secured, not just the mode of transport. A phone call or even Internet usage should not be considered secure. There are numerous hops and intermediary systems that carry the signal being used, and each of those points of connection is a potential point of surveillance. Add the additional discoveries regarding AT&T, Verizon, and other carriers, and privacy should no longer be expected.

This means that only the data itself, if encrypted or otherwise secured, provides any realistic expectation of privacy. Ensuring that data is secured both at rest and in transit is critical to ensuring privacy. It may take more time and resources, but in an age of “continuous monitoring” of everything, it is the best way to provide the assurance most people and businesses desire.


South Carolina’s Majority of Social Security Numbers Exposed…

In an article in Dark Reading, South Carolina officials announced that more than three-quarters of the state’s social security numbers were exposed in a recent hack. The data included debit and credit card information for the state’s residents as well. The most concerning issue was that the database that was compromised was not encrypted. As a state agency, it should have been an example to follow rather than one to avoid. The state’s Department of Revenue should have been held not only to federal regulatory requirements, but also to PCI. This type of failure is not acceptable.

While little has been released about the cause beyond the fact that the database was breached and not encrypted, the article states the following:

Although state officials referred to the hack as a “database” breach, they didn’t specify just what flaw was exposed. Security experts say it was most likely a SQL injection or other vulnerability in the Web-based application that ultimately led to the data breach.

Chris Eng, vice president of research for Veracode, says it sounds like a SQL injection attack against a Web application. “That’s the simplest way in,” he says.

It is easy to make conjecture about how the breach occurred, but it would seem that the necessary due diligence was not followed. Security should be more than a check-box. State and Federal governments should be setting the example for the rest of business. This is another instance where “measure twice and cut once” should have been put in place…


More on Cyber Security Executive Order…

Dark Reading published an article on October 9 about the pending Executive Order on cyber security and what it will mean to an enterprise. As mentioned in a previous post, the executive order is the Obama administration’s response to the fact that Congress did not pass cybersecurity legislation, specifically the Cybersecurity Act of 2012.

Now, while the Executive Order would be focused on national critical infrastructure, the article brings up some good points about the impacts and insights this could have for a business. The article noted that the Executive Order would not deal with one of the key points of the act, the sharing of information between government agencies. According to the article:

The issuance of an executive order would not address one of the key elements of the Cybersecurity Act of 2012 – information sharing between the private sector and government. According to former NSA Deputy Training Director Cedric Leighton, information-sharing has to span both sharing between the government and private sector as well as between entities in the private sector itself.

A key point about what businesses are looking for is stated in the article, more specifically three key items:

Rather than checklists, organizations are looking for three distinct things: the current state of a threat, what others are doing about security, and what are the guiding principles that should be considered when developing a security program and strategy, Granado argues. Protecting intellectual property means complicating the process of acquiring inappropriate access, detecting threats and neutralizing threats before they expand, he says.

As noted in the article, a purely defensive “knee-jerk” mentality is not enough; a pro-active stance is needed to effectively secure the information assets of the business and in turn improve the overall risk posture. The idea that the minimum is sufficient is simply wrong, and it will leave a business perpetually behind the curve.


Academics and Security Are Not Always Hand-in-Hand…

Two separate articles in SC Magazine describe a slew of issues with universities maintaining privacy and security.

In the first article, the University of Chicago sent out postcards to its 9,100 employees reminding them of their benefits open season. It added the extra bonus of printing each employee’s social security number on the cards as well. The school stated:

A school official said there is no reason to believe outsiders had misused any of the information. The university also recommended that employees securely get rid of the postcards.

The problem is that it only takes one “outsider” misusing the information once to potentially ruin someone’s life.

In the second article, the anonymous hacktivist group GhostShell recently posted data from multiple universities. The leader of the group tweeted about the hack along with a link to the Pastebin data.

In the Pastebin message, GhostShell said that the recent attacks were launched to bring attention to various grievances the group holds toward the educational systems in the United States, Europe and Asia. The hackers cited growing tuition fees, frequently changing laws and heavily regulated teaching.

Furthermore, the group also noted that many of the systems targeted had already been infected with malware. Since these universities are meant to educate the future workforce in various fields, computer science and technology among them, it would make sense for them to apply the concepts and principles of security within the systems they use.

Governments and other organizations make mistakes, so it is understandable that similar things would occur in academia. Regardless of where it happens, though, the old saying “measure twice, cut once” needs to be driven home in everything we do. Whether it is sending out a mail merge or building a network, good security practices need to be part of the thought process and the routine.
