<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>At The Breach - Your source for online security news &#187; Editor</title>
	<atom:link href="http://www.atthebreach.com/author/kevinprince/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.atthebreach.com</link>
	<description>Your source for online security</description>
	<lastBuildDate>Tue, 15 Jun 2010 21:38:56 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Laptop Theft &amp; Data Breaches</title>
		<link>http://www.atthebreach.com/blog/laptop-theft-data-breaches/</link>
		<comments>http://www.atthebreach.com/blog/laptop-theft-data-breaches/#comments</comments>
		<pubDate>Thu, 27 May 2010 14:18:04 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=552</guid>
		<description><![CDATA[Let's face it, a huge percentage of data breaches are caused by lost or stolen laptops.  In nearly all of these cases, the laptops that were stolen were swiped because someone wanted the laptop, not the data on the laptop.  Very rarely do we see any fraud or identity theft as a result [...]]]></description>
			<content:encoded><![CDATA[<p>Let's face it, a huge percentage of data breaches are caused by lost or stolen laptops.  In nearly all of these cases, the laptops that were stolen were swiped because someone wanted the laptop, not the data on the laptop.  Very rarely do we see any fraud or identity theft as a result of a stolen laptop even when there is private or sensitive data on it.  But that doesn&#8217;t matter when it comes to data breach disclosure laws.  If a laptop is stolen, and the sensitive or private data on it is not encrypted, you will have to publicly disclose a data breach.  In 4 states you would have to disclose even if the data is encrypted.  </p>
<p>Most states have provisions whereby if the system is recovered or you can otherwise prove that there is no chance the data will be used to commit a crime, then you don&#8217;t have to disclose it.  I believe that this is why solutions that track and recover portable computers like laptops are becoming so popular.  <a href="http://awarenesstechnologies.com">Awareness Technologies</a> has one that not only allows you to track and recover the physical asset, but also to go back and review exactly what was done on the computer during the period of time it wasn&#8217;t in your control.  If no one accessed the data, there is no requirement (in most cases) to announce a data breach.  This little piece of software could save you millions of dollars.  If nothing else, I encourage people to use software like this on all their laptops.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/laptop-theft-data-breaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Productivity</title>
		<link>http://www.atthebreach.com/blog/employee-productivity/</link>
		<comments>http://www.atthebreach.com/blog/employee-productivity/#comments</comments>
		<pubDate>Wed, 26 May 2010 20:08:41 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[employee monitoring]]></category>
		<category><![CDATA[employee productivy]]></category>
		<category><![CDATA[wasting time at work]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=548</guid>
		<description><![CDATA[
Employee productivity has become a huge issue lately, especially with the explosion of social networking websites and games that are available through them.  Employers are starting to turn towards software that allows them to filter websites, limit access to unsafe or undesirable software apps like chat, IM, and social networking sites.  They are tracking work [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-549" title="WaterCooler" src="http://www.atthebreach.com/wp-content/uploads/WaterCooler-300x300.jpg" alt="" width="300" height="300" /></p>
<p>Employee productivity has become a huge issue lately, especially with the explosion of social networking websites and games that are available through them.  Employers are starting to turn towards software that allows them to filter websites, limit access to unsafe or undesirable software apps like chat, IM, and social networking sites.  They are tracking work output and even creating productivity reports on each employee.  Companies that use this type of software quickly see that employees stop using their computers for time-wasting activities.  Instead they will likely go back to hanging out at the water cooler&#8230;so be prepared for an increased bill from them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/employee-productivity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Awareness Technologies &#8211; Complete Internal Threat Protection</title>
		<link>http://www.atthebreach.com/product-evaluation/awareness-technologies-complete-internal-threat-protection/</link>
		<comments>http://www.atthebreach.com/product-evaluation/awareness-technologies-complete-internal-threat-protection/#comments</comments>
		<pubDate>Wed, 26 May 2010 18:23:06 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Product Evaluation]]></category>
		<category><![CDATA[Awareness Technologies]]></category>
		<category><![CDATA[data loss]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[DLP]]></category>
		<category><![CDATA[employee monitoring]]></category>
		<category><![CDATA[lost laptop]]></category>
		<category><![CDATA[stolen laptop]]></category>
		<category><![CDATA[web filtering]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=545</guid>
		<description><![CDATA[Awareness Technologies claims to offer complete internal threat protection.  There is a relatively new and interesting whitepaper that discusses the severity of insider threats.  When put into that context, it would seem that nearly every security breach relates to insiders in some way and if that is true, it would seem that using [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.awarenesstechnologies.com">Awareness Technologies</a> claims to offer complete internal threat protection.  There is a relatively new and interesting <a href="http://www.perimeterusa.com/knowledge-center/whitepapers/">whitepaper</a> that discusses the severity of insider threats.  When put into that context, it would seem that nearly every security breach relates to insiders in some way and if that is true, it would seem that using software like what Awareness Technologies offers is not only critical, but likely the next major movement in information security management.  </p>
<p>From what I have seen, Awareness Technologies offers a unique product.  It is an agent that sits on the end-point, but has multiple technologies built into it.  The technologies include a remote monitoring feature that allows the company to watch everything that is happening on the remote computer&#8217;s screen.  They are literally recording snapshots/screenshots every few seconds and you can play it back like a video recording.  They have a data loss prevention component.  They have a web filtering component.  And they also have a component that allows you to remotely wipe data from a computer or physically locate it if it is lost or stolen.  </p>
<p>The combination of these features offers some pretty interesting risk mitigation from the threat of insiders.  And all from within a single agent.  But what I thought was really cool was that they don&#8217;t require any hardware to try, deploy or use their system.  It isn&#8217;t a client/server app like most out there are.  They have built it in a cloud/SaaS model so you access a web portal to view all the required information.  What this platform also enables is a way to monitor and control devices that aren&#8217;t on the corporate network.  This includes travelers, telecommuters, and anyone else, anywhere else.  </p>
<p>These guys at ATI have really thought through the real-world IT administrator&#8217;s problems and addressed them in a very elegant way.  I am very impressed with this product so far.  I am going to dig into each separate technology (in future posts) to compare how each one stacks up against competitors and market needs, but from the 10,000 foot view, ATI gets 5 stars from us.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/product-evaluation/awareness-technologies-complete-internal-threat-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee Monitoring</title>
		<link>http://www.atthebreach.com/blog/employee-monitoring/</link>
		<comments>http://www.atthebreach.com/blog/employee-monitoring/#comments</comments>
		<pubDate>Mon, 24 May 2010 16:45:28 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=543</guid>
		<description><![CDATA[There is an interesting debate that is brewing regarding the ethics behind monitoring employee behavior.  I thought I would give my $.02 on the subject.  Most surveys show that employees spend 1 to 2 hours each day at work on the Internet doing &#8220;personal&#8221; things.  This can be social networking, online gaming, [...]]]></description>
			<content:encoded><![CDATA[<p>There is an interesting debate that is brewing regarding the ethics behind monitoring employee behavior.  I thought I would give my $.02 on the subject.  Most surveys show that employees spend 1 to 2 hours each day at work on the Internet doing &#8220;personal&#8221; things.  This can be social networking, online gaming, chats, instant messages, eBay, online banking, and a host of other things.  The reasoning that many give for using the Internet at work ranges from lack of access at home or having a faster connection at work to accessing the Internet as a result of boredom.</p>
<p>In an <a href="http://www.wisegeek.com/how-do-employers-monitor-internet-usage-at-work.htm">article</a> I read recently it said this: &#8220;Whatever the reasoning and whatever the task, employers are less than pleased when their employees waste company time and money to do non-work related tasks online. Most people would feel the same way if they were a business owner, but business values aside, sometimes the temptation to surf is too great to resist. As a result, a vast number of employers have turned to surveillance technology to monitor their employees’ Internet usage at work.&#8221;</p>
<p>As it says, many employers have already turned to surveillance technology to monitor employees.  While some employees are outraged, if they were in the employer&#8217;s shoes, they might not be as angry.  I am a big proponent of employee monitoring.  Certainly a company should tell employees they are doing it.  Internet use and other things should be clearly set out in policy and procedural documents that the employees have read and understand.  But once the legalities are taken care of, employers not only have the right to know what the employees are doing, but need this technology to keep their organizations safe. </p>
<p>The 1 to 2 hours spent by employees on personal web surfing each day is the time when they are most likely to compromise their system by falling prey to phishing, pharming, social engineering, or other attacks.  Beyond that, shouldn&#8217;t they be working!  Monitoring employees dramatically reduces wasted time.  This results in the need for fewer employees or just an overall increased work volume.  Either way, monitoring software more than pays for itself.  In fact, the cost of monitoring software becomes a small fraction of the money saved.  I really can&#8217;t imagine any company that would not want this kind of software on every one of their employees&#8217; workstations&#8230;including remote workers, travelers, and telecommuters.  </p>
<p>Some employers say that the management of software like this is overwhelming, and that this is why they don&#8217;t do it.  There are software packages available today that do a great job of centrally managing ALL workstations and giving you a complete view into your employees&#8217; productivity.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/employee-monitoring/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Facebook Plague</title>
		<link>http://www.atthebreach.com/blog/the-facebook-plague/</link>
		<comments>http://www.atthebreach.com/blog/the-facebook-plague/#comments</comments>
		<pubDate>Mon, 24 May 2010 16:10:45 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=540</guid>
		<description><![CDATA[I thought it was extremely amusing when I saw this Facebook screen shot in an article.  It is a shot of the Facebook page of a guy named &#8220;Charlie&#8221; that was warned by his employer that he was spending too much time on Facebook.  Read the email, and then read his response just [...]]]></description>
			<content:encoded><![CDATA[<p>I thought it was extremely amusing when I saw this Facebook screen shot in an article.  It is a shot of the Facebook page of a guy named &#8220;Charlie&#8221; that was warned by his employer that he was spending too much time on Facebook.  Read the email, and then read his response just below it.  Remember, he took the email as a token of pride and pasted it on his Facebook wall.</p>
<p><a href="http://www.atthebreach.com/wp-content/uploads/FacebookIdiot.png"><img src="http://www.atthebreach.com/wp-content/uploads/FacebookIdiot.png" alt="" title="FacebookIdiot" width="560" height="651" class="alignright size-full wp-image-541" /></a></p>
<p>Employers should be worried about how much time employees are spending on social networking sites like Facebook.  While there are lots of solutions out there that allow employers to see where employees are going on the Internet, many lack the details and overall context needed to really understand the waste of productivity this is.  One tool that I have seen that is really good at giving employers a complete picture is one from <a href="http://www.awarenesstechnologies.com/">Awareness Technologies</a>.  It seems far superior to traditional web content filtering solutions.  Plus it looks like the agent can do a bunch more stuff to help increase productivity and decrease the risk of an information security breach.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/the-facebook-plague/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Heartland Payment Systems Class Action Settlement</title>
		<link>http://www.atthebreach.com/blog/heartland-payment-systems-class-action-settlement/</link>
		<comments>http://www.atthebreach.com/blog/heartland-payment-systems-class-action-settlement/#comments</comments>
		<pubDate>Fri, 14 May 2010 15:50:47 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=537</guid>
		<description><![CDATA[Preliminary approval was granted by a federal court in Texas for Heartland Payment Systems to establish a $4 million fund to settle a consumer class action suit brought against the payment processor.  The Heartland data breach is estimated to have had the information of 130 million credit cards stolen.  Heartland made the announcement about the breach [...]]]></description>
			<content:encoded><![CDATA[<p>Preliminary approval was granted by a federal court in Texas for Heartland Payment Systems to establish a $4 million fund to settle a consumer class action suit brought against the payment processor.  The Heartland data breach is estimated to have had the information of 130 million credit cards stolen.  Heartland made the announcement about the breach during the inauguration of President Obama in January of 2009.  </p>
<p>This is an EXTREMELY low figure to settle a class-action case.  This really goes to show that Heartland proved well that they had followed stipulations outlined in the Payment Card Industry Data Security Standard.  So while they were still breached, they had followed protocol even though they could have done some simple things to prevent the exploit.  Compare this to the Veterans Administration case a couple of years ago where a laptop was stolen that had 26.5 million records on it (1/5 of the Heartland case): they got the laptop back, no fraud was ever reported, and they still had to settle a class-action lawsuit for 20 million dollars.  Endpoint security is critical today and will only become more so in the future.</p>
<p>http://www.computerworld.com/s/article/9176431/Court_gives_preliminary_OK_to_4M_consumer_settlement_in_Heartland_case?taxonomyId=84</p>
<p>http://www.bankinfosecurity.com/articles.php?art_id=2498</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/heartland-payment-systems-class-action-settlement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Verizon Business Study Results</title>
		<link>http://www.atthebreach.com/blog/verizon-business-study-results/</link>
		<comments>http://www.atthebreach.com/blog/verizon-business-study-results/#comments</comments>
		<pubDate>Fri, 07 May 2010 02:06:27 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security Data]]></category>
		<category><![CDATA[Awareness Technologies]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=530</guid>
		<description><![CDATA[An interesting research report came out from Verizon Business about IT security spending.  Here are a few of the points they made and a few comments I have on them.
Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at [...]]]></description>
			<content:encoded><![CDATA[<p>An interesting research report came out from Verizon Business about IT security spending.  Here are a few of the points they made and a few comments I have on them.</p>
<p>Organisations are typically over-investing in some areas, while neglecting other parts that would yield significant gains, said Peter Tippett, vice-president of technology and innovation at Verizon Business. </p>
<p> &#8211; TRUE – This is especially true because organizations don’t stop and look at the current threat landscape and evaluate whether their existing technologies are the best way to mitigate the current risk.  Usually they just stick with what they currently have.  </p>
<p>&#8220;Up to 40% of money spent on IT security is wasted,&#8221; he told Computer Weekly. </p>
<p> &#8211; I would tend to agree with this.  That 40% could be spent on effective solutions that truly reduce the organization’s risk.</p>
<p>Many organisations are increasingly spending money on insider threats, but in reality only 11% of successfully exploited data breaches in the past five years have been internal parties alone, according to the latest Verizon Business Data Breach Investigations Report.</p>
<p> &#8211; I question this statement and here is why.  Verizon Business usually bases these reports on their caseload, which means only the companies that have called them to do forensic analysis are the ones in the study.  Well, not every company that has a breach calls Verizon.  In fact, stop and think for a minute.  If you have an insider breach, usually you know about it.  Usually it is low tech.  Usually you don’t need Verizon for that type of case.  Also, companies do not like to disclose insider breach cases.  If a hacker gets them, most people say “boy those hackers are really smart” but if an insider gets away with a bunch of stuff people say “what kind of company hires a person like that” or “what lousy policies and procedures that company must have to have that incident occur.”  An insider breach is the company’s fault (at least that is the perception).</p>
<p>Most breaches involve multiple sources, but even then research shows that only 20% overall involved internal parties.</p>
<p> &#8211; I don’t agree with this either.  This is a fundamental problem with the way people look at breaches.  If a hacker exploits a vulnerability on a web server and gets access to internal systems and downloads a database of sensitive information, everyone blames the hacker 100%.  Isn’t there some responsibility on the internal IT person that didn’t patch the system?  Couldn’t we blame the IT person for misconfiguring the web server to allow the hacker in?  When looked at in this way, insiders play a much larger role in information security breaches than many might think.</p>
<p>The research shows that being able to patch systems faster will reduce enterprise security risk by about 2%.</p>
<p> &#8211; I agree with this.  Verizon in a separate report several months ago showed how infrequently hackers are using 0-Day exploits.  In nearly all cases hackers were using old, established, well-known vulnerabilities and exploits.  It isn’t about patching faster, it is about patching and patching consistently.</p>
<p>&#8220;But by simply eliminating systems with default passwords that are easy to guess will cut risk by at least 25%, 10 times more than patching faster,&#8221; said Tippett.</p>
<p> &#8211; I agree with this as well.  Default passwords and easily guessable credentials are one of the top ways external breaches occur.</p>
<p>&#8220;An organisation can reduce its risk by 85% simply by finding out where all its servers are, where all its data is stored and what connections there are to it,&#8221; he said.</p>
<p> &#8211; I 100% agree with this.  Most organizations that go through a system and data discovery can’t believe all the places that sensitive data resides.  </p>
<p>Even though bigger companies tend to look for default passwords, they look only at critical systems and tend to ignore those that have nothing to do with the business, but this is another mistake, said Tippett.</p>
<p> &#8211; This is a big mistake because “less important systems” are often used by individuals who have access to the mission critical systems and once you compromise one system, you can have access to anything that system has access to.</p>
<p>&#8220;Hackers don&#8217;t care what is critical and what is not &#8211; they just use their tools to find the things that are easiest to get into, and once they are in, they move from there.&#8221; </p>
<p> &#8211; True, although I think this is changing a little bit as hackers get better at analyzing the systems they compromise for potential value.</p>
<p>&#8220;Discover is the most important thing you can do. It is the first step in every risk-management programme. Yet it is the thing almost everyone ignores.&#8221;</p>
<p> &#8211; Certainly one of the most important things you can do.</p>
<p>Lastly&#8230; Verizon Business needs to learn how to spell OrganiZation!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/verizon-business-study-results/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Are social media platforms the Jurassic Park of computing?</title>
		<link>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/</link>
		<comments>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 20:40:35 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=527</guid>
		<description><![CDATA[Link to article
Kevin Prince is chief technology officer of Perimeter E-Security.
The views expressed are his own. –
Social Networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park: where John Hammond wanted to build something no one else had ever done, a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blogs.reuters.com/great-debate/2010/03/05/are-social-media-platforms-the-jurassic-park-of-computing/">Link to article</a></p>
<p>Kevin Prince is chief technology officer of Perimeter E-Security.<br />
The views expressed are his own. –<br />
Social Networks have grown out of control. Literally. Today, neither users nor social networking companies can control the monsters they have created. Think Jurassic Park: where John Hammond wanted to build something no one else had ever done, a fun theme park combined with a zoo of cloned dinosaurs.  He built what he thought would be adequate security, but in reality, didn’t understand nearly enough about the environment he was trying to control.  People naturally trusted that proper security was in place and that they would of course be safe. Quickly things spiral out of control, and nearly everyone gets eaten by the end of the movie.<br />
The creators of social networking sites — yes all of them — are just like John Hammond. Their unique ideas caught on in such a viral way that just keeping up with the bandwidth, processing power, storage, development, and everything else required to keep the system online is an amazingly complex, never-ending task. For most of these sites, security is – and has always been – an afterthought. Some of them try, but it’s a bit like closing the amusement park gates after the Tyrannosaurus has bolted.<br />
The users of social networking sites also contribute to the problem. Most are absolutely reckless when it comes to behavior on the sites. A while ago, I ran a social networking experiment on Facebook. I created a new user profile based on a free Google mail account. I chose the name Rebecca Johnson, made her 26, and used a profile picture of a three-year-old girl in a dress that I snagged from a department store website. No other information was in the profile. I wanted to see what would happen when I invited random strangers to be friends with this fictitious person.<br />
Lucky for me, Facebook presents you with people it thinks you might know. Due to a lack of information in my profile, Facebook presented me with people of all ages that live in my county (obviously they were looking at my IP address and correlating that with my city). I of course knew none of these people but went ahead and invited them and others. In all, I invited 250 totally random people to be my friends. The only criteria I used: they had to have profile pictures. My logic: if you don’t have a profile picture, you’re probably not a serious or frequent user. Here’s a timetable of what happened next.<br />
8:00am – Invite Friends<br />
8:02am – My first friend accepts the invitation<br />
9:00am – 6 Friends<br />
10:00am – 12 Friends<br />
3:00pm – 28 Friends<br />
After one week, I had 140 friends. Forty-seven people ignored my request; three questioned me via email saying, “I am kind of embarrassed, how do I know you again?”; I had 60 “pending” requests; and one friend invitation with an email saying, “Hey, I must know you because we know three of the same people.”<br />
If you remove the pending requests, nearly 75 percent of requests ended in the person accepting me as a friend. And it got worse: after one month, I had 187 friends out of that initial 250 friend requests. In other words: A staggering percentage of people will accept a friend request from someone they don’t know.<br />
So, does that really matter? What harm can come from it, right? Well, let me tell you: Rebecca Johnson now has an intimate knowledge of her 187 friends’ lives:<br />
Most have posted recent photos of themselves and their loved ones. One took pictures of every room in her house after a recent remodel and then began “a much needed vacation” to California and announced she wouldn’t be back for two weeks.<br />
Several were young kids still in high school. Facebook is a cyber-stalker’s dream come true. For many friends, you can know their every move. For others, you know the major events in their lives. Even a mildly creative person can come up with hundreds of ways this information could be exploited. Think of the information that most of us have entered into Facebook.<br />
Name, sex, birthday, relationship status and interests, political views, religious views, email address, schools, employment, location, other friends, photos, videos, not to mention whatever comes into our heads and gets posted on our walls. Rebecca Johnson knows when people are coming, when they are going, who they will be with, and much, much more.<br />
Another huge problem is passwords. All too often people use simple passwords that are either easy to guess or short, or they use the same password on many different systems. Further, the processes that protect these systems are often flawed. For example, to do a password reset you might have to answer some questions about yourself that you entered when initially registering (like your father’s middle name, or what elementary school you attended).  Today, most of these questions are not difficult to discover when combining social networking sites and other Internet resources. This is how Sarah Palin’s email was breached during her campaign.<br />
So it’s no surprise that naive, trusting, apathetic, and unsuspecting users, who don’t think about security, are often the same that become victims of identity fraud.<br />
But there’s another culprit: “cloud computing” providers. Last summer, a hacker broke into the personal Google Mail account of the spouse of an executive at Twitter. And because that account was linked to shared documents in Google Apps (a cloud computing system), hundreds of sensitive company documents were exposed. Is the user to blame or the cloud based services? In the aftermath of the breach, fingers were pointed at a lack of policies and procedures prohibiting links of personal email to corporate resources, the cloud computing service, and everything in between.<br />
And Twitter is not alone: Monster.com, Lexis-Nexis, Facebook, MySpace, and many others have all been compromised at some point. That’s because social network sites make it easy to register, login, remember your login credentials, and even reset your password. They also make it very easy to spoof other users, install malware, send SPAM, or conduct any number of other nefarious acts. Plus, these sites have a growing number of third-party applications and service providers that interact with these services – with little in the way of what most security professionals would consider adequate security.<br />
The combination of weak security procedures, third-party interactions, a user culture of “ease of use” trumping security, and the blending of corporate and personal lives is a formula for disaster. And although social networks have one of the biggest targets on their back, they’re just one type of cloud computing service.<br />
The harsh reality: Cloud-based application providers think application first, and somewhere down on the list is security.<br />
So what can be done?<br />
First, cloud computing services need a ground-up overhaul of their security. They need to build their systems with security and privacy as the top priority rather than an afterthought. They need to stop blaming the “other guy” and shore up their own code and networks. They need to protect themselves from unauthorized access, data manipulation, data exposure, and a myriad of other threats.<br />
Meanwhile, users need to take responsibility for their own identities and information and stop flaunting it on the Internet. They need to assume that if they post something on the Internet, everyone in the world can see it. They shouldn’t connect personal accounts to corporate resources. They need to use strong (long and complex) passwords that change periodically and are different for each service they use. There are many secure applications for smart phones that can store credentials.<br />
Anything less and the risk of identity theft and fraud will only escalate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/are-social-media-platforms-the-jurassic-park-of-computing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Host Based Intrusion Prevention</title>
		<link>http://www.atthebreach.com/blog/host-based-intrusion-prevention/</link>
		<comments>http://www.atthebreach.com/blog/host-based-intrusion-prevention/#comments</comments>
		<pubDate>Fri, 05 Mar 2010 18:38:15 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=525</guid>
		<description><![CDATA[Some people often wonder about the value of host based intrusion prevention systems.  There is a good article recently released by Perimeter E-Security on this topic.
]]></description>
			<content:encoded><![CDATA[<p>Some people often wonder about the value of host based intrusion prevention systems.  There is a good <a href="http://www.perimeterusa.com/public/files/Securing-Critical-Systems-with-Host-Based-Intrusion-Prevention.pdf">article</a> recently released by Perimeter E-Security on this topic.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/host-based-intrusion-prevention/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Insider Threat</title>
		<link>http://www.atthebreach.com/blog/the-insider-threat/</link>
		<comments>http://www.atthebreach.com/blog/the-insider-threat/#comments</comments>
		<pubDate>Fri, 12 Feb 2010 15:47:12 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[Blog]]></category>

		<guid isPermaLink="false">http://www.atthebreach.com/?p=520</guid>
		<description><![CDATA[Insiders pose a huge threat to organizations.  Kevin Prince, CTO of Perimeter E-Security, has written a white paper on what the real threat is to companies by their employees.  The article can be found at http://www.perimeterusa.com/public/files/Protecting-Your-Organization-from-Insider-Threat-WP.pdf
]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_521" class="wp-caption alignright" style="width: 336px"><img src="http://www.atthebreach.com/wp-content/uploads/KevinPhoto1.jpg" alt="Kevin Prince" title="Kevin Prince" width="326" height="244" class="size-full wp-image-521" /><p class="wp-caption-text">Kevin Prince</p></div> Insiders pose a huge threat to organizations.  Kevin Prince, CTO of Perimeter E-Security, has written a white paper on what the real threat is to companies by their employees.  The article can be found at <a href="http://www.perimeterusa.com/public/files/Protecting-Your-Organization-from-Insider-Threat-WP.pdf">http://www.perimeterusa.com/public/files/Protecting-Your-Organization-from-Insider-Threat-WP.pdf</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.atthebreach.com/blog/the-insider-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
