Security at What Cost?
Electronic Frontier Foundation and Asian Law Caucus, two civil
liberties groups in San Francisco, filed a lawsuit to force the government to
disclose its policies on border searches, 
including which rules govern the seizing and copying of the
contents of electronic devices. They also want to know the boundaries for asking
travelers about their political views, religious practices and other activities
potentially protected by the First Amendment. The question of whether border
agents have a right to search electronic devices at all without suspicion of a
crime is already under review in the federal courts.
The lawsuit was inspired by some two dozen cases, 15 of which
involved searches of cellphones, laptops, MP3 players and other electronics.
Almost all involved travelers of Muslim, Middle Eastern or South Asian
background, many of whomÂ… said they are concerned they were singled out because
of racial or religious profiling.
-
more info
Most Data Breaches Caused By IT Administrators and Business Partners
Inside security breaches create more security violations than
those of outsiders say a security breach analysis study published by a major
telephone carries.
-
External breaches pose the greatest
threat (73%), but achieved the least impact (30,000 compromised records
-
Insiders breaches pose the least threat (18%), and
achieved the greatest impact (375,000 compromised records - plus 50% of
these are as a result of IT Administrators
- Business partner breaches posed a mid-sized threat (39%) but compromised
187,500
While these are rudimentary numbers, the relative risk scores are reasonable
and discernable. It is also worth noting that the business partner numbers rose
over the duration of the study, making partner crime the leading factor in
breaches. This is likely due to the ever increasing number of partner
connections businesses are establishing, while doing little to nothing to
increase their ability to monitor or control their partner's security
posture.
-
more info
87% of Data Breaches are Avoidable Says Verizon
Data breaches are a fact of life with the advance of Wi-Fi, 3G, and remote
computing as it is done in todayÂ’s flexible business environment.
Data breaches and network intrusions occur because the personal
information compromised includes data elements useful to identity thieves, such
as Social Security numbers, account numbers, and driver's license numbers. Some
breaches do not expose such sensitive information; however, they still expose
individuals to identity theft and business to a compromise of their electronic
assets and that must be disclosed under Sarbanes-Oxley and various state
laws.
According to Verizon, nearly nine in 10 corporate data breaches could have
been prevented had reasonable security measures been in place.
The Verizon "2008 Data Breach
Investigations Report" spans four years and more than 500 forensic
investigations involving 230 million records, and analyzes hundreds of corporate
breaches including three of the five largest ones ever reported.
They found that 73 percent of breaches resulted from external sources versus
18 percent from insider threats, and most breaches resulted from a combination
of events rather than a single hack or intrusion.
Recommendations for Enterprises
Simple actions, when done diligently and continually, can reap big benefits,
the study notes. Key recommendations include:
- Align process with policy. In 59 percent of data breaches, the
organization had security policies and procedures established for the system,
but these measures were never implemented. Implement, implement, implement.
Create a data retention plan. With 66 percent of all
breaches involving data that a company did not even know was on their system,
itÂ’s critical that an organization knows were data flows and where it resides.
Identify data and prioritize its risk to the organization.
- Control data with transaction zones. Investigators concluded that network
segmentation can help prevent, or at least partially mitigate, an attack. In
other words, wall off data when and where appropriate.
- Monitor event logs. Evidence of events leading up to 82 percent of data
breaches was available to the organization prior to actual compromise. Data
logs should be continually and systemically monitored and responded to when
events are discovered.
- Create an incident response plan. If and when a breach is suspected, the
organization must be ready to respond, not only to stop the data compromise
but to collect evidence that enables the business to pursue prosecution when
necessary.
- Increase awareness. Only 14 percent of data breaches were discovered by
employees of the victimized organization, even though employees are the first
line of defense in safeguarding data. Educate them to be aware.
- Engage in mock-incident testing: Making sure employees are well-trained to
respond to a breach. Run drills and test peopleÂ’s abilities, judgements and
actions during a mock crisis.
A complete copy of the "2008 Data Breach Investigations Report" is available
at http://www.verizonbusiness.com/resources/security/databreachreport.pdf.
-
more info
ID Theft By Those Close To You
ID Theft is not
just by strangers in Eastern European countries. A recent arrest shows how an Ivy League
economics graduate and his girl friend who looked like the Mr. and Mrs. American
couple stole the identities of friends, co-workers and neighbors.
They enjoyed an luxurious life style that included trips to the
Caribbean, Hawaii, and Europe. In a
very brief period they stole over $115,000 and were in process of trying to
steal over $120,000 when they were arrested.
They used simple techniques like
breaking into apartment to get information on neighbors, dumpster diving, and
getting mail box keys for their apartment complex. They applied for credit cards
and then intercepting the cards when they arrived via the mail. They also had fake driverÂ’s licenses
and an industrial machine that made identity cards.
-
more info
Free Wi-Fi May Become a Reality
The U.S. Federal Communications Commission (FCC) plans to vote on a program
to auction a "Free WiFi" spectrum.
The winner of the 25Mhz piece of spectrum in the 2155MHz band would be
required to deliver free wifi Internet access. The operator could choose to use
any technology, but in that range, WiMax or many of the mobile technologies
would make sense.
The FCC believes this is a good idea and demonstrates the FCC's
commitment to supporting initiatives that have a positive impact on the next
phase of broadband innovation. This will give consumers greater choices to
access the Internet said a FCC spokesperson.
The FCC has developed the plan based on proposals from several companies. In
2006 one company proposed that the FCC give the company the spectrum so that it
could offer free wireless Internet access to users. The company planned to fund
the network through advertising and said that it would give the FCC 5 percent of
its gross revenue. The FCC's current proposal would simply auction the spectrum
to the highest bidder and require the free services.
The current proposal also includes a requirement for a content filter that
would aim to prevent minors from accessing adult content over the free network.
The final plan could also include specified data rates for the free service.
-
more info
