Thursday, March 31, 2011
Data Management
From the Dodd-Frank bill to eDiscovery, the impetus for data/records management is increasing. See below for another view. http://www.bbc.co.uk/news/business-12842944
Wednesday, March 30, 2011
Tablet Security
The link below is to a nice article on tablet security. I believe the market for mobile device management (MDM) is going to grow exponentially in the next several years for all devices (Android, RIM BlackBerry, Apple iPhone/iPad). By the way, has anyone tried Juniper's Junos Pulse product (http://www.juniper.net/us/en/products-services/software/junos-platform/junos-pulse/mobile-security/)? http://searchmobilecomputing.techtarget.com/tip/Tablet-security-Best-practices-for-the-tablet-tsunami
SIEM Ramblings Post RSA Breach & Ponemon Cost of Cyber Crime Report
So, after the RSA breach and Ponemon's Cost of Cyber Crime report, I have to say the case for SIEM is stronger than ever. I advocate Splunk whenever I can due to its versatility; however, to each their own when it comes to SIEM tools. Just use one and make sure it works correctly....test, test, and test some more!
Tuesday, March 29, 2011
Server Baselines
The link below, which is to a tool called Security Compliance Manager from Microsoft, leads me to question the need for documented server baselines versus automated tools. I ask as I do not know of any tools for the other platforms, which may lead some shops to just have a baseline for Microsoft only. I suppose this is the case for the SMBs.... http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5534bee1-3cad-4bf0-b92b-a8e545573a3e&displaylang=en
AppSec & ROI
Apparently Microsoft has a need for ROI with their security efforts (AppSec, InfoSec, etc.) too.... http://www.microsoft.com/downloads/en/details.aspx?FamilyID=813810f9-2a8e-4cbf-bd8f-1b0aca7af61d&displaylang=en
Saturday, March 26, 2011
Friday, March 25, 2011
Cloud-based PCI DSS, PA DSS & HIPAA Compliance
The wisdom given below can be extended to HIPAA, GLBA, etc...
http://searchcloudsecurity.techtarget.com/news/2240033583/PCI-DSS-compliant-cloud-providers-No-PCI-panacea?asrc=EM_NLN_13525922&track=NL-102&ad=821279
Wednesday, March 23, 2011
Cloud Service Brokerages, Personal Health Records, and Electronic Health Records
So I keep hearing, and reading, about these Cloud Service Brokerages (CSBs) and I wonder how this model will be applied to the healthcare industry. Will this model extend to Electronic Health Record (EHR) and/or Personal Health Record (PHR) systems?
Tuesday, March 22, 2011
Cloud, Vendors & Maturity Model
I received a document (see link) this morning, and it got me thinking about how a holistic maturity model is needed for vendor audits/assessments as there are so many different types of guides/frameworks/certs (i.e. PCI/COBIT/SAS 70/FISMA/HITRUST/BITS/ISO). Would something like a CMM/GARP maturity model work?
http://www.ncontrol-llc.com/ISF_Cloud_Computing_Executive_Summar_Public_version_170311.pdf
Labels: BITS, CMM, FISMA, GARP, HITRUST, ISO, maturity model, PCI DSS, SAS 70, vendor assessments, vendor audits
Monday, March 21, 2011
Symantec's Internet Security Threat Report
Some highlights from the link below:
- $0.85-$30.00 USD per Credit Card Number/PAN
- Physical Theft Accounted for 37% of Breaches Related to Identity Theft
- Attacks on Browser-based Applications are Increasing
- 88% of Email is Spam
- Hacking Exposed 60% of Identity Theft Incidents
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf
Monitoring Employees' Personal Social Media Content
Does your HR department need to monitor your employees' personal tweets, etc.? If so, is this explicitly in your Acceptable Use policy?
http://itknowledgeexchange.techtarget.com/total-cio/using-social-media-and-networking-to-spy-on-understand-your-employees/?track=NL-964&ad=817927&asrc=EM_NLN_13443889&uid=8266525
Friday, March 18, 2011
Call Centers, Recorded Calls & PCI Security Compliance
When I read the PCI SSC's (Security Standards Council's) advice/clarification on protecting credit card information over the phone (call center recordings), I think of call recording/Business Activity Monitoring (BAM) solutions like Verint, and the large amount of recorded data.
I know of several clients/organizations that have years/months of legacy data in this context (including WAV files that have been sent as email attachments). My advice is to encrypt this legacy data before/after archiving it to tape/disk, and to scrub new recordings of card data prior to archiving them.
https://www.pcisecuritystandards.org/documents/protecting_telephone-based_payment_card_data.pdf
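The "scrub before archiving" step above depends on being able to find PANs reliably in whatever gets archived. The Python below is an added illustration of that detection logic, not code from the post or from any vendor it mentions: it pulls candidate digit runs out of text, keeps only those that pass the Luhn check (so order numbers and phone numbers are left alone), and masks everything but the last four digits. The call-center transcript it runs on is constructed for the example; applying this to real recordings assumes a textual artifact such as a transcript, IVR log, or ticket note exists alongside the audio.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return (start, end, digits) for each Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS allows to remain visible."""
    return "X" * (len(digits) - 4) + digits[-4:]


def scrub(text: str):
    """Replace every detected PAN with its masked form; returns (clean_text, count)."""
    out, last, count = [], 0, 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append(mask_pan(digits))
        last = end
        count += 1
    out.append(text[last:])
    return "".join(out), count


# Constructed sample: an order number (16 digits, fails Luhn), a real-looking
# test PAN (4111 1111 1111 1111 passes Luhn), and a phone number (too short).
SAMPLE_TRANSCRIPT = (
    "Agent: I have your order 1234567890123456 here.\n"
    "Caller: my card is 4111 1111 1111 1111, expiry 12/14.\n"
    "Agent: thanks, call back on 215-555-0100 if needed.\n"
)

if __name__ == "__main__":
    clean, n = scrub(SAMPLE_TRANSCRIPT)
    print(f"{n} PAN(s) masked")
    print(clean)
```

Files where `scrub` reports a count of zero can go straight to the encrypted archive; anything with a non-zero count is evidence that card data reached storage and needs the full PCI DSS treatment (and is a good reason to find the upstream process that let it in).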
Records Compliance & Management
The second example of a HIPAA civil case in the link below highlights the need for proper records compliance and management controls. I assume this person intended to take some work home; however, if the right controls/safeguards were in place I would think this person would have been given an encrypted CD/DVD versus hard copies.
Regardless, we need to be trained on how to handle manual/paper records, as much as electronic.
http://blogs.healthcareinfosecurity.com/posts.php?postID=896&rf=2011-03-18-eh&hq_e=el&hq_m=1002363&hq_l=25&hq_v=bb1cf70608
RSA hit by Advanced Persistent Threat (APT)
It seems even RSA is not safe from the APT dilemma. Apparently, this affects RSA's SecurID two-factor authentication systems (2FA). If this is not a great use case for defense in depth, then I do not know what is.
http://www.healthcareinfosecurity.com/articles.php?art_id=3444&rf=2011-03-18-eh&hq_e=el&hq_m=1004386&hq_l=28&hq_v=bb1cf70608
Monday, March 14, 2011
8 Breach Prevention Tips
This article is catered to the healthcare market, but I feel it is relevant to all parties.
http://www.healthcareinfosecurity.com/articles.php?art_id=3405&pg=1
Federal HIPAA Audit Program
See the link below for an interview with a honcho from HHS OCR about the upcoming pilot for the federal HIPAA Audit Program.
http://www.healthcareinfosecurity.com/podcasts.php?podcastID=1039&rf=2011-03-14-eh&hq_e=el&hq_m=997025&hq_l=28&hq_v=bb1cf70608
Sunday, March 13, 2011
Archiving Logs from the Cloud, to the Cloud
Having started a trial of Arkivo, a social media archiving solution, while concurrently looking at cloud-based log archiving solutions (e.g. Monitis), I wonder when a best-of-breed, one-stop shop will be created in the cloud for all archiving needs.
I guess we should get to work on that one....
Friday, March 11, 2011
Social Media In Healthcare
Some good stuff from the Mayo clinic:
http://www.healthcareinfosecurity.com/articles.php?art_id=3421&rf=2011-03-11-eh&hq_e=el&hq_m=995881&hq_l=29&hq_v=bb1cf70608
Thursday, March 10, 2011
Archiving Social Media & Integrating It With Email, SharePoint, File Shares, etc.
We have advised clients to implement social media archiving, but we have not done the engineering/implementation yet. Regardless, I wonder when the large archiving software solution providers (Symantec, EMC) will acquire, build and integrate social media archiving solutions with their products. I see this as a separate module versus a completely integrated system, but a unified system just the same.
Incident Response & Notification Systems
There has been an incident at one of the higher education institutions I teach at, which has kicked off their notification system (via texts/SMS, etc.). However, it is pretty apparent the kinks of the system and/or communication process have not been worked out.
This reminds me of how ALL organizations need to test their notification workflow, whether that is manual call flows or an automated system. Such a test should cover the following: (physical/cyber) incident response, business continuity, and/or vendor management.
Wednesday, March 9, 2011
Cost of a Data Breach: $214/Compromised Record
On average, a data breach costs $214/compromised record.
http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon&om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2011Mar_worldwide_costofdatabreach
Tuesday, March 8, 2011
AppSec & Code Reviews
I was at an OWASP meeting last night where this slide deck was presented. Good stuff!
http://www.owasp.org/images/7/79/2010-DC_The_Power_of_Code_Review.pptx
Monday, March 7, 2011
Discovering a Data Breach
I just discovered a data breach for a local municipal authority in the way of hard-copy printouts containing Personally Identifiable Information (PII) flying across the street on this windy day.
I called to report this, so I hope they act on it. I am interested in how well they respond to this incident.
Thursday, March 3, 2011
Cloud Security Alliance, Delaware Valley Chapter: 3/22 IT Executive Roundtable
We will be holding our first Cloud Security Alliance, Delaware Valley Chapter (CSA-DelVal) event on Tuesday, March 22nd at 6pm at Widener University. This event will be an IT Executive roundtable regarding the cloud. Additional details are available via the link below.
http://www.ncontrol-llc.com/CSA-DelVal_IT_Exec_Roundtable_Flyer.pdf
Wednesday, March 2, 2011
Android Malware
It looks as if malware is becoming more prevalent on the Android platform.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528123,00.html?track=NL-1647&ad=815672&asrc=EM_NLN_13387858&uid=8266525
Cloud Services versus Splunk in the Cloud
I want to test out Splunk in the cloud and I would like to monitor that (probably AWS EC2) image with Monitis (http://portal.monitis.com/).
Look for future posts to discuss this in more detail.
Tuesday, March 1, 2011
Top 10 Cloud Providers
Here is a slideshow enumerating the top 10 cloud providers per Cloud Computing Digest.
http://searchcloudcomputing.techtarget.com/feature/Top-10-cloud-computing-providers-of-2011
Testing Cloud Backups
Reading the article below reminded me to post a recurring thought I've had: the ability to test one's online backups. I ask because I have had a difficult time getting SMB orgs with tape backups to test their backups. What about those using the cloud? Has anyone thought of the effect of a regional disaster where limited connectivity exists? Also, in the event of another Katrina, etc., what is the capability of the provider to do multiple restores across the wire?
http://viewer.media.bitpipe.com/1157126723_318/1296839150_593/CloudBackupEGuide.pdf
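A restore test only proves something if you can say what "correct" looks like before the restore happens. The Python below is an added example, not from the post or the linked guide, of the minimum machinery for that: a manifest of sizes and SHA-256 hashes taken at backup time, and a verifier that walks the restored tree and classifies every file as ok, missing, corrupt, or unexpected. The `demo` function builds a constructed scenario in a temporary directory (three files backed up, one restored intact, one truncated, one never restored); the directory names and file contents are made up for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative path -> {size, sha256} for every file under root, recorded at backup time."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest and bucket each file by outcome."""
    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, meta in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif p.stat().st_size != meta["size"] or sha256_file(p) != meta["sha256"]:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(restored_root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up three files, then simulate a partially failed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        dst = Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        dst.mkdir()
        (src / "db" / "patients.csv").write_bytes(b"id,name\n1,example\n")
        (src / "config.ini").write_bytes(b"[app]\nmode=prod\n")
        (src / "notes.txt").write_bytes(b"restore me\n")
        manifest = build_manifest(src)

        # Simulated restore: one file intact, one truncated mid-transfer, one never arrives.
        (dst / "db").mkdir()
        (dst / "db" / "patients.csv").write_bytes(b"id,name\n1,example\n")
        (dst / "config.ini").write_bytes(b"[app]\n")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    for outcome, files in demo().items():
        print(f"{outcome:10s} {files}")
```

Store the manifest separately from the backup itself (and sign or hash it), otherwise a corrupted or tampered archive can carry a matching manifest along with it. For the regional-disaster question in the post, the same verifier run against a restore of a representative sample, rather than the whole set, at least tells you whether the provider's restore path works at all before you depend on it under pressure.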
Legacy Apps & the Cloud
The article below does a good job of articulating that many organizations are running large and/or legacy apps that were not built with virtualization (e.g. the cloud) in mind. What this means to me is that a full cloud distribution model is a long way away for many organizations.
http://searchcloudcomputing.techtarget.com/news/2240032717/Applications-interfere-with-cloud-computing-adoption?asrc=EM_EDA_13369712