Editor : Martin Simamora, S.IP |Martin Simamora Press

Wednesday, 29 December 2010

Faces of Fraud 2011: Beware Cross-Channel Threats

Survey Results Reveal Top Fraud Threats to Banking Institutions
Billshrink
Fraud in all its forms will continue to strike banking institutions across all channels in 2011. And until banks and credit unions increase their investments in analytics and channel integration, they will continue to suffer losses.

That's the overall message from the Faces of Fraud: Fighting Back survey, whose results have just been released in an Executive Summary by Information Security Media Group. The results, which include responses from more than 230 financial leaders and security officers at financial organizations of all sizes, reveal keen insights into the fraud landscape.

Among the survey's top findings:
  • Credit and debit card fraud ranks No. 1 among current forms of fraud, with 81 percent of respondents saying they have been impacted by payment card incidents this year. Check fraud comes in second, with 63 percent saying it remains a problem.
  • Phishing and vishing-related fraud comes in third, getting 48 percent of the respondents' votes. Interestingly, only 20 percent of respondents say they are prepared to fight and prevent phishing and vishing attacks.
  • Cross-channel fraud detection is not being widely implemented, with 55 percent saying they continue to rely on manual fraud detection techniques. Only 26 percent have a plan or team in place for cross-channel fraud detection; and 63 percent collectively say they either have no cross-channel plan or team, are working on a plan or team, or simply don't know.
  • And 76 percent of respondents first learn of fraud incidents only when their customers and members notify them.
  • To reduce vulnerability to fraud, 63 percent say they have improved customer and employee awareness through education, 40 percent say they have invested in new technology and 17 percent say they have increased their budgets and/or staff.
  • In 2011, 34 percent of respondents say they will increase budgetary investments and/or personnel to improve fraud prevention. 

Reactions to the Results

"Many institutions only know about fraud when they get notified by the customer, and that is not indicative of an industry that is really trying to address the problem," says George Tubin, a senior research director for TowerGroup, focusing on delivery channels and financial security.
Tubin's perspective is not isolated. His is one of a handful of opinions solicited in response to the Faces of Fraud survey results.
Matthew Speare, senior vice president of information technology for Buffalo, N.Y.-based M & T Bank Corp., says fraud detection at banks and credit unions is still evolving.
"It's still an afterthought," Speare says during a panel discussion included in the Faces of Fraud Survey Results webinar. "No one seems to have been able to have made a lot of traction, and no one seems to be doing a lot to detect multichannel fraud."
But Speare is quick to point out factors that have contributed to banks' and credit unions' stagnation in multichannel detection. "What we see is that as organizations get larger, you get more and more siloed," he says. "It's an incredible challenge, especially if you scale over time, to get the full view of your customer and all of their transactions."

Fraud Awareness: 'It's Pretty Sad'

Others who reviewed the survey's results are less lenient, saying it's time for banking institutions to catch up. Avivah Litan, a distinguished analyst and vice president at Gartner, says banks and credit unions have for years continued to face the same fraud issues and rely on the same detection methods. "It seems fraud detection is really getting short-changed," she says. "It also says there is a lot of fraud they are never detecting."

With more than three-quarters of the survey's respondents saying they learn about fraud when customers notify them, Litan says, "I see that year after year, and it's pretty sad." It's clear cross-channel fraud is a problem, yet continues to fly under the radar. "There's not enough money being spent on cross-channel fraud detection, and that is disappointing to me," she says. "So much emphasis is being put on education for consumers and employees, but they aren't investing in technology."

Application Fraud

Tower's Tubin says many small to mid-sized financial institutions simply don't believe cross-channel fraud is a problem. According to the survey, 39 percent say cross-channel fraud accounts for less than 10 percent of all fraud incidents. "Institutions have a hard time determining when cross-channel fraud actually occurs," Tubin says. "When they do see fraud, they see the end result, such as check fraud, and they classify it as a fraud that occurred that way," rather than working their way back to follow the fraud trail.
Criminals are exploiting that inability on the part of institutions to link channels. "They recognize that an institution typically works in a siloed environment," Tubin says. But banks and credit unions are not poised to change that siloed environment anytime soon. According to the survey's findings, 27 percent do not even have teams or defined plans dedicated to cross-channel fraud detection. Mike Urban, senior director of fraud solutions for FICO, which provides data analytics and fraud-detection systems, says none of that is so surprising. "The advancements and investments institutions are making are taking place on the card-fraud side," says Urban, who also analyzed results during the Faces of Fraud survey webinar. "I was not surprised that institutions felt they were most covered on the card fraud and AML (anti-money laundering) sides," he says. "That's where most of the investments go."

More Integration Needed

Without cross-channel integration, however, and a so-called 360 view, Urban says account takeovers could be hitting several accounts simultaneously and going completely unnoticed. "Fraud detection needs to be in real-time, across channels, even in batch processing," he says. Analytics and efficient rules engines, which tie analytics and customer behavior scores to an action, are the only ways to effectively fight fraud. But getting that kind of integrated view is not so doable in practice, says M & T's Speare. Most financial institutions are nowhere close to having readily available real-time customer/member analytics and data. Innovations have been made for some channels, such as the ATM, through best-of-breed systems and architecture from third-party vendors, he says. But those innovative architectures have to connect to existing infrastructures, which are often "extremely old, so you're forced to have something that is not close to real-time."
What institutions can do, Speare says, is dedicate teams to review fraud statistics from disparate channels. It is a manual process, but "probably the closest we are going to get for a while."
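To make the point about siloed channels concrete, the following is an added, constructed example (not code from the article or from any vendor it quotes). It contrasts a single-channel ACH check, which only sees the transfer amount, with a customer-centric rule that links a contact-detail change or password reset on one channel to a transfer on another inside a short window; the channel names, event kinds, thresholds and sample events are all assumptions made for the illustration.

```python
"""
Cross-channel fraud correlation, illustrated with constructed events.
A siloed ACH monitor only sees amounts; a customer-centric ("360") rule
also sees precursor events that arrived through other channels.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    ts: datetime
    customer: str
    channel: str      # assumed channel names: call_center, online, atm, ach
    kind: str         # assumed event kinds: contact_change, password_reset, transfer
    amount: float = 0.0


# Constructed sample covering three customers:
#  C100: contact change (phone), password reset (online), then an ACH transfer
#  C200: a similar-sized transfer with no precursor activity
#  C300: a contact change, but eleven days before the transfer
SAMPLE_EVENTS = [
    Event(datetime(2010, 12, 1, 9, 0), "C100", "call_center", "contact_change"),
    Event(datetime(2010, 12, 1, 9, 40), "C100", "online", "password_reset"),
    Event(datetime(2010, 12, 1, 10, 15), "C100", "ach", "transfer", 4800.0),
    Event(datetime(2010, 12, 1, 11, 0), "C200", "ach", "transfer", 4900.0),
    Event(datetime(2010, 11, 20, 8, 0), "C300", "call_center", "contact_change"),
    Event(datetime(2010, 12, 1, 12, 0), "C300", "ach", "transfer", 4700.0),
]

# Assumed thresholds: a siloed amount-only limit, and a much lower limit that
# applies once credential or contact precursors have been seen recently.
PER_CHANNEL_LIMIT = 5000.0
CROSS_CHANNEL_LIMIT = 1000.0
CORRELATION_WINDOW = timedelta(hours=24)
PRECURSORS = {"contact_change", "password_reset"}


def siloed_ach_alerts(events: List[Event]) -> List[Event]:
    """What a single-channel ACH monitor reports: only large transfers."""
    return [e for e in events
            if e.channel == "ach" and e.kind == "transfer"
            and e.amount >= PER_CHANNEL_LIMIT]


def cross_channel_alerts(events: List[Event]) -> List[Tuple[Event, List[Event]]]:
    """
    Customer-centric rule: flag a transfer when the same customer produced a
    precursor event on a *different* channel within CORRELATION_WINDOW.
    Returns (transfer, precursors) pairs so the fraud trail can be reviewed.
    """
    by_customer = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_customer[e.customer].append(e)

    alerts = []
    for evs in by_customer.values():
        for i, e in enumerate(evs):
            if not (e.kind == "transfer" and e.amount >= CROSS_CHANNEL_LIMIT):
                continue
            precursors = [p for p in evs[:i]
                          if p.kind in PRECURSORS
                          and p.channel != e.channel
                          and e.ts - p.ts <= CORRELATION_WINDOW]
            if precursors:
                alerts.append((e, precursors))
    return alerts


def explain(alert: Tuple[Event, List[Event]]) -> str:
    """Render an alert as the kind of trail a review team would want to see."""
    e, pre = alert
    trail = ", ".join(f"{p.kind} via {p.channel} at {p.ts:%H:%M}" for p in pre)
    return f"{e.customer}: {e.kind} of {e.amount:.2f} via {e.channel} preceded by {trail}"


if __name__ == "__main__":
    print("siloed ACH alerts:", [e.customer for e in siloed_ach_alerts(SAMPLE_EVENTS)])
    for a in cross_channel_alerts(SAMPLE_EVENTS):
        print("cross-channel alert:", explain(a))
```

With the sample data the siloed check raises nothing, while the cross-channel rule flags only C100, whose transfer follows two precursors on other channels; C300's old contact change falls outside the window.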

Manual Detection: A Bright Spot for ACH?

According to the survey, most institutions, 55 percent, do rely on manual reports for fraud detection. Only 16 percent say they use tools to detect cross-channel patterns. Most disturbing for experts who reviewed the results: 40 percent say current anti-fraud technologies fail to detect cross-channel patterns. 
That's a red flag, Tubin says. "Manual processes, going forward, are not going to hit the mark," he says. "Neural-net detection is important," and 33 percent of respondents say they do plan to invest in neural fraud detection. That kind of integrated detection, which relies on adaptive analytics to pick up subtle anomalies and patterns, will allow institutions to detect "something that might be missed otherwise," Tubin says.

While manual detection is not ideal, the results could reveal a relative bright spot for ACH-fraud detection, Litan says. "Maybe the numbers are not so bad," she says. "More than half say they have invested in internal monitoring for ACH-fraud detection, which could be manual or automated, depending on how they read the question." According to the survey, 53 percent have increased internal monitoring of ACH transactions and 18 percent are using out-of-band authentication.

But Tubin points to a larger problem: Most institutions don't see ACH fraud as posing a great threat. Only 37 percent say they were impacted by ACH and wire fraud in 2010. Credit and debit, check, and phishing and vishing attacks were deemed more prevalent and threatening. "Institutions do not see ACH and wire fraud as being a big issue because they don't pay for the loss," Tubin says.

Investments in ACH-fraud detection are increasing, especially at larger institutions. But a shift in attitude, Tubin says, among banks and credit unions will ultimately be the best catalyst for change. "The survey indicates the institutions are just not taking it seriously," he says. "The traditional attitude between the institution and its (commercial) customer is one of equals. As long as the institution is putting a reasonable effort toward decreasing fraud, the onus is put back on the customer to fight the fraud; and in today's environment, that is really not fair."

Institutions Favor Education

Across the board, 76 percent of respondents say customer and employee education is the best way to fight fraud. But industry analysts beg to differ. "They are relying too much on customer education and manual processes, rather than on automated fraud-detection processes and workflow," Litan says. "You need to spend money to save money." 
While Tubin agrees that banking institutions must focus on customer and employee education, he says it appears to be relied upon too much for fraud detection. "Employee education is absolutely necessary," he says. "But because of the sheer volume of transactions and the move to electronic transactions, we have to invest in more technology for fraud detection. We have to do more."

Institutions are expected to invest more heavily in measures to cut fraud in 2011, with 34 percent of respondents saying they will increase fraud-prevention budgets and/or personnel. That's good news, Litan says.

"There is much more demand for enterprise fraud management than there ever has been," she says. "I also think the banks want to cut down on the number of vendors they work with, so they want to consolidate their fraud operations. I'm sure they want the budget to invest in more, but they just can't get the budget," she says. "Financially, they're struggling."

(Bank info Security)

Tuesday, 28 December 2010

Will 2011 be the year of mobile malware?

blog.trendmicro.com
Perhaps one of the most common predictions of the last six years has been that mobile malicious software will suddenly proliferate, driven by widespread adoption of smartphones with advanced OSes.

None of those prognostications have really come to fruition, but it's likely that the coming year will bring a host of new malicious applications. Users -- while generally aware of threats aimed at their desktop computers and laptops -- have a good chance of being caught flat-footed with their mobile phones.

In the third quarter of this year, up to 80 million smartphones were sold around the world, which accounted for about 20 percent of the total number of mobile phones sold, according to statistics published last month by analyst firm Gartner. Smartphones are Internet-capable and therefore more vulnerable to attack than other mobile devices.

The threats against those devices are going to come in several categories:

Rogue applications: Marketplaces for mobile applications are becoming increasingly popular for platforms ranging from Apple's iOS and Google's Android to Microsoft's Windows Phone 7 and Symbian. Apple maintains tight control over its App Store, which has helped keep rogue applications from being offered. But bad applications for other platforms have popped up.

In September, researchers from security vendor Fortinet discovered a mobile component for Zeus, a notorious piece of banking malware that steals account credentials. The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions.

The mobile app carried a legitimate signing certificate, which allowed it to be downloaded and installed on devices. The development was particularly disconcerting as many banks are looking at using mobile phones to send one-time passcodes by SMS (Short Message Service) rather than issuing separate devices that can generate the code.

There's little defense from sneaky rogue applications, but users should be generally careful about downloading programs, particularly for platforms where those applications may not be vetted so closely.

Traditional malware: While desktop OSes such as Windows are plagued by malware, there have been far fewer malicious programs aimed at mobile devices as of yet. But researchers have seen applications such as rogue dialers, which will send SMSes to premium-rate numbers owned by the fraudsters. Other threats include worms spread by communication protocols such as Bluetooth.

With the increase in use of tablet computers that run mobile operating systems, those devices will also be subject to those same threats. "We do believe that is going to arrive in the next 12 months," said Bradley Anstis, vice president of technical strategy for security vendor M86. Malicious hackers are "lazy people, they will always go after the low-hanging fruit."

Privacy, data collection issues: Mobile applications can also have other privacy-related risks such as collecting, transmitting or storing data. Advertising networks and mobile application developers are often highly interested in metrics around how and where people are using their applications. Data may include information identifying a specific device, with users unaware they are being tracked. Apple, however, allows application developers to collect location information but only as long as users are notified.

Social engineering: Just like on desktops and laptops, fraud doesn't have to involve a technical trick. Phishing -- the practice of using a fake website to trick users into revealing sensitive information -- is as much or more of a threat on mobile devices. People often trust their mobile device more than their computer and are therefore more vulnerable to phishing.

If a person is on a corporate network, phishing sites are usually blocked, Anstis said. But if someone is using a work mobile device over 3G, that connection is not going through a corporate gateway but the operator's network, which may not block those harmful sites. M86 has been developing a browser-based system that would send URLs to its data center for analysis and block malicious ones, Anstis said.

Other companies are also seeing opportunities for new services around mobile devices. Juniper Networks, for example, acquired SMobile Systems in July for US$70 million. SMobile has a laboratory in Columbus, Ohio, that focuses on studying mobile malware, said Amir Khan, business development manager for the U.K. and Ireland.

"The reason we set that up is because we realize the threats in the mobile space are very specific," Khan said. "It's not just that desktop threats have migrated to the mobile world."

(CSOONLINE)

Friday, 24 December 2010

S'pore tweaks telecom policies to 'safeguard' consumers

The Infocomm Development Authority (IDA) has tweaked the country's Telecom Competition Code to prevent service providers from pressuring consumers into making payment of disputed charges and subscribing new services.

In a statement released Wednesday, the ICT regulator said the amendments reflected market developments since the last review between 2003 and 2005, and feedback from consumers and the industry.

Effective from Jan. 21 next year, the changes will "further safeguard consumers' interests" and drive competition in the local telecommunications market, the IDA said.

It highlighted two key changes, one of which will bar licensees from "cross-terminating" service agreements should the consumer breach terms and conditions of another service agreement from an affiliated operator, or if the consumer has subscribed to a basic telephone service.

"This would mean that telecom operators cannot exert undue pressure on consumers to make payment of disputed charges through threatening to terminate services offered by an affiliated telecom operator, unless the services are offered under the same service agreement," the regulator explained.

It also protects the consumer's right to the use of a basic telephone service, it added.

In addition, licensees will no longer be able to automatically charge consumers after the end of a free service trial without first obtaining the consumer's express agreement to do so.

Other changes to the telecom code were made specifically to drive market competition, the IDA said. One amendment will give the regulator the ability to seek prohibition against abuse of dominant position by any licensee identified as having "significant market power", even if it is not classified as a "Dominant Licensee" under IDA's policy.

This will apply to licensees that may have gained market power in some market segments over time, allowing the IDA to investigate and take necessary steps to address actions that restrict competition.

The authority said it will continue to monitor market developments and consumer feedback, and make further amendments when necessary to "improve consumers' experience".
(zdnetasia)

India needs 'inclusive innovation'

NEW DELHI--Economists and business leaders here are urging entrepreneurs to focus on society and disruptive innovation in order to launch ultra-low cost products aimed at low-income groups in India.

"Entrepreneurs need to be socially responsible," Nobel Laureate Professor Amartya Sen said at the inaugural The Indus Entrepreneurs (TiE) summit held here Tuesday. Attended by 2,000 participants, the three-day annual conference gathers several first-generation business leaders such as Shiv Nadar, who is the founder of HCL, N.R. Narayana Murthy, who serves as chairman and chief mentor at Infosys Technologies, and NIIT Chairman Rajendra S. Pawar, alongside economists, bankers, venture capitalists and inventors to share their insights on entrepreneurship.
According to Sen, India cannot rely on the trickle-down effect alone to alleviate poverty. "High economic growth leads to high growth in public revenue. This gives governments the opportunity to use public funds to do a lot of good things," he said.

TiE is a global not-for-profit organization focused on promoting and fostering entrepreneurship through mentorship, networking and education. It has 53 chapters spread across 13 countries, including the Delhi-NCR chapter, over 12,000 members and 2,500 charter members who are experienced entrepreneurs, venture capitalists, lawyers and management professionals in their chosen field.
Also a speaker at the summit, R.A. Mashelkar, scientist and former director-general of Council of Scientific and Industrial Research (CSIR), said India needs "inclusive innovation" and acknowledged that "the good thing is the government is aware of this".

In August this year, India Prime Minister Manmohan Singh had approved the establishment of a National Innovation Council to prepare a 10-year roadmap, extending to 2020. The council is headed by Sam Pitroda, an IT expert who helped revolutionize ICT in India in the late 1980s.
According to Mashelkar, there is a stupendous task before India--a country that is doing well but in which nearly 50 percent live below the poverty line. "It's important that all Indians do well. The 'I' in India should stand for innovation, and not for imitation," he said.

He added that innovation should include the excluded, be accessible and affordable, and get more from less. "It's important for businesses to do well," Mashelkar said. "They need to make higher profits and give back more value to the shareholders. However, entrepreneurs need to do well by doing good."

India does not need low-cost but ultra-low-cost products, the scientist noted. "The products need to be extremely affordable and that can only happen through disruptive innovation," he added.

British High Commissioner Richard Stagg said both India and the United Kingdom need innovation. "The U.K. needs innovation because it is a very high cost-economy. Innovation will help maintain the high standards of living and prosperity that the people from Britain are used to," Stagg said. The U.K. has been the country partner of the Delhi-NCR chapter of TiE for the last three years.

Speaking at the summit, filmmaker Shekhar Kapur said 80 percent of innovation is not socially just. "Entrepreneurship comes out of nothing, so if we can force entrepreneurship down to the bottom of the pyramid, we can become a truly great nation," Kapur said.

Scarcity, aspirations lead to innovation
The summit also highlighted that much of the innovation in India is emerging out of scarcity and aspirations. For instance, Mashelkar described how a student in Kerala, Remia Jose, had a lot of household chores to do when her mother fell ill. She would return from school and wash clothes because her family could not afford a washing machine.

To cope, then 15-year-old Remia created a washing machine that ran on pedals and did not require electricity to operate. The machine cost just US$45 (INR 2,000).

Mansukhbhai Prajapati also invented an earthen refrigerator, called Mittikool, which is priced at US$77 (INR 3,500). The refrigerator has separate compartments for storing water and vegetables and also runs without electricity, making it ideal for rural areas.

Prajapati operates a small-scale industrial unit in Rajkot, which has been producing clay products since 1988. Besides the refrigerator, Prajapati's company also manufactures non-stick pans made from clay, as well as Mittikool water filters, cookers and dinner sets.

The TiE summit will also feature upcoming entrepreneurs such as S. Venkatesh from Goli Vada Pav, which is India's first ethnic fast-food chain with products made in a fully automated, HACCP-certified, hands-free plant. Other entrepreneurs scheduled to share their journey at the conference include Mittikool's Prajapati, and Sumita Ghose, who founded Rangsutra to provide employment to artisans.

Entrepreneurs from other countries, such as Philippine fast-food chain founder Tony Tan Caktiong and Israeli entrepreneur Zohar Zisapel, will also be at the summit. Sessions at the conference will also encompass topics such as sports, education and clean technology, as well as feature women entrepreneurs.

(zdnetasia| Swati Prasad is a freelance IT writer based in India.)

Thursday, 23 December 2010

'Fingerprint' Software to Stem Cyber Crime

The system uses CCTV monitoring to build up a sequence of the hacker's activity
Revolutionary digital fingerprinting software invented by Edinburgh computer scientists could be set to stem the growing tide of cyber crime. The technology, developed at Edinburgh Napier University, allows CCTV-style monitoring of online systems. It digitally mimics the DNA matching process used in the real world.

The software, which will be on sale in six months, works out what classified data has been accessed by the hacker before alerting the company's managers. The CCTV-style monitoring builds up a sequence of the hacker's activity.

It means cyber criminals can be tracked down in seconds, potentially saving companies worldwide millions of pounds every year. The researchers have now created a company called Inquisitive Systems to market the software, GuardInQ.

The fledgling company has attracted £170,000 of new funding from private investors as well as a Smart:Scotland award and Seed funding package, both from Scottish Enterprise.
Inquisitive Systems has also been shortlisted at the recent Global Security Challenge summit in London on the back of its ability to fight cyber espionage and cyber terrorism.
Dr Jamie Graves, chief executive and co-founder of Inquisitive Systems, said: "Put simply, we can now track cyber criminals 24/7.

"The GuardInQ technology enables us to identify their digital fingerprints and prove that a certain person was behind illegal changes made to data, which gives a higher level of proof when it comes to prosecuting data crime."
He added: "It's like CCTV for computers and ultimately means a more rapid detection of security breaches, which means significant savings for organisations.
"Where others in the market can highlight that there has been a security breach, they fail to say who, what, when or why it happened. We can.
"We go to the heart of the matter, not only detecting criminal activity but intervening in real time to reduce cyber crime."

(BBC News)

EU Could Turn to 'Crowd Sourcing' in Cyber Crime Fight

Millions of internet users across the EU could be encouraged to join the fight against cyber crime if a ground breaking experiment in "crowd sourcing" goes ahead.
The director of Europol told peers he wants to get net users directly involved in catching cyber crime gangs.
Rob Wainwright briefed a Lords EU sub-committee on plans for a European cyber crime centre.
He said the extent of the problem was often underestimated in the EU.
And criminal gangs were becoming more sophisticated in their use of technology, which was spreading into the world of "offline" crime such as drug and people trafficking and VAT fraud, which netted criminals in the EU 100bn euros (£85bn) last year alone.
Scams

Europol officials say criminals are increasingly communicating with each other through online phone services in the mistaken belief that they are untraceable.

They are also carrying out more "traditional" cyber crimes such as botnets, malicious software that can secretly steal credit card details, and phishing scams, in which people are tricked into handing over confidential details.

Mr Wainwright, a former senior official with the UK's Serious and Organised Crime Agency, said Europol was stepping up its fight against internet-based crime ahead of the opening of a planned cyber crime centre, funded by the European Commission.

Europol, an EU-wide police intelligence agency based in The Hague, already had a "dedicated intelligence project designed to identify the most significant cyber criminals operating in Europe", Mr Wainwright told the committee.

He said the next stage was to launch an "internet crime reporting online system".

This initiative, originally conceived by the French Presidency of the EU in 2008, would, for the first time, "collect all internet crime reported online at a national level, in a harmonised way across the EU," he told the committee.
'Empower citizens'

It would have the ability to alert police in the 27 member states to "connections between different investigations".
"For the first time the EU will have a comprehensive overview of reported cyber crime from within its own borders and this could even include, in the future, a component of direct engagement with the public," said the Europol chief.
Europol strategic analyst Victoria Baines later explained to BBC News that the organisation was interested in eventually using a form of "crowd sourcing" to gather examples of suspected cyber crime so it could build up a fuller picture of illegal activity.
This would involve concerned net users scouring the net for possible examples of crime and reporting it, possibly through a dedicated website.
It could operate along similar lines to America's Internet Crime Complaint Center (IC3), a joint venture between the FBI and the National White Collar Crime Centre, which for the past 10 years has allowed victims of cyber crime to make a complaint online.
But the Europol system could potentially go further because it would not be restricted to people who had themselves been the victim of cyber crime or who wanted to make a formal complaint to a law enforcement agency.
Ms Baines said the idea was to raise awareness of crimes such as the "online solicitation of children", payment card transaction fraud or "social engineering", in which people are tricked into giving their passwords or other personal details.
And then "to empower citizens not only to look out for themselves but to report criminal activity".
But Mr Wainwright stressed in his evidence that Europol's first priority was to involve private industry and academia in the fight against cyber crime.
The crowd sourcing plan is in its embryonic stages, and will depend on the setting up of the European cyber crime centre, which is planned by 2014, if funding can be secured.
But Mr Wainwright told BBC News he was keen to "scope out" crowd sourcing and saw it as a potentially vital part of the war on cyber crime.
The Lords EU Home Affairs sub-committee is investigating the EU's internal security strategy.


Wednesday, 22 December 2010

F.C.C. Poised to Pass Net Neutrality Order

The chairman of the Federal Communications Commission appears to have the votes he needs to pass new rules for net neutrality. Net neutrality — which broadly speaking is an effort to ensure open access to Web sites and online services — is on the agenda of an F.C.C. meeting Tuesday in Washington. The F.C.C.’s chairman, Julius Genachowski, outlined a framework for net neutrality earlier this month, touching off a debate about the role of the government in regulating Internet access.

As it stands now, the order would prohibit the blocking of any Web sites, applications or devices by fixed-line broadband Internet providers like Comcast and EarthLink, essentially forbidding the providers from picking winners and losers on behalf of consumers, F.C.C. officials said Monday.

The F.C.C. officials also said that the order would broaden the government’s enforcement powers over  broadband. They spoke only on condition of anonymity ahead of Tuesday’s meeting on the matter. The F.C.C. order has not been made public.

If approved, the rules “will give some assurances to the companies that are building Web applications — companies like Netflix, Skype, Google — that they will get even treatment on broadband networks,” said Rebecca Arbogast, a regulatory analyst for Stifel Nicolaus, a financial services firm.
The prohibitions, however, are subject to what the F.C.C. calls “reasonable network management,” and they are considerably watered down for wireless providers. “It is by definition a compromise,” Ms. Arbogast said.
Critics have condemned Mr. Genachowski’s proposal as “fake net neutrality.” One of those critics, Senator Al Franken, Democrat of Minnesota, said over the weekend that the F.C.C. was effectively allowing discrimination on the Internet by adopting weak rules for wireless Internet access.

“Maybe you like Google Maps. Well, tough,” Mr. Franken said on the Senate floor on Saturday. “If the F.C.C. passes this weak rule, Verizon will be able to cut off access to the Google Maps app on your phone and force you to use their own mapping program, Verizon Navigator, even if it is not as good. And even if they charge money, when Google Maps is free.”

He continued, “If corporations are allowed to prioritize content on the Internet, or they are allowed to block applications you access on your iPhone, there is nothing to prevent those same corporations from censoring political speech.”

On Monday afternoon, the other two Democratic commissioners, Michael Copps and Mignon Clyburn, signaled that the order was not as strong as they would have liked, but that they would not oppose it. Their votes along with Mr. Genachowski’s would be enough to approve the order. Two Republican commissioners, Meredith Baker and Robert McDowell, are expected to oppose it. In an op-ed in the Wall Street Journal on Monday, Mr. McDowell asserted that “nothing is broken that needs fixing.”
Mr. Copps staunchly disagreed. In a statement Monday afternoon, following three weeks of discussions with Mr. Genachowski about modifying the order, he said he wanted to ensure that the Internet “doesn’t travel down the same road of special interest consolidation and gate-keeper control that other media and telecommunications industries—radio, television, film and cable—have traveled.”

“What an historic tragedy it would be,” he said, “to let that fate befall the dynamism of the Internet.”
He said he could not wholeheartedly vote to approve the order, but that he would “not block it by voting against it. I instead plan to concur so that we may move forward.”

Ms. Clyburn said similarly in her own statement, “The open Internet is a crucial American marketplace, and I believe that it is appropriate for the F.C.C. to safeguard it by adopting an order that will establish clear rules to protect consumers’ access. The commission has worked tirelessly to offer a set of guidelines that, while not as strong as they could be, will nonetheless protect consumers as they explore, learn and innovate online. As such, I plan to vote to approve in part and concur in part the Open Internet Order during the F.C.C.’s open meeting tomorrow.”

The Democratic commissioners received sharp rebukes from public interest groups that favor stricter steps toward fair Internet access. Craig Aaron, the managing director of one such group, Free Press, said “these rules appear to be flush with giant loopholes, and the FCC chairman seems far more concerned with winning the endorsement of AT&T and the cable lobbyists than with listening to the millions of Americans who have pleaded with him to fix his proposal.”

Updated
Mr. Genachowski’s office on Monday night released excerpts of the remarks he will give on Tuesday about the net neutrality order. They are reprinted in part below:
As we stand here now, the freedom and openness of the Internet is unprotected. No rules on the books to protect basic Internet values. No process for monitoring Internet openness as technology and business models evolve. No recourse for innovators, consumers, or speakers harmed by improper practices. And no predictability for the Internet service providers, so that they can manage and invest in broadband networks.
That will change once we vote to approve this strong and balanced order…
On one end of the spectrum, there are those who say government should do nothing at all.
On the other end of the spectrum are those who would adopt a set of detailed and rigid regulations.
I reject both extremes in favor of a strong and sensible framework – one that protects Internet freedom and openness and promotes robust innovation and investment.
We are told by some not to try to fix what isn’t broken, and that rules of the road protecting Internet freedom would discourage innovation and investment. But countless innovators and investors say just the opposite, including many who generally oppose government action. Over the course of this proceeding we have heard from so many entrepreneurs, engineers, venture capitalists and others working daily to maintain U.S. leadership in innovation. Their message has been clear: the next decade of innovation in this sector is at risk without sensible rules of the road…
At the same time, while acting to preserve Internet freedom and openness, government must not overreach by imposing rules that are overly restrictive or that pretend to knowledge about this dynamic and rapidly changing marketplace that we simply do not possess.
 (The New York Times)

Selasa, 21 Desember 2010

8 Best Ways to Secure Wireless Technology

 GAO: Agencies Inconsistent on Ways They Secure Wireless Assets
The government's efforts to safeguard federal wireless networks and technologies have not fully secured them, the Government Accountability Office said in a report issued Tuesday entitled Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk.


"Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack," GAO Director of Information Security Issues Gregory Wilshusen and Chief Technologist Nabajyoti Barkakati wrote in the 50-page report.
To help agencies secure their wireless networks and technologies, GAO came up with eight leading practices:
  1. Develop comprehensive security policies that govern the implementation and use of wireless networks and mobile devices, implement secure encryption with enterprise authentication, establish usage restrictions and implementation guidance for wireless access and enforce access controls for connection of mobile devices.
  2. Employ a risk-based approach for wireless deployment.
  3. Use a centralized wireless management structure that is integrated with the existing wired network.
  4. Establish configuration requirements for wireless networks and devices in accordance with the developed security policies and requirements.
  5. Incorporate wireless and mobile device security components in training.
  6. Use a virtual private network to facilitate the secure transfer of sensitive data during remote access.
  7. Deploy continuous monitoring procedures for detecting rogue access points and clients using a risk-based approach.
  8. Perform regular security assessments to help ensure wireless networks are operating securely.
"Many of these practices are consistent with the key information security controls required for an effective information security program ... and reflect wireless-specific aspects of those controls," Wilshusen and Barkakati wrote in the report requested by the chairs and ranking members of the Senate and House Appropriations Subcommittees on Financial Services and General Government.
GAO said the approach to securing wireless technologies is inconsistent among the agencies for most of the following leading practices:
  • Most agencies developed policies to support federal guidelines and leading practices, but gaps existed, particularly with respect to dual-connected laptops and mobile devices taken on international travel.
  • All agencies required a risk-based approach for management of wireless technologies.
  • Many agencies used a decentralized structure for management of wireless, limiting the standardization that centralized management can provide.
  • Five agencies where GAO performed detailed testing generally securely configured wireless access points but had numerous weaknesses in laptop and smart-phone configurations.
  • Most agencies were missing key elements related to wireless security in their security awareness training.
  • Twenty agencies required encryption, and eight of these agencies specified that a virtual private network must be used; four agencies did not require encryption for remote access.
  • Many agencies had insufficient practices for monitoring or conducting security assessments of their wireless networks.
In preparation of the report, GAO reviewed publications, guidance, and other documentation and interviewed subject matter experts in wireless security. GAO also analyzed policies and plans and interviewed agency officials on wireless security at 24 major federal agencies and conducted additional detailed testing at these five agencies: the Departments of Agriculture, Commerce, Transportation, and Veterans Affairs, and the Social Security Administration.
Responding to the report, Commerce Secretary Gary Locke said he concurred with the GAO's recommendations to instruct the National Institute of Standards and Technology, a Commerce Department agency, to develop and issue guidance on:
  • Technical steps agencies can take to mitigate the risk of dual connected laptops;
  • Government-wide secure configuration for wireless functionality on laptops and for BlackBerry smartphones;
  • Appropriate ways agencies can centralize their management of wireless technologies based on business needs; and
  • Criteria for selection of tools and recommendations on appropriate frequencies of wireless security assessment and recommendations for when continuous monitoring of wireless networks may be appropriate.

  (GovInfo Security)


WikiLeaks: Stronger Access Mgt. Needed

Eric Chabrow
Not adequately implementing access management - deciding who should gain entry not only to an IT system but to specific data, as well - is a major process failure that led to the WikiLeaks leaks, the unauthorized access and downloading of 250,000 sensitive and classified diplomatic cables and other files.

Simply put, if properly configured, an access-governance system might have prevented an Army private from extracting the diplomatic cables. The government alleges that Pfc. Bradley Manning, an Army intelligence analyst, illicitly downloaded the files through a Secret Internet Protocol Router and saved them to a disk, which he provided to WikiLeaks. Though Manning had a security clearance - his job was to route intelligence reports to his superiors - it's unclear why he would or should have had authorization to access and download State Department reports.


Was the process failure preordained? Perhaps. A survey released earlier this year of federal IT security executives and staffers suggests that challenges of securing government information assets are more evident to the rank and file than they are to their superiors. The survey, Security in the Trenches: Comparative Study of IT Practitioners and Executives in the U.S. Federal Government, conducted by the Ponemon Institute for enterprise software vendor CA, reveals that the rank-and-file employees were much more likely than executives to see the necessity of certain enabling technologies to reduce or mitigate security risks within their organizations, and the technology with the widest difference: identity and access management systems. Fifty-seven percent of rank-and-file workers said they saw the risk in identity and access management systems versus 41 percent of executives; that's a 16 percentage point difference. On access governance systems, 62 percent of the staffers but only 43 percent of executives saw the risk, a 19 percentage point differential.


Why the gap? "Executives tend to see the big picture, whereas the IT staff-level sees a more focused view," Gilda Carle, a relationship expert who has worked with the Army, Internal Revenue Service and IBM, said in a statement issued with the survey results. "The difference in viewpoints can greatly affect how well an organization achieves its objectives."

The takeaway isn't just the need for government IT security policymakers to be more aware of beefing up access management systems but to become more attentive to what goes on in the trenches where each individual poses a potential threat.

(Govinfo Security)


Electronics Engineers Help Sustain ICT Development

MANILA, Philippines - The past few years have seen some of the most tremendous growth in the information and communications sector in the Philippines, benefiting many other industries and communities.
Investments in ICT, coupled with a widening demand for faster and more efficient services, have opened the doors to new business opportunities, which have also contributed to sustained growth in the country’s economy.


Since the passage into law of Republic Act 8792, otherwise known as the E-Commerce Act of 2000, ICT has become a socio-economic enabler and not just an end-goal.

All aspects of society, from business to politics, education to the sciences, have relied on the use of ICT to increase productivity, innovate existing technologies, and make new discoveries that would otherwise have taken years.

Investments in ICT infrastructure among small to medium scale businesses (SMBs) have been growing especially with more entrepreneurs tapping into cyberspace as a platform to sell their products and services.

Many SMBs have expanded their operations by investing in hardware, software, and telecommunication services to centralize and monitor their operations.

Other than the SMBs, large corporations have capitalized on ICT infrastructure not only for competitive advantage but also to streamline their operations, which would have otherwise been a daunting and expensive task.

The unique demands of SMBs up to the large corporations have also given rise to a new breed of service providers that develop specific, modular services, which can be modified to suit the demands of their growing clients.

Even telecom companies have played a role in expanding the use of ICT as they implement next-generation networks, which also have given rise to a variety of unique service propositions, such as cloud computing and hosted services.

Even the “sunshine” industry of business process outsourcing (BPO) credits its success to strong investments in ICT. This has resulted in the establishment of dozens of BPO providers, providing about 500,000 jobs and contributing at least $10 billion in revenues to the Philippines.

All this growth in the ICT sector also demands expertise and it is also a major challenge to all industries dependent on ICT to find the right professionals to maintain ICT equipment, services, and infrastructure.

This demand is ever growing and the electronics and communications engineering (ECE) sector is taking the challenge of filling up the need for professionals in the ICT sector.

It is the advocacy of the Institute of Electronics and Communications Engineers of the Philippines (IECEP) to provide the ICT sector with skilled engineers.

The organization is built upon a vision of sustainable expansion in all sectors of development. With ICT as one of the fastest growing sectors, it has mandated itself to create a new breed of professionals who are able to fill the specific necessities of ICT.

The passage of Republic Act 9292 or the Electronics Engineering Law in 2004 saw a positive aspect in terms of government support for electronics engineers and professionals.

It also paved the way for opening new channels of opportunities where skills development is intertwined with the various aspects of growth in many industries.

ICT is no exception and it is a positive challenge for the IECEP to produce the best people for the right jobs in this sector.

This year’s IECEP conference dubbed the International Electronics Conference and Expo focused on the ICT sector and its effects on other industries.

The event, held last Dec. 7-9 at the SMX Convention Center, looked at how else the country’s engineers can support traditional industries that are ever more dependent on ICT. The theme, “Sustainable Professional Excellence for ICT Development,” marks the IECEP’s commitment to be part of a sector that has already become an integral part of all other industries.

(PhilStar.com)

Senin, 20 Desember 2010

BlackBerry 6: Wipe Your Smartphone, Restore Factory Settings

Many reasons exist for why you might want or need to "security wipe" a BlackBerry, or completely erase all personal data stored on your handheld: You got a new smartphone and plan to retire the older device; you're trading in your existing BlackBerry for a new one from your wireless carrier; you and a friend are swapping devices; you loaded too many applications or media and just want to start over from scratch; etc.



Whatever your reason, BlackBerry-maker Research In Motion (RIM) makes it very easy to security wipe a BlackBerry using its latest mobile OS software, BlackBerry 6. Waaaaay back in the fall of 2008, I wrote a post on how to clean or wipe your BlackBerry smartphone running RIM's OS 5, so those of you with a BlackBerry 5 smartphone will want to jump over to that older tutorial.

The security-wipe process is very similar in both BlackBerry OS 5 and BlackBerry 6--in fact it's even more intuitive in the newer OS. And the following four steps will wipe your BlackBerry smartphone clean and restore the handheld to factory settings in no time. Keep moving for specifics. (Note: If your BlackBerry is connected to a corporate BlackBerry Enterprise Server (BES), you may be unable to completely restore your device to factory settings, though you should still be able to wipe it clean, depending on the specific IT policies associated with your device. Check in with your BlackBerry administrator if you encounter issues.)

How to Security Wipe Your BlackBerry 6 Smartphone

1) Begin the BlackBerry security wipe process by opening up the main BlackBerry Options menu--the icon looks like a wrench when using the default BlackBerry theme. (Learn more about BlackBerry themes here.)
2) Next, scroll down to and select the Security option on the following screen, then choose the Security Wipe listing on the next page.
3) The Security Wipe screen displays a number of options and associated checkboxes that let you specify whether you want to delete E-Mail, Contacts, etc., User Installed Applications and/or all the data stored on your Media Card.
4) Finally, to initiate the process, type in the word "BlackBerry" in the confirmation field on the Security Wipe screen, accept any final confirmation pop-ups you may see, and voila, your BlackBerry device is on its way to its factory state. It may take up to an hour to completely wipe your device, depending on how many messages and other data you have stored on-device, so be patient.
When the deletion process is complete, your BlackBerry will restart and another dialogue box appears to ask if you'd like to run the device Set Up Wizard. At that point, your BlackBerry is wiped clean of all data--unless you chose to let third-party app information remain--and factory settings should be restored.
Got a broken BlackBerry keyboard that's keeping you from wiping your handheld using the process above? No worries, you can use any of a number of workarounds, including the free JL_Cmder application.
Check out a full list of all my BlackBerry tips and tricks stories on the CIO.com BlackBerry Bible page.
=========
Al Sacco covers Mobile and Wireless for CIO.com. Follow Al on Twitter @ASacco. Follow everything from CIO.com on Twitter @CIOonline. Email Al at ASacco@CIO.com.

(NetworkWorld.com)


Internet Hit by Wave of Fake PC 'defrag' Tools

Fake AV has morphed into expensive 'disk fix'

A spate of scareware apps that trick users into buying useless hard disk repair tools appears to be part of a concerted campaign to push fake 'defrag' software, a security company has said.

The Internet abounds with Windows utilities, usually free, some not very good. Users have an unquenchable appetite for them.


According to a GFI-Sunbelt Security blog, a new type of bogus disk software has suddenly become very common on the back of this, with a clutch of convincing examples appearing in recent weeks.
Users encountering the new examples HDDRepair, HDDRescue and HDDPlus should ignore them. They are bogus applications that claim to defragment a user's hard disk, even though defragmentation is barely needed given that Windows does a lot of this work behind the scenes anyway.

The apps will, however, claim that a user's hard disk is riddled with problems, as will the slightly older examples UltraDefragger, ScanDisk, Defrag Express and WinHDD. Sorting out the non-existent issue can cost anything from $20 and up.

Such apps have been around for some time in fact but have simply been less documented compared to the fake antivirus programs that have caused chaos on the Internet in the last two years.

The phenomenon of fake software is now deeply entrenched on the Internet and criminals have even taken to aping the way security companies are creating all-purpose security programs. Fake apps adopting this verisimilitude tactic include PCoptomizer, PCprotection Center and Privacy Corrector.
A quick trawl of Google reveals that all of the above scareware examples are easy to encounter. So how does a user tell the real and useful from the fake and expensive?
Depending on the type of app, it is sometimes easier to consult lists of real apps than to work out which ones aren't genuine.

As the author points out, the overworked VirusTotal is one site that allows files and URLs to be checked against known rogue lists, while certification company ICSA Labs publishes a separate, more high-level list of known vendors. These are not perfect warning systems, however. Rogue URLs change constantly and might not be spotted by VirusTotal, for instance.

(NetworkWorld.com)



Sabtu, 18 Desember 2010

CIO Gets Six Years for Embezzlement Scheme

Former Auto Warehousing Company CIO gained fame for switching to Apple after Microsoft dispute

The former CIO at a large U.S. automobile processing company has been sentenced to nearly six years in prison for embezzling more than $500,000 from the company by faking expense reports and reselling company equipment.


Dale Frantz, 46, was sentenced Friday in U.S. District Court for the Western District of Washington, after pleading guilty to fraud charges. Auto Warehousing Company (AWC) hired him in 1998, even though he had served a prison stint in the 1990s for a similar crime. Frantz made headlines three years ago for switching the company to the Mac after a software licensing dispute with Microsoft. 

Between 2007 and 2009, Frantz used a number of techniques to steal money from AWC, a Tacoma, Washington, company that delivers cars from ports and manufacturing plants to dealerships. He wrote up fake invoices for expense reports and altered legitimate ones to boost his reimbursements, and used company funds to buy computer equipment that he later resold on the Internet. He had a co-conspirator set up a company called Asyncritus Technology to generate invoices for nonexistent services, taking a split of the profits, the U.S. Department of Justice said.

In 2007, Frantz tried to switch AWC to the Mac OS platform after becoming involved in a public dispute with Microsoft, which had pressured him to audit his company's software licenses. That project was delayed after employees and partners pushed back, but the company now has more than 100 Macintosh computers helping to run operations, according to Apple's Web site.
In a Dec. 9 letter to the judge in the case, Frantz said he led a tortured double life as both successful executive and embezzler, a life that came to an end when he was fired from his job. "I was relieved to be terminated," he wrote.

In addition to the 71-month sentence, Frantz must pay $516,358 in restitution to AWC.
In 1996, Frantz got a four-year sentence for stealing $200,000 while office manager at an Indiana audio shop.
======================
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

(NetworkWorld.com)

Microsoft ends record security year with huge Patch

Microsoft's security team broke all sorts of records for issuing patches this year, and 2010's final Patch Tuesday was the biggest one of all.
"Microsoft is ending this year on a high note, with their highest number of bulletins ever," nCircle director of security operations Andrew Storms notes. "With a record 17 bulletins ... we are getting a huge number of individual bug fixes."


With today's update, Microsoft has issued 106 security bulletins patching a total of 266 vulnerabilities in 2010, both of which are also records for the company. Whether this is due to Microsoft products becoming more vulnerable, or greater attention being paid to vulnerabilities (or a combination of both) is an open question. Microsoft has said its policy of supporting products for up to ten years means a lot of older pieces of software have to continue receiving patches.

In this year's final Patch Tuesday, Microsoft fixed a critical Internet Explorer problem as well as the final known bug exploited by the Stuxnet worm.
"The most important bug this month is clearly the IE update that includes a fix for the outstanding zero-day bug discovered in early November," Storms says. "With more and more people shopping online this time of year, it's important for everyone to patch their browsers."

Storms was referring to MS10-090, which resolves four vulnerabilities that could allow remote code execution when users view malicious pages with IE6, IE7 and IE8. "The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory and script during certain processes," Microsoft said.

This was one of only two bulletins that were rated "critical" by Microsoft. The other was MS10-091, which patches bugs in the Windows OpenType Font driver. "An attacker could host a specially crafted OpenType font on a network share. The affected control path is then triggered when the user navigates to the share in Windows Explorer, allowing the specially crafted font to take complete control over an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.

Separately, Microsoft has fixed the fourth and final known vulnerability related to the Stuxnet worm with MS10-092, which affects Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.
MS10-092 was rated important, rather than critical, as were most of the rest of the 17 patches. However, Qualys vulnerabilities lab manager Amol Sarwate says one of the "important" bulletins should have been rated critical by Microsoft.

This particular bulletin, MS10-105, describes a vulnerability targeting numerous versions of Microsoft Office, in which a graphics filter flaw can allow remote code execution.
"I personally think it's critical because you could get an Excel spreadsheet, or any Office document with one of these graphics filters, and it could allow an attacker to execute code on a computer," Sarwate says.
While the vulnerability affects Office 2007 and 2010, it only allows remote code execution on older versions.
Speaking of Office, Microsoft said Office File Validation will be made available for the 2003 and 2007 versions of the software starting in Q1 2011. The software is already available on Office 2010, and opens files in a safe mode when security threats are detected.

But that won't help IT managers who apply today's patches immediately.
As PC World notes, "The security bulletins cover the range of Microsoft software including all versions of Windows, as well as Internet Explorer, Microsoft Office, SharePoint, and Exchange. All 17 of the security bulletins are listed as either 'Requires restart' or 'May require restart', so IT admins should be prepared for the fact that systems will need to be rebooted to complete the patch process."

(NetworkWorld.com)

Jumat, 17 Desember 2010

How to Prevent a WikiLeaks-Like Breach

Technologies and processes exist to prevent a WikiLeaks-style breach, but most IT security experts haven't instituted the proper safeguards, says a leading computer expert on insider threats.
"With the right people, process and technology, you could be able to put a system together that would greatly reduce the impact these types of attacks have," Eric Cole, a SANS Institute faculty fellow and founder of the network security consultancy Secure Anchor Consulting, says in an interview with Information Security Media Group (transcript below).

Cole says one of the biggest failures deals with how organizations control and manage access to data. Individuals should have access to data for a limited time. "If you look at just about everything else we do, your driver's license has an expiration date; your passport has an expiration date; so when you are given access to sensitive data, it is typically infinite and there is no expiration," he says. By placing time constraints on entry to sensitive data, Cole says, the burden of justifying access shifts from the data owner to the user.

Search and indexing technologies also can help limit access to data and reduce the danger of improper exposure. Each document would be indexed by page, paragraph or sentence. Users could conduct a search without getting details of, or access to, the whole document. "You can get the details you need on a specific area, but the bigger risk of getting more access than what is required to do your job is reduced," Cole says. "At the end of the day ... we see insider threat and information leakage (when) the person needed some of the information in the document but not the entire document, but because most organizations don't know how to hand it off in a more granular fashion, it is an all or nothing, and then they end up getting this repository with a lot more information than really is required."

Another approach to safeguarding data that doesn't require new technology is to limit access to sensitive information to a thin client or virtual machine; that means no local storage on users' own devices. Users, Cole says, "could have a profile and they could have a directory on the server where they can save their searches, but everything is stored and controlled at the server level and nothing is put at the client level, and then all of the sudden, once again, you are taking away yet another avenue of exploitation from that user."
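The two access-governance controls described above (time-limited grants, and indexing documents so a search returns only the paragraphs a user is cleared for) are easy to model in code. The following is an added illustration, not code from Cole, SANS or Information Security Media Group, and it also serves the earlier "Stronger Access Mgt. Needed" piece on this page; the document ids, user name, paragraph texts and the `AccessGovernor` class are all constructed for the example. Every grant carries an expiry, every read is mediated and refused reads are logged, so after the grant lapses the user, not the data owner, has to come back and justify renewed access.

```python
"""Time-bounded, paragraph-level access governance (added example).

Constructed sample data: the document ids, user names and paragraph
texts are illustrative, not real records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed corpus: document id -> ordered paragraphs (the index unit).
CORPUS: Dict[str, List[str]] = {
    "doc-A": [
        "Paragraph 0: summary of a routine logistics meeting.",
        "Paragraph 1: sensitive assessment of a negotiating position.",
        "Paragraph 2: attendee list with contact details.",
    ],
    "doc-B": [
        "Paragraph 0: sensitive assessment of budget shortfalls.",
        "Paragraph 1: unrelated travel notes.",
    ],
}


@dataclass(frozen=True)
class Grant:
    """One access grant. Every grant has an expiry; paragraphs=None means the whole document."""
    user: str
    doc_id: str
    expires_at: datetime
    paragraphs: Optional[FrozenSet[int]]


class AccessGovernor:
    """Mediates every read: the data owner grants, the user must re-justify after expiry."""

    def __init__(self, corpus: Dict[str, List[str]]):
        self.corpus = corpus
        self.grants: List[Grant] = []
        # Audit trail of refused reads: (user, doc, paragraph, time).
        self.denials: List[Tuple[str, str, int, datetime]] = []

    def grant(self, user: str, doc_id: str, ttl: timedelta, now: datetime,
              paragraphs: Optional[set] = None) -> Grant:
        if doc_id not in self.corpus:
            raise KeyError(f"unknown document {doc_id}")
        g = Grant(user, doc_id, now + ttl,
                  None if paragraphs is None else frozenset(paragraphs))
        self.grants.append(g)
        return g

    def can_read(self, user: str, doc_id: str, paragraph: int, now: datetime) -> bool:
        for g in self.grants:
            if g.user != user or g.doc_id != doc_id or g.expires_at <= now:
                continue  # wrong subject or object, or the grant has lapsed
            if g.paragraphs is None or paragraph in g.paragraphs:
                return True
        self.denials.append((user, doc_id, paragraph, now))
        return False

    def search(self, user: str, term: str, now: datetime) -> List[Tuple[str, int, str]]:
        """Return only the matching paragraphs the user is currently allowed to read."""
        hits = []
        for doc_id, paras in self.corpus.items():
            for idx, text in enumerate(paras):
                if term.lower() in text.lower() and self.can_read(user, doc_id, idx, now):
                    hits.append((doc_id, idx, text))
        return hits

    def expired_grants(self, now: datetime) -> List[Grant]:
        """Grants that have lapsed; candidates for the periodic re-justification review."""
        return [g for g in self.grants if g.expires_at <= now]


def demo() -> dict:
    """Walk through one grant, a scoped search and expiry; returns the results for checking."""
    t0 = datetime(2010, 12, 17, 9, 0, tzinfo=timezone.utc)  # constructed clock
    gov = AccessGovernor(CORPUS)
    # Eight-hour grant to a single paragraph of one document.
    gov.grant("analyst", "doc-A", timedelta(hours=8), t0, paragraphs={1})
    return {
        "allowed_para": gov.can_read("analyst", "doc-A", 1, t0),
        "other_para": gov.can_read("analyst", "doc-A", 2, t0),
        "hits": gov.search("analyst", "sensitive", t0),
        "after_expiry": gov.can_read("analyst", "doc-A", 1, t0 + timedelta(hours=9)),
        "expired": len(gov.expired_grants(t0 + timedelta(hours=9))),
        "denials": len(gov.denials),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The search for "sensitive" matches a paragraph in each constructed document, but only the one the analyst was granted comes back; the refused read of doc-B is recorded in the audit trail along with the out-of-scope paragraph and the post-expiry attempt, which is the kind of signal an organisation relying on customer or whistleblower reports to learn of leaks is otherwise missing.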
In the interview, conducted by Information Security Media Group's Eric Chabrow, Cole also:
  • Assesses how the WikiLeaks breach occurred,
  • Laments that most organizations won't learn the lesson from the WikiLeaks episode and
  • Poses three critical questions organizations should answer to assess their vulnerabilities.
Cole is an industry-recognized security expert and has authored several books, including Hackers Beware, Hiding in Plain Sight, Network Security Bible and Insider Threat (with Sandra Ring). He is an inventor who holds more than 20 patents. Cole serves on the Commission on Cybersecurity for the 44th President and is actively involved with the SANS Technology Institute and SANS, working with students, teaching, and maintaining and developing courseware.

What Went Wrong?

ERIC CHABROW: From an IT security perspective, what went wrong? How preventable was the WikiLeaks breach?

ERIC COLE: That's a very interesting question because typically when we look at security we always look at access control and the idea of the insider threat is people can access information that they need to perform their jobs, but they are using it for other purposes in which it wasn't intended.
And in this particular case, it is interesting because first, I can't imagine, based on the amount of information that was leaked out that one person would need access to all of that data in order to perform their job function. I would immediately think that there was clearly a problem in terms of controlling, managing and limiting access within the enterprise.
While that could never be prevented, that could have been reduced greatly by better controlling and managing who can store what and in which media. But the other important thing gets down to the data loss prevention controls and the classification.

Based on the fact that this information was supposed to be classified, you would think that if they had some monitoring in place they would have once again either been able to be detected or prevented very quickly and the amount of damage would be reduced. Based on the sheer size of the leakage, it makes me think that there is minimal detection and minimal outbound controls in place that could have either reduced or greatly prevented the damage.
CHABROW: I wonder, in such a large bureaucracy or organization as the federal government is, about the responsibility of limiting people's access to specific information - I mean this is a situation where, if the allegations are to be believed, you had someone in the Army getting access to State Department documents. What kind of challenge does that present in the sense of who governs who gets access?

COLE: That brings up the whole issue of data portability. You always hear different organizations that are being accused of not sharing information with other government entities or other offices that it presents an interesting problem because if you had data at one organizational unit, they could have the best access controls, they could have the best audited, they could have the best manageability of that information, but if they allow one authorized person to be able to copy that information, they can copy it and put it on a different government entity's server and now, in essence, be the owner of that data and be able to create their own access lists, create their own permissions and do whatever they want.

This creates a huge problem because now how do you go in and limit distribution without going in and prohibiting the function. This is where a lot of this new technology is coming into play, which is when you go and view and read information without being able to actually download, save a local copy or do anything with the data, and it brings up an interesting concept because if you could do that, a lot of these problems and a lot of the complexities would go away.

CHABROW: So the technology exists to do that? 

COLE: Some of it exists in commercial products and some of it is how you would set up the data, but the answer is yes, with the right people, process and technology you could be able to put a system together that would greatly reduce the impact these types of attacks have.

The Biggest Failure

CHABROW: When you have information like this, should there be a single owner?

COLE: Well ultimately, with any piece of information, you should clearly define who is responsible for the protection of that data. You should then clearly have guidelines and policies of what is required in order for somebody to get access to the information and how long should they have access to that data.
In my opinion, probably one of the biggest failures in how we control and manage access is the fact that a lot of access has no expiration. If you look at just about everything else we do, your driver's license has an expiration date; your passport has an expiration date; yet when you are given access to sensitive data, it is typically infinite and there is no expiration.
What if we went in and every time you were given access to the data you were only given that access for 10 days or 15 days; there was an expiration on it and then if you still needed the information, you would then request a new approval for it and have to be reauthorized to get access. Now what you are doing is you are shifting the burden onto the user, which is where it should be, as opposed to this data owner that is too busy and too over-tasked to really track and recognize whether other people really do or don't need it over a long period of time.

CHABROW: A lot of the systems developed over the past two years in government and as a result of the idea that different agencies need to share information after the 9/11 attacks; before then everything was in silos and people didn't know what other agencies were doing. That sounds good, but then you have the problem that we just saw with the WikiLeaks.
A user of information doesn't necessarily know what other agencies have and which could be very valuable for them to do their jobs. How does this play into this whole area of gaining access to information that could be critical, but then again protecting it from people who shouldn't be getting it?

COLE: That is at least a challenge because one of the phrases we use is, "Anything that could be used for good can be used for evil." So, on the one hand, you want the information to be accessible to a large number of people, you want high-end correlation of data and you want high-end details to be obtained, but on the other hand you want to reduce the risk of information being leaked out.

Once again, there are lots of different strategies, where there are actually searching techniques where you can go in and find out information about a source without getting the details, or without getting the actual document. The idea now is instead of going in and letting somebody have full access to a 40-page document, when they might only need two of the 40 pages, what if we went in and actually did a better job indexing it where now you are indexing it at a more granular level. You are indexing at a paragraph or a page level so that now you are not requesting documents, you are requesting sentences or paragraphs. Now, all of a sudden, you can get the details you need on a specific area but the bigger risk of getting more access than what is required to do your job is reduced.

At the end of the day, a lot of these problems that we see insider threat and information leakage, usually what occurs, and my guess is it would be true in this situation, the person needed some of the information in the document but not the entire document, but because most organizations don't know to hand it off in a more granular fashion, it is an all or nothing, and then they end up getting this repository with a lot more information than really is required.

Thin Client, Virtualization Reduce Risks

CHABROW: Would new tools need to be developed to automate this process, or can this process be automated?

COLE: If you think about the idea of having to go in and index everything at a sentence or paragraph level, it is a huge amount of work. The good part is, most of it can be done from an automated perspective. Now, there would be some costs in terms of the warehousing of this information, but you could argue that if the information is in electronic form, whether you are storing it as a single paragraph or as an entire document, it really takes up the same amount of space. So it is really the indexing from a high-end search engine to be able to build a meta-database to be able to find and access that particular data.
The other important thing is we have to better control that information. Right now today, all of the information is on servers; we have strict access control lists on the server but if you can get one person to copy that data who is authorized to their laptop, all of the access controls now are completely bypassed and they can give it out to anyone they want.
What if every time you are allowing somebody to access that sensitive information they had to do it from a thin client or a virtual machine? Anything they access could not be stored locally long-term; it would have to be maintained on the server. They could have a profile and they could have a directory on the server where they can save their searches, but everything is stored and controlled at the server level and nothing is put at the client level, and then all of the sudden once again you are taking away yet another avenue of exploitation from that user.

CHABROW: Obviously, at some point people would need to somehow store it; I mean the president of the United States isn't going to be working on a thin client, would he?

COLE: It depends on how transparent you make it. If you have the ability to open, view, access, store and read information, whether it is on your local hard drive or whether it is remote across the network, that really doesn't matter, and I don't think the president would care, it is all about can he get access to the information, when, where and how he needs it. And, if you look at all of the different communication mediums we have now between wireless, satellite and wired networks in almost every location, someone is always connected to a network; we can even do it at 40,000 feet now in airplanes and be able to have full access to the internet. As this access anywhere continues, I think you can do it in a way where it is completely transparent to the person and they just are not storing anything on a local portable media that has a greater risk of exposure and compromise.

3 Critical Questions

CHABROW: Any other takeaways you would like to share? 

COLE: Probably the big takeaway is, and I know when I say it it sounds obvious, but we are amazed at how many organizations can't answer these simple questions. If you really want to have good security, you have to remember that especially when dealing with the insider threat, it is not about firewalls, IP addresses or technology. What it all comes down to is your data, and I would urge you - can you answer three questions?
  • What is your critical data?
  • What business processes utilize that critical data?
  • And, on what servers does that critical data reside?
If you can't answer those fundamental questions, how are you going to be able to manage, control and implement access controls, authentication and the other protection measures that are required long-term? We have to make sure we focus on the basics before we start dealing with the complex issues.

CHABROW: Do you think people have learned the lesson of WikiLeaks, or do you think this is going to be a struggle for many organizations in the years to come?

COLE: I definitely think some folks have learned a lesson, but unfortunately in a lot of cases there is only a small percentage of people who, though they may see harm to others, don't want the harm to happen to them, and they will learn from that activity. However, a large percentage of folks, we found, until they personally suffer pain, don't think it is something that can happen to them.
Unfortunately, I think there will be a large percentage of folks who will look at that, shake their heads and think how could this have happened, but then in the next sentence they say this can't happen to us. What everyone needs to realize is it absolutely, positively can happen to you. The question I would ask is: If there was somebody in your organization who is accessing information or more information than they should, if they were putting it on USB or other mechanisms and leaking it out of your organization, how would you know?
If the answer to that question is that you wouldn't, then you have to realize that you could have just put your name instead of the government's and the whole WikiLeaks thing could now be focused on your organization and all the issues you have.

(Eric Chabrow, Executive Editor, GovInfoSecurity.com)
