March 23rd, 2010 12:00 am — 1:30 pm - Lunch will be provided
Information security compliance issues are intensifying at an overwhelming rate. With penalties on the rise and reputations at risk, organizations are looking to act quickly to ensure confidential information is secure. We invite you to attend our briefing on information security best practices.
Jacadis and Sophos have partnered to bring you this informative event. The subject matter has been designed as an educational tool for members of the I.T. staff. Come and strategize with us on how to simplify policy enforcement and deployment without sacrificing end-user productivity throughout your organization.
We will discuss:
- Most Common Compliance Issues
- Data Leakage Awareness
- Confidential Information Concerns
- How to Avoid Risks and Penalties
You will certainly get a chance to network with other busy professionals.
Space is limited to the first 30 registrants so register early.
I have been asked the following question, in several forms, online and in the Q&A sessions of speaking engagements I have recently done. It is a question you should be asking if you are using social media to run and grow your business.
What issues are there with social media security and privacy? How are they resolved? What can I do to prevent or reduce problems especially with Facebook and Twitter? Should we jump into the social media world?
1. You will need to be protected from viruses, worms and the whole slew of other nasty software threats. You should be protected from those regardless of whether you use Facebook or Twitter; just connecting to the internet exposes you to them. Facebook and Twitter are simply another delivery channel for what the security industry calls malware.
The solution is protecting the endpoints in your business (in plain English, your computers and your cell phones). A good endpoint security package will include a personal firewall, antivirus and anti-spam, and it has to be kept updated: a scanner running stale signatures offers little protection against the malware circulating this week.
My company is a big fan of Sophos endpoint products, as they are partners of ours.
2. Privacy is about control. Don't publish details you don't want out in the open. The obvious mistake is over-publishing personal information: giving too much away about travel, equipment purchases and the like can expose you. There are documented cases of people tweeting while on vacation only to come home to find their electronics stolen. A coincidence? Or a follower? Nobody knows for certain, but there is no reason to expose yourself. Be careful with geotagging for the same reasons; location data can ride along in a check-in or in the metadata of a photo taken on a phone, even when you never typed your whereabouts into the post.
3. Understand social engineering techniques. Social engineering is the use of old-fashioned cons, delivered online, to trick you into doing what the attacker wants. Get-rich-quick schemes, emails from people you don't know (particularly ones carrying downloads or attachments) and the like are the typical concerns. We have dealt with cases of social engineering where enough detail had been given away on Facebook, Twitter and similar sites that the attack actually came over the phone, with the callers pretending to be people known to the victim.
4. Back your systems up. If you are attacked, you don't want to lose all your hard work. Keep at least one copy offline or off-site, so that an attack which reaches your live systems cannot reach the backup as well.
Scary? Probably. But so frightening you should stay away? Hardly.
My firm is an 11-person information security firm that cautiously and correctly uses social media to run and grow our business.
The security and privacy situation around social media is constantly changing. Get involved in social networking, but set aside some time to become familiar with the security and privacy features of these tools (and their weaknesses). Don't listen to people who advise you to stay away from them; embrace them wisely and grow your business!
Information Owners, those responsible for the viability and survivability of an information asset, need to be accountable for that role. It is not enough to expect IT, as custodians, to understand their part in protecting the asset without the Information Owner's involvement.
I am working on a data discovery and information asset profiling project for a client. Essentially, this client has agreed that they need to know:
a) where their critical information assets are;
b) whether those assets are protected throughout the business life of the information; and
c) what compliance requirements must be met to stay in line with regulations and contracts.
Your business has these same issues. If you operate in the health care space you may hold protected health information (PHI) and be expected to meet HIPAA requirements. If you transact business using payment cards (Visa, MasterCard, Amex and so on) the Payment Card Industry Security Standards Council expects you to meet its Data Security Standard (PCI DSS). If you conduct business in most states you need to comply with data protection and breach notification laws that differ from state to state.
Many businesses do an "ok" job of understanding which compliance requirements must be met, but do a terrible job of knowing where that protected data resides or flows within their business.
Which brings me to this client. They are a services firm that, through its normal business routine, gathers, processes and stores a tremendous amount of personally identifiable information. They have a diligent and caring information technology department. They have executive support for securing their information. And, like most firms, the protected information in their business flows freely outside of protective boundaries, creating a risk of exposure.
We were asked to do a data discovery to find that exposed information and make recommendations for properly protecting it, for both security and compliance purposes.
The CERT Survivable Enterprise Management group at Carnegie Mellon's Software Engineering Institute in Pittsburgh developed the Information Asset Profiling (IAP) process, which serves as our model.
Some key components of the model:
Information owners are those responsible for the viability and survivability of an information asset. In practice that means sales is responsible for account information, call center management for the information in the customer relationship management toolset, engineering for the "secret sauce" in the company's product, and so on.
Information custodians are those responsible for protecting the information asset. In most firms this means the information technology staff. In most firms this is also the group given implied responsibility for viability and survivability. Yet IT does not have the necessary tools to value information, or to protect it once it leaves the computer systems within the company.
Containers are a concept within the model that refers to the form factor used to store the information: a file folder, a filing cabinet, a BlackBerry, a laptop, a server, the computer network. All of these are containers.
In our experience, which this project continues to validate, organizations are concerned with protecting computer assets but are unaware when data flows into containers that are themselves exposed, such as printed documents, file folders, faxes and the like.
The end result of this project is that our client will truly know where their critical data is, how the containers it resides in are exposed, and what can be done to lessen the risk of losses or compliance violations.
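To make "data discovery" concrete, here is an added example of what a first automated pass looks like. It is illustration only, not the tooling used on the client project and not part of the CERT IAP process; the container names and their contents are constructed. It scans the text of a few containers for payment card numbers, applies the Luhn check so that random runs of digits are not reported, and records only masked numbers so the findings report does not itself become one more container holding live card data.

```python
"""Minimal PAN discovery pass over text 'containers' (added example).

A candidate is 13-19 digits, optionally separated by spaces or dashes,
bounded by non-digits. Candidates are kept only if they pass the Luhn
checksum used by payment card numbers, which removes most random digit
strings (order numbers, timestamps) that a bare regex would flag.
"""
import re
from typing import Dict, List, Tuple

# 13-19 digits with optional single space/dash separators, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum over a string of ASCII digits (right to left, double every second digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, the display form PCI DSS permits in reports."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_containers(containers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Map each container name to the masked PANs it holds: (container, masked_pan) per hit."""
    hits = []
    for name, content in containers.items():
        for pan in find_pans(content):
            hits.append((name, mask(pan)))
    return hits


# Constructed sample containers; the card numbers are public test numbers, not real accounts.
SAMPLE_CONTAINERS = {
    "shared/export.csv": "id,name,card\n1,A. Customer,4111 1111 1111 1111\n",
    "fax/invoice.txt": "Order 1234567890123456 shipped",  # 16 digits but fails Luhn: not reported
    "mail/order.txt": "Paid with 5555-5555-5555-4444 on file",
}

if __name__ == "__main__":
    for container, masked in scan_containers(SAMPLE_CONTAINERS):
        print(f"{container}: {masked}")
```

A real engagement walks file shares, mailboxes, databases and printer spools rather than an in-memory dictionary, and adds patterns for the other data types in scope (PHI identifiers, national ID numbers), but the shape stays the same: find a candidate, validate it to cut false positives, and record where it lives without copying the sensitive value into the report.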
Security and privacy issues in the social media space are evolving so rapidly it seems impossible to keep up; you need to invest some time to stay informed!
Last May I did a series of public presentations on social media. The Columbus ISACA chapter is co-hosting a session on social media with the local chapter of the IIA called LinkedWorking: Utilizing Social Media to Advance & Enhance Business. That session will include a panel discussion on social media which I will be facilitating.
In reviewing social media through the security and privacy prism, these changes have occurred in less than a year:
I am attending and will blog on the content afterward.
Should you go? I can't speak to the content, but I can speak to the importance of knowing the answers to the questions that will be addressed. Operating without understanding (and managing) the risks facing your business is a recipe for losing value.
How are your company's defenses? Don't forget to tend to them as you run and grow your business!
Tonight I read the 2010 CyberSecurity Watch Survey. "The 2010 CSO CyberSecurity Watch Survey was sponsored by Deloitte and conducted in 2009 in collaboration with CSO Magazine, the U.S. Secret Service, and the CERT Coordination Center at Carnegie Mellon."
The report hit close to home because in the past 30 days we have:
begun projects with several firms that have had web sites targeted and attacked;
assisted a firm in managing a long-standing employee out of the organization because he had "quit and stayed", taking an offer from a competitor while continuing to "work", exploring the confidential information available to him and downloading it; and
developed an incident handling and forensic process for a large Software as a Service (SaaS) provider.
The report is a quick read (16 pages). I suggest you dive into it and then use it to start a conversation with your HR and IT management to make sure you are properly protected.
I work with business leaders and executives who are nervous that their company's critical data might be exposed and who are scared they are not compliant with government rules and regulations. I find most don't understand the critical nature of the information security game.
Most agree that customer trust and financial integrity are critical to their business.
All agree that the office or store doors and cash box need to be under lock and key.
Few argue that the lights, phones and computers need to come on when work starts each day.
But many think information security (protecting the confidentiality, integrity and availability of their critical information while also addressing government and sometimes customer obligations) is a distraction, a bother or an obstacle.
Until they have an information loss.
Entrepreneurs need to identify the value of the information within their business, understand the risks to that information and understand that securing it is not just a computer problem.
Do information security and risk management get the same management attention as process quality, customer satisfaction and financial integrity?
Trying to manage the incoming waves of regulations is bad enough, but keeping track of which rules still apply and which no longer do is a tough job when you really just want to run and grow your business!
Short one this week. You want to keep an eye on this news. According to an article on SCmagazine.com, there is a bill working its way through Congress that may exempt some small businesses from the FTC's Red Flags Rule.
Understanding the Security Risks With Social Media for Business
We have taken the plunge as a firm and use Twitter, LinkedIn and Facebook to promote our personal brands, market our business and build community with customers and prospects.
While we've embraced the 2.0 world, we've done so with eyes wide open. As we use the technology to create benefits, we also acknowledge that we create risks that must be identified, addressed and managed.
Most professionals, and most firms, using these new technologies are not "professional paranoids" like we are.
If you are using Social Media and have concerns about the risks ... or if you have balked at adopting the technology because of your fears of those risks ... please join me for:
Jacadis presenting lunch & learn on web application security with Platform Lab in Columbus
I wanted to highlight an upcoming lunch and learn on web application security that might be of benefit to you if your business develops and deploys web applications. The event is free and lunch will be provided. Please register below, and pass this on to individuals in your organization who would benefit.
Jacadis, the company I work for, is putting on the lunch and learn with its non-profit partner, the Platform Lab, part of Tech Columbus.
Presenter: Simon Herring, CISSP – Founder and CTO Jacadis, LLC.
Cost: Free
When: September 16th, 2009 11:00 am — 1:00 pm - Lunch will be provided
Cyber thieves use automated scanners to find web security holes… Why don’t you?
Thousands of web applications have been developed by companies of every size and industry to support business growth, extend customer interactivity, and lower service delivery costs. But how deliberate are you in evaluating the security of web applications throughout the application’s lifecycle, from inception to retirement?
Consider the following:
Many web vulnerabilities exist because of limited knowledge of secure coding principles. Catching these weaknesses before "go-live" can decrease the costs of post-deployment patching and the risks associated with a security break-in.
The sophistication of web hackers and data thieves continues to increase. Scanning only during the development cycle assumes no new web application exploit techniques will be developed and shared in the black hat community. The "10 foot wall" you built last Fall won't withstand the "11 foot ladder" that cyber thieves throw up this Summer.
In addition to being an established best practice for protecting web servers generally, routine web application scanning can help you comply with federal, state and industry regulations. With little marketing effort, you can also build security into your brand and show existing or potential clients that protecting sensitive data matters to you.
The tools and processes are available to prevent the deployment of poorly coded and insecure web applications. Perhaps you know the risks but don't know how to manage them, or where to begin. To answer these questions, we are hosting "Securing Web Applications using Acunetix WVS" to demonstrate how Acunetix Web Vulnerability Scanner (WVS) is an effective tool to add to your security routine.
In this edJACADIS seminar, we will:
Examine the components of a successful web application development process
Discuss the role of web application vulnerability scanning in the overall security process
Explore how Acunetix Web Vulnerability Scanner (WVS) can be used by developers and security analysts alike, to perform automated or manual web vulnerability testing.