Centennial DeviceWall - Protecting you and your network

July 28, 2006

Watch those interns!

Filed under: News — Matt Fisher @ 9:49 am

So how many interns are you taking on this summer? And what are they bringing into the office? According to research published on the BBC, the average UK student now owns IT gadgets worth more than $5,300. More than half of UK students now own an MP3 player and 6% regularly use a PDA.

With many organizations still failing to adequately communicate and enforce security policies - and a natural tendency among students to blur the lines between corporate and personal computing - the presence of unmanaged personal gadgets in the workplace could be a recipe for disaster.

July 26, 2006

540,000 New Yorkers at risk of ID theft

Filed under: News, Data Theft — Matt Fisher @ 10:03 am

The names, addresses and Social Security numbers of over 540,000 injured New York workers have been put at risk following the disappearance of unspecified “computer hardware” from a secured facility of Chicago-based CS Stars, an independent insurance brokerage.

The company is offering those involved identity theft insurance, 12 months to get free credit reports and access to fraud resolution specialists. That might be something of a relief to those potentially affected, but will do little for CS Stars’ bean counters, for whom the breach may prove very costly.

An FBI investigation is ongoing.

July 24, 2006

FBI warns industrial espionage is on the increase

Filed under: News, Data Theft — Matt Fisher @ 10:21 am

“Theft of trade secrets is a very big problem” according to Shena Crowe of the FBI. A simple, perhaps even obvious statement, but one that shows how law enforcement agencies are becoming more concerned about the lack of security applied to corporate data on the move.

According to the FBI, companies can’t afford to wait for an Enron-scale ‘boom’ before they take action. And while they praised more and more companies for going public on security breaches, the FBI still believes there is a culture of sweeping problems under the carpet.

According to FBI research, the three costliest forms of security breach are:

#1 - Virus infection
#2 - Unauthorized accessing of information
#3 - Laptop theft

July 21, 2006

House committee passes cyber-security bill

Filed under: News, Data Theft — admin @ 7:58 am

The House Veterans’ Affairs Committee passed the Veterans Identity and Credit Security Act of 2006. The bill establishes federal standards for notifying people when records containing names, Social Security numbers, birth dates and other personal information are lost or stolen, including requiring an independent risk analysis of the potential for misuse. It is still unclear if it will pass the House of Representatives or the Senate.

The bill is the committee’s response to the May 3 theft from the home of a Department of Veterans Affairs employee of personal information about 26.5 million veterans and 2.2 million service members.

Although this is definitely a step in the right direction, to notify people when their data is compromised, I would like to know what is being done to prevent these thefts in the first place. Although there is a clause that federal contractors who have access to sensitive personal information would be liable for damages if they are responsible for a security breach, including paying for credit protection services, there was very little mention of actual policies for preventing the thefts.

Securing Applications from Insiders

Filed under: Opinion, News, Regulatory Compliance — admin @ 7:48 am

There is a lot of talk and money spent on securing applications from external threats, such as intrusion detection tools that scan web applications for potential openings. Regulations such as Sarbanes-Oxley and HIPAA may address some security issues through an audit process; however, very few discuss folks on the “inside” such as database administrators, developers and IT folks who have direct access to critical data and source code.

What I am getting at is the potential for a developer to introduce malicious code into an application. Most companies are at the mercy of their programmers. Even a code review may not catch malicious code or backdoors that are introduced to an application, and most testing of an application simply analyzes if the requirements are met, not physically reviewing actual code. An underpaid disgruntled developer may inject code given to him on a USB stick if the price was right.