Sunday, September 30, 2007

Finishing up the Month

You know how much I love the fallout from the data breach at TJX. Here is more info on the sheer arrogance of the company. The new report out of Canada states: "... Canada's Privacy Commissioner, Jennifer Stoddart, blasted the parent of the TJ Maxx, Marshalls and A.J. Wright chain of stores, for failing to protect its customers. "The company collected too much personal information, kept it too long and relied on weak encryption technology to protect it—putting the privacy of millions of its customers at risk," Stoddart said in releasing the report." Why aren't heads rolling here? From Baseline Magazine:

http://www.baselinemag.com/article2/0,1397,2188613,00.asp?kc=BARSS03129TX1K0000628


Good news for consumers from CNN, Equifax Fraud Solutions Help Businesses Win the Fight Against Fraud.

http://money.cnn.com/news/newsfeeds/articles/prnewswire/CLW08726092007-1.htm


IT News, Australia, has an interesting article based on a presentation by McAfee's president. The one item that sticks out is the acknowledgment that cybercrime is now a $105B business, bigger than the worldwide illegal drug trade.

http://www.itnews.com.au/News/61497,cyberthreats-outpace-security-measures-says-mcafee-ceo.aspx



Well, it had to happen at some point. I've seen this a couple of places but this is from vnunet.com.... hacking tools are now for sale on eBay... how convenient!

http://www.vnunet.com/computing/news/2199102/hackers-training-sold-ebay


IT Security explains what it sees as The Top 10 Types of Cybercriminals. I'm not sure #5, Online Loan Sharks, is really accurate, but overall, it's a keeper.

http://www.itsecurity.com/features/top-10-cybercriminals-091007/


A more specific topic, but if you are in a manufacturing or other environment that employs SCADA (Supervisory Control and Data Acquisition), this is yet another wake-up call. SCADA, for those who do not use it, is used to control machine tools, robots, etc. SC Magazine relates a simulated event where a hacked SCADA device self-destructs. Cool!

http://www.scmagazineus.com/Video-shows-simulated-hacker-attack-on-electrical-grid/article/35872/


SC Mag also highlights the unique position of colleges and universities relative to the cascade of multiple regulations and compliance.

http://www.scmagazineus.com/Back-to-school-Compliance-in-higher-education/article/35684/


And, last but not least, ComputerWorld talks about creating a data-centric, as opposed to a device-centric, environment as the only real way to defend important information.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9038960&pageNumber=1


Onward to October!

Tuesday, September 18, 2007

posts from vacationland!

Excellent. Sunny Florida... taking some time to recharge... the villains never take vacation, though, so I continue my reading and posting, making what little contribution I can, regardless of how inviting the resort pool and the tray of gin and tonics may look.

In working with a prospect who is active in the database protection space I came across these two articles. Both emphasize the importance of protecting the corporate database itself, and perhaps paying at least as much attention to it as to reducing spam. This makes sense. An increasing number of exploits originate from within companies, bypassing perimeter defenses entirely. And the corporate database most often represents the crown jewels of a company. Protecting the jewels from inside exploits is certainly worth additional discussion.

From eWeek:
Data Governance Rises to Top of Compliance Efforts
http://www.eweek.com/article2/0,1759,2055066,00.asp?kc=EWRSS05099TX1K0001011


From SC Magazine:
CISO, Talk to Your DBA: Barriers to Database Security
http://www.scmagazineus.com/CISO-talk-to-your-DBA-Barriers-to-database-security/article/35563/


From SearchSecurity.com, an article by Ed Skoudis on the potential threats to VoIP infrastructures. When Ed writes something, most people take note. As someone working at a company that does a lot of VoIP implementations, I suggest that, if you are considering such technology, you consider the content of Plentiful VoIP Exploits Demand Careful Consideration:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1260359,00.html?track=sy320&asrc=RSS_RSS-10_320


Also from SearchSecurity.com, a similar thesis by John Burke is a little more detailed in the threat area, and perhaps a bit more unnerving:

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1260359,00.html?track=sy320&asrc=RSS_RSS-10_320


Enough for now... the beach beckons...

Friday, September 7, 2007

three strikes, and if you think toys with lead paint are all you have to worry about, think again

Wow... from Dark Reading, the sad, sad story of Pfizer's recent security debacle, Pfizer: Strike Three. Three major security breaches in three months, the latest the result of internal employee theft. My favorite quote: "A Pfizer spokesman called the breaches "three separate and distinct incidences" that bear no relationship to each other." Really. Are you out of your mind? Of course they are related -- they are related to a failure of leadership at the highest level in the area of FIXING their problems. Lay off the Viagra over there, and start thinking with your big head.

http://www.darkreading.com/document.asp?doc_id=133028&f_src=drweekly


On a positive note, from CIO.com, the German government is taking steps to prevent further hacking of its systems by China. Germany is working in conjunction with industry to protect government and infrastructure systems from attack. Excellent.

http://www.cio.com/article/135352/Germany_Aims_to_Protect_IT_Systems_With_Security_Plan


On the other hand, from FT.com:
Chinese military hacked into Pentagon. OK, China is one of the world's largest and fastest growing economies. That counts for something. The fact that they own a sizable amount of the US debt is another. But holy crap, don't we draw the line somewhere here?

http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html


From Dark Reading, a short entry that makes a couple of very good points. Firewalled: What Have You Got to Hide? 61% of companies surveyed have a data classification policy, but most say it is rarely enforced and many say it is out of date. So, if you don't know what data is critical to your business, you try to protect everything. Very often that drives the price of a storage security/business continuance solution WAY up, which means you elect to protect nothing. This deserves greater consideration.

http://www.darkreading.com/blog.asp?blog_sectionid=327&doc_id=132867


Hope you've decided what's critical to a great weekend. I'll be putting up tomato sauce... about as low tech as you can get!