Albert Gonzalez, Cyber Criminal
 
Albert Gonzalez, a 28-year-old from Florida, is suspected of being involved in most of the major security breaches dating back to 2003, when he became an informant for the US Secret Service. With his assistance they were able to break up the "Shadowcrew" group, one of the largest online black markets for stolen identities. Of the 28 people arrested, 27 pled guilty and one is on the run.
 
In 2008, Gonzalez was indicted on charges related to security breaches at TJX, Dave & Busters, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes and Noble, Sports Authority, Forever 21 and DSW.
 
On August 17, 2009 he was indicted a third time by a federal grand jury on charges related to data breaches at Heartland, Hannaford Bros. and 7-Eleven Inc. These three data breaches have exposed over 130 million credit and debit cards.
 
The Takeaway
To protect yourself you need to understand how the attackers executed their attacks in order to determine how to protect your data. According to reports, Gonzalez and two accomplices used SQL injection attacks, malware and packet-sniffing tools to find and steal payment card data.
 
In previous attacks Gonzalez and his cohorts exploited vulnerabilities in wireless networks to gain access to companies' networks and steal payment card data directly from databases.
 
Organizations should protect their networks and data by ensuring they follow industry security standards. For example:
 
Strong wireless access controls and encryption
Intrusion Detection / Prevention systems
Web Development code reviews
Application Layer Firewalls
Vulnerability scanning
Penetration testing
Vulnerability patch management
Finally, constant vigilance is required, not an option
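As an added illustration of why the code review item on that list matters for SQL injection, here is a small example written for this post (it is not code from the original article or from any of the breached companies). It uses an in-memory SQLite table with constructed sample rows, and shows a lookup built by string concatenation next to the same lookup written with a bound parameter, so a reviewer can see what to flag and what to require instead:

```python
import sqlite3


def setup_db():
    """Constructed sample store standing in for a customer/payment record table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Pattern a code review should flag: untrusted input is spliced into the SQL text,
    so the input can change the meaning of the query rather than just its value."""
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Parameterized form: the driver sends the value separately from the SQL text,
    so whatever the caller supplies can only ever be compared as an email string."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed input that contains SQL syntax instead of an email address.
UNTRUSTED_INPUT = "x' OR '1'='1"


def demo():
    """Run both lookups against the same input and return what each one leaks."""
    conn = setup_db()
    return {
        "vulnerable": lookup_vulnerable(conn, UNTRUSTED_INPUT),  # every row comes back
        "safe": lookup_safe(conn, UNTRUSTED_INPUT),              # no row matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every customer row because the input terminates the string literal and appends an always-true condition; the parameterized version returns nothing because no customer has that literal string as an email. The review rule this supports is simple: any query assembled with `+` or string formatting from request data is a finding, regardless of what validation sits in front of it.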
 
Following security standards is not a guarantee of protection. Some people mistakenly think that following a security standard will offer complete protection from hackers. Security standards will never eliminate risk; they can only reduce the risk of hackers successfully breaking into your networks and accessing data.

Donald E. Hester
 
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
Archival Media

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a client:
I have a question regarding the definition of optical disk. For record retention, our City Clerk has been told they need to keep some of their records on optical disks that cannot be changed. What would qualify for this? Would something like a DVD-R? How about our backup tapes? Thanks.
 
When selecting an archive media you will need to consider the retention period and the degree of integrity needed for the data. The retention period will guide you on selecting media that has longevity beyond the required retention period. The degree of integrity will guide you in selecting media and technology that will protect the data from modification or alteration.
 
Integrity
Integrity is about protecting the data from intentional or unintentional modification or alteration. There are a number of ways to protect the data on the media from modification or alteration. One is to select DVD-R instead of DVD-RW, because DVD-R is write-once media and DVD-RW can be written multiple times.
 
If you need to use media that can be written to multiple times, such as DVD-RW, hard disk, solid-state memory or magnetic tape, you can use a one-way hash algorithm. A one-way hash algorithm is a mathematical function that produces a fixed-size value from the original data (file, message, etc.) and is used to determine whether that data has been altered in any way. If the data is altered, even by a single bit, recomputing the hash will no longer produce the value you recorded.
 
Hashes tell you whether someone has modified the original data; they do not protect it from being changed. If you need to protect it, the best bet is to encrypt the data as well. I would recommend using encryption to protect the data from modification, alteration and disclosure. However, using encryption means you need to have a key management system.
 
A low-tech way to protect the integrity of data for archival purposes is to store multiple copies in different locations. If one copy has been compromised, you would be able to compare it with another copy to see if there are any differences.
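The two checks just described, a hash recorded at archive time and a comparison between separately stored copies, can be put into a short script. The example below is added for this post and is not part of the original answer; the record names and contents are constructed, and SHA-256 is used as the one-way hash. It builds a manifest for one copy of an archive, verifies a copy against that manifest later, and diffs two copies directly:

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """One-way hash of a file, read in chunks so large archive files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory):
    """Map each file (relative path) under the archive directory to its digest."""
    manifest = {}
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, directory)] = sha256_file(full)
    return manifest


def serialize_manifest(manifest):
    """Manifest as JSON text, suitable for writing to write-once media or a separate location."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(directory, manifest):
    """Recompute every digest and report 'ok', 'modified' or 'missing' per file."""
    results = {}
    for rel, expected in manifest.items():
        full = os.path.join(directory, rel)
        if not os.path.exists(full):
            results[rel] = "missing"
        elif sha256_file(full) != expected:
            results[rel] = "modified"
        else:
            results[rel] = "ok"
    return results


def compare_copies(dir_a, dir_b):
    """Low-tech check between two archival copies: list files whose digests differ."""
    ma, mb = build_manifest(dir_a), build_manifest(dir_b)
    return sorted(rel for rel in set(ma) | set(mb) if ma.get(rel) != mb.get(rel))


def demo():
    """Constructed archive with two copies; one record in copy B is altered after archiving."""
    records = {
        "minutes-2009-08.txt": b"City council minutes, August 2009.\n",
        "resolution-42.txt": b"Resolution 42 adopted.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        copy_a = os.path.join(tmp, "copy_a")
        copy_b = os.path.join(tmp, "copy_b")
        for d in (copy_a, copy_b):
            os.makedirs(d)
            for name, data in records.items():
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        manifest = build_manifest(copy_a)  # recorded at archive time, kept separately
        # Simulate silent corruption or tampering of one record in copy B.
        with open(os.path.join(copy_b, "minutes-2009-08.txt"), "ab") as f:
            f.write(b"amended\n")
        return {
            "verify_a": verify_manifest(copy_a, manifest),
            "verify_b": verify_manifest(copy_b, manifest),
            "differing": compare_copies(copy_a, copy_b),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as where it is kept: if it sits on the same rewritable media as the records, whoever can alter a record can also recompute and replace its digest. Writing the manifest to write-once media, or storing it with a different custodian than the records, is what turns the hash into a usable integrity control.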
 
Availability (Retention)
You also need to consider the retention time. Regular CDs and DVDs have an expected life of 10 years! Backup tapes have a shorter life expectancy if used multiple times. Tapes used weekly are typically replaced annually. Is that long enough? Your media needs to be able to last as long, if not longer than, the life of the data.
 
If you use DVD-R media for storage you may want to look into special DVD-R media. Multiple manufacturers, such as Memorex, Verbatim and TDK, make archival-grade DVD-R media. They claim it will last up to 100 years.
 
If you use backup tapes, you need to purchase tapes that are used only to write and store the archive; in other words, tapes that are not in the normal backup rotation. Backups and archives are not the same: they serve two different functions and have different requirements for the media. With backups the media is regularly reused; in archival use, the tapes are written once and stored. For archival purposes, you will need to purchase archival-grade tapes with a 30-50 year life span.
 
Whatever media you end up using, there will also be storage requirements such as:
Temperature
Humidity
Light exposure (for optical media, and possibly for magnetic media if the light source creates heat)
Magnetic exposure (for magnetic media)
 
Helpful links
Much more could be said about archiving procedures, data retention, data destruction, media handling and security requirements related to this topic. If you would like more information, check out the links below:
 
NIST Special Publication 500-252 Care and Handling of CDs and DVDs —A Guide for Librarians and Archivists:
http://www.itl.nist.gov/iad/894.05/docs/CDandDVDCareandHandlingGuide.pdf

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
 
FaceBook at work?
 
From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a client:
How should we address web 2.0 and social media in our Computer Terms of Use policy?
 
 
There is no doubt about it: social media has its good points and its bad points. Businesses can use it to reach their customers better. Local government can use it to better reach its citizens. Social media can be used to promote your organization and deliver the information you want to interested parties. Social media is especially good for local governments who want to promote transparency in government.
 
Social media sites can also help with productivity. I often use FaceBook and other sites for collaborative research on various topics. Most recently I used FaceBook and associated friends to do some research on privacy issues of social media sites.
 
The downside is employees may spend all day on social media sites to the neglect of their work. Social Media sites are addictive, that is why they are a great medium for getting information out fast. In fact, this blog is listed on various social media sites such as blogs, FaceBook, YouTube, Twitter and LinkedIn. As a result of its addictive nature people have found themselves spending hours on social media sites not realizing they have been on the site for hours. At work this could mean the loss of countless hours of productivity.
 
What should organizations do with this dilemma? Do they restrict all access, do they allow unlimited access and hope employees do the right thing? Maybe there is a way to strike a balance between the two extremes.
 
There are two issues to address, one as to whether or not the organization will use social media as a way to communicate to interested parties and second as to whether employees will have access to such sites during work hours and on work computers.
 
Here are three ways to handle the use of social media sites for employees.
 
Option 1
The best case scenario is to have the most liberal approach possible. By that I mean a policy like the following:
 
"Employees are considered professionals and are expected to act professionally, ethically and legally. Employees will be treated as professionals. Failure to act professionally, ethically and legally will result in disciplinary action. Employees' use of such services should be incidental and not interfere with their normal job duties or deadlines."
 
This policy obviously has a lot of gray area, but it provides enough room for reasonable use and restrictions. It gives plenty of room for interpretation, and for that reason it should have a training component included with it: for example, security awareness training that covers the security and privacy issues of such sites and services. You may even consider ethics training similar to that required for CPAs and other professionals.
 
Note: We use this type of management philosophy at Maze & Associates, and attorneys often advise a less flexible approach.
 
Option 2
Not all organizations can have a policy with that much latitude. The alternative is to allow limited access to social media sites in conjunction with a more defined policy. In those cases there are a number of considerations you should look for in a use policy. If you already have use policies, they should be reviewed, and you should add stipulations for the use of social media sites and services and to what extent they can be used and accessed.
 
Things to consider:
 
  1. Restrictions on posting internal organizational information or confidential information.
  2. Restrictions on cyber stalking and harassment.
  3. Employees should be required to attend training on security and privacy issues related to such sites.
  4. Definition of what is considered reasonable use and reasonable times.
  5. You may be able to track or restrict the amount of time employees use such sites with firewalls and web filtering devices. (If you track internet activity of employees remember that you need to warn them that there is no expectation of privacy for what they do on your systems.)
 
Option 3
Blocking all social media sites is another option, but not a very good one. Remember that there are legitimate uses of social media sites. Blogs such as this one provide information that can be used by staff in conjunction with their normal duties. In addition, many sites use YouTube to deliver technical training. If you block all such sites you will limit access to information staff may need to complete their tasks efficiently.
 
In addition, restricting access to such sites creates a perceived attitude that management does not trust employees to do the right thing. Remember that happy employees are more productive than unhappy ones, not to mention the stress employees feel from police-state-style controls. If you can avoid restricting all access, your organization will be better off.
 
Conclusion
Whatever path you choose to go down, don't ignore the issue. Bring it up, make a decision and implement your approach. If you ignore it, it will become a problem.
 
Remember, if you are reading this blog, you are using social media.

 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
 