Highlights:
– Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
– Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
– The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
– Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
– Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.
http://www.fdic.gov/news/news/financial/2005/fil10305.html
Month: October 2005
PGP Encrypts BlackBerry Messaging
The solution runs in conjunction with PGP Universal, a series of products for enterprises, businesses and departments requiring multiple encryption and digital-signature solutions managed from a single console. With PGP Universal, enterprises deploy one key infrastructure and may later add new encryption capabilities and devices without changing that infrastructure.
PGP support is fully integrated in the BlackBerry user interface (see top image) and provides e-mail encryption, decryption, digital signature, and verification services for e-mail sent from and received on BlackBerry devices. Users authenticate themselves with their private key passphrase before decrypting or signing e-mail on their BlackBerry. Outgoing messages are automatically protected according to a centralized policy specified by the PGP Universal administrator. PGP Universal uses PGP Additional Decryption Key (ADK) capabilities, automated key management and recovery, and automated enrollment and centralized policy management.
PGP VP of marketing Andrew Krcik told SmartPhoneToday that the PGP Support Package for BlackBerry will be available as part of the BlackBerry handheld 4.1 operating system next month.
Running it also requires BlackBerry Enterprise Server for Exchange 4.0.2 or Lotus Notes 4.1, plus PGP Universal Series 500 together with PGP Desktop 9.0 or the PGP Universal Satellite client.
Furthermore, Krcik said PGP brought the idea for the solution to RIM because they shared so many customers and it filled a need requested by many enterprises. “BlackBerry is the overwhelming leader for enterprise mobile messaging. By providing an integrated PGP Universal and BlackBerry solution, we address a strategic requirement of our joint customers,” according to PGP CEO & President Phillip Dunkelberger.
PGP Support Package for BlackBerry costs $249 per client, with volume discounts available for channel partners.
http://www.rimroad.com/articles/2005/10/2005-10-10-PGP-Encrypts-BlackBerry.html
Top Ten Strategic Priorities for 2006 according to PWC, CSO and CIO
– Disaster recovery/business continuity
– Employee awareness programs
– Data backup
– Overall information security strategy
– Network firewalls
– Centralized security information management system
– Periodic security audits
– Monitoring employees
– Monitoring security reports (log files, vulnerability reports and so on)
– Spending on intellectual property protection
This list further reinforces the reactive nature of information security. Awareness programs often score high as a strategic priority because they’re relatively low-cost. One should expect number 10 on this list will shoot up in priority next year, given the steady stream of identity thefts and other major information crimes.
http://www.csoonline.com/read/100105/survey_topten.html
How ‘Good’ is Your Security Policy?
It is not unusual for organisations to have a number of disparate documents distributed throughout the business, each addressing various issues such as acceptable use of company e-mail and the Internet, physical security of company assets, and so on.
Security policies have a number of human, financial and legal consequences. Because of this, great care needs to be taken to ensure that such policies accurately reflect the current situation.
Certainly, the legal requirements for the protection of personally sensitive data have changed dramatically of late, and it is common to discover that individual organisations’ security policies have not kept pace. Additional legislation dealing with the protection of data and monitoring in the workplace has been introduced recently that may have a significant impact on both public and private sector organisations. Many organisations are required to demonstrate to external and internal auditors that they meet prescribed standards in the way in which they secure and operate their businesses. Correctly interpreting how the various pieces of legislation and corporate governance guidelines apply to your organisation is a serious challenge, and one where mistakes can prove very costly.
Best practice (BS-7799/ISO-17799) recommends that security policies are updated regularly so as to ensure organisations continue to protect themselves from the risk of security breaches whilst remaining legally compliant.
– Does your current policy incorporate sufficient procedures to cover the use of Personal Digital Assistants (PDAs) and similar mobile devices?
– Do any of your personnel work remotely or on the move and, if so, are they connecting securely?
– Are you aware of the main areas contained within ‘The Telecommunications Lawful Business Practice Regulations’ and ‘The Employment Practices Data Protection Code’ in respect of the monitoring of communications?
– Does the Civil Contingencies Bill (which came into force last year) apply to your organisation?
If you are unsure about any of these issues – and this is by no means an exhaustive list – it is highly likely that your security policy needs reviewing and updating.
http://www.ebcvg.com/articles.php?id=935
Compliance? What’s That?
Here are two theories, both of which probably play some role: One, the regs are confusing and difficult to comply with.
Two, companies don’t fear any serious repercussions for not complying with the regulations, either because the mandates are too vague to really be enforced, or because the regulatory agencies aren’t devoting resources to enforcement.
Supporting the “lack of teeth” theory is the fact that only a third of respondents reported having compliance testing in place, and only a quarter link their security organization to the compliance group.
Lobel offers a third factor: “There’s just a lot of regs for these guys to deal with.”
http://www.csoonline.com/read/100105/survey_compliance.html
The Global State of
Issues:
Intellectual property left on a laptop that’s gone missing.
Corporate espionage rings that stretch from the United Kingdom to the Middle East and use IT to infiltrate companies.
Phishing scams by the thousands: puddle phishing, Wi-phishing, pharming.
We haven’t even mentioned good old viruses and worms, but those still work too.
To borrow from forestry parlance, information security is an escaped wildfire. And according to “The Global State of Information Security 2005,” a worldwide study by CIO, CSO and PricewaterhouseCoopers (PwC), you are the firefighters, desperately trying to outflank the fireline and prevent flare-ups and firestorms. It’s a thankless, impossible business.
In this environment, just holding your ground is a victory, and that’s what you’re doing.
This is the third annual edition of the survey—once again the largest of its kind with more than 8,200 IT and security executives responding from 63 countries on six continents. Each year the data has shown incremental improvement in the tactical battle to react to and fight off security incidents.
At the same time, the data shows a notable lack of focus on actions and strategies that could prevent these incidents in the first place.
There’s also a remarkable ambivalence among respondents about compliance with government regulations, a clear lack of risk management discipline, and a continuing inability to create actionable security intelligence out of mountains of security data.
Just 37 percent of respondents reported that they had an information security strategy—and only 24 percent of the rest say that creating one is in the plans for next year. With increasingly serious, complex, targeted and damaging threats continuously emerging, that’s not a good thing. “When you spend all that time fighting fires, you don’t even have time to come up with the new ways to build things so they don’t burn down,” says Mark Lobel, a security-focused partner with PricewaterhouseCoopers. “Right now, there’s hardly a fire code.”
Lobel compares the global state of information security to Chicago right before the great fire. “Some folks were well-protected and others weren’t,” he says, but when the ones that weren’t protected began to burn, the ones that were protected caught fire too.
Of course, with the survey’s thousands of pages of data and tens of thousands of data points, the overall security picture is a little more complex than “Everyone’s tactical; no one’s strategic.” Some respondents show signs of embracing a more holistic approach than others. Maybe even create a fire code so that if a cow does knock over a lantern, the whole city won’t burn.
http://www.csoonline.com/read/100105/survey.html