Wyoming broadens definition of personal information in amended data breach notification law
The amendment expands the definition of personal information to now include an individual’s first name or first initial and last name in combination with any of the following: (1) Social Security number, (2) driver’s license number, (3) account number, credit card number or debit card number in combination with any security code, access code or password that would allow access to a financial account of the person, (4) tribal identification card, (5) federal or state government issued identification card, (6) shared (login) secrets or security tokens known to be used for data based authentication purposes, (7) a username or email address when combined with a password or security question and answer that would permit access to an online account, (8) a birth or marriage certificate, (9) medical information, meaning a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, (10) health insurance information, meaning a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claim’s history, (11) unique biometric data, or (12) an individual taxpayer identification number.
Link: http://www.lexology.com/library/detail.aspx?g=5a82bdde-187f-458d-907f-7bb8e010b149
How to Build a Successful IT Security Awareness Program
The first step towards creating a successful security awareness program is to recognize that this is not a project with a defined timeline and an expected completion date, but is instead a development of organizational culture.
Similarly, the measurements of success are not just found in reduced counts of accidents or exposures but in the base line attitudes and practices of employees as they perform their business functions.
Link: http://www.tripwire.com/state-of-security/security-awareness/how-to-build-a-successful-it-security-awareness-program/?utm_source=Threat+Brief&utm_campaign=b08684f8ae-Threat_Brief4_1_2015&utm_medium=email&utm_term=0_79bf093b3a-b08684f8ae-388769721
Should security providers be held liable for data breaches?
Black Hat Asia ended with a discussion started by Black Hat founder Jeff Moss on if security providers, should be held liable for data breaches, because of the critical data they claim to “secure”. The recent number of hacking incidents everywhere have made this a widespread issue and security professionals worldwide have voiced their opinions.
A managed security service provider (MSSP), where an information security company such as Paladion is managing the security posture of the enterprise, is involved in maintaining the security products of the organization or uses their own to protect the organization. An MSSP can be held liable if there is a breach if it was an oversight or error by their security analysts that caused the breach. Liability would depend on the service contract that was drawn between the company and the service provider. An outcome based contract will have SLAs and liabilities that commensurate to the value, but a normal manpower based contract will not have this.Paladion provides outcome based information security services and has such contracts with several companies where penalties are defined in case of breaches.” added Rajat
Link: http://www.dnaindia.com/scitech/report-should-security-providers-be-held-liable-for-data-breaches-2075017
8 Steps to Stronger Information Risk Management
Your compliance and security teams may be approaching you, as the CFO, to be their advocate in obtaining the funds needed to set up or strengthen your information security or compliance programs. CFOs have historically been risk-averse by nature, focusing on protection of the business and the bottom line. But in the world we are now facing, CFOs will be expected to bring innovative ideas to the table to help their companies remain competitive.
As CFO, you know the risk appetite of the C-suite and the limitations of the budgets. Make sure the investments being recommended are in line with your organization’s strategy and operational needs. It’s important to either establish or strengthen an internal risk management governance council to guide decision-making.
Link: http://ww2.cfo.com/data-security/2015/04/8-steps-stronger-information-risk-management/
Principles of Malware Sinkholing
With malware dependency on domain name systems (DNS) and the use of domain generation algorithms (DGAs) on the rise, we’ve also seen an increase in the use of sinkholing as a defense and intelligence-gathering technique.
Although sinkholing is simple to execute, complex risks can be involved. First, some obvious legal issues may crop up with external sinkholing; for example, victim machines are now contacting a server you control. If, for instance, you use external sinkholing to control victim machines that do not belong to your organization — even if it’s for benefit — it’s a criminal act in most jurisdictions. This holds true even if there is a “self-destruct” feature in the malware that will uninstall itself when given the command to do so.
Ultimately, sinkholing is an important tool to have in your arsenal when dealing with emerging threats.
Link: http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/principles-of-malware-sinkholing/a/d-id/1319769
Brazil top for Android smartphones infected by malware
Brazil was last year among the countries most affected by malicious apps and spies for Android, according to a report released by Google, reports Teletime. In the ranking of infections by Potentially Hazardous Applications (PHA), looking at sites outside of Google Play and including unlocked devices (with root), Japan had the lowest rate of all in 2014, with 0.0702 percent. The global average was 0.7891 percent, and Brazil ranked above with 0.9996 percent. Brazil was only ahead of India, the UAE and Russia, which had highest percentage at 3.8548 percent. When it comes to spyware, the global average was 0.2035 percent and Brazil was again above this figure, placing penultimate with 0.4218 percent. Again, the lowest annual average was Japan, with 0.0141 percent.
Link: http://www.telecompaper.com/news/brazil-top-for-android-smartphones-infected-by-malware–1075037