admini – Page 228 – CyberSecurity Institute

Tech Giants Form Consumer Privacy Rights Forum

Posted on June 21, 2006December 30, 2021 by admini

The Legislative Forum makes it clear that the national standard it envisions would preempt state laws. For that reason, “a robust framework is warranted,” it said.

Some privacy advocates worry that preemption of state laws might constitute an end-run around the more stringent — and to many companies, quite onerous — privacy protections that are already in place in states such as California. Now, the few pieces from California’s original legislation that were allowed to go into effect — the ability of consumers to request a credit freeze for example — are in danger of being replaced with far weaker national legislation currently under consideration.

http://www.technewsworld.com/rsstory/51272.html

Research Predicts Security Spending Slowdown

Posted on June 20, 2006December 30, 2021 by admini

However, while 7 percent of those surveyed for the report said they hope to eliminate the need for stand-alone security products altogether by using on such tools, only 16 percent said they actually plan to buy fewer products, with 22 percent holding out for price concessions from vendors before making additional purchases.

“[The] key will be for vendors to anticipate new security needs with extended or newer offerings.”

However, the report said some types of security applications, such as anti-virus software, firewalls and VPNs, will become increasingly commoditized, putting pressure on stand-alone vendors of the technologies as demand decreases. Bob Egner, vice president of product management at Pointsec Mobile Technologies, which markets software used to encrypt data on desktops, laptops and mobile devices, said demand for the company’s applications is not slowing, but rather becoming more consistent.

http://www.eweek.com/article2/0,1759,1979225,00.asp?kc=EWRSS03119TX1K0000594

Encryption can save data in laptop lapses

Posted on June 17, 2006December 30, 2021 by admini

“It is shocking how many of these are stolen laptops and that fact that the users of the laptops did not use encryption to secure the data,” Beth Givens, director of the Privacy Rights Clearinghouse, said of recent data losses. If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware.”

Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearing House, a San Diego-based nonprofit that tracks data thefts. So far, there is no evidence the stolen data were used for identity theft or other nefarious purposes. Hospitals, universities, consulting firms, banks, health insurers and even a YMCA have lost personal data.

The portable computers are usually protected by passwords needed to boot them up, but the data on their drives are still accessible.

Ernst & Young, which has 30,000 laptops used by its highly mobile staff of consultants, is encrypting all contents on the computers, according to company spokesman Charlie Perkins.

In several cases, laptops were lost or stolen when employees violated company rules by leaving them in parked cars or in their homes.

http://seattlepi.nwsource.com/business/1700AP_Laptops_Security.html

Study: Sarbanes-Oxley forcing some companies to consider going private

Posted on June 16, 2006December 30, 2021 by admini

Many industry watchers expected audit fees would drop during public companies’ second year of complying with Sarbanes-Oxley Section 404, which requires companies to attest to the effectiveness of controls put in place to protect financial reporting systems and processes. Instead, they increased: Audit fees rose 22% for small companies, 6% for midsize companies and 4% for large companies (as defined by Standard & Poor’s indices).

Smaller public companies, in particular, felt the burden of increased audit costs, said Tom Hartman, corporate governance study director and business law partner at Foley & Lardner, in a teleconference. The fees companies pay their directors also have climbed considerably as a result of corporate governance and public disclosure reforms implemented since the enactment of Sarbanes-Oxley.

Overall annual director fees have increased an average of 71% for small companies, 64% for midsize companies, and 58% for large companies between 2001 and 2005.

When all the expenses are tallied, companies with under $1 billion in revenue spent an average of $2.9 million to comply with Sarbanes-Oxley in 2005, and companies with greater than $1 billion in revenue spent $11.5 million.

For companies of all sizes, audit fees represent the biggest portion of those expenses, followed by the cost of lost productivity.

For the first time in four years, not a single respondent said the reforms are not strict enough, Hartman said.

http://www.networkworld.com/news/2006/061506-sarbanes-oxley.html

SCADA industry debates flaw disclosure

Posted on June 16, 2006December 30, 2021 by admini

“These are what you would consider, in the IT world, critical enterprise applications,” Peterson said.

LiveData maintains that the flaw is a software bug, not a security vulnerability, pointing out that it only affects how the LiveData ICCP Server handles a non-secure implementation of the communications protocol–typically used only in environments not connected to a public network.

“In general SCADA networks are run as very private networks,” said Jeff Robbins, CEO of LiveData.

The incident has touched off a heated debate among a small collection of vulnerability researchers, critical infrastructure security experts and the typically staid real-time process control systems industry. The controversy mirrors the long-standing dispute between independent researchers and software vendors over disclosing vulnerabilities in enterprise and consumer applications.

Last week at the Process Control System Forum (PCSF), a conference on infrastructure management systems funded by the U.S. Department of Homeland Security, a similar debate played itself out. Perhaps three dozen industry representatives and security researchers met during a breakout session to hash out the issues involving disclosure. The tone became, at times, contentious, said Matt Franz, the moderator at conference panel on the topic and a SCADA security researcher with Digital Bond. “‘It puts people and infrastructure in danger,’ they said.”

Moreover, many vendors did not appreciate the involvement of the U.S. Computer Emergency Readiness Team (US-CERT), the nation’s response group tasked with managing the process of vulnerability remediation for critical infrastructure, Franz said.

The debate over how disclosure should be handled underscores both the intense focus on SCADA and DCS systems as potential targets of cyberattacks and the position of many companies in the real-time process control systems industry that vulnerabilities in such systems require special treatment.

For between 5 and 10 percent of the networks audited by PlantData, a single ping attack or a data flood aimed at a SCADA system could shut down most of the managed devices, Pollet said.

http://www.securityfocus.com/news/11396

Regulatory Compliance Planning Guide

Posted on June 16, 2006December 30, 2021 by admini

The regulations and standards come from many sources, such as national and local governments. Examples include the Sarbanes-Oxley Act (SOX) and the California Law on Notice of Security Breach, formerly known as SB-1386. They also come from industry-specific oversight groups, such as the Payment Card Industry Data Security Standards.

Not surprisingly, many companies find it difficult to understand how to respond appropriately to these regulatory requirements, and then maintain their regulatory compliance through cost-effective processes and procedures.

http://www.it-observer.com/articles/1161/regulatory_compliance_planning_guide/