Wednesday, May 26, 2010

Millennials Impact on Security and Control

As the most tech savvy generation in history establishes a foothold in the workplace, the Millennials are confirming some of what many have predicted. They are presenting new challenges to control and security over IT, but also new opportunities.

Millennials have grown up using technology that is individualized to their needs, downloadable off the internet, and with unique methods to control their privacy and image. They are accustomed to using their own technology that they have configured themselves and don't take kindly to corporate IT overlords dictating standardization policies to them. In fact, they often ignore those policies or work around them.

Companies cannot ignore these factors and need to respond in a way that still retains a responsible level of control and security. According to a recent survey by Accenture, the good news is that it is not shaping up to be a war, but a collaborative effort where compromises will be made on both sides. For the survey, see the Accenture site.

Tuesday, May 25, 2010

New Security Standards for the Cloud

At a recent workshop, there was extensive discussion of the steps to be taken to establish good security standards for cloud computing. Two initiatives were the focal point - FedRAMP and SAJACC. There was discussion of the adequacy of these standards as well as the possible alternatives.

It's a complicated issue. There are technical challenges as well as jurisdictional and leadership issues. Which agencies should take the lead? What should be the role of government?

It's an area that is going to be around for some time. There is an article on the discussion on InformationWeek.

Tuesday, May 18, 2010

Understanding the Security Landscape

Effective risk evaluation requires a good understanding of the security landscape. Most security professionals keep an eye on this changing landscape, and like to think they have a good understanding of it. However, as with any large and complex area, there are common misconceptions and it's a good idea to review these once in a while, as ITBusiness has recently done. There are some useful observations in their summary of the top five Myths about Information Security.

Monday, May 17, 2010

Avalanche Responsible for Most Phishing Attacks

An East European gang has been found to be responsible for more than 50% of the phishing attacks during 2009 - specifically 84,000 out of 127,000 attacks. The gang was named Avalanche because of the vast quantity of attacks they can generate. They use sophisticated technologies to launch focused attacks on lucrative targets like the big banks.

They are elusive, too, because law enforcement agencies have been tracking their activities for years, but haven't been able to do anything about them. Here's an article on them.

Friday, May 14, 2010

Security of Cloud Computing Users: A Study of U.S. and Europe IT Practitioners

CA and the Ponemon Institute have published a cloud security survey of U.S. and Europe IT and IT security professionals. The findings show that less than half of the respondents in the US don’t believe the organization has thoroughly vetted cloud services for security risks prior to deployment. It also showed that 55 percent of respondents are not confident they know all the cloud services in use in their organization today. The reason for this is that many cloud decisions are made by end users, who often don't give careful thought to which data should be in the cloud and which should not.

The study calls for a need for IT and Security professionals to embrace the cloud and help their organizations more securely adopt cloud services.

A copy of the survey can be downloaded from this site.

Wednesday, May 12, 2010

Managing Risk in 2010

Ernst & Young issues reports from time to time on Risk Management - reports that are timely, well written and well researched. Their current reports include:

1. Top privacy issues for 2010
2. The top 10 strategic risks for business
3. Future of risk: Protecting and enabling performance
4. Manage risk in the current climate

All of these reports can be downloaded from their website.

Tuesday, May 11, 2010

Software Piracy

Here's an area where IS auditors should be paying some attention. During 2009, Canadian companies paid out some $1 million to the Business Software Alliance (BSA), a consortium of large software makers that investigates suspected software piracy. In 2008, the BSA released a study saying that Canada was a Piracy Haven, although the study has been questioned by other researchers pointing out its flawed methodology.

Either way, the fact is that there is a lot of software piracy going on, and IS auditors can help if they so choose, simply by testing the software licences in place and the process for maintaining them. An interesting article on the Canadian software piracy scene, including a list of the fines recently paid by some Canadian companies, can be found at this link.

Monday, May 10, 2010

The 2009 Data Breach Hall of Shame

Many data breaches arise because of lapses in the most basic of security precautions. This is an important fact for IS auditors because it means that they have within their everyday audit programs the capability to find and prevent these breaches (or at least warn against them). It also means they will more likely be held to account when the breaches occur. CIO Magazine's 2009 Hall of Shame lists several occurrences that are mind boggling in their simplicity and in their laxity. How about posting a complete description of your security policies and procedures on the internet? Or let's try maintaining all user IDs and passwords in plain text, unencumbered with such complications as encryption. Not to mention a lack of control over the hard drives that contained the plain text files. There are others. Read on in this article.

Wednesday, May 5, 2010

Asymmetrical Warfare

Surprise attacks by small, simply armed groups on modern, high-technology nations, sometimes referred to as asymmetrical warfare, are on the rise and are affecting not only the security of individual companies but also the security of nations. The reason for the rise is that the entry costs of getting into cyber-crime are very low. The tools can be purchased on the internet for prices like $40 or $50. Groups have been formed to organize the perpetrators, especially in less developed nations, and they offer high rewards, particularly when major break-ins are achieved. The rewards can be impressive and the crime conducted with little personal risk or even inconvenience.

The cost is hitting companies big time. A recent UK report by PricewaterhouseCoopers showed that the cost of cybercrime has doubled in the last few years and continues to rise.

There is an urgent need for a concerted response to this crime wave, a response consisting of both private and public interests. A good rundown on this area is found by clicking this link.

Monday, May 3, 2010

Data Breaches Cost Dearly

The Ponemon Institute has released their 2009 Annual Study: Global Cost of a Data Breach, sponsored by the security firm PGP Corporation. The study sets the cost in the US at $204 per record, which is 43 percent higher than the global average cost for data breaches. In Germany the cost was $177 per record. Other countries: Australia ($114), France ($119), and the UK ($98). The cost of lost business accounts for 42% of the cost of the data breaches. For a summary of the study conclusions, see this article.