The Security Pub

Random Thoughts About Security

PCI is just a Security Baseline….

For everyone who continues to say PCI failed because of the recent breaches: that claim only proves that if they are running their organization's security or compliance program, they could well be the next name on the list of data breaches, simply because they don't get the PCI DSS!!

PCI DSS is just a security baseline. You must go beyond getting the ROC and maintain compliance as a program, not a project. Projects have an end date, which means that if you treat PCI like a project, the day after the project is completed you will probably no longer be compliant.

Massachusetts’ Revised Personal Information Security Regulation (201 CMR 17.00)

Massachusetts' Office of Consumer Affairs & Business Regulation (OCABR) has recently released a revised version of its "Standards for the Protection of Personal Information of Residents of the Commonwealth." The August 2009 version modifies the February 2009 version. The press release for the new revision is here, and the FAQs released by OCABR appear to have been updated to address some of the changes.

Big Questions with PCI


The standard relies largely on qualified data security assessors. But who watches the watchmen? Who assesses the assessors?

Assessors bear no liability or responsibility if they get the assessment wrong. So, 573,300 potential compromises = an "oopsie…?"

PCI puts all the security responsibility on the retailers and payment processors, but fails to address the antiquated (and vulnerable) payment system.

These are all fair questions and this time – once and for all — the payment card industry and its partners need to adequately address them.

Compliance vs. Security

I recently had the opportunity to catch up with some colleagues for lunch. We talked about how to measure and communicate enterprise risk. I wasn't surprised by how quickly these discussions gravitated to the topic of regulatory compliance. My colleagues pointed out that while securing the organization should be their primary goal, compliance occupies all their resources and thus is now driving security. But compliance should be a way of measuring the effectiveness of established processes, not a way of defining requirements.

It was only a matter of time before a PCI-compliant organization lost millions of credit card records as a result of a rather straightforward but overlooked security issue, like an unsecured wireless access point. Compliance may provide an illusion of security to those who don't understand the complexities of securing the digital business world, but it shouldn't be the end goal.

There is an outcome to the time we spend satisfying regulatory bodies. Being on the boardroom agenda builds trust with upper management in our security talents and delivery capabilities. Not a bad thing to have, right? The key question is how we benefit from this once we have achieved our compliance objectives. It's vital that we recognize that every problem is an opportunity in disguise.

End Users & Admin Rights

Whether you are in charge of a small business or part of an IT group running networks of hundreds of servers, certain areas of the business structure look the same, and one of them is a perennial vulnerability and failure point: the end user. Usually, all users are given full privileges on their computer, which allows them to install and remove applications, turn off services and edit configuration settings.

These rights allow malware and other harmful software to spread easily and to take control of devices such as cameras, microphones, network cards, printers and more. Viruses usually take advantage of this to spread and infect computers across your network.

Often, the problems with end users and software stem from downloads from untrusted sites, infected hard disks or USB drives, personal laptops and other media devices, any of which can cause harm to the entire organization.

To prevent security incidents, a policy should be enforced so that end users are assigned limited access following the principle of least privilege. The policy should also cover end users moving from one department to another, whose rights must be reviewed and modified, and when an end user leaves the organization, access to all information should be revoked.
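The practical check behind the policy above is finding out who actually holds local administrator rights on a workstation, since that is the privilege that lets malware install software and stop services. The following script is an added example, not code from the original post: it audits the local Administrators group against an approved list and reports drift. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Get-LocalGroupMember, Remove-LocalGroupMember); the domain name CONTOSO and the group names in the approved list are placeholders to replace with your own.

```powershell
# Added example: audit local Administrators group membership against an
# approved list so that end users holding admin rights outside policy are
# surfaced for review. Not from the original post; names below are placeholders.

function Get-UnapprovedLocalAdmins {
    [CmdletBinding()]
    param(
        # Principals allowed to hold local admin rights (hypothetical values).
        [string[]]$Approved = @(
            "$env:COMPUTERNAME\Administrator",
            'CONTOSO\Domain Admins',
            'CONTOSO\Workstation-Admins'
        ),
        [string]$Group = 'Administrators'
    )

    # Get-LocalGroupMember returns Name, ObjectClass (User/Group) and
    # PrincipalSource (Local, ActiveDirectory, AzureAD, MicrosoftAccount).
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop

    foreach ($m in $members) {
        # -notcontains is case-insensitive, so 'contoso\x' matches 'CONTOSO\x'.
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Group    = $Group
                Member   = $m.Name
                Type     = $m.ObjectClass
                Source   = $m.PrincipalSource
                Checked  = (Get-Date).ToString('s')
            }
        }
    }
}

# Report only. Removing a member is a change-controlled step, so it is shown
# with -WhatIf and nothing is modified when the script is run as-is.
$drift = Get-UnapprovedLocalAdmins
if ($drift) {
    $drift | Format-Table -AutoSize
    foreach ($d in $drift) {
        Remove-LocalGroupMember -Group $d.Group -Member $d.Member -WhatIf
    }
} else {
    Write-Output 'No unapproved members in the local Administrators group.'
}
```

Run it under an account that can read local group membership; to cover a fleet, wrap the function in Invoke-Command against a list of computer names and collect the objects centrally, which also gives you the record you need when a user changes departments or leaves. Note that Get-LocalGroupMember can fail on machines whose Administrators group contains orphaned SIDs from deleted accounts; those entries are themselves worth cleaning up, since they are exactly the leftover access the policy says should be revoked.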

Federal Agency Charges Facebook Of Violating Canada’s Privacy Law

AHN Staff

Ottawa, Ontario (AHN) – The Office of the Privacy Commissioner of Canada bared on Thursday the result of an investigation which found social networking site Facebook guilty of violating the country’s privacy laws.

The probe was the offshoot of a complaint filed by the Canadian Internet Policy and Public Interest Clinic, which pinpointed several areas in which the website needs to improve privacy levels and make its practices comply with Canada's privacy law.

Among the areas identified by the privacy commissioner is Facebook's account settings page, which has information on how to deactivate an account but lacks instructions on how to delete personal data from the portal's servers.

Privacy Commissioner Jennifer Stoddart also questioned the sharing of Facebook users' personal information with the third-party developers that create the website's applications, such as games and quizzes, since there are over 950,000 developers spread across 180 nations. Stoddart said Facebook does not have enough safeguards to effectively restrict these developers from gaining access to profile information.

Facebook's policy of indefinitely retaining the personal data of former members who deactivated their accounts is a violation of Canada's Personal Information Protection and Electronic Documents Act, the report said.

While Facebook has agreed to change some of its policies based on the agency’s recommendations, some have yet to be put in place.

Assistant Privacy Commissioner Elizabeth Denham said in a statement, “Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe. It is important for these sites to be in compliance with the law and to maintain users’ trust in how they collect, use and disclose our personal information.”

Article © AHN – All Rights Reserved