
ERM Best Practices in the Cyber World

Using ERM to assess cyber risk

If you read the news in 2011, it should be no surprise that data is more vulnerable than ever. The threats are growing more sophisticated by the day and the fallout if you suffer a data breach can cost a fortune. Risk managers need to take a more active role in this arena. It can no longer be the sole responsibility of IT.

“The volume and value of sensitive data has never been higher and the sophistication of those who want to steal it continues to increase,” said David A. Speciale, of Business Acquisition at Identity Theft 911. “All the while, the potential cost of a data breach grows ever more catastrophic in terms of financial, legal, and reputational damage. Failure to act is not an option.”

To this end, RIMS (the organization that publishes this blog) has released a new paper on how ERM can help. “ERM Best Practices in the Cyber World” discusses looking at cyber-risk as less an exercise in patching network systems and more about changing your mind-set. It’s about using ERM principles to better prioritize the actual threats and gauging how severely each could hurt the company.

The paper also provides advice on creating a better information security plan and gives an excellent, detailed overview of the many cyber-related rules and regulations that companies must abide by in 2012: HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley, the FAIR Act, the Red Flags Rule, the PATRIOT Act, the Data Protection Directive, and the many state-specific notification laws that kick in following a data breach.

“ERM Practices in the Cyber World” is free to RIMS members and $29 for non-members.


The Anatomy of Data Risk Management

As we posted yesterday, Saturday, January 28, is Data Privacy Day. Keeping with that theme, we think it’s important to focus on data risk management. Brian McGinley, senior vice president of data risk management at Identity Theft 911, offers this well-written piece on the timely topic.

Think of data as a living organism.

Just like a human body, data has various components and life support systems that must be maintained to ensure the whole thrives and survives. You can think of a data risk specialist as a doctor trying to keep the organism healthy through its various life stages.

Data, our hypothetical patient (you’re welcome, Star Trek fans), needs a safe and healthy environment, a supportive lifestyle and good hygiene. Just as a doctor has to consider external threats (“do you smoke?”), so does the data risk manager.

Let’s look at what this all means, and how this philosophy can be applied to your business’s policies and practices.

Data, our hypothetical patient, has three basic forms: paper, electronic and human memory. A good data risk management plan must consider all three.

Controlling paper and electronic data is what we think of most when considering data security. This is your standard (or what should be standard) security policy, access control procedures, system audits, and the like. It’s where security planning meets IT.

Human memory is a little more elusive. Education, security training and a reward-demotion plan can help control human errors, as can confidentiality agreements, and project-specific security contracts. These are the tools of teachers and lawyers. Generally speaking, there are four key rules to protecting data in all its forms:

  1. Be stingy with sensitive data, internally and externally;
  2. Provide access to data on a need-to-know basis;
  3. Provide access only to that specific data, rather than entire data sets;
  4. Be deliberate in how data is handled, used and shared.

Data has a life cycle. If your data doesn’t, it should. Whether it’s government secrets or an online shopper’s credit card number, data is received or created within your company’s computer systems. It is used, maintained and stored. It is archived or destroyed. That data, in all cases, has three basic states: in action, in motion or at rest. Take the credit card number example: that information can be used, the card charged, or moved to another computer system, or archived. Use, motion, rest.

There are four fundamental rules regarding the life cycle of data:

  1. If the organization doesn’t need it, don’t collect it.
  2. If data must be collected, collect only what is needed.
  3. If data is needed, control it and encrypt it.
  4. When data is no longer needed, get rid of it – SECURELY.

Now that we know what data looks like (paper, electronic, mnemonic) and how it lives (in action, in motion, at rest) we should consider those external threats, namely data breaches. A data breach is an incident (or series thereof) in which sensitive, protected or confidential information has potentially been viewed, stolen or used with unauthorized access. This can be a hacker attack, an internal company mistake that results in exposed information or, in some cases, corporate or government espionage. A data breach can be anything that jeopardizes data.

These threats range from simple user negligence, operating or systemic issues, all the way to highly complex criminal attacks launched against your organization. As anyone who follows the tech news knows, sensitive consumer and business information has become a criminal commodity.
With this hostile environment in mind, it is imperative for the business to plan and prepare not only for the protection of their information, but also for the response and recovery of their data and business in the event of a data breach. For a data manager or security professional to fail to issue such a warning would be akin to that doctor not asking about smoking.

At the end of the day, data as an organism is more than an extended metaphor. It’s a means to look at your company’s data products in an abstract way and understand how they operate. This, in turn, will allow you to develop the proper health plan. Just like with our health, there is no single wonder pill. But there are data doctors out there who can analyze your business’s risk posture and recommend ways to get it in shape.


The Risks of Social Media: Spam Attacks Q&A

In mid-November, Facebook became the target of a spam attack that infiltrated users’ profile pages, on which it posted disturbing images. The attack caused an uproar due to the nature of the violent and sexually explicit images. Facebook chalked it up to a “security bug in an internet browser.” But this was not the first (or, most likely, last) spam attack on the social media site.

Over the Thanksgiving weekend, the Facebook community forum was flooded with spam messages that advertised links for streaming sporting events. And just today it was announced that a new worm spreading on Facebook is aiming to infect users with a data-stealing virus. Though not considered a spam attack, it is just another example of the risks of social media.

With questions on this topic, I turned to Dr. Hongwen Zhang, co-founder and CEO of Wedge Networks.

Facebook has been the target for several recent aggressive spam attacks. What makes the site so popular for spammers?

Spammers are moving their efforts away from email and towards social media, exploiting the ability to create fake profiles for free while quickly gaining a massive online presence across various platforms such as Facebook. In addition, hackers/spammers are capitalizing on the popularity of social media by manipulating end-users into downloading malicious content or browsing malicious sites. Studies conducted by security vendor Kaspersky Labs show that social networking sites are 10 times more effective at delivering malware than previous methods of email delivery. This is a result of social media sites, such as Facebook, where development is based on human relationships and the ability to quickly and easily connect, creating a perfect breeding ground for malicious code and spam.

What were the implications of the recent Facebook spam attack?

With such a large online community, the increasing amount of spam and malware affects Facebook’s operations as well as their users. While the most recent spam attack isn’t new, the violent and pornographic nature of November’s attack upset users more than usual, who went to their blogs, Twitter or Facebook accounts to discuss the outbreak. As of October of this year, Facebook said that spam represents less than 4% of content shared on the social networking website and affects under 0.5%, or 4 million users, on any given day. This is still a large number of people who are being affected on a daily basis and I suspect that this number only includes spam that Facebook catches, therefore it’s not 100% accurate.

Have there been any recent spam attacks on other social networking sites, such as Twitter or LinkedIn?

Twitter and LinkedIn have both faced similar attacks to Facebook, although we have not seen any published information on attacks on as large a scale or as organized as what we saw in November with Facebook’s stream of spam messages on user profiles and on their help forum. However, most social media sites follow the same principles of user-generated content on trustworthy sites and as such, hackers and spammers can quickly and easily publish their attacks on all sites and expect a similar effect. For example, there have been many documented cases of spam and malware on multiple sites at once, such as the Starbucks-themed attack that used both Facebook and Twitter concurrently in November. According to Sophos, spamming on social networks rose in 2010, with 67% of people surveyed receiving spam messages, up from 57% at the end of 2009 and 33% in the middle of that year. Phishing and malware incidents were also rife, with 43% of users spotting phishing attempts and 40% receiving malware.

How can these spam attacks affect businesses who use social media for marketing purposes?

Twitter, Facebook and LinkedIn have entered the IT security landscape — bringing both advantages and dangers to your business. Organizations continue to utilize social media services for marketing, and their employees utilize social media for personal usage. IT departments must balance use with control in order to protect a business in the social media world. It becomes a two-fold job:

1. Stopping Outbound Malicious Spam:
Proactively controlling outbound content mitigates the risk of disclosure, ensures appropriate information is being sent and stops the network from sending out spam or malware from your organization. Organizations need to take measures to ensure that their corporate accounts are safe. This includes limiting passwords, staying up-to-date on industry trends and providing education to staff who are managing social media accounts on behalf of the organization. In addition, outbound malware and spam threaten business relationships with customers and negatively impact the reliability of the brand. Companies must use content protection strategies to strengthen their brand by preventing the distribution of bad outbound content, including spam and malware, from their corporate IP or account.

2. Protecting You and Your Employees from the Dangers of Social Media:
Organizations must also protect their networks and assets from employees who use social media sites. With high click-through rates, spam being sent through social media can damage corporate assets as well as cost organizations time and money while they clean infected devices. Inline real-time threat protection and malware analysis of all content, including hidden injected malware attacks and downloads, is necessary to efficiently analyze web traffic for malicious attacks against all endpoints. This provides organizations with the comfort of knowing they are protected, even if their employees have been tricked.

What can businesses do to prevent, or at least minimize, the attacks?

Prohibiting employees from accessing social networking sites like Facebook, Twitter and LinkedIn is no longer realistic.

Blocking and application control policies are becoming inefficient with dynamic user-generated content and cross-site, drive-by attacks on good websites. Combined with access through multiple endpoints (mobile devices, PDAs and tablets), old approaches are no longer effective. Security solutions with the ability for deep content inspection give organizations the advantage of utilizing all social media, while guaranteeing compliance mandates are met and the organization is protected, regardless of what the end-user is accessing. The solutions provide visibility of the application content and the aptitude to apply flexible policies over users, applications and protocols based on the real-time understanding of the applications’ intent.

It seems individuals and companies will always be one step behind when it comes to preventing such attacks. Hackers and spammers are just more sophisticated in terms of technical expertise. Do you agree?

I agree with this as many companies and individuals are struggling to protect themselves against attacks, especially when conventional approaches, such as blocking web access according to the reputation of the URLs, are used. However, there are innovative solutions out there that go beyond simply checking on the reputation of a link and go deep to make sure that the actual content is not malicious. These deep content inspection based solutions are effective tools to prevent the spreading of malicious content in social media use.

The Risks of Social Media: How Insurance Companies Are Benefitting Despite the Potential Perils

It’s been quite a while since we last added to our Risks of Social Media series. There have, of course, been many developments and discussions of the risks involved over the past year, but more so than the downsides, companies should now be focusing on the upside. Twitter, Facebook, YouTube and now, perhaps, Google+ all present vast marketing, reputation, customer service and sales benefits, so it would be foolish to continue ignoring the social media revolution just due to the downsides.

For a recap of the perils, however, let’s look at the below slide from the Insurance Industry Charitable Foundation’s presentation “Social Media 2.0 for Insurance Professionals.”

These issues are real concerns. They must be dealt with. And anyone in your company who is tasked with managing any aspect of the firm’s social media platform must undergo training that highlights the risks just as much as the opportunities.

But just look at how even these — theoretically — risk-averse companies are leveraging social media for their own gains. Insurers are generally not going to jump into something if the threat outweighs the upside. So if they’re doing it, chances are you should be, too. (all slides courtesy of Dewey & LeBoeuf’s presentation for IICF)

(Slides shown: State Farm, Farmers, Progressive, Allstate.)