<?xml version='1.0' encoding='UTF-8'?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-7357937</id><updated>2008-01-16T19:39:01.539-05:00</updated><title type='text'>::PepperTech:: Security Management News Blog</title><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/index.htm'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default?start-index=26&amp;max-results=25'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml'/><author><name>avant-garde</name></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>516</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7357937.post-6575474446250885958</id><published>2008-01-16T19:36:00.000-05:00</published><updated>2008-01-16T19:39:01.563-05:00</updated><title type='text'>Last Post... Bye Bye...</title><content type='html'>&lt;span style="font-size:85%;"&gt;It has been a few years since I have been posting to this website. Lately, I have been so busy that I have not had time to focus on this as much as I had hoped. So... I decided to shut this blog down. I will revive it when I am ready again. Thanks, and bye for now.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2008/01/last-post-bye-bye.html' title='Last Post... 
Bye Bye...'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/6575474446250885958'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/6575474446250885958'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-314434214272901465</id><published>2007-10-28T22:51:00.000-04:00</published><updated>2007-10-28T22:53:38.251-04:00</updated><title type='text'>Art.com Hacking</title><content type='html'>&lt;span style="font-size:85%;"&gt;Art.com Inc. said that recently a hacker illegally gained access to some of its customers' names and encrypted credit-card numbers for some transactions made on its Websites from July through September. More details &lt;a href="http://www.marketwatch.com/news/story/artcom-inc-hacker-accessed-some/story.aspx?guid=%7BAF391148%2D394C%2D4ED4%2DB9A0%2D01C7D2451E25%7D&amp;amp;dist=sp_inthis"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/10/artcom-hacking.html' title='Art.com Hacking'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/314434214272901465'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/314434214272901465'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-1098086679764896</id><published>2007-10-16T10:12:00.000-04:00</published><updated>2007-10-16T10:13:00.342-04:00</updated><title type='text'>Full body scan or "striptease"? 
</title><content type='html'>&lt;DIV&gt;EPIC (Electronic Privacy Information Center) calls the full-body scans a virtual striptease. However, TSA claims that 79% of the public prefer the full-body scan! For one thing, I do not know where the TSA got the stats, but it appears as though people would rather be stripteasers than just be patted down. &lt;/DIV&gt;  &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;  &lt;DIV&gt;In all seriousness, I am glad that there are security checks, but are they effective and how do they affect the general traveller in terms of privacy, reasonable comfort and all such feel-good factors? &lt;/DIV&gt;  &lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;  &lt;DIV&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/10/full-body-scan-or-striptease.html' title='Full body scan or &quot;striptease&quot;? '/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/1098086679764896'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/1098086679764896'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-9155717242682200372</id><published>2007-08-07T08:42:00.000-04:00</published><updated>2007-10-13T16:58:15.831-04:00</updated><title type='text'>Do not hack the hackers</title><content type='html'>&lt;span style="font-size:85%;"&gt;Interesting read from &lt;a href="http://www.forbes.com/home/technology/2007/08/06/security-hacking-challenge-tech-cx_ag_0806toughhack.html"&gt;Forbes &lt;/a&gt;on how hackers do not want to be threatened.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/08/do-not-hack-hackers.html' title='Do not hack the hackers'/><link rel='replies' 
type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/9155717242682200372'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/9155717242682200372'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-6051241868547735927</id><published>2007-06-16T11:01:00.001-04:00</published><updated>2007-06-16T11:06:16.777-04:00</updated><title type='text'>Data Privacy Watchdog for India</title><content type='html'>&lt;span style="font-size:85%;"&gt;India does not have strict data privacy laws. This has allowed for a huge number of security breaches in the recent past. Now, India has a self-regulated industry watchdog that is going to oversee data privacy in regards to offshoring. More details on &lt;a href="http://services.silicon.com/bpo/0,3800004865,39167417,00.htm"&gt;silicon.com.&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/06/data-privacy-watchdog-for-india.html' title='Data Privacy Watchdog for India'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/6051241868547735927'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/6051241868547735927'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-7247971297146235852</id><published>2007-06-16T10:59:00.000-04:00</published><updated>2007-06-16T11:00:41.032-04:00</updated><title type='text'>BBC/Yahoo Hackday</title><content type='html'>&lt;span style="font-size:85%;"&gt;Hackers meet in London for the first BBC/Yahoo 
hackday. See details &lt;a href="http://news.bbc.co.uk/2/hi/technology/6757361.stm"&gt;here&lt;/a&gt;. &lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/06/bbcyahoo-hackday.html' title='BBC/Yahoo Hackday'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7247971297146235852'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7247971297146235852'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-8784815384366082206</id><published>2007-04-24T13:32:00.000-04:00</published><updated>2007-04-24T13:52:09.659-04:00</updated><title type='text'>Scalability in Compliance</title><content type='html'>Compliance is generally either with internal requirements or with external regulations. And ideally, since there is no single way to interpret external regulations, corporates create internal interpretations of external regulations. So, in essence, you are complying with a set of internal requirements. That said, the universe of your requirements will be unique to your business. A lot of times you hear corporates whining about too many regulations that they have to comply with. However, what one does not realize is the upshot of the ridiculous vagueness presented by the regulations. That is, it allows you the wiggle room to interpret the regulations in multiple ways. &lt;em&gt;SOX 404 interpretation in corporate A may very well be different from SOX 404 interpretation in corporate B.&lt;/em&gt; You can establish compliance with multiple regulations if you can establish a link between them and a single industry standard (e.g., ISO 17799 or BS 7799) that you want your corporate to follow. 
Most times, all of the regulations have a common denominator of security requirements that can be addressed by one industry standard. And if you align with the chosen standards, you can easily prove your alignment with the regulatory requirements as long as you have a clear mapping of the regulation to the industry standard and its applicability in your business. In summary, if your internal audit and security teams can a) distill the regulations into a universe of compliance requirements, b) map those requirements to an industry standard such as ISO 17799 and c) implement processes in alignment with the established mapping, it would make your life easier, implementation more streamlined and compliance readily scalable to multiple regulations.</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/04/scalability-in-compliance.html' title='Scalability in Compliance'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/8784815384366082206'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/8784815384366082206'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-4876352105878988375</id><published>2007-03-25T23:46:00.000-04:00</published><updated>2007-03-25T23:50:00.268-04:00</updated><title type='text'>Basic rules while on the net...</title><content type='html'>&lt;span style="font-size:85%;"&gt;Just in line with my last post for a layman user on being safe on the net -- please read &lt;a href="http://news.bbc.co.uk/2/hi/technology/6472723.stm"&gt;this &lt;/a&gt;article.&lt;br /&gt;&lt;br /&gt;An additional note: Change the default user id and password on the router, and if you are an advanced user, put some physical address based filters on it. 
That way the router will recognize only those computers that are on your network based on the filter configuration.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/03/basic-rules-while-on-net.html' title='Basic rules while on the net...'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/4876352105878988375'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/4876352105878988375'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-420434489097915515</id><published>2007-03-25T09:17:00.000-04:00</published><updated>2007-03-25T09:29:30.443-04:00</updated><title type='text'>Gift card float fraud scheme</title><content type='html'>&lt;span style="font-size:85%;"&gt;Customer data stolen from TJ Maxx had been in use in what the investigators call the gift card float scheme. See details here. Some of the things that you should do are 1) always verify your purchases either manually or using a tool like Intuit Quicken or MS Money, 2) notify your card company right away, and invalidate the card, and 3) set up alert on your credit report through. You can get information on all these through your bank. 
And many banks offer this for free to their clients.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/03/gift-card-float-fraud-scheme.html' title='Gift card float fraud scheme'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/420434489097915515'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/420434489097915515'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-7174972028747587342</id><published>2007-03-20T18:34:00.000-04:00</published><updated>2007-03-20T18:39:47.896-04:00</updated><title type='text'>Security at offshore vendors</title><content type='html'>With the advent of BPO has arrived a whole set of risks that may not be new, but definitely new in its &lt;em&gt;avatar&lt;/em&gt;. "Just How Secure Are Your Offshore Vendors?" is an interesting article that hits on the key assessment areas that you should focus on at your offshore vendors when they are handling your business processes. 
The article is available &lt;a href="http://www.outsourcingstrategist.com/articles/secure_offshore_vendors.html"&gt;here&lt;/a&gt;.</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/03/security-at-offshore-vendors.html' title='Security at offshore vendors'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7174972028747587342'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7174972028747587342'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-7060851733666758560</id><published>2007-03-11T22:40:00.000-04:00</published><updated>2007-03-11T23:09:43.210-04:00</updated><title type='text'>Should you stop at complying? Or go on to make money off of compliance??</title><content type='html'>&lt;span style="font-size:85%;"&gt;As I mentioned some time back, certain companies are having difficulty getting funding for their security and risk initiatives, while some are well funded already. The thing is that of the second lot, only a few use the funding wisely. It's mostly because the second set of companies (of course, fortunate to get funding) set their goals on tactical security and risk initiatives - mainly to comply with internal requirements and/or external regulatory mandates. What they are not realizing is that the funding could be used in a strategic fashion to develop and implement projects that support the organization's risk initiatives and posture. Recommendation: Use the funding wisely... do not stop at compliance. 
It's only one milestone, and there are several others, achieving which would help your organization in ways unimaginable.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/03/should-you-stop-at-complying-or-go-on.html' title='Should you stop at complying? Or go on to make money off of compliance??'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7060851733666758560'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7060851733666758560'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-542582021775866156</id><published>2007-03-06T07:42:00.001-05:00</published><updated>2007-03-06T07:53:29.091-05:00</updated><title type='text'>Email Retention - lessons from Intel</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;a href="http://www.marketwatch.com/"&gt;Marketwatch&lt;/a&gt; reports this morning that Intel may have lost its email pertaining to an antitrust lawsuit. Apparent from the &lt;a href="http://www.marketwatch.com/news/story/intel-may-have-lost-e-mails/story.aspx?guid=%7BBC9652AA%2D1FE2%2D4001%2DAF05%2D877F25A05DAD%7D&amp;amp;dist=TNMostRead"&gt;article &lt;/a&gt;is a common issue that corporates have today - inconsistent implementation of policies related to security, risk, compliance and governance management. 
There is something that everyone can learn from this - (i) get your people (employees) on board with such policies, (ii) tie employee benefits/incentives to the quality of policy implementation, and (iii) continuously measure and monitor policy performance and adjust accordingly.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/03/email-retention-lessons-from-intel_06.html' title='Email Retention - lessons from Intel'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/542582021775866156'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/542582021775866156'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-3599521118901212961</id><published>2007-03-02T18:08:00.000-05:00</published><updated>2007-03-02T18:15:55.829-05:00</updated><title type='text'>Real ID Controversy</title><content type='html'>&lt;span style="font-size:85%;"&gt;Yesterday, Secretary Chertoff held a press conference on the Real ID initiative that has been gaining controversy momentum across the country. Truth be told, I am generally okay with a security-infused ID for every individual. However, I do not understand how the Secretary thought that some information was &lt;strong&gt;not top secret&lt;/strong&gt;. To quote from the press release: &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;"Now here’s how these standards are going to work. It’s very simple and it’s really a matter of common sense. 
Applicants for driver’s licenses are going to need to bring documents to their state Department of Motor Vehicles offices in order to validate or prove five things: &lt;strong&gt;who they are&lt;/strong&gt;, &lt;strong&gt;what their date of birth is&lt;/strong&gt;, &lt;strong&gt;what their legal status is in the United States&lt;/strong&gt;, &lt;strong&gt;their social security number&lt;/strong&gt; and &lt;strong&gt;their address&lt;/strong&gt;. &lt;strong&gt;None of this stuff is top secret stuff." &lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;When he says that the Dept of Homeland Security will not maintain a master database of personal information on any individuals, I guess it's because all personal information is not all that personal anyways! &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Perhaps that was not the intention he had, but it definitely requires re-characterization. 
&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/03/real-id-controversy.html' title='Real ID Controversy'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/3599521118901212961'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/3599521118901212961'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-4573628561571450103</id><published>2007-03-02T00:23:00.000-05:00</published><updated>2007-03-02T00:30:25.394-05:00</updated><title type='text'>Building a case for security</title><content type='html'>&lt;span style="font-size:85%;"&gt;A couple of nights ago, I attended a vendor-sponsored meeting where I heard some attendees talking about their issues in convincing their CFO to spend money on security initiatives. I thought this is a problem that should have a ready response from the security industry. Apparently, not!  So, how do you sell security and ask for a budget?&lt;br /&gt;&lt;br /&gt;The point is: You will never be able to win funding without talking to the CFO in a language that he understands. I believe that connecting the dots between security and risk management is what is key in convincing the CFO to get the money. i.e., lack of security means plenty of risks. And plenty of risks mean exposure that would directly affect the top management. As long as you do not distill your requirements in that fashion, it is not going to work in your favor.  And stop blaming the CFO... 
he just does not understand what you are talking about!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/03/buidling-case-for-security.html' title='Building a case for security'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/4573628561571450103'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/4573628561571450103'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-7190330264945041292</id><published>2007-02-22T00:47:00.000-05:00</published><updated>2007-02-22T00:55:40.148-05:00</updated><title type='text'>TJ Maxx security lapse, PCI, and business value</title><content type='html'>&lt;span style="font-size:85%;"&gt;&lt;a href="http://www.eweek.com/article2/0,1759,2097398,00.asp?kc=EWRSS03129TX1K0000614"&gt;eWeek&lt;/a&gt; has an article on TJX and its disclosures coming in bits and pieces. While the article has interviews from several industry fellows that indicate PCI compliance as the "ultimate" solver of the data theft problem, I honestly believe that many corporates use such "compliance" requirements to their disadvantage by being narrowly focused. All they want to do is get it out of their way so they have a stamp or seal from an "approved" PCI vendor. Proving that you meet 12 requirements in 6 areas is not going to bring value, but leveraging that and going the extra mile is what brings value. Hear again for the n'th time: &lt;span style="font-weight: bold;"&gt;"Compliance is not the end game! 
Leveraging compliance to support your business processes and bringing in shareholder value is"&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/tj-maxx-security-lapse-pci-and-business.html' title='TJ Maxx security lapse, PCI, and business value'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7190330264945041292'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7190330264945041292'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-2391983498423475324</id><published>2007-02-20T17:21:00.000-05:00</published><updated>2007-02-20T17:26:01.530-05:00</updated><title type='text'>Stop &amp; Shop Breach</title><content type='html'>&lt;span style="font-size:85%;"&gt;I am a little unclear on how the breach was executed! An "investigation" by &lt;a href="http://www.stopandshop.com/"&gt;Stop&amp;amp;Shop &lt;/a&gt;says that no insider participated. However, it's a bit strange how this whole thing was carried out. I think it's my first time seeing this happen! Perhaps they broke-in prior to wire the ETFs, and started collecting data over a period of time? Would be interesting to watch the progress on this theft! &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;News available on &lt;a href="http://www.boston.com/business/articles/2007/02/19/stop__shop_reports_credit_data_was_stolen/"&gt;Boston Globe&lt;/a&gt;. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/stop-shop-breach.html' title='Stop &amp; Shop Breach'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/2391983498423475324'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/2391983498423475324'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-4408854761333068706</id><published>2007-02-14T22:27:00.000-05:00</published><updated>2007-02-14T22:33:30.003-05:00</updated><title type='text'>Its about time...</title><content type='html'>&lt;span style="font-size:85%;"&gt;PayPal announced the use of authentication tokens. I think PayPal will probably make money on this deal. Imagine 100 million accounts and $5 tokens sold to them! In any case, I think it's a positive thing. 
I am not sure why all the banks have not done that!&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/its-about-time.html' title='Its about time...'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/4408854761333068706'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/4408854761333068706'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-6442744375403937430</id><published>2007-02-10T12:32:00.000-05:00</published><updated>2007-02-08T22:45:02.481-05:00</updated><title type='text'>RSA on Feb 9 2007</title><content type='html'>&lt;span style="font-size:85%;"&gt;Finally, I am home after a week in San Francisco. I attended one session Friday by Ben Rothke. He took the "Stephen Covey" avatar to discuss the 5 habits of enterprises that treat security seriously. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Overall, the conference proved one thing - security is an issue due to:  a) Lack of understanding of the requirements out there, b) People, and c) Processes. There are a ton of technologies out there that will solve a whole bunch of things, but they are definitely not focusing on the challenges that the customers have. Bleeding edge technology in this industry is good, but not when it does not cater to the customer's real challenges! 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/rsa-on-feb-9-2007.html' title='RSA on Feb 9 2007'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/6442744375403937430'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/6442744375403937430'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-13038673860147199</id><published>2007-02-08T22:41:00.000-05:00</published><updated>2007-02-08T02:10:06.815-05:00</updated><title type='text'>RSA on Feb 8 2007</title><content type='html'>&lt;span style="font-size:85%;"&gt;Today was an alright day at the RSA. A very good presentation on infusing security into SDLC by Jeff Bardin of IBT. If they do have what they presented, I must say that they have a stellar program. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;The highlight of the day for me was the keynote by Tom Kelley of IDEO on how we should be innovative! Our industry does support that, but has never promoted it as much. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;I am in my hotel room blogging instead of attending the "CodeBreaker Bash Party"... Well, I do have a dinner with my good friends. So I am off to my friends in a bit. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;Tomorrow is the last day, and off I go home, back to NYC! 
&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/rsa-on-feb-8-2007.html' title='RSA on Feb 8 2007'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/13038673860147199'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/13038673860147199'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-3445037327208104725</id><published>2007-02-08T01:59:00.000-05:00</published><updated>2007-02-07T01:42:35.958-05:00</updated><title type='text'>RSA on Feb 7 2007</title><content type='html'>&lt;span style="font-size:85%;"&gt;The day started off with a session around metrics. So they talked about Risk Circumvention. Interesting concept, but wonder how often that happens! Even if it happens, why would anyone want to re-brand "Risk Elimination" to "Risk Circumvention"? It almost sounds like you are trying to avoid dealing with risk! &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;The highlight was when Oracle's Larry Ellison did not show up for a keynote due to flu. It was almost sad to watch everyone walk out of the keynote delivered by Larry's VP of IAM. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;In general, I have seen a handful of products around risk management and reporting, but have yet to find something that's specific around defining, monitoring and reporting metrics in a proper manner! 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/rsa-on-feb-7-2007.html' title='RSA on Feb 7 2007'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/3445037327208104725'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/3445037327208104725'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-8680959200415895657</id><published>2007-02-07T01:35:00.000-05:00</published><updated>2007-02-07T01:42:31.549-05:00</updated><title type='text'>RSA on Feb 6 2007</title><content type='html'>&lt;span style="font-size:85%;"&gt;So, here I am again at the RSA Conference. This morning started off with the key notes from Bill Gates, Craig Mundie, Art Coviello, Joe Tucci, John Thomson, etc. The theme was pretty consistent with what the industry is doing in terms of networks, data protection, identity management and consumer confidence. Microsoft made some announcements around their collaboration with Open ID, while EMC announced the buy of an India-based DB encryption startup. The notions around moving from fortress security towards secure coding and passwords to smartcards were high notes. Do you think it's time for certificates/PKI to come back? 
I am sort of tired of hearing "this is the year of PKI" for the n'th time since I started in security/risk management!&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/rsa-on-feb-6-2007.html' title='RSA on Feb 6 2007'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/8680959200415895657'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/8680959200415895657'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-7239861562026487693</id><published>2007-02-02T21:16:00.000-05:00</published><updated>2007-02-02T21:34:48.277-05:00</updated><title type='text'>RSA Security Conference 2007</title><content type='html'>&lt;span style="font-size:85%;"&gt;Yes, after a long time, I am back. Work has been busy and hence was out of the loop. I'm glad I'm still part of the first page on Google search! :-)&lt;br /&gt;&lt;br /&gt;Anyways, I'll be at the RSA Conference Feb 5 through 9. I think I decided not to attend the Colin Powell thing, but definitely around for several other Keynotes and sessions. 
&lt;/span&gt;</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2007/02/rsa-security-conference-2007.html' title='RSA Security Conference 2007'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7239861562026487693'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/7239861562026487693'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-115918747901306052</id><published>2006-09-25T08:31:00.000-04:00</published><updated>2006-09-25T08:31:22.643-04:00</updated><title type='text'>Internet crime to hit homes hard</title><content type='html'>The report by security firm Symantec &lt;a href="http://news.bbc.co.uk/2/hi/technology/5377334.stm"&gt;found &lt;/a&gt;that cyber criminals are targeting home PC owners because they are the easiest to catch out.</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2006/09/internet-crime-to-hit-homes-hard.html' title='Internet crime to hit homes hard'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/115918747901306052'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/115918747901306052'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-115573004973167038</id><published>2006-08-16T08:06:00.000-04:00</published><updated>2006-08-16T08:07:29.773-04:00</updated><title type='text'>Hackers target latest Windows fix</title><content type='html'>&lt;a 
href="http://news.bbc.co.uk/2/hi/technology/4797949.stm"&gt;A worm has been spotted &lt;/a&gt;in the wild that tries to use vulnerabilities to hijack home computers.</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2006/08/hackers-target-latest-windows-fix.html' title='Hackers target latest Windows fix'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/115573004973167038'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/115573004973167038'/><author><name>avant-garde</name></author></entry><entry><id>tag:blogger.com,1999:blog-7357937.post-115512603199176913</id><published>2006-08-09T08:19:00.000-04:00</published><updated>2006-08-09T08:20:32.026-04:00</updated><title type='text'>Hijacked handheld turns data spy</title><content type='html'>A booby-trapped game of noughts and crosses has been &lt;a href="http://news.bbc.co.uk/2/hi/technology/4775367.stm"&gt;used &lt;/a&gt;to show how a Blackberry can be hijacked to steal confidential data.</content><link rel='alternate' type='text/html' href='http://www.pepperthought.com/PepperTech/2006/08/hijacked-handheld-turns-data-spy.html' title='Hijacked handheld turns data spy'/><link rel='replies' type='application/atom+xml' href='http://www.pepperthought.com/peppertech/atom.xml' title='Post Comments'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/115512603199176913'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7357937/posts/default/115512603199176913'/><author><name>avant-garde</name></author></entry></feed>
