2010 is going to be an interesting year with economic concerns impacting the security business. I suspect that businesses will need to regroup and think about their security spend again next year. Companies will probably remain gun-shy and hold budgets close to their vests. This could set up a shootout between increasing security threats and the desire to continue to control costs. Who will win? Your thoughts?
Happy Holidays y'all and here's wishing you a Secure New Year!
Case in point, the SEC announced this week the approval of new rules that will, among other things, require companies to disclose the relationship between their compensation policies and risk management, as well as describe the board of directors’ role in risk oversight.
Understanding what compensation policies have a material impact on an organization’s risk and developing policies for board-level oversight of risk will require guidance from internal and/or external risk experts... good news for any risk experts who appreciate gainful employment. And of course, many additional regulations and SEC rules expected to come together early next year are also likely to continue this trend.
A while back, I blogged on how researchers have developed tools to intercept streaming video from video conferencing systems and IP surveillance cameras. Today I feel so prescient with the Wall Street Journal's article on how Iraqi insurgents are using similar software to intercept the video feed of Predator Drones.
The article has the catchy subtitle "$26 Software Is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected." It discusses how the insurgents are using the software to intercept the Drone's unencrypted video stream, "potentially providing them with information they need to evade or monitor U.S. military operations."
According to the article, the military has been aware that this type of attack was posssible for some time: "The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."
Let's hope that the Pentagon has learned what happens when you ass-u-me things...
Last week, Facebook upgraded its privacy settings. I am sure by now many of you have gone through the new privacy setting wizard. But do you know all the ins and outs of the new settings and how to navigate them?
In general, the new Facebook privacy setting menu is easy to use and straightforward. Some of the new options Facebook provides are positive changes. For instance, you can now hide a wall post to specific individuals (or make them visible to specific individuals). This level of fine-grained control was not available before, which is a welcome change.
However, in the course of migrating to the new privacy settings, Facebook has made several categories of information visible by default to “Everyone.” If you didn’t actively manage your privacy settings through this new migration, some of your information, such as Family and Relationship, Education and Work, and your posts will be left visible to everyone, regardless of what your previous privacy settings were.
Another puzzling thing is that Facebook apparently does not think the ability to control who can see your “Friends list” belongs in privacy settings. Moreover, they’ve made everybody’s Friends list visible to the world by default. To turn that off, you have to go to your profile page and click the little crayon icon next to your friends list to unselect the “Show Friend List to everyone” option. If you have previously hidden your Friend list from public view, they are now free for all to see unless you did the little trick with the crayon icon! Even worse, your Friend list will now show up in search engine results.
Compliance, along with security and privacy, is a big topic when firms consider cloud services. I recently did a Forrester Webinar on the topic of compliance for cloud computing. This blog entry is a recap of the Webinar.
In terms of compliance for cloud services, there are four categories of issues of concern:
Where: Geographically-related issues
How: This is about operational details that affect compliance
Audit: Show me evidence that you can help me achieve compliance
Others: Everything that doesn’t fit into the above categories
For the “where” category, you need to be conscientious of the following aspects:
Implications of local laws and regulations (where the datacenters are operating)
Third-party access: Does the vendor use any “third-party” resources that may affect the locations of relevant data?
We recently helped a client evaluate the business suitability of a SaaS provider. In the course of doing so, we discovered that the SaaS vendor used a third-party backup service to back up their logs. Although the SaaS provider is located entirely in the US, the backup service provider is not. Therefore there is a question of whether my client’s logs will get stored in a datacenter outside the country. This made my client uneasy.
The “How” category is the biggest and most comprehensive, as it includes many operational aspects. For example, along with other aspects, you need to consider:
As the debate continues between what’s best for businesses and consumers as we look for economic recovery, a few of the amendments expected to come to a vote today involve the creation of a new consumer financial protection agency, a Sarbanes Oxley exemption for small firms, and new power for the Government Accountability Office to audit the Federal Reserve.
While this debate is going on, the Organization for Economic Cooperation and Development released a framework last week to guide policymakers in the reform of international financial markets. According to the announcement, “Increasing transparency is key. The complexity and opaqueness of products made risk assessment difficult for firms and investors and hindered market transparency, a major cause of the crisis.”
The framework’s explanation of the financial landscape includes principles for 1) A definition of the financial system, 2) Transparency, and 3) Surveillance and analysis. Responsibilities for the collection and distribution of relevant data are described for government authorities, industry groups, and international organizations. These principles mirror the focus of other potential regulatory changes and will have a substantial impact in the way organizations document and track a wide range of business processes and transactions if they are carried out in legislation.
A couple of network televisions shows have lately caught my eye.Now I’m not a television critic but there were things in these shows that have security implications that warrant some attention.These episodes came just as I had finished some hacking training and provide an opportunity to share some interesting new tools and attack scenarios.
First, Alex Baldwin pimped Cisco’s TelePresence system on 30 Rock.In the episode “The Audition,” Baldwin’s character Jack has bedbugs and is forced to use TelePresence to attend a meeting.There is a very funny bit that takes product placement to a new tongue-in-cheek level:
TelePresence Screen: “Do you like the Cisco equipment?”
Jack:“Of course, it continues to be the gold-standard by which all business technology is judged.Cisco, The Human Network.”
It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”
But if we expect the availability of ISO 31000 to have any sort of revolutionary or game-changing impact in the immediate future, we’re getting way ahead of ourselves.
To Facebook or not to Facebook? Forrester recently received a flurry of inquiries concerning social network access inside enterprises. Many firms are reluctant to deny their employees’ access to social networking sites but at the same time are worried about consequences such as malware threat, data loss, and the loss of productivity.
More specifically, risks associated with social networking come in three flavors:
Malware and phishing: Social networks have become a hot bed for malware and phishing activities. As such, allowing access to sites like Facebook, MySpace, LinkedIn, etc., does carry a certain amount of security risks.
Data loss: Employees post content to social networking sites pose a potential threat of data loss, which has many up in arms about the use of social networks in enterprises.
Damage to corporate image: There is no reliable way to ensure that no one can set up a fake corporate page in LinkedIn or Facebook, and that no one takes your official promotional video and repost it to YouTube after unauthorized edits.