Twitter Settles With FTC For Privacy Breach

Organizations continue to face risk from security breaches. Normally, when we talk about the risk of a security breach, we mean fines and other costs tied to the loss of PII under California Senate Bill 1386 and similar laws in 45-or-so other states.

What’s interesting about Twitter's settlement today with the FTC is that it had to do with a breach of information that is not protected under these kinds of laws. This isn’t the kind of data breach that the FTC normally delves into. My sense is that the oversight must have appeared to the FTC to be so lax as to be in violation of Twitter’s privacy policy – that is the kind of thing that it would and does pursue. Of course, having someone crack into Barack Obama’s account on your service is certainly going to raise the profile of the incident. (So why isn’t the FTC looking into the breach of Sarah Palin’s Yahoo! Mail account? Where’s the right-wing/tea-party outrage? ;-) )

The FTC specifically identified these practices (among others) that constituted insufficient care:


Enterprise Risk Management For IT Security

A few weeks ago, Stephanie Balaouras and I posted a podcast on a topic that has been a high priority for many of our customers — how to apply risk management techniques to IT security. We know that many of you are feeling the pressure to take the lead in IT risk management and in some cases even play a role in initiating risk management at the corporate level.

The key to success is understanding the core elements of risk management and how to plug them into existing processes without simply creating another layer of overhead. A major theme of my recent research has been existing risk management standards and how they are being applied to IT security and risk functions. For example, the ISO 31000 risk management standard outlines a five-step process for formalized risk management. My January report, Introducing ERM To IT Security And Risk, provides a summary of the standard, and I will be expanding upon the next steps in my upcoming research documents. In addition, look out for my next doc on Regulatory Intelligence, to be published in the next few months.

In the meantime, I encourage you to listen to this podcast to hear about best practices and lessons learned from clients who have gone through these steps. And as always, I welcome any questions or feedback.

Hacking The Building Information Management And Vehicle Communication Systems

In the past week or so, I have seen many interesting articles about vulnerabilities in control systems. Just last week I came across one about security issues in the Cisco Network Building Mediator, a product from Cisco’s acquisition of Richards-Zeta. There was another interesting piece about exploiting vulnerabilities in the modern automobile networks.

Cisco issued a warning that its Network Building Mediator products have multiple vulnerabilities. It’s expected that other products from Richards-Zeta may have security flaws as well. According to the Dark Reading article:

“Cisco warned users of its Network Building Mediator products to patch the vulnerabilities, which could allow access to obtain administrative passwords and read system configuration files, making it possible for hackers to take control of a building's most critical control systems.”
