Cybersecurity

CTOs seek help from Congress

Thu, 20 Mar 2008 07:59:59 -0400

A gathering of chief technology officers in Washington, D.C., recently led to a unified front in seeking help from Congress. The request was for improved technology policies and the full funding of critical IT initiatives to the tune of $3.26 billion. "In light of rising global economic competition and mixed signals in the domestic economy, we urge you to support several pending measures to strengthen America's high-tech industry," CTOs from the Business Software Alliance wrote in a March 4 letter to Senate leaders in both parties. The CTOs want funding programs for the Patent and Trademark Office and the Homeland Security Department's National Cyber Security Division. They also want a few other things too: patent reform legislation and information technology security bills.

For more on CTOs and their congressional requests:
- See this GCN article

Data security bill gains traction

Thu, 21 Feb 2008 06:59:59 -0500

Congress is currently grappling with legislation to fight cybercrime and to improve government information security compliance. The measure is likely to have an impact on the private sector, too. The proposal would update the Federal Information Security Management Act, which sets up requirements for securing personal or sensitive data.

The bill includes a broader definition of "personally identifiable information" and strengthens reporting and auditing requirements. It also calls for privacy impact assessments for agency purchases of lists containing potentially sensitive information from commercial data brokers.

The legislation is controversial, and faces some serious opposition. Karen Evans, administrator of eGovernment at the Office of Management and Budget, told a Congressional committee in written testimony that the bill could "seriously impact established agency security and privacy practices while not necessarily achieving the outcomes of improved privacy or security."

Cyber Security Industry Alliance President Tim Bennett said that OMB guidance has been "uneven" and too focused on compliance with memorandum and circulars. A similar bill already passed by the Senate would give federal prosecutors tools to fight identity theft and cybercrime. "The bad guys are moving quicker and getting more sophisticated every day and we don't have time to lose," Bennett said.

For more on this security bill:
- See this GovernmentExecutive article

Federal cybercrimes growing

Thu, 24 Jan 2008 06:59:59 -0500

It's really no surprise that cybercrime has been increasing in the federal government, and it's just as likely that it is growing in the private sector, too. The Veterans Affairs Department, the Transportation Security Administration, the Internal Revenue Service and several other federal agencies have been hit by attacks in the last two years. As a result, the Congressional High Tech Caucus is looking at the issue and will likely try to deal with it by pressing for more funding for agencies.

The federal space is ripe for many kinds of solutions. Some agencies are turning to information security management tools to deal with these kinds of threats. Other agencies are looking at replacing older low-tech solutions with higher level ones. The job of the CIO is never done in either the federal sector or the commercial one. With cybercrime on the rise, it surely is important to find the best ways to protect your system and to make sure your databases are insulated from theft.

For more on cybercrime in the federal sector:
- Check out this Washington Technology article

Are you dealing with identity theft?

Mon, 14 Jan 2008 06:59:58 -0500

Identity theft is a relatively new kind of crime that is almost as sophisticated as the computer that you use every day. If your identity and credit card number are stolen, thieves can start charging merchandise they want like that iPhone, fancy fur coat or trip to the Caribbean. Credit card companies are getting more sophisticated about policing fake charges, though. They may call you to confirm a purchase if they see a suspicious-looking charge.

In 2005, more than 8 million Americans were victims of identity theft. Of that number, nearly two million had accounts opened or other types of fraud committed with stolen information. The rest had their credit cards hijacked and pilfered. That means that every CIO has to be on alert. And it is no easy task.

"Unfortunately, the way things are set up today, there is way too much information available in way too many places," said Adam Levin, chairman of Identity Theft 911 and a former director of New Jersey's Division of Consumer Affairs. If someone fraudulently uses a credit card, the card company ordinarily will reimburse the consumer for any loss. Nevertheless, CIOs working for a company that issues credit cards must be on the alert. This is a trend that is growing, not shrinking, and you better have a plan to deal with it in place, or you could end up with a big headache.

For more on the surge of ID theft:
- See this Washington Post article

Citibank gets tough on ATM scams

Thu, 10 Jan 2008 06:59:59 -0500

Getting cash from an ATM machine just got tougher. In response to a series of ATM robberies and at least one case of a false reader mounted at a site, Citibank is limiting withdrawals to about $500 a day, a drop from the previous $2,000 a day allowed. There are a number of reasons for this change, including cases of thieves "skimming" or copying someone's ATM card and PIN. In at least one case, a false reader was mounted at a Citibank site in front of a real ATM machine. Later, the culprits retrieved the false panel and read the data. Customers whose accounts have been tampered with have since been reimbursed. This latest cyber security crime definitely raises the warning signals for anyone using a computer. Technology is great, but identity must be protected at all costs.

For more on ATM headaches:
- See this CNETnews.com article

Record year for email spam

Thu, 10 Jan 2008 06:59:58 -0500

Not that any CIO wants to hear this, but spammers ran rampant in 2007. And if you never saw any spam on your system, you had a great spam filter or you were very lucky. In 2007, spam accounted for a large percentage of email traffic, according to SpamStopsHere, a provider of e-mail security and spam filtering solutions. Phishing attacks rose dramatically, too. And spam got more sophisticated. In addition to just blanketing the Internet, spam culprits attached their worms in devious ways to MP3, Zip, Excel, Word and PDF files. There's a lot of surveillance that must take place to prevent this kind of infection.

One spam attack involved the Storm Worm, which claimed to have information about storms. The spam was so effective that experts say the number of PCs infected by Storm Worm could reach 10 million. So what's a CIO to do? Well there is the usual stuff. Train your employees to be wary of strange email, get a strong spam filter and just hope that 2008 will be the year that spam is finally contained and conquered.

For more on growing spam attacks:
- See this press release

FTC targets spam

Mon, 07 Jan 2008 06:59:59 -0500

The Federal Trade Commission is taking a hard look at the next generation of spam and what companies can do to fight the impact of malicious emails and phishing. In a new report called "The Next Generation of Threats and Solutions," the FTC said that Internet service providers' spam filters are essential to reducing the amount of spam that gets into a user's inbox.

The FTC is looking at spam and other malware as a consumer problem. It is fielding an increasing number of Internet, telemarketing, identity theft and other fraud-related complaints. While the problem is growing, panelists at a recent summit said there are an increasing number of software solutions that can be employed to stop spam in its tracks. These include email authentication and email reputation services. And panelists at the summit also underscored the importance of educating both consumers and businesses to detect and hunt down spam attacks.

While the FTC can do little to shut down all these malicious attacks, summit panelists said the actions of these spammers are inherently criminal, and criminal law enforcement agencies, across the board, should be shutting them down. The FTC's Consumer Sentinel, a secure, online database, is available to more than 1,600 civil and criminal law enforcement agencies in the United States and abroad. While the problem has not yet been solved, there are ways to fight a problem that is growing, not shrinking, in cyberspace.

To read more about the FTC's efforts to fight spam:
- See this agency report

USA Today: Personal data theft triples

Thu, 13 Dec 2007 06:59:59 -0500

The theft of personal data has tripled, according to a new piece by USA Today. More than 162 million records were reported stolen or lost in 2007, triple the 49.7 million that went missing in 2006. And to make the loss even more painful, there have only been prosecutions in 19 cases. So what is a CIO to do? Work harder. Find more secure ways of protecting your data and test new tools that provide impenetrable firewalls for hackers.

As they "cram more and more data into a single place," companies and agencies present thieves with more opportunities for a big score, says Benjamin Jun, vice president of technology at Cryptography Research. Attrition.org keeps track of incidents, mostly in the United States. Many are made public as a result of new data-loss-disclosure laws. Of more than 300 cases tracked in 2007, 261 were reported in the USA, 16 in Great Britain, 15 in Canada, six in Japan, two in Australia, and one each in Denmark, Ireland, Sweden and Norway. Sometimes, but not always, employees are responsible for these data thefts with their own thoughtlessness. Nearly two-thirds of those surveyed by security firm RSA, said they email work home to continue the job at night. And 35 percent said they felt compelled to bend company security rules to get the job done. While the CIO's may not see their role as a security guard, in a way they are. And the sooner they realize they have an added responsibility to protect what they have in-house, the more successful they will be.

For more on the growth of data theft:
- See this USA Today Article

Follow the government's lead on security

Mon, 10 Dec 2007 06:59:58 -0500

Sometimes the government has to get it right. And one way for a company to get it right is to follow government regulations on security. A new report finds that a company's ability to protect sensitive data is helped by keeping an eye on how the government adds an extra layer of security protection. The report by the IT Policy Compliance Group, a Cleveland-based research firm, finds that companies that follow the regulations for compliance also do better on protecting their own security. "The results were definitely surprising," said Jim Hurley, the research firm's managing editor. "Until last year there was nothing in the quarterly data we collected to suggest such a relationship existed."

But an analysis of two years worth of data found a strong relationship between compliance success and data protection. The study was based on data collected from 2,000 companies and on publicly reported data losses and thefts. It found that companies with two or fewer compliance deficiencies annually are likely to have two or fewer data losses or thefts in the same time period. At the same time, companies that have 10 or more deficiencies in a year are likely to find themselves experiencing a data loss more than a dozen times during the year. It may be tough to follow the lead of someone else, but the outcome provides a good reason to do it.

For tips on reaching security nirvana:
- Take a look at this CIOInsight Article

Cybercrime on the rise

Mon, 03 Dec 2007 07:00:00 -0500

The FBI recently announced the arrest and prosecution of several cybercrime cases against individuals accused of defrauding banks, companies and consumers. It is part of an FBI probe called "Operation Bot Roast." And it is just the beginning of a crackdown into the compromise of two million PCs attacked by at least 10 individuals.

It's pretty scary when you look at the kind of cases being prosecuted. A 21-year-old student at the University of Pennsylvania was recently indicted for orchestrating attacks from a botnet of 50,000 PCs against various online chat networks. The scheme had a very far reach--the student was charged with working with an individual from New Zealand. Meanwhile, a 27-year-old Tacoma, Wash., resident pleaded guilty in September to maintaining a botnet of hundreds of thousands of compromised PCs. He rented them out to spammers and people who wanted to use the bot network to take websites offline.

There are plenty of others, too. This may sound a bit like Bonnie and Clyde or the Wild West, but the reality is these are now new types of crimes that did not exist a decade ago. It's important for every CIO to remember that your network is not just your own. You probably keep your door locked at night and park your car in a safe location. With these new kind of cybercrimes, it's important to remember that law enforcement may not know what is coming next until a successful attack has been launched. Will you be the next victim?

ALSO: For a look at what's coming down the road for CIOs, check out this week's special report on eDiscovery, a legal issue that involves preserving and keeping track of electronic documents, including email, in the event of a court order to turn the material over in a lawsuit.-Judi