The biggest scare at this years IANS event was not news about botnet attacks from Belarus or data leaks, but the increased scrutiny by Human Resource Departments of prospective candidates to include social media. So, do not be surprised when you are asked during an interview to provide information about your blogs or websites, or to logon and provide Human Resources access to your Facebook account.

Any person having graduated from high school or college during the past 10 years has a high probability of being included some form of electronic media, knowingly or not. A simple indiscretion at a party or on Spring Break can result in being the primary reason to be excluded for consideration for that choice position. You never know who has a YouTube camera.

But the scrutiny does not stop there. It is not longer sufficient to have stellar references, clean credit history and be drug free. Where is the separation between what is considered a personal and professional life? Any person can have belong to an association, group, volunteer for a charity, etc. that may not be considered as appropriate.

Do these preclude a person from satisfactorily executing the roles and responsibilities as required?

Not so long ago, the analogy to be a Boy Scout meant you walked in a different light, but now even that could be a problem.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: botnet, facebook, hr, human resources, IANS, Privacy, YouTube

Feed enhanced by Better Feed from Ozh

There is an interesting article in the February 18, 2010 Wall Street Journal by Siobhan Gorman, with the title “Hackers Attack 2,411 Firms: Global Offensive Snagged Corporate, Personal Data; Operation Is Still Running.” It describes how staff of the security services firm, NetWitness, discovered a broad and intensive hack into numerous government and private entities. The discovery took place on January 26, 2010, during a routine installation of the company’s technology at a major corporation. Amit Yoran, who is a former national cyber security “czar”, founded NetWitness.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: CSI, data breach, data breaches, FBI, insider threat, NetWitness, spotlight, VerizonBusiness Data Breaches report, Wall Street Journal

Feed enhanced by Better Feed from Ozh

It appears that the official Google position, as expressed by CEO Eric Schmidt, in a December 3, 2009 interview by Maria (NOT Mario, as The Huffington Post stated) Bartiromo on CNBC, is that if you didn’t want the data to be compromised, you “… maybe you shouldn’t be doing it.” Actually, if you think about it, The Huffington Post’s misstatement, at www.huffingtonpost.com/2009/12//07/google-ceo-on-privacy-if_n_383105.html  is a perfect example of how one’s profile might be corrupted forever due to some inadvertent typographical error. Think of all the rumors about sex-change surgery and the like, which this change in first name might generate. When I searched on “Mario Bartiromo,” I got 5,950 hits, which included posts such as “Mario Bartiromo isn’t even the hottests [sic] woman at CNBC.” The Web is clearly rife with errors of omission and commission regarding personal information, as well as all other categories of information.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: Buzz, Gmail, Google, ISSA, personal information, Privacy, spotlight, The Huffington Post

Feed enhanced by Better Feed from Ozh

Daniel Lyons will publish an op-ed on the insecurity of cloud computing in Newsweek‘s February 1st, 2010 issue. The  main thrust of the article can be summarized as such:

But there is one big, glaring problem with cloud computing, and it just got laid bare in Google’s recent problems with China: your stuff isn’t safe. Google insists that cloud computing is perfectly secure. But of course Google says that—it’s trying to build a business out of it.

But if Google is so secure, how come Chinese hackers broke into its corporate servers and stole its intellectual property? Google won’t say exactly what information got filched, but if the company can’t protect its own intellectual property, how can it protect yours?

Lyons then quotes Nicholas Carr for the opposing opinion:

Carr argues that while Google and other cloud providers can’t guarantee perfect security, they probably do a better job of fending off hackers than most companies can do on their own. On the other hand, Carr says, pooling millions of companies into a single big provider creates bigger individual targets. A hacker who cracks into a cloud can get at everybody’s stuff.

Professionally speaking, I need to agree with Carr on this one. Publicly traded companies such as Google in the US must comply with various of regulations, most notably Sarbanes-Oxley. They are bound to compliance measures that help increase the security in their publicly traded organization. And, Carr is also correct to point out that cloud computing companies/domains are a larger target with a greater impact if the institution is breached.

There are two points that are not touched on by the Op-Ed.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: cloud computing, daniel lyons, exploits, Google, newsweek, nicholas carr, spotlight, vulnerability

Feed enhanced by Better Feed from Ozh

The category of a particular data item may have been carefully arrived at and cast in concrete, as it were. But data do not live in unchanging isolation, nor are they always used for the same purpose or in the same manner.

© BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: compliance, data classification, data handling. data destruction, data life cycle, Encryption, information classification, spotlight

Feed enhanced by Better Feed from Ozh

How many times have you heard the following?

“First classify the data into internal, confidential, secret, etc. This determines how the data should be handled. Then assign a data owner who must approve who has access to the data and what they can do with them. Oh, and by the way, the data owner assumes the risk related to inappropriate disclosure and use of his or her data.”

Well, there is only one thing wrong with the above – everything! In the next three columns we will discuss the many fallacies contained in these common assertions.

© BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: classified, confidential, consumer, customer, data classification, harm, internal, non-public personal information, non-sensitive, NPPI, PII, proprietary, public, reputational risk, sensitive, spotlight

Feed enhanced by Better Feed from Ozh

While in India this week, Bill Gates made the following comment:

He admitted that he once had a Facebook page, but every day “ten thousand people tried to be my friend.” He said he spent too much time trying to decide “Do I know them? Don’t I know them?” Ultimately, he said, “I had to give it up.”

Would it be incorrect to assume that Bill Gates is technology savvy? Gates could have easily avoided being so public by restricting his profile. He could have even set up a Fan page for all those that wanted to be his friend. (Although I think when he closed his account it was before Fan pages existed.) If we believe that Gates is competent — which I believe he is — what does that say about the ability of “normal” people to set the privacy controls on applications?

Most people do not take the time to restrict their Facebook profiles and allow anyone who becomes their friend to see all of the information contained in the page. As I’ve written before, this can lead to strange and unusual circumstances. The amount of time and effort most people need to set up the proper controls is too much for them.

© BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: application security, bill gates, facebook, gates, microsoft, Privacy, spotlight, templates, web applications

Feed enhanced by Better Feed from Ozh

Perhaps the most famous, or infamous, photograph of Albert Einstein is the one showing him irreverently sticking out his tongue in response to a photographer’s request that he smile. Incidentally one of the few original prints of the photograph sold at auction on June 19, 2009 for the princely sum of $74,324. In any event, that image came to mind when I read an article, with the title “Troubles Plague Cyberspy Defense,” by Siobhan Gorman. The article appeared on the front page of the July 3-5, 2009 issue of the Wall Street Journal.

© BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: Einstein, identity theft, personal information, Privacy, Siobhan Gorman, spotlight

Feed enhanced by Better Feed from Ozh

As infosec professionals continue to struggle mightily trying keep up with the security and privacy vulnerabilities introduced by new technologies and IT environments, such as Web 2.0, Web 3.0 and Cloud Computing, there is a new game in town … singularity. As I will describe, singularity represents a quantum leap ahead in technology.

© BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: artificial intelligence, botnets, Google, grid computing, NASA, Privacy, Singularity Univesity, spotlight

Feed enhanced by Better Feed from Ozh

Here we go again. We see yet another case of lack of privacy protection and its devastating consequences.

In the “Link By Link” segment of the February 16, 2009 issue of the New York Times, Noam Cohen writes a column with the title “As Data Collecting Grows, Privacy Erodes.” Again we see that a top public hero is diminished by the unauthorized retention of personal data – in this case, it was Alex Rodriguez’s information about his using steroids.

© BlogInfoSec.com, 2009. | Permalink | One comment | Add to del.icio.us
Post tags: data mining, Privacy, spotlight

Feed enhanced by Better Feed from Ozh