Tag Archives: iso

ISO 31000 Risk management

By now, many of you have read the newly released ISO 31000 Risk management — Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

via The Forrester Blog For Security & Risk Professionals.

Unknown hackers steal details on U.S. Joint Strike Fighter project: Scientific American Blog

An unknown cyber criminal (or group of them) has broken into computer systems housing information about the U.S. Defense Department’s $300 billion Joint Strike Fighter project, the Wall Street Journal reports today, citing a number of “current and former government officials familiar with the attacks.”

It’s unclear how much damage the attacks have caused to the jet-fighter project. According to the Journal, the intruders were able to download “sizable amounts of data” related to the in-flight maintenance diagnostics of the aircraft (also called the F-35 Lightning II) but weren’t able to access the most sensitive information, related to flight controls and sensors, which is stored on computers not hooked up to the Internet. The Air Force is currently testing prototypes of the aircraft, said to be the most expensive ever commissioned by the Pentagon.

The attackers allegedly accessed the Joint Strike Fighter information by exploiting vulnerabilities in the networks of two or three contractors helping to build the high-tech fighter jet, the Journal reports, citing “people who have been briefed on the matter.” Although none of the contractors have commented publicly on the computer compromise, Lockheed Martin is the lead contractor on the program, while Northrop Grumman Corp. and BAE Systems PLC are also playing important roles in its development. “Computer systems involved with the program appear to have been infiltrated at least as far back as 2007,” according to the Journal, which cites unnamed sources who state that the intruders appear to have been interested in data about the design of the plane, its performance statistics and its electronic systems. The guilty party loaded software onto the Pentagon’s computers that encrypted the data as it was being stolen, which means investigators don’t know exactly what data has been taken.

This latest alleged cyber intrusion comes less than two weeks after the Journal reported that spies from China, Russia and other countries have hacked into the U.S. electricity grid and installed software that could cause mass outages, a story that has been criticized by some computer experts as hype perpetuated by government officials looking for more funding.

It’s unlikely that U.S. investigators will be able to ascertain the identities of those behind the attack, unless they can get the cooperation of China and any other countries that might be involved, says Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Of course, it’s also possible that computers in China were hacked into in order to make it look like China is to blame, she adds.

State-sponsored spies aren’t the only ones who’ve successfully hacked into U.S. government computers, though. Scottish computer hacker Gary McKinnon, 42, has for years been fighting extradition to the U.S. for allegedly breaking, in 2001 and 2002, into networks owned by NASA, the US Army, Navy, Department of Defense, and the Air Force, causing about $800,000 in damage and ruining 300 computers. McKinnon, who suffers from Asperger’s Syndrome and could face life in prison in the U.S. if convicted, says that he hacked into U.S. government systems that had no password or firewall protection to search for information on “UFOs, free energy and anti-gravity technology,” Sky News reports.

There’s no silver bullet for protecting sensitive information, Denning says. Encrypting data might help, she adds, but an “adversary may be able to fool the system into decrypting the data or plant malicious code on the system that captures keys.”

Government computer security is a big problem, but some agencies do better than others, according to Denning, who points to the annual FISMA report (mandated by the Federal Information Security Management Act of 2002). The 2007 report gave five federal agencies (the Social Security Administration, Justice Department, Environmental Protection Agency, Agency for International Development, and National Science Foundation) an “A+” for their security efforts, but the average score was a “C” (and the Defense Department received a “D-”).

Image of an F-35 Lightning II Joint Strike Fighter taking off from a Lockheed Martin facility in Fort Worth, Texas, © U.S. Air Force

via Unknown hackers steal details on U.S. Joint Strike Fighter project: Scientific American Blog.

Visa leads effort at PCI conference to minimise payment information vulnerability

Visa opens PCI Dubai Conference

Dubai, UAE 14 April 2009: Visa International, the leading payment solutions provider, has participated in PCI Dubai, the leading payment industry conference and addressed stakeholders from across the GCC payment industry on various issues surrounding data security and payment card fraud. Participants also shared best practices, emerging technologies, and discussed ongoing industry challenges during the daylong event.

Kamran Siddiqi, MENA General Manager, Visa, delivered the keynote speech at the conference which promotes the widespread adoption of the Payment Card Industry Data Security Standard PCI DSS. In his speech, Mr Siddiqi focused on data protection and fraud prevention through common data security policies and practices.

“Visa has been at the forefront of the issue of data security and payment card fraud, initiating its Account Information Security AIS programme in 2000. The programme, which originally concentrated on the importance of data storage, was the precursor and foundation for the PCI DSS,” said Kamran Siddiqi, General Manager, Visa Inc.

In addition to the conference, sessions, educational seminars, and interactive workshops provided exchanges between participants allowing for a greater understanding of the issues around payment card data vulnerability and the benefits of the PCI DSS.

“Gartner, the information technology research and advisory firm, estimates that 20 – 30 % of Global 1000 companies suffer exposure resulting from privacy mismanagement. The costs to recover from these security mistakes often range from $5 – 20 million for each organisation. Whether data loss is occurring accidentally by businesses or illegally through theft by individuals, the loss of data and the resulting fraud are largely preventable,” concluded Siddiqi.

via Visa leads effort at PCI conference to minimise payment information vulnerability.

Fighting Fraud with the Red Flags Rule

Are you complying with the Red Flags Rule?

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their day-to-day operations. Are you covered by the Red Flags Rule? Read Fighting Fraud with the Red Flags Rule: A How-To Guide for Business to:

* Find out if the rule applies to your business or organization;

* Get practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts; and

* Learn how to put in place your written Identity Theft Prevention Program.

By identifying red flags in advance, you’ll be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft. Take advantage of other resources on this site to educate your employees and colleagues about complying with the Red Flags Rule.

via Fighting Fraud with the Red Flags Rule.

PCI Council gives helping hand to merchants

Prioritized Approach framework to help attain PCI DSS compliance

Ian Williams, vnunet.com 04 Mar 2009

The Payment Card Industry Security Standards Council (PCI SSC) has released a new resource designed to help merchants struggling to attain compliance with the PCI Data Security Standard.

The global payment industry body launched the Prioritized Approach framework to help merchants that are not yet fully compliant. It will identify highest risk targets, create a common language around PCI DSS implementation efforts, and demonstrate progress on the compliance process to key stakeholders.

The framework is made up of six ‘security milestones’ aimed at laying out a series of best practices for protecting against the highest risk factors and escalating threats facing cardholder data security. The milestones are as follows:

1. If you don’t need it, don’t store it

2. Secure the perimeter

3. Secure applications

4. Monitor and control access to your systems

5. Protect stored cardholder data

6. Finalise remaining compliance efforts, and ensure all controls are in place

“Securing cardholder data is the ultimate priority, and following the PCI DSS is the best way to achieve this,” said Bob Russo, general manager of the PCI Security Standards Council.

“The Prioritized Approach framework will help stakeholders understand where they can act to reduce risk earlier in their journey towards PCI DSS compliance.

“The launch of these new guidance and interactive documents is another step by the Council to increase understanding of and education around PCI DSS among merchants, providing them with insight into how they can protect cardholder data faster and demonstrate progress and compliance with the PCI DSS.”

According to the PCI SSC, the framework was based on actual data compromises, as well as feedback from assessors and forensic investigators, and input from the PCI SSC Board of Advisors.

The Prioritized Approach framework is available on the Council’s web site. It includes a reference document and downloadable worksheet that allows merchants to sort specific PCI DSS requirements by the individual milestones.

Permalink: http://www.vnunet.com/2237756

via PCI Council gives helping hand to merchants.

Identity Theft – PCI Chiefs Defend Standards, Plans – eWeek Security Watch

It’s a gross oversimplification of an utterly staggering technical and social challenge, and he knows it as well as anyone, but it’s hard to argue with PCI Security Standards Council General Manager Bob Russo’s assertion that when it comes to improving electronic data security and related matters of individual privacy, “something is much better than nothing.”

Since the massive, potentially record-breaking security breach at Heartland Data Systems in late January, the Payment Card Industry Security Standards Council and its DSS Data Security Standard have been put under a microscope and criticized for foisting on companies an impractical IT security mandate that detractors say does not actually meet its goal of making it harder for companies that handle credit and debit card data to be fleeced similarly to Heartland.

Some highly respected security researchers and practitioners have come out since the Heartland robbery and questioned the viability of the entire DSS effort, perceived as being out of touch with real-world IT environments and insufficient to help organizations avoid exploitation. A handful have gone as far as saying it actually makes the process even harder.

And after all, here’s a Tier 1 company that’s likely had to push to abide by the technological and process-oriented stipulations required under the PCI Standard as much and as long as any other, and it just got positively hammered.

However, visiting Boston on a media tour organized to share some new elements of the PCI Council’s larger plans the week of Feb. 23, Russo and new PCI Security Standards Council Chairman Lib de Veyra — an executive at and appointee of JCB International Credit Card — made a lot of credible points. Mostly, because they firmly recognized the reality that no standard is perfect and that DSS as it exists is only a first step in a long evolutionary process.

Not to be misinterpreted, the PCI Council is satisfied with what it’s put in place thus far, given the challenge at hand, Russo and de Veyra said.

The parts of DSS that need to be tweaked to address the vast diversity of infrastructure and applications employed by all the retailers, merchants and processors, as well as all the techniques utilized by attackers, will be addressed by taking feedback directly from the very companies that must comply with the standard, the PCI Council representatives said. And truthfully that has been at the very least a consistent message of the organization all along.

A number of powerful banking, retail, technology and government players are also involved in the PCI Advisory Board.

And the Heartland incident, as well as those reported at other companies that have been at some time certified as PCI compliant, including TJX Companies and Hannaford Brothers, in no way proves that the standard is clearly lacking in some specific area, they said.

The PCI leaders said in addition to having not yet shared specific details with the Council of exactly how they were individually victimized by fraudsters, the fact that these companies were at one time judged to be in conformity with DSS in no way guarantees that they were at the time they were attacked.

“Just because a company gets a clean bill of health today doesn’t mean they can’t be infected tomorrow,” de Veyra said. “Organizations are making configuration changes and broadening adoption of technologies like wireless all the time; the guidelines in DSS are something that you have to continue to monitor and maintain all the time.”

And many of the Council’s initiatives, including plans to launch two new standards aimed at improving embedded security features, or “host security modules,” built into card data transaction processing hardware, and regulations for UPTs (unattended payment terminals) such as gas pumps and ticketing kiosks, will help push the entire industrywide process forward, they said.

The PCI Security Standards Council will also continue to push DSS overseas, in Europe and APAC specifically, where the guideline has faced some resistance from card handlers. But the effort launched by the world’s largest card companies — American Express, Discover, JCB, MasterCard and VISA — remains undaunted in its pursuit, PCI’s chief spokespeople said.

“Addressing the criticism comes down to communication; once we have enough information from companies like Heartland to truly examine what happened, we can understand how it relates to DSS,” de Veyra said. “And working with all the companies on our Advisory Board, meeting with them and incorporating their feedback over time, will be the most important aspect of maturing the standards.”

Another new element of DSS will be a technological tool, a sort of stripped-down PCI diagnostic application provided by the Council to offer organizations still getting started with the standard a more “prioritized approach to DSS.”

The Prioritized Approach tool will help companies track their ability to meet basic milestones of achieving compliance with DSS, the representatives said. The first three steps — preventing the improper storage of electronic data, securing the network perimeter and securing applications — have clearly proven hard to accomplish for many organizations, and some might argue most or even all.

But most importantly, the idea is to promote gradual coalescence of a world where every company affected by the PCI mandate has at least greatly augmented and formalized its approach to, if not its execution of, securing electronic data, the leaders said.

“No standard is ever going to completely stop what we’re seeing right now with cyber-crime, but the reaction we’ve seen to PCI after some of these incidents like Heartland has been absolutely unfair, because we don’t even know if they were compliant,” Russo said.

In terms of whether incidents like the breaches at Heartland, TJX and Hannaford Brothers have damaged public perceptions of DSS, the industry veteran said, as in any case, there is no shortage of opinions.

“You can sit there and look at it from one side and say, you have this standard but these incidents have still happened, and that proves something isn’t working,” Russo said. “But what you don’t know at the same time is, If we didn’t have DSS as it stands in place, how many more of these incidents might we have had?”

I’m sure that there are valid criticisms of various aspects of PCI — some very smart people have spent time voicing their questions already.

But, I’m curious to know whether they’d agree at the end of the day that something is better than nothing.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

via Identity Theft – PCI Chiefs Defend Standards, Plans – eWeek Security Watch.

NIST releases draft guidelines for FISMA compliance

The National Institute of Standards and Technology (NIST) on Thursday released new guidelines to help federal agencies comply with the Federal Information Security Management Act (FISMA).

The document, titled “Recommended Security Controls for Federal Information Systems and Organizations,” is in its third revision, but this is the first major update since its initial publication in December 2005. NIST is accepting comments on the document until March 27, Ron Ross, the organization’s FISMA implementation project leader, told SCMagazineUS.com Friday.

“During the past three years we have learned a lot from our federal agencies implementing these controls,” Ross said. “[The revisions are] based on new threats we are seeing and the type of cyberattacks that are ongoing within our federal agencies.”

Ross said federal government, private sector and companies abroad are encouraged to review and comment. NIST likely will put out a final draft before the document is finalized for release around April.

“We like to make sure our customers are part of the process because they have to implement this stuff — so we want to get their perspective with everything we do,” Ross said.

Changes to the document include:

* A restructuring of the security control catalog to include guidance requirements that were previously supplemental;

* Adjusted security control/control enhancement allocations in the low-, moderate- and high-impact baselines;

* Added security control enhancements for advanced cyberthreats, including supply chain threats; and

* Elimination of redundant security controls/control enhancements.

“The biggest improvement is the addition of the new controls and control enhancements with regard to the new threats we are seeing,” Ross said.

Security program management controls were added relating to capital planning, budgeting, enterprise architecture and risk management. Additional guidance was added for the management of common controls.

A revised and simplified six-step risk management framework also was incorporated, in addition to a three-part strategy for harmonizing the FISMA security standards and guidelines with international security standards.

This will help align the federal law with standards that are generally accepted by corporations, Christopher Fountain, president and CEO of SecureInfo, provider of information assurance solutions for the federal government, told SCMagazineUS.com Friday in an email.

“It begins to incorporate [ISO 27001] that is generally accepted in the private sector,” he said. “Since the private sector controls over 90 percent of the nation’s critical infrastructure, which depends heavily on complex networks and systems, having common standards to secure all networks and systems across the public and private sectors is much needed.”

via NIST releases draft guidelines for FISMA compliance – SC Magazine US.

Nosy nurse runs afoul of HIPAA regulations – Cortlandt Forum

Breaching the privacy of a patient’s records could send her to jail and jeopardize the entire clinic.

What began as “harmless” poking through medical records ended in an arrest and possible jail time for a licensed practical nurse who shared a patient’s medical information. She put her physician-employer in jeopardy too.

Ms. A, 29, had worked at a midsize regional clinic for five years. While she enjoyed her job and got on well with Dr. P, her supervisor, she was known to bemoan what she saw as low pay and to mention that she and her husband were suffering some financial strain. That strain intensified when her husband was in an auto accident and then sued by the people in the other car seeking compensation for their injuries. 

One day, as Ms. A was flipping through charts to straighten up the files, she came across a chart bearing the name of the plaintiff in her husband’s lawsuit. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file.

That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she’d taken earlier. “I think these will help,” she said.

The following day, Mr. A phoned the man who was suing him. During the conversation, Mr. A made it known that he had medical information which he believed weakened the man’s case. Mr. A suggested that the man consider dropping the lawsuit.

After getting off the phone with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney. 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed the staff that no breach of these laws would be tolerated under any circumstances.

Meanwhile, Ms. A’s problems were just beginning. The district attorney forwarded the patient’s complaint to a federal prosecutor, and within a month both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. 

The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. After a great deal of soul-searching, Ms. A pleaded guilty to one count of wrongful disclosure. In exchange, the charges against her husband were dismissed. 

Ms. A is currently awaiting sentencing. She faces up to 10 years in prison, a fine as high as $250,000, and as many as three years of supervised probation. Meanwhile, the state nursing board is seeking to revoke her license.

Legal background

Since HIPAA went into effect in 2003, more than 34,000 complaints of privacy violations have been filed. Most of these complaints (approximately 80%) have been resolved. 

About 400 of the unresolved cases have been referred to the federal Department of Justice, but only a handful have been prosecuted. This is likely to change, however, as violations are taken more seriously and the government gears up for these types of cases. 

While some HIPAA violations are inadvertent—a stolen laptop with patient records on it, for example, or a computer glitch that reveals information on the Internet—Ms. A’s violation struck at the heart of what HIPAA is supposed to prevent. She accessed patient records, gathered information, and then provided that information to someone else, knowing full well that it would be used against the patient’s interest. Her prosecution was meant to set an example and warn HIPAA-covered entities that the regulation is serious and must be upheld.

Protecting yourself

Ms. A’s actions could have put the clinic itself in danger of prosecution, but management handled the situation in the best way possible:

* Dr. P fired her on the spot after the patient notified him of the breach.

* Then, without delay, he called a meeting to educate staff members—both clinical and clerical—about HIPAA, its purpose, the importance of patient privacy, and what can happen in the event of a violation.

As an employer, it is essential that you not wait for an incident. The best way to protect yourself is to ensure that your employees understand HIPAA regulations.

* Educate your employees upon hire and periodically thereafter.

* Keep written records detailing clinic policy and include them in all employee manuals or handbooks.

Ms. Latner, a former criminal defense attorney, is a freelance medical writer in Port Washington, N.Y.

Nosy nurse runs afoul of HIPAA regulations – Print Article – Cortlandt Forum.

Palo Alto Networks Hosting Webinar with Forrester on PCI Audit Process

Jan 29, 2009 (Close-Up Media via COMTEX) —

Palo Alto Networks will host a webinar with Forrester Research Security and Risk Management Analyst, John Kindervag on Tuesday, February 10 at 10 a.m. PST, 1 p.m. EST.

PCI audits are often daunting, both in scope of effort and associated costs, and this informative webinar will review how to simplify the process through network segmentation and user-based security policies.

The October 2008 update of the PCI DSS documentation states that companies can reduce the cost and complexity of PCI compliance by using network segmentation to isolate the cardholder data in a secure segment. Without adequate network segmentation – sometimes called a “flat network” – the entire network is in scope of the PCI DSS assessment. This webinar will offer insight into the issues, challenges and strategies required to meet PCI compliance.
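To make the scoping point concrete, here is an added example (not from the webinar, Palo Alto Networks or the PCI SSC) that estimates which systems fall into PCI DSS scope from a host inventory and a first-match firewall rule set. The inventory, addresses and rules are constructed sample data, and the scope model (CDE systems plus any system with a permitted path to or from the CDE) is a deliberate simplification of the Council’s scoping guidance.

```python
import ipaddress

# Constructed sample inventory (name -> address); not from the original article.
HOSTS = {
    "pos-01":        "10.10.1.10",  # point-of-sale terminal (CDE)
    "payment-db":    "10.10.1.20",  # stores cardholder data (CDE)
    "jump-host":     "10.30.1.2",   # admin bastion permitted into the CDE
    "hr-fileserver": "10.20.1.5",   # no business need to touch card data
    "marketing-ws":  "10.20.2.7",   # no business need to touch card data
}
# Systems that store, process or transmit cardholder data.
CDE = {"pos-01", "payment-db"}


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def allowed(rules, default: str, src: str, dst: str) -> bool:
    """First-match evaluation of (src_cidr, dst_cidr, action) rules.

    'action' and 'default' are "allow" or "deny". If no rule matches the
    default policy decides, exactly as an ACL with an implicit final rule.
    """
    for src_cidr, dst_cidr, action in rules:
        if in_net(src, src_cidr) and in_net(dst, dst_cidr):
            return action == "allow"
    return default == "allow"


def pci_scope(hosts, cde, rules, default: str = "deny") -> set:
    """Return the names of hosts considered in PCI DSS scope.

    Simplified model (an assumption of this example): every CDE system is
    in scope, and so is any system that can open a connection to a CDE
    system or that a CDE system can open a connection to ("connected-to"
    systems). A system with no permitted path in either direction is out
    of scope, which is what segmentation is meant to achieve.
    """
    scope = set(cde)
    for name, addr in hosts.items():
        if name in cde:
            continue
        for cde_name in cde:
            cde_addr = hosts[cde_name]
            if allowed(rules, default, addr, cde_addr) or \
               allowed(rules, default, cde_addr, addr):
                scope.add(name)
                break
    return scope


# A "flat network": a single permit-any rule, so every host can reach the CDE
# and the whole inventory is in scope for the assessment.
FLAT_RULES = [("0.0.0.0/0", "0.0.0.0/0", "allow")]

# A segmented network: only the jump host may initiate into the CDE subnet,
# the CDE may talk to itself, and everything else is explicitly denied.
SEGMENTED_RULES = [
    ("10.30.1.2/32",  "10.10.1.0/24", "allow"),  # admin access path (in scope)
    ("10.10.1.0/24",  "10.10.1.0/24", "allow"),  # intra-CDE traffic
    ("0.0.0.0/0",     "10.10.1.0/24", "deny"),   # nothing else reaches the CDE
    ("10.10.1.0/24",  "0.0.0.0/0",    "deny"),   # CDE cannot initiate outward
]


def scope_report(hosts, cde, rules, default: str = "deny") -> str:
    """One-line summary of how much of the inventory an assessor must cover."""
    scope = pci_scope(hosts, cde, rules, default)
    return f"{len(scope)} of {len(hosts)} hosts in scope: {sorted(scope)}"


if __name__ == "__main__":
    print("flat:     ", scope_report(HOSTS, CDE, FLAT_RULES))
    print("segmented:", scope_report(HOSTS, CDE, SEGMENTED_RULES))
```

Swapping in a real rule export and inventory turns this into a quick pre-audit check for hosts that still have a path into the cardholder data environment.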

via Palo Alto Networks Hosting Webinar with Forrester on PCI Audit Process.

RBS WorldPay Breach Rings Alarm Bells About Acquirer Security

(December 23, 2008) The latest data-breach battleground has shifted to merchant-acquiring and prepaid card territory. Atlanta-based RBS WorldPay, a big acquirer owned by the Royal Bank of Scotland Group that also provides prepaid card programs, late Tuesday afternoon reported a breach of its computer system that may have compromised personal information on about 1.5 million cardholders, including the Social Security numbers of 1.1 million consumers.

The data leak affected prepaid cardholders “and other individuals,” RBS said in a news release, but the company didn’t give a breakdown other than to say the cardholders held payroll and open-loop gift cards. “Personal information associated with certain payroll cards may have been improperly accessed,” the release says. “PINs for all PIN-enabled cards have been or are being reset.” Actual fraud to date involves only 100 cards. The company did not give a loss figure.

Formerly known as RBS Lynk, RBS WorldPay said it discovered the breach Nov. 10 and notified law-enforcement agencies and banking regulators “shortly thereafter,” according to the release. But the company didn’t say why it waited until Dec. 23 to report the breach publicly. Spokespersons did not return calls from Digital Transactions News. Nor did the news release say how the breach happened or when it began. “RBS WorldPay has urgently taken a number of important steps to mitigate risk in response to this situation,” the release says without giving details. RBS WorldPay said it has notified affected cardholders and posted information on its Web site.

This latest breach represents yet another worrisome development in the payment card industry’s unending war with computer intruders. While most of the attention in the past two years has focused on retailers’ lapses in securing credit and debit card data, the RBS WorldPay breach serves as a reminder of how hackers can penetrate the computer systems of a major acquirer and processor. “It’s very bad news,” says Avivah Litan, a technology and security analyst with Stamford, Conn.-based Gartner Inc. She notes that unlike retailers’ computer systems, processors’ systems connect directly to the networks of Visa Inc. and MasterCard Inc. “An attacker that breaks into a processor conceivably can get into the heart of the system,” she says, adding that a fraud-intelligence executive at a Gartner client company recently told her that attacks on acquirers and processors are increasing.

Another question raised by the breach is whether the Payment Card Industry data-security standard, or PCI, is adequate to protect acquirers/processors. While many merchants, especially small ones, don’t yet meet the PCI rules set down by the PCI Security Standards Council and enforced by the card networks, acquirers enforce the rules with their individual merchant clients and presumably are compliant themselves, Litan notes. She did not have information about the status of RBS WorldPay’s PCI compliance.

RBS WorldPay said it has called on outside experts as well as its own security professionals to investigate the breach. Those personnel are working with federal and state investigators. In the release, Ben Barone, RBS WorldPay president and chief executive, said his company “is working closely with leading computer security firms to further safeguard our system.” Barone also said “we regret any inconvenience this may cause affected individuals. We have taken important, immediate steps to mitigate risk and none of the affected cardholders will be responsible for unauthorized activity on their account resulting from this situation.”

RBS WorldPay is offering individuals whose Social Security numbers were compromised free, one-year subscriptions to a credit-monitoring service. Gift cards that have already been purchased retain their value and can be used wherever merchants accept them. Those gift cards that had not been purchased have been deactivated and are being removed for destruction from stores as an additional precaution, RBS said.

via News.