Friday, December 2, 2011

Learning to share

Is this the start of something good or the start of the next big scandal?  Today the House of Representatives intelligence panel voted to approve a bill to share sensitive and classified information with defense contractors and their service providers, and vice versa.  According to the Reuters article, the bill would expand an existing program under which the federal government shares data with a larger audience.

The good part of this makes me think of the goal of the FBI Infragard program.  Infragard's main purpose is to share information within a trusted community.  Infragard screens potential members before allowing them to join.  Members are required to agree to specific rules.  Once met, members know they can trust sharing information that might help another member of the same industry or simply a fellow man (when the information is not confidential).

Within a civilized society, sharing is a good thing.  Sharing, even within a civilized society, also brings risks.  Can the federal government trust the NSA and the expanded list of Internet Service Providers (ISPs)?  What measures are being taken to ensure this sensitive or classified information is properly protected, especially from those suspected of attacking companies and other countries?

The article notes that the bill expressly prohibits the federal government from colluding with ISPs to gather information about private citizens in a way that amounts to government surveillance.  The bill was amended to ensure that all data would be used only for cyber security or national security.

It will come as no surprise that we're all human.  The military is famous for the Counter Terrorism briefings that were held, and maybe still are.  During those briefings we were warned about the means that the 'enemy' was willing to use to get the information we had.  I remember the foreign-born woman falling all over some knucklehead jarhead to get him to give her sensitive information.  Maybe they still do this.  If they do, I'm sure at least one of the subjects has changed a little.

We are civilized and we're smarter than we were 20-some years ago.  We think we know who the enemy is and we think we know how to effectively manage and protect data.  People are the weakest link, though.  I'm not really sure it's possible to protect the data once it leaves the source.  It would be nice to think that all Americans had our best interests at heart.  Too many people are interested in getting their five minutes of fame, so while I think that sharing the information is good, I'm waiting for the day when we learn that the data fell into the wrong hands and this turns into finger pointing and further rage about the government.

Tuesday, November 15, 2011

In conclusion...

As a brand new blogger I found the experience of discussing current events or material covered in class on this blog to be gratifying.  In addition, I really enjoyed reading the blogs of my classmates.  I was impressed with my classmates' blogs, watching them develop each week with the addition of pictures, links and well-developed posts.
I attempted to write about current events that interested me.  I asked my family to follow me, so I considered them as I selected my topics.  My father tried to follow my posts but became discouraged as he said he didn’t understand what I was writing about. 
My posts fell into several categories:  personal security, network security, PCI DSS, new technology, a scam, Steve Jobs, social networking, cyber threats and certification.  All of the topics I chose to blog about were interesting to me.  I hope that readers of my blog would be interested enough to read my thoughts and even read the article (linked in the blog) that caught my attention.  It was fun to find pictures for the post to entice the reader to read what I wrote.
I used a variety of sources to find my weekly topic.  Kim Komando is my hero.  She sends out a brief email to a huge audience with something interesting.  She provides information effectively to a diverse audience with a knack for making the topic understandable to folks with various levels of technology experience.  Information technology is not the same as molecular biology.  The types of information we deal with on a daily basis and the knowledge we have can be very valuable to people of all walks of life.  The information we can share with others to enhance their understanding of technology is powerful stuff.  I look at a variety of websites on a daily basis, including Kim Komando's daily email.  Some of the ideas for posts came from her email messages.
I believe that blogging is a great way to share information we learn along the way.  Furthermore, you can’t blog about something you know nothing about.  Blogging was a great way to get a grasp on a concept. 

Wednesday, November 9, 2011

Do you want to be a CISSP?

Achieving the CISSP certification is one way to show the world that you have the technical ability, knowledge and experience in the IT Security field.  If you think the certification is important, I encourage you to prepare well for it, then take the test and join me as a CISSP.  The exam covers the 10 domains called the Common Body of Knowledge (CBK) in 250 questions.  In order to pass the test you must achieve a score of 700 points or more.  There are several additional steps beyond passing the test that each candidate must complete to earn the CISSP certification.  I'll walk you through the basics... 

Minimum experience requirements:
You must have a minimum of five years of professional experience in the information security field, or four years plus a college degree.  An advanced degree in Information Security from a National Center of Excellence, or the regional equivalent, may substitute for one year towards the five-year requirement.
A candidate must also provide acceptable answers to four questions regarding criminal history and related background.

Before the exam:
1.  Study.
    a.  Complete a self-assessment quiz to see where your strengths and weaknesses are.
    b.  ISC(2) has several free webcasts valuable for your review.
    c.  Shon Harris books and DVDs are great references to ensure you have a full understanding.
    d.  Take free practice quizzes before taking the test.  The test questions are long and complicated.  It is critical that you read all the words in the question, as it is easy to speed-read the question and answer it wrong.
    e.  The candidate will be required to agree to follow the ISC(2) Code of Ethics to become CISSP certified.  Be sure to read and understand the requirements, as this is not optional.
    f.  Read the ISC(2) Candidate Information Bulletin, available for download from:  www.isc2.org/cib
2.  Join a study group if possible.  NebraskaCERT generally offers one prep class per year.  Check their website or go to a meeting if you're looking for a study partner or session.

Day of exam:
  • Print a copy of the email "ticket" you receive from ISC(2) and bring it with you to the exam site.  A proctor will check you into the exam.  The information on your ticket will be cross-referenced by the proctor.
  • Bring a valid form of identification that has your picture on it (Driver's License, Military Identification, etc.)
  • Bring a snack.  Candidates are provided a space in the room away from the desk/table where the test is administered.  You may get up from the test to quietly eat the snack in the room.  
  • Do not bring your cell phone, books, papers, or other items into the test area.  You will be provided pencils. 
  • Be sure to be well rested and focused on the material on the day of exam.  Leave other stresses at home.
How do I know if I passed?
ISC(2) will email you the results of the exam usually within one week of completing the exam.  If you pass, you will get a letter that begins with "Congratulations ....".  You will not be provided your score.  If you did not pass, you will receive a letter that does not begin with "Congratulations".  Those who do not pass will receive their score.

There are a few more steps after you pass the exam before certification is approved:
If you pass, the letter will remind you that you are not permitted to use "CISSP" yet.  You will be instructed to submit your resume for review. 
You must be endorsed by another (ISC)² certified professional in good standing before the credential can be awarded.  The endorser will attest that the candidate's assertions regarding professional experience are true and to the best of the endorser's knowledge, and that the candidate is in good standing within the information security industry.

What are the on-going requirements to maintain the CISSP certification?
All CISSPs must maintain their certification by completing Continuing Professional Education (CPE) credits within each three-year period and paying $85 per year.
ISC(2) requires that each CISSP complete a minimum of 20 CPEs each year, so a CISSP cannot complete 120 CPEs during year one and maintain his or her certification.  A CISSP may complete more than 20 CPEs per year, but not less.  If a CISSP does not complete 20 CPEs each year, he or she will need to retake the CISSP exam.

What counts as CPE?
You can earn CPEs by:
  • Attending educational/training conferences and seminars
  • Attending conferences
  • Attending professional association chapter meetings (such as Infragard and NebraskaCERT)
  • Attending vendor presentations
  • Completing college courses (*you must pass the class)
  • Providing security training to others
  • Publishing a security article or book
  • Serving on the board of a professional security organization
  • Completing computer-based training
  • Reading information security books or authorized magazines (you may be required to complete a book report)
  • Various IT-related volunteer work

How do CISSPs submit CPE?
All CISSPs must register on the ISC(2) website using information provided from ISC(2) after the CISSP certification is earned.  CISSPs log into the website to submit CPEs and pay the annual maintenance fee.

Good luck.  May the force be with you!

Tuesday, November 1, 2011

How secure is your corporate network?

According to the SC Magazine article, Reducing network breaches, between 178 and 218 million user accounts, email addresses, token seed files or "records" were stolen from organizations by cyber thieves in the published top six network breaches.  That is pretty frightening!

How could this happen?  The article suggests that social engineering attempts are especially problematic.  Years ago many people received the Nigerian email, in which a wealthy foreigner needs help moving money from his homeland and promises a reward for helping him.  Things have gotten more sophisticated since early scams such as the Nigerian scam.  The article suggests that organizations need to provide continuous information to employees to warn them about giving out information in response to unsolicited calls, email messages or visits.  Some email messages requesting information appear to be legitimate, or may offer a prize for providing information, which may entice some folks to willingly give away valuable company information.

Thumb drives, wireless networks, smart phones, and laptops make life simpler for employees, but they can also weaken the network perimeter and the safety of corporate information.  The article suggests that smartcards backed by a credential management system be used to ensure that multilayered strong authentication protects access to corporate servers, VPN and cloud applications.

The protection of customer information is critical to the continued success of a company.  PCI compliance will not guarantee 100% protection, but will provide a good place to start.

The bottom line is that employees are the first line of defense against social engineering attempts.  American children are taught to help others and be friendly.  The author encourages organizations to continuously remind employees to be skeptical of others asking for information.  I would encourage employees not to complete unsolicited surveys.  The best response to an unsolicited phone call asking you to complete a survey is to ask the caller to take you off his or her list.  You have no way of knowing who the caller is, where the information is going or who the information might be sold to.  Professional magazine subscriptions require a subscriber getting a free publication to provide certain information.  If you don't read the publications, do not subscribe.  If you read them, provide the least amount of information possible.  Never provide a co-worker's name, title or email address.  Most technical magazines are available at no cost on-line anyway.

We should all learn to be skeptical.  Being skeptical is healthy.  Most skeptical people wouldn't imagine why a rich Nigerian would need their help to move money, and most skeptical folks wouldn't believe an email message from the US Postal Service asking for personal information so they could deliver a package to their facility.  How would the US Postal Service have your email address?  Answer:  they wouldn't.  It just takes a few minutes for us to think about the information.  Does it make sense?

It will pay off to be skeptical.


References:
http://www.snopes.com/fraud/advancefee/nigeria.asp

Tuesday, October 25, 2011

A Good Partnership?

According to a Reuters article, the National Security Agency (NSA) will partner with US banks to deter cyber attacks within the banking industry.

The financial industry has been taunted and attacked by hackers from other countries, mainly China. The financial industries have security resources in place, but "tremendous vulnerabilities" remain.  Threats include individuals positioning themselves inside a business to negatively impact operations and malware. 

Given the value of the information on financial institution networks, the consequences of its loss or compromise, and the impact on investors, it is imperative that these resources are protected.  History has shown that hackers strike when a business is most vulnerable, such as during a crisis.

It was interesting to read the comments on the article.  Many people were not pleased that a federal agency was assisting the financial/banking industry, asking when their company could get help from the federal government to fix their problems, etc.  Not many positive comments.  We are a bunch of complainers, aren't we?  I think this is a great step.  Hillary Clinton's book, It Takes a Village, describes the number of caring people that make up the lives of children, from parents, grandparents, teachers, friends, neighbors, law enforcement officials, government officials and others.  Looking at the resources of our country, these children need the support of friends, neighbors, law enforcement, government officials and others.  We're all in the same boat.  When one aspect fails, we all fail.

Monday, October 17, 2011

Mama always said you should watch what you say!

Marc Bechtol's Facebook post cost him a two-semester suspension and a ban from Catawba Valley Community College (CVCC) on Oct 4, according to a CBS report.

Bechtol had to sign up for a specific bank account to receive grant money.  He began receiving unwelcome spam from credit card companies shortly after the account was opened, which he concluded was directly related.  He posted "Did anyone else get a bunch of credit card spam in their CVCC inbox today? So, did CVCC sell our names to banks, or did Higher One? I think we should register CVCC's address with every porn site known to man. Anyone know any good viruses to send them?" on the CVCC Facebook page.  Moments later he added a post, "OK (sic), maybe that would be a slight overreaction," under his first post.

It was too late.  His comments yielded a letter from campus informing him of his suspension and campus ban.  CVCC indicated that the post was disturbing and "indicates possible malicious action against the college". 

The Foundation for Individual Rights in Education (FIRE) came to Bechtol's aid by intervening on his behalf.  Robert Shibley, the senior VP of FIRE, found CVCC's reaction to the post to be extreme.  He asked the school to put Bechtol on notice and provide him the opportunity to be heard by the administration before suspending him.  Bechtol's suspension has been revoked and he is now able to go back to campus; however, he has not done so yet.

So, we all know you can't take back your posts, but we can learn from them.  What could Bechtol have done to deal with his suspicion about the spam?  The best response: ignore the email and delete it immediately.  Another option is to read CVCC's and Higher One Bank's privacy policies.  As a customer you have the right to see what kind of information they're sharing and opt out.  It really makes sense to read all the words of a contract before signing anything.  My final advice is to create a secondary email account that you provide when you suspect you might get unwanted email.  A good time to use this is when you order from an online retailer.  Many retailers require your email address to complete an online order.  You will get shipment information related to your order, but you'll also get regular (unwanted?) email from the retailer.  Provide your secondary email account when ordering so you're aware of the shipping information but the extraneous email is not clogging up your primary email account.

I'm sure Mr Bechtol learned from this painful and public experience.  Listen to Mom.

Tuesday, October 11, 2011

Apple releases new iOS for iPhone, iPod and iPad

Apple is scheduled to release the newest version of its operating system, iOS 5, on Wednesday, October 12.  In conjunction with the OS update, an updated version of iTunes was released today, October 11.  The iTunes update, version 10.5, fixes 79 flaws in the Windows edition according to ComputerWorld.  The update is free.  If you plan to run the new OS, you must update iTunes so you can sync your iPhone, iPad, or iPod.

iOS 5 has some nice improvements:

You don't need a PC or Mac to configure the device out of the box.  You can activate the device wirelessly.

The new OS has a notification center showing you your new email, texts, friend requests, stock market updates, weather and more.

Apple also released iMessage, a messaging service allowing users to send text messages from their i-device.  iMessage is an encrypted system.

Another improvement in the new OS is iCloud service (coming soon). iCloud stores your contacts, calendar entries, photos, music and television programs on Apple servers in the cloud which makes your content available on your i-devices "anywhere, any time".  iCloud supports up to 10 devices at no cost and provides up to 5 GB of storage.  Additional storage will cost you to upgrade.

iOS 5 has a Newsstand feature to allow users to subscribe and manage publications.  Users can read the latest version of current magazines and newspapers.

The new operating system brings improvements to the camera, picture editing, Safari browser, mail, calendar and the game center.

I got an iPad at work and am anxious to get clearance to install iOS 5 on my iPad.

Wednesday, October 5, 2011

Scam

I posted a cell phone for sale on Craigslist Tuesday night.  About 5 minutes after I posted the ad I received a short email asking if the phone was still available.  I wasn't expecting anyone to buy the phone that fast; my heart was racing as I typed a quick "yes".  I didn't get any return response that night...

This evening I got an email message from the individual:
 ___________________________________________________________________________
Hello,
Thanks for your mail, , i dont know what happened to my yahoo account, i cannot reply the   message i have in my inbox so thats why i couldn't get back to you. The price of the item is fair to me and i wouldn't want to loose it so it would be my pleasure to add another $20 to the asking price so you can sell the item to me and also tell other interested parties that it has been sold to avoid competitions. I don't have much  time to come over to take a look because of my Business i have limited time, i am ready to make money order to you but i need you to get back with your full details as
  1)Full name for Payment
  2)Full Address
  3)city
  4)State
  5)zip code
  6) cell or home Phone Number(also let me know the best time to reach you on phone)
I will be waiting to get those infors from you later today so i can make money order  out to you immediately, Please don't bother yourself about the pick up, i know a forwarding courier in your state, they will handle the pick up immediately you inform me that you got your money order  cash, then i will contact them to come for the pick up of the item at your location at your own best time....
I will be waiting for your quick response tomorrow latest.
Stay Blessed.
 ____________________________________________________________________________
Would you sell your phone or respond to this person?  If you answered "yes", you would likely be the victim of a scam.  How do I know?
  1. The first email came from xxxxxx@att.net.  This email came from xxxxxx@yahoo.com.  I noted the discrepancy.  Pay attention to the sender's email address.
  2. Misspellings and poor punctuation are typical in scams.
  3. The buyer offers me more money than I am asking for the phone.  He is testing my greed factor.
  4. The buyer offers to send me a money order.
  5. The buyer offers to send a courier to my state so I won't need to send the device to him.  Since he's not picking it up, an unknown party will pick it up so he remains anonymous.
  6. He wants a quick response.
So, if I respond to this guy and accept his generous offer, he will send me a money order, then task an unknown person to pick up the phone from me.  For the scam to work, the money order will look real but it will be fake.  I won't know that until the bank contacts me about the bad check I deposited.  The bank will charge me a bad check fee and I will have given away my phone.  It's a potential loss for me.  I'm not buying it, so game over, buddy.

Please be careful when selling equipment on eBay or Craigslist, and watch for signs that might indicate that the potential buyer is a scam artist.

Rest in Peace Mr Jobs

The legendary Steve Jobs, co-founder of Apple, lost his battle with pancreatic cancer October 5 at the age of 56.  Most young people associate Steve Jobs with the creation of the iPod, iPhone and iPad but his contributions span beyond these devices...

Steve Jobs was born in 1955 and grew up in California with an interest in electronics.  As a teenager he contacted William Hewlett, President of Hewlett-Packard, to request parts for a school project and ended up getting the parts and a summer job.  He was a visionary man with a nonconforming life, including a brief experience in college before dropping out, a short job designing Atari video games, backpacking across India and experiences with psychedelic drugs.  His experiences influenced his creativity and ideas throughout his adult life.

Steve became friends with Steve Wozniak while working at HP.  Jobs and Wozniak partnered together to launch Apple Computers with two others.  They built their first computer in 1976 in Steve Jobs' parents' garage.  The product was sold unassembled, had no keyboard or monitor and cost $666.66.  The following year Apple created the Apple II, which was a big hit in the market.  The Macintosh computer was launched in early 1984.  Two years later Jobs left the company, then started a marginally successful computer company, NeXT Computer.  Jobs then bought Pixar Studios from George Lucas, where he shared his visions and led the successful animation company.  In 1996, Apple bought NeXT, which brought Jobs back to Apple.

In 2001, Jobs introduced the iPod followed by iTunes, the iPhone, the App Store and the iPad.  Steve Jobs left this world early but has left a legacy that will live in the memories of many...

Monday, September 26, 2011

What is that shiny new thing you've got there?

New tech gadgets are coming into the marketplace making many people drool.  The newest ones usually receive the most 'cool points' from friends and other employees.  These shiny new tech devices are working their way into the federal workspace with the belief that 'Johnny' will be more productive.  John Zyskowski of Federal Computer Week offers several suggestions to ease the secure introduction into the workplace in the article at:  http://fcw.com/Articles/2011/09/26/FEAT-mobile-consumerization-plans.aspx.

This article unfairly points at Information Technology folks as being a speed bump for hip users in their quest to become more productive with these new devices.  The first suggestion is for IT to "deal with it" and allow hip young users and the big bosses to start using these devices the same way these folks use the same devices at home.  Wow, kind of sets a negative tone...

The second suggestion is to "standardize, but not where you think" meaning that the centralized applications and security settings should be configured to work with any device.  The author mentions that using devices in 'the cloud' via a virtual connection results in simple screen scrapes where no data resides on the end user device.  Sounds pretty simple...

The third suggestion is to "let users break out the plastic", meaning users contribute to the costs of using the device in a "bring-your-own-device" to work program.  End users share the costs with the agency, so the user and the agency both chip in.  Nice, but it might bring on some issues with where data is stored and who has access to it.

The fourth suggestion is to "cover all the security bases", which would require that specific requirements are met on the user device, including encryption, remote management to wipe the configuration of a lost device, user passwords, patch management, identity management and two-factor authentication.  This is smart and should be incorporated into the management of all devices.

The final suggestion is for IT workers to develop the applications that enable these cool folks to use the devices.  The author recognizes that most applications were developed for standard computers, so he suggests that the applications be converted to web-enabled applications compliant with the HTML5 standard, which is predicted to be ready in a couple of years.

The suggestions are good; however, many are not practical.  First, Vivek Kundra, the recently separated first federal CIO, started several initiatives last year, including the effort to consolidate data centers.  This consolidation is smart, but it demands great effort to ensure the consolidations do not halt the productivity of federal employees sitting at desks right now.  It's not simple to relocate circuits and servers and redirect clients.

Second, the federal budgets are not growing.  The public is led to believe that federal agencies are "fat" now with an abundance of equipment and services.  I'm afraid that isn't true at the agency where I work.  Devices get old and need to be replaced, maintenance contracts need to be renewed, backup devices need to be updated and documentation needs to be updated.  Turns into a lot of money going to these not-so-sexy or shiny purchases.  Furthermore, in order to implement applications and security settings with devices, additional equipment may need to be purchased, configured, tested and documented in federally mandated security documentation. 

Third, the federal government has an obligation to her citizens to prevent data loss.  Many devices rely on good faith with the user to establish a VPN connection (i.e. it's not automatic).  Some devices won't allow a VPN connection to run, some don't have sophisticated patch management or identity management, and most do not allow two-factor authentication.  Furthermore, a study of cloud computing providers released by the Ponemon Institute in April 2011 found that providers "do not consider cloud computing security as one of their most important responsibilities and do not believe their products or services substantially protect and secure the confidential or sensitive information of their customers".

It is critical that the federal government provide an environment where employees can be productive.  It also has an obligation to provide security of the data.  It's critical to balance the two even if that means Johnny has to wait to use his shiny new toy.

Tuesday, September 20, 2011

Japan's first cyber attack

Reuters announced that Japan's defense industry sustained their first cyber attack on September 19, 2011.  http://www.reuters.com/article/2011/09/19/mitsubishiheavy-computer-idUSL3E7KJ0BD20110919

Hackers gained access to computers at one or more of the defense contractor's submarine, missile and nuclear power plant factories on August 11, marking the first known cyber attack on Japan's defense industry.  The article states that 80 computers were infected with computer viruses, including eight types of Trojan horses.  The plants build missiles, aircraft wings, submarines, components for nuclear power stations and escort ships.  The article suggests a possible reason for the attack being a partnership with Boeing and interest from other countries in the project.

A sad issue for the country of Japan, especially after the recent devastation of the tsunami.

Hacking can't always be prevented, but it makes sense to ensure that anyone using a computer protects the computer to the greatest extent possible.  Several ways to protect your home computer at low or no cost include:

1.  Install a reputable virus protection program on your computer and keep it up-to-date.  Virus protection programs can be purchased at very low cost during holiday weekends (Labor Day, Veterans Day, Thanksgiving, etc.) using rebates at computer stores.  I like Symantec.  There are also several good free programs, such as AVG, that offer good protection.

2.  Install a hardware and software firewall.  It is important to install a hardware firewall, also known as a router, on your home network.  A hardware firewall offers first defense against hackers attempting to get into your home computer.  A software firewall enhances your fortress against attack if the hardware firewall is penetrated so a software firewall is also a must.

3.  Malware, spyware and adware are becoming a larger problem.  Malware is malicious software designed to interrupt your computer or network.  Malware includes spyware (such as a keylogger) and adware.  Several anti-virus software programs include spyware detection/removal.  I recommend you use a virus protection program that includes malware/spyware detection and removal.

4.  Update your computer regularly.  Microsoft regularly finds vulnerabilities and provides "patches" to resolve them.  Several other programs you may have installed, such as Adobe Acrobat Reader, Flash and Java, release regular updates.  Many of these programs notify you when updates are available.  Many other programs have a link to update the software in the "Help" or "About" sections.  Update your software.  If you don't run the software anymore, uninstall it.

5.  Back up your important data.  You can do this by copying data to CD-ROM or DVD (least expensive option), purchasing an external hard disk, which may cost $100 or less, or subscribing to an online service.  If you back up to a home device (CD, DVD or external drive), remember to consider where the backup is stored.  If your machine falls prey to theft or is destroyed by a fire, tornado or other natural disaster, you could also lose your backup.  Store it safely in a manner that will provide a good chance that the backup will survive if the machine does not.

Thanks for following the recommendations listed above.  Everyone who uses the internet is swimming in the same fishbowl.  One infected machine has potential to infect others.  Thanks for doing your part to halt the spread of viruses and malware.

Tuesday, September 13, 2011

Security shouldn't take a break (especially on vacation)

Jaikumar Vijayan reported in a September 12 ComputerWorld article on a breach that may affect 40,000 people who visited waterpark resorts in Wisconsin and Tennessee between December 2008 and May 2011.

The vendor that handles the point-of-sale systems processing credit card transactions, Vacationland Vendors, reported that it had been hacked, but it did not say how, when, or whether it had contacted victims yet.  The vendor reported that "a computer hacker improperly acquired credit card and debit information".  The organization reported that the breach was not the result of an internal security weakness at the two waterparks.  Fo realz y'all?  Nice way to take responsibility, Vacationland Vendors!  It sounds like Vacationland Vendors didn't properly protect the information and/or had a weakness that allowed a hacker to compromise its system.  Since we don't know the details, it's hard to know whether the company was keeping the credit card information in an unprotected database, whether the hacker had access to some component of the system for two and a half years, or something else.  Taking responsibility is certainly a first step...

This isn't the first time this has happened, unfortunately.  Heartland Payment Systems disclosed in January 2009 that its payment processing network had been breached; the intruders had planted software that captured card data as it crossed the network, and the breach was estimated to have exposed around 130 million cards.

The PCI Security Standards Council released version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS) in October 2010.  Among other things it requires that cardholder data be encrypted when it crosses open, public networks, that stored cardholder data be protected (the card security code is never to be stored after authorization, and the full card number only if there is a business need and then only in unreadable form), and that security processes be tested and verified regularly.  Read more about PCI DSS on the PCI Security Standards Council site.
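The "protect stored cardholder data" part of the standard comes down to one habit: never keep the full card number.  The following is an added example, not code from Vacationland Vendors, the waterparks or the PCI Security Standards Council, showing what a point-of-sale back end can store instead: a Luhn-validated, masked form for receipts and support screens, plus a keyed one-way token for "have we seen this card before" lookups.  The card number is the well-known Visa test number, and the key is a constructed placeholder; in production it would live in a key-management service or HSM, never in source code.

```python
"""Keeping card numbers out of the database, the way PCI DSS expects.

Added example; not code from Vacationland Vendors, the waterparks or the PCI
Security Standards Council.  The card number is the standard Visa test number
and EXAMPLE_TOKEN_KEY is a constructed placeholder.
"""
import hashlib
import hmac
import re

TEST_PAN = "4111 1111 1111 1111"          # standard test number: passes Luhn, not a real card
EXAMPLE_TOKEN_KEY = b"constructed-example-key-do-not-use"


def _digits(pan: str) -> str:
    """Strip spaces and dashes that keypads and card readers sometimes include."""
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches typos and garbage input, not fraud."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four at most: the maximum PCI DSS allows to be displayed."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """HMAC-SHA256 of the PAN: same card -> same token, but not reversible.

    A plain (unkeyed) hash is not good enough here: there are only about 10^15
    plausible card numbers, so whoever steals the table can simply hash them all.
    """
    return hmac.new(key, _digits(pan).encode("ascii"), hashlib.sha256).hexdigest()


def record_transaction(pan: str, amount_cents: int, key: bytes = EXAMPLE_TOKEN_KEY) -> dict:
    """The row that gets stored: masked number, token, amount, and no full PAN."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    row = record_transaction(TEST_PAN, 4995)
    print(row)
    # The stored row must not contain the card number in any form.
    assert _digits(TEST_PAN) not in repr(row)
```

The token is what lets the business answer "is this the same card that was used last week" without being able to answer "what was the card number"; if the database is stolen, the attacker gets masked numbers and HMACs, and the key was never in that database.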

Vacationers shouldn't expect to bring home credit card problems from a trip to the waterpark.  Consumers should have a reasonable expectation that they can safely use their credit cards.  The payment card industry has worked hard to give retailers and consumers a means of better security.  Retailers must follow these standards - no exceptions!  Consumers should watch for card skimmers at ATMs and be leery of using their credit cards at sketchy places.  The news of the breach is disheartening at best.  I can only hope that consumers are notified.  It will be interesting to see if someone sues Vacationland Vendors.  I think I'll bring cash on my next trip to the waterpark!

Tuesday, September 6, 2011

Didja forget something?!!

A fired IT worker from Texas broke into his former employer's computer system and deleted customer data while logged in to a restaurant's wireless network, according to Network World: https://www.networkworld.com/news/2011/090211-ex-employee-wiped-financial-data-from-250433.html.

According to the article, the former employee, David Palmer, was angry that he had been fired and that his former employer had not helped him get unemployment benefits.  Palmer logged into the system using a backdoor account he had created before leaving the organization and deleted customer payroll and software files.  Before the offense, Palmer had logged into the system numerous times from his home as well as from the wireless networks of several restaurants.

The incident took place on January 21, 2010.  The day after the files were deleted, company staff noticed that their punch clock software and payroll records were missing.  The company contacted the U.S. Secret Service to report an unauthorized intrusion into its system.  Palmer appeared in U.S. District Court in Texas on September 1, 2011 and pleaded guilty to computer intrusion.  He is scheduled to be sentenced on November 2, 2011.

The article states that the situation is not unique.  In several cases former employees have logged into their former employer's systems from restaurants on the theory that the traffic couldn't be traced back to them because they were in a public place.  Public Wi-Fi hides the source address, not the account that was used or what that account did; the logs on the victim's side still tell the story.

This situation begs the question: what steps should an organization follow when an IT employee with administrative privileges is terminated?  Any organization firing an IT employee with special privileges should, on the day of termination, disable every account the employee had, change any shared or service passwords and keys the employee knew, and audit its systems for accounts the employee may have created that nobody else authorized.  Logging, if it had been enabled and the logs reviewed periodically, would have shown the unauthorized access in the weeks before the files were deleted.
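Two of those steps, the account audit and the log review, are mechanical enough to script.  The following is an added example, not code from the Network World article or from the company involved, that runs both over constructed data: a system account list compared against the HR roster to surface the departed admin's still-enabled account and any account he created, and a Linux auth.log-style login history scanned for successful logins after the exit time by the departed user or by a flagged account from outside the office network.  The user name jdoe, the roster, timestamps and log lines are all constructed; office ranges are RFC 1918 space and the outside addresses are RFC 5737 documentation addresses.

```python
"""Two checks to run the day an admin leaves: stray accounts, and logins after the exit.

Added example; not code from the Network World article or the company involved.
The account list, HR roster, departed user name (jdoe), timestamps and log lines
are all constructed, written in the style of a Linux auth.log.  Rotating shared
passwords, API keys and VPN certificates the person knew is also part of
offboarding but is outside what this script can check.
"""
import ipaddress
import re
from datetime import datetime

ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port"
)


def account_findings(accounts, active_roster, departed_user):
    """Flag the departed admin's own account if it is still enabled, any account HR
    does not know about, and any roster account the departed admin created."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        if name == departed_user:
            if not acct["disabled"]:
                findings.append((name, "departed admin's account is still enabled"))
        elif name not in active_roster:
            why = "not in HR roster"
            if acct["created_by"] == departed_user:
                why += f"; created by {departed_user}, possible backdoor"
            findings.append((name, why))
        elif acct["created_by"] == departed_user:
            findings.append((name, f"created by {departed_user}; confirm it is still needed"))
    return findings


def post_exit_logins(log_lines, departed_user, watch_accounts, exit_time, office_nets, year):
    """Successful SSH logins after exit_time by the departed user, or by a flagged
    account from outside the office networks (a restaurant, a home connection)."""
    nets = [ipaddress.ip_network(n) for n in office_nets]
    findings = []
    for line in log_lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue                      # failed attempts and other daemons are skipped here
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if when < exit_time:
            continue
        user = m["user"]
        addr = ipaddress.ip_address(m["ip"])
        outside = not any(addr in net for net in nets)
        if user == departed_user:
            findings.append((line, "departed user can still log in"))
        elif user in watch_accounts and outside:
            findings.append((line, "flagged account used from outside the office"))
    return findings


# Constructed sample data for the demo below.
ACCOUNTS = [
    {"name": "jsmith",      "created_by": "it-admin", "disabled": False},
    {"name": "jdoe",        "created_by": "it-admin", "disabled": False},  # the departed admin
    {"name": "svc_remote",  "created_by": "jdoe",     "disabled": False},  # nobody asked for this
    {"name": "payroll_app", "created_by": "jdoe",     "disabled": False},
]
ACTIVE_ROSTER = {"jsmith", "payroll_app"}
EXIT_TIME = datetime(2010, 1, 15, 17, 0, 0)
OFFICE_NETS = ["10.0.0.0/8", "192.168.0.0/16"]
AUTH_LOG = [
    "Jan 14 09:02:11 payroll sshd[2201]: Accepted password for jsmith from 10.1.4.20 port 50112 ssh2",
    "Jan 16 22:41:03 payroll sshd[2310]: Accepted password for jdoe from 198.51.100.7 port 40022 ssh2",
    "Jan 19 13:05:55 payroll sshd[2388]: Accepted publickey for svc_remote from 203.0.113.45 port 51522 ssh2",
    "Jan 20 08:15:30 payroll sshd[2401]: Accepted password for jsmith from 10.1.4.20 port 50113 ssh2",
    "Jan 21 02:13:44 payroll sshd[2455]: Accepted publickey for svc_remote from 203.0.113.91 port 51530 ssh2",
    "Jan 21 02:14:10 payroll sshd[2456]: Failed password for root from 203.0.113.91 port 51531 ssh2",
]


def run_audit():
    """Run both checks over the sample data; returns (account findings, login findings)."""
    accts = account_findings(ACCOUNTS, ACTIVE_ROSTER, "jdoe")
    watch = {name for name, _ in accts}
    logins = post_exit_logins(AUTH_LOG, "jdoe", watch, EXIT_TIME, OFFICE_NETS, 2010)
    return accts, logins


if __name__ == "__main__":
    accts, logins = run_audit()
    for name, why in accts:
        print(f"ACCOUNT {name}: {why}")
    for line, why in logins:
        print(f"LOGIN   {why}: {line}")
```

Run against the sample data it flags three accounts (the departed admin's own, the unexplained svc_remote he created, and payroll_app for someone to re-confirm) and three logins after the exit date, two of them by svc_remote from addresses that are not the office.  The account check is the roadblock; the log check is the flare, and it only works if the logs exist and someone actually reads them.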

So, it's clear that both Palmer and his company forgot something.  Palmer created a backdoor account so he could log in to the system in case he forgot something.  The company forgot something too: they terminated an employee who knew how to get back into their system.  The company should have set up roadblocks to prevent his re-entry, or flares so they knew if he was back in the system.

Friday, September 2, 2011

Week 1

Welcome to my blog! 


On September 1, 2011, the state of California passed a law to enhance the notification process for California residents when their personal information is accessed illegally.  Breaches involving PII (personally identifiable information), credit card numbers, and other sensitive information happen frequently.  In some cases, the individuals affected are not notified or are given only minimal information about the incident.  When a victim is not told the details and the extent of the incident, he or she may not react appropriately.  The new California law requires that victims be sent a notification containing "specifics of the incident, including the type of personal information exposed, a description of what happened, and advice on steps to take to protect oneself from identity theft." (http://www.scmagazineus.com/california-blazes-trail-again-with-enhanced-breach-alert-law/article/211005/)  Furthermore, when a breach affects more than 500 California residents, a copy of the breach notification must also be provided to the California Attorney General's office.

This new law helps victims of potential identity theft by giving them the information they need to react appropriately to the incident.  The article does not identify the timeframe within which notification must occur.

The article states that former Governor Arnold Schwarzenegger vetoed earlier versions of this bill during his term because he thought that California citizens would not benefit from the additional information.  It also states that he said the Attorney General's office would not benefit from having copies of the breach notices.  That is ridiculous. You can't fix something you don't know is broken...

This law lets the state protect its citizens in an appropriate fashion.  I hope to see other states follow suit.