Monday, July 29, 2013

DNB: Banks may use the Amazon cloud

29-07-2013 11:45 | By Johannes van Bentum

De Nederlandsche Bank (DNB) has given Dutch financial institutions the green light to use the services of the American cloud provider Amazon Web Services. According to Amazon, this means that banks and insurers can use cloud computing for their websites, mobile applications, banking software, data storage, additional computing capacity and credit-risk analyses.

From now on, financial institutions may also purchase services from suppliers that make use of the Amazon cloud, Amazon states in a press release.

DNB spokesman Remko Vellinga is more guarded: 'Without going into the substance of the Amazon press release, it is correct that, as far as DNB is concerned, the legal requirements no longer need to be an obstacle for financial institutions wishing to use Amazon Web Services. These financial institutions will of course have to carry out a proper risk analysis if they want to outsource activities to the cloud.'

In a notice on its website, DNB does point to the obligation of financial institutions to include an exit clause in the contract with the cloud provider. A risk analysis must also be drawn up beforehand, and DNB must be informed of the plans in advance.

Elsewhere in Europe

According to Amazon Web Services, financial institutions elsewhere in Europe already use its services. Users include Spain's Bankinter and Italy's Unicredit. The Commonwealth Bank of Australia also does business with Amazon.

The first Dutch customer of Amazon Web Services is banking technology company Ohpen. 'We chose AWS as the platform on which to run our bank-in-a-box solution as a SaaS service,' says Ohpen CEO Chris Zadeh. According to him, several large Dutch banks already use Ohpen's technology to move their retail activities to the cloud. 'With DNB's approval, they can now also run our banking software on AWS.'

Insurers

DNB earlier reached agreement with Microsoft on the delivery of cloud services to insurers. The sticking point there was that cloud providers limited how frequently the regulator could carry out supervision. Microsoft therefore decided to amend its contracts with insurers on this point. Since then, DNB representatives may carry out an examination at any time at the location where the insurance data is physically held. That cleared the way for the use of, for example, Office 365 in the insurance industry.

DNB is holding similar talks with other cloud providers. For more details, see the circular that DNB sent out in early December 2012.

Read more: http://www.computable.nl/artikel/nieuws/outsourcing/4792558/1276946/dnb-banken-mogen-in-de-amazoncloud.html#ixzz2aT07nvLz

Wednesday, July 24, 2013

Guidance Software calls for rethink on data protection rules

23 Jul, 2013   

Forensics software company claims rules governing where data can be stored could impede enterprise business growth.

Data protection laws that prevent people from storing data in overseas clouds could be inhibiting enterprise business growth.
That’s the view of Sam Maccherola, general manager for EMEA at data forensics vendor Guidance Software, who has called on European lawmakers to overhaul the rules governing where people can store their data.
“Europe is such a small, condensed area and you’ve got the globalisation of organisations taking place, but moving data from country-to-country is problematic...and I think it’s almost an impediment to cloud [growth] in Europe,” he told IT Pro.
“Unless the EU changes something in terms of data privacy and the regulation surrounding it, it will continue to be an impediment to business growth.”
Maccherola also took aim at the fines handed out by data protection regulators, claiming they need to be drastically stepped up or corporations will continue to flout the rules.
For example, despite ever-tightening data protection laws governing how people’s data can be processed and stored, the punishments companies face for failing to follow them are not keeping pace.
“I don’t understand the rationale behind all these strict data regulations [if they are not being backed] by real fines, because there are no real ramifications if a [company's] data is stolen,” said Maccherola.
“Until corporations have to disclose [that a data breach] has taken place, and the fines remain somewhat nominal, they won’t understand the risks associated with losing data and things won’t change.”
This could potentially be rectified if the European Commission’s draft General Data Protection Regulation proposals get the go ahead.
This aims to update the Commission’s data protection legislation so that it takes into account the impact of globalisation and newer technology trends, such as cloud computing.
It is also designed to replace numerous other pieces of legislation with a single document.
“Without a doubt, that [sizeable fines] is the missing component because the rationale behind [data protection regulations] makes great sense, but corporations are not taking responsibility because they don’t have to,” he added.

Read more: http://www.itpro.co.uk/security/20250/guidance-software-calls-rethink-data-protection-rules#ixzz2a2EK8Vuv

Sunday, July 21, 2013

The “Y” in Comply

Organizations are required to show a commitment to compliance, which touches several aspects of business such as: internal policy, enforceable standards, and governmental regulations. However, to have a successful compliance strategy, the business must address the “why?” in a way that is meaningful to both the community and its users. Paying lip service to mandated compliance “standards” is not enough for an organization to expect any meaningful buy in by managers and employees.

Because I Said So

Vague answers such as “Because I said so” or “Because you’ll lose your job” are not satisfactory. Motivations and processes must be understood in order to get real commitment from stakeholders. In the quest to achieve acceptance from the user community, employees must also be provided with the proper tools to comply with the requested action.
To illustrate the point, assume we have two managers in the food-service industry. Manager A says to a new employee, “In order to comply with the state health and safety codes, and to keep our business running, you need to wash your hands every time you put on gloves. But currently, the sink in the men’s room is out of order, so you need to walk up three flights of stairs to wash your hands.” Manager B, on the other hand, informs a new employee, “When you wear gloves, be a good boy and wash your hands—everything you need is in the cabinet under the sink.”
Neither manager shows any real commitment to compliance: neither articulates why the rule matters, and neither provides the tools that would make it effortless for the employee to carry out the task.
TIBCO has released a new whitepaper on the practices that successful organizations follow when they are tasked with meeting and reporting on their compliance initiatives. If you are involved in rolling out or monitoring compliance, take a moment to download “10 Steps to Compliance.”

Data Analytics Tops Focus for Internal Auditors, According to Wolters Kluwer Audit, Risk & Compliance "TeamMate Internal Audit Technology Survey"

MINNEAPOLIS -- Data mining and data analytics are currently the top area of concern among internal auditors, according to the annual TeamMate Internal Audit Technology Survey (IATS). The survey, which gathers information on core internal audit trends at the end of each year, received responses from nearly 820 auditors from around the world who use the TeamMate audit management system.
When asked which technology tools they expect to use to a greater extent over the next two years, respondents put data analytics in the top spot, slightly ahead of risk assessment technology, which had been ranked first the year before and moved to second place. The results indicate that data mining, despite its widespread use, is still a relatively new practice for many organizations.
While data analytics-related issues are a critical concern for internal auditors as they move forward in 2013 and beyond, many seem to face barriers when it comes to data access. The most common issue was a lack of specific data-related training, which was cited by nearly 50 percent of all respondents. Another common challenge was a shortage of requisite skills, with about 20 percent of respondents indicating they have been unable to hire or acquire the necessary skills to achieve their data-related objectives.
“Issues related to training and identifying individuals with the right skill set can have a major impact on an audit department’s ability to move up the data mining maturity curve,” said Mike Gowell, vice president and global general manager, TeamMate. “The survey shows there is significant opportunity for many internal audit teams to grow in these areas and enhance the value they bring to their organizations.”
About half of the IATS respondents positioned themselves in the initial stage of data mining and data analytics maturity, which means they have an initial data-retrieval tool, use computer assisted audit techniques (CAATs) on some audits, and have some technology specialists providing skill support.
Only two percent of respondents say they have achieved an optimized level of maturity, with a highly-skilled data team that develops new internal audit routines, including continuous controls and risk monitoring that are sought by business-unit management.
To see a full overview of the survey results, as well as a “Four-Step Strategic Approach for Data Mining & Data Analytics,” see the “Enhancing Audit Technology Effectiveness: Key Insights from TeamMate’s 2012 Global Technology Survey” online.
TeamMate is the world’s most widely-used audit management system. More than 90,000 auditors and over 2,000 organizations across the world rely on TeamMate to improve the audit process, including risk assessment, scheduling, planning, execution, review, report generation, trend analysis, committee reporting and storage.
About Wolters Kluwer Audit, Risk & Compliance
Wolters Kluwer Audit, Risk & Compliance is part of Wolters Kluwer, a leading global information services and solutions provider with annual revenues of (2012) €3.6 billion ($4.6 billion) and approximately 19,000 employees worldwide. Please visit our website for more information.


http://eon.businesswire.com/news/eon/20130513005203/en/internal-audit/data-analytics/TeamMate

Wolters Kluwer Audit, Risk & Compliance Introduces Targeted Solution for Small Audit Departments


MINNEAPOLIS -- Today, Wolters Kluwer Audit, Risk & Compliance announced that the company has introduced TeamMate Express, a new version of TeamMate AM, the world's most widely used audit management software system, specifically geared for use by smaller audit departments. TeamMate Express is a fully hosted version of the TeamMate audit management solution that is pre-configured for smaller audit departments and ready to use out of the box. It includes access to the full content offering of TeamMate, including audit programs and risk assessment templates to help jump-start your audit planning.
Used by more than 90,000 auditors and over 2,000 organizations across the world, the TeamMate solution features an extensive content library. It includes over 2,000 audit programs from AuditNet®, COBIT 4.1 and 5.0, IIA Quality Assessment Review, Business Cycle Audit Programs with Risk/Control Library, Social Media Audit, Safety Audit Checklists, and more.
“In today’s business environment, it’s critical for smaller audit departments to utilize technology,” said Richard Chambers, president and CEO of The Institute of Internal Auditors. “Doing so can allow small audit departments to not only leverage scarce resources but also help strengthen compliance with IIA standards, from capturing much needed documentation to enhancing process consistency and quality.”
“We created TeamMate Express with the needs of smaller audit shops in mind,” said Mike Gowell, global vice president and general manager of TeamMate. “They now have access to many of the benefits their colleagues in larger shops do through TeamMate, but in a format and at a price that is much more practical for them.”
For more information, please visit www.TeamMateSolutions.com/Express

http://eon.businesswire.com/news/eon/20130715005224/en/TeamMate/TeamMate-AM/TeamMate-Express

Saturday, July 20, 2013

Cyber-security firm Cylance works to read hackers' minds

Cylance, an Irvine cyber-security firm, is focused on creating an artificial intelligence system capable of blocking future threats.

Stuart McClure is chief executive of Cylance. The Irvine firm hopes to tap the burgeoning market for cyber security in crucial industries such as energy, communications, finance, healthcare and transportation. (Gary Friedman, Los Angeles Times / July 1, 2013)

Two hackers from Irvine gained access in April to the air conditioning and water systems of a Google Inc. office in Sydney, Australia.
Because Google had failed to install a security patch to a software program that remotely tracks and controls building systems, the hackers could have easily raised the office's temperature to an unbearable level or caused water pipes to burst by increasing pressure.
Luckily for Google, the hackers were working for Cylance Inc., an Irvine company that has been grabbing headlines for uncovering security holes that could allow malicious hackers to do serious damage to crucial infrastructure such as hospitals, oil pipelines and banking systems.
The hacking demonstrations are how the company (pronounced as "silence") showcases its work in developing what it says is the ultimate anti-virus warrior.
"We want to help avoid the cyber-Sept. 11," Chief Executive Stuart McClure said. "We have to silently protect — it's in our name."
The 1-year-old start-up says many facilities now use devices and companion software that are just as vulnerable as those used at several Google locations and in more ordinary local office spaces. In Los Angeles, hotels, USC classrooms and a major movie studio run the same computer program online as Google's Wharf 7 facility in Sydney.
"The software security in the Nintendo Wii or even iTunes far surpasses the security software in these devices," Cylance technical director Billy Rios said.
The company is hoping to tap a burgeoning market. Worldwide spending on cyber security should reach $46 billion this year in crucial industries such as energy, communications, finance, healthcare and transportation, according to an ABI Research report released in June.
In the six months that ended May 31, federal officials noted more than 200 attacks on crucial infrastructure. The previous 12 months saw 198 incidents.
Congress remains divided about whether to make cyber-security standards mandatory for crucial infrastructure operators. Analysts have called for more research, development and regulation — areas in which Cylance wants to lead. The company hopes to turn half of the most-crucial Fortune 1,000 companies into customers by 2015.
The start-up has received at least $15 million in venture capital. And as one of the few cyber-security firms in Southern California, Cylance has an easier time recruiting top talent than Silicon Valley cyber-security start-ups.
The company's main service is helping companies find vulnerabilities and attackers. McClure, who previously worked at popular anti-virus software maker McAfee Inc., said that in two-thirds of cases, a company already has an intruder lurking in its computer network.
"We're looking for flaws through a bad guy's glasses, exposing that dark and visible world, and looking for the bad guys and any other undesirables who might be there," he said.
Dozens of firms offer similar security services, but McClure says his company is focused on creating an artificial intelligence system capable of blocking future threats.
Typically, firewall or anti-virus software can stop only those intruders who have been seen before. Cylance's mission is like creating a vaccine for a virus that doesn't exist yet or using facial recognition to nab a future robber who hasn't even been born.
"We're using artificial intelligence to understand what's good and bad in real time and devising a model to predict what's good and bad in the future," McClure said.
The machine is fed with intelligence from its researchers.
In May, Rios and colleague Terry McCorkle publicly revealed the Google incident with permission from the technology giant. Rios, who once worked for Google's security team, says Cylance is finding new problems every week.
Badge readers, security cameras and anything else loosely connected to the Internet can be an entrance for hackers. The systems weren't necessarily designed to be Internet-facing, and they've become a blind spot for organizations. Rios said the best solution is placing the devices within a virtual private network, a slice of the Internet accessible to only credentialed users.
"I don't want to be in a building that doesn't like me," Rios said. "Even a simple thing like turning off the air conditioning could be really disruptive to a business."

Hijacking connected cars with a $25 tool

Lawmakers push for federal data breach notification law

Congress still has to work out some details, including whether a federal law would preempt 48 state laws


U.S. lawmakers plan to resurrect national data breach notification legislation that has failed to pass in past sessions of Congress, but some advocates don't agree on what should be included in a bill.
Six witnesses at a U.S. House of Representatives hearing Thursday called for a national law requiring businesses that lose data in hacker attacks to notify affected customers, but there were differences about whether the bill should preempt 48 existing state laws or should set a minimum standard that state laws can build on.
"Any federal law should not weaken strong state laws," Representative Jan Schakowsky, an Illinois Democrat, said during a hearing of the Energy and Commerce Committee's trade subcommittee. "Any federal response should establish a baseline so that every American can be assured some level of data protection, not just notification after the fact."
Others disagreed, saying a new federal law that doesn't preempt state laws would create a 49th data breach regulation for businesses to comply with. A national standard would be "particularly helpful to small business, many of whom cannot afford teams of lawyers to navigate 48 breach standards, should something bad actually happen," said Kevin Richards, senior vice president for federal government affairs at trade group TechAmerica.
The debate over whether a national law should preempt state laws -- along with debates over what types of information should be subject to breach notification rules and how long companies have before reporting the breaches -- has held up a national breach notification bill in Congress for years, with early bills introduced in the middle of the last decade. But committee members said Thursday they will renew their push for a national law.
Some witnesses and lawmakers also called on Congress to pass comprehensive cybersecurity legislation focused on preventing data breaches along with breach notification. Others suggested that Congress needs a longer debate on comprehensive legislation, while a breach notification bill could be ironed out sooner.
Congress needs to act to prevent the huge number of data breaches happening every year, said Representative Joe Barton, a Texas Republican. In the 1930s, when there was a rash of kidnapping, Congress didn't just pass a "kidnapping notification law," but it gave the U.S. Federal Bureau of Investigation authority to track kidnappers, he said.
David Thaw, a law professor focused on cybersecurity at the University of Connecticut, agreed, saying comprehensive data security regulation, combined with data breach notification rules, would be more effective in protecting consumers and businesses.
"I analogize the effects of breach notification alone to locking the bank or vault door while leaving a back window wide open," he said.
Richards called on the committee to move forward on data breach notification, saying there's some consensus developing around that legislation, but more work to do on a comprehensive bill.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com.

http://news.techworld.com/applications/3459675/lawmakers-push-for-federal-data-beach-notification-law/

Friday, July 19, 2013

StartPage and Ixquick Deploy Newest Encryption Standards against Mass Surveillance

Published: Friday, Jul. 19, 2013 / Updated: Friday, Jul. 19, 2013 12:18 PM

First search engines to offer TLS 1.1 and 1.2 as well as “Perfect Forward Secrecy”


NEW YORK & AMSTERDAM -- 
In the wake of the US PRISM Internet surveillance scandal, companies are revisiting how they do business online and beefing up their privacy practices to protect their users.
Private search engines StartPage and Ixquick have pioneered a new advance in encryption security this week, becoming the first search engines in the world to enable "Perfect Forward Secrecy" (PFS) in combination with a more secure version of SSL encryption known as TLS 1.1 and 1.2, which works by setting up a secure "tunnel" through which users' search traffic cannot be intercepted.
This is the latest in a series of security firsts by StartPage and Ixquick, which pioneered the field of private search in 2006. Combined, StartPage/Ixquick is the largest private search engine, serving well over 4 million searches daily.
Harvard-trained privacy expert Dr. Katherine Albrecht, who helped develop StartPage, says, "We take encryption very seriously, and we've always led the way when it comes to security. We were first to adopt default SSL encryption in 2011, and now we're setting the standard for encryption in the post-PRISM world."
SSL encryption has been proven to be an effective tool for protecting sensitive online traffic from eavesdropping and surveillance. However, security researchers now worry that SSL encryption may not provide adequate protection if Government agencies are scooping up large amounts of encrypted traffic and storing it for later decryption.
With SSL alone, if a target website's "private key" can be obtained once in the future - perhaps through court order, social engineering, attack against the website, or cryptanalysis - that same key can then be used to unlock all other historical traffic of the affected website. For larger Internet services, that could expose the private data of millions of people.
StartPage and Ixquick have now deployed a defense against this known as "Perfect Forward Secrecy," or PFS.
PFS uses a different "per-session" key for each data transfer, so even if a site's private SSL key is compromised, data that was previously transmitted is still safe. Those who want to decrypt large quantities of data sent using PFS face the daunting task of individually decrypting each separate file, as opposed to obtaining a single key to unlock them all.
This can be likened to replacing the master "skeleton key" that unlocks every room in a building with a tight security system that puts a new lock on each door and then creates a unique key for each lock.
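To make that difference concrete, here is an added toy simulation (not StartPage/Ixquick code) of a passive recorder that later obtains the server's long-term private key: with a static key agreement the recorded session decrypts, with a per-session ephemeral exponent it does not. The Diffie-Hellman group, the hash-based keystream cipher and the sample query are constructed for readability and are not a real cipher suite; real TLS also signs the ephemeral value with the long-term key, which this toy omits.

```python
"""Toy model of static vs. ephemeral (forward-secret) key agreement.

Everything here is constructed for illustration: the group is far too small
for real use, and the keystream is a hash, not a vetted cipher.
"""
import hashlib
import secrets

# Toy Diffie-Hellman parameters (constructed; real deployments use standardised
# 2048-bit+ MODP groups or elliptic curves).
P = 2**127 - 1   # a Mersenne prime
G = 3


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(shared_secret):
    """Hash the DH shared secret (an integer below p) into a 32-byte symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Encrypt or decrypt with a SHA-256 based keystream (toy only, not a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def run_session(server_priv, server_pub, plaintext, forward_secret):
    """Simulate one client/server exchange and return what a passive recorder sees.

    forward_secret=False: the server reuses its long-term key for key agreement,
    so one key unlocks every recorded session ("skeleton key").
    forward_secret=True: the server mints a fresh exponent for this session and
    discards it afterwards ("a new lock on each door").
    """
    client_priv, client_pub = dh_keypair()
    if forward_secret:
        sess_priv, sess_pub = dh_keypair()   # ephemeral; forgotten after the session
    else:
        sess_priv, sess_pub = server_priv, server_pub
    # Both sides reach the same secret: (g^s)^c == (g^c)^s mod p.
    shared_client = pow(sess_pub, client_priv, P)
    shared_server = pow(client_pub, sess_priv, P)
    assert shared_client == shared_server
    ciphertext = xor_stream(derive_key(shared_client), plaintext)
    # The recorder captures only the public values and ciphertext, never sess_priv.
    return {"client_pub": client_pub, "server_pub": sess_pub, "ciphertext": ciphertext}


def decrypt_with_leaked_key(record, leaked_server_priv):
    """What an adversary can do with a recording plus the server's long-term key."""
    shared = pow(record["client_pub"], leaked_server_priv, P)
    return xor_stream(derive_key(shared), record["ciphertext"])


def demo():
    """Return (static session readable, ephemeral session readable) after a key leak."""
    server_priv, server_pub = dh_keypair()
    query = b"q=constructed sample search query"   # constructed sample traffic
    static_rec = run_session(server_priv, server_pub, query, forward_secret=False)
    pfs_rec = run_session(server_priv, server_pub, query, forward_secret=True)
    # Later the long-term key leaks (court order, theft, cryptanalysis ...).
    return (decrypt_with_leaked_key(static_rec, server_priv) == query,
            decrypt_with_leaked_key(pfs_rec, server_priv) == query)


if __name__ == "__main__":
    static_readable, pfs_readable = demo()
    print("static key agreement, recording readable after key leak:", static_readable)
    print("ephemeral key agreement, recording readable after key leak:", pfs_readable)
```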
In addition to its pioneering use of PFS, earlier this month StartPage and Ixquick deployed Transport Layer Security, or TLS, encryption versions TLS 1.1 and 1.2 on all of its servers. TLS is an upgraded form of SSL encryption, which sets up a secure "tunnel" that protects users' search information.
In independent evaluation, StartPage and Ixquick outscore their competitors on encryption standards. (See Qualys' SSL Labs evaluation of StartPage's encryption features: https://www.ssllabs.com/ssltest/analyze.html?d=startpage.com&s=69.90.210.72 )
CEO Robert Beens urges other companies to upgrade to these new technologies. "With Perfect Forward Secrecy and TLS 1.1 and 1.2 combined, we are once again leading the privacy industry forward. For the sake of their users' privacy, we strongly recommend other search engines follow our lead."

Wednesday, July 17, 2013

3 Big Data Security Tips You Need to Know

How to protect big data without breaking analytics

The new era of computing has arrived: Organizations are anxious to process, analyze and derive maximum value from the power of big data.  However, as the opportunity increases, the challenge of ensuring information is trusted and protected becomes exponentially more difficult. If not addressed head on, confidence in big data outcomes is lost and the desire to act upon new insights is stifled.
With the average cost of security-related incidents in the era of big data estimated to be over USD 40 million, there has never been a better time to focus on data protection. Not to mention that it is required by more than 50 international laws, such as Canada’s Privacy Act, Germany’s Federal Data Protection Act, Argentina’s Personal Data Protection Act and Korea’s Act on Personal Information Protection. Oh, and one more thing: according to the 2013 IBM X-Force Report, data breaches are up 40%!
Now hopefully you are convinced to read on. :)

Three quick tips for protecting sensitive data

The question becomes, how can you support business goals and real time analysis while also ensuring the protection of sensitive data no matter what form it takes – structured, streaming, files and more?
While this may seem like a daunting task, specific data protection issues can be addressed with a focused practical approach that offers concrete benefits in the near term.  The protection of sensitive information from eyes that don’t need to see it—whether the eyes reside within the organization or within a contractor or other trusted partner—is a reasonable and achievable objective.  Let’s break down the problem into three quick tips.

1. Discover and understand sensitive data

Ask 5 of your colleagues what data records constitute payment card information and you are likely to get 5 different answers. Before rolling out an enterprise data protection strategy, you should convene a cross functional team to decide what constitutes sensitive data and what should be protected.
Not all data is high risk. Many have failed, because they don’t understand the distributed data landscape and where the sensitive data resides.  Keep in mind, sensitive data is duplicated and shared across production systems, non-production systems and with third parties like business partners and vendors.

2. Monitor and audit data activity without slowing down performance

Monitoring and auditing data activity will give you complete insight into the who, what, when and how of all data transactions. With a complete access history, you can understand data and application access patterns, prevent data leakage, enforce data change controls and respond to suspicious activity in real time.
Leading monitoring solutions also deliver automated compliance reports on a scheduled basis, distribute them to oversight teams for electronic sign-offs and escalation and document the results of remediation activities. Beware of solutions that rely on native logging as they will likely inhibit rather than support your ability to do analytics in real time.

3. Mask sensitive information in applications, databases, reports, analytics and documents

Masking sensitive information in applications, databases, reports, analytics and documents facilitates information sharing and analytics without compromising data privacy.
Yes, you read that right: you can mask data inside your analytics platforms without breaking anything. The technique known as semantic masking de-identifies data in context, based on rules, so that analytics still produce accurate and consistent results. The value of semantic masking is that it retains the utility (usefulness) of the data while also adhering to compliance and regulatory requirements.
Consider an example scenario from medical research. Semantically masked records keep the same symptoms and gender, while age, family income and ethnicity are intelligently masked to an appropriate range or to a valid set of data points. The result is that researchers obtain valid results while privacy is protected.
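As an added illustration (not IBM's product or code), the following rule-based masker applies that scenario to a constructed set of patient records: identifiers are pseudonymised with a keyed hash, age and income are generalised to bands, ethnicity is consistently substituted from the valid set found in the data, and gender and symptoms are left intact so that symptom counts per gender come out unchanged. The records, field names, bands and masking key are all assumptions.

```python
"""Rule-based (semantic) masking of a constructed patient dataset.

Identifiers are pseudonymised, quasi-identifiers are generalised or substituted,
and the fields the analysis depends on (gender, symptoms) are left untouched.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real data). P-1001 appears twice: a repeat visit.
RECORDS = [
    {"patient_id": "P-1001", "gender": "F", "age": 34, "family_income": 58250,
     "ethnicity": "Hispanic", "symptoms": ["fever", "cough"]},
    {"patient_id": "P-1002", "gender": "M", "age": 71, "family_income": 23100,
     "ethnicity": "White", "symptoms": ["chest pain"]},
    {"patient_id": "P-1003", "gender": "F", "age": 29, "family_income": 112000,
     "ethnicity": "Asian", "symptoms": ["fever", "rash"]},
    {"patient_id": "P-1001", "gender": "F", "age": 34, "family_income": 58250,
     "ethnicity": "Hispanic", "symptoms": ["headache"]},
]

# Assumed secret held outside the analytics platform; rotating it changes every pseudonym.
MASK_KEY = b"example-masking-key-not-for-production"

# Income bands as (lower bound, upper bound or None for open-ended); an assumption.
INCOME_BANDS = [(0, 25_000), (25_000, 50_000), (50_000, 100_000), (100_000, None)]


def pseudonym(value, key):
    """Keyed, deterministic pseudonym: same input -> same token; not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def age_to_range(age):
    """Generalise an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    lo = (age // 10) * 10
    return f"{lo}-{lo + 9}"


def income_to_band(income):
    """Generalise an exact income to its band, e.g. 58250 -> '50000-99999'."""
    for lo, hi in INCOME_BANDS:
        if hi is None:
            return f"{lo}+"
        if income < hi:
            return f"{lo}-{hi - 1}"


def substitute_from_domain(value, domain, key):
    """Replace a categorical value with a member of the same valid domain, keyed so
    that the same original always maps to the same substitute (group-bys stay consistent)."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return domain[int.from_bytes(digest, "big") % len(domain)]


def mask_record(rec, domain, key):
    """Apply the masking rules to one record; gender and symptoms stay as they are."""
    return {
        "patient_id": pseudonym(rec["patient_id"], key),
        "gender": rec["gender"],
        "age": age_to_range(rec["age"]),
        "family_income": income_to_band(rec["family_income"]),
        "ethnicity": substitute_from_domain(rec["ethnicity"], domain, key),
        "symptoms": list(rec["symptoms"]),
    }


def mask_dataset(records, key=MASK_KEY):
    """Mask every record; the ethnicity domain is the valid set observed in the data."""
    domain = sorted({r["ethnicity"] for r in records})
    return [mask_record(r, domain, key) for r in records]


def symptom_counts(records):
    """Utility check: (gender, symptom) frequencies must be identical before and after masking."""
    return Counter((r["gender"], s) for r in records for s in r["symptoms"])


if __name__ == "__main__":
    masked = mask_dataset(RECORDS)
    for row in masked:
        print(row)
    print("utility preserved:", symptom_counts(masked) == symptom_counts(RECORDS))
```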
With 2.5 quintillion bytes of data created every day, now is the time to understand sensitive data and establish business-driven security policies to keep customer, business, personally identifiable information (PII) and other types of sensitive data safe. A focus on discovery, monitoring and auditing and data masking are the foundation of a successful data security strategy.
The bottom line: the growing number of analytics systems storing sensitive data greatly increases the risk of a breach, because more data stores means far greater exposure.

Sale And Purchase Agreement Signed To Combine EMCF And EuroCCP

EMCF and EuroCCP have announced that the sale and purchase agreement has been signed to form a new pan-European cash equities clearing house that builds on the strengths of both firms. This follows the announcement made in March that the firms planned to combine.
The owners of EMCF – ABN AMRO Clearing Bank and NASDAQ OMX – and owner of EuroCCP – DTCC – along with BATS Chi-X Europe, are signatories to the agreement.
Subject to approval from regulators and competition authorities, the new CCP, to be named EuroCCP N.V., will bring together the strengths and capabilities of each firm to deliver greater efficiencies and sustainable competition to the pan-European market place. The new CCP will use the risk management framework and customer-service organisation of EuroCCP, and it will run on the technology and operations infrastructure of EMCF.

EuroCCP N.V. will be headquartered in Amsterdam, with customer-facing functions located in London and Stockholm.

Diana Chan, CEO, EuroCCP and CEO designate of the new company, said: “The signing of the sale and purchase agreement is a significant step towards launching the new CCP and demonstrates market participants’ desire and support for initiatives that are pro-competition and strengthen the market’s infrastructure and risk mitigation while driving down costs for users. We are focused on making the migration of our customers’ business as straightforward as possible and are working closely with them to ensure they can fully benefit from what the new business will deliver to them.”
Jan Booij, CEO of EMCF and COO designate of the new company, said: “We welcome this further development and look forward to delivering the sustainable best practices of both companies from a single cost base. This will benefit the platforms that connect to us and the customers who clear with us.”

The transaction is expected to complete once the necessary regulatory and competition authority approvals are received.

http://www.iss-mag.com/news/sale-and-purchase-agreement-signed-to-combine-e?goback=%2Egde_1828192_member_258655854

July 2013

Tuesday, July 16, 2013

Senate Bill Orders NIST to Develop Cybersecurity Best Practices

16 July 2013


Following President Obama’s executive order to work on information sharing to thwart cybersecurity threats, the Senate Commerce Committee has issued a draft bill that directs the National Institute of Standards and Technology (NIST) to develop voluntary standards for cybersecurity best practices.


Spearheaded by Committee chairman Jay Rockefeller (D- W. Va.) and ranking member John Thune (R-S.D.), the bill as written is fairly non-controversial, unlike previous public-private information-sharing bills like the Cyber Intelligence Sharing and Protection Act (CISPA), which has died in the Senate after passing in the house.
It will require that NIST’s standards be voluntary; be developed in close and continuous coordination with industry; not conflict with or duplicate existing regulatory requirements; incorporate voluntary consensus standards and industry best practices and align with voluntary international standards; and be technology neutral.
The bill also sets forth that the federal government should support “cutting edge research, increase public awareness and improve our workforce to better address cyber threats."
Earlier in the year, the Senate also introduced a proposed law to thwart espionage, called the Deter Cyber Theft Act. Also a bi-partisan measure, that bill aims to protect the fruits of billions of dollars in research and development from spies – both homegrown as well as state-sponsored.
Introduced by Sens. Carl Levin (D-Mich.), Jay Rockefeller (D-W.Va.), John McCain (R-Ariz.) and Tom Coburn (R-Okla.), the Deter Cyber Theft Act would require the Director of National Intelligence to compile an annual report on foreign economic and industrial espionage, including a priority watch list of the worst offenders; a list of companies and countries engaging in theft; a list of US technologies or proprietary information targeted by such espionage and, to the extent possible, a list of such information that has been stolen and what it’s been used for; and actions taken by the DNI and other federal agencies to combat industrial or economic espionage in cyberspace.
The legislation, most importantly, would also require the president to block import of products containing stolen US technology, those made by state-owned enterprises of nations on the DNI’s list that are similar to items identified in its report as stolen or targeted, and any products made by a company the DNI identifies as having benefited from theft of US technology or proprietary information.

http://www.infosecurity-magazine.com/view/33438/senate-bill-orders-nist-to-develop-cybersecurity-best-practices/?utm_source=twitterfeed&utm_medium=twitter

Fact or Fiction: Encryption Prevents Digital Eavesdropping

Source:
http://www.scientificamerican.com/article.cfm?id=fact-fiction-encryption-prevents-digital-eavesdropping&page=2

There are effective ways to encrypt data, whether it is in transit or in storage, but if that data is left in the clear at any point along its path, it is vulnerable to theft or tampering.


Most e-mail programs support SSL encryption as messages are sent from the user’s machine to their ISPs. As messages move through the core of the Internet, they are usually unencrypted, however. “Unless somebody is doing something intentionally to put encryption on the messages, the messages are decrypted at each hop along the way and are visible there,” Kocher says.



Decidedly unsocial
Encryption used in other forms of online messaging—social networks, in particular—is also hit or miss. For the most part, when you have one of these server-based cloud services where the cloud has the ability to access all of the data, all of your security depends on the machines that are hosting your information, Kocher says.

In a statement issued after NSA whistleblower Edward Snowden blew the lid off of his former employer’s PRISM program, Apple claimed conversations taking place over its iMessage and FaceTime services “are protected by end-to-end encryption so no one but the sender and receiver can see or read them.” The company further said that it “cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form.”

Apple’s claim of end-to-end encryption means anyone trying to compromise communications via its services must compromise an end point to capture them. But that isn’t necessarily hard to do, especially for an intelligence agency or an experienced attacker, Kocher says. “It means [they] have to target a particular end point as opposed to turning the vacuum cleaner on and sucking up [every message] automatically.”

Skype used to claim to have endpoint-to-endpoint encryption. “From some evaluations I’m aware of, that actually seemed to be the case in the past,” Kocher says. More recently, however, Microsoft (which bought Skype in 2011) has modified the protocols so that data is decrypted at the server and then reencrypted before being sent out to the other end of the communication. “So it appears that they’ve actually gone from a stronger model to one that is weaker and more susceptible to surveillance,” he adds. Recent reports indicate that Microsoft actually helped the U.S. government circumvent the company’s own encryption, granting the federal agencies access to Skype video calls as well as Outlook Web chats and e-mail, and information stored via Microsoft's cloud-based SkyDrive online backup and storage software.
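The two designs Kocher contrasts (hop-by-hop encryption, where each relay decrypts and re-encrypts, versus end-to-end encryption, where only the endpoints hold the key) modelled as an added example; this is not code from the article or from any of the services it names. The cipher is a SHA-256 keystream XOR chosen only to keep the example dependency-free, and the key and message values are constructed. What the model makes visible is exactly what the relay can read in each case.

```python
"""Hop-by-hop versus end-to-end encryption through one relay (toy model)."""
import hashlib
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256. Illustrative only, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the XORed payload."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def hop_by_hop(message: bytes, link_key_a: bytes, link_key_b: bytes):
    """Sender -> relay under key A; relay decrypts and re-encrypts under key B.

    Returns (what the relay can read, what the receiver ends up with).
    The relay necessarily holds both link keys, so it sees the plaintext.
    """
    on_wire_1 = encrypt(link_key_a, message)
    relay_view = decrypt(link_key_a, on_wire_1)   # plaintext exposed at the hop
    on_wire_2 = encrypt(link_key_b, relay_view)
    received = decrypt(link_key_b, on_wire_2)
    return relay_view, received


def end_to_end(message: bytes, e2e_key: bytes, link_key_a: bytes, link_key_b: bytes):
    """Endpoints encrypt under a key the relay never holds; link encryption sits on top.

    Stripping the link layer at the relay reveals only the inner ciphertext,
    so a relay (or whoever compels it) gets nothing readable.
    """
    inner = encrypt(e2e_key, message)
    on_wire_1 = encrypt(link_key_a, inner)
    relay_view = decrypt(link_key_a, on_wire_1)   # still ciphertext under e2e_key
    on_wire_2 = encrypt(link_key_b, relay_view)
    received = decrypt(e2e_key, decrypt(link_key_b, on_wire_2))
    return relay_view, received


if __name__ == "__main__":
    msg = b"the quarterly numbers are attached"   # constructed sample message
    ka, kb, ke = b"link-key-a", b"link-key-b", b"endpoint-key"
    print("hop-by-hop relay sees:", hop_by_hop(msg, ka, kb)[0])
    print("end-to-end relay sees:", end_to_end(msg, ke, ka, kb)[0])
```

The receiver gets the same message either way; the difference is entirely in the relay's view, which is why a provider moving from the second design to the first (as the article says Skype did) changes what a lawful request to that provider can yield.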

If more people used encryption, it would be more difficult—not impossible—for cyber thieves and government agencies to eavesdrop. Still, even if people do a better job of protecting their e-mail communications and data stored on their devices, they need to likewise monitor their use of social networks and other Web sites visible to the general public. Who needs a court order or computer virus when so much information is offered up willingly via sites such as Facebook and Twitter?

Sunday, July 14, 2013

Greatest threats

http://www.kpmg.com/global/en/issuesandinsights/articlespublications/risk-management-outpacing-capabilities/pages/greatest-threats.aspx?utm_medium=social%E2%80%90media&utm_campaign=2013-adv-risk-survey&utm_source=twitter&utm_content=gbl+2013+may+16+global+risk+survey+greatest+threats


Regulatory pressure is seen as the issue posing the greatest threat to respondents.
In the wake of the deluge comes the reckoning. It was almost inevitable that, after the business excesses in the years leading up to the financial crisis, governments around the world would tighten the regulatory framework of global capitalism.

New financial regulation is in the forefront of this trend, but the financial services industry is not the only sector feeling the heat. Healthcare, manufacturing, technology, energy and other industries face many new government rules.

In the survey, we asked which issue posed the greatest risk to the respondent’s industry. Regulatory pressure came top in Financial Services, Energy and Natural Resources, and in the “other industries” category (covering such sectors as Consumer Goods, Construction and Chemicals). “Government pressure to contain spending”, a regulatory issue, was the top risk in healthcare. Nor was there a significant difference among regions. Regulatory pressure was regarded as almost as big a threat for most industries in Asia-Pacific, as it was for those in Europe and North America.

Saturday, July 13, 2013

5 ways hackers attack you (and how to counter them)

Right now, millions of hackers, spammers and scammers are hard at work. They're after your Social Security number, bank account information and social media accounts. With any of these, they can steal your money or trick your friends into giving up theirs.
The scary part is that anyone can be a hacker. For as little as $3,000, you can buy a complete and fully operational exploit kit. This kit does most of the illegal work for you automatically. You get to sit back and rake in the cash, until you get caught.
Between semi-amateurs with automated systems and serious hackers who are masters of technology and trickery, how can you possibly hope to stay safe?
The best way is to know how hackers do what they do. Once you know that, you can counter their malicious acts. Here are five popular hacker strategies.
1. Phishing scams
Lucky you! A Nigerian prince has selected you to help smuggle millions out of his country. For a little bit of effort -- a few simple wire transfers -- you'll get a substantial cut. What could be easier?
I bet you're asking yourself, "Who would fall for that?" Well, tens of thousands of people do every year. That's why Nigerian scams, or 419 scams, are still very popular.
Other versions might say you won a contest or have a job offer. Maybe someone wants to meet you, or you can make money for shipping some goods.
The catch is that you have to send in personal or banking information, or pay a fee. Of course, your information and money is going straight to hackers.
Use common sense before reacting to any email. Scams rely on making you act quickly. If you think about things long enough, you can usually see through them. Just remember the old saying, "If it looks too good to be true … "
2. Trojan horse
Many hackers want to slip a virus on your computer. Once installed, a virus can record everything you type and send it back to the hacker. It can send out spam email or attack other computers.
To do this, the hackers disguise the virus as something harmless. This is called a Trojan horse, or just Trojan.
One of the most popular ways to deliver a Trojan is a variation of the phishing email scams.
For example, the email might say it's from a shipping service, bank or other reputable company. There's been a problem with a transaction! To learn more, you have to open an email attachment.
The attachment might look like a normal file, but it really contains a Trojan. Clicking on the file installs it before you can do anything.
Similar scams appear on Facebook and Twitter. You think you're going to watch a funny video your friend posted. Instead, a popup tells you to update your video player. The "update" file it provides is really a Trojan.
The key to defeat this tactic, as with phishing emails, is common sense. However, up-to-date security software is essential as well. It should detect and stop most Trojans before they can install. Click here for the best security software you can download without paying a dime.
3. Drive-by downloads
Security software is good, but it isn't always enough. Programs on your computer might have weaknesses that hackers can use to bypass security software.
To take advantage of these weaknesses, hackers set up websites embedded with viruses. You might get there by clicking a malicious link in a phishing email or on social media. You can even find these sites in a search for popular programs or topics.
It isn't just malicious sites, though. Hackers can sneak malicious code on to legitimate websites. The code scans your computer for security holes. If it finds one, a virus can download and install without you doing anything.
To stay safe, you have to keep your programs up to date. Every month, Microsoft releases updates for Windows and Internet Explorer. These updates close critical security holes that hackers exploit.
Other critical programs to patch are Adobe's Flash and Reader, and Oracle's Java. Using old versions of these programs is like sending hackers an engraved invitation. Click here to learn more about keeping these programs up to date.
You should also be using the latest version of your programs. Anyone using Internet Explorer 6, 7 or 8 needs to update or switch browsers immediately.
4. Bypassing passwords
In Hollywood movies, hackers are masters of guessing account passwords. In the real world, however, very few hackers bother.
Instead, they go around passwords. They might get your password from a data breach at a company or website you use.
It's important that you use a different password for every account. That way, if a hacker discovers one, they can't get into every account.
Perhaps the hacker slipped a virus on to your system. It records your passwords and sends them to the hacker; no guessing needed. As I mentioned above, you can stop viruses with up-to-date security software and programs.
A hacker might tackle your account's security question. Most security questions can be answered with information people post publicly.
You should change how you answer security questions. Give a random answer that has nothing to do with the question. That way, no one can guess it. Click here for tips to create security questions and answers only you will know.
5. Using open Wi-Fi
I'm sure you have a Wi-Fi network at home. Is it encrypted? If you don't know the answer, then it's probably "no."
That means hackers, and neighbors, can connect to your network from outside. They can see and record everything you do. They can surf to bad websites and download illegal files on your connection. You might be getting a visit from the police.
You need to take a few minutes and secure your network. The instructions will be in your Wi-Fi router's manual. Trust me; it's worth it.
Copyright 2013, WestStar Multimedia Entertainment. All rights reserved.
Kim Komando hosts the nation's largest talk radio show about consumer electronics, computers and the Internet. To get the podcast, watch the show or find the station nearest you, visit: www.komando.com/listen. To subscribe to Kim's free email newsletters, sign-up at: www.komando.com/newsletters.


Read more: http://www.foxnews.com/tech/2013/07/13/5-ways-hackers-attack-and-how-to-counter-them/?utm_medium=referral&utm_source=t.co#ixzz2YwKgfoZ7

Friday, July 12, 2013

NY Governor Probes Insurers Data Security Solutions

 

NY insurers are being asked to supply detailed insights on their existing data security solutions. As consumer advocacy groups underscore the severity of cybersecurity threats facing government, healthcare and financial service institutions, New York Governor Andrew Cuomo is hoping to solicit additional information before proposing policy reforms. Recently the governor's office addressed formal request-for-information notices to the state's leading insurance providers in an effort to gain perspective on the organizational resources allocated toward protecting sensitive data.
"The extraordinarily sensitive health, personal and financial information that New Yorkers entrust to their insurance companies is a virtual treasure trove for hackers," Cuomo explained. "It's vital that we stay ahead of the curve on cybersecurity because we know hackers aren't going to give us any breathing room."
The letters sent by New York State Department of Financial Services (DFS) representative specifically inquire as to the frequency and severity of cyberattacks experienced by the insurer over the past three years as well as the data security technologies and policies currently in place to deter such breaches. This move mirrors a DFS initiative launched earlier in the year investigating the state's banking sector.
Actionable information?
According to GovInfoSecurity, state officials have yet to specify their exact intentions with the on-the-ground intelligence they are hoping to gather. However, the process may be even more exhaustive than previous projects. As Forrester Research analyst Ellen Carney told the news source, insurers collect more customer data to formulate an initial quote than most banks do to maintain an existing account.
She also cautioned that the insurance industry's comparatively low rate of data security incidents should not be taken for granted, as it may only be a matter of time before hackers begin tracking targets of immense opportunity. But in concert with the state Cybersecurity Advisory Board founded just weeks ago, it seems New York has its regulatory priorities in the right place.

Wednesday, July 10, 2013

Encryption Merits Can Be Exaggerated


Encrypted data at some point has to be decrypted for use, and that's where the security of the system can break down. That's not the only risk, however. "If a service provider holds the keys and someone comes knocking on the door with a lawful request ... the enterprise would not know that its information has been handed over," said PrivateCore's Vice President for Marketing Todd Thiemann.

  
Encryption combined with cloud storage has been hailed as a highly secure way for organizations to protect their data from Net marauders, but their value may be overstated, contend two security pros.
While encrypting data is better than not encrypting it, where it's decrypted can be an important security consideration, said Steve Weis, CTO and cofounder of PrivateCore.
Data at rest that's been encrypted has strong protection. It's when the data has to be decrypted for use with applications that it can become vulnerable.
"If a company processes that data in the cloud or with an off-premises service provider, then the keys to that encrypted data can be exposed," Weis told TechNewsWorld. "If those keys are compromised, their stored data can be compromised."
That's not a problem for organizations encrypting their data locally because the keys remain in their possession. However, "what we're seeing more and more are enterprises doing decrypting closer to where the data is," Weis observed. "That means storing it and processing it in the cloud."
"To do that, they need to give the decryption keys to a server that's in the cloud," he continued. "The keys aren't being stored anywhere. They're being used in memory, but the memory is vulnerable to someone who has access to the machine."
  

Government Intrusions

Hackers and malicious insiders aren't the only ones who may be able to compromise a company's encrypted data. If an organization doesn't have control of the encryption keys for its data -- a common scenario when using large service providers like Amazon, Microsoft and Google -- law enforcement or spy agencies may be able to legally access it.
"If a service provider holds the keys and someone comes knocking on the door with a lawful request, the service provider is going to have to respond to that, and the enterprise would not know that its information has been handed over," PrivateCore's Vice President for Marketing Todd Thiemann told TechNewsWorld.
A savvy government agency could break into an organization's encrypted data, even when the organization has control of its encryption keys.
If the encrypted data is stored with a service provider and the company wants to work with data online, it would have to unlock the data in the memory of one of the provider's servers. A snapshot can be taken of the data in that unlocked state.
"A lawful request could be made to snapshot the data," Thiemann explained, "and from that snapshot, you can get at the underlying encrypted data."

Threat Trends

With half the year gone, cyberthreat trends are beginning to shape up for security pros. McAfee, for example, is seeing many hackers return to old ways.
"Many of the significant trends of the previous year went into remission, and older types of attacks, or retro-malware, grew significantly," McAfee Messaging Data Architect Adam Wosotowsky told TechNewsWorld.
Global spam, including the resurrection of pump-and-dump stock schemes, increased for the first time in three years, he added.
Another trend identified is the growth of storage stack attacks, also known as "master boot record" attacks.
"These attacks infect a machine's storage system and take control of the entire device," Wosotowsky said. "These MBR attacks have increased more than 30 percent so far this year."

Democratization of Malware

Social networks continued to become a fertile area for Net bandits.
"Hackers will take over a social networking account and use the contacts for that account to distribute malware as a trusted person," George Tubin, a senior security strategist with Trusteer, told TechNewsWorld.
"You're more likely to click on a link if a friend embeds a link in a tweet," he added.
Cybercriminals have been expanding their target pool beyond banks and into the enterprise and e-commerce, noted Tubin.
"That has to do with banks -- especially larger banks -- getting better at blocking some of these attacks," he said.
Also during this year, the democratization of the malware industry has become increasingly apparent, added JD Sherry, vice president of technology and solutions at Trend Micro.
"The shadow economy has created quite the black market for malware," he told TechNewsWorld. "It's allowed cybercriminals and miscreants to be able to acquire those assets easily, hence democratizing their production and distribution."

Breach Diary


  • June 29. Spam attack on Instagram uses compromised accounts to post fruit photos with links to a dieting Web page on a BBC website. Links were clicked on by more than 30,000 users before the image sharing service addressed the problem.

  • June 30. Ubisoft, a game maker whose stable includes Assassin's Creed, alerts users of a data breach and recommends they change their passwords. Information illegally accessed includes an estimated 58 million user names, email addresses and encrypted passwords. No payment information was stolen because the company doesn't retain that data.

  • June 30. Office of the president of South Korea reveals that personal information of 100,000 people registered with the office's website was breached. Information compromised includes names, birthdates, identification numbers, offline addresses and IP addresses. It's believed that passwords and their registration numbers -- the equivalent of U.S. Social Security numbers -- were not compromised because they were encrypted.

  • July 1. California Attorney General releases first annual data breach report showing 131 breaches in 2012 affecting 2.5 million consumers in the state.

  • July 1. Andrew Auernheimer, sentenced to 41 months in federal prison for breaching AT&T computers and exposing users of the iPad at the time Apple first introduced the tablet, appeals conviction.

  • July 1. Indiana Family and Social Services Administration notifies 187,533 clients that their personal information may have been compromised due to a programming error by a contractor. Information that may have been disclosed includes name, address, case number, date of birth, gender, race, telephone number and email address; types of benefits received, monthly benefit amount and employer information; some financial information such as monthly income and expenses, bank balances and other assets; and certain medical information such as provider name, whether the client receives disability benefits, and medical status or condition; and certain information about the client's household members like name, gender and date of birth. In addition, 3,926 clients may have had their Social Security Numbers disclosed.

  • July 2. AppRiver releases Global Threatscape report for first six months of 2013. In compiling the report, the company screened more than 15 billion messages, of which 13 billion were spam and 171 million carried viruses.

Upcoming Security Events


  • July 10. Getting Your Session Proposal Accepted for RSA 2014. 1 p.m. ET. Webcast. Free.

  • July 11. Inside the Mind of a Hacker. 1 p.m. ET. Webinar sponsored by WatchGuard. Free.

  • July 17. Accelerate Your Cloud Strategies: Strategies for Securing, Optimizing and Controlling the Cloud. 1 p.m. ET. Webinar sponsored by Akamai Technologies. Free.

  • July 24. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: non-government employees US$495; July 24, $595.

  • July 27-Aug. 1. Black Hat USA 2013. Caesars Palace, Las Vegas. Registration: June 1-July 24, $2,195; July 25-Aug. 1, $2,595.

  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.

  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian/The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.

  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros+VAT delegate/495 euros+VAT one day pass; Discount from July 27-Sept. 27, 995 euros+VAT delegate/595 euros+VAT one day pass; Standard from Sept. 27-Oct. 27, 1,095 euros+VAT delegate/695 euros+VAT one day pass; On site from Oct. 28-31, 1,295 euros+VAT.

  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.


John Mello is a freelance technology writer and former special correspondent for Government Security News.