<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1631332111027150876</id><updated>2011-12-21T03:05:46.160-08:00</updated><title type='text'>data security &amp; compliance</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default?start-index=101&amp;max-results=100'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>192</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-9004000325709270787</id><published>2011-12-21T03:04:00.000-08:00</published><updated>2011-12-21T03:05:46.164-08:00</updated><title type='text'>Reply to comment | California Progress Report</title><content type='html'>&lt;a href="http://www.californiaprogressreport.com/site/comment/reply/9679"&gt;Reply to comment | California Progress Report&lt;/a&gt;&lt;br /&gt;Data Breaches: A Year in Review (2011)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-9004000325709270787?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/9004000325709270787/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/12/reply-to-comment-california-progress.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/9004000325709270787'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/9004000325709270787'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/12/reply-to-comment-california-progress.html' title='Reply to comment | California Progress 
Report'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5536711319957154177</id><published>2011-12-13T04:06:00.000-08:00</published><updated>2011-12-13T04:06:25.544-08:00</updated><title type='text'>IDG Connect – Abhay Bhargav (India) - IT Security: An Essential for the Indian Manufacturing Company</title><content type='html'>&lt;a href="http://www.idgconnect.com/blog-abstract/422/abhay-bhargav-india-it-security-an-essential-indian-manufacturing-company#.Tuc_vmHgcog.blogger"&gt;IDG Connect – Abhay Bhargav (India) - IT Security: An Essential for the Indian Manufacturing Company&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5536711319957154177?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5536711319957154177/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/12/idg-connect-abhay-bhargav-india-it.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5536711319957154177'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5536711319957154177'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/12/idg-connect-abhay-bhargav-india-it.html' title='IDG Connect – Abhay Bhargav (India) - IT Security: An Essential for the Indian Manufacturing 
Company'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7233370777331318915</id><published>2011-10-31T03:47:00.000-07:00</published><updated>2011-10-31T03:47:59.371-07:00</updated><title type='text'>Encrypting Amazon Storage: Not So Simple | Trend Cloud Security Blog - Cloud Computing Experts</title><content type='html'>&lt;a href="http://cloudsecurity.trendmicro.com/encrypting-amazon-storage-not-so-simple/#.Tq582V5NrJk.blogger"&gt;Encrypting Amazon Storage: Not So Simple | Trend Cloud Security Blog - Cloud Computing Experts&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7233370777331318915?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7233370777331318915/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/encrypting-amazon-storage-not-so-simple.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7233370777331318915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7233370777331318915'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/encrypting-amazon-storage-not-so-simple.html' title='Encrypting Amazon Storage: Not So Simple | Trend Cloud Security Blog - Cloud Computing Experts'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1826106666905122579</id><published>2011-10-29T02:41:00.000-07:00</published><updated>2011-10-29T02:41:58.210-07:00</updated><title type='text'>5 vaccinaties tegen Lektober 2012 | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/de-vijf/108388/5-vaccinaties-tegen-lektober-2012.html#.TqvKYsHGU2s.blogger"&gt;5 vaccinaties tegen Lektober 2012 | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1826106666905122579?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1826106666905122579/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/5-vaccinaties-tegen-lektober-2012.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1826106666905122579'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1826106666905122579'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/5-vaccinaties-tegen-lektober-2012.html' title='5 vaccinaties tegen Lektober 2012 | Webwereld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5063833855967491729</id><published>2011-10-25T02:06:00.000-07:00</published><updated>2011-10-25T02:07:47.769-07:00</updated><title type='text'>Hacking tool targets SSL vulnerability</title><content type='html'>By Steven Musil, CNET News, 25 October, 2011 09:47&lt;br /&gt;&lt;br /&gt;NEWS&lt;br /&gt;&lt;br /&gt;Hackers have released a program they say will allow a single computer to take down a web server using a secure connection.&lt;br /&gt;&lt;br /&gt;The THC-SSL-DOS tool, released on Monday, purportedly exploits the asymmetric cost of the Secure Sockets Layer (SSL) renegotiation protocol (a handshake costs the server far more CPU than it costs the client) by overwhelming the system with repeated requests for new secure sessions. SSL renegotiation allows a client to negotiate a new session key over an already established SSL connection, so the expensive handshake can be triggered again and again without opening new TCP connections.&lt;br /&gt;&lt;br /&gt;A German group known as The Hacker's Choice (THC) said it released the exploit to bring attention to flaws in SSL, the protocol that allows sensitive data to flow between websites and individual users' computers without being intercepted. 
"We are hoping that the fishy security in SSL does not go unnoticed," an unidentified member of the group said in a blog post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5063833855967491729?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5063833855967491729/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/hacking-tool-targets-ssl-vulnerability.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5063833855967491729'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5063833855967491729'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/hacking-tool-targets-ssl-vulnerability.html' title='Hacking tool targets SSL vulnerability'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5125673322320316374</id><published>2011-10-24T06:11:00.000-07:00</published><updated>2011-10-24T06:11:38.666-07:00</updated><title type='text'>Lek 18: 715.000 klanten van CheapTickets.nl | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/108336/lek-18--715-000-klanten-van-cheaptickets-nl-.html#.TqVkBpZSoEE.blogger"&gt;Lek 18: 715.000 klanten van CheapTickets.nl | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5125673322320316374?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5125673322320316374/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lek-18-715000-klanten-van.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5125673322320316374'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5125673322320316374'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lek-18-715000-klanten-van.html' title='Lek 18: 715.000 klanten van CheapTickets.nl | Webwereld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1316588958287493322</id><published>2011-10-21T07:13:00.000-07:00</published><updated>2011-10-21T07:13:29.931-07:00</updated><title type='text'>'Lekkende gemeente Landgraaf overtreedt wet' | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/108282/-lekkende-gemeente-landgraaf-overtreedt-wet-.html#.TqF-BsffT5U.blogger"&gt;&amp;#39;Lekkende gemeente Landgraaf overtreedt wet&amp;#39; | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1316588958287493322?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1316588958287493322/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lekkende-gemeente-landgraaf-overtreedt.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1316588958287493322'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1316588958287493322'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lekkende-gemeente-landgraaf-overtreedt.html' title='&apos;Lekkende gemeente Landgraaf overtreedt wet&apos; | Webwereld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3065540838342288077</id><published>2011-10-21T07:11:00.000-07:00</published><updated>2011-10-21T07:11:38.154-07:00</updated><title type='text'>Lek17: accounts ov-chipkaart.nl volledig te kapen | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/108322/lek17--accounts-ov-chipkaart-nl-volledig-te-kapen.html#.TqF9lUI9mOg.blogger"&gt;Lek17: accounts ov-chipkaart.nl volledig te kapen | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3065540838342288077?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3065540838342288077/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lek17-accounts-ov-chipkaartnl-volledig.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3065540838342288077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3065540838342288077'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lek17-accounts-ov-chipkaartnl-volledig.html' title='Lek17: accounts ov-chipkaart.nl volledig te kapen | Webwereld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3615216650107250876</id><published>2011-10-17T07:58:00.001-07:00</published><updated>2011-10-17T07:58:35.331-07:00</updated><title type='text'>The Criticality Of Risk Assessments: FISMA, HIPAA, And Other Regs</title><content type='html'>Risk assessments are a critical part of regulatory compliance, but many organizations don't implement them well. Sep 04, 2011 | 09:19 AM | 3 Comments. By Richard E. Mackey, Jr., Dark Reading. One of the most important components in any security program is the risk assessment process. Regulations like FISMA, HIPAA, Red Flag Rules, and state privacy regulations require organizations to methodically assess risk and select security controls based on that assessment. The problem is that many organizations do not understand what it means to assess risk through a formal method. Worse yet, many IT people have a hard time understanding the practicality of formal assessments. What is a formal risk assessment? Formal risk assessments are processes that consider the value of the assets that are at risk, the business and technical threats to the assets, and the effectiveness of the business and technical controls that are designed to protect the asset. In the end, a risk assessment gives the organization an objective measure of the risk to an asset. The process forces the organization to choose an explicit treatment for each risk: accept it, avoid it by terminating a business practice (e.g., stop offering access to the asset via the Web), transfer it by outsourcing or insurance, or, more often than not, mitigate it by selecting additional, more effective business or technical controls. 
Benefits Of Formal Risk Assessments: Conducting formal assessments within a risk management program offers a number of benefits: 1. requires business and technical representatives to reason about risk in an objective, repeatable way; 2. requires consistent terminology and metrics to discuss and measure risk; 3. justifies funding for needed controls; 4. identifies controls that can be eliminated; 5. provides documentation of threats that were considered and risks that were identified; 6. requires business and IT to acknowledge the responsibility for ownership of risk; 7. requires organizations to track risks and reassess them over time and as conditions change. There is a good reason for so many regulations to include a requirement for risk assessment. It is only sensible that a regulatory body cannot dictate the controls that are necessary in every environment. What might be appropriate for a large company with a significant Web presence could be overkill for a small organization with a few customers. If the threats are different and the environment is different, then it stands to reason that the controls might be different. It is interesting to note that even the most prescriptive standards (e.g., PCI DSS) require risk assessments to determine the need for and effectiveness of controls. On the less prescriptive side of the regulatory spectrum, HIPAA and FISMA have very few required controls but expect the entire program to be risk-based. This approach makes sense when one standard needs to apply to everyone. Choosing A Risk Management Framework: If your organization needs to comply with FISMA, then your risk management approach should be based on NIST Special Publication 800-39. This document provides an overall description of the risk management life cycle. Risk assessment, which is one part of the risk management program, is described in NIST Special Publication 800-30 (which was being revised at the time of writing). 
SP 800-30 provides a stepwise method for assessing risk that can be customized for a given organization. Another good source of risk management documentation is provided by the OCTAVE project developed at Carnegie Mellon University. Both NIST and OCTAVE provide excellent sources for building a risk management program that helps organizations meet their security and regulatory requirements. Richard Mackey is vice president of consulting at SystemExperts Corp.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3615216650107250876?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3615216650107250876/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/criticality-of-risk-assessments-fisma.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3615216650107250876'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3615216650107250876'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/criticality-of-risk-assessments-fisma.html' title='The Criticality Of Risk Assessments: FISMA, HIPAA, And Other Regs'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6087989410847120117</id><published>2011-10-12T13:20:00.000-07:00</published><updated>2011-10-12T13:20:53.131-07:00</updated><title type='text'>The SSL certificate industry can and should be replaced</title><content type='html'>October 12, 2011 — The SSL certificate industry can and should be replaced. A new alternative, called Convergence, is picking up steam. By Ellen Messmer | Network World. The SSL certificate authorities like Comodo that have had their security undermined by hackers shouldn't be trusted, and in fact, the way the entire SSL certificate industry of today works can and should be replaced with something better, says Moxie Marlinspike, a security expert who's come up with a plan he says will do that. Marlinspike's plan, unveiled last August at the Black Hat Conference, is called "Convergence," and it's gaining some momentum, particularly after the shocking hacker attacks on DigiNotar, GlobalSign, Comodo, and other SSL certificate authorities of late that resulted in fake certificates coming into use on the web, including a fake Google certificate, since revoked. Marlinspike's Convergence is radically different from the situation today, where trust rests on an SSL server certificate signed by a certificate authority and accepted by the user's browser solely because that authority's root certificate is pre-installed in the browser's trust store by the browser vendor. 
Marlinspike thinks this whole system -- which props up the multi-million-dollar certificate authority business today -- should be dumped in favor of the idea of the user more directly controlling how the browser trusts certificates, based on so-called Convergence "notaries" providing online feedback about what to trust. To work, the user needs to have a Firefox browser plug-in for Convergence that Marlinspike makes available. "Originally, I was the only notary," says Marlinspike, noting that today there are more than 50 Convergence notaries, including the Electronic Frontier Foundation and security vendor Qualys. The idea is that the Convergence notaries, based on the user's own selection of which ones they prefer, electronically inform the user whether the certificate presented by a site is considered valid — in practice, whether it matches the certificate the notaries themselves observe for that site. Marlinspike says there are 30,000 active Convergence users today. Marlinspike's ideas are starting to get some support from the security industry. Qualys Director of Engineering Ivan Ristic says the research Qualys has done shows Convergence is a "viable alternative" to the general way the SSL ecosystem works today, "but in order for it to be successful, it will also need a critical mass." "We have been researching the SSL ecosystem for some time now — publishing our tools and documentation on the SSL Labs web site — so it was only natural that we took interest in Convergence, which aims to solve some of the inherent security issues in the way we currently determine trust," Ristic says. Instead of trying to fix today's weaknesses by "keeping existing arrangements," Ristic says, Convergence "is different; it's a proposal to try something completely different." Qualys wants to "play our part and assist in its growth, and give it a chance," he adds. Marlinspike, CTO at Whisper Systems, says Convergence is his personal project and he doesn't have expectations about how it can be a revenue-generating business. 
But he's scornful of the current arrangement in which browser vendors have somewhat "hardwired" in their support for the certificate authorities, particularly the big ones like VeriSign, Entrust, Thawte and Comodo. After the DigiNotar hack, for example, Microsoft made much of changing its browser to no longer support DigiNotar. DigiNotar itself was forced to declare bankruptcy as a direct repercussion of being hacked. Comodo issues one-quarter to one-fifth of the certificates on the Internet, and removing support for Comodo in the browser would be hugely disruptive operationally in the current system — which is why distrusting a large CA, however badly it has behaved, is rarely a realistic option. But the underlying security for it all is just "an illusion," according to Marlinspike. He pointed out, "We've made a decision to trust Comodo forever, regardless of whether they continue to earn that trust." Marlinspike continued, "What happened to DigiNotar is the kind of thing that happens every day. It was an accident anyone ever noticed. If the hackers hadn't been stupid, no one would have ever noticed." Marlinspike points out that Convergence is "totally backward compatible" with the current SSL certificate system and the "user experience is exactly the same as now." It's simply that in the Convergence model, the notaries you contact tell you whether they believe the certificate is valid or not. With multiple answers to that question, validation becomes a matter of consensus among the notaries the user has chosen. Businesses can keep getting signed certificates if they want, but the validation for them changes according to what the user trusts. 
Read more about wide area network in Network World's Wide Area Network section.Network World is an InfoWorld affiliate.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6087989410847120117?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6087989410847120117/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/ssl-certificate-industry-can-and-should.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6087989410847120117'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6087989410847120117'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/ssl-certificate-industry-can-and-should.html' title='The SSL certificate industry can and should be replaced'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8233251887774311381</id><published>2011-10-01T11:59:00.000-07:00</published><updated>2011-10-01T11:59:53.409-07:00</updated><title type='text'>Lek1: Blunder Logius maakt DigiD-fraude kinderspel | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/108107/lek1--blunder-logius-maakt-digid-fraude-kinderspel.html#.TodjATiVBgk.blogger"&gt;Lek1: Blunder Logius maakt DigiD-fraude kinderspel | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8233251887774311381?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8233251887774311381/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lek1-blunder-logius-maakt-digid-fraude.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8233251887774311381'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8233251887774311381'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/10/lek1-blunder-logius-maakt-digid-fraude.html' title='Lek1: Blunder Logius maakt DigiD-fraude kinderspel | Webwereld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8667085526885817544</id><published>2011-09-20T12:11:00.000-07:00</published><updated>2011-09-20T12:11:03.440-07:00</updated><title type='text'>NHS loses CD of 1.6 MILLION patients' records</title><content type='html'>'We reassure you it was old data'. Sure, my DOB's changed. By Guardian Healthcare Network. Posted in Government, 20th September 2011. An NHS trust has told patients that it is acting to improve its data handling practices after a rebuke from the Information Commissioner's Office (ICO) for losing a CD containing details on 1.6 million people. Chief executive of NHS Kent and Medway Ann Sutton said that information is now more secure following the implementation of encryption systems to replace the use of floppy discs and CDs. Last week the trust was handed an undertaking by the information watchdog after sending the personal information to a landfill during an office move in March. The ICO said the data contained the names, addresses, dates of birth, NHS numbers and GP details of those affected. In a statement on the trust's website, Sutton said that the data had not been recovered and that the trust had accepted the ICO's report on the incident. She said: "While the breach was unfortunate, I would like to reassure patients that the data stored in the filing cabinet was not current - the most recent information was from 2002." Sutton added: "We have already strengthened our information governance policies, procedures and training on the basis of our internal investigation of the incident. The information commissioner's recommendations to improve them further will be implemented fully." 
®This article was originally published at Guardian Professional. Join the Guardian Healthcare Network to receive regular emails on NHS innovation.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8667085526885817544?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8667085526885817544/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/nhs-loses-cd-of-16-million-patients.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8667085526885817544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8667085526885817544'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/nhs-loses-cd-of-16-million-patients.html' title='NHS loses CD of 1.6 MILLION patients&apos; records'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4166469702356429937</id><published>2011-09-20T12:07:00.000-07:00</published><updated>2011-09-20T12:07:16.487-07:00</updated><title type='text'>Hackers break SSL encryption used by millions of sites</title><content type='html'>By Dan Goodin in San Francisco. Posted in ID, 19th September 2011. Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting. At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL.
The demo will decrypt an authentication cookie used to access a PayPal account, Duong said.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4166469702356429937?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4166469702356429937/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/hackers-break-ssl-encryption-used-by.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4166469702356429937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4166469702356429937'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/hackers-break-ssl-encryption-used-by.html' title='Hackers break SSL encryption used by millions of sites'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7804288406967446366</id><published>2011-09-20T12:05:00.000-07:00</published><updated>2011-09-20T12:05:18.632-07:00</updated><title type='text'>FISMA compliance to require monthly reports</title><content type='html'>FISMA compliance to require monthly reports. Dan Kaplan, September 19, 2011. Federal agencies soon will be required to report on their information security health on a monthly basis, instead of annually, according to a memo from the federal Office of Management and Budget. As part of their compliance with the Federal Information Security Management Act (FISMA), agencies must, beginning next month, submit data from their automated security management tools into CyberScope, an application that went online in 2009, and is used to securely and efficiently report security-related information and provide analysis. "This shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through CyberScope allows security practitioners to make decisions using more information – delivered more quickly than ever before," OMB Director Jacob Lew wrote in the memo, issued last week. The monthly requirements also include answering questions in CyberScope that address risk. They are meant to determine whether an agency effectively is implementing its security functionality. In addition, under the reporting mandates, agencies must work with government specialists through sessions and interviews to improve their security stance. Marcus Sachs, a former U.S. 
government cyber official, said increased reporting requirements, in both the private and public sector, tend to occupy man-hours that would be better served working the problem. But he said that forcing senior management to sign off on regular reports could shine a light on the need for more security resources. "I think in one sense, increasing the [reporting] burden does take away from the few people who are really good at cybersecurity," he told SCMagazineUS.com on Monday. "On the other hand, it does increase the awareness of the senior leaders. Nobody is going to sign off on it unless it's accurate." &lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7804288406967446366?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7804288406967446366/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/fisma-compliance-to-require-monthly.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7804288406967446366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7804288406967446366'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/fisma-compliance-to-require-monthly.html' title='FISMA compliance to require monthly reports'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8419382050992727696</id><published>2011-09-18T01:17:00.000-07:00</published><updated>2011-09-18T01:17:16.754-07:00</updated><title type='text'>Local News : State investigates computer security breach; city likely to discipline officer - Frontiersman</title><content type='html'>&lt;a href="http://www.frontiersman.com/articles/2011/09/18/local_news/doc4e757b3e32179505434054.txt"&gt;Local News : State investigates computer security breach; &amp;lt;br /&amp;gt;city likely to discipline officer - Frontiersman&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8419382050992727696?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8419382050992727696/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/local-news-state-investigates-computer.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8419382050992727696'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8419382050992727696'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/local-news-state-investigates-computer.html' title='Local News : State investigates computer security breach; &lt;br /&gt;city likely to discipline officer - 
Frontiersman'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-2208834959339150035</id><published>2011-09-16T06:23:00.000-07:00</published><updated>2011-09-16T06:23:24.058-07:00</updated><title type='text'>Hoster lekt honderden gemeente-databases | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/107955/hoster-lekt-honderden-gemeente-databases.html#.TnNNxqF2kNE.blogger"&gt;Hoster lekt honderden gemeente-databases | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-2208834959339150035?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/2208834959339150035/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/hoster-lekt-honderden-gemeente.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2208834959339150035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2208834959339150035'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/hoster-lekt-honderden-gemeente.html' title='Hoster lekt honderden gemeente-databases | Webwereld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4492468382914404186</id><published>2011-09-16T00:29:00.000-07:00</published><updated>2011-09-16T00:29:33.871-07:00</updated><title type='text'>Dutch Regulator Bars DigiNotar From Issuing Qualified Certificates</title><content type='html'>&lt;a href="http://threatpost.com/en_us/blogs/dutch-regulator-bars-diginotar-issuing-qualified-certificates-091511#.TnL61qnlAfw.blogger"&gt;Dutch Regulator Bars DigiNotar From Issuing Qualified Certificates&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4492468382914404186?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4492468382914404186/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/dutch-regulator-bars-diginotar-from.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4492468382914404186'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4492468382914404186'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/dutch-regulator-bars-diginotar-from.html' title='Dutch Regulator Bars DigiNotar From Issuing Qualified Certificates'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5484281803642941420</id><published>2011-09-11T01:44:00.001-07:00</published><updated>2011-09-11T01:44:49.679-07:00</updated><title type='text'>History of DOS -Denial of Service Attack</title><content type='html'>http://uscyberlabs.com/blog/?p=811&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5484281803642941420?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5484281803642941420/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/history-of-dos-denial-of-service-attack.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5484281803642941420'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5484281803642941420'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/history-of-dos-denial-of-service-attack.html' title='History of DOS -Denial of Service Attack'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8212326410701626581</id><published>2011-09-11T01:41:00.001-07:00</published><updated>2011-09-11T01:45:02.889-07:00</updated><title type='text'>DigiNotar SSL Hack Diagram | Cyber Chatter</title><content type='html'>This is an ongoing diagram of the DigiNotar SSL Hack. I will update this as I work on it. I just think that this will help some people to understand the scope of this attack. This is from the spreadsheet I got from the TORProject…http://uscyberlabs.com/blog/?p=840&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8212326410701626581?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8212326410701626581/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/diginotar-ssl-hack-diagram-cyber.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8212326410701626581'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8212326410701626581'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/diginotar-ssl-hack-diagram-cyber.html' title='DigiNotar SSL Hack Diagram | Cyber Chatter'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1946948092672132171</id><published>2011-09-11T01:38:00.000-07:00</published><updated>2011-09-11T01:38:58.880-07:00</updated><title type='text'>Email encryption for iPad and iPhone</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=11595"&gt;Email encryption for iPad and iPhone&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1946948092672132171?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1946948092672132171/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/email-encryption-for-ipad-and-iphone.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1946948092672132171'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1946948092672132171'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/email-encryption-for-ipad-and-iphone.html' title='Email encryption for iPad and iPhone'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7376762053068995254</id><published>2011-09-08T06:49:00.000-07:00</published><updated>2011-09-08T06:49:08.009-07:00</updated><title type='text'>België voorbereid op rampscenario GlobalSign | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/107866/belgi---voorbereid-op-rampscenario-globalsign.html#.TmjHypSJbW8.blogger"&gt;België voorbereid op rampscenario GlobalSign | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7376762053068995254?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7376762053068995254/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/belgie-voorbereid-op-rampscenario.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7376762053068995254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7376762053068995254'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/belgie-voorbereid-op-rampscenario.html' title='België voorbereid op rampscenario GlobalSign | Webwereld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7906807841640206354</id><published>2011-09-05T07:19:00.000-07:00</published><updated>2011-09-05T07:19:14.247-07:00</updated><title type='text'>DigiNotar SSL certificate compromise widens to include security agencies - 9/5/2011 - Computer Weekly</title><content type='html'>&lt;a href="http://www.computerweekly.com/Articles/2011/09/05/247792/DigiNotar-SSL-certificate-compromise-widens-to-include-security.htm#.TmTaR7taC_o.blogger"&gt;DigiNotar SSL certificate compromise widens to include security agencies - 9/5/2011 - Computer Weekly&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7906807841640206354?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7906807841640206354/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/diginotar-ssl-certificate-compromise.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7906807841640206354'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7906807841640206354'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/diginotar-ssl-certificate-compromise.html' title='DigiNotar SSL certificate compromise widens to include security agencies - 9/5/2011 - Computer 
Weekly'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5291145781481169082</id><published>2011-09-05T02:36:00.000-07:00</published><updated>2011-09-05T02:36:22.011-07:00</updated><title type='text'>Dutch suspect Iran hacked websites - Casting the first stone | TechEye</title><content type='html'>&lt;a href="http://www.techeye.net/security/dutch-suspect-iran-hacked-websites#.TmSYDilGv6Y.blogger"&gt;Dutch suspect Iran hacked websites - Casting the first stone | TechEye&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5291145781481169082?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5291145781481169082/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/dutch-suspect-iran-hacked-websites.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5291145781481169082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5291145781481169082'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/dutch-suspect-iran-hacked-websites.html' title='Dutch suspect Iran hacked websites - Casting the first stone | TechEye'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3076918001289796397</id><published>2011-09-05T02:30:00.000-07:00</published><updated>2011-09-05T02:30:51.328-07:00</updated><title type='text'>Why Diginotar may turn out more important than Stuxnet - Securelist</title><content type='html'>&lt;a href="http://www.securelist.com/en/blog/208193111/Why_Diginotar_may_turn_out_more_important_than_Stuxnet#.TmSWwzdFDbw.blogger"&gt;Why Diginotar may turn out more important than Stuxnet - Securelist&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3076918001289796397?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3076918001289796397/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/why-diginotar-may-turn-out-more.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3076918001289796397'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3076918001289796397'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/09/why-diginotar-may-turn-out-more.html' title='Why Diginotar may turn out more important than Stuxnet - Securelist'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8841885971126106406</id><published>2011-07-25T12:26:00.000-07:00</published><updated>2011-09-04T11:53:37.173-07:00</updated><title type='text'>The 5 biggest IT security mistakes | Security - InfoWorld</title><content type='html'>&lt;a href="http://www.infoworld.com/d/security/the-5-biggest-it-security-mistakes-167970"&gt;The 5 biggest IT security mistakes | Security - InfoWorld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8841885971126106406?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.infoworld.com/d/security/the-5-biggest-it-security-mistakes-167970' title='The 5 biggest IT security mistakes | Security - InfoWorld'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8841885971126106406/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/07/5-biggest-it-security-mistakes-security.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8841885971126106406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8841885971126106406'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/07/5-biggest-it-security-mistakes-security.html' title='The 5 biggest IT security mistakes | Security - InfoWorld'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4541285721260408048</id><published>2011-07-19T04:08:00.000-07:00</published><updated>2011-07-19T04:08:33.908-07:00</updated><title type='text'>EU data breach notification law under advisement</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=11298"&gt;EU data breach notification law under advisement&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4541285721260408048?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=11298' title='EU data breach notification law under advisement'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4541285721260408048/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/07/eu-data-breach-notification-law-under.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4541285721260408048'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4541285721260408048'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/07/eu-data-breach-notification-law-under.html' title='EU data breach notification law under advisement'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-325874480636727144</id><published>2011-06-29T04:09:00.000-07:00</published><updated>2011-06-29T04:09:52.706-07:00</updated><title type='text'>Public cloud can't be used for everything, says UBS CISO</title><content type='html'>&lt;a href="http://www.cio.co.uk/news/3288529/public-cloud-cant-be-used-for-everything-says-ubs-ciso/?olo=rss"&gt;Public cloud can&amp;#39;t be used for everything, says UBS CISO&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-325874480636727144?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.cio.co.uk/news/3288529/public-cloud-cant-be-used-for-everything-says-ubs-ciso/?olo=rss' title='Public cloud can&apos;t be used for everything, says UBS CISO'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/325874480636727144/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/06/public-cloud-cant-be-used-for.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/325874480636727144'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/325874480636727144'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/06/public-cloud-cant-be-used-for.html' title='Public cloud can&apos;t be used for everything, says UBS 
CISO'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3949645867917387801</id><published>2011-06-27T01:56:00.000-07:00</published><updated>2011-06-27T01:56:43.364-07:00</updated><title type='text'>Why privacy legislation is hot now - TheHill.com</title><content type='html'>&lt;a href="http://thehill.com/component/content/article/72-opinion/168267-why-privacy-legislation-is-hot-now#.TghFxct-tog.blogger"&gt;Why privacy legislation is hot now - TheHill.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3949645867917387801?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://thehill.com/component/content/article/72-opinion/168267-why-privacy-legislation-is-hot-now#.TghFxct-tog.blogger' title='Why privacy legislation is hot now - TheHill.com'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3949645867917387801/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/06/why-privacy-legislation-is-hot-now.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3949645867917387801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3949645867917387801'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/06/why-privacy-legislation-is-hot-now.html' title='Why privacy 
legislation is hot now - TheHill.com'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3548783451068176977</id><published>2011-05-17T13:43:00.000-07:00</published><updated>2011-05-17T13:44:04.102-07:00</updated><title type='text'>AIX security blog</title><content type='html'>http://www.poweritpro.com/Blogs/tabid/62/categoryid/8/Default.aspx&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3548783451068176977?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3548783451068176977/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/aix-security-blog.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3548783451068176977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3548783451068176977'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/aix-security-blog.html' title='AIX security blog'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8507101343971094286</id><published>2011-05-17T04:47:00.000-07:00</published><updated>2011-05-17T04:47:40.955-07:00</updated><title type='text'>VMware acquires Shavlik Technologies for vulnerability, configuration management</title><content type='html'>&lt;a href="http://searchsecurity.techtarget.com/news/2240035818/VMware-acquires-Shavlik-Technologies-for-vulnerability-configuration-management"&gt;VMware acquires Shavlik Technologies for vulnerability, configuration management&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8507101343971094286?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://searchsecurity.techtarget.com/news/2240035818/VMware-acquires-Shavlik-Technologies-for-vulnerability-configuration-management' title='VMware acquires Shavlik Technologies for vulnerability, configuration management'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8507101343971094286/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/vmware-acquires-shavlik-technologies.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8507101343971094286'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8507101343971094286'/><link rel='alternate' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/05/vmware-acquires-shavlik-technologies.html' title='VMware acquires Shavlik Technologies for vulnerability, configuration management'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7920781158359798049</id><published>2011-05-17T04:24:00.000-07:00</published><updated>2011-05-17T04:24:55.948-07:00</updated><title type='text'>E-commerce businesses need to invest in cybersecurity, say experts</title><content type='html'>&lt;a href="http://www.cio.co.uk/news/3280239/e-commerce-businesses-need-to-invest-in-cybersecurity-say-experts/?olo=rss"&gt;E-commerce businesses need to invest in cybersecurity, say experts&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7920781158359798049?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.cio.co.uk/news/3280239/e-commerce-businesses-need-to-invest-in-cybersecurity-say-experts/?olo=rss' title='E-commerce businesses need to invest in cybersecurity, say experts'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7920781158359798049/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/e-commerce-businesses-need-to-invest-in.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7920781158359798049'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7920781158359798049'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/e-commerce-businesses-need-to-invest-in.html' title='E-commerce businesses need to invest in cybersecurity, say experts'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5533631670997197701</id><published>2011-05-15T01:20:00.000-07:00</published><updated>2011-05-15T01:21:44.571-07:00</updated><title type='text'>Appache server en security</title><content type='html'>Some hints and tips on security issues in setting up a web server. Some of the suggestions will be general, others specific to Apache.&lt;br /&gt;&lt;br /&gt;■ Keep up to Date&lt;br /&gt;The Apache HTTP Server has a good record for security and a developer community highly concerned about security issues. But it is inevitable that some problems -- small or large -- will be discovered in software after it is released. For this reason, it is crucial to keep aware of updates to the software. If you have obtained your version of the HTTP Server directly from Apache, we highly recommend you subscribe to the Apache HTTP Server Announcements List where you can keep informed of new releases and security updates. Similar services are available from most third-party distributors of Apache software.&lt;br /&gt;&lt;br /&gt;Of course, most times that a web server is compromised, it is not because of problems in the HTTP Server code. Rather, it comes from problems in add-on code, CGI scripts, or the underlying Operating System. 
You must therefore stay aware of problems and updates with all the software on your system.&lt;br /&gt;&lt;br /&gt;Permissions on ServerRoot Directories&lt;br /&gt;In typical operation, Apache is started by the root user, and it switches to the user defined by the User directive to serve hits. As is the case with any command that root executes, you must take care that it is protected from modification by non-root users. Not only must the files themselves be writeable only by root, but so must the directories, and parents of all directories. For example, if you choose to place ServerRoot in /usr/local/apache then it is suggested that you create that directory as root, with commands like these:&lt;br /&gt;&lt;br /&gt;mkdir /usr/local/apache &lt;br /&gt;cd /usr/local/apache &lt;br /&gt;mkdir bin conf logs &lt;br /&gt;chown 0 . bin conf logs &lt;br /&gt;chgrp 0 . bin conf logs &lt;br /&gt;chmod 755 . bin conf logs &lt;br /&gt;&lt;br /&gt;It is assumed that /, /usr, and /usr/local are only modifiable by root. When you install the httpd executable, you should ensure that it is similarly protected:&lt;br /&gt;&lt;br /&gt;cp httpd /usr/local/apache/bin &lt;br /&gt;chown 0 /usr/local/apache/bin/httpd &lt;br /&gt;chgrp 0 /usr/local/apache/bin/httpd &lt;br /&gt;chmod 511 /usr/local/apache/bin/httpd &lt;br /&gt;&lt;br /&gt;You can create an htdocs subdirectory which is modifiable by other users -- since root never executes any files out of there, and shouldn't be creating files in there.&lt;br /&gt;&lt;br /&gt;If you allow non-root users to modify any files that root either executes or writes on then you open your system to root compromises. For example, someone could replace the httpd binary so that the next time you start it, it will execute some arbitrary code. If the logs directory is writeable (by a non-root user), someone could replace a log file with a symlink to some other system file, and then root might overwrite that file with arbitrary data. 
If the log files themselves are writeable (by a non-root user), then someone may be able to overwrite the log itself with bogus data.&lt;br /&gt;&lt;br /&gt;Server Side Includes&lt;br /&gt;Server Side Includes (SSI) present a server administrator with several potential security risks.&lt;br /&gt;&lt;br /&gt;The first risk is the increased load on the server. All SSI-enabled files have to be parsed by Apache, whether or not there are any SSI directives included within the files. While this load increase is minor, in a shared server environment it can become significant.&lt;br /&gt;&lt;br /&gt;SSI files also pose the same risks that are associated with CGI scripts in general. Using the exec cmd element, SSI-enabled files can execute any CGI script or program under the permissions of the user and group Apache runs as, as configured in httpd.conf. &lt;br /&gt;&lt;br /&gt;There are ways to enhance the security of SSI files while still taking advantage of the benefits they provide.&lt;br /&gt;&lt;br /&gt;To isolate the damage a wayward SSI file can cause, a server administrator can enable suexec as described in the CGI in General section.&lt;br /&gt;&lt;br /&gt;Enabling SSI for files with .html or .htm extensions can be dangerous. This is especially true in a shared, or high traffic, server environment. SSI-enabled files should have a separate extension, such as the conventional .shtml. This helps keep server load at a minimum and allows for easier management of risk.&lt;br /&gt;&lt;br /&gt;Another solution is to disable the ability to run scripts and programs from SSI pages. To do this replace Includes with IncludesNOEXEC in the Options directive. Note that users may still use &lt;!--#include virtual="..." 
--&gt; to execute CGI scripts if these scripts are in directories designated by a ScriptAlias directive.&lt;br /&gt;&lt;br /&gt;CGI in General&lt;br /&gt;First of all, you always have to remember that you must trust the writers of the CGI scripts/programs or your ability to spot potential security holes in CGI, whether they were deliberate or accidental. CGI scripts can run essentially arbitrary commands on your system with the permissions of the web server user and can therefore be extremely dangerous if they are not carefully checked.&lt;br /&gt;&lt;br /&gt;All the CGI scripts will run as the same user, so they have potential to conflict (accidentally or deliberately) with other scripts e.g. User A hates User B, so he writes a script to trash User B's CGI database. One program which can be used to allow scripts to run as different users is suEXEC which is included with Apache as of 1.2 and is called from special hooks in the Apache server code. Another popular way of doing this is with CGIWrap.&lt;br /&gt;&lt;br /&gt;Non Script Aliased CGI&lt;br /&gt;Allowing users to execute CGI scripts in any directory should only be considered if:&lt;br /&gt;&lt;br /&gt;•You trust your users not to write scripts which will deliberately or accidentally expose your system to an attack.&lt;br /&gt;•You consider security at your site to be so feeble in other areas, as to make one more potential hole irrelevant.&lt;br /&gt;•You have no users, and nobody ever visits your server.&lt;br /&gt;Script Aliased CGI&lt;br /&gt;Limiting CGI to special directories gives the admin control over what goes into those directories. 
This is inevitably more secure than non script aliased CGI, but only if users with write access to the directories are trusted or the admin is willing to test each new CGI script/program for potential security holes.&lt;br /&gt;&lt;br /&gt;Most sites choose this option over the non script aliased CGI approach.&lt;br /&gt;&lt;br /&gt;Other sources of dynamic content&lt;br /&gt;Embedded scripting options which run as part of the server itself, such as mod_php, mod_perl, mod_tcl, and mod_python, run under the identity of the server itself (see the User directive), and therefore scripts executed by these engines potentially can access anything the server user can. Some scripting engines may provide restrictions, but it is better to be safe and assume not.&lt;br /&gt;&lt;br /&gt;Protecting System Settings&lt;br /&gt;To run a really tight ship, you'll want to stop users from setting up .htaccess files which can override security features you've configured. Here's one way to do it.&lt;br /&gt;&lt;br /&gt;In the server configuration file, put&lt;br /&gt;&lt;br /&gt;&lt;Directory /&gt; &lt;br /&gt;AllowOverride None &lt;br /&gt;&lt;/Directory&gt; &lt;br /&gt;&lt;br /&gt;This prevents the use of .htaccess files in all directories apart from those specifically enabled.&lt;br /&gt;&lt;br /&gt;Protect Server Files by Default&lt;br /&gt;One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.&lt;br /&gt;&lt;br /&gt;For instance, consider the following example:&lt;br /&gt;&lt;br /&gt;# cd /; ln -s / public_html &lt;br /&gt;Accessing http://localhost/~root/ &lt;br /&gt;&lt;br /&gt;This would allow clients to walk through the entire filesystem. 
To work around this, add the following block to your server's configuration:&lt;br /&gt;&lt;br /&gt;&lt;Directory /&gt; &lt;br /&gt;Order Deny,Allow &lt;br /&gt;Deny from all &lt;br /&gt;&lt;/Directory&gt; &lt;br /&gt;&lt;br /&gt;This will forbid default access to filesystem locations. Add appropriate Directory blocks to allow access only in those areas you wish. For example,&lt;br /&gt;&lt;br /&gt;&lt;Directory /usr/users/*/public_html&gt; &lt;br /&gt;Order Deny,Allow &lt;br /&gt;Allow from all &lt;br /&gt;&lt;/Directory&gt; &lt;br /&gt;&lt;Directory /usr/local/httpd&gt; &lt;br /&gt;Order Deny,Allow &lt;br /&gt;Allow from all &lt;br /&gt;&lt;/Directory&gt; &lt;br /&gt;&lt;br /&gt;Pay particular attention to the interactions of Location and Directory directives; for instance, even if &lt;Directory /&gt; denies access, a &lt;Location /&gt; directive might overturn it.&lt;br /&gt;&lt;br /&gt;Also be wary of playing games with the UserDir directive; setting it to something like ./ would have the same effect, for root, as the first example above. If you are using Apache 1.3 or above, we strongly recommend that you include the following line in your server configuration files:&lt;br /&gt;&lt;br /&gt;UserDir disabled root &lt;br /&gt;&lt;br /&gt;Watching Your Logs&lt;br /&gt;To keep up-to-date with what is actually going on against your server, you have to check the log files. Even though the log files only report what has already happened, they will give you some understanding of what attacks are being thrown against the server and allow you to check whether the necessary level of security is present.&lt;br /&gt;&lt;br /&gt;A couple of examples:&lt;br /&gt;&lt;br /&gt;grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" 
access_log &lt;br /&gt;grep "client denied" error_log | tail -n 10 &lt;br /&gt;&lt;br /&gt;The first example will list the number of attacks trying to exploit the Apache Tomcat Source.JSP Malformed Request Information Disclosure Vulnerability; the second example will list the last ten denied clients, for example:&lt;br /&gt;&lt;br /&gt;[Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd &lt;br /&gt;&lt;br /&gt;As you can see, the log files only report what has already happened, so if the client had been able to access the .htpasswd file you would have seen something similar to:&lt;br /&gt;&lt;br /&gt;foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" &lt;br /&gt;&lt;br /&gt;in your Access Log. This means you probably commented out the following in your server configuration file:&lt;br /&gt;&lt;br /&gt;&lt;Files ~ "^\.ht"&gt; &lt;br /&gt;Order allow,deny &lt;br /&gt;Deny from all &lt;br /&gt;&lt;/Files&gt; &lt;br /&gt;&lt;br /&gt;Available Languages:  en  |  ko  |  tr &lt;br /&gt;&lt;br /&gt;Copyright 2011 The Apache Software Foundation.&lt;br /&gt;Licensed under the Apache License, Version 2&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5533631670997197701?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5533631670997197701/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/appache-server-en-security.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5533631670997197701'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5533631670997197701'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/appache-server-en-security.html' title='Appache server en security'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6012256938290647637</id><published>2011-05-12T06:32:00.000-07:00</published><updated>2011-05-13T13:43:33.328-07:00</updated><title type='text'>Tripwire acquired by investment firm</title><content type='html'>&lt;a href="http://searchsecurity.techtarget.com/news/2240035711/Tripwire-acquired-by-investment-firm"&gt;Tripwire acquired by investment firm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6012256938290647637?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://searchsecurity.techtarget.com/news/2240035711/Tripwire-acquired-by-investment-firm' title='Tripwire acquired by investment firm'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6012256938290647637/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/tripwire-acquired-by-investment-firm.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6012256938290647637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6012256938290647637'/><link 
rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/tripwire-acquired-by-investment-firm.html' title='Tripwire acquired by investment firm'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1136592266164352759</id><published>2011-05-10T13:48:00.000-07:00</published><updated>2011-05-10T13:48:04.468-07:00</updated><title type='text'>Breach at Michaels Stores Extends Nationwide</title><content type='html'>&lt;a href="http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/?sms_ss=blogger&amp;amp;at_xt=4dc9a479a9dec99f%2C0"&gt;Breach at Michaels Stores Extends Nationwide&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1136592266164352759?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://krebsonsecurity.com/2011/05/breach-at-michaels-stores-extends-nationwide/?sms_ss=blogger&amp;at_xt=4dc9a479a9dec99f%2C0' title='Breach at Michaels Stores Extends Nationwide'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1136592266164352759/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/breach-at-michaels-stores-extends.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1136592266164352759'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1136592266164352759'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/breach-at-michaels-stores-extends.html' title='Breach at Michaels Stores Extends Nationwide'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6883672308147166867</id><published>2011-05-06T01:32:00.000-07:00</published><updated>2011-05-06T01:32:10.137-07:00</updated><title type='text'>NHS trusts in London compromising data security - 05 May 2011 - BSI Shop</title><content type='html'>&lt;a href="http://shop.bsigroup.com/templates/Shop/v2/DisplayNewsDetails.aspx?aId=800521156&amp;amp;sms_ss=blogger&amp;amp;at_xt=4dc3b205c45f3e54%2C0"&gt;NHS trusts in London compromising data security - 05 May 2011 - BSI Shop&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6883672308147166867?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://shop.bsigroup.com/templates/Shop/v2/DisplayNewsDetails.aspx?aId=800521156&amp;sms_ss=blogger&amp;at_xt=4dc3b205c45f3e54%2C0' title='NHS trusts in London compromising data security - 05 May 2011 - BSI Shop'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6883672308147166867/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/nhs-trusts-in-london-compromising-data.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6883672308147166867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6883672308147166867'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/nhs-trusts-in-london-compromising-data.html' title='NHS trusts in London compromising data security - 05 May 2011 - BSI Shop'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6186441253304057492</id><published>2011-05-06T01:14:00.000-07:00</published><updated>2011-05-06T01:14:42.617-07:00</updated><title type='text'>Reality TV Show X-Factor Spills Data On 250,000 Hopefuls</title><content type='html'>&lt;a href="http://threatpost.com/en_us/blogs/reality-tv-show-x-factor-spills-data-250000-hopefuls-050511?sms_ss=blogger&amp;amp;at_xt=4dc3adedd6316003%2C0"&gt;Reality TV Show X-Factor Spills Data On 250,000 Hopefuls&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6186441253304057492?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://threatpost.com/en_us/blogs/reality-tv-show-x-factor-spills-data-250000-hopefuls-050511?sms_ss=blogger&amp;at_xt=4dc3adedd6316003%2C0' title='Reality TV Show X-Factor Spills Data On 250,000 Hopefuls'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6186441253304057492/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/05/reality-tv-show-x-factor-spills-data-on.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6186441253304057492'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6186441253304057492'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/reality-tv-show-x-factor-spills-data-on.html' title='Reality TV Show X-Factor Spills Data On 250,000 Hopefuls'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5852800422861553608</id><published>2011-05-06T01:05:00.000-07:00</published><updated>2011-05-06T01:05:16.402-07:00</updated><title type='text'>Security Expert: Sony Knew Its Software Was Obsolete Months Before PSN Breach - The Consumerist</title><content type='html'>&lt;a href="http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html"&gt;Security Expert: Sony Knew Its Software Was Obsolete Months Before PSN Breach - The Consumerist&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5852800422861553608?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://consumerist.com/2011/05/security-expert-sony-knew-its-software-was-obsolete-months-before-psn-breach.html' title='Security Expert: Sony Knew Its Software Was Obsolete Months Before PSN Breach - The Consumerist'/><link rel='replies' 
type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5852800422861553608/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/security-expert-sony-knew-its-software.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5852800422861553608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5852800422861553608'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/security-expert-sony-knew-its-software.html' title='Security Expert: Sony Knew Its Software Was Obsolete Months Before PSN Breach - The Consumerist'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-2389676271249541185</id><published>2011-05-05T08:12:00.000-07:00</published><updated>2011-05-05T08:12:36.206-07:00</updated><title type='text'>Datensicherheit muss gewährleistet sein - Computer Reseller News</title><content type='html'>&lt;a href="http://www.crn.de/security/artikel-90272.html?sms_ss=blogger&amp;amp;at_xt=4dc2be5958bf03e9%2C0"&gt;Datensicherheit muss gewährleistet sein - Computer Reseller News&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-2389676271249541185?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.crn.de/security/artikel-90272.html?sms_ss=blogger&amp;at_xt=4dc2be5958bf03e9%2C0' 
title='Datensicherheit muss gewährleistet sein - Computer Reseller News'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/2389676271249541185/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/datensicherheit-muss-gewahrleistet-sein.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2389676271249541185'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2389676271249541185'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/datensicherheit-muss-gewahrleistet-sein.html' title='Datensicherheit muss gewährleistet sein - Computer Reseller News'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3416482602509068458</id><published>2011-05-05T07:18:00.000-07:00</published><updated>2011-05-05T07:18:10.116-07:00</updated><title type='text'>Meldplicht bij verlies persoonsgegevens | Securitymanagement.nl</title><content type='html'>&lt;a href="http://www.securitymanagement.nl/index.aspx?m=news&amp;amp;f=detail&amp;amp;id=47601"&gt;Meldplicht bij verlies persoonsgegevens | Securitymanagement.nl&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3416482602509068458?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' 
href='http://www.securitymanagement.nl/index.aspx?m=news&amp;f=detail&amp;id=47601' title='Meldplicht bij verlies persoonsgegevens | Securitymanagement.nl'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3416482602509068458/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/meldplicht-bij-verlies-persoonsgegevens.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3416482602509068458'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3416482602509068458'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/meldplicht-bij-verlies-persoonsgegevens.html' title='Meldplicht bij verlies persoonsgegevens | Securitymanagement.nl'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5809714996900118798</id><published>2011-05-04T03:10:00.000-07:00</published><updated>2011-05-04T03:11:52.948-07:00</updated><title type='text'>Data Breaches: 3 Lessons for Leaders</title><content type='html'>Healthcare Information Security Articles&lt;br /&gt;May 4, 2011 - Upasana Gupta, Contributing Editor&lt;br /&gt;&lt;br /&gt;In March, RSA, a trusted name in the security industry, suffered a major security breach of its SecurID product, proving that no organization is immune to such incidents. &lt;br /&gt;Then, in April, the Epsilon e-mail breach exposed the risks of data security managed by a third-party service provider. 
&lt;br /&gt;&lt;br /&gt;Two weeks later, Sony Corp announced that hackers had stolen names, addresses and possibly credit card details from 77 million user accounts of its PlayStation Network and Qriocity online service. &lt;br /&gt;&lt;br /&gt;RSA, Epsilon and Sony: Three major security incidents that dominated the headlines and sent ripples throughout security organizations worldwide. &lt;br /&gt;&lt;br /&gt;No one feels the pressure of such breaches more than the chief information security officer, who ultimately is responsible for protecting and securing the organization. How an organization plans for and responds to such incidents can make or break a CISO's career. &lt;br /&gt;&lt;br /&gt;In the wake of these three high-profile breaches, we spoke to two global information security leaders -- Alessandro Moretti, executive director of IT security risk management at UBS Investment Bank, and Abbas Kudrati, head of information risk and security director for the Kingdom of Bahrain -- and asked for their biggest lessons learned. Here's what they shared. [For more on leadership and incident response, see Why CISOs Must Care About Sony Breach.] &lt;br /&gt;&lt;br /&gt;#1: Build Trust with Senior Management&lt;br /&gt;An incident as significant as the RSA breach requires leaders to be agile and have the ability to redirect investment, projects and security controls within the shortest possible time if needed, says Moretti. This transition can only happen when IT security leaders have built trust with the business owners by establishing an open line of communication in which they discuss pervasive and forward-thinking issues on a continuous basis. Example: how to respond to unique events such as the recent Japanese earthquake or the RSA breach. Moretti picks up the phone and speaks with his executives at the bank as often as needed, bringing to their attention the risks, investment and options to be pursued within the threat landscape. 
"Leaders have to focus on how they get information across to senior management to do something more proactive," he says. &lt;br /&gt;#2: Enhance Security Awareness&lt;br /&gt;These high-profile breaches have reinforced the need for comprehensive employee training programs designed to help organizations build a more security conscious workforce. "It is still a big challenge for most organizations to implement a thorough security awareness program in their companies, as they lack insight into employee behavior and where, what and how to protect their information assets," says Kudrati. "This means awareness remains low, understanding of the risks stays incomplete, risk is not properly assessed, and the need for regulation is not created." &lt;br /&gt;His response to these incidents has been to initiate a detailed awareness program, including providing the necessary education and tools to employees for a heightened awareness of corporate policies, procedures and guidelines; customizing email policy for different departments based on usage; conducting frequent social engineering and anti-phishing exercises to enable employees to carefully consider the security implications of their online activities. He also has automated regular checks on technical controls, infrastructure and internal vulnerabilities, allowing the organization to reduce the risk of exposing sensitive information and ultimately strengthening the risk management and data loss prevention policies. &lt;br /&gt;&lt;br /&gt;"We are working progressively in reducing risks by pushing the basics, expanding our knowledge of threats and vulnerabilities and educating our employees," Kudrati says. &lt;br /&gt;&lt;br /&gt;#3: Manage Risk with Vendors&lt;br /&gt;IT security leaders can no longer just focus on controls and contracts in dealing with vendors that provide software, applications, network and core infrastructure solutions. 
Leaders have to ensure that "vendor management is built into the risk framework, so these providers know what risks they are managing for you," Moretti says. One must categorize vendors (for example by the sensitivity of the data they handle and how critical the service is to the business) before assessing vendor risk, as not all service providers are the same. Also, IT leaders need to ensure they have a contingency plan in place to support their business should the worst happen to the vendor supporting their mission-critical systems and infrastructure. &lt;br /&gt;Moretti says he has changed his attitude from a control mindset and instead works with vendors as partners of the organization in making them understand the impact of managing risks. The dialogue is now on risk management and mitigation. &lt;br /&gt;&lt;br /&gt;Ultimately, Moretti says, "A leader's passive attitude to a security incident outside of their organization is no longer acceptable."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5809714996900118798?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5809714996900118798/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/data-breaches-3-lessons-for-leaders.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5809714996900118798'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5809714996900118798'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/data-breaches-3-lessons-for-leaders.html' title='Data Breaches: 3 Lessons for Leaders'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6437536354117419395</id><published>2011-05-03T05:01:00.000-07:00</published><updated>2011-05-03T05:01:04.740-07:00</updated><title type='text'>DDoS-aanval nekt internetbankieren Rabo - UPDATE | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/106537/ddos-aanval-nekt-internetbankieren-rabo---update.html"&gt;DDoS-aanval nekt internetbankieren Rabo - UPDATE | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6437536354117419395?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://webwereld.nl/nieuws/106537/ddos-aanval-nekt-internetbankieren-rabo---update.html' title='DDoS-aanval nekt internetbankieren Rabo - UPDATE | Webwereld'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6437536354117419395/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/ddos-aanval-nekt-internetbankieren-rabo.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6437536354117419395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6437536354117419395'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/ddos-aanval-nekt-internetbankieren-rabo.html' title='DDoS-aanval nekt internetbankieren Rabo - UPDATE | 
Webwereld'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8604119208693600977</id><published>2011-05-03T05:00:00.000-07:00</published><updated>2011-05-03T05:00:31.042-07:00</updated><title type='text'>Encryptiesleutels via Google te oogsten - update | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/106541/encryptiesleutels-via-google-te-oogsten---update.html"&gt;Encryptiesleutels via Google te oogsten - update | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8604119208693600977?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://webwereld.nl/nieuws/106541/encryptiesleutels-via-google-te-oogsten---update.html' title='Encryptiesleutels via Google te oogsten - update | Webwereld'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8604119208693600977/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/encryptiesleutels-via-google-te-oogsten.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8604119208693600977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8604119208693600977'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/encryptiesleutels-via-google-te-oogsten.html' title='Encryptiesleutels via Google 
te oogsten - update | Webwereld'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8796677286897725472</id><published>2011-05-02T02:59:00.000-07:00</published><updated>2011-05-02T02:59:57.692-07:00</updated><title type='text'>Total cost of Epsilon breach could reach $4 billion</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10966&amp;amp;utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;amp;utm_content=Google+International"&gt;Total cost of Epsilon breach could reach $4 billion&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8796677286897725472?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10966&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;utm_content=Google+International' title='Total cost of Epsilon breach could reach $4 billion'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8796677286897725472/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/total-cost-of-epsilon-breach-could.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8796677286897725472'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8796677286897725472'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/total-cost-of-epsilon-breach-could.html' title='Total cost of Epsilon breach could reach $4 billion'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7872259962292419666</id><published>2011-05-02T01:21:00.000-07:00</published><updated>2011-05-02T01:21:12.224-07:00</updated><title type='text'>http://myemail.constantcontact.com/Raz-Lee-Security-News-and-Expo.html?soid=1101191758604&amp;aid=7ejJfiXrR_k</title><content type='html'>&lt;a href="http://myemail.constantcontact.com/Raz-Lee-Security-News-and-Expo.html?soid=1101191758604&amp;amp;aid=7ejJfiXrR_k"&gt;http://myemail.constantcontact.com/Raz-Lee-Security-News-and-Expo.html?soid=1101191758604&amp;amp;aid=7ejJfiXrR_k&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7872259962292419666?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://myemail.constantcontact.com/Raz-Lee-Security-News-and-Expo.html?soid=1101191758604&amp;aid=7ejJfiXrR_k' title='http://myemail.constantcontact.com/Raz-Lee-Security-News-and-Expo.html?soid=1101191758604&amp;aid=7ejJfiXrR_k'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7872259962292419666/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/05/httpmyemailconstantcontactcomraz-lee.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7872259962292419666'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7872259962292419666'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/05/httpmyemailconstantcontactcomraz-lee.html' title='http://myemail.constantcontact.com/Raz-Lee-Security-News-and-Expo.html?soid=1101191758604&amp;aid=7ejJfiXrR_k'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-393921804518386148</id><published>2011-04-30T13:22:00.000-07:00</published><updated>2011-04-30T13:22:21.389-07:00</updated><title type='text'>Securing the cloud and securing data in the cloud are not the same</title><content type='html'>&lt;a href="http://www.net-security.org/article.php?id=1595&amp;amp;utm_source=Help+Net+Security+Daily+News&amp;amp;utm_campaign=2a435f9c9b-RSS-hns&amp;amp;utm_medium=email"&gt;Securing the cloud and securing data in the cloud are not the same&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-393921804518386148?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/article.php?id=1595&amp;utm_source=Help+Net+Security+Daily+News&amp;utm_campaign=2a435f9c9b-RSS-hns&amp;utm_medium=email' title='Securing the cloud and securing data in the cloud are not 
the same'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/393921804518386148/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/securing-cloud-and-securing-data-in.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/393921804518386148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/393921804518386148'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/securing-cloud-and-securing-data-in.html' title='Securing the cloud and securing data in the cloud are not the same'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-2172760049601711062</id><published>2011-04-28T07:58:00.000-07:00</published><updated>2011-04-28T07:58:50.306-07:00</updated><title type='text'>Page-integrated encryption for protecting credit cards on the web</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10959&amp;amp;utm_source=Help+Net+Security+Daily+News&amp;amp;utm_campaign=7e854db969-RSS-hns&amp;amp;utm_medium=email"&gt;Page-integrated encryption for protecting credit cards on the web&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-2172760049601711062?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' 
href='http://www.net-security.org/secworld.php?id=10959&amp;utm_source=Help+Net+Security+Daily+News&amp;utm_campaign=7e854db969-RSS-hns&amp;utm_medium=email' title='Page-integrated encryption for protecting credit cards on the web'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/2172760049601711062/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/page-integrated-encryption-for.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2172760049601711062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2172760049601711062'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/page-integrated-encryption-for.html' title='Page-integrated encryption for protecting credit cards on the web'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-9060856688792385864</id><published>2011-04-21T04:36:00.000-07:00</published><updated>2011-04-21T04:39:33.061-07:00</updated><title type='text'>IT-afdelingen vooral bezig met compliance (Infosecurity.net)</title><content type='html'>20-04-2011 - IT-afdelingen zijn steeds vaker bezig met het oplossen van zaken die zich buiten de computerruimte afspelen. Vooral compliance neemt veel tijd in beslag. 
Dit constateert de beroepsorganisatie ISACA in een onderzoek.&lt;br /&gt;&lt;br /&gt;Branche: Automatisering &lt;br /&gt;Volgens de Information Systems Audit and Control Association (ISACA), een beroepsorganisatie voor onder andere IT-managers, IT-beveiligingsspecialisten, audit-specialisten en IT-verzekeringsspecialisten, zijn IT-afdelingen steeds vaker voornamelijk bezig met zaken die zich buiten de algemene beheertaken afspelen. Vooral reguleringswerkzaamheden, zoals compliance, governance en beveiligingsbeheer, leggen een enorme druk op het huidige IT-personeel. Volgens ISACA komt dit doordat het aantal wettelijke regels toeneemt door meer gevallen van gegevensdiefstal en de opkomst van nieuwe technologie als cloudcomputing en het gebruik van persoonlijke mobiele devices op de werkvloer. In de toekomst zullen juist cloudcomputing, mobiel devicebeheer, virtualisatie en business intelligence veel van de IT-beheerders gaan eisen.&lt;br /&gt;&lt;br /&gt;Management&lt;br /&gt;In hetzelfde onderzoek breekt ISACA ook een lans voor het beter profileren van IT-afdelingen ten opzichte van het algemene management. Volgens het gehouden onderzoek denken algemene managers dat IT-afdelingen nog in een omgeving werken die van de zakelijke kant van het bedrijf is afgesloten. De ISACA-leden geven op hun beurt aan dat het algemeen management vaak weinig leiding geeft aan een strategie voor het beschermen van de ICT. Een meerderheid, tachtig procent, van de onderzochte ISACA-leden ziet een dergelijke strategie als van het grootste belang voor een bedrijf of organisatie. Ook op het gebied van disaster recovery zouden algemene managers meer betrokkenheid moeten tonen. 
Meer dan 87 procent van de ISACA-leden geeft aan dat hun algemeen management weinig initiatief toont voor het in werking houden van de belangrijkste IT-functionaliteit tijdens een crisissituatie.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-9060856688792385864?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/9060856688792385864/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/it-afdelingen-vooral-bezig-met.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/9060856688792385864'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/9060856688792385864'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/it-afdelingen-vooral-bezig-met.html' title='IT-afdelingen vooral bezig met compliance (Infosecurity.net)'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1788190338965760002</id><published>2011-04-20T06:54:00.000-07:00</published><updated>2011-04-20T06:54:39.613-07:00</updated><title type='text'>Regulatory compliance is a top concern in 2011</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10931"&gt;Regulatory compliance is a top concern in 2011&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1788190338965760002?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10931' title='Regulatory compliance is a top concern in 2011'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1788190338965760002/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/regulatory-compliance-is-top-concern-in.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1788190338965760002'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1788190338965760002'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/regulatory-compliance-is-top-concern-in.html' title='Regulatory compliance is a top concern in 2011'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7182703678926688081</id><published>2011-04-19T05:48:00.000-07:00</published><updated>2011-04-19T05:48:24.164-07:00</updated><title type='text'>Courthouse News Service</title><content type='html'>&lt;a href="http://www.courthousenews.com/2011/04/18/35865.htm"&gt;Courthouse News Service&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7182703678926688081?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.courthousenews.com/2011/04/18/35865.htm' title='Courthouse News Service'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7182703678926688081/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/courthouse-news-service.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7182703678926688081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7182703678926688081'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/courthouse-news-service.html' title='Courthouse News Service'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6530133932507761108</id><published>2011-04-19T05:47:00.000-07:00</published><updated>2011-04-19T05:49:39.994-07:00</updated><title type='text'>Testy 9th Circuit Hears Whistleblower Case Boeing</title><content type='html'>Monday, April 18, 2011&lt;br /&gt;Last Update: 12:55 PM PT &lt;br /&gt;&lt;br /&gt;Testy 9th Circuit Hears Whistleblower Case&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;By JUNE WILLIAMS &lt;br /&gt;    ShareThis &lt;br /&gt;&lt;br /&gt;     SEATTLE (CN) - Two Boeing employees who were fired after providing a newspaper reporter information about alleged ethics violations asked the 9th Circuit to reconsider a federal judge's ruling that the Sarbanes-Oxley Act does not prohibit termination for disclosures to the media. No court has yet addressed whether employees can be fired under federal whistleblower laws for providing non-confidential information about potential fraud to the press. &lt;br /&gt;     Nicholas Tides and Matthew Neumann worked in Boeing's corporate audit department and made several complaints to supervisors about the company's violations of auditing requirements under Sarbanes-Oxley, according to their original federal complaint. &lt;br /&gt;     Congress enacted Sarbanes-Oxley after the Enron accounting scandal. &lt;br /&gt;     Tides and Neumann provided a reporter at the Seattle Post-Intelligencer with information and documents about the alleged fraud. They were fired after Boeing learned of the disclosures. &lt;br /&gt;     U.S. District Judge John Coughenour ruled that Sarbanes-Oxley "does not prohibit termination for disclosures to the media" and upheld the firings. 
&lt;br /&gt;     During oral arguments on Friday, attorney Stephen Kohn, whose National Whistleblowers Center filed a friend of the court brief, argued the case with the plaintiffs' attorney, John Tollefsen. &lt;br /&gt;     As soon as Kohn began his arguments, he was interrupted by a skeptical Judge Andrew Kleinfeld. &lt;br /&gt;     "This case concerns a per se rule prohibiting whistleblowers from contacting the press," Kohn said. &lt;br /&gt;     Judge Kleinfeld disagreed. "I have difficulty seeing it that way," Kleinfeld said. "It looks to me as though what it concerns is a statute that prohibits retaliation against whistleblowers provided that their disclosures are one of three classes of recipients of the information. I don't see where the statute says anything about the press." &lt;br /&gt;     Kohn replied that that was a "misreading" of Sarbanes-Oxley. &lt;br /&gt;     "Does the statute mention the press?" Judge Kleinfeld asked. &lt;br /&gt;     "It does not, your Honor," Kohn replied. &lt;br /&gt;     Kleinfeld then said that the law allowed whistleblowers to provide information to federal regulatory or law enforcement agencies, Congress and the employee's supervisors. &lt;br /&gt;     "That's all she wrote," the judge said. &lt;br /&gt;     But Kohn said that the wording "cause to be provided" in Sarbanes-Oxley could be read as going through the media, and that the language is "substantially similar" to other whistleblower protection laws, "all of which were interpreted as protecting contacts with the press." &lt;br /&gt;     Tollefsen said Sarbanes-Oxley does not place limits on how one contacts Congress, and that contacting the press is one of the most effective ways to get the attention of Congress. &lt;br /&gt;     "You would be the first court ever to interpret any of these statutes - and we cited four of the whistleblower statutes where you're allowed to use the media as a mode of communication," Tollefsen said. 
&lt;br /&gt;     Judge Kleinfeld countered, "You can use this for blackmail." &lt;br /&gt;     Tollefsen, raising his voice, said, "We're not talking about blackmail. We're talking about - that's the kind of thing that Enron's lawyers would have said."&lt;br /&gt;     Kleinfeld replied: "I must be a bad fellow because I asked you a question that you think Enron's lawyers might have raised."&lt;br /&gt;     Both Judge Kleinfeld and Judge Barry Silverman noted that whistleblower protection for federal employees placed no restrictions on whom the employees could contact, unlike Sarbanes-Oxley. &lt;br /&gt;     Tollefsen said that Congress intended for Sarbanes-Oxley to have the same protections as federal employees.&lt;br /&gt;     "Now, why they didn't use the exact language as the federal employee statute, I don't know," Tollefsen said.&lt;br /&gt;     "That's a major problem, isn't it, for you?" Judge Silverman asked. &lt;br /&gt;     In a short argument, Boeing's attorney Eric Wolff claimed that the case was "a very straightforward case of statutory interpretation."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6530133932507761108?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6530133932507761108/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/testy-9th-circuit-hears-whistleblower.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6530133932507761108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6530133932507761108'/><link rel='alternate' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/04/testy-9th-circuit-hears-whistleblower.html' title='Testy 9th Circuit Hears Whistleblower Case Boeing'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7671480793288463795</id><published>2011-04-18T07:59:00.000-07:00</published><updated>2011-04-18T08:01:07.858-07:00</updated><title type='text'>The Role of FCPA Compliance in Contractual Responsibilities</title><content type='html'>We often discuss the impact of the Foreign Corrupt Practices Act (FCPA) on companies in&lt;br /&gt;relation to their third parties. Topics can include due diligence of third parties, contracting terms&lt;br /&gt;and conditions, and management of these relationships. However, just as all US companies are&lt;br /&gt;subject to the FCPA and therefore are required to implement compliance programs which meet&lt;br /&gt;the strictures of the FCPA, many non-US companies are required to have compliance programs&lt;br /&gt;in place to meet contractual requirements.&lt;br /&gt;We considered the relationship of these non-US companies when we recently read the article&lt;br /&gt;“Compliance Programs Redefined: Elevating Contractual Responsibilities to Their Proper&lt;br /&gt;Place” by Steven Lauer, published in CCH, Corporate Governance Guide, Issue 551, March 21,&lt;br /&gt;2011. Indeed, when reviewing or discussing FCPA compliance programs, one part of the&lt;br /&gt;discussion which is often overlooked by US companies is their own contractual obligations to&lt;br /&gt;have such a program in place. Lauer posits that a “compliance program offers a company…a&lt;br /&gt;truly positive benefit” in relation to its counter-parties. 
While his article is not specifically FCPA&lt;br /&gt;focused, we found it to be an excellent perspective for companies to consider their overall&lt;br /&gt;compliance program.&lt;br /&gt;Lauer believes that there are two general forms of contracting compliance. The first is process&lt;br /&gt;and the second is substantive. Process compliance encompasses all events leading up to contract&lt;br /&gt;execution. Substantive compliance comes into play after execution when parties are obligated to&lt;br /&gt;honor their respective contractual commitments.&lt;br /&gt;An example of process compliance is where one contract may require a company to violate the&lt;br /&gt;terms and conditions of a previously executed agreement. Lauer gives the example of a company&lt;br /&gt;which enters into a foreign joint venture and pledges certain physical assets but the same&lt;br /&gt;company has previously agreed with a lender not to limit the lender’s right to encumber any&lt;br /&gt;company assets. A more recent example has been with BP and its attempts to enter into a&lt;br /&gt;business relationship with Rosneft. BP’s joint venture partners from TNK-BP claimed that such an&lt;br /&gt;agreement violated the terms of their joint venture agreement and successfully sued to enjoin the&lt;br /&gt;action in the British courts.&lt;br /&gt;Under the compliance terms and conditions of a Master Service Agreement or Master&lt;br /&gt;Construction Agreement, it is not unusual for a Company to require a Contractor to extend the same&lt;br /&gt;FCPA terms and conditions to all of the Contractor’s subcontractors who may perform work&lt;br /&gt;under the Master Agreement for the Company. Failure to do so by the Contractor would violate&lt;br /&gt;the FCPA compliance terms and conditions of the Master Agreement. 
This can be problematic&lt;br /&gt;for a contractor that is initially entering the international arena and may not have an FCPA compliance&lt;br /&gt;program in place.&lt;br /&gt;Lauer acknowledges that compliance with compliance terms and conditions in an agreement is&lt;br /&gt;a subset of the obligations which a company has to outsiders. Such outsiders can include&lt;br /&gt;governmental authorities and lenders. However, contract requirements “may be the most specific&lt;br /&gt;and relevant on a day-to-day basis.” Therefore, from the substantive contract compliance prong,&lt;br /&gt;a company must ensure proper performance of its agreements and that individuals administering&lt;br /&gt;the agreement understand its obligations. Once again, in the context of FCPA compliance, it may&lt;br /&gt;require a Contractor to require its subcontractors to have a compliance program in place; require a&lt;br /&gt;Contractor to train its subcontractors’ employees on basic FCPA compliance; and to audit a&lt;br /&gt;subcontractor’s FCPA compliance component.&lt;br /&gt;William Athanas has recently written an article advocating the proactive use of the results of a&lt;br /&gt;company’s FCPA compliance program, in his article “Demonstrating “Systemic Success” in&lt;br /&gt;FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government&lt;br /&gt;Investigations . . . Before They Begin.” He makes clear that if your compliance program does not&lt;br /&gt;document its successes there is simply no evidence that it has succeeded. Just as this would be&lt;br /&gt;true in any Department of Justice investigation, it would be equally true if a Contractor is audited&lt;br /&gt;by its contracting counter-parties. 
So, as always, the key is to document, document and document.&lt;br /&gt;Lauer notes that an effective compliance department should not replicate other corporate&lt;br /&gt;functions; rather, it creates mechanisms that implement and then track the performance of those&lt;br /&gt;other units in respect of those activities regarding a company’s compliance with the various&lt;br /&gt;behavioral expectations that apply to its operations. Some of those expectations arise externally&lt;br /&gt;and others are created internally. FCPA compliance terms and conditions can arise from these&lt;br /&gt;external expectations.&lt;br /&gt;Lauer ends by stating his belief that by creating an ongoing FCPA compliance-assurance&lt;br /&gt;mechanism a company can, among other things, strengthen its competitive posture and improve&lt;br /&gt;the overall ethical culture of an organization. Further, these benefits will serve as more than&lt;br /&gt;simply a preventative; they will allow a compliance department to better realize its company’s&lt;br /&gt;business objectives and continue the company’s revenue stream.&lt;br /&gt;We believe that Lauer’s article points out some issues which are not often considered in regard to&lt;br /&gt;FCPA compliance. We hope his article will give you pause for thought on yet another role for&lt;br /&gt;your compliance department.&lt;br /&gt;This publication contains general information only and is based on the experiences and research&lt;br /&gt;of the author. The author is not, by means of this publication, rendering business, legal advice,&lt;br /&gt;or other professional advice or services. This publication is not a substitute for such legal advice&lt;br /&gt;or services, nor should it be used as a basis for any decision or action that may affect your&lt;br /&gt;business. Before making any decision or taking any action that may affect your business, you&lt;br /&gt;should consult a qualified legal advisor. 
The author, his affiliates, and related entities shall not&lt;br /&gt;be responsible for any loss sustained by any person or entity that relies on this publication. The&lt;br /&gt;Author gives his permission to link, post, distribute, or reference this article for any lawful&lt;br /&gt;purpose, provided attribution is made to the author. The author can be reached at&lt;br /&gt;tfox@tfoxlaw.com.&lt;br /&gt;&lt;br /&gt;© Thomas R. Fox, 2011&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7671480793288463795?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7671480793288463795/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/role-of-fcpa-compliance-in-contractual_18.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7671480793288463795'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7671480793288463795'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/role-of-fcpa-compliance-in-contractual_18.html' title='The Role of FCPA Compliance in Contractual Responsibilities'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5257383777059422263</id><published>2011-04-18T07:57:00.000-07:00</published><updated>2011-04-18T07:57:56.919-07:00</updated><title type='text'>The Role of FCPA Compliance in Contractual Responsibilities | Thomas Fox - JDSupra</title><content type='html'>&lt;a href="http://www.jdsupra.com/post/documentViewer.aspx?fid=a3f0eb42-8ddd-4ba8-97ef-625e2075a35f&amp;amp;utm_campaign=SecuritiesLaw&amp;amp;utm_source=twitterfeed&amp;amp;utm_medium=twitter"&gt;The Role of FCPA Compliance in Contractual Responsibilities | Thomas Fox - JDSupra&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5257383777059422263?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.jdsupra.com/post/documentViewer.aspx?fid=a3f0eb42-8ddd-4ba8-97ef-625e2075a35f&amp;utm_campaign=SecuritiesLaw&amp;utm_source=twitterfeed&amp;utm_medium=twitter' title='The Role of FCPA Compliance in Contractual Responsibilities | Thomas Fox - JDSupra'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5257383777059422263/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/role-of-fcpa-compliance-in-contractual.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5257383777059422263'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5257383777059422263'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/role-of-fcpa-compliance-in-contractual.html' title='The Role of FCPA Compliance in Contractual Responsibilities | Thomas Fox - JDSupra'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4954954216871147780</id><published>2011-04-18T04:02:00.000-07:00</published><updated>2011-04-18T04:02:42.483-07:00</updated><title type='text'>Security fears still an obstacle to cloud adoption</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10909"&gt;Security fears still an obstacle to cloud adoption&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4954954216871147780?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10909' title='Security fears still an obstacle to cloud adoption'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4954954216871147780/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/security-fears-still-obstacle-to-cloud.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4954954216871147780'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4954954216871147780'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/security-fears-still-obstacle-to-cloud.html' title='Security fears still an obstacle to cloud adoption'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-483306635613734414</id><published>2011-04-12T13:51:00.000-07:00</published><updated>2011-04-12T13:51:29.653-07:00</updated><title type='text'>Breach in Texas comptroller’s office exposes 3.5 million Social Security numbers, birth dates | Texas Regional News - News for Dallas, Texas - The Dallas Morning News</title><content type='html'>&lt;a href="http://www.dallasnews.com/news/state/headlines/20110411-breach-in-texas-comptrollers-office-exposes-3.5-million-social-security-numbers-birth-dates.ece"&gt;Breach in Texas comptroller’s office exposes 3.5 million Social Security numbers, birth dates | Texas Regional News - News for Dallas, Texas - The Dallas Morning News&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-483306635613734414?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.dallasnews.com/news/state/headlines/20110411-breach-in-texas-comptrollers-office-exposes-3.5-million-social-security-numbers-birth-dates.ece' title='Breach in Texas comptroller’s office exposes 3.5 million Social Security numbers, birth dates | Texas Regional News - News for Dallas, Texas - The Dallas Morning News'/><link rel='replies' type='application/atom+xml' 
href='http://datasecuritycompliance.blogspot.com/feeds/483306635613734414/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/breach-in-texas-comptrollers-office.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/483306635613734414'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/483306635613734414'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/breach-in-texas-comptrollers-office.html' title='Breach in Texas comptroller’s office exposes 3.5 million Social Security numbers, birth dates | Texas Regional News - News for Dallas, Texas - The Dallas Morning News'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6713116061322802147</id><published>2011-04-11T12:15:00.000-07:00</published><updated>2011-04-11T12:15:13.096-07:00</updated><title type='text'>Government-owned credit cards compromised in contractor breach</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10875"&gt;Government-owned credit cards compromised in contractor breach&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6713116061322802147?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10875' title='Government-owned credit cards compromised in contractor 
breach'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6713116061322802147/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/government-owned-credit-cards.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6713116061322802147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6713116061322802147'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/government-owned-credit-cards.html' title='Government-owned credit cards compromised in contractor breach'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4901528807635707733</id><published>2011-04-07T06:19:00.000-07:00</published><updated>2011-04-07T06:19:07.901-07:00</updated><title type='text'>EFF slaat alarm over onveilige SSL-certificaten | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/106290/eff-slaat-alarm-over-onveilige-ssl-certificaten.html"&gt;EFF slaat alarm over onveilige SSL-certificaten | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4901528807635707733?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://webwereld.nl/nieuws/106290/eff-slaat-alarm-over-onveilige-ssl-certificaten.html' title='EFF slaat alarm over onveilige SSL-certificaten | 
Webwereld'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4901528807635707733/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/eff-slaat-alarm-over-onveilige-ssl.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4901528807635707733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4901528807635707733'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/eff-slaat-alarm-over-onveilige-ssl.html' title='EFF slaat alarm over onveilige SSL-certificaten | Webwereld'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7305759408013746241</id><published>2011-04-04T06:54:00.000-07:00</published><updated>2011-04-04T06:54:20.741-07:00</updated><title type='text'>Multiple vulnerabilities in IBM Tivoli Directory Server</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10842&amp;amp;utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;amp;utm_content=Google+International"&gt;Multiple vulnerabilities in IBM Tivoli Directory Server&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7305759408013746241?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' 
href='http://www.net-security.org/secworld.php?id=10842&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;utm_content=Google+International' title='Multiple vulnerabilities in IBM Tivoli Directory Server'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7305759408013746241/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/multiple-vulnerabilities-in-ibm-tivoli.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7305759408013746241'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7305759408013746241'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/multiple-vulnerabilities-in-ibm-tivoli.html' title='Multiple vulnerabilities in IBM Tivoli Directory Server'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8825997389790424732</id><published>2011-04-04T04:09:00.001-07:00</published><updated>2011-04-04T04:09:59.018-07:00</updated><title type='text'>Basel III kan concurrentiepositie grote Nederlandse banken aantasten</title><content type='html'>Gebaseerd op: Banking Review (februari/maart 2011)&lt;br /&gt;&lt;br /&gt;Langzaamaan wordt duidelijk wat de effecten van Basel III zijn op het bancaire landschap. Voor Nederland betekent het bijvoorbeeld dat de banken onder de hoogste kapitaaleisen van Basel III vallen. 
En dat wil zeggen dat de concurrentiepositie van de Nederlandse banken mogelijk aangetast wordt. &lt;br /&gt;&lt;br /&gt;De aangescherpte kapitaaleisen van het Basel III-akkoord hebben grote implicaties voor banken wereldwijd en zullen dan ook een impact hebben op strategische besluitvorming. Mogelijke gedragsalternatieven voor banken zijn dan ook: het aantrekken van nieuw aandelenkapitaal; vermindering van de activa op de balans (bijvoorbeeld door verkoop van bedrijfsonderdelen); het veranderen van bedrijfsonderdelen of de onderlinge relatie met dochterondernemingen en minderheidsbelangen; herverdelingen aan de activazijde van de balans, waarbij risicovollere investeringen worden omgezet in veiliger, lager renderende investeringen. &lt;br /&gt;&lt;br /&gt;Een ander gevolg is dat de grootste banken wellicht niet de grote winnaars zijn van al deze ontwikkelingen. Toezichthouders werken nog steeds aan het probleem van 'too big to fail' en zullen mogelijk de grootste banken ontmoedigen verder te groeien door acquisities. 
En dat heeft weer gevolgen voor de grote Nederlandse banken.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8825997389790424732?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8825997389790424732/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/basel-iii-kan-concurrentiepositie-grote.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8825997389790424732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8825997389790424732'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/basel-iii-kan-concurrentiepositie-grote.html' title='Basel III kan concurrentiepositie grote Nederlandse banken aantasten'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1705575162387572526</id><published>2011-04-04T04:06:00.000-07:00</published><updated>2011-04-04T04:07:05.939-07:00</updated><title type='text'>Nieuwe boekhoudregels (IFRS) kost sector miljarden</title><content type='html'>04 apr 2011 - &lt;br /&gt;&lt;br /&gt;Leven-, schade- en zorgverzekeraars denken dat de invoering van nieuwe wereldwijde boekhoudregels de sector miljarden gaat kosten. Maar vooral de consument zal de rekening van de invoering van IFRS betalen. 
&lt;br /&gt;&lt;br /&gt;Gerelateerd:&lt;br /&gt;&lt;br /&gt;Nog lang geen IFRS, maar trainers plukken wel de vruchten &lt;br /&gt;IFRS voor niet-beursgenoteerde ondernemingen&lt;br /&gt;Dat leidt DFT af uit het KPMG rapport The New World for Insurance. De nieuwe standaard voor financiële verslaggeving onder International Financial Reporting Standards (IFRS) is bedoeld om de resultaten van verzekeraars uit meer dan 120 landen gemakkelijker te kunnen vergelijken. De richtlijn, die vermoedelijk in juni wordt gepresenteerd, verplicht verzekeraars cijfers te rapporteren en de onderneming op marktwaarde weer te geven. &lt;br /&gt;&lt;br /&gt;Actualiseren&lt;br /&gt;Verzekeringsverplichtingen moeten op elke rapportagedatum geactualiseerd worden naar de laatste inzichten rond sterftetrends, kosten, rendementsgaranties en rentecurve. De huidige methode gaat uit van de originele tariefgrondslag en een vaste disconteringsvoet&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1705575162387572526?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1705575162387572526/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/nieuwe-boekhoudregels-ifrs-kost-sector.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1705575162387572526'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1705575162387572526'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/nieuwe-boekhoudregels-ifrs-kost-sector.html' title='Nieuwe boekhoudregels (IFRS) kost sector miljarden'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-237092054058888772</id><published>2011-04-03T13:57:00.000-07:00</published><updated>2011-04-03T13:58:35.808-07:00</updated><title type='text'>What Basel III Means for Corporates</title><content type='html'>Jaco Boere, Zanders, Treasury &amp; Finance Solutions - 31 Mar 2011 &lt;br /&gt;This article examines the Basel III agreement and looks at what this might mean for corporates who primarily use bank finance for their funding.&lt;br /&gt;&lt;br /&gt;How useful was this article?&lt;br /&gt;(5=high)&lt;br /&gt;1 2 3 4 5  &lt;br /&gt;      &lt;br /&gt; &lt;br /&gt;People who read this article also recently read:&lt;br /&gt;Payment Factory Trends in Europe&lt;br /&gt;&lt;br /&gt;The Role of A/R in Optimising Working Capital&lt;br /&gt;&lt;br /&gt;How Can Corporates Gain End-to-end Visibility Over Cash Flows?&lt;br /&gt;&lt;br /&gt;Focus on Receivables and Payables to Enhance Cash Position&lt;br /&gt;&lt;br /&gt;Supply Chain Finance Blog: Part 8&lt;br /&gt; &lt;br /&gt;Email this article&lt;br /&gt;recipient email:  &lt;br /&gt;  &lt;br /&gt; &lt;br /&gt;Comment on this Article:&lt;br /&gt;Add your question/ comment&lt;br /&gt; &lt;br /&gt;Following the financial crisis, it became clear that the concept of Basel II, which became effective in February 2008, had severe shortcomings and that there was a need for greater change in banking regulation and supervision. 
On 12 September 2010, the Basel Committee on Banking Supervision (BCBS) endorsed a new regulatory capital and liquidity regime - Basel III.&lt;br /&gt;&lt;br /&gt;Addressing Liquidity Risk &lt;br /&gt;The focus of the new regime is mostly on the liability side of the bank’s balance sheet. It will address the issues revealed under Basel II, including over-leverage and liquidity risk caused by mismatches of the asset tenor relative to the funding tenor. Basel III will also change the requirements for the bank’s core capitalisation, which will have to be maintained at a level relative to their risk weighted assets (RWAs). &lt;br /&gt;&lt;br /&gt;Table 1 provides an overview of the differences between Basel II and Basel III for the minimum required levels of capital.&lt;br /&gt;&lt;br /&gt;Table 1: Basel II Versus Basel III&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Using a phased approach, the additional requirements don't just affect capital quality and capital requirements, but leverage, liquidity and net stable funding ratio requirements will also be introduced for banks. The objective is to increase the loss-absorbing capital capacity of the banks relative to their RWAs and to strengthen the banks' balance sheets so that they are better able to withstand periods of economic downturn.&lt;br /&gt;&lt;br /&gt;Although the definition for capitalisation will be strengthened and the ratios will also be raised under Basel III, the definition of RWA is largely based on the current Basel II requirement, except for some elements of counterparty credit risk and equity. In essence, the RWA definition means that the banks will have to maintain higher degrees of capital buffers against riskier assets according to risk weights. Low-risk assets could be held with minimum capital levels and therefore allow a higher gearing. 
However, ratings and risk weightings have not always proved to be reliable in assessing true underlying credit risk - as shown by the structured finance and securitisation bubble. &lt;br /&gt;&lt;br /&gt;The new standards will be implemented and become effective through a staged approach between 2013 and 2019. &lt;br /&gt;&lt;br /&gt;What Effect Will Basel III Have on Corporates?&lt;br /&gt;The effect of Basel III for an individual bank, and how it will translate into products and pricing offered, will be dependent on its current capitalisation ratios, as well as its business profile and the composition of its asset portfolios. In general, banks will likely have to allocate more capital (deleverage) and liquid assets across their business, as well as use more stable sources of funding, to meet the new Basel III requirements. This is expected to lead to a general increase in capital and funding costs for banks. Although banks may try to improve their operational efficiency, fine tune their models and optimise their asset segmentation, it's likely that they will pass some of the additional cost to their customers to preserve the same level of returns. This will imply that, for corporates, on and off balance sheet banking products that require a higher capital allocation or have a relative higher weighting in the ratios for a bank will likely become more expensive. However, it can also be argued that Basel III requirements will alter and reduce the risk profile of a bank and therefore they may settle for lower returns.&lt;br /&gt;&lt;br /&gt;Corporate treasurers may be affected by the consequences of Basel III on banks in a number of ways, obviously mostly on the borrowing side, but other product categories will also be affected.&lt;br /&gt;&lt;br /&gt;An interesting point may be that bond financing or, more generally speaking, non-bank financing for corporates may gain further attractiveness under Basel III relative to bank financing. 
This is a trend that has already been observed during the recent crisis. &lt;br /&gt;&lt;br /&gt;First, there is a difference in the liquidity treatment for the determination of the liquidity coverage ratio (LCR). Banks will have to hold 30 days liquidity net cash outflow in liquid assets. High-quality corporate bonds are considered to be liquid assets in the context of the LCR, since they can be easily converted into cash, whereas bank or non-public debt is less liquid and therefore is treated less favourably. &lt;br /&gt;&lt;br /&gt;Second, the LCR may also have an unfavourable effect on the revolving style of corporate credit and liquidity facilities. Commitment for stand-by revolving committed credit facilities is expected to become more expensive, particularly liquidity back-stop facilities for commercial paper programmes given their unfavourable treatment under the LCR, which can require banks to hold up to a 100% liquid assets buffer for any undrawn part, depending on the nature of the facility.&lt;br /&gt;&lt;br /&gt;Third, it is also expected that corporate bank lending will face a relatively higher increase in interest margins compared to non-bank lending because of Basel III. Because the non-bank debt market may also attract other types of investors that are not subject to the new Basel III requirements, these investors may have a competitive advantage compared to banks. This may particularly impact the smaller corporates that either do not have access to this market or do not have a good credit standing, and therefore are predominantly dependent on bank debt as source of debt financing. For those corporates that do not have a credit rating it will become important to have an understanding how a bank perceives their credit risk and also make sure a bank perceives it correctly. 
They also should have notion about how a bank will price the associated credit risk in relation to the term and the characteristics of the credit facility, and the effect of collaterals and securities provided. The attractiveness of the deal will play an important role for the bank. In any case, bank finance will likely become more expensive, particularly for corporates that have a lower credit standing. &lt;br /&gt;&lt;br /&gt;Corporate short-term investments will also be impacted by Basel III. In relation to the LCR and the net stable funding ratio (NSFR), a corporate bank deposit, depending on the conditions, is typically considered as a less stable type of funding for a bank and will have a lower weighting compared to other sources of funding for a bank. Therefore corporate deposits, especially the ones with a very short term, will likely be less attractive to banks under Basel III than previously. &lt;br /&gt;&lt;br /&gt;The NSFR and the related matched funding requirement are also expected to lead to relatively higher prices for facilities and loans with longer terms. &lt;br /&gt;&lt;br /&gt;Another product category that will be notably hit by the new requirements is off-balance sheet products, particularly trade finance products such as letters of credit (LCs). Any of these off-balance sheet commitments will have a high credit conversion factor against the threshold for the leverage ratio. &lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;Overall there is uncertainty about the consequences of Basel III and how banks will respond to it. Banks shall alter their strategy and may redefine their 'sweet spots'. It will also very much depend on the extent a bank can already meet the additional Basel III requirements and whether or not it will have to raise additional capital. Also, non-bank financial institutions may start to play a more active role as they are beyond the scope of the Basel III requirements, which may give them a competitive advantage. 
&lt;br /&gt;&lt;br /&gt;In response to Basel III, banks will increasingly assess the total return on a customer in relation to its credit risk position and the capital a bank will have to allocate. Using a bank’s asset side of the balance sheet under Basel III will likely come at a higher price for corporates, who will either have to be compensated by a higher interest margin or reward ancillary business to the credit providing banks. It will be likely that bank relations will be more and more driven by credit, particularly for corporates that (have to) rely heavily on bank finance as a source of overall funding. It will therefore become even more important for corporates to understand their total banking wallet and how these products affect the capital that banks have to allocate for Basel III.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-237092054058888772?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/237092054058888772/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/what-basel-iii-means-for-corporates.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/237092054058888772'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/237092054058888772'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/what-basel-iii-means-for-corporates.html' title='What Basel III Means for Corporates'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5790457704064592143</id><published>2011-04-03T13:52:00.000-07:00</published><updated>2011-04-03T13:54:24.380-07:00</updated><title type='text'>SEPA: A Core Issue Checklist for Corporates</title><content type='html'>Karsten Becker, Deutsche Bank - 29 Mar 2011 &lt;br /&gt;This article is a back-to-basics approach on the core issues surrounding the single euro payments area (SEPA), explaining what corporates need to do when implementing a SEPA project.&lt;br /&gt;&lt;br /&gt;How useful was this article?&lt;br /&gt;(5=high)&lt;br /&gt;1 2 3 4 5  &lt;br /&gt;      &lt;br /&gt; &lt;br /&gt;People who read this article also recently read:&lt;br /&gt;SEPA: What Corporates Should Expect From Their Banks&lt;br /&gt;&lt;br /&gt;Payment Factory Trends in Europe&lt;br /&gt;&lt;br /&gt;Companies Neglect Risks in Supplier Financing&lt;br /&gt;&lt;br /&gt;SEPA Implementation for Corporates: A Chore or an Opportunity?&lt;br /&gt;&lt;br /&gt;SEPA: Increasing Direct Debit Risk?&lt;br /&gt; &lt;br /&gt;Email this article&lt;br /&gt;recipient email:  &lt;br /&gt;  &lt;br /&gt; &lt;br /&gt;Comment on this Article:&lt;br /&gt;"Dear Mr. Becker, thank you for your interesting article. Is it possible to get in touch with you fo..."&lt;br /&gt;&lt;br /&gt;Add your question/ comment&lt;br /&gt; &lt;br /&gt;On 16 December 2010, the European Commission (EC) published a proposal for regulating the end dates for single euro payments area (SEPA) migration. 
Although still under review, the regulation is expected to come into force late this year or early next year, which would mean that existing domestic credit transfers could be decommissioned as early as 2012/13 and direct debits as early as 2013/14, effectively replaced by SEPA instruments.&lt;br /&gt;&lt;br /&gt;With the end dates in sight, many corporates are asking fundamental questions:&lt;br /&gt;&lt;br /&gt;•What does this mean for my company?&lt;br /&gt;•When does my company need to be ready?&lt;br /&gt;•What steps does my company need to take?&lt;br /&gt;What has become clear is that no company will escape SEPA. However, the impact will vary from one company to the next - the project could be quick and easy, or complex and time consuming. &lt;br /&gt;&lt;br /&gt;For example, a company that uses mainly domestic credit transfers may only need to obtain International Bank Account Numbers (IBANs) and Bank Identifier Codes (BICs), and its bank will provide format conversion services; whereas implementing SEPA Direct Debits (SDDs) requires more work. Companies active in a number of European countries will also face greater complexity because the process for obtaining IBANs/BICs will vary from country to country. &lt;br /&gt;&lt;br /&gt;By going through a checklist of features that may be applicable, a company can get a sense of the project’s complexity.&lt;br /&gt;&lt;br /&gt;Setting Up a SEPA Project Team&lt;br /&gt;As a result of the proposed regulation, the industry is likely to be looking at rather tight implementation timeframes for SEPA Credit Transfers (SCTs) and for SDDs. Corporates should start planning and budgeting now, in order to get the project into this year’s budget cycle. A positive effect of a regulated end date is that it will be easier to get funding because the project is now a regulatory one, rather than one that requires a business case. 
&lt;br /&gt;&lt;br /&gt;At the outset, a company should perform a high-level analysis and then put together a project team that is responsible for implementing SEPA migration.&lt;br /&gt;&lt;br /&gt;Project Manager: Ensuring all potentially affected departments are involved&lt;br /&gt;&lt;br /&gt;Finance department:&lt;br /&gt;&lt;br /&gt;•Invoicing - add IBAN/BICs.&lt;br /&gt;•Accounting, accounts receivable (A/R), accounts payable (A/P) - account reconciliation/capture IBANs and BICs/update database.&lt;br /&gt;•Investigations (client inquiries).&lt;br /&gt;•Treasury: enterprise resource planning (ERP) impact/liquidity management/bank relationships.&lt;br /&gt;Other affected departments:&lt;br /&gt;&lt;br /&gt;•Sales/procurement - inform business partners/potentially new contacts/new forms.&lt;br /&gt;•Customer service - SEPA-specific client questions.&lt;br /&gt;•Human resources (HR) - salary and benefit payments.&lt;br /&gt;•Legal - mandate migration/change contracts if collection via SDD.&lt;br /&gt;•External partners - e.g. call centres.&lt;br /&gt;The SEPA Project Checklist &lt;br /&gt;The following checklist is an illustration of potential considerations only and cannot outline all possible ‘to dos’. What a corporate needs to do will, of course, vary greatly from one company to the other.&lt;br /&gt;&lt;br /&gt;Strategic analysis&lt;br /&gt;When a corporate examines SEPA from a strategic perspective, this poses the question of whether to centralise payments and collections. SEPA is another driver that encourages the trend towards a centralised structure because it harmonises cross-border payment processes. &lt;br /&gt;&lt;br /&gt;If a corporate does decide to create a payment or collection factory, then the project takes on a much larger dimension. 
&lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Analyse set-up of accounts and cash management structures and systems landscape in Europe.&lt;br /&gt;•Check account centralisation and system consolidation potential.&lt;br /&gt;•Assess and quantify benefits.&lt;br /&gt;A second question has to do with timing - does the corporate want to be one of the first movers or the last? With the end date taking shape, that question is not posed as sharply. But most can’t migrate immediately because of the preparation needed in advance of migration. For this reason, the bulk of SCT migration is expected to occur in the second half of 2012.&lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Analyse migration complexity.&lt;br /&gt;•Clarify SEPA-interest of business partners.&lt;br /&gt;•Determine own migration strategy.&lt;br /&gt;•Proactive, or wait-and-see?&lt;br /&gt;•Credit transfers and direct debits together or separately?&lt;br /&gt;•All countries at once, or one by one?&lt;br /&gt;A third question revolves around a format strategy - does the company want to switch its payment formats to XML now, or continue to rely on bank conversion services? Today, all banks recommend XML as the format of the future, but this change has an impact on the corporate’s ERP systems and connectivity because XML files tend to be much larger than domestic equivalents. &lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Analyse which formats are currently in use.&lt;br /&gt;•Set timing of XML migration or keep other global formats and adjust for SEPA.&lt;br /&gt;•Assess availability of temporary solutions (banks’ conversion capabilities differ) - if required.&lt;br /&gt;•Check if a new release is needed from external system provider to obtain the XML module.&lt;br /&gt;The corporate should also map its infrastructural changes, particularly for pan-European companies that have grown through mergers and acquisitions (M&amp;As). Often such a company will have many ERP systems or treasury workstations. 
A varied landscape makes it more difficult for a company to analyse whether all systems allow for IBANs, for example, or if the company needs to upgrade. A corporate could use this opportunity to streamline its systems landscape.&lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Identify affected systems.&lt;br /&gt;•Check the preconditions for and the availability of SEPA-upgrades/modules with vendor(s).&lt;br /&gt;•Is a new release required?&lt;br /&gt;•Define specifications and timelines for own system adjustments.&lt;br /&gt;•Interface analysis and plans for adjustments.&lt;br /&gt;•Planning and conducting tests. &lt;br /&gt;Another by-product of a SEPA migration project is the chance to reduce the number of banking relationships. The question of how many banking relationships are optimal grows in importance, because if a company can make local payments from a central account in another country, does it still need a local bank? &lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Check if and by when relationship banks will offer SCT and SDD.&lt;br /&gt;•Compare SEPA requirements with banks’ SEPA capabilities - submit request for proposal (RFP) for SEPA transactions.&lt;br /&gt;•Analyse what value-added services are on offer.&lt;br /&gt;•Determine which banks to use in SEPA.&lt;br /&gt;Migrating to IBAN and BIC&lt;br /&gt;The first hurdle for most companies is the basic question of how to obtain IBANs and BICs. Should a company go directly to its counterparty if it only has a few, or should it use the format conversion services that banks or third parties offer? &lt;br /&gt;&lt;br /&gt;There are local solutions in each country, which tend to be relatively inexpensive, but if a company has to convert in 30 countries, then it can become quite cumbersome to oversee 30 different processes. Therefore, it might be better to use a third party; however, vendors tend to be more expensive. 
Deutsche Bank often recommends that clients use domestic conversion services for high-volume countries, because they are inexpensive, and use a vendor for the countries where they have relatively few IBANs to convert.&lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Determine how to obtain the corresponding IBANs and BICs: directly from counterparties (contact them) or indirectly via local conversion service?&lt;br /&gt;•Decide how to communicate own IBAN and BIC.&lt;br /&gt;•When and where should this information appear?&lt;br /&gt;•Make the required changes to invoices and other forms.&lt;br /&gt;•Prepare customer service to answer questions, such as: “What is an IBAN? Where do I find it? What is it used for?”&lt;br /&gt;The next step is to determine the technical impact of converting, so a corporate needs to understand which of its current systems are able to handle IBANs and BICs. &lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Identify all systems that contain account numbers and bank codes.&lt;br /&gt;•Adjust field lengths to IBAN and BIC.&lt;br /&gt;•Decide how to enter IBAN and BIC into the systems. &lt;br /&gt;•File uploads, document scans and/or manual input.&lt;br /&gt;•Potentially develop IBAN checks to be applied during capture - at a minimum, validate the IBAN check digits on entry, so that a mistyped or altered account number is rejected before it ends up in a master record or a payment file.&lt;br /&gt;Payment detail field&lt;br /&gt;Under SEPA, the payment detail field is only 140 characters long, which may be shorter than corporates are accustomed to today. Particularly in the B2B space, most companies include a lot of payment detail because they pay more than one invoice at a time. 
Corporates need to either adjust their payment patterns by breaking them down into more than one payment, or maybe think about how to shorten the information they provide.&lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Check the length of the payment details fields used by country.&lt;br /&gt;•Adjust length and content.&lt;br /&gt;•Allowed characters are numbers, letters and special signs.&lt;br /&gt;•Think about using the orderer/creditor (end-to-end) reference field for certain information (e.g. contract number).&lt;br /&gt;Optional originator/creditor reference field&lt;br /&gt;SEPA payments also include an optional creditor reference field for the sender. If a creditor wants to receive specific information, for example an invoice number, this additional 35-character field can be used. &lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Determine if this field is needed.&lt;br /&gt;•Define content.&lt;br /&gt;•Allowed characters are numbers, letters and special signs.&lt;br /&gt;•Establish reconciliation processes based on reference number.&lt;br /&gt;Optional purpose codes&lt;br /&gt;In addition, optional purpose codes can help the beneficiary identify the payment type, e.g. salary, phone bill, etc. This is relevant if the beneficiary asks for this information, in order to categorise incoming payments. &lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Check with your counterparties if they require purpose codes (and which ones).&lt;br /&gt;•Find out if their bank supports purpose codes.&lt;br /&gt;•Define own processes when receiving purpose codes.&lt;br /&gt;Category purpose code&lt;br /&gt;The category purpose code is another optional field, which allows the sender to designate the way that their payment is processed. For example, a company’s payments are normally all executed overnight with the standard SCT and maybe all booked individually. However, the company may want its salary payments to be executed the same day and booked in bulk. 
&lt;br /&gt;&lt;br /&gt;Therefore, it could use the category purpose code for salary payments to indicate to its bank that these are salary payments. The company could set up a standing instruction so that when it sends a file with this category purpose code, the bank knows to book them in bulk and execute on the same day. &lt;br /&gt;&lt;br /&gt;The category purpose code is also optional for the bank, so a corporate needs to ensure that its bank offers this service.&lt;br /&gt;&lt;br /&gt;To dos: &lt;br /&gt;•Determine the need for special processing options, e.g. for salary payments.&lt;br /&gt;•Indicate these options in the file.&lt;br /&gt;Reference party field&lt;br /&gt;Lastly, there is a reference party field - also called an ‘on behalf of’ field - which is relevant for payment/collection factories. For example, if Company ABC Germany is making a payment on behalf of its subsidiary in France, it has a separate field so it doesn’t need to fill up the limited space in the payment detail field.&lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Check if making on-behalf-of payments or collections today/want to use them in the future.&lt;br /&gt;•If the information is supplied today, potentially migrate it to the new fields (maximum 70 characters).&lt;br /&gt;•Define the processes and inform counterparties.&lt;br /&gt;Additional Preparation for SCT Only&lt;br /&gt;Execution and cut-off times&lt;br /&gt;As a result of the Payment Services Directive (PSD), the execution time will change - so corporates need to be aware of this for time-sensitive payments, such as salaries. Currently, it is a maximum of two days for an SCT, but from 2012 it will be only one day. This should help in liquidity planning because the payer will be certain that the payment will reach the beneficiary by the next day. &lt;br /&gt;&lt;br /&gt;Cut-off times may change in comparison to what corporates are accustomed to for domestic equivalents. 
They will vary from bank to bank, but it’s important for corporates to be aware that this is changing in case they have to submit payments earlier.&lt;br /&gt;&lt;br /&gt;To dos: &lt;br /&gt;•Analyse what time-critical transactions are made today (e.g. salary, benefit/social security, etc).&lt;br /&gt;•Define whether processes for executing these payments need to be adjusted.&lt;br /&gt;•Determine processing preferences.&lt;br /&gt;•Adjust file-submission processes to account for different cut-off times.&lt;br /&gt;Additional Preparation for SDD Only&lt;br /&gt;Mandate management&lt;br /&gt;With SDD, corporates will need to manage received direct debit mandates. Today, some countries operate a debtor mandate flow, which means that the mandate goes to the debtor bank rather than the creditor. With SDD, it is a creditor mandate flow, which means that the creditor must physically keep the paper mandate. From an operational perspective, large direct debit users in countries such as France and Belgium must design internal processes to cope with these paper mandates. In addition, corporates will need to make the mandate data electronic, because certain mandate elements will have to be submitted with every SDD to the bank. Because the signed mandate is held by the creditor rather than the bank, and it contains the debtor’s account details, access to the mandate archive - paper and electronic - should be restricted and its retention period defined. &lt;br /&gt;&lt;br /&gt;Mandate number&lt;br /&gt;Corporates now need to give every mandate a number. They are free to generate the mandate number, with a maximum of 35 characters, however they want. It could be a contract number, a client number, or just an ascending or descending number. Deutsche Bank recommends using something that is similar to a client number, so it is easy to recognise which client’s mandate it is. &lt;br /&gt;&lt;br /&gt;To dos: &lt;br /&gt;•Generate the mandates.&lt;br /&gt;•Determine mandate form.&lt;br /&gt;•Create the text in required language(s).&lt;br /&gt;•Potentially print and mail the mandates.&lt;br /&gt;•Choose mandate reference (e.g. 
contract numbers, ascending numbers, etc).&lt;br /&gt;•Generate mandate reference (maximum 35 characters).&lt;br /&gt;•Add them to mandates or communicate them to clients afterwards.&lt;br /&gt;•Check mandate-management options. &lt;br /&gt;•Physical storage/scanning.&lt;br /&gt;•Save mandate data in mandate database.&lt;br /&gt;•Define processes for mandate administration (e.g. capture of new mandates, changes to existing mandates, ordering of copies, etc).&lt;br /&gt;•Alternative: outsourcing.&lt;br /&gt;Creditor identifier&lt;br /&gt;Corporates also need to obtain a creditor identifier, which uniquely identifies each creditor through an alpha-numeric code, rather than relying on a name, which can vary. Where a corporate can get this ID varies from country to country - in Germany, for example, it is done through a central service by the central bank.&lt;br /&gt;&lt;br /&gt;The combination of creditor identifier and mandate number allows each debtor bank to uniquely identify an incoming direct debit. &lt;br /&gt;&lt;br /&gt;To dos: &lt;br /&gt;•Obtain creditor identifier.&lt;br /&gt;•One identifier or separate ones for different legal entities?&lt;br /&gt;•Potentially use creditor business code within the ID to distinguish separate entities or departments so that only one ID is needed.&lt;br /&gt;Submission deadlines&lt;br /&gt;SDD submission deadlines are five days for the initial direct debit prior to due date, and then two days for recurring core SDDs. For business-to-business (B2B) SDDs, it is only one day before due date. This difference will have a significant impact on internal processes, in terms of when corporates will need to submit those files to their banks to ensure they make the due date. &lt;br /&gt;&lt;br /&gt;It becomes even more complicated if corporates send mixed files with initial and recurring SDDs. Their banks may split them and the corporate could see two separate bookings. 
&lt;br /&gt;&lt;br /&gt;The five-day submission deadline will be a pain point for online and point-of-sale (POS) retailers because in some countries, such as Germany, they can create a direct debit and submit it to their bank on one day, and it is settled the next day. The longer submission deadlines will impact liquidity and risk management around direct debits.&lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Setting of due date.&lt;br /&gt;•Ensure the debtor is informed in advance.&lt;br /&gt;•Define/adjust submission processes, taking into account the deadlines.&lt;br /&gt;•Five days for first/one-off transactions; two days for recurring ones.&lt;br /&gt;•Define/adjust booking processes/options.&lt;br /&gt;Return transactions&lt;br /&gt;For return transactions (R-transactions), SDDs have different codes on the account statement. Normally, a corporate sees the reason and then decides whether to generate a new direct debit, call the client, or a number of other actions. If an automated process is in place, they may have to re-program their system based on these new return reason codes. &lt;br /&gt;&lt;br /&gt;To dos:&lt;br /&gt;•Analyse the return reasons and compare with today’s situation.&lt;br /&gt;•Adjust reconciliation process to account for the new text keys.&lt;br /&gt;•Define strategy for each reason code: &lt;br /&gt;•Resubmit?&lt;br /&gt;•Contact debtor?&lt;br /&gt;•Sell to collection agency?&lt;br /&gt;Conclusion: There is No Escape from SEPA&lt;br /&gt;SEPA will affect every company - but to what extent is dependent on a number of factors. Even for a company that only needs to obtain IBANs and BICs, which seems rather easy, that work still needs to be done. The company will need to enter IBANs and BICs into its treasury system in order to properly generate SEPA payment files. &lt;br /&gt;&lt;br /&gt;For the majority of corporates, particularly the mid-tier and larger companies, a SEPA migration project may require a considerable amount of preparation. 
&lt;br /&gt;&lt;br /&gt;Based on the above checklist, each corporate should go through its own project and analyse the relevant aspects to consider in its migration to SEPA. Once it has a laundry list of all the potential ‘to dos’, then it can start to plan how long it will take and how much it may cost. Corporates need to start on or accelerate their SEPA journey now that the end dates are in sight.&lt;br /&gt;&lt;br /&gt;To read more from Deutsche Bank, please visit their gtnews microsite.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5790457704064592143?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5790457704064592143/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/sepa-core-issue-checklist-for.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5790457704064592143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5790457704064592143'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/sepa-core-issue-checklist-for.html' title='SEPA: A Core Issue Checklist for Corporates'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1586148429902606944</id><published>2011-04-03T08:24:00.000-07:00</published><updated>2011-04-03T08:26:07.614-07:00</updated><title type='text'>Twitter opportunities april 2011</title><content type='html'>By Whitson Gordon&lt;br /&gt;Top 10 Uses for Twitter (That Aren't Self-Indulgent)&lt;br /&gt; Since Twitter's inception, it's been looked down upon as a place for self-centered technophiles to share the mundane details of their lives. We at Lifehacker know better than that, though—here are our favorite ways to turn Twitter into a useful tool, without becoming one yourself. &lt;br /&gt;We've shared some of our non-breakfast related Twitter uses before, but over the past few years Twitter has evolved, grown more popular, and we've just discovered more clever and productive uses for it. Some of these you may recognize, but even the ones we've discussed before may have been updated, so be sure to check them all out if you're looking to upgrade your Twitter usage.&lt;br /&gt;10. Quickly Access Productivity Tools&lt;br /&gt; We've mentioned before how easy it is to add tasks to Remember the Milk or send memos to Evernote using Twitter, which makes using our favorite productivity tools super quick and easy—almost like a productivity command line. Since then, we've discovered even faster ways to use this to our advantage, like performing those tasks straight from the address bar, or using Google Voice actions to just speak it to our phone. Twitter allows you far more than just one more access channel to your favorite productivity webapps. 
Since Twitter is everywhere these days, it opens up a ton of different options for super-quick access, so you can add a task to your to-do list and get on with your day.&lt;br /&gt;9. Get Search Results for Timely News&lt;br /&gt; As hard as news sites and blogs try to be up-to-the-second sources for news, the fact of the matter is that Twitter is just the best place to find out what just happened. Whether you want to keep up with this year's Oscar winners without sitting through the show, find out who got voted off American Idol, or find out that Comcast's DNS went down (and how to get around it), all you need to do is hit up search.twitter.com. Within seconds you'll have all the information you need, even if it isn't up yet anywhere else on the internet.&lt;br /&gt;8. Find a Job&lt;br /&gt; We already know the internet is a great tool for the unemployed (or just unhappy at their current job), but you can actually find a good number of listings on Twitter. We've talked about how to do this with free service TweetMyJobs, which lets you pick the field you're interested in and get real-time Twitter updates of job listings you might be interested in. Furthermore, reader AlphaGeek notes that you can just search Twitter for the hashtag #jobs, and perhaps a hashtag for your industry or city. You'd be surprised at what you can find. Again, it certainly won't be your only resource, but it's another good one to add to your arsenal. Photo remixed from an original by Janet McKnight&lt;br /&gt;7. Get Up to the Minute Updates on Your Favorite Software&lt;br /&gt; One of my favorite Twitter uses is following my favorite software developers and finding out immediately when they update. Whether it's big programs like Firefox and XBMC or smaller ventures like Adium for the Mac, I've never gotten a faster notification than on Twitter. 
Not only will you find out as soon as a new update is ready, but you'll find out about the cool stuff coming up in future versions, nightly builds, and sometimes even handy tips you didn't know about.&lt;br /&gt;6. Use it as a Quick-Access Cloud Notebook&lt;br /&gt; If you aren't using something like Evernote, that doesn't mean you can't still use Twitter's quick-post nature as a notebook—reader Epell says it's a great place to jot down ideas as soon as you think of them. Just protect your tweets, disallow discovery of your account by email address, and use it as your own personal notebook. If you're the more introspective type, you can use it as a short-post journal, too—whether public or private.&lt;br /&gt;5. Discover News and Articles You Otherwise Wouldn't Have&lt;br /&gt; Using Twitter for news is hardly a new idea—following accounts like @cnnbrk is Twitter 101 (plus, if any news starts breaking, the other folks you follow will probably be quick to talk about it). What I find especially cool about Twitter is that I find news and articles I otherwise wouldn't have discovered. Since you can follow anyone with just a click, you probably end up following more people (and a more diverse group of people) than you would on, say, Google Reader. As they tweet out interesting links (or retweet others you don't follow), you might find articles or blog posts that weren't hugely popular, but still useful or interesting. Sure, at a certain point this can get more "noisy" than helpful, but this is why you should routinely unfollow people to keep your feeds clutter-free.&lt;br /&gt;4. Get Alerts and Inspiration on Pretty Much Anything&lt;br /&gt; Aren't sure what you want to make for dinner tonight? @cookbook can give you a bit of inspiration with her 140-character recipes. Not sure what's good on TV tonight? @TVGuide can give you some ideas. There are a ton of Twitter accounts out there that send out useful alerts or inspiration for things in your daily life. 
Other examples include previously mentioned @queuenoodle, which alerts you to expiring movies on Netflix Instant, or @amazonmp3, which keeps you alerted to the best deals (and all the free tracks of the day) on Amazon MP3. Your local businesses might also have some cool accounts, too—a few of the local bars where I'm from will tweet out special drafts that aren't publicized anywhere else, so only their followers know to come in and ask for it specifically.&lt;br /&gt;3. Control DIY Home Automation Projects&lt;br /&gt; Whether you need to send a quick command or get alerts for something happening at home, Twitter has become a very popular tool for home automation projects. You can do something simple like control your PC from afar with TweetMyPC, or do a more complicated project like tell your coffee pot to start brewing, water your plants, or even dispense Halloween candy. With the Twitter API and an Arduino, there are pretty much no limits to what you can control.&lt;br /&gt;2. Get Instant Customer Support&lt;br /&gt; Lots of companies have taken to providing support on Twitter, and it's more than just a way to get in on the fad. @JetBlue and @ComcastCares are two accounts that have made the format popular, and with good reason—some people are getting faster responses via Twitter than they are the customer service phone line. Other companies using Twitter this way include Microsoft for the Xbox, Time Warner Cable, and Dell, though with a bit of searching you'll find a ton more.&lt;br /&gt;1. Get Specific Answers and Advice from a Knowledgeable Pool&lt;br /&gt; Those that follow us on Twitter know that one of our favorite uses is asking questions from you guys, and getting specific advice. Whether you're looking for the best app for a particular job, the best coffee in New York, or just advice on a good new band to listen to, the Twitterverse has opinions and they aren't afraid to share them. 
The more followers you have, the more answers you'll get, obviously—but if you can get a few more popular followers, you can often get your question retweeted and get a lot of good advice back.&lt;br /&gt;________________________________________&lt;br /&gt;These are some of our favorite clever uses we've discovered over the years, but there's bound to be more out there. So if you have a clever way of using Twitter (productive or not), be sure to share it with us in the comments below.&lt;br /&gt; &lt;br /&gt;•  &lt;br /&gt;• Share this:&lt;br /&gt;•  &lt;br /&gt;•  &lt;br /&gt;•  &lt;br /&gt; April 2nd, 2011 Top Stories&lt;br /&gt;•  &lt;br /&gt;Celebrate April Fool's Day All Weekend with These DIY Projects&lt;br /&gt;•  &lt;br /&gt;From the Tips Box: Firefox Back Button, Nail Biting, and Email Mistakes&lt;br /&gt;•  &lt;br /&gt;This Week's Most Popular Posts&lt;br /&gt;•  &lt;br /&gt;Remove Kinks in Cables with a Glass of Hot Water and Tape&lt;br /&gt;•  &lt;br /&gt;April Fool's Day QR Code Scavenger Hunt&lt;br /&gt;More Stories on Lifehacker »&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1586148429902606944?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1586148429902606944/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/04/twitter-opportunities-april-2011.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1586148429902606944'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1586148429902606944'/><link rel='alternate' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/04/twitter-opportunities-april-2011.html' title='Twitter opportunities april 2011'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7177641609663049351</id><published>2011-03-29T12:18:00.000-07:00</published><updated>2011-03-29T12:18:32.751-07:00</updated><title type='text'>Restaurant Chain is First Fined Under Massachusetts Data Breach Law</title><content type='html'>&lt;a href="http://threatpost.com/en_us/blogs/restaurant-chain-first-fined-under-massachusetts-data-breach-law-032911"&gt;Restaurant Chain is First Fined Under Massachusetts Data Breach Law&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7177641609663049351?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://threatpost.com/en_us/blogs/restaurant-chain-first-fined-under-massachusetts-data-breach-law-032911' title='Restaurant Chain is First Fined Under Massachusetts Data Breach Law'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7177641609663049351/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/restaurant-chain-is-first-fined-under.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7177641609663049351'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7177641609663049351'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/restaurant-chain-is-first-fined-under.html' title='Restaurant Chain is First Fined Under Massachusetts Data Breach Law'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6687872009816995325</id><published>2011-03-29T00:25:00.000-07:00</published><updated>2011-03-29T00:25:59.007-07:00</updated><title type='text'>Thieves join rush to online banking - Oroville Mercury Register</title><content type='html'>&lt;a href="http://www.orovillemr.com/ci_17712797?source=most_emailed"&gt;Thieves join rush to online banking - Oroville Mercury Register&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6687872009816995325?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.orovillemr.com/ci_17712797?source=most_emailed' title='Thieves join rush to online banking - Oroville Mercury Register'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6687872009816995325/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/thieves-join-rush-to-online-banking.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6687872009816995325'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6687872009816995325'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/thieves-join-rush-to-online-banking.html' title='Thieves join rush to online banking - Oroville Mercury Register'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-667726744743310377</id><published>2011-03-24T12:49:00.000-07:00</published><updated>2011-03-24T12:49:09.348-07:00</updated><title type='text'>Tech Insight: HTTPS Is Evil - Darkreading</title><content type='html'>&lt;a href="http://www.darkreading.com/authentication/167901072/security/privacy/229301300/tech-insight-https-is-evil.html"&gt;Tech Insight: HTTPS Is Evil - Darkreading&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-667726744743310377?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.darkreading.com/authentication/167901072/security/privacy/229301300/tech-insight-https-is-evil.html' title='Tech Insight: HTTPS Is Evil - Darkreading'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/667726744743310377/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/tech-insight-https-is-evil-darkreading.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/667726744743310377'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/667726744743310377'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/tech-insight-https-is-evil-darkreading.html' title='Tech Insight: HTTPS Is Evil - Darkreading'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7414547924771362977</id><published>2011-03-22T06:35:00.001-07:00</published><updated>2011-03-22T06:36:41.923-07:00</updated><title type='text'>Audit executives stand by Sarbox dd 22 March 2011</title><content type='html'>We're seeing some major efforts in Congress right now to roll back previously enacted reform efforts, like credit and debit card reform measures, the Dodd-Frank Act, the Patriot Act and the Obama Healthcare initiative. It remains to be seen if these efforts will ever prove successful.&lt;br /&gt;But we can look to Sarbanes-Oxley for an example of how legislation that is reviled can sometimes emerge as something that regulated entities eventually support.&lt;br /&gt;A new survey of more than 300 chief audit executives by Grant Thornton has found that the vast majority, nearly 90 percent, do not believe the Sarbanes-Oxley Act of 2002 should be repealed. There was a day when that number would have been a lot lower. Frankly, the act has never been this popular.&lt;br /&gt;So, is this legislation showing the way for laws that are currently unpopular? Maybe.&lt;br /&gt;Early on, people spared no insult for Sarbox, which ended up being very expensive for companies large and small.  
But after years of working through the issues, the big companies eventually cracked the nut and were able to impressively streamline their 404 processes. These days, they have the process down to a science.&lt;br /&gt;As for small companies, Dodd-Frank gave them a permanent reprieve from 404(b). It may be that once companies take the initial hit on some reform measures, they might end up better off.&lt;br /&gt;That said, this argument will likely not prove persuasive with those who are opposing problems with the current crop of new regulations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7414547924771362977?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7414547924771362977/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/audit-executives-stand-by-sarbox-dd-22.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7414547924771362977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7414547924771362977'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/audit-executives-stand-by-sarbox-dd-22.html' title='Audit executives stand by Sarbox dd 22 March 2011'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4176684728519248411</id><published>2011-03-22T06:25:00.000-07:00</published><updated>2011-03-22T06:25:22.958-07:00</updated><title type='text'>Mac OS X 10.6.7 fixes security vulnerabilities</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10770&amp;amp;utm_source=feedburner&amp;amp;utm_medium=email&amp;amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29"&gt;Mac OS X 10.6.7 fixes security vulnerabilities&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4176684728519248411?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10770&amp;utm_source=feedburner&amp;utm_medium=email&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29' title='Mac OS X 10.6.7 fixes security vulnerabilities'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4176684728519248411/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/mac-os-x-1067-fixes-security.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4176684728519248411'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4176684728519248411'/><link rel='alternate' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/03/mac-os-x-1067-fixes-security.html' title='Mac OS X 10.6.7 fixes security vulnerabilities'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1896914256922926958</id><published>2011-03-22T01:59:00.000-07:00</published><updated>2011-03-22T01:59:58.329-07:00</updated><title type='text'>The Day - FBI tapes target Nawaz at fraud trial | News from southeastern Connecticut</title><content type='html'>&lt;a href="http://www.theday.com/article/20110322/BIZ02/303229933/1044"&gt;The Day - FBI tapes target Nawaz at fraud trial | News from southeastern Connecticut&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1896914256922926958?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.theday.com/article/20110322/BIZ02/303229933/1044' title='The Day - FBI tapes target Nawaz at fraud trial | News from southeastern Connecticut'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1896914256922926958/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/day-fbi-tapes-target-nawaz-at-fraud.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1896914256922926958'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1896914256922926958'/><link rel='alternate' 
type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/day-fbi-tapes-target-nawaz-at-fraud.html' title='The Day - FBI tapes target Nawaz at fraud trial | News from southeastern Connecticut'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4166185674875105314</id><published>2011-03-19T01:37:00.000-07:00</published><updated>2011-03-19T01:37:22.638-07:00</updated><title type='text'>RSA breach: Reactions from the security community</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10765&amp;amp;utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;amp;utm_content=Google+International"&gt;RSA breach: Reactions from the security community&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4166185674875105314?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10765&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;utm_content=Google+International' title='RSA breach: Reactions from the security community'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4166185674875105314/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/rsa-breach-reactions-from-security.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4166185674875105314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4166185674875105314'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/rsa-breach-reactions-from-security.html' title='RSA breach: Reactions from the security community'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1276387297843713631</id><published>2011-03-18T04:40:00.000-07:00</published><updated>2011-03-18T04:40:44.720-07:00</updated><title type='text'>RSA SecurID customer data stolen by audacious hackers - Techworld.com</title><content type='html'>&lt;a href="http://news.techworld.com/security/3265842/rsa-securid-customer-data-stolen-by-audacious-hackers/?cmpid=TD1N1&amp;amp;no1x1&amp;amp;olo=daily+newsletter"&gt;RSA SecurID customer data stolen by audacious hackers - Techworld.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1276387297843713631?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://news.techworld.com/security/3265842/rsa-securid-customer-data-stolen-by-audacious-hackers/?cmpid=TD1N1&amp;no1x1&amp;olo=daily+newsletter' title='RSA SecurID customer data stolen by audacious hackers - Techworld.com'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1276387297843713631/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/03/rsa-securid-customer-data-stolen-by.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1276387297843713631'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1276387297843713631'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/rsa-securid-customer-data-stolen-by.html' title='RSA SecurID customer data stolen by audacious hackers - Techworld.com'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6151932455446328171</id><published>2011-03-08T07:50:00.000-08:00</published><updated>2011-03-08T07:51:24.146-08:00</updated><title type='text'>Eight Breach Prevention Tips</title><content type='html'>Don't Overlook These Breach Prevention Measures&lt;br /&gt;March 7, 2011 - Howard Anderson, Executive Editor, HealthcareInfoSecurity.com&lt;br /&gt;Share  &lt;br /&gt;&lt;br /&gt; &lt;br /&gt; &lt;br /&gt; Print Email Save  Digg Delicious RedditPlease login or register to save this article. &lt;br /&gt;&lt;br /&gt;To prevent healthcare information breaches, a growing number of organizations are encrypting information stored on laptops and other portable devices. As they prepare comprehensive risk management strategies, however, hospitals, clinics and others must make sure they don't overlook other important breach prevention steps, security experts advise. 
&lt;br /&gt;Following are eight breach prevention tips gathered at the recent Healthcare Information and Management Systems Society Conference. These steps also can play an important role in complying with the privacy and security provisions of HIPAA and the HITECH Act. &lt;br /&gt;&lt;br /&gt;1. Make Broader Use of Encryption&lt;br /&gt;Adam Greene, senior health information technology and privacy specialist at the Department of Health and Human Services' Office for Civil Rights, points out that although HIPAA and the HITECH Act don't explicitly mandate the use of encryption, the HIPAA security rule makes encryption "addressable," meaning that "it's required if it's reasonable and appropriate." He added, "For electronic health records, it is generally reasonable and appropriate to encrypt." &lt;br /&gt;Terrell Herzig, information security officer at UAB Medicine, urges hospitals, clinics and others to expand encryption beyond mobile devices and desktops to include USB drives, CDs and DVDs as well (See: Overlooked Breach Prevention Steps). &lt;br /&gt;&lt;br /&gt;And far too many organizations are neglecting to use secure e-mail, says Willie Williams III, managing partner at The Kiran Consortium Group. Including patient information in e-mail that lacks encryption is extremely risky and can lead to a breach, he stresses. &lt;br /&gt;&lt;br /&gt;2. Use Business Associate Agreements&lt;br /&gt;Although pending HIPAA modifications make it clear that business associates must now comply with HIPAA, business associate agreements still are essential, Greene says. The agreements offer an "important opportunity" to spell out the role of the business associate in protecting patient information and preventing breaches, he stresses. &lt;br /&gt;Williams points out that hospitals, for example, should "write into their business associate agreements how their partners, including consultants, will protect any patient information they remove from the hospital on a laptop." 
&lt;br /&gt;&lt;br /&gt;3. Consider Role of Cloud Computing&lt;br /&gt;Consultant Patricia Dodgen of Hielix advises smaller clinics to consider using the software-as-a-service model of cloud computing when adopting EHRs because it offers a level of security that clinics cannot provide on their own servers. She also says remotely hosted EHRs offer better backup services (See: EHRs and Cloud Computing). &lt;br /&gt;But Feisal Nanji, executive director at the security consulting firm Techumen, urges healthcare organizations to require that cloud computing vendors "provide detailed documentation of how they are protecting their data centers" to prevent breaches. He also says those considering using cloud computing should get a clear understanding of "how computers will be authenticated to either provide information or receive it." &lt;br /&gt;&lt;br /&gt;A recent New York health information breach involving the theft of unencrypted backup tapes, which may have affected as many as 1.7 million individuals, may lead more organizations to consider investigating using backup storage in the cloud. &lt;br /&gt;&lt;br /&gt;"Many organizations are phasing out physical backup media in favor of backup over the Internet," says security specialist Kate Borten, president of The Marblehead Group. "Of course, that has its risks too, unless proper security measures are followed." (See: Privacy Protections for Backup Files) &lt;br /&gt;&lt;br /&gt;4. Use Two-Factor Authentication&lt;br /&gt;Using two-factor authentication can support efforts to more effectively control access to protected health information and prevent breaches, says Herzig of UAB Medicine. The integrated delivery system in Birmingham, Ala., recently shifted from hardware tokens to software tokens that run on mobile devices. &lt;br /&gt;"We received complaints about the inconvenience of hardware tokens," Herzig says. 
As more clinicians were using a variety of mobile devices to remotely access patient information, UAB determined that an applet that generates a one-time password on any mobile device would be more practical, he explains. &lt;br /&gt;&lt;br /&gt;5. Develop a Social Media Policy&lt;br /&gt;Lee Aase, director of the Mayo Clinic Center for Social Media, advises healthcare organizations that are making broader use of social media to educate staff members about appropriate uses of the new media by using a combination of blogs, webcasts, conferences and other options (See: Mayo Clinic's Insights on Social Media). &lt;br /&gt;Mayo's social media guidelines are based on its existing, broader policies regarding maintaining patient privacy, guarding trade secrets, using the Internet during work hours and other issues, Aase points out. He also stresses the need to develop a corporate culture that emphasizes serving the best interests of patients, including maintaining their privacy. &lt;br /&gt;&lt;br /&gt;6. Monitor Document Shredding&lt;br /&gt;Shredding documents is an effective strategy to protect the privacy of personal information and prevent breaches, says UAB's Herzig. But when his organization audited the work of its new shredding vendor, "we discovered that in actuality they were leaving a lot of the material in an unsecure location to pre-stage it," he says. &lt;br /&gt;"It's a case in point. You have to audit every one of your security controls to make sure they are operational and effective." &lt;br /&gt;&lt;br /&gt;7. Destroy Unused Drives, Tapes&lt;br /&gt;Herzig also says hospitals need to develop more effective, affordable methods to properly dispose of unused media, such as hard drives or backup tapes. He says degaussing magnetic storage media can prove difficult, and overwrites of data can be time-consuming. &lt;br /&gt;So instead, UAB uses an onsite industrial crusher to destroy old drives. "We pulverize our hard drives into half-inch squares," he says. 
By destroying drives onsite, UAB can easily track the chain of custody and issue a certificate of destruction, he adds. &lt;br /&gt;&lt;br /&gt;8. Use DLP as Educational Tool&lt;br /&gt;UAB generates weekly security reports using a data loss prevention application. For example, the reports pinpoint inappropriate uses of e-mail that were prevented. &lt;br /&gt;"We sanitize the data in these reports and use it in our corporate compliance education courses," Herzig says. Such educational efforts can play a critical role in preventing breaches, he adds.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Next Related Article:&lt;br /&gt;Feds Name Healthcare Chief Privacy Officer&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6151932455446328171?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6151932455446328171/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/eight-breach-prevention-tips.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6151932455446328171'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6151932455446328171'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/eight-breach-prevention-tips.html' title='Eight Breach Prevention Tips'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-2287229855706586915</id><published>2011-03-06T13:07:00.000-08:00</published><updated>2011-03-06T13:07:17.466-08:00</updated><title type='text'>Insurance company punished for improper disposal of documents - WREX.com – Rockford’s News Leader</title><content type='html'>&lt;a href="http://www.wrex.com/Global/story.asp?S=14164675"&gt;Insurance company punished for improper disposal of documents - WREX.com – Rockford’s News Leader&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-2287229855706586915?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.wrex.com/Global/story.asp?S=14164675' title='Insurance company punished for improper disposal of documents - WREX.com – Rockford’s News Leader'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/2287229855706586915/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/insurance-company-punished-for-improper.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2287229855706586915'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2287229855706586915'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/insurance-company-punished-for-improper.html' title='Insurance company punished for 
improper disposal of documents - WREX.com – Rockford’s News Leader'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6200898424284216351</id><published>2011-03-01T14:38:00.001-08:00</published><updated>2011-03-01T14:38:51.039-08:00</updated><title type='text'>It's Time to Invest in Your IT Team</title><content type='html'>Skills to invest in for 2011 and beyond.&lt;br /&gt;&lt;br /&gt;By Don Jones03/01/2011&lt;br /&gt;As we near the end of the first quarter of 2011, you're probably getting those new IT projects moving, allocating this year's budget and so forth. As you do, don't forget one of your most important IT assets: your team. But where should you focus? I suggest three areas. &lt;br /&gt;&lt;br /&gt;Troubleshooting Skills&lt;br /&gt;In my practice as a strategic consultant, I see an incredible lack of troubleshooting skills within organizations. That means when problems occur, those organizations spend an unacceptably long amount of time resolving issues and stabilizing the production environment. Unfortunately, troubleshooting skills are hard to teach. &lt;br /&gt;&lt;br /&gt;You can, however, encourage your team to deliberately develop and refine its experience, which leads directly to more efficient troubleshooting. Have a brief meeting every month (and no, I can't believe I'm recommending more meetings rather than fewer) where you review the problems of the previous month and ask one team member to describe what went wrong, what fixed the problem and why the fix worked. 
&lt;br /&gt;&lt;br /&gt;Automation Skills&lt;br /&gt;It pains me every time I see someone performing some rote task, such as creating new user accounts using a GUI console. C'mon, it's 2011 -- surely we can start letting the computers do the mundane, repetitive stuff, right? &lt;br /&gt;&lt;br /&gt;In the Microsoft world, that means investing in Windows PowerShell. A solid understanding of command-line administration also engenders a better understanding of the technology you're administering ... which leads to better troubleshooting skills, too. &lt;br /&gt;&lt;br /&gt;I've been careful to write command-line administration and not scripting. A lot of Microsoft-focused admins have a huge fear of, distaste for or disinterest in "programming," and they correctly see scripting as a kind of lightweight programming. No problem: A major benefit of Windows PowerShell is that you can be extremely effective without learning to program. That's a main focus of the classes I teach, and it's a message that's been going over gangbusters with hundreds of administrators every year. Sure, for those admins who do have some programming experience and who enjoy scripting, Windows PowerShell steps up and lets them be extremely powerful -- but it doesn't leave you out in the cold if you're not ready to fire up Visual Studio, either. &lt;br /&gt;&lt;br /&gt;Based on what I'm seeing some of my largest clients (banks, pharmaceuticals, telecoms and manufacturing firms) do, Windows PowerShell could well be the most important IT investment you'll make in the next five or six years. Some of my customers have documented clear returns on training investment in just a few months, simply by automating tasks and freeing up administrator time for other projects and issues. 
&lt;br /&gt;&lt;br /&gt;A New Version&lt;br /&gt;Finally, make sure every one of your team members becomes well-versed in the latest version of at least one product or technology that he works with, along with details on how to deploy it. Even if you're not planning to actually deploy that version of that product, get someone up to speed on it. &lt;br /&gt;&lt;br /&gt;You never know when you may suddenly have to change your mind about that version, and having an expert on staff will make things easier. Also, the "skip a version" mindset might work well from a financial perspective, but it results in a huge skills deficit. Skip version 4, and your team will be even less prepared for versions 5 and 6, which will doubtless build on version 4. So if version 4 is what's new right now, at least have someone gain a basic familiarity with it. Today's cheap virtual machine technologies make it easy to create a test lab where someone can spend some time with the new technology. Make this project a part of each team member's formal goals for the year. &lt;br /&gt;&lt;br /&gt;About the Author&lt;br /&gt;Don Jones is a 12-year industry veteran, author of more than 45 technology books and an in-demand speaker at industry events worldwide. His broad technological background, combined with his years of managerial-level business experience, make him a sought-after consultant by companies that want to better align their technology resources to their business direction. 
Jones is a contributor to TechNet Magazine and Redmond, and writes a blog at ConcentratedTech.com.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6200898424284216351?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6200898424284216351/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/its-time-to-invest-in-your-it-team.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6200898424284216351'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6200898424284216351'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/03/its-time-to-invest-in-your-it-team.html' title='It&apos;s Time to Invest in Your IT Team'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3087246578134001304</id><published>2011-02-27T02:24:00.000-08:00</published><updated>2011-02-27T02:24:08.655-08:00</updated><title type='text'>Failure to invest in secure software a major risk</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10663"&gt;Failure to invest in secure software a major risk&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3087246578134001304?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10663' title='Failure to invest in secure software a major risk'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3087246578134001304/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/failure-to-invest-in-secure-software.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3087246578134001304'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3087246578134001304'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/failure-to-invest-in-secure-software.html' title='Failure to invest in secure software a major risk'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1028922110921537961</id><published>2011-02-21T02:34:00.000-08:00</published><updated>2011-02-21T02:34:17.808-08:00</updated><title type='text'>A lesson to learn from the HBGary breach</title><content type='html'>&lt;a href="http://www.net-security.org/article.php?id=1559&amp;amp;utm_source=feedburner&amp;amp;utm_medium=feed&amp;amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;amp;utm_content=Google+UK"&gt;A lesson to learn from the HBGary breach&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1028922110921537961?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/article.php?id=1559&amp;utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29&amp;utm_content=Google+UK' title='A lesson to learn from the HBGary breach'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1028922110921537961/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/lesson-to-learn-from-hbgary-breach.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1028922110921537961'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1028922110921537961'/><link rel='alternate' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/02/lesson-to-learn-from-hbgary-breach.html' title='A lesson to learn from the HBGary breach'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-396756283220449914</id><published>2011-02-13T03:51:00.000-08:00</published><updated>2011-02-13T03:51:51.318-08:00</updated><title type='text'>Secret plan to kill Wikileaks with FUD leaked  Cybercrime  Legal  News  SC Magazine Australia/NZ</title><content type='html'>&lt;a href="http://www.securecomputing.net.au/News/247706,secret-plan-to-kill-wikileaks-with-fud-leaked.aspx"&gt;Secret plan to kill Wikileaks with FUD leaked  Cybercrime  Legal  News  SC Magazine Australia/NZ&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-396756283220449914?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.securecomputing.net.au/News/247706,secret-plan-to-kill-wikileaks-with-fud-leaked.aspx' title='Secret plan to kill Wikileaks with FUD leaked  Cybercrime  Legal  News  SC Magazine Australia/NZ'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/396756283220449914/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/secret-plan-to-kill-wikileaks-with-fud.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/396756283220449914'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/396756283220449914'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/secret-plan-to-kill-wikileaks-with-fud.html' title='Secret plan to kill Wikileaks with FUD leaked  Cybercrime  Legal  News  SC Magazine Australia/NZ'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-2824804399590495126</id><published>2011-02-07T04:17:00.000-08:00</published><updated>2011-02-07T05:34:52.740-08:00</updated><title type='text'>Study Exposes Weaknesses Of Risk-Based Security</title><content type='html'>Study Exposes Weaknesses Of Risk-Based Security&lt;br /&gt;February 7, 2011 by Brian Prince&lt;br /&gt; inShare.1&lt;br /&gt;&lt;br /&gt;An audit by the US Department of Energy has identified a major security weakness in the way that organisations identify critical assets&lt;br /&gt;&lt;br /&gt;A recent audit from the office of the US Department of Energy’s Inspector General painted a not-so-rosy picture of efforts to secure the US’ power grid. But it also highlighted something of a conundrum in the world of compliance–how to take a truly risk-based approach when organisations have an incentive to underreport risk.&lt;br /&gt;&lt;br /&gt;Inside the report (PDF), the department states its audit, which was conducted between October 2009 and November 2010, found existing CIP (critical infrastructure protection) standards do not always include controls commonly recommended for protecting critical information systems. 
But another problem was much more basic–the standards did not include a clear definition of what constitutes a critical asset.&lt;br /&gt;&lt;br /&gt;Clarity necessary&lt;br /&gt;“When outlining what attributes should be considered when proposing reliability standards, the (Federal Energy Regulatory Commission) noted in Order 672…that CIP reliability standards should be clear and unambiguous regarding what is required and who is required to comply,” the report states. “The Commission noted that such clarity was necessary because users, owners and operators of the bulk electric system must know what they are required to do to maintain reliability. Despite this guidance, both Commission and NERC (Nuclear Energy Regulatory Commission) officials stated that they believed entities were under-reporting the number of critical assets and associated critical cyber assets.”&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For example, the DOE notes that in April 2009, then-NERC Chief Security Officer Michael Assante reported that only 29 percent of power generation owners and operators – and less than 63 percent of power transmission owners – identified at least one critical asset on a self-certification compliance survey. Subsequent filings by organisations have not shown significant improvement in the reporting of critical assets, despite the fact those assets could include such things as control centres and transmission substations, the report adds.&lt;br /&gt;&lt;br /&gt;“Every so-called risk-based security plan starts with: ‘identify your critical assets’,” said Richard Stiennon, chief research analyst at IT-Harvest. “This never works in IT organisations because it requires someone to admit that the assets they are responsible (for) are not critical. Of course the DBAs (database administrators) say their Oracle database servers are critical, the email guys say email is critical, the web team says the web servers are critical. 
So you do not get the weighted differentiation you hoped for.”&lt;br /&gt;&lt;br /&gt;When regulations are involved there can be the opposite effect as businesses look to avoid some of the costs associated with compliance, he said.&lt;br /&gt;&lt;br /&gt;“If you have to disclose a breach of critical health care information or PII (personally identifiable information) immediately none is critical,” he said. “If you have to archive critical communications, suddenly no communication is critical. This is why regulation based on risk does not work either.”&lt;br /&gt;&lt;br /&gt;Differences of opinion&lt;br /&gt;Risk-based regulation introduces potential for differences of opinion when the risk rating of a particular asset is determined by the individual responsible for that asset, said Sumner Blount, director of product marketing, security and compliance at CA Technologies. Still, a one-size-fits-all approach, where the risk of a given asset is not considered, is even worse.&lt;br /&gt;&lt;br /&gt;“A balance is clearly needed,” he said. “Organisations need to evaluate asset importance based on clearly documented criteria, and the decision should be made by cross-functional, compliance-savvy teams rather than individual asset owners. Similarly, the definition and treatment of critical information or PII should not be up to one person…There are generally accepted definitions for this type of information for regulatory purposes, and where none exists, definitions should be developed by the team so as to avoid conflicts later on.”&lt;br /&gt;&lt;br /&gt;In addition, the complexity and redundancy of controls should be to some extent related to the impact and likelihood of a situation that would cause the control to fail, Blount said. Some compliance controls, such as making sure administrators only have the rights they need, are essential due both to the likelihood and the potential impact of a violation. 
Others are much less likely and therefore don’t require the same type of strong controls, he added.&lt;br /&gt;&lt;br /&gt;“In short, risk-based compliance is like Churchill’s description of democracy – it’s one of the worst ways to approach compliance… except for all the other ways that have been tried,” he said.&lt;br /&gt;&lt;br /&gt;Financial incentives&lt;br /&gt;While to Blount risk-based regulations have their place, Stiennon argued regulations need to move beyond such methodologies.&lt;br /&gt;&lt;br /&gt;“They have not worked in IT security; they will not work in CIP,” he said. “Laws and regulations must supply real financial incentives. Instead of mandating password policies they should assign liability. Make a power generating utility liable for the damage caused by an outage from a cyber incident and they will find the resources to devote to IT security. They, along with their insurers, and bond raters, will quickly determine their risks.”&lt;br /&gt;&lt;br /&gt;A vulnerability on an exposed machine is a higher priority than one on a machine that is not exposed, for example, he noted, just as a vulnerability that is being exploited by a worm or virus is of higher priority than one that requires a targeted attack to exploit.&lt;br /&gt;&lt;br /&gt;“Imagine a military commander using risk based management,” he said. 
“During a battle he would deploy his forces to protect the most valuable assets instead of where the enemy was penetrating his line.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-2824804399590495126?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/2824804399590495126/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/study-exposes-weaknesses-of-risk-based.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2824804399590495126'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2824804399590495126'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/study-exposes-weaknesses-of-risk-based.html' title='Study Exposes Weaknesses Of Risk-Based Security'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-1833265207937772302</id><published>2011-02-06T08:16:00.000-08:00</published><updated>2011-02-06T08:16:27.417-08:00</updated><title type='text'>Debit and credit card skimming: Skimming your debit and credit cards is growing crime trend - OrlandoSentinel.com</title><content type='html'>&lt;a href="http://www.orlandosentinel.com/news/crime/os-debit-credit-card-skimming-20110201,0,1644234.story"&gt;Debit and credit card skimming: Skimming your debit and credit cards is growing crime trend - OrlandoSentinel.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-1833265207937772302?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.orlandosentinel.com/news/crime/os-debit-credit-card-skimming-20110201,0,1644234.story' title='Debit and credit card skimming: Skimming your debit and credit cards is growing crime trend - OrlandoSentinel.com'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/1833265207937772302/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/debit-and-credit-card-skimming-skimming.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1833265207937772302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/1833265207937772302'/><link rel='alternate' 
type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/debit-and-credit-card-skimming-skimming.html' title='Debit and credit card skimming: Skimming your debit and credit cards is growing crime trend - OrlandoSentinel.com'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3722800442495542930</id><published>2011-02-06T08:08:00.000-08:00</published><updated>2011-02-06T08:08:42.789-08:00</updated><title type='text'>Nasdaq erkent inbraak door hackers - Economie - VK</title><content type='html'>&lt;a href="http://www.volkskrant.nl/vk/nl/2680/Economie/article/detail/1831950/2011/02/06/Nasdaq-erkent-inbraak-door-hackers.dhtml?sms_ss=blogger&amp;amp;at_xt=4d4ec78533bc926b%2C0"&gt;Nasdaq erkent inbraak door hackers - Economie - VK&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3722800442495542930?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.volkskrant.nl/vk/nl/2680/Economie/article/detail/1831950/2011/02/06/Nasdaq-erkent-inbraak-door-hackers.dhtml?sms_ss=blogger&amp;at_xt=4d4ec78533bc926b%2C0' title='Nasdaq erkent inbraak door hackers - Economie - VK'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3722800442495542930/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/nasdaq-erkent-inbraak-door-hackers.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3722800442495542930'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3722800442495542930'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/nasdaq-erkent-inbraak-door-hackers.html' title='Nasdaq erkent inbraak door hackers - Economie - VK'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5165181844919436225</id><published>2011-02-02T04:11:00.000-08:00</published><updated>2011-02-02T04:11:04.576-08:00</updated><title type='text'>Overheidscloud vergroot risico's op datalekken | Webwereld</title><content type='html'>&lt;a href="http://webwereld.nl/nieuws/105420/overheidscloud-vergroot-risico-s-op-datalekken.html"&gt;Overheidscloud vergroot risico&amp;#39;s op datalekken | Webwereld&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5165181844919436225?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://webwereld.nl/nieuws/105420/overheidscloud-vergroot-risico-s-op-datalekken.html' title='Overheidscloud vergroot risico&apos;s op datalekken | Webwereld'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5165181844919436225/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/overheidscloud-vergroot-risicos-op.html#comment-form' title='0 reacties'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5165181844919436225'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5165181844919436225'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/overheidscloud-vergroot-risicos-op.html' title='Overheidscloud vergroot risico&apos;s op datalekken | Webwereld'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6833347630693874600</id><published>2011-02-02T00:36:00.000-08:00</published><updated>2011-02-02T00:36:22.808-08:00</updated><title type='text'>Data EU-passagiers naar inlichtingendiensten - Nieuws - VK</title><content type='html'>&lt;a href="http://www.volkskrant.nl/vk/nl/2664/Nieuws/article/detail/1830417/2011/02/01/Data-EU-passagiers-naar-inlichtingendiensten.dhtml?sms_ss=blogger&amp;amp;at_xt=4d49177cf47239c0%2C0"&gt;Data EU-passagiers naar inlichtingendiensten - Nieuws - VK&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6833347630693874600?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.volkskrant.nl/vk/nl/2664/Nieuws/article/detail/1830417/2011/02/01/Data-EU-passagiers-naar-inlichtingendiensten.dhtml?sms_ss=blogger&amp;at_xt=4d49177cf47239c0%2C0' title='Data EU-passagiers naar inlichtingendiensten - Nieuws - VK'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6833347630693874600/comments/default' title='Reacties 
plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/data-eu-passagiers-naar.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6833347630693874600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6833347630693874600'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/02/data-eu-passagiers-naar.html' title='Data EU-passagiers naar inlichtingendiensten - Nieuws - VK'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4523269859899896911</id><published>2011-01-31T23:52:00.000-08:00</published><updated>2011-01-31T23:52:39.899-08:00</updated><title type='text'>EMC Solution Gallery - Raz-Lee Security - iSecurity for IBM-i</title><content type='html'>&lt;a href="https://gallery.emc.com/docs/DOC-2392?sms_ss=blogger&amp;amp;at_xt=4d47bbc1e7bea686%2C0"&gt;EMC Solution Gallery - Raz-Lee Security - iSecurity for IBM-i&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4523269859899896911?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='https://gallery.emc.com/docs/DOC-2392?sms_ss=blogger&amp;at_xt=4d47bbc1e7bea686%2C0' title='EMC Solution Gallery - Raz-Lee Security - iSecurity for IBM-i'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4523269859899896911/comments/default' title='Reacties 
plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/emc-solution-gallery-raz-lee-security.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4523269859899896911'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4523269859899896911'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/emc-solution-gallery-raz-lee-security.html' title='EMC Solution Gallery - Raz-Lee Security - iSecurity for IBM-i'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4605527831204067695</id><published>2011-01-31T12:47:00.000-08:00</published><updated>2011-01-31T12:47:07.670-08:00</updated><title type='text'>Apple security chief calls for vulnerability tax - Security - Technology - News - iTnews.com.au</title><content type='html'>&lt;a href="http://www.itnews.com.au/News/246362,apple-security-chief-calls-for-vulnerability-tax.aspx"&gt;Apple security chief calls for vulnerability tax - Security - Technology - News - iTnews.com.au&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4605527831204067695?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.itnews.com.au/News/246362,apple-security-chief-calls-for-vulnerability-tax.aspx' title='Apple security chief calls for vulnerability tax - Security - Technology - News - iTnews.com.au'/><link rel='replies' 
type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4605527831204067695/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/apple-security-chief-calls-for.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4605527831204067695'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4605527831204067695'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/apple-security-chief-calls-for.html' title='Apple security chief calls for vulnerability tax - Security - Technology - News - iTnews.com.au'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-3106810361407803167</id><published>2011-01-31T12:24:00.000-08:00</published><updated>2011-01-31T12:25:32.884-08:00</updated><title type='text'>The ROI of Security Compliance</title><content type='html'>Study Finds Compliance Cuts Costs, Improves Operations&lt;br /&gt;January 31, 2011 - Tracy Kitten, Managing Editor Share  &lt;br /&gt; &lt;br /&gt;Tripwire's Shenoy says security compliance improves the bottom-line.&lt;br /&gt;&lt;br /&gt;A review of security practices and investments at 46 global companies across the financial, retail, healthcare and government spaces finds that compliance with industry security standards actually saves money over the long-term. Sponsored by Tripwire and conducted by the Ponemon Institute, the new study reviewed security investments made over a 12-month period. 
The findings have been published in a new report, "The True Cost of Compliance," released today by security and compliance automation solutions provider Tripwire. &lt;br /&gt;While compliance with the Payment Card Industry Data Security Standard was the most-often reviewed for the study, since PCI-DSS impacts any entity that accepts payment cards, the study also looks at other guidelines and standards, such as HIPAA and Sarbanes-Oxley. &lt;br /&gt;&lt;br /&gt;What the study finds, says Rekha Shenoy, vice president of strategy for Tripwire, is that across the board, regardless of industry or standard, companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than companies that are categorized as non-compliant. &lt;br /&gt;&lt;br /&gt;"There were not many differences among industries. They are all spending money for compliance, but they are not all getting secure," Shenoy says. "It was the ones that invested in security practices that were reaping the benefits -- those that focused on securing the business, rather than focusing on compliance alone." &lt;br /&gt;&lt;br /&gt;Focus on security, and compliance will follow. "When you automate compliance and you are always in a compliant state," Shenoy says, "you are always secure and you are doing 'good' for the business." &lt;br /&gt;&lt;br /&gt;During this interview, Shenoy discusses: &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;•How internal audits improve consistent security compliance;&lt;br /&gt;•The fluid nature of security compliance;&lt;br /&gt;•How investments made by financial institutions are proving for other industries and agencies the benefits of automated compliance audits.&lt;br /&gt;Shenoy is Tripwire's vice president of strategy. Shenoy joined Tripwire in April 2007. 
Before Tripwire, Rekha held positions in corporate development, product management and marketing for performance management solutions, database tools and mainframe solutions, and in market research at BMC Software Inc. in Houston, where she drove strategic decisions around new technologies. She also worked at Questia Media Inc. and Compaq Computer Corp. Shenoy holds a master's degree in business administration, with a focus on marketing and finance, from Rice University. She holds a bachelor's degree in computer science and engineering from the University Visvesvaraya College of Engineering in Bangalore, India.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-3106810361407803167?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/3106810361407803167/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/roi-of-security-compliance.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3106810361407803167'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/3106810361407803167'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/roi-of-security-compliance.html' title='The ROI of Security Compliance'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5662790739267345525</id><published>2011-01-30T13:26:00.000-08:00</published><updated>2011-01-30T13:26:34.580-08:00</updated><title type='text'>Former Salesforce.com execs form new security company</title><content type='html'>&lt;a href="http://www.networkworld.com/news/2011/012811-former-salesforcecom-execs-form-new.html?hpg1=bn"&gt;Former Salesforce.com execs form new security company&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5662790739267345525?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.networkworld.com/news/2011/012811-former-salesforcecom-execs-form-new.html?hpg1=bn' title='Former Salesforce.com execs form new security company'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5662790739267345525/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/former-salesforcecom-execs-form-new.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5662790739267345525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5662790739267345525'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/former-salesforcecom-execs-form-new.html' title='Former Salesforce.com execs form new security company'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4141071820636097813</id><published>2011-01-30T04:28:00.000-08:00</published><updated>2011-01-30T04:30:45.090-08:00</updated><title type='text'>CBP: Overheid moet privacy beter beschermen</title><content type='html'>28 January 2011 Redactie www.security.nl&lt;br /&gt;&lt;br /&gt;Bedrijven en overheden moeten kunnen aantonen dat zij de persoonsgegevens van hun klanten en van de burgers zorgvuldig gebruiken en adequaat beveiligen, zo laat het College Bescherming Persoonsgegevens op Databeschermingsdag weten. De gegevens van Nederlandse burgers komen in duizenden bestanden voor. Door de almaar toenemende digitalisering en globalisering wordt dit woud van verwerkingen steeds ondoorzichtiger. &lt;br /&gt;&lt;br /&gt;Volgens het CBP is het voor het individu niet meer te doen om inzicht te hebben in al deze verwerkingen, laat staan daar het overzicht van te behouden. De toezichthouder benadrukt dat bedrijven en overheden daarom nu aan zet zijn. "Zij moeten kunnen aantonen dat zij de persoonsgegevens van hun klanten en van de burgers zorgvuldig en volgens de regels van de wet verzamelen en gebruiken." &lt;br /&gt;&lt;br /&gt;Het CBP ontving het afgelopen jaar vele signalen van burgers over het plaatsen van persoonsgegevens op internet en over het onzorgvuldig omgaan met persoonsgegevens. Bedrijven en overheid moeten daarom de betrokkenen helder, volledig en op een toegankelijke manier informeren over het doel van het verwerken van hun gegevens en meedelen aan welke derden zij die gegevens verstrekken. "Alleen dan kunnen burgers hun rechten uitoefenen, zoals het verbeteren van hun gegevens of het laten verwijderen ervan." 
&lt;br /&gt;&lt;br /&gt;Meldplicht &lt;br /&gt;Naast het geven van betere informatie moeten bedrijven en overheden nog meer, meent het CBP. Zij moeten aangesproken kunnen worden op wat zij doen met de persoonsgegevens van hun klanten en de burgers. "Zij moeten bij het ontwerpen en ontwikkelen van nieuwe producten en diensten rekening houden met privacy-eisen. En zij moeten, zeker met het oog op de toenemende verwerking van gegevens online, ervoor zorgen dat persoonsgegevens veilig worden verwerkt." &lt;br /&gt;&lt;br /&gt;In het geval er toch iets mis gaat bij de beveiliging en persoonsgegevens op straat komen te liggen, pleit de toezichthouder ervoor dat zo’n datalek onmiddellijk moet worden gemeld. "Zodat snel maatregelen genomen kunnen worden om misbruik van de gegevens te voorkomen."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4141071820636097813?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4141071820636097813/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/cbp-overheid-moet-privacy-beter.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4141071820636097813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4141071820636097813'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/cbp-overheid-moet-privacy-beter.html' title='CBP: Overheid moet privacy beter beschermen'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8673172323779233194</id><published>2011-01-28T05:53:00.000-08:00</published><updated>2011-01-28T05:53:41.318-08:00</updated><title type='text'>Multiple vulnerabilities in Symantec products</title><content type='html'>&lt;a href="http://www.net-security.org/secworld.php?id=10503&amp;amp;utm_source=feedburner&amp;amp;utm_medium=email&amp;amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29"&gt;Multiple vulnerabilities in Symantec products&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8673172323779233194?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.net-security.org/secworld.php?id=10503&amp;utm_source=feedburner&amp;utm_medium=email&amp;utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29' title='Multiple vulnerabilities in Symantec products'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8673172323779233194/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/multiple-vulnerabilities-in-symantec.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8673172323779233194'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8673172323779233194'/><link rel='alternate' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/01/multiple-vulnerabilities-in-symantec.html' title='Multiple vulnerabilities in Symantec products'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-967795315320058077</id><published>2011-01-28T02:50:00.001-08:00</published><updated>2011-01-28T02:50:38.641-08:00</updated><title type='text'>Application security hardening for mobile and embedded software</title><content type='html'>Application security hardening for mobile and embedded software&lt;br /&gt;By  Yvette Francino &lt;br /&gt;&lt;br /&gt;SearchSoftwareQuality.com &lt;br /&gt;.ContentSyndicationDigg This Stumble Delicious Google Fusion .Security is a growing concern as the number of mobile devices such as smart phones, tablets, gaming devices and other devices which are run with embedded software is ever-increasing. Applications are being downloaded by the billions, and hackers are finding ways to gain access to modify license agreements or download machine code and then reverse engineer to gain access to source code. How do organizations protect themselves from this type of piracy? Read on. &lt;br /&gt;&lt;br /&gt;Hardening your application&lt;br /&gt;&lt;br /&gt;Certainly, there are many tools and techniques used to address security. 
In Security Lesson: Beating Web application security threats, Kevin Beaver discusses tools such as vulnerability scanners and static analysis tools that can be used to protect your Web applications.&lt;br /&gt;&lt;br /&gt;But often that’s not enough.&lt;br /&gt;&lt;br /&gt;Bob Walder, Research Director at Gartner, says:&lt;br /&gt;&lt;br /&gt;As security attacks become more financially motivated, and as organizations get better at securing their networks, desktops and server infrastructures, there has been a shift in attacks to the application level. To address these new risks, enterprises must modify their application development (and procurement) processes so that, ideally, application security defects are detected and remediated prior to deployment of the application.&lt;br /&gt;&lt;br /&gt;Thus, this is not just about anti-piracy measures for developers, but also about protecting enterprises against subverted applications (inserting Trojan code, for example) -- either their own applications or those purchased from ISVs.&lt;br /&gt;&lt;br /&gt;Application hardening and shielding products provide protection for an organization's software-based assets (especially those placed on machines, sites and locations that the organization doesn't control) from tampering, reverse engineering and attacks. They can also provide several types of application-level security without requiring developers to natively modify source code.&lt;br /&gt;Application hardening tools are those tools designed to protect your code from hackers by using techniques of obfuscation, encryption or authentication. You want to look for a product that will ward against tampering, piracy, reverse-engineering, malware insertions and unauthorized use. 
&lt;br /&gt;&lt;br /&gt;With these types of tools, security is injected into your code, specifically with the purpose of detecting and preventing application-level intrusions.&lt;br /&gt;&lt;br /&gt;Defending against attacks&lt;br /&gt;&lt;br /&gt;Obfuscation&lt;br /&gt;&lt;br /&gt;Obfuscation is used to hide structure and code flow within an application. By modifying the original code or inserting new code that will disguise the original code, the hacker will be unable to reverse engineer or tamper with the original source code.&lt;br /&gt;&lt;br /&gt;Gartner’s Walder says this of hardening tools:&lt;br /&gt;&lt;br /&gt;At their most basic level, the technologies include obfuscation tools to protect the application code as the increasing use of intermediate language representations (such as Java and .NET) enables hackers to easily reverse-engineer intellectual property (IP) embedded in software. &lt;br /&gt;More advanced capabilities include the ability to inject security protection directly into the application without requiring developers to modify the source code. This can be applied proactively (for example, obfuscating the application to protect against and alert for tampering, or implementing the type of input filtering that the developers should have written to protect against exploits) or reactively (injecting protection as a result of a vulnerability discovered in production, or performing some predetermined action based on exploitation attempts).&lt;br /&gt;&lt;br /&gt;This set of technologies captures two diverse needs. Code obfuscation is the more widely adopted and more mature method of protecting applications, but estimated adoption rates are still in the high single digits, because most organizations are unaware of its benefits until they directly experience the theft of IP or an attack from an application compromise. 
Furthermore, for application protection techniques that rely on the insertion of code, development organizations may be reluctant to allow the injection of new code into an application from a source other than a developer.&lt;br /&gt;&lt;br /&gt;Authentication and attack detection&lt;br /&gt;&lt;br /&gt;Checksum&lt;br /&gt;&lt;br /&gt;Checksum is used as a way of detecting the integrity of an application and its data. A procedure is used that will yield a “checksum” from data. Then when that data is transmitted, the checksum algorithm can be run again to ensure the data was not altered, either accidentally or intentionally. Variants to checksum functions are hash functions, fingerprints, randomization functions, cryptographic hash functions and digital signatures. Though related, each of these has its distinct uses and priorities.&lt;br /&gt;&lt;br /&gt;Anti-debug&lt;br /&gt;&lt;br /&gt;This is a technique of detecting tools used that might be used by hackers to compromise data. Security schemes that use anti-debug may block the application from executing if tools such as a kernel-mode debugger are present.&lt;br /&gt;&lt;br /&gt;Though this may prove somewhat beneficial, in his post, Anti-debugger techniques are overrated, Nate Lawson warns not to depend simply on anti-debug techniques in your protection scheme.&lt;br /&gt;&lt;br /&gt;The reality is that they are either too simple and thus easy to bypass or too specific to a particular type or version of debugger. When designing software protection, it’s best to build a core that is resistant to reverse-engineering of all kinds and not rely on anti-debugger techniques.&lt;br /&gt;Alert and react to attacks&lt;br /&gt;&lt;br /&gt;You need tools to defend from attacks and detect when code has been attacked. A third area you want to look for in your protection tool is how it reacts when an attack is discovered. Is it able to repair the tampered code with the original code? 
What errors are produced when attacks are detected? Is there capability to send alerts to the appropriate people?&lt;br /&gt;&lt;br /&gt;Mobile and embedded software&lt;br /&gt;&lt;br /&gt;With the vast number of mobile devices and applications, downloads number in the billions and unprotected code is a prime target for hackers intent on stealing intellectual property.&lt;br /&gt;&lt;br /&gt;According to Charles Kolodgy, Research Vice President of Secure Products at IDC:&lt;br /&gt;&lt;br /&gt;I don't see much difference in the protection profile required for standard web applications and those of mobile applications. The key is what kind of manipulation of the software can occur that will result in attackers being able to use an application as an avenue to collect information that they can then use for monetary gain. The real problem with mobile applications is that there are so many of various quality levels that it is difficult to know what is a good application and what might have been created to gain a foothold on your device.&lt;br /&gt;Though embedded software running on specialized devices is not at as high a risk, due to less consumer exposure, it still can be very important to protect the intellectual property. Biometric devices and military devices are two examples of embedded software which require a high level of protection.&lt;br /&gt;&lt;br /&gt;Kolodgy notes the growing concern for increased security throughout the SDLC:&lt;br /&gt;&lt;br /&gt;There is a growing appreciation that applications need to be developed in a secure manner. There are beginning to be requirements, from the government but also from industry (see PCI/DSS) that are requiring that software be tested against a minimum level of security. 
Security testing is being integrated into the SDLC.&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;20 Jan 2011&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-967795315320058077?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/967795315320058077/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/application-security-hardening-for.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/967795315320058077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/967795315320058077'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/application-security-hardening-for.html' title='Application security hardening for mobile and embedded software'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-4853108539522731339</id><published>2011-01-24T12:33:00.000-08:00</published><updated>2011-01-24T12:34:03.108-08:00</updated><title type='text'>NIST Issues Guidance on Cryptographic Algorithms</title><content type='html'>NIST Issues Guidance on Cryptographic Algorithms&lt;br /&gt;&lt;br /&gt;Click For More Info &lt;br /&gt;SP-131A: Guide to Transition to Use of Cryptographic Algorithms&lt;br /&gt;January 24, 2011 - GovInfoSecurity.com&lt;br /&gt;&lt;br /&gt;The National Institute of Standards and Technology issued Monday new guidance on cryptographic algorithms and key lengths.&lt;br /&gt;&lt;br /&gt;SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths provides an approach for transitioning from the use of one algorithm or key length to another, as initially addressed in part 1 of SP 800-57.&lt;br /&gt;&lt;br /&gt;SP 800-131B – known as Transitions: Validation of Transitioning Cryptographic Algorithms and Key Lengths – is under development and will address the validation of cryptographic modules during the transition period. Part 1 of SP 800-57 is being revised for consistency with SP 800-131A. 
SP 800-57 (part 1) and SP 800-131B will soon be available for public comment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-4853108539522731339?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/4853108539522731339/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/nist-issues-guidance-on-cryptographic.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4853108539522731339'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/4853108539522731339'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/nist-issues-guidance-on-cryptographic.html' title='NIST Issues Guidance on Cryptographic Algorithms'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-2900236119917639165</id><published>2011-01-23T06:57:00.000-08:00</published><updated>2011-01-23T06:57:35.086-08:00</updated><title type='text'>Protecting your SaaS deployment from stupid users - Feature - Techworld.com</title><content type='html'>&lt;a href="http://features.techworld.com/security/3256212/protecting-your-saas-deployment-from-stupid-users/"&gt;Protecting your SaaS deployment from stupid users - Feature - Techworld.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-2900236119917639165?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://features.techworld.com/security/3256212/protecting-your-saas-deployment-from-stupid-users/' title='Protecting your SaaS deployment from stupid users - Feature - Techworld.com'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/2900236119917639165/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/protecting-your-saas-deployment-from.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2900236119917639165'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2900236119917639165'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/protecting-your-saas-deployment-from.html' 
title='Protecting your SaaS deployment from stupid users - Feature - Techworld.com'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-8662336278516811590</id><published>2011-01-19T12:08:00.000-08:00</published><updated>2011-01-19T12:09:20.938-08:00</updated><title type='text'>Cryptography in the Cloud</title><content type='html'>As a GovInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info &lt;br /&gt;When Moving to the Cloud, Don't Overlook Cryptographic Security&lt;br /&gt;&lt;br /&gt;January 14, 2011 - Tom Field, Editorial Director Share  &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Ralph Spencer Poore: There's no better way to secure critical data than through cryptography, especially when that data is stored in the cloud.&lt;br /&gt;&lt;br /&gt;Ralph Spencer Poore, an information security veteran with decades of experience in cryptography, is a proponent of employing cryptographic security in cloud computing. &lt;br /&gt;"Information in motion and information at rest are best protected by cryptographic security measures," says Poore. "In the cloud, we don't have the luxury of having actual, physical control over the storage of information, so the only way we can ensure that the information is protected is for it to be stored cryptographically, with us maintaining control of the cryptographic key." &lt;br /&gt;&lt;br /&gt;But know what you're looking for when you seek a cloud provider who promises cryptographic security, Poore says. "Cryptographic security measures must not be left to the imagination of the party in the cloud," he says. "Do your homework. 
Really understand what the capabilities are of any organization to which you're outsourcing." &lt;br /&gt;&lt;br /&gt;Among the unique challenges are jurisdictional issues. "Because the cloud has the potential of being international, and because cryptographic technology is considered by most nations to be 'munitions' or a similarly restricted category, cryptographic implementations may have jurisdictional limitations and potential liabilities," Poore says. "The client relying on the cloud should ensure that such issues are clearly addressed by contract." &lt;br /&gt;&lt;br /&gt;In an interview about cryptographic security in the cloud, Poore discusses: &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;•How cryptography relates to cloud computing;&lt;br /&gt;•Challenges to overcome when employing cryptographic security;&lt;br /&gt;•Key questions to ask of cloud service providers re: cryptography.&lt;br /&gt;Poore is Chief Cryptologist for Cryptographic Assurance Services LLC (Arlington, TX). He has over 35 years of information security experience, including over 20 years of applied cryptography. 
He has written extensively on the subject and his work is cited in academic papers, national standards, professional journals, and books.&lt;br /&gt; Podcast Options&lt;br /&gt;  Play Streaming Audio&lt;br /&gt;  Download MP3 File&lt;br /&gt;      iPod and mobile devices   &lt;br /&gt;Related Podcasts in:&lt;br /&gt;Technology&lt;br /&gt;- Cloud Computing&lt;br /&gt;- Encryption&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-8662336278516811590?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/8662336278516811590/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/cryptography-in-cloud.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8662336278516811590'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/8662336278516811590'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/cryptography-in-cloud.html' title='Cryptography in the Cloud'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-7917567878934428055</id><published>2011-01-18T12:45:00.000-08:00</published><updated>2011-01-18T12:45:23.423-08:00</updated><title type='text'>Password security should be retired for good - Feature - Techworld.com</title><content type='html'>&lt;a href="http://features.techworld.com/security/3255073/password-security-should-be-retired-for-good/"&gt;Password security should be retired for good - Feature - Techworld.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-7917567878934428055?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://features.techworld.com/security/3255073/password-security-should-be-retired-for-good/' title='Password security should be retired for good - Feature - Techworld.com'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/7917567878934428055/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/password-security-should-be-retired-for.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7917567878934428055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/7917567878934428055'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/password-security-should-be-retired-for.html' title='Password security should 
be retired for good - Feature - Techworld.com'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6662921762421448486</id><published>2011-01-12T12:00:00.000-08:00</published><updated>2011-01-12T12:00:43.240-08:00</updated><title type='text'>Views regarding PCI compliance are mostly positive - SC Magazine US</title><content type='html'>&lt;a href="http://www.scmagazineus.com/views-regarding-pci-compliance-are-mostly-positive/article/194130/"&gt;Views regarding PCI compliance are mostly positive - SC Magazine US&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6662921762421448486?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.scmagazineus.com/views-regarding-pci-compliance-are-mostly-positive/article/194130/' title='Views regarding PCI compliance are mostly positive - SC Magazine US'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6662921762421448486/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/views-regarding-pci-compliance-are.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6662921762421448486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6662921762421448486'/><link rel='alternate' type='text/html' 
href='http://datasecuritycompliance.blogspot.com/2011/01/views-regarding-pci-compliance-are.html' title='Views regarding PCI compliance are mostly positive - SC Magazine US'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6222737686206094049</id><published>2011-01-12T06:18:00.000-08:00</published><updated>2011-01-12T06:18:23.511-08:00</updated><title type='text'>Securing the file transfer world, one file at a time - SC Magazine UK</title><content type='html'>&lt;a href="http://www.scmagazineuk.com/securing-the-file-transfer-world-one-file-at-a-time/article/194109/"&gt;Securing the file transfer world, one file at a time - SC Magazine UK&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6222737686206094049?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.scmagazineuk.com/securing-the-file-transfer-world-one-file-at-a-time/article/194109/' title='Securing the file transfer world, one file at a time - SC Magazine UK'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6222737686206094049/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/securing-file-transfer-world-one-file.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6222737686206094049'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6222737686206094049'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/securing-file-transfer-world-one-file.html' title='Securing the file transfer world, one file at a time - SC Magazine UK'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-392483604696108295</id><published>2011-01-12T05:02:00.000-08:00</published><updated>2011-01-12T05:03:47.784-08:00</updated><title type='text'>Fraud Prevention Requires Mind Shift</title><content type='html'>Most Banks Focus on Compliance, Not Security&lt;br /&gt;(http://www.bankinfosecurity.com/articles.php?art_id=3257&amp;opg=1)&lt;br /&gt;&lt;br /&gt;January 12, 2011 - Tracy Kitten, Managing Editor&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;What the financial industry needs is a shift in the way it thinks about fraud prevention. It's security first, compliance second. &lt;br /&gt;That's the way Adam Dolby, who heads up online security and authentication systems for Gemalto North America, sees it. Dolby says banking institutions in the U.S. have for too long focused on regulatory compliance, rather than centering their attention on solutions that actually detect and prevent fraud. &lt;br /&gt;&lt;br /&gt;"There has been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path," he says. "It almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. 
What they have done is provide a bit of a false sense of security." &lt;br /&gt;&lt;br /&gt;That false sense of security has had a domino effect, because it's led many institutions to be caught off guard. For instance, some of the steps put in place to comply with regulatory mandates, such as login-time one-time passwords, have done little to stop fraudsters from compromising transactions: an OTP proves who is logging in, not what is being sent, so an attacker sitting in the customer's browser or between the customer and the bank can let the legitimate code through and alter the transaction behind it. &lt;br /&gt;&lt;br /&gt;After reviewing results from Information Security Media Group's The Faces of Fraud Survey, Dolby says financial institutions are falling victim to what he calls the "CSI phenomenon." &lt;br /&gt;&lt;br /&gt;"This is like trying to act against crime but starting with a dead body and investigating backward, rather than actually trying to stop people from getting whacked in the first place," he says. &lt;br /&gt;&lt;br /&gt;During this interview with Information Security Media Group, Dolby discusses: &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;•How U.S. institutions could learn from their overseas financial counterparts;&lt;br /&gt;•Needed investments in fraud-detection technology;&lt;br /&gt;•The role stronger authentication will play in the future.&lt;br /&gt;Dolby oversees online security and authentication systems via channel relationships for Gemalto North America, where he builds and maintains regional partnerships. Dolby also supports Gemalto's business and security objectives, through consumer education and advocacy on Gemalto's online resource www.JustAskGemalto.com. Before Gemalto, Dolby worked in the banking industry, serving in executive management roles for online banking and partnering with the world's leading financial institutions. Dolby's experience encompasses management of multiple e-banking systems including ACH, wire, treasury management, consumer e-banking, card networks and ATMs. &lt;br /&gt;&lt;br /&gt;Current Fraud Detection&lt;br /&gt;TRACY KITTEN: What fraud trends can the financial industry expect to face in 2011? 
I'm here today with Adam Dolby, who oversees online security and authentication solutions for Gemalto North America. Building on newly released results from Information Security Media Group's Faces of Fraud survey, Dolby shares his thoughts about surprising and not-so-surprising trends in financial fraud and the investments banks and credit unions are expected to make in security solutions in the New Year. Adam, you've reviewed some of the results from our fraud survey and this one caught a number of the experts' eyes. Seventy-five percent of respondents said they learn about fraud from their customers or members. What does that tell us about fraud detection, and is the industry continuing to rely too heavily on customer and member notification? &lt;br /&gt;ADAM DOLBY: I certainly thought that this particular question, and the fact that it led the study, was very interesting. If 75 percent of respondents are saying that they are learning about fraud from their customers, what it is really issuing is a bit of an indictment of the industry as a whole, and of the measures of fraud detection and prevention that exist in the marketplace today. You could sort of equate this a bit to, say, maybe the CSI phenomenon, for those of you who watch the show, where we are seeing evidence of a dead body first and relying on people to report the crime, rather than preventing the crime from happening in the first place. &lt;br /&gt;&lt;br /&gt;KITTEN: How much fraud do you think, Adam, is slipping through the cracks as a result of the way financial institutions are learning about fraud? &lt;br /&gt;&lt;br /&gt;DOLBY: I think that is an excellent question and perhaps a bit of a scary one. Knowing how well customers, in general, look at their statements and their banking activity, I would suppose that quite a substantial amount of fraud is actually slipping through the cracks; whether it's undetected or late detected or perhaps under-detected remains to be seen. 
Also at issue here is not necessarily where fraud occurs, but where accounts have been entirely taken over and customers have no method for verifying what transactions have taken place. I think all of those factors paint a bit of a grim picture of what the industry looks like as a whole, with regard to fraud and Internet banking; but it also means that there is quite an opportunity to be able to act on what the results of this study are. &lt;br /&gt;&lt;br /&gt;Fraud Detection and Audits&lt;br /&gt;KITTEN: You also noted that you found it interesting that 25 percent of the survey's respondents said they discover fraud during audits. Why is that interesting, and what does it tell us about current fraud-detection mechanisms, or the lack thereof? &lt;br /&gt;DOLBY: I found that number a bit interesting, perhaps a bit differently, in that I thought 25 percent was actually a bit high. If we're actually discovering fraud one out of four times during an audit, rather than a customer reporting it or any detection or prevention mechanism addressing the issue, then, really, one out of four are saying that there is fraud being detected substantially after the fact. Money has actually moved out of an account. What is particularly troubling there is that neither a detection mechanism nor the customer is finding it when it occurs. It is actually slipping through almost all of the cracks and being found sort of at the last possible moment, during an audit of either the account balancing or any other system detection. So, yes, I think it is a significant amount that is being found that late, and I think that it is a bit troubling. That means it has gotten past the initial detection systems, including the eyes of the customer. &lt;br /&gt;&lt;br /&gt;ACH Fraud: 'Unprepared to Fight'&lt;br /&gt;KITTEN: ACH and wire fraud are a growing problem. That is not a surprise. But banks and credit unions in the survey said they feel very unprepared to fight ACH and wire fraud. 
&lt;br /&gt;DOLBY: Really, to date, there has been a bit of hesitancy to move forward with really aggressive fraud-prevention measures, rather than detection. I would say that the challenge for the industry, at this point, is to move toward solutions specifically designed to address the spectrum of money-movement fraud -- whether it's ACH, wire, account-to-account transfers, or any other type of money-movement -- and really making sure that we're addressing all of those problems before it's possible for them to happen. I think the other challenge, quite frankly, has been that there have been a number of other issues that have plagued the financial industry, including the relative instability in that space over the last few years. From a simple perspective, people have had other things to worry about. But at this point, I think we really have to recognize that security is an ongoing battle. It is certainly a necessary part of delivering financial services online that every bank should have a plan and staff to address. As an industry, we need to make sure that we're looking at and making long-term investments aimed at stopping fraud as it can occur today, but also as it can occur tomorrow and the day after tomorrow. We also need to look at what other vectors that it can take; whether it is starting as simple as phishing and moving to more advanced malware and key logging, and making sure that we're addressing the transaction set that has seen fraud today and will see fraud tomorrow. &lt;br /&gt;&lt;br /&gt;KITTEN: This is something that we have discussed in the past, not something that is directly related to the survey results, but it does have a tether of sorts. You've noted that authentication is a problem, especially as it relates to ACH and batch transactions. One-time passwords have, in some ways, you've said, assisted fraudsters. Can you explain and tell us what you think institutions should be investing more in when it comes to ACH-fraud prevention? 
&lt;br /&gt;&lt;br /&gt;DOLBY: I think one point of clarification is that the initial investment in, not necessarily just one-time passwords, but some very basic fraud analytics has created a bit of a green-field opportunity for those folks who know how to execute a sophisticated technology-based attack on a financial institution, be that "man-in-the-middle" or "man-in-the-browser." So, with that sort of opportunity presenting itself to those folks who really know how to execute that technology-based attack, what it means is that they have an opportunity to sort of get by those security measures, as the earlier pieces of the study would indicate, and really go after the money. What it requires is a bit of a shift in thinking, on the part of both security companies as well as financial institutions. And then we have to look at, "How do we defend every type of transaction within the banking infrastructure?" The early emphasis, and rightfully so, was on protecting wire transfers, because those are one-to-one movements of money and payment options; but we've historically defended wire transfers very well at a very basic level. &lt;br /&gt;&lt;br /&gt;I could pick up the phone and call you and say, "Hey, Tracy. Do you want to move money to Francesca in Massachusetts?" And you would have the opportunity to say "yes" or "no" and approve that transaction. But you can't do that for transaction batches, in particular, ACH. If you think of a large payroll being transmitted weekly, it's not possible or even feasible to go in and verify every transaction and all of the account holder information for everyone in that direct-deposit file. So, if that becomes the weakest link in the security chain, it will become the vector that we're seeing attacked most often. 
What that means is we have to look at security solutions that are aimed at protecting large amounts of alphanumeric data, which the solutions that are currently in place, whether that is OTP or fraud detection or prevention mechanisms and analytics, are not designed to protect. Really, what it requires is a shift in thinking: looking at more PKI-oriented technology [i.e., having the customer digitally sign the entire batch, so that any payee or account-number field altered after signing fails verification at the bank], which is really designed to protect massive amounts of information, and also alphanumeric information, so that it would protect payee information, account-number information and anything else that is contained in a database, in transit and at rest. &lt;br /&gt;&lt;br /&gt;Budget Constraints&lt;br /&gt;KITTEN: Going back to the survey results, financial institutions noted in their responses that budgetary constraints and inadequate technology were the factors most often blamed for lacking fraud detection. Are banks really strapped for fraud-detection investments, or are they just investing in the wrong types of solutions? &lt;br /&gt;DOLBY: I thought that piece was very interesting as well, and I think it is probably a mix of the two. For me, I think fraud detection is a bit of a misnomer, because I think in order to build your fraud-detection solution, you have to at least see some instances of fraud to build your model off of. In the banking industry, again, if you go back to sort of the crime-scene model, one body is too much, in my opinion. Just seeing any financial loss for any particular customer is a potential PR nightmare, let alone the dollars that can be lost. So, from that standpoint, I think what has really happened is there has been a bit of a tendency, and we saw this with the FFIEC guidance that came out several years ago, to think more around compliance, rather than looking at true security-based solutions and how we can actually prevent fraud from occurring in the first place. Solutions certainly exist. Really, what it requires is a bit of a shift in thinking. 
Institutions need to accept the fact that security is a piece of the necessary puzzle to deliver online services. They need to have a bit of that forward-looking, forward-thinking mentality that says, "I need to invest in what amounts to an insurance policy for each customer that merits it," and pick the level that is appropriate for those customers. I don't believe in a one-size-fits-all approach. So, you would have a blend of security solutions for your customer base or even for particular users within an individual business, for example, and move forward in a way that really treats security as that necessary part of the puzzle, rather than something that has to get done to get examiners off our back. &lt;br /&gt;&lt;br /&gt;I also think there has been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path, where it almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. What they have done is provide a bit of a false sense of security, and to me that is almost worse than no security at all. When your security solution is compromised, you have quite a shake in confidence from your customer base and, perhaps, a very difficult time getting them back. &lt;br /&gt;&lt;br /&gt;Reputation Loss&lt;br /&gt;KITTEN: I'm going to build on that just a little bit, talking about reputation loss and customer confidence. Forty percent of our survey's respondents said that reputation loss and customer confidence were adverse side effects of fraud. What does that tell you about investments banks and credit unions should be making in fraud prevention, to not only cut their hard costs but also their soft costs, which would be the customer and member losses? &lt;br /&gt;DOLBY: Security is a necessary part of delivering online banking. 
If you could save half of, or even a third of, your customer base that is potentially vulnerable from a compromise, I think that is a huge number. In fact, having that many customers vulnerable to outside influences is huge in and of itself. So, if one individual or a group of individuals has it in, so to speak, for any financial institution, or just sees that bank as the weakest link in the security chain, that is a tremendous number of your base that you are going to have to not only spend money on to try to keep, not to mention the money that will have to be spent to respond to any media leaks or announcements that go out about publicized attacks. At a time when customers are already looking for a reason to be aggravated with the financial industry, it really creates a potential point of compromise that is extremely dangerous for the industry as a whole. Even if you as an individual are not compromised, there is the possibility that if others in your peer group are compromised, you could still have shaken confidence. For a bank, its customer base could be shaken, because they are going to question the security measures their bank has in place. So, certainly, it is a very interesting and challenging time. Fortunately, there are security solutions that exist that can make fraud virtually impossible. It certainly requires some investment from the financial perspective, but it also requires a bit of a mind shift on the part of the customers themselves. Customers need to realize, "Hey, for me to access my online banking, it may be a bit different than it was in the past. It may require me to carry a device." So, there is an educational campaign aspect to this that has to occur as well. But, certainly the fact that 40 percent of respondents are saying loss of customer confidence and loss of the customer himself is a problem is huge. That is a huge number of people to be potentially vulnerable, if you are a financial institution that is attacked. 
&lt;br /&gt;&lt;br /&gt;KITTEN: Now, I'm going to go back to the customer education piece for just a moment. We talked about this earlier, and it's come up in this last question here. Customer education is effective, but can only go so far. Yet it seems that banks and credit unions say education and awareness are the best fraud prevention measures they have in place. Why is technology not seen as a critical investment, when it comes to fraud prevention, and do you see that as being a U.S.-centric perspective? Is fraud prevention addressed or viewed in a similar way by financial institutions throughout the world? &lt;br /&gt;&lt;br /&gt;DOLBY: I'm a huge proponent of customer education, and I think it is going to be even more essential going forward. Customers are continually educated on what to look for, whether it is phishing e-mails or not clicking on links, etc. I think for a proactive institution, the opportunity to position the bank as a resource for that type of information, especially if they have a small-business customer portfolio, is excellent. There is an opportunity to continue to educate them about protecting VPNs and firewalls and all of those things. However, customer education can only do so much, as you say, and it's a bit like expecting individuals to not transmit the flu by telling them they need to wash their hands all the time. Well, certainly we do that, but we also have a flu vaccine, and really, that is where technology comes into play. As we deliver that vaccine and prevent the spread of that infection, we control the sickness. &lt;br /&gt;&lt;br /&gt;I think it seems to be more of a U.S.-centric mentality; outside of the U.S., you see very rapid expansion and adoption of authentication solutions and stronger authentication solutions for customers, both at the corporate and retail levels. At the retail level, it is almost unheard of in the U.S. There are a few banks that have taken proactive measures, but they are very few and far between. 
&lt;br /&gt;&lt;br /&gt;I think technology is seen as too expensive and, perhaps, a bit too complex. I think that is, in large measure, a bit of a red herring. I think if you really look under the covers of solutions, you'll find they are very customer friendly. And if you present them to a user in the correct manner, they will be very accepting of those solutions. We've seen technology presented out to customers in a way that would lead to some negative feedback. For example, I've seen financial institutions that will say, "Do you want to use this thing to connect to Internet banking, or nothing?" Well, human nature is going to say, "I don't want to carry anything else to do this if I can get away with it." Certainly, if you present security in that manner, it's not received well; but if you go to the same customer and say, "Would you like to be able to access your bank securely and guarantee that no one can commit fraud on your account?" That is a much different presentation of the technology. &lt;br /&gt;&lt;br /&gt;I would also take it a step further, in that we have a set of regulations called Regulation E (Reg E) in the U.S., where we have a number of consumer protections that actually dumb down, a bit, the level of sophistication on the part of the end-user and their awareness of security. That's because the bank is ultimately responsible when fraudulent movements of money occur. That is why you see a strong push on the corporate side, which is not covered by Reg E, for security solutions. On the retail side, there aren't many security solutions or very many strong authentication solutions deployed, because those consumers are protected by Reg E. Really, what we've done is said, "Security is going to be the bank's concern," and when you go to try to alter the user experience for those people that are protected by that regulation, they don't have to adopt any additional, more protective measures for accessing their accounts. 
So, there are a number of forces at work. There is certainly an environmental issue in the U.S. that is a bit unique, and I do believe that education is a good step and a necessary step. But, really, in terms of that actually fixing your problem or helping fraud prevention, I think that first question of 75 percent of institutions learning about fraud from their customers and members says it all. To learn about fraud from their customers is still troubling. It's clearly still happening, and to expect your customer to prevent it is a bit naïve. &lt;br /&gt;&lt;br /&gt;2011 Agenda&lt;br /&gt;KITTEN: In closing, Adam, I would just like to ask where you see the industry heading over the course of the next year? Banking institutions are looking for more fraud prevention and security tools. Why, in your opinion, is knowledge so lacking, and what can the industry do in 2011 and beyond to break this cycle? &lt;br /&gt;DOLBY: Yeah, I certainly think it is a bit incumbent upon providers to make sure that we are doing our best to educate folks, whether that is through conducting a podcast like this or webinars, etc. Really, that is our responsibility to educate, not to simply go out and promote a product. We need to educate the industry about the threats that exist and talk to customers about what challenges there are and how they can be addressed. &lt;br /&gt;&lt;br /&gt;I do think we'll see better responsiveness from the industry in 2011, if only because the industry continues to settle with a bit of consolidation here and there. But, really, the uncertainty has passed for a lot of folks and they can start to really focus on security now, instead of worrying about if they have a job. I also think there is certainly a growing awareness. I've seen it all the way up to the board level, where they clearly understand the risks involved with the Internet and doing business on the Internet. We have to make sure we are protecting customers in the appropriate manner. 
I also think it's been a bit of a struggle to really bring in some of the foreign influence, where we've seen banks adopt strong authentication for 10, sometimes 15, years now. We'd like to show banks here what they've done and get response for what's happened environmentally overseas. It can prove that customers will adopt this technology and use this technology, and actually do more transactions online. That mentality has changed. Having been in the industry for eight or so years now, I know when I first started doing this, if you talked about a bank in the Netherlands that was using strong authentication, banks in the U.S. would say, "What does that have to do with me?" They never considered that it is just one Internet. But now you see that awareness improving. Banks are willing to look overseas for expertise. So, I do think 2011 will be a much stronger year in the authentication space. I think it is important to learn lessons from around the world.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-392483604696108295?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/392483604696108295/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/fraud-prevention-requires-mind-shift.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/392483604696108295'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/392483604696108295'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/fraud-prevention-requires-mind-shift.html' title='Fraud Prevention Requires Mind 
Shift'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-5021075605042162754</id><published>2011-01-10T12:56:00.000-08:00</published><updated>2011-01-10T12:57:18.004-08:00</updated><title type='text'>Healthcare and security</title><content type='html'>Healthcare Information Security Articles&lt;br /&gt;Top 10 Health InfoSec Stories for 2010&lt;br /&gt;A Look Back at the Past Year's Biggest Events&lt;br /&gt;January 10, 2011 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com&lt;br /&gt;Share  &lt;br /&gt;&lt;br /&gt;Healthcare privacy and security issues rose to the forefront in 2010 thanks, in large part, to the HITECH Act, which led to many new regulations as well as a public list of major health information breaches. &lt;br /&gt;&lt;br /&gt;HealthcareInfoSecurity.com has compiled a list of the past year's most noteworthy trends and events in an interactive slide show. &lt;br /&gt;&lt;br /&gt;In one of the most significant events of the year, federal rules were issued to launch the HITECH Act's electronic health records incentive payment program. One rule defining "meaningful use" of EHRs requires hospitals and physicians to conduct a risk assessment and then take steps to mitigate the risks identified. &lt;br /&gt;&lt;br /&gt;A new federal list of major health information breaches surpassed 200 cases by year's end, drawing attention to the need for breach prevention efforts. &lt;br /&gt;&lt;br /&gt;Meanwhile, as more organizations relied on social media for marketing and education, concerns about privacy threats grew. One hospital fired staffers for discussing a patient online. 
And as regional and statewide efforts to facilitate health information exchange continued, federal regulators grappled with a long list of issues, including how to obtain patient consent for data exchange.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-5021075605042162754?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/5021075605042162754/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/healthcare-and-security.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5021075605042162754'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/5021075605042162754'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/healthcare-and-security.html' title='Healthcare and security'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-2080591847234508454</id><published>2011-01-09T12:20:00.000-08:00</published><updated>2011-01-09T12:20:19.143-08:00</updated><title type='text'>Leaked: US government strategy to prevent leaks</title><content type='html'>&lt;a href="http://www.techspot.com/news/41889-leaked-us-government-strategy-to-prevent-leaks.html?sms_ss=blogger&amp;amp;at_xt=4d2a187079e312b0%2C0"&gt;Leaked: US government strategy to prevent leaks&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-2080591847234508454?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.techspot.com/news/41889-leaked-us-government-strategy-to-prevent-leaks.html?sms_ss=blogger&amp;at_xt=4d2a187079e312b0%2C0' title='Leaked: US government strategy to prevent leaks'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/2080591847234508454/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/leaked-us-government-strategy-to.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2080591847234508454'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/2080591847234508454'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2011/01/leaked-us-government-strategy-to.html' title='Leaked: US government 
strategy to prevent leaks'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-340589107813713355</id><published>2010-12-21T12:50:00.000-08:00</published><updated>2010-12-21T12:50:08.045-08:00</updated><title type='text'>Group Publishes Database of Embedded Private SSL Keys</title><content type='html'>&lt;a href="http://threatpost.com/en_us/blogs/group-publishes-database-embedded-private-ssl-keys-122010"&gt;Group Publishes Database of Embedded Private SSL Keys&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-340589107813713355?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://threatpost.com/en_us/blogs/group-publishes-database-embedded-private-ssl-keys-122010' title='Group Publishes Database of Embedded Private SSL Keys'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/340589107813713355/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2010/12/group-publishes-database-of-embedded.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/340589107813713355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/340589107813713355'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2010/12/group-publishes-database-of-embedded.html' title='Group Publishes Database of Embedded 
Private SSL Keys'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6166144559111693978</id><published>2010-12-21T12:49:00.000-08:00</published><updated>2010-12-21T12:49:32.059-08:00</updated><title type='text'>Data Breach Could Test Massachusetts Law</title><content type='html'>&lt;a href="http://threatpost.com/en_us/blogs/data-breach-could-test-massachusetts-law-122110"&gt;Data Breach Could Test Massachusetts Law&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6166144559111693978?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://threatpost.com/en_us/blogs/data-breach-could-test-massachusetts-law-122110' title='Data Breach Could Test Massachusetts Law'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6166144559111693978/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2010/12/data-breach-could-test-massachusetts.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6166144559111693978'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6166144559111693978'/><link rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2010/12/data-breach-could-test-massachusetts.html' title='Data Breach Could Test Massachusetts Law'/><author><name>Piet J. 
Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1631332111027150876.post-6858314662307144116</id><published>2010-12-07T08:29:00.000-08:00</published><updated>2010-12-07T08:29:17.910-08:00</updated><title type='text'>SaaS adoption creates downtime risk, says NCC Group - 12/7/2010 - Computer Weekly</title><content type='html'>&lt;a href="http://www.computerweekly.com/Articles/2010/12/07/244374/SaaS-adoption-creates-downtime-risk-says-NCC-Group.htm?sms_ss=blogger&amp;amp;at_xt=4cfe60d9d8cc4661%2C0"&gt;SaaS adoption creates downtime risk, says NCC Group - 12/7/2010 - Computer Weekly&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1631332111027150876-6858314662307144116?l=datasecuritycompliance.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.computerweekly.com/Articles/2010/12/07/244374/SaaS-adoption-creates-downtime-risk-says-NCC-Group.htm?sms_ss=blogger&amp;at_xt=4cfe60d9d8cc4661%2C0' title='SaaS adoption creates downtime risk, says NCC Group - 12/7/2010 - Computer Weekly'/><link rel='replies' type='application/atom+xml' href='http://datasecuritycompliance.blogspot.com/feeds/6858314662307144116/comments/default' title='Reacties plaatsen'/><link rel='replies' type='text/html' href='http://datasecuritycompliance.blogspot.com/2010/12/saas-adoption-creates-downtime-risk.html#comment-form' title='0 reacties'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6858314662307144116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1631332111027150876/posts/default/6858314662307144116'/><link 
rel='alternate' type='text/html' href='http://datasecuritycompliance.blogspot.com/2010/12/saas-adoption-creates-downtime-risk.html' title='SaaS adoption creates downtime risk, says NCC Group - 12/7/2010 - Computer Weekly'/><author><name>Piet J. Munsterman</name><uri>http://www.blogger.com/profile/14394908602862847896</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
