Your World. . . Hacked 02/10/2007 10:51:23
As your business becomes more collaborative and global, the risks to your company's trade secrets rise proportionally. Fortunately, there are new strategies to protect the data that allows you to compete.

The call to Bob Bailey, an IT executive with a major US government contractor, came on an otherwise ordinary day in October 2003. "Why are you attacking us?" demanded the caller, an IT leader with a Silicon Valley manufacturer. He wanted to know why Bailey's company had launched a denial-of-service attack against his network.
Stories detailing the theft of personal information from enterprise databases have filled our news for years and are reaching almost unbearable intensity and frequency. Even back in 2005, it was reported that more than 55 million Americans had their personal data exposed in more than 130 major security breaches. A more recent survey found that nearly 90 per cent of Fortune 500 companies and government agencies have experienced security breaches (that they know of!)
Consider the infamous TJX breach. The US-based retail giant discovered more than a year ago -- and much too late -- that its computer systems were compromised because of an unsecured wireless network and that sensitive customer data was stolen. It wasn't until later that the owners of T.J. Maxx publicly announced the breach, and even when they announced the breach, they were unaware of the full extent of the damage. Later, TJX made public that the number of affected customers had reached 94 million. Even today, years after the breach, there are reports of the company's security not being up to the Payment Card Industry Data Security Standard (which is not, to put it mildly, overly stringent). Similarly, another recent intrusion at Hannaford Bros. highlighted the fact that even complying with PCI does not guarantee that a damaging breach won't happen.
In the wake of each breach came public outcry about corporate responsibility for not only ensuring the security of customer data but also for proper notification of those affected. Compliance mandates such as PCI provide system and information security requirements for companies. Still, as the Hannaford example shows, a compliant firm can still be successfully compromised and have information stolen. And always, the remaining question is: What are the guidelines for breach notification, the other half of the corporate security responsibility story?
The first security breach notification law (enacted in 2003 and called the California Data Security Breach Notification Law, or CA 1386) requires companies to give individuals early warning in the event that their unencrypted personal information is "accessed by an unauthorized person" (which is nothing but a euphemism for "stolen"). The idea was that with knowledge of a breach, affected people can lessen the effects of the crime by taking steps to protect themselves against further identity theft. In reality, these laws work mostly by forcing companies to safeguard information out of fear of public embarrassment, so that safeguarding becomes mandatory in effect. CA 1386 gives companies permission to delay notification only if it would impede a criminal investigation.
At that time, California was the only state with legislation requiring the disclosure of security breaches involving personal information. Since then, more than 40 states have passed data security breach disclosure laws, each with unique notification mandates, but all modeled after CA 1386. A national notification law, rather than disparate state laws, would help unify corporate reaction to and notification of security breaches; several bills currently making their way through Congress detail potential requirements. Some countries are also considering such laws, including the UK, Australia and New Zealand.
For those of you familiar with my writing, you are probably waiting for logs to make their grand entrance. After all, what data security discussion would be complete without mentioning the topic of logs? Indeed, logging requirements are hidden in many regulatory mandates that do not mention "logs" by name. Breach-disclosure laws are a primary example.
I have always championed log data as one of the cornerstones of IT security and one of the best ways to detect unusual activity as well as audit normal user and system activities. Log data is also useful for mitigating the fallout from security breaches since it reveals who accessed confidential customer data, when access occurred and by what methods.
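As an added example (not part of this column or of any product it mentions), here is the kind of scoping that last paragraph describes, in Python: given audit-log lines, it reconstructs which customer records a compromised account touched, when and by which method, and keeps records that were stored encrypted (which CA 1386 does not require notifying) apart from the unencrypted ones. The log format, the field names and the account name `svc_backup` are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed sample audit lines (not from any real system). The format is an
# assumption: ISO timestamp, user, access method, customer record id, and
# whether that field was stored encrypted at rest. One line is malformed on
# purpose to show that the parser skips it instead of crashing.
SAMPLE_LOG = """\
2007-09-12T08:14:02Z user=svc_backup method=sql record=cust-1001 enc=0
2007-09-12T08:14:03Z truncated line from a rotated file
2007-09-12T08:14:05Z user=svc_backup method=sql record=cust-1002 enc=1
2007-09-12T23:41:10Z user=jdoe method=web record=cust-2001 enc=0
2007-09-13T02:03:44Z user=svc_backup method=export record=cust-1003 enc=0
2007-09-13T02:03:45Z user=svc_backup method=export record=cust-1001 enc=0
2007-09-14T09:00:00Z user=svc_backup method=sql record=cust-1004 enc=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"record=(?P<record>\S+) enc=(?P<enc>[01])$"
)

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = _parse_ts(d["ts"])
        d["enc"] = d["enc"] == "1"
        yield d

def breach_scope(text, compromised_user, start, end):
    """Records the compromised account touched within [start, end], split into
    'notify' (unencrypted) and 'encrypted'; each maps record -> set of methods."""
    start_ts, end_ts = _parse_ts(start), _parse_ts(end)
    notify, encrypted = defaultdict(set), defaultdict(set)
    for e in parse_log(text):
        if e["user"] != compromised_user or not (start_ts <= e["ts"] <= end_ts):
            continue
        bucket = encrypted if e["enc"] else notify
        bucket[e["record"]].add(e["method"])
    return {"notify": dict(notify), "encrypted": dict(encrypted)}

if __name__ == "__main__":
    print(breach_scope(SAMPLE_LOG, "svc_backup",
                       "2007-09-12T00:00:00Z", "2007-09-13T12:00:00Z"))
```

The window and account would come from the incident timeline; the point is that the notification list is derived from what the logs show was actually accessed, not from everything the account could have reached.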