Security Around Social Initiatives
Read Write Web has a great digest of the entire last round of social applications, from open social to Facebook, android, Bebo and box.net. Understanding these applications from a security viewpoint is...
Red Hat, Where's The Love For Hyperic?
Matt Aslett at The 451 Group reports: "Red Hat and GroundWork Open Source announced an interesting expansion of their partnership today that sees Red...
HTTP Conditional Gets In ColdFusion
I've been working on performance updates to ColdFusionBloggers over the past week or so - and the primary area I'm working on is the aggregator. One item that has been recommended to me by multiple...
A DNS Puzzler
Here's an interesting puzzle involving DNS. It's about Windows, Linux, and OS X, and I don't have a complete answer yet, but I thought I'd share what I've found...
Lawrence On Embedded Virtualization
VMware and XenSource are moving to hardware near you: Virtualization: A feature of the hardware, not the OS?. It's not clear to me how much cost this will add - VMware ESX runs from $1,000.00 on up, but assuming...
2007's Biggest Problem - The Trusted Insider
By Dan Morrill
This has not been a banner year for security: insider hacks and insider data loss have happened across the board. In many ways we can most likely call this the year of the insider.
Whether through actual hacking, through non-compliance with company policy such as taking work home, or through losing disks holding millions of consumer records, the trusted insider is 2007's biggest problem.
Adding to that is a recent insider case from Florida, where a senior database administrator stole, and then sold through a third party, consumer information that should have been better secured; at the very least, someone should have been watching.
Working for a subsidiary called Certegy Check Services, Sullivan used his access to Fidelity's database to pilfer records that included individuals' names, addresses and financial account information, according to court documents. To cover his tracks, he incorporated a business called S&S Computer Services, which sold the data to an un-indicted accomplice. According to authorities, this unidentified person resold the information to direct marketers, including one called Strategia Marketing, which also went by the name Suntasia. Source: Channel Register
While the TJX settlement did not amount to much in money paid out to consumers, the loss and sale of data is no longer just the work of outside hackers. Any picture of the underground economy in data should include insiders as a source, whether acting on purpose or because they were spear-phished, as happened at Los Alamos this week.
Security risk management needs to take much of this into consideration, and controls must be in place so that these kinds of events do not recur with the frequency seen this year.
One thing security risk managers can do is familiarize themselves with the insider threat research conducted by CERT. It is one of the best repositories of data about insider threats and will help a company plan scenarios, draw up contingencies, and devise monitoring strategies.
Another good source of links is Practical, and it is well worth visiting.
In the meantime, while we wind down for the holidays, it might be time to revisit your security practices and work on mitigations for insider threats. There have been far too many this year.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.