UK MPs ask regulator to end “box ticking” culture

The UK parliamentary committee investigating the recent LIBOR bank rate fixing scandal has suggested that the regulator of the UK financial services market, the Financial Services Authority (FSA), should end its “box ticking” culture and look at what is really happening under the covers of the financial services organisations in the UK.

Sound familiar?

Data breaches have occurred all over the world during the last couple of years probably because audit committee chairmen and board directors were given their own regulatory “tick lists” to say that their data security controls were safe without knowing the full impact and extent of where they could be breached.

Tell that to Sony and all the others which have been caught in the headlights of a security breach.

All too often I see the tip of the iceberg being “audited” in companies and organisations when it comes to data security controls, because that is what the regulators know about. Whatever happened to deep diving to see what is under the tip of the iceberg, to see where the weaknesses in people’s data security really are, so that you can build a data security strategy from the bottom up?

Don’t be taken in by the “box ticking” culture which has caused the problem within the UK – and now international – banks! Remember the impact on brand, reputation, shareholder value and client confidence which is now affecting these organisations.

For the full story on the above, see the link below:

http://www.ftadviser.com/2012/08/18/regulation/regulators/mps-fsa-must-end-box-ticking-and-endless-data-collection-o59KkcbJYSmvlPhNXXgpDM/article.html

Posted in Uncategorized

Information Security is “top” IT skill sought says BCS poll

Information security is the IT skill most in demand today according to a survey carried out by the British Computer Society (BCS), the Chartered Institute for IT.

The results, published at a CIO summit held to discuss the future training needs of the IT industry, showed that information security received more than twice the number of votes of any other listed IT attribute polled.

“It’s not surprising that information security topped our poll,” said Adam Tilthorpe, BCS Director of Professionalism. “Information is one of the most valuable assets organisations own, and being able to protect it is vital.”

Tilthorpe said that he expected specific experience in information security, assurance and cyber security to increase in importance as online business expanded and new technologies emerged.

“Organisations need to understand information and have an approach to risk management,” he said. “This gives them a better understanding of the opportunities open to them as well as the benefits and risks. They will then be able to implement technology and information security to mitigate the risks and fully benefit from the opportunities.”

(Source: October 2011 edition, Networking Plus, www.networkingplus.co.uk)

Posted in Cervello, Data Security, Information Security

Industry Analysts Predict Growth in Demand for Database Security Services

Respected global industry analyst Forrester Research has forecast that the demand for database security services will grow considerably over the next 3 years. This comes on the back of a number of high profile database breach stories reported in the press over the last few years, which have affected financial services, corporate and government organisations alike (see link to commentary below).

As the threat to databases continues to rise through rogue insider effort, cybercriminal activity, web application use and remote mobile access, confidential and sensitive data is coming increasingly under attack. Monitoring and reporting to management of potential fraudulent or malicious activity taking place at the database level of the organisation, plus alerting on vulnerabilities being created which could expose management to an attack on their key data, are just two of the areas where the report highlights that services will be in demand over the next few years.

For full details on the report commentary, see the link below:

http://www.darkreading.com/database-security/167901020/security/news/231700002/database-security-market-to-grow-20-percent-through-2014.html

Posted in Data Breach, Database Activity Monitoring, Database Vulnerability & Configuration Management

CCTV cameras captured evidence of wrongdoing by London rioters. We just need to use the same monitoring to capture evidence of data breaches.

The recent rioting in London, and other major English cities, has taught us one thing if we ever wondered why we need CCTV cameras in our country.

The fact that the cameras were monitoring, recording and reporting back what was happening not only helped identify, and possibly help convict, some of the perpetrators of the looting which was going on. It also helped alert police, fire and ambulance services – and management of businesses affected – where potential fraudulent or malicious activity could be heading for next unless the rioting was stopped.

Sometimes you don’t anticipate where, or when, trouble is going to happen. When it does happen, however, you need to have immediate alerting and reporting of what is happening so that you can take mitigating action – and see the perpetrators of the potential abuse – to limit the impact of the action.

Were the looters of the shops and offices aware that CCTV cameras were picking up their every move? Probably not. However, if they had been told in advance that monitoring controls would not only record what they were doing but also identify them as potential perpetrators of the crimes they were committing, would they still have gone ahead and carried out the crimes? Possibly, but they would have been silly to do so if they thought that they would be caught.

Monitoring of data security is exactly the same. If you think that your actions on data, or the security surrounding data, are not being recorded, then you might think about committing a data breach. If you know that there are CCTV cameras watching your actions on data, then you might think again.

The perpetrators of the looting just highlighted why you need to have monitoring controls to capture evidence of certain aspects of “human nature”. It’s not to spy on everyone. In fact, it’s to vindicate the “good guys” and capture the “bad guys” so think of it that way.

Management of data breach cases over the last year, take heed! Monitor for rogue insider activity and/or for cyber criminal activity, and for security vulnerabilities to your data. Security at the perimeter is no longer good enough, or deep enough, to protect your data.

Posted in Data Breach, Database Activity Monitoring, Database Vulnerability & Configuration Management

UK Oracle User Group holds major data security conference

This year has seen a number of high profile data breach stories which have had a major impact on the brand and reputation of the organisations concerned.

Many have been subject to substantial fines, and had legal action taken against them, for not having fully protected their data from fraudulent insider activity or external cyber attack. As a result, the roles and responsibilities of board directors and senior management for data security controls sign-off have been brought to the forefront and attention of industry regulators, legislators and audit firms, plus that of their own clients, investors and shareholders.

To address the risks facing organisations in this area, the UK Oracle User Group is holding a focused, “one off” data security conference at Bletchley Park, home of the famous Enigma code breaking machine, on Tuesday the 13th of September. It is inviting senior management and IT professionals to a day of top industry speakers, including Mary Ann Davidson, Chief Global Security Officer at Oracle, to hear a range of topics on data security to help protect both them and their organisations against the challenges facing them in data breach.

See the link below to register and to see the full list of speakers and agenda for the conference.

http://www.ukoug.org/events/security-special

Posted in Cervello, Data Breach, Data Loss

Phone hacking judge appointed. First action? To find out who was meant to be “guarding the guardians”?

Lord Justice Leveson has just been appointed to lead the enquiry into The News of the World phone hacking story which has been all over the UK press over the last couple of weeks.

He has said that his first action as part of his review will be to look at who was meant to be independently monitoring what was happening at The News of the World. Sound familiar?

Who was independently monitoring the banks when the global banking crisis took place? No one! (“Don’t worry. We can regulate ourselves.”)

Who was independently monitoring MPs’ activity in the UK Government when they were abusing their expenses claims? No one!

Who was independently monitoring the culture and behaviour of the UK police in the payments certain officers were receiving in return for information given to alleged criminals associated with The News of the World? No one!

And, who has been independently monitoring the data security controls of some of the major data breach cases which have also been in the news over the last couple of months? Probably no one again!

Do not independently monitor your data security and see what happens! You cannot leave the guardians of your data to guard themselves. Recent history shows what happens.

Posted in Cervello, Data Breach, Database Activity Monitoring

Monitoring “behaviour” and “culture”. What happens if you don’t do it.

Following the News of the World phone hacking story which I wrote about yesterday, the words “behaviour” and “culture” have been bandied about over the press and the airwaves with great regularity over the last 24 hours, as the excuse that management of the paper did not know, and indeed could not have known, everything that was happening at the paper.

A good get out clause? I don’t think so.

Look at what has happened.

1) the former Chief Executive of the paper has been arrested and is “helping police with their enquiries”

2) a business has been closed down almost overnight

3) thousands of employees have been told that they are losing their jobs after this weekend

4) share value of the parent company has dropped overnight

5) loyal clients have deserted the brand in droves

6) market confidence has gone in the management of the company (even if they do start up a new company, which has been touted)

All because the company did not monitor, or did not want to monitor, the behaviour or culture of some of the people in the organisation. Sound familiar?

Alan Greenspan, former Chairman of the US Federal Reserve, said of the recent banking crisis: “It’s human nature. Unless somebody can find a way to change human nature then we will have another crisis. This crisis will happen again.”

Management beware! The law (and market mood) is changing on the responsibility of Board Directors and Audit Committee Chairmen when it comes to carrying the can for what happens in your organisation. I know, in most cases, that it is a minority of people who open a company or organisation up to the damage which has all too evidently been exposed by what has happened in the News of the World case, or in what happened with the global banking crisis.

If you do not have independent, and I emphasise independent, monitoring controls in place to alert and report on potential areas of exposure and risk to your organisation, or on potentially fraudulent, malicious or anomalous activity taking place as a result of “behaviour” or “culture” within your organisation, then you can see what happens.

Monitor to verify that your organisation’s “behaviour” and “culture” is what you think it is. Do not? Well, just watch the news wires and wait for the knock on the door.

Posted in Cervello, Database Activity Monitoring, Database Vulnerability & Configuration Management

News of the World phone hacking story highlights the need for monitoring insider activity

The News of the World phone hacking story has yet again highlighted the risk to organisations of unmonitored insider activity, and the bad press (sorry for the pun) that goes with it when the proverbial hits the fan.

Trust in employees? I’m with you on that. Think they are all doing what is right by the terms & conditions of the contracts of employment they signed up to with you? In the main, yes. Should we just let them get on with the jobs they are employed to do without independently monitoring that what we think they are doing they are actually doing? I think the News of the World story has answered that one for you.

If you leave a gap for an insider to exploit, and they know that you don’t have any IT “CCTV” watching them and they think that they can get away with exploiting that gap, then don’t be surprised to see your name in the papers.

Protect your organisation’s integrity by independently, and I mean independently, monitoring for the insider threat within your organisation. “Let’s trust, but let’s verify that process.”

Posted in Best Practice, Cervello, Database Activity Monitoring

Almost weekly data breach stories are confirming one thing. Closing the door after the horse has bolted is just too late.

Just tweeted about yet another data breach story, where Arizona’s police force computer system has been hacked and confidential documents stolen and published online.

A spokesman for the police force has told Reuters: “We are aware of computer issues. We’re looking into it. And of course we’re taking additional security safeguards.”

This almost appears to have been the default statement being handed around from data breach victim to data breach victim over the last couple of months, telling their clients, stakeholders and the outside world that they are aware of security issues surrounding their data but they are now going to take action to resolve them.

Forgive me, but that seems to be a reactive data security strategy rather than a proactive one, and backs up the weaknesses I have written about in data security strategies where businesses and organisations are being encouraged to put in “adequate” controls to protect their data (see my blog of June 6 2011).

Once a data breach story is out there, the damage is already done. The data has either been lost or put up online (or sold to the highest bidder), where it can then be used to seriously impact the brand and reputation of the organisation concerned. Board directors and management can start thinking about potential law suits or legal action being taken against them for not having fully protected the source of their data, and market confidence and client attrition have already started to kick in. That’s not to mention fines coming in from the regulators and a drop in stock market valuation in the case of some companies.

I heard someone say recently “organisations need to start looking at data security from the inside out and not the outside in”, by which they meant that we need to look at what we REALLY need to do to protect the source of our data and not just do what is seen to be “adequate”. Perhaps Sony, Nintendo, Sega, Lockheed Martin, the IMF, the CIA and the FBI have exchanged the “we are aware of the computer issues ………” statement over the last couple of months, but the horse, I’m afraid, is already off and running.

Look at where the stable is vulnerable to potential breach and attack, and install a CCTV camera to monitor the activity happening around your stable, and maybe, just maybe, you will see both how and where the horse is going to bolt from the stable before it happens.

Just a thought!

For details on the police force computer hack, see below:

http://www.bbc.co.uk/news/technology-13901478

Posted in Data Breach, Database Activity Monitoring, Database Vulnerability & Configuration Management

Data Loss Prevention. “Bring in security consultants who know what they are doing”

Read a really good blog this morning on Data Loss Prevention (DLP), and the technology market’s claims that vendor solutions in this area can solve your problems for you.

I’m not going to go through the content of the whole blog for you. I will let you read it for yourself in the link I have attached at the end of this page.

In summary, it said that whilst technology has its part to play as part of a DLP strategy, you first of all need to “bring in security consultants who know what they are doing” to:

  1. define your strategy for you
  2. establish where your sensitive data is first, and
  3. confirm where your data is currently vulnerable

Without that starting point you are aiming technology at a data set which will not be good enough to protect the data you want to protect.

I’m not going to say any more. Read the blog, take the key points out of it and get your starting point right before you bring any technology to your DLP strategy.

https://www.infosecisland.com/blogview/14401-You-Cant-Buy-DLP.html

Posted in Best Practice, Data Loss, Database Vulnerability & Configuration Management