Government Security News
Banking Malware Finds New Weakness
"The misfortune here for the banks is that they can have the best fraud-detection systems out there ... but it all breaks down when they call the 'hacker' to verify the transaction," says Gartner's Avivah Litan.
4 Types of Insiders Who Threaten IT
Although insider-threat incidents within organizations tend to differ case by case, says Carnegie Mellon University's Dawn Cappelli, there are similarities and patterns that organizations can look for when mitigating their risks. What are some of the common characteristics among insiders, and how can organizations respond?
Risk Management Requires Innovation
Risk-management professionals must think outside of the box in terms of innovation, research and development and partnerships.
Verisign Must Reveal More about Breaches
Verisign Inc. may have followed the letter of the law when revealing a series of breaches in an SEC filing. But the company that assures the flow of a hefty portion of Internet traffic should have been more forthright to ease the minds of its various constituencies.
$30 Billion: Money Well Spent?
Building public trust that electronic health records will remain private is essential to the success of federally funded efforts to boost EHRs and health information exchange.
Verisign Breached Several Times in 2010
Verisign, operator of two of the 13 root name servers that route traffic on the Internet, has revealed that outsiders attacked its computer network several times in 2010, but top management did not learn of the incidents until September 2011.
After a Breach: 3 Lessons
911 Broadcasts: A Privacy Invasion?
The extensive news media coverage of a 911 emergency call about actress Demi Moore is calling attention to an important issue: The need to protect privacy.
No Opt Out for Opt Out
The uproar over Google's latest privacy policy is much ado about nothing, especially the cry from some in Congress that the Internet company won't allow users to opt out of its new policy.
Mobile: Learn from Intel's CISO on Securing Employee-Owned Devices
Since Jan. 2010, the number of employee-owned mobile devices on the job has tripled from 10,000 to 30,000, and by 2014 Intel CISO Malcolm Harkins expects that 70 percent of Intel's 80,000 employees will be using their own devices for at least part of their job.
The payback so far:
- Better Productivity - Employees who use their own devices respond faster to communication and over a greater percentage of the day;
- Improved Security - Mobility improves Intel's time to respond, contain and recover from incidents;
- Greater Control - Because personally-owned devices are encouraged, Intel now has markedly fewer unauthorized devices on its network.
In this presentation, Harkins tells how Intel came to embrace and benefit from the BYOD trend, including insights on:
- Bottom-up Approach - Intel from the outset involved employees in mobile policy creation, making the process open to input and constructive criticism. The result: an effective Employee Service Agreement for personally-owned devices.
- Risk Management - There is no 'one size fits all', so Intel developed a five-tier risk management model that provides enhanced security capabilities depending on the employee's access to sensitive data such as line-of-business applications, filtered e-mail and the corporate intranet.
- Beyond Technology - Intel quickly discovered that BYOD impacts more than the IT and security groups. HR and legal play huge roles in helping to define policy, enforce compliance and ensure adequate attention is paid to details regarding privacy, appropriate use and software licensing.
Risk Assessment Framework for Online Channel: Learn from an Expert
But institutions failed to follow that guidance, and as a result they and their customers were victimized by sophisticated schemes such as ACH/Wire fraud and corporate account takeover.
These high-profile fraud incidents helped inspire 2011's updated FFIEC Authentication Guidance, which reinforces regulators' expectations of periodic risk assessments. Specifically, the guidance says:
"Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months. Updated risk assessments should consider, but not be limited to, the following factors:
- Changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement;
- Changes in the customer base adopting electronic banking;
- Changes in the customer functionality offered through electronic banking; and
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry."
In this session, Joe Rogalski, VP and information security officer at New York's First Niagara Bank ($44 billion in assets), will detail how his institution conducts periodic risk assessments, including:
- An overview of the FFIEC guidance and what examiners will expect to see in your approach to risk assessments;
- How to conduct an effective risk assessment, including qualitative and quantitative approaches;
- What to do about risks, vulnerabilities and threats identified in your assessments.
Elements of a Social Media Policy
Are Anti-Piracy Laws Really Needed?
Visa on EMV in the U.S.
Using the NIST HIPAA Security Rule Toolkit for Risk Assessments
The Health Insurance Portability and Accountability Act Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. Covered entities include hospitals, physician groups, health plans and claims clearinghouses. Soon, the rule also will apply to business associates - business partners that have access to sensitive patient information. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
To help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environments, NIST has developed a HIPAA Security Rule Self Assessment Toolkit.
In this session, Kevin Stine, manager of the Security Outreach and Integration Group within NIST's Computer Security Division, will:
- Introduce participants to NIST and its role in information security;
- Provide a detailed overview of the toolkit application;
- Discuss how the toolkit can be used to support an organization's risk management process, help improve security safeguards and aid security assessment and compliance activities; and
- Identify additional NIST information security resources, such as risk assessment and security control guidelines, which can help organizations to manage risk and safeguard health information.
Mobile Technology: How to Mitigate the Risks
"We're being careful to not increase our breach exposure as we roll these devices out," said Roger Baker, the VA's CIO. The VA's experience mirrors what is happening to public and private sector organizations in every global marketplace. They are all trying to get a secure handle on the mobile revolution, which is driven by consumer-friendly technologies and threatened by a range of security risks. Employees and customers alike want to conduct business via mobile technologies, including optical discs and USB devices, so information security leaders are forced to grapple with questions such as:
- Who Owns the Devices? Do organizations issue their own devices in the workplace, or do they allow their employees to bring their own devices to work - if they follow prescribed policies?
- What Are the Elements of a Sound Mobile Policy? Organizations need minimum security standards, and they need to articulate clear uses, data management principles and the fundamentals of mobile security awareness.
- What Are the Risks? Each organization must assess the relative risks of mobile against other electronic channels - for employees and customers alike. But there are unique mobile security risks, including controls in mobile applications, the growing threat of mobile malware, and the ever-present prospect of device loss or theft.
In this session, mobile security experts will discuss these topics and more, sharing insights on how today's leading-edge organizations are enabling safe, secure mobile computing inside and outside the workplace.