Answers

 

Jon S

Tech reporter at USA TODAY

Have you been burned by cybercrime, and what can corporate and federal authorities do to slow down the threat?

Clarification added March 31, 2008:

Byron Acohido, a colleague of mine at USA Today, and I spent nearly four years building the platform for our book, Zero Day Threat: The Shocking Truth of How Banks & Credit Bureaus Help Cyber Crooks Steal Your Money and Identity (zerodaythreat.com), which is due in bookstores in early April. I'd love to hear your thoughts and opinions since this is one of the provocative topics discussed in the book. Have you been burned by cybercrime, and what can corporate and federal authorities do to slow down the threat?

posted March 31, 2008 in Information Security | Closed

Answers (116)

 

Ben Y

Director, Secure Corporate Operations

The best thing corporate and federal authorities can do is make a firm commitment to Net Neutrality.

Clarification added April 3, 2008:

Attempting to address computer-related crime at the Federal level is problematic at best. Internet Crime Laws in many countries are grossly inadequate or in direct conflict with one another, which can make pursuit and prosecution of Web-based Bad Guys difficult. An all-inclusive dialogue moving towards a global treaty would quickly degenerate into a semantic squabble, leaving egos damaged and exposing weaknesses to eGangsters.

posted March 31, 2008

 

J O

Senior Security Architect/Engineer at E-Fensive Security Strategies

What can corporations do: Training, training and more training! Maybe it's me and my experiences, but most of the HR personnel I've encountered since 1990 have tended to be older folk - and I don't mean this in a discriminatory way. Many are "set in their ways" and can't really understand the mechanisms of threats. They understand the exposure and risk aspects, but are like deer in headlights when it comes to threats and vulnerabilities.

With so much information having gone and still going digital, with so many users "going online" (for lack of a better buzzword), there are more threat vectors than the typical policy is structured for. For example, a security policy might state: "Thou shall not visit non-business-related sites from the company's machines". Works fine until someone brings in their laptop and plugs in. Now you can have all sorts of policies on the network that would eliminate this, but it's cumbersome and difficult to architect.

Thou shall not surf the net
Thou shall not bring in laptops
Thou shall not bring in cellulars
ad nauseam...

"Hey! I found this neat little USB key someone lost in the parking lot... Wonder what's on it!"

Corporations need to train their staff on the dangers of NOT IMPLEMENTING policies in order for staffers to "get it" and avoid throwing themselves into a pool of sharks. I could go on rambling about the corporation side of things until my face turns blue... So moving along ;)

Federal Authorities: Stop playing around with these corporations and giving them slaps on the wrist. Stop letting lobbyists glean those pockets for once. Start dishing out hefty fines for companies not in compliance. Begin by creating something similar to the IRS, only this department would randomly audit ANY BUSINESS with the capacity to distribute, disseminate, house, transfer, or use whatever mechanism to control a financial transaction. Violators not in compliance would first be given a fine and allowed time to fix their holes; second time around, a heftier fine and a one-year ban; third time, a five-year ban.

Companies have no incentive to do everything in their power to secure their networks. Some companies truly attempt to do anything and everything they know how to do correctly, but at times that's not enough. In a situation like this where businesses are forced to protect information or face sanctions, I'm sure MANY businesses would start doing what they needed to do in order to secure their infrastructure.

NIST, NSA, you name it, they've all implemented regulations (HIPAA, SOX, etc.), but who is watching over this? CISO, CSO? Who's watching them? I don't mean to sound crude/arrogant to any security officer anywhere, but it's always a good thing to have a second set of eyes.

You could slap on all the regulations you'd like, but an internal security audit is not going to EVER come close to an independent audit. Number 1, someone may have a unique view of something whereas someone else might overlook it. Secondly, an independent audit is focused solely on that audit, whereas a CSO, CISO or Security Officer might be under tight deadlines and policies and again allow something to pass innocuously through an infrastructure.

The same rules as SOX 404 should apply to CSO/CISO/CTO types in all industries: "You signed your name on the dotted line agreeing to these regulations", regardless of whether the company is publicly traded or not. Perhaps vendors like Visa and Mastercard could order this PRE-business dealings.

Side note... Credit card companies and their "certification process". Shh, industry secret coming up... "Fill out this form, tell us you're so secure, we'll run Nessus against you, and if you don't fail, welcome aboard partner!" Credit card companies need to start promoting security and follow up on it.

Banking: ... Jesus I don't have enough time or space to ramble on ;)

posted March 31, 2008

 

Mel D

Senior Technical Auditor at Info@Risk, Inc.

The government needs to levy some meaningful penalties when organizational negligence leads to disclosures of sensitive personal information. Last Thursday the Federal Trade Commission published a press release detailing their settlements with data brokers Reed Elsevier and Seisint as well as TJX following their well-publicized and highly damaging data compromises. The settlements amount to nothing more than a wag of the finger and a disapproving look. They basically are now required to exercise the due care over sensitive data that they should already have been exercising; in the case of TJX, mandated to have been exercising by their agreements with VISA Corporation.

The government is clearly telling businesses that they should continue with their rational calculation that it is much cheaper to maintain sloppy security until they're caught with their pants down and then clean up their acts. We need instead to be putting the fear into them that if they don't follow best practices and due care, they will be made to hurt in the only ways that seem to get their attention: hefty fines and criminal prosecution for the top executives responsible.

posted March 31, 2008

 

Bob G

COO at JGPHL

Jon

Good question, but one that has been around for a while, and with all the experts and companies that are working on it, I expect the problems will be with us as long as we use technology, sort of a necessary evil.

To my knowledge, I have not had an issue (knock on wood), but I know of a few folks that have. For them it was an unending nightmare. One had their credit cards lifted and, along with that, passport, driver's license and checking account information stolen.

I am no expert on the issue and I know there are better minds that are working on this. I am not sure what I could add to solve or slow the problem.

Bottom line, I believe some of these issues can be reduced if folks are more careful with their information. Meaning, using only secured/known networks, never giving out information unless absolutely necessary, and using secure passwords and changing them often. I also would suggest that everyone use a quality security product like McAfee when online.

Also I would suggest that you never store any information online (secured or not) that you don't want stolen. I never store social security numbers, real addresses or personal information, like family names, dates of birth etc.

Better to be really safe than really sorry.

Send an invite to connect if you like. I have some interesting folks in my network that might be of interest to you.

posted March 31, 2008

 

Ron W

Avid Editor / Final Cut Pro Editor / Pro Tools Editor (Freelance)

I once got scammed with my credit card... I contacted my bank and within a month the money was put back into my account. Not a pleasant experience at all, but I lost no money in the end - thanks to my credit card company.

Frankly, I don't see the threat of Cybercrime ever going away.

The best we can do is protect our own key information by limiting its use online.

These are my thoughts.

-Ron Wiles

posted March 31, 2008

 

Jessica G

Software Engineer at Google

How about believing reports from others that they've been hacked?

From the stories in the trenches I've heard, there are far too many system administrators that are over-confident in their abilities. They sometimes ignore even direct communication with strong proof that their system has been compromised and serves as an infection point for other systems. This certainly isn't the majority of system administrators, but it doesn't take many Typhoid Marys to have a problem. It seems like companies should be better about dealing with less than competent system administrators.

The US has done something right though in making the banks largely liable for cybercrime committed against their customers. We really ought to extend that to other data losses. You might want to check Security Engineering by Ross Anderson for some historical perspective.

posted March 31, 2008

 

Howard F

Security Professional

Of course it's trivial to achieve perfect computer and network security... but eventually, we need to turn the computers back on, right? :-)

Your challenge, slowing down "cybercrime", is a very broad one. It may include things like phishing, pharming, brute force attacks, and many, many others. In order to slow all of these attack vectors, you need to start with a clear understanding of what assets you have, what they are worth, and then how to protect them. The "how" must include clear and concise policies, which can then be the basis for enforcement and monitoring.

Effective dual controls - being able to have the left hand watch what the right hand is doing - can prevent most configuration errors which lead to compromise, as well as insider threats.

As always, have a plan. The rest is just time-consuming....

Look forward to reading your book!

Best,

Howard

posted March 31, 2008

 

MS R

Vice President - Technical Delivery at Miel e Security

Dear Jon,

Firstly, I cannot agree more with Oquendo on the importance and need for training. This is a grossly neglected area as it is. Even in places where there are some trainings, they are focused on the corporate environment. I think the training should go beyond direct relevance to the corporation, to the general rules of the road for the Internet and digital information handling. I am not aware that this is being taught anywhere. I have interviewed people with an engineering degree in computer science, excellent in software engineering, who don't even know the basic hygiene of the Internet.

Second, almost all companies I have dealt with have some processes in place, some devices, tools and policies in place. Regrettably, very few even contemplate a process to check for violation of processes and policies (I know they have an audit process; I also know where the failures are). We need to start monitoring or checking exceptions/deviations and know what to do, in near real time.

Third, there are lots of regulations for corporates failing the Due Diligence test. But our laws (bound by concepts like site of crime, law of the land etc.) are woefully inadequate to handle international cyber crime. There is an urgent need to have a common law for handling crime on the Internet, and an infrastructure to ensure implementation of that law. Some time ago, there was some effort to have a common law for handling Human Rights violations, with an international court of justice (which to my knowledge did not take off), due to differences amongst countries and cultures on what constitutes a violation, and also due to political compulsions. Something similar needs to be worked out. To give a simple example, wire fraud is not an offence in many countries, pornography is not the same in many countries, etc., i.e. we don't have a common taxonomy of cyber crime. We don't have the rules of the road I mentioned before. We can punish a CIO or CISO or a CEO for loss of data, but the thief can rarely be brought to justice (which is similar to punishing the police, but not the criminal).

With best wishes,

Commander MS Raghunath (Retd)

posted March 31, 2008

 

John O

AVP - Information Security Engineer - Incident Management/Security Monitoring Process Lead

I have worked with clients to respond to cybercrime and must admit, the current state of affairs is daunting. At a federal level, governments need to keep pursuing diplomacy to ensure extradition treaties and other agreements. These agreements can stop cybercriminals from developing havens in countries with poor relations with the countries of the potential victims. The more uniform and international the code, the more victims will be protected. Additionally, this should be set up so that there are incentives for “haven” countries to participate in these treaties. While I am not a political scholar, this avenue needs to be addressed, as more crimes are being committed from countries where local and federal law enforcement in countries such as the United States just “give up” due to the low chance of capturing the criminal.

At a corporate level, there needs to be open and ongoing communication with law enforcement. There has been a sort of reluctance to get law enforcement involved for fear of public relations nightmares. While there may be bad apples in local and federal law enforcement agencies, I have not encountered them. That being said, the best time to develop relationships with law enforcement is prior to an incident actually happening. Give your local law enforcement a call; see if there is anything your company can do to help law enforcement should an incident occur. Work to develop, test, and update your incident response policy to include these communications with law enforcement.

There are many more things that should be done at both corporate and law enforcement levels, and many have been outlined in answers previous to mine. I do want to recommend that all companies have a strong incident response/management policy and make sure it is tested and updated regularly. Try to avoid thinking of incident response as the reactive “response” and focus on the proactive “management”. This will help get the mindset correct within an organization and help to reduce losses and the time needed to resolve incidents in the future.

posted April 1, 2008

 

Bill S

Sales & Marketing Professional

You can take the word cyber out of the sentence and virtually have the same answer.

Corporate and federal authorities have long worked to slow down the threat of traditional crime, and the nightly news continues to remind us of their limited success. Part of the problem is that crime prevention is usually way behind the curve, in that we don't develop a way to prevent a crime until it has reared its ugly head.

Much like traditional crime, Cybercrime is being pursued by the authorities at an acceptable pace. The real "slow down" in Cybercrime will be noticeable when Cyberusers start using the information that has been given to them. Criminals will go for the easy prey every time. The trick is to not give them the opportunity.

posted April 1, 2008

 

Chris G

Owner at Tea-Guy.com

It's not regulation which is needed here. It's education and a push for a loosening on the use of encryption in the public sector.

The NSA prohibits the use of strong encryption. This unfortunately prevents people, corporations and organizations from properly protecting their data.

RSA encryption just isn't strong enough anymore for a skilled hacker to deal with.

Most cyber crime occurs due to offline activities. A server at a restaurant copies your card number... or you fall victim to an online scam (419 scams from Nigeria come to mind here). In these cases it's best to provide and earnestly push public education initiatives.

It is, however, unnecessary to regulate or legislate such issues, and such regulation or legislation will not do anything to help the issues at hand and will instead simply create frivolous laws.

===

The government at a Federal level, of course, is already doing things to assist in these areas. Those who fall victim to online scams perpetrated from an international point can contact the State Department regarding this issue. The US State Department has many resources at hand... including putting pressure on the nation the perpetrating individual is believed to be from. There are also numerous programs granting tens of millions of dollars in compensation to the tens of thousands of individuals who bother to report having fallen victim to these kinds of crimes. Most do not bother to report their victimization though... largely because they find it embarrassing.

It is education... not legislation, which will win the war on cyber crime.

posted April 1, 2008

 

Joe M

Owner at Mercer Services

I have been burned by cybercrime. Luckily, the dollar amount could have been higher had I not logged in to my bank account one morning and noticed some suspect transactions, and with one of the companies' 72-hour policy some of it was caught. Not sure how things progressed on the companies' end. I wasn't happy about the bank's approach, even though they did understand some of the transactions took place outside the United States and some were suspect just looking at them.

I'd like to see more laws, policies and procedures put in place by Financial Institutions to protect consumers from these types of crimes. Corporate America also needs to take a better stand on CyberCrimes and not just leave it up to the Federal Government. Protect your assets, your company and most of all your customers.

posted April 1, 2008

 

Rob F

President, The Lorenzi Group LLC

Cybercrime is nothing more than crime; let's not glamorize it. Whether they realize it or not, everyone is a victim of this type of crime. Increased prices, tighter regulations, more inconveniences are all effects of crime, regardless of where it occurs.

The easiest, and most expedient, way to mitigate crimes online is to increase network traffic monitoring. ISPs should be issuing consumers robust firewalls; businesses should be monitoring every packet in and out. There are still businesses using the internet without proper firewall technology, let alone diligently monitoring their networks.

Additional rules and regulations from governments will only allow hackers new loopholes to exploit and reduce the speed of innovation. Industry, as a whole, needs to take control of it and stop it. No longer is data security the "invisible elephant" in the room, when every week news media lists companies that have lost data. Gone are the days when big business was the only group affected, today hackers will go after a local gas station, most likely with less difficulty, as quickly as they target big box retailers. With the web, self governance can work. No party, be they consumer or business, is going to buy from an organization that loses personal or financial data.

posted April 1, 2008

 

Rona R

Information Technology and Services Consultant and Professional

To stop cyber-crimes the Feds have to organize an independent squad, to which you, as a user, can send your complaint about being hacked. The squad will analyze the situation and, in case "the hacking" complies with the criteria of a cyber crime, it has the authority to shut down the IP Provider. This will make IP providers more responsible and they will start controlling the "bad guys". Then IP providers will organize a squad, which will shut down the access of "Bad guys". There must be at least one case of that happening, which should be widely publicised so that the whole internet community knows: Now somebody is really taking care of cyber-crime security!

posted April 1, 2008

 

Babu M

Development Architect at Cox Communications

From my understanding,

From the end-user perspective, they should have a better understanding of what exactly they are dealing with: not a whole lot of deep understanding of the operating system or other items involved in their regular computer operation, but a general idea of what a computer virus, Trojans, spyware and malware are, and how a computer becomes a zombie system in a botnet. I think most of the FBI's cyber counter-terrorism work is about what happens once the threat has occurred rather than being preemptive. They should reach out with a community-college-level campaign so that people will understand and act accordingly.

From the corporation perspective, there is an information security group which deals with the threats and awareness, but maybe their policy and procedure will not work inside the corporate politics: when it comes to delivering the product so the company makes money now, versus acting like a good citizen and developing the product while complying with the security team, which takes longer and costs more money, time and effort, I think the first wins.

From the Government side, a stricter rule should be put in place to restrict the marketing companies doing data mining work to reach out to people and offer products and services to increase their revenue. In one way the whole scenario helps a capitalist country, but who is handling the data, and how the data is moving around different hands and different systems, is what needs to be restricted.

Issues like still getting marketing calls once you have put your number on the do-not-call list look to me like the Senate and Congress have a long history of laying down rules and policy which create another big wave of issues.

Several companies these days have access to people's public records: your court records, your credit card records, your driving and accident information, your employment records, your medical records, your rental records, your house payment and default records, etc. These are publicly available and in most cases accessed by other individuals through the offering company; what policy applies and how these companies exist, no one knows.

Most of the rules and policy currently laid down in this country by the Senate and Congress are not proactive detection; they are reactive. The reason is a lack of insight on the issue (for the person himself), relying heavily on outside lobbyists, assuming they are the subject matter experts.

From the technological standpoint, companies like Cisco, Foundry and others dealing with the core operation of the internet should make their products more intelligent, with concepts like threat detection and threat isolation. Companies specifically dealing with the security area, like Symantec, McAfee and others, need to combine knowledge and resources to fight against the issue.

The bottom line is, there are too many moving parts; this topic becomes very lengthy and I could keep writing another 100 pages, so there has to be a collective contribution from all sides to make it work.

1. Better educate the end users.
2. Have a strict rule on the companies which handle public data and make it available to others for money (there are dozens of them on the internet right now), either for marketing purposes or some sort of analysis purpose.
3. Administration like the Senate and Congress needs to pass a small number of rules with a small number of loopholes; normally it works the opposite way.
4. Enforcement agencies like the FBI, DHS and other local teams need to have much more awareness of the issue, and maybe they need to build data mining on the companies and individuals to make sure how things may go wrong based on past patterns; they have to be more proactive.

posted April 1, 2008

 

Chris B

Senior eDiscovery, Instructional Design & Social Networking Expert

Your company clearly needs an eDiscovery plan and a thorough security analysis. If you need help, contact me at cbressi@aspect-consulting.com

posted April 1, 2008

 

David S

Associate CIO for Cybersecurity & Chief Information Security Officer, U.S. Internal Revenue Service

I found it interesting that in all of the previous answers not one person mentioned the idea of teaching secure software coding/programming to the next generation of computer scientists and engineers. I recently participated in ITAA's annual CIO survey, and this was a top priority for the majority of CIOs I interviewed (Information Assurance in general was the absolute top priority for Federal CIOs).

I think that we spend too much time on searching for a technology panacea (if you just buy this box or this software package your security worries will go away...) or on trying to regulate the issue to death. More regulation never worked on Microsoft, but market clamor for more security certainly lit a fire under their developers, and they are taking security very seriously now.

My two IA cents,

David

posted April 1, 2008

 

Chris M

President/CEO at The Jeris Group

Identity and privacy breaches happen when privacy data, such as personally identifiable information (PII), personal credit information (PCI), and personal health information (PHI), are not properly protected. There are various ways these breaches happen, including hackers, malicious insiders and negligent employees, or lost/stolen laptops and backup tapes.

For most organizations, a critical problem is protecting Social Security Numbers (SSNs). Legally, the use of SSNs is mandatory for state and federal reporting; however, often nongovernment organizations have used SSNs to identify persons within their own enterprises, causing a proliferation of SSN usage.

The Oracle Data Privacy Shield package includes solution components required for solving the SSN proliferation problem such that SSNs are encrypted and maintained in a centralized and secured registry where each SSN is assigned to an Alternative ID. Applications access the Alternative ID instead of the SSN. For business processes that require access to SSNs, this solution provides secure Web services and special SOA integrations for replacing the Alternative IDs with the real SSNs, with full auditing. An SSN registry application, Web services and a person match process are provided to allow authorized users and processes to update the central registry with new SSN data.

This solution greatly reduces the risk of SSN exposure to non-authorized users and systems (it can also be utilized for Credit Information or Health Information security). Because SSNs are controlled in one location, an institution can better protect them.

This solution complements any identity management and networking security for a more complete defense-in-depth strategy.

posted April 1, 2008
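As an added illustration of the centralized-registry pattern this answer describes (not code from Oracle's product or from anyone in this thread), here is a small Python SSN registry: applications receive an opaque Alternative ID, the SSN is stored encrypted and matched on resubmission through a keyed blind index, and every resolution back to the real SSN is authorization-checked and audited. The stdlib-only HMAC keystream cipher, the principal names and the sample SSN are constructed stand-ins; a real deployment would use AES-GCM from a proper library.

```python
"""Minimal SSN tokenization registry (constructed example).

Applications store only an opaque Alternative ID; the real SSN lives encrypted
in one central registry, and every mapping back to the SSN is authorized and
written to an audit log.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher so the demo runs with the standard library alone: an
    HMAC-SHA256 keystream in counter mode, XORed over the data. Encrypt and
    decrypt are the same operation. A production registry would use AES-GCM;
    nothing else in the registry depends on which cipher is plugged in here."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class SsnRegistry:
    enc_key: bytes                      # key for the ciphertext at rest
    index_key: bytes                    # separate key for the blind index
    by_alt_id: dict = field(default_factory=dict)       # alt_id -> (nonce, ciphertext)
    by_blind_index: dict = field(default_factory=dict)  # HMAC(ssn) -> alt_id
    authorized: set = field(default_factory=set)        # principals allowed to resolve
    audit_log: list = field(default_factory=list)

    def blind_index(self, ssn: str) -> str:
        # Keyed hash: lets the registry recognise a re-submitted SSN (the
        # "person match" step) without storing or comparing plaintext.
        return hmac.new(self.index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def register(self, ssn: str, actor: str) -> str:
        """Return the existing Alternative ID for a known SSN, otherwise encrypt
        the SSN and mint a new random ID that carries no information about it."""
        ssn = ssn.replace("-", "")
        if len(ssn) != 9 or not ssn.isdigit():
            raise ValueError("SSN must be nine digits")
        idx = self.blind_index(ssn)
        alt_id = self.by_blind_index.get(idx)
        if alt_id is None:
            alt_id = "ALT-" + secrets.token_hex(8)
            nonce = secrets.token_bytes(16)
            self.by_alt_id[alt_id] = (nonce, keystream_xor(self.enc_key, nonce, ssn.encode()))
            self.by_blind_index[idx] = alt_id
        self.audit_log.append(("register", actor, alt_id))
        return alt_id

    def resolve(self, alt_id: str, actor: str, purpose: str) -> str:
        """The one audited path from an Alternative ID back to the real SSN,
        for business processes (tax reporting, etc.) that genuinely need it."""
        if actor not in self.authorized:
            self.audit_log.append(("resolve_denied", actor, alt_id, purpose))
            raise PermissionError(f"{actor} is not authorized to resolve SSNs")
        nonce, ciphertext = self.by_alt_id[alt_id]
        self.audit_log.append(("resolve", actor, alt_id, purpose))
        return keystream_xor(self.enc_key, nonce, ciphertext).decode()


def demo() -> dict:
    """Constructed walk-through: an HR app registers the same SSN twice in two
    formats, payroll resolves it, and a marketing app is refused."""
    reg = SsnRegistry(enc_key=secrets.token_bytes(32), index_key=secrets.token_bytes(32))
    reg.authorized.add("payroll-svc")
    first = reg.register("123-45-6789", actor="hr-app")    # constructed sample SSN
    second = reg.register("123456789", actor="hr-app")     # same person, no dashes
    ssn = reg.resolve(first, actor="payroll-svc", purpose="W-2 filing")
    try:
        reg.resolve(first, actor="marketing-app", purpose="campaign")
        denied = False
    except PermissionError:
        denied = True
    return {
        "same_alt_id": first == second,
        "alt_id_ok": first.startswith("ALT-") and len(first) == 20,
        "ssn": ssn,
        "denied": denied,
        "audit_events": len(reg.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```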

 

Joshua D

Project Manager at EMC Corp

Utilizing online consumer activists is an underutilized tool to combat cybercrime.

My experience:
I've spent a number of years volunteering for online anti-fraud groups. The groups I have worked with have specifically targeted online investment fraud. Contrary to popular belief, some online consumer-advocacy groups are not run by vigilantes, but rather common consumers who have a desire to expose fraud and protect other consumers.

How it works:
Investigations are initially handled by the group to ensure that there is an actual fraudulent activity occurring, and that there is a significant victim-base. Once this is established, the group will organize the victims, providing them resources such as complaint letter templates and a list of appropriate authorities to report the activity to.

An example:
I've been directly involved with investigations of fraudulent enterprises at many levels, and I've experienced the frustration of dealing with government authorities such as the FBI, the SEC, and the Attorney General's office. These agencies do not recognize the resource that is available to them. For example, in a recent investigation a multi-billion dollar Ponzi scheme was brought to our attention. Hundreds of victims were organized, written complaints registered, and vast amounts of incriminating evidence collected (e.g. promotional videos, income evaluations, victim statements). To this date, no known government action has been taken against the purveyors of the business. Furthermore, little more than a form letter from one government agency was received.

Room for improvement:
There are many online organizations that work in a similar fashion. If the government were to make an effort to identify those organizations that are credible, they will have tapped into a very powerful grass-roots level of knowledge about fraudulent online activities. The government needs not empower these groups in any way other than providing #1: an avenue to report criminal activity, #2: an open, direct line of communication.

posted April 1, 2008

 

Justin L

Director, Business Development at GAP Solutions, Inc.

Business Process Management has been an option for some Federal Agencies. Gaining control of your processes and Enterprise Architecture will limit incursions and aid in planning a strong infrastructure.

posted April 1, 2008

 

Joe H

Computer education

Yes, my wife and I were burned by stolen identity. It was awful and I cannot tell you how vulnerable we felt. That being said, I did have to hand it to the Federal government for covering our losses. I think stiffer penalties for corporations and individuals who do not have authorization and authentication to possess card numbers, IDs, and other data - regardless of intent - would help slow down the threat. Unfortunately, I do not think this problem is going away anytime soon. Good luck with the book.

posted April 1, 2008

 

Mohan B

Chief Architect BPM, SOA and On Demand Transformation

An unprecedented level of international cooperation is required to face cyber crime. New laws have to be passed in every country and new international regulations have to be stipulated to promote zero tolerance towards cyber crime, whether it is perpetrated by individuals, organized groups or legally operating business entities.

Corporations can help by providing multiple layers of security for their customer data and enforcing strong data governance measures across the enterprise.

Governmental bodies can help by closely scrutinizing the existing regulations to identify any loopholes with respect to data security. They can also help pass new laws that protect the privacy of their citizens.

Social welfare NGOs and consumer advocacy groups can help by educating the public about these threats and constantly proposing counter measures: the way to outsmart a hacker is to think like a hacker. They can also help by supporting international bodies like the OECD's WPISP, which stress international cooperation to fight cyber crime.

posted April 1, 2008

 

Brett A S

President/CEO/Chairman/Security Architect/Community Leader/IT Security Attaché at ~TITSSN~

Greetings Mr. Swartz,

A great question and a simple answer: industry-wide awareness, policies and education.

IT Security is the same no matter what size of organization or vertical you're in, or whether you're a home user; the IT Security threat landscape is such that we need this level of standard and understanding across the board for this to be effective.

Once we have created this culture and understanding, people will adhere to it, as it will allow better understanding and acceptance of the implications and impacts. If you break the rules by not practicing the needed security policies and rules, then you know what the consequences will be right off the bat.

This is the very concept of our Business to Business IT Security Network: building a mutual working relationship and understanding between businesses. Our National IT Security Public Awareness Program enhances this awareness and education in such a way that people say, "We didn't think of it this way, nor did we realize the real impact and effects this presents." There isn't enough focus and attention given to these security issues from a general population standpoint, and that's our downfall. We took this even further by integrating IT Security specific training, certification and awareness into the educational system. It is a vision we hope will come to fruition soon, as our young minds need to be taught about these issues and their impacts at a young age so they can stop playing around with kits that are used to create nefarious threats/risks and instead use their talent and skills to help protect and defend our infrastructure.

We've been too naïve about the ways in which IT Security affects our infrastructure (people, technology, work, life), and in talking with people on a day to day basis I can't help but cringe at how vague the mindset is towards it.

TITSSN strongly believes that until we converge on the IT Security issues across the industry in general, we'll never be able to keep ahead of the game because our vulnerabilities will be our partners, associates and those we "trust".

IT Security is NOT an industry problem, it is a people problem.

Thank you for the great question.

~Brett A. Scudder~
President/Chairman
~TITSSN~

posted April 1, 2008

 

Lisa D S

at Freelance Writer

Yes, I have been a victim of cybercrime at the federal website for job seekers, www.usajobs.gov. My job application file, along with those of other applicants, was compromised, and it was unsettling to learn of this in August 2007. I do want the criminals located and prosecuted, as it held personal information on all our details. What exactly can be done? I would suggest hiring a cyber monitor for sites such as this to detach links that are questionable and watch cyber activity.

posted April 1, 2008

 

John F

Solution Provider: Securing Employee Work Place

It should be the #1 issue. Way too many people take this process for granted, or, better, have a short memory span when implementing a security process.

Fixing the barn door AFTER the horse is gone is too late. Unfortunately, some people need to be hit with a bat or in this case burned.

posted April 1, 2008

 

Don H

VP Business Development and Recruitment

Real simple, quit using Social Security numbers as a primary identification tool.

posted April 1, 2008

 

Martin C

Sr. Quality Manager at BASF Fuel Cell

Hi Jon,

Yes, I had several thousand dollars taken from my Credit Union account through an ATM in Romania, even though I've never been to Romania. Just like clockwork, so much in the morning and so much in the evening, to keep it from being flagged, over a period of two weeks.

Thank God I used a Credit Union! I had my money back in three days.

Unless all governments around the world enforce action against cybercrime, we're all S.O.L.

Regards,
Martin

posted April 1, 2008

 

Randall N

Available for Freelance Projects

I have been the victim of Internet-based fraudulent use of a Visa/MC number three times in the past year; it was a different number each time. Each time I was impressed with the quickness with which both the bank and the vendor responded to the problem. It seems it is still too easy for criminals to invent a number and try to find a web business that will accept it; in all three cases I was told that whoever did the theft just made the number up at random.

posted April 1, 2008

 

Kaushal V

Technical Marketing - Cisco (Central Marketing Organization)

We cannot count on authorities and government. We should be responsible for our actions. Whenever an identity is stolen it is due to the carelessness of the victim. Everyone should understand that WWW means "Wild-Wild-Web". Be careful when you hit the "submit", "send" or "register" button on any website. There are free tools to remind you of such potential risks in the web resources cited with the answer. Take care.

posted April 1, 2008

 

Clay Schulenburg S

Sr. Interactive Marketing Manager, SEM, PPC, SMM

I was phished back in 2002. I lost an eBay account and an email account. It was extremely frustrating.

I had a very hard time convincing eBay and Yahoo, over email (there never seems to be an 800 number for the big sites?), that I was a victim and needed help.

It's difficult to resolve this type of crime, because when you're explaining what happened, you begin to sound like a scam too.

I was able to get help from eBay, but I never recovered my Yahoo account, which is sad, because it was my first one from back in the 90s!

posted April 1, 2008
