CISSP, Events

ASIS NYC – 4/25/12

12 February 2012

Trends in Financial Cyber Crimes
Wednesday, April 25, 2012 9:00 AM – 10:00 AM
This interactive and lively discussion presents an overview of the US laws and industry standards that govern data protection (HIPAA, Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), credit-card compliance under PCI DSS (formerly Visa's CISP), and the growing number of US state data-breach notification laws), and traces the history of information security regulation and identity theft.

accountants, attorneys, CFO/CSO/CPO, CISSP, Events

Nov 8 2011 – ISC2 Brighttalk – Dealing With Risk and Vulnerabilities in the Enterprise

24 October 2011

Cloud Privacy Concerns – Over sharing and Over Collecting

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this presentation we’ll explore strategies for managing the risks associated with:

  • Job loss, revenue loss
  • Data Loss Prevention
  • Brand Protection
  • Privacy Erosion
  • Malware Protection

We’ll examine the basic law that governs ALL internet activity in the US.
We’ll further delve into KEY FTC decisions that impact online activity.
Using case studies from the US and around the world, we’ll examine how people have lost jobs, college degrees, fortunes and freedom through social media.
We’ll investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations.
And finally, we’ll review success stories from the past 300 years, where lone individuals and committed groups have improved security, society and human life spans.

3 CPEs will be offered.

Register at: https://isc2.brighttalk.com/node/914


CISSP, Events

ISC2 SecureBoston Oct 19, 2011

28 September 2011

Oct 19, 2011 – Full Day ISC2 Local Event

Oversharing: Managing Risk in the Social Age
Co-presented by Raj Goel and Brandon Dunlap

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:

  •  Data Loss Prevention
  •  Brand Protection
  •  Privacy Erosion
  •  Malware Protection

We’ll also outline the cultural effects of Social Media on the enterprise as Generation Y, the Millennials, begin entering the workplace with expectations of open sharing. Many of the tools to protect our organizations and users are already deployed and in use. Join us as we share techniques from our peers for making the best use of past investments to mitigate these risks.


Download the file here:

2011-10-19-RajGoel-ISC2-Secure_Boston_Cloud_Computing_Oversharing_OverCollecting.pdf


CISSP, Webinars

Streamlining and Ensuring Continuous Compliance

13 July 2011

http://www.brighttalk.com/webcast/5385/22557

CISSP, Webinars

New HIPAA Rules and EHRs: ARRA & Breach Notification

12 July 2011

http://www.brighttalk.com/webcast/586/4565

CISSP, Webinars

Watching the Watchers

12 July 2011

http://www.brighttalk.com/webcast/5385/22564

CISSP, Webinars

Regulatory Compliance While Reducing Enterprise Risk

12 July 2011

http://www.brighttalk.com/webcast/5385/22554

CISSP, Webinars

Old Threats, New Vectors: The Evolution of Malware

12 July 2011

http://www.brighttalk.com/community/it-security/webcast/5385/25947

CFO/CSO/CPO, CISSP

ISC2 – Privacy and Security Challenges With Cloud Computing for CISSPs

12 July 2011

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA. More than that, they have become household verbs.

The move of individual consumers and entire corporations to Social Media and the cloud has had a resounding impact on how our profession manages enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:


CFO/CSO/CPO, CISSP

ISC2 – Protecting Consumer Privacy – Do’s, Don’ts and Reality Checks

12 July 2011

In this highly interactive session, you’ll learn about threats to YOUR customer’s privacy.
•    Googling Your Corporate Privacy Away – Tools and practices your users are already using that will compromise their privacy.
•    Trends in Regulations – Rules and regulations you need to know to stay current.
•    Trends in Financial Crimes – New crimes, old crimes with new tools and why your company is so attractive to attackers.
•    Effective Multicompliance – Tips, techniques and lessons learned in staying compliant, while increasing profits and maintaining your sanity.

This full-day presentation was presented at SecureCharlotte2010 and SecureCleveland2011.

accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations

Lessons Learned From The FTC (Federal Trade Commission)

12 July 2011

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches.  This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.


accountants, attorneys, CISSP, Presentations

HIPAA, HITECH, Privacy Breach Laws – What EVERY Hospital Privacy & Compliance team needs to know.

12 July 2011

This presentation covers:

- Overview of HIPAA, HITECH & NYS Privacy Breach Laws

- Trends in litigation – who’s been sued, who’s suing, what YOU need to know to protect your organization

- Trends in Compliance – Your Risk Analysis says you need to fix 100 things — we’ll help you determine what’s really important, what your peer organizations are doing and what the regulators are looking at.

- Success Stories – We’ll share with you the secrets to SUCCESSFUL compliance from organizations around the country


accountants, attorneys, CISSP

PCI Compliance is an expensive, moving target.

12 July 2011

Many firms have chosen to become PCI compliant; others are content to sit on the sidelines and hope they won’t get caught.
Countless other firms have invested in PCI compliance efforts only to fall short, or have suffered significant breaches while assessed as PCI compliant.


accountants, attorneys, CISSP, Presentations

Privacy and Security Challenges With Cloud Computing for Attorneys, Accountants and Business Owners

12 July 2011

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA. More than that, they have become household verbs.


accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations

Trends In Financial (cyber) Crimes for Attorneys, Accountants and Business Owners

12 July 2011

This presentation discusses trends in financial crimes, and the role of technology in adding a new twist to old crimes.

The information explosion has led to exponential growth in information security breaches. A breach occurs when private information, such as Social Security numbers or credit/debit card numbers, is acquired or disclosed without authorization. These data breaches lead to financial crimes and identity theft.


accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

InfoSecurity Issue 7 – Trends In Financial Crimes

01 February 2011

Raj Goel, CISSP
CTO, Brainlink International, Inc.
raj@brainlink.com
917-685-7731

Raj’s LinkedIn profile

This article appeared in InfoSecurity Magazine Issue 7

2009-09-ISC2_InfoSecurityMagazine_RajGoel-Trends_In_Financiall_Crimes_pg16.jpg

accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

InfoSecurity Issue 6 — DATA LEAK: Googling AWAY your Security and Privacy

15 January 2011

Raj Goel, CISSP
CTO, Brainlink International, Inc.
raj@brainlink.com
917-685-7731

Raj’s LinkedIn profile

This article appeared in InfoSecurity Magazine Issue 6

2009-06-ISC2_InfoSecurityMagazine_RajGoel-Googling_Privacy_Away_pg1.jpg

2009-06-ISC2_InfoSecurityMagazine_RajGoel-Googling_Privacy_Away_pg2.jpg

PDF Article

It’s no secret that Google retains search data and metadata regarding searches—in fact, it’s quite open about doing so. What’s unsure, though, is the long-term threat to information security and privacy. Let’s review Google’s elements.

Google Search: This search engine is gathering many types of information about online activities. Its future products will include data gathering and targeting as a primary business goal. All of Google’s properties— including Google Search, Gmail, Orkut and Google Desktop—set deeply linked cookies that will expire in 2038. Each of these cookies carries a globally unique identifier (GUID), and Google records your search queries against that identifier every time you search the Web. Google does not delete the information recorded against these cookies. Therefore, given a list of search terms, Google can produce a list of the people who searched for those terms, identified either by IP address or by Google cookie value. Conversely, given an IP address or Google cookie value, Google can produce a list of the terms searched for by the user of that address or cookie.

Orkut: Google’s social-networking site contains confidential information such as name, email address, phone number, age, postal address, relationship status, number of children, religion and hobbies. Under its terms of service, submitting, posting or displaying any information on or through the Orkut.com service automatically grants Orkut a worldwide, nonexclusive, sublicensable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, and publicly perform and display that data.

Gmail: The primary risk in using Gmail is that most users consent to Gmail being more than an email-delivery service and enable features such as search, storage and shopping. Correlating search history with mail creates privacy risks of its own, and hosted mail carries a legal one: under the Electronic Communications Privacy Act, email held on a third-party server for more than 180 days loses the warrant-level protection that newer messages receive and can be obtained with a subpoena.

Gmail Mobile: Mobile phones are increasingly being sold with Gmail built in, and if not, it can be downloaded. The questions to ask: How uniquely does your mobile phone identify you as the user, and when was the last time you changed your phone and your identifiers?

Gmail Patents: Google’s patent application 20040059712, “Serving advertisements using information associated with email,” describes building profiles from a variety of information derived from email: senders, recipients, address books, subject-line text, path names of attachments and so on.

Google Desktop: Google Desktop allows users to search their desktops using a Google-like interface. All word-based documents, spreadsheets, emails and images on a computer are instantly searchable. Index information is stored on the local computer. Google Desktop 3 allows users to search across multiple computers. GD3 stores index and copies of files on Google’s servers for nearly a month.

Chrome: Chrome is Google’s browser. It’s available for download today and will eventually be installed on new PCs. Some of the risks it poses include:

  • Every URL visited gets logged by Google
  • Every word, partial word or phrase typed into the location bar gets logged by Google, even if you never press the Enter/Return key
  • Chrome sends your Google cookie along with every automatic search the location bar performs

Android: Android is Google’s operating system for cell phones. It retains information about dialed phone numbers, received phone-call numbers, Web searches, emails and geographic locations at which the phone was used.

Google Health: This product allows consumers— such as employees, coworkers and customers—to store their health records with Google. Recently, CVS Caremark, along with Walgreens and Longs Drugs in the United States, agreed to allow Google Health users to import their pharmacy records.

Organizational Threats

Uninstalling these products or using competitive tools can mitigate many of these threats. But what about the dangers to your organization? One example is Google Search with its Google Flu Trends (www.google.org/flutrends).

Google has correlated flu data from the U.S. Centers for Disease Control (CDC) from 2003 to the present with its own search data. Spikes in users’ searches about flu treatments correlated tightly with the CDC data. Flu Trends has demonstrated Google’s ability to analyze search data for a specific term or set of terms. And it can retain this data and where it came from because Google in its privacy policies states that it records IP addresses.

So, what’s to stop Google from analyzing all search data from your organization’s networks? What’s the difference between analyzing flu trends and “Top 100 search terms from XYZ Corp.”? Or what if a company were to correlate regional threats from swine flu with search data from Google Health/prescription data, and then analyze the health of its employees and detect long-term effects?
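The two correlations the article describes, term-to-searcher and searcher-to-terms keyed on a persistent cookie GUID, and the per-organization aggregation by source network raised in the Flu Trends discussion, all fall out of the same log once it is indexed. The following is an added illustration, not code from the original article or from Google: the log format, field names, GUIDs, IP addresses and the corporate address block are constructed for the example. It shows why a long-lived pseudonymous identifier is not anonymous: one identifying query made from home labels every other query the same cookie made from the office.

```python
"""Search-log correlation as the article describes it: term -> identifiers,
identifier -> queries, and per-organization aggregation by source network.

Added illustration, not code from the original article or from Google. The log
format, field names, GUIDs, IP addresses and the corporate address block are
all constructed for this example.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: "timestamp client_ip cookie_guid query". The cookie GUID is
# the long-lived identifier the article describes; it follows the user across
# networks, so a single identifying query ties every other line to a person.
SAMPLE_LOG = """\
2009-03-02T09:01:00 203.0.113.10 a1b2c3d4 tamiflu dosage
2009-03-02T09:02:00 203.0.113.10 a1b2c3d4 flu symptoms
2009-03-02T09:05:00 203.0.113.11 9f8e7d6c quarterly budget template
2009-03-02T09:07:00 203.0.113.12 5555aaaa flu symptoms
2009-03-02T20:30:00 198.51.100.7 a1b2c3d4 jane doe xyz corp linkedin
2009-03-03T08:15:00 203.0.113.10 a1b2c3d4 oncologist near midtown
2009-03-03T11:00:00 192.0.2.44 00001111 flu symptoms
"""


def parse_log(text):
    """Split each line into timestamp, ip, guid and query; skip blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, guid, query = line.split(" ", 3)
        entries.append({"ts": ts, "ip": ip, "guid": guid, "query": query.lower()})
    return entries


def ids_for_term(entries, term):
    """Who searched for this term: the first direction the article describes."""
    term = term.lower()
    return sorted({e["guid"] for e in entries if term in e["query"]})


def queries_for_id(entries, guid):
    """What one identifier searched for, in time order: the second direction."""
    ordered = sorted(entries, key=lambda e: e["ts"])
    return [e["query"] for e in ordered if e["guid"] == guid]


def ips_for_id(entries, guid):
    """Networks an identifier was seen from. A home IP beside an office IP is
    what lets a vanity search made at home label the queries made at work."""
    return sorted({e["ip"] for e in entries if e["guid"] == guid})


def org_top_terms(entries, cidr, n=5):
    """'Top N search terms from XYZ Corp': aggregate by source network, which
    needs nothing beyond the IP addresses Google's policy says it records."""
    net = ip_network(cidr)
    counts = Counter(e["query"] for e in entries if ip_address(e["ip"]) in net)
    return counts.most_common(n)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("flu symptoms ->", ids_for_term(log, "flu symptoms"))
    print("a1b2c3d4 ->", queries_for_id(log, "a1b2c3d4"))
    print("a1b2c3d4 seen from", ips_for_id(log, "a1b2c3d4"))
    print("203.0.113.0/24 ->", org_top_terms(log, "203.0.113.0/24", 3))
```

Running it shows the cookie a1b2c3d4 appearing from both the office block and a home address, so the "jane doe xyz corp linkedin" query made at night names the person behind the health queries made at work; the per-network aggregation needs no cookies at all.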

Overall, the most critical threat is reliance on Gmail— whether the setting is universities, cities, companies or countries switching to Gmail en masse, or the newest employees in the organization using Gmail as their primary or sole email platform. Questions to ask your security team: How big is the organization’s email archive? How many years of emails are saved? If your organization switches its email hosting service to Google Gmail, what happens to the privacy and confidentiality clauses in your employee and customer contracts?

Another area of concern for hosted email is the potential of having to turn that data over to the government. Google, Yahoo and Microsoft have a history of complying with the United States’ and foreign governments’ requests for information. If such data is turned over, how much corporate security is being eroded?

Consider the amount of money and manpower dedicated to handling Microsoft Windows patches, viruses, spyware and botnet detection. Imagine the impact that reliance on Google products could have on corporate privacy and security.


Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in New York and can be reached at raj@brainlink.com.

accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

Defensive Plays Help Keep Information Safe

12 August 2009

Aug 12, 2009
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.

Q. What are some good security defense practices?

A. In the last column, we talked about creating an information security compliance program. Reminder: Information security is a lot like the common cold–statistically, everyone catches the cold. Some people avoid it for years, while others get it yearly, and every year a surprisingly large number of people die from untreated colds and seasonal flus. A breach or break-in is a question of when, not if. You will be broken into, you will get infected–the only questions are when it will happen and whether you’ll be able to deal with the infection. Now, let’s look at some good information security defense practices.

Good security consists of using several tools to do the job properly. Use a good spam firewall or service to keep junk out of your mail servers, desktops, et cetera. Use a good UTM (Unified Threat Management) appliance to automatically scan network traffic, both inbound and outbound, for malicious content. Block malicious traffic from entering your network, and investigate every PC, laptop, et cetera that originates garbage from inside your network. After all, you do not want the rest of your company’s email to be affected, or your Internet connection terminated because your network stands accused of spamming the Internet.
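The outbound half of that advice, finding the internal machines that are originating garbage before a blacklist does, is a simple check over firewall logs. The following is an added example, not code from the original column or from any UTM vendor: the log format, the 10.0.0.0/8 internal range, the single permitted mail relay and the sample lines are all constructed for illustration. It separates a policy violation (any host other than the relay speaking SMTP to the Internet) from the bulk fan-out pattern that gets a network's address space listed as a spam source.

```python
"""Egress check for the advice above: which internal hosts are originating
mail traffic that the network should not be sending?

Added example, not code from the original column or from any UTM vendor. The
log format, the 10.0.0.0/8 internal range, the relay address and the sample
lines are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed corporate address space
MAIL_RELAY = ip_address("10.0.0.25")       # assumed: the only host allowed to send mail out
SMTP_PORTS = {25, 465, 587}                # submission ports count as well as plain SMTP

# Constructed firewall log: "timestamp src_ip dst_ip proto dst_port action".
SAMPLE_LOG = """\
2009-08-12T10:00:01 10.0.0.25 198.51.100.10 tcp 25 allow
2009-08-12T10:00:02 10.0.0.25 203.0.113.20 tcp 25 allow
2009-08-12T10:00:03 10.0.5.17 198.51.100.11 tcp 25 allow
2009-08-12T10:00:03 10.0.5.17 198.51.100.12 tcp 25 allow
2009-08-12T10:00:04 10.0.5.17 203.0.113.21 tcp 25 allow
2009-08-12T10:00:04 10.0.5.17 203.0.113.22 tcp 25 allow
2009-08-12T10:00:05 10.0.5.17 192.0.2.30 tcp 25 allow
2009-08-12T10:00:05 10.0.5.17 192.0.2.31 tcp 587 allow
2009-08-12T10:00:06 10.0.5.17 192.0.2.80 tcp 443 allow
2009-08-12T10:00:07 10.0.7.3 198.51.100.10 tcp 25 allow
2009-08-12T10:00:08 203.0.113.5 10.0.0.25 tcp 25 allow
2009-08-12T10:00:09 10.0.7.3 10.0.0.25 tcp 25 allow
"""


def parse_log(text):
    """One dict per line; addresses are parsed so network membership tests work."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, action = line.split()
        entries.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                        "proto": proto, "port": int(port), "action": action})
    return entries


def outbound_smtp_by_host(entries):
    """Map each internal source to the set of external mail servers it contacted.
    Inbound flows and internal-to-internal traffic (clients using the relay) are
    excluded, so only real egress is counted."""
    seen = defaultdict(set)
    for e in entries:
        if e["proto"] != "tcp" or e["port"] not in SMTP_PORTS:
            continue
        if e["src"] in INTERNAL and e["dst"] not in INTERNAL:
            seen[str(e["src"])].add(str(e["dst"]))
    return dict(seen)


def smtp_policy_violations(entries):
    """Every internal host other than the relay that spoke SMTP to the Internet."""
    fanout = outbound_smtp_by_host(entries)
    return sorted(h for h in fanout if ip_address(h) != MAIL_RELAY)


def likely_spam_bots(entries, min_distinct=3):
    """Violators fanning out to many distinct mail servers, highest first:
    the pattern that gets an address block listed as a spam source."""
    fanout = outbound_smtp_by_host(entries)
    hits = [(h, len(fanout[h])) for h in smtp_policy_violations(entries)
            if len(fanout[h]) >= min_distinct]
    return sorted(hits, key=lambda hc: hc[1], reverse=True)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("policy violations:", smtp_policy_violations(log))
    print("likely spam bots:", likely_spam_bots(log))
```

On the sample, 10.0.7.3 is flagged as a policy violation with a single destination (a misconfigured client worth a helpdesk ticket), while 10.0.5.17 fans out to six mail servers in a few seconds and is the machine to pull off the network first. The relay's own traffic and the inbound connection to it are ignored.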

Use good, managed switches, firewalls and routers. Switches come in two varieties: managed and unmanaged. Unmanaged, or dumb, switches are what you get at your local megamart. They’re cheap and, like your first car, will do a decent job of moving traffic from one device to another. Managed, or smart, switches, on the other hand, are not usually sold at your local big-box retailer (they’re available online at PCMall.com, CDW.com, NewEgg.com and Amazon.com). They cost a bit more, but can give your network abilities you never knew you needed. Capabilities include VLANs (which split one physical switch into multiple, isolated virtual switches), traffic logging and traffic analysis.

And then there is anti-virus software. Most desktop-based anti-virus software is junk. According to av-comparatives.org, an independent lab that regularly tests all major anti-virus/anti-spyware tools, even the best tool has a 69 percent success rate. So even if you use the latest product and configure it properly, there’s a good chance almost a third (31 percent) of the malware could still get in. Thus you still need an AV/AS product, and we recommend using multiple tools simultaneously, or switching to Macs or Linux and ditching Windows completely.

Furthermore, it would be wise not to put all your eggs in one basket. For decades, the military has successfully used the concept of network isolation. Everyone has two or more workstations: one for general purposes (in the corporate sector these might include email, Web surfing and proposal writing) and one for sensitive purposes (such as financial planning, budgeting, accounting and R&D).

In the consumer space, we tend to use our PCs for everything from video games to solitaire to online banking to email and shopping. Imagine living in a one-room house that combines the kitchen, bathroom, bedroom, living room and dining room. Not very appetizing, is it? Now apply that to your PC or laptop: start separating higher-value or highly sensitive activities from general-purpose activities. PCs are cheap. Using a KVM switch (one keyboard, monitor and mouse shared between two PCs) or a virtual machine, you can give people access to classified resources without compromising security.

Finally, when and where possible, look at alternative operating systems and browsers. Replace Internet Explorer with Firefox or Opera. Disable or uninstall Outlook Express, and use Thunderbird or webmail for email. If you can, move more of your applications onto Web-enabled platforms (for instance, use an accounting system that can be managed through a secure Web browser, or move your application-submission process to online forms). Then you can really ditch Windows on the desktop and move toward Mac OS X or Linux desktops.

If you must use Windows (and yes, we live on Exchange, Outlook, QuickBooks, et cetera), then consider virtualizing it. There are huge benefits to a properly virtualized server and desktop farm. We’ve reduced help desk and desktop support costs by 50 to 90 percent by moving to VMs.

Remember: The best defense is defense in depth.

Rajesh Goel is chief technology officer at Brainlink International Inc. (or the Technologist), which assists companies in selecting and managing their mobile workforce, including PDAs, email integration and new mobile applications development appropriate for the real estate and commercial property markets. Send him your technology questions via Suzann.silverman@nielsen.com.

Articles, CISSP

Trends In Financial (cyber) Crimes

12 May 2009

Malicious attacks on databases and incidents of online and other tech-related thefts continue to evolve in number and manner– leaving both consumers and businesses scrambling to pay for the damage to their reputations and bottom lines.


accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

Are you Googling your Clients’ privacy away?

12 March 2009

Most of us use Google on a daily basis to conduct searches and/or research for personal and professional needs.

This article and presentation focus on Google’s services, tools and privacy policies, and on how they can compromise or even breach attorney-client, doctor-patient and agent-client confidentiality.

Audience:
Attorneys, Insurance Agents, Real Estate Agents, Banking, Consultants, Investment Professionals and anyone who uses Google.



© 2012 Raj Goel, CISSP.