The Nassau County Bar Attorneys Accountants Committee has asked me to present on selected Cyber-Security topics.
When: Feb 27, 2012
Where: Nassau County Bar Association
URL: https://www.nassaubar.org/Calendars/other_meetings.aspx
accountants, attorneys, Events, Presentations
Cloud Privacy Concerns – Over sharing and Over Collecting
Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this presentation we’ll explore strategies for managing the risks associated with:
- We’ll examine the basic law that governs ALL internet activity in the US.
- We’ll further delve into KEY FTC decisions that impact online activity.
- Using case studies from the US and around the world, we’ll examine how people have lost jobs, college degrees, fortunes and freedom through social media.
- We’ll investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations.
- And finally, we’ll review success stories from the past 300 years, where lone individuals and committed groups have improved security, society and human life spans.
3 CPEs will be offered.
Register at: https://isc2.brighttalk.com/node/914
accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations
The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches. This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.
accountants, attorneys, CISSP, Presentations
This presentation covers:
- Overview of HIPAA, HITECH & NYS Privacy Breach Laws
- Trends in litigation – who’s been sued, who’s suing, what YOU need to know to protect your organization
- Trends in Compliance – Your Risk Analysis says you need to fix 100 things — we’ll help you determine what’s really important, what your peer organizations are doing and what the regulators are looking at.
- Success Stories – We’ll share with you the secrets to SUCCESSFUL compliance from organizations around the country
Many firms have chosen to become PCI compliant; others are content to sit on the sidelines and hope they won’t get caught.
Countless other firms have engaged in PCI compliance efforts, only to fall short and suffer significant breaches while nominally PCI compliant.
accountants, attorneys, CISSP, Presentations
Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA. More than that, they have become household verbs.
accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations
This presentation discusses trends in financial crimes, and the role of technology in adding a new twist to old crimes.
The information explosion has led to exponential growth in information security breaches. An information security breach occurs when there is unauthorized acquisition and disclosure of private information, including Social Security numbers or credit/debit card numbers. These data breaches lead to financial crimes and identity theft.
accountants, Articles, attorneys, CFO/CSO/CPO, CISSP
Raj Goel, CISSP, CTO, Brainlink International, Inc. raj@brainlink.com 917-685-7731
It’s no secret that Google retains search data and metadata regarding searches; in fact, it’s quite open about doing so. What’s uncertain, though, is the long-term threat to information security and privacy. Let’s review Google’s elements.
Google Search: This search engine is gathering many types of information about online activities. Its future products will include data gathering and targeting as a primary business goal. All of Google’s properties, including Google Search, Gmail, Orkut and Google Desktop, have deeply linked cookies that will expire in 2038. Each of these cookies has a globally unique identifier (GUID) and can store search queries every time you search the Web. Google does not delete any information from these cookies. Therefore, given a list of search terms, Google can produce a list of people who searched for those terms, identified either by IP address or by Google cookie value. Conversely, given an IP address or Google cookie value, Google can produce a list of the terms searched by the user of that IP address or cookie value.
Orkut: Google’s social-networking site contains confidential information such as name, email address, phone number, age, postal address, relationship status, number of children, religion and hobbies. In accordance with its terms of service, submitting, posting or displaying any information on or through the Orkut.com service automatically grants Orkut a worldwide, nonexclusive, sublicensable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, and publicly perform and display such data.
Gmail: The primary risk in using Gmail lies in the fact that most users give their consent to make Gmail more than an email-delivery service and enable features such as searching, storage and shopping. This correlation of search and mail can lead to potential privacy risks. For example, email stored on third-party servers for more than 180 days is no longer protected by the Electronic Communications Privacy Act, which declares email a private means of communication.
Gmail Mobile: Mobile phones are increasingly being sold with Gmail built in, and if not, it can be downloaded. The questions to ask: How uniquely does your mobile phone identify you as the user, and when was the last time you changed your phone and your identifiers?
Gmail Patents: Gmail’s Patent #20040059712 emphasizes “Serving advertisements using information associated with email.” This allows Google to create profiles based on a variety of information derived from emails related to senders, recipients, address books, subject-line texts, path name of attachments and so on.
Google Desktop: Google Desktop allows users to search their desktops using a Google-like interface. All word-based documents, spreadsheets, emails and images on a computer are instantly searchable. Index information is stored on the local computer. Google Desktop 3 allows users to search across multiple computers. GD3 stores index and copies of files on Google’s servers for nearly a month.
Chrome: Chrome is Google’s browser. It’s available for download today and will eventually be installed on new PCs. Some of the risks it poses include:
Android: Android is Google’s operating system for cell phones. It retains information about dialed phone numbers, received phone-call numbers, Web searches, emails and geographic locations at which the phone was used.
Google Health: This product allows consumers, such as employees, coworkers and customers, to store their health records with Google. Recently, CVS Caremark, along with Walgreens and Longs Drugs in the United States, agreed to allow Google Health users to import their pharmacy records.
Organizational Threats
Uninstalling these products or using competitive tools can mitigate many of these threats. But what about the dangers to your organization? One example is Google Search with its Google Flu Trends (www.google.org/flutrends).
Google has correlated flu data from the U.S. Centers for Disease Control (CDC) from 2003 to the present with its own search data. Spikes in users’ searches about flu treatments correlated tightly with the CDC data. Flu Trends has demonstrated Google’s ability to analyze search data for a specific term or set of terms. And it can retain this data and where it came from because Google in its privacy policies states that it records IP addresses.
So, what’s to stop Google from analyzing all search data from your organization’s networks? What’s the difference between analyzing flu trends and “Top 100 search terms from XYZ Corp.”? Or what if a company were to correlate regional threats from swine flu with search data from Google Health/Prescription data and then analyze the health of its employees and detect long-term effects?
Overall, the most critical threat is reliance on Gmail, whether the setting is universities, cities, companies or countries switching to Gmail en masse, or the newest employees in the organization using Gmail as their primary or sole email platform. Questions to ask your security team: How big is the organization’s email archive? How many years of emails are saved? If your organization switches its email hosting service to Google Gmail, what happens to the privacy and confidentiality clauses in your employee and customer contracts?
Another area of concern for hosted email is the potential of having to turn that data over to the government. Google, Yahoo and Microsoft have a history of complying with the United States’ and foreign governments’ requests for information. If such data is turned over, how much corporate security is being eroded?
Consider the amount of money and manpower dedicated to handling Microsoft Windows patches, viruses, spyware and botnet detection. Imagine the impact that reliance on Google products could have on corporate privacy and security.
accountants, Articles, attorneys, CFO/CSO/CPO, CISSP
Aug 12, 2009
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.
Q. What are some good security defense practices?
A. In the last column, we talked about creating an information security compliance program. Reminder: Information security is a lot like the common cold. Statistically, everyone catches the cold. Some people avoid it for years, while others get it yearly, and every year a surprisingly large number of people die from untreated colds and seasonal flus. A breach or break-in is a question of when, not if. You will be broken into, you will get infected; the only questions are when it will happen and whether you’ll be able to deal with the infection. Now, let’s look at some good information security defense practices.
Good security consists of using several tools to do the job properly. Use a good spam firewall or service to prevent junk from getting into your mail servers, desktops, et cetera. Use a good UTMS (Unified Threat Management System) to automatically scan network traffic (both inbound and outbound) for infected packets. Deny malicious packets from entering your network, and investigate all PCs, laptops, et cetera that originate garbage from your network. After all, you do not want the rest of your company’s email to be affected, or to have your Internet connection terminated because your network is accused of spamming the Internet.
Use good, managed switches, firewalls and routers. Switches come in two varieties: managed and unmanaged. Unmanaged, or dumb, switches are what you get at your local megamart. They’re cheap, and, like your first car, will do a decent job of moving traffic from one device to another. Managed, or smart, switches, on the other hand, are not usually sold at your local big-box retailer (they’re available online at PCMall.com, CDW.com, NewEgg.com and Amazon.com). They cost a bit more, but can give your network abilities you never knew you needed. Capabilities include VLANS (which split one physical switch into multiple, isolated virtual switches), logging traffic and analyzing traffic.
And then there is anti-virus software. Most desktop-based anti-virus software is junk. According to av-comparatives.org, an independent lab that regularly tests all major anti-virus/anti-spyware tools, even the best tool has a 69 percent success rate. So if you used the latest product and configured it properly, there’s a good chance almost a third (31 percent) of the malware could still come in. Thus, you still need to use an AV/AS product, and we recommend using multiple tools simultaneously, or switching to Macs or Linux and ditching Windows completely.
Furthermore, it would be wise not to put all your eggs in one basket. For decades, the military has successfully used the concept of network isolation. Everyone has two or more workstations, one for general purposes (in the corporate sector these might include emails, Web surfing and proposal writing) and one for sensitive purposes (such as financial planning, budgeting, accounting and R&D).
In the consumer space, we tend to use our PCs for everything from video games to solitaire to online banking to emails and shopping. Imagine living in a one-room house that combines the kitchen, bathroom, bedroom, living room and dining room. Not very appetizing, is it? Now apply that to your PC or laptop: Start separating higher-value or highly sensitive activities from general-purpose activities. PCs are cheap. Using a KVM, or virtual machine, you can give people access to classified resources without compromising security.
Finally, when and where possible, look at alternative operating systems and browsers. Replace Internet Explorer with Firefox or Opera. Disable/uninstall Outlook Express, and use Thunderbird or webmail for email. If you can, move more of your applications onto Web-enabled platforms (for instance, use an accounting system that can be managed through a secure Web browser, or move your application-submission process to online forms). Then you can really ditch Windows on the desktop and move toward Mac OS X or Linux desktops.
If you must use Windows (and yes, we live on Exchange, Outlook, QuickBooks, et cetera), then consider virtualizing it. There are huge benefits to a properly virtualized server and desktop farm. We’ve reduced help desk and desktop support costs by 50 to 90 percent by moving to VMs.
Remember: The best defense is defense in depth.
Rajesh Goel is chief technology officer at Brainlink International Inc. (or the Technologist), which assists companies in selecting and managing their mobile workforce, including PDAs, email integration and new mobile applications development appropriate for the real estate and commercial property markets. Send him your technology questions via Suzann.silverman@nielsen.com.
accountants, Articles, attorneys
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.
Q: How effective are Internet security tools these days and what new tools or processes should I be using to protect electronic access to my business records and communications?
A: The first thing to note is that talking about Internet security by itself makes no sense. That’s akin to asking, “How do I protect my car in the garage?” without looking at the overall security of your house, neighborhood and locality.
When people talk about Internet security, what they really mean is, “How do I protect my sensitive information?” That is, information security.
Information security involves:
- Determining what and where your information assets are: databases, paper files, online systems, emails, accounting systems, PDAs, laptops, et cetera;
- Classifying the assets by value;
- Determining who should and should not have access to that information;
- Determining which regulations and standards apply to your business. At the federal level, Gramm-Leach-Bliley, HIPAA and Sarbanes-Oxley provide written standards that organizations must meet, depending on the nature of their business or clientele. At the state level, 31 states have passed State Privacy Breach laws (California’s SB-1386 was the first, while New York and Massachusetts have the toughest). So if you have clients in any of those 31 states, complying with those laws is a must. At an industry level, two standards stand out: PCI-DSS for any company that accepts credit cards, regardless of industry, and the National Association of Realtors’ REALTOR Secure standard. PCI-DSS and REALTOR Secure are industry standards, and do not have the force of law behind them. However, complying with them can improve business practices, provide competitive advantages and even provide a safe-harbor defense in case of a breach.
- Putting systems in place to enforce security, log unauthorized access, et cetera.
Thus, there is no simple answer to information security. Each organization is different, as is how it conducts business, and the culture of each firm will determine the choice of tools and the success of its individual information security program.
In our experience, a good InfoSec program delivers the following benefits:
It requires the organization to become aware of existing laws and how they impact the organization. Gramm-Leach-Bliley, for instance, expanded the definition of financial institutions to include real estate firms, auto dealerships and appraisers. So if you appraise property, hold funds in escrow or otherwise lend credit in the course of doing business, GLBA may consider you a financial institution and require that you safeguard clients’ personally identifiable information (PII). Failure to secure PII can result in penalties including civil monetary fines of varying amounts as high as $1 million or more, prison sentences of as much as five years, lower examination ratings and increased reporting requirements, and enforcement actions, which can include board resolutions, memorandums of understanding, written agreements and cease and desist orders.
A good InfoSec assessment answers the following questions:
- What business are we in?
- Where do our clients come from?
- Who ARE our key clients?
- Which clients or lines of business should we get rid of, outsource or spin off?
Complying with the laws and standards helps your company stand out from its peers, reduces liabilities and damages in case of breaches and increases profitability.
In our experience, one of the things we uncover is the roadblocks and logjams that are interfering with productivity: for instance, the way forms are handled, cases are approved, projects are delivered or goods are sold is too slow or too cumbersome, or the process was built 10 or 20 years ago.
In many cases, we reduce transaction time, increase deal flow and/or reduce staff and labor costs by analyzing the information flows, diagramming the information-flow touch points and working with our clients to eliminate roadblocks.
When fixing the issues (“remediating the gaps” in InfoSec jargon), new technology and faster systems can be brought in that really show results at the bottom line.
I worked with a large retailer to complete a PCI compliance assessment, and shaving 1/100th of a second per transaction (multiplied by millions of transactions per month) led to a significant increase in profits.
For a health care chain, the result of the PCI compliance efforts was the adoption of a new electronic health record system that reduced errors, eliminated patients filling out the same medical intake questionnaire again and again, reduced keying and transcription costs and led to better health care. Reduced waiting times also allowed the chain to book more appointments.
For a commercial property management firm, we identified systems and services that were being hosted by third-party vendors that were bleeding the business. We moved these critical systems in house and saved the client a fortune. Moving them in house also led to lowered compliance and management costs.
So, what’s your information security policy? What business practices and roadblocks have you been tolerating that, when removed, could increase your profits by 10 to 30 percent?
accountants, Articles, attorneys
June 11, 2009
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.
Q: HELP! My Web site disappeared and I can’t get any emails!!
A: Determine why the Web site disappeared.
As companies rely more and more on their Web sites, hosted email servers and other outsourced IT services, a new threat has slowly emerged: the disappearing Web site.
Traditional factors usually involve money: The Web hosting bill wasn’t paid or the designer wasn’t paid or there’s a dispute between the client and the designer.
A newer trend is for sites and services to go down due to malware infections or government actions. For example, in the past two weeks, 40,000 virtual servers, representing more than 200,000 Web sites, went offline because the hosting provider, VAServ, was attacked with a new virus. Those sites are in further jeopardy because the underlying technology, HyperVM, has additional flaws that may not be patched for a while, if ever.
Closer to home, we’re seeing a large number of small real estate- and realtor-owned Web sites being hacked and injected with malware. Why? Because most small businesses do not have the tools and the expertise necessary to secure their Web code. Many of these were put together as low-cost/get-it-done-cheap projects. Furthermore, most small-business owners do not consider themselves to be a big enough target, so security is never even considered.
As a result, automated attack tools are constantly scouring the Internet for easily hacked Web sites. Once the attacker is in, they either use the attacked site as a transfer point for storing/transferring data or they use it to infect visitors.
Why are hackers and criminals attacking your Web site? Because the more people they infect, the more money they can make. And at some point, either your Web hoster will shut your site down or they will suffer an extended attack that takes them down, too. Furthermore, in a growing number of cases, the FBI is seizing servers and shutting down complete data centers.
That gives rise to a number of questions:
This technologist considers secure, reliable backups and good systems documentation to be the backbone of a successful business. Because data equals dollars.
If you have any questions regarding backups, securing your business, building and maintaining your disaster recovery policies and procedures or IT in general, feel free to contact me.
Send your technology questions to Rajesh Goel, chief technology officer at Brainlink International Inc., via Raj@brainlink.com.
accountants, Articles, attorneys
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.
Q: What are the pros and cons of going with VOIP as my company’s main telecommunications set-up?
A: Here’s why you might want to switch to VOIP:
The two key areas where we see VOIP adding tremendous value are office moves and reconfigurations, and unified messaging/Outlook integration. With moves, whether of whole offices or cubicles, across the floor or across the country, simply unplug your handset, move it to the new space, plug it in, and your phone number has just moved with you. This saves tremendously on reprinting costs, since no new business cards or letterheads need to be printed. It also saves on move costs and setup costs. Unplug/plug: it is not necessary to reconfigure or change PBX configurations.
When it comes to unified messaging and Outlook integration, VOIP straddles both voice and data, with the VOIP packet routed the same way as emails or Web traffic. In addition, many providers allow integration of your VOIP phone with Outlook. Suddenly, your entire Outlook contacts list is your phonebook/speed-dial list. Going a step further, you can have your emails, faxes as TIFF or JPG attachments, and voicemails as WAV attachments, with or without automated text-to-speech conversions, show up in one place.
Further down the road, we see the next logical step for many companies will be to integrate email + fax + voice + instant messaging + video chat + video conferencing + virtual meetings into a single system. Voice as a standalone product will disappear or become subsumed into a larger communications suite.
There are, though, downsides to VOIP. Among them:
Furthermore, with traditional phones the voice team rarely, if ever, worked with the data team; going forward, the integration between the voice, data and IT services teams will have to get stronger.
Overall, though, the advantages to using VOIP outweigh the disadvantages. VOIP is here, and it is the future. The only question is: When will you adopt it? And will you adopt it proactively or will it be forced on you by the market?
Send your technology questions to Rajesh Goel, chief technology officer at Brainlink International Inc. at Raj@brainlink.com
accountants, Articles, attorneys, CFO/CSO/CPO, CISSP
Most of us use Google on a daily basis to conduct searches and/or research for personal and professional needs.
This article and presentation focus on Google’s services, tools and privacy policies and how they can compromise or even breach attorney-client, doctor-client and agent-client privacy.
Audience:
Attorneys, Insurance Agents, Real Estate Agents, Banking, Consultants, Investment Professionals and anyone who uses Google.
accountants, Articles, attorneys, CFO/CSO/CPO
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.
Very often, business owners ask, “How can I grow my business in this economy?”
The most common answer is networking: business chambers, BNI, Gotham, trade conferences, various societies, alumni groups, etc.
Many marketers will tell you to ADVERTISE, using social networking (Facebook, MySpace, Twitter, MeetUp, etc.) as a component of your outbound marketing activity (i.e., spamming your friends, family and the strangers you met at the last cocktail party…).
For most white-collar businesses (Accountants, Lawyers, Architects), there are legal or social norms as to why they can’t advertise or solicit as easily as Real Estate brokers, Soda makers, Car manufacturers, etc.
Frankly, if a white-collar business got 500 new clients in 6 months, it might go under from the overload. Most professional firms require 1-10 new clients a month. Don’t believe me? Check your sales records. How many new clients did you get last month? Last quarter? Last year? Chances are, you have a long, soft-touch sales cycle.
There’s an old adage that says, “Salespeople spend 90% of their time chasing new customers. Smart salespeople spend 50% of their time getting more business from existing customers.”
So, how do you grow your business smartly? Datamining! Or as we used to call it, competitive intelligence.
Keep tabs on what your
Here’s a PDF tutorial on using LinkedIn as a competitive research tool
© 2012 Raj Goel, CISSP. Powered by WordPress.