Tag archive for "ISC2"

Events

ISC(2) SecureSanAntonio – Jan 19, 2012

11 Comments 10 November 2011

Jan 19, 2012

San Antonio Marriott Northwest
3233 NW Loop 410
San Antonio, Texas 78213

 

Privacy and Security Challenges With Cloud Computing

6 CPEs for CISSPs and ISC2 members

 

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA. More than that, they have become household verbs.

 

Individual consumers and complete corporations moving to Social Media and the cloud has had a resounding impact on how our profession manages enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:

- Data Loss Prevention
- Brand Protection
- Privacy Erosion
- Malware Protection
- FTC’s regulatory sanctions
- Guidance from the Courts, FTC, HHS and other regulatory bodies on Cloud Computing and Social Media

Many of the tools to protect our organizations and users are deployed and in use already. Join us as we share techniques from our peers in making the best use of our past investments to mitigate these risks and more.

Grab the PDF from http://www.brainlink.com/whitepapers/2012-01-19-RajGoel-ISC2-Secure_San_Antonio_Dallas_Cloud_Privacy_Concerns_FINAL.pdf

Events

ISC(2) SecureDallas – Jan 20 2012

3 Comments 10 November 2011

 

Jan 20, 2012

Dallas/Ft Worth Marriott Solana
5 Village Circle
Westlake, TX 76262

 

Privacy and Security Challenges With Cloud Computing

6 CPEs for CISSPs and ISC2 members

 

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA. More than that, they have become household verbs.

 

Individual consumers and complete corporations moving to Social Media and the cloud has had a resounding impact on how our profession manages enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:

- Data Loss Prevention
- Brand Protection
- Privacy Erosion
- Malware Protection
- FTC’s regulatory sanctions
- Guidance from the Courts, FTC, HHS and other regulatory bodies on Cloud Computing and Social Media

Many of the tools to protect our organizations and users are deployed and in use already. Join us as we share techniques from our peers in making the best use of our past investments to mitigate these risks and more.

This event was a huge hit in Denver and looks to be the BIGGEST bash in Texas!

Grab the PDF from http://www.brainlink.com/whitepapers/2012-01-19-RajGoel-ISC2-Secure_San_Antonio_Dallas_Cloud_Privacy_Concerns_FINAL.pdf

CISSP, Events

ISC2 SecureBoston Oct 19, 2011

Comments Off 28 September 2011

Oct 19, 2011 – Full Day ISC2 Local Event

Oversharing: Managing Risk in the Social Age
Co-presented by Raj Goel and Brandon Dunlap

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:

  •  Data Loss Prevention
  •  Brand Protection
  •  Privacy Erosion
  •  Malware Protection

We’ll also outline the cultural effects of Social Media on the enterprise as Generation Y, the Millennials, begin entering the workplace with expectations of open sharing. Many of the tools to protect our organizations and users are deployed and in use already. Join us as we share techniques from our peers in making the best use of our past investments to mitigate these risks.


 

Download the file here:

2011-10-19-RajGoel-ISC2-Secure_Boston_Cloud_Computing_Oversharing_OverCollecting.pdf

 

CISSP, Webinars

Streamlining and Ensuring Continuous Compliance

Comments Off 13 July 2011

http://www.brighttalk.com/webcast/5385/22557

Events

ISC(2) Security Congress 2011

Comments Off 12 July 2011

Sep 19-21, 2011

Orange County Convention Center, Orlando, Florida

Lessons Learned From The FTC (Federal Trade Commission)

Summary:

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches. This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.

Abstract Text

Over the last decade, in the absence of a national Consumer Privacy Watchdog/Czar, the Federal Trade Commission (FTC) has set the standard for what it considers acceptable and unacceptable behavior for companies and organizations conducting business within the United States.

The FTC doesn’t involve itself in the minutiae of security standards à la HIPAA, PCI, etc., nor does it dictate what protocols or technologies companies need to use. Rather, the FTC uses its Constitutional and Congressional mandate for regulating Interstate Commerce to hold companies accountable for their breaches.

This presentation will examine the FTC’s track record, put the sanctions in a larger context of privacy and security breaches, and most importantly, we will look at where the FTC is trending with the FTC Health Breach and RED FLAG regulations.

Whether you deal with physical security, digital security, Risk Management or Compliance, you WILL learn something valuable, and relevant here.

 

Webinars

Trends in Financial Crimes

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/188/3182

CISSP, Webinars

New HIPAA Rules and EHRs: ARRA & Breach Notification

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/586/4565

CISSP, Webinars

Watching the Watchers

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/5385/22564

CISSP, Webinars

Regulatory Compliance While Reducing Enterprise Risk

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/5385/22554

Events

ISC(2) SecureCleveland 2011

Comments Off 13 March 2011

March 24, 2011

Cleveland Airport Marriott

 

In this highly interactive session, you’ll learn about threats to YOUR customer’s privacy.
•    Googling Your Corporate Privacy Away – Tools and practices your users are already using that will compromise their privacy.
•    Trends in Regulations – Rules and regulations you need to know to stay current.
•    Trends in Financial Crimes – New crimes, old crimes with new tools and why your company is so attractive to attackers.
•    Effective Multicompliance – Tips, techniques and lessons learned in staying compliant, while increasing profits and maintaining your sanity.

8 CPEs for CISSPs and ISC2 members

Like all ISC2 events in their Security Leadership Series, this event is free to ISC2 members and is a fantastic opportunity to connect with your peers from around the area.

 

Download the PDF here:

2011-03-24-ISC2-Protecting_Consumer_Privacy.pdf

accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

InfoSecurity Issue 7 – Trends In Financial Crimes

Comments Off 01 February 2011

Raj Goel, CISSP
CTO
Brainlink International, Inc.
raj@brainlink.com
917-685-7731

Raj’s LinkedIn profile

This article appeared in InfoSecurity Magazine Issue 7

2009-09-ISC2_InfoSecurityMagazine_RajGoel-Trends_In_Financiall_Crimes_pg16.jpg

accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

InfoSecurity Issue 6 — DATA LEAK: Googling AWAY your Security and Privacy

Comments Off 15 January 2011

Raj Goel, CISSP
CTO
Brainlink International, Inc.
raj@brainlink.com
917-685-7731

Raj’s LinkedIn profile

This article appeared in InfoSecurity Magazine Issue 6

2009-06-ISC2_InfoSecurityMagazine_RajGoel-Googling_Privacy_Away_pg1.jpg

2009-06-ISC2_InfoSecurityMagazine_RajGoel-Googling_Privacy_Away_pg2.jpg

PDF Article

It’s no secret that Google retains search data and metadata regarding searches—in fact, it’s quite open about doing so. What’s unsure, though, is the long-term threat to information security and privacy. Let’s review Google’s elements.

Google Search: This search engine is gathering many types of information about online activities. Its future products will include data gathering and targeting as a primary business goal. All of Google’s properties—including Google Search, Gmail, Orkut and Google Desktop—have deeply linked cookies that will expire in 2038. Each of these cookies has a globally unique identifier (GUID) and can store search queries every time you search the Web. Google does not delete any information from these cookies. Therefore, if a list of search terms is given, Google can produce a list of people who searched for that term, which is identified either by IP address or Google cookie value. Conversely, if an IP address or Google cookie value is given, Google can also produce a list of the terms searched by the user of that IP address or cookie value.

Orkut: Google’s social-networking site contains confidential information such as name, email address, phone number, age, postal address, relationship status, number of children, religion and hobbies. In accordance with its terms of service, submitting, posting or displaying any information on or through the Orkut.com service automatically grants Orkut a worldwide, nonexclusive, sublicensable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, and publicly perform and display such data.

Gmail: The primary risk in using Gmail lies in the fact that most users give their consent to make Gmail more than an email-delivery service and enable features such as searching, storage and shopping. This correlation of search and mail can lead to potential privacy risks. For example, email stored on third-party servers for more than 180 days is no longer protected by the Electronic Communications Privacy Act, which declares email a private means of communication.

Gmail Mobile: Mobile phones are increasingly being sold with Gmail built in, and if not, it can be downloaded. The questions to ask: How uniquely does your mobile phone identify you as the user, and when was the last time you changed your phone and your identifiers?

Gmail Patents: Gmail’s Patent #20040059712 emphasizes “Serving advertisements using information associated with email.” This allows Google to create profiles based on a variety of information derived from emails related to senders, recipients, address books, subject-line texts, path name of attachments and so on.

Google Desktop: Google Desktop allows users to search their desktops using a Google-like interface. All word-based documents, spreadsheets, emails and images on a computer are instantly searchable. Index information is stored on the local computer. Google Desktop 3 allows users to search across multiple computers. GD3 stores index and copies of files on Google’s servers for nearly a month.

Chrome: Chrome is Google’s browser. It’s available for download today and will eventually be installed on new PCs. Some of the risks it poses include:

  • Every URL visited gets logged by Google
  • Every word, partial word or phrase typed into the location bar, even if you don’t click the Enter/Return button, gets logged by Google
  • Chrome sends an automatic cookie with every automatic search it performs in the location bar.

Android: Android is Google’s operating system for cell phones. It retains information about dialed phone numbers, received phone-call numbers, Web searches, emails and geographic locations at which the phone was used.

Google Health: This product allows consumers—such as employees, coworkers and customers—to store their health records with Google. Recently, CVS Caremark, along with Walgreens and Longs Drugs in the United States, agreed to allow Google Health users to import their pharmacy records.

Organizational Threats

Uninstalling these products or using competitive tools can mitigate many of these threats. But what about the dangers to your organization? One example is Google Search with its Google Flu Trends (www.google.org/flutrends).

Google has correlated flu data from the U.S. Centers for Disease Control (CDC) from 2003 to the present with its own search data. Spikes in users’ searches about flu treatments correlated tightly with the CDC data. Flu Trends has demonstrated Google’s ability to analyze search data for a specific term or set of terms. And it can retain this data and where it came from because Google in its privacy policies states that it records IP addresses.

So, what’s to stop Google from analyzing all search data from your organization’s networks? What’s the difference between analyzing flu trends and “Top 100 search terms from XYZ Corp.”? Or what if a company were to correlate regional threats from swine flu with search data from Google Health/Prescription data and then analyze the health of its employees and detect long-term effects?

Overall, the most critical threat is reliance on Gmail—whether the setting is universities, cities, companies or countries switching to Gmail en masse, or the newest employees in the organization using Gmail as their primary or sole email platform. Questions to ask your security team: How big is the organization’s email archive? How many years of emails are saved? If your organization switches its email hosting service to Google Gmail, what happens to the privacy and confidentiality clauses in your employee and customer contracts?

Another area of concern for hosted email is the potential of having to turn that data over to the government. Google, Yahoo and Microsoft have a history of complying with the United States’ and foreign governments’ requests for information. If such data is turned over, how much corporate security is being eroded?

Consider the amount of money and manpower dedicated to handling Microsoft Windows patches, viruses, spyware and botnet detection. Imagine the impact that reliance on Google products could have on corporate privacy and security.


Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in New York and can be reached at raj@brainlink.com.

Events

ISC(2) SecureCharlotte 2010

Comments Off 19 October 2010


Oct 19, 2010
Westin Charlotte

In this highly interactive session, you’ll learn about threats to YOUR customer’s privacy.
• Googling Your Corporate Privacy Away – Tools and practices your users are already using that will compromise their privacy.
• Trends in Regulations – Rules and regulations you need to know to stay current.
• Trends in Financial Crimes – New crimes, old crimes with new tools and why your company is so attractive to attackers.
• Effective Multicompliance – Tips, techniques and lessons learned in staying compliant, while increasing profits and maintaining your sanity.

8 CPEs for CISSPs and ISC2 members

Like all ISC2 events in their Security Leadership Series, this event is free to ISC2 members and is a fantastic opportunity to connect with your peers from around the area.

Download the PDF here:

2011-03-24-ISC2-Protecting_Consumer_Privacy.pdf


What to teach your kids about Social Media

Comments

Raj, Thank you for an informative presentation on privacy and cloud computing in Dallas today. Thanks, -Christopher M. Meinders, CISSP Information Security Analyst SourceHOV (Christopher M. Meinders)

© 2012 Raj Goel, CISSP.