Tag archive for "PCI"

Articles

iPad’s ‘Dictation’ sends info to Apple servers

31 March 2012

“Dictation” is one of the features of the new iPad, and it can be used to dictate notes, emails, text messages. But new iPad owners may want to use it sparingly if they’re worried about privacy: the feature sends what you say to Apple’s servers to process the information.

“What I’ve come to learn about Dictation is that it requires more from me to use than I’m comfortable with Apple requesting,” writes Stephen Chapman on ZDNet.

via iPad’s ‘Dictation’ sends info to Apple servers – Technolog on msnbc.com.

Articles

Breach Hits Card Processor Global Payments – shares drop 9%

31 March 2012

Global Payments didn’t disclose what type of data had been accessed, but said it had notified “appropriate industry parties to allow them to minimize potential cardholder impact.”

News of the breach broke in the morning but Global Payments confirmed it only after the market close. Global Payments shares tumbled 9% to $47.50 a share on the New York Stock Exchange, after people involved in investigating the breach identified the company to The Wall Street Journal as the victim of the attack. The stock was halted at midday. The company is scheduled to report quarterly earnings on April 4.

The breach underscores the mazelike network of the U.S. payment system, where little-known companies play important roles in processing billions of transactions each day. Global Payments is part of a group of companies called “third-party processors,” that serve as middlemen between merchants and banks.

Global Payments was the seventh-largest “merchant acquirer” in the U.S. last year, according to the Nilson Report, a payments-industry newsletter. Merchant acquirers have contracts with retailers to handle the processing of card transactions, including debit cards, credit cards and gift cards. Such third-party processors have been the target of big hacker attacks in the past.

via Breach Hits Card Processor Global Payments – WSJ.com.

CISSP, Events

ISC2 SecureBoston Oct 19, 2011

28 September 2011

Oct 19, 2011 – Full Day ISC2 Local Event

Oversharing: Managing Risk in the Social Age
Co-presented by Raj Goel and Brandon Dunlap

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:

  •  Data Loss Prevention
  •  Brand Protection
  •  Privacy Erosion
  •  Malware Protection

We’ll also outline the cultural effects of Social Media on the enterprise as Generation Y, the Millennials, begin entering the workplace with expectations of open sharing. Many of the tools to protect our organizations and users are deployed and in use already. Join us as we share techniques from our peers in making the best use of our past investments to mitigate these risks.

Download the file here:

2011-10-19-RajGoel-ISC2-Secure_Boston_Cloud_Computing_Oversharing_OverCollecting.pdf

Articles, News

Written Information Security Policy is INSUFFICIENT to comply with Massachusetts Data Privacy Law

29 August 2011

Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations

The Massachusetts Attorney General’s Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.

While there is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose, the Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions in order to determine appropriate restitution. This is the first settlement related to a violation of the Commonwealth’s relatively new data security regulations. While the Attorney General’s Office entered into a consent agreement with a restaurant chain in April 2011 for data security failures, that alleged breach occurred before the new data security regulations went into effect on March 1, 2010. (See our post about this consent agreement here.)

via Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations : Privacy Law Blog.

News

Little Brother is a snitch – Blackberry Messenger archives open to UK authorities

22 August 2011

The 1st rule of social media and digital communications really should be

“Little Brother is watching…and he’s a snitch”

While George Orwell trained us to distrust government (aka Big Brother), his crystal ball didn’t foresee all the little brothers that would take your money AND betray you for their own profitability.

After the UK riots, Blackberry maker RIM made the BBMs stored on RIM’s servers available to the UK police.

Add this to all the cases where Google, Microsoft, Facebook, etc have buckled under National Security Letters and other arm-twisting and all of a sudden, 1984 reads like an UTOPIAN fantasy.

Read more here: http://www.theregister.co.uk/2011/08/09/bbm_riots/

MS says EU data open to Patriot Act seizures: http://www.theregister.co.uk/2011/07/04/eu_customer_cloud_data_may_be_handed_over_by_microsoft/

If you’re concerned about Google retaining your personal data, then you must be doing something you shouldn’t be doing. At least that’s the word from Google CEO Eric Schmidt: http://www.theregister.co.uk/2009/12/07/schmidt_on_privacy/

Aug 23, 2011 – Facebook & Twitter are also meeting with the UK government – http://thenextweb.com/uk/2011/08/22/confirmed-twitter-will-meet-with-the-uk-government-for-riot-talks/

So, my compliance-oriented readers, what is YOUR social media, BBM, SMS, EMAIL communications policy?

Articles

Backing Up Documents in the Cloud

22 August 2011

Raj Goel, CISSP
CTO, Brainlink International, Inc.
raj@brainlink.com
917-685-7731

Raj’s LinkedIn profile

This article appeared on LAW.com

John Edwards (no, not THAT John Edwards) did a great job of summarizing various backup tools available for CLOUD backups, and some risks inherent in it.

My opinion is that law firms should NOT be using public or hybrid clouds, as dangers to client-confidentiality and potential litigation liabilities out-weigh any short-term savings.

PRIVACY

Rajesh Goel, chief technology officer at Brainlink International, a New York-based compliance security consulting firm, warns that storing data in the cloud could, under some circumstances, pose a privacy risk to client data. “If a firm is large enough and they have the financial and technical resources to build their own private cloud, then the advantages of cloud computing are compelling,” he says. “For firms lured by the low cost/save money siren song of public and hybrid clouds, there’s danger ahead.”

Goel observes that while the Electronic Communications Privacy Act assures that e-mail has a 180-day right to privacy, information held in databases has zero days of privacy protection. “All online applications … can be classified as databases, under the strict definition of ECPA,” Goel asserts.

Goel says that attorneys also need to be aware of another potential privacy threat. “The Patriot Act allows law enforcement to use National Security Letters to obtain information about individuals and companies from service providers,” he says. “Most NSLs forbid the service provider from notifying their clients that they have released information to law enforcement, based on NSLs.”

Goel adds that lawyers with clients in highly regulated areas, such as health care and financial services, also need to fully investigate their situation and privacy risk potential before sending files into the cloud.

Full Article is available at http://www.law.com/jsp/article.jsp?id=1202509461694&Backing_Up_Documents_in_the_Cloud&slreturn=1&hbxlogin=1

Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in New York and can be reached at raj@brainlink.com.

About, Presentations

Presentation Topics

13 July 2011

Each of my talks runs from 45-120 minutes.

I present the specific topic in 45 minutes, or really dive into it for 2 hours.

Multiple topics can also be combined into 2,3,4 or 6-hour sessions for 1/2-day and full-day events.

The agendas/descriptions for each of the topics are:


1) Perils of Social Media – How Facebook, Google, Twitter, Social Media & Cloud Computing are creating Threats to Privacy, Security and Liberty

Social Media has quickly woven itself into the very fabric of everyday life. This boom in sharing, even the most banal of details, has had a resounding impact on how our children, employees and colleagues communicate.

Using case studies from the US and around the world, we’ll examine how people have lost jobs, college admissions, college degrees, fortunes and freedom through (un)social media.

We’ll also investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations and governments.

We’ll also discuss some strategies and steps we can take to protect civil liberties and privacy in the age of Social Media.


2) Trends in Financial Crimes

This interactive and lively discussion presents an overview of US laws (HIPAA, Sarbanes Oxley (SOX), Gramm Leach Bliley Act (GLBA), PCI CISP Credit Card Compliance, the growing number of US state data breach notification laws). We trace the history of information security regulations and ID Theft. We examine credit theft and the threat it poses to the American banking industry, as well as the global economy and what governments around the world are doing to combat these crimes.

Special attention is paid to trends and growth in financial crimes, including:

* ID Theft
* Mortgage/Title Fraud
* SPAM /Botnet for Hire
* Credit Fraud
* Case Studies from around the world

Length: 50 minutes


3) Are you Googling your Clients’ privacy away?

This presentation addresses how various services offered by Google can become a threat to your companies’ privacy and confidentiality policies.

It deals with Google’s capabilities to capture and aggregate information with or without user knowledge. Special attention is given to Google’s key offerings such as:

* Google Searches
* GMail
* Orkut
* Google Toolbar
* Google Desktop
* Android
* Chrome Browser
* Case Studies from around the world

Length: 50 Minutes


4) Expanding your practice using LinkedIn

This seminar will discuss:

* Common myths about LinkedIn
* Proper uses and misuses of LinkedIn
* The power of LinkedIn Groups
* Case studies examining different LinkedIn profiles, and how to create effective profiles

Length: 50 Minutes


5) Living in a MultiCompliance World – Part I HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and PCI-DSS compliance

This presentation provides an overview of the major federal and private information security laws and regulations in the United States.

Case studies examine the real-world impact of non-compliance, analysis of documented cases and guidance on implementing multi-compliance effectively.

Length: 90 minutes


6) Living in a MultiCompliance World – Part II

This presentation provides an overview of the impact the 37+ state privacy breach laws have on the federal regulations and PCI-DSS compliance. We examine the New York State Privacy Breach law in depth.

Length: 90 minutes


7) Lessons Learned From the FTC

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches. This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.

Over the last decade, in the absence of a national Consumer Privacy Watchdog/Czar, the Federal Trade Commission (FTC) has set the standard for what it considers acceptable, and unacceptable behavior for companies and organizations conducting business within the United States.

The FTC doesn’t involve itself in the minutiae of security standards à la HIPAA, PCI, etc., nor does it dictate what protocols or technologies companies need to use. Rather, the FTC uses its Constitutional and Congressional mandate for regulating Interstate Commerce to hold companies accountable for their breaches.

This presentation will examine the FTC’s track record, put the sanctions in a larger context of privacy and security breaches, and most importantly, we will look at where the FTC is trending with the FTC Health Breach and RED FLAG regulations.

Length: 90 minutes


8) PCI Compliance is an expensive, moving target.

Many firms have chosen to become PCI compliant, others are content to sit by the sidelines and hope they won’t get caught.

Countless other firms have engaged in PCI compliance efforts, only to fall short and have significant breaches while being PCI compliant.

Pay NOW for effective, common-sense based compliance, or pay LATER in FTC fines, PCI fines and lawsuits.
Either way, you’re going to pay.

This presentation looks at a Dollars and Cents approach to PCI compliance.

Length: 45 minutes


9) Privacy and Security Challenges With Cloud Computing for Attorneys, Accountants and Business Owners

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA.  More than that, they have become household verbs.

Individual consumers and complete corporations moving to Social Media and the cloud has had a resounding impact on how our profession manages enterprise security. In this interactive event, we’ll explore strategies for managing the risks associated with:

- Data Loss Prevention
- Brand Protection
- Privacy Erosion
- Malware Protection
- FTC’s regulatory sanctions
- Guidance from the Courts, FTC, HHS and other regulatory bodies on Cloud Computing and Social Media

This has been presented twice at NYCLA (New York County Lawyers Association) and makes for a great ETHICS CLE for your law practice or Bar association.

Length: 45-90 minutes


10) Case Studies in Privacy and Security failures from around the globe

We examine large breaches from around the world (US, Canada, Japan, South Korea, Israel, UK, etc), focusing on the historical, cultural and social factors that contributed to the breach.

We also draw out the common threads that tie these breaches together, into a comprehensive narrative.

Length: 45-90 minutes

CISSP, Webinars

Streamlining and Ensuring Continuous Compliance

13 July 2011

http://www.brighttalk.com/webcast/5385/22557

Webinars

Trends in Financial Crimes

12 July 2011

http://www.brighttalk.com/webcast/188/3182

CISSP, Webinars

Watching the Watchers

12 July 2011

http://www.brighttalk.com/webcast/5385/22564

CISSP, Webinars

Regulatory Compliance While Reducing Enterprise Risk

12 July 2011

http://www.brighttalk.com/webcast/5385/22554

accountants, attorneys, CFO/CSO/CPO, CISSP, Presentations

Lessons Learned From The FTC (Federal Trade Commission)

12 July 2011

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches. This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.

accountants, attorneys, CISSP, Presentations

HIPAA, HITECH, Privacy Breach Laws – What EVERY Hospital Privacy & Compliance team needs to know.

12 July 2011

This presentation covers:

- Overview of HIPAA, HITECH & NYS Privacy Breach Laws

- Trends in litigation – who’s been sued, who’s suing, what YOU need to know to protect your organization

- Trends in Compliance – Your Risk Analysis says you need to fix 100 things — we’ll help you determine what’s really important, what your peer organizations are doing and what the regulators are looking at.

- Success Stories – We’ll share with you the secrets to SUCCESSFUL compliance from organizations around the country


accountants, attorneys, CISSP

PCI Compliance is an expensive, moving target.

12 July 2011

Many firms have chosen to become PCI compliant, others are content to sit by the sidelines and hope they won’t get caught.
Countless other firms have engaged in PCI compliance efforts, only to fall short and have significant breaches while being PCI compliant.


accountants, attorneys, CISSP, Presentations

Privacy and Security Challenges With Cloud Computing for Attorneys, Accountants and Business Owners

12 July 2011

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA.  More than that, they have become household verbs.


Events

ISC(2) SecureCleveland 2011

13 March 2011

March 24, 2011

Cleveland Airport Marriott

In this highly interactive session, you’ll learn about threats to YOUR customer’s privacy.

• Googling Your Corporate Privacy Away – Tools and practices your users are already using that will compromise their privacy.
• Trends in Regulations – Rules and regulations you need to know to stay current.
• Trends in Financial Crimes – New crimes, old crimes with new tools and why your company is so attractive to attackers.
• Effective Multicompliance – Tips, techniques and lessons learned in staying compliant, while increasing profits and maintaining your sanity.

8 CPEs for CISSPs and ISC2 members

Like all ISC2 events in their Security Leadership Series, this event is free to ISC2 members and is a fantastic opportunity to connect with your peers from around the area.

Download the PDF here:

2011-03-24-ISC2-Protecting_Consumer_Privacy.pdf

accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

InfoSecurity Issue 7 – Trends In Financial Crimes

01 February 2011

InfoSecurity Issue 7 – Trends In Financial Crimes

Raj Goel, CISSP
CTO, Brainlink International, Inc.
raj@brainlink.com
917-685-7731

Raj’s LinkedIn profile

This article appeared in InfoSecurity Magazine Issue 7

2009-09-ISC2_InfoSecurityMagazine_RajGoel-Trends_In_Financiall_Crimes_pg16.jpg

accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

InfoSecurity Issue 6 — DATA LEAK: Googling AWAY your Security and Privacy

15 January 2011

Raj Goel, CISSP
CTO, Brainlink International, Inc.
raj@brainlink.com
917-685-7731

Raj’s LinkedIn profile

This article appeared in InfoSecurity Magazine Issue 6

2009-06-ISC2_InfoSecurityMagazine_RajGoel-Googling_Privacy_Away_pg1.jpg
2009-06-ISC2_InfoSecurityMagazine_RajGoel-Googling_Privacy_Away_pg2.jpg

PDF Article

It’s no secret that Google retains search data and metadata regarding searches—in fact, it’s quite open about doing so. What’s unsure, though, is the long-term threat to information security and privacy. Let’s review Google’s elements.

Google Search: This search engine is gathering many types of information about online activities. Its future products will include data gathering and targeting as a primary business goal. All of Google’s properties—including Google Search, Gmail, Orkut and Google Desktop—have deeply linked cookies that will expire in 2038. Each of these cookies has a globally unique identifier (GUID) and can store search queries every time you search the Web. Google does not delete any information from these cookies. Therefore, if a list of search terms is given, Google can produce a list of people who searched for that term, which is identified either by IP address or Google cookie value. Conversely, if an IP address or Google cookie value is given, Google can also produce a list of the terms searched by the user of that IP address or cookie value.

Orkut: Google’s social-networking site contains confidential information such as name, email address, phone number, age, postal address, relationship status, number of children, religion and hobbies. In accordance with its terms of service, submitting, posting or displaying any information on or through the Orkut.com service automatically grants Orkut a worldwide, nonexclusive, sublicensable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, and publicly perform and display such data.

Gmail: The primary risk in using Gmail lies in the fact that most users give their consent to make Gmail more than an email-delivery service and enable features such as searching, storage and shopping. This correlation of search and mail can lead to potential privacy risks. For example, email stored on third-party servers for more than 180 days is no longer protected by the Electronic Communications Privacy Act, which declares email a private means of communication.

Gmail Mobile: Mobile phones are increasingly being sold with Gmail built in, and if not, it can be downloaded. The questions to ask: How uniquely does your mobile phone identify you as the user, and when was the last time you changed your phone and your identifiers?

Gmail Patents: Gmail’s Patent #20040059712 emphasizes “Serving advertisements using information associated with email.” This allows Google to create profiles based on a variety of information derived from emails related to senders, recipients, address books, subject-line texts, path name of attachments and so on.

Google Desktop: Google Desktop allows users to search their desktops using a Google-like interface. All word-based documents, spreadsheets, emails and images on a computer are instantly searchable. Index information is stored on the local computer. Google Desktop 3 allows users to search across multiple computers. GD3 stores index and copies of files on Google’s servers for nearly a month.

Chrome: Chrome is Google’s browser. It’s available for download today and will eventually be installed on new PCs. Some of the risks it poses include:

  • Every URL visited gets logged by Google
  • Every word, partial word or phrase typed into the location bar, even if you don’t click the Enter/Return button, gets logged by Google
  • Chrome sends an automatic cookie with every automatic search it performs in the location bar.

Android: Android is Google’s operating system for cell phones. It retains information about dialed phone numbers, received phone-call numbers, Web searches, emails and geographic locations at which the phone was used.

Google Health: This product allows consumers—such as employees, coworkers and customers—to store their health records with Google. Recently, CVS Caremark, along with Walgreens and Longs Drugs in the United States, agreed to allow Google Health users to import their pharmacy records.

Organizational Threats

Uninstalling these products or using competitive tools can mitigate many of these threats. But what about the dangers to your organization? One example is Google Search with its Google Flu Trends (www.google.org/flutrends).

Google has correlated flu data from the U.S. Centers for Disease Control (CDC) from 2003 to the present with its own search data. Spikes in users’ searches about flu treatments correlated tightly with the CDC data. Flu Trends has demonstrated Google’s ability to analyze search data for a specific term or set of terms. And it can retain this data and where it came from because Google in its privacy policies states that it records IP addresses.

So, what’s to stop Google from analyzing all search data from your organization’s networks? What’s the difference between analyzing flu trends and “Top 100 search terms from XYZ Corp.”? Or what if a company were to correlate regional threats from swine flu with search data from Google Health/Prescription data and then analyze the health of its employees and detect long-term effects?

Overall, the most critical threat is reliance on Gmail—whether the setting is universities, cities, companies or countries switching to Gmail en masse, or the newest employees in the organization using Gmail as their primary or sole email platform. Questions to ask your security team: How big is the organization’s email archive? How many years of emails are saved? If your organization switches its email hosting service to Google Gmail, what happens to the privacy and confidentiality clauses in your employee and customer contracts?

Another area of concern for hosted email is the potential of having to turn that data over to the government. Google, Yahoo and Microsoft have a history of complying with the United States’ and foreign governments’ requests for information. If such data is turned over, how much corporate security is being eroded?

Consider the amount of money and manpower dedicated to handling Microsoft Windows patches, viruses, spyware and botnet detection. Imagine the impact that reliance on Google products could have on corporate privacy and security.


Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in New York and can be reached at raj@brainlink.com.

Events

ISC(2) SecureCharlotte 2010

19 October 2010


Oct 19, 2010
Westin Charlotte

In this highly interactive session, you’ll learn about threats to YOUR customer’s privacy.
• Googling Your Corporate Privacy Away – Tools and practices your users are already using that will compromise their privacy.
• Trends in Regulations – Rules and regulations you need to know to stay current.
• Trends in Financial Crimes – New crimes, old crimes with new tools and why your company is so attractive to attackers.
• Effective Multicompliance – Tips, techniques and lessons learned in staying compliant, while increasing profits and maintaining your sanity.

8 CPEs for CISSPs and ISC2 members

Like all ISC2 events in their Security Leadership Series, this event is free to ISC2 members and is a fantastic opportunity to connect with your peers from around the area.

Download the PDF here:

2011-03-24-ISC2-Protecting_Consumer_Privacy.pdf

accountants, Articles, attorneys, CFO/CSO/CPO, CISSP

Defensive Plays Help Keep Information Safe

12 August 2009

Aug 12, 2009
By: Rajesh Goel, Chief Technology Officer, Brainlink International Inc.

Q. What are some good security defense practices?

A. In the last column, we talked about creating an information security compliance program. Reminder: Information security is a lot like the common cold–statistically, everyone catches the cold. Some people avoid it for years, while others get it yearly, and every year a surprisingly large number of people die from untreated colds and seasonal flus. A breach or break-in is a question of when, not if. You will be broken into, you will get infected–the only questions are when it will happen and whether you’ll be able to deal with the infection. Now, let’s look at some good information security defense practices.

Good security consists of using several tools to do the job properly. Use a good spam firewall or service to prevent junk from getting into your mail servers, desktops, et cetera. Use a good UTMS (Unified Threat Management System) to automatically scan network traffic (both inbound and outbound) for infected packets. Deny malicious packets from entering your network, and investigate all PCs, laptops, et cetera that originate garbage from your network. After all, you do not want the rest of your company’s email to be affected, or to have your Internet connection terminated because your network is accused of spamming the Internet.

Use good, managed switches, firewalls and routers. Switches come in two varieties: managed and unmanaged. Unmanaged, or dumb, switches are what you get at your local megamart. They’re cheap, and, like your first car, will do a decent job of moving traffic from one device to another. Managed, or smart, switches, on the other hand, are not usually sold at your local big-box retailer (they’re available online at PCMall.com, CDW.com, NewEgg.com and Amazon.com). They cost a bit more, but can give your network abilities you never knew you needed. Capabilities include VLANS (which split one physical switch into multiple, isolated virtual switches), logging traffic and analyzing traffic.

And then there is anti-virus software. Most desktop-based anti-virus software is junk. According to av-comparatives.org, an independent lab that tests all major anti-virus/anti-spyware tools regularly, even the best tool has a 69 percent success rate. So if you used the latest product and configured it properly, there’s a good chance almost a third (31 percent) of the malware could still come in. Thus, you still need to use an AV/AS product, and we recommend using multiple tools simultaneously–or switching to Macs or Linux and ditching Windows completely.

Furthermore, it would be wise not to put all your eggs in one basket. For decades, the military has successfully used the concept of network isolation. Everyone has two or more workstations, one for general purposes (in the corporate sector these might include emails, Web surfing and proposal writing) and one for sensitive purposes (such as financial planning, budgeting, accounting and R&D).

In the consumer space, we tend to use our PCs for everything from video games to solitaire to online banking to emails and shopping. Imagine living in a one-room house that combines the kitchen, bathroom, bedroom, living room and dining room. Not very appetizing, is it? Now apply that to your PC or laptop: Start separating higher-value or highly sensitive activities from general-purpose activities. PCs are cheap. Using a KVM, or virtual machine, you can give people access to classified resources without compromising security.

Finally, when and where possible, look at alternative operating systems and browsers. Replace Internet Explorer with Firefox or Opera. Disable/uninstall Outlook Express, and use Thunderbird or webmail for email. If you can, move more of your applications onto Web-enabled platforms (for instance, use an accounting system that can be managed by a secure Web browser, or move your applications-submission process to online forms). Then you can really ditch Windows on the desktop and move toward Mac OSX or Linux desktops.

If you must use Windows (and yes, we live on Exchange, Outlook, Quickbooks, et cetera), then consider virtualizing it. There are huge benefits to a properly virtualized server and desktop farm. We’ve reduced help desk and desktop support costs by 50 to 90 percent by moving to VMs.

Remember: The best defense is defense in depth.

Rajesh Goel is chief technology officer at Brainlink International Inc. (or the Technologist), which assists companies in selecting and managing their mobile workforce, including PDAs, email integration and new mobile applications development appropriate for the real estate and commercial property markets. Send him your technology questions via Suzann.silverman@nielsen.com.


© 2012 Raj Goel, CISSP.