Most fraud is an inside job, says survey

Business Process Improvement, Security 0 Comments

November 10, 2011 from InfoWorld – “Fraud cost organizations 2.1 percent of earnings in the past 12 months, which is equivalent to a week of revenues over the course of a year, according to the Kroll Annual Global Fraud Report, a recent survey that polled more than 1,200 senior executives worldwide.

The research does contain some good news, however, and found a decline in the frequency of fraud over last year. Of the executives polled, 75 percent suffered some kind of fraud-related loss in the last 12 months, which is down from 88 percent the year prior.

However, fraud remains predominantly an inside job, according to the report, and insider jobs increased this year. The 2011 figures show that 60 percent of frauds are committed by insiders, up from 55 percent last year…”

180 View – The article discusses fraud involving data, which has become far easier to access, as well as the traditional methods such as procurement fraud and internal financial fraud. Although access to information is much easier than before, a dishonest employee could equally have taken hard-copy reports in the past and shared them with a competitor. With good access restrictions built into the system, and the same restrictions enforced in any third-party reporting tools that read its data, we think the opportunities for data fraud are diminished. For the more traditional forms of fraud there are also tools that reduce the risk: comprehensive audit trails, workflow that enforces division of duties (the person who raises a transaction cannot be the one who approves it), and access restrictions.
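One way to put those three controls into code, as an added example that is not part of the original post. The users, roles and purchase orders in it are constructed sample data, and storing the audit trail as a hash chain is an assumption about implementation, not something the article describes:

```python
"""Added example (not code from the original post): a minimal purchase-order
workflow enforcing the controls named above - access restrictions (an action
is allowed only for listed roles), division of duties (whoever raises an order
can never approve it, even if they also hold the approver role) and a
hash-chained audit trail in which every attempt, allowed or refused, is logged
and any edited or deleted entry is detectable. Users, roles and orders are
constructed sample data."""
import hashlib
import json

# Constructed directory of who holds which role (an assumption for the demo).
ROLES = {"alice": {"requester"}, "bob": {"approver"},
         "carol": {"approver", "requester"}, "dave": {"reader"}}

# Access restriction: roles permitted to perform each workflow action.
PERMITTED = {"create": {"requester"}, "approve": {"approver"}}


class ControlViolation(Exception):
    """An access restriction or division-of-duties rule blocked the action."""


class AuditLog:
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, order_id, outcome):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"user": user, "action": action, "order": order_id,
                "outcome": outcome, "prev": prev}
        body["hash"] = self._digest(body)  # chains this entry to the previous one
        self.entries.append(body)

    def verify(self):
        """True if every entry matches its hash and the chain is unbroken."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PurchaseOrders:
    def __init__(self):
        self.orders = {}
        self.audit = AuditLog()

    def _guarded(self, user, action, order_id, do):
        """Check the role, run `do`, and log the attempt whether allowed or refused."""
        try:
            if not ROLES.get(user, set()) & PERMITTED[action]:
                raise ControlViolation(f"{user} holds no role permitted to {action}")
            do()
        except ControlViolation:
            self.audit.record(user, action, order_id, "refused")
            raise
        self.audit.record(user, action, order_id, "ok")

    def create(self, user, order_id, amount):
        def do():
            self.orders[order_id] = {"amount": amount, "created_by": user,
                                     "approved_by": None}
        self._guarded(user, "create", order_id, do)

    def approve(self, user, order_id):
        def do():
            order = self.orders[order_id]
            if order["created_by"] == user:  # division of duties
                raise ControlViolation(f"{user} cannot approve their own order")
            order["approved_by"] = user
        self._guarded(user, "approve", order_id, do)


def run_demo():
    """Exercise the controls on constructed orders and report what happened."""
    po, results = PurchaseOrders(), {}
    po.create("alice", "PO-1", 500)
    po.approve("bob", "PO-1")  # a second person approves: allowed
    results["po1_approved_by"] = po.orders["PO-1"]["approved_by"]
    po.create("carol", "PO-2", 900)
    try:
        po.approve("carol", "PO-2")  # requester approving her own order
        results["carol_self_approve"] = "allowed"
    except ControlViolation:
        results["carol_self_approve"] = "refused"
    try:
        po.create("dave", "PO-3", 10)  # dave holds no requester role
        results["dave_create"] = "allowed"
    except ControlViolation:
        results["dave_create"] = "refused"
    results["entries"] = len(po.audit.entries)
    results["log_intact"] = po.audit.verify()
    po.audit.entries[1]["user"] = "carol"  # someone edits the trail afterwards
    results["log_after_tamper"] = po.audit.verify()
    return results
```

The point worth noting is that refused attempts are logged as well as successful ones; a trail that records only what went through tells the auditor nothing about who tried to approve their own order. In a real system the chain head would be written somewhere the application users cannot reach, otherwise whoever edits an entry can recompute the hashes after it.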

Copy Machines, a Security Risk?

IT Governance, Security 0 Comments

April 19, 2010 from CBS News – “At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret.

Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine.

In the process, it’s turned an office staple into a digital time-bomb packed with highly-personal or sensitive data.

If you’re in the identity theft business it seems this would be a pot of gold.

“The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms,” John Juntunen said, “that information would be very valuable…”

180 View – Who knew?

How to Stay Safe on Public Wi-Fi

Security 0 Comments

April 12, 2010 from PCWorld – “Picture this: You’re at a café with your laptop and latte in hand, getting ready to review new sales leads and the quarterly financial projections. First you hop on the free Wi-Fi that the shop’s management provides. Then you connect your laptop to a projector so that the entire café can take a look, and finally you hand out some printed copies of your confidential product specifications to the other patrons so that they can follow along…”

180 View – Stay safe.

Redrawing the Route to Online Privacy

IT Governance, Security 0 Comments

February 27, 2010 from The New York Times – “On the Internet, things get old fast. One prime candidate for the digital dustbin, it seems, is the current approach to protecting privacy on the Internet…”

180 View (Written by Graeme Booth) – The attached article from the New York Times suggests that the rampant proliferation of data harvesting has all but made conventional approaches to privacy ineffectual. The author contends that privacy practices underpinned by the use of disclosure statements are insufficient and that only governance defined by a combination of “rules and tools” will suffice. However, it is less than certain that increased regulation (which is what the author means by rules) is the most effective approach. Reasonable constraints on employee/individual behavior at the company level are a measured response to corporate sensitivities and external threats. It would seem, then, that a refocus on privacy and security efforts at the company or entity level would provide more immediate assurance to companies, employees, and other stakeholders. Big Brother may go to new lengths to increase his scrutiny, but prudent companies should be asking themselves if the security and privacy “rules and tools” at their organizations are enough.

IT audits are useless

Security 0 Comments

December 8, 2009 from InfoWorld – “…The problem is that the auditors themselves know so little about IT, so they often ask for something that’s either useless or outright ridiculous, even as audits grow in importance. Now, the government is talking about creating more audits for Wall Street, but will extra work really do the trick?…”

180 View – I have been on both sides of the audit fence. Before becoming a CA, I headed up a large IT department and had auditors ask me ridiculous questions too. Later I did some IT auditing with one of the major audit firms and thought our firm at least asked better questions. One continuing problem is that technical people are often scornful of non-technical people who ask technical questions.

Top Ten Tips to Safeguard Your Laptop and Data During Travel

Security 1 Comment

December 2, 2008 from itbusiness.ca – Statistics show that one laptop is stolen every 53 seconds. The prime opportunity for thieves to do their best work is during travel. 12,000 laptops per week are lost at U.S. airports. Many of those are truly lost rather than stolen, and honest people try to return them to airport lost-and-found facilities. A full 70% of lost laptops are never reclaimed or returned to their rightful owners.

Increased security measures at airports (yes, be ready to pull out your notebook from your carry-on and put it in a separate bin on the conveyor belt for x-raying) have led to rushed travelers being so anxious to make their flights on time that they forget the computer back at security. 40% of laptops are lost at security checkpoints, and a further 23% are lost at departure gates, as travelers often have their computers open while waiting for flights, and then get flustered once the flight is called for boarding.

It’s not just the inconvenience and cost of losing and having to replace a missing laptop that causes consternation. It’s the data. That can be costlier and cause more headaches than the actual hardware.

To prevent this situation, Absolute Software offers up 10 tips:

  1. Back up data before the trip
  2. Use laptop recovery and data protection software to retrieve data and possibly track down the computer (and prosecute the thieves)
  3. Don’t check your laptop (Remember the Toshiba commercial? “I checked my notebook!”)
  4. Clearly label your machine (You tie a ribbon or something around your checked luggage to make it stand out at the baggage claim, don’t you?)
  5. Put your notebook in a hotel safe
  6. If using a public computer, be aware of keyboard loggers and trackers
  7. Do not log onto unsecured wireless networks
  8. Do not access banking or financial records while traveling, especially on public wireless networks
  9. Deselect “remember me” when surfing the net, even on your own machine
  10. Clear your history and cache after surfing, even on your own machine

180 View (written by Esther Friedberg Karp): Having just returned from a trip overseas, I can appreciate these tips. One trick I use is to take a mental count of all the separate items (bags, purse, security bins holding jackets and shoes) that go on the conveyor belt before I go through the metal detector. I then take another mental count as I collect all my things to make sure I do have everything. Another tip is to have a separate (brightly-coloured) sleeve for your notebook that goes inside the carry-on luggage. Then, when using the notebook at the departure gate, I place the obviously empty sleeve on top of my carry-on so that I get a mental cue that the computer must be returned to it and replaced inside the carry-on.

Public Wi-Fi: Be Very Paranoid

Security 0 Comments

March 12, 2008 from BusinessWeek – “You have an hour before your flight, so you log in to the Wi-Fi network at the airport. You look up some stock prices, check your e-mail, pay a couple of bills online, and surf a few Web sites. Has it occurred to you that curious or hostile eyes could be peering into your computer and your network? It pays to be paranoid.”

180 View – An ounce of prevention is worth a pound of cure…

Concerned about wireless security

Security 0 Comments

WEP (Wired Equivalent Privacy) is still often the security method chosen for wireless networks. Did you know that someone could break into a WEP-protected wireless network in less than an hour? Freely available tools make this easy. One is Cain & Abel, which according to its website

  • “is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.”

These tools have legitimate uses, but in the wrong hands they pose a threat, especially if there is something on your network that would be considered valuable. In any event, do yourself a favour and use WPA (Wi-Fi Protected Access) instead of WEP; where your equipment supports it, choose WPA2 with AES (CCMP) and a long passphrase rather than the older TKIP mode.

Watching the Watchers: Why Surveillance Is a Two-Way Street

Security 1 Comment

January 2008 from Popular Mechanics “The recent boom in video monitoring—by both the state and businesses—means we’re all being watched. It’s like something out of George Orwell’s 1984. Except that, unlike Orwell’s protagonist Winston Smith, we can watch back—and plenty of people are doing just that. Which makes a difference.

The widespread installation of recording devices is not all bad: ATM cameras helped prove that Duke students accused of rape couldn’t have committed the crime. And we all sympathize with the goals of preventing terrorism and crime, though it is not proven that security cameras accomplish this.

Nonetheless, the trend toward constant surveillance is troubling. And even if the public became concerned enough to pass laws limiting the practice, it’s not clear how well those laws would work. Government officials and private companies too often ignore privacy laws…

The widespread availability of digital cameras and video-capable cellphones means that ubiquitous surveillance on the part of the little guys is moving, if anything, even faster than ubiquitous surveillance on the part of the big boys. And distribution tools like YouTube make it easier to get the footage to a large audience.”

180 View – 9/11 changed everything. It seems that most people are OK with less privacy in favour of more security. Technology is also changing everything when it comes to privacy versus security. Some claim that satellites in space can already read a license plate. London’s so-called Ring of Steel is an extensive web of cameras and roadblocks designed to detect, track and deter terrorists, and New York is in the process of doing something similar. According to an article entitled “Surveillance: A New Look at Big Brother” published by CIO Today on December 26, 2007, “There are about 30 million surveillance cameras in the U.S. — inside ATM machines, at traffic lights, in department store dressing rooms.” How long will it be before the cameras can find someone from a retina scan?

10 Tips To Secure Your Laptop

Security 0 Comments

November 24 from InformationWeek – “As more people use laptops for their primary work PCs, the chances for being compromised because of wireless miscreants loom large. Here are 10 how-to tips to protect yourself and make the best use of a wireless network, whether you are at home, at work, or in between.

1) Make sure you are connecting to the right network. Although this sounds sort of obvious, I’ve noticed in my travels that there are lots of unscrupulous people who purposely name their wireless connection “Linksys,” or some other common vendor’s name, in hopes of getting someone who is less than careful to connect to them. The security industry calls these sorts of conditions “evil twins”…

When you are out on the road, look carefully at the screen that shows the available network connections, and particularly at the different icons next to the connections. The icon that looks like a light beacon indicates an access point, while the one showing two computers with connecting lines indicates a peer-to-peer connection. These peer-to-peer connections are the ones to avoid…”

180 View – We thought there were a few good tips in the article that you may not know about.

Data Leak in Britain Affects 25 Million

Security 0 Comments

November 21, 2007 from The New York Times – “The British government struggled Wednesday to explain its loss of computer disks containing detailed personal information on 25 million Britons, including an unknown number of bank account identifiers, in what analysts described as potentially the most significant privacy breach of the digital era…

In sheer numbers, the breach was smaller than several in the United States over the last few years. Last year, a computer and detachable hard drive with the names, birth dates and Social Security numbers of 26.5 million veterans and military personnel was stolen from the home of an analyst, but recovered apparently without any harm. In 2003, a former software engineer at America Online pleaded guilty to stealing and selling 92 million user names and e-mail addresses, setting off an avalanche of up to seven billion unsolicited e-mail messages.

But the disks lost in Britain contained detailed personal information on 40 percent of the population: in addition to the bank account numbers, there were names, addresses and national insurance numbers, the British equivalent of Social Security numbers. They also held data on almost every child under 16.”

180 View – “The disks were protected by a password, the government said, but were not encrypted.” How many wake-up calls are necessary before sensitive data is routinely encrypted?

Cafe Latte attack steals data from Wi-Fi PCs

Security 0 Comments

October 17, 2007 from NetworkWorld – “If you use a secure wireless network, hackers may be able to steal data from your computer in the time it takes to have a cup of coffee. At the Toorcon hacking conference in San Diego this coming weekend, security researcher Vivek Ramachandran, will demonstrate a technique he’s developed to attack laptops that use the WEP (Wired Equivalent Privacy) encryption system to log on to secure wireless networks.

Developed in the late 1990s, WEP was the default method of securing Wi-Fi networks. Though the WPA (Wi-Fi Protected Access) system replaced it, about 41 percent of businesses continue to use WEP. That percentage is even higher among home users, security experts say.

That’s unfortunate because WEP has been riddled with security problems. In fact, WEP was blamed for the recent TJX Companies Inc. data breach in which thieves were able to access 45 million credit- and debit-card numbers.”

180 View – Why take chances? Upgrade to WPA.
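The weakness behind this attack, and behind the Cain & Abel note under “Concerned about wireless security” above, is the same: WEP derives each frame’s RC4 keystream from a 24-bit IV and the shared key, the IV is sent in the clear, and IVs repeat. What follows is an added example, not code from the article, from Vivek Ramachandran or from Cain & Abel, and it does not reproduce the Cafe Latte technique itself; it shows what an eavesdropper can do with two frames that happen to reuse an IV. The key, the IV and the frame contents are constructed, and the CRC-32 integrity value that real WEP appends is left out:

```python
"""Added example (not code from the original article, nor Vivek Ramachandran's
Cafe Latte tool): the weakness all WEP attacks build on, shown with WEP's
actual building blocks.  Each frame is encrypted with RC4 keyed by a 24-bit
per-frame IV prepended to the shared key, and the IV is sent in the clear.
Two frames that reuse an IV share a keystream, so knowing one frame's
plaintext exposes the other's without ever learning the key.  The key and
frames below are constructed sample data; real WEP also appends a CRC-32
integrity value, omitted here because it does not affect the point."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling, then output generation) for `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then payload XOR RC4(iv || key)."""
    assert len(iv) == 3 and len(shared_key) in (5, 13)  # WEP-40 or WEP-104
    return iv + xor(payload, rc4_keystream(iv + shared_key, len(payload)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + shared_key, len(body)))


def recover_from_iv_reuse(known_frame: bytes, known_plaintext: bytes,
                          target_frame: bytes) -> bytes:
    """Attacker side, no key needed: both frames must carry the same IV.
    Only as many bytes as the known plaintext covers can be recovered."""
    if known_frame[:3] != target_frame[:3]:
        raise ValueError("different IVs give different keystreams")
    keystream = xor(known_frame[3:], known_plaintext)
    return xor(target_frame[3:], keystream)


def frames_until_iv_reuse_is_likely() -> float:
    """Birthday bound on random 24-bit IVs: a collision is expected after
    roughly sqrt(pi/2 * 2**24) frames, i.e. minutes on a busy network."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


def demo() -> dict:
    key = bytes.fromhex("0badc0ffee")  # constructed WEP-40 key, never sent on the air
    iv = bytes.fromhex("000001")        # many cards counted IVs up from zero at reset
    snap = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header that starts every IPv4 frame
    known = snap + b"GET /index.html "        # constructed: a frame the attacker can guess
    target = snap + b"password=hunter2"       # constructed: the frame the attacker wants
    f_known = wep_encrypt(key, iv, known)
    f_target = wep_encrypt(key, iv, target)
    return {
        "round_trip": wep_decrypt(key, f_known) == known,
        "full_recovery": recover_from_iv_reuse(f_known, known, f_target),
        # Knowing only the 8 predictable header bytes still exposes 8 bytes.
        "header_only": recover_from_iv_reuse(f_known, snap, f_target),
    }
```

Nothing in the recovery step touches the shared key, which is why an attacker who collects enough traffic (or, as in Cafe Latte, provokes the client into generating it) wins without any brute force. WPA2 with CCMP avoids this class of problem: each frame gets a packet number that is never reused under the same key, so no two frames share a keystream, and the frame is authenticated as well as encrypted.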

Data protection a “contradiction in terms”

Security 0 Comments

June 27, 2007 from ITBusiness – “‘What’s interesting in financial services is that it is the combination of data that becomes valuable information when it comes together to create an identity,’ Axelrod said. ‘If you are just going to file away social security numbers with no way to tie them to identity, they’re actually pretty innocuous; but even if you just have a way to associate that information to a phone number or other data, someone can put things together…’

Axelrod said for the record that “data protection is a contradiction in terms,” and that the process will never be perfected, based on the nature of IT systems and the need for businesses to easily retain access to important information…

Regulations like the Sarbanes-Oxley Act have proven less effective than legislators might have initially hoped they would be at improving overall data security because businesses have focused on meeting the terms of the guidelines versus boosting their overarching protection schemes, Fusco and other panelists agreed.

However, some industry-driven security requirements, such as the PCI (payment card industry) standard forwarded by credit card issuers, have had the desired effect, experts said.

Well-written guidelines can help make the difficult task of convincing senior executives to increase their IT security budgets easier, alleviating one of the most significant challenges of the entire data protection process, according to Steve Peltzman, chief information officer at the Museum of Modern Art in New York…”

180 View – Take a look at Payment Card Industry (PCI) Data Security Standard https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf to see the “well-written guidelines”. We see a lot of overlap between the various regulations and authorities on security, and sympathize with organizations struggling to protect their data as well as comply with regulations.

Google Is Watching You

Security 0 Comments

June 22, 2007 from BusinessWeek – “The Internet’s most popular services enable people to do everything from research ailments to virtually tour Times Square—for free. But when you type in a Web search, your words are stored by Google and other search providers, along with information tying those words to your personal computer. If you surf the Web, the pages you visit and what you do on them are tracked with “cookies,” tiny text files that download to your computer so they can report back to their ad network owners…”

180 View – Although Google’s business model does not include extortion, there are security concerns that need to be addressed. On the other hand, the potential threat of being exposed may be a good incentive for some people to clean up their act.

© 2010 One Hundred & Eighty Degrees Systems Limited. All Rights Reserved.