By Terry Corbell
The Biz Coach

Information Security: How to Make the Right Choices


More than ever, businesses, government agencies and consumers are learning costly lessons about due diligence in privacy and data security.

In recent years, more than 100 million Americans have been victimized, according to the Privacy Rights Clearinghouse, www.privacyrights.org, a consumer rights organization.

The Pacific Northwest is considered to be tech-savvy. Unfortunately, the consumer group says the Northwest is well-represented with 26 recent security breaches.

Washington:

  • Swedish Medical Center, Ballard campus
  • Ameritrade in Bellevue
  • Boeing
  • Washington Employment Security Department
  • University of Washington Medical Center
  • King County Records, Elections, and Licensing Services Division
  • Madrona Medical Group, Bellingham
  • Compass Health, Everett
  • Stevens Hospital Emergency Room, Edmonds
  • Port of Seattle
  • T-Mobile
  • Poulsbo Department of Licensing
  • Starbucks
  • TD Ameritrade Bellevue
  • U.S. Department of Veterans Affairs, Seattle

Oregon:

  • Providence Home Services, Portland
  • Oregon Department of Revenue
  • Dollar Tree, Ashland
  • Ron Tonkin Nissan, Portland
  • Transportation Security Administration, Portland
  • Beaverton School District
  • Willamette Educational Service District
  • Clay High School, Oregon City

Idaho:

  • Idaho State University
  • Idaho Power Company
  • University of Idaho, Advancement Services Office

To see the alarming data on known data-security breaches, visit: http://www.privacyrights.org/ar/ChronDataBreaches.htm.

The site shows the epidemic is caused by hacking, theft, and unscrupulous employees.

Indeed, five years of research by Carnegie Mellon University’s CERT Coordination Center, www.cert.org, and the U.S. Secret Service shows that employees and former employees are responsible for much of the information technology sabotage. Some 80 percent of incidents were caused by workers already known by managers to be discontented. Costs per incident have ranged from $500 to millions of dollars.

In other words, we’re in a state of crisis and it’s time for an update on solutions from a trusted source I’ve quoted in years past.

“The nature of the threat is far different than it was two years ago,” said Dr. Stan Stahl, a nationally known security expert.

He has three major concerns about recent security trends:

The first is organized crime, which he calls cyberscum. “Credit cards with PIN numbers go for $100 on the black market,” said Dr. Stahl. “With such cyberscum, you have people who spend their days looking for vulnerabilities in software and they build botnets. The Secret Service uncovered one of the botnets that invaded and controlled 150,000 computers.

“Secondly, it used to be that the perimeter was well-defined because it was basically the corporate network,” he explained. “But now Blackberries, smart phones, and remote workers and all of that, the perimeter is no longer well-defined.”

His third concern? “It used to be you just needed anti-virus software, firewalls and passwords, but hackers are attacking anti-virus security so you really need to step back to take a big-picture look of protection to develop a secure program in your technology and culture,” he added.

Offsite storage is convenient, but its confidentiality is not guaranteed. Dr. Stahl recommends verifying the security of the Web sites involved. “That’s one of the places the bad guys are looking.”

Small Business Security Checklist

His checklist advice for micro businesses:

  1. Know what information you have that needs to be protected.
  2. Understand the risks that your information is under.
  3. Structure your network to provide what’s called defense-in-depth: a tiered architecture with network segmentation.
  4. Watch the network.
  5. Train your people.
  6. Perform personnel background and physical security checks.
  7. Manage the security of your third party vendors. (Note: That was the cause of the Stevens Hospital Emergency Room breach, according to Privacy Rights Clearinghouse.)
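Items 3 and 4 of the checklist, tiering with network segmentation and watching the network, can be made concrete with a small script. The following is an added example, not code from Dr. Stahl or his firm: it models three hypothetical tiers (a public web tier, an internal application tier and a database tier) as an allow-list of permitted flows, treats everything else as denied, and then reviews a few constructed firewall log lines to flag traffic that skipped a tier. The zone names, address ranges, ports and log format are all assumptions.

```python
"""Toy defense-in-depth check: a tiered network policy with default deny,
reviewed against constructed flow-log lines. Added example; zones, ranges,
ports and the log format are assumptions, not anything from the column."""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical tiers, ordered from least to most trusted.
ZONES: Dict[str, Optional[str]] = {
    "internet": None,            # anything not in a private range below
    "dmz": "10.10.0.0/24",       # public-facing web tier
    "internal": "10.20.0.0/24",  # staff workstations and application servers
    "data": "10.30.0.0/24",      # databases holding the information that needs protecting
}

# Allow-list of (source zone, destination zone, destination port).
# Anything not listed is denied; that default-deny rule is what makes the tiers real.
ALLOWED: List[Tuple[str, str, int]] = [
    ("internet", "dmz", 443),    # customers reach only the web tier
    ("dmz", "internal", 8443),   # web tier talks to the application tier
    ("internal", "data", 5432),  # only the application tier talks to the database
]


def zone_of(ip: str) -> str:
    """Map an address to its tier; addresses outside the private ranges are 'internet'."""
    addr = ip_address(ip)
    for name, cidr in ZONES.items():
        if cidr and addr in ip_network(cidr):
            return name
    return "internet"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True only when the flow matches an explicit allow-list entry."""
    return (zone_of(src_ip), zone_of(dst_ip), dst_port) in ALLOWED


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse one constructed log line: '<src_ip> <dst_ip> <dst_port> <action>'."""
    src, dst, port, _action = line.split()
    return src, dst, int(port)


def review_flows(lines: Iterable[str]) -> List[dict]:
    """Return every logged flow that the tiering policy would not permit.
    Each finding records both endpoints and the tiers they fall in."""
    findings = []
    for line in lines:
        src, dst, port = parse_flow(line)
        if not is_allowed(src, dst, port):
            findings.append({
                "src": src, "src_zone": zone_of(src),
                "dst": dst, "dst_zone": zone_of(dst),
                "port": port,
            })
    return findings


# Constructed sample log: flows a firewall accepted. The review asks whether
# each one is consistent with the intended tiering, not whether it was accepted.
SAMPLE_FLOWS = [
    "203.0.113.7 10.10.0.5 443 ACCEPT",    # customer to web tier: expected
    "10.10.0.5 10.20.0.9 8443 ACCEPT",     # web tier to app tier: expected
    "10.20.0.9 10.30.0.2 5432 ACCEPT",     # app tier to database: expected
    "203.0.113.7 10.30.0.2 5432 ACCEPT",   # internet straight to the database tier
    "10.10.0.5 10.30.0.2 5432 ACCEPT",     # web tier skipping the application tier
]

if __name__ == "__main__":
    for f in review_flows(SAMPLE_FLOWS):
        print(f"policy violation: {f['src']} ({f['src_zone']}) -> "
              f"{f['dst']} ({f['dst_zone']}) port {f['port']}")
```

Run against the sample, the review reports the last two flows. The point for a small business is the shape of the policy, not the script: write down which tier may talk to which, deny everything else, and then check the logs against that list rather than trusting that the firewall's accepts were all intended.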

For financial institutions, other large companies and public agencies, Dr. Stahl provides a program for meeting information-security control objectives that includes what he terms seven critical success factors:

  1. Executive management responsibility: Senior management has responsibility for the firm’s information security program, and this program is managed in accordance with the enterprise’s information security policies.
  2. Information security policies: The enterprise has documented its management approach to security in a way that complies with its responsibilities and duties to protect information.
  3. User awareness training and education: Information users receive regular training and education in the enterprise’s information security policies and their personal responsibilities for protecting information.
  4. Computer and network security: IT staff and IT vendors are securely managing the technology infrastructure in a defined and documented manner that adheres to effective industry information security practices.
  5. Physical and personnel security: The enterprise has appropriate physical access controls, guards, and surveillance systems to protect the work environment, server rooms, phone closets, and other areas containing sensitive information assets. Background investigations and other personnel management controls are in place.
  6. Third-party information security assurance: The enterprise shares sensitive information with third parties only when it is assured that the third party appropriately protects that information.
  7. Periodic independent assessment: The enterprise has an independent assessment or review of its information security program, covering both technology and management, at least annually.

Dr. Stahl’s approach is to meet with his nationwide clients in person to evaluate their needs and later to test their sites remotely.

His credentials are extensive, and his client portfolio ranges from small to large organizations in the public and private sectors. He’s also president of the Los Angeles chapter of the Information Systems Security Association (ISSA). Nationwide, ISSA has 15,000 members.

His firm’s Web site: www.citadel-information.com.

For consumers, he recommends reconciling credit card and bank statements every month. For online security, he also likes the following software: SpySweeper, ZoneAlarm and Sandboxie, the last for extra protection when visiting risky sites such as gambling sites. “Some are becoming more proactive, but they’re just now beginning to emerge and I haven’t had a chance to test them,” he said.

To check your credit report for fraud, here are the bureau telephone numbers:

  • Equifax – (888) 766-008
  • Experian – (888) 397-3742
  • TransUnion – (800) 680-7289

From the Coach’s Corner, here is Dr. Stahl’s security blog: http://citadelonsecurity.blogspot.com/

On another subject, Dr. Stahl also writes wonderful essays about freedom. Here’s his blog address: http://letfreedomring-stahl.blogspot.com/


Biz Coach Terry Corbell – the business-performance consultant – provides Proven Solutions for Maximum Profits.