jump to navigation

Privacy, Social Media, and Legislation September 29, 2012

Posted by Heather Mark in InfoSec & Privacy, Laws and Leglslation.
Tags: , , , , , , , ,
add a comment

This week marks the opening of a new chapter in the rocky marriage of privacy and social media.  California has passed two laws related to the protection of privacy on social media platform.

In SB1349, the state prohibits public or private post-secondary educational institutions from requiring students to provide the organization with access to the student (or student groups) social media sites.  Nor can the student or group be forced to divulge information contained on those sites.

AB 1844 is similar in nature, but applies to employers.  Specifically, the bill “would prohibit an employer from requiring or requesting an employee or applicant for employment to disclose a username or password for the purpose of accessing personal social media, to access personal social media in the presence of the employer, or to divulge any personal social media. This bill would also prohibit an employer from discharging, disciplining, threatening to discharge or discipline, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions.”

These bills are interesting in that they address a core concern around privacy and labor laws as they relate to social media.  Employers (and potential lenders) are prohibited from making decisions based upon race, gender, religion, politics, sexual orientation.  Most of this information, though, is available on individuals’ private social media profiles.  Amid increasing reports of employers requiring prospective employees to turn over credentials or access their sites in view of the employer, privacy advocates were becoming increasingly, and rightly, concerned that the rights of individuals to protect their personal lives from employers were being diluted.  These actions on the part of California serve to protect those rights.  Frankly, these actions can also protect employers and schools from being accused of discriminatory behavior by not providing them access to this information, which would otherwise be unavailable to them.

It will be interesting to see how quickly other states follow the lead that California has set.  Recall that California was the first state to pass a breach notification law and we now have 46 such laws nationwide.  So the question, to me, is when, not if, we are going to see the trend take shape.

 

 

 

EMV: Payment Security Endzone? September 29, 2012

Posted by Heather Mark in Industry News, PCI DSS.
Tags: , , , , , , ,
1 comment so far

As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen.  As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines.  Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post.  Mission accomplished.

On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach.  It was well-attended and had a number of interesting sessions.  Not surprisingly, much of the talk centered around EMV, of Chip & PIN.  Some wondered whether EMV meant the end of PCI DSS.  Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies.  (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here.  Simply adding additional layers of authentication doesn’t change the type of data that is collected.  In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.

Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought.  Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology.  Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data.  That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be.  Even the best defensive line sometimes gives up the big play.

So – to the question in the title – does EMV represent the winning score?  My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern.    After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line.  It was a long, brutal game and you really couldn’t tell who was going to win.  You just gotta keep putting your best players on the field and keep those trick plays coming.

What do you think of EMV?  Touchdown, fumble, or forward progress?

Because I Said So September 23, 2012

Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Leglslation, Politics.
Tags: , , , , ,
add a comment

Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity.  Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order.  In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages.  So what might we see in this forthcoming order?

According to reports, the order will attempt to regulate sixteen “critical” industries.  The guidelines will be voluntary, after a fashion.  Compliance with the standards may determine eligibility for federal contracts.  The White House has not made any secret about its intentions on Cybersecurity.  In fact, the White House website lists  “Ten Near Term Actions to Support Our Cybersecurity Strategy.”  Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.

The questions remain, however – 1) how stringent (read intrusive) will the requirements be?; 2) Will they be relevant to the threats in the landscape?; 3) How will compliance be policed? and 4) How much additional cost are we potentially adding our already stretched budgets?

Another question that merits examination is whether or not the standards will be redundant.  Many industries are already straining under the weight of a variety of infosec requirements – whether industry-regulated or government mandated?  Will another layer of regulation mean increased efficacy of data protection strategies and mandates or will it be just another layer of red tape?

 

 

 

All’s Fair in Love & (Cyber) War September 17, 2012

Posted by Heather Mark in cyberespionage.
Tags: , , , , , , ,
add a comment

A report released today suggests that the United States government is far more involved in the use of trojans and mal-ware than previously thought.  The US had previously been linked to the Stuxnetvirus that wreaked havoc on the Iranian nuclear program. Speculation at that point was that the US and Israel had collaborated on the program in an effort to derail Iranian nuclear ambitions.  I don’t think many were surprised to hear that supposition.  Today, though, Kapersky Lab and Symantec announced that they have found evidence linking the US to three other, previously unknown viruses.

The use of covert operations on “enemy” governments dates back to the beginning of the civilization, really.  Sun Tzu writes extensively about the subject and the use of “covert operatives” peppers Greek and Roman history, as well.  These historical endeavors share a common purpose with the cyber-espionage that we see today – to gather data, or to provide data, that can be used to bring about the downfall of one’s enemy, or at least provide a significant advantage to the other side. It shouldn’t come as any surprise, then, that any country would make use of the available technology to conduct remote espionage operations.

We know that other countries, China in particular, has a specific focus on launching attacks on Intellectual Property of Western companies.  A recent report in the Baltimore Sun highlights the countries singular focus on hiring cyber-soldiers (for lack of a better word): “Experts estimate that North Korea has as many as 1,000 cyber warfare agents working out of China and is recruiting more every day.”  When we know that our enemies are fully engaged in cyber-warfare tactics, it would be short-sighted and naive to believe that our government is not fighting back.

“Democracy or Friendship?” – The US Role in Supporting Democracy July 31, 2012

Posted by Chris Mark in Laws and Leglslation, Politics.
Tags: , , , , , ,
4 comments

Heather Mark completed her PhD in Public Policy & Public Administration ‘several year’ ago.  Her Dissertation was titled: “The Role of the United States Foreign Policy in the Global Adoption of Democratic Governance”.  The US has long espoused the position of supporting democracy.  Does the US actually practice what it preaches?  Here is an excerpt from Heather’s dissertation:

“As the twentieth century wore on, however, the threats to democracy became less specific, but presidents and policymakers continued to use the ideology to frame their policy statements.  This begs the question: “Do the actions of the United States actually further the cause of democracy, as policymakers indicate?”  If the U.S. public knew the effect of U.S. actions on democracy, would the rhetoric still be as effective?”

Download and read her dissertation here.  Make your own decisions regarding the US’s role.