October 2011 Archives - IT Policy Compliance

In an article in the Washington Post, Ellen Nakashima and David Hilzenreth point out the Securities Exchange Commission (SEC) issued new guidelines that publicly-traded companies must report significant instances of cyber-theft or attack.

See Washington Post article here:

http://www.washingtonpost.com/world/national-security/cybersecurity-sec-outlines-requirement-that-companies-report-data-breaches/2011/10/14/gIQArGjskL_story.html

Because there’s a lot covered in the SEC Guidance, we recommend you take the time to read it carefully.

Among some of the highlights, publicly-traded organizations:

Will have to review, on an ongoing basis, the adequacy of their disclosure relating to cyber-security risks and incidents

Should address cyber-security risks and incidents in Management’s Discussion and Analysis of Financial Condition and Results of Operations if the costs or other consequences associated with one or more known incidents, or the risk of potential incidents, represents a material event, trend, or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial conditions

Will be required to disclose the risk of cyber incidents if the issues are among the most significant factors that make an investment in the company speculative or risky

May need to disclose known or threatened cyber incidents to place the discussion of cyber-security risks in context

May need to discuss the occurrence of specific attacks and their known potential costs and consequences.

Should provide sufficient disclosure to allow investors to appreciate the nature of the risk faced by a company in a manner that would not have further cyber security risk consequences

Will have to describe the material affect on products, services, relationships with customers or suppliers, or competitive conditions

Will have to disclose legal proceedings it is a party to as these relate to cyber security incidents

Will be required to disclose conclusions on the effectiveness of disclosure controls and procedures

Find the SEC Guidance, CF Disclosure Guidance Topic No. 2, here

http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Posted in Observations | No Comments »

Add this post to Del.icio.us - Digg

Where’s Your Data – Today?

Monday, October 10th, 2011

A random assortment of recent coverage involving sensitive information:

October 10: Secret Orders Target Email

October 10: Virus infects US air drone fleet

October 10: PII data of 4.9 million Tricare beneficiaries lost on missing backup tape

October 10: Outage of blackberry Service spans three continents

October 8: Chaos Computer Club: Lawful interception malware of German Police Force

October 7: Obama Issues ‘WikiLeaks’ Order to Better Safeguard Information

October 7: 1.6 Million PII records lost on backup tapes

October 7: PI data of thousands of employees exposed on University Website

October 5: HTC confirms security faw; fix in the works

Posted in Observations | No Comments »

Add this post to Del.icio.us - Digg

Information Risk, Security and Asymmetry

Thursday, October 6th, 2011

Are you prepared to deal with a world of asymmetric information to protect your organizations most valuable information assets?

It’s already upon us

The events of the past year may be sufficient evidence we are beyond the tipping-point: one where black-hats are able to more rapidly and stealthily gather information about you than you are, to defeat them. Some events of the past year – those that that have been publicized – indicate we are at or over the edge of information asymmetry, include:

Aurora attacks on Google
Rerouting of 15% of Internet traffic through a small ISP located in China
Google gathering data from unprotected Wi-Fi networks for its Street View projects
100,000 iPad customers surprised by a hack on records at AT&T
Stuxnet worm destroys Iranian nuclear capabilities and equipment
Wikileaks continuing to find & publish secret and confidential state data
RSA two-factor authentication token system compromised by hackers
SSL BEAST proof-of-concept attack demonstrated against SSL
HTC Android phones spewing user data
The ever-changing, Facebook un-privacy flavor-of-the-month

When black-hats have better information than you do, the results are lopsided, and heavily in their favor.

What they don’t have – one hopes – is all of the tricks you use to defeat their attacks to gain additional information.

While there is merit to the now-common approach to information security based on Kerckhoff’s principle that I’ll re-phrase as “no security through obscurity”, there’s also merit to the pragmatic approach of using “security through obscurity” to reduce your information asymmetry.

In an environment where adverse selection plays an important role in determining outcomes, he who has more information, has the upper-hand.

Whether it’s information asymmetry of economic agents (mortgage brokers, estate-agents), war (Operation Fortitude of World War II, Sun Tzu) or that for information and security risk management (honeypots for example); the cat-and-mouse games involving signaling, screening behavior, false information, information hiding, information transparency, and the absolute necessity of up-to-date information intelligence dictates winners.

She who has more intelligence – information asymmetry – at her fingertips will generally survive to play the next game.

Some related information

Asymmetry in Infosec

Security through obscurity

Ascent of Asymmetric Risk in Information Security: An Initial Evaluation

The Value of Security Audits, Asymmetric Information and Market Impact if Security Breaches

Posted in Observations | No Comments »

Add this post to Del.icio.us - Digg

Almost All Categories