Get on a plane and join me at International Cyber Threat Task Force (ICTTF) Cyber Threat Summit in Dublin, Ireland 20/21 September 2012, be my guest by using the registration code: nowheretohideguest – http://www.cyberthreatsummit.com/
The British Standards Institute (BSI) issued ISO/IEC 27001:2005 Lead Auditor (TPECS) certificate to Chuck Georgo today. ISO/IEC 27001
ISO/IEC 27001 is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
NOWHERETOHIDE will be publishing a series of blog posts over the next few weeks to help educate organizations about the standard, its criteria, and strategies for achieving compliance.
It is important to understand that ISO/IEC certification is not a one-off exercise. To maintain the certificate the organization will need to both review and monitor the information security management system on an on-going basis.
War has been defined as “a state of organized, armed and often prolonged conflict carried on between states, nations, or other parties typified by extreme aggression, societal disruption, and usually high mortality.[Wikipedia]” Cyber Warfare has been defined as “politically motivated hacking to conduct sabotage and espionage. [DOD]”
While some of what we’ve recently can be construed as Cyber Warfare (including the recent hacktivism), the bulk of what’s really going (largely beneath the surface) is a) efforts by organized criminal elements using new technologies and capabilities to do what they have always done—steal money, or b) continued acts by nation states to steal military secrets (espionage) or corporate secrets (economic espionage).
While the latter (b) get the big press, I am worried that that the former (a) is actually the bigger problem of the two. I was personally hit by identity theft a few years ago when a group got access to my credit card details from a retailer I had done business with. This group proceeded to charge 250 rubles (about $9US) twice a month to one of my credit cards. While not a significant amount of money for me, I would guess that they had thousands of victims like me, and together, the monthly booty would add up quite quickly. Two hypotheses…
I’m also afraid that our law enforcement forces (internationally) are nowhere near being prepared to dealing with crime using cyber technologies—two points from a National Criminal Justice Association (NCJA) Forum I recently attended:
Now ask yourself, how many law enforcement officers are prepare to investigate this type of crime, let alone basic identity theft, software piracy, child pornography, and cyber-extortion? And what about their readiness to preserve digital evidence in computers, laptops, routers, firewalls, servers, and handheld devices?
Today these skill sets are confined to special divisions within a police department, segregated from the bulk of the force. I would like to offer that just like the weapon, handcuffs, and radio on their utility belt,it’s time to equip many more, if not all law enforcement officers with the training and tools to understand, detect, and investigate cyber-crime…we’ll never get fully ahead of the problem, but maybe we can catch-up a bit.
your comments and thoughts welcome…r/Chuck
So it’s no great revelation that public safety has benefited greatly from public private partnerships, and I’m cool with that, especially when we are dealing with technology that saves lives. However, a press release hit my email inbox today that made me think of the risks to security and privacy when we implement innovative technologies.
Before I get into the story it, let me be v-e-r-y clear…I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast dispersions on any of the organizations involved in the press release…this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy – when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.
Here’s the press release from Gatso-USA:
GATSO USA Forms Unique, Strategic Partnership with Nlets
Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.
Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.
From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.
From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago…more stuff about NLETS was deleted).
The main points I took away from this press release were:
Again, please don’t call me a party-pooper as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enables direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.
After I read the press release, I thought that it would be a good case-study for the topic of this blog – it involved innovative use of technolgy for law enforcement, a psuedo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing – some might even say it had all the makings of a Will Smith movie. 🙂
To help set the stage, here are a few facts I found online:
There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdications across the U.S., and outsourcing traffic violations is not new…BUT what is new here is that a sort-of-government agency (Nlets), has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada…should we be worried?
Maybe; maybe not. Here are nine questions I would ask:
How these questions are answered will determine whether or not we should worry…
Did I miss any other important questions?
Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonights news, like St. Louis –> St. Louis Police Department computer hacked in cyber-attack .
The bottom-line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitve data and PII from leakage, direct attacks, or misuse and abuse.
As always, your thoughts and comments are welcome.
r/Chuck
Caught this article in Times of India (PTI, Sep 27, 2010, 01.29pm) website today…funny it didn’t make any of the U.S. cyber security sites…here’s a couple snippets…
“A sophisticated malicious computer software, is attempting to infiltrate factory computers in China’s key industries, threatening the country’s national security, cyber experts have warned.”
“Called Stuxnet, the worm was first discovered in mid-June and was specially written to attack Siemens supervisory control and data (SCADA) systems commonly used to control and monitor industrial facilities – from traffic lights and oil rigs to power and nuclear plants, the state-run Global Times daily reported quoting experts.”
“Globally, the worm has been found to target Siemens systems mostly in India, Indonesia and Pakistan, but the heaviest infiltration appears to be in Iran, the report said. According to Wang, there might be large financial groups and nations behind the malicious software.”
“Eugene Kaspersky, co-founder of security firm Kaspersky said the Stuxnet worm could prove that “we have now entered the age of cyber-warfare. – He believes that Stuxnet is a working – and fearsome – prototype of a cyber-weapon that will lead to the creation of a new arms race in the world.”
Read more: Web ‘superbug’ threatens Chinese national security – The Times of India http://timesofindia.indiatimes.com/tech/news/internet/Web-superbug-threatens-Chinese-national-security/articleshow/6635680.cms#ixzz10lUJux3C
If you can’t answer these questions, then you need this workshop sponsored by the Maryland InfraGard Chapter (IMMA) and the Small Busness Adminstration!!
The NIST Computer Security Division has developed a workshop to the small business owner increase information system security.
Learn how to define information security (IS) for your organization.
Hear examples of common types of threats and understand how determine the extent to which your organization should proactively address threats.
Learn common Best Practices and procedures to operate securely.
Hear a basic explanation of current technologies used in reducing vulnerabilities and learn of resources freely available to organization.
For additional information visit:
Date: August 20, 2010
Session I from 8:00 am – 12:00 pm*
Session II from 1:00 pm – 5:00 pm*
*50 seats per Session
Location: Baltimore City Community College, 710 East Lombard Street, Room 30, Baltimore, MD
Registration Fee: FREE
Register Online: http://cybersecuritymd.eventbrite.com
Parking is available nearby at 701 Lombard St. or 55 Market Place, Baltimore, MD for
$13.00 per day.
Questions about registration ?
E-mail Lauren.F.Schuler@infragard.org or call 443-436-7725.
Questions about the class content?
See http://csrc.nist.gov/groups/SMA/sbc/ or contact Richard Kissel at rkissel@nist.gov .