Archive for February, 2010
Protected: ABA Information Security Committee Pre-RSA 2010 Meetings
Posted by Matt on February 27, 2010
Posted in Federal Statutes, Information Security, Regulation, State Statutes
Fighting On Two Battlefronts
Posted by Matt on February 18, 2010
Just a quick note about the latest press coverage of the discovery of a large botnet that includes zombies inside Fortune 500 companies. The disturbing realization I draw from reports like this is that modern legislation for information security and the privacy of personal data does very little to protect against these types of major threats. In fact, one might argue that the regulatory regime over information protection actually detracts from the ultimate goal of protecting against such threats. After analyzing the threat vectors in cases like this one, the most basic security controls turn out to be the primary lines of defense for a business entity: end-user training, awareness and vigilance, blocking of personal email services, and anti-virus.
All too often within a modern corporation, information security is divided between two battles: 1- the battle against legislation, regulation and compliance, and 2- the battle against the real enemy.
We need to take proactive steps to converge these two battlefronts into a single focus against the common enemy. Part of the solution is smarter legislation, which will require information security leaders and risk management professionals to take a more prominent role in both lobbying and the notice-and-comment rulemaking process. The latter is particularly important, as most laws are still written with a broad stroke, using vague terms like “risk assessment” and “administrative, technical and physical safeguards.” The devil in the details comes via the administrative agency rulemaking process.
An organization’s response should be proportional to the threats it faces, not to the size and type of the regulatory agency overseeing its activities, nor to the breadth and depth of the primary regulator’s experience in such matters. After all, in our modern information-driven economy, the art and science of regulating information risk in a large corporation can be almost as complex and intricate as the art and science of intrusion detection and incident response. Only when we achieve a seamless integration of these two pockets of self-defense will we make much headway against the common adversary sitting behind botnets like Kneber.
Press Coverage of Kneber Botnet:
http://www.foxnews.com/scitech/2010/02/18/massive-hack-attack-shows-major-flaws-todays-cybersecurity/
http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html
The Netwitness report on the Kneber Botnet, established on the back of the Zeus Trojan, can be downloaded from the Netwitness website.
Posted in Federal Statutes, Information Security, Regulation, Risk Management & Compliance