Compliance and Privacy
Compliance and Privacy News
Essential Reading for Today's Business 15th September 2006

in this issue:
  • Security Breaches - Around 80 per cent affected!
  • The 'Secure the Trust of Your Brand' survey
  • Davis Wright Tremaine's Privacy and Security Law Blog
  • The Life of a Threat - Video
  • Data Privacy Thinker Blog
  • The Metasploit Project Official Blog
  • UK Information Commissioner's Annual Report
  • VeriSign® Identity Protection Fraud Detection Service Whitepaper
  • Attacking the Code: Source Code Auditing - an iDefense Webcast
  • Risk-Based Assessment: A Practical Guide to Complying with FFIEC Authentication Guidelines
  • US Ratifies Council of Europe Convention on Cybercrime
  • News Roundup

    Dear Visitor,

    Like you, we had a summer break. Now we're all pretty much back to hard work and striving to keep up with changes. So we've a full newsletter for you this week. I won't make it longer with a long intro, just a summary:

    We're majoring on Security and Brand Image. The top two stories deal with the increasing impact of security on customer perception and loyalty. Alongside that is the UK Information Commissioner's Annual Report on Data Privacy and Freedom of Information matters.

    Back to security with a new white paper from our sponsor, VeriSign, very much on the theme of security and the brand. Consumers are scaling back purchases because of fears of ID theft online.

    There's been an interesting discussion in the Data Privacy discussion groups under the heading of "Data Protection (Processing of Sensitive Data) order 2006" that gives UK readers pause for thought, too.

    We also are publishing several new blogs including: "Davis Wright Tremaine's Privacy and Security Law Blog", Rebecca Wong's "Data Privacy Thinker Blog" and the "Metasploit Project Official Blog". As with all our blogs, visit a couple of times a week and see what's new, see what affects you, and get an edge on how to comply better and be more exploit-proof.

    As always we thrive on your input. Hearing from you what you need to hear, either by email or ideally through the Discussion Groups, means we can always improve your Compliance and Privacy News.

    Peter Andrews

    Security Breaches - Around 80 per cent affected!

    Two new surveys on security breaches have just been published, and they make difficult reading, particularly given the increasing tide of security breach legislation in the US and the activities of data protection officials in Europe.

    The first, published by Deloitte, found that 78 per cent of the world's top 100 financial services organizations surveyed admitted to a security breach from outside the organization. In a similar survey in 2005 only 26 per cent admitted to having suffered a breach. The survey also found that nearly half of the organizations experienced at least one internal breach, up from 35 per cent in 2005. In response, 95 per cent of enterprises said their information security budgets have increased in the past year.

    In the second survey, by CA, of 642 large North American organizations, more than 84 per cent had experienced a security incident over the past 12 months.

    The 'Secure the Trust of Your Brand' survey

    In the U.S. last year, over 52 million account records were reportedly stolen or misplaced; in 2006, reports of security breaches continue.

    In the light of this, 2,200 consumers were asked how corporate security practices affect their purchase patterns. Conducted by the Chief Marketing Officer (CMO) Council and the Business Performance Management (BPM) Forum, and underwritten by Symantec and Factiva, the survey found consumers are increasingly keeping tabs on corporate security news.

    Approximately 90 percent of respondents said that security is a concern to them, and 50 percent said that they have recently become more concerned about security than before.

    Davis Wright Tremaine's Privacy and Security Law Blog

    DWT has a panel of blogging lawyers:

    • Joe Addiego from San Francisco
    • Kraig Baker from Seattle
    • Brian Bennett from Seattle
    • Thomas R Burke from San Francisco
    • Kaustuv M Das from Seattle
    • Randy Gainer from Seattle
    • Bruce E H Johnson, Head of the Privacy and Security Law Group
    • Lance Koonce (Editor), from New York City
    • Ronald G London
    • Peter Mucklestone from Seattle
    • Brian Wong from Washington DC

    The range of topics covered by this panel is enormous. While much is US-centric, the firm takes a global view.

    The Life of a Threat - Video

    Watch the Life of a Threat video and learn how VeriSign® Managed Security Services (MSS) brings together the people, processes, technology, and intelligence to proactively manage risk, monitor compliance, and identify and mitigate security threats in real time.

    By identifying and understanding security threats, VeriSign MSS is uniquely qualified to help you protect your business.

    Data Privacy Thinker Blog

    Rebecca Wong has a strong UK perspective on Data Privacy and Data Protection legislation. This blog is a refreshing and detailed look at the UK's Data Protection Act 1998 and subsequent "anti-spam" legislation.

    She is currently finishing her PhD at the University of Sheffield. Recent works include assisting the European-funded project PRIVIREAL, which aimed to examine the implementation of the Data Protection Directive 95/46/EC in relation to medical research and the role of ethics committees.

    The blog goes far wider. Recent articles are relevant to Singapore and the USA.

    The Metasploit Project Official Blog

    The Metasploit Project's goal is to provide useful information to people who perform penetration testing, IDS signature development, and exploit research. The Metasploit Project Website was created to fill the gaps in the information publicly available on various exploitation techniques and to create a useful resource for exploit developers.

    Many of the blog entries are by the Texan founder, H D Moore, whose philosophy is to pass the greatest possible information on exploits to the widest possible community, thus seeking to ensure exploit awareness and exploit-proofing.

    UK Information Commissioner's Annual Report

    With a 13% rise in complaints under Data Protection legislation in the UK alone, people are becoming far more alert to their rights. And as they become alert they're starting to insist on organisations keeping to the law with their personal data. As Richard Thomas, the UK Commissioner, says in the introduction to this year's report:

    "Never before has the threat of intrusion to people's privacy been such a risk. It is no wonder that the public now ranks protecting personal information as the third most important social concern. As technology develops in a globalised 24/7 culture, power increases to build comprehensive insights into daily lives. As internet shopping, smart card technology and joined-up e-government initiatives reduce costs, respond to customers' demands and improve public services, more and more information is accumulated about us. According to one estimate, information about the average working adult is stored on some 700 databases. New information is added every day. Much of this will be confidential material which we do not want others to see or use unless we say so. There are obvious risks that information is matched with the wrong person or security is breached. The risks increase substantially as information is shared from one database to another, or access granted to another group of users. Real damage can arise when things go wrong - careers and personal relationships can be jeopardised by inaccurate information. Identity theft can involve substantial financial loss and loss of personal autonomy."

    VeriSign® Identity Protection Fraud Detection Service Whitepaper

    Identity theft and fraud are growing problems for Internet businesses, affecting the cost of doing business, heightening consumer concern, and inviting government regulation. In a 2003 survey, the Federal Trade Commission (FTC) estimated that identity theft and account fraud cost businesses an average of $10,200 per incident.

    In 2005, the FTC found that 55% of all fraud originated from web sites or email. A recent survey of US households by Forrester Research showed that 36% of consumers have scaled back their purchase of goods and services online because of security concerns. Government regulations, such as the recent FFIEC guidance on Authentication in an Internet Banking Environment, which is aimed at US financial services companies, have put even more urgency around evaluating and adopting stronger authentication.

    The best way to prevent identity theft and fraud is through a layered approach. A critical layer in this type of approach is fraud detection, that is, risk-based authentication.

    Attacking the Code: Source Code Auditing - an iDefense Webcast

    Source code auditing has always been considered an art form that many have wished to learn. The purpose of this presentation is to unveil the techniques and methodologies behind efficient source code auditing. Examples of common programming mistakes found in real-world applications are included with detailed analysis of the problems surrounding the vulnerabilities. The presentation also aims to provide new techniques to beginning and experienced code auditors to help improve on their current skills.

    Where?: On your computer
    When?: 20 September at 2pm US Eastern Time (7pm UK time, 8pm European Time)
    What do I need?: This is interactive so you need a fully audio equipped computer. A headset, or mic and speakers.
    How long does it last?: Depends on the level of questions. Scheduled for 30 minutes.

    Risk-Based Assessment: A Practical Guide to Complying with FFIEC Authentication Guidelines

    Doug Barbin, VeriSign Senior Regional Consulting Manager discusses:

    • The difference between Controls Assessments and Risk Assessments
    • What the FFIEC means by a risk-based approach to authentication
    • Guidelines for developing and implementing a practical roadmap to FFIEC-Authentication Risk Assessments
    • How to develop a step-by-step task list for conducting a Risk Assessment
    • How to ask key questions for each stage of the assessment

    US Ratifies Council of Europe Convention on Cybercrime

    On Aug. 3, 2006, the United States Senate ratified the Council of Europe Convention on Cybercrime, a multinational treaty that attempts to foster cooperation on prosecuting Internet-based crimes. Although some privacy organizations are protesting the treaty, overall the response to America's ratification of the treaty, especially commentary from leading American security companies, has been quite positive.

    To date, 38 countries have signed the treaty, which requires that member countries establish as criminal offenses a wide variety of cyber-related activity, including "the access to the whole or any part of a computer system without right... when committed intentionally, the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system... the damaging, deletion, deterioration, alteration or suppression of computer data without right" (ibid.), child pornography and other offenses. It also requires that signatory countries establish procedures for dealing with these crimes and provides a prosecutorial framework for international cooperation between signatory countries.

    News Roundup

    iPay Technologies Selects VeriSign Identity Protection Fraud Detection Service for Risk-Based Authentication.

    iPay Technologies selected the VeriSign® Identity Protection (VIP) Fraud Detection Service to provide online security for its customers and financial institutions. Under the terms of the agreement, iPay Technologies will deploy the VIP Fraud Detection Service to secure customer login and transaction information.

    VeriSign to Secure WiMAX Standards Wireless Broadband Networks.

    VeriSign has been selected by the WiMAX Forum, the exclusive global organization dedicated to certifying the interoperability of wireless broadband access products based on global standards, to provide PKI-related services to all WiMAX Forum Certified solutions based on IEEE 802.16-2004 and ETSI HiperMAN 1.2.1.

    Baiting the hook

    Back when Frank Abagnale Jr, subject of the film Catch Me If You Can, was on the run, being an international fraudster seemed to involve swanky hotels, beautiful women and staying one step ahead of the authorities. Nowadays things are a lot more ruthless. Modern phishers rely primarily on social engineering techniques to defraud their victims, exploiting their trust in order to breach security measures and steal customer details.

    Readers should note that references to VeriSign's sponsorship are historical. That sponsorship ended on 28 February 2007, and is simply included here for context and historical purposes. VeriSign is not formally associated with this site in any manner, and has asked us to emphasise this point.