Licensing Security Professionals

I recently read an article insisting that Information Security Practitioners should be licensed.  This debate has gone on for quite some time, apparently.  Guess I missed the conversation.  I’m not one to stop yapping about security, just because everyone else has had a say…


Attack Targets Shift Again

C-level executives might seem like the perfect target for an attacker. They have privileged access, hold confidential data, and are usually well paid.  According to Symantec’s latest Internet Security Threat Report, the percentage of targeted attacks focusing on chief executive or board level employees fell from 25% in 2011 to 17% in 2012.
 
The most targeted role currently belongs to employees in the R&D area, hit with 27% of attacks, up from 9% in 2011.  The next most targeted group was the sales department, which saw 24% of attacks in 2012 compared to 12% in 2011.
 
To me, this is an indicator that targets are shifting back to a larger pool, and also to employees who may not be considered ‘high profile’, but have considerable access.  These employees are less likely to be suspicious, tend to take greater risks, and are not always presented with or interested in security awareness materials.
 

Canadian Breach Notification Laws Coming Soon

A first attempt at proposing an amendment at the federal level to add a breach notification obligation to PIPEDA privacy legislation was initially introduced through Bill C-29 in May 2010.  It died when the election was called in spring 2011. Bill C-12, identical to C-29, was introduced in September 2011 but has not been moved forward.

A new proposal which has received the support of key industry players was introduced in February. The private member’s Bill C-475 adds clear and mandatory security breach disclosure requirements to the PIPEDA federal law along with significant penalties for compliance failures.

Under Bill C-475, an organization having personal information under its control would have to notify the Commissioner of any incident involving the loss or disclosure of, or unauthorized access, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the security breach.

Article:  http://www.mcmillan.ca/security-breach-notification-soon-becoming-mandatory-in-Canada

Happy 1st BaKtun!

I woke up this morning feeling the ravages of the common flu.  Pushing back the viral fog, I looked out my bedroom window, expecting to see the streets flooded with zombies, the skies dark with winged bodies of alien invaders, a maelstrom of clouds swirling and the blaring of trumpets.  December 21st, 2012 has passed, and still, the world spins upon its axis.  Hmmm, what about all this talk about the Mayan calendar, and the prophesied apocalypse?

Well, hold on tight, earthlings.  Our best and brightest may have miscalculated by just a few days.  Apparently, the calculation should have pointed to the 23rd ’round midnight!  I’m hedging my bets, and shopping light this Christmas.  Ya never know, it might not happen at all.

The Mayans used calendars kind of like we do, and what happens when we run out of days on our calendar?  We get a new calendar!  That’s all.  That’s it.  The Mayans observed the cycles of nature and the universe.  The key to cycles is that they repeat.

I am truly blessed, as I got to see the shenanigans as the second hand swept across twelve in 1999, ushering in a new era where technology would fail us all, elevators would rocket through the roof, and nuclear plants would melt down.  And now I have seen (or will soon see) the end of time as we know it.

Interesting write-up about all of this at the link provided in the image above, if you are interested in all this.  For me, it simply shines the light on what people will believe.  If a story is repeated long enough, if no better explanation can be quickly presented, rumors and myths will rule.

Doomsday, in my opinion, will come, and far too soon I’m afraid.  However, it will be either by our own hand as a species, or by the laws of nature and luck.  I will be as prepared as I can be, as aware as I’m able, and as accepting as possible of the outcome.  Until then, I wish you all peace on earth, and goodwill to all mankind.  Happy 1st BaKtun, and stay secure!!

Where You At?

Some folks have noticed that the old curmudgeon that used to update this blog hasn’t been around much and has kind of left this blog alone for a while. Well, MadMark’s back, and you can expect to see more content here again starting in 2013. I may not be as prolific, but I will try and post at least something interesting each month.

I started a new job back in March, and it really has been dominating my time. When creating a brand new department, it is imperative to focus on defining the many tasks that need to be fleshed out; creating strategy, governance, services, processes, and of course staffing appropriately.

So the second year is all about building it out according to plan. I expect that the build will actually take more time, but less focus, as I have good people to rely on, above, under, and around me who can help.

I fall back to one of my favorite movie quotes: “What doesn’t kill me makes me stronger. Pissed off, but stronger.” Well, maybe that’s not an exact quote. I am now glad that I have had the painful experience of having done this exercise before, and know much of what to expect.

Happy holidays to all, and see you in 2013. You can find me in person at the Toronto Area Security Klatch (TASK) meetings, or at Federation of Security Professionals events.

Mark

Anonymous ‘FFF’ Attack Schedule

Oh, for crying out loud.  Why don’t these guys just go away?  According to Wired, Anonymous is giving itself a weekly deadline now, a new attack every Friday.  How entertaining.  Following the Tuesday compromise of tear gas maker Combined Systems’ website, Antisec attacked a Federal Trade Commission webserver which hosts 3 FTC websites.  They claim this hack was in opposition to the controversial international ACTA copyright treaty, widely protested around the world for its potential impact on freedom of expression.

Those responsible for this week’s attacks spoke with Wired, and claimed that the attacks renewed a promise, previously noted in the defacement of CSI, and reiterated on the FTC websites, “every Friday will bring a new attack against government and corporate sites under the theme of #FFF” (‘F’ the Feds Friday).

They’ve decided to try to balance between protest defacements like these two most recent ones, and posting material that can damage firms and agencies.  Jerry Irvine of the National Cyber Security Task Force told the New York Times last week that attacks would become more frequent, describing the collective as “unstoppable,” because of the poor state of online security.

-=[ Busted ]=- Six Trillion In Fake Bonds

On the other side of the pond, a record $6 trillion of fake US Treasury bonds were seized by Italian anti-mafia prosecutors.  The bonds were uncovered in hidden compartments in three safety deposit boxes in Zurich.  Bloomberg reports that Italian authorities arrested eight people in connection with the probe, dubbed Operation Vulcanica.

The Italian authorities also uncovered fraudulent checks issued through HSBC Holdings in London, and another $2 billion of fake bonds in Rome.  Those involved in the financial fraud case were apparently planning to buy plutonium from Nigeria, according to police monitored phone conversations.

Good work guys.  I hope they round up all involved, especially those with the plutonium.  You know that stuff isn’t going to be used to power wind up toys.