IT: Law, Order, Business and Technology

Over the last few years, the new mandate in IT has shifted to security oversight. Historically, IT functioned to set up equipment, install software, manage systems and data, provide support and maintenance, and oversee all technical infrastructure needs. However, as these systems have become more user-friendly and automated, and users have become more savvy, the job has veered from these responsibilities and more into security.

Companies that haven’t yet made this shift and still adhere to the old ways — and the old reporting structure — may find themselves at risk or with a big problem. Who is protecting their data?

The two sides of data protection are securing the data against loss or disaster and protecting it from outside attack or theft. Both require special skills. It seems logical to move this responsibility to IT, but there is a gap between technical skills and security skills.

Moving from traditional IT to modern, security-oriented IT requires retraining. Companies should ensure that the person in charge of security is Personnel Technical Assessment trained and qualified for security.

But the retraining needs to happen on the company end, as well. IT frequently reports to the CFO through the accounting or finance division. While this made sense for traditional IT — which sat on the non-operational side of the business and was more of a support function — it doesn’t work as well for modern, security-oriented IT.

It’s best for modern IT departments to report to the CEO. That’s a better structure because IT then has visibility and access to the top decision-maker as well as to the Board. More importantly, now that IT is an operational function, this structure allows the company to view IT strategically instead of as a support function. Many companies underestimate the importance of IT strategy, but smart companies know better — such as Wal*Mart, whose strategic use of IT revolutionized their business and maximized their profit.

How? As the central repository of data, interconnected with the entire company, IT is a conduit for gathering information. It can help identify how much is needed, what is needed, how to grow and in which direction.

Wal*Mart began using IT strategically in the late 90s. They saw a massive amount of overhead required to support and maintain the organization. If they couldn’t manage the expense, then they could not expand and grow the profit. That’s the business maxim “if you can’t bend the curve, the cost will kill you” at work. Using their IT group, they discovered ways to become more efficient at stocking, distribution, expansion, and infrastructure needs. They also ensured that their plans, programs and data were secured.

It’s a smart model and well worth emulating.

The Commonwealth of Massachusetts has enacted some of the toughest legislation regarding data protection.

201 CMR 17.00: are you ready?


If you have ever received a notice that your personal data was compromised due to a lost backup tape, a computer being hacked, or some other incident such as a foreign criminal stealing your credit card number, then this will be of interest not only for your business but also personally. Regardless of the how and why, most of these incidents happen because security takes a back seat to other priorities in organizations.

Massachusetts is leading the charge in addressing consumer information security. The state legislature enacted a new law that sets minimum requirements for data protection and handling. It applies to all businesses, because it is based on the type of data you collect and handle rather than the type of business you are. It certainly applies to private investigators, attorneys and other members of the legal system. Basically, the law spells out when, and for which types of data, information taken outside the business must be encrypted, sets minimum safeguards for Internet connections, and covers many other factors that at least make it more difficult to steal the information. The law also applies to all businesses that have customers in the state, whether they have a location there or not.


To read more about it and the rules go to: Regulations Mass


Let me know what you think and we can talk about how to best address the problem.

Coffee, Lunch and Security – On a World Scale

Last month, I had the opportunity to meet some new peers and old known ones at a small gathering in San Antonio. Just a few friends talking about the world cyber crime problems and discussing the steps being taken by our country to protect us from the perpetrators. For the readers who do not know me personally, it was back to the future to my Air Force roots.

The meeting was to discuss cybercrime on a world scale and give a status report on the standing of the 24th Air Force, which, given the progress of the work, should become operational in the next few weeks. Some of you may ask what airplanes have to do with this, and the answer is nothing. The USAF is responsible for much more than flying the troops around or neutralizing a target; it is also the primary ISR (Intelligence, Surveillance and Reconnaissance) agency in the DOD and a multi-service support organization. ISR and the 24th will have primary duties in monitoring and protecting us from foreign and NGO attacks on the Internet. Contrary to popular belief, the Internet is used by our government as much as by the private sector, and when it is attacked it affects all users equally. A long-time acquaintance of mine, Howard Schmidt, Cybersecurity Advisor to the President, gave a very interesting keynote outlining the need for greater cooperation between all sectors (public, business, education and government) to combat Internet cyber crime. It is not about the big hit anymore; cyber criminals are after the small frauds at the under-$10 level of value per transaction, because when multiplied by millions of transactions they become huge takes that mostly go unnoticed, or after the siphoning of data that can be used to gain an advantage in the marketplace, courtroom or field of battle.

Referring to a recent posting, even a few years after the Heartland heist by Mr. Gonzalez, banks are just now finding out that their credit cards were compromised in the heist. They stole millions of numbers, but they did not use them all at one time, so no one knows what other card numbers are out there in the hands of the criminals. And banks do not change account numbers very often, even when cards are renewed. I have had personal incidents where American Express allowed charges to be passed through on a card number that had expired over 3 years prior to the date of the charge. After getting caught they reversed it, but only after a complaint was filed and I refused the unauthorized charge. The bank makes money on every charge processed, hence their approach to processing. By the way, if you want to have fun, ask your credit card company why they have not implemented the chip-on-the-card system used by all credit issuers in Europe for your account in the US. Some banks are starting to change because US international travelers are finding that they cannot use their credit cards overseas in automated systems; the chip requires the use of a PIN in addition to the card being read. It makes fraud much more difficult.

A consensus amongst the attendees was that we are finally starting to see a unified, concerted effort in the cyber security arena. But it is just beginning, and cyber-hygiene is a long-term, proactive approach. Another topic of interest was the sale of counterfeit computer parts that contain built-in hacks to divert data packets to criminals or foreign operatives. Do you have a policy that restricts the sources of hardware to known, legitimate vendors and manufacturers, or is the lowest price the purchase determinant? In many large organizations price is the ultimate decision maker. If I wanted to hack someone, all I would have to do is sell them very low-priced Ethernet cards or complete systems. The question is: what is the value of your data?

To learn more about Internet security or to conduct a security assessment, contact For-Sec at 281-549-4751 or email Ernesto Rojas at efrojas@for-sec.com.

The weakness of “free” email

A recent case comes to mind about the use of free email and the weakness of these products. It is surprising to see that many professionals, e.g. lawyers, accountants, doctors and many others, do not use domain-based email accounts, but the free email products offered by Google, Yahoo, Hotmail and others. I have to admit that I have a Google account and use it for certain purposes that are not business related, or that require a secured medium of communication, but it has come to my attention that there has been a growing number of complaints over “hacked” email accounts from the free services.

The growing problem comes from the automated password reset mechanism and other weak features that are part of the design of these email products. What can you do about it? Very little with regard to having the product improved; let’s face it, it’s “free”. Eventually better code will be written, but that takes time. In the meantime, a paid email account will improve your chances of not being hacked multiple times. There are providers like Postini, 4securemail, runbox, neomail and swissmail that will provide a mailbox that is much harder to crack and use to send embarrassing emails in your name.

If you have questions regarding email security give us a call and we can help you with this area.

Blog

This week’s issue of The Economist has a feature article titled “Cyberwar: The threat from the Internet”, and it points to the possibility that an attacker over the Internet could cripple the economic, infrastructure and social systems of many countries on our planet, including first-tier nations. So what is being done about this? At this point, most countries are beginning to view these threats with the same level of seriousness as any other attack on the nation, and at the same level as a nuclear threat. On the other hand, the article poses that it may be time to have the equivalent of a treaty among nations to prevent the proliferation of Internet attacks by and between governments, similar to what has been attempted with nuclear weapons (unsuccessfully).

What about rogue militant groups such as Al Qaeda, the Taliban and similar? They are not governments; does anyone think that they will abide by a treaty, or even sign one anytime soon? As a result, there is a need to protect ourselves and be able, if not to retaliate, then at least to cut off the source of any attack that may come our way, by instituting better coordination between the government and the private sector. In addition, there is a need for leadership in the area of infrastructure protection when it comes to computing at all levels in the United States.

In many cases, security has been given a low level of attention because, as our business models see it, investing in security does not create income; but when a problem appears, everyone regrets the substantial expense to correct it. Take TJ Maxx as an example: how much could upgrading the wireless networks that allowed the breach have cost? A lot less than the millions that fixing the problem, notifying their customers, and other actions cost after the breach.

A Texas Licensed Company A14679
Copyright © Forensic & Security Services. All rights reserved.