Monday, May 24, 2010

Nine Cybersecurity Bills

•Data Breach Notification Act, S 139, would normalize the 46 state data breach laws into one national umbrella. It may be expanded to include more than personally identifiable information. "One issue with this bill is that it would consolidate all reporting to the U.S. Secret Service, which is not helpful for broader information sharing with industry or across government."

•Data Accountability and Trust Act, HR 2221, was approved by the House in December and requires internet service providers to make victims aware of infections if they see a breach across their networks. "It will be interesting to see if this is extended to those services who may also be able to determine if there is anomalous behavior on the broader backbone."

•International Cybercrime Reporting and Cooperation Act, S 1438 and HR 4692, requires the president to produce an annual report to Congress providing an assessment of every country's level of information and communications technology utilization and development; the report also assesses how each country's legal, law enforcement and judicial systems address cyber crime and protect commerce and consumers. "This bill met discord from software and hardware companies and their associated lobbying organizations (e.g., BSA, Tech America) because there is language that there will be imposed sanctions on countries who have demonstrated five years of 'bad behavior.'"

•Cybersecurity Enhancement Act, HR 4061, passed the House in February. Among its key provisions is the creation of an office for a national coordinator for IT security research and development. "While this is a non-controversial piece of legislation because it supports R&D efforts focused on identity management technologies and usability, authentication methods, and privacy, it's not clear how the new office will interact with the current [White House Office of Science and Technology Policy] responsibilities."

•FISMA II, S. 921 - also known as the United States Information and Communications Enhancement Act or U.S. ICE - updates the Federal Information Security Management Act of 2002 from compliance-driven (check-list) measures to measures that are performance-based, and could address IT procurement reform.

•Intelligence Authorization Act, HR 2071, strengthens America's intelligence capabilities, and improves congressional oversight of our intelligence agencies. The measure also contains multiple congressionally directed actions for the Comprehensive National Cybersecurity Initiative. "It provides our intelligence community with the tools and resources to train more officers, expand language skills, strengthen cybersecurity efforts and more effectively prevent the spread of weapons of mass destruction."

•Cybersecurity Act of 2009, S 773, combines audits, industry-developed and government-backed standards, increased information-sharing and other mechanisms to bolster private-sector cybersecurity. The measure, also known as the Rockefeller-Snowe Bill, establishes a presidential-level cybersecurity advisory panel and a national clearinghouse for information sharing, extends the Scholarship for Service program and increases the National Science Foundation's budget for R&D.

•The Grid Reliability and Infrastructure Defense Act, HR 5026, amends the Federal Power Act and directs the Federal Energy Regulatory Commission to protect the electric transmission and distribution grid from vulnerabilities. In addition to providing authority to address immediate threats, the GRID Act would also give FERC authority to require measures to protect against system vulnerabilities if it finds that the North American Electricity Reliability Corp. standards are insufficient. If enacted, the legislation would provide a security framework for the smart grid.

•Energy and Water Appropriations Act 2010 has already been signed by President Obama. It appropriates $46.5 million for energy delivery cybersecurity, an increase of $34.5 million from 2009, which will be used to develop secure grid technologies as cyber attacks increase worldwide and the grid becomes increasingly network-connected. It also establishes a National Cyber Center for the grid.

Thursday, April 22, 2010

The Ten Immutable Laws of Security

1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.

3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

4. If you allow a bad guy to upload programs to your web site, it's not your web site any more.

5. Weak passwords trump strong security.

6. A machine is only as secure as the administrator is trustworthy.

7. Encrypted data is only as secure as the decryption key.

8. An out-of-date virus scanner is only marginally better than no virus scanner at all.

9. Absolute anonymity isn't practical, in real life or on the web.

10. Technology is not a panacea.

Source - www.microsoft.com/technet

Monday, April 5, 2010

GLBA and HIPAA Quiz

1. What is GLBA?


2. GLBA is an acronym for what?


3. What is HIPAA?


4. HIPAA is an acronym for what?


5. What is the difference between the two regulations?


6. What should you be aware of when you visit a medical facility?


7. With GLBA, what is defined as a financial institution?


8. How does our service work with both of these rules and regulations?


Send your answers to: safepcsolutions@gmail.com

Thursday, April 1, 2010

Internet Security Specialist vs. Computer Tech


By Frances Gollahon

Before I can begin to explain the differences, it’s important to get the terms straight:

• SOC, Security Operations Center, which is an organization that delivers Information Technology (IT) security services. It offers continuous risk analysis and guarantees protection against intrusion. (More on the ability to “guarantee” anything later.) The SOC also monitors and analyzes firewall and IDS (Intrusion Detection System) activity. These technologies are ever-changing and require techs to keep abreast of the latest developments.

• IT, Information Technology, the study, design, development and implementation of computer systems, software and hardware. According to the Information Technology Association of America (ITAA), “IT deals with the use of electronic computers and computer software to convert, store, protect, process, transmit and securely retrieve information.”

• IDS, Intrusion Detection System, which is an application that monitors network or system activity for violations or imminent threats to computer security policies or standard security practices, and deters individuals from violating security policies. Intrusion Detection Systems have become a necessary part of the security infrastructure of most organizations.

• Vulnerability Assessment – a search for known weaknesses within the installed computer systems and/or software; a form of risk assessment.

• Penetration Test – performed to isolate and expose known or unknown weaknesses in systems, services and web applications.

• Technical Assistance/Internet tech/computer tech – can provide assistance for any issue regarding the computer system, any violations, and updates to hardware and software.

• Trojan – malware that the user doesn’t see and therefore unknowingly allows onto their computer system, giving unauthorized access to it. The term is derived from the Trojan Horse story in Greek mythology. It allows a hacker remote access to another’s computer.

• Malware – malicious software designed to become part of your computer system without your consent and includes viruses, worms, trojans, spyware, adware, crimeware and root-kits, to name a few.

• Worm – self-replicating malware. It independently spreads itself over the network to other computers and causes some type of harm or corruption.

• Spyware – a type of malware that collects information about the user without their knowledge or consent, gathering various types of personal information; it may also install software, redirect browser activity and change computer settings. It is also known as “privacy-invasive” software.

• Adware – Advertising-Supported software – it automatically plays or downloads advertisements to your computer. Some are also privacy-invasive software.

• Crimeware – used to steal identities through “social engineering.” Most often associated with identity theft in order to gain access to online accounts at financial companies. Crimeware is best described by security consultant Kevin Mitnick (former computer criminal), who points out that “it is much easier to trick someone into giving a password for a system than to spend the effort to hack into the system.” He claims it was the single most effective method in his arsenal. He coined the term “social engineering.”

• Zombie – just as the name describes, a computer that’s been hacked into and is used for malicious tasks under remote control. The computer owner is unaware, which led to the name “zombie.” Used extensively for email scams and spam, and helps spread trojan horses, since they are not self-replicating.

• Botnet – a collection of zombies that run autonomously and automatically, usually for damaging and malicious use.

• Rootkit – a means of access to your computer that gives control over your system. Rootkits take a lot of skill and effort to be completely removed from a system.

• Keylogging or keystroke logging – tracking keystrokes so personal data can be accessed. There are many keylogging modalities, including electromagnetic and acoustic analysis.

• Computer forensics – a branch of forensic science that deals with examining information on computer systems for use as legal evidence, to recover data lost due to failure, or to analyze how a hacker gained access.

• Computer Security Audit – technical assessment of a system which may include interviewing staff, reviewing operating system access controls, running vulnerability scans, analyzing physical access to the system…just to name a few.

Now for that word “guarantee.” Bruce Schneier, American cryptographer, computer security specialist and author (he has written several books on computer security and cryptography) criticized computer security approaches that try to prevent or guarantee any malicious intrusion and instead argues that we might be better off focusing on designing systems that “fail well”.

A system that fails badly is a catastrophic failure. One single failure can bring down the whole system.

A system that fails well compartmentalizes or contains failure. For example, the hulls of watercraft are compartmentalized ensuring that a breach in one compartment will not flood and sink the entire vessel.

This is the best we can “guarantee.”

Computer technology specialist vs. Internet security specialist

A computer technologist holds non-degree certifications given to those who have achieved qualifications specified by a certifying body. The certification qualifies the holder to obtain certain types of positions within the field of study.

IT, Information technology, is the study of computer-based information systems, focusing on software applications and computer hardware. According to the Information Technology Association of America (ITAA), IT deals “with the use of electronic computers and computer software to convert, store, protect, process, transmit and securely retrieve information.”

Today’s IT professionals are highly trained and skilled individuals with a variety of duties, ranging from designing computer networks and databases to data management, networking, software design, application installation, database design, and the management and administration of entire systems.

Computer science has many sub-fields, but is basically the study of theory and practical application of that theory in computer systems. Computer science is the study of understanding the “properties of the programs used to implement software.” (Wikipedia)

In researching Information Technology Degrees that can be studied online I found that this is the foundational pursuit that leads to other subfields for IT professionals.

A higher degree, a Bachelor of Information Technology with a concentration in Internet Security or a Master’s degree, is required to pursue the careers used in business today to examine, define and develop policies to maintain security and manage Internet security risks in a business environment: security practices that should be in place in any organization to comply with federal and state regulations and laws.

So the difference between the two is education. For a business to assume their highly skilled and greatly valued IT techs can keep them in compliance with federal regulations like the Red Flags Rule is like playing Russian roulette with 5 chambers filled.



Frances Gollahon is a member of The Synergy Marketing Team Beta Testers. Give this gal a script and watch her go!

Visit her blog at: cybercrimandsecuritytaskforce.blogspot.com

Monday, March 29, 2010

Business Surveys Quiz

Eight Question Survey

1. What is the purpose of the Eight Question Survey?

2. Why are the questions in this survey important to ask the prospect?

3. Once the survey has been taken, how do you ascertain whether the business must comply with security regulations?

4. If the business only answers yes to question number seven (Accept credit cards as a form of payment) what should you do?

Security and Privacy Scorecard

1. What is the purpose of the Security and Privacy Scorecard?

2. What is the difference between the Eight Question Survey and the Security and Privacy Scorecard?

3. What are the two major areas covered in the scorecard?

4. What do you do with a business that is low or medium risk?

Wednesday, March 24, 2010

ABC's Of Red Flags Rule


On June 1, 2010 the Red Flags Rule goes into effect. If you are a small business owner and this is the first you’ve heard of it, you are not alone. Most small business owners either have no idea that there are compliance issues they need to be aware of, or they have taken to hiding their heads in the sand believing it has nothing to do with them because they are too small, or their CPA/lawyer/exorcist would have told them something about it if it was true, or the dog ate their homework…whatever.

But this new law will affect most businesses regardless of size.

These businesses (especially small and mid sized) are targeted for their sensitive customer and employee information like names, SS#, drivers license numbers, medical info, bank info, 401k plans etc. All the goodies that identity thieves sell in their now thriving criminal enterprises. Last year’s identity theft losses to businesses and financial institutions totaled $47.6 billion, and consumer victims reported $5 billion in out-of-pocket expenses.

So What Is The Red Flags Rule?

In a nutshell, it applies to any entity that extends credit by granting loans or arranging for loans, like car dealerships, finance companies, mortgage brokers, real estate agents, and any other retailer that offers financing or provides help to consumers in getting financing by processing credit applications. This includes utility companies, health care providers and telecommunication companies. The Rule requires a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in day-to-day operations, take steps to prevent the crime, and mitigate the damage it inflicts.

The Rule also applies to businesses that defer payments, offer installment plans, or provide goods and/or services and bill/invoice the customer/client/patient later; a business that issues a store credit card is also a creditor under the Rule.

However, simply accepting credit cards as a form of payment does not make a business a creditor under the Rule. The Payment Card Industry (PCI) regulates itself in regards to credit card fraud and has regulations for merchants completely separate from the FTC Red Flags Rule.

The “Red Flags” Rule is a regulation issued by the Federal Trade Commission (FTC) under the Fair and Accurate Credit Transactions Act (FACTA), a federal law passed in 2003 to strengthen protection against identity theft. The FTC published the Rule October 31, 2007 and it became effective January 1, 2008, but its implementation date (after which companies would be responsible for complying) has been repeatedly delayed, from November 1, 2008 to May 1, 2009, to August 1, 2009 and to November 1, 2009 and finally to June 1, 2010, when enforcement will commence.

At this point, one cannot assume that the FTC will further delay implementation, meaning that businesses and organizations need to begin working on compliance now if they have not already done so.


The Red Flags Rule Mandates Include:

1. Administrative Safeguards: Appointing an administrator to put a written plan together showing how a business will detect and act upon “Red Flags” (suspicious documents, changes of address, warnings from credit agencies, or notices from victims or law enforcement) with reasonable responses when any “red flags” are detected. This includes monitoring or closing accounts, not opening an account or notifying potential victims of a problem.

The administrator is also responsible for implementing an ongoing training program for employees on how to recognize and act upon these “red flags.” These trainings must be documented by the administrator and signed by the employees when they finish to show they participated in the training and understand the rule.

2. Physical Safeguards: Securing the physical business premises to safeguard, and properly dispose of, information stored in hard-copy files (or on disks), as well as ensuring that a company laptop doesn’t go “missing.” You would be amazed at how much information is stolen or lost due to a business owner or employee leaving information out in the open, such as medical files, loan applications or a business laptop.

3. Technical Safeguards: Finally, there are technical safeguards that need to be implemented to lock down data on computers and keep it invisible to hackers, using professional-grade security antivirus and antispyware and a bi-directional firewall for every computer in your business. Other safeguards include file encryption for both stored and transmitted files and records, regular vulnerability assessments to identify any security holes in your computer network, and permanent deletion of individual electronic records, files, and hard drive information prior to disposing of a computer or hard drive.

4. Living Law: There is no one-time implementation and now “you’re set” with regards to Red Flags Rule compliance. Sorry, the rule is a living law and subject to change as the trends in identity theft change. Every program must be evaluated and updated regularly and ignorance of the changes as they occur will not be seen as a valid excuse for not being in compliance.

How Will The Rule Be Enforced?

The FTC does not conduct routine compliance audits. But the FTC can conduct investigations to determine if a business within its jurisdiction has taken appropriate steps to develop and implement a written Program, as required by the Rule.

The FTC may ask the target of the investigation to produce copies of its Program and other materials related to compliance. The FTC also may interview officers, employees, or others who are familiar with the company’s practices. If the FTC has reason to believe the Rule has been violated, it can bring an enforcement action.

There is no private consumer right of action; only certain federal and state government agencies can enforce the Rule. However, businesses should know that consumers may be encouraged to file complaints with the FTC about a company’s identity theft Program or lack of one, and that the FTC uses these complaints (filed at https://www.ftccomplaintassistant.gov/) to target its law enforcement efforts.

The Fines And Other Spankings For Non Compliance:

These trying economic times are difficult enough for a business owner to deal with just going about the business of doing business. Having to now deal with the epidemic of business data breaches that put each and every business and their customers and employees in peril of identity theft has added yet another burden upon their precious time and resources. But non-compliance can be far more costly than you think.

Federal: The penalty per single identity lost or stolen is $3,500.

State: Up to $1,000 per individual violation (plus attorney fees).

Warned: If a business is warned by a regulatory agency of non-compliance and is then found to remain in non-compliance during a follow-up, the fine jumps to $11,000 per individual incident.

Law Suits: There are also allowances for individuals who’ve been victimized to seek damages from the businesses.

Any one of these can cripple or even kill a business, all of them together and you may as well say adios to all your hard work and sacrifices…bye bye business!

Examples Of Entities That Must Comply:

Health Care Practices – Because most bill later or defer payment through insurance.

Retail Stores – The only exception is if a store deals exclusively in credit cards and/or cash.

Services/Utilities – Phone companies, cell phones, power companies etc.

Auto Dealerships – This includes motorcycles, boats, RVs, etc.

Financial institutions – Banks, credit unions, credit card companies and mortgage brokers.

Non-Profits - entities that defer payment for goods or services.

Schools – Any school, college or university who provides or accepts financial aid.

A Few Helpful Definitions:

Red Flags Rule: The Red Flags Rule is a law that will be enforced on June 1, 2010 that requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or “red flags” of identity theft in their day-to-day operations.

FTC: The Federal Trade Commission (FTC) was established as an independent administrative agency pursuant to the Federal Trade Commission Act of 1914. The purpose of the FTC is to enforce the provisions of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in commerce,” and serves an important function as a protector of both consumer and business rights.

FACTA: The Fair and Accurate Credit Transactions Act of 2003. This law applies to businesses and individuals who maintain, or otherwise possess, consumer information for a business purpose and requires businesses to develop and implement a written privacy and security program.

Financial Institution: A State or national bank, a State or federal savings and loan association, a mutual savings bank, a State or federal credit union, or any entity that holds a “transaction account” belonging to a consumer. A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

Creditor: An entity that regularly extends, renews, or continues credit or regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Non-profit and government entities that defer payment for goods or services are also considered creditors.

Covered Account: An account used mostly for personal, family, or household purposes, and involves multiple payments or transactions. These accounts include credit cards, mortgage loans, automobile loans, margin accounts, cell phone, utility, checking and savings accounts.

For more information go to: www.ftc.gov/redflagsrule

Monday, March 22, 2010

PCI Compliance Quiz


1. What is PCI DSS?

2. Who does it apply to?

3. Is PCI compliance a law?

4. Who regulates PCI compliance?

5. Is PCI compliance applicable to home-based businesses?

6. When do merchants have to become PCI compliant?

7. How does a merchant become PCI compliant?

8. Does Invisus certify PCI compliance?

9. How can Invisus help a merchant become certified PCI compliant?

10. What if a merchant tells you he is PCI compliant, what then?

Copy and paste the quiz into a Word doc and send your quiz answers to: safepcsolutions@gmail.com