Now incorporating 112 Review, Community Safety Review & Military Review
Monitoring for effective data protection
By Geoff Sweeney, CTO, Tier 3 www.tier-3.com
Recent security breaches in both the private and public sector have highlighted the need for organisations to ensure personal information is processed and stored securely. Ever-growing collections of personal data, more remote access and the prevalence of crimes such as identity theft all create vulnerabilities. It is essential that effective data protection policies and practices are in place, combined with vigilance and strong governance at all levels in all organisations, to ensure data protection is taken seriously.
Individuals expect the Data Protection Act to shield the security of their information. At the same time information security is increasingly at risk. As part of its new data protection strategy launched in March 2008 the UK's privacy watchdog, the Information Commissioner's Office (ICO), disclosed its plans to promote the importance of appropriate security, to use its regulatory powers against organisations that neglect their responsibilities in this area and to help individuals to protect their own information.
In May this was reinforced when The Criminal Justice and Immigration Act received Royal Assent creating tough new sanctions for the ICO. This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act and represents a step up from the ICO's previous power to simply issue enforcement notices.
This isn't necessarily the end of the changes and there may be more regulation to come: towards the end of May the European Network and Information Security Agency (ENISA) called for laws tougher than those in the US to force companies to reveal when their computer systems have been breached. In its General Report 2007 the EU's top security body said governments, businesses and consumers are still underestimating the scope of the IT security problem, in part because of the lack of transparency when breaches occur, and that mandatory disclosure of security breaches would be a step toward raising recognition of the seriousness of security threats. In the US two laws already bear on the disclosure of security breaches. One is the California breach notification law (SB 1386), which requires organisations doing business in California to tell affected individuals when their personal information may have been compromised; many other states have since enacted similar laws. The second is Sarbanes-Oxley, which obliges executives to keep informed about, and report on, material aspects of their business, which can include security breaches.
Whether mandatory disclosure of information security breaches is ultimately adopted in the UK is not yet known, but clearly advances in IT have made the collection, storage and sharing of all sorts of information easier and available to a wider population. Undoubtedly these advances have resulted in enhanced services across many sectors, but they have also increased the challenge of managing and protecting information. The vulnerability of data protection is evidenced almost daily, with costly data leakage incidents regularly impacting individuals and the organisations charged with the custody of their sensitive information.
The connectivity of WANs and the internet means that there are now few barriers to sharing information. The consequence, however, is that organisations can quickly lose control of who is sharing the information, where it is going and whether it is being used appropriately.
With this in mind, the best way for organisations to meet their data protection obligations is to understand the information flows and uses within their business environment. A systematic, risk-based approach is increasingly important: it matches the organisation's data monitoring and protection capabilities to the risk associated with the loss of each class of information, based on its sensitivity or value and the likely impact of its loss on the individual and on the organisation. Security policies, processes and technology are all part of the operational risk management process of identifying, monitoring and controlling information security breaches which may cause highly public exposure for your organisation and its stakeholders.
Increasingly, with the massive data volumes involved, this risk management loop requires the integration of skilled operational staff and competent technology to provide appropriate monitoring and control to ensure the use and movement of confidential information is within policy and adequately protected.
The good news in all this is that the security management process shouldn't be too onerous and indeed should be part of the overall IT security effort. Technology is available which monitors who is accessing information, when and for what purpose. Using data protection systems which employ behavioural analysis, an organisation can distinguish between legitimate use of its confidential information and inappropriate usage. One of the most damaging breaches is when an authorised user who has "legitimate" access to sensitive information either accidentally or maliciously misuses or leaks that information; access controls and perimeter defences see nothing wrong, because the access itself is permitted. A behavioural analysis based security system can detect unexpected or risky data movement even where such systems can't.
By recording the movement and use of information, a behavioural analysis based security system establishes a profile of the characteristics of normal system use. By constantly monitoring and profiling user and system activity, the system recognises when information is accessed, changed or shared in an unusual or uncharacteristic manner and immediately alerts the accountable manager, both for remediation and to preserve evidence for audit. Specific business and policy rules can complement the profile to give early warning of explicitly forbidden or unacceptable practices, e.g. theft or fraud, that a statistical baseline alone would not catch. One practical caveat: the profile is only as good as the history it is learned from, so activity that is already inappropriate during the profiling period becomes part of "normal" unless a policy rule catches it.
The scale of the task of protecting stored and transmitted sensitive information is undoubtedly growing. The problem for organisations, however, is that their responsibility for information assurance remains unchanged; given the intrinsic risk of storing and sharing information, information owners continue to need ongoing visibility of who is accessing data, for what purpose and where they are taking it. Behavioural based security monitoring technology provides the ability to continuously manage and report the status of access to and usage of confidential information for any organisation.
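As an added illustration of the profiling described above (example code written for this page, not Tier 3's product), the following Python script learns a per-user baseline from a constructed history of data-access log lines and then scores new events against it, combining the statistical profile with two explicit policy rules. The log format, field names, thresholds and the set of "external" destinations are all assumptions.

```python
"""Behavioural baseline over data-access logs (added example, assumed log
format): learn what is normal per user from a history window, then flag new
events that deviate from it or that trip an explicit policy rule."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample history: timestamp|user|action|resource|records|destination
HISTORY = """\
2008-06-02T09:15:00|alice|read|customer_db|40|workstation
2008-06-02T10:40:00|alice|read|customer_db|55|workstation
2008-06-03T09:05:00|alice|read|customer_db|35|workstation
2008-06-03T14:20:00|alice|export|customer_db|60|file_share
2008-06-04T11:00:00|alice|read|customer_db|45|workstation
2008-06-04T15:30:00|alice|read|customer_db|50|workstation
2008-06-02T08:50:00|bob|read|hr_records|10|workstation
2008-06-02T09:10:00|bob|read|hr_records|12|workstation
2008-06-03T09:30:00|bob|read|hr_records|11|workstation
2008-06-03T10:05:00|bob|read|hr_records|9|workstation
2008-06-04T08:45:00|bob|read|hr_records|10|workstation
2008-06-04T09:50:00|bob|read|hr_records|12|workstation
"""

# Constructed events to score: one bulk night-time export to removable media,
# two routine reads, and one event from a user with no history at all.
NEW_EVENTS = """\
2008-06-09T02:10:00|alice|export|customer_db|5000|usb_drive
2008-06-09T10:00:00|alice|read|customer_db|48|workstation
2008-06-09T09:20:00|bob|read|hr_records|11|workstation
2008-06-09T11:00:00|carol|read|customer_db|20|workstation
"""

# Assumed policy: destinations outside the organisation's control, and the
# record count above which an export is treated as bulk.
EXTERNAL_DESTS = {"usb_drive", "webmail", "personal_cloud"}
BULK_EXPORT_THRESHOLD = 1000
Z_THRESHOLD = 3.0


def parse(text):
    """Split pipe-delimited log lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource, records, dest = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource,
                       "records": int(records), "dest": dest})
    return events


def build_profiles(history):
    """Per-user profile of normal use: typical volume per event plus the hours,
    destinations and resources seen during the profiling window."""
    by_user = defaultdict(list)
    for e in history:
        by_user[e["user"]].append(e)
    profiles = {}
    for user, evs in by_user.items():
        vols = [e["records"] for e in evs]
        profiles[user] = {
            "mean": statistics.mean(vols),
            "stdev": statistics.pstdev(vols) or 1.0,  # guard a constant history
            "hours": {e["ts"].hour for e in evs},
            "dests": {e["dest"] for e in evs},
            "resources": {e["resource"] for e in evs},
        }
    return profiles


def score_event(e, profiles):
    """Return the reasons an event looks unusual; an empty list means normal."""
    reasons = []
    p = profiles.get(e["user"])
    if p is None:
        reasons.append("no baseline for user")
    else:
        z = (e["records"] - p["mean"]) / p["stdev"]
        if z > Z_THRESHOLD:
            reasons.append(f"volume z-score {z:.1f}")
        if e["ts"].hour not in p["hours"]:
            reasons.append(f"unusual hour {e['ts'].hour:02d}")
        if e["dest"] not in p["dests"]:
            reasons.append(f"new destination {e['dest']}")
        if e["resource"] not in p["resources"]:
            reasons.append(f"new resource {e['resource']}")
    # Explicit business rules apply regardless of what the baseline says.
    if e["action"] == "export" and e["dest"] in EXTERNAL_DESTS:
        reasons.append("policy: export to external destination")
    if e["action"] == "export" and e["records"] >= BULK_EXPORT_THRESHOLD:
        reasons.append("policy: bulk export")
    return reasons


def detect(history_text, events_text):
    """Build profiles from history, score each new event, return the alerts."""
    profiles = build_profiles(parse(history_text))
    alerts = []
    for e in parse(events_text):
        reasons = score_event(e, profiles)
        if reasons:
            alerts.append((e["user"], e["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, when, reasons in detect(HISTORY, NEW_EVENTS):
        print(f"ALERT {when} {user}: {'; '.join(reasons)}")
```

Run as a script it prints two alerts: alice's 02:10 export is flagged on volume, hour, destination and both policy rules, and carol is flagged because she has no baseline at all; the two routine reads produce nothing. The policy rules sit outside the statistical profile deliberately, so a bulk export to removable media is reported even for a user whose history would otherwise make it look plausible.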
Source: Eskenzi PR
<>
How to multiply the uses of your Business Continuity Infrastructure
Ian Master, sales and marketing director UK, Double-Take Software
Introduction
Business continuity (BC) infrastructure is typically thought of as a means to get data offsite. IT managers don’t necessarily realise that the BC infrastructure they are building can provide much more. A well thought through deployment can provide the ability to move information technology systems anytime, anywhere, for whatever purpose, without interfering with ongoing operations. Whether recovering from a disaster, simplifying routine server maintenance or even migrating whole data centres, a good deployment can provide a dynamic infrastructure that ensures effective business continuity planning as well as making the data centre manager’s life a whole lot easier.
A day in the life of a data centre manager
To state the obvious, data centre managers don’t spend their working lives exclusively worrying about large-scale disasters. Their day-to-day experience is more likely to include managing smaller business continuity and infrastructure issues. How can they maintain full service when they know a shared disk is starting to malfunction and needs to be swapped out? How can they replace a physical server because it is no longer performing optimally? What happens when entire clusters of servers need to be moved because the nodes lack disk or processing ability? What happens if the entire data centre needs to be moved to a different location?
Building a dynamic infrastructure
Data replication solutions, which copy data in real time from one server to another to create a complete duplicate on a live backup system, provide very high levels of data protection and availability. However, data replication is just that: it only protects an application's data, not the application itself. In the event of a disaster, system administrators have to hope that all of the application backups are valid and can be restored; if not, they have no choice but to find the installation disks, and sometimes even that isn't an option. To overcome this, the more sophisticated data replication solutions provide byte-level replication of the application's system state as well as its data, so that administrators can provision an entire server at the touch of a button and keep business-critical applications up and running. Whichever approach is used, a replica only counts as a recovery point once it has been proven: schedule test failovers to it, rather than discovering during a disaster that it was incomplete or lagging behind the source.
Another tool used to reduce hardware costs and manage infrastructure more flexibly is virtualisation. Virtualisation gives data centre managers the ability to move virtual servers "dynamically" to a different host where more processing power or disk space may be available. However, moving virtual machines is limited to the virtual infrastructure, and sometimes to the same physical server on which the technology is hosted. By combining data replication that moves both data and the application system state with virtualisation, WAN accelerators, operational monitoring and security tools, you have the ability to protect and dynamically manage your entire data centre, regardless of the situation.
Dynamic infrastructure in operation
Host-based replication allows you to replicate data and operating systems, independent of hardware and in real time, while systems are still in production. Administrators can replicate from a physical to a virtual environment or vice versa, physical-to-physical or virtual-to-virtual, all while end users are accessing the data.
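To make the replication mechanism concrete, here is a small Python model of host-based, byte-level replication. It is an added example written for this page, not Double-Take's code, and the Volume and Replicator names are invented: writes on the source are journalled with a sequence number and applied to the replica in the same order, and a verified() check confirms that nothing is outstanding and the replica's contents match the source before it is trusted as a recovery point. The demo shows why ordering and lag matter: two overlapping writes shipped only in part leave the replica reading an old balance.

```python
"""Toy model of host-based, byte-level replication (added example, not
Double-Take's implementation): every write on the source volume is captured
as a sequenced journal record and shipped, in order, to a replica; the replica
is verified by hash before it is treated as a usable recovery point."""
import hashlib
from collections import deque


class Volume:
    """Fixed-size byte store standing in for a disk or file system."""

    def __init__(self, size):
        self.data = bytearray(size)

    def write(self, offset, payload):
        if offset < 0 or offset + len(payload) > len(self.data):
            raise ValueError("write outside volume")
        self.data[offset:offset + len(payload)] = payload

    def digest(self):
        return hashlib.sha256(self.data).hexdigest()


class Replicator:
    """Intercepts writes on the host (the 'source'), journals them with a
    sequence number and applies them to the target in the same order.
    Replication is asynchronous: records wait in the journal until ship()."""

    def __init__(self, source, target):
        self.source, self.target = source, target
        self.journal = deque()
        self.seq = 0

    def write(self, offset, payload):
        """Application write: hits the source now, journalled for the target."""
        payload = bytes(payload)
        self.source.write(offset, payload)
        self.seq += 1
        self.journal.append((self.seq, offset, payload))

    def ship(self, max_records=None):
        """Apply queued records to the target in sequence order; returns count.
        max_records simulates a slow link that only drains part of the backlog."""
        shipped = 0
        while self.journal and (max_records is None or shipped < max_records):
            _seq, offset, payload = self.journal.popleft()
            self.target.write(offset, payload)
            shipped += 1
        return shipped

    def lag(self):
        """Number of writes the target has not yet received."""
        return len(self.journal)

    def verified(self):
        """True only when nothing is outstanding and the contents really match;
        this is the check to run before trusting the replica for failover."""
        return self.lag() == 0 and self.source.digest() == self.target.digest()


def demo():
    """Two overlapping writes: applying only the first, or applying them out of
    order, leaves the replica reading 'balance=100' while the source says
    'balance=250'."""
    src, dst = Volume(64), Volume(64)
    rep = Replicator(src, dst)
    rep.write(0, b"balance=100")
    rep.write(8, b"250")
    before_ship = rep.verified()      # False: journal still holds 2 records
    rep.ship(max_records=1)
    half_shipped = rep.verified()     # False: replica shows balance=100
    rep.ship()
    return before_ship, half_shipped, rep.verified(), bytes(dst.data[:11])


if __name__ == "__main__":
    print(demo())
```

The point of verified() is the one the paragraph above makes about restores: a replica that is still draining its journal is not a valid recovery point, however recent it looks, and the only way to know the two sides match is to compare them rather than assume it.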
Data centre managers are using dynamic infrastructures to move entire data centres without end users even being aware, easing operational management as well as meeting the most stringent business continuity requirements. If a server is in need of maintenance, the data centre manager isn’t committed to a 2.00 am Sunday morning change control window just to tweak a configuration setting or perform a reboot. The operation of that server is dynamically moved to another without interruption, allowing the technician to take as long as needed to perform maintenance or repair that server. Maybe the part from the vendor won’t be available for 10 days? Operations continue uninterrupted and the maintenance window is open to whenever it is convenient.
Conclusion
If you have the ability to move systems anywhere, anytime, for whatever reason, without interruption to users, you have just met a rather large piece of your company's business continuity requirements and, more importantly, maximised data centre uptime. Dynamic infrastructures provide the ability to restore business operations after a disaster not only to a functional level but to the level of service that your end users expect, as well as the ability to seamlessly manage data centre operations.
Source: StoragePR
<>
The bad guys are out-running the good guys – Can compliance stop them?
Brian Chess, Founder and Chief Scientist, Fortify Software
Judging by the number of public breaches that we keep hearing about, it looks like the bad guys are far outrunning the good guys. We know it’s a big problem because as a company we get called in to sort out the problems most often once the horse has bolted.
In June this year section 6.6 of the PCI Data Security Standard (DSS) becomes mandatory. Will things change? From a UK perspective it'll be interesting to see whether it makes a change for the better. Online merchants that process credit card payments will either have to conduct a code review of their applications or install an application-layer firewall. The standard offers a choice, but there really isn't any choice at all. If an organization is going to successfully protect its data, it needs to aim for preventing a breach, not passing an audit. This means, first, finding and fixing the vulnerabilities in your software; second, building security into the development process; and third, protecting your applications once they're deployed.
Hannaford Bros, a supermarket chain based in New England, USA, passed a PCI audit and was then hacked. It lost 4.2 million credit and debit card numbers, which has led to 1,800 cases of fraud to date. Over the last two years, as the PCI standards have slowly been implemented, the number of reported data breaches has increased from 158 incidents in 2005 to 443 incidents in 2007, for a total of 212 million records. So judging by this, the bad guys are still very much in the lead, and that's why PCI keeps evolving. But in order to win this battle, companies must invest in security, not just in compliance.
In the spring of 2005, someone broke into a Web application for the Assignment Management System of the United States Air Force. They stole 33,000 personal records. The USAF responded to their breach with a multi-million dollar effort to identify and eliminate their security holes. This initiative incorporated a heavy reliance on source code analysis, in order to fix the problems at the root cause, as well as targeted investments in application firewalls, web application scanning tools, and database firewalls. The key to their approach was having the right motivation. They didn’t launch this initiative to pass an audit. They did it to ensure their software was secure. The result has been a comprehensive and dedicated deployment. As software drives nearly every military activity today, we can all be a little more comfortable knowing they have the right approach to deal with the threat.
The PCI council knows that analyzing the code early is the right thing to do, as it stresses the importance of building security into the development process. All of the following quotes come from the PCI council, and they all emphasize the importance of the code.
- “…it is recommended that reviews and scans also be performed as early as possible in the development process.” (1)
- “Tools should be made available to software developers and integrated into their development suite as much as practical.” (1)
- “The reviews or assessments should be incorporated into the SDLC and performed prior to the application’s being deployed into the production environment.” (1)
- “Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines.” (2)
- “Review custom application code to identify coding vulnerabilities.” (2)
- “Cover prevention of common coding vulnerabilities in software development processes.” (2)
(2) Payment Card Industry (PCI) Data Security Standard, Version 1.1. September, 2006
Bottom line – build security in. If you want to have the best chance of passing a PCI audit, AND preventing a breach, fix the code first, and then monitor it in real-time.
PCI Section 6.6 is a productive step forward and encourages companies to do just this, but as with many standards, companies can interpret the mandates in many ways. A bad interpretation and a weak implementation will mean a false sense of security. Passing a PCI compliance audit is necessary, but compliance alone does not protect your company from a breach. So be ahead of the bad guys and put your efforts into ensuring your applications are secure; that way you'll be out there taking the lead.
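As an added illustration of "fix the code first" (example code written for this page, not Fortify's tooling; the schema, sample rows and filter pattern are constructed), the following Python shows the injection defect a code review would flag in a payment application's order lookup, the parameterized query that removes it at the root cause, and a naive signature filter standing in for an application-layer firewall. The filter stops the textbook payload and passes a trivial variant, which is the sense in which the standard's "choice" is no choice at all.

```python
"""Vulnerable versus fixed order lookup in a toy payment application, with a
signature-style input filter standing in for an application-layer firewall.
Added example: the schema, sample rows and filter pattern are constructed."""
import re
import sqlite3


def setup_db():
    """In-memory orders table holding only the last four card digits
    (constructed sample data; storing full PANs here would itself be a PCI issue)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", "4242"),
        (2, "bob", "1881"),
        (3, "carol", "0005"),
    ])
    return conn


def find_orders_vulnerable(conn, customer):
    """The defect a code review is meant to catch: user input is spliced into
    the statement, so it can change the query's logic."""
    sql = ("SELECT id, customer, card_last4 FROM orders "
           "WHERE customer = '" + customer + "'")
    return conn.execute(sql).fetchall()


def find_orders_fixed(conn, customer):
    """The fix at the root cause: a parameterized query. The driver sends the
    value as data, so quotes and comment markers in it are never parsed as SQL."""
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# A deliberately simple blocklist that recognises only the textbook payload.
TAUTOLOGY_SIGNATURE = re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)


def filter_then_query(conn, customer):
    """The vulnerable code behind a signature filter. Returns None when the
    filter blocks the input; otherwise the (still injectable) query runs."""
    if TAUTOLOGY_SIGNATURE.search(customer):
        return None
    return find_orders_vulnerable(conn, customer)


if __name__ == "__main__":
    db = setup_db()
    textbook = "' OR '1'='1"
    variant = "' OR 1=1 --"
    print("vulnerable, textbook payload:", find_orders_vulnerable(db, textbook))
    print("filtered,   textbook payload:", filter_then_query(db, textbook))
    print("filtered,   variant payload: ", filter_then_query(db, variant))
    print("fixed,      variant payload: ", find_orders_fixed(db, variant))
```

With the textbook payload the vulnerable lookup returns every cardholder row and the filter blocks it; with the variant, which uses an unquoted tautology and a comment marker, the filter lets it through and the vulnerable lookup again returns every row. The parameterized version returns no rows for either payload, because the whole string is compared as a customer name, and it needs no signature to do so.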
www.fortify.com
<>
New Online Community for Information Security Industry www.infosecurityadviser.com
NEWS RELEASE
Monday 30th June 2008 - The team behind the popular Infosecurity Europe show, held in London every spring, has launched an online interactive security forum for the infosecurity industry, with advice, forums, blogs, career paths, ask the experts, Q&A and other resources for everyone involved in the challenges of information security. The key difference from other sites is that it is not about the latest news: it is a community where all the content is created by, and for the benefit of, the global infosecurity community.
"The Infosecurity Adviser portal contains a wide variety of resources, including top-quality blogs, all of which are designed to keep computer users up to date on current and future events in the IT security industry. Registered users of the site can get involved by posing questions to members of the “Ask the Expert” panel, on the forum, add a product review on a technology they have used or comment on any of the content created by the community." said Claire Sellick, event director of Infosecurity Europe.
The most active bloggers at the moment are members of the Information Security Awareness Forum board, including Dr David King, ISSA, Chair of the ISAF; Peter Wenham, CISSP, from the Communications Management Association; Andy Jones, CISSP, from the Information Security Forum; also Jon Collins, Service Director with analyst firm Freeform Dynamics, and Chris Potter, a partner with PricewaterhouseCoopers. The two top-rated blogs at the moment are "Top down awareness" by ISAF blog team member Peter Wenham and "Security awareness - the next generation" by Chris Potter from PricewaterhouseCoopers.
"We also have an exclusive “Ask the Experts” section of the site where users can get free advice from industry experts," Sellick added.
According to Sellick, thanks to the support of the Information Security Awareness Forum and a number of other IT security bodies, the Infosecurity Adviser portal can offer all types of computer users information and resources that will keep them informed on the many aspects of information security they need.
"The site's crisp and concise manner, together with regular updates from a flotilla of industry experts, means that we expect the portal to become a must-visit resource on the Web in a short space of time," she said.
Infosecurity Adviser is supported by the Information Security Awareness Forum (ISAF). Dr David King, ISSA UK and Chair of the Information Security Awareness Forum, said, "The new Infosecurity Adviser Portal will help to bring together expertise and advice to those who have questions around information security. This in turn will help to promote security awareness. The Information Security Awareness Forum supports this initiative and welcomes the bringing together of different elements of the industry through the portal mechanism. The awareness forum is also supporting the portal through its blog, which is available on the portal website."
Raj Samani, ISSA-UK VP of Comms, said: “Sometimes you can be left with problems which Google simply cannot answer! It is therefore refreshing to see something out there which can provide practical help to problems which can sometimes seem impossible to deal with on your own.”
“The IT security industry is an industry in transition. For this reason as much as any, it’s great to have a place where industry experts and security professionals on the front line can have a clear and open exchange of views. It’s both useful in its own right, and it all helps move the debate forward,” said Jon Collins, Service Director with analyst firm Freeform Dynamics.
"In my experience, the information security community comes up with some really good questions. I'm looking forward to the online community being a great way for us all to share experience and get to the answers!" said Chris Potter, Partner, PwC.
For more on the Infosecurity Adviser portal:
http://www.infosecurityadviser.com/
<>
Protecting Virtual Infrastructures with Data Replication
by Ian Masters, UK sales and marketing director at Double-Take Software
Many organisations are adopting virtualisation technologies in their data centre to secure the benefits of increased hardware utilisation, reduced power consumption and simplified management. The reliability of this new infrastructure is likely to be of critical importance but what is the best way to protect virtual servers and keep them highly available?
A virtual infrastructure has a single point of failure: shared disk space. An organisation that relies on tape to protect this environment will struggle to provide the infrastructure with the protection and availability it requires, as it can take days to restore virtual systems from tape, if it is possible at all. Some virtualisation products come ready equipped with a snapshot-based technology that sends data in periodic chunks. However, the flexibility of this technology is limited and, as a result, it does not provide the protection, availability and disaster recovery that a business-critical virtual infrastructure warrants. No matter which virtualisation vendor’s solutions are deployed, independent data replication products provide availability of virtual infrastructures far more effectively than tape, greatly increase native protection and give data centre managers a very useful management tool.
If an organisation is already using an independent data replication solution within its business continuity plan, it may be flexible enough to be used within virtual infrastructures. Data centre managers are likely to maintain a variety of hardware on which they host virtual servers, so the high availability solution needs the flexibility to work in any hardware environment. Host-based replication is an asynchronous technology that replicates at the server level: it streams changes in real time, as they occur, and applies them on target servers in the order in which the operations occurred. Host-based replication is hardware agnostic and therefore ideal for heterogeneous environments, so it has the flexibility required to protect typical virtual infrastructures. It has the additional benefit of providing data centre managers with a simple-to-use virtual infrastructure migration and management tool.
Many organisations already have a disaster recovery facility or satellite office where they send backup copies of data for disaster recovery. Having a live duplicate of the virtual infrastructure in those locations provides the ultimate level of protection and recovery in the event of a substantial site disaster. Host-based replication technologies are able to replicate over any distance and so provide organisations managing virtual infrastructures with the best possible protection for business-critical physical and virtual environments.
Virtualising servers is only the first step in modernising a data centre to take advantage of the benefits on offer. Virtual infrastructures are business-critical, so organisations need to make sure they are highly available. Deploying an appropriate data replication technology is the only strategy that will provide the protection required. Host-based data replication products not only provide high availability but can also help data centre managers better maintain virtual systems by giving them the ability to provision, convert and migrate systems both near and far.
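To make the two properties the article relies on concrete (periodic snapshots lose everything since the last chunk, while journal-driven host-based replication applies every change in source order even when the network delivers it out of order), here is an added Python simulation. It is an illustration written for this page, not Double-Take's or any vendor's code; the five-key workload, the delivery reordering and the duplicate redelivery are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Change:
    """One write captured on the source host, tagged with a journal sequence number."""
    seq: int
    key: str
    value: str


class SnapshotTarget:
    """Periodic snapshot replication: the whole source state is shipped every
    `interval` writes; everything written after the last shipment is lost if the
    source host is lost."""

    def __init__(self, interval: int) -> None:
        self.interval = interval
        self.state: Dict[str, str] = {}

    def observe(self, source_state: Dict[str, str], writes_so_far: int) -> None:
        if writes_so_far % self.interval == 0:
            self.state = dict(source_state)


class StreamingTarget:
    """Host-based asynchronous replication: each change is streamed as it happens.
    The network may reorder or redeliver changes, so the target buffers them and
    applies them strictly in sequence order; a later write is never applied before
    an earlier one, which keeps the replica write-order consistent."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}
        self.next_seq = 1
        self.pending: Dict[int, Change] = {}
        self.applied: List[int] = []

    def receive(self, change: Change) -> None:
        if change.seq < self.next_seq:
            return  # duplicate redelivery of a change already applied
        self.pending[change.seq] = change
        # Drain every change that is now contiguous with what has been applied.
        while self.next_seq in self.pending:
            c = self.pending.pop(self.next_seq)
            self.state[c.key] = c.value
            self.applied.append(c.seq)
            self.next_seq += 1

    def held_back(self) -> int:
        """Changes received but waiting because an earlier one has not arrived."""
        return len(self.pending)


def write_stream(n_writes: int) -> List[Change]:
    """Constructed workload: n sequential values written round-robin over five keys."""
    return [Change(seq, f"k{seq % 5}", f"v{seq}") for seq in range(1, n_writes + 1)]


def divergence(source: Dict[str, str], replica: Dict[str, str]) -> int:
    """Keys whose value on the replica is missing or stale compared with the source."""
    return sum(1 for k, v in source.items() if replica.get(k) != v)


def simulate(n_writes: int, snapshot_interval: int, delivery_order: List[int]) -> dict:
    """Feed the same write stream to both targets. `delivery_order` lists journal
    sequence numbers as the network hands them to the streaming target (reordered,
    possibly duplicated); numbers absent from it are still in flight when the source
    host is lost, which is the asynchronous-replication exposure."""
    writes = write_stream(n_writes)
    source: Dict[str, str] = {}
    snap = SnapshotTarget(snapshot_interval)
    for c in writes:
        source[c.key] = c.value
        snap.observe(source, c.seq)
    by_seq = {c.seq: c for c in writes}
    target = StreamingTarget()
    for seq in delivery_order:
        target.receive(by_seq[seq])
    return {
        "snapshot_stale_keys": divergence(source, snap.state),
        "streaming_stale_keys": divergence(source, target.state),
        "streaming_applied_in_order": target.applied == sorted(target.applied),
        "streaming_held_back": target.held_back(),
    }


if __name__ == "__main__":
    # 14 writes, snapshot every 5; change 14 still in flight, 7 redelivered, 4/5 and
    # 7/8 and 12/13 swapped by the network.
    print(simulate(14, 5, [1, 2, 3, 5, 4, 6, 8, 7, 7, 9, 10, 11, 13, 12]))
```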
Source: Eskenzi PR Ltd.
The real cost of a security breach
by David Hobson, Managing Director of Global Secure Systems (GSS)
In its 2006 annual report for the fiscal year ended 27 January 2007, T.J. Maxx recorded a pre-tax charge of approximately $5 million for costs incurred in connection with the computer intrusion it formally disclosed in January 2007. This charge covers actual costs incurred to investigate and contain the breach, strengthen its computer security and systems, and communicate with customers, as well as technical, legal and other fees. $5 million may suggest that it got off lightly, but is this just the tip of the iceberg? What are the hidden costs of a security breach? What will be the final figure? This article aims to examine the hidden expense of a data breach, both the tangible and the intangible costs. It concludes with ‘top ten tips’ to avoid being the next headline grabber.
IT security in the early 1990s was relatively simple. Data was stored on mainframes, access control was limited and the need to share data was very limited. Today the rules have changed. More data needs to be shared, access to data is required from almost anywhere and the need to secure that data has grown through regulation and legislation. The user population is much more technical now, and the Internet boom has enabled an increasing number of people to cause more trouble than ever. Most organisations acknowledge that a security breach will result in financial expense to the business.
It’s going to cost how much!
Firstly, there are the direct and easily correlated costs such as replacing any lost or stolen devices; investing in, or strengthening existing, IT security; and if necessary strengthening the building’s physical security.
In August 2007, Monster had to take action when it discovered that con artists had mined contact information from the CVs of 1.3 million people, and possibly many more, as Monster has since confirmed that this was not an isolated incident. Files were stolen not only from Monster.com but from USAJobs.gov, the federal-government career-listing service operated by Monster. Monster has said it will have to spend at least $80 million on upgrades to its site, which will include security changes. Among them are closer monitoring of the site and limits on the way its data can be accessed.
It doesn’t stop there
Some costs are harder to pin down including contacting those whose records may have been exposed, credit monitoring for those affected, and even the possibility of subsequent legal action taken by people who have suffered a financial loss as a direct result of their records being exploited.
HMRC, which in December had two CDs containing 25 million child benefit records go astray in its internal post system, wrote to each person whose personal details were at risk. When tallying this up there is the physical cost of the paper and envelopes, printing the letters and addressing the envelopes, and postage, plus the harder-to-guesstimate cost of employees’ time to draft the letter and physically perform the mail-out.
Customer lawsuits can cause serious headaches for businesses that go far beyond the reputation-slaying negative headlines. Aside from the actual monetary damages, lawsuits often leave companies on the hook for additional training, systems upgrades or, in the case of a data breach, credit monitoring for those affected.
In the case of TJ Maxx’s massive security breach, the company revealed that all affected customers were offered credit monitoring at its expense. Additionally it disclosed that it has agreed to pay up to $24 million in a settlement with MasterCard, and it might not stop there. It also confirmed that it has had to budget for various litigation and claims that have been, or may be, asserted against it or its acquiring banks on behalf of customers, banks and/or card companies seeking damages allegedly arising out of the Computer Intrusion.
In another instance the Information Commissioner’s Office (ICO) found Marks & Spencer in breach of the Data Protection Act in January this year, following the theft in April last year of an unencrypted laptop containing the personal information of 26,000 M&S employees. As a result, the ICO ordered Marks & Spencer to ensure that all hard drives on the laptops it uses were fully encrypted by April 2008, facing further prosecution if it failed to comply, although M&S has appealed against this decision and a final outcome is yet to be decided. Other tangible costs Marks & Spencer faced were writing to all 26,000 employees affected and the cost of its offer of free credit checks to them. But what is the hidden cost: how many employees’ loyalty will have been damaged by this incident? We all recognise the cost of recruitment and training.
In 2007 the UK's largest building society, Nationwide, received a fine of nearly £1m from the Financial Services Authority after the theft of an employee's laptop unearthed security flaws which could have put its 11 million customers at risk. In the first action taken by the City regulator over such systems and controls issues, Nationwide had faced a £1.4m penalty but was given a reduced fine of £980,000 because of its cooperation.
It runs deeper still
So what other concealed costs are there?
There is bound to be an impact on share price, even if only temporarily, as stakeholders react to the news.
There is the lost marketing investment when a brand is damaged, which is a key impact that UK boardrooms should be concerned about. This is closely followed by the recovery costs in the form of future or increased marketing budgets to regain market position, rebuild reputation and so on. Imagine the continuing damage if the company’s communications can no longer be trusted. IKEA fell victim earlier this year when a hole in its website security allowed hackers and phishers access to its ‘contact IKEA’ function, enabling them to send bulk outbound mail via its email servers. The potential damage to the company's reputation and the possibility of email blacklisting could be significant.
There is the cost of customer erosion, especially where the breach has compromised credit card details as in the case of Cotton Traders. Apacs has called the recent hacking attack on its website a “serious” breach, saying the hackers could use the stolen card details for fraud. The clothing company has so far refused to say how many people have been affected, and has tried to alleviate continuing fears by confirming that its customer credit card data is now encrypted on its website, but could this prove too little too late?
There could even be the risk of employees jumping ship as internal morale dives: staff feel their loyalty is compromised when the company they work for makes headline news for the wrong reasons. Filling vacancies is a costly exercise.
There is even the reality that those unaffected and uninvolved will still end up footing the bill. Again the HMRC data loss provides a perfect example. The Chancellor of the Exchequer at the time of the breach, Alistair Darling, confirmed that banks were having to monitor all 7.25 million bank accounts whose details were on the discs. Although the cost of this monitoring has not been revealed, the banks will make sure that they recoup the expense from someone! So either the taxpayer, or everyone with a bank account, is going to cover this charge.
This article shows that data loss is not an insignificant issue. Information assurance is business critical and, for many organisations, the data they own is their key asset, so why are so many failing to treat it as such? Failing to do so opens the corporate purse with no guarantee that it will ever be closed again. TJ Maxx itself summed it up when it said in its statement: “Beyond this charge [$5 million], we do not have enough information to reasonably estimate losses we may incur arising from the Computer Intrusion.”
Top Ten Tips to Prevent a Breach:
- Management set the tone for their organisations by their own behaviour. As such, good information practices are obligatory for all stakeholders, not just employees.
- Be proactive – management should deal with information assurance issues proactively, rather than reactively as information assurance is far more cost effective in a preventative rather than a remedial context.
- Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organisations.
- Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.
- Information assurance is everyone’s job and as such investments in training and awareness programs for all employees are critical.
- Management should set out the company’s expectations with respect to information assurance in clear, accessible policies.
- The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.
- Investments need to be made in technology that will result in the secure transport and processing of information by the company’s information technology assets.
- Suitable best practices should be identified and implemented rather than ad hoc approaches implemented.
- Expert advice should be sought and used at all times to advise and oversee efforts in respect of information assurance from an experienced and objective third-party perspective.
Source: Eskenzi PR Ltd.
Farms need emergency plans before disasters strike
(Wisconsin) Farmers should have emergency plans before a tornado, fire, or other disaster hits their farm, according to the Wisconsin Farm Bureau Federation. The Farm Bureau posts a farm emergency plan template on its web site, www.wfbf.com, for farmers to make their own list of emergency contacts, family members and employees, a plan to meet away from the farm in an emergency, and a diagram of their farm.
“When an emergency responder pulls into a farm’s driveway, they may not always be prepared for what they are going to find,” said Casey Langan, Director of Public Relations for the Farm Bureau. “They might not know how grain bins operate, how livestock react under stress, how anhydrous ammonia tanks work and the danger involved with handling the product. Therefore a farm emergency plan should include a description and location of production facilities, livestock and equipment to help minimize the devastating effects of a farm disaster.”
The Farm Bureau said current operational procedures exist for local police, fire and emergency response teams, but many of them may have little knowledge of the workings of a farm. An emergency plan should provide the additional safety information that emergency responders will need.
Farms may have equipment, building structures, livestock bio-security measures, farm chemicals and fuels, power usage and generation, and other aspects of raising livestock and growing crops that require special attention by emergency officials or other important partners who respond to the special needs of farms.
The Farm Bureau recommends that farm families review and update this emergency list with their family and employees, post copies near telephones, and share them with neighbors and emergency responders.
Items to include in a farm emergency plan:
- List of family members, employees or neighbors, who are familiar with your farm business.
- List of emergency contacts.
- Description of medical history or medical information of family members and employees.
- Description of location of the farm and directions from nearest major intersection.
- A general diagram of the farm that includes the location of chemicals, fuels, livestock, equipment, overhead and buried utilities, etc.
- Location of spare keys for vehicles or buildings.
- Contact information of businesses providing services such as veterinarian, heavy equipment, electricity, livestock and milk hauling, insurance, financial, etc.
- List of suppliers of chemicals, fertilizer, medications, etc.
- Contact information of medical care provider.
- Telephone grid of farmers to help provide livestock care, emergency feed and water, power, etc.
- Safe storage of farm and personal financial information and computer records in fire-proof boxes or off-site safe deposit boxes.
- Off-site meeting location and contacts for family and employees to gather following a disaster to assess the situation and coordinate response.
The template of an emergency plan can be found under the “Ag Resources” section of www.wfbf.com.
Source: Wisconsin Farm Bureau Federation (USA)