Recently in Compliance Category

During an Educause webcast on Red Flag compliance, the FTC announced that it would not enforce compliance with the Red Flag legislation until May 1, 2009. That is a major relief and takes a lot of pressure off the remainder of this month. In the meantime, check the FTC site for the formal announcement.

When you read the reports of information security breaches at The Breach Blog (see http://www.breachblog.com) and SC Magazine (see http://breach.scmagazineblogs.com), one of the most remarkable patterns is the frequency of breaches occurring in colleges and universities.
Source: Scott Wright's Security Views
While it is true that many of the published breaches took place at colleges and universities, it is important to realize that institutions of higher education are typically more open and more willing to share information with the outside world than corporations of a similar size would be. Do not forget that even a small college may have upwards of 10,000 users (students, faculty, administration and staff). Those numbers go up significantly when the larger universities are also included.

We have all done it.

Who has not sent authentication credentials over an insecure channel instead of doing it properly via a secure out-of-band channel? With a high degree of certainty, just about everyone who reads this has done it at least once during their career.

Often, this decision is rationalized through a partial (and often skewed) implicit risk assessment that probably went something along these lines: "The chance that someone intercepts this message, AND that the recipient does not change his password in a timely fashion to a properly complex passphrase, is low enough that we can do it this time". And the next time, and the next time, ad infinitum.

Information security framework

A 0day with an automatic discovery and dissemination tool shouldn't be a surprise to anyone. The fact that it's hit hundreds of thousands of sites in less than a couple of weeks is slightly surprising, though it mainly means that the bad guys are moving fast. Is this just the next step in Internet security, where we have new 0day vulnerabilities sweeping through web servers on a regular basis?
Source: Network Security Blog
Observations like this once more confirm that the bad guys are increasingly focusing on OSI layer 7 (the application layer) and above. While perimeter controls are not to be ignored, simply putting up a firewall to keep unwanted traffic out, and an IDS to make sure the firewall is working well (or an IPS, if you prefer), is not sufficient.