In my last blog posting I discussed barriers in achieving compliance and responding to eDiscovery orders when data are stored in the cloud. But these are just a few among the many legal risks in connection with cloud computing. One of the most serious risks is customers not knowing exactly where their data are being stored and processed and how (if at all) they are being safeguarded. This in turn translates to a number of concerns: Read more…
I am sure that you are by now aware of the fact that there are many potential security risks associated with so-called cloud computing. Although we are still learning about the nature and extent of these risks, it is important to not focus so much on security risks that we overlook the legal risks that are also part of the cloud risk formula.
One of the most serious cloud legal risk issues is how to achieve compliance when you have lost full or partial control of your IT environment. Suppose, for example, that a company that takes in, processes, stores and transmits credit card data decides to move its credit card operations to the cloud. The cloud service provider (CSP) can provide every assurance of PCI-DSS compliance, but that does not relieve the company of its responsibility for safeguarding these data in a way that meets the provisions of the PCI-DSS standard. The company will undoubtedly breathe a sigh of relief if and when the CSP passes a QSA audit. Still, the direction of PCI-DSS is toward continuous, not once-a-year, compliance. Read more…
The Stuxnet worm stole the headlines last week, the second time a self-reproducing program came into the limelight in less than three weeks. What is distinctive about this worm is not only its proficiency in infecting Windows systems, but also its seeking and infecting supervisory control and data acquisition (SCADA) systems. Stuxnet attempts to exploit several Windows vulnerabilities, some of which have been zero-day vulnerabilities, and if successful in doing so, then tries to infect Siemens SCADA systems. Read more…
With cloud services (better called “utility computing services”) proliferating like crazy, the security of an organization’s data stored in the cloud is starting to become a very serious issue. Suppose that an organization has decided to contract with a cloud service provider (CSP) for Infrastructure as a Service (IaaS) storage services. Although the organization may assume that the CSP will adequately safeguard the stored data, in reality the opposite is likely to be true. Why? Encryption of data stored in the cloud is not a trivial issue, in that it precludes operations that are normally done in connection with data storage: searching and indexing. Without the ability to do both, data storage becomes downright inefficient. So unless provisions in a service level agreement (SLA) or statement of work (SOW) explicitly state that encryption will be provided for all data stored by the CSP, data are likely to be stored in cleartext. Read more…
I attended a presentation by a major anti-virus product vendor at an ISSA chapter meeting yesterday, something that got me thinking and brooding sufficiently to motivate me to write this blog entry. In some of my previous entries I have stated that today’s generation of anti-virus software is, with a few exceptions, o.k. but not spectacular at detecting and eradicating viruses and worms. The detection and eradication of Trojan horse software is another matter, however: most current anti-virus products are deficient in this area. But how do these products fare in detecting “client-side exploits,” attempts to exploit vulnerabilities in browsers (e.g., Internet Explorer and Firefox), browser plug-ins, desktop applications, and other software frequently run by users? NSS Labs, which is rapidly becoming one of my heroes in the information security arena because of its vendor-independent stance and sound testing procedures, conducted such tests earlier this year and announced the results only a few weeks ago. Read more…
Just when we were thinking that “all is quiet on the virus and worm front,” a new virus started spreading rapidly yesterday. Dubbed the VBMania virus by McAfee, this virus arrives in email with a subject line of “Here you have.” Interestingly, this is the same subject line that the Anna Kournikova worm, which surfaced years ago, used. The body of the message says something to the effect of “Hello… this is the document I told you about, you can find it here” and contains a link to a Web page hosted on members.multimania.co.uk. If an unsuspecting user clicks on this link, what appears to be a screensaver file with an .scr extension is downloaded to the user’s machine. The file is the virus code, however. Once the virus infects a system, it uses the Outlook address book to mail itself to addresses therein, although there is evidence that the virus also mails itself to other addresses.
Initially, the worm spread very rapidly, clogging Internet gateways in various parts of the world. US government agencies have been hit particularly hard. The worm has slowed down considerably since yesterday; configuring mail servers to block messages with .scr files as attachments stops the spread of this virus.
What is particularly interesting about the VBMania virus is that mass-mailing viruses have for all practical purposes disappeared over the last five years or so. We have seen ILoveYou, Anna Kournikova, and other mass-mailing viruses come and go, but lately malware of this nature has become extinct. Let’s face it: computer criminals want to make money, and you can’t make much money by releasing malware that is easily noticed and does nothing more than infect systems. So just as the Conficker worm showed us that worms are by no means dead, VBMania has shown us that mass-mailing viruses are also still very much alive and well.
What amazes me is how successful VBMania has been within US government agencies despite all the money and effort they have spent on training and awareness activity. One would think that users would hesitate to click on URLs sent in messages, but apparently this is not true. But the US government will never lead the way when it comes to security. Unbelievably, the two people charged with rewriting the Department of Energy’s cybersecurity policies do not even have a background in cybersecurity, nor do they have a single information security professional certification between them! And there are similar stories in other departments and agencies. So if I were a betting person, I’d bet that VBMania is not the last virus that will spread profusely within the US government. The late Harvard professor George Santayana once said: “Those who do not learn from history are doomed to repeat it.” Apparently US government departments and agencies are not learning from history…
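As an added example (not the author’s code, nor any vendor’s), here is a small Python gateway check that quarantines mail matching the pattern described above: the “Here you have” subject line, a body link to an .scr file, or an .scr attachment. The two sample messages are constructed, and the hosting domain in them is a placeholder rather than the one named in the post.

```python
import re
from email import message_from_string

# Constructed sample mails (not real captures), shaped like the VBMania message
# described in the post: subject "Here you have" and a link to an .scr file.
VBMANIA_LIKE = """\
From: someone@example.com
Subject: Here you have
Content-Type: text/plain

Hello... this is the document I told you about, you can find it here
http://members.example-hosting.invalid/open.scr
"""

BENIGN = """\
From: colleague@example.com
Subject: Q3 budget draft
Content-Type: text/plain

The spreadsheet is at http://intranet.example.org/q3.xlsx
"""

SCR_LINK = re.compile(r"https?://\S+\.scr\b", re.IGNORECASE)
BLOCKED_SUBJECTS = {"here you have"}   # assumed gateway rule, not from the post


def check_message(raw: str) -> list:
    """Return the reasons a gateway rule would quarantine this mail (empty = clean)."""
    msg = message_from_string(raw)
    reasons = []
    if (msg.get("Subject") or "").strip().lower() in BLOCKED_SUBJECTS:
        reasons.append("subject matches the 'Here you have' lure")
    for part in msg.walk():   # walk() yields the message itself when not multipart
        fn = part.get_filename()
        if fn and fn.lower().endswith(".scr"):
            reasons.append(f"carries .scr attachment {fn}")
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(
                part.get_content_charset() or "utf-8", "replace")
            if SCR_LINK.search(text):
                reasons.append("body links to an .scr file")
    return reasons


if __name__ == "__main__":
    for name, raw in (("vbmania-like", VBMANIA_LIKE), ("benign", BENIGN)):
        print(name, "->", check_message(raw) or "clean")
```
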
We’ve been seeing a trend in the U.S. in which cybersecurity legislation is being passed by states, but not by the federal government. In no area has this been more true than in the case of data security breach notification. California got the proverbial ball rolling with its now well-known State Bill 1386, which in essence required commercial entities that experienced data security breaches involving certain kinds of customer information, such as credit card information and banking PINs, to promptly notify affected individuals unless the information was encrypted. When this bill was passed it was revolutionary, but by today’s standards it is rather passé. A stronger data security breach notification law has since been passed in California, and nearly every state within the US now has a law that requires organizations that leak financial and/or personal information to notify those whose information has been compromised. Read more…