Wednesday, June 2, 2010

So What is Scrum?

Scrum provides a framework for project management and agile software development. In 1986, Hirotaka Takeuchi and Ikujiro Nonaka described a new holistic approach that was designed to increase speed and flexibility in the development process for new commercial products.

They compared this new holistic approach to the sport of Rugby. The Scrum development phases overlap and the entire process is performed by one cross-functional team across the different phases, similar to Rugby, where the whole team “tries to go the entire distance as a unit passing the ball back and forth”. Note - this is where the name Scrum came from - it was their favorite Rugby team! Scrum is not an acronym!

Scrum was first used for the management of software development projects. The beginning case studies came from the automotive, photo machine, computer and printer industries. Now Scrum is also used to run software maintenance teams and for general program/project management.

Scrum is seen as a “process skeleton” containing defined practices and roles.

The key roles in Scrum are:
1. “ScrumMaster” - maintains the processes (similar to a project manager)
2. “Product Owner” - represents the stakeholders and the business
3. “Team” - a cross-functional group of approximately 7 people who perform the analysis, design, implementation, testing, etc.

DEFINING THE SPRINT
A “sprint” is typically a 2 to 4 week development period decided by the team. This timeline is the time required for the team to meet a milestone such as development of a shippable "beta" product (e.g., working/tested software).

THE PRODUCT BACKLOG
The set of features that are assigned to a sprint come from the product “backlog”. The backlog is a prioritized set of high level requirements of work to be completed. Specifying which backlog items go into the sprint is determined during the sprint planning meeting. The Product Owner informs the team of the items in the product backlog that need to be completed. The team determines how much of this they can commit to in order to complete the next sprint. Then the sprint is set to start.

FROZEN SPRINT
During a sprint, changes are not allowed in the sprint backlog. In other words, the requirements are frozen for the active sprint. After a sprint is completed, the team demonstrates how to use the product (e.g., software).

STRONG CROSS-COLLABORATION
Scrum promotes self-organizing teams that co-locate all of the team members assigned to the project. Scrum also requires frequent, in person, verbal communication across all team members and disciplines that are involved in the project.

CUSTOMER REQUIREMENTS FLEXIBILITY
A key benefit of Scrum for customers is that during a project the customers can offer additional requests or change their minds about what they want and/or need. In a traditional development process customers’ needs cannot be taken into consideration as the process is too rigid. Scrum promotes the approach of focusing on maximizing the team’s ability to deliver quickly and respond to the customers’ emerging requirements.

Thursday, May 6, 2010

World-Check - Due Diligence (EDD) services - Global Company Background Checks

If you are thinking of partnering with a new company outside of the US and wonder what their "status" is - you may want to engage World-Check services!

In this down economy many companies are searching for new global opportunities in emerging markets. These new locations can present unusual challenges such as corruption, organized crime, weak laws, unenforceable contracts, terrorist financing and money laundering. These are all common threats that have to be identified, assessed and mitigated prior to entering into a business relationship.

Effective risk management is key - you need to know who you are dealing with.
It is prudent to really understand the background of international clients, business partners, distributors, agents and consultants, especially before committing to an offshore deal, business association or foreign investment.

World-Check offers IntegraScreen Reports for international financial institutions and multinational corporations. The reports ensure compliance with Anti Money Laundering (AML) regulations and legislation with trans-national reach. The USA PATRIOT Act and anti-corruption legislation like the Foreign Corrupt Practices Act (FCPA) contain specific customer due diligence requirements, especially within the context of emerging markets and offshore locations.

World-Check will assist you with compliance, privacy and regulation laws. Note that in the process they have a strict policy that only publicly available records are accessed and used in their research. They do use digitised information on file but also access paper records, as most public records held outside of the US in under-developed economies are not in an electronic format.

World-Check's Due Diligence Reports provide you with comprehensive background risk assessments of prospective and existing clients, M&A targets, IPO candidates, business partners and agents. These reports are designed to help YOU mitigate international business, legal and reputational risks.

If you are performing due diligence you will soon find that ‘publicly accessible’ does not mean ‘easily accessible’. World-Check has a global reach with local research experts to ensure accurate, comprehensive and consistent reporting for your company.

Contact World-Check for IntegraScreen Reports if you are ....
• Conducting pre-merger and acquisition inquiries and pre-IPO due diligence
• Entering into new international joint ventures
• Taking on a new banking or financial client
• Engaging overseas business partners
• Following regulatory compliance and corporate governance best practice
• Creating a consistent and auditable AML and anti-corruption compliance program

World-Check's IntegraScreen due diligence reports provide detailed risk insight to reduce business, legal and reputational risks. If you need help email: edd@world-check.com. Tell them The JamieWire sent you!

Silanis releases SMS Txt and Voice Authentication - Insurance and Financial Services Solution

Silanis Technology, Montreal, QC announced SMS text authentication and voice authentication features for its ApproveIt Web Server e-signature process management solution. Silanis is the leading provider of Electronic Signature Process Management solutions for insurance and financial services companies. They sell to major government agencies, integrators and service providers to increase business transactions, reduce costs and improve compliance with legal and regulatory requirements.

The company’s electronic signature platform, ApproveIt®, is an enterprise-class e-signature process management solution that transforms paper-based business transactions to all-electronic, Web-based processes for e-commerce and e-government.

Silanis Technology's ApproveIt Web Server e-signature process management solution now supports SMS text authentication and voice authentication features. This functionality provides an extra layer of security for in-person, click-to-sign processes while also eliminating hardware requirements.

What problem is solved?
In the past, when a customer was working with an agent or representative, the customer had to share the agent/rep's laptop or desktop computer. This is not a very secure practice and it raised the question of who actually e-signed the documents.

How the new Agent/Representative process works
SMS text authentication - The agent/rep enters the customer’s mobile number prior to e-signing. A unique PIN is then automatically generated by the application and sent to the customer’s cell phone as a text message. The agent hands over their computer to the customer, who must then enter the unique, one-time password in order to continue the e-signing process.

Voice authentication - The voice process displays a Web page that prompts the customer to record a verbal statement that he or she has reviewed all documents and agreed to the contract terms. Once the voice statement is captured, the customer then ’clicks-to-sign’ using their mouse.
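The SMS text authentication step described above, sketched as an added example (this is not Silanis code and not how ApproveIt is implemented). The PIN length, lifetime, attempt limit and the names PinChallenge, issue and verify are assumptions; the sketch shows a one-time PIN that is bound to one signing session and mobile number, expires, locks after repeated wrong entries, and leaves an evidence trail that never contains the PIN itself.

```python
import hashlib
import hmac
import secrets
import time

# Policy values are assumptions for this sketch, not the product's settings.
PIN_DIGITS = 6
PIN_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class PinChallenge:
    """One SMS PIN challenge bound to a signing session and a mobile number."""

    def __init__(self, session_id, mobile_number):
        self.session_id = session_id
        self.mobile_number = mobile_number
        self.attempts_left = MAX_ATTEMPTS
        self.used = False
        self.issued_at = None
        self._salt = secrets.token_bytes(16)
        self._digest = None
        self.evidence = []  # audit trail; never holds the PIN

    def _record(self, event, when):
        self.evidence.append({"session": self.session_id,
                              "mobile": self.mobile_number,
                              "event": event, "at": when})

    def _hash(self, pin):
        # Keyed hash over session, number and PIN: the server keeps no
        # plaintext PIN, and a PIN issued for one session fails in another.
        msg = f"{self.session_id}|{self.mobile_number}|{pin}".encode()
        return hmac.new(self._salt, msg, hashlib.sha256).digest()

    def issue(self, now=None):
        """Generate the PIN; the caller hands it to the SMS gateway only."""
        now = time.time() if now is None else now
        # secrets uses the OS CSPRNG; random.randint would be predictable.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._digest = self._hash(pin)
        self.issued_at = now
        self.attempts_left = MAX_ATTEMPTS
        self.used = False
        self._record("pin_issued", now)
        return pin

    def verify(self, candidate, now=None):
        """Check the PIN typed by the customer and record the outcome."""
        now = time.time() if now is None else now
        if self._digest is None:
            outcome = "rejected: no PIN issued"
        elif self.used:
            outcome = "rejected: already used"
        elif now - self.issued_at > PIN_TTL_SECONDS:
            outcome = "rejected: expired"
        elif self.attempts_left <= 0:
            outcome = "rejected: locked"
        else:
            self.attempts_left -= 1
            # compare_digest avoids leaking match position through timing.
            if hmac.compare_digest(self._digest, self._hash(candidate)):
                self.used = True
                outcome = "accepted"
            else:
                outcome = "rejected: wrong PIN"
        self._record(outcome, now)
        return outcome


if __name__ == "__main__":
    # Constructed session id and fictitious mobile number.
    challenge = PinChallenge("signing-session-001", "+15555550100")
    sms_pin = challenge.issue()
    print(challenge.verify(sms_pin))   # accepted
    print(challenge.verify(sms_pin))   # rejected: already used
    for entry in challenge.evidence:
        print(entry)
```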

Compliance and Regulatory evidence
ApproveIt Web Server captures the authentication processes as part of the Electronic Evidence™. Once the customer is logged on, the web-based service captures the entire application review and signing process, including all of the Web pages displayed to customers, how long they spend on each page, and the areas they clicked on, agreed to, and signed. This provides much stronger evidence than prior paper trails.

Secure digital signing fraud reduction - The signed documents and Electronic Evidence are also secured with digital signature technology to ensure that no changes can be made without visibly invalidating the electronic signatures. The strong Electronic Evidence captured by the solution helps to reduce the risk of fraud or repudiation. This solution would also be very useful in the Real Estate and rental markets!

Friday, April 30, 2010

Symantec enters Encryption Market - Acquisition of PGP & GuardianEdge

Symantec Corp. made a big play last week in the encryption market through their purchase of encryption powerhouse PGP Corp., and GuardianEdge Technologies Inc.
Symantec's acquisition of PGP allows them to offer customers a broad range of full disk encryption via PGP and removable media encryption via GuardianEdge.

The deal cost Symantec $370 million. Symantec paid $70 million for San Mateo, Calif.-based GuardianEdge and $300 million for Menlo Park, Calif.-based PGP.
Symantec will integrate the two vendors' platforms into Symantec's centralized management platform.

Symantec currently has an OEM relationship with both GuardianEdge and PGP. The combined offering provides customers with a full range of full disk encryption (PGP) and removable media encryption (GuardianEdge). Since both companies are OEM partners of Symantec, there should be minimal integration issues, per reports from their CEO Enrique Salem.

The agreements are subject to regulatory approvals and are expected to close during the June quarter.

Tuesday, April 27, 2010

FireScope Delivers Industry's First CMDB iPad App

The FireScope CMDB app for iPad lets you manage IT changes from anywhere!

The FireScope iPad App interfaces with the FireScope Configuration Management Database (CMDB). This gives you instant access to IT Service configuration knowledge and lets you achieve structured, predictable change from an iPad.

With FireScope's iPad App you can view reports or approve Requests for Change (RFCs) from an Apple iPad. You can browse your CMDB from anywhere - forget being tied to your laptop or PC. Here is one example: You have an urgent incident and you need to begin troubleshooting. You arrive at the datacenter late at night. No worries - you can walk around the datacenter using the iPad, drilling down through dependencies supplied from the CMDB. This allows you to quickly find the critical information you need to resolve the incident rapidly.

Common tasks you can perform with the CMDB iPad app include:
• Quickly inspect IT service dependencies
• View and approve Requests for Change (RFCs) remotely
• Perform impact analysis on prospective change
• Review configuration of critical assets
• Access all of your CMDB reports
• No additional software to install on the server, or additional configuration.

In addition to the iPad, FireScope has a solid mobile strategy. They have apps for the Apple iPhone 3GS, 3G and iPod Touch. And for Android phones they support Nexus One, HTC Hero, HTC Magic, Motorola Droid and more. I have a Droid HTC Hero and I downloaded it today - it's free! It installed without a hitch. I will see if I can hit a demo site to test it out!

The iPad application will be available for download via iTunes, pending final approval from Apple. Watch for the release!

NIST Content Automation Protocol (SCAP) - FIPS, Special Publications - CALL for Feedback

Draft NIST Publications (FIPS, Special Publications) has published a draft (NIST IR-7511 Rev. 2) of the Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements.

The DRAFT is open for review by the public and feedback is accepted until May 20, 2010. The SCAP document is waiting to be approved as a final document by the Secretary of Commerce.

SUMMARY
Draft NIST Interagency Report (IR) 7511 Revision 2, Security Content Automation Protocol (SCAP) Version 1.0 Validation Program Test Requirements, describes the requirements that must be met by products to achieve SCAP Validation. Validation is awarded based on a defined set of SCAP capabilities and/or individual SCAP components by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program. Draft NISTIR 7511 Revision 2 has been written primarily for accredited laboratories and for vendors interested in receiving SCAP validation for their products.

This update to Draft NIST Interagency Report (IR) 7511 Revision 2 includes changes to the Internet Connectivity requirements and clarifying language to several other requirements and test procedures.

If you have questions regarding this document, please send email to: IR7511comments@nist.gov . The deadline to submit comments is May 20, 2010.

FISMA - Federal Information Security Management Act

The Federal Information Security Management Act was passed in 2002. FISMA is a framework to manage risk and ensure the confidentiality, availability and integrity of federal information and information systems. The Act assigns specific development, management, oversight and reporting responsibilities to two federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

Federal Information Security Management Act (FISMA)
FISMA is a framework aimed at protecting Government information, operations and assets. FISMA requires agency officials to implement policies, procedures and practices to strengthen information security and reduce security risks. FISMA compliance requires the following:
• Develop an agency-wide security program
• Implement and adhere to security configuration standards developed by NIST
• Identify and resolve risks
• Perform ongoing assessment and testing
• Conduct annual reviews on the effectiveness of the agency’s information security and privacy programs and report the results to OMB annually

To provide a formal framework to manage and measure agency security and risk, FISMA tasked NIST with the development of the standards and guidelines for selecting, categorizing and assessing information systems.
These include:
• Develop Security Program
• Identify and Inventory Assets
• Select Security Controls
• Categorize Risk
• Implement Security Controls
• Assess and Monitor Security Controls
• Respond to Incidents

In a nutshell, FISMA requires compliance for all data and information systems that support the agency’s operations and assets. This includes operations and/or assets provided or managed by other agencies or contractors. As part of the FISMA process, agencies must be able to produce a complete and accurate inventory of all systems including their security status and requirements.

For more on FISMA visit: http://csrc.nist.gov/groups/SMA/fisma/index.html

Visa's Mandate for Merchants to be PCI Compliant - Deadline is July 1, 2010

Electronic payment applications with credit card processing MUST meet PA-DSS
(Payment Application - Data Security Standards)

Deadline to enforce the requirement is July 1, 2010. If you are a merchant and you are NOT compliant - you may find that your merchant account service provider (bank) will not be able to process your credit card payment transactions!

Specifically - Visa will NOT allow financial institutions who provide merchant account service (Acquirers) to sign up merchant accounts for companies who use payment applications that are NOT in compliance with these security standards.

This is being driven by valid concerns over the increasing incidents involving large amounts of credit card data being breached and/or stolen annually. As a result, a data security council was formed by the payment industry to adopt Visa's PABP (Payment Application Best Practices) security initiatives. The mandate is to ensure that all electronic payment applications with credit card processing MUST meet PA-DSS (Payment Application - Data Security Standards) to guard against cyberdata thefts.

This reinforces the fact that PCI Compliance is no longer an option for businesses accepting credit card payments. All merchants must be in compliance with PCI or they will be subject to huge fines.

For more information regarding PCI compliance, please visit the Visa website at the URLs below:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html
http://usa.visa.com/download/merchants/payment_application_security_mandates.pdf

Friday, April 23, 2010

HIPAA Violations and Enforcement - Penalties Listed!

HIPAA Violations and Enforcement

Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5).

Civil Penalties
The “American Recovery and Reinvestment Act of 2009” (ARRA), which was signed into law on February 17, 2009, established a tiered civil penalty structure for HIPAA violations (see below). The Secretary of the Department of Health and Human Services (HHS) still has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. The Secretary is still prohibited from imposing civil penalties (except in cases of willful neglect) if the violation is corrected within 30 days (this time period may be extended).

HIPAA Violations broken down:

• Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation)
Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

• HIPAA violation due to reasonable cause and not due to willful neglect
Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

• HIPAA violation due to willful neglect but violation is corrected within the required time period
Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

• HIPAA violation is due to willful neglect and is not corrected
Penalty: $50,000 per violation, with an annual maximum of $1.5 million

Criminal Penalties
In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Covered Entity and Specified Individuals
The DOJ concluded that the criminal penalties for a violation of HIPAA are directly applicable to covered entities—including health plans, health care clearinghouses, health care providers who transmit claims in electronic form, and Medicare prescription drug card sponsors. Individuals such as directors, employees, or officers of the covered entity, where the covered entity is not an individual, may also be directly criminally liable under HIPAA in accordance with principles of "corporate criminal liability." Where an individual of a covered entity is not directly liable under HIPAA, they can still be charged with conspiracy or aiding and abetting.

Knowingly
The DOJ interpreted the "knowingly" element of the HIPAA statute for criminal liability as requiring only knowledge of the actions that constitute an offense. Specific knowledge of an action being in violation of the HIPAA statute is not required.


Exclusion
The Department of Health and Human Services (DHHS) has the authority to exclude from participation in Medicare any covered entity that was not compliant with the transaction and code set standards by October 16, 2003 (where an extension was obtained and the covered entity is not small) (68 FR 48805).

Enforcing Agencies
The DHHS Office of Civil Rights (OCR) enforces the privacy standards, while the Centers for Medicare & Medicaid (CMS) enforces both the transaction and code set standards and the security standards (65 FR 18895). Enforcement of the civil monetary provisions has not yet been tasked to an agency.

Please refer to the AMA's FAQs on the privacy regulations for additional information on enforcement of the privacy standards.

No Private Cause of Action
While HIPAA protects the health information of individuals, it does not create a private cause of action for those aggrieved (65 FR 82566). State law, however, may provide other theories of liability.

REF: http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.shtml

HIPAA - Overview of HIPAA's goals

HIPAA stands for the United States Health Insurance Portability and Accountability Act. HIPAA is a set of standards introduced by Congress in 1996 that aim to protect the privacy of patient information in the healthcare industry by regulating how providers handle patient data while conducting business. HIPAA also ensures the continuity of individuals' healthcare coverage.

HIPAA created a set of universal standards for exchanging and securing personal data via electronic data interchange (EDI). The goal of HIPAA is to protect all data that is personally identifiable to a specific person, regardless if it is communicated orally, electronically or in writing.

There are two sections to the standard:
1) HIPAA Title I: Protecting citizens' healthcare coverage if they are fired or laid off
2) HIPAA Title II: Patients' rights and how to properly transmit, share and store their information.

The HIPAA privacy rule
All healthcare providers or any organization that processes medical records must inform patients of their privacy rights. They are required to educate and train staff on how medical data should be properly handled. They must also implement and practice the required privacy and security policies in order to ensure that electronic health information of patients remain secure.

HIPAA Fines
In the late 90's HIPAA fines and penalties for non-compliance were not often issued. Because of this, organizations assumed HIPAA compliance was discretionary. This is not true!

Recently, several organizations have received more than a slap on the wrist in the form of hefty HIPAA-related fines for bad practices, causing many healthcare organizations to rethink their lagging efforts in implementing and enforcing HIPAA policies. I will cover some of these instances under a different entry!

HIPAA - Brief Overview of Guidelines

HIPAA security rules and compliance guidelines
HIPAA's standards require that all healthcare industries apply and enforce certain protections.

1) Organizations must have an administrative authority in charge of managing and enforcing HIPAA compliance rules, regulations and efforts. There should be a clear set of guidelines in place regulating who is and isn't permitted to access patient information. All access to sensitive data and systems should be monitored.

2) Documentation should be provided to patients informing them of their rights.

3) All corporate systems, machines and buildings must have physical and technical data and intrusion protection controls to prevent malicious hackers and unauthorized access.

4) There must be a traffic-monitoring device, such as a firewall, in place to examine activity coming into and leaving the organization's network.

5) Management should practice risk assessments, data-handling policies, data loss prevention (DLP) and record all security policies and procedures.
Note: These steps are numbered for ease of reading and do not denote actual steps taken from the requirements.

Appoint a central HIPAA management person or persons
These key people will be liaisons between your business and IT management teams. The goal is to delegate the responsibility of managing and enforcing compliance policies and procedures to a specific person or group. Tasks will be to educate staff, handle data, enforce policies, answer questions and lead corporate efforts.

You will also need to make sure that all employees are aware of what the HIPAA regulations and policies are, how and why the organization needs to become compliant, and what the potential penalties and fines are for non-compliance.

HIPAA employee awareness compliance training
All organizations affected by HIPAA should ask employees to undergo some form of HIPAA training to ensure the rules and regulations are clear and everyone is on the same page. You will need proof of this training! The training sessions should clearly identify what constitutes sensitive patient information, how it should be protected and who is allowed to access that information. This is critical if you ever have an incident where an employee claims that he or she was unaware of the HIPAA policies and procedures.

Restrict and monitor employee access
Administering access controls and data-handling policies are essential parts of all good compliance programs. Access to sensitive data and materials must be restricted to only those who absolutely need it to perform their job function. Additionally, their access should be monitored frequently and updated as required. Note - if you terminate an employee or they change positions - please remember to update access controls to avoid giving the wrong people open access privileges.

PCI DSS 1.2 - Check for rogue Wireless Networks

PCI DSS requirement 11.1 states:

"Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use"

This requirement to change from WEP to WPA came several years ago - so hopefully you have already put this into your budget. Smaller companies can use a wireless analyzer to scan the network periodically for rogue and/or non-WPA wireless networks. If you find them you can take them offline as they are discovered. It is better to perform scans frequently. Once per month is the minimum suggested - the more the better.

If your company has a large physical footprint, wireless surveys are not feasible. Consider using an existing wireless infrastructure to act as a sensor in a rogue wireless detection system by using a wireless IDS/IPS. Tools you can use are Kismet (open source tools), AirMagnet or AirTight Networks.
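One way to turn a periodic wireless survey into requirement 11.1 findings, as an added example (not code from this blog or from any of the tools named above). The CSV column layout, the approved-AP inventory, the signal threshold and the function name audit_scan are assumptions; all sample data is constructed. It flags approved access points that are not on WPA, unapproved access points advertising a corporate SSID, and unapproved access points strong enough to be inside the building, while ignoring faint neighbouring networks.

```python
import csv
import io

# Constructed inventory of approved access points: BSSID -> expected SSID.
AUTHORIZED_APS = {
    "02:AA:00:00:00:01": "CorpNet",
    "02:AA:00:00:00:02": "CorpNet",
    "02:AA:00:00:00:03": "CorpPOS",
}

# Constructed survey export. The column layout is an assumption for this
# example and is not the output format of any particular wireless analyzer.
SAMPLE_SCAN = """bssid,ssid,encryption,signal_dbm
02:AA:00:00:00:01,CorpNet,WPA2,-48
02:aa:00:00:00:02,CorpNet,WEP,-55
02:AA:00:00:00:03,CorpPOS,WPA,-60
06:BB:00:00:00:10,linksys,OPEN,-42
06:BB:00:00:00:11,CorpNet,WPA2,-58
06:BB:00:00:00:12,CoffeeShop,WPA2,-88
"""

ACCEPTED_ENCRYPTION = {"WPA", "WPA2"}
# Assumed cut-off: anything at least this strong is treated as on premises.
ON_PREMISES_DBM = -70


def audit_scan(scan_csv, authorized=AUTHORIZED_APS):
    """Return one finding per access point that needs follow-up."""
    corporate_ssids = set(authorized.values())
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().upper()
        ssid = row["ssid"].strip()
        encryption = row["encryption"].strip().upper()
        signal = int(row["signal_dbm"])
        reasons = []

        if bssid in authorized:
            if ssid != authorized[bssid]:
                reasons.append("approved AP advertising an unexpected SSID")
        elif ssid in corporate_ssids:
            reasons.append("unapproved AP advertising a corporate SSID")
        elif signal >= ON_PREMISES_DBM:
            reasons.append("unapproved AP with on-premises signal strength")

        # Encryption matters for our own APs and for anything already
        # flagged; a faint neighbouring network is out of scope.
        if (bssid in authorized or reasons) and \
                encryption not in ACCEPTED_ENCRYPTION:
            reasons.append(f"non-WPA encryption ({encryption})")

        if reasons:
            findings.append({"bssid": bssid, "ssid": ssid,
                             "signal_dbm": signal, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SAMPLE_SCAN):
        print(finding["bssid"], finding["ssid"],
              "; ".join(finding["reasons"]))
```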

Best practice when upgrading is to eliminate any impact to your credit card processing systems. It is recommended that you run both WEP and WPA networks simultaneously for a few weeks and then make the transition of all hardware to your new WPA network. Don't put this off as merchant banks won't be willing to open up the possibility for an attack. Securing your wireless network is critical and it will lead you one step closer to PCI Compliance! If you need any assistance send me an email and I will help! jgrahamusa@yahoo.com

PCI Compliance - Eliminate WEP by June 30 2010

The Payment Card Industry Data Security Standard (PCI DSS) requires companies to eliminate all use of Wired Equivalent Privacy (WEP) on their networks. WEP is an outdated standard that uses insecure cryptography. This allows hackers using AirCrack to penetrate WEP networks in a matter of seconds. The release of PCI DSS 1.2 in late 2008 from the PCI Security Standards Council set forth three new requirements for organizations using wireless networks:

1) Use strong encryption and authentication for all wireless networks.
2) Do not deploy any new WEP networks.
3) Decommission any existing WEP networks by June 30, 2010.

If you have not started you better get moving! You will need to deploy the more secure Wi-Fi Protected Access (WPA) encryption standard.

The WPA standard has been available for more than five or six years. If you have older WEP equipment that does not support WPA - then it will soon be near its life's end. So you must consider replacing it to deploy WPA.

To upgrade your network you will need to upgrade all wireless access points used on your company's campus. You will also need to upgrade your wireless adapters in client systems. If you have Wi-Fi-reliant client devices these will work in the new environment. You can also provide USB wireless adapters for laptop users as required.

One situation I ran into recently, when on a PCI consulting job, was the use of both WEP-encrypted and unencrypted networks running within the buildings. Employees brought their own wireless routers and plugged them into the corporate network. Of course they were caught but this is an issue that needs to be addressed. These are referred to as "Rogue" wireless networks and can be an issue with PCI DSS requirement.

The PCI DSS requirement 11.1 states:
"Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use".

So don't let this one slip by your IT teams! Add it to the procedures and policies of your company so it is not overlooked! Good Luck!

Andy Purdy's Call to Secure our Nation's Infrastructure

Andy Purdy, National cybersecurity expert and former federal cybersecurity czar, calls for a new leadership committee to secure our nation's critical infrastructure.

Recently at the SOURCE BOSTON 2010 security conference, Purdy called for a leadership committee that would consist of both government and private sector officials. Their goal - to identify strategic priorities and take action on lessons learned from the 2006 and 2008 Cyber Storm exercises.

Purdy participated in the Cyber Storm exercises that tested the nation's response to a major cyberterrorism attack. Purdy was a participant and agrees that little was done as a result of the findings. No lessons learned were applied in an effort to implement better defenses and develop a more coordinated response. So I wonder why did they even do them?

Per reports - Purdy states that much of the response to the exercises has been in the form of talk. Many reports highlight deficiencies, but little action has been taken. Cyber Storm I cost $3.5 million and more than $6 million was spent on Cyber Storm II, Purdy said. That adds up to $9.5 million of wasted tax dollars.

"Nobody followed up," Purdy said. "The challenge was to try to create visibility to get the government and private sector together … the opportunity for something like the outcome of Cyber Storm provides a roadmap for the private sector."

You may or may not know - but Purdy worked in the Bush Administration as one of the cybersecurity experts. He helped draft the U.S. National Strategy to Secure Cyberspace in 2003. He then moved on to the Department of Homeland Security where he served on the team that helped to form the National Cyber Security Division (NCSD) and the U.S. Computer Emergency Readiness Team (US-CERT). He is currently chief cybersecurity strategist at Falls Church, Va.-based Computer Sciences Corp.

Purdy, in my point of view, should have driven home the fact that the entire goal of such an exercise is to gain lessons and work towards resolving known issues based on their critical nature while he was involved with these projects. Now Purdy's call for yet another committee leaves me wondering if they too will have the share-information-and-do-nothing attitude. Let's hope not.

Purdy's suggested leadership committee would meet quarterly and bring all the key stakeholders together to help White House cybersecurity coordinator Howard Schmidt set goals. His goal is to create a framework and identify strategic priorities or milestones that can be set so the White House could track progress. The focus would take a risk-based approach to address preparedness, defend against malicious activity and foster research and development activities.

The most unsettling comment from Purdy per reports - While some experts say it could take a major cyberattack to get the government moving on issues, Purdy said a cyberattack won't result in getting any action. "Somebody will get blamed," he said. "We have not adequately made it clear to decision makers what it is they need to worry about and what they need to do about it."

Thursday, April 15, 2010

TJX & Heartland Payment Systems - Data Thief Receives Two 20-Year Prison Terms

Theft of over 130 million debit and credit cards earned Albert Gonzalez, 28, of Miami, Florida, two 20-year prison sentences last month. Gonzalez also had two Russian hacker counterparts in these attacks. Together they make up the largest hacking and identity theft ring ever prosecuted in the U.S.

DETAILS
A federal judge sentenced Albert Gonzalez to 20 years and one day in prison for being the mastermind behind the data security breaches into Heartland Payment Systems Inc. and other companies.

He was also sentenced to another 20 years in prison for his role in the theft and sale of millions of credit and debit cards from TJX Companies Inc., Barnes and Noble, 7-Eleven Inc., Hannaford Brothers and other retailers. Not to forget the more than 250 financial institutions that were affected as well. Both sentences are to be served concurrently.

How did they steal the data? According to the indictment, they researched the credit and debit card systems. Then they used SQL injection attacks to bypass network firewalls to steal the data. They hid their activities by testing their malware against antivirus products prior to the attacks.

In the end, Gonzalez will spend many years in prison for the theft and sale of millions of debit and credit cards. He will also be required to serve three years of supervised release following his prison term. As far as fines, he was ordered to pay a $25,000 fine in both cases, a total of $50,000.

This fine by no means is large enough, in my opinion, given the shockwaves that still rumble in the retail and financial sectors due to their crimes. As a result, PCI compliance and other safeguards have emerged to thwart these types of attacks in the future.

"These sentences -- some of the longest ever imposed for hacking crimes -- send a powerful message to hackers around the globe that U.S. law enforcement will not allow them to breach American computer networks and payment systems, or illegally obtain identities," said Assistant Attorney General Lanny A. Breuer.

PCI Council - Guidance on End-to-End Encryption

2010 RSA Security Conference
The PCI Security Standards Council is researching emerging technologies and plans to issue a guidance document on end-to-end encryption in the next version of the PCI Data Security Standards (PCI DSS) expected for release in October.

It is reported that Bob Russo, general manager of the PCI Council, said researchers are preparing documentation on what he calls the latest industry "big buzz word." Other technologies they are researching include tokens and chip and PIN, which are used to protect credit card data, as well as how virtualization affects data protection technologies.

When questioned by a reporter at the RSA conference, Russo reported the following updates on the PCI standard:

ADOPTION
Bob Russo: In 2009 we were seeing a lot of uptake on the standard. Since it's a global standard, we're seeing it throughout the world. We're doing lots of training and lots of awareness-type seminars for literally every place around the world. All of our training is pretty much sold out. This year we've had to add training sessions so people can understand what the standard is and get better prepared for an assessment. So overall 2009 was a very good year for the Council, but 2010 is a very busy year for us. We're releasing three standards this year in eight different languages, so we're working hard.

NEW TECHNOLOGY
Russo: We're studying a couple of technologies right now to give additional guidance on them hopefully this year when we release the standard. Chip (chip and PIN) [is being studied] as an initial technology, because chip is a mature technology. There's a lot known about the technology. We have a lot of experience with it outside the United States, so we're looking at chip and we're actually mapping how chip would compare with the standard. We certainly don't think that there's a silver bullet in any of these technologies, whether it is chip and PIN, end-to-end encryption as the buzz word goes, tokenization or anything of that nature.

The second technology is encryption. Russo does not like the term end-to-end encryption. Whether it is point-to-point encryption, account data encryption or transaction-based encryption, whatever it ends up being, they will be mapping that as well. Then they will be moving towards technologies such as tokenization and virtualization.

The PCI Council is creating a framework right now where they map these technologies out and lay them next to the standards, so if a company is using one of these technologies, the framework will let them know if they would satisfy certain PCI requirements.

Summary of Interview
2010 REVISIONS
As far as revisions for 2010, at this point they are collecting feedback, which will close at the end of April. The feedback touch points are how to best protect the data, how much this will cost a merchant, the return on investment, and whether anything fundamentally changes the way the merchant will do business to comply.

Bob Russo reports that they won't require something that changes the fundamental way a merchant does business. They are not going to put existing compliant merchants out of compliance. Ideally they will issue a guide for best practice for a certain period of time.

END-TO-END ENCRYPTION
Another question from merchants about end-to-end encryption is: from what end to what end? This is key. There are no standards yet for this type of encryption and how the keys are handled. If you are not careful you can end up making things less secure.

INTEGRATED SOLUTIONS
There are a dozen solutions on the market. The questions are: Do they talk to each other? Are they interoperable? What if a merchant is using more than one? All of these things will need to be considered.
What the PCI Council plans to study is an encryption solution and the minimum level of things that need to be done with an encryption solution. Once this is defined they will then put out some guidance, but nothing specifically in the standard itself.

TOKENIZATION
Tokenization is making its way into emerging encryption products. The PCI Council doesn't see themselves requiring any kind of tokenization, end-to-end encryption or chip technology in this version. However, they will issue guidance on them. Russo: If a merchant has already started down a path and spent some dollars on one technology, certainly it would not be in our best interest to say "you chose the wrong technology now you need to use this technology." So there will be guidance on each one of these things that we roll out.

DON'T PANIC - YET
In the last version of the standard, requirement 6.6 was a best practice for 18 months. It's still too early to tell if this will be a version 2 or a version 1.3.

Monday, April 5, 2010

FireScope Reduces the Complexity in Compliance

FireScope is a leader in Modular Compliance Solutions. FireScope's Compliance feature consolidates, automates and simplifies compliance efforts!

The result - reduction of costs associated with regulatory audits.

FireScope delivers real-time monitoring of key control objectives, intuitive checklists and powerful inline reporting. These contribute to a faster turn-around time for remediation, less cost and time spent in determining control effectiveness and audits.

The Result - greater efficiency and quality in IT security and administration.


Below is FireScope's 5-Pronged Assault on Compliance Complexity

1. Automated Monitoring of Key Controls
FireScope consolidates all of the real-time monitoring of key controls into a single interface that includes log aggregation and processing, object access records, security events and more. These are deployed through pre-configured templates that can be associated with the key assets in your infrastructure, enabling rapid deployment and easier management.

This simplifies your day-to-day management of compliance events and enables faster turn-around time for remediation, less cost and time spent in determining control effectiveness and audits, and greater efficiency and quality in IT security and administration.

2. Real-Time Dashboards
For real-time management of the business impact of IT Operations, compliance-specific dashboard pagelets provide real-time status of compliance controls. Instant compliance status on an ongoing basis simplifies the process of maintaining compliance between audits.

3. Interactive Checklists
Some aspects of compliance can't be automatically evaluated. FireScope provides intuitive self-assessment checklists that guide you through each line item of compliance controls and record results for instant access when you need them.

4. Easy, Pre-Built Reports
FireScope includes a rich library of pre-built reports that document an organization's adherence to compliance and can be handed to the auditor. This significantly reduces the labor and costs of the audit. As audit requirements change over time, each report can be easily extended to meet evolving needs.

5. Extensible Architecture
FireScope's modular approach to compliance makes it extremely easy to support changing compliance requirements, or introduce support for other regulatory and governance standards.

FireScope, Inc. is headquartered in Huntington Beach, California, and provides organizations with actionable business intelligence concerning the health and security of all critical IT assets, regardless of operating system or platform with its FireScope line of security appliances.

Check them out at: http://www.firescope.com/Solutions/Compliance/

FireScope Raises the bar with Modular Compliance Solution

I recently had a conversation with Steve Cotton, CEO of FireScope. The company provides an integrated IT Service management suite including FireScope Business Service Management, Configuration Management and Analytics solutions. They have developed the industry's first self-service solution allowing businesses of any size to achieve a technology-agnostic, single-pane view of assets, events, performance trends, security and service-level agreement status. My interest was to see how this applies to the Compliance sector.

FireScope offers a very unique approach to Compliance with HIPAA, SOX, PCI, NIST, GLBA and NERC. I had the opportunity to have a demo of the portal (web dashboard), and it was very impressive. What do I mean by that? Everything you would want to take action on, or review, is in one web-based dashboard! All status reports, administration tasks, task assignments, real-time data, etc., in a one-window view! The demo showed views of their integrated IT Service management solution that included FireScope Business Service Management, Configuration Management and Analytics solutions. Thank you Josh - FireScope!

What is really cool is that FireScope is the first IT Operations Web-based portal built on Web 2.0 technology with a services-oriented architecture (SOA). Their "industry first" modular approach allows users to pick and choose services that apply to standards such as HIPAA, SOX, PCI, NIST, GLBA and NERC. Services include options for security, performance, availability and compliance monitoring along with long-term strategic planning, administration, task assignments, compliance reporting, audit related data, and more.

The ability to pick and choose service options is very flexible and the modules can also be reused with the ability to add new services at a later time. This makes their solution very flexible, affordable and scalable for companies of all sizes to adopt and manage over time. FireScope installs rapidly and is subscription based so you only pay for the services you use! This makes FireScope a very reasonable choice when compared to other options, such as adoption of multiple solutions, long integration timelines, heavy maintenance and payment for options you will never use.

If you are seeking a Compliance Solution you must see FireScope!
Visit them at: http://www.firescope.com

Sunday, March 28, 2010

Abbo EMR provides Medical Records on Smartphones

Access to your medical records has just become easier for patients. ABBO EMR is a web and mobile integrated system for tracking medical records between patients and doctors.

On March 25th Dr. Fred Abbo, of La Jolla, CA, announced that he has developed an advanced medical record system that provides paperless communication between doctors and patients via the Internet and mobile phones. The software provides patients with complete access to medical records including reminders and lab reports.

Abbo EMR is a web and mobile document that allows patients to view, edit and update their personal health care history online. Data that can be edited consists of medications used, past diagnoses, office visits, lab results and physician’s instructions. Doctor visit reminders are also sent to the patient via text message and by email.

The company believes that a key feature in Abbo EMR is the graphing capability. Medical data such as lab test results, EKG parameters and life-style parameters are plotted on a graph to detect trends. This helps patients working on improving lab results such as cholesterol and vitamin levels over time.

The company that assisted Dr. Abbo in developing the software is Zco Corporation. Zco specializes in multi-platform application development including iPhone, iPad, Android and Blackberry. They also develop backend industrial strength applications leveraging .Net and Java Technologies.

Wednesday, March 24, 2010

HSBC’s Swiss Private Bank Data Theft - 24,000 Clients

Europe's largest bank, HSBC, is feeling the heat due to a costly data breach that involved highly confidential client accounts. Swiss banks... does that ring a bell?

Ex-employee Hervé Falciani gained access to client data while on a project to transfer HSBC’s customer database to a more secure system. In the process, Falciani stole the personal data of 24,000 clients from a branch in Switzerland.

This set off a string of concerns among clients who depend on the confidentiality associated with Swiss banks. Per the FT.com report, HSBC said that the stolen information was limited to accounts in Switzerland. “We deeply regret the situation and unreservedly apologise to our clients for this threat to their privacy,” said Alexandre Zeller, head of HSBC’s Swiss private bank.

The concerns grew deeper when the ex-employee (Falciani) admitted stealing the data and providing it to French tax authorities. He denies receiving any payment. Falciani also tried to sell the information to Lebanese banks before he was caught.

It is reported that his actions have strained Franco-Swiss relations because there are fears that the French authorities could use the stolen data to detect tax evaders and pass on details to other countries such as the U.S.

It is reported that due to this security breach, HSBC is spending $93M to upgrade their systems and improve security.

For the full report see:
Ref: FT.com - By Haig Simonian in Zurich and Sharlene Goff in London
Published: March 11 2010 09:25

Medisoft v16 - Improves Integration with HIPAA Compliance

MedicalBillingSoftware.com just released their latest version of medical practice management software called Medisoft 16. The new version offers improvements in insurance billing and practice management tasks associated with integration between Medisoft Clinical EMR Software program and HIPAA compliance. This level of integration allows small health care companies to spend more time with patients instead of administrative tasks.

Medisoft Clinical EMR Software has been adopted by thousands of medical and health companies around the U.S. Medisoft v16 offers improvements related to billing, scheduling, and patient accounting processes. The software is Windows-based, so it is familiar to Microsoft software users. The software also integrates with most existing software in use by most medical practices.

In summary, Medisoft v16 streamlines patient scheduling capabilities while also improving insurance claims processing and revenue management, increasing productivity and processing time for both individual and small practices. This equates to higher profit margins and better patient care.

KEYLOK Fortress reduces Software Piracy

KEYLOK was founded in Denver, Colorado in 1980 as Microcomputer Applications, Inc. Their KEYLOK Fortress platform provides piracy protection for thousands of applications on many levels. This provides developers with the ability to deploy a security solution that prevents hacking and piracy.

KEYLOK announced a new capability called Code Porting for the KEYLOK Fortress dongle. KEYLOK with Code Porting allows developers to port 10,000 lines of executable code to the smart card portion of the dongle. This secure area allows the code to be executed, returning results to the application running on the computer. The beauty of this is that software cannot be copied or run without the dongle holding the critical code required to run the software.

“KEYLOK’s driverless Fortress delivers the most secure software protection solution available today,” stated Stuart Zinanti, president of KEYLOK, Inc. “The combination of code porting and the tamper proof smart card hardware provide a highly reliable solution for protecting our customers' valuable software.”

Benefits of code porting with KEYLOK Fortress include:

- Segregate key pieces of the application to run on a separate, secure smart card computing environment
- Code executed on the dongle cannot be inspected or hacked
- Application is configured to run separately on the computer and the dongle
- Software cannot be copied and run without presence of the dongle because key pieces of the application will be missing

Code Vault and the KEYLOK Fortress Smart Card is a driverless hardware dongle. The combination of the smart card and dongle will reduce piracy and hacking greatly, offering a reliable and secure solution to software developers.

Ref: Denver (PRWEB) March 24, 2010

Thursday, March 18, 2010

Social Networking and Identity Theft

Social Networking is a growing concern for online identity theft. Sites like MySpace, Facebook, and Twitter are key targets. As an example, cyber-criminals are selling hacked Twitter accounts and passwords online for up to $1,000. The cyber-criminals use those accounts to infect other computers with software that steals data (data-stealing malware). With this software they can hack into your personal data and steal bank account information that could result in drafts on your checking or savings accounts.

Tami Nealy is the Director of Public Affairs for Lifelock. "I think the time we live in gives identity thieves more opportunity. People are using online forums daily that are not secure, thus giving identity thieves more and more opportunities," Nealy said. "Identity thieves act as imposters and create file-sharing programs. You think you are getting an email from someone you know, but by accepting the share program, you are giving thieves access to your data, your personal information. Anytime you provide your personal information, make sure the website is a secure site." Note: Credit card debt and credit card identity theft comprise the majority of identity theft.

FTC - Identity Theft is #1 Complaint

In 2009 identity theft was ranked as the number-one consumer complaint category according to the Federal Trade Commission (FTC).
It is reported that 1.3 million people were victims of identity theft accounting for 21% of total complaints per the FTC.

2009 Identity Fraud Stats - Climbing ID Theft

ID Theft Statistics: Javelin 2010 Identity Theft Report

In February Javelin Strategy & Research issued their 2010 report on identity fraud for 2009. Key highlights from the report show that while the instances of identity theft reached record numbers in 2009.

Key statistics
- 11.1 million adults were victims of identity theft in 2009
- The total fraud amount was $54 million
- The average victim spent 21 hours and $373 out of pocket resolving the crime
- 4.8% of the population was a victim of identity fraud in 2009
- 13% of identity fraud crimes were committed by someone the victim knew

Per Javelin, the number of identity fraud victims increased by 12% in 2009 and the amount of fraud increased by 12.5%. They report that this is the largest increase since they have been reporting on ID Theft (7 years).

- 4.81% of the US population is a victim of Identity Fraud.
- The total fraud amount in 2009 reached 54 BILLION dollars, which is up from 48 BILLION dollars in 2008.
- Consumers who monitor their accounts electronically have shorter detection times and their consumer costs are over 50% less.
- Social Security Number thefts remain the top breached data and one of the most difficult frauds to detect.
- The risk of Identity Theft through social networking has nearly doubled in the last year.
- Small Business owners suffer from Identity Fraud at one-and-a-half times the rate of all other adults.

New account fraud represents 39% of all 2009 fraud cases; it was 33% in 2008.
They note that most of these fraudulent accounts were opened online. Fraudulent cell phone accounts make up 29% of total new account fraud. Existing credit cards are big targets too. They make up 75% of fraud attacks on existing accounts.

Jamie's MOTTO.....

Don't follow the path that is already there....go instead where there is no path....and leave a trail....

This trail is a part of a long journey .....