« April 2009 | Main | June 2009 »

May 2009

May 28, 2009

LT Auditor+ 9 June '09 Update Includes Dramatic Increase in Reporting Speed

The upcoming release of the LT Auditor+ 9 June '09 update features a newly optimized reporting engine which beta users have reported as "incredibly fast". 

The test data indicates that even with large data sets including millions of records, the time to generate reports was reduced from minutes to seconds and in some extreme cases, from hours to just a few minutes.

The dramatic results were consistent on both SQL Server and Oracle platforms.  Other new additions will be outlined when the update becomes available.  The June '09 update is scheduled for release on June 1 and will be available from the LT Auditor+ User Center.

Posted by John Pace on May 28, 2009 at 01:01 PM in Product Updates | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

Texas Lottery Employee Arrested After Stealing Personal Data

The Austin American-Statesman reported last week that 39-year-old Joseph Anthony Mueggenborg of Austin was arrested in connection with the 2007 theft of the personal details of more than 27,000 lottery winners, employees and retailers.

According to the paper,

According to a search warrant filed in September, an assortment of Lottery Commission files was discovered on Mueggenborg's state computer while he worked in the fiscal management division of the Texas comptroller's office.

They included "names, social security numbers, race/sex, home addresses, home telephone numbers, hire date, job titles" and other information on 619 lottery employees; names, addresses and amounts won and paid on 27,075 "mid-level Texas Lottery prizewinners"; and the names and Social Security numbers of 534 lottery retailers.

Read the entire article

Posted by John Pace on May 28, 2009 at 12:38 PM in Data Loss, Data Theft, File Auditing, Information Security, Insider Threat, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

NIST SP 800-53 Solution Brief Now Available

Blue Lance released its LT Auditor+ Solution Brief today for IT controls outlined within SP 800-53 - Recommended Security Controls for Federal Information Systems produced by the National Institute of standards and Technology (NIST).  The document illustrates how LT Auditor+ maps to the NIST IT controls as documented in the framework.  The document is one of several solution briefs being developed on IT security regulations and frameworks including GLBA, FISMA, and Sarbanes-Oxley.

LT Auditor+ is an important step on the path to IT security and compliance.  The tools provide detailed audit trails for Novell NetWare and eDirectory as well as Microsoft Windows file systems, Active Directory and Group Policy.  It allows security and compliance teams to monitor, report and alert on access and changes to sensitive files and configuration settings.

The SP 800-53 Solution Brief is available now through the LT Auditor+ User Center.

Posted by John Pace on May 28, 2009 at 11:43 AM in Data Loss, Data Theft, FISMA, HIPAA, Information Security, Insider Threat, NIST SP 800-53, Privacy, Regulatory / Compliance | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

|

May 20, 2009

Kaiser Hospital Hit with $250,000 Fine After Breach

The LA Times is reporting that Kaiser Permanente's Bellflower hospital has been fined $250,000 by the California Department of Public Health over a breach that occurred in January of this year.

The California Department of Public Health charged that the hospital "failed to prevent unlawful or unauthorized access to, or use or disclosure of a patient's medical information".  It is the first monetary penalty from an amendment to the California Health and Safety Code enacted January 1.

In all, the investigation found that 21 employees and 2 physicians viewed Nadya Suleman's medical record without need or authorization.  Many of the accesses had apparently taken place after the initial breach notification to the state.

I think California is sending a clear message here about their commitment to enforcement here.  I will also be interested to see if HHS will follow California's lead with its own penalties for HIPAA violations.

LA Times Article

California Penalty Notice

Posted by John Pace on May 20, 2009 at 02:01 PM in HIPAA, Information Security, Insider Threat, Privacy, Regulatory / Compliance | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

May 19, 2009

KPMG Study Finds That Corporate Data Theft More Than Doubled Since 2006

A report released yesterday by KPMG and law firm Mishcon de Reya concludes that corporate data theft in the UK has more than doubled between 2006 and 2008. 

According to the press release:

"In the current uncertain times, the theft of business sensitive and confidential information by employees is a real threat to companies. With redundancies being made across all sectors in the UK along with rising job insecurity, more and more employees are using the confidential information they have obtained with their current employer in order to give them the edge in the increasingly difficult job market."

Key Findings

  • In 93% of the cases, the theft was not discovered until after the employee had left the company.

  • 70% of the time, the perpetrator was an employee who went to work for a competitor.

  • In 75% of cases the stolen data customer or client-related information (relating to customer relationships, levels of trading, pricing information, profit margins and so on) or customer lists.

  • 69% of cases involved males, or groups of males.


According to Hitesh Patel, partner in KPMG’s Forensic practice,

“These findings highlight the challenges of defining what data within your business should be considered proprietary and also when and why it may be construed as public information. Companies need to consider how vulnerable they are to this kind of misconduct by employees and ensure that they have everything in place to prevent or fight information theft.”

The report also suggests that measures be taken to not only prevent, but also respond to the theft of data to minimize losses, take legal action and recover the data quickly to prevent damage from its release.

The full report is available here.

Posted by John Pace on May 19, 2009 at 03:09 PM in Data Theft, File Auditing, Information Security, Insider Threat, USB Auditing | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

May 14, 2009

Nearly half of IT security budgets deemed insufficient

SC Magazine has published an article with results from a new survey called “What keeps network administrators up at night”.

The survey found that 41 percent of respondents had their IT budgets decrease in 2009.  46 percent said that their current budget was not sufficient to support current information security needs.

Read the article here.

Download the survey.

Posted by John Pace on May 14, 2009 at 12:17 PM in Information Security | | Comments (0) | TrackBack (0)

Technorati Tags: ,

|

May 13, 2009

UC Berkeley Overlooks Breach for Six Months | 160,000 Individuals Exposed

In a case which clearly identifies the need to have both perimeter security and internal security auditing, the University of California, Berkeley announced that notifications had begun in a server breach that began on October 9, 2008 and continued until April 9 of this year.  More than 160,000 records of individuals were reportedly exposed.

The breach was discovered when administrators identified messages left behind by the hackers while performing routine maintenance.  The subsequent investigation performed by the security incident team indicates that the attacked was launched overseas and began by accessing a public web site.

The lost data includes Social Security numbers, health insurance information and immunization records.  The victims of the breach include UC Berkeley students, and their families who had UHS health care coverage.  UC Berkeley has created a website, datatheft.berkeley.edu to assist victims with information and established a 24-hour hotline to answer questions.

If it weren't for the hackers leaving messages behind, this breach may have never been discovered.

Original Press Release

Posted by John Pace on May 13, 2009 at 11:02 AM in Data Loss, Data Theft, Information Security, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

May 07, 2009

U.S. ICE Legislation Aims to Refocus Goverment IT on Security

Last week, the Senate introduced the United States Information and Communications Enhancement Act of 2009, also known as U.S. ICE in an effort to reform FISMA.

FISMA had long been characterized as waste of time with a focus primarily on compliance and paperwork, with very little focus on security.  Several high profile breaches over the years since FISMA was enacted have brought Federal information systems security back into the spotlight, encouraging Congress to reexamine the issue.

The U.S. ICE Act will create the National Office of Cyberspace, headed by a presidential appointee, and will be responsible for, "coordinating issues relating to achieving assured, reliable, secure, and survivable global information and communications infrastructure and related capabilities."

According to a recent presentation by Erik Hopkins, the goals of the U.S. ICE legislation will

  • Recognized global interconnectedness

  • Increased situational awareness by leverage the resources of the entire Federal government

  • Greater accountability within agencies

  • Enhanced monitoring, detection, and responsive

  • Elimination of distinction between NSS/ NNSSS

  • Effective partnership between public demand and private supply

The bill is available for download in PDF format from here.

Posted by John Pace on May 07, 2009 at 03:00 PM in FISMA, Information Security, Regulatory / Compliance, U.S. ICE Act | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

May 04, 2009

Did a State Agency Respond to their Privacy Breach with a Second Breach?

In what has to be one of the strangest data loss cases ever, the Oklahoma Employment Security Commission fails on the handling of a recent data loss incident.

The News-Star in Shawnee, Oklahoma reported last month on a data loss incident at the Oklahoma Employment Security Commission, where an employee lost a flash drive contain containing the Social Security numbers and payroll information of more than 5,500 Shawnee-area workers while attending a work-related conference in Dallas.

According to one business owner, the state agency sent the breach notification via registered mail, but failed to include the owner's name.  Okay, an oversight to be sure but it's just a breach notification, right? 

Here's where it gets interesting...

Kurt Kalies, an audiologist and owner of Shawnee-based Hearing Health Care, Inc., said he become upset with the OESC when the state agency sent a certified letter to his business but failed to address it specifically to him.  “I just can’t believe they would send out that information to no recipient in particular,” Kalies said. “There was Social Security numbers and payroll information for every employee at the company. I don’t think that seems right to me.”

So, in response to the initial privacy breach and data loss, OESC responds by creating a secondary breach by sending the same lost information through the mail without explicitly identifying a contact to receive such information. 

In addition, the breach notification named the employee responsible for losing the flash drive; even after the agency had deemed the loss as accidental.

According to John Carpenter, the OESC spokesman, the investigation was brief:

“I called the guy and talked to him and I believe that he probably just misplaced the flash drive and that it wasn’t done intentionally,” he said. “I thought it was pretty strange that his name was in the letter considering they [the OESC] were saying it was an accident.”

The OESC's inept handling of this breach including the investigation and the response, illustrates the need to have a response plan in place prior to a breach as well as security policies and tools that safeguard sensitive data. 

Here's the original article.

What do you think?  Leave a comment below.

Posted by John Pace on May 04, 2009 at 01:54 PM in Data Loss, Insider Threat, Privacy, USB Auditing | | Comments (0) | TrackBack (0)

Technorati Tags: , , ,

|

Subscribe to the On the Radar Newsletter
Email Address*

January 2011

Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Recent Posts

Subscribe to this blog's feed
Bookmark and Share