Information security involves far more than just computer security.  It's about protecting information in all its forms against all sorts of risks using whatever security controls are cost-effective.  Technology-based controls such as logins, firewalls and antivirus programs, plus physical controls such as padlocks, are merely parts of the information security space - important parts, maybe, but not sufficient in themselves to secure our information assets.  This is where the modern approach to information security departs from traditional IT security in particular.  We need to secure not just the computer systems and networks but also the human beings - the people who design, develop, test, implement, use, manage and maintain the systems and networks, plus those who seem to get by perfectly well without IT ... Information security is very much a human endeavor, which of course makes it an ideal security awareness topic, not least as security cannot be addressed thro...

Phishers are already using the US hurricanes as the pretext: "... After several stormy rainfall occurred recently, We regret to inform you that a computer failure has affected some of the modules of our systems notament sending wire transfers and credit card payments online.  But our teams have set up a verification process and reactivate your account.  To complete verification, you will be taken through the following stages:    1. Input your Personal Information  2. Input your Account Information  3. Input your Online Banking Information    4. Click on Continue ..." Anyone gullible enough to believe that 'several stormy rainfall' is enough to knock out a bank's computer systems and require them to 'verify' themselves probably shouldn't have a bank account.   :-)

I've been reading the recently-issued revised FFIEC guidance to US financial institutions on user authentication and related 'layered' controls, and puzzling as to why such guidance is required  Is it really necessary for the FFIEC to tell banks, for example, to use "enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk"?  Is that not stating the bleedin' obvious?  Isn't it clearly in the banks' interest to make their valued customers aware of keylogging Trojans, phishing, 419s, money-mules and a zillion other scams? The financial institutions in which I have worked have all been hot on risk management, and have usually worked at or close to the cutting-edge of brand new security technologies.  My risk, security and fraud colleagues definitely appreciated the issues relating to failing to identify and authenticate customers, not least for Internet banking systems, while on t...

Distribute.IT, an ISP that suffered a devastating hacker attack on June 11th was attempting disaster recovery by June 13th but in serious trouble by June 17th and finally admitted defeat with the complete loss of several important customer-facing servers by June 21st, just ten days after the hack. Some 4,800 domains and customer accounts were lost, with (it appears) no offsite data backups from which they might have been restored. With 20/20 hindsight, someone in Distribute.IT's management presumably made some extremely unwise decisions regarding the risk that materialized. Whether they simply didn't consider or appreciate the risk, considered it too remote to address, or failed to treat the risk adequately, is now a moot point: whatever they did do was patently not good enough, and it looks like the business has failed. Controls that are meant to prevent hacks fail quite often in practice, so it would have been sensible to make suitable disaster recovery and business contin...

The website for the Sun newspaper, formerly a competitor to the now defunct News of the World , has been hacked, compromising personal details of entrants to an online competition .  Whether this is linked to Lulzsec and Anonymous hacks remains to be seen, but I'm glad I'm not an information security manager for the British tabloid press, or in fact any British news media.

EMC, which owns RSA, spent US$66m 'between April and June' as a result of the Trojan/hack incident in March that compromised their SecureID product. $66m may be Information Week 's headline figure and that's a staggering amount of money for starters, but that's just it - it's for starters. We're told " It doesn't include post-breach expenses from the first quarter, when EMC began investigating the attack, hardening its systems, and working with customers to prevent their being exploited as a result of the attacks." so we know for sure it is an underestimate of the full breach costs.  The wording of the disclosure also implies that it only covers the direct costs that are readily-attributed to the breach. Indirect costs such as the brand/reputation damage, customer defections, lost sales prospects, damaged employee morale and more are hard to even estimate, let alone with sufficient accuracy to satisfy the bean-counters and marketing people w...