CSPF Announces Second Annual Women In Security Lecture Series

The Canadian Security Partners’ Forum (CSPF) is preparing their second Women in Security Lecture Series, to be held Feb 7, 2013. Building on the momentum of last year’s sold-out event, CSPF will be hosting the event at the Hampton Inn, Ottawa, ON. With tickets going on sale just a week ago and nearly 150 tickets already sold, it looks like they will have another sellout on their hands.

The main premise of CSPF is to build strong networks, and the Lecture Series is no different. CSPF has partnered with firmly established and recognized associations including Canadian Women in Technology (CanWIT), ASIS Women in Security Council, Women in Security Ontario (WiSO), and Key Women in Security (KeyWIS).

The Lecture Series is dedicated to women in security mainly as a tribute to the associations that are part of the Series, but the event is open to both women and men. Last year 45% of attendees were men.

CSPF has been mapping the needs of the cybersecurity and security communities to build out a comprehensive agenda for the Lecture Series. Key topics being covered at the event include:
  • Cybersecurity
  • Security Risk Management
  • CSO/CISO Training & Education
  • Security & Academia
  • The relationship between security & intelligence
  • Security as a driver of shareholder value
  • Summarizing the relationship between national security & corporate security

The panel was specifically selected to represent depth of knowledge as well as breadth of experience. They will bring their extensive knowledge and compelling experience (National Security Council, US Department of Energy, Central Intelligence Agency) to make the discussions both informative and practical.

The list of elite presenters includes:
    – Founder, CEO, LEG Inc.
    – Named to Fortune Magazine’s Most Powerful Women in 2004, 2005 & 2006
    – Served on the White House National Security Council (NSC) as Director for Combating Terrorism
    – Former Director, Office of Emergency Response, US Department of Energy
    – Former Acting Director, Office of Weapons Surety, responsible for the safety and security of the American nuclear weapons program
    – President and CEO of KDM Analytics
    – Author of System Assurance: Beyond Detecting Vulnerabilities (2011)
    – 25+ years of experience and leadership in software and security engineering
    – Board Member for the Object Management Group (OMG), an international standards body
    – Co-Chair, OMG Architecture-Driven Modernization Task Force and System Assurance Task Force
    – Member of the SAS Technical Advisory Panel of the National Institute of Standards and Technology (NIST)

For more information and to register visit: http://cspfwomeninsecurity2013.eventbrite.ca/


How to stay off the list of Top Breaches 2013


As the saying goes, there is always something to be learned from every success and failure. What we can take away from the top breaches of 2012 is a list of what to do to avoid similar breaches and ensure you’re not on the list for 2013. Below is a list of what we felt were the most significant:

  1. Segment and divide your networks. Don’t have the prisoners on the same network as the guards. Related breach: New Hampshire Department of Corrections prisoners accessed the guards’ database.
  2. When you have a database, make sure you watch who is accessing it, what they are accessing and from where they are accessing it. Related breach: New York State Electric & Gas Co. had 1.8 million files exposed due to unauthorized access by a contractor.
  3. Create alerts for large amounts of data being moved. Related breach: South Carolina Health and Human Services had an employee steal the records of about 228,000 people by emailing them to himself.
  4. Use a trusted, private corporate courier for sensitive data. Related breach: California Department of Social Services microfiche damaged after being sent through the U.S. Postal Service.
  5. Limit access to, and storage/transfer of, large amounts of data, and allow it only on non-mobile devices. Related breach: NASA laptop stolen with thousands of employees’ personally identifiable information.
  6. All reports that are to be made public should be vetted by senior or security staff for sign-off, ensuring the report doesn’t contain any sensitive information. Related breach: Wisconsin Department of Revenue staff members posted a report with sensitive material on a publicly accessible website.
  7. When making major changes to data storage, include a security assessment: does your new setup meet the standards of the old system? It should exceed the old, not be a step back. Apply the same security, if not more, to backup information as to the primary source. Related breach: California Department of Child Support Services lost more than 800,000 sensitive records on backup tape when it was shipped by FedEx and the files fell off the truck.
  8. Update employee awareness and training. Related breach: University of North Carolina-Charlotte exposed 350,000 personal data files “accidentally made available for three months.”
  9. Sensitive data should be encrypted in case it is hacked. Related breach: Zappos had their network hacked, but the hackers couldn’t use the information because it was encrypted.
  10. Protect your network against SQL injection attacks by following best practices. Related breach: United States Navy & DHS website was hacked by blind SQL injection.
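Items 2 and 3 above describe monitoring who reads a database, what they read and from where, and alerting when large amounts of data move. The following Python is an added illustration, not code from the original post: it runs that logic over a few constructed audit-log lines. The log format, the internal address prefix and the two thresholds are assumptions chosen for the example.

```python
"""Flag suspicious database access in a simple audit log.

Added example with constructed data: the log format, the internal network
prefix and the thresholds below are assumptions, not values from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log: timestamp, principal, source IP, action, rows touched.
SAMPLE_LOG = """\
2012-11-01T09:01:10 alice 10.0.5.21 SELECT 40
2012-11-01T09:02:55 alice 10.0.5.21 SELECT 12
2012-11-01T09:05:00 contractor7 203.0.113.9 SELECT 180000
2012-11-01T09:06:30 bob 10.0.5.40 UPDATE 3
2012-11-01T09:07:02 contractor7 203.0.113.9 SELECT 50000
2012-11-01T09:09:11 carol 10.0.5.33 SELECT 220000
"""

INTERNAL_PREFIX = "10.0."        # assumed: addresses outside this prefix are "from where?" alerts
BULK_ROWS_PER_QUERY = 100_000    # assumed: a single statement touching this many rows
BULK_ROWS_PER_USER = 200_000     # assumed: cumulative rows per principal over the log window


def parse_line(line):
    """Split one audit line into a dict; raises ValueError on a malformed line."""
    ts, user, ip, action, rows = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "ip": ip,
        "action": action,
        "rows": int(rows),
    }


def find_alerts(log_text):
    """Return a list of (kind, principal, detail) tuples for the three checks.

    external_source: access from outside the internal prefix (reported once per user/IP)
    bulk_query:      one statement touched BULK_ROWS_PER_QUERY rows or more
    bulk_total:      a principal touched BULK_ROWS_PER_USER rows or more in total
    """
    alerts = []
    per_user_rows = defaultdict(int)
    seen_external = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["user"], ev["ip"])
        if not ev["ip"].startswith(INTERNAL_PREFIX) and key not in seen_external:
            seen_external.add(key)
            alerts.append(("external_source", ev["user"], ev["ip"]))
        if ev["rows"] >= BULK_ROWS_PER_QUERY:
            alerts.append(("bulk_query", ev["user"], ev["rows"]))
        per_user_rows[ev["user"]] += ev["rows"]
    for user, total in per_user_rows.items():
        if total >= BULK_ROWS_PER_USER:
            alerts.append(("bulk_total", user, total))
    return alerts


if __name__ == "__main__":
    for kind, who, detail in find_alerts(SAMPLE_LOG):
        print(f"{kind:16} {who:12} {detail}")
```

Real audit logs carry more fields and the thresholds must be tuned to normal traffic, but the shape is the same: tie every read to a principal and a source, and count rows rather than queries, because a single statement can move an entire table.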

eSecurityPlanet offers a comprehensive article that outlines four methods to prevent SQL injection attacks:

  • Filter user data for context; for example, an email address field should accept only the characters allowed in an email address
  • Use a web application firewall
  • Limit database privileges by context by creating multiple database users
  • Use SQL variable binding with prepared statements or stored procedures
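The first and last of those methods can be shown side by side. The following Python is an added example, not code from the eSecurityPlanet article or the original post: it uses an in-memory SQLite database (an assumption, so the example runs offline) to contrast a lookup built by string concatenation with the same lookup using bound parameters, and adds a context filter for the email field.

```python
import re
import sqlite3

# Constructed sample data; the in-memory SQLite database is an assumption
# chosen so the example runs without any external service.
SAMPLE_USERS = [("alice@example.com", "Alice"), ("bob@example.com", "Bob")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    # Deliberately unsafe: the untrusted value becomes part of the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = "SELECT name FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    # Hardened: the SQL text is fixed and the value is bound as a parameter.
    # The database engine treats the input purely as data, whatever it contains.
    sql = "SELECT name FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Context filter for an email field: defence in depth, not a substitute for binding.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def looks_like_email(value):
    return bool(EMAIL_RE.match(value))


def lookup_defended(conn, email):
    # Both controls together: reject out-of-context input, then bind the value.
    if not looks_like_email(email):
        raise ValueError("input is not a well-formed email address")
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"   # constructed input that is clearly not an email address
    print("vulnerable:    ", lookup_vulnerable(db, probe))      # every row comes back
    print("parameterized: ", lookup_parameterized(db, probe))   # no row matches
    print("passes filter: ", looks_like_email(probe))           # False: rejected before any query
```

The point of running both is to see that the concatenated query returns the whole table for input that matches no user, while the bound query returns nothing; the filter stops the same input earlier, but on its own it is only as good as the pattern, which is why binding remains the primary control.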

What are you adding to your check list?

Editorial comment: We’ve received feedback about point #10 not being relevant as it is a known fact and not a needed reminder. Excellent point, unfortunately that isn’t what we saw when we reviewed the lists of top breaches for 2012. On one list of top ten, two of the breaches were caused by SQL injection. 


Best of Breaches 2012 – Did you make the list?


This is the time of year you see the ‘best of’ lists popping up everywhere. Lists of top breaches are no exception. Two excellent sources that review and offer some insight into their listed breaches include Tom’s IT Pro and Network World. Both lists include breaches that achieved fame for the extent of the damage or publicity.

One of the more significant breaches was the Nortel breach that remained undetected for 10 years. The hackers secured passwords for seven Nortel executives. This allowed the hackers access to view and steal “technical papers, R&D data, emails, plans and other sensitive corporate intellectual property and trade secrets.” Although the full extent of the damage has not been fully disclosed, or possibly been understood by Nortel, the breach leaves several questions about the security measures used. Were there no noticeable changes in network behaviour?
Did the executives not change their passwords on a regular basis in 10 years?

While reading these lists I’m left wondering how many more breaches occurred but didn’t make the list because they were never disclosed to the public. For example, Bloomberg published a list of breaches that weren’t previously made public, such as Coca Cola and the British energy group BG Group Plc.
How do you keep yourself off the list of 2013 breaches?
In part two of this blog we’ll follow up with a look at what we can learn from these experiences with a compilation of tips to add to your security