<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: blood]]></title>
    <link>http://securityratty.com/tag/blood</link>
    <description></description>
    <pubDate>Fri, 25 Apr 2008 17:09:21 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Biotech Platforms]]></title>
      <link>http://securityratty.com/article/45651b9a0decddecc758c652995e074f</link>
      <guid>http://securityratty.com/article/45651b9a0decddecc758c652995e074f</guid>
      <description><![CDATA[It is interesting to see the notion of tech platforms play out in other fields. Specifically, the biotech field is all abuzz on platforms. For example Exelixis' oncology platform built on kinase...]]></description>
      <content:encoded><![CDATA[<p>It is interesting to see the notion of tech platforms play out in other fields. Specifically, the biotech field is <a href="http://www.hammerstockblog.com/genentech’s-new-shiny-platform/">all </a><a href="http://www.hammerstockblog.com/exelixis-as-a-platform-company/">abuzz</a> on platforms. For example, Exelixis&#39; oncology platform built on kinase inhibitors.</p><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>Having a validated drug discovery platform is the first and most important criterion for defining a good platform company. The platform is typically comprised of a combination of technology, experienced personnel and intellectual property that can generate a stream of drug candidates. Most importantly, investing should be done only after a product of the platform demonstrates activity in clinical trials. Having a clinically validated product is not a guarantee for future success of the platform, nor does it mean that the specific agent will reach the market, but it does imply that one or more of the platform’s products stand a reasonable chance of becoming a commercial drug. A validated platform may increase overall success rates, yet the odds of a particular drug candidate making it all the way to approval are still low.</p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>...</p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>Exelixis is active in the ever-growing market of kinase inhibitors (KIs) for the treatment of cancer, that is, drugs that block the activity of kinases in cancer cells. Cancer cells are often described as cells that are out of control: they proliferate quickly, ignore death signals, invade nearby tissues and eventually metastasize to distant organs. Disease onset and advancement are associated with processes such as cell growth, motility and blood-vessel formation, which are governed by a complex network made of kinases. Thus, blocking these processes by inhibiting the relevant kinases has emerged as one of the most attractive approaches to fighting cancer.</p></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><p>Together with monoclonal antibodies, kinase inhibitors represent a paradigm shift in cancer treatment from cytotoxic agents to targeted therapies, a trend that is constantly growing. Like antibodies for cancer, kinase inhibitors target tumors while sparing healthy cells and consequently lead to better activity with fewer side effects. Kinase inhibitors, however, possess several advantages over antibodies. The most evident advantage is that KIs can hit targets inside the cell while antibodies can only bind targets presented on the cell surface, so internal targets are approachable only by KIs. Another advantage is the fact that KIs can be given orally, which is a major factor in terms of patient convenience, especially given the typically long treatment duration associated with targeted therapies. Another advantage, which will be discussed later in the article, is the ability to produce KIs that hit several targets at once.</p></blockquote><div>Read the whole thing <a href="http://www.hammerstockblog.com/exelixis-as-a-platform-company/">here</a>.</div><div>Speaking as a software guy, the thing that is interesting to me here is that the platform approach allows a biotech to aggregate a large database of tests and test results to refine products across a range of targets and delivery mechanisms. It&#39;s just data. Cancer versus Moore&#39;s law? Puh-leeze.</div>]]></content:encoded>
      <pubDate>Thu, 04 Sep 2008 06:08:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/drug">drug</category>
      <category domain="http://securityratty.com/tag/treatment">treatment</category>
      <category domain="http://securityratty.com/tag/cancer treatment">cancer treatment</category>
      <category domain="http://securityratty.com/tag/commercial drug">commercial drug</category>
      <category domain="http://securityratty.com/tag/platforms">platforms</category>
      <category domain="http://securityratty.com/tag/drug discovery platform">drug discovery platform</category>
      <category domain="http://securityratty.com/tag/platform">platform</category>
      <category domain="http://securityratty.com/tag/cells">cells</category>
      <category domain="http://securityratty.com/tag/cancer cells">cancer cells</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/09/biotech-platforms.html">Biotech Platforms</source>
    </item>
    <item>
      <title><![CDATA[Neo-Nazi Forum Blood & Honour Hacked By German Anti-Fascist Group, 800MB Of Content Available For Download]]></title>
      <link>http://securityratty.com/article/35bf15b3c58976021f1621b9f58266bd</link>
      <guid>http://securityratty.com/article/35bf15b3c58976021f1621b9f58266bd</guid>
      <description><![CDATA[German anti-fascist hackers have broken into the secure forum server of one of the world's largest neo-Nazi groups, Blood &amp; Honour, and copied more than 30,000 pieces of data. Members of Daten-Antifa...]]></description>
      <content:encoded><![CDATA[German anti-fascist hackers have broken into the secure forum server of one of the world&#8217;s largest neo-Nazi groups, Blood &#38; Honour, and copied more than 30,000 pieces of data. Members of Daten-Antifa managed to break the access codes of the forum last week. They copied roughly 800MB of data, including information that was only available [...]]]></content:encoded>
      <pubDate>Mon, 01 Sep 2008 18:27:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/forum">forum</category>
      <category domain="http://securityratty.com/tag/secure forum server">secure forum server</category>
      <category domain="http://securityratty.com/tag/german anti-fascist hackers">german anti-fascist hackers</category>
      <category domain="http://securityratty.com/tag/neo-nazi">neo-nazi</category>
      <category domain="http://securityratty.com/tag/data">data</category>
      <category domain="http://securityratty.com/tag/access codes">access codes</category>
      <category domain="http://securityratty.com/tag/honour">honour</category>
      <category domain="http://securityratty.com/tag/blood">blood</category>
      <category domain="http://securityratty.com/tag/roughly 800mb">roughly 800mb</category>
      <source url="http://cyberinsecure.com/neo-nazi-forum-blood-honour-hacked-by-german-anti-fascist-group-800mb-of-content-available-for-download/">Neo-Nazi Forum Blood &amp; Honour Hacked By German Anti-Fascist Group, 800MB Of Content Available For Download</source>
    </item>
    <item>
      <title><![CDATA[(Not Really) Stateful IT-GRC Inspecting Threat Management At Gigabit Speeds]]></title>
      <link>http://securityratty.com/article/886052f98b89f3f82c4e060e06cc7f73</link>
      <guid>http://securityratty.com/article/886052f98b89f3f82c4e060e06cc7f73</guid>
      <description><![CDATA[A friend of the blog recently pointed me to an article that used the term
PCI Risk Management
Now usually when I see a term like this, I can only imagine that such things are the byproduct of rapidly...]]></description>
      <content:encoded><![CDATA[<p>A friend of the blog recently pointed me to an article that used the term:</p>
<p style="text-align: center;"><em><strong>&#8220;PCI Risk Management&#8221;</strong></em></p>
<p>Now usually when I see a term like this, I can only imagine that such things are the byproduct of rapidly decaying brain cells.  In my mind I imagine there&#8217;s a conference room somewhere with some marketing types all hopped up on the vapors from industrial solvents spewing terms like &#8220;protectivity&#8221; or &#8220;advanced adaptive deep packet inspection&#8221; into the ether with all the acumen of an intoxicated long-horned bovine.</p>
<p><em><strong>BUT</strong></em></p>
<p>I thought about this, and it&#8217;s really not a bad idea - depending on how you define it.  Now I just couldn&#8217;t make the effort to read how the author used the term (I have a short pain threshold), but here are my thoughts on what PCI Risk Management should be.  If we define risk as the probable frequency and probable magnitude of future loss, then managing the risk inherent in PCI DSS compliance could mean:</p>
<p><span style="color: #008000;"><strong>1.)  The expected frequency of being out of compliance and how much that will cost us.</strong></span></p>
<p>Because let&#8217;s face it - being in or out of PCI compliance is still a subjective judgment.  First, we have what our ever-qualified assessor says.  But in the case of an incident, it&#8217;s really someone else who has the final say in whether or not we were &#8220;compliant&#8221; at the time of incident.  So we can only know for certain if we&#8217;re in compliance after the fact - i.e. after there&#8217;s an incident.  So if we cannot really &#8220;know&#8221; if we&#8217;re compliant - we have a probability problem to solve!  Sounds like &#8220;risk&#8221; or &#8220;secure&#8221; doesn&#8217;t it?</p>
<p>So we could view the PCI as a threat community to deal with.  This gives us the first angle of what we could call PCIRM (this sort of term begs to be its own acronym, doesn&#8217;t it?) - the simple creation of a probability statement that says there is some belief that we could be found out of compliance - regardless of our efforts - and the calculation of what the impact would be to our organization (like defending frivolous 90 bajillion $ lawsuits from tiny financial institutions whose lawyers smell blood in the water).  Note that you may or may not want to add the value of the money and time spent on PCI compliance into your loss magnitude calculations.  It&#8217;s a sunk cost at that point.</p>
<p>However, there&#8217;s another side of the coin.  We can find out the risk of being out of compliance, but is there risk in being *in* compliance?  I think there is.  So our second aspect of PCI Risk Management might be:</p>
<p><span style="color: #008000;"><strong>2.)  The expected frequency of being in compliance and how much that will cost us.</strong></span></p>
<p>An alternate view of how we could view the Payment Card Industry as a threat community would involve trying to figure out the probable frequency with which they will make onerous demands of our security budget, and the impact of those demands.</p>
<p>Now note that we would have a &#8220;secondary risk&#8221; to measure here.  I&#8217;m thinking that it&#8217;s not improbable that our PCI efforts may not be the most efficient use of our time and money.  So if we&#8217;re spending money on what PCI says we must, and neglecting areas of our IRM landscape that would actually reduce organizational risk more than those PCI efforts - then PCI compliance is costing us some real value by reducing our capability to manage real risk.  <strong>However</strong>, and it&#8217;s quite a long-tail event, imagine that we&#8217;re unlucky and an incident happens!  This incident may, with no small probability, turn out to be a byproduct of PCI requirements.  Being diligent in risk management, we might want to study this likelihood, too.</p>
<p>So there you have it.  In both cases PCI Risk Management involves looking at the Payment Card Industry as a threat community, and determining the probable impact of having to deal with PCI DSS.</p>
<p>Now if you&#8217;ll excuse me, I have a white paper to write and I&#8217;m fresh out of acetone-based paint remover.</p>
<p><strong>POST SCRIPT</strong></p>
<p>I should make it clear that Risk Management should be (and obviously is) performed by those with PCI concerns.  PCI, if you will, is simply a sort of ISMS.  And the development of an ISMS can assist IT management with the process of developing metrics and analysis concerning the organization&#8217;s capability to manage risk.  <em>There&#8217;s nothing wrong with PCI in this regard.</em></p>
<p>But I figured I should make the effort to read what the author was advocating, and the document this &#8220;PCI Risk Management&#8221; term was drawn from was really a set of &#8220;best practices&#8221; for PCI and &#8220;best practices&#8221; above and beyond what PCI requires.  <strong>This is not risk management</strong> (and no, adding &#8220;risk assessment&#8221; - in quotes because the author is really referring to vulnerability management - to the list of best practices doesn&#8217;t make it risk management, either).  It is more witch-doctory.</p>
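<p>The definition of risk used above (probable frequency and probable magnitude of future loss) is only useful once it is carried into numbers, which is the step the original post leaves to the reader. The block below is an added example, not code from the post or its author: it takes the two &#8220;PCI as a threat community&#8221; scenarios described above, models each as a frequency estimate and a magnitude estimate, and runs a Monte Carlo simulation to get an annualized loss exposure distribution instead of a single expected value. Every numeric range in it is a hypothetical placeholder for a calibrated estimate; the scenario names and helper functions are assumptions made here for illustration.</p>

```python
"""Monte Carlo estimate of annualized loss exposure for two "PCI as a
threat community" scenarios, using risk = probable frequency x probable
magnitude of future loss.  Every range below is a hypothetical placeholder
for a calibrated estimate, not data from the post.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Min / most-likely / max estimate, sampled from a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    frequency: Estimate  # loss events per year
    magnitude: Estimate  # loss per event, in currency units


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values: list, q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate(scenario: Scenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Simulate `trials` years; each year draws an event rate, a Poisson
    event count from that rate, and a loss magnitude for every event."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        events = poisson(scenario.frequency.sample(rng), rng)
        annual.append(sum(scenario.magnitude.sample(rng) for _ in range(events)))
    annual.sort()
    return {
        "name": scenario.name,
        "mean": statistics.fmean(annual),
        "p50": percentile(annual, 0.50),
        "p90": percentile(annual, 0.90),
        "p99": percentile(annual, 0.99),
        "prob_any_loss": sum(1 for x in annual if x > 0) / trials,
    }


# Scenario 1 from the post: being judged out of compliance after an incident.
# Rare, but the magnitude (fines, forensics, litigation) has a long tail.
FOUND_NONCOMPLIANT = Scenario(
    "found out of compliance after an incident",
    frequency=Estimate(0.02, 0.05, 0.15),                # hypothetical
    magnitude=Estimate(250_000, 1_500_000, 10_000_000),  # hypothetical
)

# Scenario 2 from the post: the card industry makes onerous demands of the
# security budget, roughly yearly, with the "secondary risk" that the spend
# is diverted from controls that would have reduced risk more.
COMPLIANCE_DEMANDS = Scenario(
    "onerous compliance demands",
    frequency=Estimate(0.5, 1.0, 2.0),             # hypothetical
    magnitude=Estimate(50_000, 200_000, 600_000),  # hypothetical
)


def compare(trials: int = 20_000, seed: int = 1) -> list:
    """Run both scenarios with the same seed so the results are comparable."""
    return [simulate(s, trials, seed) for s in (FOUND_NONCOMPLIANT, COMPLIANCE_DEMANDS)]


if __name__ == "__main__":
    for r in compare():
        print(f"{r['name']}: mean={r['mean']:,.0f}  p50={r['p50']:,.0f}  "
              f"p90={r['p90']:,.0f}  p99={r['p99']:,.0f}  P(loss)={r['prob_any_loss']:.2f}")
```

<p>The point of simulating rather than multiplying the two means is visible in the output: the non-compliance scenario has a median annual loss of zero and a mean driven entirely by its tail, while the compliance-demand scenario is a near-certain, moderate, recurring cost. Comparing only the means hides exactly the distinction the post draws between the two sides of the coin.</p>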
]]></content:encoded>
      <pubDate>Tue, 22 Jul 2008 10:41:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/pci risk management">pci risk management</category>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/pci dss">pci dss</category>
      <category domain="http://securityratty.com/tag/pci dss compliance">pci dss compliance</category>
      <category domain="http://securityratty.com/tag/risk">risk</category>
      <category domain="http://securityratty.com/tag/risk inherent">risk inherent</category>
      <category domain="http://securityratty.com/tag/management">management</category>
      <category domain="http://securityratty.com/tag/pci">pci</category>
      <category domain="http://securityratty.com/tag/pci concerns">pci concerns</category>
      <source url="http://riskmanagementinsight.com/riskanalysis/?p=373">(Not Really) Stateful IT-GRC Inspecting Threat Management At Gigabit Speeds</source>
    </item>
    <item>
      <title><![CDATA[Loving customers frustrate security firms too]]></title>
      <link>http://securityratty.com/article/90258e9f33623bc8f6064f70d8abd5d6</link>
      <guid>http://securityratty.com/article/90258e9f33623bc8f6064f70d8abd5d6</guid>
      <description><![CDATA[Roger Grimes has a good article up on his InfoWorld, Security Advisory blog entitled &quot; Security firms frustrate loving customers &quot;. Roger details some specific examples of how security vendors just...]]></description>
      <content:encoded><![CDATA[<p>Roger Grimes has a good article up on his InfoWorld Security Adviser blog entitled "<a href="http://weblog.infoworld.com/securityadviser/archives/2008/06/security_firms.html">Security firms frustrate loving customers</a>". Roger details some specific examples of how security vendors just don't "show the love" to customers and prospective customers, with the result being lost business. Roger highlights three examples:<br><br><strong>1. Making renewals a manual process with those annoying phone trees.</strong> I agree; when I hear "press 1 for this and press 2 for that", my blood starts to boil. There is no reason this can't be built into the product so that you renew over the web. Security or no, any software vendor not doing this is just plain crazy.<br><br><strong>2. Calling into a company with a sales inquiry and the sales guy never calls back.</strong> This one just kills me. When doing due diligence on potential acquisitions at a prior company, I would call in or email with a sales inquiry and wait to see how long it took them to get back to me. It was a good indication of how well the sales organization and the company functioned.<br><br><strong>3. Killing the deal with one-sided, overly legal and burdensome terms.</strong> Another one that I battle all the time. The CFO has to be able to recognize revenue, so needs specific T&amp;Cs. The lawyers want to protect the vendor against all eventualities, and they are doing their job. You want to make as few warranties and representations as possible to limit your liability. The result: the customer gets a one-sided, unfair document with fine print on maintenance pricing, renewals, SLAs, etc. Most customers don't even read the EULA. Take a look at some of the ones that came with software you have bought. It may surprise you.<br><br>But in my best Fox News voice, let's be fair and balanced. So in that vein, let me give you three specific examples of how loving customers frustrate security firms:<br><br><strong>1. The guys who picked the product leave and the new guy comes in and doesn't have a clue.</strong> This happens all the time, especially in government. One guy or team buys the product for a specific reason and has all of the expertise. The new folks come in and, even if they know your product is there, they don't know why or how to use it. They may feel they inherited this product and have their own favorite product in the category. They can't wait to replace you and either don't use the product at all or blame the problems of the world on it.<br><br><strong>2. Buying the product and then "other priorities" delay implementation.</strong> A surefire recipe for shelfware. When I see this happening I tell our folks it is better to be a pain in the butt and force them to use the product they bought than to sit around watching the license expire on the shelf. The longer the product sits, the more it becomes a nice-to-have rather than the must-have that drove the sale. Now sure, one can say: what does the vendor care? The customer paid; if he doesn't use it, there are fewer support costs. But you don't get renewals, upsells or referrals without customers using the product.<br><br><strong>3. Using the product in unintended ways.</strong> Another favorite heartburn of mine. Customers figure that just because the application runs Linux underneath, why can't I run (You Name It) on it? We recently had a customer that was chewing up support hours like the dial at a gas pump today. It turns out the problems were all due to all of the other software he had put on the box, not to mention editing .conf files, database tables, etc. It is hard enough supporting the software we developed. It is a whole other story supporting software that you have not written.<br><br>So Roger, yes, the customer is always right, and security vendors have to get their act together if they want to survive, let alone compete, in these tough economic times. But customers certainly don't make the job any easier with some of the shenanigans they pull.</p>
]]></content:encoded>
      <pubDate>Fri, 13 Jun 2008 15:45:37 +0000</pubDate>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/security firms">security firms</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <category domain="http://securityratty.com/tag/product">product</category>
      <category domain="http://securityratty.com/tag/product sits">product sits</category>
      <category domain="http://securityratty.com/tag/favorite product">favorite product</category>
      <category domain="http://securityratty.com/tag/prospective customers">prospective customers</category>
      <category domain="http://securityratty.com/tag/software vendor">software vendor</category>
      <category domain="http://securityratty.com/tag/vendor">vendor</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/311509491/loving-customer.html">Loving customers frustrate security firms too</source>
    </item>
    <item>
      <title><![CDATA[Spring ISD mobile devices stolen along with personal student information]]></title>
      <link>http://securityratty.com/article/f51f56449615943eec1d39d3cb6103f3</link>
      <guid>http://securityratty.com/article/f51f56449615943eec1d39d3cb6103f3</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/16/08

Organization
Spring Independent School District (&quot;Spring ISD

Contractor/Consultant/Branch
None

Victims
Students

Number Affected
8,000

Types...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/springisd.jpg" align="right" height="90" width="194"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/16/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.springisd.org/default.aspx?name=homepage">Spring Independent School District ("Spring ISD")</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Students<br><br><span style="font-weight: bold;">Number Affected:</span><br>~8,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"personal information, including name, social security number or state-assigned identification number, gender, name of school, grade and birthday"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"Spring ISD has been informing the parents of about 8,000 students of an incident that occurred in the evening on Wednesday, May 14 that involves the students’ personal information. 
The Spring ISD testing coordinator’s car was broken into while she was making a stop at a business on her way home from work that evening and a Spring ISD laptop computer and an external flash drive were stolen."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.springisd.org/default.aspx?name=may08.laptop">Spring ISD News</a> <br><a href="http://www.chron.com/disp/story.mpl/metropolitan/5786308.html">Houston Chronicle</a> <br><a href="http://abclocal.go.com/ktrk/story?section=news/local&amp;id=6146241">ABC Channel 13 News</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Spring ISD<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Spring ISD has been informing the parents of about 8,000 students of an incident that occurred in the evening on Wednesday, May 14 that involves the students’ personal information.<br><br>The Spring ISD testing coordinator’s car was broken into while she was making a stop at a business on her way home from work that evening and a Spring ISD laptop computer and an external flash drive were stolen.<br><span style="font-style: italic;">[Evan] The fact that the district allows personal student information to be stored on mobile devices is very troubling.&nbsp; There is no mention of encryption, so I will assume that there was none.&nbsp; This is very careless.</span><br><br>The coordinator's computer bag was stolen from her vehicle between 5:30 and 7 p.m. 
Wednesday when she stopped to run an errand near Mason Road and Beltway 8, on her way home from work<br><br>The coordinator had the laptop, Curry said, because the job responsibilities often require her to work nights and weekends.<br><span style="font-style: italic;">[Evan] Fine.&nbsp; This is the reason why many organizations use laptops.&nbsp; The problem is the lack of control and security.&nbsp; If an organization decides to employ laptops, then the organization MUST ensure that they are adequately protected.</span><br style="font-style: italic;"><br>The flash drive contains the Texas Assessment of Knowledge and Skills (TAKS) results of third and fifth graders who have taken the first round of reading and math tests, eighth graders who have taken the first round of math tests and 11th and 12th graders who have taken the exit level retest.<br><br>In addition, the drive contains the students’ personal information, including name, social security number or state-assigned identification number, gender, name of school, grade and birthday.<br><span style="font-style: italic;">[Evan] Why in the *&amp;^$ does a testing coordinator have Social Security numbers on a laptop and/or flash drive?!&nbsp; A Social Security number should have no correlation to testing scores.</span><br style="font-style: italic;"><br>This also applies to students who are in those testing groups but were absent when the testing took place. <br><br>Personal phone calls were made to the parents of these students on Thursday, letters were sent home with students and the letters are being mailed to homes also in an effort to help parents quickly take steps to protect their children from identity theft.<br><br>"The district immediately contacted federal agencies to make them aware of the theft, and we are checking to see whether there is any thing else we can do on behalf of the individual students. 
In the meantime, we urge parents to use the information we have provided," said Regina Curry, assistant superintendent for communications and community relations. <br><br>The theft is being investigated by the Harris County Sheriff’s Department and every effort is being made to recover the equipment.<br><br>The district has reported the incident to the Texas Education Agency Test Security Task Force and will comply with whatever action they require. <br><br>"This incident is highly regrettable and the district is looking at potential security precautions to protect the students’ personal information in the future," Curry said.<br><span style="font-style: italic;">[Evan] I'm sure that the district regrets the incident, but careless acts have consequences and this should have been known beforehand.</span><br style="font-style: italic;"><br>Anyone with information about the theft is urged to call the Harris County Sheriff's Office Burglary and Theft Division at 713-967-5770 or the Spring ISD Police Department at 832-764-4911.<br><br><span style="font-weight: bold;">Commentary:</span><br>I try to be politically correct in many of my comments although sometimes I push the boundaries.&nbsp; I can't think of a word right now that adequately expresses my thoughts.&nbsp; Where was common sense?&nbsp; It could be argued that many breaches we read about entail a certain amount of dumbness, but this one definitely strikes a chord.&nbsp; <br><br>Who in their right mind would allow highly-confidential personal information to be carried around on mobile devices?&nbsp; Without encryption?&nbsp; When it isn't necessary?&nbsp; It puzzles me.<br><br>I feel like I should say more, but my high blood pressure has gone high enough for the day.&nbsp; I should rest. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Sun, 18 May 2008 19:01:44 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/students personal information">students personal information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/isd">isd</category>
      <category domain="http://securityratty.com/tag/students">students</category>
      <category domain="http://securityratty.com/tag/individual students">individual students</category>
      <category domain="http://securityratty.com/tag/isd laptop computer">isd laptop computer</category>
      <category domain="http://securityratty.com/tag/external flash drive">external flash drive</category>
      <category domain="http://securityratty.com/tag/drive">drive</category>
      <source url="http://breachblog.com/2008/05/18/springisd.aspx">Spring ISD mobile devices stolen along with personal student information</source>
    </item>
    <item>
      <title><![CDATA[Adobe web portal exposes educational software users]]></title>
      <link>http://securityratty.com/article/8e93f1a73517ab10fb5804699a447870</link>
      <guid>http://securityratty.com/article/8e93f1a73517ab10fb5804699a447870</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/1/08

Organization
Adobe Systems Incorporated

Contractor/Consultant/Branch
None

Victims
Customers

Number Affected
Unknown

Types of Data
Name,...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/adobe.jpg" align="right" height="150" width="150"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/1/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.adobe.com/">Adobe Systems Incorporated</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Customers<br><br><span style="font-weight: bold;">Number Affected:</span><br>Unknown<br><br><span style="font-weight: bold;">Types of Data:</span><br>Name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.<br><br><span style="font-weight: bold;">Breach Description:</span><br>"It appears that certain personal information was stored on a server accessed via an Adobe website portal at a time when the server did not contain security or authentication procedures. 
The server was created to allow customers to upload information in order to enable Adobe to validate a customer's qualification to purchase certain education software."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://doj.nh.gov/consumer/pdf/adobe.pdf">New Hampshire State Attorney General breach notification</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>The New Hampshire State Attorney General<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>We are writing to inform you of a recent incident possibly involving the unauthorized exposure of your personal information.<br><br>The information was stored on a server accessed via an Adobe website portal at a time when the server did not contain Adobe's standard security or authentication procedures.<br><br>The information was stored in relation to status verification for your recent purchase of Adobe education version software.<br><br>Based on our investigation to date, we believe some combination of the following information may have been exposed for the customers we are notifying: name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration data, credit card security code, partial or full bank account number, partial or full Social Security number, school identification card, driver's license number, government identification, military identification number, and a copy of a signature.<br><i>[Evan] Holy moly!&nbsp; How much information did Adobe request from people?&nbsp; The purpose of collecting the information was "status verification", which I assume means making sure that you are allowed to use education version software at a significantly reduced price.&nbsp; No urine samples, blood samples, etc.?</i><br><br>We have no reason to believe that any personally identifiable information was potentially exposed except the 
information contained in the images that you uploaded to Adobe.<br><i>[Evan] Huh?</i><br><br>We apologize for this incident and sincerely regret any inconvenience that these events and responding to this notice may cause you.<br><br>Please note that Adobe has no indication that any unauthorized individual has accessed, has used, or is using your personal information; we bring this incident to your attention, however, so that you can be alerted to signs of possible misuse of your personal information should it occur.<br><br>Immediately after Adobe learned of this incident, we secured the server and removed the feature in the website portal allowing customer access in order to prevent unauthorized access to the information.<br><br>Additionally, we began an investigation to determine which files, if any, were exposed.<br><br>Our investigation revealed that files containing the above information were not properly secured, and could have been accessed by unauthorized third parties via the Internet.<br><br>Adobe is providing a year of free credit monitoring.<br><br>Please rest assured that Adobe takes data security very seriously and we have already taken steps to minimize any risk from this incident and any future incidents.<br><br><b>Commentary:</b><br>It seems like Adobe is/was collecting much more information than was necessary to verify that a claimed educational user is/was in fact an educational user.&nbsp; Adobe has a very significant web presence.&nbsp; I am pretty sure they employ some very talented (and well trained) web developers, a robust change control process (including segregated dev and prod environments), and a talented information security crew.&nbsp; How did this slip through the cracks?&nbsp; I also wonder how Adobe became aware of the exposure? <br><br><b>Past Breaches:</b><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Wed, 07 May 2008 12:31:31 +0000</pubDate>
      <category domain="http://securityratty.com/tag/adobe">adobe</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/information security crew">information security crew</category>
      <category domain="http://securityratty.com/tag/adobe website portal">adobe website portal</category>
      <category domain="http://securityratty.com/tag/adobe systems">adobe systems</category>
      <category domain="http://securityratty.com/tag/upload information">upload information</category>
      <category domain="http://securityratty.com/tag/security">security</category>
      <category domain="http://securityratty.com/tag/adobe iswas">adobe iswas</category>
      <source url="http://breachblog.com/2008/05/07/adobe.aspx">Adobe web portal exposes educational software users</source>
    </item>
    <item>
      <title><![CDATA[Why even having health insurance is not enough anymore]]></title>
      <link>http://securityratty.com/article/c4f007a02c60338f0381adcb2dd11c15</link>
      <guid>http://securityratty.com/article/c4f007a02c60338f0381adcb2dd11c15</guid>
      <description><![CDATA[Forgive me for going totally off topic (hey its my blog I write what I want) but it is Sunday and not much news on security. I wanted to write about an article I saw in the NY Times today called &quot;...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/INSURE_GRAPH.jpg"><img style="border-right: 0px; border-top: 0px; margin: 0px 10px 5px 0px; border-left: 0px; border-bottom: 0px" height="260" alt="INSURE_GRAPH" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/INSURE_GRAPH_thumb.jpg" width="247" align="left" border="0"></a> Forgive me for going totally off topic (hey, it's my blog, I write what I want) but it is Sunday and not much news on security.&nbsp; I wanted to write about an article I saw in the NY Times today called "<a href="http://www.nytimes.com/2008/05/04/business/04insure.html?_r=1&amp;partner=rssyahoo&amp;emc=rss&amp;oref=slogin" target="_blank">Even the Insured Feel the Strain of Health Costs</a>". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care.&nbsp; Rising premiums, covering fewer procedures and care, and charging more for prescriptions and medical care combine to put the bite on everyone.&nbsp; From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:</p> <p>1. My wife had minor surgery in September.&nbsp; It was ambulatory surgery where she went in the morning and went home that afternoon/evening.&nbsp; Even though we have full PPO coverage and it was participating doctors, hospital, etc. my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k!&nbsp; When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could.&nbsp; I then had to negotiate what I would pay out of pocket beyond that. I also had to pay for the anesthesia, the prescriptions, etc.</p> <p>2. 
Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation.&nbsp; We pay a good chunk of our employees' insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger.&nbsp; Plus the insurance company covers less and less.&nbsp; This squeeze is frankly baffling. How can you pay more and get less?</p> <p>3. I had a dental implant a few months back.&nbsp; Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it.&nbsp; My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area.&nbsp; So I had to pay an extra $600 out of pocket and of course my out-of-network deductible was $750, so I ate it again.</p> <p>4. The orthodontist.&nbsp; This one is perhaps the worst of all and really gets my goat.&nbsp; My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practice in orthodontics is to put braces on now in a phase 1 and then if necessary they put other braces on later when more of his adult teeth come in. Putting braces on now would lessen the severity of what he would need later.&nbsp; OK, great, let's do it, right?&nbsp; Wrong!&nbsp; Our insurance covers a one time payment of $1200. 
The dentist said if we use it now, the cost for phase 1 would be $3600.&nbsp; That leaves a balance of $2400 that I have to pay.&nbsp; However, if I do it without insurance he would charge me $2400 and then I could use the $1200 towards the phase 2 braces my son may need which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket or no insurance $2400 out of pocket.&nbsp; What is wrong with that picture? Whether I have insurance or not, it still costs me $2400!&nbsp; This is fundamentally what is wrong with our health care system.&nbsp; The dentist is willing to accept $2400.&nbsp; He should take the $1200 from my insurance and I should pay him another $1200.&nbsp; Anything else is ludicrous and in my mind borders on criminal insurance fraud.</p> <p>We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax-deferred health savings plans is the answer either.&nbsp; Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what they do and what it is worth, not how to maximize what the insurance company pays, and most of all we need to make sure that people can afford and receive decent health care!</p> <p>BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad, writes a <a href="http://stanleyfeldmdmace.typepad.com/" target="_blank">great blog</a> on it.</p></div>

]]></content:encoded>
      <pubDate>Sun, 04 May 2008 11:13:07 +0000</pubDate>
      <category domain="http://securityratty.com/tag/insurance">insurance</category>
      <category domain="http://securityratty.com/tag/health insurance">health insurance</category>
      <category domain="http://securityratty.com/tag/premiums">premiums</category>
      <category domain="http://securityratty.com/tag/employees insurance premiums">employees insurance premiums</category>
      <category domain="http://securityratty.com/tag/insurance company pays">insurance company pays</category>
      <category domain="http://securityratty.com/tag/regular insurance">regular insurance</category>
      <category domain="http://securityratty.com/tag/insurance company">insurance company</category>
      <category domain="http://securityratty.com/tag/care">care</category>
      <category domain="http://securityratty.com/tag/health care system">health care system</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/283478411/why-even-having.html">Why even having health insurance is not enough anymore</source>
    </item>
    <item>
      <title><![CDATA[Iron Man was just not very magnetic to me]]></title>
      <link>http://securityratty.com/article/bd5fb9eff88fa912961371de11a5f378</link>
      <guid>http://securityratty.com/article/bd5fb9eff88fa912961371de11a5f378</guid>
      <description><![CDATA[Took the kids to see Iron Man tonight with our cousins Jeri and Danny. I generally like Robert Downey, Jr and he acted very hard in this movie. However, I just didn't get the story. I remember...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p><a href="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/ironman_bigposter.jpg"><img style="margin: 0px 10px 0px 0px" height="240" alt="ironman_bigposter" src="http://www.stillsecureafteralltheseyears.com/ashimmy/WindowsLiveWriter/ironman_bigposter_thumb.jpg" width="162" align="left" border="0"></a> Took the kids to see Iron Man tonight with our cousins Jeri and Danny.&nbsp; I generally like Robert Downey, Jr. and he acted very hard in this movie. However, I just didn't get the story. I remember watching Iron Man cartoons when I was little and reading the comic books; there was some special thing about Iron Man's blood the way I remember it that gave him super hero powers. </p> <p>In the movie incarnation, Tony Stark is the son of a weapons designer and a brilliant weapons designer himself.&nbsp; However, he has some serious character flaws. He is kidnapped by some sort of Middle Eastern terrorists and takes some shrapnel in his chest.&nbsp; A doctor attaches an electromagnet to a car battery on his chest to keep the shrapnel from going into his heart. Downey then designs some sort of mini-power source to power the electromagnet.&nbsp; He uses the power source to power a metal suit he builds (long story) and escapes from the terrorists.&nbsp; From there the movie is fairly predictable and frankly in my opinion not very good.&nbsp; I didn't understand how he got the superpower; it was just a powered suit and how it worked was pretty silly.&nbsp; </p> <p>The ultimate thumbs up or down for me was that both of my sons fell asleep in the movie theater.&nbsp; The good news is that this is the start of the summer movie season. I am really looking forward to Indiana Jones and the kids want to see Speed Racer!</p></div>

]]></content:encoded>
      <pubDate>Sat, 03 May 2008 18:48:58 +0000</pubDate>
      <category domain="http://securityratty.com/tag/power source">power source</category>
      <category domain="http://securityratty.com/tag/mini-power source">mini-power source</category>
      <category domain="http://securityratty.com/tag/movie">movie</category>
      <category domain="http://securityratty.com/tag/summer movie season">summer movie season</category>
      <category domain="http://securityratty.com/tag/power">power</category>
      <category domain="http://securityratty.com/tag/iron">iron</category>
      <category domain="http://securityratty.com/tag/movie incarnation">movie incarnation</category>
      <category domain="http://securityratty.com/tag/brilliant weapons designer">brilliant weapons designer</category>
      <category domain="http://securityratty.com/tag/weapons designer">weapons designer</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/283083226/iron-man-was-ju.html">Iron Man was just not very magnetic to me</source>
    </item>
    <item>
      <title><![CDATA[Stolen account firm laptop contained personal information]]></title>
      <link>http://securityratty.com/article/7240fed31e61581015599856bf2549e3</link>
      <guid>http://securityratty.com/article/7240fed31e61581015599856bf2549e3</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/24/08

Organization
Hough, MacAdam &amp; Wartnik LLC

Contractor/Consultant/Branch
Coos County, Oregon
South Coast Hospice &amp; Palliative Care
Two other...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/hmw.jpg" align="right" height="105" width="200"><span style="font-weight: bold;">Date Reported: </span><br>4/24/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.hmwcpas.com/">Hough, MacAdam &amp; Wartnik LLC</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.co.coos.or.us/">Coos County, Oregon</a> <br><a href="http://www.schospice.org/">South Coast Hospice &amp; Palliative Care</a> <br>Two other undisclosed organizations<br><br><span style="font-weight: bold;">Victims:</span><br>Client employees<br><br><span style="font-weight: bold;">Number Affected:</span><br>482<br><br><span style="font-weight: bold;">Types of Data:</span><br>"name, Social Security number, and other personal information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"NORTH BEND - The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft."<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.theworldlink.com/articles/2008/04/24/news/doc4810bce97af34074884341.txt">The World</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>Jessica Musicar and Jolene Guzman, Staff Writers at The World<br><br><span style="font-weight: bold;">Response:</span><br>From the online source cited above:<br><br>The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft.<br><br>County officials worry the data may have contained employees’ names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam &amp; Wartnik LLC of North Bend.<br><span style="font-style: italic;">[Evan] We see too many breaches occurring through 
contractor/vendor relationships.</span><br><br>Although there have been no known reports of identity theft from any of the 482 employees notified, the computer has not been found and, according to a letter from the firm, thieves sometimes hold victims’ information for later use.<br><span style="font-style: italic;">[Evan] The fact that thieves <span style="font-weight: bold;">DO </span>sometimes hold victims' information for later use is important to remember.&nbsp; This is one reason why one-year or two-year free credit monitoring (a semi-standard offering by breached companies) is a very limited short-term response.</span><br><br>According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam &amp; Wartnik. Albiar is a senior accountant at the firm.<br><br>Later that day, a letter from the company was sent to clients stating that a "serious data security incident" may have involved clients’ personal information.<br><span style="font-style: italic;">[Evan] Quick response.</span><br><br>"During the night of Tuesday, March 4, 2008, a notebook computer was stolen from a locked vehicle. The notebook’s hard drive may have contained your name, Social Security number, and other personal information,"<br><br>"We have notified law enforcement about this incident. This notification included a general report alerting them to the fact that the incident occurred. 
However, we have not notified them about the presence of your specific information in the data breach."<br><span style="font-style: italic;">[Evan] I wonder why the firm decided not to notify law enforcement about specific information on the computer.</span><br><br>A public accounting firm, Hough, MacAdam &amp; Wartnik is locally owned by Jim Hough, Shirley MacAdam and Jayson Wartnik. It opened in July 2004, following the acquisition of the office from Moss Adams LLP. The business dates back to the 1940s.<br><br>Shirley MacAdam said the March 5 letters were sent to the 482 employees of four clients - only one of which was a public agency. She demurred from identifying the clients involved, but further investigation revealed the County and South Coast Hospice &amp; Palliative Care in Coos Bay are among the four.<br><br>It is possible the four data files from the four clients contained Social Security numbers and addresses of some of the employees on the laptop’s hard drive.<br><br>Some of the information could have been on the laptop since October 2007.<br><span style="font-style: italic;">[Evan] This is a long time for personal information to be stored on a mobile device.&nbsp; The longer the time, the higher the risk that the mobile device will be lost or stolen.&nbsp; Right?&nbsp; CPAs know about this thing called risk, don't they?</span><br><br>The CPA said the computer was password protected, as were certain files.<br><span style="font-style: italic;">[Evan] Oh boy, here it is.&nbsp; The password protection mention.&nbsp; Password protection should not be considered adequate protection in most circumstances (some would argue ALL circumstances).&nbsp; Operating system passwords are simple to circumvent, as are many common application passwords.</span><br><br>Some of the information contained in the programs requires "special knowledge in order to find the personal information inside of the program"<br><span style="font-style: italic;">[Evan] And now, the security through 
obscurity mention. Security through obscurity is a myth.&nbsp; It is not effective.</span><br><br>When MacAdam and other members of the firm learned the computer had been stolen, their first priority was to identify affected clients and to notify them of potential risks. This was done within 24 hours of the theft.<br><br>"Our concern was to ensure that we are taking all actions that we should as prudent business people, in addition to complying with all regulations regarding proper and timely notification," MacAdam wrote to The World.<br><span style="font-style: italic;">[Evan] Prudent business people should do many things, and one thing among them is to regularly evaluate the risks involved with the way they handle information.&nbsp; A prudent business person should be able to identify that storing confidential information from multiple clients on a poorly secured laptop is an unnecessary and unacceptable risk.</span><br><br>"We informed them of the actions they and their employees needed to take. 
Due to the nature of our work and our internal policies, no client information other than audit data is ever stored on a laptop, so there is no concern that any other client information might be on the stolen laptop."<br><br>The firm has since revisited its internal information technology security policy and implemented changes such as increased frequency of password changes, more complex passwords and encryption software when applicable.<br><span style="font-style: italic;">[Evan] Careful.&nbsp; Increased frequency of password changes and increased password complexity can very easily lead to an increase in the probability that people will write passwords down.&nbsp; A person writing a password down on a Post-It note will defeat all of these controls (password changes, password complexity, and encryption software).</span><br><br>Additional training also was provided to Hough, MacAdam &amp; Wartnik staff regarding the security policy.<br><span style="font-style: italic;">[Evan] I am a big proponent of training.&nbsp; People argue about its effectiveness, but my experience has typically shown that it is well worth the time and effort.&nbsp; Training should be fun and interactive, periodic (maybe annual), and followed up with regular awareness reminders (such as posters, email newsletters, banners, freebies, etc.).</span><br><br>While no reports of identity theft or fraud have been made to the firm, MacAdam said the impacts of the theft have been felt by clients as well as by the firm.<br><br>"The impact on HMW has been both time and financial as we took all steps necessary to inform the individuals affected and address all concerns brought to our attention."<br><span style="font-style: italic;">[Evan] The costs of a breach are significant in soft and hard dollars.&nbsp; What did my grandma say, "an ounce of prevention is worth a pound of cure"?&nbsp; Wise advice; maybe she could have been a good information security professional <img 
src="http://breachblog.com/emoticons/wink.png" border="0" />.</span><br><br>MacAdam noted her firm has never experienced a data breach in the past and is still not aware if one has occurred.<br><span style="font-style: italic;">[Evan] The firm is "still not aware if one has occurred" (meaning a breach)?&nbsp; Oh yes, it has occurred!&nbsp; In my definition, if you cannot be reasonably assured that confidential information has remained confidential, then a breach has occurred (not to mention integrity and availability). </span><br><br>More than 300 employees who received paper paychecks from the county may have had their personal information on the laptop, said Coos County Commissioner Kevin Stufflebean.<br><br>Information on the missing computer was left over from the county’s 2005-06 audit, Stufflebean said. There is a chance nothing was on the computer, he added.<br><br>"They didn’t have confirmation that it was wiped off the computer," he said. "That’s why they notified (employees)."<br><br>Coos County Counsel Jacki Haggerty said she had not received any reports from county employees of any unauthorized use of their information. Still, the incident will raise the level of awareness of possible breaches in the future, according to Haggerty.<br><br>"I think it’s sobering," she said. "You don’t think about it until something like this happens. This is kind of a wake-up call."<br><span style="font-style: italic;">[Evan] This should be a wake-up call.&nbsp; It's really too bad that it takes a personally affecting incident before waking up.&nbsp; Wouldn't it be easier and more cost-effective to do a little research and learn from other people's mistakes?</span><br><br>Both the county and Hough, MacAdam &amp; Wartnik are in the process of changing how data is used to make sure no unnecessary personal information is released in future audits. 
Haggerty said she feels assured by the lengths the firm has gone in order to increase data security.<br><br>"They are taking certain steps ... including not requesting or accepting certain information," she said. On the list of banned data includes clients’ Social Security numbers.<br><span style="font-style: italic;">[Evan] This is the best control so far.&nbsp; You can't lose information that you never had.</span><br><br>Employees of South Coast Hospice &amp; Palliative Care also received copies of the March 5 letter from the accounting firm.<br><br>Carol Gardner, the administrative and personnel manager for South Coast Hospice, said Hough, MacAdam &amp; Wartnik&nbsp; has audited the organization for approximately 10 incident-free years. In fact, Gardner said, the hospice’s board of directors complimented the company for acting so promptly.<br><br>"It was one of those unfortunate faux pas," Gardner said of the theft. "This was an unusual situation and proper steps (were) taken to coach and correct that employee.<br><span style="font-style: italic;">[Evan] A faux pas (false step) yes, but I would argue against "unfortunate".&nbsp; Unfortunate for the victims, certainly, but not for the firm.&nbsp; Information mismanagement should not be confused with bad luck.</span><br><br>"It did scare me a little bit to think that somebody had access," Gardner said, adding her own son dealt with a four-year struggle after someone stole his identity. However, 'Up to this point we have not heard of any repercussions from it.<br><br>"I feel that we were very fortunate because, as I understand (it), it’s big business&nbsp; " things getting stolen out of vehicles ... 
" I think everyone needs to be aware not to leave anything of value in their vehicles."<br><br><span style="font-weight: bold;">Commentary:</span><br>Another sad incident of personal information on a poorly secured laptop computer.&nbsp; When I read news articles like this, my blood boils.&nbsp; Do people not know any better?&nbsp; If they don't, then they shouldn't be allowed to create, collect, process, transfer, or store confidential information.<br><br>It is Monday morning, so maybe I'm in a bit of a mood. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>None<br><br>
]]></content:encoded>
      <pubDate>Mon, 28 Apr 2008 05:50:55 +0000</pubDate>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/clients personal information">clients personal information</category>
      <category domain="http://securityratty.com/tag/clients">clients</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/specific information">specific information</category>
      <category domain="http://securityratty.com/tag/store confidential information">store confidential information</category>
      <category domain="http://securityratty.com/tag/client information">client information</category>
      <category domain="http://securityratty.com/tag/confidential information">confidential information</category>
      <category domain="http://securityratty.com/tag/personal information inside">personal information inside</category>
      <source url="http://breachblog.com/2008/04/28/hmw.aspx">Stolen account firm laptop contained personal information</source>
    </item>
    <item>
      <title><![CDATA[Holier than marketing people - not!]]></title>
      <link>http://securityratty.com/article/fdb3b518659b7e85c6aa66286eecd722</link>
      <guid>http://securityratty.com/article/fdb3b518659b7e85c6aa66286eecd722</guid>
      <description><![CDATA[So here is one of my pet peeves about the IT world. Too many &quot;technical&quot; people consider themselves (pick one:) superior, smarter, more ethical, better than, their marketing counterparts. Hey people,...]]></description>
<content:encoded><![CDATA[<p><a onclick="window.open(this.href, '_blank', 'width=280,height=280,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false" href="http://www.stillsecureafteralltheseyears.com/.shared/image.html?/photos/uncategorized/2008/04/25/venus_fly_traps.jpg"><img title="Venus_fly_traps" height="200" alt="Venus_fly_traps" src="http://www.stillsecureafteralltheseyears.com/ashimmy/images/2008/04/25/venus_fly_traps.jpg" width="200" border="0" style="FLOAT: left; MARGIN: 0px 5px 5px 0px"></img></a> So here is one of my pet peeves about the IT world. Too many "technical" people consider themselves (pick one:) superior, smarter, more ethical, better than, their marketing counterparts. Hey people, everybody is selling something all of the time, even if it is themselves. Case in point, a recent "spat" between my bud Mike Rothman and another friend, Misha Govshteyn. Now Rothman and I go back a bit and have had our share of blog bad blood, but all in good spirit. Misha is a good guy too. Anyone who knows where to find <a href="http://blog.alertlogic.net/?p=55">a schmaltz herring in Houston</a> after all can't be too bad. And my friend Farnum who serves as the peanut gallery in this story is solid as well. OK now that we have the players, let's lay out the story.<br><br>It seems that Alert Logic had a webinar titled "Simple &amp; Affordable PCI Compliance w/ Alert Logic". Mike <a href="http://securityincite.com/blog/mike-rothman/pragmatic-cso-podcast-10-its-so-easy">thought</a> that this was very misleading marketing from the slimy, no ethics, don't understand the real pain marketing folks at Alert. They are preying on the simpletons who are responsible for security and PCI compliance in the world and Mike delivers his full venomous wrath (according to Misha anyway, I bet Mike could be worse) on Alert Logic and their marketing team. 
Misha then <a href="http://securityincite.com/blog/mike-rothman/pragmatic-cso-podcast-10-its-so-easy">responds</a> with his own venomous wrath, that Rothman is literally full of baloney, a shameless self-promoter on par with Michael Savage. To add fuel to this fire comes Michael Farnum, who tells Misha in his comments that while he likes Alert Logic, "many manufacturers use their marketing as fly traps." <br><br>OK, here is my take. To Mike Rothman: come on Mike, you never did anything like that when you were a marketing guy? What are you some kind of reformed smoker? What would you have them name the webinar: "PCI is hard and our stuff can only help a little"? Give it a rest. Also a little respect for the people they are marketing to. I think they realize what is what and can separate the bull from the cream. To Misha, hey at least Mike gave you some PR. I understand your frustration but instead of pointing at everyone else, say we stand by the name and that does it. Most of all to my buddy Farnum, dude, we know what you do, it is just a question of price. If those Venus Fly Trap marketing people weren't drawing people in, you would have to have a second job to feed the family and may not have the leisure time for blogging.<br><br>But seriously folks, marketing people have a hard job too. It is not that they are not technical or don't understand what is involved in PCI compliance or the like. It is their job to make these webinars appealing. I don't think most marketing people think of what they are doing as being misleading. They try to make these webinars deliver as advertised. The same way engineers try to make a product work as intended. Let's understand that it "takes a village" to develop, market, sell and support a product. Everyone has their job to do and for the most part do it the best they can and again for the most part with the highest of professional standards. 
Thinking that marketing people are slimy fly traps does a disservice to them, the people they market to and frankly comes across as self-serving arrogance.</p>
]]></content:encoded>
      <pubDate>Fri, 25 Apr 2008 17:09:21 +0000</pubDate>
      <category domain="http://securityratty.com/tag/bud mike rothman">bud mike rothman</category>
      <category domain="http://securityratty.com/tag/mike rothman">mike rothman</category>
      <category domain="http://securityratty.com/tag/people">people</category>
      <category domain="http://securityratty.com/tag/mike">mike</category>
      <category domain="http://securityratty.com/tag/bet mike">bet mike</category>
      <category domain="http://securityratty.com/tag/alert logic">alert logic</category>
      <category domain="http://securityratty.com/tag/likes alert logic">likes alert logic</category>
      <category domain="http://securityratty.com/tag/affordable pci compliance">affordable pci compliance</category>
      <category domain="http://securityratty.com/tag/pci compliance">pci compliance</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/277999512/holier-than-mar.html">Holier than marketing people - not!</source>
    </item>
  </channel>
</rss>
