29 May 2009

Cybersecurity: Three trends for 2009

I wrote this report and just published it on my consulting firm's website. This executive report examines three important trends of cybersecurity importance for business. We are facing difficult economic times. Organizations who proactively plan and manage cybersecurity risks will be better positioned to succeed in the global business environment.

To download this report go to:

http://www.csoboard.com/Publications

09 May 2009

UC Berkeley: Data Breach 160,000 Students, Alumni, and Staff at Risk

The University of California, Berkeley, has set up a website http://datatheft.berkeley.edu/ informing the general public about a data security breach carried out by hackers who may have accessed a database at the university's campus health services center.

My thoughts... It is my hope that this incident will serve as a wake-up call to healthcare organizations and educational institutions of the need for stronger information security management. I've long believed that healthcare and educational institutions have a greater responsibility for the confidentiality, integrity, and availability of the personal information entrusted to them by their students, staff, and business partners.

As a former Chief Information Security Officer (CISO) in healthcare, I know firsthand the data security and privacy risks for that industry. The healthcare industry collects and processes more personal information on patients than most financial institutions. For hackers seeking to steal personal information to be able to conduct financial fraud, healthcare organizations are easy targets, given the limited financial resources those organizations have devoted to protecting the personal information of patients, staff, and business partners. Healthcare organizations need to invest in more information security defenses and education for their staff. Meeting an audit report for regulatory compliance is not sufficient, and healthcare organizations must invest in information security as an integral part of their way of doing business.



05 May 2009

8 Million Patients' Personal Data Stolen By Hackers In Virginia

The Virginia Prescription Monitoring Program (PMP) was hit by hackers according to media reports. (See Washington Post: http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html)

The suspected hackers deleted the pharmacy records of 8 million patients in the state's databases and hijacked the PMP website with a $10 million ransom note to return the data records. The state is referring all inquiries to the U.S. FBI.

More news regarding this incident:

FBI Probes $10M Hacker-Ransom Claim in Virginia
http://www.cbsnews.com/stories/2009/05/05/tech/main4992372.shtml

Alleged hacker demands $10 mil for Va medical records
http://www.timesdispatch.com/rtd/news/local/article/HACKGAT05_20090504-212004/265693/


22 April 2009

SC Magazine 2009 Awards - Winners

During the week that the RSA Conference is held in San Francisco, another event takes place that is always the highlight of the week.  That event is the SC Magazine Awards Gala industry awards.  This is one of those events I look forward to every year and I'm sure many IT security industry companies also look forward to having their solutions honored by an award.

The SC Magazine 2009 Awards Gala event, held last night at the Hilton Hotel, was the best awards event that I've attended in recent years. Despite the economic news we hear every day, you could tell from observing the companies attending, nominated, and honored that they are growing and providing solutions that customers are demanding. This leads me to believe that the IT industry in general has at least one very large bright spot and that is IT security.

I won't pontificate on the merits of IT security solutions or the value of purchasing those solutions. I'll let you be the judge of those solutions. Here is the link for the list of winners of the SC Magazine Awards 2009 -- http://www.scmagazineus.com/pages/section/945/

Thanks to SC Magazine, the judges, nominees, winners, and most importantly thanks to the customers and clients we in the IT security industry serve. You, our customers in many industries, have allowed us the privilege and honor of serving you with IT security solutions that protect your organizations from risks both on-line and offline. Thank you for allowing us to serve you, our customers.

19 April 2009

State of Information Security 2009

I couldn't sleep tonight and was reading on-line on recent cybersecurity challenges and ran across an article in the San Francisco Chronicle regarding this year's RSA Conference.  (See SFGate.com: Somber year for RSA Conference on cybersecurity).  The RSA Conference is one of the largest gatherings of cybersecurity professionals in the world. 

The SF Chronicle article crystallized for me what I have been feeling as an information security professional, a feeling that today more than ever, cybersecurity has a real impact on our daily lives.  Unfortunately due to the current economic crisis, many organizations are being forced to scale back their Information Technology (IT) and information security budgets. 

Organizations should carefully consider their investments in light of current economic conditions and make wise investments in cybersecurity.  Prudent investments in cybersecurity will help to safeguard an organization's intellectual property, business transactions, and the data/information entrusted to them by their clients and business partners.

As I travel to the RSA Conference this week, I hope to interact with other information security professionals and colleagues and learn how they are helping their organizations by adding value and performance improvements to their organizations.

12 March 2009

Information Systems Security Officer (ISSO) for Office of CTO for District of Columbia Arrested by FBI in Ongoing Investigation

Several media outlets are reporting on an investigation being led by the U.S. Federal Bureau of Investigation targeting officials in the Office of the Chief Technology Officer (OCTO) for the government of the District of Columbia.

According to news reports, Yusuf Acar, the Information Systems Security Officer (ISSO) for the OCTO has been arrested by the FBI.

Yusuf Acar worked for Vivek Kundra, who recently left his role as Chief Technology Officer for the District of Columbia to become President Obama's nominee for Chief Information Officer for the Federal Government.

See more at:

Washington Post - Breaking: D.C. Tech Official Busted in Federal Bribery Sting  http://voices.washingtonpost.com/dc/2009/03/breaking_dc_tech_official_bust.html

Associated Press - FBI searches DC government office, arrests worker
http://www.google.com/hostednews/ap/article/ALeqM5hMT9GSjeFeuiRWPCUKflpfkvfw3QD96SIU584

ABC News - FBI Arrests DC Official
http://blogs.abcnews.com/politicalpunch/2009/03/fbi-arrests-dc.html

Fox News- Obama's Pick for Information Officer Raided by FBI
http://www.foxnews.com/politics/first100days/2009/03/12/obamas-pick-information-officer-raided-fbi/

06 March 2009

SC Magazine: Leading through the good and bad

by Jaime Chanaga, CISSP, CISA - CEO, The CSO Board

As the drumbeat of negative economic updates seems to overwhelm our daily news cycles, we tend to forget that at the heart of any business engine is people.

Read the full article here:
http://www.scmagazineus.com/Leading-through-the-good-and-bad/article/128340/

25 February 2009

AT&T Wireless Network Outage - Dallas/Ft. Worth Area

Normally I don't complain about anything on-line.  However, today I will make an exception.  My AT&T Wireless cell phone service started to have issues this morning.  I have just spent the last 30 minutes on the phone with Customer Service, only to be told there is a potential network outage (voice/data) on the AT&T Wireless network in Texas, affecting the Dallas area.

The only information I have at this time are two technical support trouble ticket numbers TT000009764939 and TT000009768806.  As soon as I find out more information I will post it here.

I have been a loyal premier business customer of AT&T Wireless for a very long time and hope they can find a resolution to this network outage.  I have posted this on twitter under #ATTWireless if you would like to follow any further updates to my experience on this issue affecting users of AT&T Wireless services.


12 January 2009

Data Breach at University of Rochester

The University of Rochester has disclosed (see official notice) that a non-academic student database was compromised resulting in the data theft of social security numbers of current and former students.  Estimates by the university are that approximately 450 people are affected in this incident.

The University has notified the FBI, the New York State Attorney General, the Consumer Protection Board, and the Office of Cyber Security.  The University is also offering to pay for credit monitoring services for the victims affected by this data breach. 

02 January 2009

Information Security Challenges for 2009

As the new year begins, I'm hopeful that despite the negative forecasts for the U.S. economy, there will be areas of business and technology growth driven by increasing regulatory and compliance mandates for organizations across many industries. Organizations should begin to look at ways they can leverage and optimize their use of information security management programs and technologies to enhance the operational and financial efficiency of their information technology services portfolios. Regulatory compliance as a stand alone business function does not add value to the financial bottom line of any organization.

It is up to those responsible for information technology and security management to find ways to add operational and financial value to their organization. To my fellow information technology and security colleagues, I urge you to make 2009 a year in which you actively brainstorm and produce tangible added value to your organization. Let's do our part to help the economy grow--every action of added value can help! One thing I'm confident about is the ingenuity and resourcefulness of information technology and security professionals.

If you have an idea on how information technology and security can bring added value in 2009 to any organization, please share it with me or the readers of this blog.

Best wishes for success in 2009!


    Jaime Chanaga

    • Jaime G. Chanaga, CISSP, CISA is founder and CEO of The CSO Board, a management consulting firm dedicated to helping leaders and organizations solve critical strategic issues and make lasting substantial improvements in their performance. He is also an Editorial Advisory Board Member for SC Magazine, proud member of the U.S. FBI's Infragard program, and a former Chief Information Security Officer (CISO) in healthcare. He is co-author of the book “Corporate Security in the Information Age”.
