Posts Tagged ‘privacy’


Government Contractor Exposes Personal Data

Posted by: admin | February 6th, 2009

by Doug Pollack

Network World recently published an article titled “Federal Workers Notified after SRA Virus Breach” about SRA, a 6,600-person federal government contractor that recently reported a data breach. The breach was caused by a virus in its computer systems that exposed personal information including employee names, addresses, Social Security numbers, dates of birth and healthcare provider information, the company said in a notification posted at the Maryland Attorney General’s Web site.

“The breach is embarrassing for SRA, a 6,600-employee technology consulting company that sells cybersecurity and privacy services to the federal government. The company wouldn’t say which federal agencies were affected by the breach, but in U.S. Securities and Exchange Commission filings it lists intelligence agencies and those such as the U.S. Department of Defense, the U.S. Department of Homeland Security and the U.S. National Guard among its clients.”

While unfortunate for SRA and the federal workers whose personal information was compromised, this is another wake-up call for organizations of all sizes that current security approaches and technologies are not a guarantee against the eventuality of a data breach. Organizations are increasingly turning to an outside privacy risk assessment to get an independent view of their real risk of a data breach.

Who needs enemies when you have MySpace friends?

Posted by: Rachel James | January 8th, 2009

By Rachel James

A new scam method, described in an IT World article titled “Why you can’t trust ‘friends’ on Facebook”, is another example of the risks that social networking exposes us to:

Step 1: Request to be “friends” with a dozen strangers on MySpace. Let’s say half of them accept. Collect a list of all their friends.

Step 2: Go to Facebook and search for those six people. Let’s say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you’re already an established friend.

Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send “friend” requests to your victims on Facebook.

As a bonus, others who are friends of both your victims and your fake self will contact you to be friends and, of course, you’ll accept. In fact, Facebook itself will suggest you as a friend to those people.

(Think about the trust factor here. For these secondary victims, they not only feel they know you, but actually request “friend” status. They sought you out.)

Step 4: Now, you’re in business. You can ask things of these people that only friends dare ask.

“Let’s meet for drinks — bring your new car!”

“I’m in Nigeria on vacation, got robbed and need $500 to get home!”

Information Security Survey

Posted by: admin | October 31st, 2008

by Doug Pollack

PricewaterhouseCoopers recently published a survey on the information security sector titled “Safeguarding the new currency of business”. Given the continued growth in corporate data breach events, the survey is particularly timely and provides valuable insights to corporate security and privacy officers.

One key conclusion surrounds the investment being made in security technologies during 2008. They noted “double digit advances in implementing new security technologies across virtually every security domain, from prevention to detection.”

Given this, it still raises the question of “why enterprise-wide visibility into the crucial details of actual security incidents is so clouded?” Not only is it difficult to clearly assess data breach events, but technology still does not stem data breaches caused by human error, such as the proverbial “lost laptop”.

They note appropriately that “the acute focus on technology over the last year has not been matched by an equally robust commitment to other critical drivers of security’s value such as: (1) many of the critical business and security processes that support technology, and (2) the people who administer them.”

This may presage the priorities that corporate America takes on to address the ongoing security breach issues that continue to be so commonplace.