Government employees viewing passport records

Several government employees have been charged with accessing passport files without an official reason. One of the employees cited the reason as “idle curiosity.”

Physical and file system access-control merging?

I was trolling through my daily news feed when I ran across this article on SecureIDNews. It's about a company which is marketing a card which controls access to both physical spaces and computers. I found this an interesting article since my research focuses on ethnographic studies of both physical and logical access-control administration. As a researcher I continuously get criticism from the computer security community that physical access control is a solved problem that has nothing to do with them. I'm glad to see someone interested in merging control of the two systems and am interested in how the merger will go.

Collection of articles on security metrics

The metrics center has a nice collection of articles on security metrics and data anonymization.

http://www.metricscenter.org/index.php/resourcesmain/articles


Report on data breaches

Verizon Business has published a Data Breach Investigations Report which looks at 500 data breaches worldwide over four years. Their report has several interesting findings.

  • 18% of breaches were caused by insiders.
  • Insider breaches were far less frequent than other types but they compromised more records.
  • 66% of breaches involved data the victim didn't know was on their system.
  • 19% of breaches involved malicious misuse of access or privileges.
  • 70% of breaches were discovered by third parties.

For more information I recommend reading the report which is free for download.

Societe Generale and controlling access

Societe Generale, a European bank, reported in January of 2008 a trading loss of nearly 7.2 billion dollars, one of the largest trading losses in banking history. How did they lose so much? Apparently an employee changed roles within the company, moving from compliance to trading. While he was given the new permissions associated with his new role, the permissions associated with his old role were never removed. Using his extra access rights and his knowledge of how compliance was managed, the employee was able to make high-risk trades in amounts far exceeding what he should have been allowed. The result: 7.2 billion in losses.
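The failure described above is the textbook case of privilege accumulation across a role change: the new role is granted, the old one is never revoked, and the combination of the two lets one person both set the limits and trade against them. The following is an added example, not code from the original post or from the bank, that models a small RBAC system with constructed role names (compliance, trader, analyst) and a constructed separation-of-duties policy. It shows the additive transfer that produces the problem, a replacing transfer that revokes the old role and refuses conflicting combinations, and an audit that detects users whose granted roles exceed their current job.

```python
"""Added example (not from the original post): role transfers in a small
RBAC model, contrasting additive grants with revoke-and-replace, plus a
separation-of-duties (SoD) check and a privilege-creep audit.
All role, permission and user names are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed role -> permission mapping.
ROLE_PERMISSIONS = {
    "compliance": {"view_limits", "set_limits", "view_trades"},
    "trader": {"place_trade", "view_trades"},
    "analyst": {"view_trades"},
}

# Constructed SoD policy: pairs of roles one person must never hold together.
SOD_CONFLICTS = {frozenset({"compliance", "trader"})}


@dataclass
class User:
    name: str
    job: str                                  # role the user should hold now
    roles: set = field(default_factory=set)   # roles actually granted

    def permissions(self) -> set:
        """Effective permissions: union over every granted role."""
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms


def sod_violations(roles) -> set:
    """Return the SoD pairs that are fully contained in the given role set."""
    held = set(roles)
    return {pair for pair in SOD_CONFLICTS if pair <= held}


def transfer_additive(user: User, new_job: str) -> User:
    """The flawed pattern: record the new job and add its role,
    but never touch the roles granted for the previous job."""
    user.job = new_job
    user.roles.add(new_job)
    return user


def transfer_replacing(user: User, new_job: str, keep=()) -> set:
    """Safe pattern: the new role set is exactly the new job plus any roles
    explicitly re-approved in `keep`. The SoD check runs before anything is
    mutated, so a refused transfer leaves the user unchanged.
    Returns the set of roles revoked, for the audit log."""
    proposed = {new_job} | set(keep)
    conflicts = sod_violations(proposed)
    if conflicts:
        raise ValueError(f"SoD conflict for {user.name}: {conflicts}")
    revoked = user.roles - proposed
    user.job = new_job
    user.roles = proposed
    return revoked


def audit_privilege_creep(users) -> dict:
    """Detection: map each user to the roles they hold beyond their current
    job. An empty dict means no accumulated privilege was found."""
    return {u.name: u.roles - {u.job} for u in users if u.roles - {u.job}}


if __name__ == "__main__":
    a = User("employee-a", "compliance", {"compliance"})
    transfer_additive(a, "trader")
    print("additive:", sorted(a.roles), "SoD:", sod_violations(a.roles))

    b = User("employee-b", "compliance", {"compliance"})
    print("replacing revoked:", transfer_replacing(b, "trader"), sorted(b.roles))
    print("creep audit:", audit_privilege_creep([a, b]))
```

Running the block prints the accumulated role set for the additive transfer (with its SoD conflict), the revoked set for the replacing transfer, and an audit that flags only the first user. The audit is the piece an access-administration team can run on a schedule independently of how transfers are processed, which is the check that was missing in the incident described above.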

SOUPS 2008 conference

If you don't know about the Symposium on Usable Privacy and Security (SOUPS) you probably should. It's a symposium dedicated to research on usable solutions to privacy and security problems. Attendees come to discuss topics ranging from graphical passwords to physical security management systems. I've included a description of the conference below. This year SOUPS will feature two workshops: Usable IT Security Management (USM '08) and The Symposium on Accessible Privacy and Security (SOAPS).

SOUPS 2008

Symposium On Usable Privacy and Security

July 23-25, 2008

Carnegie Mellon University, Pittsburgh, PA USA

http://cups.cs.cmu.edu/SOUPS/

The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human-computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). Detailed information about technical paper submissions appears below. For information about other submissions please see the SOUPS web site http://cups.cs.cmu.edu/soups/2008/cfp.html.

Privacy & data protection survey

Deloitte and Ponemon Institute published a survey on privacy and security in the enterprise environment.

I saw a talk given by Deloitte today on the survey and here are some of the highlights I found interesting:

  • Over 85% of respondents reported at least one breach where user notification was required and 63% reported multiple breaches.
  • The most implemented (59.9%) technology solution to privacy and security issues was segregation of duties tools. (Note: this sounds like companies are making use of the RBAC model)
  • Data classification was also high (57.7%) on the list of technology solutions. (Note: This may also be part of RBAC, classifying data into roles as well as people)
  • Encryption is being implemented (55%) but the encryption isn’t being applied to everything and a significant number of companies fail to adequately protect data both in storage and while in transit.
  • Both privacy and security professionals spend most of their time on incident response which includes notifying affected users.
  • Female and male security professionals make approximately the same salary.