Cyber Security Industry Alliance Newsletter • Volume 2, Number 2 • October 2005

CSIA in the News

Article of Interest

Government Technology, September 20, 2005
Vigilance, Resilience Key to Cyber Security, Says New York State Official

"We just did a phishing exercise to 10,000 desktops," said William F. Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination. "We sent out a generic advisory on phishing, and no one was aware there would be an exercise to follow." About a month after the advisory, an e-mail arrived on those agency desktops. It came from outside, but appeared to be from state government. It said that since security was so important, and that passwords were the first line of defense, the state had developed a password checker for state employees. "It asked them to enter their personal password and user ID to see how good their passwords were," said Pelgrin. "Out of 10,000 employees, we had about 17 percent that fell prey to it at that time."
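The exercise above turned on a single message that "came from outside, but appeared to be from state government" and asked staff to type in a user ID and password. As an added example, not part of the newsletter or of the New York State program, the Python below shows the two checks a mail gateway or triage script can combine to catch that pattern: whether a message claiming an internal From: domain actually entered from an external relay (read off the earliest Received: hop), and whether its text asks the reader to supply a password. The domain example.gov, the host names and the three sample messages are constructed placeholders, not real infrastructure.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumed placeholder for the organisation's own mail domain.
INTERNAL_DOMAIN = "example.gov"

# Constructed sample 1: external origin, internal-looking From:, asks for credentials.
# This is the shape of the exercise message described in the article.
SAMPLE_SPOOF = """\
Received: from mx1.example.gov (mx1.example.gov [10.0.0.5]) by mail.example.gov with ESMTP; Tue, 20 Sep 2005 09:00:00 -0400
Received: from relay.outside-test.net (relay.outside-test.net [203.0.113.7]) by mx1.example.gov with ESMTP; Tue, 20 Sep 2005 08:59:58 -0400
Return-Path: <bounce@outside-test.net>
From: "IT Security" <security@example.gov>
To: employee@example.gov
Subject: Password strength checker

Security is important and passwords are the first line of defense.
Enter your user ID and password at http://checker.outside-test.invalid/ to see how strong it is.
"""

# Constructed sample 2: ordinary internal mail, should pass.
SAMPLE_INTERNAL = """\
Received: from ws-42.example.gov (ws-42.example.gov [10.0.1.42]) by mail.example.gov with ESMTP; Tue, 20 Sep 2005 09:10:00 -0400
From: "Jane Doe" <jane.doe@example.gov>
To: employee@example.gov
Subject: Lunch

Meeting at noon.
"""

# Constructed sample 3: honest external sender that mentions a password. Not a spoof,
# but still worth flagging for review because of the credential wording.
SAMPLE_VENDOR = """\
Received: from mail.vendor-test.example (mail.vendor-test.example [198.51.100.9]) by mx1.example.gov with ESMTP; Tue, 20 Sep 2005 09:20:00 -0400
From: "Vendor Support" <support@vendor-test.example>
To: employee@example.gov
Subject: Account notice

Your password reset link will expire in 24 hours.
"""

def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if none)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def received_hosts(msg):
    """Host named in each Received: 'from' clause, newest first (header order)."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([^\s(]+)", str(hdr))
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def originated_externally(msg):
    """True if the earliest hop that touched the message is not one of our hosts.
    A message with no Received: trace is treated as untrusted (assumption)."""
    hosts = received_hosts(msg)
    if not hosts:
        return True
    origin = hosts[-1]
    return not (origin == INTERNAL_DOMAIN or origin.endswith("." + INTERNAL_DOMAIN))

def asks_for_credentials(msg):
    """True if subject or plain-text body pairs 'password' with a call to act on it."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    text = (msg.get("Subject", "") + "\n" + text).lower()
    return bool(re.search(r"\bpassword", text)
                and re.search(r"user\s*id|enter|verify|check|reset|confirm", text))

def analyse(raw):
    """Return the two indicators and a verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    spoofed_internal = sender_domain(msg) == INTERNAL_DOMAIN and originated_externally(msg)
    lure = asks_for_credentials(msg)
    if spoofed_internal and lure:
        verdict = "quarantine"
    elif spoofed_internal or lure:
        verdict = "flag"
    else:
        verdict = "allow"
    hosts = received_hosts(msg)
    return {
        "from_domain": sender_domain(msg),
        "origin_host": hosts[-1] if hosts else None,
        "spoofed_internal": spoofed_internal,
        "credential_lure": lure,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("internal", SAMPLE_INTERNAL), ("vendor", SAMPLE_VENDOR)):
        print(name, analyse(raw))
```

The origin check is deliberately based on the bottom-most Received: line rather than the Return-Path or From: header, because those two are chosen by the sender; the hop that your own gateway recorded is the part the sender does not control. In production the same two indicators would be fed by SPF/DKIM results and a list of known relays rather than a single domain string, but the decision logic is the same.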

In keeping with that premise, Pelgrin has expanded the efforts of his office to educate and inform state and local government, law enforcement, and the public. His office — along with the Department of Homeland Security's National Cyber Security Division and other organizations — developed a cyber-security awareness program for New York that other state and local governments around the country are invited to use. "For October," said Pelgrin, "our theme is protecting children on the Internet. The slogan is 'It's everyone's responsibility'. Parents, teachers, law enforcement, government — everyone needs to take a role to ensure our children are protected and also that children don't become the next hacking generation..."

CSIA Coverage

CIO Insight, September 5, 2005
Double Identity; Data theft laws are gaining traction on Capitol Hill. But will the upcoming legislation do any good?
According to a May 2005 survey of 1,003 U.S. voters, conducted by the Cyber Security Industry Alliance (CSIA), a trade organization representing companies that make security products, 97 percent of respondents rate identity theft as a serious problem and are fearful of their personal information being stolen; 48 percent said they avoid making purchases on the Internet because they are afraid their financial information isn't safe, and 71 percent believe new laws are needed to protect consumer privacy. "More companies are starting to evaluate the risk to their operations and financial performance from neglecting to protect sensitive information," says Paul Kurtz, executive director of the CSIA. "They don't want their names plastered on the front page of the newspaper, or to be prosecuted for failing to live up to the standards federal and state governments are demanding they adopt to protect consumers. They know that wouldn't be good for business. Encryption is an important and elegant approach to data protection — it's absolutely essential — but it still must be part of a holistic data protection system. I don't want to think that companies will believe they've done enough because the law lets them off the hook if they encrypt." "Passwords are a lousy way to protect consumers," says Chris Voice, vice president of technology at Entrust, an Addison, Texas-based encryption company. "At an ATM, you have to have a debit card or you can't access the system. That's more than a password. So why do we guard credit data, health records and other sensitive data behind only a password on the Web, or in most corporate networks?"
*By Subscription Only

eWeek, September 15, 2005
Organizations Urged to Stay Protected from IT Security Threats
Companies must incorporate best IT security practices in their daily routines if they intend to protect data assets and instill confidence in their customers, the CEO of a high-profile data security company told attendees during a keynote speech online Wednesday at the Ziff Davis Internet Virtual Tradeshow. Art Coviello, CEO and president of RSA Security Inc., told seminar attendees that only about 20 percent of businesses in the United States actually have formulated IT security policies and have communicated them clearly to their employees. Best-practice IT security policies involve "reasonable and appropriate" controls, Coviello said, over online and internal data access and storage; logging and reporting; employee authentication and levels of permission access; business partner/customer access to company data; and compliance with Sarbanes-Oxley and HIPAA regulations. "And don't forget one of the most common security problems we see: properly removing data access to former employees," Coviello said. Coviello currently serves as co-chair of TechNet New England and is a member of TechNet's CEO Cyber Security Task Force. He is also a founding board member of the CSIA (Cyber Security Industry Alliance) and was appointed to co-chair of the National Cyber Security Summit's Corporate Governance Task Force, a public-private initiative co-organized by the U.S. Department of Homeland Security and leading industry associations.

Forbes, September 15, 2005
Cyber Security Today: Building Safeguards That Work
"We're beyond the point where we can look at these issues problem by problem," says Kurtz. "The solutions will be holistic ones, and the good news is that everyone, including the U.S. Congress, is beginning to understand that. Our mission is to ensure that as government begins to take action, it is aware of the private sector's activity to secure information systems, and that any new regulation utilizes existing guidance and standards to minimize the burden on the private sector." The issue is vital, say Kurtz and others, because information technology now touches every sector in the economy. It carries all of our personal and financial information, and contains the mission-critical information not just of businesses but of government as well. "When we talk about cyber security today, we're talking about the confidentiality, integrity and the availability of information," says Kurtz. "The scope is literally as wide as the economy." Cyber security can often be confusing for business leaders to understand "because it's not something tangible that they can see, touch or feel, like physical security," says Tom Noonan, chairman, president and chief executive officer of Internet Security Systems (ISS). "But all of them are coming to the understanding that their businesses are dependent on the safe, free, uninterrupted flow of data in and out of their systems, and that those systems have to be protected."
*By Subscription Only

SearchSecurity.com, September 23, 2005
Home is where the heart (and disaster back-up plan) is
You've advocated teleworking as a way to stay running in the face of a disaster. How would it help?

Kurtz: The attacks on the London transportation system this summer showed we need to think about our working environment. We need to plan for disasters of different types. It could be a natural disaster or the threat of a terrorist attack where you have an unwillingness of people to move if needed and you have a situation where people can't get to work. But our IT infrastructure gives us the ability to be far more resilient and live and plan in an environment where we can reconstitute ourselves in an attack. The idea is that in the event of a disaster, or even the threat of one, you don't have to bring everything to a screeching halt. With telework, you can keep business flowing before, during and after an incident because you're not shutting everything down during a threat to move people around. After the London bombings, there was the problem of people getting to their physical work locations with the underground shut down. The vulnerability is that people can't get to their job. What if something happened and it became very difficult for people to get into Washington D.C.?

TIME Magazine, September 26, 2005
Searching for Online Security
According to a recent survey by the Cyber Security Industry Alliance, an industry advocacy group, 48% of Internet users avoid making purchases online because they are nervous their financial information will be stolen. And with good reason — unauthorized use of online accounts has become the fastest-growing fraud in the United States, according to Gartner. More than $11.7 billion was lost to fraud among online adults in the year ending April 2004, the research firm says, and it estimates that by the end of 2006, 75 percent of the data stolen to commit illegal checking-account transfers and credit-card purchases will be taken from the Internet. That may change with the launch today of TrustWatch Search, the first search engine to help Internet users fight fraud, identity theft and other online scams. The free service looks and works like a regular search engine.

CNET, September 29, 2005
Expert: Cyberterror response shared responsibility
A misconception about cyberterrorism is that only the government should prepare for it, Paul Kurtz, the security software industry's chief lobbyist, said Thursday. "Calling for stronger security in the context of terrorism is a mistake," Kurtz said in a keynote speech at the IT Security World Conference in San Francisco. "I think it is a mistake because the implication is that it is the government's responsibility to solve the problem. The government can't defend all these networks. Significant attacks occur daily without any involvement from terrorists," Kurtz said. Every organization should therefore pay attention to computer security. "Protecting networks against everyday attacks will help defend against inevitable attacks by terrorists or enemy states," he said. Kurtz, who is executive director of the Cyber Security Industry Alliance, is lobbying Washington to help give guidelines on security, not regulate security. "We're not trying to regulate folks into security. If we do, it is going to inhibit growth, it is going to inhibit innovation and it is going to tie people's hands," he said.