|
What does the British Computer Society think of Phorm?
|
Phorm, Webwise, OIX and the BCS Security Forum
|
Phorm over function? Perhaps that's the challenge in relation to marketing desires clashing with privacy hopes. But given the starting point of the Phorm furore, in the Spring of 2008, we are now in the Autumn of 2008 and it's been nothing but data breach after user faux pas exposing countless millions of individuals' personally identifiable information that has focussed the spotlight firmly upon the need to apply "privacy by design" principles from the outset - something that the ICO will be taking a very serious view of in the coming months. The BCS Security Forum is equally involved in keeping a watching brief.
Published by kind permission of Andrea Simmons
Download as a pdf
|
|
|
|
'The Any Era Has Arrived And Everyone Has Noticed'
|
RSA Conference - Keynote Presentation:
'The Any Era Has Arrived And Everyone Has Noticed'
|
VeriSign's CEO Stratton Sclavos presented the keynote 'The Any Era Has Arrived And Everyone Has Noticed' at the recent US RSA Conference.
Download as a PowerPoint animated presentation (recommended) or as a static pdf
|
|
|
|
Identity Security - Time to Share
|
RSA Conference 2006 - Keynote Presentation: Identity Security - Time to Share |
Nico Popp of VeriSign gave the Keynote Presentation at the RSA Conference 2006:
The Keynote Presentation addressed the topic 'Identity Security - Time to Share', focusing on the issues around Identity Theft, Online Fraud and Phishing. The presentation gave a thought-provoking insight into the idea of an identity network and the notion that the 'good guys' should be sharing intelligence and working on global and intelligent infrastructures.
Download as a PowerPoint animated presentation (recommended) or as a static pdf
|
|
|
|
Data Privacy for data in transit and The Semantic Web
|
Phoraging - How the Semantic web increases the risk of Identity Theft and worse |
Mike Davies of VeriSign discusses:
- Personal data at rest
- Personal data in transit
- Industry and regulations have focused on data at rest
- The Semantic web will make it easier to get data on any subject from the internet
- Data privacy will be impacted as the fog of information becomes clearer
- Fraudsters will use these tools to steal identities by looking at multiple sources ("Phoraging")
- Where security needs to be applied to protect privacy
Download as a PowerPoint animated presentation (recommended) or as a static pdf
|
|
|
|
Risk-Based Assessment: A Practical Guide to Complying with FFIEC Authentication Guidelines - a pre-recorded Webinar
|
Risk-Based Assessment: A Practical Guide to Complying with FFIEC Authentication Guidelines |
Doug Barbin, VeriSign Senior Regional Consulting Manager discusses:
- The difference between Controls Assessments and Risk Assessments
- What the FFIEC means by a risk-based approach to authentication
- Guidelines for developing and implementing a practical roadmap to FFIEC-Authentication Risk Assessments
- How to develop a step-by-step task list for conducting a Risk Assessment
- How to ask key questions for each stage of the assessment
register to view this on-demand web seminar
|
|
|
|
Vulnerabilities Relevant for 1 June 2006
|
iDefense Upcoming Vulnerabilities Report May 2006 |
The following are the iDefense Exclusives which may be part of the next Microsoft Patch Tuesday, scheduled for June 13. iDefense customers have been provided workarounds for these issues as far as 146 days in advance of public notification.
Download the report |
|
|
|
IDS Evasion Techniques and How to Prevent Them
|
iDefense WebCast: IDS Evasion Techniques and How to Prevent Them |
Intrusion Detection Systems (IDS) detect inappropriate, incorrect or anomalous host or network activity. This presentation provides information about common techniques used to evade IDS detection. The goal is to answer the question: To what extent should network administrators rely upon IDS detection systems for security and advanced warnings of attacks?
Full Webcast Streamed to your Desktop 22 minutes. (Please note this is a replay and no interaction is possible. Requires speakers or headphones).
Accompanying Slideset, and Accompanying Report, each as a pdf
|
|
|
|
Current State of DDoS Attacks
|
iDefense WebCast: Current State of DDoS Attacks |
The distributed denial of service (DDoS) attack is among the most potentially costly and intractable cyber threats facing technology-dependent companies today. DDoS attacks are also more frequent, larger and more costly than ever before, and the number of available "zombie" computers in the wild is greater than ever. These trends will continue for the foreseeable future. This presentation discusses why and what DDoS mitigation and prevention strategies are used to keep technology-driven organizations in business today, and how early DoS attacks evolved into present-day techniques.
Full Webcast Streamed to your Desktop 27 minutes. (Please note this is a replay and no interaction is possible. Requires speakers or headphones).
Accompanying Slideset, and Accompanying Report, each as a pdf
|
|
|
|
Vulnerabilities between January and October 2005
|
iDefense Vulnerabilities Report Jan 2005-October 2005 |
Proactive vulnerability notification is critical to effective risk management. VeriSign® iDefense Security Intelligence Services delivers comprehensive, actionable intelligence aiding customers in making decisions in response to threats on a real-time basis. The following is a list of VeriSign iDefense Exclusive Vulnerabilities that have been publicly disclosed by the vendor since January 1, 2005. The table shows the number of days VeriSign iDefense customers receive notification on exclusive vulnerabilities in advance of public disclosure.
Download the report |
|
|
|
Money Mules - Sophisticated Global Cyber Criminal Operations
|
iDefense WebCast: Money Mules - Sophisticated Global Cyber Criminal Operations |
Criminals are stealing thousands of credit cards and banking account credentials daily through phishing attacks, Trojan horse attacks and other attack vectors. Thousands of dollars daily are then laundered to offshore banking accounts through dozens of countries by "money mules," or phishing money launderers. Cyber-fronts are created to solicit, hire and exploit these money mules within multiple countries, and they can make as much as $10,000 or more in a month for part time work. This report will take a look inside the world of money mule operations and provide several examples of business fronts and job offers.
Full Webcast Streamed to your Desktop 28 minutes. (Please note this is a replay and no interaction is possible. Requires speakers or headphones).
Accompanying Slideset, and Accompanying Report, each as a pdf
|
|
|
|
Sober Worm Postmortem
|
iDefense WebCast: Sober Worm Postmortem |
Sober was the most prevalent e-mail worm of 2005. The carefully planned and coordinated attack started in early November 2005 and lasted until Jan. 6, 2006. In this presentation, iDefense examines the progression of the Sober attacks and the techniques the worm used to both infect its hosts and spread to others. iDefense also covers the impact that these attacks had on key corporate infrastructure and the future of the Sober worm itself.
Full Webcast Streamed to your Desktop 19 minutes. (Please note this is a replay and no interaction is possible. Requires speakers or headphones).
|
|
|
|
Online identity theft: What businesses can do
|
Information Age WebCast: Online identity theft: What businesses can do |
Identity theft is one of the most damaging and frightening computer-aided crimes to emerge in the information age. Research in both the US and in Europe shows that it is not only becoming increasingly common, but individuals are so frightened of falling victim that it is undermining their trust in e-commerce. What can be done? And specifically, what can businesses operating through the Internet do to prevent their customers falling victim to identity theft and thereby maintain or restore confidence in their online brands? And what role can technological solutions play? Our panel of experts moderated by Andrew Lawrence, Editorial Director, Information Age debated with an online audience the best answers to these issues.
The expert panelists were:
- David Lacey, former chief security officer of Royal Mail, and a member of the Home Office Committee on ID Theft
- Ryan Kalember, Technology Director of VeriSign, and a leading authority on federated identity management technology
- Bori Toth, Biometric Research and Advisory Project Lead, Deloitte & Touche
Our panelists opened the debate with presentations outlining the threats to business posed by ID theft, and presented their view of what can best be done to combat them. The debate was then opened up to the online audience, and an enlightening half-hour discussion ensued.
Full Webcast Streamed to your Desktop 60 minutes. (Please note this is a replay and no interaction is possible. Separate registration required. Requires speakers or headphones, and Internet Explorer).
There were many questions during the session. These have been collated and are now available for download here as a pdf. |
|
|
|
Rootkits and Other Concealment Techniques in Malicious Code
|
iDefense WebCast: Rootkits and Other Concealment Techniques in Malicious Code |
In order for malicious code to provide its author with some benefit, it must be successful in four areas: propagation, infection, malicious actions and persistence. With the advent of multi-tasking computers, the increased popularity of networking in general, and the Internet in particular, the tools and techniques used by malicious code authors have improved considerably. This webcast focuses on these tools and techniques, concentrating on the evasion of first-line defenses, autostart considerations and rootkits.
Full Webcast Streamed to your Desktop 28 minutes. (Please note this is a replay and no interaction is possible. Requires speakers or headphones).
|
|
|
|
Federal Financial Institutions Examination Council
|
Authentication in an Internet Banking Environment |
On August 8, 2001, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Electronic Banking Environment (2001 Guidance). The 2001 Guidance focused on risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. Since 2001, there have been significant legal and technological changes with respect to the protection of customer information; increasing incidents of fraud, including identity theft; and the introduction of improved authentication technologies. This updated guidance replaces the 2001 Guidance and specifically addresses why financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services.
This guidance applies to both retail and commercial customers and does not endorse any particular technology. Financial institutions should use this guidance when evaluating and implementing authentication systems and practices, whether they are provided internally or by a service provider. Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities.
|
|
|
|
The Rise of Online Islamic Propaganda
|
iDefense WebCast: The Rise of Online Islamic Propaganda |
Numerous recent media articles have noted that al Qaeda is improving its information operations tactics through the use of the Internet, providing a means of anonymous communication and the dissemination of news on the group's military successes. This report will reveal the frequent presence of Islamist Extremist Propaganda online and provide a clearer understanding of the different forms of IEP, based on the specific objective and approach of each type.
Full Webcast Streamed to your Desktop 26 minutes. (Please note this is a replay and no interaction is possible. Requires speakers or headphones).
|
|
|
|
2005 in Review, 2006 Indicators and Warnings
|
iDefense WebCast: 2005 in Review, 2006 Indicators and Warnings |
As 2005 comes to a close, a review of the top threats and trends of the year helps to establish a forward looking view for 2006. This webcast, originally given on January 18, 2006, focuses on exploitation, specifically malicious code incidents, for 2005 and the implications as we look forth into 2006.
Full Webcast Streamed to your Desktop (42 minutes. Please note this is a replay and no interaction is possible. Requires speakers or headphones).
|
|
|
|
Top 10 Spyware Applications
|
iDefense WebCast: Top 10 Spyware Applications |
As most people herald the arrival of 2006 with fanfare, the creators of spyware and adware applications continue inexorably toward the goal of maximizing revenue from their creations. The automatons that they set into motion do not take holiday breaks, preferring instead to lie in wait for the next user gullible enough to download, install and use the malicious software and provide financial benefit to the spyware distributors. Spyware is a perfect example of the growing trend in which questionable entities exploit the Internet for financial gain. The last few years have proven that malicious code, and its cousins adware and spyware, have become the raison d'être for many computer professionals. Additionally, the fine line between the malicious code camp (writing and distributing worms, viruses, Trojan horses and combinations thereof) and that of adware and spyware (writing code that is "questionable" at the least) is blurring, and successful techniques used by one faction are often, and quickly, incorporated into the products of the other. There is even a fast-growing trend of adware and spyware being deployed by means of malicious code droppers and websites - all in the pursuit of easy money.
Full Webcast Streamed to your Desktop (54 minutes. Please note this is a replay and no interaction is possible. Requires speakers or headphones).
Download the Top 10 Spyware Applications Report (accompanying pdf) |
|
|
|
Exploitation Frameworks
|
iDefense WebCast: Exploitation Frameworks |
The iDefense exploitation framework comparison is a comprehensive review of the features included in the CORE IMPACT, Immunity's Canvas and Metasploit exploitation frameworks. Typically, corporations use these frameworks to perform penetration testing on their internal systems. However, hackers also frequently take advantage of the automated test-and-penetrate mechanisms that these frameworks offer. In its report, iDefense compares these frameworks to determine which is the most useful in a corporate setting and which might prove the most significant threat to vulnerable networks.
Full Webcast Streamed to your Desktop (25 minutes. Please note this is a replay and no interaction is possible. Requires speakers or headphones).
Download the slideset for reference (pdf) |
|
|
|
The Rise of Malicious Code on Linux-Based Systems
|
iDefense WebCast: The Rise of Malicious Code on Linux-Based Systems |
The Linux operating system has not historically been a popular target for malicious code writers. Recently, Linux-based systems have increased dramatically in popularity, which has resulted in a very high prevalence on Internet-facing systems. This increase in numbers, coupled with a large number of vulnerabilities in both the base OS and the third-party software, makes Linux a very good candidate for present and future exploitation by malicious code. In this presentation, iDefense security experts discuss the current issues associated with the Linux OS and how they can be exploited by Internet-based malicious code threats.
Full Webcast Streamed to your Desktop (28 minutes. Please note this is a replay and no interaction is possible. Requires speakers or headphones).
Download the Accompanying Slide Presentation |
|
|
|
Targeted Malicious Code Attacks
|
iDefense WebCast: Malicious Code Attacks |
Recent news stories about a report from the UK National Infrastructure Security Coordination Centre (NISCC), followed by a similar but separate CERT advisory, have generated much concern about targeted attacks, including their likelihood and potential impact. This report overviews targeted attacks, select examples to date, exploits and code utilized in targeted attacks, likelihood and impact, and mitigation measures.
Full Webcast Streamed to your Desktop (27 minutes. Please note this is a replay and no interaction is possible. Requires speakers or headphones).
Download the Targeted Malicious Code Attacks Report
Download the Accompanying Slide Presentation |
|
|
|
Internet Security Intelligence Briefing
These briefings report current trends in Internet growth and usage as well as security events and online fraud. |
ISIB Report - March 2006 |
VeriSign® Security Services presents this report with data and trend analysis on Internet security events and online identity fraud. This briefing includes data and intelligence drawn from a variety of VeriSign intelligent infrastructure services, including digital certificates (SSL and PKI), and Managed Security Services (MSS).
This briefing presents data and trends covering:
- Identity 2.0
- 2006 Threat Landscape
- Statistics on Worldwide Internet Security Events.
Download the March 2006 Internet Security Intelligence briefing Report
|
|
|
|
ISIB Report - November 2005 |
The VeriSign® Internet Security Intelligence Briefing reports current trends in Internet growth and usage as well as security events and online fraud. This briefing includes data and intelligence drawn from a variety of VeriSign intelligent infrastructure services, including Domain Name System (DNS) services, digital certificates (SSL and PKI), Managed Security Services (MSS), Payment Services, and Fraud Protection Services*. This briefing covers data gathered from April through September 2005.
This briefing presents data and trends covering:
- The Frontiers of Internet Security
- Top Adware/Spyware Exploits and Related Vulnerabilities
- Internet commerce
- Mobile Communications
- Emerging Threats and Vulnerabilities
- Worldwide Internet Usage
*These services are described in detail on the last page of this briefing.
Download the November 2005 Internet Security Intelligence briefing Report
|
|
|
|
ISIB Report - June 2005 |
Internet domain growth continues unabated in Q1 '05. Phishing and pharming attacks get ever more sophisticated - DNS cache poisoning and software vulnerability exploitation are replacing attacks relying on gullibility. Find out how serious this could be for your organisation.
Download the June 2005 Internet Security Intelligence briefing Report
|
|
|
|
ISIB Report - February 2005 |
It includes data and intelligence drawn from VeriSign Intelligent Infrastructure Services and covers data gathered from October 2004 to January 2005. In particular it looks at data and trends covering:
- Internet commerce during the 2004 holiday season
- Phishing attacks
- Emerging threats and vulnerabilities
- Worldwide Internet usage
Download the February 2005 Internet Security Intelligence briefing Report
|
|
|
|
Weekly Threat Reports
These reports detail current newsworthy threats. |
Weekly Threat Report August 01 2005 |
The Cisco IOS Incident at Black Hat
The Cisco Internetwork Operating System (IOS) issue presented at Black Hat by security researcher Michael Lynn in Las Vegas on July 27 dominated the news this past week.
The Scots Hacker
The case of the so-called "Scots Hacker" has been adjourned until October 18, 2005. Gary McKinnon (aka "Solo") was on trial in London for allegedly hacking into numerous US government networks in 2001.
Download the Internet Security Intelligence briefing Report
|
|
|
|
Global Governance: The View from the 2005 World Economic Forum in Davos
Michael Useem reports from Davos |
Global Governance
The establishment of good governance is crucial for companies as well as countries, and it must become a major priority. Recognizing this reality, CEOs and political leaders at the World Economic Forum held last month in Davos paid considerable attention to this issue. Michael Useem, director of Wharton's Center for Leadership and Change Management, who moderated a workshop on the subject at the Forum, provides an inside view of the discussion. (Reproduced here by kind permission of Wharton Business School, www.knowledge.wharton.upenn.edu)
Download the 2005 WEF Report
|
|
|
|
The Corporate Ethics Boom: Significant, or Just for Show?
Professor Thomas Donaldson looks at Corporate Ethics. |
Corporate Ethics Boom |
In an article written four years ago, in Nov 2000, in the Financial Times' Mastering Management series, Wharton legal studies professor Thomas Donaldson looked at the increase in corporate ethics programs throughout the world. It is, in our view, a remarkably prescient article given the importance that is attached to compliance issues today. It discusses issues that businesses and organisations everywhere now face and how to address them.
Download the Corporate Ethics Report
|
|
|
|
Corporate Compliance and Internet Security
This concise and incisive report provides you with the latest analysis of the threats and trends challenging your organization. |
Corporate Compliance and Internet Security |
An executive summary of current issues for Boards and Senior Management in major corporations. This concise and incisive report provides you with the latest analysis of the threats and trends challenging your organization. It provides you with the information you need to know to establish what steps you next need to take.
Download the Corporate Compliance and Internet Security Report
|
|
|
This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.
|