Welcome to the Monday Morning News Kick Off post from the ITAC blog. As our dedicated readers know, today officially kicks off RSA 2011. And after about four weeks of running our “Countdown to RSA” podcast series, we are very excited that the most significant event in cybersecurity is finally happening. So, we have dedicated this week’s Monday post to all RSA 2011 news happening. Think of the ITAC blog as your “one-stop destination” for all things RSA.

RSA Conference 2011 Opens Today in San Francisco
Information security professionals and business leaders from around the world convened today for the opening of the annual RSA Conference being held at San Francisco’s Moscone Center. Taking place February 14-18, RSA Conference 2011 proudly brings together the information security industry’s best and brightest, providing unparalleled educational opportunities and insight into the most important issues. Through interactions with peers, industry luminaries and emerging and established companies, RSA Conference is the place for security experts to gather for a discussion on current and emerging threats. Read the full RSA press release here.

Deputy Secretary of Defense William Lynn to Speak at Pentagon RSA Conference 2011
RSA Conference, an information security conferences and expositions, has announced that Deputy Secretary of Defense William J. Lynn III will present the keynote “Defending a New Domain: The Pentagon’s Cyber Strategy” on Feb. 15 at RSA Conference 2011 in San Francisco, CA. The RSA Conference noted that Deputy Secretary Lynn’s address will close the keynote sessions, following an exciting series of presentations that include Art Coviello, President, RSA, The Security Division of EMC, and Executive VP, EMC Corp.; Enrique Salem, President & CEO Symantec Corp.; and, the annual Cryptographers’ panel featuring leaders in cryptography including Ronald Rivest, Viterbi Professor of Electrical Engineering and Computer Science, MIT, and Adi Shamir, Professor, Computer Science Department, Weizmann Institute of Science, Israel. Read the full press release here.

Unresolved Security Issues On RSA 2011 Agenda
This year’s RSA security conference suggests that IT vendors are still struggling to find solutions to problems that were highlighted in RSA 2010. The RSA 2011 conference, which is taking place this week in San Francisco, brings together enterprise IT experts and software vendors on a single platform to discuss the latest problems plaguing the industry and their possible solutions. However, according to V3, the schedule for RSA 2011 has striking similarities to last year’s conference, indicating that most of the problems voiced during RSA 2010 remain unsolved. Cloud computing was one of the main focus points for RSA 2010. Enterprises are still hesitant about hosting their sensitive company data along with private customer information on servers that are usually located outside the country they are operating in. Read the full IT Portal post here.

A Personal Preview of RSA
For those interested in government IT security, there’s no shortage of fare on the menu at RSA 2011, the information security conference being held in San Francisco this week. Personally, the highlight of the conference will be on Thursday, when GovInfoSecurity.com unveils the findings from the premiere Government Information Security Today survey, our poll of those in local, state and federal governments charged with safeguarding IT. I’ll be joined by David Matthews, deputy chief information security officer for the city of Seattle, who will add his interpretation to the results. I’m pleased that David’s joining me in this presentation because part of our survey addresses secure cloud computing, and he’s a recognized expert in the use of cloud computing in government. Read Eric Chabrow’s full GovInfoSecurity post here.

RSA 2011 Shows Familiar Problems Elude Solutions
This week the security world descends on San Francisco for the annual RSA conference. Arguably the biggest show of the year for enterprise IT, the conference brings vendors from all over the world to discuss the latest developments in the security space and the best methods for dealing with emerging threats and new challenges. In theory, the topics at RSA are always evolving. New challenges are met and every year new breakthroughs are made to deal with the problems of the previous year. Issues are addressed and new challenges arise in their place. This year, however, the rhetoric at RSA may sound awfully familiar. Read the full V3 post here.

RSA Conference Adds Focus on Cloud Computing Security
The buzzword for this year’s RSA Conference—cloud. The conference, which will run from Feb. 14 to Feb. 18 at the Moscone Center in San Francisco, has an entire track focused on cloud security. It is one of 17 class tracks available at this year’s conference, which typically draws a large crowd of vendors, researchers and security pros to the city. “Security is a rapidly evolving industry, and we’ve made some substantive changes to the tracks this year to help attendees get to the information they need,” said Hugh Thompson, RSA Conference program committee chair and advisory board member. “Cloud Security is a new track, and here you’ll find some of the best practitioners in the industry sharing information about operational cloud security, and how to manage identity, privacy and data security in the cloud.” Read the full eWeek article here.

In December of that year the bank sued Hillary. That’s definitely a huh? moment.

The bank sought a judicial declaratory judgment that its security procedures were commercially reasonable and that it had not breached its obligations. In essence, Hillary had demanded that the bank cover the lost funds, claiming that the bank’s security was not commercially reasonable, and the bank preemptively sued to get a judicial authority to rule that its procedures were reasonable, thereby forestalling any legal action by Hillary.

On February 16, there will be a session at the RSA Conference titled Whose Fault Is It That I Didn’t Know It Wasn’t you. This will be a mock hearing on a claim that bad authentication practices led to an unauthorized transfer of deposited funds. A follow-on panel will discuss associated topics, including processes that could be put in place to mitigate these attacks.

This mock hearing will be heard by the Honorable John Facciola, Magistrate Judge in the U.S. District Court for the District of Columbia. Two practicing attorneys, Joseph Burton, of Duane Morris and Steven Teppler of Edelson McGuire, will represent the parties. Jim Woodhill of Authentify and I, Hoyt Kesterson of Terra Verde Services, will play the roles of testifying experts. The Honorable Andrew Peck, Magistrate Judge in the U.S. District Court for the Southern District of New York, will act at the Greek Chorus, narrating the background and introducing the players.

The RSA 2011 Conference Website describes this session as a panel. It is not. It is a one-act play in which the attorneys will examine and cross examine the experts on the facts of the hypothetical—a hypothetical in which Forty-Second Fifth bank has transferred the funds of Clacks Incorporated to some bad guys. The attorneys will then make their arguments to the judge. If Magistrate Judge Facciola holds to the routine he has established in the mock hearings conducted at previous RSA conferences, he will ask the audience to act as his law clerks and volunteer their opinions on how he might rule in the case. He will then rule, giving his reasons for his decision. Then he and the other actors in our little play will answer questions from the audience.

This is the latest in a series of mock sessions that are part of the set of sessions in the Law and Policy track developed by the Electronic Discovery and Digital Evidence and the Information Security Committees of the American Bar Association’s Section of Science & Technology Law in partnership with the RSA Conference. Attorneys attending these sessions will earn Continuing Legal Education credits.

In previous conferences we held a mock hearing arguing the validity of a digital signature on a will, a mock spoliation hearing on missing ESI (electronically stored information), and a mock FRCP 26(f) meet & confer in which the plaintiff’s request for a database extraction to produce the identities of people who were taking a specific medicine was viewed by the defendant as a request for a production that could put the defendant in violation of HIPAA. The latter two mock sessions are being reprised at the Second ABA E-Discovery and Digital Evidence Practitioners’ Workshop. This workshop is being held immediately after the RSA Conference and many of the participants in the RSA sessions will be part of the faculty.

If any of you reading this post attend the conference, be sure to come up and say hello. For those of you who cannot be there, after the conference I will post a description of the outcome of the mock session, hopefully with comments from some of the other members of our merry band.

Check out an RSA podcast here with more information on this panel.

About the Author:
Hoyt L Kesterson II is a consultant with Terra Verde Services in Arizona. He has more than 40 years of experience in information security and related technologies. For 21 years he chaired the international standards group that created the X.509 certificate, a fundamental component in digital signature and securing web transactions, He is the vice-chair of the ABA’s eDiscovery and Digital Evidence Committee. A testifying expert, he has given many CLE-accredited talks to lawyers and to technologists. He is an acknowledged contributor to a book on e-discovery and a book on digital data and the rules of evidence, both published by the ABA.

In the classic fable Henny Penny, Chicken Little (a hare actually) is disturbed by falling fruit that he believes is the sky is falling, and that the earth is essentially coming to an end. This irrational hysteria whips all the other animals in the forest into raging stampede. Thankfully, a lion halts them, investigates the cause of the panic and restores calm. The ultimate point of this fable is to teach the necessity for deductive reasoning and subsequent investigation.

On the topic of cyberwars and cyber security, do we have too many Chicken Littles running around scaring up irrational fear? is a cyberwar eminent? According to a study released yesterday by the Organization for Economic Cooperation and Development, there are great exaggerations happening and a cyber attack would not create problems like global pandemics or financial crises.

So, who are these Chicken Little’s scaring up fear among government leaders, members of industry and even consumers? According to the NY Times, it’s books like “Cyber War: The Next Threat to National Security and What to Do About It” by Richard A. Clarke, the former U.S. counterterrorism chief, and Robert K. Knake of the Council on Foreign Relations that are doing the bidding:

This particular book describe a digital “Day After” in which large parts of the U.S. transportation, energy and communications systems have been wiped out by Internet-borne attackers, leaving the authorities struggling to maintain control and consumers scrambling for food.

Scrambling for food?  That does sound s bit extreme and it’s good that the Organization for Economic Cooperation and Development is injecting a dose of reality and rationality into our collective psyche. Does this mean though that we should be resting on our laurels and not worry about cyber warfare?   Our gut is telling us “no.”  And, thankfully the government is stepping up its cybersecurity efforts with the groundbreaking of a new cyber security center for the NSA.  The NSA is also enhancing its war for talent by developing a recruiting app.

So, yes, good to know that a cyber “Day After” will not happen.  However, we are not Switzerland and the U.S. will continue to be a target by nefarious hackers.  No cyber war happening, but there are plenty battles happening in the field these days.

Welcome all thoughts and feedback!

Protect Yourself From Identity Theft on Cyber Monday
Now that the holiday shopping season is in full swing the malls, internet, and other shopping centers are packed with shoppers. While the holiday shopping season may be busy for you, it can be even busier for identity thieves. Whether you are shopping at brick-and-mortar stores or doing your holiday shopping online, it is important that shoppers take measures to ensure their identity is protected. Read the full All News Wire post here.

London 2012 Olympics: Ticket Sites for the Games Vulnerable to Cyber Attack
The London 2012 Olympic-related websites for ticketing, timing, results and television broadcasting are more vulnerable to cyber-attack than established websites because of their temporary status, it has been claimed. The warning by the International Olympic Committee’s security adviser comes before eight million Olympic Games tickets worth £500 million go on sale to the public next February and March with applicants expected to lodge their ticket preferences online. Read the full Telegraph UK article here.

DHS Cybersecurity Center Promotes Information Sharing
The Department of Homeland Security (DHS) has launched a new cybersecurity center aimed at communicating more efficiently with state and local governments about potential cybersecurity threats to critical U.S. infrastructure. The Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Operations Center is a 24-hour watch and warning facility aimed at giving government officials at the state and local levels better situational awareness about cybersecurity incidents, according to the DHS. Read the full InformationWeek article here.

Bill Could Give Homeland Security Power Over Tech Giants
Some members of Congress, concerned about shoddy cybersecurity at government and critical technology websites, are proposing that the Department of Homeland Security should have the power to force private networks to secure themselves more effectively. But several cybersecurity experts say a broadly worded bill that has been referred to the House Committee on Homeland Security could impact many ordinary tech firms that merely play a role in infrastructure. If the bill becomes law, even firms like Apple, Microsoft and Google could come under DHS’s thumb, says Michael Gregg, chief operating officer of the cybersecurity firm Superior Solutions. Read the full Fox News post here.

Arming Cyber Warriors to Fight and Win Global Cyber War
Despite military superpower status, the United States is more vulnerable to cyber attack than any other country today with key financial, communications, and military operations networked via infrastructures riddled with vulnerabilities. Compounding this problem is a growing cyber warrior crisis. U.S. forces are badly outnumbered by those with the means and motivation to inflict massive damage on our vulnerable infrastructures. While we in the United States study the problem, rival nations and criminal organizations invest heavily in cultivating their cyber warriors, recruiting thousands of computer-savvy soldiers tasked with developing new, more advanced techniques and attacks. Read the full CivSource column here.

Welcome to the Monday Morning News Kick Off post from the ITAC blog. We are huge fans of the NY Times Sunday magazine and we were pleasantly surprised to see that they did a cover story on notorious hacker Albert Gonzalez. Although the first thing we noted was that Rolling Stone Magazine already did this story - about five months ago. Anyhow, we can’t fault the NY Times for being slow to the punch. They did get an interview with Gonzalez for this piece. Be sure to check out this story and much more in today’s post. Happy Monday.

The Great Cyberheist – Profile of Albert Gonzalez
One night in July 2003, a little before midnight, a plainclothes N.Y.P.D. detective, investigating a series of car thefts in upper Manhattan, followed a suspicious-looking young man with long, stringy hair and a nose ring into the A.T.M. lobby of a bank. Pretending to use one of the machines, the detective watched as the man pulled a debit card from his pocket and withdrew hundreds of dollars in cash. Then he pulled out another card and did the same thing. Then another, and another. The guy wasn’t stealing cars, but the detective figured he was stealing something. Read the full NY Times Sunday Magazine (cover story) profile of Albert Gonzalez here.

State Using Facial Recognition Technology to Prevent Identity Theft
Face by face, the state is going high tech to stop identity thieves every day. The Department of Licensing is using facial recognition scans to compare your drivers license picture to other pictures in the DOL database. The goal is to make sure every picture only matches up to one name. So far, the system is flagging more than 10 photos each day. “It’s really math-based,” said Tony Sermonti, DOL spokesman. “So it’s not really comparing my face to yours. What’s it is doing is comparing how far apart my ears are compared to yours. So its really a helpful tool.” Read the full KOMO News post here.

Identity Theft Ring Breaches Holy Cross Hospital
An identity theft ring managed to breach emergency room files at Holy Cross Hospital to steal Social Security numbers and personal details of about 1,500 patients, officials said last Wednesday. Emergency room employee Natashi Orr was among four people arrested as part of an investigation that began before June, U.S. postal inspectors and prosecutors said. After federal agents uncovered the scheme, hospital technicians spent months tracking Orr’s computer activity but cannot be sure which 1,500 patients she compromised while working there from April 2009 to September. That’s when she was fired. Read the full TMCNet article here.

Verizon Intros Cyber Attack Information App
As part of its continuing focus on collecting information on data breaches and thefts, Verizon Business has released VERIS Community application, a new application that enables security professionals to enter anonymous information about an incident and receive a detailed report in return. The application is based on the company’s Verizon Enterprise Risk and Incident Sharing Framework, which it uses to gather and assess information on the data breach incidents that Verizon Business investigates for its customers. That data also serves as the basis for the company’s comprehensive Data Breach Incident Report, an in-depth look at the trends and conclusions that can be drawn from the data. The new application builds on the methodology that the company has used in its investigations and DBIR releases to give security staffs at companies of all sizes a chance to enter as much data as they want about a specific incident and immediately see how the attack methods, tools and outcomes compare to other incidents. Read the full Threat Post article here.

Air Force Vice Commander on Cybersecurity: ‘We are Under Attack Every Day’
The cyber threat is real, said Vice Commander of the Air Force Space Command Maj. Gen. Michael J. Basla. And the military services, aided by new cybersecurity training programs, must be ready to defend the United States on the digital battlefield. Basla, who operates out of Peterson Air Force Base in Colorado spoke at a “DOD Live” bloggers’ roundtable Nov. 8. Read the full ExecutiveGov post here.

NY Congresswoman: 100 Percent Chance of Cyber Attack against Power Grid
A New York congresswoman says the possibility of cyber attack against the nation’s power grid is 100 percent, and that such an attack would likely do untold harm. Speaking before the SC World Congress Data Security Conference, Rep. Yvette Clark (D-N.Y.), who chairs the Emerging Threats, Cybersecurity, Science, and Technology Subcommittee, said the United States faces chilling odds of an electrical-grid attack. Read the full ExecutiveGov post here.

We have all gotten used to receiving the scam emails trying to bilk us out of money. Many of these faux emails are from relatives in dire need of money, but they are so poorly written, we know they are fake. Well, we came across a story of a woman who was the target of a cybercrime that went a bit deeper that the usual fake email scam.

Julie Burkhart-Haid of Hudson, NY, knew immediately that something was wrong when on the morning of Oct. 1 friends from all over the nation started to call her with concern. According to the Hudson Star Observer, a number of Julie’s friend had received a long e-mail message for her detailing the fact that they had taken an unexpected trip to Wales and had been robbed at gunpoint. The email from Julie also said that she was injured and nearly raped in front of her son (also identified) and Joseph was seriously injured and still being treated. It went on to say while they still had their passports, they needed $1,800 dollars to pay the hotel bill and buy return tickets.

While this type of cybercrime is not all that new, it does go a bit deeper. Cyber criminals can easily find out the names of our children, spouses and siblings via Facebook and the social networks. So, really, all it takes is someone hacking into a Hotmail or Yahoo! Mail account, drafting up a well-written/convincing email, then you are off to the races.

We all have gotten anesthetized to the poorly written emails that we receive from hackers. But now, they are taking it to the next level. And what does this mean? We need to be smart and vigilant. Don’t fall for this one.

Welcome to the Monday Morning News Kick Off post from the ITAC blog. With National Cybersecurity Awareness Month now in full swing, there seems to be no limit to the amount of cybersecurity-related news that’s happening right now. From the GAO report on the lack of progress on the cybersecurity front by the Obama Administration to NATO and its struggle with cybersecurity, cyber issues are everywhere. And, this us a good thing. We need to continually shine a light on this issue until we come up — as a nation and as members of private industry — with long-lasting solutions.

New Cyber-Security PSA Wants You to ‘Stop. Think. Connect.’
“Stop. Think. Connect.” That’s the unifying message for this year’s Cyber Security Awareness Month, and the slogan for a new public education campaign. Said campaign is being spearheaded by the National Cyber Security Alliance, the Anti-Phishing Working Group (APWG), countless government agencies (including the Department of Homeland Security), and companies such as Microsoft, Google, PayPal and Facebook. It’s a first-of-its-kind campaign in the U.S., a result of widespread fears that the country’s digital infrastructure could one day face a serious cyber-attack, and that computer users comprise the Web’s weakest link. Read the full Switched post here.

Special Report: The Pentagon’s New Cyber Warriors
Guarding water wells and granaries from enemy raids is as old as war itself. In the Middle Ages, vital resources were hoarded behind castle walls, protected by moats, drawbridges and knights with double-edged swords. Today, U.S. national security planners are proposing that the 21st century’s critical infrastructure — power grids, communications, water utilities, financial networks — be similarly shielded from cyber marauders and other foes. The ramparts would be virtual, their perimeters policed by the Pentagon and backed by digital weapons capable of circling the globe in milliseconds to knock out targets. Check out the full Reuters story here.

GAO: Little Progress on Cybersecurity
Most of the 24 recommendations outlined in President Obama’s 2009 cyber policy review report have not been implemented, according to a Government Accountability Office report. Officials charged with carrying out cybersecurity efforts told GAO they have not received specific roles and responsibilities. They also said that some recommendations are too broad and could take several years to implement. Only two recommendations have been fully implemented: the appointment of Howard Schmidt as White House cybersecurity coordinator in December 2009, seven months after the report, and the appointment of White House privacy and civil liberty official, Tim Edgar, also in late 2009. The report found that 16 of the 22 partially implemented recommendations do not have milestones or plans for implementation. Read the full Federal Times article here.

Cybersecurity is a ‘Constant Struggle,’ NATO Commander Says
NATO Supreme Allied Commander for Europe Adm. James Stavridis says governments the world over are battling cybersecurity issues. “Governments are struggling with [cybersecurity] individually,” he said. “Within their borders, within their cyberspace, they’re attempting to find the balance between availability of information and control of information.” Stavridis also said nations around the world “face a constant struggle to understand the interchanging world of cybersecurity,” because of the Internet’s massive size and number of users from across the globe. Read the full ExecutiveGov post here.

FBI Thwarts Data Breach at Akamai Technologies
Elliot Doxer, who worked in the Akamai finance department, was arrested and charged with secretly providing confidential business information over an 18-month period to an undercover FBI agent he thought worked for a foreign government, according to a release from the US Attorney’s Office for the District of Massachusetts. Doxer is charged with one count of wire fraud for providing Akamai customer lists, contract details, and employee information. He also is charged with describing Akamai’s physical and computer security systems and offering to travel to the foreign country and to support special and sensitive operations in his local area, if needed. In 2006, Doxer contacted the undisclosed foreign country’s consulate in Boston to offer confidential Akamai information. The likely country of contact was Israel because Doxer identified himself in court papers as a Jewish-American who wanted to help “our homeland and our war against our enemies”. He also asked for $3000 because of the risks he was taking. Read the full InfoSecurity article here.

A Data Breach Doesn’t Have to be a Death Sentence for Business
In today’s high-tech era, data breaches have become increasingly more common, and increasingly costly, with the average breach costing more than $200 per compromised record, according to estimates by the Ponemon Institute. These estimates do not take into account the increasing possibility that a company that experiences a breach could become a target of an investigation by law enforcement, including state attorneys general, incurring additional costs and harm to the company’s reputation that can accompany such investigation. Attorneys general have become increasingly aggressive in enforcing their states’ data breach notification and data privacy laws, and they are using those laws to justify investigations into how those data breaches occurred. The attorneys general in D.C., Maryland and Virginia are no exception, and they have acted both independently, and with their brethren in other states, to punish businesses they believe have been lax in data security matters. Read the full Washington Business Journal article here.

National Guard Leak Highlights ID Theft Concerns
While the Mississippi National Guard is trying find out how personnel records of more than 2,600 members of the 155th Brigade Combat Team were accidentally posted online, it’s uncertain if any of the information was actually compromised. Still, that kind of situation shows some form of potential identity theft can happen to anyone at any time. In fact, it’s considered the fastest growing crime in America. Many, though, don’t know how to defend themselves. Read the full WTVA.com post here.

Greg Link of Franklin Covey made the case that leadership today isn’t about expertise. It’s about establishing trust – with your customers, your employees and partners. Without trust, you can cooperate and coordinate, but you can’t collaborate in the way that spurs innovation. He made a compelling statistical case that the lack of trust has a direct negative impact on productivity and profit.

Financial services companies are among the least trusted companies, with insurance companies and the media at rock bottom, according to the Edelman Trust Barometer. That same barometer found that stock performance once increased corporate trust. Now it’s transparency and quality of product.

Finally, hats off to Jim Van Dyke at Javelin Strategy & Research who made the case we have on these pages – there are signs consumers may be willing to work as partners with their financial services company to secure their data. We’re going to need their collaboration to keep them safe.

Trust me.

Following is an exclusive podcast with Craig Speizle, Executive Director and Founder of Online Trust Alliance who discusses this event and other cybersecurity trends.