Showing posts with label Security. Show all posts

Friday, May 15, 2015

Mexico lags behind in data security

"Compared with countries like the United States, Mexico is almost 5 years behind in the culture of protecting information and personal data," said Juan Carlos Carrillo, Oracle's Security representative in the country.
"In Mexico, most companies consider investments in the Information Technology (IT) area a drain on their budgets that brings no benefits," Carrillo commented.
The Oracle representative added: "The only variable that drives companies to invest in security technology is a regulatory compliance issue, such as that demanded by bodies like the Instituto Federal de Acceso a la Información y Protección de Datos, which implemented legislation obliging companies to protect their customers' personal data."
According to reports from the Instituto Nacional de Estadística y Geografía (INEGI), in 2014 Mexico had 5.6 million companies; of these, those in the financial sector (a minority in percentage terms) are the only ones that satisfactorily comply with security regulations.
"It is very difficult to find a well-built information security project outside that sector. Most companies act only when they realize their information has been stolen. Then they do respond with a heavy investment, but without a long-term plan, so the following year they drop it," Carrillo explained.
He said that even though the Ley de Protección de Datos Personales en Posesión de Particulares has been in force for five years, companies still do not fully comply with it. In this regard, the specialist maintained that it is better to invest preventively in information protection, since several studies show that for each record stolen, companies lose on average 200 dollars.


http://www.eluniversalqueretaro.mx/vida-q/08-05-2015/mexico-rezagado-en-seguridad-de-datos

Monday, April 27, 2015

RSA Conference: We need better cyber hygiene

Tuesday, September 30, 2014

Friday, August 15, 2014

Study: CISO leadership capacity undervalued by most C-level execs

- 61% of executives do not believe their CISO would be successful in a leadership role outside of information security.
- 28% of executives say a decision by their CISO has hurt their business' bottom line.


Speaking to the New York Times, one CISO compared the position to sheep waiting for the slaughter.  

Friday, May 30, 2014


DATA PROTECTION AND SECURITY MEASURES
How to comply with the Responsibility Principle in the Mexican Data Protection field. (PART I)

You can see my latest blog entry in http://www.molet.mx/noticias 


Monday, April 28, 2014

How to create a good password

By now you should already know that "123456" is not a smart password.

If you are still using a weak password and haven't even changed all of your online passwords since the news of the miserable Heartbleed SSL vulnerability came to light, you are the perfect target for hacking.

Failing to create strong online passwords leaves the keys to your banking, credit cards, social networks, email and more (basically your whole life) dangerously within easy reach of hackers.

You could do one of the following:
a)         Do nothing and take the risk (which we strongly recommend against), or
b)        Take the roughly 10 painful minutes of brainwork to build an army of secure passwords and sleep well at night again.

What makes a password secure?
a)         They are long.
a.    We are talking 8 to 15 characters.
b)        They are complex.
a.    Letters, numbers, special symbols (at a minimum).
c)         Change your passwords (come on, do it now!)
a.    Don't sit back and get comfortable. Stay alert. Play a proactive role in protecting your private information online by changing your passwords regularly, ideally as often as you would change your bed sheets, about every six to eight weeks.
b.    If you are really motivated and have the memory of an elephant, change them every week.


For more tips on practicing better, stronger password hygiene, check out the informative, revealing infographic below from http://www.whoishostingthis.com.



Taken from http://m.entrepreneur.com/article/233214
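The three criteria in the post above (8 to 15 characters, letters plus numbers plus symbols, and rotation every six to eight weeks) can be turned into a small policy check that tells a user why a password was rejected. The following is an added example, not code from the original article or from entrepreneur.com; the numeric thresholds are the article's own, while the small list of known-weak passwords and the 56-day rotation window are assumptions chosen for the example.

```python
"""Password-policy checker built from the three criteria in the post above.

Added example, not part of the original article. The length range (8-15)
and the character classes are the article's own; the common-password list
and the rotation window are assumptions for illustration.
"""
import string
from datetime import date, timedelta
from typing import List, Optional

# Constructed sample of known-weak passwords (an assumption; a real
# deployment would check against a full breached-password list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}

MIN_LENGTH = 8        # lower bound quoted by the article
MAX_LENGTH = 15       # upper bound quoted by the article
ROTATION_DAYS = 56    # "every six to eight weeks": eight weeks, an assumption


def check_password(password: str) -> List[str]:
    """Return every policy violation found; an empty list means it passes."""
    problems: List[str] = []

    # Criterion 0: reject passwords everybody already knows.
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")

    # Criterion a): length.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Criterion b): at least one letter, one digit and one symbol.
    classes = {
        "letter": any(c.isalpha() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")

    return problems


def is_rotation_due(last_changed: date, today: Optional[date] = None) -> bool:
    """Criterion c): True once the password is ROTATION_DAYS old or older."""
    today = today or date.today()
    return today - last_changed >= timedelta(days=ROTATION_DAYS)


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for candidate in ["123456", "Tr0ub4dor&3", "correcthorse", "averyverylongpassword1!"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
    print("rotation due:", is_rotation_due(date(2014, 1, 1), date(2014, 3, 1)))
```

Reporting every violation at once, rather than stopping at the first, is the usability detail that matters in practice: a user told only "too short" will add one character and then hit "missing symbol" on the next attempt.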

Tuesday, March 25, 2014

Attorney General Harris Unveils Cybersecurity Guide for California Businesses

The California Attorney General’s Office has announced the release of a new cybersecurity guide designed to help California businesses better protect against and respond to cybersecurity threats.  The guide provides a simple and easy to understand overview of basic security threats and outlines some practical steps for minimizing cyber vulnerabilities, including guidance on how to respond to cyber incidents.
“California is at the center of the digital revolution that is changing the world. Because of work done by companies right here in our home state, we are more connected – and empowered – than ever before” said Attorney General Kamala D. Harris.  “But we are also increasingly vulnerable, a fact underscored by the recent holiday–period data breaches that impacted millions across the country.”
California has long been at the forefront of cybersecurity advocacy and was the first state to pass a law mandating data breach notification.  In 2011, California established the eCrime Unit to prosecute identity theft, data intrusions, and crimes involving the use of technology.  In 2012, California established the Privacy Enforcement and Protection Unit in the Department of Justice, whose mission is to help regulate and enforce laws addressing the collection, retention, disclosure, and destruction of private or sensitive information.  Continuing that tradition, Attorney General Harris, in collaboration with the California Chamber of Commerce and a mobile security company called Lookout, developed the guide titled "Cybersecurity in the Golden State" (the "Guide").
The purpose of the Guide is to specify ways that small and medium-size businesses can reduce cybersecurity risks.  To accommodate individuals who may not be tech-savvy, the Guide uses plain language to describe steps that any business can take to help protect itself, even if it lacks the resources to hire full-time cybersecurity personnel.
Key recommendations include:
  • Assume you’re a target and develop an incident response plan now;
  • Map your data and review where your business stores or shares information with third parties including backup storage and cloud computing;
  • Encrypt the data you need to keep. Strong encryption technology is now commonly available for free, and is generally easy to use;
  • Educate employees about cyber threats, as they are often the first line of defense;
  • Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, and avoiding downloading software from unknown sources;
  • Pick an incident

The issue of cybersecurity is increasingly important, as the recent security breaches at Target and Neiman Marcus help to demonstrate.  According to data cited by the Attorney General's Office, there were more than one billion cyberattacks in the first three months of 2013, a number that is likely to keep growing as hackers become more sophisticated and organized.  While the recommendations contained in the Guide are not legally mandated, they do reflect security best practices that, if followed, have the potential to help mitigate the risk of cybersecurity attacks.
https://oag.ca.gov/cybersecurity 

Wednesday, February 19, 2014

2013 Data Breach Trends

2013 Data Breach at a Glance


  1. There were 2,164 incidents reported through December 31, 2013 exposing 822 million records.
  2. A single hacking incident involving Adobe Systems exposed 
  3. The Business sector accounted for 53.4% of reported incidents, followed by Government (19.3%), Medical (11.5%), Education (8.2%), and Unknown (7.6%). 
  4. The Business sector accounted for 73.9% of the number of records exposed, followed by Unknown at 24.5%. 
  5. 59.8% of reported incidents were the result of Hacking which accounted for 72.0% of exposed records. 
  6. 4.8% of the reported incidents were the result of Web related attacks which accounted 16.9% of exposed records. 
  7. Breaches involving U.S. entities accounted for 48.7% of the incidents and 66.5% of the exposed records. 
  8. 51.1% of the incidents exposed between one and 1000 records. 
  9. Twenty-seven incidents have exposed more than one million records. 
  10. Four 2013 incidents have secured a place on the Top 10 All Time Breach List. 
  11. The number of reported exposed records tops 2.5 billion and the number of reported incidents tracked by Risk Based Security exceeded 11,200.
  12. A review of all reported incidents shows a total of 31.3% of all incidents are attributable to insider activity vs. 2013’s 25.0%.

Thursday, July 30, 2009

Why is Proventia Endpoint security the next best thing?

If you are monitoring your endpoint infrastructure with different monitors for compliance, policy control, data security, administrative control and visibility, and scalability, and you want agility for next-generation solutions and for the deployment and removal of applications, then you want to read further: there is a solution that can give you all of that in just 1 screen.

Let's count the resources you need for Antivirus (at least 42 MB), HIPS (at least 75 MB), DLP (at least 6 MB), Encryption (at least 18 MB), plus whatever technology gets added on in the following weeks, months or years; Proventia ESC can cut that to at least half of this memory utilization.

A lot of clients can get an ROI from the power management piece alone, so you buy a product that helps you with at least 10 things for the cost of only 1; if the math doesn't fail, the remaining 9 products are free!!! Reduce up to $50 per machine per year plus potential utility company rebates, while also going green by saving up to 400 kg of CO2 emissions, which can be applied to carbon trades and offsets.

You can reduce costs in several areas: for example, the number of servers you need to monitor the entire infrastructure; switching AV, with savings in switching, labor, deployment and support costs; patch management, where you can cut costs by reallocating security staff to proactive detection rather than passive patching; and, to finish the examples, support costs, thanks to securely configured desktops and servers.

I have personal experience using BigFix and, to be honest, it was so easy to use and had so much benefit that the cost is so small it's a no-brainer. From a technical standpoint it is as easy as 3 steps: install the ESC Console and Server, export SiteProtector policies from SiteProtector and import them into the ESC console, and push ESC clients to endpoints.

I think IBM made the best approach by selecting BigFix as a partner

You can read the press release at http://www-03.ibm.com/press/us/en/pressrelease/26878.wss

Wednesday, July 29, 2009

Who should the CISO report to?


I was thinking this morning about how the CISO works, and it came to my attention that even though most organizations ask the CISO to report to the CIO, does the CIO know the value of the information? If he does, then the CISO should report to the CFO, but if he doesn't, then we must look at it from the compliance perspective, and then the CISO should report to the Compliance or Audit manager, or maybe the risk manager; or maybe in a few years we are going to see the CISO reporting to the CEO.

At the beginning of the decade, when companies were in the process of establishing or creating organizations to tackle a wide range of computer security pressures, it was widespread practice for the CIO to take on the double role of CIO and CISO.

The need for information risk management in companies, governments, enterprises or family businesses has never been greater and, since September 11 or the financial crisis, never more perceptible. Who is the Chief/Corporate Information Security Officer (CISO)? What is the role of today's information security group? Who bridges the gap between business and technologists? How can the organization be successful in the eBusiness environment?

Over the years it became good practice in organizations to create a new C-level management position: a chief security officer (CSO) who would have responsibility not only for corporate information security but also for physical security. According to a survey released in June 2009 by consulting firm PricewaterhouseCoopers, a majority of organizations now hold a meeting with the security chief (under either the chief security officer or the chief information security officer title); the problem is how often that happens: more than 40% hold this meeting only once a year, another 45% meet either twice or 4 times per year, and only 15% meet on a monthly basis.

Beyond the big-picture difficulty of who the CISO should report to or who controls the security funds, companies must also contend with the more street-level questions of what happens in the event of a specific security breach or incident. When a member of staff is found to be viewing pornography, or downloading sensitive financial information onto a USB device or burning it to a CD against enterprise policy, or when a hacker is found to have infiltrated the network and stolen sensitive client information, what is the chain of command and what are the processes for responding to the incident?

The positional authority of the CISO must grant the power to scrutinize roughly any information at the company from the angle of understanding how effective its protection is. This must include access to audit reports and the capacity to require audits, access to security settings down to the lowest level, access to evidence of various sorts, and access to all the groups within the organization and their ability to understand and report on actions. At the CISO's level this is more often a people feedback mechanism than a technological one.

The time has come for more companies to take information security seriously. Does upper management think the same way?