Showing posts with label identity theft. Show all posts

Wednesday, January 14, 2009

Blog: NIST Draft Publication Offers Guidelines for Safeguarding Personal Data

NIST Draft Publication Offers Guidelines for Safeguarding Personal Data

SANS NewsBites Vol. 11 Num. 4; 1/16/2009 (January 14, 2009)

The National Institute of Standards and Technology (NIST) has released a draft of Special Publication 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information," to help government agencies decide how to best protect the information they retain. NIST makes several recommendations, including identifying and categorizing all personally identifiable information (PII) that the organization retains; limiting data retention to only what is necessary; applying a risk-based approach to data protection; and creating and implementing an incident response plan for breaches of PII. NIST is accepting public comment on the draft document through March 13, 2009.

http://gcn.com/Articles/2009/01/14/NIST-on-securing-personal-data.aspx?Page=2

http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf

[Editor's Note (Northcutt): I am a big fan of NIST and if you can take a few minutes to read the draft and comment, broad input helps make the final work better. I think the title is wrong, however; there is less "protection" explained than "identification." They have a nice section on incident response for privacy incidents (section 5). There is a line in that section that government folks need to be aware of: PII incidents should be reported to US CERT within an hour. They also mention the OECD guidelines in Appendix D. To this day, the OECD guidelines seem to be the clearest, most well-thought-out guidance on privacy I have seen.]

Monday, November 17, 2008

Blog: Burned Once, Intel Prepares New Chip Fortified by Constant Tests (formal methods)

Burned Once, Intel Prepares New Chip Fortified by Constant Tests
The New York Times (11/17/08) P. B3; Markoff, John

Despite rigorous stress testing on dozens of computers, Intel's John Barton is still nervous about the upcoming release of Intel's new Core i7 microprocessor. Even after months of testing, Barton knows that it is impossible to predict exactly how the chip will function once it is installed in thousands of computers running tens of thousands of programs. The new chip, which has 731 million transistors, was designed for use in desktop computers, but the company hopes that it will eventually be used in everything from powerful servers to laptops. The design and testing of an advanced microprocessor is one of the most complex endeavors humans have undertaken. Intel now spends $500 million annually to test its chips before selling them. However, it still is impossible to test more than a fraction of the total number of "states" that the new Core i7 chip can be programmed in. "Now we are hitting systemic complexity," says Synopsys CEO Aart de Geus. "Things that came from different angles that used to be independent have become interdependent." In an effort to produce error-free chips, Intel in the 1990s turned to a group of mathematical theoreticians in the computer science field who had developed advanced techniques for evaluating hardware and software, known as formal methods. In another effort to minimize chip errors, the Core i7 also contains software that can be changed after the microprocessors are shipped, giving Intel the ability to correct flaws after the product's release.


Tuesday, October 23, 2007

Security: Identity Theft: Costs More, Tech Less; average loss - $30K+

Identity Theft: Costs More, Tech Less
Network Computing (10/23/07) Claburn, Thomas

A study by Utica College's Center for Identity Management and Information Protection (CIMIP) revealed that the median actual dollar loss for victims of identity theft is $31,356, a much higher figure than suggested by past studies. However, earlier studies primarily concentrated on consumer losses, whereas Utica's study reviewed 517 cases investigated by the U.S. Secret Service, which tend to be major incidents, not minor scams. Indeed, the CIMIP study is the first to review the Secret Service's closed case files, and as such aims to provide empirical data. The report proved that companies as well as individuals are affected by identity theft. The study also discovered that the Internet is not always an essential tool for identity thieves. Of the 517 cases reviewed, 102 cases involved Internet use and 106 involved non-technological means, such as mail rerouting. In other instances, criminals used mail theft to access sensitive information and then used Internet-related tools to create fake documents. Another unanticipated finding was that in the 274 cases with identifiable points of compromise, businesses were the starting point for half of the breaches. Moreover, one-third of the identity theft cases reviewed implicated insiders. Finally, the study's results challenged the belief that most identity thieves are white males, as roughly 50 percent of the offenders were black and roughly 40 percent were white. CIMIP works with corporate, government, and academic institutions to research identity management, information sharing, and data protection, including the Carnegie Mellon University Software Engineering Institute, Indiana University's Center for Applied Cybersecurity Research, and Syracuse University's CASE Center.

