A “smart grid” refers to the traditional electric power grid updated with modern information technology equipment and knowhow. It is comprised of digitized devices and the industrial facilities in the energy sector that such devices help operate: electrical plants, electrical substations, utility towers, relays, and transformers, nuclear power plants, and oil refineries.

A smart grid pertains to all the facets of the power grid—generation at power plants, distribution and transmission along electrical lines, and delivery and consumption at the customer homes or businesses of a utility. It features intelligent monitoring of the status and amounts of the electricity flowing throughout the grid. A smart grid employs such devices as sensors, programmable logic controllers, field controllers, distributed control systems, emission controls, intelligent electronic devices, and remote terminal units.

For the consumer, a smart grid typically means, rather like with a person’s Internet provider, a two-way digital interaction between the utility and his home and home appliances. Usually this includes smart meters that allow quick and precise measuring and information sharing about the power and electrical supply. This digitized interaction is supposed to allow easy, real-time adjustment of power, heating, and cooling devices, and appliances. It also raises privacy concerns, as smart meters and other tools could provide a utility, or a malicious observer, with access to much more personal and financial data on a consumer.

A smart grid has various purposes: increase the reliability of power supplies, reduce waste of energy, cut costs, enhance consumer choice and flexibility, and permit the merging into the traditional power grid of alternative energy sources. Smart grids can continuously monitor crucial system components and keep track of energy use. They are supposed to diagnose, and to flexibly and precisely respond, to surges in power demand and other grid variables.

Regional and local utilities manage the U.S. electrical grid. The grid’s thousands of miles of transmission lines, substations, and power generation facilities make up three distinct operating networks in the Western and Eastern states, and in Texas.

Due to growing energy and environmental concerns, smart grids have become a subject of growing interest. The financial resources being invested in them are substantial. A year ago, the size of the U.S. smart grid market was about $21 billion. By 2014, it is estimated it will grow to $43 billion. World-wide, the smart grid market in 2009 was $69 billion. By 2014, fueled by large expenditures in East Asia, it should reach about $170 billion. In the U.S., a chunk of the federal stimulus spending in 2009-10, some $3.4 billion, was directed to investment in, and modernization, of smart grids.

The cyber security market for smart grids is also growing fast, about one-third a year. It is thought security-related expenditures on smart grids will reach $4 billion annually by 2013. Major corporate players in this field include General Electric, IBM, Lockheed, and Raytheon in the U.S., and Toshiba and Kyocera overseas.

Cyber security in infrastructure is also a growing concern, because smart grids have many vulnerabilities. Richard A. Clarke, the former federal National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism, has stated that a cyber attack aimed at energy infrastructure “could disable trains all over the country and it could blow up pipelines. It could cause blackouts and damage electrical power grids…It could wipe out and confuse financial records… It could do things like disrupt traffic in urban areas by knocking out control computers. It could…wipe out medical records.”

An obvious vulnerability is the physical infrastructure of electricity grids. The long stretches of overhead transmission lines could make inviting targets for terrorists. In fact, in recent years, terrorists overseas have launched many attacks against the physical infrastructure of power systems. The placement of lines underground would better protect the lines. At the same time, high construction costs render this option impractical. Video surveillance of transmission lines is expected to play a growing role in protecting these valuable assets.

A growing concern is the threat of cyber attacks on smart electrical grids. This is because smart grids by their very nature are susceptible to hacks and malware. In the past, electrical installations were essentially stand-alone operations separated from the outside world. Today, they are increasingly being hooked up to, and operated by, IT devices connected to the World Wide Web.

The connection to the Internet makes them susceptible to many of the same malicious attacks that regularly occur against computer networks outside the electrical and energy sectors. One example of vulnerability is the intelligent electronic ddevices that control the circuit breakers in many electrical networks. A hacker could target the sensor and equipment data that such devices receive from computer networks.

A wide range of IT systems and applications in smart grids cries out for better security. Many energy facilities operate old-school mainframe computers running “tried and true” COBOL code that date from before the Internet. When such systems were built, cyber security was not an issue, and was not incorporated into their design architecture. Therefore security features developed with the Internet in mind have not been incorporated into many of these systems.

Modern IT applications in smart grids are often full of security defects. Web apps, such as online billings applications aimed at providing utility customers more convenience and flexibility, may provide hackers with the account and credit card information of the same clients. Remotely hosted services and applications provided by power and utility companies pose similar risks. The IT departments of such organizations may have insufficient knowledge sets and trained personnel, compared to the IT departments of organizations long accustomed to the Internet, for properly configuring and maintaining the security of server and client-side databases and software.

Modern applications, and smart grids, thrive on vastly greater amounts of data, which poses its own risks. Smart grids employ devices called “synchrophasors,” which measure and stream voltage and other data many times faster than previous devices.  And such data is now “visible” over the Internet. “We’re collecting more data at more parts of the grid, in real time. It becomes more complicated to secure,” noted a NIST security consultant. “If I’m able to see that stream and understand what’s going on,” remarked the consultant, “then I’m able to remotely monitor how my attack is performing… and see in real time how the attack is working, then optimize it.”

Another new device that poses potential risks is a recloser. A recloser is an electrical device, placed in substations or atop electrical poles, that permits the flow of electricity. Facilities are outfitting reclosers with Bluetooth to allow maintenance personnel to manipulate the reclosers from afar. But because security has not been designed into recloser architectures, attackers could use Bluetooth to access and illicitly manipulate the devices.

The two-way digital communications that technologically advanced grids provide between energy suppliers and consumers are other reasons for concern.  A hacker with a basic knowledge of electronics and a few hundred dollars in hardware could interfere with, and get control over, the smart meters that are essential to managing the two-way interaction. By gaining control over the devices of a large number of consumers, a malicious attack could alter the load balance of a power grid, or shut down power to a large number of users.

The sharp expansion in the installation and use of smart meters underlines this worry. In 2009-2010, the number of smart meters in the U.S. is projected to rise from 14 million to 23 million. In California alone, from 2009 to 2012, the number of smart meters is estimated to rise from about 3 million to close to 10 million.

Theoretical concerns have become practical realities, as a number of exploits involving smart grids and power complexes have taken place. Although gaining relatively little publicity, cyber attacks have already occurred across the world: on sewage treatment plants, natural gas and petroleum pipelines, nuclear power plants, hydroelectric power facilities, and electricity transmission infrastructure.

In 2009, the Wall Street Journal reported that cyber spies from China, Russia, and other nations had used the Internet to map electrical grids in the United States. Moreover, they had left behind software apps on the grids that could be activated later to disrupt parts of the electrical infrastructure. In 2008, the CIA reported, hackers disrupted the power systems of multiple cities in several, unidentified foreign countries.

A notorious attack occurred in Maroochy, Australia in 2000. Using pilfered radio gear, a disgruntled former employee of a water treatment plant wirelessly hacked into the plant’s supervisory control and data acquisition (SCADA) system. Issuing multiple radio commands, the hacker triggered the release of 800,000 liters of untreated sewage into local rivers and parks.

In 2009, in a simulated attack, technicians from the cyber security firm IOActive, Inc. designed a computer worm that could penetrate and infect interactive, wireless meters that make up part of an extensive smart grid. The worm “spread from one meter to another,” noted an IT consultant, “and then it changed the text in the LCD screen to say ‘pwned’.” Infrastructure security specialist Joe Weiss, formerly a manager with the Electric Power Research Institute, or EPRI, has compiled a database of more than 170 infrastructure cyber incidents.

A wealth of IT security organizations, such as the Computer Emergency Response Team, or CERT, exist. However, there are few organizations that deal with cyber security in electrical and other industrial infrastructure. At the same time, there is a great deal of information readily available on public infrastructure. Terrorists could gain most of the information required to mount an attack on a smart grid from public sources such as industry journals.

“The electric grid is highly dependent on computer-based control systems,” sums up House Committee on Homeland Security chairman Bennie Thompson. “These systems are increasingly connected to open networks such as the internet, exposing them to cyber risks. Any failure of our electric grid, whether intentional or unintentional, would have a significant and potentially devastating impact on our nation.”

The cyber risks that concern observers include many vulnerabilities that lead to inadvertent mishaps unrelated to malicious hackers or malware. A classic example of this was the 1999 explosion of a pipeline in Bellingham, Washington. There the computer monitoring systems failed to detect the buildup of pressure within the fuel line. The resulting explosion killed three, and the busted line spilled an ocean of gasoline into nearby creeks, resulting in $45 million of damage. A recent example was the highly publicized disruption of suspected nuclear weapons facilities in Iran via the Stuxnet worm, which was specifically designed to penetrate the Windows operating system that run the computer systems of the nuclear plants in question.

Many inadvertent problems stem from trying to graft traditional IT security solutions onto infrastructure systems for which such solutions weren’t designed. Penetration testing, a standard tool of white hat hackers, has been known to destroy the firmware or disrupt the control systems of infrastructure facilities. Maintenance of anti-virus software on such facilities has disrupted control devices and triggered denials of service. Installation of software patches has prevented shutting off the pumps of water utilities, while software for other infrastructure cannot be patched while the facilities are in operation. Inadvertent incidents have even forced nuclear power plants to fall back on auxiliary power.

These mishaps result in part from the lack of testing of, and experience with, cyber security tools applied to infrastructure systems. At the same time there is often a “culture gap” between the employees of IT shops and those of electrical and other infrastructure facilities. The two sets of personnel are simply not yet used to working together. Another gap exists among the infrastructure industry, the IT sector, and federal government regulators. While representatives of software and computer manufacturing firms are regularly invited to government conferences on cyber security, leaders from the infrastructure sector are usually an afterthought at best or forgotten at worst.

Fortunately, despite the exploits that have occurred, malicious or inadvertent, the cyber threat to the electrical grid and other infrastructure elements is still at its early stages. This fact hopefully will allow companies and government agencies the time to take countermeasures to minimize the threat. Most of the steps that have been proposed mirror those that have been taken to better secure the IT industry against malicious attack.

An important first step is standards. The North American Electric Reliability Corp., or NERC, is a non-profit organization of industry working groups and utilities that formulate some Critical Infrastructure Protection (CIP) standards.  The Federal Energy Regulatory Commission, an independent agency that regulates transmission and transport of electricity and energy commodities, provides oversight for NERC. NERC focuses on ensuring reliability of the power system in the U.S. and Canada. Although the standards are limited, and much else remains to be done, NERC and CIP have served to raise awareness of infrastructure security issues, and have provided the context for an increase in funding to bolster infrastructure cyber security.

The development of effective policy, procedures, and procedures for infrastructure security is vital. And, as with IT cyber security, risk management will play a key role. Risk management with smart grids has to do with threat assessment, vulnerability detection and identification, risk assessment itself, and drawing up of countermeasures. A realistic assessment of actual risks must be made, with resources apportioned rationally to deal with risks that are most likely and that could cause the most damage.

As a relatively new field, infrastructure cyber security must begin to embed security into it architecture, as part of the design process. Testing of security applications and of grid components must become more comprehensive and more rigorous. Security software and security threats are evolving continuously, and the test regime must change constantly to keep up.

Testing would be more effective and more credible if the infrastructure sector employed independent testing experts from outside the infrastructure realm. This would be particularly true of the testing of smart meters.

As a new field, infrastructure cyber security would benefit from organizational programs to raise security awareness among employees. A natural part of that would be training programs in security.

Further, the government must strive to bring representatives of the electrical and other infrastructure sectors into its conferences on IT security, along with representatives of the IT industry. And within an organization, management must ensure that the IT and infrastructure operations shops, which often work separately and at cross purposes, collaborate in aligning their functions to bring about better security.

In all of these concerns, the role of upper-level management is key. Management must make security for the electrical grid a priority, and ensure that the various divisions of an enterprise make it their priority as well.

Other Information:

Certified Information Systems Security Professional (CISSP)

Free CEH online course

For years IT organizations have focused on securing the computer network. Technologies such as firewalls and network access control (NAC) are designed to keep malware and unauthorized traffic from coming in. That makes sense from an operational integrity standpoint. Viruses, worms, spam, phishing attacks, etc. can bring a network to a standstill. But, while the focus has been on keeping bad traffic out, data packets have moved freely – for the most part – through and beyond the private network. After all, that’s what the network is for. It plays a supporting role to the star of the show: your data. Without data, there’s little need for a network. But therein lies the rub! Even as organizations block traffic and prevent infected or noncompliant endpoints from connecting to the network, they allow confidential, sensitive and proprietary information to flow between departments, between LAN segments, between private networks and across the Internet.

Increasingly, companies are recognizing the vulnerability this creates and the need to secure not just the network but also the data that is stored and transmitted across it. That is where data loss prevention comes in. Data loss prevention (DLP) refers to a category of information security products that aim to prevent the unauthorized distribution or loss of sensitive information. It is a complex set of technologies designed to identify confidential information, monitor the network for the transmission of this information and enforce policies accordingly. DLP solutions typically have three components: one at the endpoint where it monitors and controls activities, one at the network where it filters data streams and a component in storage devices to protect data at rest.

The Need for Data Loss Prevention

It used to be there was only one way to steal a company’s valuable assets – through the door. Not so today. Many businesses live and die based on the information they possess, be it customer data, trade secrets or other intellectual property. And that information can leave an organization any number of ways. Perhaps the most high profile means of data loss of late is through the theft or loss of mobile data-bearing devices, such as laptops, thumb drives and smartphones. The storage capacity on these types of devices continues to grow, and companies are eager to enable their users to work anytime anywhere. This means an increasing dependence on mobile devices. Sales teams have access to Web-based CRM applications. Executives email sensitive documents while on the road. While the functionality enables a more productive workforce, it also increases the vulnerability of the company’s data. Smartphones and laptops areleft in taxis,at airport checkpoints, at conferences and hotel rooms – where they can be easily picked up by the next passerby. In fact, according to Ponemon Institute’s Business Risk of a Lost Laptop study,the most vulnerable time to lose a laptop is during travel. But these devices are vulnerable wherever they are used. Laptops have been stolen from office buildings, and even end users’ homes and vehicles. For example, in January 2008 a laptop was taken from a Horizon Blue Cross Blue Shield employee in Newark, New Jersey. The laptop, which was being taken to the employee’s home, held more than 300,000 member names, Social Security numbers and other personal information.

Mobile data-bearing devices are a weak point in your company’s data security, but an even larger threat to data loss is email. In its seventh annual study of outbound email and data loss prevention issues, Proofpoint Inc. found that email is the number one source of data loss risks in large enterprises. According to the study, 35% of respondents investigated a leak of confidential or proprietary information via email in the previous 12 months. Consider how many of your end users use email and have access to sensitive information. Even authorized users sending sensitive information to legitimate recipients put your data at risk if said data is transmitted in clear text. Then there’s the possibility that data is sent to the wrong recipient or perhaps the sender or recipient shouldn’t have access to the data at all. On Sept. 2, 2010 medical technology provider Kinetic Concepts Inc. announced that an attachment with sensitive employee information was accidentally emailed to company employees*. With a simple click of a mouse unauthorized recipients had access to their colleagues’ Social Security numbers, addresses, dates of birth and salary information. Imagine the mess that created for HR!

And that brings us to another looming threat – the insider. Data can be lost by end users via accidental disclosure. These are folks who have access to sensitive information but don’t know how to use it safely. Again, perhaps they are emailing confidential documents to an appropriate recipient but are not encrypting them. Then there are users who intentionally disclose sensitive and confidential information to “get back” at their employer. In February 2010, ITPro.co.uk reported that a database containing contact information of 170,000 Royal Dutch Shell workers was emailed to organizations campaigning against the oil giant. The database is “thought to have been sent by a disaffected former employee of the company,” according to the report. That’s just the tip of the iceberg. According to the Privacy Rights Clearinghouse, 77 data breach incidents resulting from intentional disclosure by insiders were made public from January through October, 2010. Those 77 breaches exposed 1,268,807 records.

Malware and Web applications also pose a risk to corporate data. Users can download myriad Web apps to their smartphones that use or store data from the phone. For example, software marketed to catch cheating partners can be downloaded onto an unsuspecting user’s phone. The software then records all communications and stores the information on a server where it can be accessed by a third party. Other Web apps aren’t as seemingly malicious. They may enable smartphone users to send and receive virtual business cards or record telephone conversations for later playback. But these applications potentially expose sensitive and confidential information to third parties, especially if it is stored on the Web app providers’ (unsecure) servers.

Malware writers have also come to realize that there is money to be made in possessing sensitive data. Hackers create viruses, spyware and the like to steal data that can later be used to commit identity theft or blackmail, or be resold. Case in point: The United States’ fourth largest credit card payments processing company fell victim to a malware attack in 2008. Heartland Payment Systems’ system became infected with malware that allowed attackers to collect unencrypted payment card data in transit. This went on for several months.

Full articles includes information on following things:

- The Cost of a Data Breach

- Symantec DLP Solutions

- Discover Where Confidential Data is Stored

- Monitor How Confidential Data is Being Used

- Protect and Prevent Confidential Data Loss

- Manage and Enforce Unified Data Security Policies

- Data Loss Prevention Best Practices

For full article visit Logical Security Resources

Other Information:

Certified Information Systems Security Professional (CISSP)

Free CEH online course

Zeus, or Zbot, is a software toolkit that enables malware coders to build hard-to-detect Trojan horses, ones typically employed against the bank accounts of unsuspecting owners. (A Trojan horse is malicious software, secretly embedded in a system or application, that is “turned on” at a time of the attacker’s choosing.) Launched from behind command and control servers, Zeus is known by various names— Zeus, Zbot, Wsnpoem, PRG, Kneber, and Gorhax.

Since 2007, illicit organizations have employed Zeus to launch damaging, highly publicized attacks targeting the login credentials and other personal data associated with millions of computers, thousands of organizations, and uncounted numbers of users and their accounts. Relatively small groups of sophisticated criminal bands based in various nations–particularly in Eastern European countries such as Russia and Ukraine–have stolen tens of millions of dollars.  Computers in 196 countries have been subject to attack. The countries most affected include the U.S., U.K., Saudi Arabia, Egypt, and Turkey.

In a typical scenario, malicious developers generate malware. The malicious code can be purchased on the cyber underground. Black-hat hackers who are part of criminal organizations break into and compromise computers. On the machines, they insert a Trojan which, when activated, pilfers the credentials of targeted persons, and penetrates the targets’ bank accounts. Meantime the thieves’ command and control server collects this sensitive data. The targets can be banks, ATM machines, credit card companies, social networking sites, telecommunication and other firms, and private individuals.

The hackers then transfer funds from these accounts to “mules.” Networks of mules consist of developers, non-technical individuals, and other illicit organizations. Often, they are foreigners who acquire fake passports and other identification in order to enter the country whose individuals and corporations are the targets of the attack.  After opening bank accounts, they “launder” the funds in the accounts to prevent tracking of the stolen funds. In addition, they transfer the funds to the organizers of the illicit scheme, in return for a percentage of the moneys procured.

For full article visit Logical Security Resources

Other Information:

Certified Information Systems Security Professional (CISSP)

Free CEH online course

Smartphones are infiltrating businesses of all sizes. Decreasing price points and increasing functionality puts enterprise-class capabilities in the palm of every Tom, Dick and Harry who connects to the corporate network. No big deal, right? Blackberrys, iPhones and Androids – among many others – enable your users to work more efficiently. But, like every other piece of technology, smartphones come with a price to your organization. That price is in the form of risk. Let’s look at some of the ways smartphones introduce risk to your environment, and then look at some of the best practices for managing that risk.

Data Loss

Perhaps the most significant risk posed by smartphones is that of data loss. There are a number of ways data can be lost or stolen from smartphones. Most obvious is the loss or theft of the device itself. These small handheld devices can be easily forgotten in public places or picked up by casual passersby. Many users either don’t password protect their phone because of the inconvenience it poses or, if they do, use a simple four-character password that can easily be cracked. So all of the data – be it sensitive company data or personal data – is accessible by an unauthorized user.

There are also occasions upon which users have legitimate possession of another’s smartphone, but have no business accessing the data on it. For example, it is not unusual for a user to give an old phone to a friend who has lost their own or to donate an outdated phone to a charity. Data can also be exposed if a smartphone is resold or sent in to the manufacturer for repair.

But physical possession is not required to steal data off of a smartphone. Mobile applications can access the data on your users’ smartphones and, in some cases, even store that information on third-party servers. For example, applications marketed as tools to catch cheating partners and protect children can be downloaded to an unsuspecting users’ smartphone. The application captures emails, texts, browsing history and telephone calls, and stores that information on a server where it can be retrieved by an unauthorized individual. If any of those communications include corporate data then it too is saved and accessed by a third-party.

All of these scenarios put companies at risk of being noncompliant with laws and regulations around data privacy. If a user loses a smartphone storing unprotected corporate data or your data is stored on an unauthorized third-party server, your company is liable and can face fines.

Common vulnerabilities

Contrary to popular belief, smartphones are no better protected against denial-of-service attacks or malware infections than an unprotected PC. In fact, the applications that run on smartphones are subject to all of the same vulnerabilities. Consider Web applications, which have been used to spread malware, spyware, phishing attempts, etc., via PCs. Users are downloading similar applications to their smartphones, the difference being that smartphones typically do not have antivirus protection, so these infected files can propagate onto an IP network.

The smartphone’s small form factor further facilitates propagation of malware. It’s more difficult to identify risk web sites and suspicious emails and links on pared down sites built specifically for a small screen. Plus, users tend to be more trusting of the data they receive on their smartphones because the devices represent a more intimate communications channel. Thus, they are more likely to click on potentially dangerous links.

For full article with Ten Smartphone Security Best Practices please visit Smartphone Security Article at Logical Security.

Other Information:

Certified Information Systems Security Professional (CISSP)

The online predator, Joel Garcia, finally got what he deserved. The 29-year-old Texan had been communicating online for some time with a 12-year-old.  He’s sent the child a number of pornographic images. In other postings he discussed having sex with the child. Finally, he and the child agree to meet to have sex.

When Garcia arrived at the agreed-on place, however, he was met by FBI agents and Corpus Christi police. One official had masqueraded online as the child. In Garcia’s car, investigators found 14 child sex videos, and hundreds of photographs of child pornography. The arrested man was later sentenced to 14 years without parole.

The Internet is a great boon for learning, including children. Yet children, due to their age and trusting nature, are at particular risk to the dangers of the Internet. The Web Wide Web poses a great many and growing risks to children.

Online predators trawl the Web seeking to involve youngsters inappropriate and illegal sexual relationships. The Internet allows sexual deviants to more easily gain access to information about youths they may be targeting. Such information can include a youth’s email address, web site, birth date and age, photos, family data, other friends, hobbies, and individual likes and dislikes. Based on such information, predators can begin to befriend impressionable youths, perhaps gaining their trust over a long period of time, perhaps through enticements such as the provision of free software games. At the same time, predators can maintain relative anonymity about themselves, or readily post false or misleading information. Once friendship is gained, predators may seek to physically meet their targets, sometimes by sending them money, tickets, or other means to travel to a rendezvous.

Common “hunting grounds” for predators include email, blogs, and social networking sites such as Facebook and MySpace. Another is online chat rooms, which by their nature promote anonymity on the one hand and encourage children eager to converse and make friends to let down their defenses. By their very nature, children are vulnerable to predators. Emotionally immature, they crave attention.  They have a natural curiosity, especially about topics that their parents may have declared off limits. They are accustomed to obeying the requests of adults, and are unlikely to doubt such requests are illegitimate.

The Internet is awash with pornography sites, including children’s porn sites. Predators may seek to photograph or film children and young adults for use by such sites. To gain material for such sites, or for their own illicit purposes, predators may “cyberstalk” children, constantly harassing them, or attempting to gain their trust in online “friendships” leading to destructive real-life encounters.

A great many free online resources are available for parents, children, and other concerned individualson how to safely and effectively use Internet tools and devices.

14-year-old Phil loved his parents’ new laptop, and the Internet, and spent hours on the Web playing games and conversing with friends on Facebook. One week, however, Phil began receiving disturbing messages. A “friend” from middle school posted messages on Phil’s Facebook “wall” using offensive language and made-up slurs. An adult stranger commented weirdly about Phil’s Facebook photos, while requesting Phil’s personal email. Phil was bothered by the messages, and told his mother about it.

Phil’s mom was herself, for her job as a marketing manager, a practiced user of social networking sites. She got on Facebook with her son, and showed him how to tighten up the security and privacy of his account. Together they changed his privacy settings to allow access to his photos and profile only to certain actual friends and relatives. They blocked messages from the adult stranger. And Phil’s mother stressed to him that he should in the future only accept messages and friend requests from persons and organizations he knew and trusted.

One site full of information about the risks the Internet can pose to children, and how to mitigate those risks, is Web Wise Kids, located at: http://www.webwisekids.org/

Web Wise Kids, sponsored in part by the Department of Justice, is a 501(c)3 non-profit organization that offers informative and easy-to-understand programs for both children and adults on matters such as online predators and stalking, safe blogging and cell phone use, and computer fraud and piracy.

Programs include interactive games where children and teens play detective to “turn the tables” on Internet predators, by investigating and collecting evidence about their illicit use of spyware and counterfeit software.  For parents, instructors, and law enforcement personnel, the Wired with Wisdom program is a user-accessible, online game that explores topics such as chat rooms, personal web sites, and email and social networking.

The federal government provides a number of such resources, in particular free publications from theFederal Trade Commission (FTC). The FTC publications include:

Net Cetera: Chatting with Kids about Being Online

Helps parents protect their kids and to talk to them about living their lives online. Topics covered include: parental controls, protecting the family computer, sexting, social networking sites, and increasing the safety of mobile phones. 56 pages.

Social Networking Sites: A Parent’s Guide

Urges parents and kids to talk about the risks involved in using social networking sites. Offers tips for using such sites safely. Helps parents with issues like: keeping information private, how their kids get online, avoiding sex sites, reviewing your children’s friends list, computer privacy settings.

Social Networking Sites: Safety Tips for Tweens and Teens
Deals with such issues as: limiting the posting of personal information such as photographs, street address, and credit card data, being wary of meeting online “friends,” how posted information stays online “forever”.4 pages.

For full article with 7 Practices for Safer Computing please visit Logical Security Resources

Other Information:

Certified Information Systems Security Professional (CISSP)

Data security breaches are a concern for every organization that holds sensitive data.  Until now, studies released have covered data that either must be kept confidential, or that contain a small number of breaches for analysis.  ”The Leaking Vault – Five Years of Data Breaches” analyzes over 2,800 data loss incidents from publicly accessible sources, with a known disclosure of 271.9 million records.  This study—the largest of its kind to date—provides analysis on which breach vectors carry the most risk, and should help provide organizations with more accurate information when combating this problem.

To assist organizations and current and future members of this workforce, the Department of Homeland Security National Cyber Security Division (DHS-NCSD) worked with experts from academia, government, and the private sector to develop a high-level framework that establishes a national baseline representing the essential knowledge and skills IT security practitioners should possess to perform.

DHS-NCSD developed the IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development as an umbrella document that links competencies and functional perspectives to IT security roles fulfilled by personnel in the public and private sectors.

Other Information:

Certified Information Systems Security Professional (CISSP)