Archive for July, 2006

Posted on Jul 31st, 2006

Spyware, which can install itself on your computer, monitor your usage and record private information, has surpassed viruses as the number one internet threat. Though the threats from spyware are endless, there are several measures you can take to guard your computer and personal information from being hijacked by spyware.

Spyware gets into your system by several methods, one being downloads you select from the internet. Music, game and other file-sharing programs commonly bundle spyware that is installed on your computer once you approve the download of the main program. Many other kinds of freeware, screen savers and image downloads are linked to spyware as well.

Reading the user license agreement will tell you whether a particular download has spyware tagging along. Many users do not read through the agreement; instead they check the box to agree to the terms and unknowingly have spyware installed. When downloading freeware, music or game programs, cancel the installation if you notice any third-party software, see ad-supported material or are asked to agree to more than one license agreement, as these are all signs that spyware and annoying pop-ups will follow once the download is complete.

Checking for and installing updates from your software provider regularly will help a great deal in avoiding a privacy invasion. Keep running your anti-virus software, but also invest in or use the free spyware tools. Free spyware tools scan your computer and remove current infections; however, the spyware they remove can usually re-infect the computer shortly afterwards. For preventive protection, purchase well-proven anti-spyware software or find free tools that provide sufficient protection.

Mitch Johnson is a successful freelance author who writes regularly for http://www.spyware-removal-made-easy.com/ , a site that focuses exclusively on spyware removal software, as well as tips on how to prevent spyware from popping up on your computer. The site has articles on spyware guard, http://www.spyware-removal-made-easy.com/spyware_guard.htm , as well as spyware scanner, http://www.spyware-removal-made-easy.com/spyware_scanner.htm

Posted on Jul 30th, 2006

In an effort to offer Internet Explorer users an initial line of protection against spyware, Jayde Online Inc. and XBlock Software announced a partnership in 2004. The two companies planned to integrate XBlock's spyware tool X-Cleaner into Jayde's Internet Explorer search engine toolbar, ExactSeek.com. The ExactSeek toolbar already provided web search, pop-up blocking, highlighting and drag-and-search, along with Alexa ranking information.

Executives at Jayde Online seek to provide internet users with new features with the release of each new free toolbar. By working with XBlock, the company hopes to give users an initial line of defense against spyware threats. Because computer users are constantly being preyed upon by spyware, those in the industry predict that spyware could far surpass the threat posed by computer viruses. Executives at XBlock believe the anti-spyware tools in the ExactSeek toolbar will not offer computer users a complete defense against spyware, but will protect computers from the most prevalent spyware, adware, keylogger and Trojan problems.

XBlock has provided online security tools for consumers and corporations since its founding. ExactSeek.com is part of the Jayde Corporation, which comprises several online network sites. Jayde also publishes several email newsletters.

Mitch Johnson is a successful freelance author who writes regularly for http://www.spyware-removal-made-easy.com/ , a site that focuses exclusively on spyware removal software, as well as tips on how to prevent spyware from popping up on your computer. The site has articles on spyware guard, http://www.spyware-removal-made-easy.com/spyware_guard.htm , as well as spyware scanner, http://www.spyware-removal-made-easy.com/spyware_scanner.htm

Posted on Jul 29th, 2006

It is a known fact that every time you open a browser to view a web page, order something online, or read your email in a web-based viewer, that information is stored on your computer for later use. Whether you are viewing the weather online, reading sports, catching up on the latest world news or viewing something a little more private, all that information is stored on your computer. Windows operating systems keep this material in what are called Temporary Internet Files, or the cache. Web sites may store bits of information about who you are in files called cookies on your computer. Your web browser keeps a list of the web sites you've visited and places you've gone in a history file. Even if you are not online, programs store histories of the files you've opened, played or viewed.

Generally there might not be any reason to worry about all these files on your computer, but what if you sell your computer and all that information is left for someone else to see? Maybe friends and relatives visit and use your computer, and you don't want everyone to know what files you have been running. Then you are going to want to know how to delete these files.

Even if you are not worried about privacy on your computer, you may be surprised to realize how much hard drive space all this information takes up. If you are running out of drive space, you may want to delete these files.

How can I delete these files?

For Internet Explorer 5 and above, you can follow these directions to clear out temporary files and delete cookies.

1) Open Internet Explorer and click on Tools

2) Click on Internet Options

3) On the General Tab, in the middle of the screen, click on Delete Files

4) You may also want to check the box "Delete all offline content"

5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files

6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive.

To clear the Internet History in IE:

1) Open Internet Explorer and click on Tools

2) Click on Internet Options

3) On the General Tab, in the middle of the screen, click on Clear History

4) Click OK

To clean up other temporary files on your computer in Windows 98 or higher:

1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup

2) Choose the correct drive, usually C:

3) Check the boxes in the list and delete the files

This deletion method is only good if you want to free space, because normal file deletion only removes a file's directory entry and leaves the data contained in the file on your hard drive, where it can easily be recovered by any average computer user with an undelete utility. If you delete cookies or history using conventional methods, anyone can recover them! Even after a hard drive format, files can be recovered using expensive hardware and software that use forensic latency track analysis algorithms.

There are several good utilities such as Privacy Guard that delete cookies and delete history beyond recovery.
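What a utility of this kind actually has to do, as an added example that is not from the original post or from Privacy Guard: overwrite the file's bytes in place and sync them to disk before unlinking, and rename the file first so that the name itself (cookie files are typically named after the site that set them) is not left behind in the directory. The sample cookie file and its contents are constructed; on journaling or copy-on-write filesystems and SSDs the overwrite is best effort only.

```python
"""Overwrite-then-delete for cache, cookie and history files (added example)."""
import os
import secrets
import tempfile

# Constructed sample contents of a cookie file, used by demo() below.
SAMPLE_COOKIE = b"user@example.com\nsessionid=constructed-sample-value\n"


def overwrite_in_place(path, passes=3, chunk_size=64 * 1024):
    """Overwrite every byte of the file with random data, syncing after each pass.

    Returns the number of bytes overwritten per pass. Plain deletion only drops
    the directory entry and leaves the file's blocks untouched until something
    reuses them, which is exactly what an undelete utility recovers.
    Caveat: journaling or copy-on-write filesystems and SSD wear levelling can
    keep stale copies of the data elsewhere on the device, so this is a
    best-effort measure and no substitute for disk encryption.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the disk, not just the OS cache
    return size


def overwrite_and_delete(path, passes=3):
    """Overwrite the contents, rename to a meaningless name, then unlink.

    The rename matters for history and cookie files: a name such as
    'user@example.com.txt' reveals the visited site even after the contents
    are gone.
    """
    size = overwrite_in_place(path, passes)
    anonymous = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return size


def demo():
    """Write the constructed cookie file, wipe it and report what remained.

    Returns (bytes_wiped, original_still_readable, file_exists_afterwards).
    """
    with tempfile.TemporaryDirectory() as tmp:
        cookie = os.path.join(tmp, "user@example.com.txt")  # constructed sample file
        with open(cookie, "wb") as f:
            f.write(SAMPLE_COOKIE)
        size = overwrite_in_place(cookie, passes=1)
        with open(cookie, "rb") as f:
            still_readable = SAMPLE_COOKIE in f.read()
        overwrite_and_delete(cookie, passes=1)
        exists = os.path.exists(cookie)
    return size, still_readable, exists


if __name__ == "__main__":
    print(demo())  # expected: (len(SAMPLE_COOKIE), False, False)
```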

Alexandru Marias is an IT student.

Posted on Jul 28th, 2006

In Part 1 of Is Your Email Private, we covered the basics of most current email systems, including how they work and why they are not secure. We then started into the topic of encryption and provided a link to PGP (Pretty Good Privacy), considered by many to be the de facto standard for email encryption on the Internet.

PGP is an encryption tool that uses public key cryptography (that is, cryptography that uses a public / private key pair to encrypt messages, so that no other security is needed when sending messages across the Internet…) to maintain secure communications. To send someone a secure message, you "scramble" it using his or her public key before transmission. Then only the correct recipient can "un-scramble" the message, using their private key. The same works in reverse for you: someone uses your public key to encrypt a message and sends it to you, and then only you can decrypt the message, using your private key.

If you missed Part 1, you can get your copy of PGP from here: http://www.pgpi.org. It’s free and there are many download sites available. Then walk through the following steps to start guarding your privacy…

1) This may sound simple, but step 1 is to install the software! I would suggest that you use the defaults that the install program sets up for the installation. Wait until you've got more experience with the program before you modify anything.

2) Once the software is installed, it will walk you through creating your first public / private key pair. Go ahead, walk through the process - there's nothing like getting your feet wet right away. Besides, you need to create this key pair before you can start using PGP. If you want to wait, you can create the key pair later using the PGPkeys application.

3) Now that you’ve created your key pair, you need to pass out your public key. Since the key is simply a block of ASCII text characters, you can copy and paste it into the body of an email message or send it as an attached text file. Or you can post it on a public "key server" where anyone can get it anytime they need it. You also have access to other people’s public keys in this same manner.

4) OK - you've posted your public key and downloaded the public keys of all the people you want to send encrypted email to. Now you need to validate these keys. Why? Because you want to make sure the key you downloaded belongs to the person you want to send email to. You can do this by comparing the unique fingerprint of your copy of someone's public key to the fingerprint of that person's original key. When you are sure that you have a valid public key, you sign it with your private key to show that you feel safe using it.

5) Now the fun begins! Once you have created your public / private keys and have downloaded the public keys of others you can start sending and receiving encrypted email.

If you are using one of the email applications supported by the included PGP plug-ins, you can send encrypted messages right from your email client by clicking on the appropriate buttons on the PGP toolbar. You can also decrypt messages right in the client.

If your email client is not supported by plug-ins, you can encrypt or decrypt your email using the functions from PGPtray or from PGPtools. Both of these applications are available by clicking on the PGP icon in the system tray of your Windows OS.
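The fingerprint comparison in step 4 is what defeats a substituted key: a key server will happily hand out a second key uploaded under the same name and email address. As an added example, not code from the original article or from PGP, this recomputes an OpenPGP version 4 fingerprint from the key material itself (RFC 4880 §12.2) and compares it in constant time with the fingerprint the owner read to you out of band. TOY_N, TOY_E and TOY_CREATED are constructed placeholders, far too small to be a real key; the packet layout and hash are the real ones.

```python
"""Recompute and check an OpenPGP v4 public-key fingerprint (added example)."""
import hashlib
import hmac
import struct

# Constructed toy RSA public key values. NOT a real key: a usable key has a
# 2048-bit or larger modulus; the fingerprint computation is the same either way.
TOY_N = 0xC3A18F7B5D2E9A11F0E46B3C7D882A5F9E13C4D70B6A3E591F2D8C47A6B05D91
TOY_E = 65537
TOY_CREATED = 1154390400  # key creation time, 2006-08-01 00:00:00 UTC (constructed)


def mpi(value):
    """Encode an integer as an OpenPGP multiprecision integer (RFC 4880 s3.2):
    a two-octet bit length, then the big-endian value without leading zero bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet_body(n, e, created):
    """Body of a version 4 Public-Key packet for RSA (RFC 4880 s5.5.2):
    version 4, four-octet creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body):
    """SHA-1 over 0x99, the two-octet body length, then the body (RFC 4880 s12.2)."""
    prefix = bytes([0x99]) + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def key_id(fingerprint_hex):
    """The 64-bit key ID shown in most key listings is the low-order 8 bytes."""
    return fingerprint_hex[-16:]


def normalize(fpr):
    """Strip the spaces and case people use when reading a fingerprint aloud."""
    return "".join(fpr.split()).upper()


def fingerprint_matches(computed_hex, out_of_band_fpr):
    """Constant-time comparison against the value obtained out of band."""
    return hmac.compare_digest(normalize(computed_hex), normalize(out_of_band_fpr))


def verify_downloaded_key(n, e, created, out_of_band_fpr):
    """Recompute the fingerprint from the downloaded key material rather than
    trusting the one a key server displays, then compare.
    Returns (matches, fingerprint)."""
    fpr = v4_fingerprint(rsa_public_key_packet_body(n, e, created))
    return fingerprint_matches(fpr, out_of_band_fpr), fpr


def pretty(fpr):
    """Format as the four-character groups PGP prints."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


if __name__ == "__main__":
    # The value the owner reads to you over the phone (here computed from the genuine key).
    _, genuine = verify_downloaded_key(TOY_N, TOY_E, TOY_CREATED, "")
    print("genuine key:", pretty(genuine), "key id", key_id(genuine))
    # A look-alike key uploaded under the same name but with different material fails.
    ok, bogus = verify_downloaded_key(TOY_N + 2, TOY_E, TOY_CREATED, genuine)
    print("look-alike :", pretty(bogus), "matches genuine?", ok)
```

Changing any byte of the key material, including the creation time, changes the fingerprint, which is why the comparison must cover the whole value and not just the short key ID.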

There are many other options available inside the PGP program. I suggest you read the user's guide from top to bottom. You don't want to miss out on any of the functionality and versatility available to you from this FREE application.

Next time - Online encrypted email services…

Michael Ameye has been developing web sites since 1995. He started writing about online privacy issues to answer questions from family, friends and co-workers. He is also the chief editor of PSS Online, a Privacy, Safety and Security eZine dedicated to bringing important information to people in order to foster a safer, more secure environment - online and off. Visit http://www.pssonline.info to subscribe.

Posted on Jul 27th, 2006

According to an FBI report, from 2003 to 2004 online scams doubled, with nearly ten million new victims. This crime cost those victims nearly $5 billion of money they could not afford to lose.

Sadly, people are continuing to fall for online scams where identity theft is the spammer's goal. These con artists and hackers are just waiting to commit online fraud and steal your identity.

Here are a few of the most popular online scams to be aware of so you can avoid becoming a victim.

Phishing Scam

The phishing scam is when a spammer sends you an email claiming to be from a reputable bank. The email, complete with authentic bank logos, asks you to log in and verify your account information.

The spammer then captures your account information and helps himself to your account. Scammers sometimes sell your information to other criminals as well, and you can become a victim of identity theft.

Congratulations You’ve Won Scam

This email scam tells you that you have won a big prize, like a big-screen TV or even the lottery. To claim your prize you need to pay for the shipping and handling with your credit card.

In the case of winning the lottery, they ask for advance fees to cover costs. The only prize you get is discovering mysterious charges on your credit card.

Pharming Scam

Pharming is one of the latest online scams and a rapidly growing threat that has been showing up a lot on the Internet. The pharming scam is similar to phishing but with a new twist.

The pharming scam works by redirecting your Internet browser. When you type a website address into your web browser, you are redirected without your knowledge to a bogus site that looks identical to the genuine one.

Once you log in with your login name and password, the information is immediately captured by the scammer. With the pharming scam, you no longer have to click an email link for your personal information to be stolen.

The best thing to do when you or someone you know has become a victim of one of these online scams is to report it to the authorities. Otherwise these thieves get away without ever getting caught.

Report online scams to the Internet Fraud Complaint Center (IFCC). It is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C). Its web address is: http://www1.ifccfbi.gov

IFCC’s mission is to address fraud and online scams committed over the Internet. For victims of online fraud, IFCC provides a convenient and easy-to-use reporting mechanism that alerts authorities of a suspected criminal or civil violation.

Be aware of these online scams and report them to the IFCC so you can avoid becoming a new victim. It makes the Internet a safer and more enjoyable place for all of us.

Copyright © 2005 Spyware Information.com All Rights Reserved.

This article is provided by http://www.spyware-information.com where you will find free spyware cleaners, downloads, removal software, computer firewalls and valuable tips. For regularly updated articles about adware, spyware and protection from identity theft go to http://spyware-information.com/articles_1.html

Posted on Jul 26th, 2006

The jury duty scam is the newest type of identity theft scammers are using to get your personal information. This is a new twist on identity theft, and you should be aware of it so you can avoid becoming a new victim.

With the jury duty scam, the scammer calls you claiming to work for the local court and tells you that you failed to report for jury duty. He then explains that a warrant has been issued for your arrest.

When you explain that you never received the jury duty notification, that sets up the perfect opening for the identity theft scam. The scammer then asks you for identity verification, wanting your Social Security number.

Once that is provided, the scammers go for even more information, like your birth date and sometimes credit card numbers, simply because some people will give it out freely.

Scammers tell you that a warrant has been issued for your arrest to catch you off guard. That thought is so powerful you don’t think about protecting your confidential information and quickly become a victim of the identity theft scam.

Here are a few ways you can protect yourself from the jury duty scam.

1. Never give out your Social Security number, credit card numbers, bank or any other personal or confidential information on the phone unless you originated the call and are positive you know who you are talking to.

2. People who work for the courts will never call you to ask for social security numbers or credit card numbers. If someone calls wanting this information, hang up.

3. If you fail to appear for jury duty, the court will send a second summons by mail. The courts do not call and threaten to arrest people.

The jury duty scam is the latest in a series of identity theft scams in which scammers use the phone to try to get someone's Social Security number and other confidential information.

Scammers will continue to come up with new ways to try to get your personal information. But if you are aware of how the jury duty scam works, you might be able to avoid becoming its victim.

Copyright © 2005 Spyware Information.com All Rights Reserved.

This article is provided by http://www.spyware-information.com where you will find free spyware cleaners, downloads, removal software, computer firewalls and valuable tips. For regularly updated articles about adware, spyware and protection from identity theft go to http://spyware-information.com/articles_1.html

Posted on Jul 25th, 2006

Robert Tappan Morris was the first person convicted by a jury under the Computer Fraud and Abuse Act of 1986. The story of the worm he created and what happened to him after it was released is a tale of mistakes, infamy, and ultimately the financial and professional success of its author.

Morris was a 23-year-old graduate student at Cornell University in 1988 when he wrote the first Internet worm in 99 lines of C code. According to him, the worm was an experiment to gain access to as many machines as possible. Morris designed the worm to detect the existence of other copies of itself on infected machines and not reinfect those machines. Although he didn't appear to intend the worm to be malicious by destroying files or damaging systems, according to comments in his source code he did design it to "break-in" to systems and "steal" passwords. Morris' worm worked by exploiting holes in the debug mode of the Unix sendmail program and in the finger daemon, fingerd.

On November 2, 1988, Morris released his worm from MIT to disguise the fact that the author was a Cornell student. Unfortunately for Morris, his worm had a bug: the part that was supposed to prevent reinfection of machines that already harbored the worm didn't work. So systems quickly became infested with dozens of copies of the worm, each trying to break into accounts and replicate more worms. With no free processor cycles, infected systems soon crashed or became completely unresponsive. Rebooting infected systems didn't help. Killing the worm processes by hand was futile because they just kept multiplying. The only solution was to disconnect the systems from the Internet and try to figure out how the worm worked.

Programmers at the University of Berkeley, MIT, and Purdue were actively disassembling copies of the worm. Meanwhile, once he realized the worm was out of control, Morris enlisted the help of a friend at Harvard to stop the contagion. Within a day, the Berkeley and Purdue teams had developed and distributed procedures to slow down the spread of the worm. Also, Morris and his friend sent an anonymous message from Harvard describing how to kill the worm and patch vulnerable systems. Of course, few were able to get the information from either the universities or Morris because they were disconnected from the Internet.

Eventually the word got out and the systems came back online. Within a few days things were mostly back to normal. It is estimated that the Morris worm infected more than 6,000 computers, which in 1988 represented one-tenth of the Internet. Although none of the infected systems were actually damaged and no data was lost, the costs in system downtime and man-hours were estimated at $15 million. Victims of the worm included computers at NASA, some military facilities, several major universities, and medical research facilities.

Writing a buggy worm and releasing it was Morris’ second mistake. His first mistake was talking about his worm for months before he released it. The police found him without much effort, especially after he was named in the New York Times as the author.

The fact that his worm had gained unauthorized access to computers of "federal interest" sealed his fate, and in 1990 he was convicted of violating the Computer Fraud and Abuse Act (Title 18). He was sentenced to three years probation, 400 hours of community service, a fine of $10,500, and the costs of his supervision. Ironically, Morris’ father, Robert Morris Sr., was a computer security expert with the National Security Agency at the time.

As a direct result of the Morris worm, the CERT Coordination Center (CERT/CC) was established by the Defense Advanced Research Projects Agency (DARPA) in November 1988 to "prevent and respond to such incidents in the future". The CERT/CC is now a major reporting center for Internet security problems.

After the incident, Morris was suspended from Cornell for acting irresponsibly according to a university board of inquiry. Later, Morris would obtain his Ph.D. from Harvard University for his work on modeling and controlling networks with large numbers of competing connections.

In 1995, Morris co-founded a startup called Viaweb with fellow Harvard Ph.D. Paul Graham. Viaweb was a web-based program that allowed users to build stores online. Interestingly, they wrote their code primarily in Lisp, an artificial intelligence language most commonly used at universities. Viaweb was a success, and in 1998, ten years after Morris released his infamous worm, Viaweb was bought by Yahoo! for $49 million. You can still see the application Morris and Graham developed in action as Yahoo! Shopping.

Robert Morris is currently an assistant professor at MIT (apparently they forgave him for launching his worm from their network) and a member of their Laboratory of Computer Science in the Parallel and Distributed Operating Systems group. He teaches a course on Operating System Engineering and has published numerous papers on advanced concepts in computer networking.

_____________________________________________________

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.

Posted on Jul 24th, 2006

The morning of September 11th, 2001 started like any other for employees of the law firm Turner & Owen, located on the 21st floor of One Liberty Plaza directly across the street from the North World Trade Center Tower. Then everyone heard a huge explosion and their building shook as if in an earthquake. Debris rained from the sky.

Not knowing what was happening, they immediately left the building in an orderly fashion–thanks to systematic practice of evacuation drills–taking whatever files they could on the way out. File cabinets and computer systems all had to be left behind. In the disaster that ensued, One Liberty Plaza was wrecked and leaning with the top ten floors twisted–the offices of Turner & Owen were decimated.

Although Turner & Owen IT staff made regular backup tapes of their computer systems, those tapes had been sent to a division of the company located in the South World Trade Center Tower, and they were completely lost when the South Tower was destroyed. Knowing they had to recover their case databases or likely go out of business, Frank Turner and Ed Owen risked their lives, crawled through the structurally unstable One Liberty Plaza and retrieved two file servers holding their most critical records. With this information, the law firm of Turner & Owen was able to resume work less than two weeks later.

Many other companies were never able to recover the information lost in this disaster.

What Has Changed?

One might think that years after such a devastating loss of lives, property and information there would be dramatic differences and improvements in the way businesses strive to protect their employees, assets, and data. However, changes have been more gradual than many had expected. "Some organizations that should have received a wakeup call seemed to have ignored the message," says one information security professional who prefers to remain anonymous.

A look at some of the trends that have been developing over the years since September 11th reveals signs of change for the better–although the need for more information security advancement is abundantly clear.

Federal Trends

The most noticeable changes in information security since September 11th, 2001 happened at the federal government level. An assortment of Executive Orders, acts, strategies and new departments, divisions, and directorates has focused on protecting America’s infrastructure with a heavy emphasis on information protection.

Just one month after 9/11, President Bush signed Executive Order 13231 "Critical Infrastructure Protection in the Information Age" which established the President’s Critical Infrastructure Protection Board (PCIPB). In July 2002, President Bush released the National Strategy for Homeland Security that called for the creation of the Department of Homeland Security (DHS), which would lead initiatives to prevent, detect, and respond to attacks of chemical, biological, radiological, and nuclear (CBRN) weapons. The Homeland Security Act, signed into law in November 2002, made the DHS a reality.

In February 2003, Tom Ridge, Secretary of Homeland Security released two strategies: "The National Strategy to Secure Cyberspace," which was designed to "engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact" and the "The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets" which "outlines the guiding principles that will underpin our efforts to secure the infrastructures and assets vital to our national security, governance, public health and safety, economy and public confidence".

Additionally, under the Department of Homeland Security’s Information Analysis and Infrastructure Protection (IAIP) Directorate, the Critical Infrastructure Assurance Office (CIAO), and the National Cyber Security Division (NCSD) were created. One of the top priorities of the NCSD was to create a consolidated Cyber Security Tracking, Analysis and Response Center following through on a key recommendation of the National Strategy to Secure Cyberspace.

With all this activity in the federal government related to securing infrastructures, including key information systems, one might think there would be a noticeable impact on information security practices in the private sector. But the response to the National Strategy to Secure Cyberspace in particular has been tepid, with criticisms centering on its lack of regulations, incentives, funding and enforcement. The sentiment among information security professionals seems to be that without strong information security laws and leadership at the federal level, practices to protect our nation's critical information, in the private sector at least, will not significantly change for the better.

Industry Trends

One trend that appears to be gaining ground in the private sector, though, is the increased emphasis on sharing security-related information with other companies and organizations, yet doing so anonymously. To do this, an organization can participate in one of a dozen or so industry-specific Information Sharing and Analysis Centers (ISACs). ISACs gather alerts and perform analysis and notification of both physical and cyber threats, vulnerabilities and warnings. They alert the public and private sectors to the security information necessary to protect critical information technology infrastructures, businesses and individuals. ISAC members also have access to information and analysis relating to information provided by other members and obtained from other sources, such as the US Government, law enforcement agencies, technology providers and security associations such as CERT.

Encouraged by President Clinton’s Presidential Decision Directive (PDD) 63 on critical infrastructure protection, ISACs first started forming a couple of years before 9/11; the Bush administration has continued to support the formation of ISACs to cooperate with the PCIPB and DHS.

ISACs exist for most major industries, including the IT-ISAC (https://www.it-isac.org/) for information technology and the FS-ISAC (http://www.fsisac.com) for financial institutions, as well as the World Wide ISAC (http://www.wwisac.com/) for all industries worldwide. The membership of ISACs has grown rapidly in the last couple of years as many organizations recognize that participation in an ISAC helps fulfill their due care obligations to protect critical information.

A major lesson learned from 9/11 is that business continuity and disaster recovery (BC/DR) plans need to be robust and tested often. "Business continuity planning has gone from being a discretionary item that keeps auditors happy to something that boards of directors must seriously consider," said Richard Luongo, Director of PricewaterhouseCoopers’ Global Risk Management Solutions, shortly after the attacks. BC/DR has proven its return on investment and most organizations have focused great attention on ensuring that their business and information is recoverable in the event of a disaster.

There also has been a growing emphasis on risk management solutions and how they can be applied to ROI and budgeting requirements for businesses. More conference sessions, books, articles, and products on risk management exist than ever before. While some of the growth in this area can be attributed to legislation like HIPAA, GLBA, Sarbanes Oxley, Basel II, etc., 9/11 did a lot to make people start thinking about threats and vulnerabilities as components of risk and what must be done to manage that risk.

Technology Trends

Most companies realized the need to monitor their networks 24×7 prior to 9/11, but afterwards it became a top priority if such a capability wasn’t already in place. More and more companies are implementing intrusion detection systems (IDS) including network intrusion detection systems (NIDS) and host intrusion detection systems (HIDS) solutions. According to a 2003 Global Security Survey by Deloitte Touche Tohmatsu, 85 percent of respondents have deployed intrusion detection systems. Since these systems can entail large expenses of equipment and software purchases, consulting fees and staff time, some companies are turning to managed security service providers (MSSPs) to manage their network monitoring. Some MSSPs also offer their clients advance notice of threats that the MSSP may have identified while monitoring other networks.

Largely due to rampaging worms and viruses such as Slammer, patch management, change management and configuration management technology solutions have risen in priority within corporate risk management initiatives. A slew of applications and tools exist to address the needs of patch, change and configuration management, but the challenge is to find the right combination of tools that will do the job in any given environment.

Information security staffs don’t have time to sift through the growing multitude of threat warnings and vulnerability alerts that crop up for all possible platform combinations every day. So another information security technology trend that has developed is intelligent threat analysis–a service that provides threat and vulnerability alerts customized to a client’s specific environment.

What Still Needs to Change

The information security changes in government, industry, and technology are notable, but where do we still need to improve in these areas?

If our government is serious about protecting critical information it will have to pass some sensible laws, contend information security experts. "Make companies liable for insecurities, and you’ll be surprised how quickly things get more secure," says Bruce Schneier, Founder and CTO of Counterpane Internet Security, Inc.

Information security managers need to do a better job of conveying how a company needs to protect its information to their CEOs and boards of directors. Siebel Systems CIO Mark Sunday says that although corporate boards are more aware of security issues than ever, they still don’t fully understand them–and most boards don’t like to fund things they don’t understand. "As aware as CEOs and boards have become of security issues, spending in that area hasn’t gone up in proportion and certainly not to the levels people expected," Sunday said.

Advanced information security technology exists that isn’t widely known or used by the mainstream. "Our technology is too signature-based," says Jim Reavis, editor of CSOinformer and information security industry analyst. "We’re only prepared to fight the last battle. We need to get more predictive. We need to use more behavioral technology."

Conclusion

In a survey conducted jointly by the Internet Security Alliance (ISAlliance), the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. one year after September 11th, 2001, 40 percent of respondents reported that information security was considered more important than prior to September 11th. Yet almost one-third said their companies were still not adequately equipped to deal with an attack on their computer networks. The survey concluded that "many organizations need to revise how security risks, threats and costs are identified, measured and managed."

Is our information more secure two years after September 11th? Unfortunately, not by a lot. While some trends since 9/11 demonstrate progress in the field of information protection, opportunities for better information security practices clearly remain.

_____________________________________________________

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.

Posted on Jul 23rd, 2006

The popularity, availability and speed of the internet continue to grow, and with that growth come consequences such as spyware threats. As the internet advances, spyware advances with it, creating more prevalent and sometimes dangerous threats. Spyware can easily be downloaded while surfing the internet and downloading files or software.

Sites with questionable material are usually the ones that contain spyware. When you visit one of these sites, spyware is downloaded onto your computer automatically or when you authorize the download of a file from the site. Spyware has now spread to other sites, sites that seem secure and legitimate but still download spyware onto your computer. Microsoft has released its solution to spyware; however, hackers have found ways around it and have written viruses that disable it.

Cookies, which are picked up almost every time you visit a website, are usually harmless and easily cleaned up, but the information they can track and record can sometimes become a problem. Cookies from websites allow some webmasters to collect data about you, including personal information that could lead to identity theft.

Identity theft and fraud are estimated to cost trillions of dollars worldwide. Protect yourself from spyware and other threats by using multiple spyware removal and prevention tools. Run both spyware and virus software regularly and keep each updated with the latest threat definitions. When entering personal information online, do so only at secure web sites.

Mitch Johnson is a successful freelance author who writes regularly for http://www.spyware-removal-made-easy.com/, a site that focuses exclusively on spyware removal software, as well as tips on how to prevent spyware from popping up on your computer. The site has articles on spyware guard, http://www.spyware-removal-made-easy.com/spyware_guard.htm as well as spyware scanner, http://www.spyware-removal-made-easy.com/spyware_scanner.htm

Posted on Jul 22nd, 2006

Recent years have shown a trend in corporations being held responsible for information security negligence. In particular, the Federal Trade Commission (FTC) and the Attorney General of New York have been actively pursuing companies that fail to follow effective security practices. Many high-visibility cases illustrate how companies are being required to implement stronger security controls, the Guess case being a good example.

In June 2003, Guess, Incorporated agreed to settle FTC charges that it exposed consumers’ personal information to commonly known attacks by hackers, contrary to the company’s claims. "Consumers have every right to expect that a business that says it’s keeping personal information secure is doing exactly that," said Howard Beales, Director of the FTC’s Bureau of Consumer Protection. The settlement required that Guess implement a comprehensive information security program that would be certified as meeting or exceeding the standards in the consent order by an independent professional within a year.

The Problem

A key reason why corporations demonstrate poor or inconsistent information security controls is the lack of a widely accepted and comprehensive set of good security practices. Standards bodies such as the U.S. National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) publish security standards with varying degrees of corporate acceptance and use. The Information Systems Security Association (ISSA) has identified the need for a universally agreed-upon collection of essential security practices and is currently developing the Generally Accepted Information Security Principles (GAISP)–although how well accepted these principles will be upon publication remains to be seen.

The Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule and the Gramm Leach Bliley Act (GLBA) Interagency Guidelines are customer privacy laws specifying the security rules that must be followed by the healthcare and financial services industries respectively. If entities covered by these laws fail to follow the required security practices they may not only be exposing their customers’ private information but may also be subject to regulatory penalties and fines. These laws, in essence, define information security due care standards–the security practices that must be followed to avoid liability–for the healthcare and financial services industries. The entities covered by these laws, however, only represent approximately 25% of the U.S. Gross Domestic Product. Other industries must rely upon their best judgment to protect customer information–clearly not an effective approach as the cases mentioned earlier demonstrate.

Most companies certainly want to do the right thing and protect their customers’ information, but avoiding legal liability and harm to their reputation are also factors that motivate them to implement appropriate information security controls. While most corporate information security professionals probably think they understand how to protect customer information, many wouldn’t be comfortable attesting that their practices would protect their employer from liability. Lacking a commonly accepted set of security practices, many corporate information security professionals are uncertain how to secure customer information in a way that also limits their company’s liability.

Proposed Solution

The best approach for companies that wish to protect their customers’ information and potentially avoid liability is to implement the security practices required by both HIPAA and GLBA. There are 12 security practices in common between these two customer privacy laws. By following these 12 practices, companies will be practicing information security due care and can potentially avoid liability. Indeed, all of the security requirements mandated in the settlement of the cases mentioned earlier are among the 12 practices in common between HIPAA and GLBA.

What is Due Care?

Companies that handle the personal information of their customers may be breaking the law without knowing it, as the Guess case shows. This ignorance may stem partly from the substantial gaps in the federal criminal code and individual state criminal statutes regarding prosecutable computer crimes. Federal and state criminal statutes are slow to evolve to adequately prosecute crimes based on the fast-changing technology of information systems. Companies and information security professionals may find little direction in criminal codes and statutes to help them avoid inadvertently breaking the law when it comes to protecting their customers’ personal information.

Since there is little guidance for companies to follow when it comes to avoiding criminal or civil liability or harsh settlements from the FTC, they need to consider how legal standards are created in the first place. Legal standards are developed based on the concept of due care, which is the care that an ordinarily prudent person would have exercised under the same or similar circumstances. Failure to practice due care is equivalent to demonstrating negligence. Companies that demonstrate negligence relative to their information security practices are susceptible to lawsuits, fines, and other sanctions, whereas companies that practice due care should be largely protected from such punishments.

Where to Find Due Care Information Security Practices

Companies that wish to find due care information security practices need look no further than to two major federal laws that regulate the protection of customer information: HIPAA and GLBA. While both HIPAA and GLBA enacted a lot more than just customer privacy requirements, they both have spawned substantial regulatory guidance on security controls for protecting customer information. The regulations for HIPAA are called the Final Security Rule and those for GLBA are referred to as the Interagency Guidelines.

While some of the requirements in these regulations are industry-specific, there is a lot of commonality between the two. In particular, 12 security practices were found in both the HIPAA Final Security Rule and the GLBA Interagency Guidelines. The fact that these two sets of regulations intersect in 12 places is no coincidence. This is a clear signal from the federal government of the level of due care it expects the country’s health care providers and financial institutions to practice. If these are the standards of due care that must be practiced by industries that represent about a quarter of the country’s GDP, it stands to reason that other industries will be expected to follow these same practices.

HIPAA & GLBA Security Due Care Practices in Common

The 12 security practices in common between HIPAA and GLBA are all "high-level" practices. There are no specific technology controls. Some practices are required while others are required only if a risk assessment conducted by the entity determines that the practice is appropriate.

The HIPAA Final Security Rule and the GLBA Interagency Guidelines were designed to provide guidance to senior management. How the practices are implemented is left largely up to the companies to determine.

Following is the list of the 12 security practices in common between HIPAA and GLBA (please refer to the HIPAA/GLBA Due Care Practice Matrix in the Laws and Regulations section of the OpenCSOProject for detailed analysis and references):

  1. Assess and Control Risk
  2. Assign Security Responsibility
  3. Appropriate Access and Authorization
  4. Security Awareness and Training
  5. Incident Response and Reporting
  6. Disaster Recovery
  7. Security Evaluation
  8. Vendor Contracts
  9. Facility Access Controls
  10. Data Integrity Controls
  11. Encryption
  12. Security Monitoring Procedures

Validation from Recent Enforcement Actions

If the companies in the FTC settlement cases mentioned earlier had faithfully implemented these 12 practices, they would not have suffered any penalties and their customers’ information would have been protected. For instance, in the Guess case, the FTC ordered Guess to:

  • Designate an employee or employees to coordinate and be accountable for the information security program (HIPAA/GLBA Due Care Practice #2: Assign Security Responsibility);
  • Identify material internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment must include consideration of risks in each area of relevant operation. (HIPAA/GLBA Due Care Practice #1: Assess and Control Risk);
  • Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures. (HIPAA/GLBA Due Care Practice #7: Security Evaluation);
  • Evaluate and adjust its information security program in light of the results of testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that Guess knows or has reason to know may have a material impact on its information security program. (HIPAA/GLBA Due Care Practice #7: Security Evaluation)

These four requirements would have been fulfilled by following just three of the 12 HIPAA/GLBA Due Care Practices: Assess and Control Risk, Assign Security Responsibility, and Security Evaluation. The other settlement cases had similar requirements, also covered by the HIPAA/GLBA Due Care Practices. It is clear that the security practices required by both HIPAA and GLBA establish a basis of due care.

Conclusion

Companies are finding that they will pay the price for not maintaining strong security controls and protecting their customers’ information. They must proactively implement and maintain prudent security processes to demonstrate that they are practicing due care. Until a universally accepted set of information security practices is produced, the best approach for companies is to implement the security practices required by both HIPAA and GLBA.

_____________________________________________________

Marc R. Menninger is a Certified Information Systems Security Professional (CISSP) and is the founder and site administrator for the OpenCSOProject, a knowledge base for security professionals. To download security policies, articles and presentations, click here: Security Officer Forums.
