Google Maps Streetview

Google is again in the news for privacy reasons. The Canadian Privacy Commissioner has raised concerns regarding the privacy of individuals captured in each and every photograph of Streetview. The resolution of the pictures is high enough to identify the individuals in them.

It’s a good feature, providing better navigational help for folks who are strangers to a city. However, what about the privacy of the individuals and the physical security of the locations captured in the photographs?

Whenever Immersive Media is on the road to capture these pictures, I am not aware that I will be included in their captures. I may be coming out of a movie theatre, a pharmacy or even a location that is deemed to be confidential only to my employer. This capture can be used against me in a court just because I was included in the capture.

Consider the photos that are freely available of certain buildings that host critical business solutions. Isn’t it easy to plan an attack on these buildings with a mere search on Google Maps? Streetview is available for well-known cities, and that’s where most of the top Fortune companies are located. Some of them host their critical business functions or their data centers in these buildings.

Of course, Google offers the opportunity to take these pictures off. However, wouldn’t it be too late by then?

Official (ISC)2 Guide – Review

The book is highly rich in technical content and reviewed by Hal Tipton, a very well-known and knowledgeable security professional. I got this book to familiarize myself with the syllabus and the concepts behind each common body of knowledge. Some of the chapters are easy to digest; however, some are really long and tough. I guess it all depends on the reader’s domain knowledge. Since the book has three authors, it clearly shows three different styles of writing.

The reader will feel the difference while moving from one chapter to another, making it an unpleasant experience. This book is an excellent reference with a lot of definitions and explanations. I read this book completely and then started attempting questions. I used this book as the primary reference with the “internet” as the secondary reference. I used all other books for more information or clarification. Try to attempt all questions at the end of each chapter of any book. “CISSP Prep” and “Advanced CISSP Prep” by Ronald L. Krutz would be a last-minute refresher. It is better to understand the concept behind each topic than to memorize. The exam tests your knowledge with experience and not your memory.

Authors: Susan Hansche, et al
Publisher: Auerbach Publications; Bk&CD-Rom edition (January 1, 2004)
Language: English
ISBN: 084931707X

Production Data as Test Data

In order to maintain high quality of code, a company needs to use production quality source data for development, unit test and QA functional test purposes. There could be situations when the company uses unscrambled production source data, which potentially exposes customer sensitive data. Customer sensitive data must be protected. Given that there is a correlation between the quality of test data and the quality of code delivered to production, all efforts should be made to minimize the disruption/distortion of test data, while satisfying the privacy concerns.

Try to desensitize data that is brought down to Development from Production while maintaining its quality, such as the referential integrity between files/tables/entities. Some projects, such as fraud detection, need to maintain meaningful data in fields such as ‘name/address/postal code’ so that patterns and groupings can be detected. Every field falls within some field-specific domain. The field domain or context cannot be specified ahead of time and may vary between projects. Some projects may need to maintain certain relationships between fields.

Security Guidelines

  • Data that would have, or is deemed to have, a very serious or significant impact on the confidentiality of a customer or an entity if exposed should be decoupled. The decoupling should be accomplished in such a way that, after treatment, it will not be possible to trace the sensitive customer data back to its real owners.
  • Data that would still have, or is deemed to have, a very serious or significant impact on the confidentiality of a customer or an entity if exposed after the decoupling process should be masked.

Separation of Duties

  • A developer shall determine and request the data that needs to be downloaded to development; however, the request has to be reviewed and approved by a person responsible for the data.
  • The personnel executing the extraction and transformation of the data should not be the requester (or developer) and should have approval for the execution from a person responsible for the data.
  • The above-mentioned approvals will be obtained on a per-project basis and not per request.

Maintaining and Protecting Referential Integrity

  • Referential integrity shall be maintained for the records downloaded to development; however, the key that maintains referential integrity may help in identifying a customer in production and should be protected. This option is possible only if the source system starts protecting it.
  • Developers who have access to downloaded files should not have access to production, since the key that maintains the referential integrity may help identify a customer and associated details in production. In some cases, this option is not practically possible, since developers may need to have read access to production for triage purposes.
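
One way to combine the decoupling, masking and referential-integrity guidelines above, shown as an added example that is not part of the original post: production keys are replaced with a keyed HMAC so the same customer maps to the same surrogate in every table, while names and postal codes are masked but keep enough shape for grouping. The secret, the field names and the sample records are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: this secret is held by the person executing the extraction,
# never by the requesting developer, and is not copied to development.
SECRET = b"constructed-demo-secret"

def surrogate_key(prod_key, secret=SECRET):
    """Decouple: keyed one-way mapping, stable across every table."""
    digest = hmac.new(secret, prod_key.encode(), hashlib.sha256).hexdigest()
    return digest[:16]  # 64 bits is enough for a test extract

def mask_name(name):
    """Mask: keep the first letter and the length, hide the rest."""
    return name[:1] + "*" * (len(name) - 1)

def mask_postal(code):
    """Keep the leading area characters so groupings remain detectable."""
    return code[:3] + "".join("X" if ch.isalnum() else ch for ch in code[3:])

def desensitize(customers, orders, secret=SECRET):
    """Treat both tables with the same secret so the foreign keys still join."""
    out_customers = [{
        "customer_id": surrogate_key(c["customer_id"], secret),
        "name": mask_name(c["name"]),
        "postal_code": mask_postal(c["postal_code"]),
    } for c in customers]
    out_orders = [{**o, "customer_id": surrogate_key(o["customer_id"], secret)}
                  for o in orders]
    return out_customers, out_orders

def orphans(customers, orders):
    """Orders whose customer_id has no matching customer (integrity check)."""
    known = {c["customer_id"] for c in customers}
    return [o for o in orders if o["customer_id"] not in known]

# Constructed sample records, not real customer data.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "postal_code": "M5V 2T6"},
    {"customer_id": "C1002", "name": "Bob Sample", "postal_code": "M5V 3A8"},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C1001", "amount": 40.0},
    {"order_id": 2, "customer_id": "C1002", "amount": 12.5},
    {"order_id": 3, "customer_id": "C1001", "amount": 7.25},
]

if __name__ == "__main__":
    dev_customers, dev_orders = desensitize(CUSTOMERS, ORDERS)
    print(dev_customers, dev_orders, orphans(dev_customers, dev_orders))
```

Because the mapping is keyed, a developer who also has read access to production cannot recompute the surrogate from a production key without the secret.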

Audit trail

  • An appropriate mechanism should be in place to demonstrate the trail of activities (including approvals) that led to the execution of a particular extraction.