Archive for October, 2005

Strong password policy

Sunday, October 30th, 2005

Alistair McDonald’s article on password policy describes password policy as a key element of a corporate security strategy.
Modern corporate life demands considerable diligence and adherence to legislation, along with many other distractions from an organisation’s core business. Where computers are concerned, the risks include abuse of corporate systems, infection with viruses, trojans and other malware, and damage to reputation through hacking and improper use of resources by employees.
Each organization needs a comprehensive security strategy that covers where protected files are kept, authorization techniques, employees’ access rights, and a strong password policy. Password policy is a key element in creating a comprehensive security strategy.

Password policy should contain the following rules:
1. Never base a password on a single word. A password should be at least eight characters long, and ideally 12 or more; the longer it is, the less chance an attacker has of breaking it quickly. Concatenating two words produces a longer password, but cracking tools try such combinations, so it is better to misspell one or both words so that a straight dictionary attack fails. Avoid words that can be associated with you or your work. Base passwords on a random combination of several words, replace occasional letters with digits or punctuation marks, and mix upper and lower case; each of these measures helps.

2. Never write passwords down in an easily readable form. If you must write them down, disguise them, and never leave them near the PC.

3. Never share accounts or give out passwords.

4. Never reuse a work password for personal accounts. Using one password on several systems makes the user’s life easy, since there is only one password to remember. Single sign-on can be very useful in a corporate environment, but users should not reuse their work passwords on systems they use at home. Some websites and applications protect their accounts poorly, so a password may be intercepted or leaked; if the same or similar passwords are used across several services, a single compromised password gives the attacker access to a great deal of information.

5. Reset accounts as soon as employees leave the firm. Every account a departing employee had access to should have its password reset as soon as they leave the building. A manager can take control of the accounts if required, but the passwords should be reset as soon as possible. This is vitally important where shared accounts are in use, since a shared account cannot simply be disabled along with the individual’s own.
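Rules 1 and 4 above are the ones a password-change hook can enforce mechanically. The checker below is an added example written for this page, not code from Alistair McDonald’s article. Its WORDLIST is a constructed stand-in for a real dictionary, the `personal_terms` parameter is an assumed way of passing the user’s and employer’s names, and it deliberately undoes common digit-for-letter substitutions before the dictionary lookup, because cracking rule sets do the same, so “P@ssw0rd” is still rejected as a single dictionary word:

```python
import re
import string

# Constructed stand-in for a real dictionary (assumption: a production checker
# would load /usr/share/dict/words or a cracking wordlist instead).
WORDLIST = {
    "password", "summer", "welcome", "dragon", "monkey", "letmein", "orange",
    "coffee", "london", "office", "secret", "admin", "sunshine", "football",
}

MIN_LENGTH = 8           # rule 1: at least eight characters
RECOMMENDED_LENGTH = 12  # rule 1: ideally twelve or more

# Common digit/symbol-for-letter substitutions.  Cracking rule sets undo these,
# so the checker does too: 'P@ssw0rd' is still the dictionary word 'password'.
LEET = str.maketrans("013457$@!", "oieastsai")


def normalize(pw: str) -> str:
    """Lowercase the password and undo the substitutions in LEET."""
    return pw.lower().translate(LEET)


def is_two_words(word: str) -> bool:
    """True if `word` splits into exactly two dictionary words (rule 1: a
    straight concatenation is something cracking tools search for)."""
    return any(word[:i] in WORDLIST and word[i:] in WORDLIST
               for i in range(1, len(word)))


def check_password(pw: str, personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means the password
    passes.  `personal_terms` are words tied to the user or employer
    (username, company name, ...) that the policy says to avoid."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip the digits/punctuation users tack onto the ends ('Summer2005!')
    # before looking the core up, so the decoration does not hide the word.
    core = normalize(pw.strip(string.punctuation + string.digits))
    if core in WORDLIST:
        problems.append("based on a single dictionary word")
    elif is_two_words(core):
        problems.append("two dictionary words concatenated unchanged")

    for term in personal_terms:
        if term and term.lower() in normalize(pw):
            problems.append(f"contains personal/work term {term!r}")

    # Character classes: lower, upper, digit, punctuation.  A password shorter
    # than the recommended length must make up for it with mixed classes.
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if len(pw) < RECOMMENDED_LENGTH and classes < 3:
        problems.append("short and uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "coffeedragon", "Acme!2005", "Koffee&Draggon9"):
        verdict = check_password(candidate, personal_terms=("acme", "jsmith"))
        print(f"{candidate:20} {'OK' if not verdict else '; '.join(verdict)}")
```

“Koffee&Draggon9” passes because both words are misspelled, which is exactly the advice in rule 1; “coffeedragon” fails even though it is twelve characters long, because the two words are concatenated unchanged.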

Risk assessment

Sunday, October 30th, 2005

CIS462Robert’s blog contains some thoughtful ideas on risk assessment techniques. Risk assessment is the first process in the risk management methodology: organizations use it to determine the extent of the potential threats to an IT system and the risk associated with them, and its output identifies the appropriate controls for reducing or eliminating that risk during the subsequent risk mitigation process.
Risk is a function of the likelihood that a given threat-source exercises a particular potential vulnerability, and of the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed together with the potential vulnerabilities and the controls already in place. Impact refers to the magnitude of harm that a threat’s exercise of a vulnerability could cause. The risk assessment methodology (this definition and the nine steps below are those of NIST Special Publication 800-30) encompasses nine primary steps:

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Risk assessment and mitigation procedures are an important stage in creating a comprehensive security strategy.

Is it possible to retain privacy?

Saturday, October 22nd, 2005

In the information age it seems almost impossible to protect your privacy. A person’s first and last name combined with a Social Security number, driver’s licence number or financial account numbers is a combination of data that is dangerous to lose track of. As the IS202 Discussion Board puts it, combining and publishing certain types of information “make one not only identifiable in virtual space, but in reality.” With so much personal information available online, it is now remarkably easy to track someone down. Even a home address and phone number are sensitive, for both electronic identity and personal safety. Jeff Kalvass writes:

The battle between security policy and mechanism is never ending – essentially a game of cat and mouse… There seems to be plenty of security policies floating around, but their implementations are inconsistent, fuzzy, and in some places non-existent… The solutions to implement many existing security policies are out there, it’s just deploying these mechanisms properly that seems to be problematic. There also exist economic incentives to protect systems, which directly relate to who should be accountable for breaches of security.

Identity protection is a major problem and it should be seriously considered by IT specialists as well as businesses and government institutions.

Security basics

Saturday, October 22nd, 2005

Computer and network security used to concern only the largest corporations. As networks become more interconnected and more widely available, however, the tide is turning: small businesses and individuals may now suffer a security breach with catastrophic results. VPN blog lists the basics that even the smallest network should adhere to:

- Never use the same computer for both personal and business use; doing so invites disclosure of confidential information and accidental loss of data.
- A daily and monthly backup process should exist, with off-site or fireproof storage of the backups in a non-editable format (e.g. offline magnetic tape or CD-R, not CD-RW).
- Any connection to the Internet should sit behind a software or hardware firewall.
- Require a password to log in to your computer, even if it is not on a network.
- Run an anti-virus suite and update it daily.

These measures can dramatically reduce the risk of a security breach. It is equally important, however, to manage the confidential information stored on your computer properly. Confidential files should be given adequate password protection, bearing in mind that such protection is only as strong as the encryption the application actually applies. Protected files should also be placed deliberately: file names should not reveal the confidential nature of the information they contain, and the files should be kept in folders with restricted access (hiding a folder on its own does not stop an attacker who already has access to the disk). Avoid keeping more than one copy of the same file, since every extra copy is another place for an attacker to find it. For more information on password protected files, see Find protected files.

Write your security policies last!

Sunday, October 16th, 2005

To secure your business’s confidential information against malicious activity of every kind, you need a comprehensive security policy. Each organization should work out its own, according to its security profile. The policy must not obstruct normal business procedures, but rather provide for data integrity and availability. It should determine what level of protection applies to each class of information asset, and it should identify where all sensitive information resides and how it is to be stored.

Steve Fallin, in Procrastinators, unite: write your security policy last!, says that “writing security policies often seems like a nuisance whenever time and resources are short”. A policy built on well-documented business processes proves more effective:

The existence of a policy supposes that you understand something-or-other in your organization well enough to make rational decisions about it. That level of knowledge comes only from experience. The only way to catalog that experience is to study what you do now: not the security technology, but the business processes that require the technology.

In other words, you have to know what your business procedures are before you write a security policy. You should analyze your business processes, risks and mitigation strategies first.

The biggest danger for identity theft

Sunday, October 16th, 2005

It is generally assumed that the traditional offline routes to identity theft are a greater danger than the technology-driven ones. Amanda Welsh (Identity Theft blog) suggests this is not quite so. An individual can guard against the most common online threats by locating and securing the personal information on his own computer, but the growth of highly interconnected databases held by corporations and government institutions is probably where the biggest danger of identity theft now lies. Identity theft is hard to track, however, because most victims do not know how their information was stolen, which itself suggests that they were not the cause of the problem. “Just because someone doesn’t choose to be online, that doesn’t mean their data isn’t.”

Identity theft

Sunday, October 16th, 2005

A very good article on common identity theft issues has been posted in the SEO Blog. Identity theft is the unsanctioned use of another person’s identity, usually for financial gain or to commit a crime, and it is one of the most serious threats to the modern economy: it places the entire Internet infrastructure at risk, and it affects non-Net users as well.

ID theft is, according to FTC figures, the most common and fastest growing form of consumer fraud. For 2004, the FTC reported that ID thieves took over $100 million from financial institutions, an average of $6,767 per incident. For individual consumers the numbers are even more staggering: as reported by Janet Wu of Boston television station WCVB-TV, money stolen through identity theft amounted to over $50 billion in the United States last year, which works out to roughly $170 for every US resident.

The first thing to understand is how identity thieves acquire personal information. They may obtain it by compromising the networks of businesses and government institutions, by attacking an individual’s personal computer, or simply by stealing a wallet or purse.

To protect identity information, businesses and government institutions, as well as individuals, must actively protect the personal data they hold. Identity theft is not a problem that will go away soon, so it is essential that consumers understand how their personal data is collected and managed.

Security management

Sunday, October 9th, 2005

I’ve just read a fine article from SecurityPark.net. It is widely held that most security breaches result from human error rather than technology failure. What’s more, recent surveys indicate that employers typically allow diverse online activities in the workplace, even activities they consider abusive. “By doing so, they are not only impacting their network performance but are compromising the productivity of employees whilst putting themselves at legal risk.” Corporate senior management, in fact, proves unprepared to take responsibility for Internet threats, and specifically for the growing menace of spyware. Activities such as instant messaging, web-based email, recreational surfing, downloading free software, personal online banking, storing personal files, sharing music and video files, playing online games, and running CD-ROM/DVD media or USB flash drives on work PCs all carry a high risk to information security and privacy.

A large number of companies are doing nothing to govern, manage and protect their networks from spyware and an even higher number are only going half way to combating the problem. Time and time again we have seen that policies alone - although essential from a legal perspective - are not enough to protect against a breach of company rules.

Security management should cover identifying, locating and finally securing confidential information and files. Above all, to make the security strategy work, management must ensure that employees understand their responsibility for maintaining a secure information environment.

Weakest link in security strategy

Sunday, October 9th, 2005

An effective security strategy is more about promoting a new way of thinking than about new technology. I’ve found interesting ideas on this in the DMAC blog.
Although more and more security technologies emerge every day, they all share the same flaw from the security standpoint: “they are vulnerable to end user laziness”.

A security solution is only as strong as its weakest link and unfortunately it’s Bill the dad of 4 who doesn’t give two cents about your password policy… It is evident that we will never be able to escape the impact of our weakest link. The solution is to implement security measures that are easy and acceptable to the end user while still maintaining a satisfactory level of security. We have to implement solutions that allow Bill (our weakest link) to continue his normal habits…
Security and Laziness must combine! We must transform the way we think as security professionals. We must put ourselves in Bill’s shoes… Security professionals and end users must reach a compromise.

Corporate security strategy should enhance information availability and integrity while letting people carry on with their everyday tasks. At the same time, every employee must understand the risks of information and identity theft and help maintain a secure information environment.

Write down your passwords

Sunday, October 9th, 2005

There has been a lot of discussion about whether or not we should write down our passwords. Although most security specialists agree that it is usually necessary to jot passwords down, some say this alone cannot solve the problem. Nathan’s Daily Grind blog regards password security as “a MAJOR problem”.

We need some sort of federated, independent security model that uses some form of two-factor authentication… The kicker is that we need a system that is (relatively) universally accepted and used, and not one organization (corporate or government) out there has the reputation to be trusted by all of us. Plus I don’t think we can get away with just one way of doing the two-factor authentication.

Each organization needs its own password policy, based on sound principles. It is essential to create strong, reliable passwords, but it is also important to keep track of every password-protected file on the corporate network. To work out a comprehensive password policy, you first need to identify and locate all confidential files. You can find more information on this at Find Password Protected Files.
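Locating password-protected files across a file share, as this post and the Security basics post above both recommend, means keying on what the file formats themselves record rather than on file names. The scanner below is an added example written for this page, not the Find Password Protected Files tool the post links to. It recognises the encryption flag bit in ZIP entries exactly, uses a labelled heuristic for PDFs (the /Encrypt key in the trailer), and runs over a small tree of constructed sample files written to a temporary directory; the sample documents are not real and the directory layout is made up for the demonstration:

```python
import io
import os
import struct
import tempfile
import zipfile

ZIP_SIG = b"PK\x03\x04"      # local file header signature
CEN_SIG = b"PK\x01\x02"      # central directory entry signature
PDF_SIG = b"%PDF-"

def zip_has_encrypted_entries(data: bytes) -> bool:
    """Bit 0 of a ZIP entry's general-purpose flag word marks it encrypted
    (ZipCrypto or WinZip AES); zipfile exposes the word as ZipInfo.flag_bits."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def pdf_is_encrypted(data: bytes) -> bool:
    """An encrypted PDF carries an /Encrypt entry in its trailer dictionary.
    Heuristic: the key is searched for anywhere in the file instead of by
    walking the xref/trailer chain, so page content containing the literal
    string '/Encrypt' would be a false positive."""
    return data.startswith(PDF_SIG) and b"/Encrypt" in data

def classify(data: bytes):
    """Return 'zip' or 'pdf' for a password-protected file, else None."""
    if data.startswith(ZIP_SIG) and zip_has_encrypted_entries(data):
        return "zip"
    if pdf_is_encrypted(data):
        return "pdf"
    return None

def scan_tree(root: str) -> dict:
    """Map each protected file under `root` to its kind.  File names are
    ignored on purpose: the inventory keys on content, not on names."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(fh.read())
            if kind:
                found[path] = kind
    return found

# Constructed sample files (not real documents) used by run_demo().

def make_plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "nothing secret here\n")
    return buf.getvalue()

def make_encrypted_zip() -> bytes:
    """Set flag bit 0 in the local header (offset 6) and in the central
    directory entry (offset 8), as an archiver does for a password-protected
    entry.  The data stays unencrypted; the flag is what the scanner keys on."""
    data = bytearray(make_plain_zip())
    for off in (data.find(ZIP_SIG) + 6, data.find(CEN_SIG) + 8):
        flags, = struct.unpack_from("<H", data, off)
        struct.pack_into("<H", data, off, flags | 0x1)
    return bytes(data)

def make_encrypted_pdf() -> bytes:
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
            b"5 0 obj << /Filter /Standard /V 2 /R 3 >> endobj\n"
            b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")

def run_demo() -> dict:
    """Write the samples into a temporary tree, scan it, and return the
    findings keyed by path relative to the tree root."""
    samples = {
        "hr/payroll.zip": make_encrypted_zip(),
        "hr/contract.pdf": make_encrypted_pdf(),
        "finance/notes.zip": make_plain_zip(),
        "public/brochure.pdf": b"%PDF-1.4\ntrailer << /Root 1 0 R >>\n%%EOF\n",
        "public/passwords.txt": b"not protected, despite the name\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return {os.path.relpath(p, root).replace(os.sep, "/"): k
                for p, k in scan_tree(root).items()}

if __name__ == "__main__":
    for path, kind in sorted(run_demo().items()):
        print(f"{kind:4} {path}")
```

The file named passwords.txt is deliberately not reported: a scanner that keys on names would flag it and miss the innocuously named payroll.zip, which is the point the Security basics post makes about not letting file names reveal what a file contains.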