Archive for November, 2005

Secure data wiping is a big deal

Sunday, November 27th, 2005

According to recent research, many people are taking risks with the data on hard drives and memory cards they sell via the internet. Sensitive information such as personal letters, passwords, resumes, spreadsheets, phone numbers and e-mail addresses was found on storage hardware that could easily be bought at any auction site. The problem arose because sellers did not completely erase the data from the hardware.

Moreover, it was rather easy to reconstruct almost everything some users had done online, and to retrieve cookies and login details for the sites they visited.

In most cases, people used the Windows “delete” function to erase the data. However, on PCs and other digital devices, deleting simply marks the relevant sections of storage as available to be overwritten. The data itself remains intact, often for a long time, especially on large drives where the freed space may not be reused soon.

Recovering such information is quite straightforward for forensic firms and individuals alike.

It is extremely hard to completely destroy some pieces of information. That is why users are advised to employ dedicated secure file deletion tools.

This blog is run by the authors of QuickWiper, a file wipe utility.

Password policy enforcement

Sunday, November 27th, 2005

Scott Pinzon’s article on password policy enforcement discusses the problems of implementing such a policy within a company. According to a UK study from 2004, employees could be induced to divulge their passwords rather easily: 70% of users would tell a stranger their computer password “in exchange for chocolate”.

However, what if we turn the equation around and devise mechanisms that reward users for abiding by the password policy? For instance, management could offer any user who follows the policy perfectly for a year a $100 gift certificate. Although it may seem absurd to pay people for doing what they are supposed to do anyway, such an enforcement method may be very cost-effective compared with the security risks the company faces when it is breached.

Compared to the accountability you lose when users share their passwords and turn an individual account into a group account, a hundred bucks is cheap. Compared to the resources compromised on your network when an attacker cracks a 120-day-old password, a hundred bucks is dirt cheap. Compared to the cost of having every user take a class on computer security, a $100 prize is an economical way to generate a security-aware corporate culture.

Although passwords do not provide adequate protection for today’s networks, “username and password” authentication remains the only access credential that most small business networks require. So until new authentication methods such as smart cards, tokens, or other two-factor techniques are in place, we need to make password protection “good enough”.

This blog is run by the authors of Find Protected, an effective information security solution.

Regulatory compliance is the strongest security driver

Sunday, November 20th, 2005

NetworkWorld.com published research showing that regulatory compliance has emerged as the biggest driver of information security initiatives, trumping concerns such as worms and viruses for the first time, according to Ernst & Young’s survey of 1,300 organizations worldwide.

Nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives. However, IT organizations and information security groups are failing to take advantage of compliance-related concerns to rearchitect their security organizations.

For example, nearly 90% of those implementing security measures to comply with regulations are focusing on issues such as policies, procedures, training and awareness campaigns. Only 41% are also reorganizing their information security function and their architectures as part of the compliance process.

As the focus on general corporate governance and maturity of overall risk management increases, security professionals are being asked not just about the headline issues, but about the broad picture of information security control.

The survey results highlight the growing pressure regulations are putting on information security organizations. At the same time, it also underscores a growing trend by many to use compliance as an excuse for all security spending. Often, technologies that need to be implemented anyway are being described as compliance-related to get executive buy-in.

The two areas where compliance-related efforts have resulted in increased spending are security event management tools and identity and password management technologies. But in general, the increased investments in these areas come at the expense of spending in other areas. As a result, overall spending on information security has not increased significantly.

E-mail and corporate network security are the top concerns

Sunday, November 20th, 2005

Intranet Blog reported a new survey on corporate information security. The survey, conducted among 600 U.S.-based IT professionals and executives from companies of 150 to 16,000 employees, showed that e-mail and the corporate intranet are considered the top two security concerns for enterprises.

Findings include:

· 79% of respondents consider e-mail to be the greatest source of attack

· 26% of respondents regard the corporate network as the greatest vulnerability

When it comes to enterprise handheld computing, remote control of password policy is considered a very important security requirement by 55% of respondents; only 18% are comfortable with simple username and password authentication, traditionally used as the primary layer of protection.

Simply deleting files just won’t do

Sunday, November 20th, 2005

An article on Iusmentis.com describes secure methods of file deletion. A normal “delete” command does not actually delete files at all. But even when more advanced “file wiping” utilities are used, some data may remain on the hard disk that could be used for malicious purposes. In particular, the magnetic properties of a hard disk can be exploited to recover data.

Not so long ago, simple Windows system commands were held to be a “secure” method of file deletion. When these were found to offer very little genuine security, specific utilities became available that overwrite the disk sectors a file occupied. It seemed that these would surely be foolproof; however, not all of them provided the necessary level of security.

There are three areas of particular concern regarding secure file deletion:

1. When a file is written to a disk, it has a certain number of sectors or clusters allocated to it. The disk space allocated is always larger than the file itself. Deleting a file alone leaves behind this space, which can still contain sensitive data, and there are a number of ways such data can be deposited there without the user knowing.

2. It is in the nature of a computer to be constantly updating one file or another. Every time a file is updated or “saved”, a new copy is created and written wherever there is sufficient space. Applications can create huge numbers of such copies. When a file is eventually deleted, only the last image is accounted for; all the other images remain in what appears to be free disk space, unseen and unsuspected, until the disk is viewed with the appropriate software, when all is revealed. Even when partially overwritten, these files can make interesting reading! As a precaution against this kind of threat, NEVER EVER “save” an edited plaintext file; use “save as” instead. All versions will then remain available for deletion.

3. As if the preceding were not enough, applications also create “temporary” files as part of their normal execution. That these files are not so “temporary” can now be appreciated.
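The points made in the “Secure data wiping is a big deal” post above and concern 1 here can be watched in miniature. The following is an added Python example, not code from either post or from QuickWiper: it simulates a cluster-based disk with an allocation table, shows that an ordinary delete leaves the file's bytes where a free-space carve finds them, that a short new file inherits the old bytes in the unused part of its cluster (slack space), and that a wipe which overwrites every allocated cluster before freeing it leaves nothing to carve. The disk geometry, file names and contents are constructed for the illustration.

```python
import os

CLUSTER, N_CLUSTERS = 16, 8   # constructed toy geometry, tiny for readability

class ToyDisk:
    def __init__(self):
        self.media = bytearray(CLUSTER * N_CLUSTERS)  # what the platters hold
        self.free = [True] * N_CLUSTERS               # allocation table
        self.files = {}                               # name -> cluster list

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)               # clusters, rounded up
        clusters = [c for c, f in enumerate(self.free) if f][:need]
        assert len(clusters) == need, "disk full"
        for n, c in enumerate(clusters):
            chunk = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only len(chunk) bytes are written; the rest of the cluster is slack
            self.media[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
            self.free[c] = False
        self.files[name] = clusters

    def delete(self, name):
        """Ordinary delete: only the allocation table changes."""
        for c in self.files.pop(name):
            self.free[c] = True

    def wipe(self, name, passes=3):
        """Secure delete: overwrite every allocated cluster, slack included."""
        for fill in [os.urandom] * passes + [bytes]:  # random passes, then zeros
            for c in self.files[name]:
                self.media[c * CLUSTER:(c + 1) * CLUSTER] = fill(CLUSTER)
        self.delete(name)

    def carve_free_space(self):
        """What a recovery tool sees: the contents of clusters marked free."""
        return b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, f in enumerate(self.free) if f)

def recoverable_after(action):
    d = ToyDisk()
    d.write("letter.txt", b"Dear Bob, my password is hunter2")  # constructed
    getattr(d, action)("letter.txt")                  # "delete" or "wipe"
    return b"hunter2" in d.carve_free_space()         # delete: True, wipe: False

def slack_of_new_file():
    d = ToyDisk()
    d.write("old.txt", b"SECRET-" * 4)                # constructed; 2 clusters
    d.delete("old.txt")
    d.write("new.txt", b"hi")                         # reuses cluster 0
    return bytes(d.media[2:CLUSTER])                  # concern 1: old file bytes
```

Real file systems add journals, copy-on-write and wear levelling on flash, so a wiping tool must overwrite the clusters the file system actually used, not just the logical file contents.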

Some would say that there is no chance of recovering data that has been overwritten just once or twice. These individuals are unaware of the “true” extent to which “data remanence” has been investigated! Deletion by rewrite is never absolute; it is more of a sliding greyscale. Once magnetic media have been exposed to a structured magnetic field, it is in reality very difficult to ever totally disguise the fact. This applies especially to present-day drive heads and high-coercivity media. When a write is carried out, magnetic domains are created by the millions for each bit written. There is a limit to how great the write current can be before adjacent data are corrupted, and increasing the spacing between adjacent bit representations would lower the total capacity of the media. Modern high-coercivity magnetic coatings allow much greater data densities, but are more difficult to magnetize.

Consequently, when a rewrite is carried out, a significant number of these tiny molecular domains remain in their original orientation. This orientation is never exactly the same twice: the precise orientation of a domain is influenced by the adjacent bit representations, so each is individualized like a fingerprint. With each subsequent rewrite, fewer of these “permanent” domains remain, and so a molecular history is encoded in the relative numbers of domains in each state.

In an age where molecular polarity is such a vital area of science, it should come as no surprise that special techniques exist for determining it. The obvious value of being able to recover data is not lost on malicious attackers.

People are willing to pay more for better protection

Sunday, November 13th, 2005

About 73 percent of 1,000 consumers surveyed in the U.S. said they are worried about identity theft and fraudulent use of their bank accounts or credit cards, compared to 51 percent who expressed such fears in 2004. Nearly 17 percent of consumers cited instances of identity theft, while 42 percent said their banks informed them of threats of phishing.

Some 40 percent of those polled are willing to pay fees for greater protection of their online transactions and bank accounts, compared to 27 percent who were ready to do so last year.

This consumer attitude will likely drive banks to adopt more sophisticated security solutions. Otherwise, they risk losing existing and potential customers, as well as revenue streams and brand reputation.

Measures to protect your critical data

Sunday, November 13th, 2005

Steven Presar wrote in his article on business data security that the number of security events increased by more than 80% in the first quarter of this year compared with the previous three months. This is bad news for any small business that uses computers, but small businesses whose operations depend on computers should be particularly alarmed.

What measures can you take to shield your small office computer systems and data from malicious activity of any kind?

All good computer data security begins with a regularly scheduled data backup plan. All data critical to the running of your business must be backed up regularly. It is also wise to implement an automated backup system to create backup copies on a regular basis.

Make sure that your computer is protected from viruses and malicious worms. Install good anti-virus software and update it regularly.

There is also another potential threat to your data — a disgruntled employee. Employees should by all means be included in your data security policy. Research has shown that the greatest threat to a business’s security comes from its own staff. Some businesses forget to set up policies and procedures to protect against potential threats such as e-mail viruses, internet misuse and mishandling of personal and private data, all of which can lead to a compromise of the company’s security, not to mention a mark on its reputation.

You may also want to include an external security audit in your security policy. Auditing is an ongoing process and should be undertaken annually or biannually, or following any significant change within your business that may affect security (a disgruntled key employee leaving, an office break-in, etc.).

People need to be audited as well. It is important to review each user’s authorization and privilege level so that the confidentiality of business information is secured and maintained. If this policy is adhered to, security risks will be greatly reduced. Computer and internet use policies have become popular with many businesses, and are often written into employees’ employment contracts.

Security policy is critical to your business efficiency. It should provide for availability, integrity and security of the information that is important for your business procedures.

Identity breach laws

Sunday, November 13th, 2005

According to InfoWorld, after a series of data breaches earlier this year, members of the U.S. Congress raged about the irresponsibility of breached companies and introduced a flurry of bills requiring companies to notify affected customers when data is lost.

Major U.S. companies reported more than 60 data breaches between January and September this year, and although Congress as well as a number of state legislatures have debated a handful of bills on identity data protection, no federal data breach notification bill has been approved. Most observers hope that a notification bill will pass Congress in 2006. However, most of the bills now under discussion may be a step backward from existing state laws, and some consumer and privacy groups aren’t eager to see federal data breach notification legislation pass — at least not most of the legislation introduced in Congress this year.

Twenty-one states have now passed some form of data breach notification law, including a tough New York law, set to go into effect next month, that makes no exception for small breaches or breaches unlikely to result in identity theft. However, some large businesses and trade groups have called for a national, unified law that preempts state laws.

Many of the congressional bills allow breached companies to decide whether a breach is likely to lead to identity theft and thus warrants consumer notification. Federal law on identity and privacy protection is likely to be a major incentive for businesses to create a more efficient security strategy and to work out specific data protection techniques.

Choosing a password

Thursday, November 10th, 2005

Employees in a company are generally required to avoid easily stolen passwords. But the hard-to-guess passwords most often used are not necessarily hard to observe being typed, and so may be vulnerable to prying eyes.

Jacek Kopecky wrote: “When creating a password I choose random keys that are easy to write — alternating the fingers and trying it out. The commonly used passwords, even historical ones, are completely in my muscle memory.

This is also a fairly good defense against shoulder surfers trying to see what I’m typing — I type it very fast, usually sans mistakes, and it’s random enough that a looking person won’t get it.”

You can also use a passphrase to create a strong password. Use a line of poetry or a quotation that no one except you knows. To make the passphrase more complicated, replace letters with appropriate symbols, for example type 1N&I@nA J8ne$ instead of “indiana jones”.
