Archive for December, 2005

Correct procedure for computer forensics

Sunday, December 25th, 2005

Alan Neilson’s blog posted an article on security policy enforcement. What should be the management’s behavior if an employee is suspected of wrongdoing? According to the post, “there may be several forms of evidence available to a firm, which can exist in many locations within a computer system, or even an external storage device such as a CD or Zip drive.”

The quest to secure reliable evidence is not only based on ensuring a conviction of an employee, but also on protecting the firm against a civil claim of wrongful dismissal. A hasty dismissal of an employee would be unwise: the firm will not know his modus operandi, his passwords, and once the employee knows that his actions have been discovered, he may be able to trigger the deletion of all evidence. By contrast, if the firm employs surveillance techniques (by using Trojans or key loggers, for example) then the firm can discover the employee’s modus operandi and passwords.

The next stage involves the gathering of evidence, which can be stored in numerous places, and the firm must be aware of this possibility.

Manual searches may not be particularly useful because stolen documents may have had their filenames changed, and file-type altered. Where forensic software is employed, however, it is the structure of the file itself which is searched, rather than its name or file-type, and this may prove fruitful for the firm.
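The content-based search described above can be sketched as follows. This is an added example, not code from the original post or from any product it mentions: it reads each file's leading bytes and reports files whose extension disagrees with what the content looks like. The signature table is a small subset of well-known formats, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# Well-known leading "magic" bytes for a few formats (a subset, for illustration).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/pptx/odt
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy doc/xls/ppt
]
# Extensions that legitimately carry each detected type.
EXPECTED_EXT = {
    "pdf": {".pdf"},
    "jpeg": {".jpg", ".jpeg"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".odt", ".jar"},
    "ole2": {".doc", ".xls", ".ppt", ".msg"},
}

def sniff_type(path):
    """Return the type implied by the file's first bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def find_mismatches(root):
    """Return sorted (relative path, detected type) pairs where name and content disagree."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        kind = sniff_type(path)
        if kind and path.suffix.lower() not in EXPECTED_EXT[kind]:
            hits.append((path.relative_to(root).as_posix(), kind))
    return sorted(hits)

def demo():
    """Build a constructed sample tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "report.pdf": b"%PDF-1.4\n% constructed sample\n",
            "holiday.jpg": b"PK\x03\x04" + b"\x00" * 26,  # archive renamed to .jpg
            "notes.txt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # Office file renamed
            "readme.txt": b"plain text, no known signature\n",
        }
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return find_mismatches(root)

if __name__ == "__main__":
    print(demo())
```

Files with no recognised signature are not flagged, so a clean result only means that no known type was found under a misleading name.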

The evidence may not be on the computer at all: it may be on the firm’s server if it was sent by e-mail. This can prove an excellent source of evidence because of a common misconception that e-mail messages are impermanent. In fact, it is more difficult to remove e-mail than most believe, and on most systems, permanently deleting e-mail is a complex process.

When evidence has been obtained, the firm must undertake a certain procedure to ensure that the evidence is made suitable for use in court. This involves tagging the evidence, bagging it, logging it, copying it and finally securing it.

If a firm adopts such an approach to computer forensics where an employee is suspected of acting illegally, then it maximises its chance of securing a conviction of the employee, and protects itself against the possibility of an unfair dismissal claim.

To make a deep inspection into employees’ files, you can use specific security software. FindProtected is an effective security solution that allows you to enforce an intelligent data security policy across the organization. With FindProtected, you can properly identify protected files and relocate them if necessary.

This blog is run by the authors of FindProtected.

Ford hit by Identity Theft

Sunday, December 25th, 2005

Personal and financial information about 70,000 active and former Ford Motor Co. white-collar workers was stolen along with the computer holding the company information in November, according to the automaker.

The stolen data includes names, addresses and Social Security numbers.

Ford began notifying employees of the theft this week. There is “no evidence indicating that there has been any identity theft or misuse of employee information” according to a company spokesperson.

Ford plans to pay for a credit-monitoring service for the people affected by the theft and is offering them a range of services. Ford has notified the Federal Bureau of Investigation, the U.S. Secret Service, the Federal Identity Theft Task Force and the three major credit reporting agencies of the theft.

According to Consumeraffairs.com.

Prior to developing security policy, it is essential to analyze your computer or corporate network for valuable resources, sensitive information that should by no means be disclosed. FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.

Identity theft rate has been overestimated

Sunday, December 25th, 2005

Schneier’s blog has some fresh ideas on identity theft. It says the rate of identity theft has been grossly overestimated, as “too many things are counted as identity theft that are just traditional fraud”. Although multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft, the whole definition of identity theft is too unclear.

Identity theft is usually understood as the illegal use of someone’s “means of identification”, including a credit card. Technically, if a person loses a credit card and someone else uses it to buy a “candy bar”, he might be considered the victim of identity theft.

“Of course misuse of lost, stolen or surreptitiously copied credit cards is a serious matter. But it shouldn’t force anyone to hide in a cave.”

21 percent of Americans said they had been an identity theft victim in 2004. However, according to the latest survey, half of self-described victims blamed relatives, friends, neighbors or in-home employees for misuse of their identity information.

The identity theft numbers were still high but not as frightful. “Identity theft is a serious crime, and it’s a major growth industry in the criminal world. But we do everyone a disservice when we count things as identity theft that really aren’t”.


We must transform our way of thinking

Sunday, December 18th, 2005

A recently conducted survey shows that most users are resorting to insecure methods to store passwords because they are being overwhelmed by the number of passwords needed to do their everyday jobs.

According to the research, 25% of users keep passwords on a spreadsheet, 22% store them on a PDA while 15% simply write them down and keep them in a “safe place”.

People are forced to handle more passwords than they can possibly remember. More than 25% of users handle over 13 different passwords, and another 30% juggle 6 to 12 passwords. What’s more, most employees in companies are advised to change their passwords every 3 to 6 months. The passwords must be at least 8 characters long, include digits and letters and comply with all existing security standards. Besides, the newly changed password should by no means resemble the previous one.

On this subject, I found some interesting ideas on the DMAC blog. From a security standpoint, all security measures continue to have the same flaw: “They are vulnerable to end user laziness”. In fact, a security solution is only as strong as its weakest link and “unfortunately it’s Bill the dad of 4 who doesn’t give two cents about your password policy”.

“Security and Laziness must combine”. We must transform the way we think as security professionals. We must put ourselves in Bill’s shoes. Security professionals and end users must reach a compromise.

This blog is run by the authors of FindProtected, an effective information security solution. With Find Protected, IT administrators can do a deep inspection into employees’ files aiming to enforce an intelligent data security policy across the organization.

Compliance doesn’t mean security?

Sunday, December 18th, 2005

A study performed by the Institute of Internal Auditors titled “Does Risk Management Curb Security Incidents?”, which examined the relationship between risk management and information security, shows that businesses that employ information security risk assessment programs and have a comprehensive documented security policy are not likely to suffer fewer security incidents.

However, the survey indicated that organizations that conduct risk assessments are more likely to have a documented policy and implement security awareness measures. “This finding suggests that a systematic implementation of security policy measures should include security awareness.”

The study suggests that the predominant lack of relationships between security measures and security incidents may be explained in terms outside the scope of the study, i.e. personnel ability (e.g., the skills, knowledge, and abilities of the information technology and security staff), management support of the information security policy, software and hardware equipment, etc.

Well-known security author Richard Bejtlich in his blog considers “this focus on “controls” as more of the “prevention first and foremost” strategy that ignores the importance of detection and response”. At the very least, some attention needs to be paid to the detection and response functions. Otherwise, a lot of money will continue to be spent on prevention, and organizations won’t be any more “secure.”

Phil Hollows also posted his comments on this subject: “monitor and correlate your logs, set up your containment and incident response policies, and don’t let your management team think for one minute that a successful compliance audit means that they’re safe”.


Employee attitude to password policy

Sunday, December 11th, 2005

Security Blog has a witty description of the common attitude to password management called “The Zen of Password Management”.

The first reaction of an employee when a new password policy is enforced in an organization is “denial”. However, it is quickly replaced by anger. In fact, most people think: “I can’t believe that the security of the entire company depends on me changing my password at this time. It’s just a silly policy that IT uses to exercise digital control over the rest of the world”.

An employee fears that she might forget the new password. That’s why she may be forced to write the passwords down or store them in a text file on her computer.

Even the most complete password policy cannot guarantee 100% security. The passwords might be intercepted by the most sophisticated hacker attack. But it is more likely that people could accidentally or deliberately share their passwords with their co-workers, their family and so forth. In fact, there is no such thing as the best password policy.



Key aspects of information security

Sunday, December 11th, 2005

Information in electronic form and the means to transmit and process it are now indispensable to educational, financial, business and government institutions. The power and convenience of information technology is, however, counterbalanced by the increasingly complex legislative framework which governs its use and by the wide range of threats to the security of electronic information.

The reasons for adopting a formal policy on the security of electronic information are twofold:

1. To provide a framework for best operational practice, so that the institution is able to minimise risk and respond effectively to any security incidents which may occur;

2. To ensure that the institution complies with relevant legislation in this area.

Security breaches, often involving prominent commercial organisations, are reported periodically in the press and often generate substantial publicity. Such incidents tend to fuel the popular conception that the major threat to information security comes from hostile attacks perpetrated via the Internet. Although there is some truth in this, the picture which it paints is highly oversimplified. Electronic information is at risk for a whole variety of reasons: natural disasters, failure of man-made equipment and services, and accidental as well as malicious acts by human beings.

Since neither the systems themselves nor those who operate them can ever be totally reliable, what this means in fact is that the institution must be able to react promptly and appropriately to any security incident and restore its information systems to their normal operational state in an acceptable period of time.

In terms of general good practice, institutions must be able to rely on the three key aspects of information security:

  • Availability (knowing that the information can always be accessed)
  • Integrity (knowing that the information is accurate and up-to-date and has not been deliberately or inadvertently modified from a previously approved version)
  • Confidentiality (knowing that sensitive information can be accessed only by those authorised to do so)

On the human front, therefore, the policy must define what behaviour is and is not allowed, by whom and in what circumstances. A successful security policy will generate a high degree of consensus amongst all of those involved and should foster a positive attitude towards security in terms of its benefits to the institution and the wider community of which it forms a part.

A useful concept in this context is that of a balance between privileges and responsibilities: making information and resources more freely available to members of an institution arguably places more onus on those members to behave responsibly. Some evidence is beginning to emerge that users of information systems would be willing to adhere to better security practices if they were more knowledgeable (i.e. better trained) about what good practice actually involved.

Overall, the policy must define the role that information security plays in supporting the mission and goals of the institution. Even though much of the work on information security will be devolved to middle managers and technical staff, it is important that senior management should be committed to the importance of information security and should play its full part in winning acceptance for the policy.

You can find more information on implementing security policies in educational institutions in the article Developing an Information Security Policy.


Security basics

Sunday, December 4th, 2005

Musings on Information Security quotes one of the formal definitions of security policy:

A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.

Security policies could be classified into three types, according to policy objectives and an organization’s security profile:

  • Regulatory policies - are mandated by legal requirements
  • Advisory policies - contain acceptable practices and consequences of violation
  • Informative policies - are not enforceable, as they provide information about security issues and their possible consequences

A good policy should address the needs of the particular organization. It should be easily understandable and align with the company’s overall business goals. Typically, a security policy should cover the following issues:

  • Statement of authority and scope
  • Acceptable use policy
  • Identification and authentication policy
  • Internet use policy
  • Corporate network access policy
  • Remote access policy
  • Incident handling policy

Security policy is a powerful tool that provides you with the whole scope of necessary security measures and ultimately enables you to significantly reduce security cost.



Secure file deletion is typically overlooked

Sunday, December 4th, 2005

According to Thomas J. Fitzgerald’s article found at globetechnology.com, maintaining privacy in the era of digital information requires work on a number of fronts, from network and applications security to protecting important files with encryption to configuring a Wi-Fi hot spot to keep interlopers off a wireless network.

However, there is one privacy measure that is “easily overlooked”: secure data destruction.

For individual users, deleting confidential data completely is essential when donating or selling old computers, and it can also help “maintain privacy on computers that may end up lost or stolen”.

And for businesses looking for ways to comply with the security requirements of laws like the Sarbanes-Oxley Act, a sound policy on data control and destruction is crucial.

When normal Windows deletion methods are used, the computer’s operating system, for the sake of speed, creates an illusion that data has been deleted. In fact, it merely earmarks that region of a disk or drive as being available for new data to overwrite the old data. Until that overwriting occurs, the old data can be retrieved with undelete programs and tools used by data recovery labs and law enforcement agencies.

There are, however, several options for securely eliminating data from hard disks, USB flash drives and other storage media. File wiping utilities overwrite data with meaningless characters to render it unrecoverable with today’s data recovery techniques. Some of the programs can overwrite entire drives, while others can single out individual files or other information saved by a computer’s operating system or programs like Web browsers. Such programs should become an important part of overall information security within an enterprise. Besides, they can also be used by individual users.
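The overwrite-before-delete idea described above, as an added example (not code from the original post or from any product it mentions): the file's bytes are overwritten in place with random data and flushed to the device before the file is removed. The file name and marker string are constructed sample values.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write in blocks so large files do not need to fit in memory

def overwrite_file(path, passes=1):
    """Overwrite a file in place with random bytes; return the number of bytes covered."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:  # r+b keeps the existing allocation instead of truncating
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next one
    return size

def wipe_file(path, passes=1):
    """Overwrite the contents, then remove the directory entry."""
    overwrite_file(path, passes)
    os.remove(path)

def demo():
    """Constructed sample: the marker is unreadable after the overwrite step."""
    marker = b"CONFIDENTIAL-constructed-sample"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll.txt")
        with open(path, "wb") as fh:
            fh.write(marker * 1000)
        size_before = os.path.getsize(path)
        overwrite_file(path, passes=2)
        with open(path, "rb") as fh:
            after = fh.read()
        wipe_file(path)
        return {
            "same_size": len(after) == size_before,
            "marker_left": marker in after,
            "exists": os.path.exists(path),
        }

if __name__ == "__main__":
    print(demo())
```

In-place overwriting only reaches the blocks the file currently occupies: SSD wear levelling, journaling or copy-on-write file systems, snapshots and backups can all retain earlier copies, which is why whole-drive wiping or encryption is used when the medium itself leaves the organisation.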

This blog is run by the authors of QuickWiper, a Windows security program. QuickWiper allows you to delete files with simplicity and ease. When deleting files with QuickWiper, you can choose a fast single pass, or the most secure NSA erasure algorithm.