Archive for May, 2006

Identity Theft’s Reach and Costs

Tuesday, May 30th, 2006

The New York Times today published survey results on the number of people in the US who have suffered from identity theft: “The ranks of identity theft victims are large… In broad terms — including a thief’s use of existing credit card, bank or other accounts — the number of victims is about nine million a year, or roughly 4 percent of the United States adult population, according to surveys by Javelin Strategy and Research, an independent research firm.” About three million Americans each year fall victim to the worst kind of identity theft, new account fraud.

Although there are no exact figures for the crime’s costs, the Javelin study estimates the average annual cost per stolen identity at $6,300, a 22 percent increase since 2003.

Another New York Times article advises the following 8 steps to avoid identity theft:

  • Get a free credit report once a year and report any suspicious activity.
  • Cancel unnecessary credit cards.
  • Do not carry your Social Security card in a wallet or purse.
  • Use credit cards, not debit cards, for online shopping.
  • Do not leave mail in an unlocked box.
  • Keep tax records and other documents in locked files. Many identity thieves are relatives, colleagues or home visitors or workers.
  • Reduce preapproved credit offers by visiting www.optoutprescreen.com.
  • If businesses ask for your Social Security number, ask to use other identification instead.

Identity thieves can also steal your identity information from your home PC or your computer at work. To secure this data, you need to implement specific technology solutions. But even with all these measures, no one can be absolutely sure that their identity information is safe.

    This blog is run by the authors of FindProtected. FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.

    IT Security Breaches Survey

    Monday, May 22nd, 2006

    The report released in April, sponsored by the UK Department of Trade & Industry, highlights the fact that most businesses are a long way from having a security-aware culture. Although three quarters of UK businesses rate IT security as a high priority, with protecting customer information becoming increasingly important, worryingly just 1 firm in 8 has staff qualified in IT security to put procedures in place.

    Identity theft and fraudulent attacks are ranked as having the most severe impact, with the average ‘worst incident’ ringing in at £12,000, up by £2,000 since 2004. The most obvious and valuable data obtainable from these attacks would be detailed customer information such as credit card and bank details, typically siphoned off by keylogging software.

    “One of the most malicious and real attacks a company faces is from spyware. This software is most likely to enter a company’s computer network through internet downloads and email attachments; simple logic dictates that a free rein as regards accessing the internet and email will significantly increase the chances of this form of attack.”

    “Staff should be vetted during the recruitment process with full background checks administered. This should be followed up with an education session about their security responsibilities and regular reminders. The possession of USB drives should also be carefully monitored – they can go unnoticed and could ultimately be used to steal your intellectual property.”

    According to IT Voices.

    This blog is run by the authors of FindProtected.
    FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

    Information security matters most

    Monday, May 22nd, 2006

    The Financial Express published a report based on the inputs from the CIOs of 149 IT decision-makers. Information security tops the chart of technologies. According to the study, 55% of the respondents consider security a key technology priority. ERP and servers are the other two top technologies that large businesses are focusing on.

    91% of the respondents still fear viruses and worm attacks the most. The next critical security issue is spam and unsolicited mail, with 67%, followed by Trojans and remote access control.

    Most large businesses agree that 65% of their corporate e-mail traffic is spam. To handle this, it is essential to have an anti-spyware solution implemented on desktops as well as at the gateway. Apart from this, it is imperative to conduct user awareness training.


    VoIP conversations should be recorded

    Monday, May 22nd, 2006

    According to Martin Courtney’s article “Wanted: for crimes against IT”, “The annual policy premium could soon get higher as regulators find new kinds of data to include. Transcripts of voice over IP (VoIP) conversations may be next on the list alongside email and instant messaging chats”.

    It’s fair to say that rules to make corporate executives more accountable were long overdue, if only to ensure that shareholders’ cash and employee pension schemes are less likely to fall into a big, black, financial hole. But though security experts always point out that it makes sense to calculate the extent of any potential risk before spending time and money implementing systems to protect against it, the legislators and industry bodies responsible for corporate governance rules and guidelines don’t appear to have been listening.

    Recording, indexing and archiving employees’ VoIP calls so they can be retrieved at a moment’s notice when a nosy auditor comes your way would be difficult enough in itself. But what is more worrying is where the precedent of keeping such information could lead.

    Because once you take the view that every internal conversation between employees for which there is no written record needs to be noted and stored, where does the line between what should and should not be included begin and end? Does a furtive tête-à-tête in the toilets, a sotto voce exchange in the lift, or a talking heads session by the coffee machine, qualify, for instance? What about the conversations between employees when they are not on company premises and perhaps not even on company time?

    More crucially, how do IT managers actually collect this information in the first place without extending their remit to covert surveillance (and would they suffer consequences for any failure to carry out their duties)? “The future looks less corporate security, and more Ceausescu Securitate, it seems”.


    Measure and control IT security with Balanced Scorecard

    Wednesday, May 17th, 2006

    Implementing IT security metrics enables an organization's management to analyze the performance of its IT systems' technical, operational, and management controls.

    AKS-Labs has released version 1.3 of its Strategy2Act Balanced Scorecard software. Strategy2Act is a Windows program that supports the Balanced Scorecard concept and helps connect strategy to action. The new version includes IT security metrics.

    Strategy2Act is Balanced Scorecard (BSC) support software, designed to help build a Balanced Scorecard. The new version 1.3 includes new metrics necessary to measure and control IT security. The new groups are “Risk Management”, “Contingency Planning”, “System Life Cycle”, “Personnel Security”, and “Data Integrity”. The new scorecard helps identify the strong and weak points of an organization's IT security and suggests possible ways to solve security problems.

    Read more at Strategy2Act home page


    This blog is run by the authors of FindProtected.
    FindProtected is a security program that allows you to search your network for password protected and evidential files. FindProtected makes it easier to discover electronic evidence that may be used in litigation.

    Avoiding the electronic discovery trap

    Sunday, May 14th, 2006

    With e-mail dramatically increasing the sheer volume of electronic information stored and disseminated on a daily basis, your organization can ill afford the consequences of not being prepared to deal with the evolving legal landscape of electronic discovery.

    Business organizations should consider the following steps in order to avoid the potential perils of electronic discovery:

    1. Establish a written, comprehensive record retention and destruction policy.

    2. Develop a preservation/litigation hold policy. A comprehensive litigation hold policy must effectively advise employees of their obligation to preserve records relevant to anticipated litigation.

    3. Create a litigation hold team. Team members may include people from the legal department (including outside counsel to oversee compliance), a paralegal or project manager responsible for day-to-day supervision of the collection and production of electronic discovery materials, a records management person, senior management, and a member of the IT department (who may assist counsel in gaining familiarity with your retention policies and data preservation architecture).

    4. Identify all sources of potentially relevant information.

    5. Continually follow up and improve items 1, 2 and 3.

    See original article.



    Colleges prime target for identity theft

    Sunday, May 14th, 2006

    People ages 18-29 make the most reports of identity theft in the US, according to the Identity Theft Data Clearinghouse, a division of the Federal Trade Commission.

    According to the experts, colleges and universities are a prime target for electronic data thefts because of their wide use of names, addresses and Social Security numbers. “The reason is simple. Colleges have a tendency to use information, like Social Security numbers, for student IDs,” said Jay Foley, executive director of the Identity Theft Research Center.

    In the past year, security issues have been reported at Kent State, Miami and Cleveland State universities, as well as the Ohio State University. Some have been computer thefts or hacking, while in other cases personal information was accidentally posted online. Many of the schools are updating their computer security systems and urging students to be careful when storing personal information.

    See original article.


    Security Policy Lifecycle

    Sunday, May 7th, 2006

    “Staying ahead and maintaining a healthy, robust policy programme requires diligence throughout the security lifecycle”. Generally, the security lifecycle includes the following phases:

    a. Policy Development Phase
    b. Enforcement Phase
    c. Assurance Phase

    To keep a security policy healthy throughout the lifecycle, consider your security policy's impact:

    1. Security is inconvenient: Recognise and respect security’s disruptions of the business process and daily life. You need not make the process transparent, but each extra step, each extra disruption, makes non-compliance more likely.

    2. Avoid Excessive Complexity: Strive for common security tools that have already been tested and proven.

    3. Prosecution or reprimand: Decide in advance how far to go, and get management buy-in. If you decide against prosecution in favour of reprimand, it is less important to build evidence once a hack is discovered.

    4. Punishment to fit crime: You may merely reprimand employees for sending personal email on the company network, but you want to prosecute someone who hacks the payroll. Decide in advance how far you will go.

    Painless policy in practice:
    While on rounds, a bank’s security staff enforced a policy that unattended workstations must be secured with a password-protected screen saver. They placed yellow notes reading, “Security needs your help. Please lock your workstation”, over unprotected monitors. This non-disruptive reminder helped change the user community. Bankers would leave their desks for lunch, then return saying, “I better lock my screen so I do not get one of those yellow notes”.

    See “Why information security policies fail”.


    Small businesses need a comprehensive Internet security policy

    Sunday, May 7th, 2006

    According to the article by Atchison Frazer, paramount among the internet security threats that concern small businesses are “content-related and physical-access concerns”.

    “Content-related threats generally refer to access of content from the Internet by internal users of the network in violation of company policies. But a new type of content-related threat is an infected file that combines several stand-alone viruses or attack methods in one package. For example, the myDoom virus, using e-mail as its carrier, set up an SMTP e-mail relay engine on each computer it infected to propagate the virus throughout the network. These so-called blended threats are complex and often avoid detection entirely”.

    Unauthorized access to corporate network resources includes external hacker attacks as well as purposeful or accidental access to a company’s restricted resources by internal users.

    “Only a thorough, companywide security policy can protect your network equipment and information”. Here are some of the key elements to consider when developing a security policy:

    1. Lock up and monitor physical access to all core network resources.
    2. Lock and password-protect all physical and logical ports of your network.
    3. Lock network services such as FTP, SMTP, Telnet and Web. Additional network services should be allowed on an as-needed basis.
    4. Use firewalls to protect all entry and exit points of the network.
