Archive for June, 2006

IT professionals lax about password management

Friday, June 30th, 2006

The survey of nearly 200 IT security professionals, conducted at Europe’s largest information security event, Infosecurity, revealed:

Only 40 per cent of survey participants change administrative passwords monthly or more frequently; 30 per cent change them quarterly and a staggering 15 per cent never change IT administrative passwords.

A quarter also admit that their IT staff can access the administrative passwords without permission, which is a serious oversight considering it is these very passwords that are the most powerful and critical of all passwords, overriding all the others and enabling the “administrator” to access the network, systems and the very applications which provide the backbone of enterprises worldwide.

Twenty-eight per cent keep their administrative passwords in their heads - while 38 per cent still resort to writing down their passwords and storing them on paper.

Less than a third (32 per cent) are storing administrative passwords digitally. The remainder continue to use labor-intensive, manual processes, including paper copies stored everywhere from locked cabinets to safes.

Twenty-two per cent of respondents estimate that their colleagues are still keeping passwords on Post-It Notes, while 14 per cent use unsecured spreadsheet files - making it relatively easy for an infiltrator to access the administrative passwords.

According to tmcnet.com.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

Security policies: Don’t be an army of one

Friday, June 30th, 2006

Harris Weisman’s recent article “Security policies: Don’t be an army of one”:

One of the most difficult duties the majority of information security professionals face is the development, implementation and enforcement of information security policies. While many organizations accept the fact that security policies are needed, more often than not projects that address policy issues are given a low priority, insufficient resources and inadequate funding. In many cases, information security professionals are left on their own to create and implement policy, train staff and run enforcement.

However, with the change in the legislative climate (the passing of SOX, GLBA and HIPAA), organizations can no longer afford to relegate information security policies to the back burner. Information security professionals must therefore spur the organization into action.

For successful implementation of security policy, the following departments of an organization should be involved: executive management, the Board of Directors, auditors, as well as employees from around an organization. “The key to obtaining their support is to help them understand the importance of security policies and policy enforcement”.

External auditors can be a great resource and their advice is often taken more seriously by management. Auditors may also be able to provide you with a list of resources and contacts, and act as a sounding board. It is better to obtain and implement auditors’ input before an actual audit, since an unfavorable audit could have an adverse effect on year-end reporting. Remember to “keep your friends close and your enemies closer.”

When creating your own security policy, you may use existing policy resources from reputable sources. You can also discuss your security policy with “business peers, trade associations, or regional and national information security organizations”.

To enforce your security policy within an organization, make sure all employees understand the security policies that pertain to their role in the organization. “A policy that no one knows about cannot be enforced”. Showing employees what they need to do and how they can make an impact on the security of the organization can help motivate them to abide by the policies and assist in policy enforcement.


Cyber crime ‘costs UK plc £270,000 an hour’

Friday, June 23rd, 2006

Cyber crime is costing UK companies up to £270,000 every 60 minutes - but many are unaware of the sheer scale of the outbreak, independent risk consultants have warned.

The investigators claim many established businesses are unaware of the scale of computer crime due to the virtual nature of the attacks, and their authors.

Through greater connectivity and technological advances, e-crime is growing at a rapid rate and will continue to do so for the foreseeable future. However, the factors behind this also make it easier to identify the electronic ‘fingerprints’ of the criminals. With the proliferation of computers, PDAs and mobile phones, electronic evidence is proving ever more important in solving crimes.

In order to minimise the risk a company faces, the investigators offered the following best practice recommendations:

“Contain and Preserve:”
• Act decisively to prevent the loss or damage of digital evidence, which is a volatile medium
• Initiate all responses with the most serious consequences in mind; it can always be scaled down as more facts/information come to light. It’s too late once you are at court
• Never use internal IT staff to collect your evidence because mistakes can be embarrassing or leave the organisation open to the possibility of being counter-sued

“Ascertain the extent of the incident:”
• Determine to what extent the company has been exposed by the incident
• Determine if future incidents can be avoided
• Determine if changes to infrastructure, systems, policy or contracts need to be made

“Resolve the matter:”
• You will now be in the position to know how to address the situation. This could include doing nothing, dealing with IT in-house, formalising the incident with legal debate or escalating the matter to a higher authority e.g. Police
• Assess what damage control may be required

See full article.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search your network for password protected and evidential files. FindProtected makes it easier to discover electronic evidence that may be used in litigation.

Rapid response key in fighting ID theft

Friday, June 23rd, 2006

In the past 15 months, corporations, universities and other organizations alerted more than 85 million U.S. consumers that their personal or financial data might have been exposed through electronic breaches, disgruntled employees or just plain incompetence. While consumer data leaks don’t automatically result in financial losses or identity theft, experts say your chances of becoming a victim depend on how well you know your rights and how quickly you spring into action.

A speedy response is most important in cases when a data breach or loss involves a consumer’s Social Security number, which thieves can use to open new lines of credit in the victim’s name, said Betsy Broder, assistant director of the Federal Trade Commission’s Division of Privacy and Identity Protection.

“Anyone whose Social Security number was lost or stolen should immediately report it to one of the three major credit bureaus and request that a 90-day fraud alert be placed on all credit files. Consumers have the right to renew this alert indefinitely, but they must contact one of the credit bureaus every three months to do so”.

Consumers who have evidence of attempts to open fraudulent accounts in their name should contact those creditors immediately, and file a report with the local police department. If possible, obtain a copy of the police report, or at least the police report number.

For many identity-theft victims, being denied a loan or line of credit or receiving a call from a debt collection agency is the first sign of trouble. By law, if you inform a collector that a debt is the result of identity theft, that collector also must inform the creditor, and creditors are prohibited from selling debt that results from identity theft or placing it for collection. You also are entitled to a copy of all information about fraudulent debt, including late notices and account statements.

See full article.

This blog is run by the authors of FindProtected. FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.

Identity thieves sentenced to 14, 15 years

Friday, June 23rd, 2006

A Sunnyvale man was sentenced today to 14 years in prison for identity theft as part of a more than $1 million real estate scam. John Shaw, 47, faced up to 27 years after being convicted last year on 14 felony counts, including forgery, grand theft, identity theft, recording false documents, and conspiracy.

A licensed real estate agent, Shaw assumed the identities of at least five people, mostly his clients, and purchased real estate in their names. He then sold the property to other names he assumed, pocketing the profits.

Another identity thief, who stole 16 thousand dollars from his victims, was sentenced Wednesday in Honolulu Circuit Court to 15 years in prison. The 28-year-old Saatkamp was also ordered to pay restitution to his victims - eight individuals and three financial institutions.

According to MercuryNews.com, kpua.net.


Encryption alone is not enough

Sunday, June 18th, 2006

A recent article by Kerry Davis mentions an identity case involving the theft of an Ernst & Young auditor’s laptop containing the credit card details and addresses of more than a quarter of a million customers of hotels.com in the US. Sure, the auditor should never have left the laptop in his car, “but even if he had taken it with him there was always a risk of theft or loss”.

This incident demonstrates that encrypting data is important, but encryption alone is not enough. “Data security requires a holistic approach. It’s as much about mindset as about the need for passwords, secure ID tokens and encryption”.

Security should be considered from all angles: physical, personnel, procedural, technical, policy and regulatory. However, most companies rely on the physical and technical alone.

“According to the DTI, a quarter of companies don’t carry out any background checks when recruiting [new employees] and one in eight does nothing to educate staff about their security responsibilities”.

It’s not good enough to give a laptop to someone who is always on the road and tell them never to leave it in their hotel room. This sort of ‘no choice’ edict simply brings a security policy into disrepute. Everyone will have to ignore it in order to do their jobs.

All aspects of security should be considered together, so that controls support and mitigate each other and a failure of one does not invalidate the others. For instance, if an auditor regularly has to leave a laptop in a car for good reason, the company should provide a secure storage box. What’s more, if a laptop containing sensitive data is stolen, the consequences may be far less disastrous if it is protected by strong authentication and encryption systems.


Email is Exhibit A

Saturday, June 10th, 2006

According to a recent article by Darrell Dunn, “more emails are used as evidence in legal suits now, making new tools to better monitor and manage email usage crucial”.

Despite so many highly publicized legal cases involving email, only 35% of companies have email retention policies, and 37% of employees say they don’t know which messages should be retained and which purged, according to surveys conducted by the American Management Association and the ePolicy Institute, a training and consulting firm.

Most companies don’t realize that failure to get a handle on email (and soon instant messages, blogs and other forms of business communications) can cost them a lot of money and their reputation.

“The first thing my clients want to see now is email and email attachments,” says Eric Blank, managing attorney of law firm Blank Law & Technology, which specializes in electronic evidence detection. “Sometimes that’s the only thing they search.” Legal battles involving email can be costly. A good paralegal or attorney can review about four documents per minute looking for evidence, Blank says. If a company has to review millions of pages of email, legal fees of US$300 an hour can quickly add up to hundreds of thousands of dollars.

“A few years ago, many businesses said they should delete [old E-mail], but today the conventional wisdom is to keep it,” says Aaref Hilaly, chief executive of Clearwell Systems. “Once an email is out there, it’s out there, and you can’t guarantee an email has been obliterated. It could always be lurking on some user’s machine or be in the hands of a competitor. Deleting email is like playing poker without knowing what all your cards are. Do we fight or settle?”

Companies may employ specific software to search for particular pieces of data or individual messages. In this case, the ability to dive down into the data, index it, and retrieve it radically simplifies the process of getting at particular content.

Speed is good when hit with a lawsuit or subpoena. But advance planning is better. Businesses are expected to start spending substantially more money on email archiving applications, with sales predicted to jump from US$796 million this year to US$7.8 billion in 2010, according to consulting firm the Radicati Group.

Even companies not facing legal threats need to consider better ways of managing and monitoring email, and they also should review their policies on message retention and archiving. It’s better to deal with these issues in advance than have to confront them on the witness stand.


Australian police to get password powers

Saturday, June 10th, 2006

Australian police in Queensland are to be given power to force suspects to hand over passwords and encryption codes.

The legislation, to come into force in July, covers mobile phones, PCs, handhelds and other electronic devices. Non-compliance carries up to 12 months’ jail.

While police have software tools to crack encryption, Queensland Police Minister Judy Spence said the powers, which required a warrant, would save time and resources.

“This law prevents criminals from withholding electronic evidence by forcing them to give police access to data from their computers, mobile phones and other electronic storage devices… As computer technology becomes more sophisticated, so must the safeguards that protect our society.”

Civil liberties groups, however, were concerned the legislation would allow police access to suspects’ digital signatures.

Ironically federal legislation due to come into force shortly is moving in the opposite direction, offering users more protection for so-called stored data such as voicemails and messages stored on mobile phones.

See full article.


Can Single Sign On be Simple Sign On?

Wednesday, June 7th, 2006

An article by David Perry at IT-director.com describes the benefits and shortcomings of the single sign-on authentication method:

“Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access”.

“The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can’t get into the application and do their work?”

The other thing we need to realise is that SSO is not an authentication solution in itself; the connection to the proxy can be as open or as tightly controlled as you like. An SSO proxy also needs to be 100% reliable, otherwise it will lock all users out of the system when it fails. Furthermore, the security of the SSO solution itself is a big consideration, as the proxy necessarily contains the login credentials and access rights of every user on the network.

However, if implemented appropriately, a well-executed SSO solution gives network and security managers a central point for implementing network policies, such as application access rights.

This blog is run by the authors of FindProtected.
FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files containing sensitive data on your network and relocate them if necessary.