Archive for July, 2006

Employee monitoring should be done with care

Sunday, July 30th, 2006

According to a recent article by Gary S. Miliefsky at SearchCIO.com, “the American Management Association (AMA) performed a survey on employer monitoring of employees and found that 75% of those surveyed already monitor employee Web site surfing… In the survey, more than 50% review and retain emails, while approximately 30% track keystrokes. And more than 80% of these employers surveyed disclose their monitoring policies and practices to their employees”.

It is legal to monitor employees in your organization. However, you have to do it properly, with forethought and purpose. IT organizations planning to monitor their employees should first create a framework with their human resources team to ensure that new hires are aware of the well-documented monitoring policy and given proper disclosure.

Although federal law allows you to monitor calls unannounced, it’s still best practice to create a written policy about call monitoring and to share this information with your employees and customers. Also, if you accidentally monitor a call that is made for personal purposes and not for business, you are breaking the law.

It is best to ensure your employees are aware of your monitoring policies. For instance, “you could force them to accept a special message at login to their computer or your corporate network that states ‘all emails will be monitored for business purposes and no personal emails are allowed to be created, edited, received or transmitted using corporate resources.’”

As an employer, the best thing your corporation can do is to create an Acceptable Usage Policy and an employee monitoring policy. In the first policy, you define what is appropriate and what is inappropriate for your employees to do when using your corporate resources, including but not limited to all telecommunications and computer and networking systems. In this document, you will clearly spell out to the employees what they can do using company equipment and resources. By providing an employee monitoring policy to your staff members, you’ll let them know exactly where and when you block inappropriate Internet access and when you monitor telephone, computer and Internet usage.

“Just remember that you need to find a balance between ethics, best practices in monitoring and keeping your employees happy and productive”. The best way to do it is to approach the concept of employee monitoring as something that needs to be well thought out in advance and agreed upon by all executives of your organization.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

Five things you can do right now

Thursday, July 27th, 2006

According to today’s article by Roberta Bragg, computers are “a small part of information security”. Strong information security policy requires “a comprehensive plan that secures information wherever it resides—on the mainframe, on the Linux Web server, in the Active Directory, on a PDA, in or available through smart phones and in the hearts and minds of employees, contractors, partners and customers of your organization”.

Making security as easy and as pervasive as breathing won’t happen overnight. A security campaign should be mounted in at least two directions: “a) The big picture, and b) The intimate reality of your day-to-day work”.

IT security implementation consists of the following steps:

1. Create a Stronger Password Policy

There’s no reason you can’t impose policy-based restrictions on IT administrators or anyone who requires special access to servers. They include those who do backups or have admin privileges on a server in order to administer a database or other server application.

2. Lock Down Remote Administration

Where possible, use IPsec or other protected communications. You can also use IPsec to block access to the ports required by your remote administration programs, and then allow administrative access to those ports only from designated administrative workstations.

Require that computers with sensitive roles or data be administered from the console only, and enforce that by preventing administrative accounts from accessing the computer across the network.

3. Lock Down Administrative Workstations

Designate certain workstations as administrative workstations and harden them by putting them in a secured area, reinstalling the operating system and adding the latest service pack and security patches (do this off the network). Use IPsec or a personal firewall to control egress and ingress (what goes in and out), and use software restriction policies to prevent the use of non-approved software. Use the workstations for administration only; no playing Solitaire, no e-mail.

4. Physically Secure All Systems

Keep servers locked up. Remove CD-ROMs and floppies from computers in public areas. Provide traveling laptop users with cable locks. Make sure those with access to the data center don’t allow others in. Don’t allow tailgating—the process where someone follows an authorized person into the data center. Teach security guards to look for contraband. (Even those picture-taking phones should be considered unacceptable in many organizations.)

5. Learn To Shut Your Mouth

It’s not rude to refuse to talk about issues that might compromise security. It’s a good practice. Think of the security of your information systems as if you were protecting your family or your country. Don’t let your complaint, need to impress people with your knowledge or request for help made to a public list reveal more than it should.
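The port lockdown described in step 2, modelled as an added example (not code from the article or its author): a first-match rule set that blocks the remote-administration ports host-wide and re-opens them only to the designated administrative workstations of step 3, plus an audit that flags any allow rule that breaks that invariant. The port list and the 10.0.99.0/29 admin subnet are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed inventory (assumptions, not from the article): ports used by
# common remote-administration tools and the subnet that holds the hardened
# administrative workstations from step 3.
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM over HTTP/HTTPS
ADMIN_WORKSTATIONS = [ip_network("10.0.99.0/29")]


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    src: Optional[IPv4Network]   # None matches any source address
    dst_port: Optional[int]      # None matches any destination port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        if self.src is not None and ip_address(src_ip) not in self.src:
            return False
        return True


def build_policy() -> List[Rule]:
    """Step 2 as an ordered first-match rule set: explicit allows from the
    admin workstations first, then a block for every admin port."""
    rules = [Rule("allow", net, port)
             for net in ADMIN_WORKSTATIONS for port in sorted(ADMIN_PORTS)]
    rules += [Rule("block", None, port) for port in sorted(ADMIN_PORTS)]
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """First matching rule wins; 'pass' means this rule set did not decide
    and the host's ordinary firewall policy applies."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "pass"


def audit(rules: List[Rule]) -> List[Tuple[int, Optional[int]]]:
    """Check the invariant behind step 2: no allow rule may expose an admin
    port to addresses outside the designated workstations. Returns the
    (index, port) of every offending rule; an empty list means compliant."""
    offenders = []
    for index, rule in enumerate(rules):
        touches_admin_port = rule.dst_port is None or rule.dst_port in ADMIN_PORTS
        if rule.action != "allow" or not touches_admin_port:
            continue
        confined = rule.src is not None and any(
            rule.src.subnet_of(net) for net in ADMIN_WORKSTATIONS)
        if not confined:
            offenders.append((index, rule.dst_port))
    return offenders
```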

Hardening networks isn’t a simple chore, nor is it one that can be done overnight. The key is to start right now. Remember: Hardened systems are secure systems.


A new standard for IT security

Thursday, July 27th, 2006

According to today’s article by Mikael Vingaard at itmanagersjournal.com, the new ISO 27001 standard, created by the International Standards Organization for Information Security Management Systems (ISMS), “can help to locate existing security problems and prevent future threats before they prove harmful to your organization”.

An ISMS is a planned way of managing an organization’s information so that it remains secure, using a suitable methodology covering people, processes, and IT systems. Best practices for an ISMS include a wide range of planning to ensure business continuity, minimize business damage, and maximize ROI and business opportunities.

Internationalization of ISO standards will create a demand for a recognised ISMS certification. Clients may in future ask whether your organization has achieved ISO 27001 certification. Besides providing “marketing” value, it helps IT managers create a framework based on a “Plan-Do-Check-Act” approach. In general, achieving ISO 27001 certification mitigates the risk of human error by establishing sound procedures and regulations.

If the Sarbanes-Oxley Act is relevant for your business, ISO 27001 could be your best way to get a framework.

There are clear relationships between ISO 27001 and the Sarbanes-Oxley Act’s requirement to develop an information security management system that is integrated, comprehensive, and incorporates widely recognized best practices.


Information Security Issues Top Audit Committee Concerns

Thursday, July 27th, 2006

Public company audit committee members believe they must improve fraud prevention and security audits, but still maintain that they are “very effective,” according to a study by KPMG International.

Of the 317 audit committee members polled, about 70% rated their committee as “very effective.” Even more, 85%, rated themselves that way when it came to ensuring that external auditors remain independent from management, according to KPMG’s Audit Committee Institute.

However, 84% believed routine compliance activities detracted from a greater focus on corporate governance; 78% saw need to improve information security; and 61% saw a need to decrease fraud risk, according to the survey.

According to Banknet360.com.


Identity theft epidemic

Monday, July 17th, 2006

Jane Putnam, “Identity theft epidemic on the rise in the U.S.”: “Most people do not realize how easily criminals can obtain personal data without even having to break into a home, according to the United States Department of Justice Web site”.

Identity thieves stole nearly $100 million from financial institutions last year, or an average of $6,767 per victim, according to MY ID Fix, an identity theft prevention and victim center.

In April 2005, computer hackers installed a program that recorded keystrokes onto four computers in the Widtsoe Building computer lab. The program recorded information like credit card numbers, net IDs and passwords. It was discovered by a lab assistant and removed from the lab computers.

“Right now, the thing that is most troubling is the large number of data breaches,” said Paul Stephens, a policy analyst at Privacy Rights Clearinghouse in San Diego. “It is so troubling because even an individual who is extremely responsible and careful, there really is not a whole lot they can do to protect themselves. They have to give out certain information, like Social Security numbers and bank codes, to employers and credit card companies. You trust them [employers and financial institutions] to take care of your private information. When they betray that trust, your identity can be stolen.”


Weakest Link in Network Security

Monday, July 17th, 2006

Your small-business network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person’s carelessness, and suddenly it’s as if you have no network security at all.

In March 2006, a major financial services firm with extensive network security disclosed that one of its portable computers was stolen. The laptop contained the Social Security numbers of nearly 200,000 people… An employee of the firm, dining in a restaurant with colleagues, had locked the laptop in the trunk of an SUV. During dinner, one of the employee’s colleagues retrieved an item from the vehicle and forgot to re-lock it. As fate would have it, there was a rash of car thefts occurring in that particular area at that particular time, and the rest is history.

No matter how secure your network may be, it’s only as secure as its weakest link. And people, meaning you and your employees, are often the weakest link. It’s important to note that poor security puts your business, as well as your partners, at risk. As a result, many enterprises and organizations, such as credit-card companies, now specify and require minimum levels of security you must have in order to do business with them.

Here are nine ways to minimize the risks that people can pose to the security of your company’s data:

  • Password-protect your computers and mobile devices, particularly laptops.
  • Don’t store passwords in unprotected areas.
  • Consider laptops with biometric security.
  • Encrypt confidential files.
  • Whenever possible, don’t carry confidential data on a portable device or removable media.
  • Lock your laptop when traveling.
  • Stay up to date.
  • Be vigilant.
  • Create and enforce a security plan.

According to an article by Peter Alexander.


Next Data Breach Could Mean Your IT Job

Monday, July 17th, 2006

Today’s article by Larry Greenemeier posted on InformationWeek.com: “The best time to review, improve, and communicate security policies is before potential problems surface”. Usually, “an employee or contractor makes an arbitrary decision to violate security policies so as to make his job easier”, and policies aren’t enforced in a company as long as the work gets done and nothing bad happens.

What’s particularly alarming is that the desire for security compliance doesn’t sync with the effort businesses put toward training and education, both within the IT department and throughout the workforce. Monitoring user compliance ranked as the No. 1 security priority in a survey of 966 U.S. companies polled by InformationWeek Research and Accenture. Security policies typically define who has access to data, how it can be used, where customer data can and can’t be stored, any potential legislation the company is subject to if the data is breached, and whether data must be encrypted.

However, more than half of U.S. companies surveyed say security technology and policy training would have no impact on alleviating employee-based breaches, a sentiment shared by more than half of the companies surveyed in Europe and China as part of the InformationWeek 2006 Global Security Survey. In fact, most companies surveyed worldwide admit they don’t train their employees on information security policies and procedures on a regular basis, preferring instead to deliver ad hoc training.

“Given the increase in the number of data breaches, businesses can’t allow security policies to become hampered by ambivalence and red tape. Next time, it could be your job on the line.”


New Federal Discovery Rules are Coming

Tuesday, July 11th, 2006

Discovery is the part of the litigation process in which opposing parties exchange relevant information and testimony. Discovery helps both sides understand the facts and evidence before the trial starts. On April 12, 2006 the Supreme Court approved proposed amendments to the federal rules governing discovery to address issues that are unique to electronic discovery. These amendments will increase the pressure on corporations to proactively manage the electronic discovery process to avoid sanctions, unfavorable rulings and a loss of public trust.

The amendments will require that, if your company is engaged in a lawsuit, you must furnish to the other party, prior to a discovery request, a description of the electronically stored information your company plans to use in its case. In addition, your company will be required to expand the scope of its potentially relevant data sources to include all media and all formats, including backup media, portable media, remote or third-party locations, etc.

The amendments state that absent “exceptional circumstances” you will not be subject to sanctions for failing to produce email or electronic documents “as a result of the routine, good-faith operation of an electronic information system.” However, the rules make it clear that IT should in certain circumstances intervene to modify or suspend automatic overwriting or deletion functions to prevent the loss of information that is related to a pending case.

Here are the specific steps IT should take to be prepared for the new regulations:

#1 - Map out all places where electronic information is stored

#2 - Update your records retention policy to include all electronic information

#3 - Ensure your litigation hold policy fully covers all electronic information including backup tapes

#4 - Establish systems that simplify identification, retrieval and production of potentially relevant data

See the full article by Kevin B. Roden (posted on July 7th): New Federal Discovery Rules are Coming. How Can IT Get Ready?


Call for identity theft crackdown

Wednesday, July 5th, 2006

The UK Government has been urged to crack down on “identity theft” and raise public awareness of a growing form of fraud. The call came as Euro-MPs launched moves for cross-border co-ordination of efforts to prevent criminals stealing individual identities as a cover for their crimes.

According to a recent official report examining the measures in place to combat identity fraud throughout the EU, “European governments are not doing enough to fight rising levels of identity theft”. Chief among the criticisms highlighted is a need to enhance coordination between police forces, internally, within different EU states, and between member states and those outside the EU.

“Tackling identity offences is currently hampered by a lack of official data about the scale of the problem”. Although all European countries have acted to respond to identity offences, public awareness should be stepped up and European cooperation improved to tackle the problem.

In the UK alone, more than one in four people are affected by identity theft. With the number of identity theft victims rising every year, it is clear that more needs to be done to raise people’s awareness of this issue.

See the full article.
