Archive for the ‘Corporate security strategy’ Category

What is today’s biggest IT security threat?

Thursday, March 22nd, 2007

IDC research finds that enterprise companies rank insider sources as their top security threat.

In addition, research from Carnegie Mellon University for the Department of Defense (DoD) finds that when it comes to insider attacks, 86 percent of perpetrators held technical positions. Of these, 57 percent performed the attack after termination.

Both reports found that insider attacks result in costly outages, lost business, legal liability and, inevitably, failed audits. In one case study, it took 115 employees 1,800 hours to restore data deleted by a disgruntled insider. At the time of the attack, the perpetrator was an ex-employee of the IT department who was able to remotely access key systems. According to these reports, IT insiders commonly acquire and maintain powerful system access using privileged accounts and passwords even after termination.

Here are six of the best practices recommended by Calum MacLeod (European director, Cyber-Ark Software) to battle the insider menace:

1. Create an inventory of privileged (non-personal) passwords

2. Define the role of identity and access management (IAM)

3. Apply change policies to privileged passwords

4. Make sure privileged passwords are stored securely

5. Create a staged approach to deployment

6. Remember computers are people, too

See full story.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

Most alarming help desk calls

Monday, March 12th, 2007

SupportSoft Inc. analyzed about 2 million IT help desk calls from 20 large companies (average workforce: 75,000 employees). James Morehead, vice president of product management and marketing at the Redwood City, Calif.-based vendor, says the result is his company’s Headache Index of the most common problems end users thrust upon IT support operations.

Yes, password issues top the list, with 20% of all calls involving a variation on the phrase, “I forgot my password.” While you’ve no doubt already automated the response to that one, other problems probably lack automated fixes. Morehead thinks you should consider help desk automation for any problem that accounts for 3% or more of all calls. Take e-mail issues, which came in fifth on the Headache Index, chalking up an 11% share of help desk calls. Morehead points to Outlook’s OST (offline storage) file as one likely suspect. It’s regularly overstuffed, which can cause Outlook to sputter and fail.

And he says a lot of home PC users are contacting his company’s recently unveiled consumer help desk site, www.support.com, to express frustration with Microsoft Corp.’s new Vista operating system. “We’re learning now to help IT later,” Morehead says. Of course, when you roll out Vista, you might want to keep a bottle of aspirin handy just in case.

See full story.


Google Apps and Risk Management

Sunday, February 25th, 2007

According to a recent article by Dan Morrill, “Google Desktop Applications, or Google Apps is a risky decision to be making, small company or big company it does not matter”.

Information Security - Google has a lot of money to spend on information security, but Google also has a track record like every other software maker, of having code with bugs. If you use Google apps, you have to trust their code over the internet, and you have to trust them to patch their code in a timely manner.

Legal Discovery - so far the law has worked in this fashion, ISP or Company gets a discovery notice, the ISP or Company is not obligated to inform you, rather they usually make a copy of all the data and send it to the legal group requesting the information. Since all your data is hosted outside the company on a 3rd party server system, ownership is most likely not going to be efficiently defined until there is a series of lawsuits to determine who owns information on 3rd party service providers. Technically, it should already all belong to Google.

Control - usually when working with technology and 3rd party outsource, only “authorized” people are allowed to call for support. Control of the help desk, and the services that the help desk provides for lost information, e-mail support, password reset support, and other low level support functions are now being taken over by Google.

Other Legalities - Have you engaged legal counsel before signing up? This is a big one, what do the company lawyers say about the issue? Will they be involved in the decision, and will management listen to what legal counsel is saying, and what the legal liabilities are.

Federal/State Mandates - if you are covered under HIPAA, SOX, GLB, HB1386, or otherwise, how does using Google Apps help you gain compliance, or remain in compliance if you use their system? From the legal mandates and laws side, unless Google can provide a statement of compliance that will stand up in court, anyone who is under any federal or state law for information security compliance might want to think twice before using this service.

Think long and hard before using Google Apps, make sure there are legal protections and someone cannot just randomly request data without talking to legal counsel first. Make sure that the bases are covered, and if you are in a regulated industry that you get a certificate of compliance from Google. Otherwise, there is a ton of free or low cost software out there that will allow you to do the same things, do them in an equal or like manner.

See full story.


Insurance offered for identity theft

Friday, December 29th, 2006

Amid warnings about the risk of identity theft, Canadian insurance companies have begun offering policies that help defray the cost of setting things right, if you fall victim.

Identity theft occurs when a crook uses another person’s name and other personal information such as social insurance number, credit-card number or bank account illegally to make purchases, borrow money or make some other costly transactions without the victim’s consent or even knowledge.

According to research by Phonebusters, a national anti-fraud organization…, thousands of Canadians a year report cases of identity theft — although the rate may be lower now than it was a few years ago.

It can be time-consuming and costly for innocent victims of identity theft to compile the information and get the legal advice required to verify they aren’t at fault. It’s those expenses — such as lost wages, lawyer and notary fees and courier charges — that are covered by identity theft insurance.

“Those are where the real expenses come in. It’s not the $5,000 or $10,000 loan. It’s the expense of clearing everything up,” says Bryan Seaton, spokesman for ING Canada, which recently began offering identity theft protection across Canada.

There has been increased public awareness of the measures — such as shredding documents with account numbers, proper storage of passwords and account numbers and software protections for your computer — that can be taken to prevent your personal information from getting into the wrong hands.

“We have a duty to defend your title. So we do what we can to get it resolved. Or, in a worst-case scenario, we can pay out the money that you’ve lost as a result of this problem,” says Kathleen Waters, vice-president of Title Plus, a service provided by Lawyers’ Professional Indemnity Co.

See full story.


How to manage your records

Saturday, December 23rd, 2006

- Consider investing in a records-management software system to ensure the secure preservation of records electronically.

There are very reputable companies that make software for legal records management. Most of these software systems are licensed per workstation, so it can be a costly investment. So whoever is in charge of this should shop carefully.

- Do not consider an e-mail inbox as a tool with which to manage records.

The e-mail systems like Outlook were never meant to be records-management systems. When e-mail files get really large, they tend to get corrupted…

When it’s e-mail, you probably have all kinds of things in there and don’t separate the wheat from the chaff because it takes too much time. So you get sloppy.

If you are going to use your e-mail as a client file, think about what you want in there and what you’d want someone else not to see. Delete it, and then delete the deletion.

- Store records in a location outside the offices of your law firm.

Even in small and midsize firms, there’s so much data it’s hard to back it all up on one tape, and it becomes harder to recover that much data. So some firms are turning to business continuity systems [with which] they send their data electronically off-site so it can be easily retrieved.

- Leave the records-management responsibility to an expert in the field rather than rely on an in-house policy.

Most large firms have had a director of records or a manager of records, which was mostly a paper-pushing position. But what has happened is that 80 percent of records now are electronic, and so it’s an entirely different process to manage electronic records. That’s where an information officer [comes in and] works closely with a records manager to do the overall management of the electronic records.

- Follow the lead of publicly traded business clients, which have had to pay close attention to their record-management practices as federal regulation of those practices has tightened.

Regulation that’s now affecting publicly traded companies, such as Sarbanes-Oxley [a 2002 federal law that established strict standards for corporate governance], will probably come to affect private industries like law firms, and that will mean lawyers will have to be much more careful about how their firms keep their records.

(c) HENRY CHACE


Recent files security risks

Tuesday, December 19th, 2006

Recent files, also referred to as temporary files, are those created automatically and stored on the system’s hard drive. Microsoft Windows uses many temporary files to store data about the users’ web browsing history and settings.

There are some potential risks and dangers associated with recent files, read more about recent files and security risks.

China is more concerned over IT security

Saturday, December 2nd, 2006

China recently launched an information security certification center in Beijing. Information security has become a serious problem in China with the rapid growth of the information industry. “Crimes through the Internet, computer viruses and junk mail have threatened security”.

“Some departments have set up systems on evaluation, licensing or purchase of security products but a unified national system is required to avoid repetition,” said a deputy director of the Information Office under the State Council.

Apart from certification of security products, the center would also conduct talent training and technology research and development on information security.

China boasts the world’s second-largest population of “netizens” behind the United States, exceeding 123 million last July.

See full story.


How to Protect Your Mobile Data

Saturday, November 18th, 2006

In today’s workplace, it’s impossible to eliminate mobile computing devices — laptops, thumb drives, mobile phones, PDAs and iPods. However, “since California enacted a data breach notification law in 2002 (followed by 32 other states), there have been a host of embarrassing disclosures about missing computers”.

About half of the states’ breach-reporting laws give companies a way to avoid disclosing such breaches: the use of encryption on the mobile devices.

But encrypting data on mobile systems isn’t a simple task. CIOs and CISOs have found that while the technology to encrypt laptop hard drives is pretty straightforward and simple to deploy, there are several aspects of mobile security for which technology is not yet solid, particularly for protecting data on removable media and handheld devices. That’s why security leaders who have adopted encryption make sure to use other techniques — both technological and managerial — to protect their mobile data.

The first decision when implementing an encryption strategy is whether to use full-disk encryption or file-based encryption. Although most operating systems have built-in file encryption tools, this approach has a significant security flaw: It relies on users putting files in the encrypted folders.

The other option is full-disk encryption, which protects everything on the hard drive. The latest disk-encryption solutions are easy to use and are not likely to slow down performance. “Several companies — including PGP, Pointsec and GuardianEdge Technologies — provide enterprise-class full-disk encryption software that can be installed and managed using standard tools, and that works with backup software and password management systems.”

See full story.

Data encryption is important for the security of stored data. However, it is also important to use secure file removal applications. If sensitive data was deleted from a laptop or PC using insecure operations, it can still be recovered. To protect your deleted data, you need to use specific file wiping tools.

This blog is run by the authors of Shred Agent and QuickWiper.

Asians more diligent about password management

Friday, October 6th, 2006

According to the annual RSA Security Password Management Survey, 39 percent of business users in the Asia-Pacific region are required to change their passwords monthly, compared to 34 percent in Europe and 23 percent in the United States.

Over 1,340 respondents participated in the survey conducted last month, which for the first time polled respondents outside the United States. Participants from the United States and Canada made up about half of the respondents, while Europeans and Asians each accounted for 21 percent of the total surveyed.

John Worrall, the security vendor’s senior vice president of marketing, noted in the statement that “business passwords remain one of the weakest links in the security chain”, due partly to the number of passwords that end users are required to manage.

Respondents from Asia reported the highest levels of awareness of breaches relating to the use of passwords–35 percent said they know of a corporate security breach that occurred as a result of a compromised password. About 33 percent of participants in Europe, and 14 percent in the United States, gave the same response.

The high number of passwords that users globally have to manage is apparently a source of annoyance. Some 12 percent of respondents from the Asia-Pacific region and 15 percent of users in the United States indicated that they were extremely frustrated over having to manage too many passwords at work.

See full article.


Hardware level file shredder released

Monday, September 25th, 2006

Raleigh, NC (AKS-Labs) September 25, 2006 — AKS-Labs has released version 1.1 of Shred Agent, a file shredder utility that works in background mode and performs secure deletion of all deleted files.

With the wider use of encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One way to attack is the recovery of supposedly erased data from hard disk or random-access memory.

Shred Agent is designed to protect your privacy. When you delete files in Windows it is possible to undelete or recover them using different file recovery utilities. If you want to make sure that the file you delete cannot be restored by any means, Shred Agent is the right tool for you.

To make sure nobody else has access to your private files, you might use some encryption software. But encryption is useless if the original plaintext can be recovered. Wiping is the process of writing some information directly into the space where the old file was located.

Shred Agent works at the hardware level, thus wiping the files completely, eliminating the possibility of ever recovering them. What makes it different from most file wiping utilities currently available on the market is the capability to control the wiping of files in the background. For example, you can configure the corresponding filters to wipe temporary files created by office programs.

If Shred Agent is installed on a server and a remote user is trying to delete a file from the “Include” list, Shred Agent will wipe the file over the network.

Shred Agent can be customized to suit just your needs. Configure filters to wipe only the files with certain extensions or belonging to a specific directory. Make sure Shred Agent is launched every time you switch on your computer. Record all the information about the files being wiped to a log file.
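The wiping idea described in this release (overwrite the space where the old file lived, restrict the work to filtered extensions and directories, log what was wiped) can be illustrated in a few lines. This is an added example and not Shred Agent's own code; the pass count, chunk size and filter values are constructed assumptions, and it runs in user space rather than at the hardware level.

```python
import os
from pathlib import Path

# Constructed policy values (hypothetical): overwrite passes and I/O chunk size.
PASSES = 3
CHUNK = 64 * 1024


def matches_filters(path, include_exts=(), include_dirs=()):
    """True if `path` is covered by the extension and directory include filters."""
    p = Path(path).resolve()
    if include_exts and p.suffix.lower() not in {e.lower() for e in include_exts}:
        return False
    if include_dirs and not any(Path(d).resolve() in p.parents for d in include_dirs):
        return False
    return True


def wipe_file(path, passes=PASSES):
    """Overwrite the file's bytes in place, then unlink it. Returns bytes wiped.

    Caveat: a user-space overwrite only reaches the original blocks on
    filesystems that rewrite in place; SSD wear levelling, copy-on-write and
    journaling filesystems can keep stale copies that this loop cannot touch.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for n in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(remaining, CHUNK)
                # Alternate fixed patterns, finish with random data.
                if n == passes - 1:
                    data = os.urandom(chunk)
                else:
                    data = (b"\x00" if n % 2 else b"\xff") * chunk
                f.write(data)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())  # push each pass to the disk, not just the page cache
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return size


def wipe_tree(root, include_exts=(), include_dirs=()):
    """Walk `root`, wipe every file matching the filters, return a log of (path, bytes)."""
    log = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if matches_filters(full, include_exts, include_dirs):
                log.append((full, wipe_file(full)))
    return log
```

The returned log is what a practitioner would write to the audit file; files outside the include filters are left untouched.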

Read more at www.shredagent.com