Security Metrics
Saturday, February 16th, 2008
AKS-Labs has released some metrics that are very useful for estimating security risks. These metrics are:
- Identity Theft Risks;
- Security and Privacy;
- IT Security;
Check the AKS-Labs homepage for details.
In a recent article published on SearchSecurity.com, Ed Skoudis pointed out some useful tips for adapting the security strategy of organizations going through a merger or acquisition.
Organizations involved in an M&A should consider the following security measures:
- Adapting the IT security policies of both organizations involved in the M&A
- Analyzing existing network architecture
- Eliminating LAN architecture differences (for instance, strengthening security of existing WiFi architecture)
- Creating security policy for laptops and portable devices
- Updating current security software solutions
- Implementing employee training on data security
- Monitoring user behavior (ongoing FTP or HTTP transfer scans, etc.)
So, in the end, to avoid information security threats during a merger, companies should have two main goals:
- A long-term alignment of policies, procedures and technology
- An augmented policy supported by a series of quick-hit technical defenses.
Successful execution of this two-pronged strategy can help merging companies significantly lower their risk exposure.
This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.
To protect your organization’s employees and clients, you need to evaluate how well your company protects its PII. Here are seven common mistakes to avoid.
Keep users in the dark
If your users don’t know how to identify and handle PII, it’s only a matter of time before one of them discloses this data to the wrong source.
Partner with the wrong businesses
If your company collects and shares PII with insecure partners, who do you think will end up in the paper and explaining to law enforcement about how a breach occurred? Your company will.
Keep data around past its prime
What do you do with data once it’s served its purpose? If you aren’t destroying PII when it’s no longer required, then you’re not doing your job. That doesn’t mean throwing it away either — that means destroying it.
Don’t worry about physical security
It’s imperative that you implement physical access controls to prevent unauthorized people — including employees — from gaining access to PII. Get a door lock and a badge reader, and start controlling access.
Don’t lock up your records
If you don’t have specific storage areas on your network (as well as file cabinets) for PII, then how can you properly protect it?
Ignore activity on your network
If you’re not going to actively monitor your network for suspicious activity or incidents, then stop collecting the data. Develop a method that’s within your capabilities and budget to monitor your network for suspicious activity or incidents. And while you’re at it, develop a response and mitigation strategy for security incidents.
Audits? Who needs audits?
A lot of businesses either don’t know what security events to audit or don’t read their security logs — or both. If you’re not sure which events to audit, find out. Set up security auditing, and start reviewing your logs today.
From the article by Mike Mullins.
Oracle is suing SAP in federal court, alleging that its chief competitor in business software markets has been stealing corporate secrets. SAP is still reviewing the suit.
Concerns over sabotage or theft are on the rise, prompting companies of all sizes, including utilities, to examine their policies and business processes. Because utilities are geographically dispersed and have thousands of employees, breakdowns in security will inevitably occur. The goal, then, is to mitigate that threat on the front end, and if espionage has taken place, perpetrators should be tracked down and held responsible.
According to the FBI, corporate espionage costs U.S. companies between $24 billion and $100 billion annually. Interestingly, only about 20 percent of those losses are tied to cyber threats while the majority of them are associated with low-tech schemes such as stealing from trashcans.
It’s not just big business that is at risk. It can also be the smaller engineering, environmental and law firms. Most corporate crooks can’t break into computer systems. But, they can meander into open offices, taking phone numbers, strategy bulletins and computer info.
“A good spy always looks for the path of least resistance before trying anything fancy or high tech,” says Ira Winkler, an information-security-systems consultant, in a book called Corporate Espionage. “In fact, small businesses tend to be targets more often than large corporations, simply because they have more competitors.”
Beyond cyber threats, companies must keep classified information restricted while requiring employees to sign agreements prohibiting the unlawful use of company trade secrets. Those secrets may include anything that a company knows that is unknown in the marketplace, which gives it an uncommon competitive advantage.
Corporate espionage is a risk for all companies. Utilities are clearly aware of the problem. As a result, their information technology units are now working hand-in-hand with upper management to guard the integrity of the business lines. It’s a sensible solution to what could be a potentially devastating issue.
See full story by Ken Silverstein.
See the latest on Oracle’s SAP lawsuit at PCWorld.com.
Imagine all of your network and security devices working as a unit to enforce security policy. That’s the vision of “cooperative policy enforcement,” an emerging concept being promoted by Aventail.
While network admission control (NAC) is emerging and there are many different policy enforcement tools available, there still isn’t a common, coordinated structure for enforcing policy across all devices. Chris Hopen, CTO of Aventail, says the key is having a broader policy that aggregates the traditionally separate policies of firewalls, routers, switches, VPN gateways, and NAC boxes.
Some industry analysts consider cooperative policy a natural progression. “Cooperative policy has to happen. It’s not even a question of if, but of when. You have many network assets as an organization — firewalls, routers, switches, VPN gateways — and each of those should be able to enforce policy, not just any one,” says Robert Whiteley, senior analyst for enterprise networking at Forrester Research. “Most NAC products make you choose one of those” to do enforcement, he says.
With cooperative policy enforcement, the policy servers on each security device can share security problems they find and take action to fix them, he says. When an IPS sitting behind the VPN gateway detects a problem, for instance, it can work with the gateway to pinpoint the source: “So when the IPS raises an event and says here’s malicious traffic, that device can then make a SOAP call back to us, query us, and say ‘what user is responsible for injecting this traffic into the network?’”
Then the offending user could automatically be blocked from the network or certain service. “This is beyond reporting and more about taking action,” he says. “Today devices do not allow any visibility into their policy decisions, let alone providing a mechanism for allowing another network device to control or dictate changes to the policy behavior.”
See full story.
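The exchange Hopen describes (an IPS raises an event, asks the VPN gateway which user is behind the traffic, and the user is then blocked) can be modelled in a few lines. The following is an added example, not Aventail's code or any product's API: a plain function call stands in for the SOAP query, and the session table, alerts and the "block only on high severity" threshold are constructed assumptions. It also handles one detail the article leaves implicit: VPN pool addresses are reused, so attribution has to match on time as well as IP.

```python
"""Added example (not Aventail's code): a toy model of the IPS-to-VPN-gateway
exchange. The IPS sees only a source address; the VPN gateway holds the session
table that ties addresses to authenticated users. The IPS asks the gateway
'who had this address at this time?' (a function call stands in for the SOAP
query) and the gateway, not the IPS, applies the policy action.
Sessions, alerts and the severity threshold are constructed assumptions."""
import copy
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Session:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime] = None   # None = still connected


@dataclass
class IpsAlert:
    time: datetime
    src_ip: str
    signature: str
    severity: str   # "low" or "high"


class VpnGateway:
    """Owns the session table, answers attribution queries, enforces blocks."""

    def __init__(self, sessions: List[Session]):
        self.sessions = sessions
        self.blocked = set()
        self.audit_log: List[Tuple[datetime, str, str]] = []

    def user_for(self, ip: str, at: datetime) -> Optional[str]:
        # Pool addresses are reused, so the answer depends on the time as well as the IP.
        for s in self.sessions:
            if s.ip == ip and s.start <= at and (s.end is None or at < s.end):
                return s.user
        return None

    def quarantine(self, user: str, at: datetime, reason: str) -> None:
        self.blocked.add(user)
        for s in self.sessions:
            if s.user == user and s.end is None:
                s.end = at   # tear down the live session
        self.audit_log.append((at, user, reason))

    def admit(self, user: str) -> bool:
        """Login-time check: a quarantined user stays out until an admin clears them."""
        return user not in self.blocked


def handle_alert(alert: IpsAlert, gateway: VpnGateway, block_severity: str = "high"):
    """IPS side of the exchange: attribute the traffic, then request an action."""
    user = gateway.user_for(alert.src_ip, alert.time)
    if user is None:
        return ("unattributed", None)          # not a VPN user; other controls apply
    if alert.severity != block_severity:
        gateway.audit_log.append((alert.time, user, f"logged: {alert.signature}"))
        return ("logged", user)
    gateway.quarantine(user, alert.time, f"blocked: {alert.signature}")
    return ("blocked", user)


T = datetime
# Constructed session table: 10.8.0.5 is handed to alice, then reused for bob.
SESSIONS = [
    Session("alice", "10.8.0.5", T(2008, 2, 16, 8, 0), T(2008, 2, 16, 9, 0)),
    Session("bob", "10.8.0.5", T(2008, 2, 16, 9, 5)),
    Session("carol", "10.8.0.7", T(2008, 2, 16, 8, 30)),
]
# Constructed IPS alerts.
ALERTS = [
    IpsAlert(T(2008, 2, 16, 8, 45), "10.8.0.5", "worm propagation", "high"),  # alice's window
    IpsAlert(T(2008, 2, 16, 9, 30), "10.8.0.5", "port scan", "low"),          # bob's window
    IpsAlert(T(2008, 2, 16, 9, 40), "10.8.0.9", "port scan", "high"),         # no session
]


def run_demo():
    gw = VpnGateway(copy.deepcopy(SESSIONS))
    outcomes = [handle_alert(a, gw) for a in ALERTS]
    return {
        "outcomes": outcomes,
        "blocked": sorted(gw.blocked),
        "alice_readmitted": gw.admit("alice"),
        "carol_admitted": gw.admit("carol"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the device which owns the identity data (the gateway) also owns the enforcement decision; the IPS only supplies evidence. In a real deployment the gateway would additionally authenticate the calling IPS before honouring a quarantine request, since an attacker who can forge such calls could lock out arbitrary users.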
IDC research finds that enterprise companies rank insider sources as their top security threat.
In addition, research from Carnegie Mellon University for the Department of Defense (DoD) finds that when it comes to insider attacks, 86 percent of perpetrators held technical positions. Of these, 57 percent performed the attack after termination.
Both reports found that insider attacks result in costly outages, lost business, legal liability and, inevitably, failed audits. In one case study, it took 115 employees 1,800 hours to restore data deleted by a disgruntled insider. At the time of the attack, the perpetrator was an ex-employee of the IT department who was able to remotely access key systems. According to these reports, IT insiders commonly acquire and maintain powerful system access using privileged accounts and passwords even after termination.
Here are six of the best practices recommended by Calum MacLeod (European director, Cyber-Ark Software) to battle the insider menace:
1. Create an inventory of privileged (non-personal) passwords
2. Define the role of identity and access management (IAM)
3. Apply change policies to privileged passwords
4. Make sure privileged passwords are stored securely
5. Create a staged approach to deployment
6. Remember computers are people, too
See full story.
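Practices 1 and 3 above (an inventory of shared privileged accounts, and a change policy for their passwords) are what close the gap the case study describes: an ex-employee who still knows the root or Administrator password after termination. The following added example, which is not from the article or from Cyber-Ark, shows the check an auditor would run over such an inventory. All employee names, systems, dates and the 90-day rotation policy are constructed assumptions.

```python
"""Added example (not from the article or Cyber-Ark): a minimal inventory check
for privileged, non-personal accounts. It flags accounts whose password was last
changed before a custodian left (the post-termination access problem described
above) and accounts whose password has simply aged past the rotation policy.
All names, systems and dates are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class PrivilegedAccount:
    name: str               # shared account, e.g. root, Administrator, enable
    system: str
    custodians: List[str]   # staff who currently know the password
    last_rotated: date


# Constructed HR feed: employee -> termination date, None = still employed.
TERMINATIONS: Dict[str, Optional[date]] = {
    "alice": None,
    "bob": date(2008, 1, 15),
    "carol": date(2007, 11, 2),
}

# Constructed inventory of privileged accounts (best practice 1 above).
INVENTORY = [
    PrivilegedAccount("root", "db01", ["alice", "bob"], date(2007, 12, 1)),
    PrivilegedAccount("Administrator", "fileserver", ["bob"], date(2008, 2, 1)),
    PrivilegedAccount("enable", "core-router", ["carol", "alice"], date(2007, 9, 30)),
    PrivilegedAccount("sa", "erp-db", ["alice"], date(2007, 6, 1)),
]

AS_OF = date(2008, 2, 16)   # assumed audit date
MAX_AGE_DAYS = 90           # assumed rotation policy (best practice 3 above)


def departed_custodians(acct: PrivilegedAccount, terminations) -> List[str]:
    """Custodians who left on or after the last rotation and so may still know it."""
    return [c for c in acct.custodians
            if terminations.get(c) is not None and terminations[c] >= acct.last_rotated]


def audit(inventory, terminations, today: date, max_age_days: int = MAX_AGE_DAYS):
    """Return (account, reason) pairs for every password that must be rotated."""
    findings: List[Tuple[str, str]] = []
    for acct in inventory:
        label = f"{acct.name}@{acct.system}"
        leavers = departed_custodians(acct, terminations)
        if leavers:
            findings.append((label, "known to departed staff: " + ", ".join(leavers)))
        age = (today - acct.last_rotated).days
        if age > max_age_days:
            findings.append((label, f"password is {age} days old"))
    return findings


def run_audit():
    return audit(INVENTORY, TERMINATIONS, AS_OF)


if __name__ == "__main__":
    for account, reason in run_audit():
        print(f"ROTATE {account}: {reason}")
```

Note that the fileserver Administrator account is not flagged even though bob has left: its password was rotated after his termination date, which is exactly the control the inventory exists to prove. An account with no custodian list at all (nobody knows who holds the password) would be the first thing to investigate in a real audit.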
SupportSoft Inc. analyzed about 2 million IT help desk calls from 20 large companies (average workforce: 75,000 employees). James Morehead, vice president of product management and marketing at the Redwood City, Calif.-based vendor, says the result is his company’s Headache Index of the most common problems end users thrust upon IT support operations.
Yes, password issues top the list, with 20% of all calls involving a variation on the phrase, “I forgot my password.” While you’ve no doubt already automated the response to that one, other problems probably lack automated fixes. Morehead thinks you should consider help desk automation for any problem that accounts for 3% or more of all calls. Take e-mail issues, which came in fifth on the Headache Index, chalking up an 11% share of help desk calls. Morehead points to Outlook’s OST (offline storage) file as one likely suspect. It’s regularly overstuffed, which can cause Outlook to sputter and fail.
And he says a lot of home PC users are contacting his company’s recently unveiled consumer help desk site, www.support.com, to express frustration with Microsoft Corp.’s new Vista operating system. “We’re learning now to help IT later,” Morehead says. Of course, when you roll out Vista, you might want to keep a bottle of aspirin handy just in case.
See full story.
According to the recent article by Dan Morrill, “Google Desktop Applications, or Google Apps is a risky decision to be making, small company or big company it does not matter”.
Information Security - Google has a lot of money to spend on information security, but Google also has a track record like every other software maker, of having code with bugs. If you use Google apps, you have to trust their code over the internet, and you have to trust them to patch their code in a timely manner.
Legal Discovery - so far the law has worked in this fashion, ISP or Company gets a discovery notice, the ISP or Company is not obligated to inform you, rather they usually make a copy of all the data and send it to the legal group requesting the information. Since all your data is hosted outside the company on a 3rd party server system, ownership is most likely not going to be efficiently defined until there is a series of lawsuits to determine who owns information on 3rd party service providers. Technically, it should already all belong to Google.
Control - usually when working with technology and 3rd party outsource, only “authorized” people are allowed to call for support. Control of the help desk, and the services that the help desk provides for lost information, e-mail support, password reset support, and other low level support functions are now being taken over by Google.
Other Legalities - Have you engaged legal counsel before signing up? This is a big one, what do the company lawyers say about the issue? Will they be involved in the decision, and will management listen to what legal counsel is saying, and what the legal liabilities are.
Federal/State Mandates - if you are covered under HIPAA, SOX, GLB, HB1386, or otherwise, how does using Google Apps help you gain compliance, or remain in compliance if you use their system? From the legal mandates and laws side, unless Google can provide a statement of compliance that will stand up in court, anyone who is under any federal or state law for information security compliance might want to think twice before using this service.
Think long and hard before using Google Apps, make sure there are legal protections and someone cannot just randomly request data without talking to legal counsel first. Make sure that the bases are covered, and if you are in a regulated industry that you get a certificate of compliance from Google. Otherwise, there is a ton of free or low cost software out there that will allow you to do the same things, do them in an equal or like manner.
See full story.
An adviser to the UK Cabinet warns that civil servants’ low awareness of data security threats puts information collected by the government at risk.
A key advisor to the Cabinet Office on information assurance issues said that, with the exception of the police, defence and intelligence communities, public servants have little grasp of information security threats. “What keeps me awake at night is that, with some notable exceptions, across government there’s too little awareness of the scale and breadth of the risk facing us at the moment,” he said.
Ignorance of information security threats at board level is actually more of a threat than the threats themselves, according to Burton. “No-one knows the scale of the risk. We need to energise boards. The technical risks are nothing compared with ignorance at board level,” he said in a panel discussion at a British Computer Society (BCS) security event this week.
The UK government recently announced two sets of controversial plans around data use - plans to form the database for the ID Cards National Identity Register from three existing databases, and plans to relax data-sharing laws so government departments can share information more easily.
See full story.
- Consider investing in a records-management software system to ensure the secure preservation of records electronically.
There are very reputable companies that make software for legal records management. Most of these software systems are licensed per work station, so it can be a costly investment. So whoever is in charge of this should shop carefully.
- Do not consider an e-mail In Box as a tool with which to manage records.
The e-mail systems like Outlook were never meant to be records-management systems. When e-mail files get really large, they tend to get corrupted…
When it’s e-mail, you probably have all kinds of things in there and don’t separate the wheat from the chaff because it takes too much time. So you get sloppy.
If you are going to use your e-mail as a client file, think about what you want in there and what you’d want someone else not to see. Delete it, and then delete the deletion.
- Store records in a location outside the offices of your law firm.
Even in small and midsize firms, there’s so much data it’s hard to back it all up on one tape, and it becomes harder to recover that much data. So some firms are turning to business continuity systems [with which] they send their data electronically off-site so it can be easily retrieved.
- Leave the records-management responsibility to an expert in the field rather than rely on an in-house policy.
Most large firms have had a director of records or a manager of records, which was mostly a paper-pushing position. But what has happened is that 80 percent of records now are electronic, and so it’s an entirely different process to manage electronic records. That’s where an information officer [comes in and] works closely with a records manager to do the overall management of the electronic records.
- Follow the lead of publicly traded business clients, which have had to pay close attention to their record-management practices as federal regulation of those practices has tightened.
Regulation that’s now affecting publicly traded companies, such as Sarbanes-Oxley [a 2002 federal law that established strict standards for corporate governance], will probably come to affect private industries like law firms, and that will mean lawyers will have to be much more careful about how their firms keep their records.
(c) HENRY CHACE