Identity theft rate has been overestimated

December 25th, 2005

Schneier’s blog has some fresh ideas on identity theft. It says the rate of identity theft has been grossly overestimated because “too many things are counted as identity theft that are just traditional fraud”. Although multiple surveys have found that around 20 percent of Americans say they have been beset by identity theft, the definition of identity theft itself is too vague.

Identity theft is usually understood as the illegal use of someone’s “means of identification” — including a credit card. Technically, if a person loses a credit card and someone else uses it to buy a “candy bar”, he might be considered the victim of identity theft.

“Of course misuse of lost, stolen or surreptitiously copied credit cards is a serious matter. But it shouldn’t force anyone to hide in a cave.”

21 percent of Americans said they had been an identity theft victim in 2004. However, according to the latest survey, half of self-described victims blamed relatives, friends, neighbors or in-home employees for misuse of their identity information.

The identity theft numbers were still high but not as frightful. “Identity theft is a serious crime, and it’s a major growth industry in the criminal world. But we do everyone a disservice when we count things as identity theft that really aren’t”.

This blog is run by the authors of FindProtected.
FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.

We must transform our way of thinking

December 18th, 2005

A recently conducted survey shows that most users are resorting to insecure methods of storing passwords because they are overwhelmed by the number of passwords needed to do their everyday jobs.

According to the research, 25% of users keep passwords on a spreadsheet, 22% store them on a PDA while 15% simply write them down and keep them in a “safe place”.

People are forced to handle so many passwords that it is not possible to remember them all. More than 25% of users handle over 13 different passwords, and another 30% juggle 6 to 12 passwords. What’s more, most employees in companies are recommended to change their passwords every 3 to 6 months. The passwords must be at least 8 characters long, include digits and letters and comply with all existing security standards. Besides, the newly changed password should by no means resemble the previous one.
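Added example (not from the post or from FindProtected): a checker for exactly the policy rules quoted above. The similarity threshold and the trailing-digit check are my own assumptions about how “must not resemble the previous one” might be enforced.

```python
import string
from difflib import SequenceMatcher
from typing import List, Optional

# Policy values from the post: at least 8 characters, letters and digits, and the
# new password must not resemble the previous one. The 0.6 similarity threshold
# and the trailing-digit check are assumptions of this example, not the post's.
MIN_LENGTH = 8
MAX_SIMILARITY = 0.6


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how much two strings resemble each other (case-insensitive)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations for `new`; an empty list means it passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in new):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in new):
        problems.append("contains no digits")
    if previous is not None:
        if similarity(new, previous) > MAX_SIMILARITY:
            problems.append("too similar to the previous password")
        # The usual way users "resemble" the old password: bump a trailing number.
        if new.rstrip(string.digits) == previous.rstrip(string.digits):
            problems.append("only the trailing digits changed")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a typical rotation and a password that passes.
    print(check_password("Winter2005", "Winter2004"))
    print(check_password("k7Qm!pz2Lr", "Winter2004"))
```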

In this connection, I found some interesting ideas on the DMAC blog. From a security standpoint, all security measures continue to have the same flaw: “They are vulnerable to end user laziness”. In fact, a security solution is only as strong as its weakest link and “unfortunately it’s Bill the dad of 4 who doesn’t give two cents about your password policy”.

“Security and Laziness must combine”. We must transform the way we think as security professionals. We must put ourselves in Bill’s shoes. Security professionals and end users must reach a compromise.

This blog is run by the authors of FindProtected, an effective information security solution. With Find Protected, IT administrators can do a deep inspection into employees’ files aiming to enforce an intelligent data security policy across the organization.

Compliance doesn’t mean security?

December 18th, 2005

A study performed by the Institute of Internal Auditors, titled Does Risk Management Curb Security Incidents?, which examined the relationship between risk management and information security, shows that businesses that employ information security risk assessment programs and have a comprehensive documented security policy are not likely to suffer fewer security incidents.

However, the survey indicated that organizations that conduct risk assessments are more likely to have a documented policy and implement security awareness measures. “This finding suggests that a systematic implementation of security policy measures should include security awareness.”

The study suggests that the general lack of a relationship between security measures and security incidents may be explained by factors outside its scope, such as personnel ability (e.g., the skills, knowledge, and abilities of the information technology and security staff), management support for the information security policy, software and hardware equipment, and so on.

Well-known security author Richard Bejtlich in his blog considers “this focus on “controls” as more of the “prevention first and foremost” strategy that ignores the importance of detection and response”. At the very least, some attention needs to be paid to the detection and response functions. Otherwise, a lot of money will continue to be spent on prevention, and organizations won’t be any more “secure.”

Phil Hollows also posted his comments on this subject: “monitor and correlate your logs, set up your containment and incident response policies, and don’t let your management team think for one minute that a successful compliance audit means that they’re safe”.

This blog is run by the authors of FindProtected.
Prior to developing security policy, it is essential to analyze your computer or corporate network for valuable resources, sensitive information that should by no means be disclosed. FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.

Employee attitude to password policy

December 11th, 2005

Security Blog has a witty description on the common attitude to password management called “The Zen of Password Management”.

The first reaction of an employee when a new password policy is enforced in an organization is “denial”. However, it is quickly replaced by anger. In fact, most people think: “I can’t believe that the security of the entire company depends on me changing my password at this time. It’s just a silly policy that IT uses to exercise digital control over the rest of the world”.

An employee fears that she might forget the new password. That’s why she may be forced to write the passwords down or store them in a text file on her computer.

Even the most complete password policy cannot guarantee 100% security. The passwords might be intercepted by the most sophisticated hacker attack. But it is more likely that people could accidentally or deliberately share their passwords with their co-workers, their family and so forth. In fact, there is no such thing as the best password policy.


Key aspects of information security

December 11th, 2005

Information in electronic form and the means to transmit and process it are now indispensable to educational, financial, business and government institutions. The power and convenience of information technology is, however, counterbalanced by the increasingly complex legislative framework which governs its use and by the wide range of threats to the security of electronic information.

The reasons for adopting a formal policy on the security of electronic information are twofold:

1. To provide a framework for best operational practice, so that the institution is able to minimise risk and respond effectively to any security incidents which may occur;

2. To ensure that the institution complies with relevant legislation in this area.

Security breaches, often involving prominent commercial organisations, are reported periodically in the press and often generate substantial publicity. Such incidents tend to fuel the popular conception that the major threat to information security comes from hostile attacks perpetrated via the Internet. Although there is some truth in this, the picture which it paints is highly oversimplified. Electronic information is at risk for a whole variety of reasons: natural disasters, failure of man-made equipment and services, and accidental as well as malicious acts by human beings.

Since neither the systems themselves nor those who operate them can ever be totally reliable, what this means in fact is that the institution must be able to react promptly and appropriately to any security incident and restore its information systems to their normal operational state in an acceptable period of time.

In terms of general good practice, institutions must be able to rely on the three key aspects of information security:

  • Availability (knowing that the information can always be accessed)
  • Integrity (knowing that the information is accurate and up-to-date and has not been deliberately or inadvertently modified from a previously approved version)
  • Confidentiality (knowing that sensitive information can be accessed only by those authorised to do so)

On the human front, therefore, the policy must define what behaviour is and is not allowed, by whom and in what circumstances. A successful security policy will generate a high degree of consensus amongst all of those involved and should foster a positive attitude towards security in terms of its benefits to the institution and the wider community of which it forms a part.

A useful concept in this context is that of a balance between privileges and responsibilities: making information and resources more freely available to members of an institution arguably places more onus on those members to behave responsibly. Some evidence is beginning to emerge that users of information systems would be willing to adhere to better security practices if they were more knowledgeable (i.e. better trained) about what good practice actually involves.

Overall, the policy must define the role that information security plays in supporting the mission and goals of the institution. Even though much of the work on information security will be devolved to middle managers and technical staff, it is important that senior management should be committed to the importance of information security and should play its full part in winning acceptance for the policy.

You can find more information on implementing security policies in educational institutions in the Developing an Information Security Policy article.


Security basics

December 4th, 2005

Musings on Information Security quotes one of the formal definitions of security policy:

A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.

Security policies can be classified into three types, according to their objectives and an organization’s security profile:

  • Regulatory policies – are mandated by legal requirements
  • Advisory policies – contain acceptable practices and the consequences of violation
  • Informative policies – are not enforceable, as they merely provide information about security issues and their possible consequences

A good policy should address the needs of the particular organization. It should be easily understandable and align with the company’s overall business goals. Typically, a security policy should cover the following areas:

  • Statement of authority and scope
  • Acceptable use policy
  • Identification and authentication policy
  • Internet use policy
  • Corporate network access policy
  • Remote access policy
  • Incident handling policy

A security policy is a powerful tool that provides you with the whole scope of necessary security measures and ultimately enables you to significantly reduce security costs.


Secure file deletion is typically overlooked

December 4th, 2005

According to a Thomas J. Fitzgerald article found at globetechnology.com, maintaining privacy in the era of digital information requires work on a number of fronts, from network and application security to protecting important files with encryption to configuring a Wi-Fi hot spot to keep interlopers off a wireless network.

However, there is one privacy measure that is “easily overlooked”: secure data destruction.

For individual users, deleting confidential data completely is essential when donating or selling old computers, and it can also help “maintain privacy on computers that may end up lost or stolen”.

And for businesses looking for ways to comply with the security requirements of laws like the Sarbanes-Oxley Act, a sound policy on data control and destruction is crucial.

When normal Windows deletion methods are used, the computer’s operating system, for the sake of speed, creates the illusion that the data has been deleted. In fact, it merely earmarks that region of the disk or drive as available for new data to overwrite the old. Until that overwriting occurs, the old data can be retrieved with undelete programs and the tools used by data recovery labs and law enforcement agencies.

There are, however, several options for securely eliminating data from hard disks, USB flash drives and other storage media. File wiping utilities overwrite data with meaningless characters to render it unrecoverable with today’s data recovery techniques. Some of the programs can overwrite entire drives, while others can single out individual files or other information saved by a computer’s operating system or by programs like Web browsers. Such programs should become an important part of overall information security within an enterprise, and they can also be used by individual users.

This blog is run by the authors of QuickWiper, a Windows security program. QuickWiper allows you to delete files with simplicity and ease. When deleting files with QuickWiper, you can choose a fast single pass, or the most secure NSA erasure algorithm.

Secure data wiping is a big deal

November 27th, 2005

According to recent research, many people are taking risks with the data on hard drives and memory cards which they sell via the internet. Sensitive information such as personal letters, passwords, resumes, spreadsheets, phone numbers and e-mail addresses was found on storage hardware that could easily be bought on any auction site. The problems arose because sellers had not completely deleted the data from the hardware.

Besides, it was rather easy to reconstruct almost everything that some users had done online, and to grab cookies and login details for the sites they visited.

In most cases, people had used the Windows “delete” function to erase the data. However, on PCs and other digital devices it simply applies a label that says these sections of storage can be overwritten. That means such data remains intact for a long time, especially on large drives.

Recovering such information is quite straightforward for forensic firms and individuals.

It is extremely hard to completely destroy some pieces of information. That’s why users are advised to employ dedicated secure file deletion solutions.
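The overwrite-then-delete technique that this post and the previous one (“Secure file deletion is typically overlooked”) describe, as an added example that is not QuickWiper’s code and does not implement the “NSA erasure algorithm” its blurb mentions. The pass count, the final zero pass and the read-back check are my own choices; the constructed file content stands in for a real secret.

```python
import os
import secrets
import tempfile
from typing import Optional

# Added illustration of in-place file wiping; not QuickWiper's code. Two random
# passes plus a zero pass are an assumption of this example, not a standard.
CHUNK = 64 * 1024


def _write_all(fd: int, data: bytes) -> None:
    """os.write may write fewer bytes than asked; keep going until all are out."""
    view = memoryview(data)
    while len(view):
        view = view[os.write(fd, view):]


def _overwrite(fd: int, size: int, pattern: Optional[bytes] = None) -> None:
    """Overwrite the first `size` bytes with a repeated byte, or random data if None."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        _write_all(fd, secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    os.fsync(fd)  # push the new contents out of the page cache onto the device


def wipe_file(path: str, passes: int = 2) -> int:
    """Overwrite a file in place, then rename and unlink it. Returns bytes wiped per pass."""
    size = os.path.getsize(path)
    # Open WITHOUT O_TRUNC: truncating first would release the blocks holding the
    # old data, and the overwrite would land on freshly allocated blocks instead.
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            _overwrite(fd, size)              # random passes
        _overwrite(fd, size, b"\x00")         # final pass leaves zeros, not obvious noise
    finally:
        os.close(fd)
    with open(path, "rb") as f:               # read back: same length, all zero
        if f.read() != b"\x00" * size:
            raise RuntimeError("read-back after overwrite did not match")
    # Rename before unlinking so the original name is less likely to linger in the
    # directory entry that undelete tools inspect.
    anon = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return size


def demo() -> tuple:
    """Write a constructed 'secret' to a temp file, wipe it, return (bytes wiped, still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed secret: account 0000-1111\n" * 3000)
    return wipe_file(path, passes=2), os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

On flash media, journaling or copy-on-write file systems, and for earlier, larger versions of the same file, the old blocks may not be reachable by an in-place overwrite at all, which is why the earlier post also mentions tools that overwrite entire drives.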

This blog is run by the authors of QuickWiper, a file wipe utility.

Password policy enforcement

November 27th, 2005

Scott Pinzon’s article on password policy enforcement discusses the issues of policy implementation within a company. According to a UK study from 2004, employees could be induced to divulge their password rather easily. The study indicated that 70% of users would tell a stranger their computer password “in exchange for chocolate”.

However, what if we turn the equation around and devise specific mechanisms that give users an incentive to abide by the password policy rules? For instance, management could offer any user who follows the policy perfectly for a year a $100 gift certificate. Although it may seem absurd to pay people just to get them to do what they’re supposed to be doing already, such a policy enforcement method may be very effective compared to the security risks the company faces when its security is breached.

Compared to the accountability you lose when users share their passwords and turn an individual account into a group account, a hundred bucks is cheap. Compared to the resources compromised on your network when an attacker cracks a 120-day-old password, a hundred bucks is dirt cheap. Compared to the cost of having every user take a class on computer security, a $100 prize is an economical way to generate a security-aware corporate culture.

Although passwords do not provide adequate protection for today’s networks, “username and password” authentication remains the only access credential that most small business networks require. So until new authentication methods, such as smart cards, tokens, or other two-factor authentication techniques, are available, we need to work on making password protections “good enough”.

This blog is run by the authors of Find Protected, an effective information security solution.

Regulatory compliance is the strongest security driver

November 20th, 2005

NetworkWorld.com published research showing that regulatory compliance has emerged as the biggest driver of information security initiatives, trumping concerns such as worms and viruses for the first time, according to Ernst & Young’s survey of 1,300 organizations worldwide.

Nearly two-thirds of respondents said compliance is the primary driver of information security at their businesses, followed by worms and viruses and meeting business objectives. However, IT organizations and information security groups are failing to take advantage of compliance-related concerns to rearchitect their security organizations.

For example, nearly 90% of those implementing security measures to comply with regulations are focusing on issues such as policies, procedures, training and awareness campaigns. Only 41% are also reorganizing their information security function and their architectures as part of the compliance process.

As the focus on general corporate governance and the maturity of overall risk management increases, security professionals are being asked not just about the headline issues, but about the broad picture of information security control.

The survey results highlight the growing pressure regulations are putting on information security organizations. At the same time, they also underscore a growing trend of using compliance as an excuse for all security spending. Often, technologies that need to be implemented anyway are described as compliance-related to get executive buy-in.

The two areas where compliance-related efforts have resulted in increased spending are security event management tools and identity management and password management technologies. But in general, the increased investments in these areas come at the expense of spending in other areas. As a result, overall spending on information security has not increased significantly.