E-mail and corporate network security are the top concerns

November 20th, 2005

Intranet Blog reported on a new survey of corporate information security. The survey, conducted among 600 U.S.-based IT professionals and executives from companies of 150 to 16,000 employees, found that e-mail and the corporate intranet are considered the top two security concerns for enterprises.

Findings include:

· 79% of respondents consider email to be the greatest source of attack

· 26% of respondents regard corporate network as the greatest vulnerability

When it comes to enterprise handheld computing, remote control of password policy is considered a very important security requirement by 55% of respondents; only 18% are comfortable with simple user name and password authentication, traditionally used as a primary layer of protection.

This blog is run by the authors of Find Protected, an effective information security solution.

Simply deleting files just won’t do

November 20th, 2005

An article on Iusmentis.com describes secure methods of file deletion. A normal “delete” command does not actually erase a file’s data at all. Even more advanced “file wiping” utilities can leave data on the hard disk that may be used for malicious purposes. In particular, the magnetic properties of a hard disk can be exploited to recover data.

Not so long ago, simple Windows system commands were held to be a “secure” method of file deletion. When these were found to offer very little genuine security, specific utilities became available that were able to overwrite the related disk sectors. It seemed that these would surely be foolproof; however, not all of these programs provided the necessary level of security.

There are three areas of particular concern regarding secure file deletion:

1. When a file is written to a disk, a certain number of sectors or clusters is allocated to it. The disk space allocated is always larger than the file itself, and this unused tail (“slack space”) can contain sensitive data that merely deleting the file does not touch. There are a number of ways in which sensitive data can end up there without the user knowing it.

2. It is in the nature of a computer to always be updating one file or another. Every time a file is updated or “saved”, new copies are created and written wherever there is sufficient space. Applications can create huge numbers of such files. When a file is eventually deleted, only the last image is accounted for; all other images remain in what appears to be free disk space, unseen and unsuspected, until the disk is viewed with the appropriate software, and then all is revealed. Even when partially overwritten, these files can make interesting reading! As a precaution against this kind of threat, NEVER EVER “save” an edited plaintext file; use “save as” instead. All versions will then remain available for deletion.

3. As if the preceding were not enough, applications also create “temporary” files as part of their normal execution. That these files are not so “temporary” can now be appreciated.

Some would say that there is no chance of recovering data that has been overwritten just once or twice. These individuals are unaware of the true extent to which “data remanence” has been investigated! Deletion by rewrite is never absolute; it is more of a sliding greyscale. Once magnetic media have been exposed to a structured magnetic field, it is in reality very difficult to ever totally disguise the fact. This applies especially to present-day drive heads and high-coercivity media. When a write is carried out, magnetic domains are created by the millions for each bit written. There is a limit to how great the write current can be, or adjacent data will be corrupted. Increasing the spacing between adjacent bit representations would lower the total capacity of the media. Modern high-coercivity magnetic coatings allow much greater data densities, but are more difficult to magnetize.

Consequently, when a rewrite is carried out, a significant number of these tiny molecular domains remain in their original orientation. This orientation is never exactly the same twice: the precise orientation of a domain will have been influenced by the adjacent bit representations, so each orientation is individualized like a fingerprint. With each subsequent rewrite, fewer of these “permanent” domains remain, and so a molecular history is encoded in the relative numbers of such domains.

In an age where molecular polarity is such a vital area of science, it should come as no surprise that special techniques exist for its determination. The obvious value of being able to recover data is not lost on malicious attackers.
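To make point 1 and the rewrite discussion concrete, here is an added example (not from the Iusmentis article or from this blog) of how a careful wiping routine handles the allocation problem: it overwrites the file’s whole allocated extent rather than its logical length, so the slack at the end of the last cluster is covered, repeats the pass several times, forces each pass to disk, and renames the file to a meaningless name before unlinking it so the directory entry no longer records the original filename. The `SECRET` content, the temporary file and the 4 KiB fallback cluster size are constructed for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed sample content standing in for a sensitive plaintext file.
SECRET = b"Q3 payroll figures: see attached spreadsheet before the board meeting\n"
CLUSTER = 4096  # assumed cluster size, used only when st_blocks is unavailable


def allocated_size(path):
    """Bytes the filesystem has set aside for the file: the full block/cluster
    extent, which is what a wipe must cover, not just the logical length."""
    st = os.stat(path)
    blocks = getattr(st, "st_blocks", 0) or 0
    # POSIX reports st_blocks in 512-byte units; Windows has no st_blocks,
    # so round the logical size up to a whole cluster instead.
    alloc = blocks * 512 if blocks else -(-st.st_size // CLUSTER) * CLUSTER
    return max(alloc, st.st_size)


def overwrite_contents(path, passes=3):
    """Overwrite the entire allocated extent with fresh random bytes on every
    pass, syncing each pass to disk. Returns the bytes overwritten per pass."""
    size = allocated_size(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(remaining, 1 << 20)
                f.write(secrets.token_bytes(chunk))
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    return size


def wipe_file(path, passes=3):
    """Overwrite, rename to a meaningless name so the directory entry no longer
    shows the original filename, then unlink."""
    size = overwrite_contents(path, passes)
    anonymous = os.path.join(os.path.dirname(os.path.abspath(path)),
                             secrets.token_hex(8))
    os.replace(path, anonymous)
    os.remove(anonymous)
    return size


def demo():
    """Write SECRET to a temporary file, wipe it, and report what happened."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SECRET)
        path = tmp.name
    logical = os.path.getsize(path)
    allocated = allocated_size(path)
    overwrite_contents(path, passes=1)      # one pass, then inspect the result
    with open(path, "rb") as f:
        after = f.read()
    wiped = wipe_file(path)                  # full wipe and unlink
    return {
        "logical": logical,
        "allocated": allocated,
        "secret_survived": SECRET in after,
        "length_after_overwrite": len(after),
        "bytes_per_pass": wiped,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Overwriting in place only reaches the sectors the file currently occupies. Journaling and copy-on-write filesystems, SSD wear levelling, and the earlier saved copies and temporary files described in points 2 and 3 can all leave other images of the data untouched, which is why the article’s advice about versions and temporary files matters as much as the wipe itself.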

This blog is run by the authors of QuickWiper, a file wipe utility.

People are willing to pay more for better protection

November 13th, 2005

About 73 percent of 1,000 consumers surveyed in the U.S. said they are worried about identity theft and fraudulent use of their bank accounts or credit cards, compared to 51 percent who expressed such fears in 2004. Nearly 17 percent of consumers cited instances of identity theft, while 42 percent said their banks informed them of threats of phishing.

Some 40 percent of the people polled are willing to pay fees for greater protection of their online transactions and bank accounts, compared to 27 percent who were ready to do so last year.

This consumer attitude will likely drive banks to adopt more sophisticated security solutions. Otherwise, they risk losing existing and potential customers, as well as revenue streams and brand reputation.

Measures to protect your critical data

November 13th, 2005

Steven Presar wrote in his article on business data security that the number of security events increased by more than 80% in the first quarter of this year compared with the previous three months. This is bad news for any small business that works with a computer, but small businesses that base their business on computers should be particularly alarmed.

What measures can you take to shield your small office computer systems and data from malicious activity of any kind?

All good computer data security begins with a regularly scheduled data backup plan. All data critical to the running of your business must be backed up regularly. It is also wise to implement an automated backup system to create backup copies on a regular basis.

Make sure that your computer is protected from viruses and malicious worms. Install good anti-virus software and update it regularly.

There is also another potential threat to your data — a disgruntled employee. Employees should by all means be included in your data security policy. Research has shown the greatest threat to a business’s security is from its own staff. Some businesses forget to ensure that policy and procedures are set up to protect against potential threats such as e-mail viruses, internet misuse and mishandling of personal and private data, which can all lead to an attack on the company’s security, not to mention a mark on its reputation.

You may want to include an external security audit in your security policy. Auditing is an ongoing process and should be undertaken annually or biannually, or following a significant change within your business that may affect security (a disgruntled key employee leaving, an office break-in, etc.).

People need to be audited as well. It is important to audit each user’s authorization and privilege level so that the confidentiality of business information is secured and maintained. If this policy is adhered to, security risks will be greatly reduced. Computer and internet use policies have become popular among businesses; many such policies are written into employees’ employment contracts.

Security policy is critical to your business efficiency. It should provide for availability, integrity and security of the information that is important for your business procedures.
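The audit of each user’s authorization and privilege level, and the “key employee leaving” trigger mentioned above, can be turned into a routine check. The following is an added example, not code from Steven Presar’s article or from this blog: it reconciles a server’s accounts against the HR roster and each role’s entitlements, flagging accounts with no owner (shared or orphaned), accounts of departed staff that are still enabled or whose password was never reset, and privileges beyond what the person’s role needs. The roster, accounts and role entitlements are constructed sample data.

```python
from datetime import date

# Constructed sample data: the HR roster and the accounts found on a server.
ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob":   {"status": "left", "role": "sales", "left_on": date(2005, 10, 3)},
    "carol": {"status": "active", "role": "support"},
}

# Privileges each role legitimately needs (an assumed policy for the example).
ROLE_PRIVILEGES = {
    "finance": {"payroll", "ledger"},
    "sales":   {"crm"},
    "support": {"tickets"},
}

ACCOUNTS = [
    {"user": "alice", "enabled": True, "privileges": {"payroll", "ledger", "crm"},
     "password_changed": date(2005, 9, 1)},
    {"user": "bob", "enabled": True, "privileges": {"crm"},
     "password_changed": date(2005, 6, 12)},
    {"user": "carol", "enabled": True, "privileges": {"tickets"},
     "password_changed": date(2005, 10, 20)},
    {"user": "backup-svc", "enabled": True, "privileges": {"ledger"},
     "password_changed": date(2005, 1, 5)},
]


def audit_accounts(roster, accounts, role_privileges):
    """Reconcile accounts against the HR roster and each role's entitlement.
    Returns {user: [finding, ...]} for the accounts that need attention."""
    findings = {}

    def flag(user, message):
        findings.setdefault(user, []).append(message)

    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            flag(user, "no owner in the HR roster: shared or orphaned account")
            continue
        if person["status"] == "left":
            if acct["enabled"]:
                flag(user, f"account still enabled; employee left on {person['left_on']}")
            if acct["password_changed"] <= person["left_on"]:
                flag(user, "password not reset since the employee left")
        excess = acct["privileges"] - role_privileges[person["role"]]
        if excess:
            flag(user, f"privileges beyond the {person['role']} role: {sorted(excess)}")
    return findings


def run_audit():
    """Run the audit over the constructed sample data."""
    return audit_accounts(ROSTER, ACCOUNTS, ROLE_PRIVILEGES)


if __name__ == "__main__":
    for user, messages in run_audit().items():
        for message in messages:
            print(f"{user}: {message}")
```

Run against the sample data it flags Alice’s CRM access (beyond the finance role), Bob’s account (still enabled and not reset after he left) and the ownerless backup account, while Carol’s account passes. Feeding it a real export of accounts and a current roster is the form an annual or post-departure audit would take.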

Identity breach laws

November 13th, 2005

According to InfoWorld, after a series of data breaches earlier this year, members of the U.S. Congress raged about the irresponsibility of breached companies and introduced a flurry of bills requiring companies to notify affected customers when data is lost.

Major U.S. companies reported more than 60 data breaches between January and September this year, and although the Congress as well as a number of state legislatures have debated a handful of bills regarding identity data protection, no data breach notification bill has been approved. Most observers express hopes that a data notification bill will be passed in the Congress in 2006. Most of the bills that are discussed now may take a step backward from existing state laws. Besides, some consumer and privacy groups aren’t eager to see federal data breach notification legislation pass — at least not most of the legislation introduced in Congress this year.

Twenty-one states have now passed some form of a data breach notification bill, including a tough New York law that makes no exception for small data breaches or breaches unlikely to result in identity theft, set to go into effect next month. However, some large businesses and trade groups have called for a national, unified law that preempts state laws.

Many of the congressional bills allow breached companies to decide whether the breach is likely to lead to identity theft and thus warrants consumer notification. Federal law concerning identity and privacy protection is likely to be a major incentive for businesses to create a more effective security strategy and work out specific data protection techniques.

Choosing a password

November 10th, 2005

Employees in a company are generally forced to avoid easily stolen passwords. But the hard-to-guess passwords most often used are not always hard to type as well, and may therefore be vulnerable to prying eyes.

Jacek Kopecky wrote: “When creating a password I choose random keys that are easy to write — alternating the fingers and trying it out. The commonly used passwords, even historical ones, are completely in my muscle memory.

This is also a fairly good defense against shoulder surfers trying to see what I’m typing — I type it very fast, usually sans mistakes, and it’s random enough that a looking person won’t get it.”

You can also use passphrases to create a strong password. Use a line of poetry or a quotation that no one except you knows. To make a passphrase more complicated, replace letters with appropriate symbols, for example type 1N&I@nA J8ne$ instead of “indiana jones”.

Strong password policy

October 30th, 2005

Alistair McDonald’s article on password policy describes the key elements of a corporate security strategy.

Modern corporate life requires considerable diligence, adherence to legislation, and many other distractions from the core business of an organisation. Where computers are concerned, there is potential for abuse of corporate systems, infection of corporate systems with viruses, trojans and other malware, and damage to reputation through hacking and improper use of resources by employees.

Each organization needs a comprehensive security strategy which provides for the proper location of protected files, authorization techniques, employees’ access rights, as well as a strong password policy. Password policy is a key element in creating a comprehensive security strategy.

Password policy should contain the following rules:

1. Never base a password on a single word. A password should be at least eight characters, and ideally 12 or more. The longer a password, the less chance of a hacker breaking it quickly. Concatenating two words will create a longer word, but hacker tools will search for this, and it is better to misspell one or both of the words so that a straight dictionary approach will not work. Try to avoid using words in your passwords that can be associated with you or your work. Passwords must be based on a random combination of words. You can also replace occasional letters with numbers or punctuation marks. Using both upper and lower case will definitely help too.

2. Never write passwords down in an easy to read form. If you do write them down, try to disguise them. Never leave passwords near the PC.

3. Never share accounts or give out passwords.

4. Never use a work password for leisure. Using the same password on more than one system makes the user’s life easy, as they only have to remember one password. Single-sign-on systems can be very useful in the corporate environment, but users should not use their work passwords for any systems they use at home. Some websites and applications don’t give enough protection to their accounts, so the password may be easily intercepted. If you use similar passwords for a number of services, once an attacker intercepts a single password, he may gain access to a large amount of information.

5. Reset accounts as soon as employees leave the firm. Every account that employees have access to should have its password reset as soon as they leave the building. The manager can take control of the accounts if required, but the passwords should be reset as soon as possible. This is vitally important if shared accounts are in use.
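Rule 1 above is the one that lends itself to automated enforcement at password-change time. The following is an added example, not from Alistair McDonald’s article or from this blog: it applies the rule’s hard requirements (minimum length, not a single dictionary word, not two dictionary words concatenated, no term associated with the user or their work) as failures, and its “should” guidance (12 or more characters, mixed case, digits or punctuation) as advice. The wordlist is a tiny constructed one; a real check would load a full dictionary and a list of the organisation’s own names.

```python
import string

# A tiny constructed wordlist; a real check would load a full dictionary.
DICTIONARY = {"indiana", "jones", "password", "summer", "welcome",
              "office", "london", "admin"}
MIN_LENGTH = 8
RECOMMENDED_LENGTH = 12


def letters_only(pw):
    """The alphabetic core of a password, lower-cased, so that 'Summer2005'
    is still recognised as the dictionary word 'summer'."""
    return "".join(ch for ch in pw if ch.isalpha()).lower()


def is_two_words(word):
    """True if word is exactly two dictionary words stuck together."""
    return any(word[:i] in DICTIONARY and word[i:] in DICTIONARY
               for i in range(1, len(word)))


def check_password(pw, personal_terms=()):
    """Apply the policy. Returns {"ok": bool, "problems": [...], "advice": [...]}:
    problems fail the policy, advice is the policy's 'should' guidance."""
    problems, advice = [], []
    core = letters_only(pw)

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        advice.append(f"{RECOMMENDED_LENGTH} or more characters is recommended")

    if core in DICTIONARY:
        problems.append("based on a single dictionary word")
    elif is_two_words(core):
        problems.append("two dictionary words concatenated; misspell one of them")

    for term in personal_terms:
        if term.lower() in pw.lower():
            problems.append(f"contains a term associated with you or your work: {term!r}")

    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        advice.append("mix upper and lower case")
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        advice.append("replace some letters with digits or punctuation")

    return {"ok": not problems, "problems": problems, "advice": advice}


if __name__ == "__main__":
    for candidate in ("indianajones", "Summer2005", "1N&I@nA J8ne$", "Tr4ck!ngL"):
        print(candidate, check_password(candidate, personal_terms=("acme",)))
```

The `personal_terms` argument is where the organisation’s name, the user’s login and similar work-associated words go; the check treats any of them appearing inside the password as a failure.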

Risk assessment

October 30th, 2005

CIS462Robert’s blog contains some thoughtful ideas about risk assessment techniques. Risk assessment is the first process in the risk management methodology. Organizations use risk assessment to determine the extent of the potential threat and the risk associated with an IT system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process.

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system. Impact refers to the magnitude of harm that could be caused by a threat’s exercise of a vulnerability. The risk assessment methodology encompasses nine primary steps, as shown below:

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Risk assessment and mitigation procedures are an important stage in creating a comprehensive security strategy.
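Steps 4 to 9 are easiest to see on a small worked register. The nine steps listed above are those of NIST SP 800-30, and the example below (added here; it is not code from CIS462Robert’s blog) uses that document’s likelihood ratings (0.1/0.5/1.0), impact ratings (10/50/100) and risk scale (High above 50, Medium above 10, otherwise Low). The threat/vulnerability pairs are constructed, and the assumption that one effective existing control lowers the likelihood by a single level is a simplification made for this example, not a rule from SP 800-30.

```python
LEVELS = ("Low", "Medium", "High")

# SP 800-30 rates likelihood 0.1/0.5/1.0 and impact 10/50/100 and multiplies
# them; the product is mapped back to a risk level by risk_level().
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}
ACTION = {
    "High": "corrective measures needed as soon as possible",
    "Medium": "plan and implement corrective actions within a reasonable period",
    "Low": "decide whether to act or accept the risk",
}

# Constructed threat/vulnerability pairs (steps 2 and 3) with the raw
# likelihood (step 5), the impact (step 6) and whether an effective
# control already exists (step 4).
THREAT_PAIRS = [
    {"threat": "phishing e-mail with malicious attachment",
     "vulnerability": "users can run attachments",
     "likelihood": "High", "impact": "High", "effective_control": False},
    {"threat": "exploit of an unpatched server",
     "vulnerability": "missing security patches",
     "likelihood": "Medium", "impact": "High", "effective_control": True},
    {"threat": "laptop theft",
     "vulnerability": "unencrypted local files",
     "likelihood": "Medium", "impact": "Medium", "effective_control": False},
]


def lower_level(level):
    """One step down the Low/Medium/High scale, never below Low."""
    return LEVELS[max(0, LEVELS.index(level) - 1)]


def risk_level(score):
    """Map the product back to SP 800-30's scale: High >50, Medium >10, else Low."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pair):
    """Steps 4-7 for one pair. Assumption for this example: an effective
    existing control lowers the likelihood by one level."""
    likelihood = pair["likelihood"]
    if pair["effective_control"]:
        likelihood = lower_level(likelihood)
    score = round(LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[pair["impact"]], 6)
    level = risk_level(score)
    return {"threat": pair["threat"], "likelihood": likelihood,
            "impact": pair["impact"], "score": score, "level": level,
            "action": ACTION[level]}   # step 8: what to recommend


def risk_register(pairs):
    """Step 9: every result, highest risk first."""
    return sorted((determine_risk(p) for p in pairs),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in risk_register(THREAT_PAIRS):
        print(f"{row['level']:6} {row['score']:>5} {row['threat']}: {row['action']}")
```

On the sample register the phishing pair scores 100 (High), laptop theft 25 (Medium), and the unpatched server drops to 10 (Low) only because a control is already in place; removing that control would put it back at 50 (Medium), which is the kind of sensitivity the control analysis step is meant to expose.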

Is it possible to retain privacy?

October 22nd, 2005

In the information age, it seems almost impossible to assure your privacy. A person’s first and last name in combination with SSN, DL or financial accounts is a combination of data that is dangerous to lose track of. As IS202 Discussion Board says, combining and publishing certain types of information “make one not only identifiable in virtual space, but in reality.” With too much personal information available online, it is incredibly easy these days to track someone down. Even personal addresses and phone numbers are sensitive pieces of information – for both electronic identity and personal safety. Jeff Kalvass writes:

The battle between security policy and mechanism is never ending – essentially a game of cat and mouse …There seems to be plenty of security policies floating around, but their implementations are inconsistent, fuzzy, and in some places non-existent… The solutions to implement many existing security policies are out there, it’s just deploying these mechanisms properly that seems to be problematic. There also exist economic incentives to protect systems, which directly relate to who should be accountable for breaches of security.

Identity protection is a major problem and it should be seriously considered by IT specialists as well as businesses and government institutions.

Security basics

October 22nd, 2005

Computer and network security used to be the concern of only the largest corporations. However, with the networks becoming more interconnected and generally available, the tide is turning. Now, small businesses and individuals may experience a security breach that is likely to have catastrophic results. VPN blog relates the basics that even the smallest network should adhere to:

- Never use a computer system for both personal and business use. This is an immediate risk to public disclosure of confidential information and accidental loss of data.
- A daily and monthly data backup process should exist which also provides for off-site or fireproof storage of the backup data in a non-editable format (i.e. offline magnetic tape or CD-R (not CD-RW)).
- Any connection to the Internet should be behind a software or hardware-based firewall.
- Use a password to login to your computer even if it is not on a network.
- Use and update daily an anti-virus software suite.

These measures may help dramatically reduce the risk of a security breach. However, it is equally important to manage the confidential information stored on your computer properly. Confidential files should be given adequate password protection, and the password-protected files should be properly located on your computer. File names shouldn’t reveal the confidential nature of the information they contain. Store protected files in hidden or secure folders. Try to avoid having more than one copy of the same file, as multiple copies are more likely to be found by an attacker. For more information on password protected files, see Find protected files.