Write your security policies last!

October 16th, 2005

To secure your business’s confidential information against malicious activity you need a comprehensive security policy. Each organization should work out its own policy according to its security profile. The policy must not interfere with normal business procedures; its job is to provide for data integrity and availability. It should state what level of protection applies to each class of information asset, and it should locate all sensitive information so that it can be stored properly.

Steve Fallin, in “Procrastinators, unite: write your security policy last!”, notes that “writing security policies often seems like a nuisance whenever time and resources are short”. His point is that a security policy written on top of well-documented business processes turns out to be far more effective than one written in a vacuum.

The existence of a policy supposes that you understand something-or-other in your organization well enough to make rational decisions about it. That level of knowledge comes only from experience. The only way to catalog that experience is to study what you do now: not the security technology, but the business processes that require the technology.

In other words, you have to know what your business procedures are before you write a security policy: analyze your business processes, the risks to them and your mitigation strategies first, and only then write the policy that formalizes those decisions.

The biggest danger for identity theft

October 16th, 2005

It is generally considered that the traditional offline routes to identity theft are more real than the technology-driven ones. Amanda Welsh (Identity Theft blog) suggests that this is not exactly so. An individual can guard against the most common online threats by locating and securing the personal information on his own computer, but the growth of highly interconnected databases maintained by corporations and government institutions is probably where the biggest danger of identity theft lies. Identity theft cases are hard to track, because most victims do not know how their information was stolen, which in itself suggests that the victims were not the cause of their identity problems. “Just because someone doesn’t choose to be online, that doesn’t mean their data isn’t.”

Identity theft

October 16th, 2005

A good article has been posted in the SEO Blog about common identity theft issues. Identity theft is the unsanctioned use of another person’s identity, usually for financial gain or to commit a crime. It is one of the most serious threats to the modern economy: it places the entire Internet infrastructure at risk, and it affects people who never use the Net as well.

ID theft is, according to FTC figures, the most common and fastest growing form of consumer fraud. For 2004 the FTC reported that ID thieves took over $100 million from financial institutions, an average of $6,767 per incident. For individual consumers the numbers are even more staggering: as reported by Janet Wu of Boston television station WCVB-TV, money stolen through identity theft in the United States amounted to over $50 billion last year. In other words, nearly $200 per US citizen was stolen in one way or another through identity theft.

The first thing to know is how identity thieves acquire personal information. They may compromise the corporate networks of businesses and government institutions, attack an individual’s personal computer, or simply steal a wallet or purse.

To secure identity information, businesses and government institutions, as well as individuals, should take active measures to protect the personal data they hold. Identity theft is a problem that is not going to go away soon, so it is essential for consumers to be aware of how their personal data is collected and managed.

Security management

October 9th, 2005

I’ve just read a fine article on SecurityPark.net. It is widely accepted that most security breaches result from human error rather than from technology failure. What’s more, recent surveys indicate that employers typically allow diverse online activities in the workplace even when they are considered abusive. “By doing so, they are not only impacting their network performance but are compromising the productivity of employees whilst putting themselves at legal risk.” Corporate senior management turns out to be unprepared to take responsibility for Internet threats, and in particular for the growing menace of spyware. Activities such as instant messaging, using Web-based email, recreational surfing, downloading free software, personal online banking, storing personal files, sharing free music or video files, playing online games, running CD-ROM/DVD media and using USB flash drives on work PCs are all associated with high risks to information security and privacy.

A large number of companies are doing nothing to govern, manage and protect their networks against spyware, and an even larger number are only going half way to combating the problem. Time and again it has been shown that policies alone, although essential from a legal perspective, are not enough to prevent breaches of company rules.

Security management should cover identifying, locating and finally securing confidential information and files. Above all, for the security strategy to work, management must make sure that employees realize their own responsibility for maintaining a secure information environment.

Weakest link in security strategy

October 9th, 2005

An effective security strategy is more about promoting a new way of thinking than about new technology. I’ve found interesting ideas on this in the DMAC blog.
Although more and more security technologies emerge every day, from a security standpoint they all share the same flaw: “they are vulnerable to end user laziness”.

A security solution is only as strong as its weakest link and unfortunately it’s Bill the dad of 4 who doesn’t give two cents about your password policy… It is evident that we will never be able to escape the impact of our weakest link. The solution is to implement security measures that are easy and acceptable to the end user while still maintaining a satisfactory level of security. We have to implement solutions that allow Bill (our weakest link) to continue his normal habits…
Security and Laziness must combine! We must transform the way we think as security professionals. We must put ourselves in Bill’s shoes… Security professionals and end users must reach a compromise.

A corporate security strategy should enhance information availability and integrity while letting people carry on with their everyday tasks. At the same time, every employee in the company must understand the risks of information and identity theft and help maintain a secure information environment.

Write down your passwords

October 9th, 2005

There has been a lot of discussion about whether or not we should write down our passwords. Although most security specialists agree that jotting passwords down is sometimes unavoidable, some say that this alone cannot solve the problem. Nathan’s Daily Grind blog regards password security as “a MAJOR problem”.

We need some sort of federated, independent security model that uses some form of two-factor authentication… The kicker is that we need a system that is (relatively) universally accepted and used, and not one organization (corporate or government) out there has the reputation to be trusted by all of us. Plus I don’t think we can get away with just one way of doing the two-factor authentication.

Each organization needs its own password policy, built on a few clear principles. Creating strong, reliable passwords is essential, but it is just as important to keep track of all the password-protected files on the corporate network. To work out a comprehensive password policy you first need to identify and locate all confidential files. You can find more information on this at Find Password Protected Files.
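As an illustration of the “identify and locate” step, here is an added example of a small inventory scanner; it is not code from this blog or from the Find Password Protected Files tool linked above. It relies on two documented format markers: an encrypted ZIP entry has bit 0 set in the general-purpose flag word of its local file header (offset 6), and a PDF protected by a standard security handler carries an /Encrypt entry in its trailer. The sample archives and PDFs are constructed in memory (zipfile cannot write encrypted archives, so the flag bit is patched in by hand) so that the script runs offline.

```python
"""Toy inventory scanner for password-protected ZIP and PDF files.

Added example for this post; the format checks are real, the sample
files below are constructed and are not real documents.
"""
import io
import os
import struct
import zipfile
from typing import List, Optional, Tuple

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0: entry is encrypted


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk every local file header and report whether any entry is encrypted.

    Only the 2-byte flag word at offset 6 of each header is read, so this
    works even on archives that zipfile would refuse to extract.
    """
    pos = data.find(ZIP_LOCAL_SIG)
    while pos != -1 and pos + 8 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & ZIP_FLAG_ENCRYPTED:
            return True
        pos = data.find(ZIP_LOCAL_SIG, pos + 4)
    return False


def pdf_is_encrypted(data: bytes) -> bool:
    """A PDF with a security handler names it via /Encrypt in the trailer."""
    return data.startswith(b"%PDF-") and b"/Encrypt" in data


def classify(data: bytes) -> Optional[str]:
    """Return 'zip-encrypted', 'pdf-encrypted', or None for anything else."""
    if data.startswith(ZIP_LOCAL_SIG):
        return "zip-encrypted" if zip_has_encrypted_entry(data) else None
    if data.startswith(b"%PDF-"):
        return "pdf-encrypted" if pdf_is_encrypted(data) else None
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Inventory every password-protected ZIP/PDF under root as (path, kind)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = classify(fh.read())
            except OSError:
                continue  # unreadable file; a real scanner would log it
            if kind:
                found.append((path, kind))
    return sorted(found)


# --- constructed samples (hypothetical content, not real documents) ----------

def constructed_zip(encrypted: bool) -> bytes:
    """Build a one-entry STORED archive, optionally flagged as encrypted.

    The flag bit is patched into the local header (offset 6) and the
    central directory entry (offset 8), where an encrypting zipper sets it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("secret.txt", "constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ZIP_FLAG_ENCRYPTED
        central = data.find(ZIP_CENTRAL_SIG)
        data[central + 8] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)


PDF_PLAIN = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")
PDF_ENCRYPTED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"5 0 obj << /Filter /Standard /V 2 /R 3 >> endobj\n"
                 b"trailer << /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in [("a.zip", constructed_zip(True)),
                           ("b.zip", constructed_zip(False)),
                           ("c.pdf", PDF_ENCRYPTED), ("d.pdf", PDF_PLAIN)]:
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        for path, kind in scan_tree(tmp):
            print(kind, os.path.basename(path))
```

Run against a share and the output is a list of files whose protection rests on a password nobody may have recorded, which is exactly the inventory a password policy has to account for. The scanner only recognises two formats and reads each file whole; a production version would add other containers (for example encrypted Office documents) and sample only the header and trailer of large files.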

Welcome note

October 2nd, 2005

Welcome to the Applied Security blog. We are going to write here about the computer security problems of businesses and individuals.

You are welcome to comment on new posts and share your opinion.