Staff hold key to successful security

October 24th, 2006

Boardroom backing of security policies is the most important element in effectively securing an organisation’s information, according to the Global Information Security Workforce Study 2006.

However, the second most important factor is getting users to follow a policy. Ed Zeitler, executive director of ISC², speaking at RSA Conference Europe this week, says there is now a universal focus on people, rather than technology, as the decisive element in providing security.

‘Security breaches that have made headlines during the past year have been a result of human error, and this further validates the long-held conventional wisdom of information security professionals that people are the critical component of an effective information security program.’

When asked who was accountable for security in 2004, 38 per cent of respondents said the chief information officer. In 2006 that figure dropped to 19 per cent.

‘Regulatory compliance in the public and private sector with things like Sarbanes-Oxley and Basel II puts information security into the risk profile of a bank, so responsibility for these kinds of things goes much higher… The information security profession is being valued as an indispensable business component.’

Allan Carey, program manager at IDC, who led the study, says security professionals are helping CEOs recognise the positive contributions that information security makes to the business.

‘The message of people and processes being absolutely crucial to effective information security is finally starting to resonate with business leaders,’ he said.


This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

Asians more diligent about password management

October 6th, 2006

According to the annual RSA Security Password Management Survey, 39 percent of business users in the Asia-Pacific region are required to change their passwords monthly, compared to 34 percent in Europe and 23 percent in the United States.

Over 1,340 respondents participated in the survey conducted last month, which for the first time polled respondents outside the United States. Participants from the United States and Canada made up about half of the respondents, while Europeans and Asians each accounted for 21 percent of the total surveyed.

John Worrall, the security vendor’s senior vice president of marketing, noted in the statement that “business passwords remain one of the weakest links in the security chain”, due partly to the number of passwords that end users are required to manage.

Respondents from Asia reported the highest levels of awareness of breaches relating to the use of passwords: 35 percent said they know of a corporate security breach that occurred as a result of a compromised password. About 33 percent of participants in Europe, and 14 percent in the United States, gave the same response.

The high number of passwords that users globally have to manage is apparently a source of annoyance. Some 12 percent of respondents from the Asia-Pacific region and 15 percent of users in the United States indicated that they were extremely frustrated at having to manage too many passwords at work.



Hardware level file shredder released

September 25th, 2006

Raleigh, NC (AKS-Labs) September 25, 2006 — AKS-Labs has released version 1.1 of Shred Agent, a file shredding utility that runs in the background and securely erases every file that is deleted.

With the wider use of encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One such avenue is recovering supposedly erased data from the hard disk or from random-access memory.

Shred Agent is designed to protect your privacy. When you delete files in Windows it is possible to undelete or recover them using different file recovery utilities. If you want to make sure that the file you delete cannot be restored by any means, Shred Agent is the right tool for you.

To make sure nobody else has access to your private files, you might use some encryption software. But encryption is useless if the original plaintext can still be recovered. Wiping is the process of writing other data directly over the disk space where the old file was stored.

Shred Agent works at the hardware level, thus wiping the files completely and eliminating the possibility of ever recovering them. What makes it different from most file wiping utilities currently available on the market is the capability to control the wiping of files in the background. For example, you can configure filters to wipe the temporary files created by office programs.

If Shred Agent is installed on a server and a remote user tries to delete a file from the “Include” list, Shred Agent will wipe the file over the network.

Shred Agent can be customized to suit just your needs. Configure filters to wipe only the files with certain extensions or belonging to a specific directory. Make sure Shred Agent is launched every time you switch on your computer. Record all the information about the files being wiped to a log file.

Read more at www.shredagent.com

Users still not wiping data from unwanted PCs

September 5th, 2006

A fifth of secondhand PCs finding their way onto the resale market in the UK, Australia, North America and Germany still contain sensitive data on their hard disks. Research by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia has found that while 41% of the disks were unreadable, 20% contained sufficient information to identify individuals.

The research, based on the acquisition of 300 PCs from auctions, computer fairs and on-line purchases, also found that 5% of the machines held commercial information on organisations, and that 5% held “illicit data”.

Some of the information contained on the disks included payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, and financial details including bank and credit card accounts.

Although the research results show that there has been an improvement in the number of owners properly erasing data, a large number of the discs examined still contained significant volumes of sensitive information. Despite widening security awareness, more regulations and significant publicity, organisations are still not modifying their procedures to ensure that information is effectively removed before disposing of computer discs.

See full article at ComputerWeekly.com.

This blog is run by the authors of QuickWiper, a Windows security program. QuickWiper allows you to delete files with simplicity and ease. When deleting files with QuickWiper, you can choose a fast single pass, or the most secure NSA erasure algorithm.

Sensitive data found in computers on sale

August 15th, 2006

According to the article by Clive Akass, there has been a series of incidents when sensitive data was found in computers on sale in developing-world markets. A recent BBC report has revealed hard disks containing personal data, and even banking details.

However, Computer Aid and Digital Links International (DLI) both said they wipe hard disks as part of their refurbishment process. A DLI statement said it provided a data-destruction certificate to all donors. Chief executive David Sogan said: “We work in partnership with professional refurbishment companies to ensure absolute security and environmental excellence for our donors.”

The problem of sensitive information on hard disks is not restricted to developing-world countries. A lot of data can be retrieved from a PC if only the Windows delete function is used. When selling a laptop, for instance, it is usually necessary to reformat the hard drive and reinstall the operating system. However, even that may not be enough.

“The only way to be 100 percent sure that nobody with computer talents can ferret out some stuff from a hard drive is to use software that writes a 0 or a 1 to each spot on the drive. Even then, Pentagon standards call for repeating the write-over several times” (by James Coates).
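The wiping described in the Shred Agent release above and the overwrite-and-repeat routine Coates describes come down to the same procedure. The following is an added example, not code from Shred Agent, QuickWiper or either article: it overwrites a file in place with zeros, ones and random bytes, reads the fixed passes back to verify them, and then unlinks the file. It assumes a conventional disk and filesystem where an in-place write reaches the file's original blocks.

```python
import os
import secrets
import tempfile

# Constructed three-pass schedule: all zeros, all ones, then random bytes (None).
PASSES = (b"\x00", b"\xff", None)
CHUNK = 64 * 1024


def overwrite_pass(f, size, pattern):
    """Overwrite the first `size` bytes of open file `f` with `pattern` (None = random)."""
    f.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # push this pass to disk before the next one starts


def verify_pass(f, size, pattern):
    """Read the file back and confirm every byte matches the fixed pattern."""
    f.seek(0)
    remaining = size
    while remaining > 0:
        buf = f.read(min(CHUNK, remaining))
        if not buf or buf != pattern * len(buf):
            return False
        remaining -= len(buf)
    return True


def shred_file(path, passes=PASSES):
    """Overwrite `path` once per pattern, verify the fixed passes, unlink it; return pass count.
    Caveat: only the file's current data blocks are covered. Journal entries, shadow copies,
    SSD remapped blocks and copies on network shares are beyond an in-place overwrite."""
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            overwrite_pass(f, size, pattern)
            if pattern is not None and not verify_pass(f, size, pattern):
                raise IOError(f"overwrite verification failed on {path}")
            done += 1
        f.truncate(0)  # drop the length so the name no longer points at data blocks
    os.remove(path)
    return done


def demo():
    """Shred a constructed 'payroll' file in a temp dir; return (passes, still_exists)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll.txt")
        with open(path, "wb") as f:
            f.write(b"employee,salary\nalice,50000\n" * 2000)  # constructed sample data
        return shred_file(path), os.path.exists(path)
```

The verification step is what distinguishes a wipe from a plain write: if the read-back does not match, the data may still sit on the medium and the tool should say so rather than silently removing the name.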


Employee monitoring should be done with care

July 30th, 2006

According to a recent article by Gary S. Miliefsky at SearchCIO.com, “the American Management Association (AMA) performed a survey on employer monitoring of employees and found that 75% of those surveyed already monitor employee Web site surfing… In the survey, more than 50% review and retain emails, while approximately 30% track keystrokes. And more than 80% of these employers surveyed disclose their monitoring policies and practices to their employees”.

It is legal to monitor employees in your organization. However, you have to do it properly, with forethought and purpose. IT organizations planning to monitor their employees should first create a framework with their human resources team to ensure that new hires are aware of the well-documented monitoring policy and given proper disclosure.

Although the federal law allows you to monitor calls unannounced, it’s still best practice to create a written policy about call monitoring and to share this information with your employees and customers. Also, if you accidentally monitor a call that is made for personal purposes and not for business, you are breaking the law.

It is best to ensure your employees are aware of your monitoring policies. For instance, “you could force them to accept a special message at login to their computer or your corporate network that states ‘all emails will be monitored for business purposes and no personal emails are allowed to be created, edited, received or transmitted using corporate resources.’”

As an employer, the best thing your corporation can do is to create an Acceptable Usage Policy and an employee monitoring policy. In the first policy, you define what is appropriate and what is inappropriate for your employees to do when using your corporate resources, including but not limited to all telecommunications and computer and networking systems. In this document, you will clearly spell out to the employees what they can do using company equipment and resources. By providing an employee monitoring policy to your staff members, you’ll let them know exactly where and when you block inappropriate Internet access and when you monitor telephone, computer and Internet usage.

“Just remember that you need to find a balance between ethics, best practices in monitoring and keeping your employees happy and productive”. The best way to do it is to approach the concept of employee monitoring as something that needs to be well thought out in advance and agreed upon by all executives of your organization.


Five things you can do right now

July 27th, 2006

According to today’s article by Roberta Bragg, computers are “a small part of information security”. Strong information security policy requires “a comprehensive plan that secures information wherever it resides—on the mainframe, on the Linux Web server, in the Active Directory, on a PDA, in or available through smart phones and in the hearts and minds of employees, contractors, partners and customers of your organization”.

Making security as easy and as pervasive as breathing won’t happen overnight. A security campaign should be mounted in at least two directions: “a) The big picture, and b) The intimate reality of your day-to-day work”.

IT security implementation consists of the following steps:

1. Create a Stronger Password Policy

There’s no reason you can’t impose policy-based restrictions on IT administrators or anyone who requires special access to servers. They include those who do backups or have admin privileges on a server in order to administer a database or other server application.

2. Lock Down Remote Administration

Where possible, use IPsec or other protected communications. You can also use IPsec to block access to the ports required by your remote administrative programs, and then permit administrative access to those ports only from designated administrative workstations.

Require that computers with sensitive roles or data be administered from the console only, and enforce that by preventing administrative accounts from accessing the computer across the network.

3. Lock Down Administrative Workstations

Designate certain workstations as administrative workstations and harden them, by putting them in a secured area, reinstalling the operating system and adding the latest service pack and security patches (do this off the network). Use IPsec or a personal firewall to control egress and ingress (what goes in and out) and use software restriction policies to prevent the use of non-approved software. Use the workstations for administration only; no playing Solitaire, no e-mail.

4. Physically Secure All Systems

Keep servers locked up. Remove CD-ROMs and floppies from computers in public areas. Provide traveling laptop users with cable locks. Make sure those with access to the data center don’t allow others in. Don’t allow tailgating—the process where someone follows an authorized person into the data center. Teach security guards to look for contraband. (Even those picture-taking phones should be considered unacceptable in many organizations.)

5. Learn To Shut Your Mouth

It’s not rude to refuse to talk about issues that might compromise security. It’s a good practice. Think of the security of your information systems as if you were protecting your family or your country. Don’t let your complaint, need to impress people with your knowledge or request for help made to a public list reveal more than it should.

Hardening networks isn’t a simple chore, nor is it one that can be done overnight. The key is to start right now. Remember: Hardened systems are secure systems.


A new standard for IT security

July 27th, 2006

According to today’s article by Mikael Vingaard at itmanagersjournal.com, the new ISO 27001 standard for Information Security Management Systems (ISMS), created by the International Standards Organization, “can help to locate existing security problems and prevent future threats before they prove harmful to your organization”.

An ISMS is a planned way of managing an organization’s information so that it remains secure, using the right combination of people, processes, and IT systems. The best practices for an ISMS include a wide range of planning to ensure business continuity, minimize business damage, and maximize ROI and business opportunities.

Internationalization of ISO standards will create a demand for a recognised ISMS certification. Clients in the future may ask whether your organization has achieved ISO 27001 certification. Besides providing “marketing” value, it helps IT managers create a framework based on a “Plan-Do-Check-Act” approach. In general, achieving ISO 27001 certification mitigates the risk of human error by having sound procedures and regulations in place.

If the Sarbanes-Oxley Act is relevant for your business, ISO 27001 could be your best way to get a framework.

There are clear relationships between ISO 27001 and the Sarbanes-Oxley Act’s requirement to develop an information security management system that is integrated, comprehensive, and incorporates widely recognized best practices.


Information Security Issues Top Audit Committee Concerns

July 27th, 2006

Public company audit committee members believe they must improve fraud prevention and security audits, but still maintain that they are “very effective,” according to a study by KPMG International.

Of the 317 audit committee members polled, about 70% rated their committee as “very effective.” Even more, 85%, rated themselves that way when it came to ensuring that external auditors remain independent from management, according to KPMG’s Audit Committee Institute.

However, 84% believed routine compliance activities detracted from a greater focus on corporate governance; 78% saw a need to improve information security; and 61% saw a need to decrease fraud risk, according to the survey.

Source: Banknet360.com.


Identity theft epidemic

July 17th, 2006

In “Identity theft epidemic on the rise in the U.S.”, Jane Putnam writes: “Most people do not realize how easily criminals can obtain personal data without even having to break into a home, according to the United States Department of Justice Web site”.

Identity thieves stole nearly $100 million from financial institutions last year, or an average of $6,767 per victim, according to MY ID Fix, an identity theft prevention and victim center.

In April 2005, computer hackers installed a keystroke-recording program on four computers in the Widtsoe Building computer lab. The program recorded information like credit card numbers, net IDs and passwords. It was discovered by a lab assistant and removed from the lab computers.

“Right now, the thing that is most troubling is the large number of data breaches,” said Paul Stephens, a policy analyst at Privacy Rights Clearinghouse in San Diego. “It is so troubling because even an individual who is extremely responsible and careful, there really is not a whole lot they can do to protect themselves. They have to give out certain information, like Social Security numbers and bank codes, to employers and credit card companies. You trust them [employers and financial institutions] to take care of your private information. When they betray that trust, your identity can be stolen.”

This blog is run by the authors of FindProtected. FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.