Weakest Link in Network Security

July 17th, 2006

Your small-business network may be protected by firewalls, intrusion detection and other state-of-the-art security technologies. And yet, all it takes is one person’s carelessness, and suddenly it’s as if you have no network security at all.

In March 2006, a major financial services firm with extensive network security disclosed that one of its portable computers had been stolen. The laptop contained the Social Security numbers of nearly 200,000 people… An employee of the firm, dining in a restaurant with colleagues, had locked the laptop in the trunk of an SUV. During dinner, one of the employee’s colleagues retrieved an item from the vehicle and forgot to re-lock it. As fate would have it, there was a rash of car thefts in that particular area at that particular time, and the rest is history.

No matter how secure your network may be, it’s only as secure as its weakest link. And people, meaning you and your employees, are often the weakest link. Poor security puts your business, and your partners, at risk. As a result, many enterprises and organizations, such as credit-card companies, now specify minimum levels of security you must have in order to do business with them.

Here are nine ways to minimize the risks that people can pose to the security of your company’s data:

  • Password-protect your computers and mobile devices–particularly laptops.
  • Don’t store passwords in unprotected areas.
  • Consider laptops with biometric security.
  • Encrypt confidential files.
  • Whenever possible, don’t carry confidential data on a portable device or removable media.
  • Lock your laptop when traveling.
  • Stay up to date.
  • Be vigilant.
  • Create and enforce a security plan.

According to an article by Peter Alexander.

    This blog is run by the authors of FindProtected.
    FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

    Next Data Breach Could Mean Your IT Job

    July 17th, 2006

    Today’s article by Larry Greenemeier on InformationWeek.com: “The best time to review, improve, and communicate security policies is before potential problems surface”. Usually, “an employee or contractor makes an arbitrary decision to violate security policies so as to make his job easier”, and policies go unenforced as long as the work gets done and nothing bad happens.

    What’s particularly alarming is that the desire for security compliance doesn’t sync with the effort businesses put toward training and education, both within the IT department and throughout the workforce. Monitoring user compliance ranked as the No. 1 security priority in a survey of 966 U.S. companies polled by InformationWeek Research and Accenture. Security policies typically define who has access to data, how it can be used, where customer data can and can’t be stored, any potential legislation the company is subject to if the data is breached, and whether data must be encrypted.

    However, more than half of U.S. companies surveyed say security technology and policy training would have no impact on alleviating employee-based breaches, a sentiment shared by more than half of the companies surveyed in Europe and China as part of the InformationWeek 2006 Global Security Survey. In fact, most companies surveyed worldwide admit they don’t train their employees on information security policies and procedures on a regular basis, preferring instead to deliver ad hoc training.

    “Given the increase in the number of data breaches, businesses can’t allow security polices to become hampered by ambivalence and red tape. Next time, it could be your job on the line.”

    New Federal Discovery Rules are Coming

    July 11th, 2006

    Discovery is the part of the litigation process in which opposing parties exchange relevant information and testimony. Discovery helps both sides understand the facts and evidence before the trial starts. On April 12, 2006 the Supreme Court approved proposed amendments to the Federal Rules of Civil Procedure to address discovery issues that are unique to electronically stored information. These amendments will increase the pressure on corporations to proactively manage the electronic discovery process to avoid sanctions, unfavorable rulings and a loss of public trust.

    The amendments will require that if your company is engaged in a lawsuit, prior to a discovery request it must furnish to the other party a description of the electronically stored information it plans to use in its case. In addition, your company will be required to expand the scope of its potentially relevant data sources to include all media and all formats, including backup media, portable media, and remote or third-party locations.

    The amendments state that absent “exceptional circumstances” you will not be subject to sanctions for failing to produce email or electronic documents “as a result of the routine, good-faith operation of an electronic information system.” However, the rules make it clear that IT should, in certain circumstances, intervene to modify or suspend automatic overwriting or deletion functions to prevent the loss of information related to a pending case.

    Here are the specific steps IT should take to be prepared for the new regulations:

    #1 – Map out all places where electronic information is stored

    #2 – Update your records retention policy to include all electronic information

    #3 – Ensure your litigation hold policy fully covers all electronic information including backup tapes

    #4 – Establish systems that simplify identification, retrieval and production of potentially relevant data

    See the full article by Kevin B. Roden (posted July 7th): New Federal Discovery Rules are Coming. How Can IT Get Ready?

    This blog is run by the authors of FindProtected.
    FindProtected is a security program that allows you to search your network for password protected and evidential files. FindProtected makes it easier to discover electronic evidence that may be used in litigation.

    Call for identity theft crackdown

    July 5th, 2006

    The UK Government has been urged to crack down on “identity theft” and raise public awareness of a growing form of fraud. The call came as Euro-MPs launched moves for cross-border co-ordination of efforts to prevent criminals stealing individual identities as a cover for their crimes.

    According to a recent official report examining the measures in place to combat identity fraud throughout the EU, “European governments are not doing enough to fight rising levels of identity theft”. Chief among the criticisms highlighted is a need to enhance coordination between police forces, internally, within different EU states, and between member states and those outside the EU.

    “Tackling identity offences is currently hampered by a lack of official data about the scale of the problem”. Although all European countries have acted to respond to identity offences, public awareness should be stepped up and European cooperation improved to tackle the problem.

    In the UK alone, more than one in four people are affected by identity theft. With the number of identity theft victims rising every year, it is clear that more needs to be done to raise people’s awareness of this issue.

    See full article.

    This blog is run by the authors of FindProtected. FindProtected is an effective security program that allows you to search your network for password protected files. With FindProtected, you can properly identify protected files and relocate them if necessary.

    IT professionals lax about password management

    June 30th, 2006

    A survey of nearly 200 IT security professionals, conducted at Infosecurity, Europe’s largest information security event, revealed the following:

    Only 40 per cent of survey participants change administrative passwords monthly or more frequently; 30 per cent change them quarterly and a staggering 15 per cent never change IT administrative passwords.

    A quarter also admit that their IT staff can access administrative passwords without permission. This is a serious oversight: these are the most powerful and critical passwords of all, overriding all others and giving the “administrator” access to the network, the systems and the very applications that form the backbone of enterprises worldwide.

    Twenty eight per cent keep their administrative passwords in their heads – while 38 per cent still resort to writing down their passwords and storing them on paper.

    Less than a third (32 per cent) are storing administrative passwords digitally. The remainder continue to use labor-intensive, manual processes, including paper copies stored everywhere from locked cabinets to safes.

    Twenty two per cent of respondents estimate that their colleagues are still keeping passwords on Post-It Notes, while 14 per cent use unsecured spreadsheet files – making it relatively easy for an infiltrator to access the administrative passwords.

    According to tmcnet.com.
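The spreadsheet and text-file habit described above is something you can check for on your own shares. The following is an added example, not FindProtected’s code or anything from the survey: it walks a directory tree and flags text and CSV files whose names or contents look like ad-hoc credential lists. The name patterns, header words and the “password = …” line shape are this example’s own heuristics, and the sample share it scans is constructed inline.

```python
"""Find unsecured text/spreadsheet files that look like ad-hoc credential
stores on a file share. Added example (not FindProtected's own code); the
name and content heuristics below are this example's assumptions."""
import csv
import io
import os
import re
import tempfile

# Heuristics (assumed): names people give credential lists, spreadsheet
# header cells that hold secrets, and "password = ..." style lines.
NAME_HINTS = re.compile(r"pass(word|wd)?|cred|login|admin", re.I)
HEADER_HINTS = {"password", "passwd", "pwd", "secret"}
PASSWORD_KV = re.compile(r"\b(?:pass(?:word)?|pwd|secret)\b\s*[:=]\s*\S+", re.I)
TEXT_SUFFIXES = {".csv", ".txt", ".tsv", ".log"}
MAX_BYTES = 1 << 20  # skip anything larger than 1 MiB


def csv_has_password_column(text):
    """True when the first row of a CSV names a password-like column."""
    try:
        header = next(csv.reader(io.StringIO(text)))
    except StopIteration:
        return False
    return any(cell.strip().lower() in HEADER_HINTS for cell in header)


def scan_file(path):
    """Return the reasons this file looks like a credential store ([] if none)."""
    reasons = []
    name = os.path.basename(path)
    if NAME_HINTS.search(name):
        reasons.append("filename suggests credentials")
    ext = os.path.splitext(name)[1].lower()
    if ext not in TEXT_SUFFIXES or os.path.getsize(path) > MAX_BYTES:
        return reasons
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except UnicodeDecodeError:
        return reasons  # binary or non-UTF-8: not a notes file or spreadsheet export
    if ext == ".csv" and csv_has_password_column(text):
        reasons.append("password column in header")
    hits = PASSWORD_KV.findall(text)
    if hits:
        reasons.append(f"{len(hits)} password-style key/value line(s)")
    return reasons


def scan_tree(root):
    """Map relative path -> reasons for every suspicious file under root."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            reasons = scan_file(path)
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings


def build_sample_share():
    """Constructed sample files standing in for a departmental file share."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        "finance/admin-passwords.csv": "host,user,password\nfs01,Administrator,Summer2006!\n",
        "it/servers.txt": "sql01 root: ch4ngeme\nsql02 password = letmein\n",
        "hr/holiday-notes.txt": "Bring passport copies to the office by Friday.\n",
        "backup/db.bin": None,  # binary blob; must be skipped, not crash the scan
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(bytes(range(256)) if content is None else content.encode())
    return root


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(build_sample_share()).items()):
        print(f"{rel}: {'; '.join(why)}")
```

Run against a real share, the scan reports the finance spreadsheet twice over (its name and its header) and the server notes once (a “password = letmein” line), while the holiday notes and the binary file are ignored. Treat the output as a worklist: every hit is a password that should be moved into a proper store and then rotated, since you cannot know who has already read the file.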

    Security policies: Don’t be an army of one

    June 30th, 2006

    Harris Weisman’s recent article “Security policies: Don’t be an army of one”:

    One of the most difficult duties the majority of information security professionals face is the development, implementation and enforcement of information security policies. While many organizations accept the fact that security policies are needed, more often than not projects that address policy issues are given a low priority, insufficient resources and inadequate funding. In many cases, information security professionals are left on their own to create and implement policy, train staff and run enforcement.

    However, with the change in the legislative climate (the passing of SOX, GLBA and HIPAA), organizations can no longer afford to relegate information security policies to the back burner. Information security professionals must therefore spur the organization into action.

    For successful implementation of security policy, the following departments of an organization should be involved: executive management, the Board of Directors, auditors, as well as employees from around an organization. “The key to obtaining their support is to help them understand the importance of security policies and policy enforcement”.

    External auditors can be a great resource and their advice is often taken more seriously by management. Auditors may also be able to provide you with a list of resources and contacts, and act as a sounding board. It is better to obtain and implement auditors’ input before an actual audit, since an unfavorable audit could have an adverse effect on year-end reporting. Remember to “keep your friends close and your enemies closer.”

    When creating your own security policy, you may use existing policy resources from reputable sources. You can also discuss your security policy with “business peers, trade associations, or regional and national information security organizations”.

    To enforce your security policy within an organization, make sure all employees understand the security policies that pertain to their role in the organization. “A policy that no one knows about cannot be enforced”. Showing employees what they need to do and how they can make an impact on the security of the organization can help motivate them to abide by the policies and assist in policy enforcement.

    Cyber crime ‘costs UK plc £270,000 an hour’

    June 23rd, 2006

    Cyber crime is costing UK companies up to £270,000 every 60 minutes – but many are unaware of the sheer scale of the outbreak, independent risk consultants have warned.

    The investigators claim many established businesses are unaware of the scale of computer crime due to the virtual nature of the attacks, and their authors.

    Through greater connectivity and technological advances, e-crime is growing at a rapid rate and will continue to do so for the foreseeable future. However, the factors behind this also make it easier to identify the electronic ‘fingerprints’ of the criminals. With the proliferation of computers, PDAs and mobile phones, electronic evidence is proving ever more important in solving crimes.

    In order to minimise the risk a company faces, the investigators offered the following best-practice recommendations:

    “Contain and Preserve:”
    • Act decisively to prevent the loss or damage of digital evidence, which is a volatile medium
    • Initiate all responses with the most serious consequences in mind; it can always be scaled down as more facts/information come to light. It’s too late once you are at court
    • Never use internal IT staff to collect your evidence because mistakes can be embarrassing or leave the organisation open to the possibility of being counter-sued

    “Ascertain the extent of the incident:”
    • Determine to what extent the company has been exposed by the incident
    • Determine if future incidents can be avoided
    • Determine if changes to infrastructure, systems, policy or contracts need to be made

    “Resolve the matter:”
    • You will now be in the position to know how to address the situation. This could include doing nothing, dealing with IT in-house, formalising the incident with legal debate or escalating the matter to a higher authority e.g. Police
    • Assess what damage control may be required
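The first recommendation, preserving evidence before it changes, is the one most easily supported with tooling. The block below is an added example and not part of the article: it records a SHA-256 digest, size and modification time for every file in a collected evidence set, seals the record with a hash of the manifest itself, and later reports any file that was altered, added or removed. The evidence files are constructed inline and the manifest layout is this example’s own.

```python
"""Seal collected evidence files in a hash manifest and verify it later.
Added example of the 'contain and preserve' step (not from the article);
the sample files are constructed here and the manifest layout is assumed."""
import hashlib
import json
import os
import tempfile
import time


def sha256_file(path, chunk=65536):
    """Stream the file so large images and logs need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def walk_files(root):
    """Yield (relative_path, absolute_path) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            yield os.path.relpath(path, root).replace(os.sep, "/"), path


def build_manifest(root):
    """Record hash, size and mtime of every file; seal with a manifest hash."""
    files = {}
    for rel, path in walk_files(root):
        st = os.stat(path)
        files[rel] = {"sha256": sha256_file(path), "size": st.st_size,
                      "mtime": int(st.st_mtime)}
    body = json.dumps(files, sort_keys=True).encode()
    return {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": files,
        # The sealing hash is what goes on the chain-of-custody form;
        # it changes if any entry above is edited after collection.
        "manifest_sha256": hashlib.sha256(body).hexdigest(),
    }


def verify_manifest(root, manifest):
    """Return sorted discrepancies between the tree and the manifest ([] = intact)."""
    expected = manifest["files"]
    body = json.dumps(expected, sort_keys=True).encode()
    problems = []
    if hashlib.sha256(body).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest entries were edited after sealing")
    seen = set()
    for rel, path in walk_files(root):
        seen.add(rel)
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
        elif sha256_file(path) != expected[rel]["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    problems.extend(f"missing file: {rel}" for rel in expected if rel not in seen)
    return sorted(problems)


def build_sample_evidence():
    """Constructed stand-in for files copied off a suspect workstation."""
    root = tempfile.mkdtemp(prefix="evidence-")
    samples = {
        "logs/auth.log": "Jun 23 09:14:02 ws17 sshd[412]: Accepted password for jsmith\n",
        "mail/outbox.eml": "From: jsmith@example.com\nSubject: customer list\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return root


def simulate_mishandling(root):
    """Append to one file and delete another, as careless handling might."""
    with open(os.path.join(root, "logs", "auth.log"), "a") as fh:
        fh.write("Jun 23 09:20:00 ws17 sshd[412]: session closed\n")
    os.remove(os.path.join(root, "mail", "outbox.eml"))


if __name__ == "__main__":
    root = build_sample_evidence()
    manifest = build_manifest(root)
    print("sealed:", manifest["manifest_sha256"])
    print("intact:", verify_manifest(root, manifest) == [])
    simulate_mishandling(root)
    print("after mishandling:", verify_manifest(root, manifest))
```

Build the manifest immediately after collection, from a read-only copy of the media if you have one, and store it (or at least its sealing hash) somewhere the collection team cannot alter. Verifying before analysis and again before production gives you a demonstrable answer to the question opposing counsel will ask: has anything changed since it was seized?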

    See full article.

    Rapid response key in fighting ID theft

    June 23rd, 2006

    In the past 15 months, corporations, universities and other organizations alerted more than 85 million U.S. consumers that their personal or financial data might have been exposed through electronic breaches, disgruntled employees or just plain incompetence. While consumer data leaks don’t automatically result in financial losses or identity theft, experts say your chances of becoming a victim depend on how well you know your rights and how quickly you spring into action.

    A speedy response is most important in cases when a data breach or loss involves a consumer’s Social Security number, which thieves can use to open new lines of credit in the victim’s name, said Betsy Broder, assistant director of the Federal Trade Commission’s Division of Privacy and Identity Protection.

    “Anyone whose Social Security number was lost or stolen should immediately report it to one of the three major credit bureaus and request that a 90-day fraud alert be placed on all credit files. Consumers have the right to renew this alert indefinitely, but they must contact one of the credit bureaus every three months to do so”.

    Consumers who have evidence of attempts to open fraudulent accounts in their name should contact those creditors immediately, and file a report with the local police department. If possible, obtain a copy of the police report, or at least the police report number.

    For many identity-theft victims, being denied a loan or line of credit or receiving a call from a debt collection agency is the first sign of trouble. By law, if you inform a collector that a debt is the result of identity theft, that collector also must inform the creditor, and creditors are prohibited from selling debt that results from identity theft or placing it for collection. You also are entitled to a copy of all information about fraudulent debt, including late notices and account statements.

    See full article.

    Identity thieves sentenced to 14, 15 years

    June 23rd, 2006

    A Sunnyvale man was sentenced today to 14 years in prison for identity theft as part of a more than $1 million real estate scam. John Shaw, 47, faced up to 27 years after being convicted last year on 14 felony counts, including forgery, grand theft, identity theft, recording false documents, and conspiracy.

    A licensed real estate agent, Shaw assumed the identities of at least five people, mostly his clients, and purchased real estate in their names. He then sold the property to other names he assumed, pocketing the profits.

    Another identity thief, who stole $16,000 from his victims, was sentenced Wednesday in Honolulu Circuit Court to 15 years in prison. The 28-year-old Saatkamp was also ordered to pay restitution to his victims: eight individuals and three financial institutions.

    According to MercuryNews.com, kpua.net.

    Encryption alone is not enough

    June 18th, 2006

    A recent article by Kerry Davis discusses an identity-theft case involving the theft of an Ernst & Young auditor’s laptop containing the credit card details and addresses of more than a quarter of a million hotels.com customers in the US. Sure, the auditor should never have left the laptop in his car, “but even if he had taken it with him there was always a risk of theft or loss”.

    This incident demonstrates that encrypting data is important, but encryption alone is not enough. “Data security requires a holistic approach. It’s as much about mindset as about the need for passwords, secure ID tokens and encryption”.

    Security should be considered from all angles: physical, personnel, procedural, technical, policy and regulatory. However, most companies rely on the physical and technical alone.

    “According to the DTI, a quarter of companies don’t carry out any background checks when recruiting [new employees] and one in eight does nothing to educate staff about their security responsibilities”.

    It’s not good enough to give a laptop to someone who is always on the road and tell them never to leave it in their hotel room. This sort of ‘no choice’ edict simply brings a security policy into disrepute. Everyone will have to ignore it in order to do their jobs.

    All aspects of security should be considered together, so that controls support and mitigate each other and a failure of one does not invalidate the others. For instance, if an auditor regularly has to leave a laptop in a car for good reason, the company should provide a secure storage box. What’s more, if a laptop containing sensitive data is stolen, the consequences may be far less disastrous if it is protected by strong authentication and encryption systems.
