Security Policy Lifecycle

May 7th, 2006

“Staying ahead and maintaining a healthy, robust policy programme requires diligence throughout the security lifecycle”. Generally, the security lifecycle includes the following phases:

a. Policy Development Phase
b. Enforcement Phase
c. Assurance Phase

To keep a security policy healthy throughout the lifecycle, consider your security policy impact:

1. Security is inconvenient: Recognise and respect security’s disruptions of the business process and daily life. You need not make the process transparent, but each extra step, each extra disruption, makes non-compliance more likely.

2. Avoid Excessive Complexity: Strive for common security tools that have already been tested and proven.

3. Prosecution or reprimand: Decide in advance how far to go, and get management buy-in. If you decide against prosecution in favour of reprimand, it is less important to build evidence once a hack is discovered.

4. Punishment to fit the crime: You may merely reprimand employees for sending personal email on the company network, but you want to prosecute someone who hacks the payroll. Decide in advance how far you will go.

Painless policy in practice:
While on rounds, a bank’s security staff enforced a policy that unattended workstations must be secured with a password-protected screen saver. They placed yellow notes reading “Security needs your help. Please lock your workstation” over unprotected monitors. This non-disruptive reminder helped change the user community. Bankers would leave their desks for lunch, then return saying, “I better lock my screen so I do not get one of those yellow notes”.

See “Why information security policies fail”.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search for password protected files. With FindProtected, you can effectively identify protected files containing sensitive data on your network.

Small businesses need a comprehensive Internet security policy

May 7th, 2006

According to an article by Atchison Frazer, paramount among the internet security threats that concern small businesses are “content-related and physical-access concerns”.

“Content-related threats generally refer to access of content from the Internet by internal users of the network in violation of company policies. But a new type of content-related threat is an infected file that combines several stand-alone viruses or attack methods in one package. For example, the myDoom virus, using e-mail as its carrier, set up an SMTP e-mail relay engine on each computer it infected to propagate the virus throughout the network. These so-called blended threats are complex and often avoid detection entirely”.

Unauthorized access to corporate network resources includes external hacker attacks as well as purposeful or accidental access to a company’s restricted resources by internal users.

“Only a thorough, companywide security policy can protect your network equipment and information”. Here are some of the key elements to consider when developing a security policy:

1. Lock up and monitor physical access to all core network resources.
2. Lock and password-protect all physical and logical ports of your network.
3. Lock network services such as FTP, SMTP, Telnet and Web. Additional network services should be allowed on an as-needed basis.
4. Use firewalls to protect all entry and exit points of the network.
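As an added illustration of items 2 and 3 above (this is example code, not from the article or from FindProtected), the following Python script audits a host's listening TCP services against an as-needed allowlist. The `ss -ltn` sample, the port-name table and the set of approved ports are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Well-known ports for the services the policy names, plus a few others seen
# on small-business servers (constructed lookup table for this example).
PORT_NAMES: Dict[int, str] = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
                              80: "Web (HTTP)", 443: "Web (HTTPS)", 3306: "MySQL"}

# Ports this hypothetical site has approved on an as-needed basis.
ALLOWED_PORTS: Set[int] = {22, 443}

# Constructed sample in the layout of `ss -ltn`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       0.0.0.0:21           0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       128     [::]:23              [::]:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
"""

_LOCAL = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")  # split "addr:port" on the last colon

def parse_listeners(ss_output: str) -> List[dict]:
    """One record per LISTEN line: bound address, port and whether it is loopback-only."""
    records = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # skip the header and anything not listening
        m = _LOCAL.match(fields[3])
        if not m:
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        records.append({"addr": addr, "port": port,
                        "loopback": addr in ("127.0.0.1", "[::1]")})
    return records

def audit_listeners(ss_output: str, allowed: Set[int]) -> List[str]:
    """Report every network-reachable listener whose port is not on the allowlist.

    Loopback-only listeners are left out: they are not reachable from the network,
    though they still deserve a look during a full review.
    """
    findings = []
    for rec in parse_listeners(ss_output):
        if rec["loopback"] or rec["port"] in allowed:
            continue
        name = PORT_NAMES.get(rec["port"], "unknown service")
        findings.append(f"{rec['addr']}:{rec['port']} ({name}) is listening but not allowlisted")
    return findings
```

On a live Linux host the same check runs by piping real `ss -ltn` output into `audit_listeners` with the site's own allowlist.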

Five Myths of Identity Theft

April 30th, 2006

Here are the five most common myths about identity theft:

Myth #1: Identity theft is on the rise. In reality, the number of people in the US victimized by identity theft dropped from 11 million in 2003 to 9 million in 2005.

Myth #2: Identity thieves target the elderly. People in their 20s are the most likely to be victims; even most college students now know someone who has been hit by an identity thief. “People in their 20s often have perfect credit, and as a group can be the most careless with their information”.

Myth #3: Identity Thieves get your information from your trash. Actually, one of the fastest growing forms of identity theft “comes from shoulder surfers”.

Myth #4: Identity thieves steal personal information from the internet. “Truth of the matter is that the internet is helping us. It’s helping us catch these people faster.”

Myth #5: Our information is most likely to be stolen by a stranger. 51% of identity thefts are committed by someone familiar to the victim; 26% by a relative.

Email shock a business horror

April 26th, 2006

There’s an interesting article by David Wishart published at theage.com.au: “On March 1, 2005, the giant US bank Morgan Stanley learned that it had effectively lost a $US1.45 billion fraud case. It lost… because it had simply failed to produce evidence. It had forgotten (or deliberately failed) to discontinue its practice of overwriting emails and it had not produced all emails incorporating 29 specified words between certain dates seven or so years ago. There were more than 2300 back-up tapes”.

“For any business using email, this is scary stuff. Not only are there horrendous cost implications because conventionally you have to pay the cost of finding and providing the information to the other side in a court case, but also if you have destroyed an email you sent or received, the company and its officers and employees may breach provisions soon to be inserted in the Crimes Act”.

It is commonplace that computers and the internet together have revolutionised business life. If all computers’ storage space in an organization were to be filled with basic Word documents and you were to print them out, the pile of documents would be “higher than Mount Kosciuszko”.

Correspondence is routinely kept on the recipient’s computer (and the business’ server and back-up storage, as well as the sender’s equivalents). Moreover, someone with something to gain or lose can easily recall a document and delete or alter it, or resend an email after alteration so that it appears to be the original… If a crime has been committed, all of this makes discovery difficult.

Computer forensics techniques step in here. Instead of foraging through a pile of paper, the expert gets the computer to do the work. Specific programs may be used to search for, and within, documents and other files. In addition, to deal with alteration or destruction of the data, or even forgery, the expert may need to take an electronic copy of a hard disk.

“Meanwhile, the next time you consider whether to delete an email weigh up whether it is better to add habitually to the massive archive of material in your business and thus risk the Morgan Stanley result and also risk strike suits against you, as opposed to deletion, which might lose a dispute and even might be a crime. Perhaps you might reflect on the insanity of a system that tells you what is right or appropriate only after the event.”

Security Metrics are Executive Priority

April 21st, 2006

Intellitactics announced the results of a recent survey of top information security and IT decision makers regarding the use of business-driven metrics for measuring security effectiveness and value.

The findings confirm the view that security has matured as a management discipline. Security professionals now realize that in order to advance their strategy, they need to measure value and communicate it clearly to other executives and stakeholders across the business.

Results of the survey show that 89.5% of the organizations surveyed use metrics to describe their current security posture. 46% use metrics to measure security value, with 42.5% planning to take action within the year. About 60% of those already taking steps to measure security performance do so to justify spending, and almost 80% reported that demonstrating IT security effectiveness to other functional managers helps IT justify action and budgets.

“Investment in security, driven by compliance initiatives and the desire to protect customers, patients, and the companies themselves from unnecessary risk, continues to increase. All managers are asking the question ‘How secure are we, really?’,” explains Pamela Casale, Chief Marketing Officer for Intellitactics.

Key survey findings emphasize that the ability to measure value requires a centralized reporting capability, presentation of information in context, and automated processes for dynamically generating the metrics.

“If you manage security as part of an integrated business process, you will be able to quantify improvements in security and demonstrate results over time,” says Casale. “Demonstrating improvement, however, can be difficult if the metrics are not communicated effectively to recipients. Business executives need an easy-to-understand communication vehicle populated with practical metrics in order to create a picture of enterprise security – this means an executive dashboard.”

More information at www.businesswire.com.

Hire A Security Guru

April 21st, 2006

An interesting article, called “Security: Under Lock & Key”, appeared today on Processor.com:

For most enterprises, security is best defined as a process, not a product. Although firewalls and monitoring software have their place, they’re only part of an overall security strategy that is likely to have many components.

In creating a more comprehensive security strategy, many SMEs bring in vendors and consultants who can address different tools and tactics. In choosing a candidate to walk IT through a proposed strategy, a company shouldn’t look only for technical expertise.

“A consultant should be able to talk in business terms, not just technology terms,” says Russell Morgan, president of the Information Technology Solution Providers Alliance. The consultant should be able to chat about return on investment, key metrics, and long-term goals, Morgan notes. Putting security information within the context of the rest of the business plan will also boost buy-in from other departments.

Although SMEs often have budget restrictions when it comes to hiring, some analysts have noted that the cost of hiring an experienced security expert outweighs both the financial impact of a security breach and the expense of trying to implement security measures using an overtaxed staff.

“A really good security chief doesn’t just track down problems,” says John Challenger, CEO of outplacement firm Challenger, Gray & Christmas. “He or she keeps on top of what is a constantly changing field… Designating one person to handle security will also free up considerable time for other staff members.”

As frustrating as constant security upkeep might be, it’s time to recognize that the IT department will be in it for the long haul. Part of being realistic is understanding that security will need a healthy chunk of the budget.

“Many SMEs have technology apprehension, especially around security,” says Yankee Group analyst Steve Hilton. “It feels like a monumental headache. But if they accept that it’s a vital part of the job, sometimes it seems easier.”

Passwords cumbersome for small firms

April 15th, 2006

Howard Schmidt, president and CEO of R&H Security Consulting LLC, says that “password management is a challenge for small firms”.

Hacking a small business doesn’t afford a hacker the same level of financial gain or infamy as a large target. However, “you can’t afford, as a small business, to take as many risks”.

Small businesses may need to rely more on automated security solutions than their larger counterparts, because they often don’t have enough personnel to manage security effectively.

As Dan Geer, vice-president and chief scientist at Verdasys, claimed, “it is better to implement what you have rather than be frozen by indecision… a good way to start is to keep a record of security procedures: Measure something, for heaven’s sake. Even if you don’t believe the number. There’s lots of things you can measure. I don’t think we can improve unless we can keep score.”

By keeping track of the number of security incidents or the way patch management is handled between departments, a company can learn something about itself.

According to ITBusiness.ca.

Internal security controls implementation

April 15th, 2006

Adam Bosnian, “Is There A Digital Vault In Your Future” (http://www.s-ox.com/): “As auditors become savvier about investigating companies’ security practices, more and more businesses are being put on notice that existing safeguards are not up to snuff”.

As we enter the second year of Sarbanes-Oxley regulations, and as companies continue to face increasingly stringent regulatory mandates from FDA, the Federal Reserve, and other agencies, it will be vital for organizations to proactively be aware of and address these shortcomings before they become a vulnerability identified on an audit result.

“Companies suffered $250 billion in intellectual property theft in 2004 alone. According to a study by the FBI, an estimated 70 percent of these network breaches originate from within”.

“After all, security concerns are similar, regardless of what information you’re looking to protect. Are you changing passwords on a regular basis? What measures are in place to shield high-level passwords? Do you securely store and transmit sensitive data? How do you prevent misuse of information, internally and externally?”

It’s often necessary for system administrators to give out “super user” passwords to numerous internal parties, such as technicians troubleshooting an issue or developers maintaining their own applications. These privileged user passwords are extremely powerful if they fall into the wrong hands: “Users with these passwords can wreak havoc on internal systems”.

To prevent security vulnerabilities, companies need to consider the following issues:

Multi-layered security: Using multiple security technologies will prevent single points of failure that can hinder internal controls. This may include a combination of session encryption, firewall, access control, file encryption, strong authentication, secure backup, and version control. This end-to-end layered approach is essential for protecting sensitive data throughout the information lifecycle.

Dual control: This added security measure requires two individuals to give consent before allowing access to confidential records. When dual control is configured, any attempt to access protected information will trigger a request for clearance to the pre-defined secondary person.

Time- and location-limited access: Security systems should allow for passwords to be issued for specific time frames, such as during working hours, or for one-time use. Passwords can also limit access based on user location. For example, confidential records might only be accessible from certain rooms or buildings.
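The controls described above (dual control, passwords issued for a time window or one-time use, and location-restricted access) modelled as a small privileged-password checkout in Python. This is an added example, not the vendor's product or code from the article; the vault, its policy fields, the `ops-room` location and the `placeholder-root-password` value are all constructed for it.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from types import SimpleNamespace
from typing import Optional, Set

@dataclass
class IssuancePolicy:
    window: tuple = (time(8, 0), time(18, 0))  # release allowed in working hours only
    one_time: bool = False                     # password is consumed after one release
    allowed_locations: Set[str] = field(default_factory=set)  # empty set = anywhere

class DigitalVault:
    """Holds one privileged secret and gates every release by policy."""
    def __init__(self, secret: str, policy: IssuancePolicy):
        self._secret, self.policy = secret, policy
        self.checkouts, self.audit = {}, []  # request id -> state; append-only log

    def request(self, req_id: str, requester: str) -> None:
        self.checkouts[req_id] = SimpleNamespace(requester=requester, approver=None, used=False)
        self.audit.append(f"{req_id}: requested by {requester}")

    def approve(self, req_id: str, approver: str) -> bool:
        """Dual control: consent must come from someone other than the requester."""
        co = self.checkouts[req_id]
        if approver == co.requester:
            self.audit.append(f"{req_id}: self-approval by {approver} rejected")
            return False
        co.approver = approver
        self.audit.append(f"{req_id}: approved by {approver}")
        return True

    def release(self, req_id: str, now: datetime, location: str) -> Optional[str]:
        """Return the secret only when every issuance constraint holds."""
        co, p = self.checkouts[req_id], self.policy
        checks = [(co.approver is None, "no second-person approval"),
                  (not p.window[0] <= now.time() <= p.window[1], "outside issuance window"),
                  (p.allowed_locations and location not in p.allowed_locations,
                   f"location {location} not permitted"),
                  (p.one_time and co.used, "one-time password already consumed")]
        reasons = [msg for failed, msg in checks if failed]
        if reasons:
            self.audit.append(f"{req_id}: denied ({'; '.join(reasons)})")
            return None
        co.used = True
        self.audit.append(f"{req_id}: released to {co.requester} from {location}")
        return self._secret

def demo() -> list:
    """Walk one request through each control and return each step's outcome."""
    vault = DigitalVault("placeholder-root-password",  # stand-in, not a real secret
                         IssuancePolicy(one_time=True, allowed_locations={"ops-room"}))
    vault.request("r1", "alice")
    def at(hour): return datetime(2006, 4, 15, hour, 0)
    return [vault.approve("r1", "alice"),             # False: requester cannot self-approve
            vault.release("r1", at(10), "ops-room"),  # None: no second-person approval yet
            vault.approve("r1", "bob"),               # True
            vault.release("r1", at(22), "ops-room"),  # None: outside working hours
            vault.release("r1", at(10), "home"),      # None: location not permitted
            vault.release("r1", at(10), "ops-room"),  # the secret, released once
            vault.release("r1", at(11), "ops-room")]  # None: one-time password consumed
```

Every denial and release lands in `vault.audit`, which is the record an auditor would ask for when checking how privileged passwords were handed out.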

New Study on Identity Theft

April 9th, 2006

According to an April 2 report by the US Justice Department’s Bureau of Justice Statistics, 3 percent of all households in the US became the victim of at least one type of identity theft during a six-month period in 2004. The estimated loss during this period was about $3.2 billion.

About one-third of households that were identity theft victims discovered the loss by noticing missing money or unfamiliar charges on an account, and about one-quarter were contacted by a credit bureau.

Approximately one-quarter of all victimized households said the misuse had not stopped. The misuse was more likely to have stopped for households experiencing credit card theft (78 percent) than those experiencing theft of other existing accounts (65 percent) or the misuse of personal information (54 percent). Loss of personal information was the cause of trouble for 15 percent of the surveyed households.

About one in five households spent at least one month resolving their problems, while one-third said the problems were resolved in one day.

According to Jim Kouri’s post at Postchronicle.com.

Former employee is sued for losing data

April 9th, 2006

Declan McCullagh posted a report on ZDNet News about a former employee who is alleged to have used a secure file deletion utility in violation of federal hacking laws.

The employee had worked in a real estate related business. His work consisted of identifying “potential acquisition targets.” When he quit and decided to start a business of his own, he had to return his work laptop — and the company consequently tried to undelete files on it to prove he did something wrong. However, it turned out that he had used a “secure delete” program to make sure that the files were not just deleted, but overwritten and unrecoverable.

The company claimed that the former employee’s alleged secure deletion violated a federal computer crime law called the Computer Fraud and Abuse Act. That law says whoever “knowingly causes damage without authorization” to a networked computer can be held civilly and criminally liable.

However, the employee pointed out that his employment contract permitted him to “destroy” data in the laptop when he left the company.

This blog is run by the authors of QuickWiper, a Windows security program. QuickWiper allows you to delete files with simplicity and ease. When deleting files with QuickWiper, you can choose a fast single pass, or the most secure NSA erasure algorithm.