Month: February 2005

In a new book, “Business Under Fire: How Israeli Companies are Succeeding in the Face of Terror—and What We Can Learn from Them,” author Dan Carrison interviewed consultant Danny Halpern, who said, “In Israel, I believe we invest more in the quality of our security people and less in the mechanics.

In America, because of the huge numbers, the investment is in the mechanics—the system—and then they hire minimum wage security staff.” This focus on mechanics has brought us the turf wars between the CIA and FBI, elderly women being forced to remove their shoes at airports and other counterterrorism security nonsense. Similar nonsense—the result of merely going through the motions of physical security—exists in information security.

Security guru Marcus Ranum made this observation to me about poorly configured firewalls and noted that “eventually, if enough data is going back and forth through your firewall, it is no longer a firewall, it’s a router! Deploying security products without first performing such an assessment is like taking medication without knowing what disease you have. Effective risk assessment and analysis ensure that your organization is dealing with real threats. The fact is, the most dangerous threats come from inside, contrary to the widespread perception that they come from the outside.

Hundreds of millions of dollars were wasted on PKI systems because organizations deployed them without understanding what their problem was or what a PKI system could do to solve it.

Too often, organizations go through the mechanics of purchasing and deploying security software and hardware items without knowing why.

http://www.eweek.com/article2/0,1759,1765060,00.asp

The IT trade organisation said that human error is the primary cause of IT security breaches, and in many instances security breaches can be traced back to poor password security.

CompTIA warned that people should use multiple passwords, because if one is compromised or stolen they could become the victim of identity theft or financial loss. And if the lost password is the same one used at work, the organisation warned that “the consequences for your employer could be disastrous”.

“As we have incorporated computer use into more and more of our lives at home and at work, the number of passwords we use has grown exponentially,” said John Venator, president and chief executive at CompTIA.

The organisation recommends that users maintain four passwords. The first should be easy to remember for use on general websites. The same password can be used in many low-risk places because the consequences are minimal if the password is compromised.

The second password should be more complex, with a mix of numbers and letters, for e-commerce websites. But if this password is compromised, CompTIA warned, there may be financial implications, such as credit card theft.

Thirdly a “very complex” password is required for banking websites. This password should contain lower case letters, uppercase letters, numbers and punctuation marks, or at least three of these four categories. If this password is compromised, identity theft is possible.

Finally a separate password should be used only at work, which should not resemble any of the passwords used for home and personal computing. All passwords except the easy website password should be changed at least every 90 days, the trade body advised.

http://www.vnunet.com/news/1161436

You fail to take into account that threats will move where you are weakest, and not where you have strengthened your defenses. You don’t have to be the most secure, you simply have to be secure enough to either effectively block reasonable threats or convince attackers to attack someone else.

Mistake One: No Security Goal
If you don’t know where you are going it is reasonably certain you won’t get there. You should go beyond simple data security or physical plant security and include the security of traveling executives, branch offices, home offices, and key partners.

Mistake Two: No Risk/Security Assessment
The first step (after assuring you have good people), is to understand where you need to go. To do this, you typically need a security expert to come in and provide you with an assessment of just how exposed you are. You need to set the goal first, because the security expert needs something to set context, otherwise the assessment will showcase exposures that you don’t need to correct and miss exposures that could be relatively important to address. By using someone that is independent of your company and your provisioning security vendor, you help insure that they are focused on your company’s needs and not their own.
This is not a one-time event either, threats are rapidly changing and you will need to change your security plan to address these changes. In his view you should do this annually; this allows the assessment entity to remain up to date on your firm and gives you a relatively current assessment to use as a baseline to help determine needs when looking at changes or purchases addressing your security needs.

Mistake Three: No Plan
You often see failure to plan at national borders; they will spend a lot of money securing the border-crossing. while people continue to cross the border illegally, out of sight of the border station. This is the same as security the front door and datacenter but allowing rouge wireless access points in the company, which can bypass this physical and electronic security.

Mistake Four: Linux/Firefox
Actually, the mistake here is not implementing Linux and Firefox, but rather leading with the product and not leading with the plan. Products come last. You may, in fact, decide to move platforms, but that decision should come as a result of the plan and not despite or without it.

In the end, your company has layers of security around it, much like a home surrounded by fences, with locked doors and windows, and with a panic room inside (a secure room with hardened walls you can lock yourself into if someone breaks into your home). The nature of the exposures you face, your resources. including the skill sets of your people, and your access needs define the nature of the security solution you provide.

http://www.networkingpipeline.com/60403185