admini – Page 274 – CyberSecurity Institute

Security awareness training: How to educate employees about spyware

Posted on October 24, 2005December 30, 2021 by admini

Educating end users about spyware should be part of any comprehensive security awareness training. It should be part of at least half-day or, preferably, whole-day training required by all employees at all levels, from the executive suite down to the receptionists and security guards at the front door.

Training should be a condition of employment with mandatory attendance noted as part of annual performance reviews.

As the number of security threats keeps growing every year, training should be updated annually and employees should be required to take it once a year. Training conducted in groups of a few dozen at a time will not disrupt daily operations, yet it can still cover the entire staff over the course of a year. Your IT/ Information Security staff members should have the background to put together and conduct training without having to look elsewhere.

Reinforce training efforts with monthly newsletters that include security awareness tips. Internal publicity is a real morale booster.

Policies for preventing spyware are similar to those for protecting a network from other uninvited malware, such as viruses, worms and Trojans. The most effective policy is to prohibit employee access to the Internet altogether.

Spyware/malware policies include prohibiting users from downloading software from the Internet, including file-sharing software and toolbars, and prohibiting users from visiting questionable Web sites, the most obvious being pornography and gambling sites. “Users are advised to report to the Help Desk suspicious activity on their desktops, such as excessive pop-windows opening simultaneously, unusually slow desktop performance or their Web browser being redirected to unwanted sites, such as pornographic or gambling sites.”

http://bankinfosecurity.com/node/2639

Full biometrics ID plan to reach U.K. by 2009

Posted on October 20, 2005December 30, 2021 by admini

Speaking at the Biometrics 2005 conference in London, Bernard Herdan, chief executive of the U.K. Passport Service (UKPS), said Thursday that the passports would be phased in by February 2006 and completed by July 2006.

“We have to make sure that as we cross from digital production to e-passport production that the technology works in all other countries,” Herdan said.

The move may have been spurred by U.S. demands for all countries within its visa-waiver program to have a machine-readable biometric passport by October 2005. Existing U.K. passport holders will not need to have their passports updated, but they will have to comply with the new guidelines when they renew or replace their passports, Herdan said.

E-passports will incorporate a special chip that stores basic data, including the passport holder’s name, and date and place of birth. U.K. ID cards will be issued with the passports, which will contain finger and thumb images; two iris images; and facial images. These will also be stored on a National Identification Register. Herdan explained that “this is all part of a more holistic approach to move towards more rigorous identification.”

The chips will be embedded in the front cover of the passport. New applicants will also face an interview for further authentication.

“We believe there is a pressing need for an improved integrated system of identity authentication. One part of this is the Personal Identity Project, through which information supplied by passport applicants is checked against information held on private and public sector databases,” Herdan said. “Facial recognition has to be the direction the travel industry is heading in,” he added. “We want to move to an environment where airlines are doing pre-board checks, but our first step is to secure our borders.”

http://news.com.com/Full+biometrics+ID+plan+to+reach+U.K.+by+2009/2100-7348_3-5905430.html?part=rss&tag=5905430&subj=news

Microsoft muscles into security market with Client Protection

Posted on October 19, 2005December 30, 2021 by admini

“This approach enables businesses to spend less time dealing with malicious software threats and more time managing other IT needs that help improve the bottom line,” said Microsoft.

Microsoft Client Protection will also integrate with Active Directory and software distribution systems to reduce the time it takes to deploy security updates and patches.

Microsoft also plans to release Microsoft Antigen anti-virus and anti-spam security software for messaging and collaboration servers, based on technology from recently acquired Sybari Software. Antigen for Exchange is scheduled to be available in beta in the first half of 2006.

In spite of its intention to offer “a single solution” for desktop security, Jay Heiser, research vice-president at analyst firm Gartner, said Microsoft was unlikely to produce a strong security suite.

http://81.144.183.106/Articles/2005/10/19/212523/MicrosoftmusclesintosecuritysoftwarewithClientProtection.htm

Tighten Web Security, Banks Told

Posted on October 17, 2005December 30, 2021 by admini

In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute. Other types of two-factor authentication include costlier hardware involving biometrics or “smart” cards that would be inserted into designated readers on a user’s computer.

Banks might also issue one-time passwords on scratch-off cards or require “secret questions” about a customer’s account, such as the amount of the last deposit or mortgage payment.

The council also suggested that banks explore technology that can estimate a web user’s physical location and compare it to the address on file.

The most common way of stealing consumers’ personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony websites. Data harvested at such sites is then used fraudulently. The Anti-Phishing Working group, an industry association, reported 13,776 unique types of phishing attacks in August.

While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.

FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks’ practices are audited. Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to “federate” their websites with banks, said Michael Aisenberg, director of government relations for internet service provider VeriSign.

http://www.wired.com/news/business/0,1367,69243,00.html

NEW USA FFIES Guidance

Posted on October 12, 2005December 30, 2021 by admini

Highlights:
– Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
– Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
– The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
– Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
– Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.
http://www.fdic.gov/news/news/financial/2005/fil10305.html

PGP Encrypts BlackBerry Messaging

Posted on October 10, 2005December 30, 2021 by admini

The solution runs in conjunction with PGP Universal, a series of products for enterprises, businesses and departments requiring multiple encryption and digital-signature solutions managed from a single console. With PGP Universal, enterprises deploy one key infrastructure and may later add new encryption capabilities and devices without changing that infrastructure.

PGP support is fully integrated in the BlackBerry user interface (see top image) and provides e-mail encryption, decryption, digital signature, and verification services for e-mail sent from and received on BlackBerry devices. Users authenticate themselves with their private key passphrase before decrypting or signing e-mail on their BlackBerry. Outgoing messages are automatically protected according to a centralized policy specified by the PGP Universal administrator. PGP Universal uses PGP Additional Decryption Key (ADK) capabilities, automated key management and recovery, and automated enrollment and centralized policy management.

PGP VP of marketing Andrew Krcik told SmartPhoneToday PGP Support Package for BlackBerry will be available as part of the BlackBerry handheld 4.1 operating system next month.

It also requires BlackBerry Enterprise Server for Exchange 4.0.2 or Lotus Notes 4.1 and PGP Universal Series 500 plus PGP Desktop 9.0 or PGP Universal Satelite client to run.

Furthermore, Krcik said PGP brought the idea for the solution to RIM because they shared so many customers and it filled a need requested by many enterprises. “BlackBerry is the overwhelming leader for enterprise mobile messaging. By providing an integrated PGP Universal and BlackBerry solution, we address a strategic requirement of our joint customers,” according to PGP CEO & President Phillip Dunkelberger.

PGP Support Package for BlackBerry costs $249 per client, with volume discounts available for channel partners.

http://www.rimroad.com/articles/2005/10/2005-10-10-PGP-Encrypts-BlackBerry.html