Category: Uncategorized

Sarbanes-Oxley, Section 404, requires public companies to annually assess and report on the effectiveness of internal controls over financial reporting. A component of risk management is information technology (IT) risk management and should be part of any IT security program. Every organization, no matter whether private or public, has a mission. For example, if your organization’s mission is to become one of the nation’s (or county’s or state’s) largest financial holdings companies, and you offer services such as commercial and retail banking, mortgage financing and servicing, consumer finance and asset management, then what are you going to protect and how are you going to protect it?

Requests for information arising from internal or external IT auditors are normally fielded by the IT and Security departments. In one particular audit I experienced while working for a financial firm, there was an IT audit finding due to the existence of numerous Domain Admins (everyone in IT had made himself or herself a Domain Admin and Domain Admins have total access to everything on a Windows network).

There are some basic risk management concepts that need to be ingrained into the technology manager’s mind before developing applications, and before deploying applications and technology. For starters, IT managers can look to the National Institute of Standards and Technology for some guidance. NIST Special Publication 800-30, published in July 2002, entitled Risk Management Guide for Information Technology Systems is a good place to start. It is free and does a decent job of explaining the basic concepts and providing a risk management methodology.

For example, “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization”, is the opening definition of risk.

With management support and IT’s commitment to work through this, you can perform an internal IT risk assessment with some success yourself.

http://www.bankinfosecurity.com/articles.php?art_id=166&PHPSESSID=ceea138966d3138528becabe0eb4b292

That technology isn’t always affordable for midmarket companies, which typically have $50 million to $1 billion in annual revenue and anywhere from 100 to 5,000 employees.

For that reason, midsized IT departments are making the most of network access controls (NAC) offered by their technology infrastructure providers, including Microsoft and Cisco Systems Inc. Those companies recently unveiled plans for more interoperability between their network access control technologies.

Meanwhile, security vendors are trying to entice the midmarket with cheaper authentication tools that are more scalable for growing companies. Mid-sized companies have some unique challenges when it comes to ensuring users are who they say they are and that network access is limited to what their jobs require.

But no matter how good the technological controls are, industry experts agree that midmarket IT professionals won’t be successful at ID and access management unless they educate their users on smart computing habits and convince their bosses of the importance of security.

“Midsized customers are telling us they want smart cards, tokens and two-factor authentication, but they want the benefits without the cost,” said Greg Wood, BioPassword’s VP and CTO.

Overcoming cultural challenges No matter how good their identity and access management technology is, midmarket IT managers won’t be successful unless they have the support of top executives and everyone obeys the written security policies, said Jonathan Penn, an analyst with Cambridge, Mass.-based Forrester Research.

Penn said it’s up to IT professionals to help their bosses understand what’s at stake. “What works is when IT professionals talk about this in terms of risk,” Penn said.

Scalability is certainly a factor for Keith Gosselin, IT officer for Biddeford Savings Bank in Biddeford, Maine. With 72 employees and $12 million in revenue last year, the bank doesn’t fit the criteria of a midmarket company. But the company hopes to grow in the next three to five years, Gosselin said, by opening new branch offices and attracting new customers. Beyond that, Gosselin shares the view of many security professionals that companies large and small can no longer afford to carry on with basic passwords.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1222601,00.html

The Indian Health Service operates in 345 hospitals and clinics and 85 emergency management services, Ross said. Since February, he has been using a Pandemic Management and Notification Service from SWN Communications Inc. in New York.

For commercial real estate company The Cadillac Fairview Corp. in Toronto, the focus this flu season is primarily on how to enable its 1,600 employees to work from home, said Scot Adams, CIO of business innovation and technology services. Adams said his company recently began using MobiKey, a wireless service from Route1 Inc., also in Toronto, that allows end users use a Universal Serial Bus device for remote computing.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003900&source=NLT_AM&nlid=1

As an example, consider a hypothetical gourmet food e-commerce web site. This site displays a map of the world to the user, and as the user navigates the mouse pointer over each country, the page uses Ajax programming to connect back to the web server and retrieve a list of goods originating in that country. SQL injection vulnerabilities allow attackers to execute their own SQL queries and commands against the database, rather than those that the developers of the web site intended. The entire database, including customer names, addresses, and credit card numbers, could be downloaded by such a command.

The average QA engineer typically will be much more thorough. He might even set up an automated test script that will mouse over every single pixel on the screen, and he will check to see if there are any errors in the Ajax programming or underlying page code. But, even this extreme level of thoroughness won’t be enough to find the SQL injection vulnerability. By using a web browser (or automated script recorded from a web browser) as his test tool, the tester has limited his potential requests to only those which the browser can send, and the browser is itself limited by the source code of the web page.

In order to successfully defend against the hacker using SQL injection or some other attack, the QA engineer has to think like the hacker. They use tools that operate at a much lower level, tools that are capable of sending raw HTTP requests to an address and displaying the raw HTTP response. Like programming in standard hyperlink navigation or form submission, Ajax programming actions always have an HTTP request and response. So, armed with his low-level HTTP requestor tool, the hacker is now free to make attacks on the application that could never be possible with a browser alone.

In order to successfully defend against the hacker using SQL injection or some other attack, the QA engineer has to think like the hacker. An even better approach is to use an automated security analysis tool that performs these tests.

http://www.it-observer.com/articles/1242/testing_security_age_ajax_programming/

“In many cases, it’s an unrecognized security problem,” says Jack Gold, founder of J. Gold Associates, an IT consulting firm. “Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device,” he says.

While relatively few companies are addressing the issue, some have tried solutions ranging from total network lockdowns to requiring the use of encrypted flash drives to ensure that data will at least be safeguarded if it is lost. Although CHS has a “thou shalt not copy” policy regarding the downloading of sensitive information to portable memory devices, Valleau says he isn’t about to ban them, because “some people might need to carry protected medical records from one location of ours to another.” As a result, Valleau is looking at requiring employees to use only new, encrypted flash drives at the 1,000 computer workstations at the firm’s 210 offices around Florida.

Hospitals, which must closely guard patient information under the Health Insurance Portability and Accountability Act, are particularly concerned about flash drives.

Gower, vice president of information systems at Martin, Fletcher & Associates uses network-control software to limit both the type of content users can view and the time of day they can see it. Her company totally prohibits employees other than managers from copying data by limiting the network’s ability to write to portable storage devices. “The way we’ve got the network set up, employees can’t plug PDAs, smart phones, flash drives or USB hard drives into the network. “I have no doubt that, with all these portable memory devices in the workplace, there will be a federal privacy compliance breach in the next year.”

First line of defense: Establish a portable-device policy and educate users about it. Second line of defense: Network management tools, used by less than 5 percent of corporations, can restrict network access by individual, workstation or type of device. Third line of defense: Dismiss employees caught.

http://www.computerworld.com.au/index.php/id;1698947885;fp;16;fpid;0

Rather than trying to anticipate a new regulation, it’s better for companies to treat regulation as one more factor in an overall risk portfolio, Heiser said.

From its latest data, Gartner expects information security budgets to increase 4.5 percent over the next year.

Wheatman said companies have shown success in negotiations with security vendors in getting, for example, antispyware included with antispam and antivirus software instead of paying extra. Antivirus software represented 54.3 percent of the revenue, at $4 billion.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9003402