Category: Uncategorized

“In many cases, it’s an unrecognized security problem,” says Jack Gold, founder of J. Gold Associates, an IT consulting firm. “Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device,” he says.

While relatively few companies are addressing the issue, some have tried solutions ranging from total network lockdowns to requiring the use of encrypted flash drives to ensure that data will at least be safeguarded if it is lost. Although CHS has a “thou shalt not copy” policy regarding the downloading of sensitive information to portable memory devices, Valleau says he isn’t about to ban them, because “some people might need to carry protected medical records from one location of ours to another.” As a result, Valleau is looking at requiring employees to use only new, encrypted flash drives at the 1,000 computer workstations at the firm’s 210 offices around Florida.

Hospitals, which must closely guard patient information under the Health Insurance Portability and Accountability Act, are particularly concerned about flash drives.

Gower, vice president of information systems at Martin, Fletcher & Associates uses network-control software to limit both the type of content users can view and the time of day they can see it. Her company totally prohibits employees other than managers from copying data by limiting the network’s ability to write to portable storage devices. “The way we’ve got the network set up, employees can’t plug PDAs, smart phones, flash drives or USB hard drives into the network. “I have no doubt that, with all these portable memory devices in the workplace, there will be a federal privacy compliance breach in the next year.”

First line of defense: Establish a portable-device policy and educate users about it. Second line of defense: Network management tools, used by less than 5 percent of corporations, can restrict network access by individual, workstation or type of device. Third line of defense: Dismiss employees caught.

http://www.computerworld.com.au/index.php/id;1698947885;fp;16;fpid;0

Rather than trying to anticipate a new regulation, it’s better for companies to treat regulation as one more factor in an overall risk portfolio, Heiser said.

From its latest data, Gartner expects information security budgets to increase 4.5 percent over the next year.

Wheatman said companies have shown success in negotiations with security vendors in getting, for example, antispyware included with antispam and antivirus software instead of paying extra. Antivirus software represented 54.3 percent of the revenue, at $4 billion.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9003402

IDPs have become a necessary addition to the security infrastructure of nearly every organization. IDPs typically record information related to observed events, notify security administrators of important observed events, and produce reports.

This NIST publication describes the characteristics of IDP technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them.

Securing IDP components is very important because IDPs are often targeted by attackers who want to prevent the IDPs from detecting attacks or want to gain access to sensitive information in the IDPs, such as host configurations and known vulnerabilities.

IDPs are composed of several types of components, including sensors or agents, management servers, database servers, user and administrator consoles, and management networks.

Administrators should maintain the security of the IDP components on an ongoing basis, including verifying that the components are functioning as desired, monitoring the components for security issues, performing regular vulnerability assessments, responding appropriately to vulnerabilities in the IDP components, and testing and deploying IDP updates.

Organizations should consider using multiple types of IDP technologies to achieve more comprehensive and accurate detection and prevention of malicious activity.

The four primary types of IDP technologies—network-based, wireless, NBAD, and host-based—each offer fundamentally different information gathering, logging, detection, and prevention capabilities. For most environments, a combination of network-based and host-based IDP technologies is needed for an effective IDP solution. Wireless IDP technologies may also be needed if the organization determines that its wireless networks need additional monitoring or if the organization wants to ensure that rogue wireless networks are not in use in the organization’s facilities. NBAD technologies can also be deployed if organizations desire additional detection capabilities for denial of service attacks, worms, and other threats that NBADs are particularly well-suited to detecting. Direct IDP integration is most often performed when an organization uses multiple IDP products from a single vendor, by having a single console that can be used to manage and monitor the multiple products.

Evaluators need to understand the characteristics of the organization’s system and network environments, so that an IDP can be selected that will be compatible with them and able to monitor the events of interest on the systems and/or networks. Evaluators should articulate the goals and objectives they wish to attain by using an IDP, such as stopping common attacks, identifying misconfigured wireless network devices, and detecting misuse of the organization’s system and network resources.

http://www.bankinfosecurity.com/regulations.php?reg_id=307&PHPSESSID=a842e1d4d220653dc1dd762d42e04179

Security accountability is long overdue, says John Pescatore. When a series of worms hit in 2001 and paralyzed businesses, IT staff threw up their hands and blamed vendors. “Five years ago, nobody was responsible and nobody had authority,” Pescatore says. “The business side of the organization has learned to live with accountability and is able to talk about revenues and returns,” Pescatore says. IT managers and security managers aren’t the ones setting corporate policies, yet they’re responsible for enforcing the policies and ensuring security, he says. All in a day’s work IT executives say their jobs are now on the line if an IT event compromises security or im­pedes business performance.

Greater accountability is a natural consequence of IT becoming more central to business operations, says Chris Majauckas, computer technology manager for Metrocorp Publications in Boston. “Upper management is aware that it is impossible to foresee every possible negative event, but they do expect those events to be handled promptly and properly,” he says. “The days of upper executives that aren’t IT-aware are gone,” adds Bruce Meyer, senior network engineer at ProMedica Health System in Toledo, Ohio. The negative publicity surrounding the recent breaches has forced all IT departments “to examine how the events happened and discuss with the executive level what our exposure to the same incident would be,” says Cory Elliott, IT director at Basic Energy Services in Midland, Texas.

The Health Insur­ance Portability and Account­abil­ity Act (HIPAA) and the Sarbanes-Oxley Act (SOX) were designed to protect patient pri­vacy and im­prove financial re­porting, respectively. The burden of providing that falls to IT – which can become a scapegoat if efforts come up short. “Oversights, either deliberate or inadvertent, now become part of reports to audit committees and boards, who have obligations to show due diligence in responding to compromised situations,” he says. “This may produce more pressure and require dismissals that would not necessarily occur in private companies.” Dismissing or shuffling IT staff is often a signal to the public that punitive and preventive measures have been taken, Donnelly says.

The company’s IT department is spending more time and money on security investments such as intrusion-prevention systems, firewall, security appliances and anti­virus software. “If you have a regulatory stick, use it,” Pescatore says. While greater IT accountability is a good thing, it has to come with authority, Pescatore says.

Ground your assertions in reason: “It has to be about more than just fear.”

http://www.networkworld.com/news/2006/082806-security-risk.html?WT.svl=bestoftheweb1

Internal controls, established to mitigate a variety of business risks, provide the dashboard to inform management on the status of core activities and to apply the brakes that keep the enterprise safely on course. The security organization plays a critical role in identifying, measuring, preventing and responding to a growing inventory of risks. We must be able to measure the probability and potential consequences of an identified risk, or management has no gauge to assess and prioritize what actions to take. Metrics are central to understanding the adequacy of security controls and where to focus our limited resources for the greatest contribution to the protection strategy.

This excerpt from the book Measures and Metrics in Corporate Security, Communicating Business Value gives a few examples of the ways CSOs can think about the data they collect as part of their security operations and identifies what is important to measure, and how to communicate with senior business executives about what the data indicates about their organization’s risk environment and how it’s being managed.

Security programs gather volumes of data every day. The successful security executive defines his business plan and the performance of resources and services around clearly articulated measures. Those measures should be aligned with core business strategy and priorities.

Figure 1 illustrates how a CSO has evaluated the importance of various security metrics, based on their relevance to business drivers such as managing costs and risks, focusing on return on investment, complying with the law and company policies, and protecting the lives and safety of employees. Note the last column on the right, which is checked every time: internal influence.

Effective use of metrics that matter to business leadership, demonstrating the value of security operations, wins a security executive important capital. Every CSO should have half a dozen dials to watch on a regular basis. These indicators could be “survival metrics,” the hot buttons on a dashboard you are expected to address that monitor the wellness of your organization or an issue of particular concern to management.

You may find that you have more than one dashboard—yours and the one your boss and a few key players expect you to watch and report on. The CFO could be an excellent resource to advise you on the presentation of dashboard metrics since this officer typically reports performance metrics to management on a regular basis. While these dashboards view an array of priorities, you need first to identify what risks are important.

One way to drill down on a particular risk and determine its priority level is through risk mapping. Risk mapping is about plotting the dynamics of the risk incident landscape. A presentation model of risk dynamics or risk profiling may be found in the risk map on Figure 2. More consequential incidents are at the top of the map, and more frequent ones are to the right. In Figure 2, eight types of internal misconduct cases were plotted for the month, and the five highlighted all had inadequate supervision and poor policy awareness as contributing causes of the infractions.

There is a valuable story to be told to management, and it is particularly useful in quarterly or annual presentations to display notable trends, their contributing causes and suggestions for mitigation tactics. Measures mapping helps you do that by looking at areas of risk, the contributing causes to those risks and actions implemented to mitigate those risks, and then measuring the effectiveness of those actions.

It’s a CSO’s job to find the appropriate model for security measurement and reporting objectives that fits his organization.

http://www.csoonline.com/read/080106/fea_metrics.html

These messages, supposedly from a legitimate company, may try to convince you to visit a malicious site by claiming that there is a problem with your account or stating that you have been subscribed to a service.

Not only does this hide the real attacker’s identity, it allows the attacker to increase the number of targets (see Understanding Denial-of-Service Attacks for more information).

Trying to gain access to account information – In some areas, cell phones are becoming capable of performing certain transactions (from paying for parking or groceries to conducting larger financial transactions). An attacker who can gain access to a phone that is used for these types of transactions may be able to discover your account information and use or sell it.

Follow general guidelines for protecting portable devices
– Take precautions to secure your cell phone and PDA the same way you should secure your computer (see Cybersecurity for Electronic Devices and Protecting Portable Devices: Data Security for more information).

– Be careful about posting your cell phone number and email address – Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam (see Reducing Spam for more information). By limiting the number of people who have access to your information, you limit your risk of becoming a victim.

Messages from unknown person = While the links may appear to be legitimate, they may actually direct you to a malicious web site.

Be wary of downloadable software – There are many sites that offer games and other software you can download onto your cell phone or PDA.

Disable Bluetooth when you are not using it to avoid unauthorized access (see Understanding Bluetooth Technology for more information).

http://www.us-cert.gov/cas/tips/ST06-007.html