Category: Uncategorized

The rapid development of the internet has made it easier to reach and communicate with your clients and suppliers, and whether you choose to be an e-tailer or are forced by suppliers to order online, IT functions will probably be at the core of your business.

This may be in the form of communications, customer/supplier management or just product/company information. As the majority of us rely so heavily on email for communication, I challenge anyone who is happy to tell their board of directors that email is not working and “might not be back online for a while”!

When disasters strike, the media will want to know what has happened, how it happened, whose fault it was, what you are doing to recover and how you are managing the relationships with your clients and suppliers. You are not just responsible for creating the plan and deciding on appropriate levels of protection and recovery methods but also for training your staff. Remember these are not the only skills required and I am looking at a fairly basic level, but without these key skills your business continuity plan is unlikely to get off the ground, let alone be effective.

http://www.it-observer.com/articles/1209/when_disaster_strikes_manage_it/

While we have installed firewalls, intrusion detection systems, robust anti-virus and anti-spyware solutions, and strengthened authentication methods, we have still largely ignored security awareness training. And when the authors say ignored, she means that most companies now have an Acceptable Use Policy in place that employees have to sign upon employment, but that’s where the effort stops. Security awareness programs are about changing culture.

http://www.bankinfosecurity.com/articles.php?art_id=157&PHPSESSID=ccd23e68b1848b308c34fd9680492a63

Secure outer “areas” provided a forum for trade and agriculture to be developed and helped the castle community to develop and prosper, in much the same way that controlled third party access, virtual private networks and secure remote access help to increase overall efficiency and productivity for businesses today. Castles were constructed to anticipate the likeliest path of attack and to force attackers into positions of weakness. They were designed so that attacks would be as difficult as possible, forcing enemies to charge uphill, expose their own weakensses to attack and leave themselves unguarded.

Harlech’s unsurpassed natural setting — with the mighty protection of the sea, the mountains, steep impenetrable cliff faces and the natural strength of the rock — certainly played a major role in helping King Edward build a castle to meet the defensive requirements of the age. Applications are built as rapidly as possible and put onto the network landscape, often no consideration is given to their security at it is assumed that they will be secured with the overall perimeter fencing. An integrated, multi-layered approach is necessary to guard against today’s sophisticated IT security threats and protect business critical systems across an organisation. Protecting The Crown Jewels Harlech castle’s architectural design and impressive security defences played an equally important role as its natural defences in protecting the inhabitants and their assets from hostile attack.

The moat and draw bridge formed the first line of defence, and for those who penetrated these initial lines, there lay the and outer wall and an impressive twin-towered gatehouse with three portcullises (more on this later). Here, key locations were protected by high inner walls, round towers and battlements, designed to offer the utmost protection and security to the King and valuable assets.

We must look at Infosecurity issues in much the same way, ensuring that business critical systems remain secure and protected against attack.

Encouraging Trade and Commerce Maximum security is all well and good, but the castle architect also had to design a fortress which would control access to third parties such as merchants and tradespeople whose presence would benefit the castle community and help it to prosper. In today’s increasingly mobile and flexible workplace, it is important that security architecture be developed with improved openess and accessibility to network applications and services for maximum productivity, while also maintaining the security of core business systems.

http://www.it-observer.com/articles/1180/what_cios_can_learn_mediaeval_castles/

“This type of protection doesn’t come easy or cheap,” says Nick Sharma, global head of infrastructure management services at Satyam Computer Services, which provides hosted services from a data center in Chennai, India, and other sites such as Cleveland.

This requires different types of experts: those who can understand and interpret the security aspects of regulations such as Sarbanes-Oxley, as well as those skilled at engineering a secure network, making threat assessments, and developing business-continuity plans.

As the threat of computer-initiated attacks increases and as regulators pressure financial institutions to shore up their information assets, banks are turning toward outsourcing their information-security functions to third parties.

In a managed security deal, the organization shares information security and business risks with the managed services provider. Such deals provide access to a range of security services and to skilled staff whose full-time job is security. The cost of managed security services is typically less than hiring in-house, full-time secur- ity experts. For example, a managed security provider can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware.

When retaining a managed security services provider, banks need to consider issues such as trust, dependence, and ownership. Establishing a good working relationship and building trust between a client and service provider are critical in deciding whether to outsource security services. The shared operational environment used by many service providers to support multiple clients poses more risks than an in-house environment. Service-level agreement guidelines fall into two categories: ser- vice-specific agreements and operational security practice agreements.

Managing the relationship with a service provider should include guidelines for moving from in-house services to provider-supplied ones or from one provider to another.

Finally, there are guidelines to consider using when terminating a relationship with a service provider, whether at the end of a contract or at some earlier point.

http://www.informationweek.com/story/showArticle.jhtml?articleID=189800154

E-mail pipelines will continue to be a favourite target for malicious attacks at a time when IT departments are tasked with preventing information leakage, meeting compliance standards and ensuring spam does not clog networks, servers and inboxes.

“Solutions need to cover outbound threats to cover compliance, intellectual property and theft of confidential information,” he said. “About 80 percent of corporate IP leakage is through e-mail; also, e-mail is involved in 85 percent of corporate litigation.”

http://www.computerworld.com.au/index.php/id;1628487510;fp;16;fpid;0

For most companies it is either the theft of proprietary or confidential/classified information or the injection of malicious code or surveillance software into the corporate network. If this is the case then memory devices attached via the USB port is not your only worry.

Take the problem of installing malicious code into a network, and please note that malicious code can be as small as a few Kb. Device Protection solutions are not able to identify malicious code inside the network or prevent it from being introduced into the network other than by a single method alone.

If it is preventing classified information from leaving the company that you are trying to achieve then controlling the use of the USB drive and other I/O devices is only going to give you a partial answer. In cases like these where device protection vendors claim to stop confidential information leaking to unauthorized parties, they are merely marketing their solutions to you and avoiding the real world scenarios.

To put ones faith in a single security solution that gives full granular control of any type of attachable memory device is flawed.

http://www.it-observer.com/articles/1168/endpoint_device_control_dont_believe_hype/