CyberSecurity Institute

Security News Curated from across the world

Category: Uncategorized

What CIOs can learn from Mediaeval Castles

Posted on July 11, 2006 | December 30, 2021 by admini

Secure outer “areas” provided a forum for trade and agriculture to be developed and helped the castle community to develop and prosper, in much the same way that controlled third party access, virtual private networks and secure remote access help to increase overall efficiency and productivity for businesses today. Castles were constructed to anticipate the likeliest path of attack and to force attackers into positions of weakness. They were designed so that attacks would be as difficult as possible, forcing enemies to charge uphill, expose their own weaknesses to attack and leave themselves unguarded.

Harlech’s unsurpassed natural setting — with the mighty protection of the sea, the mountains, steep impenetrable cliff faces and the natural strength of the rock — certainly played a major role in helping King Edward build a castle to meet the defensive requirements of the age. Applications are built as rapidly as possible and put onto the network landscape; often no consideration is given to their security, as it is assumed that they will be secured with the overall perimeter fencing. An integrated, multi-layered approach is necessary to guard against today’s sophisticated IT security threats and protect business critical systems across an organisation.

Protecting The Crown Jewels

Harlech castle’s architectural design and impressive security defences played an equally important role as its natural defences in protecting the inhabitants and their assets from hostile attack.

The moat and draw bridge formed the first line of defence, and for those who penetrated these initial lines, there lay the and outer wall and an impressive twin-towered gatehouse with three portcullises (more on this later). Here, key locations were protected by high inner walls, round towers and battlements, designed to offer the utmost protection and security to the King and valuable assets.

We must look at Infosecurity issues in much the same way, ensuring that business critical systems remain secure and protected against attack.

Encouraging Trade and Commerce

Maximum security is all well and good, but the castle architect also had to design a fortress which would control access to third parties such as merchants and tradespeople whose presence would benefit the castle community and help it to prosper. In today’s increasingly mobile and flexible workplace, it is important that security architecture be developed with improved openness and accessibility to network applications and services for maximum productivity, while also maintaining the security of core business systems.

http://www.it-observer.com/articles/1180/what_cios_can_learn_mediaeval_castles/

Outsourcing Managed Security

Posted on July 4, 2006 | December 30, 2021 by admini

“This type of protection doesn’t come easy or cheap,” says Nick Sharma, global head of infrastructure management services at Satyam Computer Services, which provides hosted services from a data center in Chennai, India, and other sites such as Cleveland.

This requires different types of experts: those who can understand and interpret the security aspects of regulations such as Sarbanes-Oxley, as well as those skilled at engineering a secure network, making threat assessments, and developing business-continuity plans.

As the threat of computer-initiated attacks increases and as regulators pressure financial institutions to shore up their information assets, banks are turning toward outsourcing their information-security functions to third parties.

In a managed security deal, the organization shares information security and business risks with the managed services provider. Such deals provide access to a range of security services and to skilled staff whose full-time job is security. The cost of managed security services is typically less than hiring in-house, full-time security experts. For example, a managed security provider can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware.

When retaining a managed security services provider, banks need to consider issues such as trust, dependence, and ownership. Establishing a good working relationship and building trust between a client and service provider are critical in deciding whether to outsource security services. The shared operational environment used by many service providers to support multiple clients poses more risks than an in-house environment. Service-level agreement guidelines fall into two categories: service-specific agreements and operational security practice agreements.

Managing the relationship with a service provider should include guidelines for moving from in-house services to provider-supplied ones or from one provider to another.

Finally, there are guidelines to consider using when terminating a relationship with a service provider, whether at the end of a contract or at some earlier point.

http://www.informationweek.com/story/showArticle.jhtml?articleID=189800154

Security needs vary for each industry vertical

Posted on June 29, 2006 | December 30, 2021 by admini

E-mail pipelines will continue to be a favourite target for malicious attacks at a time when IT departments are tasked with preventing information leakage, meeting compliance standards and ensuring spam does not clog networks, servers and inboxes.

“Solutions need to cover outbound threats to cover compliance, intellectual property and theft of confidential information,” he said. “About 80 percent of corporate IP leakage is through e-mail; also, e-mail is involved in 85 percent of corporate litigation.”

http://www.computerworld.com.au/index.php/id;1628487510;fp;16;fpid;0

Endpoint Device Control, Don’t believe the Hype

Posted on June 26, 2006 | December 30, 2021 by admini

For most companies it is either the theft of proprietary or confidential/classified information or the injection of malicious code or surveillance software into the corporate network. If this is the case then memory devices attached via the USB port are not your only worry.

Take the problem of installing malicious code into a network, and please note that malicious code can be as small as a few Kb. Device Protection solutions are not able to identify malicious code inside the network or prevent it from being introduced into the network other than by a single method alone.

If it is preventing classified information from leaving the company that you are trying to achieve then controlling the use of the USB drive and other I/O devices is only going to give you a partial answer. In cases like these where device protection vendors claim to stop confidential information leaking to unauthorized parties, they are merely marketing their solutions to you and avoiding the real world scenarios.

To put one’s faith in a single security solution that gives full granular control of any type of attachable memory device is flawed.

http://www.it-observer.com/articles/1168/endpoint_device_control_dont_believe_hype/

Encryption can save data in laptop lapses

Posted on June 17, 2006 | December 30, 2021 by admini

“It is shocking how many of these are stolen laptops and the fact that the users of the laptops did not use encryption to secure the data,” Beth Givens, director of the Privacy Rights Clearinghouse, said of recent data losses. “If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware.”

Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearinghouse, a San Diego-based nonprofit that tracks data thefts. So far, there is no evidence the stolen data were used for identity theft or other nefarious purposes. Hospitals, universities, consulting firms, banks, health insurers and even a YMCA have lost personal data.

The portable computers are usually protected by passwords needed to boot them up, but the data on their drives are still accessible.

Ernst & Young, which has 30,000 laptops used by its highly mobile staff of consultants, is encrypting all contents on the computers, according to company spokesman Charlie Perkins.

In several cases, laptops were lost or stolen when employees violated company rules by leaving them in parked cars or in their homes.

http://seattlepi.nwsource.com/business/1700AP_Laptops_Security.html

Regulatory Compliance Planning Guide

Posted on June 16, 2006 | December 30, 2021 by admini

The regulations and standards come from many sources, such as national and local governments. Examples include the Sarbanes-Oxley Act (SOX) and the California Law on Notice of Security Breach, formerly known as SB-1386. They also come from industry-specific oversight groups, such as the Payment Card Industry Data Security Standards.

Not surprisingly, many companies find it difficult to understand how to respond appropriately to these regulatory requirements, and then maintain their regulatory compliance through cost-effective processes and procedures.

http://www.it-observer.com/articles/1161/regulatory_compliance_planning_guide/
