Category: Uncategorized

These messages, supposedly from a legitimate company, may try to convince you to visit a malicious site by claiming that there is a problem with your account or stating that you have been subscribed to a service.

Not only does this hide the real attacker’s identity, it allows the attacker to increase the number of targets (see Understanding Denial-of-Service Attacks for more information).

Trying to gain access to account information – In some areas, cell phones are becoming capable of performing certain transactions (from paying for parking or groceries to conducting larger financial transactions). An attacker who can gain access to a phone that is used for these types of transactions may be able to discover your account information and use or sell it.

Follow general guidelines for protecting portable devices
– Take precautions to secure your cell phone and PDA the same way you should secure your computer (see Cybersecurity for Electronic Devices and Protecting Portable Devices: Data Security for more information).

– Be careful about posting your cell phone number and email address – Attackers often use software that browses web sites for email addresses. These addresses then become targets for attacks and spam (see Reducing Spam for more information). By limiting the number of people who have access to your information, you limit your risk of becoming a victim.

Messages from unknown person = While the links may appear to be legitimate, they may actually direct you to a malicious web site.

Be wary of downloadable software – There are many sites that offer games and other software you can download onto your cell phone or PDA.

Disable Bluetooth when you are not using it to avoid unauthorized access (see Understanding Bluetooth Technology for more information).

http://www.us-cert.gov/cas/tips/ST06-007.html

The rapid development of the internet has made it easier to reach and communicate with your clients and suppliers, and whether you choose to be an e-tailer or are forced by suppliers to order online, IT functions will probably be at the core of your business.

This may be in the form of communications, customer/supplier management or just product/company information. As the majority of us rely so heavily on email for communication, I challenge anyone who is happy to tell their board of directors that email is not working and “might not be back online for a while”!

When disasters strike, the media will want to know what has happened, how it happened, whose fault it was, what you are doing to recover and how you are managing the relationships with your clients and suppliers. You are not just responsible for creating the plan and deciding on appropriate levels of protection and recovery methods but also for training your staff. Remember these are not the only skills required and I am looking at a fairly basic level, but without these key skills your business continuity plan is unlikely to get off the ground, let alone be effective.

http://www.it-observer.com/articles/1209/when_disaster_strikes_manage_it/

While we have installed firewalls, intrusion detection systems, robust anti-virus and anti-spyware solutions, and strengthened authentication methods, we have still largely ignored security awareness training. And when the authors say ignored, she means that most companies now have an Acceptable Use Policy in place that employees have to sign upon employment, but that’s where the effort stops. Security awareness programs are about changing culture.

http://www.bankinfosecurity.com/articles.php?art_id=157&PHPSESSID=ccd23e68b1848b308c34fd9680492a63

Secure outer “areas” provided a forum for trade and agriculture to be developed and helped the castle community to develop and prosper, in much the same way that controlled third party access, virtual private networks and secure remote access help to increase overall efficiency and productivity for businesses today. Castles were constructed to anticipate the likeliest path of attack and to force attackers into positions of weakness. They were designed so that attacks would be as difficult as possible, forcing enemies to charge uphill, expose their own weakensses to attack and leave themselves unguarded.

Harlech’s unsurpassed natural setting — with the mighty protection of the sea, the mountains, steep impenetrable cliff faces and the natural strength of the rock — certainly played a major role in helping King Edward build a castle to meet the defensive requirements of the age. Applications are built as rapidly as possible and put onto the network landscape, often no consideration is given to their security at it is assumed that they will be secured with the overall perimeter fencing. An integrated, multi-layered approach is necessary to guard against today’s sophisticated IT security threats and protect business critical systems across an organisation. Protecting The Crown Jewels Harlech castle’s architectural design and impressive security defences played an equally important role as its natural defences in protecting the inhabitants and their assets from hostile attack.

The moat and draw bridge formed the first line of defence, and for those who penetrated these initial lines, there lay the and outer wall and an impressive twin-towered gatehouse with three portcullises (more on this later). Here, key locations were protected by high inner walls, round towers and battlements, designed to offer the utmost protection and security to the King and valuable assets.

We must look at Infosecurity issues in much the same way, ensuring that business critical systems remain secure and protected against attack.

Encouraging Trade and Commerce Maximum security is all well and good, but the castle architect also had to design a fortress which would control access to third parties such as merchants and tradespeople whose presence would benefit the castle community and help it to prosper. In today’s increasingly mobile and flexible workplace, it is important that security architecture be developed with improved openess and accessibility to network applications and services for maximum productivity, while also maintaining the security of core business systems.

http://www.it-observer.com/articles/1180/what_cios_can_learn_mediaeval_castles/

“This type of protection doesn’t come easy or cheap,” says Nick Sharma, global head of infrastructure management services at Satyam Computer Services, which provides hosted services from a data center in Chennai, India, and other sites such as Cleveland.

This requires different types of experts: those who can understand and interpret the security aspects of regulations such as Sarbanes-Oxley, as well as those skilled at engineering a secure network, making threat assessments, and developing business-continuity plans.

As the threat of computer-initiated attacks increases and as regulators pressure financial institutions to shore up their information assets, banks are turning toward outsourcing their information-security functions to third parties.

In a managed security deal, the organization shares information security and business risks with the managed services provider. Such deals provide access to a range of security services and to skilled staff whose full-time job is security. The cost of managed security services is typically less than hiring in-house, full-time secur- ity experts. For example, a managed security provider can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware.

When retaining a managed security services provider, banks need to consider issues such as trust, dependence, and ownership. Establishing a good working relationship and building trust between a client and service provider are critical in deciding whether to outsource security services. The shared operational environment used by many service providers to support multiple clients poses more risks than an in-house environment. Service-level agreement guidelines fall into two categories: ser- vice-specific agreements and operational security practice agreements.

Managing the relationship with a service provider should include guidelines for moving from in-house services to provider-supplied ones or from one provider to another.

Finally, there are guidelines to consider using when terminating a relationship with a service provider, whether at the end of a contract or at some earlier point.

http://www.informationweek.com/story/showArticle.jhtml?articleID=189800154

E-mail pipelines will continue to be a favourite target for malicious attacks at a time when IT departments are tasked with preventing information leakage, meeting compliance standards and ensuring spam does not clog networks, servers and inboxes.

“Solutions need to cover outbound threats to cover compliance, intellectual property and theft of confidential information,” he said. “About 80 percent of corporate IP leakage is through e-mail; also, e-mail is involved in 85 percent of corporate litigation.”

http://www.computerworld.com.au/index.php/id;1628487510;fp;16;fpid;0