Category: Uncategorized

Earlier this month, the CBO released a report with projections on the likely economic impact of a pandemic on the United States, and concluded that in a “mild” scenario, 100,000 Americans would die and the gross domestic product (GDP) would drop 1.5 percent.

http://www.securitypipeline.com/news/175003156;jsessionid=L4U2AUHYNRLYYQSNDBCSKH0CJUMEKJVN

Most organizations spend a tremendous amount of resources, time and money to protect their network perimeters from Internet-borne threats and hackers. But no matter how good a defense may be, it usually falls short in addressing the vulnerabilities inside the network at the application layer.

Recent research findings indicate that the application layer is one of the highest-risk areas and where the most potential damage can occur, either through insider targets or lack of protection. As a result, confidential company information can be exposed, resulting in harm to a company, its customers and its reputation. While many variables affect Web application security, improving security in a few key areas can help eliminate vulnerabilities.

It’s critical that security be included in the initial Web design and not retrofitted after the application is developed. While some experts argue over where and when security integration and testing should be applied in the development life cycle, no one would argue that it has become an essential ingredient.

The software industry is making headway in this area, with some providers offering incentives to development teams to integrate security during the application development process. Integrating security into the application development life cycle is not an all-or-nothing decision, but rather a process of negotiation within policy, risk and development requirements. Engaging security teams — in-house or outsourced — during the definition stage of application development determines the security areas necessary to satisfy policy and risk tolerance in the context of the organization.

http://www.computerworld.com/securitytopics/security/story/0,10801,106805,00.html

Educating end users about spyware should be part of any comprehensive security awareness training. It should be part of at least half-day or, preferably, whole-day training required by all employees at all levels, from the executive suite down to the receptionists and security guards at the front door.

Training should be a condition of employment with mandatory attendance noted as part of annual performance reviews.

As the number of security threats keeps growing every year, training should be updated annually and employees should be required to take it once a year. Training conducted in groups of a few dozen at a time will not disrupt daily operations, yet it can still cover the entire staff over the course of a year. Your IT/ Information Security staff members should have the background to put together and conduct training without having to look elsewhere.

Reinforce training efforts with monthly newsletters that include security awareness tips. Internal publicity is a real morale booster.

Policies for preventing spyware are similar to those for protecting a network from other uninvited malware, such as viruses, worms and Trojans. The most effective policy is to prohibit employee access to the Internet altogether.

Spyware/malware policies include prohibiting users from downloading software from the Internet, including file-sharing software and toolbars, and prohibiting users from visiting questionable Web sites, the most obvious being pornography and gambling sites. “Users are advised to report to the Help Desk suspicious activity on their desktops, such as excessive pop-windows opening simultaneously, unusually slow desktop performance or their Web browser being redirected to unwanted sites, such as pornographic or gambling sites.”

http://bankinfosecurity.com/node/2639

It is not unusual for organisations to have a number of disparate documents distributed throughout the business, each addressing various issues such as acceptable use of company e-mail and the Internet, physical security of company assets, and so on.

Security policies have a number of human, financial and legal consequences. Because of this, great care needs to be taken to ensure that such policies accurately reflect the current situation.

Certainly, the legal requirements for the protection of personally sensitive data have changed dramatically of late and it is common to discover that individual organisations’ security policies have not kept pace. Additional legislation dealing with the protection of data and monitoring in the workplace has been introduced recently that may have a significant impact on both public and private sector organisations. Many organisations are required to demonstrate to external and internal auditors that they meet prescribed standards in the way in which they secure and operate their businesses Correctly interpreting how the various pieces of legislation and corporate governance guidelines apply to your organisation is a serious challenge and one where mistakes potentially can prove very costly.

Best practise (BS-7799/ISO-17799) recommends that security polices are updated regularly so as to ensure organisations continue to protect themselves from the risk of security breaches whilst remaining legally compliant.
· Does your current policy incorporate sufficient procedures to cover the use of Personal Digital Assistants (PDAs) and similar mobile devices?
· Do any of your personnel work remotely or on the move and, if so, are they connecting securely?
· Are you aware of the main areas contained within ‘The Telecommunications Lawful Business Practise Regulations’ and ‘The Employment Practices Data Protection Code’ in respect of the monitoring of communications?
• Does the Civil Contingencies Bill (which came into force last year) apply to your organisation?

If you are unsure about any of these issues – and this is by no means an exhaustive list – it is highly likely that your security policy needs reviewing and updating.

http://www.ebcvg.com/articles.php?id=935

The tasks the security operations center handles can range from typical event management and incident response to account administration, investigations and forensics. Some companies choose to outsource their SOCs, because they want the expertise and 24-hour monitoring of a dedicated security team without staffing and building a SOC. For many, it makes sense to maintain an internal SOC, especially when a NOC already exists.

Building a separate infrastructure is expensive and probably not worth the effort. In many cases, the data center is a good fit, because it already has manned guard stations, cameras, security clearance and sign-in/sign out requirements and other physical security controls. Common and successful approaches to this end include having highly restrictive firewall policies for the SOC and placing an IDS–or better yet, an IPS–with restrictive policies inline between the SOC and the rest of the company network.

If remote access to the SOC is needed from within the company network, require a VPN connection. An additional network connection will give your SOC personnel an outsider’s view of your network. This link could be a T1 line or even an inexpensive DSL connection, preferably from an ISP other than the one providing your primary Internet connections.

Undoubtedly, you’ll need a wireless network in the SOC so workers can roam between conference rooms and offices. One possible solution is to have wireless users access the SOC network over a VPN requiring two-factor authentication.

http://www.secureenterprisemag.com/howtos/showArticle.jhtml?articleID=166400611

From the customer not understanding the relevance of security, through to the web developers not understanding the power of the technologies they are using, it’s hardly surprising 97% don’t make the grade. Ask most small businesses how important web site security might be, and there will be much shrugging of shoulders as they explain that they don’t handle credit card data so must be safe.

1. More and more criminals are using hacking as a way of committing their crimes in relative safety. Hacking can no longer be thought of as simple “vandalism”, it’s rapidly turning into a tool of the trade.
2. Identity theft is turning into a more lucrative line of business for many criminals than credit card fraud. And you’d be surprised just how many small business web sites collect valuable customer data – data which could easily be re-used to commit identity fraud. In one recent example, we reviewed the security of a recruitment company who had just spent a small fortune on a website with sophisticated functionality that allowed the user to manage their “account details” online.

Which brings me on to another major cause of poor security – bad design. Often naive developers with little experience of “real world” applications working to tight budgets often turn to the Internet to get the answers they need – and end up producing applications riddled with errors, bugs and security loopholes. And of course hackers are becoming increasingly sophisticated at detecting and exploiting flaws in the very programming that makes up a web site. And they use that knowledge against unsuspecting businesses with relative ease.

So how should a small business, with a limited budget and even more limited understanding of web technology get a foothold onto the Internet which is relatively safe?

1. Understand the importance of keeping any form of customer data
2. When choosing web developers, remember that you really do get what you pay for.
3. Don’t be too ambitious
4. Consider buying an off-the-shelf solution
5. Cnsider getting the site independently “penetration” tested. This may be expensive (perhaps 10-20% of the total cost of the site) but will be a fraction of the cost of a real-life break-in.

http://www.ebcvg.com/articles.php?id=879