Category: Uncategorized

Educating end users about spyware should be part of any comprehensive security awareness training. It should be part of at least half-day or, preferably, whole-day training required by all employees at all levels, from the executive suite down to the receptionists and security guards at the front door.

Training should be a condition of employment with mandatory attendance noted as part of annual performance reviews.

As the number of security threats keeps growing every year, training should be updated annually and employees should be required to take it once a year. Training conducted in groups of a few dozen at a time will not disrupt daily operations, yet it can still cover the entire staff over the course of a year. Your IT/ Information Security staff members should have the background to put together and conduct training without having to look elsewhere.

Reinforce training efforts with monthly newsletters that include security awareness tips. Internal publicity is a real morale booster.

Policies for preventing spyware are similar to those for protecting a network from other uninvited malware, such as viruses, worms and Trojans. The most effective policy is to prohibit employee access to the Internet altogether.

Spyware/malware policies include prohibiting users from downloading software from the Internet, including file-sharing software and toolbars, and prohibiting users from visiting questionable Web sites, the most obvious being pornography and gambling sites. “Users are advised to report to the Help Desk suspicious activity on their desktops, such as excessive pop-windows opening simultaneously, unusually slow desktop performance or their Web browser being redirected to unwanted sites, such as pornographic or gambling sites.”

http://bankinfosecurity.com/node/2639

It is not unusual for organisations to have a number of disparate documents distributed throughout the business, each addressing various issues such as acceptable use of company e-mail and the Internet, physical security of company assets, and so on.

Security policies have a number of human, financial and legal consequences. Because of this, great care needs to be taken to ensure that such policies accurately reflect the current situation.

Certainly, the legal requirements for the protection of personally sensitive data have changed dramatically of late and it is common to discover that individual organisations’ security policies have not kept pace. Additional legislation dealing with the protection of data and monitoring in the workplace has been introduced recently that may have a significant impact on both public and private sector organisations. Many organisations are required to demonstrate to external and internal auditors that they meet prescribed standards in the way in which they secure and operate their businesses Correctly interpreting how the various pieces of legislation and corporate governance guidelines apply to your organisation is a serious challenge and one where mistakes potentially can prove very costly.

Best practise (BS-7799/ISO-17799) recommends that security polices are updated regularly so as to ensure organisations continue to protect themselves from the risk of security breaches whilst remaining legally compliant.
· Does your current policy incorporate sufficient procedures to cover the use of Personal Digital Assistants (PDAs) and similar mobile devices?
· Do any of your personnel work remotely or on the move and, if so, are they connecting securely?
· Are you aware of the main areas contained within ‘The Telecommunications Lawful Business Practise Regulations’ and ‘The Employment Practices Data Protection Code’ in respect of the monitoring of communications?
• Does the Civil Contingencies Bill (which came into force last year) apply to your organisation?

If you are unsure about any of these issues – and this is by no means an exhaustive list – it is highly likely that your security policy needs reviewing and updating.

http://www.ebcvg.com/articles.php?id=935

The tasks the security operations center handles can range from typical event management and incident response to account administration, investigations and forensics. Some companies choose to outsource their SOCs, because they want the expertise and 24-hour monitoring of a dedicated security team without staffing and building a SOC. For many, it makes sense to maintain an internal SOC, especially when a NOC already exists.

Building a separate infrastructure is expensive and probably not worth the effort. In many cases, the data center is a good fit, because it already has manned guard stations, cameras, security clearance and sign-in/sign out requirements and other physical security controls. Common and successful approaches to this end include having highly restrictive firewall policies for the SOC and placing an IDS–or better yet, an IPS–with restrictive policies inline between the SOC and the rest of the company network.

If remote access to the SOC is needed from within the company network, require a VPN connection. An additional network connection will give your SOC personnel an outsider’s view of your network. This link could be a T1 line or even an inexpensive DSL connection, preferably from an ISP other than the one providing your primary Internet connections.

Undoubtedly, you’ll need a wireless network in the SOC so workers can roam between conference rooms and offices. One possible solution is to have wireless users access the SOC network over a VPN requiring two-factor authentication.

http://www.secureenterprisemag.com/howtos/showArticle.jhtml?articleID=166400611

From the customer not understanding the relevance of security, through to the web developers not understanding the power of the technologies they are using, it’s hardly surprising 97% don’t make the grade. Ask most small businesses how important web site security might be, and there will be much shrugging of shoulders as they explain that they don’t handle credit card data so must be safe.

1. More and more criminals are using hacking as a way of committing their crimes in relative safety. Hacking can no longer be thought of as simple “vandalism”, it’s rapidly turning into a tool of the trade.
2. Identity theft is turning into a more lucrative line of business for many criminals than credit card fraud. And you’d be surprised just how many small business web sites collect valuable customer data – data which could easily be re-used to commit identity fraud. In one recent example, we reviewed the security of a recruitment company who had just spent a small fortune on a website with sophisticated functionality that allowed the user to manage their “account details” online.

Which brings me on to another major cause of poor security – bad design. Often naive developers with little experience of “real world” applications working to tight budgets often turn to the Internet to get the answers they need – and end up producing applications riddled with errors, bugs and security loopholes. And of course hackers are becoming increasingly sophisticated at detecting and exploiting flaws in the very programming that makes up a web site. And they use that knowledge against unsuspecting businesses with relative ease.

So how should a small business, with a limited budget and even more limited understanding of web technology get a foothold onto the Internet which is relatively safe?

1. Understand the importance of keeping any form of customer data
2. When choosing web developers, remember that you really do get what you pay for.
3. Don’t be too ambitious
4. Consider buying an off-the-shelf solution
5. Cnsider getting the site independently “penetration” tested. This may be expensive (perhaps 10-20% of the total cost of the site) but will be a fraction of the cost of a real-life break-in.

http://www.ebcvg.com/articles.php?id=879

As a result companies are adopting a more strategic approach as they recognise that contingency to guarantee a robust and reliable IT infrastructure is critical. This is because they have neglected to make long-term plans which take into account the speed at which technology develops and changing market forces. Businesses are finding themselves locked into vendor relationships that fail to offer cost-efficient solutions for the long-term management of escalating volumes of data.

It is important to recognise that an effective managed business function is achieved through assessment, planning, execution and evolution. Through the adoption of a long-term strategy and the effective forward planning of data management, an enterprise can make more efficient use of existing capacity and have greater control over the movement and location of data.

For example, as it’s been estimated that approximately 65% of online data is rarely accessed, businesses should look to free up online resources for more core business applications.

The effective management and control of a comprehensive back-up solution is critical to minimising business risk, but companies are failing to make thorough disaster recovery plans or are adopting inefficient processes. It is vital in the current corporate environment, to ensure that a partner has a reliable support infrastructure, suitably skilled personnel and can guarantee levels of service. Failure to meet any of these critical elements will threaten the success of a managed services approach.

As standards become more defined and universally accepted, the rush to storage attached to the network is bound to accelerate.

http://www.ebcvg.com/articles.php?id=865

Despite the headlines, the conferences and the stated objectives of many large public and private organizations, many executives still wrestle with how to effectively deploy security measures that protect critical information assets underpinning their mission critical operations.   It is the position of this White Paper that the challenges many organizations face in markedly reducing the risk posture of their organizations stem from a tactical understanding of risk and vulnerability assessment, perimeter security, threat remediation including anti-spyware, patch management and other critical security activities.

Today, many organizations still treat each of these activities in a distinct and discrete manner, making it difficult to get a big picture understanding of their risk posture, inhibiting their ability to respond appropriately and cost-effectively to threats.

According to analysts at IDC, worldwide spending on information technology will grow at 6 percent a year through 2008 to reach 1.2 trillion dollars, up from 965 Billion in 2004.  That increase in spending is an explicit recognition of the role IT plays in helping organizations to achieve their strategic business objectives.  However, it also represents a growing target of opportunity for those who wish to exploit our growing dependence on technology.   This helps explain why in the United States alone the market for information security will grow at 19 percent a year through 2008, according to recent data from the Freedonia Group.

That is more than three times the rate of the global IT spend.

According to the Freedonia analysts, much of this growth will be driven by efforts to integrate security on an enterprise-wide basis.  It would seem that people are voting with their wallets, and acknowledging that security is indeed a strategic issue.

But is there truly a broad strategic recognition of security’s strategic imperative?  In the summer of 2004, a survey by the Conference Board revealed that almost 40 percent of respondents consider security an overhead activity that must be minimized.

The situation appears no better in the public sector.  Agencies in the federal government continue to struggle with meeting the requirements of Federal Information Security Management Act (FISMA).   In early 2005, the Government Accounting Office (GAO), the investigative arm of Congress, concluded that poor information sharing and management was responsible for exposing homeland security to unacceptable levels of unnecessary risk.The problem illustrated by the above points is not one of effort or discipline.

Millions of dollars are invested on security technology and hundreds of thousands of man hours are brought to bear on protecting critical information assets by IT and security personnel.

The problem, rather, is one of perspective.  In both cases, security measures appear to be treated as stand-alone activities that are divorced from the technologies, business processes and information assets they are meant to protect.

Security, in short, is treated by many organizations as an afterthought.   According to PatchLink CEO Sean Moshir, “One of the greatest threats to enterprises today is that many — too many — organizations still consider security the lock they put on the door after the house gets built.”  Blind, in the sense that is difficult to get a clear, complete and accurate picture of an organization’s security posture.It is also costly.

According to recent research from Yankee Group, it can cost as much as $1 million to manually deploy a single patch in a 1,000-node network environment.  The firm has documented an instance in which an organization spent $2 million to rush a patch in a telecommunications network that had 500,000 nodes.  It is the manual labor, the fixing of problems, the downtime for businesses while the patches are being deployed,” explains Phebe Waterfield, Senior Analyst, Security Practice, Yankee Group.

Waterfield confirms that many organizations remain highly reactive in their approach to patch management, and therefore have not developed automated and integrated strategies for making sure that the most current measures are in place within the enterprise to deal with known threats to their IT assets.  This contributes to a reactive and expensive approach to security that does not make progress toward the goal of reducing an organization’s risk posture.

Malicious hackers, authors of viruses and other sources of threats have become a major cost of doing business in the digital economy.  Their handiwork is now covered by the mainstream media as well as the business and technology press.  Their destructive impact on the economy is measured in the billions — if not trillions — of dollars.

We are seeing the rise of hybrid threats in which viruses are used as launching points for initiatives that are designed to gather sensitive corporate data and/or execute identity theft.  For instance, spam is being used for phishing (an online con in which a “fake” site is set up to attract victims and solicit sensitive information from end-users), at which point spyware/malware or viruses are planted on consumer computers, while simultaneously gathering information that makes it easier to hack into the networks of the organizations they are spoofing.

Where once the hacker community may have been seen as kids playing games, today we see malicious activity that is profit driven in some cases, and guided by fanaticism in others,” notes Moshir.

According to PatchLink’s Moshir, an effective strategic response to these threats must consist of four basic elements.  The data gathered by sensors and reporting tools should be presented in ways that are meaningful to the users who must make decisions based on that information.  And the data must be standardized so that information from one security system makes sense to the rest of the organization.Moshir emphatically states, “From a management standpoint, there must clarity and transparency within and between all security systems.

Lane is the founder and director of Cooper Research Associates.

http://www.net-security.org/article.php?id=814