Category: Uncategorized

The IT trade organisation said that human error is the primary cause of IT security breaches, and in many instances security breaches can be traced back to poor password security.

CompTIA warned that people should use multiple passwords, because if one is compromised or stolen they could become the victim of identity theft or financial loss. And if the lost password is the same one used at work, the organisation warned that “the consequences for your employer could be disastrous”.

“As we have incorporated computer use into more and more of our lives at home and at work, the number of passwords we use has grown exponentially,” said John Venator, president and chief executive at CompTIA.

The organisation recommends that users maintain four passwords. The first should be easy to remember for use on general websites. The same password can be used in many low-risk places because the consequences are minimal if the password is compromised.

The second password should be more complex, with a mix of numbers and letters, for e-commerce websites. But if this password is compromised, CompTIA warned, there may be financial implications, such as credit card theft.

Thirdly a “very complex” password is required for banking websites. This password should contain lower case letters, uppercase letters, numbers and punctuation marks, or at least three of these four categories. If this password is compromised, identity theft is possible.

Finally a separate password should be used only at work, which should not resemble any of the passwords used for home and personal computing. All passwords except the easy website password should be changed at least every 90 days, the trade body advised.

http://www.vnunet.com/news/1161436

In a new book, “Business Under Fire: How Israeli Companies are Succeeding in the Face of Terror—and What We Can Learn from Them,” author Dan Carrison interviewed consultant Danny Halpern, who said, “In Israel, I believe we invest more in the quality of our security people and less in the mechanics.

In America, because of the huge numbers, the investment is in the mechanics—the system—and then they hire minimum wage security staff.” This focus on mechanics has brought us the turf wars between the CIA and FBI, elderly women being forced to remove their shoes at airports and other counterterrorism security nonsense. Similar nonsense—the result of merely going through the motions of physical security—exists in information security.

Security guru Marcus Ranum made this observation to me about poorly configured firewalls and noted that “eventually, if enough data is going back and forth through your firewall, it is no longer a firewall, it’s a router! Deploying security products without first performing such an assessment is like taking medication without knowing what disease you have. Effective risk assessment and analysis ensure that your organization is dealing with real threats. The fact is, the most dangerous threats come from inside, contrary to the widespread perception that they come from the outside.

Hundreds of millions of dollars were wasted on PKI systems because organizations deployed them without understanding what their problem was or what a PKI system could do to solve it.

Too often, organizations go through the mechanics of purchasing and deploying security software and hardware items without knowing why.

http://www.eweek.com/article2/0,1759,1765060,00.asp

The plethora of exploit code available on the web to attack corporate servers should be used as a resource to test computer security. By running such code administrators can judge the efficacy of their defences and make appropriate adjustments.

“There are several legitimate uses for exploit code,” explained Ivan Arce, chief technology officer at Core Security Technologies. “We need to understand the strengths and limitations of our tools. It helps to deploy timely and cost-effective mitigation measures.”

Arce pointed out that code designed to exploit flaws in software programs is a valuable resource and should be used as such. Both legitimate and illegal organisations are now selling such code for use in testing.

This new value on exploit code is such that new vulnerabilities are being traded on the open market. Spammers and malware writers are buying it to further their ends, but legitimate security companies are also buying the information. “There is an increasing perception of value for vulnerability code,” said Arce. “The good guys value it and are not giving it up for free. The bad guys want it so they can carry on their attacks.”

http://www.itweek.co.uk/news/1161395

Not only is it technically impossible to completely secure cyberspace, but the technology is complicated, the vocabulary arcane, and the expertise to make it happen hard to find — and even harder to apply.

Worse yet, most managers never learned how to calculate the value of — and communicate the business case for — cybersecurity. Yes, I realize that overall spending on cybersecurity continues to increase every year. Yet every executive I know is kicking and screaming about its cost along the entire way.

The sad reality is that every computer network has cybersecurity exposures. This is due in large part to the fact that most software and computer systems focus on function, not security. Security is bolted to computer systems using things like firewalls and intrusion-detection systems.

Additionally, the communications methods used to deliver data are over 30 years old, coming from a time when security was less of an issue.

Compounding the problem, as software has become more sophisticated, the code used to write it has grown significantly. Conventional wisdom says you can expect to find about one bug for every 1,000 lines of software code — and every bug is an opening for hackers. The 45 million-line operating system that runs your computer may have 45,000 ways to be breached by a hacker. These hackers are smart, and most have much more time to spend attacking you than a typical system administrator can spend defending against them.

Attacks are also becoming increasingly automated, which compounds the problem. Computer worms and other autonomous, malicious programs can attack and infiltrate these complex environments in a relentless, methodical fashion.

Most senior executives are aware of these cybersecurity issues.

The problem is that these issues rarely turn into funded information-technology projects when evaluated against other business priorities. Sure, every survey of chief information officers says cybersecurity is one of the very top issues for a company.

Yet in most executive suites, cybersecurity is considered necessary to stay in business, but not to make the business bigger. So what if a PC gets hammered by a worm? It won’t kill the business, and the expense to clean it up will be minimal.

There’s a way to deal with this dilemma.

Chief information officers need to translate the IT priority of cybersecurity into a business priority that the CEO can’t ignore.

Asset protection: Most businesses recognize that they must protect their physical and intellectual assets. For example, they can’t let someone steal their patents.

The same kind of rigor that is applied to valuing, protecting, and insuring traditional assets needs to be applied to cyberassets. If someone steals your customer- or product-development data base you could be put out of business.

Brand protection: Every CEO is concerned about the outfit’s brand. CEOs can increase the perceived value of the company through the equity they build in their brands. What if your company is hit by a hacker and all the credit-card data from the e-commerce wWeb site is compromised? What happens to the value of the brand — and to your stock price?

Compliance: Probably the strongest justification for investing in cybersecurity is that you don’t have a choice: It’s the law.

http://www.eweek.com/article2/0,1759,1765331,00.asp

What’s important to energy provider Georgia Power (federal regulation compliance, for example) may not be important to coffee purveyor Starbucks (armed robbery statistics, for example). “Clearly, statistics on their own don’t make a very good read,” says John Hedley, head of group security for food maker Nestlé.

Francis D’addario Starbucks Metrics insight: Rigorous tracking of processes leads to improvements and business value.

Here is the story of four security executives in different industries who give a rare peek into the physical security metrics that are important to them, their CEOs and their organizations. Taken together, data points and measurements help them keep a firm grip on the most important metric of all: How much confidence the rest of the organization has in the security department.

To Francis D’Addario, the connection between security metrics and how effective he is as CSO of Starbucks is simple: His mission to protect people, secure assets and contribute savings year over year is validated with key performance indicators. Whether D’Addario, vice president of partner and asset protection at the $5.3 billion coffee and food retailer, is talking about physical assets (stores and equipment), liquid assets (cash and coffee) or human assets (employees and customers), using metrics is how he judges the success of his security group.

First and foremost on the priority list, D’Addario says, is the safety of people. The frequency of armed robberies at retail outlets, for example, is an important metric at Starbucks and within the retail industry.

Nestlé Metrics Emphasize Prevention and Protection
When there is civil war where your people are working, one physical security metric rises above all others: Keeping all of your employees alive. Hedley’s security staff, led by a regional security manager based in Abidjan, the commercial capital, set in motion an evacuation plan for the international Nestlé employees when it was clear that the violence was escalating to a dangerous level. “We have not done a cost-benefit analysis of how much money we have saved because of the security plan in place,” Hedley says, adding he was not sure of the evacuation’s cost. The areas most important to him are Nestlé employees, distributors and consumers; company property; and the strength of Nestlé’s reputation and brand.

Utility Uses Government Rules to Build Metrics
Margaret Levine, corporate security manager at Georgia Power, has found ways to convert the necessary burden of regulation into a bounty of physical security data for the electric utility. Readiness reviews are planned events and are a key component of Georgia Power’s business continuity program. The reviews assess whether employees and site security professionals at a particular facility understand that facility’s threat plans and know what to do when the threat level is raised or lowered.

Tracking Trends Incident trends and loss trends are next on Georgia Power’s metrics list. Levine says that it’s critical to be able to demonstrate that a CSO’s security program is a significant mitigating factor in preventing increased incidents and losses. Levine can compare incidents by quarter, year-to-year and across multiple years. She can note the changes in the number and frequency of incidents by type of incident (for example, thefts, threats against employees or sabotage), by line of business (generation, transmission, distribution, staff services) or by location.

She follows the same process for tracking losses; she says she tracks property and monetary losses. The key, she says, is if you’re not able to prevent losses, then “you can demonstrate an ability to quickly pinpoint where the weakness was and put in place the appropriate stopgap measures. Levine adds that metrics must be more than in-house security tools; they have to be relevant to the people she supports—business executives, plant operators, substation engineers, customer service managers. She says her reports must contain information that is important to them, not just to security managers.

Depending on the type of data and compliance requirements, Levine reports her metrics monthly, quarterly or yearly. Levine says Georgia Power collaborates on metrics reviews with other security managers from within Southern’s 12 operating companies.

(Besides Georgia Power, there are four electric utilities and companies in wholesale power, power generation management, natural gas, nuclear power and energy services. Southern also owns a wireless company and a fiber optics business.)

As for data quality, Levine says that it’s important to watch out for the equivalent of scorekeeping changes. She says Georgia Power recently transitioned from a 10-year-old case management system to a new system developed last year by Southern’s security managers. The case management system is a database that records all the details of incidents that are reported to corporate security. This includes an incident narrative and summary; victim, witness and reporting party names; losses; investigative activity; and case resolution. For example, the old case management system had separate incident categories for burglary, larceny, fraud and robbery. But in the new case management system, all of those crimes are categorized as financial matters.

“To make an apples-to-apples comparison between the old and the new, we have to select a specific subcategory (for example, larceny) in the new system,” Levine says.

http://www.csoonline.com/read/020105/metrics.html

The 93 page report, written by D. Richard Kuhn, Thomas J. Walsh and Steffen Fries, details the “significant” security and quality of service issues in implementing VOIP telephony and makes extensive recommendations in securing a VOIP implementation.

“Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and remain secure. However, the process is not that simple.”

NIST emphasizes that VOIP plans should include separate voice and data networks where practical, regular security testing, frequent software updates and avoiding PC based implementations of VOIP, as the platform is so difficult to secure.

The full paper, Security Considerations for Voice Over IP Systems, NIST Special Publication 800-58 is available for free in an Adobe Acrobat file.

Click here for NIST, the National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

http://www.extremetech.com/article2/0,1558,1758174,00.asp?kc=ETRSS02129TX1K0000532