Category: Uncategorized

5. Don’t forget what you don’t see. Your traveling and remote users may be out of sight, but they shouldn’t be out of mind.
4. Cover all your bases. While you aren’t rewriting War and Peace, you should be as comprehensive as possible.
3. Be reasonable. Your end-users should be able to comprehend and abide by the policies that you set forth.
2. Understand what a security policy is. But do you really know what a security policy is?
1. Don’t start from scratch. You aren’t the only IT manager facing the Herculean task of writing security polices.

More info: [url=http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci943353,00.html]http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci943353,00.html[/url]

Failing to archive firewall log files: Firewalls are often correctly configured with full logging enabled.

Not knowing where your passwords are documented: Nothing makes supporting customers more of a challenge than if they cannot remember where their passwords are documented.

Not scanning e-mails for viruses: Without question, e-mail borne viruses are today the biggest Internet security threat.

Not blocking Instant Messaging on your firewall: With Microsoft now in a big push to get people using its IM technology we are beginning to see IM clients freely deployed in businesses, mainly by users.

Depending on users to patch their own workstations: Let’s face it, users are terrible at following instructions

Not having an incident response plan: All networking and security professionals know that even with the best planning in the world, something will still go wrong.

Failing to disable accounts for departed employees: You would not believe how frequently HR fails to tell IT that an employee has left the business.

Failing to configure any security on a wireless access point: We all know wireless is here to stay.

Not keeping your firewall patched: This is pretty much tantamount to paying for an expensive lock on your front door at home and then leaving the keys in the lock – on the outside!

Not securing home PCs with their own firewall, VPN and virus detection

More info: [url=http://www.biosmagazine.co.uk/op.php?id=77]http://www.biosmagazine.co.uk/op.php?id=77[/url]

The introduction of an IDS into a organization’s network can be sensitive and often has political implications with the network staff, and thus a checklist written from the perspective of an outside consultant (even if the IDS is deployed internally) that appeases all parties can be useful to ensure a successful implementation. While this topic is broad, there’s sufficient information and planning required to form the basis of the checklist.

When installing an IDS a policy needs to be developed to ensure responsibilities are clearly defined. This is especially important when delivering an IDS capability remotely or to another organisation’s network. The Junction Of Maintenance (JOM) defines where your responsibility for the hardware starts and finishes, and this will usually be the network switch port or tap with which the IDS connects to the target network.

On the subject of failing hardware, people administering the target network must be made fully aware that if network taps are used, even fail safe taps can take up to a second for the interfaces to re-negotiate and could potentially disrupt services, though recent improvements have reduced this latency considerably. If the network is remote then it is advisable for the policy to reflect that the target network manpower can be called upon for a predefined duration for power resets, etc. Attempting this retrospectively through contractual alteration, if required, can be expensive and time consuming.

If you rely on the distant network for support, ensure you have a telephone authentication system in place and don’t fall victim to a social engineering attack. It’s all too easy for an attacker or Pen Tester to call the local staff where your IDS is installed and ask them to power it down. Most of these issues can be avoided if you are willing to have your IDS application reside on one of the target network’s hosts, though in my experience it can never be completely trusted and raises the question of who maintains the software and OS deployed on the system. If an OS update corrupts the IDS application, then who takes responsibility for fixing it?

Finally, discuss and set in policy the rules of engagement for automated response. This is especially important when you are deploying Intrusion Prevention Systems. An Intrusion Prevention System or inline IDS will block packets that meet the criteria of an event signature.
These packets could have legitimately been accepted by the firewall and allowed through. As signatures can block packets in a fashion similar to a firewall, there are some that advocate replacing firewalls with IPS is a dangerous step. An IPS complements the firewall very well and they work well together, but the firewall should be left in place.

The myth that an IPS will kill a network through its false positives doesn’t have to hold true. Rather than blocking packets in line, it can craft various responses: TCP resets to the source or destination (or in some cases both) of the offending packet, crafting unreachable/unauthorized replies and spoofing the border device. For example, you might want to retain corporate knowledge by blocking any document that contains the word “prototype”, from leaving the network through the use of an IPS signature.

Once the IDS starts chattering you can revisit those “practises dangerous to security”. Policy also needs to be defined regarding how you respond to an incident and should include statements that direct forensics and evidence preservation activities. The availability of up-to-date network diagrams is essential not only for locating the best site for an IDS, but also post installation. You have to identify your requirements for the installation such as rack space, switch/hub ports, power outlets, UPS, cooling, taps and any mandatory local requirements like fiber infrastructure and fail over.

The first coarse tuning should have occurred by using the site’s policy to define the initial IDS policy. Rather than attempting this on an event-by-event basis, wait a week and look at the historical information, sorted by count.

More info: [url=http://www.securityfocus.com/infocus/1754]http://www.securityfocus.com/infocus/1754[/url]

Enterprises everywhere have fundamental concerns about the manner in which IT organizations can deliver an identity infrastructure that is both productive and efficient while also being secure. Compliance drivers (i.e., legal and regulatory) are also becoming increasingly important, as evidenced by recent legislation on all continents. These factors have combined to drive significant decision making among IT infrastructure planners regarding how best to manage the identity asset currently in use in the enterprise.

Lessons Learned: Planning for Identity Management

1. Managing Expectations Increases the Likelihood of Successful Implementations
2. Executive Sponsorship Is Not Optional
3. Identity Must Be Defined as a Strategic Asset and Used as the Basis for Planning
4. Identity Management Is Integration Management
5. Nothing Is As Political As identity
6. A Sound Identity Infrastructure Is a Prerequisite to Effective Identity Management Deployment
7. It

Bugs are an inevitable problem in a sector where companies are driven by shareholders to rush out equipment before it is ready.

From a security perspective, this presents users with a huge problem. Empirical evidence suggests that the average device – whether it is a perimeter network resource such as a firewall or router, or a core device such as a server – has more holes in it than a piece of Gruyere.

One of the rarest but most devastating security vulnerabilities in host computers is the buffer overflow error, said Gary Jones, professional services manager of security consultancy MIS Corporate Defence Solutions.

The problem is that too many companies are not implementing patches in a structured way. “If you are running a corporate database, you cannot just slap on a patch when it is released,” he said. “You need some form of development environment and the patch must be tested first.”

Companies must also react to critical patches. If another aggressive internet worm appears, companies must be aware of it before they read about it in the press and they must be able to implement a patch quickly.

One solution is to have an employee checking newsgroups, supplier sites and bulletins to pick up on patches before the hackers do. Unfortunately, many companies are not in a position to pay this extra salary.

Common sense plays a big part in locking down your network vulnerabilities, but resources are also an important factor.

Virtual patching, where an intrusion dection system dynamically configures against threats, is the way on insuring against unknown vulnerabilities.

More info: [url=http://www.computerweekly.co.uk/articles/article.asp?liArticleID=127212&liArticleTypeID=20&liCategoryID=1&liChannelID=7&liFlavourID=1&sSearch=&nPage=1]http://www.computerweekly.co.uk/articles/article.asp?liArticleID=127212&liArticleTypeID=20&liCategoryID=1&liChannelID=7&liFlavourID=1&sSearch=&nPage=1[/url]

Intellectual property (IP) can be anything from a particular manufacturing process to plans for a product launch, a chemical formula or a list of the countries in which your patents are registered. It may help to think of it as intangible proprietary information.

The formal definition, according to the World Intellectual Property Organization is creations of the mind – inventions, literary and artistic works, symbols, names, images, and designs used in commerce. IP includes but is not limited to proprietary formulas and ideas, inventions (products and processes), industrial designs, and geographic indications of source, as well as literary and artistic works such as novels, films, music, architectural designs and web pages.

Authoritative sources report that each year, intellectual property theft costs U.S. companies about $300 billion.

To protect the secret, a business must prove that it adds value to the company – that it is, in fact, a secret – and that appropriate measures have been taken within the company to safeguard the secret, such as restricting knowledge to a select handful of executives.

In some ways, trade secrets are easy to protect. Stealing them is illegal under the 1996 Economic Espionage Act. Employees usually know that they’re valuable, and nondisclosure agreements may protect your company further.

What’s more complicated is helping employees understand how seemingly innocuous details can be strung together into a bigger picture-, and how a simple company phone list becomes a weapon in the hands of snoops.

Espionage is sometimes sanctioned – or even carried out – by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy. Executives traveling to Pakistan, for example, might need to register under pseudonyms, have their hotel rooms or work spaces swept for bugs, or even have security guards help protect information. Over the years, France, China, Latin America and the former Soviet Union have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy. A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International (and made famous by The Economist).

India is another country of increasing importance to American businesses because of the rapid rise of offshore outsourcing. The prevalence of outsourcing of IT functions introduces some vulnerabilities to companies that may not think of themselves as having a global presence. In legal terms, the most pertinent global standard is the World Trade Organization’s intellectual property add-on, TRIPS (Trade-Related Aspects of Intellectual Property Rights). But TRIPS protections still must be enforced locally, and none of the countries prominent in software outsourcing, including India, have local laws covering theft of trade secrets. Experts say India’s culture is generally more IP-friendly, but the legal status of intellectual property in India is in a state of flux.

Protect important information, such as source code, with passwords and access codes, and make sure that these are not widely available, either in the United States or at the outsourcing location. Look for employee retention figures, find out if competitors do business with the same companies, and if so, ensure that there is no contact between teams.

Regulated industries such as health care and financial services need to keep closer controls over data and software development than, say, packaged goods companies.

Companies that don’t have the resources to take these steps should think twice about what they are putting at risk by offshoring, whether it’s software development or some other function like call centers involving sensitive customer data.

More info: [url=http://www.csoonline.com/fundamentals/abc_ip.html]http://www.csoonline.com/fundamentals/abc_ip.html[/url]