Category: Uncategorized

Some of us stick to a single password that we use everywhere–whether it’s a pet’s name, a memorable date or the make of our monitor.
Some of have thrust upon us by (rightly) paranoid system admins very safe, very convoluted passwords that we promptly write down on a post-it note and stick to our monitors. A few very peculiar souls actually make up their own very safe, very convoluted passwords (over eight characters with non-alpha characters please) that they actually remember them, but I’m not convinced that these people actually exist.

Passwords have an uncommon ability to draw out from the most successful, sensible and intelligent individual, an idle Neanderthal with the memory of a lobotomized goldfish. They make us stupid, but we should all by now have come to expect and accept that.

There are some pretty simple lessons to be learnt here: that you should always e-mail passwords back to account holders, and never display them onscreen; that you should use a fixed list of password prompts and never, under any circumstances, let users make up their own password prompt questions.

More info: [url=http://zdnet.com.com/2100-1107_2-5112223.html]http://zdnet.com.com/2100-1107_2-5112223.html[/url]

Defining accurately what identity management and information security really are for the enterprise and its IT organization – and then correlating those explicit functional definitions – can provide a starting point for initial planning decisions and approaches to both identity management and information security, and ensure efficient use of IT resources.

META Trend: The strategic approach to information security will transform from a monolithic set of controls to an evolving program of principles, behaviors, and solutions (2003-05).

The pervasive nature of information security will result in establishment of strategic programs – 40% of Global 2000 organizations in 2003, rising to 80% by 2006/07.

These will be managed via dedicated program offices and budgets, and led by a chief security officer or equivalent.

Proper planning for identity management in the context of information security can result from defining identity, identity management, and information security from a functional business and an IT organization perspective and from determining the relationships that exist in those definitions.

More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/Identity_Management_Information_Security_Part_1.html?tag=tu.scblog.6673]http://techupdate.zdnet.com/techupdate/stories/main/Identity_Management_Information_Security_Part_1.html?tag=tu.scblog.6673[/url]

The resulting security breakdowns occur because there’s a perception that security is only the responsibility of a company’s information technology security officer.

A company that fails to correct that impression may inadvertently foster a casual attitude among employees, who then naturally view security as outside of their day-to-day purview.

It is surprising how much impact a vigilant attitude can have.

Making security a high priority for each employee begins with a company culture that stresses how much each individual contributes to a company’s overall IT security.

For starters, management should invest in security training and educate the work force about best practices. It’s the simple stuff–such as encouraging employees to reset their own passwords–that can ease the burden placed on IT staffs. Ensurin that they reset pass codes regularly, avoiding the use of birthdays and names as passwords, and being conscientious about logging out when working from a remote or public location, als help.

Individual users also need to get the message that opening e-mail attachments from unknown sources or using one’s own name as a network password are also security risks.

Companies also need to articulate a thorough security policy. Security measures that protect against unauthorized network access are obviously necessary, but that only tells part of the story.

As security budgets grow and threats continue to mount, companies should begin to educate employees and instill cultures that encourage individuals to take responsibility for IT security.

More info: [url=http://rss.com.com/2010-7355_3-5110588.html?part=rss&tag=feed&subj=news]http://rss.com.com/2010-7355_3-5110588.html?part=rss&tag=feed&subj=news[/url]

It also contradicts the way security is usually addressed. While there is much to recommend with regards to automating portions of the patch process, there are also compelling reasons to support manual intervention as a component of the work flow.

Too many have been burned by server farms going dark with a collective “blue screen of death” after applying a buggy service pack and are, quite reasonably, skittish about automatically slapping the latest patches on their production servers. Many release vulnerability warnings concurrently with the patch fixes, escalating the urgency of the patch cycle.
The result is that the industry is between a rock and a hard place on the patch issue.

Case in point: Six months before SQL Slammer hit companies such as Bank of America and Washington Mutual and brought portions of their automatic teller machine networks to their knees, Microsoft had released a vulnerability warning and a patch.

First and foremost, it means taking preventative measures that surround and support the patch management efforts. For patch management, services and tools that fit into the overall system and network management solution–not just that stay siloed in security–work more effectively.

Part of the reason the industry is in reactive mode so much of the time is that security is not seen as critical to the overall business profitability. Part of being proactive is knowing when something doesn’t need to get done and when a patch requires immediate attention. Sometimes reacting after the fact is essential, none of us are soothsayers, and even the most well protected and patched systems may ultimately be attacked.

So be ready with a plan for when that happens; the ability to recover from a critical failure is a part of the overall security posture. The truth is that patching and protecting proactively will reduce vulnerability, but being prepared for the inevitable reactive patching and recovery is essential as well.

More info: [url=http://news.com.com/2010-7355-5107678.html?tag=nefd_gutspro]http://news.com.com/2010-7355-5107678.html?tag=nefd_gutspro[/url]

To secure the appropriate space, you’ll need to work closely with the people who are responsible for facilities management in your organization. As long as the locations are well outside the line-of-sight horizon, you can shore up these facilities with extra power and air conditioning, allowing them to find new life as backup data centers.

Or look for new facilities that your company has acquired as a result of mergers or takeovers to house the data centers for DR operations. In many cases, you can find floor space already configured to run data operations, since the acquired company most likely has data centers for its operations that won’t be necessary after the merger is complete.

You can also obtain dedicated space in a colocation facility, along with space to house vital employees during an emergency. The downside is that your company may share this reserve space with multiple companies, operating under the idea that only one of the companies will fail over at any give time.

If the first two options aren’t viable, consider working with another company to share data center space so that both organizations have a location for failover.

No matter how you secure space to house your DR failover, it’s a necessary step in your business continuity planning process.

More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/Address_proper_facilities_in_your_disaster_recovery_plan.html?tag=tu.scblog.6673]http://techupdate.zdnet.com/techupdate/stories/main/Address_proper_facilities_in_your_disaster_recovery_plan.html?tag=tu.scblog.6673[/url]

Others that are not obligated to have them may question whether they need a formal CIRT. Those companies believe there is in-house expertise to sort out incidents, but they should ask themselves whether there is a system to alert the necessary people when an incident occurs.

The first job for a CIRT is to assess the scope of damage and figure out how to lessen it, not necessarily gather evidence. The optimal CIRT would consist of core members from IT auditing, information security and corporate security, in additional to the legal department. Each group brings a different skill set to the team. “If someone questions the CIRT team’s response, then the auditor will make sure the report is auditable,” Poulios said. As such, they should probably handle the evidence gathering so the chain of custody is preserved.

More info: [url=http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci935950,00.html]http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci935950,00.html[/url]