Category: Uncategorized

It may be time to protect your data where it lives–in your database.

But you can’t encrypt everything in your database. Indexed fields, for example, can’t be encrypted because your database-management software will sort the encrypted strings in hexadecimal values, which won’t match the real, unencrypted form. So your index, which is supposed to speed access to the data by preordering it, won’t work. Even if you could relate the encrypted index field to the original data, the collation order wouldn’t match.

Until databases support encryption natively, encrypted indices will be a problem. Remember that any indices generated from encrypted fields won’t be valid, either. And because these fields don’t relate to the actual data, it’ll be harder for the database administrator and developer to debug problems.

Database software, such as Sybase’s, lets you create encrypted databases.

Ingrian Networks’ DataSecure Platform, which lets you encrypt certain fields before you enter them in the database and automatically decrypts them on the way out, has been around for a couple of years.

Bottom line: When building your disk capacity for database encryption, anticipate that your data will triple or quadruple in size.

More info: [url=http://www.securitypipeline.com/story/showArticle.jhtml?articleID=16600160]http://www.securitypipeline.com/story/showArticle.jhtml?articleID=16600160[/url]

The recent spate of viruses has exposed the dangers of providing network rights to laptops that operate both on and off the network.

– Security organizations must employ both technology and policy to protect network resources.

– User management aggregation (identity management, provisioning) will mature rapidly (2004).

– Security event management consoles (collecting intrusion detection system, firewall, and host events) will remain out of the mainstream until 2005.

– Security configuration consoles (central distribution points for firewall, personal firewall, and eventually server configurations/policies) are the least mature, with viable integrated products appearing in 2006/07.

Numerous META Group clients are reporting virus infections that traverse well-designed perimeter defenses in the briefcases of consultants and other roaming users.

Corporate laptop users should be protected with standard antivirus (AV) software, personal firewalls, and regular security patch management. But what about end users not under the IT management umbrella?

Most organizations have a small army of consultants, outsourcers, business partners, customers, and other visitors that require network access in some form.

Even organizations with a federated corporate or security structure must validate security compliance (e.g., patch levels, AV update level, security software installed, security process such as AV and firewalls running) on affiliate PCs before granting network rights.

Best-practice security organizations are employing both written policy and technical means to ensure their network is safe from these roaming “Typhoid Marys.”

Before any technical solutions are deployed, IT organizations (ITOs) must first establish a clear policy and ensure that security compliance and acceptable usage education are embedded in the process.

Computing facilities provided for non-contracted visitors should include instructions on how to use, help desk contact info, and brief security/acceptable-usage guidelines. For contract visitors, security policy compliance should be a contractual obligation with clear penalties for non-compliance. Shifting liability to the outsourcers/contractors creates an incentive for their ITO to prevent problems. However, embedding security compliance in business contracts will require consultation with the business and legal departments and may not be possible to append existing contracts.

The ITO must perform random audits to ensure compliance before a security incident, particularly if no automated compliance technology is deployed.

The first step organizations should take is to identify and classify all non-corporate-managed users based on the trust level of network resources they require and the duration of that access.

Creating a “guest network” that is isolated from the corporate network. If the type and number of internal applications needed by guests are predictable, ITOs can route users outside the organization on the guest network and back into a secure portal (i.e., Citrix, Sybase) that includes host integrity/policy checking prior to providing access. On-site outsourcers/contractors are the easiest to manage.

Another best practice is to reformat the hard drive and install a new image on loaner PC before re-issue it to ensure it is secure, user levels are appropriate, and no residual confidential information is present.

ITOs can use logon scripts to check for security agents and dynamically install it – with approval from the end user – if necessary. These tools typically can report only on compliance and cannot deny network access for non-compliance unless combined with logon scripts.

More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/Defending_Against_Insider_Infections.html?tag=tu.scblog.6673]http://techupdate.zdnet.com/techupdate/stories/main/Defending_Against_Insider_Infections.html?tag=tu.scblog.6673[/url]

Some of us stick to a single password that we use everywhere–whether it’s a pet’s name, a memorable date or the make of our monitor.
Some of have thrust upon us by (rightly) paranoid system admins very safe, very convoluted passwords that we promptly write down on a post-it note and stick to our monitors. A few very peculiar souls actually make up their own very safe, very convoluted passwords (over eight characters with non-alpha characters please) that they actually remember them, but I’m not convinced that these people actually exist.

Passwords have an uncommon ability to draw out from the most successful, sensible and intelligent individual, an idle Neanderthal with the memory of a lobotomized goldfish. They make us stupid, but we should all by now have come to expect and accept that.

There are some pretty simple lessons to be learnt here: that you should always e-mail passwords back to account holders, and never display them onscreen; that you should use a fixed list of password prompts and never, under any circumstances, let users make up their own password prompt questions.

More info: [url=http://zdnet.com.com/2100-1107_2-5112223.html]http://zdnet.com.com/2100-1107_2-5112223.html[/url]

Defining accurately what identity management and information security really are for the enterprise and its IT organization – and then correlating those explicit functional definitions – can provide a starting point for initial planning decisions and approaches to both identity management and information security, and ensure efficient use of IT resources.

META Trend: The strategic approach to information security will transform from a monolithic set of controls to an evolving program of principles, behaviors, and solutions (2003-05).

The pervasive nature of information security will result in establishment of strategic programs – 40% of Global 2000 organizations in 2003, rising to 80% by 2006/07.

These will be managed via dedicated program offices and budgets, and led by a chief security officer or equivalent.

Proper planning for identity management in the context of information security can result from defining identity, identity management, and information security from a functional business and an IT organization perspective and from determining the relationships that exist in those definitions.

More info: [url=http://techupdate.zdnet.com/techupdate/stories/main/Identity_Management_Information_Security_Part_1.html?tag=tu.scblog.6673]http://techupdate.zdnet.com/techupdate/stories/main/Identity_Management_Information_Security_Part_1.html?tag=tu.scblog.6673[/url]

The resulting security breakdowns occur because there’s a perception that security is only the responsibility of a company’s information technology security officer.

A company that fails to correct that impression may inadvertently foster a casual attitude among employees, who then naturally view security as outside of their day-to-day purview.

It is surprising how much impact a vigilant attitude can have.

Making security a high priority for each employee begins with a company culture that stresses how much each individual contributes to a company’s overall IT security.

For starters, management should invest in security training and educate the work force about best practices. It’s the simple stuff–such as encouraging employees to reset their own passwords–that can ease the burden placed on IT staffs. Ensurin that they reset pass codes regularly, avoiding the use of birthdays and names as passwords, and being conscientious about logging out when working from a remote or public location, als help.

Individual users also need to get the message that opening e-mail attachments from unknown sources or using one’s own name as a network password are also security risks.

Companies also need to articulate a thorough security policy. Security measures that protect against unauthorized network access are obviously necessary, but that only tells part of the story.

As security budgets grow and threats continue to mount, companies should begin to educate employees and instill cultures that encourage individuals to take responsibility for IT security.

More info: [url=http://rss.com.com/2010-7355_3-5110588.html?part=rss&tag=feed&subj=news]http://rss.com.com/2010-7355_3-5110588.html?part=rss&tag=feed&subj=news[/url]

It also contradicts the way security is usually addressed. While there is much to recommend with regards to automating portions of the patch process, there are also compelling reasons to support manual intervention as a component of the work flow.

Too many have been burned by server farms going dark with a collective “blue screen of death” after applying a buggy service pack and are, quite reasonably, skittish about automatically slapping the latest patches on their production servers. Many release vulnerability warnings concurrently with the patch fixes, escalating the urgency of the patch cycle.
The result is that the industry is between a rock and a hard place on the patch issue.

Case in point: Six months before SQL Slammer hit companies such as Bank of America and Washington Mutual and brought portions of their automatic teller machine networks to their knees, Microsoft had released a vulnerability warning and a patch.

First and foremost, it means taking preventative measures that surround and support the patch management efforts. For patch management, services and tools that fit into the overall system and network management solution–not just that stay siloed in security–work more effectively.

Part of the reason the industry is in reactive mode so much of the time is that security is not seen as critical to the overall business profitability. Part of being proactive is knowing when something doesn’t need to get done and when a patch requires immediate attention. Sometimes reacting after the fact is essential, none of us are soothsayers, and even the most well protected and patched systems may ultimately be attacked.

So be ready with a plan for when that happens; the ability to recover from a critical failure is a part of the overall security posture. The truth is that patching and protecting proactively will reduce vulnerability, but being prepared for the inevitable reactive patching and recovery is essential as well.

More info: [url=http://news.com.com/2010-7355-5107678.html?tag=nefd_gutspro]http://news.com.com/2010-7355-5107678.html?tag=nefd_gutspro[/url]