Sunday, May 31, 2009

Ethical Hacking

A practitioner of ethical hacking writes a great overview of the ethical hacking process and how companies can get the most out of it. The article appears in the May issue of the Information Systems Security Association Journal.

Monday, May 25, 2009

White House Disk Lost

A portable hard drive containing private information of members of the Clinton White House has been reported lost. Ironically, the drive was being used to re-copy the information to safeguard it against loss.

It is yet another example of the use of removable media to store sensitive data. And it would appear that the data was not encrypted.

The case illustrates once again the risks associated with the use of portable media to store data. Where such use is necessary, appropriate precautions should be taken, principally encryption.

There is an article on the data loss at eSecurity Planet and a Q&A at the National Archives site.

Saturday, May 23, 2009

Web 2.0 - The Security Challenges
by Gerald Trites

Web 2.0 applications, like Facebook, Twitter, blogs, wikis and the like have been infiltrating corporate systems, much to the dismay of the security administrators. Conflict between content availability and security is an old issue, but Web 2.0 has brought a whole new meaning to the difficulties being faced by the administrators.

One of the issues is that Facebook originated as a medium of personal interaction. It was never intended for, nor initially used as, a means of business interaction. So one of the trends happening is that there is a growing mixture of personal and business life in the use of social media at work. This of course also concerns the employers.

But it's a trend that one can find in many areas of modern life and points to a deeper issue. The lines between personal and business life are becoming increasingly blurred. People work at home and at the office. They text personal messages during the day and it doesn't matter whether they are supposed to be working or not. There are new management issues here for employers, and new management techniques are required.

From a security point of view, administrators are facing a losing battle in many respects. They cannot stop the incursion of social media into the office. Nor can they really control the content. They could, perhaps, but the cost would be very high, both financially and in terms of employee morale and pushback. The development of specific business oriented applications could help, but would not necessarily gain acceptance. It's a scenario that is yet to play out to a conclusion.

Thursday, May 21, 2009

Browser Insecurity

Common sense tells most of us not to perform tasks like online banking over a wireless network while travelling. A research team at Microsoft has uncovered a set of unexpected reasons to support this caution. They determined that most browsers have flaws in their communications protocols when connected through a proxy, as happens when a wireless network is being used. Their conclusion is that significant improvements are needed in browser connections. This finding has serious implications for system security and for corporate security policy, especially for travelling road warriors.
The research is reported at this website.

Thursday, May 7, 2009

Cloud Computing and Moving Data
by Gerald Trites

There continues to be progress in the Cloud Computing arena, with a new application recently out, called Cloudkick, which enables the movement of data between Cloud applications run by different vendors, such as Amazon and Google. This will address one of the big concerns that many companies have, namely having their data tied up with one company. This means there can be a stronger element of competition in the Cloud, which is presently dominated by Amazon, Google and Microsoft.

The other side of the coin, however, is that the easy movement of data may complicate the control issues that have dominated IT management with regard to the movement of data across organizations, between applications and between companies. Also, data has moved onto different platforms, notably small mobile devices, making it very difficult to avoid occasional data loss and the resultant privacy concerns. This movement of data has also given rise to the issues of data level security and data level assurance.

It's nice to be able to move data around, for sure, but IT security administrators have to be cognizant of the risks involved, and address them appropriately.

Friday, May 1, 2009

Accenture has published a white paper to outline how the financial industry should respond to the financial crisis, based on possible outcomes of the London G20 Summit held in April, 2009. Among their suggestions, and a theme that runs through the report, is an emphasis on risk management designed to protect revenues. This in itself is not remarkable, but they go further and emphasize that risk management must be treated as an integral part of organizational management, and not as just a compliance function. This would entail organizational and cultural changes in the banks, but changes that would give risk management a greater role in ongoing strategic and managerial decisions. It's a good, sound paper that also provides a number of examples of sound risk management by banks in other (non-US) countries, including Canada, whose financial system has weathered the crisis more successfully. The white paper is downloadable from the Accenture site.