Friday, November 27, 2009

Those Old Hard Drives

A great deal of effort has been spent by companies in recent years to stem the leakage of data from their systems, or the risk of it. Much of the risk has come from the variety of hardware now connected in one way or another to the corporate systems. This includes a plethora of laptops, and the stories of lost laptops containing sensitive data are legion. There is another aspect to laptops that does not get quite as much attention: they are retired from corporate use with increasing frequency, largely because of the decline in pricing and the increase in power of the newer units.

When laptops are retired, they are sometimes simply sold or given away to employees or even to outsiders. When this happens, a responsible IT department will take proper steps to make sure that sensitive data is removed before the old computer is retired. Here is where the problem can arise.

Simply erasing files will not get rid of them. Pretty well every IT person and many, if not most, non-IT people know this. Even reformatting the drives will not necessarily get rid of the data. The safest way to obliterate data is by having the drive degaussed. This is an old technique going back to mainframe days, which involves making use of a special magnet to erase the drive by changing the electronic fields that hold the data. It is time-tested and the most effective way to make sure that computers do not retain any data. It is a necessary component of the process that should be followed in retiring computers from corporate service. For some more information, check out this article.

Tuesday, November 24, 2009

iPhone Security

The popularity of any technology helps to determine its susceptibility to hackers, viruses and other intrusions. A platform that is widely used simply makes it worthwhile to take the time to construct the means of intrusion. The iPhone is no exception, although in this case the story begins with illegally altering the smartphone's structure to free it from the Apple storefront.

Many cell phones and smartphones are in some ways tied into proprietary systems, and there are many users who take steps to "unlock" them or, in the case of iPhones, "jailbreak" them. These are somewhat different concepts, but nevertheless similar in their alteration of the basic configuration of the units. The problem that the procedures open up for the users is that the units are then exposed to risks that they were never designed for. In the case of the iPhone, this risk has shown itself in the spread of a new worm, called "Duh", that focuses on stealing online banking data. The cost could be tremendous, both for the immediate user and for other systems that the particular smartphone might be tied into. Read more in this article.

Wednesday, November 18, 2009

Using ERM to Manage Emerging Risks

PricewaterhouseCoopers released, earlier in the year, an interesting booklet on emerging risks for enterprises and how traditional Enterprise Risk Management (ERM) techniques can be used to manage them. This differs considerably from the management of traditional risks. For example, a particularly difficult but important element of dealing with emerging risks is identifying the risks. For this, the study looks first to the global risks developed by the World Economic Forum. Enterprises need to consider how these megatrends might present risks for their enterprise. For example, one of the risks of the WEF is coastal flooding brought about by climate change. If an enterprise owns coastal properties, ERM techniques would suggest that the risk of their being flooded be monitored and measured such that if the risk begins to exceed enterprise risk tolerances, then action needs to be taken. In this way ERM techniques bring a measure of discipline and rigor to the process. The PWC study is worthwhile reading for any ERM practitioners. It is downloadable free from the PWC website.

Monday, November 16, 2009

DNS Security

Since the world wide web began to be used, the issue of domain name fraud has been a concern. This type of fraud lures users into sites that steal their information by emulating a site that they would normally use and that they trust. For example, they might go to a site thinking they are at their bank site, but in reality are at a site that is stealing their password and bank access numbers.

Implementation of a security system that addresses this type of activity had been feasible for some time. However, it requires changes in the server systems, and therefore has met with some resistance. Now, however, Verisign is coming out with a system based on adding encrypted data to a site that validates it as a real site. It's about time, some would say. Read more in this article.

Wednesday, November 11, 2009

SOA Security Using VPNs

Service Oriented Architecture (SOA) has been around for a few years now and has presented security challenges to users. Usually based on Web Services, SOA comes in a variety of configurations and platforms. And yet, critical applications are sometimes run using SOA.

One useful approach to securing SOA is to make use of simple VPNs. VPNs can be used to route service requests and thereby provide authentication and encryption techniques to protect the transmissions. They can be an important element of SOA security. For more on this approach, see this article on the CIO site.

Monday, November 9, 2009

Computer and Communications Security Conference

The 16th annual conference on Computer and Communications Security is being held this week (Nov 9 - 13) in Chicago. The conference program features sessions and workshops on most of the current major issues in computer security. They include Cloud Security, RFID, Digital Rights Management, Privacy, mobile devices, and many other topics.

This first day, Microsoft announced a new security tool, called Ripley, which is designed to enhance control over development projects by cloning the application to enable monitoring of activity on servers during the development process. This approach seeks to address the issues around possible poor controls at the server level, which is becoming more common with collaborative and cloud projects.

Friday, November 6, 2009

eMail Security

Control over eMail is a huge and growing concern that many organizations need to deal with. Training, acceptable use policies, strategies for record keeping and retention, security and training are just some of the thorny problems that need to be faced down. Computerworld has released a white paper that addresses these concerns and is worth a read. The paper can be downloaded free from this page (after completing a short form).

Tuesday, November 3, 2009

Cloud Computing & Security

ISACA has released a new white paper on cloud computing with a security perspective. There has been a great deal of material written on cloud computing, but a publication by ISACA is noteworthy because of its knowledge bases and its expertise in the security and controls area. The paper sets out concisely and clearly the characteristics of cloud computing and the related security concerns, pointing out that these concerns are not new nor peculiar to the cloud. To download the paper, go to this link.

Sunday, November 1, 2009

A New Honeypot Project for Better Internet Security

Honeypots have been used for a long time to help to deter hacker attacks. They are designed to attract hackers or divert them from their real objective and document their characteristics and actions.


A student named Rist built the honeypot, called Glastopf, through the Google Summer of Code (GSoC) 2009 program, where student developers write code for open-source projects.

"Unlike other Web honeypots that use templates posing as real Web apps, Glastopf basically adapts to the attack and can automatically detect and allow an unknown attack. Glastopf uses a combination of known signatures of vulnerabilities and also records the keywords an attacker uses when visiting the honeypot to ensure it gets indexed in search engines, which attackers often use to find new targets. The project uses a central database to gather the Web attack data from the Glastopf honeypot sensors installed by participants who want to share their data with the database."

For more on this interesting project, see this writeup.