Monday, June 27, 2011

Wiping Out the Data

In her recent report, Canada's Privacy Commissioner noted that Staples, the large business-supplies retailer, took in numerous computers on trade and then failed to wipe the data before re-selling them. It also meant that the people turning them in had not wiped the data themselves. She stated that of 149 computers involved, 54 still had previous owners' data on them.

The report points to people's responsibility for their own data. Some of these previous users would, of course, have been running small businesses, and some of the machines would have held sensitive data.

The first responsibility for the data rests with the owners. The people who traded their computers should have wiped out the data right away. In my opinion, they should have re-formatted their hard drives, which is the only way to make sure the data is removed and beyond the reach of recovery tools. As we all know, deleting files simply doesn't do the job, as recovery is usually easy to accomplish.
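The check a practitioner would want after any wipe, whatever method is used, is to confirm that nothing from the previous owner can still be read back from the medium. The following is an added example, not code from the post, and it works on a constructed file-backed disk image rather than a real drive: it plants a few labelled remnants (a customer record and a file name, both made up), scans for them the way a recovery tool effectively does, overwrites every block with zeros, and then scans and verifies again. The marker strings and image size are assumptions for the demonstration. On a physical disk the same logic would be pointed at the block device; on flash media an overwrite cannot reach cells the controller has remapped, so the drive's own secure-erase command is the right tool and this scan is still the confirmation step.

```python
import os
import tempfile

BLOCK_SIZE = 4096

# Constructed sample: a fragment of what a traded-in machine's disk might still hold.
SAMPLE_DATA = (
    b"customers.csv\n"
    b"Jane Doe,jane@example.com,4111 1111 1111 1111\n"
    b"payroll_2010.xlsx\n"
)
# Constructed markers we expect NOT to find after a successful wipe.
MARKERS = [b"jane@example.com", b"payroll_2010"]


def write_sample_image(path: str, size: int = 256 * 1024) -> None:
    """Build a file-backed disk image: the sample data followed by random filler,
    so the image looks like a partition rather than a short text file."""
    with open(path, "wb") as f:
        f.write(SAMPLE_DATA)
        f.write(os.urandom(size - len(SAMPLE_DATA)))


def find_remnants(path: str, markers) -> list:
    """Scan the whole image for each marker; return (marker, offset) for every hit.
    This is the kind of check a recovery tool effectively performs."""
    with open(path, "rb") as f:
        data = f.read()
    hits = []
    for marker in markers:
        pos = data.find(marker)
        while pos != -1:
            hits.append((marker, pos))
            pos = data.find(marker, pos + 1)
    return hits


def overwrite_image(path: str, passes: int = 1) -> int:
    """Overwrite every block of the image with zeros, fsync-ing each pass so the
    data actually reaches the medium. Returns the number of bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(BLOCK_SIZE, remaining)
                f.write(b"\x00" * chunk)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_zeroed(path: str) -> bool:
    """Read the image back block by block and confirm every byte is zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK_SIZE)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo() -> dict:
    """Run the before/after check on a temporary image and return the findings."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        write_sample_image(path)
        before = find_remnants(path, MARKERS)
        overwrite_image(path)
        after = find_remnants(path, MARKERS)
        return {
            "remnants_before": len(before),
            "remnants_after": len(after),
            "zeroed": verify_zeroed(path),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports two remnants found before the overwrite and none after, with the verification pass confirming the image reads back as all zeros. The scan-after-wipe step is the part worth keeping in a disposal procedure: it turns "we ran the wiping tool" into evidence that the tool did its job.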

Then Staples had a responsibility to make sure the computers it sells do not contain any data from the previous owner. In its response, the company said it is evaluating data-wiping software to determine which will do the job most completely.

Business owners need to have policies for situations like this, even if only to serve as a reminder of what to do when old computers, or indeed any equipment containing processors, such as fax machines and printers, are traded or sold.

A single loss of data can be catastrophic to a company. All businesses need to have strict policies around the disposal of such equipment. They shouldn't be looking to Staples to protect their data. They should be doing it themselves.

Wednesday, June 22, 2011

CISCO's ARMS Going Down

A group of researchers at Cisco started maintaining an index a few years ago to measure the state of security in the world's computer systems. It's called the Adversary Market Resource Share (ARMS). With all the data breaches and losses in the past year, one might assume that the index is rising to new levels. However, they predict that this year it will be dropping below the previous year's level of 6.8 to perhaps 6.6.

The reason is that although the number of attacks has grown, the number of botnets successfully taken down has also grown, so attacks are lower than they might otherwise have been and relatively fewer of them succeed.

Good to hear that there is some progress being made.

Monday, June 20, 2011

Data Loss Points to Need for Encryption

Yet another data loss has pointed to the need for encryption on laptops. Twenty computers went missing at London Health Services in the UK. One of them, not recovered, contained the health records of as many as 8 million people. It was not encrypted.

An article on the subject pointed out that less than half of all UK companies encrypt the data on their laptops. Some observers are raising the idea of sanctions for this oversight. It's a good idea. There is little excuse for not encrypting the data on laptops, particularly when they contain sensitive data.

Friday, June 17, 2011

Telecommuting Needs Security Precautions

Telecommuting has become a way of life for most enterprises. It's good for morale, productivity and costs. Employees are often encouraged to work at home, on the road, in planes, in hotels and anywhere else they can connect to the internet.

The perils are well documented and quite well known: loss of mobile devices through theft or carelessness, and hacking of the devices at low-security locations such as coffee shops or hotels.

Enterprises have been trying to deal with these threats. Many have required encryption of the devices, or at least encrypted data. Some have set up Virtual Private Networks to strengthen access to their networks. These and other precautions are worth considering for most enterprises.

One of the issues with telecommuting these days is the use by employees of their own devices, such as laptops, notebooks, tablets and smart phones. All of these have security issues, and all need to be addressed by the enterprise. One precaution is to ensure that only authorized devices can access the networks. This can be done by device fingerprinting, using key data such as the device serial number and IP address to identify the devices that have been authorized to gain access and thus screen out hackers. Given the considerable extent of telecommuting that takes place now, these and other steps are often critical to an enterprise in devising its security policy. For more on this, check out this article.

Thursday, June 16, 2011

The Value of Pen Testing

Recent attacks on Citibank and the IMF have attracted a good deal of attention, both by the press and by security experts. Quite different views of those attacks are emerging.

In the press, the attacks are often characterized as advanced and sophisticated. They are said to be difficult to protect against, hazards of the modern age of web-based cloud computing.

On the other hand, some experts see the attacks as just more of the same old thing, in this case exploiting a very common vulnerability known as insecure direct object references. These are situations where references to internal objects, such as database keys or file names, are inadvertently exposed in URLs or parameters with no check that the requester is entitled to the object. Hackers can modify the reference and thereby gain access to otherwise secure resources. See, for example, this article.
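To make the vulnerability concrete, here is an added example (not code from the post or from any of the affected sites) showing a direct object reference handler beside its hardened form. The invoice records, user names and the `/invoice?id=` URL shape are constructed for the demonstration. The vulnerable handler trusts the id from the request; the hardened one checks ownership and answers "missing" and "not yours" identically so the endpoint cannot be used to enumerate ids; the last two functions go a step further and hand the client opaque per-session tokens instead of raw keys, which is the indirect-reference pattern usually recommended for this class of bug.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: float


# Constructed sample records standing in for the application's database.
INVOICES = {
    1001: Invoice(1001, "alice", 250.00),
    1002: Invoice(1002, "bob", 99.50),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    """Insecure direct object reference: the id taken from the URL
    (e.g. /invoice?id=1001) is looked up with no check that it belongs
    to current_user. Any logged-in user can change the number and read
    someone else's invoice."""
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user: str, invoice_id: int) -> Invoice:
    """Same lookup with an ownership check. A missing invoice and an
    invoice owned by someone else get the same response, so the endpoint
    cannot be used to tell which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != current_user:
        raise Forbidden("no such invoice")
    return invoice


def build_reference_map(current_user: str) -> dict:
    """Indirect references: hand the client per-session opaque tokens
    for the objects it may access, never the raw database keys."""
    return {
        secrets.token_urlsafe(12): inv.invoice_id
        for inv in INVOICES.values()
        if inv.owner == current_user
    }


def get_invoice_by_token(current_user: str, ref_map: dict, token: str) -> Invoice:
    """Resolve a client-supplied token through the session's map, then
    re-check ownership so the map is not the only line of defence."""
    invoice_id = ref_map.get(token)
    if invoice_id is None:
        raise Forbidden("no such invoice")
    return get_invoice_hardened(current_user, invoice_id)


def is_blocked(current_user: str, invoice_id: int) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        get_invoice_hardened(current_user, invoice_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # bob edits the id in his own URL from 1002 to 1001
    print("vulnerable handler returns:", get_invoice_vulnerable("bob", 1001))
    print("hardened handler blocks it:", is_blocked("bob", 1001))
```

The point a tester looks for is the gap between the two handlers: a request that succeeds against `get_invoice_vulnerable` with someone else's id and is refused by `get_invoice_hardened`. Logging those refusals (a user repeatedly hitting `Forbidden` on ids that are not theirs) is also a cheap detection signal for id-guessing.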

The best way to achieve some protection against insecure direct object references is penetration testing. This involves engaging professional hackers to try to break into a system, thereby identifying such points of vulnerability.

Once again, the risk of so-called sophisticated attacks can be mitigated by using well established and time-tested techniques such as pen-testing.

Saturday, June 11, 2011

Updating A Security Program

Companies that have a security policy (don't all of them?) need to update it regularly. This has long been a basic precept of good security. But even now it is not always done, and current conditions point more than ever to the need for it.

Ernst & Young has released a document called "Information Security in a Borderless World" in which it points out, based on a survey, that many companies feel their security risk has increased. The reasons relate to the increasing incidence of global attacks, the increase in cloud computing and the use of mobile devices. On the latter, the study points out that banning mobile devices will actually increase security, contrary to the instincts of some companies.

Because of the current high risk environment, a corporate risk profile needs to be constantly revised. The study addresses three key questions to ask:

  • What is your organization's risk culture?
  • Are you detecting and monitoring threats inside and outside the organization?
  • Have you anticipated new technology risks, such as mobile devices, social media and cloud computing?

You can download a free copy of the study from the E&Y website.

Thursday, June 9, 2011

Passwords and Reality

The recent rash of hacker attacks on Sony websites prompted at least one researcher to conduct a study of how users choose passwords. What he found was unremarkable: people are using passwords that are easy to crack. They are re-using passwords on different sites, and they are not using non-alphanumeric characters.

This is understandable. By now it is well known that strong passwords should not be common words, should be at least 8 characters in length and should include non-alphanumeric characters. The problem is that people want passwords they can remember, and they can't remember passwords that are difficult to crack. This is the basic conundrum of password administration. It's why passwords will never work as a security device.

Traditionally, the response of administrators and auditors has been to promote the use of stronger passwords, complete with frequent password changes, which makes it even more difficult to remember them. It just doesn't work.

The answer is to abandon the password system and adopt a biometric system. With biometrics, users don't have to remember anything. And their mode of entry is extremely difficult to duplicate and hack. There already are biometric solutions available, such as fingerprint readers, and more recently face recognition has been introduced. The ongoing rash of hacking attacks that depend on old-fashioned passwords will continue until passwords are abandoned.

Monday, June 6, 2011

Control of Personal Email Systems

Recent phishing attacks from China through Gmail have been reported to have targeted high-level government officials. This raises the question of why high-ranking government officials are using Gmail. Presumably they have access to secure private email systems run by the government. Gmail is not necessarily a weak system security-wise; however, it is public and high profile and more easily accessible than other private systems. Also, it is in the cloud.

One would think that high level government officials would be using the most secure email system possible, and Gmail does not fit this profile.

There are some possible explanations, according to a recent article in Computerworld. For example, it is noted that most users have two accounts, one for business and one for personal use. Often Gmail is the system of choice for the personal account. That in itself may not be a problem, but it does raise the question of whether it is possible to fully separate personal from business email. A user might, for example, forward business emails to a personal account to facilitate off-site access, or might answer a business message from a personal account.

This common situation raises security issues for any enterprise. Should personal email accounts be banned? Probably not enforceable. Should their use be controlled? That can be done. And the Chinese phishing expedition has raised the issue to a higher level.

Friday, June 3, 2011

Stronger E-Mail Security

The threats to security through email are growing daily. Now almost 20% of emails contain a link to malicious code. And then there are all the privacy concerns that go with the territory.

Email is one of the most critical elements of any information system. It forms the core of the communications structure within most organizations. So tight security over email is a necessity.

The webinar linked to this post provides an update on the modern threat scene and offers some positive ideas for stronger security measures. The webinar is offered by Lee Rothman, Manager of the Security Systems Engineering Group at Symantec Hosted Services: Bullet-Proof Email: Mission Possible.

Wednesday, June 1, 2011

Relevant Factors in Security Risk Analysis

An independent consultancy, The Enterprise Strategy Group, recently asked 308 security professionals in large organizations what factors motivated their security risk analyses. Predictably, the most critical factor was regulatory compliance. However, the frequency of security threats and general security best practices were also among the most critical items, not to mention coverage of security breaches in the press. For a summary of the survey, visit this link.