Thursday, August 27, 2009

Moveable Data and Encryption
by Gerald Trites, FCA

There has been a great deal of emphasis in recent years on the idea that data moves around systems. At one time, many years ago, data was fixed in one place, usually on disks in a glass house, but since the advent of networks in the 1980s, this has changed substantially. More recently, change has taken place again, with the growth of portable handheld units, like the BlackBerry and smart phones. These new portable devices are extremely powerful and can handle a lot of data. Also, there has been a trend to wireless networks, so data is literally flying through the air.

When data is on the move, the security issues become much more difficult to manage. In other words, it becomes much more difficult to prevent hackers from grabbing the data, literally from out of the air. Also, even common laptops have presented a risk of data loss, since they are so portable and can easily be forgotten or stolen. Stories abound in the press of these kinds of data loss events.

All this means that encryption has become a central method of protecting data. Companies that do not have an encryption policy that focuses on moving data are putting themselves at risk. Not only is the risk one of losing sensitive information to competitors, but there is a risk of losing information about their customers or employees that is private and puts the company at risk of legal action.

So encryption is a necessity. But simple encryption is not enough. Much research goes into finding methods to break encryption codes. People have been challenged by the activity of breaking codes since the earliest times in history. Many argue that the code breakers at Bletchley Park during the Second World War essentially made victory possible because of their success in breaking German codes. By inference, it then follows that the Germans lost the war because of inadequate data security. Much is at stake with good data security.

The Wi-Fi Protected Access (WPA) encryption that is used for wireless networks is a good example of encryption that does not do the job. It has been broken several times, most recently by a group of Japanese academics. That means that the WPA system is not adequate for high security. Companies need to use at least WPA2 in order to be secure.

Encryption policy is a must in a modern company. The policy must not only cover the data on the move, it must deal with the question of the adequacy of the encryption methods available and what level of security is needed in the company.

Monday, August 24, 2009

Securing Embedded Computing Devices

In a video, Kevin Fu, a software engineer and assistant professor of computer science at the University of Massachusetts, Amherst, explains some issues around securing embedded systems, such as RFID tags, from would-be hackers. The video is on the Technology Review site.

Friday, August 21, 2009

Free Gartner Research

Gartner research is generally expensive, but they do publish some free research on their website. Research under various categories is there, and the one most relevant to this blog is probably Security and Risk Management. The webpage on this topic contains papers dealing with "Key Issues for Risk and Security Roles, 2009", which covers the role of the CISO and other related roles. "In 2009, program creation, maturity and maintenance will be critical concerns for stakeholders".

There is also a paper on "Security in 2013 and Beyond", in which they categorize future security as a "Perpetual Arms Race" between the enterprise and hackers. "Enterprise security planners should expect attackers to continue to undermine their defenses for the foreseeable future, forcing them to continually change their responses."

The page also includes a paper on "Critical Capabilities for Security Information and Event Management Technology". Finally there is a podcast on "Security Information & Event Management Use Cases".

Gartner Research is good stuff, and the website is well worth monitoring.

Wednesday, August 19, 2009

World's Largest Identity Theft Case

US Courts have charged three men with perpetrating the largest ID theft case in history, one which potentially affected some 130 million people. The men broke into the systems of Heartland Payment Systems and planted programs that captured the credit card data of customers as it was being entered. The information therefore related to active accounts. The security breach has not yet been explained, but in broad terms, the approach used is one of the oldest methods favoured by hackers and numerous variations of the method have been used. It points to a need for strong safeguards against unauthorized intrusion and the need for monitoring systems to ensure that there are no activities related to unauthorized programs and program changes. A summary of the case as it stands is included in this Globe and Mail article.
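The monitoring the post calls for, in its simplest form, is a file-integrity baseline: record a digest of every program file, then periodically compare and flag anything added, changed or removed. The following is an added example written for this page, not code from the post or from Heartland; the "deployment" it checks is a constructed temporary directory with hypothetical file names, and the tampering it detects is simulated inline.

```python
"""Added example (not from the original post): a minimal file-integrity
baseline and comparison, the kind of check that would flag unauthorized
programs or program changes like those described above.

Everything here is constructed for the demonstration: the "deployment"
is a temporary directory populated with a few hypothetical files.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two snapshots.

    'added'    - files present now that were not in the baseline
                 (for example, a planted capture program)
    'modified' - files whose contents changed
    'removed'  - files that disappeared
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict[str, list[str]]:
    """Build a constructed deployment, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Hypothetical program files; names and contents are constructed.
        (root / "bin" / "pos_terminal").write_bytes(b"original terminal binary")
        (root / "bin" / "settle").write_bytes(b"settlement job")
        (root / "config.ini").write_text("timeout=30\n")

        baseline = build_baseline(root)

        # Simulate the kind of change the post describes:
        # one program modified, one new program planted.
        (root / "bin" / "pos_terminal").write_bytes(b"original terminal binary + hook")
        (root / "bin" / "grabber").write_bytes(b"planted program")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored somewhere the monitored host cannot alter it, and the comparison scheduled independently of the system being checked; a report with a non-empty "added" or "modified" list for a program directory is the event to investigate.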

Monday, August 17, 2009

E-Mail and Social Media Security Concerns

A recent survey carried out by Proofpoint, which included responses from over 220 employees of 1000 companies, shows that e-mail security is a top concern. One of the major reasons is the cost of e-discovery, which is happening with increasing frequency. Social media also raises similar concerns, and there are several reports in the survey about misuse of social media, such as Facebook and YouTube.

Companies are addressing these concerns in part by issuing new corporate policies regarding employee use of e-mail and social media. There are also reports that they are cracking down on compliance by firing those who violate the policies.

An article discussing these findings can be found on this site, which also points to a study on e-discovery.

Friday, August 14, 2009

The Business Case for Security

The recession has sparked a reduction in IT spending, as everyone knows. Quite often, spending reductions have a tendency to hit security and control first, which is a mistake, but something that strangely often happens. As a result CIOs are often faced with a need to build a business case for their security programs and particularly their new initiatives. This is not always an easy task.

The operative word is "business". If the other C-suite executives are going to be persuaded to contribute scarce resources to a security plan, they need to hear a business case: how the plan will help them to achieve the company's goals. So aspects of security such as minimizing shutdowns of service, which can cost big money in lost revenues and lost customers, need to be highlighted. Security helps to protect valuable property as well, which can be critical to an organization, particularly intellectual property. That's another useful and valid argument.

An article in Computerworld this month sets out five categories of arguments like this. It's something that could be helpful to any number of CISOs these days.

Monday, August 10, 2009

Modern web attacks

Sophos has a number of papers interesting to the IS professional and researcher. "This paper provides an overview of modern malware that uses the web to attack victims. Example attacks are used to illustrate some of the tricks and techniques used by hackers. The roles of "attack sites" and compromised sites are discussed together with some of the technologies that can be used to provide protection."

This paper is very relevant to any IS professional who needs to help launch safeguards against malicious attacks. Such attacks are becoming increasingly frequent and serious. To download this paper, go to the Sophos Website.

Friday, August 7, 2009

Twitter's Denial of Service Attack

There has been much analysis of Twitter's recent DoS hacker attack that brought down its servers for a few hours. DoS attacks are one of the most common types of hacker attack and have been for years. So most high profile sites have installed software or otherwise engaged protection from them. There are lessons to be learned from the Twitter attack. For some businesses, an outage of their IS service for several hours can be disastrous and cost them customers and a great deal of business and money. Prevention is paramount and strong preventive measures need to be in place. For a quick analysis of the Twitter attacks, check out this article in CIO Magazine. Also, for a more detailed view of DoS attacks, the Wikipedia article is worth a look. Finally, CERT has an archived document that is quite informative.
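The "software or otherwise engaged protection" the post mentions starts, at its most basic, with limiting how fast any single source may make requests so that a flood from one place cannot exhaust the service for everyone else. The following is an added example written for this page, not code from the post, from Twitter or from CIO Magazine; it implements a per-source token bucket and runs it over constructed traffic (two ordinary clients plus one flooding source) with arbitrary illustrative rates.

```python
"""Added example (not from the original post): a per-source token-bucket
rate limiter, the simplest form of flood protection that sites put in
front of their servers.  The sample traffic below is constructed, not
taken from any real incident, and the rates are illustrative values.
"""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate: float          # tokens refilled per second (sustained request rate)
    capacity: float      # burst allowance
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per source address; an unseen source gets a full bucket."""

    def __init__(self, rate: float, capacity: float) -> None:
        self.rate, self.capacity = rate, capacity
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, src: str, now: float) -> bool:
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = TokenBucket(self.rate, self.capacity)
            bucket.last = now
            self.buckets[src] = bucket
        return bucket.allow(now)


def run(requests, rate: float = 5.0, capacity: float = 10.0) -> dict[str, tuple[int, int]]:
    """Feed (timestamp, source) pairs through the limiter in time order and
    return, per source, a (allowed, dropped) count."""
    limiter = RateLimiter(rate, capacity)
    stats: dict[str, tuple[int, int]] = {}
    for ts, src in sorted(requests):
        allowed, dropped = stats.get(src, (0, 0))
        if limiter.check(src, ts):
            allowed += 1
        else:
            dropped += 1
        stats[src] = (allowed, dropped)
    return stats


def sample_traffic():
    """Constructed traffic: two ordinary clients at one request per second
    over 20 seconds, and one source sending 100 requests within one second."""
    normal = [(float(t), "10.0.0.1") for t in range(20)]
    normal += [(float(t) + 0.5, "10.0.0.2") for t in range(20)]
    flood = [(5.0 + i / 100.0, "198.51.100.7") for i in range(100)]
    return normal + flood


if __name__ == "__main__":
    for src, (ok, dropped) in run(sample_traffic()).items():
        print(f"{src:14} allowed={ok:3} dropped={dropped:3}")
```

With a sustained rate of 5 requests per second and a burst of 10, the two ordinary clients are never throttled, while the flooding source gets its initial burst plus roughly the refill earned during its one-second flood and has the remaining eighty-odd requests dropped; a real deployment would apply this at the network edge or load balancer, key on more than a bare source address, and treat a source that is persistently at its limit as a signal for the monitoring that the post argues for.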