Data Protection Strategies
A recent survey by Ponemon Institute of 115 C-level executives in the UK clearly indicates that the need for a data-level security strategy is gaining traction with that group. All of them said that their organization had been targeted during the past year with attacks on their data. All understand the damage that such attacks can do to the organization and also recognize the effect that such attacks can have on their bottom line. For a summary of the survey, check out this link.
Technology, security, analytics and innovation in the world of audit and business.
Wednesday, March 31, 2010
Wednesday, March 24, 2010
It's Time to Scrap the Password System
Passwords are out of hand. They are based on an archaic approach that is outdated and no longer manageable or effective. The idea of most password systems is the same as it was when computers were used through a terminal on a desk by one person to access specific applications. The idea is that the user should remember that password and not write it down anywhere.
But times have changed. Users now use a variety of devices to access a variety of applications. Many of the applications are on the web. They have numerous passwords to "remember". This writer, for example, has 81 passwords for the applications he uses. Nobody can remember 81 passwords, so they need to be recorded somewhere, automatically creating a security risk. This is not uncommon. People often make use of password management software, but the security of that software is often weak or virtually non-existent.
Also, the passwords are used for multiple sessions, meaning if they are stolen they can be used fraudulently. This is at the core of much of the hacking that goes on.
The answer to this unfortunate dilemma lies in establishing a new password paradigm under which passwords are used only once. So if they are stolen they cannot be used. Since users couldn't remember these passwords either, there needs to be a system that recognizes a user and then hands out a password when needed and then makes it expire after the user logs out. Such systems are possible, and some examples of them are in use, but to make them available across the board requires the involvement of the internet service providers, who would supply the infrastructure to make the system work globally. The time for making this change is long past due. For an interesting take on this issue, see this article.
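As an added illustration (not code from the original post), the following Python sketch models the server side of the single-use scheme the post describes: a fresh password is handed out on demand to an already-recognised user, only its hash is stored, and it is retired after one use or after a short, assumed lifetime, so a stolen copy is worthless once the legitimate login has happened. The class, function names and the 120-second lifetime are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 120  # assumed lifetime for an unused password (example value)

class OneTimePasswordService:
    """Issues a fresh password per login and retires it after one use or on expiry."""
    def __init__(self, lifetime=OTP_LIFETIME_SECONDS, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock   # injectable clock so expiry can be tested deterministically
        self._pending = {}    # user -> (sha256 hex of password, expiry timestamp)

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def issue(self, user):
        """Hand out a fresh single-use password to an already-recognised user."""
        password = secrets.token_urlsafe(24)
        self._pending[user] = (self._digest(password), self._clock() + self._lifetime)
        return password  # sent to the user; the server keeps only the hash

    def verify(self, user, password):
        """Consume the pending password: accepted at most once, and only before expiry."""
        record = self._pending.pop(user, None)  # popped even on mismatch, so a wrong guess also burns it
        if record is None:
            return False
        stored_hash, expires_at = record
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(stored_hash, self._digest(password))

def demo_replay_is_rejected():
    """A password captured in transit is useless once the real login has happened."""
    svc = OneTimePasswordService()
    pw = svc.issue("alice")
    first = svc.verify("alice", pw)   # legitimate login
    replay = svc.verify("alice", pw)  # the same password presented a second time
    return first, replay  # (True, False)

def demo_expired_is_rejected():
    """A password left unused past its lifetime is rejected even if correct."""
    now = [1000.0]
    svc = OneTimePasswordService(lifetime=60, clock=lambda: now[0])
    pw = svc.issue("bob")
    now[0] += 61  # advance the injected clock past the lifetime
    return svc.verify("bob", pw)  # False
```

The pop-before-compare in `verify` is deliberate: a wrong guess also discards the pending password, so the one-time credential cannot be brute-forced online.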
Thursday, March 18, 2010
APT Attacks Can't be Stopped
One would think that with all the money and effort going into security of corporate systems, it would be getting more and more difficult to break into those systems. However, that's not the way it's playing out. Instead the advances in technology, plus the availability of tools and technology on the Web are making it much more difficult to stay (or get?) ahead of the crooks out there. They can run quick tests of vulnerabilities in systems and if they find even one, can leverage it to gain access. This is working for them through a technique known as Advanced Persistent Threat (APT) Attacks. The technology just escalates, but the attacks can't be stopped. Read about it here.
Tuesday, March 16, 2010
E-Discovery
The Institute of Internal Auditors has a useful introductory article on e-discovery on its website. E-discovery is the process of retrieving and preparing data and documents that can be used in legal proceedings. This is a relatively new procedure, because until the past few years, only paper documents were used in court. Now, however, this has changed drastically, and presents new challenges with regard to data storage and retrieval as well as compliance with established data handling policies. The article is at this website.
Friday, March 12, 2010
Towards More Secure RFID Chips
Researchers at MIT and a related spinoff company have been working on a new system to enhance the encryption of data on RFID chips. RFID has long been a concern of security professionals and has been identified by the Privacy Commissioner of Canada as a major privacy concern.
The researchers have been working on algorithms that are derived from faults that exist in every chip and that differ for every chip. Thus, since the algorithms are unique to each chip, they can be used for authentication purposes.
Encryption is the single most important means for safeguarding data, particularly data in mobile units like RFID chips. Click here for an article on this research.
Tuesday, March 9, 2010
Little Flaws Can Mean Big Vulnerabilities
At a recent conference, Fabian Yamaguchi showed how small design weaknesses in systems can mean real opportunities for hackers. He's the guru who gained a lot of press last year by revealing huge vulnerabilities in TCP. This year he's focusing on areas like instant messaging and drivers, and revealing some real concerns. For more, see this write-up.
Thursday, March 4, 2010
Major Issues Around Social Networking and Security
The RSA Conference currently taking place in San Francisco is understandably touching on, among other things, social networks. In this video, Ben Rothke shares his impressions of his peer-to-peer session on the major issues surrounding corporate information security and social networks.
Wednesday, March 3, 2010
The RSA Conference
The world's leading IT Security Conference is being held this week in San Francisco. A look at the program is a look at the top issues facing the world of security. There are sessions on cloud security, Cryptography, White House Cybersecurity, transparency and others. It's worth plugging into their RSS feed, as there will be many notable stories coming out of the conference this week. The feed can be obtained from the conference site.