Wikileaks Implications
It became immediately obvious when Wikileaks hit the news by releasing classified information that security had suddenly become a broader issue. While security had broadened in recent years to include such correspondence as email, we are now facing a much bigger step. All internal documents and correspondence, memos, papers, etc.
The new broader security is now being addressed by companies and security consultants are busy devising ways to combat the efforts of Wikileaks imitators.
One of the prime security methods appears to be that old standby - monitoring. Monitoring of the handling of documents and monitoring of downloads to spot excessive accumulation of information. It won't be long until standard security procedures and packages cover this important element. For some additional information, check this article.
Technology, security, analytics and innovation in the world of audit and business.
Thursday, January 27, 2011
Wednesday, January 26, 2011
Criminal Opportunities in the Cloud
Establishing proper security over the cloud is a relatively new process and one that bears some differences from the old approach to security. For example, an obvious one, the cloud features large storage capabilities, such that if it isn't monitored closely, huge amounts of illicit data could be stored in corporate space and distributed from there and ultimately purged, so that the administrator never realizes that the action has happened.Experts at the Black hat Conference in DC pointed to this risk and lots of others.
They said, for example, that this storage capacity along with the computing power that could be available would mean that an array of data could be stored and then the information used to break passwords.
For an article on this and related issues, check out this link.
Establishing proper security over the cloud is a relatively new process and one that bears some differences from the old approach to security. For example, an obvious one, the cloud features large storage capabilities, such that if it isn't monitored closely, huge amounts of illicit data could be stored in corporate space and distributed from there and ultimately purged, so that the administrator never realizes that the action has happened.Experts at the Black hat Conference in DC pointed to this risk and lots of others.
They said, for example, that this storage capacity along with the computing power that could be available would mean that an array of data could be stored and then the information used to break passwords.
For an article on this and related issues, check out this link.
Friday, January 21, 2011
Trusted Identities in Cyberspace
The Obama Administration's initiative to establish a national strategy to establish trusted identities in executing commercial transactions online is much needed. We have been relying for years on simple ad-hoc approaches to security that have grown without any plan or structure. They have just sprouted up.
The result has been that we have multiple signons, with some of them quite effective and many ridiculously ineffective. What is worse, people are expected to remember a great many passwords and pin numbers, some for sensitive information like direct access to their bank accounts. They can't remember everything so they use the same passwords for multiple purposes with some using the same password for their hotmail account as they do for their bank account,. That is more than wreckless.
The idea behind the Trusted Identity is that people would pre-establish their identity in a common database with strict government supervision and then when they execute a transaction online a single signon would be sufficient,. Also, they would not need to give all that long list of personal information that some sites now require. And which causes privacy advocates headaches and nightmares.
Such a policy is more than overdue. Here's an article that explains more as to why.
The Obama Administration's initiative to establish a national strategy to establish trusted identities in executing commercial transactions online is much needed. We have been relying for years on simple ad-hoc approaches to security that have grown without any plan or structure. They have just sprouted up.
The result has been that we have multiple signons, with some of them quite effective and many ridiculously ineffective. What is worse, people are expected to remember a great many passwords and pin numbers, some for sensitive information like direct access to their bank accounts. They can't remember everything so they use the same passwords for multiple purposes with some using the same password for their hotmail account as they do for their bank account,. That is more than wreckless.
The idea behind the Trusted Identity is that people would pre-establish their identity in a common database with strict government supervision and then when they execute a transaction online a single signon would be sufficient,. Also, they would not need to give all that long list of personal information that some sites now require. And which causes privacy advocates headaches and nightmares.
Such a policy is more than overdue. Here's an article that explains more as to why.
Tuesday, January 18, 2011
Mobility, The Cloud and Security
by Gerald Trites
Yet another study has come out warning of the growing exposure that companies are assuming because of the cloud and the ubiquitous mobile devices being used to access cloud applications. This one was released this week by Forrester Consulting and Symantec. Late last year, Websense prepared a list of five predictions for security in 2011, the first one being "2011 is the year when smart phones will account for 50 per cent of mobile phones sold that year, compared to 40 per cent in 2010." The report went on to detail some of the security issues that would accompany this trend.
Also late in 2011, McAfee released a report warning of the dangers of mobile units, particularly those connecting to social networks as well as corporate systems.
by Gerald Trites
Yet another study has come out warning of the growing exposure that companies are assuming because of the cloud and the ubiquitous mobile devices being used to access cloud applications. This one was released this week by Forrester Consulting and Symantec. Late last year, Websense prepared a list of five predictions for security in 2011, the first one being "2011 is the year when smart phones will account for 50 per cent of mobile phones sold that year, compared to 40 per cent in 2010." The report went on to detail some of the security issues that would accompany this trend.
Also late in 2011, McAfee released a report warning of the dangers of mobile units, particularly those connecting to social networks as well as corporate systems.
Further to these studies, and serving to amplify the concerns, a study released in December by security software vendor AdaptiveMobile found "that malware specifically targeting mobile devices rose 33 percent in 2010, primarily as a result of new sophisticated phishing campaigns that targeted specific individuals or organizations."(source here)
The Symantec study points out, as most of the others have, that enterprises haven't yet figured out how to integrate their security processes with these new mobile upstarts. So users are being asked to remember multiple passwords. This does not work, however, because people can't remember their passwords and are forced to write them down or list them in a separate file. It's not unusual for a single person to have many dozens, perhaps hundreds of passwords they are supposed to remember for all the apps they use on the internet.
Single signon is a potential solution, but again, the necessary software has not yet been integrated with most enterprise systems, so while it may be an answer down the road, it isn't yet.
The Symantec study suggest another approach, which merits consideration. Symantec and other security software vendors say "the key to keeping up with both the hackers and the exponential growth in mobile- and cloud-based apps and devices starts with installing strong, two-factor authentication security apps that have become cheaper and much easier to install via the cloud.
By requiring anyone accessing enterprise data to use two-factor authentication gateways, essentially an application that asks for two simultaneous but independent forms of information to log onto an application, companies could prevent a majority of the serious data breaches that cost millions per incident to resolve and unnecessarily expose proprietary information." See the source here.
Enterprises need to move fast in this area. The issue has the potential of running out of control.
Monday, January 17, 2011
Survey Shows Computer Crime Up
"PRINCETON, N.J., Dec. 13 (UPI) -- Increasingly, Americans are being victimized by computer crimes, Gallup's 2010 crime survey finds.
Eleven percent of U.S. adults said they or a household member were the target of a computer crime on their home computer in the past year, up from 6 to 8 percent in recent years, Gallup reported Monday.
Theft of money or property was the most common crime overall, at 16 percent, followed by vandalism of a home, car or other property at 14 percent. Next, after computer crime, was the closely related category of identity theft at 8 percent.
Fewer than 5 percent of respondents reported being victimized by a home break-in, a car theft or a violent crime. A third of all U.S. households suffered at least one of the nine categories Gallup found.
The computer crime rise was felt most in younger age groups.
The telephone survey of 1,025 adults was conducted Oct. 7-10 with a margin of error of 4 percentage points."
Courtesy of Computer Crime Research Centre.
"PRINCETON, N.J., Dec. 13 (UPI) -- Increasingly, Americans are being victimized by computer crimes, Gallup's 2010 crime survey finds.
Eleven percent of U.S. adults said they or a household member were the target of a computer crime on their home computer in the past year, up from 6 to 8 percent in recent years, Gallup reported Monday.
Theft of money or property was the most common crime overall, at 16 percent, followed by vandalism of a home, car or other property at 14 percent. Next, after computer crime, was the closely related category of identity theft at 8 percent.
Fewer than 5 percent of respondents reported being victimized by a home break-in, a car theft or a violent crime. A third of all U.S. households suffered at least one of the nine categories Gallup found.
The computer crime rise was felt most in younger age groups.
The telephone survey of 1,025 adults was conducted Oct. 7-10 with a margin of error of 4 percentage points."
Courtesy of Computer Crime Research Centre.
Thursday, January 13, 2011
A Business Model for Information Security
Since security began, there has been an inherent conflict between safety and freedom. The words of Benjamin Franklin have been quoted often during the recent controversy over airline security policies - "The man (sic) who gives up his freedom for his safety deserves neither." For him the conflict was real, and the resolution simple.
In the world of information security, the conflict has been between security (or privacy) and efficient running of a business. Heavy security procedures can be a burden to efficient business processes. This has been the burden that IS auditors have had to carry; the reason why their recommendations often go unheeded year after year.
ISACA recognized this conundrum when it introduced its Business Model for Information Security. a set of comprehensive guidance, "a series planned around the Business Model for Information Security. Based on the white paper “Systemic Security Management,” developed by the USC Marshall School of Business Institute for Critical Information Infrastructure Protection, this guide provides a starting point for discussion and future development. It defines the core concepts that will evolve into practical aids information security and business unit managers can use to align security program activities with organizational goals and priorities, effectively manage risk, and increase the value of information security program activities to the enterprise."
Serious thought needs to be given to the concepts in this guidance by all IS Security professionals. Blind adherence to the idea of safety for its own sake impinges unnecessarily on business efficiency, which is just not good enough.
Perhaps the TSA and Transport Canada could learn from these concepts as well.
Since security began, there has been an inherent conflict between safety and freedom. The words of Benjamin Franklin have been quoted often during the recent controversy over airline security policies - "The man (sic) who gives up his freedom for his safety deserves neither." For him the conflict was real, and the resolution simple.
In the world of information security, the conflict has been between security (or privacy) and efficient running of a business. Heavy security procedures can be a burden to efficient business processes. This has been the burden that IS auditors have had to carry; the reason why their recommendations often go unheeded year after year.
ISACA recognized this conundrum when it introduced its Business Model for Information Security. a set of comprehensive guidance, "a series planned around the Business Model for Information Security. Based on the white paper “Systemic Security Management,” developed by the USC Marshall School of Business Institute for Critical Information Infrastructure Protection, this guide provides a starting point for discussion and future development. It defines the core concepts that will evolve into practical aids information security and business unit managers can use to align security program activities with organizational goals and priorities, effectively manage risk, and increase the value of information security program activities to the enterprise."
Serious thought needs to be given to the concepts in this guidance by all IS Security professionals. Blind adherence to the idea of safety for its own sake impinges unnecessarily on business efficiency, which is just not good enough.
Perhaps the TSA and Transport Canada could learn from these concepts as well.
Tuesday, January 11, 2011
Mobile Security a Growing concern
The iPad has been a tremendous success not only among consumers but also in business. Growing numbers of companies are providing iPads for their executives. As the use of these devices increases, they will inevitably contain sensitive data. Therefore, Corporate IT departments need to find ways to integrate security policies for iPads with corporate security. This is a challenge because the iPad was never constructed for security.
Given their security limitations combined with their popularity, we can be sure that 2011 will see a rush of new intrusion efforts from numerous sources. Security needs to be in place to deal with these threats. For some ideas, check this link.
The iPad has been a tremendous success not only among consumers but also in business. Growing numbers of companies are providing iPads for their executives. As the use of these devices increases, they will inevitably contain sensitive data. Therefore, Corporate IT departments need to find ways to integrate security policies for iPads with corporate security. This is a challenge because the iPad was never constructed for security.
Given their security limitations combined with their popularity, we can be sure that 2011 will see a rush of new intrusion efforts from numerous sources. Security needs to be in place to deal with these threats. For some ideas, check this link.
Thursday, January 6, 2011
Enterprise Security Isn't Ready for Mobility
McAfee has released a report that says companies are going to get in deep trouble in 2011 because of the rapid proliferation of mobile devices, particularly the iPad, iPhone and Android devices. Not only does the problem lie with the devices themselves and their easy connection with corporate systems, but it also lies with the use of those devices for social media and other apps that make use of geographical location. By tracking a particular device, hackers can see where a particular device is located at any time, graph those locations over time, obtain the personal information of the users and use this information to launch targeted attacks, which have a track record of success better than random attacks. It all adds up to major headaches for security administrators and the enterprises overall, not only from the point of view of the users but also the protection of enterprise data. For an article on the McAfee release, check this link.
McAfee has released a report that says companies are going to get in deep trouble in 2011 because of the rapid proliferation of mobile devices, particularly the iPad, iPhone and Android devices. Not only does the problem lie with the devices themselves and their easy connection with corporate systems, but it also lies with the use of those devices for social media and other apps that make use of geographical location. By tracking a particular device, hackers can see where a particular device is located at any time, graph those locations over time, obtain the personal information of the users and use this information to launch targeted attacks, which have a track record of success better than random attacks. It all adds up to major headaches for security administrators and the enterprises overall, not only from the point of view of the users but also the protection of enterprise data. For an article on the McAfee release, check this link.
Tuesday, January 4, 2011
Security Threats to Watch out for in 2011
Websense has prepared a list of five predictions for security in 2011. In summary, they are:
Websense has prepared a list of five predictions for security in 2011. In summary, they are:
- 2011 is the year when smart phones will account for 50 per cent of mobile phones sold that year, compared to 40 per cent in 2010.
- Expect one or two Stuxnet-type attacks in 2011 now that hackers have proven it can be done and it works. Such attacks are highly complex in design so they will not emerge frequently
- Blended threats—which use multiple vectors such as e-mail, Web, social media sites and data leaks—will evolve and spread through social media. Such threats will be script-based or embedded in rich media instead of the traditional binary files.
- Hackers will manipulate search algorithms in popular social media sites to expose visitors to malware. With enterprises increasingly using social media sites for corporate initiatives, policies should be put in place to avoid accidental posting of confidential information or other potentially damaging behaviour
- Data loss prevention (DLP) strategies and technologies will be ever more important in 2011 as more zero-day vulnerabilities will be discovered.
For the article, please check this link.
Monday, January 3, 2011
Securing a Virtualized Server Environment.
Virtualization is a top priority for many IT Managers and implementation is taking place around the world. As with so many new IT trends, the question arises of whether implementation is taking into account the security implications. In the case of virtualization, some evidence indicates that current projects may be falling short in this regard. HP has recently published a white paper in IT World that addresses this concern. Generally, they have indicated that many organizations have failed to reorganize their security structure to align with the virtualization concept. Accordingly, security structures continue to focus on physical machines rather than virtual machines. That could result on some typical security lapses, such as lack of segregation of duties. As virtualization moves forward, this issue needs to be addressed. For the white paper (registration required), check this link.
Virtualization is a top priority for many IT Managers and implementation is taking place around the world. As with so many new IT trends, the question arises of whether implementation is taking into account the security implications. In the case of virtualization, some evidence indicates that current projects may be falling short in this regard. HP has recently published a white paper in IT World that addresses this concern. Generally, they have indicated that many organizations have failed to reorganize their security structure to align with the virtualization concept. Accordingly, security structures continue to focus on physical machines rather than virtual machines. That could result on some typical security lapses, such as lack of segregation of duties. As virtualization moves forward, this issue needs to be addressed. For the white paper (registration required), check this link.
Subscribe to:
Posts (Atom)