Archive for Information Security
Author: Dave Lewis
August 20, 2007 at 9:05 pm · Filed under Information Security, Security Mgmt
Here is an interesting piece from InformationWeek. Basically the piece outlines the obvious when it comes to Facebook. I have witnessed several companies in the Toronto area that allow their employees to use the popular social networking site. The marvel of this is the viral nature of the site and the sheer volume of time people piss away interacting with others. Now let’s calculate the cost to the affected employers…
Workers at the office using social networking sites, like Facebook, are costing employers more than $5 billion a year and putting corporate networks at risk of attack, according to a new study.
The data is out of Australia, but a spokeswoman at security company SurfControl noted that country is ranked fifth among global Facebook users, coming in behind the United States. That, she pointed out, means the problem of lost time and network risk is even greater here in the U.S.
If one employee spends one hour of company time on Facebook every day, it potentially costs his or her employer more than $6,200 per year. Factored across the 800,000 businesses in Australia, that one wasted hour a day adds up to a productivity loss of $5 billion annually for the Australian economy.
And SurfControl’s researchers also noted in an advisory the rise of what they’re calling “underground intranets,” such as groups of users dedicated to nothing more than slacking off at work. Some of the groups are specific to employees at individual companies.
In addition to the slacker factor is the danger of data leakage. Yet another hole in the perimeter. Sometimes telling your staff “no” is not such a bad thing.
Article Link
Tags: Facebook, Data Leakage, Indirect Corporate Theft
Author: Dave Lewis
August 14, 2007 at 6:52 am · Filed under Information Security
Jon Espenschied has an amusing (or scary) piece on security claims in Computerworld:
A child with a chocolate-smeared shirt says, “I didn’t do it.” The phone rings, and Mom assures you, “There’s nothing to worry about.” A systems administrator carrying a box of tapes says, “We’ll have everything back up in a few minutes.” Sometimes the first words you hear — despite their distance from the truth — tell you everything you need to know.
That’s so with information security as well. Some words sound reassuring at first glance, but I’ve found they often point to problems safeguarding internal information assets and technical resources, or with the people and processes that protect them. Here are a few of the telltale phrases signaling that security trouble could be boiling over.
“We have a culture of security.”
No, you don’t.
Enjoy.
Article Link
Tags: Security Claims, Security, Information Security
Author: Dave Lewis
August 10, 2007 at 2:01 pm · Filed under Dumbass, Information Security
HAHAHAHAHA! I’m weeping inside.
From Federal Times:
What’s the easiest way to get Internal Revenue Service employees to compromise computer security protocols? Ask them to.
In a test conducted in March and April by the agency’s inspector general, 60 percent of more than 100 IRS employees revealed their user names and changed their passwords when government auditors, posing as help desk employees, asked them to. What’s more, only eight employees contacted administrators to report the calls or determine if they were legitimate. Those tested included managers and contractors at many office locations across the agency.
“Employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work,” said Michael Phillips, deputy inspector general for audits, in his write-up analyzing the test.
The results in this test, released in late July, were even worse than those of a similar test three years ago when 35 percent of employees forked over their passwords and user names. In 2001, the failure rate was 71 percent.
The IRS has 100,000 employees who handle 220 million tax returns with personally identifiable information. Last month, the inspector general reported the loss of 490 computers in three years and other security violations, including weak password protections and a failure to encrypt data.
Article Link
Tags: Social Engineering, Hacking the IRS, Stupidity
Author: Dave Lewis
July 26, 2007 at 9:56 pm · Filed under Information Security
Sometimes a day is little more than a blur at the end of it. Today I had a moment of “I told you so” that I refrained from engaging in. Several years ago I warned someone I know that their company had a potential problem. He shrugged and didn’t see it as a big deal. Well, this problem that we talked about in 2002 resurfaced today with a vengeance and bit this person and their shop in the ass. I hung up the phone after offering my sympathies and paused for a moment. Our conversation from ‘02 came into sharp focus. I went to my offline email archives and sure enough there was the thread.
Sometimes you have to just bite your tongue.
Author: Dave Lewis
July 20, 2007 at 9:26 am · Filed under Education, Information Security
Here is a white paper from Microsoft that describes IPsec and NAP.
Network Access Protection (NAP) is a platform for Microsoft® Windows Server® 2008 (now in beta testing), Windows Vista™, and Windows® XP Service Pack 3 (which includes the NAP Client for Windows XP, now in beta testing), that provides policy enforcement components to help ensure that computers connecting to or communicating on a network meet administrator-defined requirements for system health. Internet Protocol security (IPsec) is a set of Internet Engineering Task Force (IETF) standards that provides cryptographic protection for IP-based traffic. This document provides an overview of the Network Access Protection platform and IPsec and how IPsec enforcement in the Network Access Protection platform works to provide system health policy enforcement for IPsec-protected communication.
I have not read this one yet, but it seemed like it would be worth sharing.
Article Link
Tags: NAP, NAC, IPsec, Access Protection
Author: Dave Lewis
July 9, 2007 at 8:06 pm · Filed under Education, Information Security
They are? When did this happen? Does this mean I’m going to get a raise because there is an alphabet soup after my name on my business card?
Nah. But it seems to be working for some folks. I tend to see these certifications as a check box for an HR filter person. I have a hard time appreciating them after I have met some “paper CISSP” folks.
From Computer World:
A report released last week by New Canaan, CT.-based Foote Partners LLC shows that formally certified security professionals on average are still commanding about 10% to 15% higher salaries than non-certified individuals in comparable roles. The numbers were marginally higher than the premiums offered for certified security professionals six months ago. Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).
In contrast, the premiums being offered for individuals with professional certifications in other IT areas fell by about 2% over the past year, according to the Foote report. The analysis was based on salary data from 33,800 U.S. and Canadian IT professionals.
“Security certifications bucked the overall trend by growing in value from October to April, up an average of 1.7 percent across the entire group of twenty-seven security certifications that we survey,” the report said. “This is a very important development, because salaries as well as skills pay for IT security professionals stopped growing and in some cases declined a few years ago following what had been a strong wave of hiring in the wake of Patriot Act, Homeland Security Act, and Sarbanes-Oxley Act legislation,” the Foote report said.
Hmm. In-ter-esting.
Article Link
Tags: Security Certifications, Salary Premiums, Security Resumes
Author: Dave Lewis
May 27, 2007 at 6:02 pm · Filed under Information Security
IT security at the FBI has been given a thumbs down in a new report from the US Government Accountability Office.
The report found that the FBI was subject to critical security flaws, and a lack of staffers properly trained in network & computer security.
Download the GAO report (via Cryptome)
Tags: GAO FBI Report, FBI, GAO Information Security Report
Author: Dave Lewis
May 8, 2007 at 4:00 pm · Filed under Education, Information Security
One of the great resources on the interweb for all things security is the National Institute of Standards and Technology (NIST). Namely their computer security group (CSRC).
A few weeks ago NIST made some headlines when they recommended against a quick adoption of Vista. This was a huge kick in the knickers for Microsoft, but NIST was only being cautious. Justifiably so. That very day I had a junior external consultant give me an earful as to “What the hell do they know?” They being NIST. When he came to, after suffering a thrashing about the head and neck with a trout, I offered that maybe he should become acquainted with some of their documents. I then pulled him back in the window and let go of his ankles.
Now, to avoid similar food/vertical-related assaults, NIST has created a document that walks the reader through the NIST resources.
A new resource especially useful for newcomers to this excellent collection is the “Guide to NIST Computer Security Documents” edited by Tanya Brewer and Matthew Scholl and dated February 2007 (but the PDF file shows that it was updated in April). The editors write:
“Currently, there are over 250 NIST information security documents. This number includes Federal Information Processing Standards (FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports (NISTIR). These documents are typically listed by publication type and number or by month and year in the case of the ITL Bulletins. This can make finding a document difficult if the number or date is not known. In order to make NIST information security documents more accessible, especially to those just entering the security field or with limited needs for the documents, we are presenting this Guide.”
So, if ever confronted with a similar situation please refrain and simply share their Guide.
Article Link
Tags: NIST, Guide to Documentation, NIST Computer Security Documents
Author: Dave Lewis
May 8, 2007 at 1:40 pm · Filed under Information Security
(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. It can be distributed only in the form of the original non-modified PDF document.
In this issue:
* On the security of e-passports
* Review: GFI LANguard Network Security Scanner 8
* Critical steps to secure your virtualized environment
* Interview with Howard Schmidt, President and CEO R & H Security Consulting
* Quantitative look at penetration testing
* Integrating ISO 17799 into your Software Development Lifecycle
* Public Key Infrastructure (PKI): dead or alive?
* Interview with Christen Krogh, Opera Software’s Vice President of Engineering
* Super ninja privacy techniques for web application developers
* Security economics
* iptables - an introduction to a robust firewall
* Black Hat Briefings & Training Europe 2007
* Enforcing the network security policy with digital certificates
Article Link
Download
Tags: INSECURE Magazine, Computer Security, Security Publications
Author: Dave Lewis
March 19, 2007 at 4:55 pm · Filed under Information Security
The European Network and Information Security Agency (ENISA) posted a study today on the emerging risks in information security.
In order to build reliable risk scenarios, it is necessary to perform an in-depth analysis of information sources on threats, vulnerabilities, incidents and their impact on infrastructure components. Based on existing information on security, the study provides analysis on:
* how to collect emerging risk related information as well as how to structure such information;
* how to investigate and monitor available information sources in order to build Emerging Risk scenarios;
* how to disseminate Emerging Risks related information to stakeholders.
Here is the study:
ENISA Study on Emerging Risks related Information
And for the rest of the supporting documentation click here.
Tags: ENISA, Information Security, Future Proofing, Security