<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
   <channel>
      <title>Ianuzzi&apos;s Security Perspective</title>
      <link>http://www.infosecurityconsult.com/weblog/</link>
      <description>Ianuzzi&apos;s Security Perspective</description>
      <language>en</language>
      <copyright>Copyright 2007</copyright>
      <lastBuildDate>Tue, 23 Oct 2007 11:27:51 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <item>
         <title>Corporate Culture as a Security Tool</title>
         <description>While developing security plans, we often ignore one of the most powerful tools in our arsenal: corporate culture. Most studies indicate that security breaches by employees account for about half of the security problems. Most employees who steal money, information, time or other resources from their employers do so, at least in part, to redress a perceived wrong. Regardless of the law, they rationalize that their actions are justified by the circumstances.
If we can influence corporate culture to enhance job satisfaction, we will eliminate some security problems.  There are many ways to do this, and I will offer my opinions in the next few posts. In the meantime, I would like to hear from you about what you believe are the most important factors in a positive corporate culture.
</description>
         <link>http://www.infosecurityconsult.com/weblog/2007/10/corporate_culture_as_a_securit.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/10/corporate_culture_as_a_securit.html</guid>
        
        
         <pubDate>Tue, 23 Oct 2007 11:27:51 -0500</pubDate>
      </item>
            <item>
         <title>Reducing Security by Changing Passwords?</title>
         <description>Changing passwords on a regular basis to improve security has been a part of the security scene for so long that no one questions its wisdom. It certainly provides a line of defense against an unknown password compromise or a failure to change passwords after working responsibilities change.

It can backfire when there is little or no possibility of an unauthorized password holder. The need to remember changing passwords leads to them being written down on Post-it notes or stored somewhere in your computer's files.

I would like to hear from you: how often are passwords changed in your organization? What should the interval be, and why?
</description>
         <link>http://www.infosecurityconsult.com/weblog/2007/04/reducing_security_by_changing.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/04/reducing_security_by_changing.html</guid>
        
        
         <pubDate>Mon, 02 Apr 2007 20:56:29 -0500</pubDate>
      </item>
            <item>
         <title>Hard Drives Shall Not Fail!</title>
         <description><![CDATA[There have been a number of <a href="http://www.eweek.com/article2/0,1895,2099467,00.asp?kc=EWEWEMNL030207EP34A">articles</a> this week which indicate that hard drives are a lot less reliable than the manufacturers claim.

This is of passing interest to most of us. We know how much we spend per year for drives and that is a much more tangible number than data on spec sheets. But it underscores a terrible truth.

Hard drives fail! Even worse, some RAIDs can fail and lose their data! It is enough to make a person think about backing up. If you are like most business people I know, all you will do is think about it.

A few are impelled to action and the majority of those have set up tape backup systems which are usually administered by folks who do not understand them, don’t test them, and can’t restore them.

If that is not bad enough, when they do get a usable backup, then they have to secure the data in it.

It's all more trouble than most businesses are willing to put up with.
]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/03/hard_drives_shall_not_fail.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/03/hard_drives_shall_not_fail.html</guid>
        
        
         <pubDate>Wed, 07 Mar 2007 19:00:04 -0500</pubDate>
      </item>
            <item>
         <title>A Real Security Challenge</title>
         <description><![CDATA[A recent <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011417&source=NLT_PM&nlid=8">Computerworld article</a> states that half of all pirated Vista software is malware – largely trojan horse programs which could subject your computer to outside control.
This sounds an ominous note for any company which allows employees to bring in laptops or allows connections via VPN from home.

Even if you have policies which require that laptops be examined before being connected to company networks, what happens after that? Where is your data after a family member downloads malware (from any source) onto their personally owned machine?

The implications of this are as difficult to manage as they are obvious: any machine which can access confidential information must be subject to continuous security oversight, no matter who owns it.
]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/02/a_real_security_challenge.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/02/a_real_security_challenge.html</guid>
        
        
         <pubDate>Sun, 18 Feb 2007 10:13:11 -0500</pubDate>
      </item>
            <item>
         <title>Security Shock</title>
         <description><![CDATA[A scientist has developed a way to make a DVD which could hold <a href="http://in.tech.yahoo.com/060708/139/65pz8.html">more than 50 terabytes</a>. This will serve to deepen the culture shock that we are experiencing in the security world.

Not too many years ago, protecting information was easier. Information had to be physically carried away, usually on paper, and good physical security could deal with that most of the time.

Today we live in a world where many people are culturally not ready to secure information. We institute policies and procedures and train and train, and people still don’t get it. If you’re not convinced of this, just get on an airliner and look around. You will usually see spreadsheets, marketing plans and other confidential information displayed for other passengers to see.

You think our data losses are catastrophic now. Just wait for better technology.]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/02/security_shock_1.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/02/security_shock_1.html</guid>
        
        
         <pubDate>Sat, 10 Feb 2007 22:07:11 -0500</pubDate>
      </item>
            <item>
         <title>All Hail the Lowly Password</title>
         <description><![CDATA[A recent <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010540&source=NLT_AM&nlid=1">Computerworld article</a> by Todd Weiss reinforces a basic fact – that weak passwords make life easy for hackers. What he also mentions, and what is not as obvious to many administrators, is the number of password attempts that are made on their servers.

Unless you monitor what is going on on your computers, you could be living in blissful ignorance.

Almost every machine which accepts connections is challenged many times each day, and although there are many things you can do to protect your machines, the lowly password is an effective line of defense.

The author’s suggestion of an eight-digit password using random letters, numbers and special characters is borne out by our own experience cracking passwords in our forensics lab. Dictionary, slightly modified dictionary, and shorter passwords are routinely cracked in minutes. Since technology advances quickly, we routinely use several more digits on our own servers.

Defense in depth is the best approach in protecting your machines. But as you pursue sophisticated defenses, don’t ignore the lowly password. Establish and enforce a password policy.]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/02/all_hail_the_lowly_password_1.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/02/all_hail_the_lowly_password_1.html</guid>
        
        
         <pubDate>Wed, 07 Feb 2007 10:43:50 -0500</pubDate>
      </item>
            <item>
         <title>It’s 10 O&apos;Clock - Do You Know Where Your Information Is?</title>
         <description>If a bag of flour were exploded in your kitchen, covering every surface with fine white powder, could you walk out of the room without carrying any trace of the flour with you? It is virtually impossible. We face the same problem designing information security systems.

Information by itself is usually static, but add people and it explodes onto networks, laptops, USB drives, PDAs and even (heaven forbid) paper. You can’t secure it until you figure out where it actually is.

This is probably the largest challenge in Information Security.</description>
         <link>http://www.infosecurityconsult.com/weblog/2007/01/its_10_oclock_do_you_know_wher.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/01/its_10_oclock_do_you_know_wher.html</guid>
        
        
         <pubDate>Tue, 30 Jan 2007 20:18:21 -0500</pubDate>
      </item>
            <item>
         <title>A Partial Plan is Better Than None</title>
         <description><![CDATA[A <a href="http://www.continuitycentral.com/harrispoll.pdf">Harris Interactive poll</a> shows that 61% of business executives are worried about compromise of corporate information systems. That shouldn’t be too surprising considering that without these systems, most companies are effectively shut down.

In spite of this, when limited budgets force choices between protecting confidentiality of information and business continuity efforts, confidentiality usually wins. This isn’t surprising when you consider that information breaches are more likely to bring intense public and regulatory pressure to bear.

What is unfortunate is that many companies look at business continuity as an all-or-nothing effort. Faced with a shortage of resources, plans are deferred.

Inexpensive stopgap plans, which provide for the most damaging aspects of the most likely risks, are a better idea. Not only can they provide some protection, but they can also serve to focus continuing attention on the issues.]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/01/some_plan_is_better_than_no_pl.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/01/some_plan_is_better_than_no_pl.html</guid>
        
        
         <pubDate>Sun, 28 Jan 2007 18:19:03 -0500</pubDate>
      </item>
            <item>
         <title>It’s Time To End Third Party Billing</title>
         <description><![CDATA[Inaccurate third party billing, passed on by telephone carriers, is called <a href="http://www.ftc.gov/bcp/conline/pubs/services/cramming.htm">cramming</a>; most of us are familiar with schemes involving 900 numbers, unordered services and similar issues.

Recently, my company was crammed by an internet advertiser. This was my second experience with these folks.

While resolving the problem, I discovered that others had <a href="http://www.consumeraffairs.com/scam_alerts/axcess.html">reported</a> similar experiences.

I called my phone company to alert them to the problem. I expected a concerned response. After being sent to several different departments, I was told that I could make a complaint to the Federal Trade Commission.

Resolving these problems takes a great deal of time and effort. Long waits for customer service and trips to the Post Office to send certified letters are par for the course. It is often less expensive to pay the bill.

If utilities are not able to directly resolve complaints involving the charges on the bills they send, we need legislation to end, or at the very least impose strict controls on, the practice of third party billing.]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/01/its_time_to_end_third_party_bi.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/01/its_time_to_end_third_party_bi.html</guid>
        
        
         <pubDate>Sat, 06 Jan 2007 19:19:08 -0500</pubDate>
      </item>
            <item>
         <title>Because It Works</title>
         <description><![CDATA[A recent <a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/12/26/AR2006122600922.html">article in the Washington Post</a> predicts that computer crime will rise in '07. This comes as no surprise to most of us. While we can pursue our part of the endless arms race by designing better systems, and vigorously improving the ones we have, we need to remember that this activity is increasing BECAUSE IT WORKS! The crooks get money.

Our only real defense is education. We need to spread the word not only within our businesses but to our friends, families and neighbors. This activity will only stop when it doesn’t pay.]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/01/because_it_works.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/01/because_it_works.html</guid>
        
        
         <pubDate>Sat, 06 Jan 2007 18:02:49 -0500</pubDate>
      </item>
            <item>
         <title>The Dismal State of Home Security</title>
         <description><![CDATA[My garage door opened by itself a few weeks ago. An air show was in progress at the time, and I concluded that signals from a military aircraft had overwhelmed the receiver. Still, this was not a good sign.

Up to this point, I had never given much thought to the garage door situation. A quick check revealed that cloning a door code is simplicity itself. If that wasn’t bad enough, it is possible to open many doors by <a href="http://lib.store.yahoo.net/lib/aaaremotes/gaplocksecuritytips.pdf">inserting a tool</a> at the top center and snagging and pulling the emergency door release cord. 

Units equipped with a <a href="http://www.hgtv.com/hgtv/rm_products_trade_shows/article/0,1797,HGTV_3780_1375072,00.html">rolling frequency system</a> are available and will prevent cloning. Removing the pull cord from the emergency release will solve the second problem.

A week later it happened again, and I discovered that it had been caused, both times, by my wife rummaging in a kitchen drawer which contained another remote.

I am relieved that I don’t have the problem I suspected but looking at the issue reminded me of the dismal lack of effective security in most homes.]]></description>
         <link>http://www.infosecurityconsult.com/weblog/2007/01/the_dismal_state_of_home_secur.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/01/the_dismal_state_of_home_secur.html</guid>
        
        
         <pubDate>Thu, 04 Jan 2007 21:01:34 -0500</pubDate>
      </item>
            <item>
         <title>The Elephant In the Room</title>
         <description>The ability of most people to ignore the elephant in the room knows no bounds. Today’s security elephant has got to be the laptop. 

When I ask most executives about laptop use in their companies, they are usually very quick to assure me that they are few and contain no sensitive information. Their employees seldom agree.

I am not sure where this reluctance comes from. Perhaps it is the fear of truly finding out that they don’t control the information in their operations, or maybe they believe that securing these pesky little machines is not really possible. Whatever it is, they would rather risk seeing their companies listed on the wall of shame than confront the issue.

In the weeks to come, we will continue to read news about companies who would rather leave it to chance.</description>
         <link>http://www.infosecurityconsult.com/weblog/2007/01/the_elephant_in_the_room_1.html</link>
         <guid>http://www.infosecurityconsult.com/weblog/2007/01/the_elephant_in_the_room_1.html</guid>
        
        
         <pubDate>Thu, 04 Jan 2007 19:56:44 -0500</pubDate>
      </item>
      
   </channel>
</rss>
