Coastal Pacific Xpress Makes the Logical Choice: Organization Replaces Three Security Products With the Astaro Security Gateway

Coastal Pacific Xpress, a leader in logistical transportation and warehousing solutions, was managing renewals, license management and updates/upgrades for each product individually.  This task became increasingly difficult and CPX looked for a new solution to protect these numerous products.

Check out this case study to learn how CPX used Astaro Security Gateway to better manage and protect all 500-plus devices in Coastal Pacific Xpress's network.

View the original article here

Coastal Pacific Xpress Makes the Logical Choice: Organization Replaces Three Security Products With the Astaro Security Gateway

Coastal Pacific Xpress, a leader in logistical transportation and warehousing solutions, was managing renewals, license management and updates/upgrades for each product individually.  This task became increasingly difficult and CPX looked for a new solution to protect these numerous products.

Check out this case study to learn how CPX used Astaro Security Gateway to better manage and protect all 500-plus devices in Coastal Pacific Xpress's network.

View the original article here

Astaro Boosts Green County Agency's Security: County Agency Selects Astaro Network Security Over SonicWall

The Greene County Board of Developmental Disabilities, an agency committed to serving individuals with mental and physical disabilities, had a small network with little network protection. The eight users were networked together through a wireless broadband access point with a wireless router as their only form of network protection.

Read this case study to learn how Greene County was able to utilize Astaro Security Gateway software to fully protect its network.

View the original article here

Astaro Boosts Green County Agency's Security: County Agency Selects Astaro Network Security Over SonicWall

The Greene County Board of Developmental Disabilities, an agency committed to serving individuals with mental and physical disabilities, had a small network with little network protection. The eight users were networked together through a wireless broadband access point with a wireless router as their only form of network protection.

Read this case study to learn how Greene County was able to utilize Astaro Security Gateway software to fully protect its network.

View the original article here

Radiology Inc. Nukes Cosco Pix: Radiological Services Company Expands with the Help of Astaro

Radiology Inc. had outgrown their Cisco Pix firewalls. The devices did not provide the radiological services company with the throughput required to conduct daily operations.

They expanded their network through VPN connections and point to point fiber circuits. Unfortunately, they also found that their current system was limiting their ability to expand as it wasn't flexible enough to handle the required number of secure VPN connections.

Read this case study to learn how Radiology Inc. utilized Astaro Security Gateway to increase both its network capacity and efficiency.

View the original article here

Radiology Inc. Nukes Cosco Pix: Radiological Services Company Expands with the Help of Astaro

Radiology Inc. had outgrown their Cisco Pix firewalls. The devices did not provide the radiological services company with the throughput required to conduct daily operations.

They expanded their network through VPN connections and point to point fiber circuits. Unfortunately, they also found that their current system was limiting their ability to expand as it wasn't flexible enough to handle the required number of secure VPN connections.

Read this case study to learn how Radiology Inc. utilized Astaro Security Gateway to increase both its network capacity and efficiency.

View the original article here

Best Practices for Virtual Infrastructure Management

There are two sides to virtualization. The positives are well known: better hardware utilization, faster application deployment and increased workload mobility, all in the service of business agility. However, with all of these positives it is easy to forget the challenges. Read this white paper to learn how to address these IT management problems.

View the original article here

Best Practices for Virtual Infrastructure Management

There are two sides to virtualization. The positives are well known: better hardware utilization, faster application deployment and increased workload mobility, all in the service of business agility. However, with all of these positives it is easy to forget the challenges. Read this white paper to learn how to address these IT management problems.

View the original article here

Headline News - November 2, 2010

Tags » Facebook, Mobile POS, Mobile Technology, Payments News - Headline News, PlaySpan, Prepaid Cards, Vindicia  » Comments (0)

Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

View the original article here

Headline News - November 2, 2010

Tags » Facebook, Mobile POS, Mobile Technology, Payments News - Headline News, PlaySpan, Prepaid Cards, Vindicia  » Comments (0)

Headline News is compiled by Glenbrook Partners:

Note: Throughout the day, as we spot interesting developments, this post is updated.

View the original article here

MasterCard Announces 3Q2010 Financial Results

Tags » MasterCard  » Comments (0)

MasterCard this morning has announced financial results for the third quarter 2010. The company reported gross dollar volume increased 8.5% on a local currency basis to $685 billion, cross border volumes increased 15.4% and processed transactions increased 0.6% compared to the same period in 2009, to 5.8 billion.

"Consumers and businesses around the world continue to recognize the benefits of electronic payments and MasterCard remains at the heart of this evolution," said Ajay Banga, MasterCard president and chief executive officer. "Our year-to-date net income is up over 22%, aided by strong volume growth from markets outside of the U.S."

Press release, supplemental operating results, and an accompanying investor presentation are available on the MasterCard website.

View the original article here

MasterCard Announces 3Q2010 Financial Results

Tags » MasterCard  » Comments (0)

MasterCard this morning has announced financial results for the third quarter 2010. The company reported gross dollar volume increased 8.5% on a local currency basis to $685 billion, cross border volumes increased 15.4% and processed transactions increased 0.6% compared to the same period in 2009, to 5.8 billion.

"Consumers and businesses around the world continue to recognize the benefits of electronic payments and MasterCard remains at the heart of this evolution," said Ajay Banga, MasterCard president and chief executive officer. "Our year-to-date net income is up over 22%, aided by strong volume growth from markets outside of the U.S."

Press release, supplemental operating results, and an accompanying investor presentation are available on the MasterCard website.

View the original article here

Aconite Announces Packaged Solution To Speed EMV Adoption

Tags » Aconite  » Comments (0)

Aconite has announced the Aconite Smart EMV Manager, an integrated package that delivers "a sophisticated, fully-featured EMV solution in a single product. With straightforward pricing, simple interfaces and a plug-in deployment model, Aconite Smart EMV Manager offers all the benefits of Aconite's world-leading EMV components in a single, easy to implement package."

View the original article here

Aconite Announces Packaged Solution To Speed EMV Adoption

Tags » Aconite  » Comments (0)

Aconite has announced the Aconite Smart EMV Manager, an integrated package that delivers "a sophisticated, fully-featured EMV solution in a single product. With straightforward pricing, simple interfaces and a plug-in deployment model, Aconite Smart EMV Manager offers all the benefits of Aconite's world-leading EMV components in a single, easy to implement package."

View the original article here

Zero Trust Security – The Technical Discussion

With the cultural issues out of the way, let us discuss some technical details. 

Given the state of security technology and where security leadership sits these days, I question if Zero Trust can be implemented.

Essentially, with a ‘Zero Trust’ approach, we are talking about DMZs.  However, instead of our usual externally facing DMZs we are also talking about DMZs that are internally facing. 

These are no ordinary DMZs, these are highly monitored and controlled DMZs with IDS/IPS, NAC, full logging and everything else required to ensure security. 

These technologies are not for the faint at heart as they require a lot of planning in order to get them right.

Where a lot of organizations get things wrong is that they believe that all of these security technologies are like a Ronco Showtime Rotisserie oven, you just “Set it and forget it.” 

If only security worked that way, but it does not.  As a result, one of the first stumbling blocks organizations interested in Zero Trust face is staffing since Zero Trust will require a significant amount of attention both from a security perspective and from their help desk. 

I do not think that we are talking about a significant increase in security and help desk personnel, but the existing staffing levels are likely to be insufficient in a Zero Trust environment.

The next issue that I see is from the technology itself.  Most security technology is designed for Internet facing use, not internal use. 

While these solutions can be used internally, they tend to create issues when used internally because of their severe responses to any perceived attacks. 

As a result, in order to use these solutions, security professionals have to turn off or turn down certain features or functions because they get in the way of getting business done.  Then there are the applications themselves. 

I cannot tell you how frustrated I get with vendor and in-house developers that cannot tell you from a networking perspective how their applications work. 

As a result, security professionals are required to do extensive research to figure out what ports/services an application requires, if they even do such research. 

That then results in what we tend to see on internal networks with internal DMZs, lots of ports/services open into the DMZ because they do not want the application to break.  In a Zero Trust approach, this is not acceptable.

Then there is logging and the management and maintenance of log data.  It still amazes me the amount of push back I still receive on logging and the management of log data.

Security professionals and managers complain and complain about the amount of data that needs to be retained and the length it needs to be retained.  Hello! 

This is the only way you will ever know what went wrong and how it went wrong so that you can fix it. 

But the security information and event management (SIEM) industry has not helped things by delivering solutions that can cost as much as a large Beverly Hills mansion and are as easy to implement as an ERP system. 

While there are open source solutions, the usability of these solutions are questionable at best.  Unfortunately, the PCI DSS is mandating that log data be reviewed at least daily. 

In order to get that done, merchants either cannot afford or do not have the time to invest to meet this requirement.  As a result, there is a lot of frustration that what merchants are being asked to do cannot be done. 

Yet, log information capture and review is possibly one of the most important aspects of an organization’s security posture.  Because if you do not stop an attack with your firewall and IPS, the only way you know that is from your log data.  Damned if you do, damned if you do not.

So a merchant implements all of the necessary technologies and procedures to make Zero Trust a reality.  Is that merchant more secure?  If a merchant makes such an investment, the reward will likely be improved security. 

But it will take continuous effort to keep Zero Trust running and that is where all organizations run into trouble with security initiatives. 

It takes consistent execution to make security work and people and organizations these days lose interest in things they think are fixed and so security gets swept to the back burner. 

As a result, it takes strong leadership to keep security off of the back burner.  Without that leadership, security will fall into a rut and an incident will occur that will make security a front burner topic again.

So while I think Zero Trust is probably the approach we should all work towards, it will take a lot of effort to make it a reality.

Cross-posted from PCI Guru

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Zero Trust Security – The Technical Discussion

With the cultural issues out of the way, let us discuss some technical details. 

Given the state of security technology and where security leadership sits these days, I question if Zero Trust can be implemented.

Essentially, with a ‘Zero Trust’ approach, we are talking about DMZs.  However, instead of our usual externally facing DMZs we are also talking about DMZs that are internally facing. 

These are no ordinary DMZs, these are highly monitored and controlled DMZs with IDS/IPS, NAC, full logging and everything else required to ensure security. 

These technologies are not for the faint at heart as they require a lot of planning in order to get them right.

Where a lot of organizations get things wrong is that they believe that all of these security technologies are like a Ronco Showtime Rotisserie oven, you just “Set it and forget it.” 

If only security worked that way, but it does not.  As a result, one of the first stumbling blocks organizations interested in Zero Trust face is staffing since Zero Trust will require a significant amount of attention both from a security perspective and from their help desk. 

I do not think that we are talking about a significant increase in security and help desk personnel, but the existing staffing levels are likely to be insufficient in a Zero Trust environment.

The next issue that I see is from the technology itself.  Most security technology is designed for Internet facing use, not internal use. 

While these solutions can be used internally, they tend to create issues when used internally because of their severe responses to any perceived attacks. 

As a result, in order to use these solutions, security professionals have to turn off or turn down certain features or functions because they get in the way of getting business done.  Then there are the applications themselves. 

I cannot tell you how frustrated I get with vendor and in-house developers that cannot tell you from a networking perspective how their applications work. 

As a result, security professionals are required to do extensive research to figure out what ports/services an application requires, if they even do such research. 

That then results in what we tend to see on internal networks with internal DMZs, lots of ports/services open into the DMZ because they do not want the application to break.  In a Zero Trust approach, this is not acceptable.

Then there is logging and the management and maintenance of log data.  It still amazes me the amount of push back I still receive on logging and the management of log data.

Security professionals and managers complain and complain about the amount of data that needs to be retained and the length it needs to be retained.  Hello! 

This is the only way you will ever know what went wrong and how it went wrong so that you can fix it. 

But the security information and event management (SIEM) industry has not helped things by delivering solutions that can cost as much as a large Beverly Hills mansion and are as easy to implement as an ERP system. 

While there are open source solutions, the usability of these solutions are questionable at best.  Unfortunately, the PCI DSS is mandating that log data be reviewed at least daily. 

In order to get that done, merchants either cannot afford or do not have the time to invest to meet this requirement.  As a result, there is a lot of frustration that what merchants are being asked to do cannot be done. 

Yet, log information capture and review is possibly one of the most important aspects of an organization’s security posture.  Because if you do not stop an attack with your firewall and IPS, the only way you know that is from your log data.  Damned if you do, damned if you do not.

So a merchant implements all of the necessary technologies and procedures to make Zero Trust a reality.  Is that merchant more secure?  If a merchant makes such an investment, the reward will likely be improved security. 

But it will take continuous effort to keep Zero Trust running and that is where all organizations run into trouble with security initiatives. 

It takes consistent execution to make security work and people and organizations these days lose interest in things they think are fixed and so security gets swept to the back burner. 

As a result, it takes strong leadership to keep security off of the back burner.  Without that leadership, security will fall into a rut and an incident will occur that will make security a front burner topic again.

So while I think Zero Trust is probably the approach we should all work towards, it will take a lot of effort to make it a reality.

Cross-posted from PCI Guru

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Will A Security Conference Help Your Company?

For people who work in the world of computers, we all get our experiences in different ways. Some of us are born to type on the keys as part of our passion and we gain most of our knowledge just from experimenting at a young age.

While others of us are late bloomers and we start to learn how a computer truly works from classes in high school and most likely college.

But no matter how good you may think that you know computers, you have to understand that the world of computer security is a different beast all together.

If you were a hacker as a kid then you can take comfort that you have at least a passing knowledge of computer security.

But if you were a person who just used to mess around on the computer and did not try to break the system, then you have a whole world that needs to be opened up to you. A lot of these people work in the IT field now.

They help make sure that the computers in the offices around the world are running like they are supposed to. They are also, for the most part, in charge of the security as well.

As I said earlier, knowing how to secure a system takes more than just knowing about computers in general. That’s why it helps if you send your IT guy to some of the computer security conferences that happen every year.

Why send them to a conference?

There is a very easy answer to this question; it is because their knowledge will increase greatly. People who go to some of the computer security conferences learn a great deal from not just the other guys on the same side that they are on but from the bad guys as well.

The security conferences are a place where both white and black hat hackers come out to show what they have discovered over the past year. The one thing that a hacker cares about more than money in this world is respect from his peers.

Bringing a new and interesting attack to the attention of his peers is the one thing that will get him noticed. Most security conferences are known as a place where it is all about the education of the individuals and not about the politics of who is a good guy and who is a bad guy.

Getting to see these kinds of attacks in person and being able to ask questions will allow your IT guy to go back home or work and set up the network to the specifications needed to defend itself from these types of attack.

There is no better way to head off an impending attack than already knowing how it works and setting your system up to counteract it. And that is the great thing about most of these conferences as well.

They will show you how to defend yourself from some of the attacks that they show. The person will walk with you step by step through the attack and afterwards they will talk to the group on how the attack can be stopped.

Does your IT guy have the knowledge to implement what he has learned at the conference?

While your IT guy might be good, he may not be able to fully comprehend some of the attacks that he witnessed at the security conference. There is a lot of high level programming that goes into one of these attacks and some of them might deal with parts of the computer that the IT guy does not know about.

If that is the case then at least he still knows what he is missing and he can help you bring in someone that will know about the attacks that the system needs to be defended from.

If he didn't go to the conference in the first place he wouldn't be able to get you this far. You can bring in a freelance consultant and your IT guy will be able to go over his work to a small degree and make sure that he checks for everything that he is supposed to.

This is all because of the knowledge that he gained from the conference.

If you want to make sure that you have all your bases covered when it comes to the security of your network, then you must make sure that the people who are in charge of guarding it are properly trained.

You do this by getting them all of the material that they need. If that material requires that you send them to a security conference then that is what you have to do. If you do not get this done, then you will be easy pickings for the bad guys out there.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Will A Security Conference Help Your Company?

For people who work in the world of computers, we all get our experiences in different ways. Some of us are born to type on the keys as part of our passion and we gain most of our knowledge just from experimenting at a young age.

While others of us are late bloomers and we start to learn how a computer truly works from classes in high school and most likely college.

But no matter how good you may think that you know computers, you have to understand that the world of computer security is a different beast all together.

If you were a hacker as a kid then you can take comfort that you have at least a passing knowledge of computer security.

But if you were a person who just used to mess around on the computer and did not try to break the system, then you have a whole world that needs to be opened up to you. A lot of these people work in the IT field now.

They help make sure that the computers in the offices around the world are running like they are supposed to. They are also, for the most part, in charge of the security as well.

As I said earlier, knowing how to secure a system takes more than just knowing about computers in general. That’s why it helps if you send your IT guy to some of the computer security conferences that happen every year.

Why send them to a conference?

There is a very easy answer to this question; it is because their knowledge will increase greatly. People who go to some of the computer security conferences learn a great deal from not just the other guys on the same side that they are on but from the bad guys as well.

The security conferences are a place where both white and black hat hackers come out to show what they have discovered over the past year. The one thing that a hacker cares about more than money in this world is respect from his peers.

Bringing a new and interesting attack to the attention of his peers is the one thing that will get him noticed. Most security conferences are known as a place where it is all about the education of the individuals and not about the politics of who is a good guy and who is a bad guy.

Getting to see these kinds of attacks in person and being able to ask questions will allow your IT guy to go back home or work and set up the network to the specifications needed to defend itself from these types of attack.

There is no better way to head off an impending attack than already knowing how it works and setting your system up to counteract it. And that is the great thing about most of these conferences as well.

They will show you how to defend yourself from some of the attacks that they show. The person will walk with you step by step through the attack and afterwards they will talk to the group on how the attack can be stopped.

Does your IT guy have the knowledge to implement what he has learned at the conference?

While your IT guy might be good, he may not be able to fully comprehend some of the attacks that he witnessed at the security conference. There is a lot of high level programming that goes into one of these attacks and some of them might deal with parts of the computer that the IT guy does not know about.

If that is the case then at least he still knows what he is missing and he can help you bring in someone that will know about the attacks that the system needs to be defended from.

If he didn't go to the conference in the first place he wouldn't be able to get you this far. You can bring in a freelance consultant and your IT guy will be able to go over his work to a small degree and make sure that he checks for everything that he is supposed to.

This is all because of the knowledge that he gained from the conference.

If you want to make sure that you have all your bases covered when it comes to the security of your network, then you must make sure that the people who are in charge of guarding it are properly trained.

You do this by getting them all of the material that they need. If that material requires that you send them to a security conference then that is what you have to do. If you do not get this done, then you will be easy pickings for the bad guys out there.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Reconnaissance Gone Retail and Security - A Challenging Duality

Reconnaissance has “gone retail.” Capabilities that used to be the costly province of nation states have been democratized.

Communications technologies have become so pervasive that a newborn's first pictures are likely to be transmitted wirelessly within moments of birth, arriving at beaming grandparents half a world away within seconds, if not in real-time.

Smart phones, digital cameras, and netbooks, are only the most recent signposts on a road of information fluidity.

Life can certainly be more pleasant and entertaining when distant events are no longer distant; when a child's birth or first steps can be shared with friends and family half a world away in mere seconds.

At a recent security conference in Tel Aviv, Yuval Diskin, the Director of Shin Beth, an Israeli intelligence agency, recently observed:[1]

“Intelligence once enjoyed only by countries and world powers can now be obtained through Internet systems like Google Earth, Internet cameras that are deployed all over the world and linked to the Web, or applications for IPhone [sic] devices that allow for quality intelligence to be received in real-time.”

Director Diskin has a point, albeit this djinni escaped its bottle long before the most recent cavalcade of portable electronic devices and network connectivity.

I noted that connectivity, accessibility and computing power created a collation hazard in 1995.[2]

In 2002, I noted a corollary of this: that the costs of data collection and correlation had decreased dramatically,[3] from the scale of a nation state to the retail level, exposing people to hazards previously feasible, but uneconomically unviable (e.g., the 1989 murder of actress Rebecca Shaeffer by an obsessed stalker who located her residence from then easily available public motor vehicle records).

Intent is difficult, if not impossible to determine. Nature is always impartial. Physics rules with draconian impartiality.

This underlies a duality that many find troubling: Connectivity brings us closer together, both friend and foe. Our great-grandparents waited anxiously for letters to arrive bearing the first pictures of a new grandchild; often weeks after the birth.

Today, the time span of anxiety is reduced to mere minutes, practically the interval between labor contractions.

This is the dilemma to which Director Diskin refers: the same technology that brings families closer together for the birth of a child, can just as easily be used to celebrate terrorism and other far less peaceful pursuits.

Recently, I had to visit someone in a nearby major hospital center. Just a few years ago, the possession of a notebook computer would have been cause for a cautionary warning that electronic devices are not allowed within the building.

Now, much, if not all of the facility is equipped with Wi-Fi, and there is an unencrypted Wi-Fi available for patients and visitors. I am almost certain that this is not merely altruism.

I expect that the connectivity provided to patients and visitors is, in effect, spare bandwidth from a properly encrypted co-network, one that directly supports patient care.[4,5]

Yet another example of the economics of the cloud; otherwise unused capacity is used for a purpose, rather than simply being discarded.

As a result, families can share precious moments with others at the press of a button. No longer is the hospital an isolating experience.

Indeed, as a visitor, I was able to use my waiting time somewhat productively, securely connected back to my office through my wireless card and virtual private network.

Regrettably, there are no good answers to the concerns raised by Director Diskin. There is no a priori way to differentiate between pictures of new homes or cars, and a pre-attack reconnaissance of the same by a terrorist group.

In the recent Mumbai attack, terrorists are reported to have used communications devices to coordinate or receive instructions; but these same communications channels were also separately being used by civilians to communicate their location for rescue, yet another example of how communications are neutral.

Notes

[1]Reuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times

[2] Robert Gezelter (1995) “Security on the Internet”, Chapter 23 in Computer Security Handbook, Third Edition, pp 23-6, et seq.

[3] Ibid (2002) “Protecting Web Sites”, Chapter 22 in Computer Security Handbook, Fourth Edition, pp 22-20, et seq.

[4] Ibid (2003, June) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society.

[5] Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007 References

Seymour Bosworth and Michel Kabay (2002) Computer Security Handbook, Fourth Edition WileyRobert Gezelter (1995) “Security on the Internet” (Chapter 23) in Computer Security Handbook, Third Edition Wiley(2003) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society. Slides retrieved from http://www.rlgsc.com/ieee/charleston/2003-6/internetdial.html on November 2, 2010Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007. Retrieved from http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html on November 2, 2010Ibid (2009, December 9) “Networks Placed At Risk: By Their Providers” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/networks-placed-at-risk.html on November 2, 2010Ibid (2010, March 31) “Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/retain-dynamic-address-allocation-logs.html on November 2, 2010Ibid (2010, May 25) “New IRS Reporting Requirements Have Implications for Business Large and Small” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/new-irs-reporting-requirements.html on November 2, 2010Ibid (2010, August 31) “GPS Recorders and Law Enforcement Accountability” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html on November 2, 2010Ibid (2010, October 25) “Google Street View and Unencrypted Wi-Fi: Not a Hazard” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/google-street-view-and-unencrypted-wifi.html on November 2, 2010Arthur Hutt, Seymour Bosworth, and Douglas Hoyt (1995) Computer Security Handbook, Third Edition WileyReuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times. Retrieved from http://www.nytimes.com/reuters/2010/11/01/technology/tech-us-israel-security.html on November 2, 2010

Reproduced from Reconnaissance Gone Retail and Security: A Challenging Duality, an entry in Ruminations -- An IT Blog by Robert Gezelter. Copyright (c) 2010, Robert Gezelter. Unlimited Reproduction permitted with attribution.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Reconnaissance Gone Retail and Security - A Challenging Duality

Reconnaissance has “gone retail.” Capabilities that used to be the costly province of nation states have been democratized.

Communications technologies have become so pervasive that a newborn's first pictures are likely to be transmitted wirelessly within moments of birth, arriving at beaming grandparents half a world away within seconds, if not in real-time.

Smart phones, digital cameras, and netbooks, are only the most recent signposts on a road of information fluidity.

Life can certainly be more pleasant and entertaining when distant events are no longer distant; when a child's birth or first steps can be shared with friends and family half a world away in mere seconds.

At a recent security conference in Tel Aviv, Yuval Diskin, the Director of Shin Beth, an Israeli intelligence agency, recently observed:[1]

“Intelligence once enjoyed only by countries and world powers can now be obtained through Internet systems like Google Earth, Internet cameras that are deployed all over the world and linked to the Web, or applications for IPhone [sic] devices that allow for quality intelligence to be received in real-time.”

Director Diskin has a point, albeit this djinni escaped its bottle long before the most recent cavalcade of portable electronic devices and network connectivity.

I noted that connectivity, accessibility and computing power created a collation hazard in 1995.[2]

In 2002, I noted a corollary of this: that the costs of data collection and correlation had decreased dramatically,[3] from the scale of a nation state to the retail level, exposing people to hazards previously feasible, but uneconomically unviable (e.g., the 1989 murder of actress Rebecca Shaeffer by an obsessed stalker who located her residence from then easily available public motor vehicle records).

Intent is difficult, if not impossible to determine. Nature is always impartial. Physics rules with draconian impartiality.

This underlies a duality that many find troubling: Connectivity brings us closer together, both friend and foe. Our great-grandparents waited anxiously for letters to arrive bearing the first pictures of a new grandchild; often weeks after the birth.

Today, the time span of anxiety is reduced to mere minutes, practically the interval between labor contractions.

This is the dilemma to which Director Diskin refers: the same technology that brings families closer together for the birth of a child, can just as easily be used to celebrate terrorism and other far less peaceful pursuits.

Recently, I had to visit someone in a nearby major hospital center. Just a few years ago, the possession of a notebook computer would have been cause for a cautionary warning that electronic devices are not allowed within the building.

Now, much, if not all of the facility is equipped with Wi-Fi, and there is an unencrypted Wi-Fi available for patients and visitors. I am almost certain that this is not merely altruism.

I expect that the connectivity provided to patients and visitors is, in effect, spare bandwidth from a properly encrypted co-network, one that directly supports patient care.[4,5]

Yet another example of the economics of the cloud; otherwise unused capacity is used for a purpose, rather than simply being discarded.

As a result, families can share precious moments with others at the press of a button. No longer is the hospital an isolating experience.

Indeed, as a visitor, I was able to use my waiting time somewhat productively, securely connected back to my office through my wireless card and virtual private network.

Regrettably, there are no good answers to the concerns raised by Director Diskin. There is no a priori way to differentiate between pictures of new homes or cars, and a pre-attack reconnaissance of the same by a terrorist group.

In the recent Mumbai attack, terrorists are reported to have used communications devices to coordinate or receive instructions; but these same communications channels were also separately being used by civilians to communicate their location for rescue, yet another example of how communications are neutral.

Notes

[1]Reuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times

[2] Robert Gezelter (1995) “Security on the Internet”, Chapter 23 in Computer Security Handbook, Third Edition, pp 23-6, et seq.

[3] Ibid (2002) “Protecting Web Sites”, Chapter 22 in Computer Security Handbook, Fourth Edition, pp 22-20, et seq.

[4] Ibid (2003, June) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society.

[5] Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007 References

Seymour Bosworth and Michel Kabay (2002) Computer Security Handbook, Fourth Edition WileyRobert Gezelter (1995) “Security on the Internet” (Chapter 23) in Computer Security Handbook, Third Edition Wiley(2003) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society. Slides retrieved from http://www.rlgsc.com/ieee/charleston/2003-6/internetdial.html on November 2, 2010Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectity”, Long Island Science Applications Technology 2007. Retrieved from http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html on November 2, 2010Ibid (2009, December 9) “Networks Placed At Risk: By Their Providers” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/networks-placed-at-risk.html on November 2, 2010Ibid (2010, March 31) “Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/retain-dynamic-address-allocation-logs.html on November 2, 2010Ibid (2010, May 25) “New IRS Reporting Requirements Have Implications for Business Large and Small” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/new-irs-reporting-requirements.html on November 2, 2010Ibid (2010, August 31) “GPS Recorders and Law Enforcement Accountability” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html on November 2, 2010Ibid (2010, October 25) “Google Street View and Unencrypted Wi-Fi: Not a Hazard” Ruminations - An IT Blog Retrieved from http://www.rlgsc.com/blog/ruminations/google-street-view-and-unencrypted-wifi.html on November 2, 2010Arthur Hutt, Seymour Bosworth, and Douglas Hoyt (1995) Computer Security Handbook, Third Edition WileyReuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times. Retrieved from http://www.nytimes.com/reuters/2010/11/01/technology/tech-us-israel-security.html on November 2, 2010

Reproduced from Reconnaissance Gone Retail and Security: A Challenging Duality, an entry in Ruminations -- An IT Blog by Robert Gezelter. Copyright (c) 2010, Robert Gezelter. Unlimited Reproduction permitted with attribution.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Top 5 Ridiculous Hacking Scenes in Movies

Like any technology-fed phenomenon with increasing public exposure, hacking is often ill-conceived and exaggerated in movie scenes.

The following are five of the most implausible and amusing scenes that have resulted from this approach to hacker depiction in movies.

Mission: Impossible

Ving Rhames plays expert computer hacker Luther Stickell in the Mission: Impossible movies. One of the most ridiculous scenes in this series comes in the first film, where Ethan Hunt (Tom Cruise) hangs upside down from the ceiling and hacks into the CIA’s system by executing Luther’s directions (given to him via earpiece).

It’s also just a little too simple when Luther hacks into the CIA Headquarters’ computer-controlled electrical system to trigger the fire alarm on a specific floor. As it turns out, all you have to do is type “ACTIVATE ALARM” and you can manipulate the CIA’s emergency alert system according to your every whim. Oh, and you can do all of this while sitting in a fire truck outside the building.

WarGames

What we can learn from this movie is that all backdoor passwords can be easily guessed if there’s an immediate family member who’s tragically died. Stephen Falken, an artificial intelligence researcher, has created a backdoor with password “Joshua” (the name of Falken’s dead son), which is hacked by a high school student and used to infiltrate the system of War Operation Plan Response (WOPR). And the rest is history - you never know whether you’re playing a game or destroying a country.

Jurassic Park

Lex is just proof that any middle school girl should know Unix. And that it’s not operated by command line, but by graphics. Sure. We can make these well-informed assumptions by watching the Jurassic Park scene in which a velociraptor tries to get into the building and eat everyone, but Lex decides that she can “hack” the security system and lock the doors.

This is irrelevant, since velociraptors can break glass, but let’s just go with it.
Lex takes one look at a graphical interface and announces, “Hey, it’s a Unix system! I know this!” She runs a program called “3D File System Navigator” and saves the day, at least for the next few seconds.

Independence Day

Obviously, there’s more dubious material in this movie than the hacking scene. But it’s still pretty laughable. Even if you accept the premise that aliens have power source technology that’s been impossible for humans to replicate, the hacker is way beyond executing a plausible command.

David Levinson (Jeff Goldblum) uses his trusty Mac to write a virus that infects and destroys the entire alien defense system. Unless the aliens used Unix, the remotest possibility that a human-written virus could affect their superior system is completely without substance. It appears that we’ve seriously underestimated the power of an Apple a day.

Swordfish

The hacker in this movie is played by Hugh Jackman and is an insult to any self-respecting programmer who doesn’t wear a dirty T-shirt every day. Both hacking scenes make the process seem far too easy and use bogus terms like “worms” and “hydras” that are essentially nonsensical.

Successful hacks are done by “visualizing code” and continuing to type despite warnings of “Access Denied.” The hacker does his thing while drinking wine, dancing obnoxiously in his chair, and having a gun pressed against his head. It doesn’t get much more ridiculous than that.

This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.

Cross-posted from ShortInfosec

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Top 5 Ridiculous Hacking Scenes in Movies

Like any technology-fed phenomenon with increasing public exposure, hacking is often ill-conceived and exaggerated in movie scenes.

The following are five of the most implausible and amusing scenes that have resulted from this approach to hacker depiction in movies.

Mission: Impossible

Ving Rhames plays expert computer hacker Luther Stickell in the Mission: Impossible movies. One of the most ridiculous scenes in this series comes in the first film, where Ethan Hunt (Tom Cruise) hangs upside down from the ceiling and hacks into the CIA’s system by executing Luther’s directions (given to him via earpiece).

It’s also just a little too simple when Luther hacks into the CIA Headquarters’ computer-controlled electrical system to trigger the fire alarm on a specific floor. As it turns out, all you have to do is type “ACTIVATE ALARM” and you can manipulate the CIA’s emergency alert system according to your every whim. Oh, and you can do all of this while sitting in a fire truck outside the building.

WarGames

What we can learn from this movie is that all backdoor passwords can be easily guessed if there’s an immediate family member who’s tragically died. Stephen Falken, an artificial intelligence researcher, has created a backdoor with password “Joshua” (the name of Falken’s dead son), which is hacked by a high school student and used to infiltrate the system of War Operation Plan Response (WOPR). And the rest is history - you never know whether you’re playing a game or destroying a country.

Jurassic Park

Lex is just proof that any middle school girl should know Unix. And that it’s not operated by command line, but by graphics. Sure. We can make these well-informed assumptions by watching the Jurassic Park scene in which a velociraptor tries to get into the building and eat everyone, but Lex decides that she can “hack” the security system and lock the doors.

This is irrelevant, since velociraptors can break glass, but let’s just go with it.
Lex takes one look at a graphical interface and announces, “Hey, it’s a Unix system! I know this!” She runs a program called “3D File System Navigator” and saves the day, at least for the next few seconds.

Independence Day

Obviously, there’s more dubious material in this movie than the hacking scene. But it’s still pretty laughable. Even if you accept the premise that aliens have power source technology that’s been impossible for humans to replicate, the hacker is way beyond executing a plausible command.

David Levinson (Jeff Goldblum) uses his trusty Mac to write a virus that infects and destroys the entire alien defense system. Unless the aliens used Unix, the remotest possibility that a human-written virus could affect their superior system is completely without substance. It appears that we’ve seriously underestimated the power of an Apple a day.

Swordfish

The hacker in this movie is played by Hugh Jackman and is an insult to any self-respecting programmer who doesn’t wear a dirty T-shirt every day. Both hacking scenes make the process seem far too easy and use bogus terms like “worms” and “hydras” that are essentially nonsensical.

Successful hacks are done by “visualizing code” and continuing to type despite warnings of “Access Denied.” The hacker does his thing while drinking wine, dancing obnoxiously in his chair, and having a gun pressed against his head. It doesn’t get much more ridiculous than that.

This is a guest post by Alexis Bonari. She is a freelance writer and blog junkie. She is a passionate blogger on the topic of education and free college scholarships. In her spare time, she enjoys square-foot gardening, swimming, and avoiding her laptop.

Cross-posted from ShortInfosec

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

SAP Disaster Recovery Solution with VMware Site Recovery Manager and EMC CLARiiON

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

SAP Disaster Recovery Solution with VMware Site Recovery Manager and EMC CLARiiON

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

Microsoft Exchange Server 2010: Best Practices

Are you ready to make the move to Exchange 2010, but concerned it’s going to be a long, complex and expensive job? One thing your company can’t afford is a costly, never-ending migration that burns countless man hours while increasing downtime and frustration.

This new Quest Software white paper gives you a better look at the power of Exchange 2010 – and takes you through some of the best practices for planning and performing the migration. Read the white paper today.

View the original article here

Microsoft Exchange Server 2010: Best Practices

Are you ready to make the move to Exchange 2010, but concerned it’s going to be a long, complex and expensive job? One thing your company can’t afford is a costly, never-ending migration that burns countless man hours while increasing downtime and frustration.

This new Quest Software white paper gives you a better look at the power of Exchange 2010 – and takes you through some of the best practices for planning and performing the migration. Read the white paper today.

View the original article here

Seven Keys to Making or Breaking Your Exchange Infrastructure

Exchange Server 2007 changed the way your communications infrastructure operated forever, delivering a potent and powerful e-mail engine. And with Exchange Server 2010, Microsoft’s upped the ante, delivering a more powerful feature set and functionality. But does all of this mean bigger management headaches?

In this Quest white paper, discover seven key aspects of the Exchange infrastructure, and learn to:

Gain control of your critical e-mail servicesGet peak performance from Exchange 2007See if your company is ready to move from Exchange 2007 to Exchange 2010

Harness the power of Exchange for your communications environment. Read the white paper today.

View the original article here

Seven Keys to Making or Breaking Your Exchange Infrastructure

Exchange Server 2007 changed the way your communications infrastructure operated forever, delivering a potent and powerful e-mail engine. And with Exchange Server 2010, Microsoft’s upped the ante, delivering a more powerful feature set and functionality. But does all of this mean bigger management headaches?

In this Quest white paper, discover seven key aspects of the Exchange infrastructure, and learn to:

Gain control of your critical e-mail servicesGet peak performance from Exchange 2007See if your company is ready to move from Exchange 2007 to Exchange 2010

Harness the power of Exchange for your communications environment. Read the white paper today.

View the original article here

DDoS Attacks Aim to Censor Human Rights Groups

A rash of distributed denial of service attacks (DDoS) were levied against the websites of at least six human rights organizations in an apparent attempt at cyber censorship and retribution for the airing of controversial video footage that allegedly shows human rights abuses on the part of the Indonesian government against several Papuan civilians.

The websites for the Free West Papua Campaign, Survival International, Friends of People Close To Nature, West Papua Media Alerts, the Asian Human Rights Commission, and West Papua Unite all suffered downtime of varying durations after airing the video footage (some sites remained disabled as this article was written, so their Twitter accounts have been linked instead).

From London's Channel 4 News:

Dave Clemente, an international security expert from Chatham House, said this appears to be a "very basic attack" and is a "poor attempt at cyber censorship", which could have been launched by any hacker around the world.  

"This attack is not even in same universe as the Stuxnet, which targeted the Iranian nuclear units. It's targeted at a handful of relatively small websites, the sort of thing governments, corporations and small businesses are used to dealing with."

While initial reports indicate a lack of sophistication employed in the DDoS attacks, the subsequent results are nonetheless noteworthy, as they demonstrate that cyber aggression as a means of gaining tactical advantages in political conflicts is more than just fodder for discussions on the viability of cyberwar.

This is yet another example of one group's technological savvy being instrumental in disrupting another group's ability to functionally disseminate information, as were the cases in Estonia in 2007 and Georgia 2008.

DoS attacks are nothing new, and are perpetrated by simply flooding a target server with simultaneous communications.

The attacks are generally performed using as many as thousands of "zombie" PC's or servers that have been compromised unbeknownst to the rightful owner, through the dissemination of botnet malware.

Techniques also include the use of multiple IP addresses in an attack from a limited number of sources which can give the appearance of wide distribution, and still others claim to be able to perform a non-distributed DoS attack from a single low-spec source.

In an email correspondence with Tim Murphy, webmaster at the Free West Papua Campaign, one of the organizations targeted by the recent DDoS attacks, Tim emphasized the effectiveness that such a campaign can have against small, non-profit organizations given their lack of financial resources:

I have just talked with the people who fixed Survival International's problem with the same DDoS attack, BUT they want lots and lots of money to fix it, and FWPC is a poor organization. In addition to dealing with the DDoS we also need to mirror this video so that the attackers get the idea that "the Internet sees any censorship as damage and reroutes around it."

Niels Groeneveld, who deserves full credit for bringing this story to our attention at Infosec Island, is recognized as an information systems security professional by the US Committee on National Security Systems (CNSS) and the US National Security Agency (NSA).

Niels has been instrumental in organizing an international response to the DDoS attacks, and indicates the momentum is building. We are looking forward to the pending investigation, and hope to share the results of their findings as soon as they are available.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

DDoS Attacks Aim to Censor Human Rights Groups

A rash of distributed denial of service attacks (DDoS) were levied against the websites of at least six human rights organizations in an apparent attempt at cyber censorship and retribution for the airing of controversial video footage that allegedly shows human rights abuses on the part of the Indonesian government against several Papuan civilians.

The websites for the Free West Papua Campaign, Survival International, Friends of People Close To Nature, West Papua Media Alerts, the Asian Human Rights Commission, and West Papua Unite all suffered downtime of varying durations after airing the video footage (some sites remained disabled as this article was written, so their Twitter accounts have been linked instead).

From London's Channel 4 News:

Dave Clemente, an international security expert from Chatham House, said this appears to be a "very basic attack" and is a "poor attempt at cyber censorship", which could have been launched by any hacker around the world.  

"This attack is not even in same universe as the Stuxnet, which targeted the Iranian nuclear units. It's targeted at a handful of relatively small websites, the sort of thing governments, corporations and small businesses are used to dealing with."

While initial reports indicate a lack of sophistication employed in the DDoS attacks, the subsequent results are nonetheless noteworthy, as they demonstrate that cyber aggression as a means of gaining tactical advantages in political conflicts is more than just fodder for discussions on the viability of cyberwar.

This is yet another example of one group's technological savvy being instrumental in disrupting another group's ability to functionally disseminate information, as were the cases in Estonia in 2007 and Georgia 2008.

DoS attacks are nothing new, and are perpetrated by simply flooding a target server with simultaneous communications.

The attacks are generally performed using as many as thousands of "zombie" PC's or servers that have been compromised unbeknownst to the rightful owner, through the dissemination of botnet malware.

Techniques also include the use of multiple IP addresses in an attack from a limited number of sources which can give the appearance of wide distribution, and still others claim to be able to perform a non-distributed DoS attack from a single low-spec source.

In an email correspondence with Tim Murphy, webmaster at the Free West Papua Campaign, one of the organizations targeted by the recent DDoS attacks, Tim emphasized the effectiveness that such a campaign can have against small, non-profit organizations given their lack of financial resources:

I have just talked with the people who fixed Survival International's problem with the same DDoS attack, BUT they want lots and lots of money to fix it, and FWPC is a poor organization. In addition to dealing with the DDoS we also need to mirror this video so that the attackers get the idea that "the Internet sees any censorship as damage and reroutes around it."

Niels Groeneveld, who deserves full credit for bringing this story to our attention at Infosec Island, is recognized as an information systems security professional by the US Committee on National Security Systems (CNSS) and the US National Security Agency (NSA).

Niels has been instrumental in organizing an international response to the DDoS attacks, and indicates the momentum is building. We are looking forward to the pending investigation, and hope to share the results of their findings as soon as they are available.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Five Ways to Create High Quality Security Policies

Security policies are the foundation of an enterprise information security program.

Without a solid foundation in place you simply cannot build a sturdy long-lasting structure; be it a building or a security program.

Below are five things that can help you ensure your foundation is strong.

1. Use a framework

By starting with a trusted framework you can avoid reinventing the wheel. A framework like ISO2700x will provide you with the areas you need to cover in your policies. Then it's your job to customize the policies so they fit your environment.

2. Make sure your policies are readable to non-technical folks

A policy is a strategic statement. It is not meant to give the details on what technology will be used, or how it will be implemented.

If you include too much detail you run the risk of making an unreadable document. A good policy can be read and understood by anyone in the organization. Leave the technical-speak for your standards and procedures.

3. Get executive buy-in

Board or senior leadership buy-in is critical to a security program. Some standards (such as GLBA) even require Board sign off on security policies.

By getting the organization's senior leadership on-board we ensure that security will have the funding, personnel and support it needs to succeed.

The senior leaders do not need to be an active part of the policy creation, but they should approve of the completed policies so they can understand and support them.

4. Communicate your policies

Too many organizations create a set of security policies, only to see those policies sit on a server, unread by anyone outside the groups who created and approved them.

Policies should be communicated widely throughout the organization. Security awareness training is the most obvious way to educate employees about the security policies, but topical posters, relevant emails, and on-going reminders at staff meetings can be effective and cost effective as well.

5. Maintain your policies

Organizations are dynamic. What worked for you in 2008 probably doesn't work in 2010. And what works for us here in 2010 will most likely not work in 2012.

As such, keeping policies up to date is a crucial task for organizations. A regular schedule should be created for reviewing and updating policies as appropriate.

Ideally, policies should be reviewed quarterly. But it should be no less than annually.

High quality policies aren't the whole story. We also need structure through quality standards, and detailed procedures, but without the foundation your program doesn't have a chance for success.

Give your security policies the time and resources they need.

Cross-posted from Enterprise InfoSec Blog from Robb Reck 

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Five Ways to Create High Quality Security Policies

Security policies are the foundation of an enterprise information security program.

Without a solid foundation in place you simply cannot build a sturdy long-lasting structure; be it a building or a security program.

Below are five things that can help you ensure your foundation is strong.

1. Use a framework

By starting with a trusted framework you can avoid reinventing the wheel. A framework like ISO2700x will provide you with the areas you need to cover in your policies. Then it's your job to customize the policies so they fit your environment.

2. Make sure your policies are readable to non-technical folks

A policy is a strategic statement. It is not meant to give the details on what technology will be used, or how it will be implemented.

If you include too much detail you run the risk of making an unreadable document. A good policy can be read and understood by anyone in the organization. Leave the technical-speak for your standards and procedures.

3. Get executive buy-in

Board or senior leadership buy-in is critical to a security program. Some standards (such as GLBA) even require Board sign off on security policies.

By getting the organization's senior leadership on-board we ensure that security will have the funding, personnel and support it needs to succeed.

The senior leaders do not need to be an active part of the policy creation, but they should approve of the completed policies so they can understand and support them.

4. Communicate your policies

Too many organizations create a set of security policies, only to see those policies sit on a server, unread by anyone outside the groups who created and approved them.

Policies should be communicated widely throughout the organization. Security awareness training is the most obvious way to educate employees about the security policies, but topical posters, relevant emails, and on-going reminders at staff meetings can be effective and cost effective as well.

5. Maintain your policies

Organizations are dynamic. What worked for you in 2008 probably doesn't work in 2010. And what works for us here in 2010 will most likely not work in 2012.

As such, keeping policies up to date is a crucial task for organizations. A regular schedule should be created for reviewing and updating policies as appropriate.

Ideally, policies should be reviewed quarterly. But it should be no less than annually.

High quality policies aren't the whole story. We also need structure through quality standards, and detailed procedures, but without the foundation your program doesn't have a chance for success.

Give your security policies the time and resources they need.

Cross-posted from Enterprise InfoSec Blog from Robb Reck 

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

5 Ways to Prevent Check Fraud Scams

Check fraud is a billion dollar problem.

Check fraud victims include banks, businesses and consumers. Our current system for cashing checks is somewhat flawed.

Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

There are 5 main forms of check fraud to watch out for:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized.

An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check written to someone else, forges and endorsement and cashes or deposits it.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn.

A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud.

When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves.

Uni-ball pens contain specially formulated gel ink that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

Consider a locked mailbox so nobody can access your bank statements.Using online banking and discontinuing paper statements.Never toss old checks in the rubbish, always shred them.Have checks delivered to the bank for pick up opposed to your home.Guard your checks in your home or office, lock them up.Go over your bank statements carefully.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

5 Ways to Prevent Check Fraud Scams

Check fraud is a billion dollar problem.

Check fraud victims include banks, businesses and consumers. Our current system for cashing checks is somewhat flawed.

Checks can be cashed and merchandise can be purchased even when there is no money in the checking account.

There are 5 main forms of check fraud to watch out for:

Forged signatures are the easiest form of check fraud. These are legitimate checks with a forged signature. This can occur when a checkbook is lost or stolen, or when a home or business is burglarized.

An individual who is invited into your home or business can rip a single check from your checkbook and pay themselves as much as they like. Banks don’t often verify signatures until a problem arises that requires them to assign liability.

Forged endorsements generally occur when someone steals a check written to someone else, forges and endorsement and cashes or deposits it.

Counterfeit checks can be created by anyone with a desktop scanner and printer. They simply create a check and make it out to themselves.

Check kiting or check floating usually involves two bank accounts, where money is transferred back and forth, so that they appear to contain a balance which can then be withdrawn.

A check is deposited in one account, then cash is withdrawn despite the lack of sufficient funds to cover the check.

Check washing involves altering a legitimate check, changing the name of the payee and often increasing the amount. This is the sneakiest form of check fraud.

When checks or tax-related documents are stolen, either from the mail or by other means, the ink can be erased using common household chemicals such as nail polish remover. This allows the thieves to endorse checks to themselves.

Uni-ball pens contain specially formulated gel ink that is absorbed into the paper’s fibers and can never be washed out. The pen costs two bucks and is available at any office supply store.

Consider a locked mailbox so nobody can access your bank statements.Using online banking and discontinuing paper statements.Never toss old checks in the rubbish, always shred them.Have checks delivered to the bank for pick up opposed to your home.Guard your checks in your home or office, lock them up.Go over your bank statements carefully.

Robert Siciliano personal security expert to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Presentation Transcript: Overcoming the Challenges with Configuration and Patch Mgmt

This presentation focuses on the patching and vulnerability and configuration management, but what does that really mean? Well, looking at patching overall, it’s actually just a component of the total vulnerability management lifecycle. While patching is only one piece of the process it isn’t the entire process and if you just think of it as an atomic unrelated piece, you’re not going to be able to do it as effectively as you could and you might add overhead to the entire process. So, you may actually lose some pieces that you need to patch or be aware of or to control as well as add additional time. So, we are going to talk about making it a component rather than an atomic piece of your program, and then obviously implementing that program itself.

Remediation, what you do, you found the problem. Now, what are you going to do to actually fix it, because it’s not always patched? It would be nice if it was always patched but there are a number of reasons why patch may not always be the best fit. What you do, if you can patch right away or sometimes you can’t patch it all. And that will be the alternative and then finally we will wrap up with some of the keys to success how you can actually build a program, if you’ve got a program in place, how you can strengthen it or if you’re still developing a program. Read on to learn more about creating a vulnerability and patching lifestyle and program.

View the original article here

Presentation Transcript: Overcoming the Challenges with Configuration and Patch Mgmt

This presentation focuses on the patching and vulnerability and configuration management, but what does that really mean? Well, looking at patching overall, it’s actually just a component of the total vulnerability management lifecycle. While patching is only one piece of the process it isn’t the entire process and if you just think of it as an atomic unrelated piece, you’re not going to be able to do it as effectively as you could and you might add overhead to the entire process. So, you may actually lose some pieces that you need to patch or be aware of or to control as well as add additional time. So, we are going to talk about making it a component rather than an atomic piece of your program, and then obviously implementing that program itself.

Remediation, what you do, you found the problem. Now, what are you going to do to actually fix it, because it’s not always patched? It would be nice if it was always patched but there are a number of reasons why patch may not always be the best fit. What you do, if you can patch right away or sometimes you can’t patch it all. And that will be the alternative and then finally we will wrap up with some of the keys to success how you can actually build a program, if you’ve got a program in place, how you can strengthen it or if you’re still developing a program. Read on to learn more about creating a vulnerability and patching lifestyle and program.

View the original article here

Server Security: Unnecessary, Unmanaged or Under Control?

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

Server Security: Unnecessary, Unmanaged or Under Control?

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of   |     

All Rights Reserved, Copyright 2000 - 2010, TechTarget | 

View the original article here

Defender 5: The Right Way to Prove, Identify and Establish Trust

Are you certain each person accessing your network resources is who they say they are? In this Quest technical brief, learn how Defender 5 gives you more control over who has access to resources, applications and data – well beyond a simple login name and password. Defender 5:

Seamlessly integrates with Microsoft Active DirectoryScales to fit your specific needsMaximizes your current assets

Right now, someone’s logging into your network and accessing vital resources. Are you sure you know who it is? Read this technical brief today.

View the original article here

Defender 5: The Right Way to Prove, Identify and Establish Trust

Are you certain each person accessing your network resources is who they say they are? In this Quest technical brief, learn how Defender 5 gives you more control over who has access to resources, applications and data – well beyond a simple login name and password. Defender 5:

Seamlessly integrates with Microsoft Active DirectoryScales to fit your specific needsMaximizes your current assets

Right now, someone’s logging into your network and accessing vital resources. Are you sure you know who it is? Read this technical brief today.

View the original article here

Stuxnet Could Be Chinese Hit on India's Space Program

Stuxnet and Wikileaks were the top news last week. Questions still abound as to who created Stuxnet.

Many believe that it was Israel, but now some are saying that it could be China, and the intended target was not an Iranian power plant, but India’s space program. 

The question remains though if Stuxnet attacks Windows based vulnerabilities, how is Iran even using the software, if Microsoft can’t export to Iran?

But what most experts will agree that the sophistication of Stuxnet fairly limits the country source of origin. Computer Security company Eset Security released an in-depth technical analysis (PDF format) of the cyber weapon called “Stuxnet Under the Microscope”.

Wikileaks does it again. But this time they released nearly 400,000 classified reports on the Iraq war.

Wired.com had some great articles on the release. Superbombs and Secret Jails: What to Look for in WikiLeaks’ Iraq Docs talks about Iran’s involvement in the Iraq war.

And thanks to Wikileaks, we now have proof that there were Weapons of Mass Destruction found in Iraq.

One would wonder how Wikileaks could get away with taunting the United States. In the past, Wikileaks used servers in a converted Swedish cold war nuclear bunker to host their data.

But in a brazen move, recently used mirrors in not only Ireland and France, but also used Amazon.com in the US.

The document release was not without incident though. According to one report, Wikileaks was hacked by a very skilled hacker prior to the publication.

Lastly, should cyber-attacks against a NATO nation trigger a physical response?

If they are included in Article 5 of the North Atlantic Treaty they could, according to a Miller-Mccune article.

NATO countries will discuss this next month at its annual conference. I just hope they take Russian Col.

Anatoly Tsyganok comments to heart when they do, “These attacks have been quite successful, and today the alliance has nothing to oppose Russia’s virtual attacks.”

Cross-posted from Cyber Arms

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Stuxnet Could Be Chinese Hit on India's Space Program

Stuxnet and Wikileaks were the top news last week. Questions still abound as to who created Stuxnet.

Many believe that it was Israel, but now some are saying that it could be China, and the intended target was not an Iranian power plant, but India’s space program. 

The question remains though if Stuxnet attacks Windows based vulnerabilities, how is Iran even using the software, if Microsoft can’t export to Iran?

But what most experts will agree that the sophistication of Stuxnet fairly limits the country source of origin. Computer Security company Eset Security released an in-depth technical analysis (PDF format) of the cyber weapon called “Stuxnet Under the Microscope”.

Wikileaks does it again. But this time they released nearly 400,000 classified reports on the Iraq war.

Wired.com had some great articles on the release. Superbombs and Secret Jails: What to Look for in WikiLeaks’ Iraq Docs talks about Iran’s involvement in the Iraq war.

And thanks to Wikileaks, we now have proof that there were Weapons of Mass Destruction found in Iraq.

One would wonder how Wikileaks could get away with taunting the United States. In the past, Wikileaks used servers in a converted Swedish cold war nuclear bunker to host their data.

But in a brazen move, recently used mirrors in not only Ireland and France, but also used Amazon.com in the US.

The document release was not without incident though. According to one report, Wikileaks was hacked by a very skilled hacker prior to the publication.

Lastly, should cyber-attacks against a NATO nation trigger a physical response?

If they are included in Article 5 of the North Atlantic Treaty they could, according to a Miller-Mccune article.

NATO countries will discuss this next month at its annual conference. I just hope they take Russian Col.

Anatoly Tsyganok comments to heart when they do, “These attacks have been quite successful, and today the alliance has nothing to oppose Russia’s virtual attacks.”

Cross-posted from Cyber Arms

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here

Expert Guide: Developing an Email Retention Policy and Advantages of Using Sharepoint for Archiving

Although you know how important it is to archive email to meet government regulations, it can be difficult to tell how long to store messages and when it’s no longer valuable to do so. This expert eguide from SearchExchange.com explains how to develop a message archiving strategy for your company. Learn how to address storage considerations and the risks of long-term message retention. Discover the pros and cons of utilizing Microsoft SharePoint for email archiving and find a technique that strikes a balance between legal compliance and business needs.

View the original article here

Expert Guide: Developing an Email Retention Policy and Advantages of Using Sharepoint for Archiving

Although you know how important it is to archive email to meet government regulations, it can be difficult to tell how long to store messages and when it’s no longer valuable to do so. This expert eguide from SearchExchange.com explains how to develop a message archiving strategy for your company. Learn how to address storage considerations and the risks of long-term message retention. Discover the pros and cons of utilizing Microsoft SharePoint for email archiving and find a technique that strikes a balance between legal compliance and business needs.

View the original article here

A Clean Slate for Enterprise Scheduling

You’ll learn why the current model for enterprise scheduling solutions is considered aging technology, with growing hardware requirements that don’t meet new regulations and total costs of ownership that continue to rise. You’ll also learn about the new model for Enterprise Scheduling, that offers multiple access points, ease of deployment, reduced costs, and increased security. And, you’ll learn about Skybot Scheduler, the newest enterprise scheduling solution for your Windows, UNIX, and Linux servers.

Topics include:

An overview of current enterprise scheduling solutionsBenefits of Web 2.0 technologiesThe cloud computing advantageSkybot Scheduler

View the original article here

A Clean Slate for Enterprise Scheduling

You’ll learn why the current model for enterprise scheduling solutions is considered aging technology, with growing hardware requirements that don’t meet new regulations and total costs of ownership that continue to rise. You’ll also learn about the new model for Enterprise Scheduling, that offers multiple access points, ease of deployment, reduced costs, and increased security. And, you’ll learn about Skybot Scheduler, the newest enterprise scheduling solution for your Windows, UNIX, and Linux servers.

Topics include:

An overview of current enterprise scheduling solutionsBenefits of Web 2.0 technologiesThe cloud computing advantageSkybot Scheduler

View the original article here

RSA Unveils New Solution to Deliver End-To-End Data Security

Tags » End-to-End Encryption, Security  » Comments (0)

RSA has announced the general availability of the RSA Data Protection Manager, which "combines tokenization and application encryption, two popular application-based controls, with advanced token and key management to deliver end-to-end data security." RSA tokenization technology is currently used with partners like First Data Corporation and VeriFone to secure payment card data.

View the original article here

RSA Unveils New Solution to Deliver End-To-End Data Security

Tags » End-to-End Encryption, Security  » Comments (0)

RSA has announced the general availability of the RSA Data Protection Manager, which "combines tokenization and application encryption, two popular application-based controls, with advanced token and key management to deliver end-to-end data security." RSA tokenization technology is currently used with partners like First Data Corporation and VeriFone to secure payment card data.

View the original article here

Ensure Your Access Certification Strategy Achieves Your User Access and Compliance Goals

Today, companies are more dependent than ever on computer systems to gather, analyze and process a wide variety of vital IT resources, including sensitive data such as nonpublic personal information.

With access to this data comes the responsibility to ensure that it is kept secure. This means making certain that only authorized personnel have access to it, and that their access is limited to the lowest level of privilege required for them to perform their business function effectively and efficiently.

Implementing a strategy that includes periodic access certification reviews by the business to ensure that only the right people have the right level of access to vital IT assets will reduce the likelihood of a data breach, which can be devastating in terms of costs, such as law suits, regulatory fines and brand damage.

View the original article here

Ensure Your Access Certification Strategy Achieves Your User Access and Compliance Goals

Today, companies are more dependent than ever on computer systems to gather, analyze and process a wide variety of vital IT resources, including sensitive data such as nonpublic personal information.

With access to this data comes the responsibility to ensure that it is kept secure. This means making certain that only authorized personnel have access to it, and that their access is limited to the lowest level of privilege required for them to perform their business function effectively and efficiently.

Implementing a strategy that includes periodic access certification reviews by the business to ensure that only the right people have the right level of access to vital IT assets will reduce the likelihood of a data breach, which can be devastating in terms of costs, such as law suits, regulatory fines and brand damage.

View the original article here

E-Guide-- Risk-Based Audit Methodology: How to Achieve Enterprise Security

Risk-based auditing is a broad topic, one that can be applied to many areas such as finance and information technology (IT). This e-guide focuses on risk-based auditing from an enterprise IT perspective. It covers the requirements for a risk-based audit and the steps necessary before, during and after an audit. Additionally, it discusses risk mitigation methods, and provides analysis for selecting controls and measuring control effectiveness. This e-guide offers a simple risk-based audit methodology for organizations to develop an internal IT audit program, or those looking for new ways to assess security risks.

View the original article here

E-Guide-- Risk-Based Audit Methodology: How to Achieve Enterprise Security

Risk-based auditing is a broad topic, one that can be applied to many areas such as finance and information technology (IT). This e-guide focuses on risk-based auditing from an enterprise IT perspective. It covers the requirements for a risk-based audit and the steps necessary before, during and after an audit. Additionally, it discusses risk mitigation methods, and provides analysis for selecting controls and measuring control effectiveness. This e-guide offers a simple risk-based audit methodology for organizations to develop an internal IT audit program, or those looking for new ways to assess security risks.

View the original article here

Astaro is a No Brainer for NeuroScience Consultants: Physician Network Saves $100,000 a Year with Astaro Security Gateway

NeuroScience Consultants is a multi-location group of over 30 doctors spread out over 16 locations with a central administrative office to handle the billing needs of the practice. Until recently, each of their locations had its own private network routed over the Internet using Multiprotocol Label Switching (MPLS) with Cosco Routers.

With Astaro Security Gateway, NeuroScience Consultants was able to connect all 16 of its locations and protect its 250-300 users from spam, malware and spyware. Check out this case study to learn more.

View the original article here