
Smart mCommerce


Friday, November 5, 2010

Domino Security Vulnerabilities and How to Maximize Risk

How secure is your Domino environment? Although there are few resources available for Domino security, it is important to protect your systems from threats and minimize risk by identifying weaknesses. In this expert e-guide from SearchDomino.com, learn how to monitor the areas that put Domino at risk, including operating system patches and passwords. Find out about Web-centric vulnerabilities and why it is essential to perform manual analysis to ensure optimal security.



Thursday, November 4, 2010

Coastal Pacific Xpress Makes the Logical Choice: Organization Replaces Three Security Products With the Astaro Security Gateway

Coastal Pacific Xpress, a leader in logistical transportation and warehousing solutions, was managing renewals, license management and updates/upgrades for each product individually.  This task became increasingly difficult and CPX looked for a new solution to protect these numerous products.

Check out this case study to learn how CPX used Astaro Security Gateway to better manage and protect all 500-plus devices in Coastal Pacific Xpress's network.



Astaro Boosts Greene County Agency's Security: County Agency Selects Astaro Network Security Over SonicWall

The Greene County Board of Developmental Disabilities, an agency committed to serving individuals with mental and physical disabilities, had a small network with little network protection. The eight users were networked together through a wireless broadband access point with a wireless router as their only form of network protection.

Read this case study to learn how Greene County was able to utilize Astaro Security Gateway software to fully protect its network.



Zero Trust Security – The Technical Discussion

With the cultural issues out of the way, let us discuss some technical details. 

Given the state of security technology and where security leadership sits these days, I question if Zero Trust can be implemented.

Essentially, with a ‘Zero Trust’ approach, we are talking about DMZs.  However, instead of our usual externally facing DMZs we are also talking about DMZs that are internally facing. 

These are no ordinary DMZs, these are highly monitored and controlled DMZs with IDS/IPS, NAC, full logging and everything else required to ensure security. 

These technologies are not for the faint of heart, as they require a lot of planning in order to get them right.

Where a lot of organizations get things wrong is that they believe that all of these security technologies are like a Ronco Showtime Rotisserie oven: you just “Set it and forget it.” 

If only security worked that way, but it does not.  As a result, one of the first stumbling blocks organizations interested in Zero Trust face is staffing since Zero Trust will require a significant amount of attention both from a security perspective and from their help desk. 

I do not think that we are talking about a significant increase in security and help desk personnel, but the existing staffing levels are likely to be insufficient in a Zero Trust environment.

The next issue that I see is from the technology itself.  Most security technology is designed for Internet facing use, not internal use. 

While these solutions can be used internally, they tend to create issues when used internally because of their severe responses to any perceived attacks. 

As a result, in order to use these solutions, security professionals have to turn off or turn down certain features or functions because they get in the way of getting business done.  Then there are the applications themselves. 

I cannot tell you how frustrated I get with vendor and in-house developers that cannot tell you from a networking perspective how their applications work. 

As a result, security professionals are required to do extensive research to figure out what ports/services an application requires, if they even do such research. 

That then results in what we tend to see on internal networks with internal DMZs, lots of ports/services open into the DMZ because they do not want the application to break.  In a Zero Trust approach, this is not acceptable.
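The point above, that an internal DMZ should permit only the ports and services an application actually needs, can be checked against observed traffic rather than guessed at. The following is an added example, not code from the original post: it derives a least-privilege allow-list from a constructed flow log and flags existing rules that are broader than the observed traffic or that matched nothing at all. The flow-log format, the rule shape and all sample data are assumptions for illustration; a real run would use flow-collector or firewall connection logs gathered over a period long enough to cover infrequent jobs.

```python
"""Derive a least-privilege allow-list for an internal DMZ from observed flows.

Added example, not code from the original post. The flow-log format, the rule
shape and all sample data below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow log: one "src_zone dst_zone proto dport" record per line.
OBSERVED_FLOWS = """\
users dmz-app tcp 443
users dmz-app tcp 443
dmz-app dmz-db tcp 5432
dmz-app dmz-db tcp 5432
users dmz-app tcp 8443
dmz-app dmz-db tcp 5432
"""


@dataclass(frozen=True, order=True)
class Rule:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "any"
    dport: str  # port number as a string, or "any"


# Constructed current rule set: the "open it all so the app does not break"
# pattern, plus one rule that nobody can explain.
CURRENT_RULES = [
    Rule("users", "dmz-app", "any", "any"),
    Rule("dmz-app", "dmz-db", "tcp", "any"),
    Rule("users", "dmz-app", "tcp", "443"),
    Rule("users", "dmz-db", "tcp", "5432"),
]


def parse_flows(text):
    """Return {(src, dst): {(proto, dport): count}} from flow-log lines."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at them
        src, dst, proto, dport = parts
        seen[(src, dst)][(proto, dport)] += 1
    return seen


def derive_allowlist(flows):
    """Minimal rule set: exactly the (zone pair, proto, port) tuples observed."""
    return sorted(
        Rule(src, dst, proto, dport)
        for (src, dst), services in flows.items()
        for (proto, dport) in services
    )


def rule_matches(rule, src, dst, proto, dport):
    """True if the rule would permit this flow (wildcards match anything)."""
    return (
        rule.src == src
        and rule.dst == dst
        and rule.proto in ("any", proto)
        and rule.dport in ("any", dport)
    )


def audit_rules(current, flows):
    """Compare existing rules with observed traffic.

    Returns (overly_broad, unused): wildcard rules together with the specific
    services actually seen through them, and rules that matched no flow at all.
    Both lists are review candidates for humans, not automatic deletions.
    """
    overly_broad, unused = [], []
    for rule in current:
        hits = sorted(
            (proto, dport)
            for (src, dst), services in flows.items()
            for (proto, dport) in services
            if rule_matches(rule, src, dst, proto, dport)
        )
        if not hits:
            unused.append(rule)
        elif rule.proto == "any" or rule.dport == "any":
            overly_broad.append((rule, hits))
    return overly_broad, unused


if __name__ == "__main__":
    flows = parse_flows(OBSERVED_FLOWS)
    print("Minimal allow-list derived from observed flows:")
    for r in derive_allowlist(flows):
        print(f"  permit {r.src} -> {r.dst} {r.proto}/{r.dport}")
    broad, unused = audit_rules(CURRENT_RULES, flows)
    for r, hits in broad:
        print(f"BROAD  {r}: only {hits} actually used")
    for r in unused:
        print(f"UNUSED {r}: no matching flow observed")
```

The derived list is a starting point for the conversation with the application owner, not a rule set to push blindly: a flow that only occurs at quarter-end will be missing from a two-week capture, which is exactly why the audit reports candidates for review instead of rewriting the firewall.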

Then there is logging and the management and maintenance of log data.  It still amazes me the amount of push back I still receive on logging and the management of log data.

Security professionals and managers complain and complain about the amount of data that needs to be retained and the length it needs to be retained.  Hello! 

This is the only way you will ever know what went wrong and how it went wrong so that you can fix it. 

But the security information and event management (SIEM) industry has not helped things by delivering solutions that can cost as much as a large Beverly Hills mansion and are as easy to implement as an ERP system. 

While there are open source solutions, the usability of these solutions is questionable at best.  Unfortunately, the PCI DSS mandates that log data be reviewed at least daily. 

Merchants either cannot afford what it takes to get that done or do not have the time to invest in meeting this requirement.  As a result, there is a lot of frustration that what merchants are being asked to do cannot be done. 

Yet, log information capture and review is possibly one of the most important aspects of an organization’s security posture.  Because if you do not stop an attack with your firewall and IPS, the only way you know that is from your log data.  Damned if you do, damned if you do not.
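The daily review the post describes does not have to start with a SIEM. The following added example, not code from the original post, shows the minimum a defender can do with a script: parse a day of firewall and IPS records, count denies per source, list IPS alerts, and report source/destination pairs not seen in a baseline of earlier days. The log format, the baseline and every sample line are constructed; a real product's format will differ, so `parse_line()` is the part to adapt.

```python
"""Daily review summary for firewall/IPS log data.

Added example, not code from the original post. The log format, the baseline
and all sample lines are constructed; adapt parse_line() to your product.
"""
import re
from collections import Counter

# Constructed key=value format: timestamp, device, then fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: sig=\"(?P<sig>[^\"]+)\")?$"
)

SAMPLE_LOG = """\
2010-11-04T08:01:02Z fw1 action=deny src=10.20.1.15 dst=10.50.2.10 dport=445
2010-11-04T08:01:05Z fw1 action=deny src=10.20.1.15 dst=10.50.2.11 dport=445
2010-11-04T08:01:09Z fw1 action=deny src=10.20.1.15 dst=10.50.2.12 dport=445
2010-11-04T09:15:00Z fw1 action=allow src=10.20.1.40 dst=10.50.2.10 dport=443
2010-11-04T10:30:11Z ips1 action=alert src=10.20.1.15 dst=10.50.2.10 dport=445 sig="SMB probe"
2010-11-04T11:00:00Z fw1 action=deny src=10.20.1.77 dst=10.50.2.10 dport=22
garbage line that should be counted as unparsed
"""

# Constructed baseline: destinations each source talked to on previous days.
BASELINE = {"10.20.1.40": {"10.50.2.10"}}


def parse_line(line):
    """Return a dict of fields, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(text, baseline, deny_threshold=3):
    """Summarise one day of log data for a human reviewer.

    Unparsed lines are counted rather than dropped silently: a sudden jump in
    that number usually means a format change or a broken log source, which
    is itself something the daily review should catch.
    """
    events, unparsed = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            events.append(rec)

    denies = Counter(e["src"] for e in events if e["action"] == "deny")
    noisy_sources = sorted(s for s, n in denies.items() if n >= deny_threshold)
    alerts = [(e["src"], e["dst"], e["sig"]) for e in events if e["action"] == "alert"]
    new_pairs = sorted(
        {(e["src"], e["dst"]) for e in events
         if e["dst"] not in baseline.get(e["src"], set())}
    )
    return {
        "events": len(events),
        "unparsed": unparsed,
        "noisy_sources": noisy_sources,
        "alerts": alerts,
        "new_pairs": new_pairs,
    }


if __name__ == "__main__":
    summary = review(SAMPLE_LOG, BASELINE)
    print(f"{summary['events']} events, {summary['unparsed']} unparsed lines")
    print("sources with repeated denies:", summary["noisy_sources"])
    print("IPS alerts:", summary["alerts"])
    print("source/destination pairs not in baseline:", summary["new_pairs"])
```

The output is short enough to read every morning, which is the whole point: the review requirement is met by someone looking at a digest that surfaces change, not by someone scrolling raw logs.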

So a merchant implements all of the necessary technologies and procedures to make Zero Trust a reality.  Is that merchant more secure?  If a merchant makes such an investment, the reward will likely be improved security. 

But it will take continuous effort to keep Zero Trust running and that is where all organizations run into trouble with security initiatives. 

It takes consistent execution to make security work and people and organizations these days lose interest in things they think are fixed and so security gets swept to the back burner. 

As a result, it takes strong leadership to keep security off of the back burner.  Without that leadership, security will fall into a rut and an incident will occur that will make security a front burner topic again.

So while I think Zero Trust is probably the approach we should all work towards, it will take a lot of effort to make it a reality.

Cross-posted from PCI Guru


Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.


Will A Security Conference Help Your Company?

For people who work in the world of computers, we all get our experiences in different ways. Some of us are born to type on the keys as part of our passion and we gain most of our knowledge just from experimenting at a young age.

While others of us are late bloomers and we start to learn how a computer truly works from classes in high school and most likely college.

But no matter how well you may think that you know computers, you have to understand that the world of computer security is a different beast altogether.

If you were a hacker as a kid then you can take comfort that you have at least a passing knowledge of computer security.

But if you were a person who just used to mess around on the computer and did not try to break the system, then you have a whole world that needs to be opened up to you. A lot of these people work in the IT field now.

They help make sure that the computers in the offices around the world are running like they are supposed to. They are also, for the most part, in charge of the security as well.

As I said earlier, knowing how to secure a system takes more than just knowing about computers in general. That’s why it helps if you send your IT guy to some of the computer security conferences that happen every year.

Why send them to a conference?

There is a very easy answer to this question; it is because their knowledge will increase greatly. People who go to some of the computer security conferences learn a great deal from not just the other guys on the same side that they are on but from the bad guys as well.

The security conferences are a place where both white and black hat hackers come out to show what they have discovered over the past year. The one thing that a hacker cares about more than money in this world is respect from his peers.

Bringing a new and interesting attack to the attention of his peers is the one thing that will get him noticed. Most security conferences are known as a place where it is all about the education of the individuals and not about the politics of who is a good guy and who is a bad guy.

Getting to see these kinds of attacks in person and being able to ask questions will allow your IT guy to go back home or work and set up the network to the specifications needed to defend itself from these types of attack.

There is no better way to head off an impending attack than already knowing how it works and setting your system up to counteract it. And that is the great thing about most of these conferences as well.

They will show you how to defend yourself from some of the attacks that they show. The person will walk with you step by step through the attack and afterwards they will talk to the group on how the attack can be stopped.

Does your IT guy have the knowledge to implement what he has learned at the conference?

While your IT guy might be good, he may not be able to fully comprehend some of the attacks that he witnessed at the security conference. There is a lot of high level programming that goes into one of these attacks and some of them might deal with parts of the computer that the IT guy does not know about.

If that is the case then at least he still knows what he is missing and he can help you bring in someone that will know about the attacks that the system needs to be defended from.

If he didn't go to the conference in the first place he wouldn't be able to get you this far. You can bring in a freelance consultant and your IT guy will be able to go over his work to a small degree and make sure that he checks for everything that he is supposed to.

This is all because of the knowledge that he gained from the conference.

If you want to make sure that you have all your bases covered when it comes to the security of your network, then you must make sure that the people who are in charge of guarding it are properly trained.

You do this by getting them all of the material that they need. If that material requires that you send them to a security conference then that is what you have to do. If you do not get this done, then you will be easy pickings for the bad guys out there.


Reconnaissance Gone Retail and Security - A Challenging Duality

Reconnaissance has “gone retail.” Capabilities that used to be the costly province of nation states have been democratized.

Communications technologies have become so pervasive that a newborn's first pictures are likely to be transmitted wirelessly within moments of birth, arriving at beaming grandparents half a world away within seconds, if not in real-time.

Smart phones, digital cameras, and netbooks, are only the most recent signposts on a road of information fluidity.

Life can certainly be more pleasant and entertaining when distant events are no longer distant; when a child's birth or first steps can be shared with friends and family half a world away in mere seconds.

At a recent security conference in Tel Aviv, Yuval Diskin, the Director of Shin Beth, an Israeli intelligence agency, observed:[1]

“Intelligence once enjoyed only by countries and world powers can now be obtained through Internet systems like Google Earth, Internet cameras that are deployed all over the world and linked to the Web, or applications for IPhone [sic] devices that allow for quality intelligence to be received in real-time.”

Director Diskin has a point, albeit this djinni escaped its bottle long before the most recent cavalcade of portable electronic devices and network connectivity.

I noted that connectivity, accessibility and computing power created a collation hazard in 1995.[2]

In 2002, I noted a corollary of this: that the costs of data collection and correlation had decreased dramatically,[3] from the scale of a nation state to the retail level, exposing people to hazards that had previously been feasible but economically unviable (e.g., the 1989 murder of actress Rebecca Schaeffer by an obsessed stalker who located her residence from public motor vehicle records that were, at the time, easily available).

Intent is difficult, if not impossible, to determine. Nature is always impartial. Physics rules with draconian impartiality.

This underlies a duality that many find troubling: connectivity brings us closer together, both friend and foe. Our great-grandparents waited anxiously for letters to arrive bearing the first pictures of a new grandchild, often weeks after the birth.

Today, the time span of anxiety is reduced to mere minutes, practically the interval between labor contractions.

This is the dilemma to which Director Diskin refers: the same technology that brings families closer together for the birth of a child, can just as easily be used to celebrate terrorism and other far less peaceful pursuits.

Recently, I had to visit someone in a nearby major hospital center. Just a few years ago, the possession of a notebook computer would have been cause for a cautionary warning that electronic devices are not allowed within the building.

Now, much, if not all, of the facility is equipped with Wi-Fi, and there is an unencrypted Wi-Fi network available for patients and visitors. I am almost certain that this is not merely altruism.

I expect that the connectivity provided to patients and visitors is, in effect, spare bandwidth from a properly encrypted co-network, one that directly supports patient care.[4,5]

This is yet another example of the economics of the cloud: otherwise unused capacity is put to a purpose, rather than simply being discarded.

As a result, families can share precious moments with others at the press of a button. No longer is the hospital an isolating experience.

Indeed, as a visitor, I was able to use my waiting time somewhat productively, securely connected back to my office through my wireless card and virtual private network.

Regrettably, there are no good answers to the concerns raised by Director Diskin. There is no a priori way to differentiate between pictures of new homes or cars, and a pre-attack reconnaissance of the same by a terrorist group.

In the recent Mumbai attack, terrorists are reported to have used communications devices to coordinate or receive instructions; but these same communications channels were also separately being used by civilians to communicate their location for rescue, yet another example of how communications are neutral.

Notes

[1] Reuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times

[2] Robert Gezelter (1995) “Security on the Internet”, Chapter 23 in Computer Security Handbook, Third Edition, pp 23-6, et seq.

[3] Ibid (2002) “Protecting Web Sites”, Chapter 22 in Computer Security Handbook, Fourth Edition, pp 22-20, et seq.

[4] Ibid (2003, June) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society.

[5] Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectivity”, Long Island Science Applications Technology 2007

References

Seymour Bosworth and Michel Kabay (2002) Computer Security Handbook, Fourth Edition. Wiley.

Robert Gezelter (1995) “Security on the Internet” (Chapter 23) in Computer Security Handbook, Third Edition. Wiley.

Ibid (2003) “Internet Dial Tones & Firewalls: One Policy Does Not Fit All” Charleston, South Carolina chapter of the IEEE Computer Society. Slides retrieved from http://www.rlgsc.com/ieee/charleston/2003-6/internetdial.html on November 2, 2010.

Ibid (2007) “Safe Computing in the Age of Ubiquitous Connectivity”, Long Island Science Applications Technology 2007. Retrieved from http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html on November 2, 2010.

Ibid (2009, December 9) “Networks Placed At Risk: By Their Providers” Ruminations - An IT Blog. Retrieved from http://www.rlgsc.com/blog/ruminations/networks-placed-at-risk.html on November 2, 2010.

Ibid (2010, March 31) “Will Long Term Dynamic Address Allocation Record Retention Help or Hurt?” Ruminations - An IT Blog. Retrieved from http://www.rlgsc.com/blog/ruminations/retain-dynamic-address-allocation-logs.html on November 2, 2010.

Ibid (2010, May 25) “New IRS Reporting Requirements Have Implications for Business Large and Small” Ruminations - An IT Blog. Retrieved from http://www.rlgsc.com/blog/ruminations/new-irs-reporting-requirements.html on November 2, 2010.

Ibid (2010, August 31) “GPS Recorders and Law Enforcement Accountability” Ruminations - An IT Blog. Retrieved from http://www.rlgsc.com/blog/ruminations/gps-and-law-enforcement-accountability.html on November 2, 2010.

Ibid (2010, October 25) “Google Street View and Unencrypted Wi-Fi: Not a Hazard” Ruminations - An IT Blog. Retrieved from http://www.rlgsc.com/blog/ruminations/google-street-view-and-unencrypted-wifi.html on November 2, 2010.

Arthur Hutt, Seymour Bosworth, and Douglas Hoyt (1995) Computer Security Handbook, Third Edition. Wiley.

Reuters (2010, November 1) “Google Earth and iPhone Trouble Israeli Security Chief” The New York Times. Retrieved from http://www.nytimes.com/reuters/2010/11/01/technology/tech-us-israel-security.html on November 2, 2010.

Reproduced from Reconnaissance Gone Retail and Security: A Challenging Duality, an entry in Ruminations -- An IT Blog by Robert Gezelter. Copyright (c) 2010, Robert Gezelter. Unlimited Reproduction permitted with attribution.



Five Ways to Create High Quality Security Policies

Security policies are the foundation of an enterprise information security program.

Without a solid foundation in place you simply cannot build a sturdy long-lasting structure; be it a building or a security program.

Below are five things that can help you ensure your foundation is strong.

1. Use a framework

By starting with a trusted framework you can avoid reinventing the wheel. A framework like ISO2700x will provide you with the areas you need to cover in your policies. Then it's your job to customize the policies so they fit your environment.

2. Make sure your policies are readable to non-technical folks

A policy is a strategic statement. It is not meant to give the details on what technology will be used, or how it will be implemented.

If you include too much detail you run the risk of making an unreadable document. A good policy can be read and understood by anyone in the organization. Leave the technical-speak for your standards and procedures.

3. Get executive buy-in

Board or senior leadership buy-in is critical to a security program. Some standards (such as GLBA) even require Board sign-off on security policies.

By getting the organization's senior leadership on-board we ensure that security will have the funding, personnel and support it needs to succeed.

The senior leaders do not need to be an active part of the policy creation, but they should approve of the completed policies so they can understand and support them.

4. Communicate your policies

Too many organizations create a set of security policies, only to see those policies sit on a server, unread by anyone outside the groups who created and approved them.

Policies should be communicated widely throughout the organization. Security awareness training is the most obvious way to educate employees about the security policies, but topical posters, relevant emails, and ongoing reminders at staff meetings can be effective, and cost-effective, as well.

5. Maintain your policies

Organizations are dynamic. What worked for you in 2008 probably doesn't work in 2010. And what works for us here in 2010 will most likely not work in 2012.

As such, keeping policies up to date is a crucial task for organizations. A regular schedule should be created for reviewing and updating policies as appropriate.

Ideally, policies should be reviewed quarterly, and no less often than annually.

High quality policies aren't the whole story. We also need structure through quality standards, and detailed procedures, but without the foundation your program doesn't have a chance for success.

Give your security policies the time and resources they need.

Cross-posted from Enterprise InfoSec Blog from Robb Reck 



Server Security: Unnecessary, Unmanaged or Under Control?



RSA Unveils New Solution to Deliver End-To-End Data Security


RSA has announced the general availability of the RSA Data Protection Manager, which "combines tokenization and application encryption, two popular application-based controls, with advanced token and key management to deliver end-to-end data security." RSA tokenization technology is currently used with partners like First Data Corporation and VeriFone to secure payment card data.




E-Guide-- Risk-Based Audit Methodology: How to Achieve Enterprise Security

Risk-based auditing is a broad topic, one that can be applied to many areas such as finance and information technology (IT). This e-guide focuses on risk-based auditing from an enterprise IT perspective. It covers the requirements for a risk-based audit and the steps necessary before, during and after an audit. Additionally, it discusses risk mitigation methods, and provides analysis for selecting controls and measuring control effectiveness. This e-guide offers a simple risk-based audit methodology for organizations developing an internal IT audit program, or for those looking for new ways to assess security risks.


