Archive for the ‘Business Security’ Category

25 Most Dangerous Programming Errors

Monday, January 19th, 2009

The US National Security Agency (NSA), the Department of Homeland Security, Microsoft, Symantec and a group of more than 30 other cyber security organizations have formed a group to outline the most dangerous software programming errors.

The group has jointly released a consensus list of the 25 most dangerous programming errors – and how to fix them. These programming errors lead to security bugs and can enable cyber espionage and cyber crime – most errors are not well understood, nor is their avoidance taught by computer science programs. The press release also indicates that these errors are not frequently tested by organizations developing software for sale. This list is, therefore, a big step forward in making software more secure.

“There appears to be broad agreement on the programming errors. Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify.” – SANS Director, Mason Brown

According to the release, just 2 out of these 25 programming errors led to more than 1.5 million website security breaches in 2008. The 25 errors represent the worst things that can happen when software is being written – and will give a minimum set of coding errors that should be eradicated before software gets to the consumer.

The programming errors include sending sensitive information in clear text and hard-coding security passwords into programs. The errors fall into three categories: insecure interaction between components, risky resource management and porous defenses. You can read more here or here.
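The hard-coded password error named above is easy to spot mechanically once you know the pattern. The following is an added example, not code from the Top 25 list or the blog: a small scanner that flags string literals assigned to credential-like names in source text, shown beside the hardened pattern of loading the secret from the deployment environment at run time. The two snippets it scans and the variable names in them are constructed for the demo.

```python
"""Added example: detect hard-coded credentials in source text and show the
hardened alternative (secret injected from the environment, fail closed if
absent). Sample snippets below are constructed, not taken from any project."""
import os
import re
from typing import Iterator, Mapping, Tuple

# A string literal assigned to a credential-like name, with an optional type
# annotation between name and "=" (e.g. api_key: str = "..."), or YAML-style
# "password: '...'" pairs.
_SECRET_ASSIGN = re.compile(
    r"""(?ix)
    (?P<name>\w*(?:passw(?:or)?d|passphrase|secret|api[_-]?key|token)\w*)
    \s*(?::\s*\w+)?\s*[:=]\s*
    (?P<quote>["'])(?P<value>[^"']{4,})(?P=quote)
    """
)

# Obvious placeholders are not findings; real scanners keep a similar allow-list.
_PLACEHOLDERS = {"CHANGEME", "REPLACE_ME", "TODO", "PLACEHOLDER", "EXAMPLE"}


def find_hardcoded_credentials(source: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_number, variable_name, literal_value) for each suspicious line."""
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _SECRET_ASSIGN.search(line)
        if m is None:
            continue
        value = m.group("value")
        if value.upper() in _PLACEHOLDERS:
            continue
        yield lineno, m.group("name"), value


# Constructed "before" snippet: the credential lives in the source file.
VULNERABLE_SNIPPET = '''\
DB_HOST = "db.internal"
DB_USER = "app"
DB_PASSWORD = "S3cretPa55"      # hard-coded credential (the Top 25 error)
api_key: str = "abcd1234efgh5678"
'''

# Constructed "after" snippet: the credential is supplied by the environment.
HARDENED_SNIPPET = '''\
import os
DB_HOST = "db.internal"
DB_USER = "app"
DB_PASSWORD = os.environ["DB_PASSWORD"]   # injected at run time, never in source
'''


def load_db_password(env: Mapping[str, str] = os.environ) -> str:
    """Hardened access pattern: read the credential from the environment and
    refuse to start without it rather than falling back to a built-in default."""
    value = env.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD is not set; refusing to start")
    return value


if __name__ == "__main__":
    for lineno, name, _ in find_hardcoded_credentials(VULNERABLE_SNIPPET):
        print(f"vulnerable snippet, line {lineno}: hard-coded value for {name}")
    print("hardened snippet findings:", list(find_hardcoded_credentials(HARDENED_SNIPPET)))
```

The scanner is deliberately simple (one regex, one allow-list); its value is that the hardened snippet produces no findings while the vulnerable one produces two, which is the check a pre-commit hook or CI step would enforce.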

Via PC World ; Clipart via Microsoft / Presentation Pro

Welcome to the Absolute World

Wednesday, December 17th, 2008

Absolute Software created a new video about its corporate products and services. The video gives you an overview of mobile computing and security, and how Absolute Software fits into your IT planning. It gives you insight into the recovery team and how Computrace gives you control over your IT assets.

In the time it took to watch that video, 3 laptops were stolen. Do you know where all your laptops are?

Choosing a Strong Password

Thursday, December 4th, 2008

Bruce Schneier put together a good article for The Guardian about choosing a strong password. Passwords are a huge security issue for businesses, as this report indicated.

Though the most common password used in a 2007 survey was “password”, not much has improved for 2008: the most common password is now “password1”. In order to describe what makes a “good” password, Schneier describes how programs are used to hack passwords. These programs are sophisticated, testing hundreds of thousands of passwords per second in an intelligent pattern.

The password-hacking programs will try the most likely passwords first, then will move on to typical password combinations of root+appendage (or prefix). Something like “nachos123”, for example. There are common number and letter sequences that people use to prefix or suffix common words. 24% of all passwords can be cracked with the first 100,000 combinations of these options. The password program will try different dictionaries, will replace letters with common symbols such as “@” for “a”, etc. Running all of these combinations, which could take weeks, will break two thirds of all passwords.

If the hacking program is fed personal information about you, such as the name of a pet, your birth date or your postal code, its effectiveness shoots straight up. And if your password is saved anywhere on your computer, including passwords remembered by your browser, the program can track it down.

So, how do you choose a good password?

Bruce Schneier recommends a password creation process that will turn a sentence into a password. His example was:

“This little piggy went to market” ===> “tlpWENT2m”

This way, you choose a sentence that is meaningful to you, and also choose your own method for condensing it into a more secure character string. Once you have a password, don’t write it anywhere or use it for multiple applications. If you fear you won’t recall your password, write it down and keep it somewhere more secure, like in your wallet. If you can avoid writing the exact password, write the un-abbreviated sentence or a hint instead. You can also use a program such as Password Safe (free) to create an encrypted username / password list protected by a single Master Password.
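The cracking order Schneier describes (most common passwords first, then dictionary root plus a numeric or symbol appendage, then substitutions such as “@” for “a”) is also the shape of a useful password-policy check: undo those transformations and see whether a dictionary word falls out. The following is an added example, not Schneier's code or anything from the post; the word list is a constructed stand-in for a real cracking dictionary, and the eight-character floor is a policy assumption the post does not state.

```python
"""Added example: reject passwords that the cracking patterns described in the
post would reach early (common root + appendage, leet substitutions), while
accepting the sentence-derived style Schneier recommends. The root list is a
constructed stand-in for a real cracking dictionary."""
import re
from typing import Set

# Constructed stand-in for the dictionaries a cracking tool loads first.
COMMON_ROOTS: Set[str] = {
    "password", "letmein", "welcome", "qwerty", "nachos", "piggy", "market",
    "monkey", "dragon", "football", "iloveyou",
}

# Substitutions a cracker applies; we apply them in reverse to recover the root.
# "1" is mapped to "i" here; a fuller table would also try "l".
LEET_TABLE = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o", "1": "i",
                            "!": "i", "$": "s", "5": "s", "7": "t"})

# Typical appendages: up to two runs of digits (incl. years) or a symbol or two.
_APPENDAGE = r"(?:[0-9]{1,4}|[!@#$%^&*?._-]{1,2}){0,2}"
_ROOT_WITH_APPENDAGE = re.compile(rf"^{_APPENDAGE}(?P<root>.+?){_APPENDAGE}$")


def candidate_roots(password: str) -> Set[str]:
    """Return the dictionary roots a cracker could derive from this password:
    the lowercased value, the value with prefix/suffix appendages stripped,
    and each of those with leet substitutions undone."""
    low = password.lower()
    bases = {low}
    m = _ROOT_WITH_APPENDAGE.match(low)
    if m:
        bases.add(m.group("root"))
    # Undo substitutions after stripping, so "p@ssw0rd!" reduces to "password"
    # rather than to "passwordi".
    return bases | {b.translate(LEET_TABLE) for b in bases}


def weak_password_reason(password: str) -> str:
    """Return an empty string for an acceptable password, otherwise why it is weak."""
    if len(password) < 8:  # assumption: a policy floor the post does not state
        return "shorter than 8 characters"
    for root in sorted(candidate_roots(password)):
        if root in COMMON_ROOTS:
            return f"dictionary root '{root}' with a common appendage or substitution"
    return ""


if __name__ == "__main__":
    for candidate in ("password1", "nachos123", "p@ssw0rd!", "tlpWENT2m"):
        verdict = weak_password_reason(candidate) or "ok"
        print(f"{candidate!r}: {verdict}")
```

Only the sentence-derived example passes; the three others are exactly the root+appendage and substitution forms the post says a cracker tries first. A real policy would back this with a much larger word list and a breached-password feed, but the reduction step is the same.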


Image: Clipart

Starbucks Data Breach Mirrors that of 2006

Tuesday, December 2nd, 2008

Who Breached: Starbucks
Number Affected: 97,000
Information breached: Social Security Numbers
How: stolen laptop

Starbucks Corp. confirmed this week that a laptop containing the information of 97,000 employees was stolen.

A Starbucks laptop containing names, addresses and Social Security Numbers was stolen on October 29th. It is not clear if the laptop was protected in any way, or how it was stolen.

In 2006, Starbucks reported the theft of four laptop computers, so it is sad that such an issue would again come to light. In 2006, the breach affected 60,000 Starbucks employees / partners. Although the Starbucks statement to employees, after this most recent breach, indicates that the company is taking steps to protect data, including encryption, one would hope that those steps would have occurred in the 2-year period since the last breach. A copy of the letter sent to affected Starbucks employees can be found here.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute.

Other major data breaches for November, 2008:

  • Luxottica Group, 59,000+ affected, hacker
  • University of Florida College of Dentistry, 344,000+, compromised server
  • Christus Health Care, thousands, stolen backup tapes
  • Harvard Law School, 21,000, lost backup tapes
  • North Carolina Division of Aging and Adult Services, 85,000+, lost laptop
  • Baylor Health Care System Inc., 100,000, stolen laptop
  • Arizona Department of Economic Security, 40,000, stolen hard drives

And in other news…

In a very strong statement, Canada’s Privacy Commissioner Jennifer Stoddart called Canada to shame for inaction on cybercrime. Stoddart called it an “embarrassment” that Canada does not protect the rights of individuals with provisions such as anti-spam legislation, strong identity theft legislation, or mandatory data breach notification. Read more about this here.

Via datalossdb

IT Spending on the Rise

Monday, December 1st, 2008

In follow-up to our previous post about the economic impact on IT budgets for 2009, and the secondary post about the budget impact on the education sector, a new study by the Computing Technology Industry Association (CompTIA) indicates that IT spending in the UK will increase next year for small and medium-sized businesses.

As with the Global State of Information Security report highlighted here, which shows that 44% of those surveyed would be increasing information security spending, this new study indicates that 51% of small and medium-sized businesses plan to increase their tech spending by 10% or more in the next 12 months. This growth in spending is lower than in the previous year, but the proportion of those decreasing their budgets or holding them flat is still low.

“In the past, tech spending might have been one of the first line items slashed in a tough economy. Today, SMBs are savvier because they rely on technology for an increasing amount of their core business operations. It’s encouraging to see that the majority of SMBs plan to maintain, if not increase, current tech spending during this time of economic uncertainty.” – Todd Thibodeaux, president and chief executive officer, CompTIA

Overall, SMBs continue to remain optimistic about business growth, despite the current economic instability in the UK and around the world.

Another very interesting article on CSO Online is encouraging colleges and universities to step up and include more IT security education for students planning on going into IT. And in terms of “stepping up”, an article in the Vancouver Sun recently also talked about social media and how companies should take stock of what’s being used and how to embrace it, rather than ignore or ban it (which is not effective and poses a security risk of its own).

Via VNUNet

Secure Your Home Office

Wednesday, November 19th, 2008

Although we’ve talked many times about the security issues around employees working remotely from home or while abroad, we haven’t specifically touched on the issues that the self-employed face when working at home.

We often talk about the importance of keeping private or sensitive information on the corporate network, accessed remotely but not stored on mobile devices. At home, this is more of a challenge because that data is in your home, on your home computers. One must consider physical data storage (bank information, tax returns, receipts, etc.), as well as protecting the data you store on your desktop or laptop computers.

Basic data security tips:

  1. Use strong passwords, and don’t write them down
  2. Install an anti-virus solution & encryption solution
  3. Keep your software up to date
  4. Don’t click links or open files from untrusted sources (and be wary of trusted ones too)
  5. Log out of your computer at night
  6. Set up a firewall
  7. Read our Ten Steps to Laptop Security list

Absolute Software’s Computrace LoJack for Laptops comes in two editions, Premium and Standard, allowing you to protect all the computers in your home office. The Premium edition comes with the advanced capabilities to not just help recover lost laptops, but to remotely delete sensitive data.

The FTC has also published a guide for businesses wanting to protect personal information. This guide is geared to businesses of all sizes, but is particularly useful for the small business owner. If you are in the business of dealing with a lot of sensitive information, consider that there may be more advanced solutions for storing data off-premises, via a secure business network solution and even physical data storage.


Most Employees Ignore IT Security Policies

Friday, November 14th, 2008

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted among 417 industry event attendees by RSA, polled workers across a range of industries, heavier in financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home.
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get stuff done.

This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages by overlapping policies or a mismatch of policy and procedures. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.

As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules – employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online ; image: mconnors @morguefile

Exorcising Ghosts of Ex-Employees

Wednesday, November 5th, 2008

Network World’s Mark Gibbs has posted a great article about how to exorcise the “ghosts” of past employees that haunt your systems.

Employees, whether they work for you for a short or long period of time, leave a trail of digital information behind. Emails on your mail servers, files, information on desktops, laptops and perhaps even smartphones, customized application settings, contributions to shared spaces like blogs, and much more.

When an employee leaves a company, most (sadly, not all) companies will think to restrict their user access. To delete mail accounts, remove FTP access, restrict privileges and so on. But, what do you do with the rest? And are there issues surrounding any of that clean up (well, of course, there always are!).

“Remove their files without understanding how their work related to the bigger business picture and, for example, the design and supportability of an entire product line could be compromised. Dump their e-mail messages and your ability to be in legal compliance could be lost. There are hundreds of potential consequences to removing their data and it adds up to what we in the pundit business call ‘a crap shoot.’”

The solution is not just to restrict access privileges, as that doesn’t tell you what the data is used for, or whether any ex-employees have left surprises behind. The solution that Mark Gibbs proposes is not an easy one, but it is one that improves data security overall: rethink the data-handling architecture around a centralized ID system that defines roles and access from the start. This way you can spot issues, as well as manage exit cleanup.

“This is a combination of identity management and strategic, top-down planning that displaces the old “strong passwords are good enough” approach because they aren’t.”
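A centralized identity system of the kind Gibbs describes can be sketched in a few dozen lines. The following is an added example, not code from Network World, Mark Gibbs or Absolute: a minimal role-based model in which every entitlement is derived from a role assignment rather than granted ad hoc, so an internal move or an exit removes access automatically and any leftover direct grant stands out in an audit (the 43% “still had access after switching jobs” case from the RSA survey above). The users, roles and system names are constructed for the demo.

```python
"""Added example: role-based identity model with offboarding and an audit for
access that no current role justifies. Roles, systems and users are
constructed for the demo; nothing here is a vendor or article's own code."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Role definitions: the only sanctioned path to an entitlement.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "engineer": {"git:write", "vpn", "mail"},
    "finance": {"erp:ledger", "vpn", "mail"},
    "support": {"ticketing", "mail"},
}


def entitlements_for(roles: Iterable[str]) -> Set[str]:
    """Union of everything the given roles grant; unknown roles are an error,
    not silently empty, so a typo cannot quietly drop or widen access."""
    result: Set[str] = set()
    for role in roles:
        if role not in ROLE_ENTITLEMENTS:
            raise KeyError(f"unknown role: {role}")
        result |= ROLE_ENTITLEMENTS[role]
    return result


@dataclass
class Account:
    user: str
    roles: Set[str] = field(default_factory=set)
    direct_grants: Set[str] = field(default_factory=set)  # legacy ad-hoc grants
    active: bool = True

    def effective_access(self) -> Set[str]:
        """What the account can reach right now: role-derived plus direct grants."""
        if not self.active:
            return set()
        return entitlements_for(self.roles) | self.direct_grants


def change_role(account: Account, new_roles: Iterable[str]) -> None:
    """Internal move: replace the role set. Role-derived access not justified by
    the new roles disappears; direct grants persist and will show up in audit."""
    account.roles = set(new_roles)
    entitlements_for(account.roles)  # validate before committing


def offboard(account: Account) -> Set[str]:
    """Exit: disable the account and clear every grant. Returns what was
    removed so the exit record documents which systems were touched."""
    removed = account.effective_access()
    account.active = False
    account.roles.clear()
    account.direct_grants.clear()
    return removed


def audit_orphaned_access(accounts: Iterable[Account]) -> Dict[str, List[str]]:
    """Map user -> entitlements held directly that no current role explains."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        orphaned = acct.direct_grants - entitlements_for(acct.roles)
        if orphaned:
            findings[acct.user] = sorted(orphaned)
    return findings


if __name__ == "__main__":
    alice = Account("alice", roles={"engineer"}, direct_grants={"erp:ledger"})
    print("orphaned before move:", audit_orphaned_access([alice]))
    change_role(alice, {"support"})
    print("access after move:", sorted(alice.effective_access()))
    print("removed at exit:", sorted(offboard(alice)))
    print("access after exit:", alice.effective_access())
```

The audit is what makes the model pay off: because the role table is the single statement of who should have what, anything outside it is by definition a finding, and the exit routine returns the list of systems an administrator must confirm were actually cleaned up.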

On a related note, make sure you read our recent post: Passwords are Not Enough. Absolute Software can also help with some user issues, including software inventory management - knowing what’s installed, tracking machines as they change hands, sending alerts if users operate outside policies, & monitoring data changes.

Also of note, Lanxoma is conducting a survey about insider threats and how companies are tackling that issue. Since that’s something we talk about often on the Absolute blog, perhaps you’d like to take the survey here. Looking forward to seeing the results!

Clipart via Microsoft / Presentation Pro

New Center for Applied Identity Management Research

Friday, October 31st, 2008

Corporations, government agencies and academic institutions have come together to study issues surrounding cybercrime, terrorism, narcotics trafficking and identity management. Together they have formed the Center for Applied Identity Management Research (CAIMR).

CAIMR is hosted by Indiana University and is a non-profit corporation of thought leaders who share a common interest in identity management. Their mission is to “study identity issues impacting commerce, government, and national security, their social implications, and the processes, technologies and policies designed to deal with them.” Beyond that statement, the goal is to develop real-world solutions to these issues. The outcomes may be in the form of industry or law enforcement best practices, technologies, policy adjustments or training and educational materials.

CAIMR notes that the goal is to be able to adapt more quickly to evolving identity fraud and cyber crimes, understanding the constraints and challenges faced by each set of stakeholders. Gary R. Gordon, scholar in identity management at Indiana University School of Law, will be executive director at CAIMR.

Four initial areas of study will be:

  1. Public safety: identity theft, cybercrime, fraud, sexual predator detection, etc.
  2. National security: cybersecurity, human trafficking, terrorist tracking, etc.
  3. Financial and corporate fraud: mortgage fraud, data breaches, insider threats, healthcare fraud, etc.
  4. Individual protection: identity theft, fraud, etc.

Partners in CAIMR include the US Secret Service, VISA, Wells Fargo & Company, and many more.

Via Network World, Security Watch

Computrace now embedded in ASUS B50 Notebooks

Wednesday, October 22nd, 2008

Some great news from Absolute Software – The ASUS B50 line of business notebooks will now provide embedded support for Absolute’s anti-theft and management solution, Computrace.

ASUS is one of the world’s top 10 notebook manufacturers, with the B50 taking into consideration the needs of mobile business executives. The B50 features an integrated biometric fingerprint scanner, Trusted Platform Module for secure login and encryption, and now embedded Computrace support. You can read more about this news here.

What does embedded support mean?

This means that all the great features of Computrace are embedded at the firmware level, not the software level. When consumers activate the service, Absolute can provide a higher level of security and recovery capability.

Embedding support for the Computrace agent into the BIOS provides customers the highest level of persistence and allows the Computrace agent to survive operating system re-installations, hard drive reformats and even hard drive replacements. That means anyone trying to remove the security features to get at your data is going to have a much harder time.

For a full list of computers with embedded support for Computrace (Dell, Fujitsu, etc), check here.

Also in company news, Absolute showcased its laptop security solutions at the Intel Developer Forum (IDF) in Taipei on October 20-21. For more information, read here.
