Posts Tagged ‘Security Policy’

The 5 Truths of Enterprise Data Protection

Sunday, September 20th, 2009

PGP has released a new business guide entitled “Five Truths About Enterprise Data Protection”, which talks about how to secure all your data devices – laptops, USB drives, remote logins, phones and more. The five “truths” are basic statements about data and business, skewed towards the security offerings at PGP, including:

  1. Business data is everywhere – and it’s on the move
  2. Exposed data carries high costs & consequences
  3. Only encryption can secure all your data, wherever it is
  4. An enterprise-wide data encryption strategy reduces the risk of data breaches
  5. Enterprise data protection liberates your business

As we’ve said before, encryption is only one piece of the data security puzzle and is not the single solution to all your security needs. For example, Absolute Software’s Computrace Complete can provide additional security in the form of IT asset management and data and device security, such as tracking and remotely wiping missing devices. A comprehensive security policy includes a risk assessment and decides which security tools matter for your corporate needs.

My favorite section in the brochure deals with the 5th Truth, and how a comprehensive security system will enable a business to protect all its data, all the time, wherever it is stored and however it travels. You can get the guide here.

Businesses Fear Social Networking

Wednesday, May 6th, 2009

According to a new report from Sophos, two thirds of businesses fear social networking and its impact on corporate security.

Sophos conducted a poll in February 2009 with 709 respondents. Of those, 63% of system administrators worry that employees share too much information on their social networking profiles. They believe this puts the corporation, and its data, at risk (since cybercriminals have access to more information for identity theft, malware or spam). A quarter of the businesses had been the recipients of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

Over 40% of companies don’t control access to any of these major social networking platforms – for those that do, productivity still represents the largest share of concern, but security concerns are on the rise.

“We’re seeing more incidents of unwanted adverts and malicious links being spammed out, particularly to Facebook users, from their friends’ compromised accounts. Although social networking sites are going some way to mitigate threats to users – activating pop-up windows to confirm if a user really wants to visit that external link for example – unfortunately it’s just not enough. Organisations need to incorporate defences into their IT security policy, and a key part of this is to educate individuals to choose strong passwords and to take good care of them to prevent cybercriminals taking over online accounts which could provide an entry point to the IT infrastructure.” – Graham Cluley, senior technology consultant at Sophos

Sophos summarizes their study with the top 5 tips to combat social networking perils in the business environment, which include:

  • Educate your workforce about online risks
  • Consider filtering access to certain social networking sites at specific times
  • Check the information that your organisation and staff share online
  • Review your Web 2.0 security settings regularly
  • Ensure that you have a solution in place that can proactively scan all websites for malware, spam and phishing content

Read more here.

Also, beware of an increase in Swine Flu pill spam!

Antiterror Officer in UK Resigns After Documents Revealed

Thursday, April 16th, 2009

In a clear oversight of security protocols, Britain’s most senior counterterrorism officer, Bob Quick, took Top Secret documents out of the office. The documents, in clear view in his arms, were then photographed by the press as he carried the documents up Downing Street. Bob Quick has resigned as a result of the incident.

The documents outlined a Metropolitan Police Service and MI5 counterterrorist operation against al-Qaeda suspects, including details of a planned arrest of terrorist suspects following a long covert surveillance operation. Steps were taken to censor the photographs (successfully only in Britain) and to conceal Mr. Quick’s location, for fear that the information would tip off the suspects. The operation was able to continue, with arrests made sooner than planned, but it is still a major security blunder.

Bob Quick says he “deeply regretted” revealing the documents to photographers, and some people seem willing to forgive him for simply holding the paper the wrong way. However, the secret documents should not have been carried outside of secure areas in printed form – at the very least, they could have been transported on an encrypted drive. This is not the first incident in which a government official has accidentally shown secret notes to the journalists who often wait outside Downing Street.

Bob Quick resigned soon after the incident, following a meeting with the home secretary and the Metropolitan Police commissioner.

“I have today offered my resignation in the knowledge that my action could have compromised a major counterterrorism operation.

I deeply regret the disruption caused to colleagues undertaking the operation, and remain grateful for the way in which they adapted quickly and professionally to a revised timescale.”

It is a pity that the breach was made, but the repercussions are already wide-ranging. Not only has the public outcry damaged trust in government security, but the MPS has lost its most senior, and most experienced, counterterrorism specialist. This should underscore the importance of having a clear security policy and ongoing employee training – at all levels – to ensure compliance with basic security measures.

Via Schneier

5 Mobility Strategy Tips

Thursday, April 2nd, 2009

Network World has put together a series of 5 tips for an effective enterprise mobility strategy. Such a strategy will ensure that IT is aware of all the technology purchased for or used for business purposes and how these devices are used.

  1. Define requirements – how the workforce needs to work
  2. Be selective – decide what is necessary and cost-effective
  3. Establish who is in charge – of ongoing device management, security, mobile application development, carrier relationships and network deployments
  4. Commit to documenting policies – start with good policies, review them and educate employees
  5. Evaluate – decide whether your strategy continues to keep up with new technology and the needs of the company

Having a centralized mobility policy will help ensure that employees have access to the technology they need and are not driven to break security policies by using their own devices unbeknownst to the IT department. As part of your mobile security policy, Computrace Mobile can help your organization manage your handheld devices and protect your data if they go missing.

Don’t Ignore Physical Data Management

Friday, March 27th, 2009

Normally we hear about the massive data breaches that happen through some loss of electronic data – whether it’s a lost storage device or laptop, or a hacking incident. However, we can’t forget that paper records can be breached too. This week there were 4 reports of data breaches resulting from incidents with paper.

  1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has a policy of shredding documents for disposal, but that policy was overlooked. [read more]
  2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A doctor has admitted to his mistake in improperly disposing of the files. [read more]
  3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft. [read more]
  4. A Dallas man found a box of medical records, including Social Security Numbers, in the parking lot of a storage business. The storage unit, belonging to a doctor, had been broken into and the records left out. [read more]

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated in storage and disposal. Policies that restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include rules on shredding paper or purging electronic devices. For physical storage of paper records, standard consumer storage facilities may not offer enough security; look for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. A great deal of education needs to be directed at small business owners – including those practicing in the medical fields – about how to securely handle confidential data at all stages of its life cycle.

Hat tip to databreaches.net

Mitigating Risks of Insider Data Theft

Friday, February 20th, 2009

Cisco recently released a whitepaper about data leakage and insider threats. Several predictions for 2009 have indicated that, particularly with the uncertain economic climate, insider data breaches would become more of an issue. With 88% of respondents admitting they’d take sensitive information if they were laid off, this is a clear and present threat to data security.

In 2008, insider theft accounted for 15.7% of data breaches, and 43% of surveyed companies had experienced fraud, theft or losses as a direct result of employees with access to sensitive data.

Bruce Schneier recently addressed the issue of insiders, which he points out are a perennial problem for organizations. Insiders have the means and opportunity to breach data – intentionally or not. The issues coming up lately refer to an increase in intentional data theft or fraud.

“With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks. This is one of the most significant threats companies face” – Microsoft’s Doug Leland

So, given that you need to trust your employees in order to keep your company running, how do you go about addressing the problem of inside threats? Schneier recommends 5 basic techniques, many of which we’ve talked about here on the Absolute blog:

  1. Limit the number of trusted people
  2. Ensure that trusted people are also trustworthy
  3. Limit the amount of trust each person has
  4. Give people overlapping spheres of trust
  5. Detect breaches of trust after the fact and prosecute the guilty

You can read these recommendations in detail here. Hopefully it will give you some ideas about how to prepare for insider issues. Just like with all security planning, it’s about being prepared and about having multiple layers of security in place.

—-

In other news, there have been a high number of data breaches thus far in February (see latest incidents). One getting a lot of attention is from the Federal Aviation Administration (FAA) that affects 45,000 FAA employees.


7 Deadly Sins of Network Security

Thursday, February 5th, 2009

Bill Brenner of CSO Online shares “The Seven Deadly Sins of Network Security”, sins which he links with nearly all serious data breaches. Bill asks, “Companies that suffer serious security breaches have almost always committed one (or all) of 7 deadly security sins. Is your company guilty?”

Just as Absolute Software recommends a multi-layered security solution, Bill Brenner notes that any solid security defense plan is built upon a multi-layered approach involving technology, policy and practice. Technology is just one of those layers, and it accounts for only some of the network security sins listed here:

  1. Not measuring risk – failing to identify and protect important information assets within the parameters of business needs and requirements
  2. Thinking compliance equals security – regulations like HIPAA and PCI DSS are only a starting point for strong (and evolving) data security practices
  3. Overlooking the people – the ‘people problem’ is a common thread on this blog. People who access data and technology pose a large risk to it – losing laptops, falling for phishing attacks, downloading rogue software, etc.
  4. Too much access for too many – access controls need to be set both in policy and in management technology
  5. Lax patching procedures – the latest Verizon report shows that 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
  6. Lax logging and monitoring – as with the first item, one must know what’s going on in the network before securing it
  7. Spurning the K.I.S.S. – ‘keep it simple, stupid’ or ‘keep it simple for security’ is often overlooked when security is approached without planning and ‘solutions’ are tacked on one after the other

The article looks at the common issues that have led to these seven items becoming “sins” in network security terms. In the case of the first sin, this can include a lack of understanding of business needs and requirements, which results in end users circumventing security protocols and putting data at even greater risk. Continue reading it here.

Policy Creation: Ask the Right Questions

Tuesday, December 23rd, 2008

RSA’s Meena Raju asks if “you are scared of the word policy,” in a blog post about Asking the Right Questions When Implementing a Data Loss Prevention Policy. I think that’s a fantastic way to bridge into this topic. Scared is exactly the word. Individuals and companies are scared of putting together a policy on something that seems as complicated as security, particularly since whatever is ‘set down on paper’ becomes an actionable set of guidelines. What if it misses areas? What if it’s confusing? What if it is an accurate policy, but one that’s ‘wrong’ for your company?

The RSA team put together a series of best practices when considering a data loss prevention (DLP) policy.

What is the data that you want to protect? And how should you protect it? Sounds simple, right? As our customers find, there are many more questions that need to be asked upfront.

Some of the questions that RSA suggests asking are:

  1. Who is the policy going to apply to, and how does it impact them?
  2. What type of information are you trying to protect?
  3. Why are you protecting it?
  4. Where should you protect it? Is data in motion or in a datacenter? Is it being used at endpoints? Strategize which information state needs protecting first.
  5. When should you trigger a violation?
  6. How should you protect the information? Audits, encryption, blocking, etc. Choices should be made depending on the type of information.

As Meena notes, “policy” isn’t a bad word or a word to be scared of. “Be smart and be strategic and you’ll love your policies.”

Stay tuned to our Security Policy category for tips on how to create effective security policies, as well as relevant studies or facts on the topic.

Making Security Training Interesting

Monday, December 8th, 2008

SANS Internet Storm Center’s Lenny Zeltser put together an article that caught my attention for being both accurate and blunt: “Security Awareness Training Is Boring.”

So true, and perhaps why it’s not kept up, or is completely ignored. And when something is ignored, it’s a good time to shake it up. We’ve offered some suggestions in the past for being creative in training methods.

Lenny put together some ideas for shaking things up in the security training department – doing things that are unusual and personally relevant so that employees remember them. Ideas include making a “commercial” style interruption during another meeting, one that reminds employees of security issues. Rewarding employees for anonymously reporting unsafe IT practices can work, and has been suggested in many articles. Also, “bribes” like food at security meetings can help bolster attendance.

And you can integrate funny videos like “The Duhs of Security,” created by the Virginia Government.

The SANS article references another great article, written by Marcus Ranum, entitled “The Six Dumbest Ideas in Computer Security”. Worth a read.

Less than 2% of All PCs are Fully Patched

Friday, December 5th, 2008

Secunia has followed up on a survey done one year ago to see if PCs are any more secure this year than last. The data was collected from 20,000 new users of their software over a one-week period, mirroring the sample taken a year earlier. The software is thus able to give a snapshot of how many installed programs are “secure” or “patched.”

Based on the data, PCs are more insecure than they were last year. Only 1.91% of PCs scanned could claim to have fully secure/patched programs. The rest were not running the latest (and most secure) version of at least one program.

  • 0 Insecure Programs: 1.91% of PCs
  • 1-5 Insecure Programs: 30.27% of PCs
  • 6-10 Insecure Programs: 25.07% of PCs
  • 11+ Insecure Programs: 45.76% of PCs

Quite scary that nearly half of those 20,000 PCs had 11 or more unpatched programs! Leaving programs unpatched makes them targets for hackers, which can lead to data leaks if not stopped. Mainstream programs like Microsoft Office, Adobe Flash and browsers are major targets for hackers.

So, perhaps now is a time to run your security updates? On PC and Mac, most programs can be updated automatically, or all together. In a few instances, you may need to ‘check for updates’ in individual programs. Of course, in a corporate environment, where you’re dealing with hundreds or thousands of computers, you need a way to manage this at once. Absolute’s asset tracking can help inventory what software and patches are installed, but other strategies (including Secunia PSI) can supplement in rolling out updates regularly.
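To see what this kind of snapshot looks like over your own fleet, here is an added example (not Secunia's code, and not from the original post) that takes a constructed software inventory, counts the programs on each PC that are behind the latest known release, and reports the share of PCs in the same buckets the report uses. The `LATEST` table stands in for whatever patch or vulnerability feed you actually consult, and the hostnames and versions are constructed sample data.

```python
from collections import Counter

# Constructed reference table: program -> latest known release.
# In practice this comes from a patch-management or vulnerability feed.
LATEST = {
    "Office": "12.0.6425", "Flash Player": "10.0.22", "Browser": "3.0.5",
    "PDF Reader": "9.1.0", "Java": "6.0.12", "Media Player": "11.0.5721",
    "Archiver": "3.80", "Messenger": "8.5.1302",
}

# Constructed inventory: host -> list of (program, installed version).
INVENTORY = {
    "pc-01": [("Office", "12.0.6425"), ("Flash Player", "10.0.22"), ("Browser", "3.0.5")],
    "pc-02": [("Office", "12.0.6300"), ("Flash Player", "10.0.22"), ("PDF Reader", "8.1.3")],
    "pc-03": [("Office", "11.0"), ("Flash Player", "9.0.124"), ("Browser", "2.0.0"),
              ("PDF Reader", "8.0"), ("Java", "5.0"), ("Media Player", "10.0"),
              ("Archiver", "3.80")],
    "pc-04": [("Office", "12.0.6425"), ("Flash Player", "9.0.124"), ("Java", "6.0.7"),
              ("Messenger", "8.1")],
}

# Same buckets as the Secunia table; anything above the last range is "11+".
BUCKETS = ((0, 0, "0"), (1, 5, "1-5"), (6, 10, "6-10"))

def parse_version(version):
    """Turn '12.0.6425' into a comparable tuple of ints; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def pad(a, b):
    """Pad the shorter tuple with zeros so '12.0' compares equal to '12.0.0'."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

def is_insecure(program, installed, latest=LATEST):
    """True when a newer release than the installed one is known.
    Programs absent from the reference table are not assessed (treated as current)."""
    if program not in latest:
        return False
    have, want = pad(parse_version(installed), parse_version(latest[program]))
    return have < want

def insecure_count(programs, latest=LATEST):
    """Number of out-of-date programs on one PC."""
    return sum(is_insecure(name, ver, latest) for name, ver in programs)

def bucket(n):
    for lo, hi, label in BUCKETS:
        if lo <= n <= hi:
            return label
    return "11+"

def distribution(inventory, latest=LATEST):
    """Percentage of PCs per bucket, rounded to two decimals."""
    counts = Counter(bucket(insecure_count(p, latest)) for p in inventory.values())
    total = len(inventory)
    return {label: round(100.0 * counts[label] / total, 2)
            for label in ("0", "1-5", "6-10", "11+")}

if __name__ == "__main__":
    for label, pct in distribution(INVENTORY).items():
        print(f"{label:>5} insecure programs: {pct}% of PCs")
```

A real run would replace `INVENTORY` with the output of your asset-tracking tool, and the unknown-program case deserves attention: anything your reference table does not cover is silently counted as current here.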

Via SecurityFocus
