Security and Time

7:17 am on November 20, 2008 | By David Hora | In information security, laptop security, risk management | No Comments

People seem to think that security software is very time consuming. The common conception is either the installation process is long and arduous, or you will be forced to constantly monitor your chosen security solution. Some solutions require an admin to go to each machine and install something, which is simply not feasible in a large company. Not all solutions take hours to install and force an administrator to physically access each machine. It takes more time to play a game of solitaire than it does to install some security software. Some laptop security solutions are as easy to install as simply adding the installer to group policy. To manage some security products, you need to constantly monitor all traffic that comes from a machine. Some solutions require administrators to take hours to examine log files to see if there is a security problem or not. With other solutions, all you need to do is log into a web based UI and see if you have any alerts.

If you spend hours managing your current security product after the installation phase, maybe you should take a look for a new solution. When you research security solutions, you should see how much time it takes to install the solution and how much time, if any, is required to manage the solution post install. Make sure any solution you find gives an intuitive web based interface that will allow you to monitor it from anywhere should the need arise.

In the time it took to read this blog post, you probably could have installed a security solution on your laptop.

Share/Save/Bookmark

 

The Illusion of Security by M.T. Thrett

10:14 am on November 17, 2008 | By Justin Maksim | In data breach, data encryption, information security, risk management, security policy | No Comments

Best I can tell, IT data security expenditures buy compliance, piece-of-mind and sometimes, little else.  But are they buying real, bona fide security? Not really. Hook these buyers to a lie detector and I’ll bet you find that you’d find that most know this to be true. We know for example that antivirus services are always behind the eight ball. The leading antivirus tools are ineffective at combating the latest and greatest viruses.

 

            IT also throws money into encryption. Don’t misunderstand – encryption is necessary but it alone is not true security. After authentication, encryption is ineffective. IT often reasons it prudent to mandate a policy of strong passwords as a first-level barrier to a breach. This policy is parallel to Superman’s kryptonite. Users will write down these complex passwords for fear of forgetting them.

 

            Security products and services offer piece-of-mind but shouldn’t kid themselves – it is not usually true security. As long as computers are operated by humans (even honest ones) this is our greatest security threat. No antivirus or encryption software will eliminate that reality.

 

 

Share/Save/Bookmark

 

You’re responsible for your data – wherever it may be

8:54 am on November 10, 2008 | By Daniel Pagan | In information security, risk management, security policy | No Comments

In a 2008 Ernst & Young Global Information Security Survey covering a wide variety of security concerns, results indicated that approximately 45% of respondents demanded data security measures of their vendors & contractors. If you are a business owner or manager contracting with vendors to provide services that require use of your confidential data, don’t you want them safeguarding that data as diligently as you yourselves do? Consider you vendors who need this data to effectively deliver the services you employ them for. Payroll, health & employee benefits, credit reporting, auditing, financial processing, professional consulting…the list goes on and on.

 

 Any time unprotected data is exposed whether it be through loss, theft or hack, it is your responsibility – even if it was a third party who had the data in their possession. Why? Because the consequences are ultimately yours. Embarrassing press coverage, disclosure costs, credit monitoring services, fines, civil penalties are just the start. The most painful consequence…? Customer exodus.  

 

 

 

Share/Save/Bookmark

 

Data breach: ATF = Another Total Failure?

6:33 am on November 3, 2008 | By Jim Allison | In data breach, data encryption, information security, risk management, security policy | No Comments

In September, the Washington Post reported on a five-year study of the ATF’s handling of government computers and firearms and found that the agency had misplaced over 400 laptops, many of which had sensitive information. While this study focuses on the ATF, the sad truth is that the loss of computers and the often confidential information that they contain has become commonplace in both the public and private sectors. To a great degree, as a reading public we’ve become anesthetized to this news, at least until it impacts us - or our networks….

Of even more concern in the article was that in most cases, the ATF had absolutely no idea of what data might have been compromised and as a result, who the loss might directly impact. Since employees often don’t comply with stated data security policy, it is inevitable that data will find its way to the network’s edge - and be mobile.

It is insufficient that an organization set a data security policy without putting in place the instrumentation and systems to ensure its compliance. Furthermore, that compliance can not depend upon the end-user’s conscious adherence to manual process - it just does not work. Managed solutions must be put in place that can ensure the end user’s compliance with corporate data security policy, without requiring their active participation.

It is critical that data be encrypted - at a minimum - only then can we be assured that data losses will not easily put ourselves and others at unnecessary risk. However, encryption by itself that is not enough.
When the inevitable loss occurs, it is equally necessary to be able to ascertain the risk associated with the loss and to determine the necessary corrective action. Some may feel that plausible deniability is an effective approach to addressing this problem. “If you don’t understand the impact of the loss, you don’t need to consider it as serious.”

I think this is both wrong, and short-sighted. Assuming you have the ability to respond wouldn’t it be better to fully understand your risk so that an appropriate counteraction could be chosen? File and folder cataloging on devices within control of an organization’s IT department should be an integral part of an effective PC data security solution. This feature can be used in many ways, including:

• risk assessment, by identifying the devices that contain particular sensitive data
• risk amelioration, by surgically destroying data that is found on unauthorized devices
• policy management, by identifying and establishing policies on the retention of sensitive data throughout an organization
• data forensics, by understanding the full extent of the impact of any data losses

Tools that can both assess and eliminate risk represent a much better data security strategy than either ignorance or hope.

Share/Save/Bookmark