Log inskip to content

Archive for November 9th, 2007

Compliance News

Friday, November 9th, 2007

High-Tech Hackers

 By Mike Paquette · November 2007

 Driven by the age-old lure of easy money, many of today’s criminals are using high-tech cyber crimes and sophisticated building entry methods to commit identity theft and financial fraud. Organizations need to invest in information management and security technology to protect themselves against the evolving threat landscape.

 Security has long focused on preventing break-ins to physical facilities and the IT infrastructure. However, instead of a reactive approach to improving security in the face of experienced threats, organizations are now being more proactive in establishing security policies. Companies are building systems that integrate all of an organization’s physical and logical security to better defend the business and protect the privacy of customers and employee data.

 Contrary to conventional wisdom, these culturally and technologically disparate worlds of physical access control and IT network protection are closely linked, and existing assets are currently being leveraged in a converged solution.

 Data Leakage
The role of security is changing dramatically. As technological capabilities have finally caught up with security theory, many organizations are experiencing the convergence of physical and IT security for unified enterprise security management. And as these companies are realizing its benefits, the industry is beginning to redefine the role of security. Why the renewed push for convergence in security structures? How are physical and IT security related, and how will one affect the other in the long run?

 The driver behind today’s movement toward converged IT and physical security is the realization that a data breach can be extremely costly to an organization. Hardly a day goes by when a high-profile data breach that has compromised the personal information of employees, citizens or customers isn’t in the headlines. A recent study shows that the majority of these breaches are enabled by the theft or loss of physical property, such as laptop computers and portable storage devices (e.g., USB drives). However, computers compromised by malicious software, called malware, are another leading cause of a data breach. Organizations must create a unified security policy that addresses the physical security of computing systems and portable storage media and the IT security policy for the kind of data that can reside on these media.

 On the IT security side, organizations must decide whether to require hard-drive encryption on all employee laptop computers or to install software that prohibits the use of USB drives on company computers. In addition, information control policies should specify clearly what kind of information may be stored on laptop computers.

 On the physical security side, traditional and new loss protection steps must be employed. Laptop cable locks should be used not only in hotels and meeting spaces, but also when the laptop is locked in the car. USB drive use should be prohibited or, at least, controlled. It’s possible for organizations to install RFID systems on USB drives for employees who are authorized to use them.

 Within the organization’s IT infrastructure, network security issues are changing daily, and it is often difficult to keep up with the current threat landscape. Attacks are becoming more sophisticated, and organizations are facing new and increasingly dangerous security threats. Random threats that once plagued the enterprise are not what they used to be—as attacks are evolving into clever, targeted schemes that are finding ways to compromise computers, steal data and seriously affect network systems. To combat these new threats, security strategies need to evolve at the same rate—with organizations being more proactive in their security strategies, moving beyond simple detection to implementing technologies and techniques that proactively block malicious traffic—without degrading network quality.

 Security Siblings
Both sides of security each strive for greater, tighter controls across an enterprise while still enabling business. The physical aspect protects organizations by preventing entry from unauthorized users and by protecting the loss of property. The IT side protects intellectual property and customer data by deploying technologies such as firewalls, network admission control and intrusion prevention systems to prevent network attacks. It only makes sense that these two seemingly different systems can work together to not only enhance a company’s security posture, but also protect the continued operation of the enterprise.

 Network security and physical security are similar in nature, so much so that they can be characterized as siblings separated at birth.

 IT network security almost always starts with a network firewall, which provides controls of whose computer can access which systems. The firewall is like a receptionist with a door buzzer in the physical realm. The receptionist “signs you in” if you don’t look like a bad guy (authentication), “buzzes you in” afterward (access control), but then doesn’t know what you’re doing while you’re behind the closed door. If you appear to be untrustworthy, or do not have your badge, then the receptionist does not allow you access to the facility.

 The IT network intrusion detection system is very much like a closed-circuit video camera system. It’s useless for protection unless there is a diligent and insightful staff to watch it all the time. Such staff can see activity—who’s coming or going and if they’re trying to pick the lock or break down the door.

 Organizations are now deploying network IPS in their IT infrastructures. These devices operate similarly to a firewall, but with much more thorough inspection of the traffic coming into and out of the network.

 In the physical security world, the IPS would be best represented by the previously-mentioned receptionist followed by a metal detector, a bomb-sniffer, an X-ray machine and a pat-down searcher. Only after a thorough inspection is the visitor allowed to gain access into the facility. In addition, visitors are scanned upon exit of the facility, as well.

 The Need to Converge
As the threat landscape changes, the critical threat of the data breach is driving a need to converge physical and network security. No longer is it sufficient to make sure that physical property is not stolen from the facility. It also is important to help employees secure laptops at home, in transit and at remote office locations.

 Securing company data requires proactive steps from both the IT security and the physical security elements of an organization. A unified security policy, covering both IT and physical security, is the effective way to reduce risks and losses associated with a data breach.

 About the author

Mike Paquette is the vice president and chief security officer for Top Layer Networks.  

Posted in General | No Comments »

Compliance News

Friday, November 9th, 2007

Compliance News from the IT Compliance Institute

 ·         PCI Security Standards Council publishes new payment software security standard

 New standard is based on best practices already established by Visa

 ·         Environmental factors are becoming important in purchasing decisions, survey shows

 Many enterprises want to reduce their environmental impact, with IT leading the way

 ·         Microsoft fires CIO for violating corporate policies

 Company remains mum on details, however

 ·         Inadequate staffs hamper most large data centers, survey shows

 Many lack the staff needed to fulfill increasingly demanding internal service-level agreements

 ·         Data center migration leads to business continuity nightmare

 ISP unsuccessfully attempts to consolidate two data centers and leaves tens of thousands of Web sites off-line

 ·         Minnesota Department of Public Safety flunks IT security audit

 Unencrypted laptops and unauthorized users were among the flaws

 ·         Fears concerning mobile and remote access are up, but few organizations are doing anything about it, survey shows

 Implementing security awareness training does appear to help, however

 ·         Fed approves final Basel II rules

 Mandatory for large banks, the new rules will involve a lengthy, staged implementation

 ·         One in six PCs is infected, UK survey shows

 Most businesses have at least one infected PC

 ·         IT salaries likely to rise at twice the rate of inflation, expert warns

 Lead developers and wireless experts will be in demand

 ·         Massachusetts announces anti-cybercrime initiative

 Six-point plan includes special training for large numbers of law enforcement officials

 ·         Australian police accused of breaching troubled database

 Law enforcement database in Victoria has a history of problems

 ·         Electronic healthcare records not living up to their potential, expert tells Congress

 Important features are missing, but at least one vendor is working to supply them

 ·         Most office workers remain indifferent to IT security, survey shows

 More than a third have knowingly violated office IT policies at least once

 ·         Taken together, PCs are huge power gluttons and polluters, researchers find

 Simply turning them off when not in use can generate significant savings

 ·         Outsourcing megadeals are becoming a thing of the past, experts say

 Shorter, more complex deals have become popular

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Posted in General | No Comments »

Compliance News

Friday, November 9th, 2007

Prosecution Watch from the IT Compliance Institute

  • Insider indicted for breaching university database

    IT help desk employee helps himself to better grades and now faces charges of unauthorized computer access and identity theft

  • Microsoft fires off 20 lawsuits against software pirates

    Microsoft filed federal lawsuits against 20 resellers for allegedly distributing "counterfeit or infringing" software

  • AOL spammer gets two years in jail

    Spam operator earns a 27-month prison sentence and $180,000 fine

  • QVC fraudster nabbed for e-shoplifting

    Glitch between IT and operations allowed woman to fleece QVC home shopping network out of $412,000

  • Posdata insiders go to jail for $80MM IP theft

    Five Korean engineers get prison time for attempting to steal employer’s wireless broadband technology so they can set up shop overseas in the US

  • Fraudsters face five years in prison for massive Microsoft fraud

    Four sentenced to prison for $29MM Microsoft software resale scam

  • Finance chief goes to jail for $4MM accounting fraud

    Con artist concealed her criminal past and pilfered $4MM from her employer

  • Botmaster nets one year of jail and fine

    10.30Authorities nabbed Jason Downey during Operation Bot Roast and he now faces one year in prison and a $21,000 fine

    • Posted in General | No Comments »


    « Oct iCalendar Dec »
    November 2007
    M T W T F S S
     1234
    567891011
    12131415161718
    19202122232425
    2627282930EC

    Upcoming Events

    • No events.

    Just as with the Y2K crisis of seven years ago, IT workers are being called upon to don superhero suits and save the enterprise from impending technology trouble. But this time, IT will be sifting through the complexities of the federal Sarbanes-Oxley Act of 2002

    Public Companies over 75 million already need to comply by 12/15/2007...

    Will your SMB be Ready?

    Monthly Archives

    Google
    Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon Sign up for our Email Newsletter