Archive for April, 2009

Laptop Encryption – Serious lack of security

I believe that more personal information has been stolen than there are actual people in the US. How much of it was stolen from the government would make a nice study. And has anyone in the government actually been fired?

So the employee lost the laptop. Do you blame the employee, or the agency for not educating the employee and providing whole-disk encryption? The agency believes that an unencrypted hard drive that happens to have a “password” is secure? A Windows logon password only gates the operating system; anyone who boots that laptop from a USB stick or CD, or pulls the drive and plugs it into another machine, reads every file in the clear. Maybe someone should explain computer hacking, Windows security, encryption and the concept of intrusion prevention to DHS.

Well, you will probably see that laptop on eBay or in a pawn shop. Any halfway intelligent person who buys it will be able to get to the data. Then what?

Five Steps to Laptop Security 101:

1) Encrypt using whole-disk encryption, or at a minimum encrypt your data folders. Whole-disk is the better choice, because folder encryption leaves swap, temp files, caches and the hibernation file in the clear. Try PGP encryption (www.auroraent.com)

2) Patch management: use automated patch management.

3) Firewall: use a managed firewall in a corporate environment or a personal firewall. There are lots of free ones out there and cheap ones.

4) Hard disk password: you can stop the drive from even booting by setting an ATA hard disk password in the BIOS. Yes, this can be broken or reset by the manufacturer or a data-recovery shop, but it is a pain and the casual thief will not know what to do. It is not a substitute for encryption: the data on the platters is still stored in the clear.

5) Don’t let the government have a laptop.
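The first step above is the one that actually protects the data, so the check a practitioner wants is "is the root volume really under whole-disk encryption, or did someone only encrypt a folder?". The script below is an added example written for this page, not code from the original post or from any product it names. It walks the block-device tree that util-linux `lsblk` reports (the PKNAME column is assumed to be available, which is true on any recent Linux) and only reports a mountpoint as encrypted when every path from it down to a physical disk crosses a dm-crypt (LUKS) mapping. The three sample `lsblk` outputs embedded in it are constructed.

```python
"""Added example (the editor's own, not code from the original post): decide
whether a Linux laptop's root filesystem is protected by whole-disk encryption
by walking the block-device tree that `lsblk` reports. Assumes util-linux
lsblk with the PKNAME column; the sample outputs below are constructed."""
from collections import defaultdict
import shlex
import subprocess

LSBLK_ARGS = ["lsblk", "-P", "-o", "NAME,PKNAME,TYPE,MOUNTPOINT"]

# Constructed `lsblk -P` output: LUKS container under LVM, the usual installer layout.
ENCRYPTED_LAPTOP = """\
NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="vg-root" PKNAME="cryptroot" TYPE="lvm" MOUNTPOINT="/"
NAME="vg-swap" PKNAME="cryptroot" TYPE="lvm" MOUNTPOINT="[SWAP]"
"""

# Constructed: root directly on a plain partition, a "password protected" laptop.
PLAIN_LAPTOP = """\
NAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/"
"""

# Constructed: the root LV was later extended onto a second, unencrypted disk.
# lsblk lists a multi-parent device once per parent.
SPLIT_LVM = """\
NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="cryptpv" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT=""
NAME="vg-root" PKNAME="cryptpv" TYPE="lvm" MOUNTPOINT="/"
NAME="vg-root" PKNAME="sdb1" TYPE="lvm" MOUNTPOINT="/"
"""


def parse_lsblk_pairs(text):
    """Parse KEY="VALUE" records into (type per device, parents per device,
    devices per mountpoint). parents is a set because of multi-parent devices."""
    types, parents, mounts = {}, defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(tok.split("=", 1) for tok in shlex.split(line))
        name = rec["NAME"]
        types[name] = rec["TYPE"]
        if rec.get("PKNAME"):
            parents[name].add(rec["PKNAME"])
        if rec.get("MOUNTPOINT"):
            mounts[rec["MOUNTPOINT"]].add(name)
    return types, parents, mounts


def fully_encrypted(name, types, parents, path=()):
    """True only if every path from `name` down to a physical disk crosses a
    dm-crypt mapping. One plaintext path is enough to fail: LVM may place
    the data on that disk in the clear."""
    if name in path:                 # defensive; lsblk's tree has no cycles
        return False
    if types.get(name) == "crypt":
        return True
    if not parents.get(name):        # reached a disk/partition in the clear
        return False
    return all(fully_encrypted(p, types, parents, path + (name,))
               for p in parents[name])


def mount_is_encrypted(lsblk_text, mountpoint="/"):
    """Whole-disk check for one mountpoint; raises if nothing is mounted there."""
    types, parents, mounts = parse_lsblk_pairs(lsblk_text)
    if mountpoint not in mounts:
        raise ValueError(f"nothing mounted at {mountpoint}")
    return all(fully_encrypted(d, types, parents) for d in mounts[mountpoint])


if __name__ == "__main__":
    for label, sample in (("LUKS + LVM", ENCRYPTED_LAPTOP),
                          ("plain partition", PLAIN_LAPTOP),
                          ("LVM over mixed PVs", SPLIT_LVM)):
        print(f"{label}: / encrypted = {mount_is_encrypted(sample)}")
    try:    # live check on this machine (Linux only)
        live = subprocess.run(LSBLK_ARGS, capture_output=True, text=True, check=True).stdout
        print(f"this host: / encrypted = {mount_is_encrypted(live)}")
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as exc:
        print(f"live check skipped: {exc}")
```

Run it against the live system with `/home` and `[SWAP]` as well as `/`; a plaintext swap or home volume is exactly the "folder encryption" gap from step 1. The mixed-PV sample is the case a naive "is there a crypt device anywhere?" check gets wrong. On Windows the equivalent check is `manage-bde -status C:`, where "Protection Status: On" is the line that matters.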


regards

gary

http://www.kraasecurity.com

* Managed Security Services

* Vulnerability Management

* Compliance & Policy Development

* PGP Security

* FREE Website Security Test

* Managed Firewall

* Managed Antivirus

* Managed IDS

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Unencrypted laptop with 1 million SSNs stolen from state

SC Magazine, Dan Kaplan, April 24, 2009

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee.

The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday.

The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency.

“We feel this was not a situation where someone was targeting the agency or that information,” DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. “We feel it was random.”

Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said.

News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.

Twitter your security away

As social networking takes over our lives, much like the Borg, we are freely giving away our personal information. It’s information devaluation. Twitter, Facebook, MySpace, Flickr, LinkedIn, etc. are all conditioning us to be one with the Internet universe. Why shouldn’t every person you know have the latest update on what you had for lunch, your favorite color, your dog’s name or your high school?

Interesting that these are the same questions your online bank account asks you as challenge questions. How long until some really cool tool gets released by the underground that can scan a profile and categorize the data into all the fields a bank usually asks as challenge questions? (I should trademark the concept.)
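The "tool" imagined above is not hard to build, and the defender's version of it is a useful check: take the answers a customer registered for their challenge questions and see how many an attacker could fill in from the customer's public profile. The script below is an added example written for this page, not code from the original post; the profile, the question list and the stored answers are all constructed and stand in for no real site or bank. It matches on normalized words rather than whole fields, which is what makes free-text posts ("RIP Rex") leak answers just as readily as the structured "education" field does.

```python
"""Added example (the editor's own, not from the original post): score how
many of a bank's challenge questions an attacker can answer straight from a
public profile. The profile, the questions and the stored answers are all
constructed for the demo and stand in for no real site or bank."""
import re

# Constructed: the answers a customer registered with their bank.
KBA_ANSWERS = {
    "mother's maiden name": "Kowalski",
    "high school": "Lincoln High School",
    "first pet's name": "Rex",
    "favorite color": "blue",
    "city of birth": "Tulsa",
    "first car": "Honda Civic",
}

# Constructed: structured profile fields plus free-text posts, as a scraper
# would collect them from a public social-network page.
PUBLIC_PROFILE = {
    "name": "Jane Kowalski-Smith",
    "hometown": "Tulsa, OK",
    "education": "Lincoln High School, class of '94",
    "relatives": ["Anna Kowalski (mother)"],
    "posts": [
        "RIP Rex, best dog a girl could have :(",
        "Repainted the kitchen BLUE, finally!",
    ],
}

# Words that appear in many answers and in any profile; matching them proves nothing.
STOPWORDS = {"the", "of", "a", "and", "high", "school"}


def tokens(text):
    """Lower-case word bag with stopwords removed, so 'BLUE,' matches 'blue'."""
    return {t for t in re.findall(r"[a-z0-9']+", text.lower()) if t not in STOPWORDS}


def profile_bag(profile):
    """Flatten every field and every post into one token set."""
    bag = set()
    for value in profile.values():
        for item in (value if isinstance(value, list) else [value]):
            bag |= tokens(item)
    return bag


def exposed_answers(profile, answers):
    """Map each question to True when all significant words of its stored
    answer appear somewhere in the public profile."""
    bag = profile_bag(profile)
    return {q: bool(tokens(a)) and tokens(a) <= bag for q, a in answers.items()}


def exposure_report(profile, answers):
    """(answerable, total, per-question detail)."""
    hits = exposed_answers(profile, answers)
    return sum(hits.values()), len(hits), hits


if __name__ == "__main__":
    n, total, hits = exposure_report(PUBLIC_PROFILE, KBA_ANSWERS)
    for q, leaked in hits.items():
        print(f"{'LEAKED ' if leaked else 'safe   '} {q}")
    print(f"{n} of {total} challenge questions answerable from the public profile")
```

For the constructed profile five of the six answers are recoverable; only "first car" survives, and that one has a small enough answer space to guess. The practical fix is to treat challenge answers as a second password: random strings stored in a password manager, never the true fact.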

Stop the madness. That includes all these Blogs! Down with Blogs!

Gary

baha@kraasecurity.com

www.kraasecurity.com

Managed Security Services


++++++++++++++++++++++++++++++++++++++++++

Gartner has published a document (in PDF format) with its analysis and recommendations on the above subject:

QUOTE
Analysis

Twitter’s recent security issues follow the same arc that many other consumer-grade services have experienced. An innovative idea is quickly turned into a cool Web site that attracts lots of consumer use. Security is, however, not typically part of the cool site’s business model. Hype about the potential business use of the new technology quickly leads to malware attacks. After a successful attack, security measures that were not built in are “sprinkled on.”

This pattern will not change anytime soon. There will always be real reliability and security differences between consumer- and business-grade technologies. But there will also be real business benefits to using consumer-grade technologies before they are “business-strength.” Enterprises must consider the cost of integrating or adding security controls to contain the risks of using these technologies before they reach security maturity. Trying to ignore or block them simply will not work.

Recommendations

All enterprises:
Ensure that everyone who accesses enterprise systems is aware of the risks of using consumer-grade technologies such as Twitter.
Update Web security gateways and network intrusion prevention systems to block transmission of the malware used in the Twitter attacks.
Require malware blocking and data loss prevention capabilities in any business plans using Twitter or other consumer-grade technologies.
The document can be downloaded from http://www.gartner.com/DisplayDocument?doc…;ref=g_homelink

Ways to Maintain Website Security

With the advancement of technology comes the heavy responsibility of protecting an organization’s sensitive and valuable information. The Internet has become a necessity for organizations exchanging data and other business details with their partners, vendors and clients. In many cases attackers compromise a network or the transmission medium and steal the data in transit. That damages not only the market value of the company but also the number of clients that trust the company and its infrastructure or website.

There are preventive measures every company can adopt to maintain the value of the company as well as its client base. It is very important for any company to maintain data security and safeguard its internal information. Clients and business partners share their data only after confirming that the partner company will keep it safe and intact under its own security policies.

By taking a few precautions, a company can secure its sensitive information. Installing a firewall at the network boundary is the first step. This used to be expensive, but firewalls, intrusion detection systems and host intrusion prevention systems are now available on affordable monthly subscriptions, so a company no longer needs to spend a lot to obtain these services.

A firewall is the main defense. It enforces a rule set on every packet or connection crossing the network boundary, allowing only the traffic the policy permits and dropping everything else, which stops most attacks before they ever reach a host. Paired with an intrusion detection or prevention system it will also alert on, block and report suspicious traffic. Firewall protection can be obtained from various online sources at quite reasonable rates, but always cross-check the credentials of the vendor and buy only from experts in the field.

Besides installing these tools, companies are also hiring third parties to review the organization’s policies and procedures and to keep track of how the company’s data is distributed online. These third parties run application security assessments that review the code of the company’s web applications and provide feedback on what to fix and upgrade. Though employing third parties is somewhat expensive, they keep a detailed, independent record of the state of their clients’ security.

Network systems of very well-known companies are being hacked and misused these days. It is high time companies took proper action against such thefts, as the number of incidents grows day by day. Otherwise, people will lose their trust in sharing personal information through web sites.

This article was written by a web security expert in application security risk assessment.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity
Managed Security Services
Managed Firewall
Managed Vulnerability Scanning
