Enterprise IT Watch Blog

September 23, 2010  2:21 PM

ISSA International Conference Recap: More of the same

Kevin Beaver

The 2010 ISSA International show was just here in my hometown of Atlanta. With the experienced speakers – many of whom work for highly-visible companies and government agencies – I was expecting some new ideas and solutions around security. The quality of the speakers was good; the problem was with the messages that I heard (at least in the keynotes). It was the same old stuff we’ve been hearing since the beginning of “Internet security” as we know it. “You need to have policies,” “You need to train  your people,” “You can’t rely on vendor products completely,” “You need to take a risk-based approach,” “The cloud is our great savior” – blah, blah, blah. Looking around, I could tell that others in the audience were tiring of the same old messages as well.

Is this the way information security is going to be from here on out? I’m not so sure that preaching the same old stuff is viable long-term. Maybe I’m just being impatient; perhaps there is no good solution. Maybe we’re just going to have to keep doing what we’re doing and trust that it’ll eventually sink in. Time will tell.

Although it’s a never-ending and frustrating cycle, it’s good for job security, so I guess I shouldn’t complain.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 22, 2010  3:21 PM

Stop fearing your smartphone: Mobile encryption & your security policy

Melanie Yarbrough

From possibly causing cancer to posing a major security risk to the enterprise, the smartphone just can’t catch a break. The truth is, smartphones are here to stay, especially in the enterprise. Like many other IT-versus-the-world conflicts, the solution isn’t a yes-or-no policy on their usage, but a set of security policies and guidelines, just like with any other technology adopted by the enterprise. Smartphone security and encryption can be a tricky road to navigate, so take a few things into consideration before deciding.

Assessing the Situation

Like any other policy, there are several factors that go into the crafting of mobile security. Here are a few points to consider when discussing options amongst your team:

  • Rather than looking for the cheapest (or the free-est) application available, assess your company’s mobile encryption needs before beginning the search. Minimizing time wasted will minimize the frustration and loss when incorporating mobile phone security into corporate policy. If you need support for multiple smartphone operating systems, start your search with that detail.
  • Part of your assessment should include your enterprise’s primary security focus and needs. Whether you need the option of remote data-wiping or authentication, knowing these details ahead of time will help to increase efficiency.
  • Once you’ve decided the features your users and data need, you need to allocate some of your security budget to ensuring the data on and accessed by these smartphones is secure.
  • Just like endpoint security has lowered the risk of laptops remotely accessing networks, smartphone encryption software can help you adapt to the changing nature of the enterprise. To ensure these devices are incorporated smoothly into your operations, bring them under your existing central management system. Treat mobile devices as a normal part of everyday operations (rather than devices sent solely to cause you headaches) and implement their use and security like any other enterprise-level product.

Some smartphone encryption options after the jump.

September 18, 2010  10:13 PM

Mobile device security – we keep spinning our wheels

Kevin Beaver

It’s been a year since I contributed to a piece on mobile security for the Wall Street Journal, and I was thinking about how things have changed since then. In a nutshell: they’ve gotten more complex and less secure.

It’s amazing – and scary – given all the sensitive electronic information scattered across any given network. Be it workstations, servers, databases, smartphones, mobile storage devices – you name it – it so often goes unprotected. By that I mean there are no access controls to prevent unruly employees from doing bad things with your data, and none to prevent outsiders from doing the same.

I’m not just talking about corporate intellectual property either. I’m talking about healthcare records, SSNs, credit cards, and other personal information…personal information belonging to me and you! This isn’t just a business issue – it’s a privacy and identity issue that affects us personally.

This is backed by story after story, breach after breach, and study after study. Just Google “mobile security breach” and you’ll see what I mean. The Privacy Rights Clearinghouse Chronology of Data Breaches reveals such breaches practically every week.

If you’re responsible for information security, audit, or compliance in your organization … this subject/dilemma should be on your short list of priorities for the coming year. Rather than just ranting, let me share with you some solutions and further reading:

…and finally, some of my blog posts on the subject.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 16, 2010  8:36 AM

The Seven Deadly Enterprise Security Sins, Part II

Michael Morisy

Last week, the IT Watch Blog took a look at the first three of the Seven Deadly Security Sins. Today, we reveal the other transgressions that are costing companies millions of dollars and putting the privacy and security of their employees and customers at risk.


September 16, 2010  6:07 AM

What are certifications worth? Much less than you think!

Kevin Beaver

In our current situation with the economy and people going back to get their certifications to increase their value, I thought this post from my Security On Wheels blog was fitting: What’s your IT certification worth? Nothing.

The psychology behind certifications is interesting. A piece of paper showing that you’ve passed a test is a worthy accomplishment, but without practical experience and a whole slew of other skills, a piece of paper is merely that.

It’s easy to be book smart. Study long and hard, memorize the material, and you can pass tests, convey it to others through teaching and so on. But when the time comes for actionable expertise in the real world, such knowledge doesn’t go very far. There are a handful of certifications that are exceptions to the rule (Cisco’s CCIE comes to mind), but they’re few and far between. Keep all of this in mind if you’re on the other side of the equation working as a hiring manager.

The reality is: Certifications can create a false sense of value. More certifications don’t automatically make a prospective employee more valuable. It could just mean that they’ve accumulated a lot of debt and don’t have much hands-on experience to show for it.

Bottom line: As a hiring manager, you have to look past certifications and see what else the person brings to the table. And as an IT professional, you have to pad your skill set with more than paper. Being successful in IT and information security requires so much more.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 15, 2010  6:35 AM

It’s 10 PM. Where’s your network administrator?

Kevin Beaver

The sixth of Microsoft’s Immutable Laws of Security states that “a computer is only as secure as the administrator is trustworthy.” How does your administrator rank on the trust scale? Working with systems and network administrators in my security assessments – and having been one in the past – I have seen that their level of access is typically unlimited. And no one seems to be watching.

I’m not saying you should micromanage your IT folks; that’ll only run them off. But don’t let your guard down either. There have been some highly-publicized cases of admins doing misdeeds or simply being sloppy with security when they shouldn’t have been. This is probably something you’re not ready to take on.

If you’re a business manager or internal auditor, never lose sight of the fact that the master key to everything electronic is in your administrator’s hands. It seems obvious, but it’s something many take for granted, trusting that all’s well in IT-land just because the administrator says everything’s okay. That’s not always the case.

I delve into this topic further in the following piece I wrote for SearchWinIT.com:

Are your IT administrators trustworthy?

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.
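As an added example (not part of Kevin’s post or any product he names), here is one way to start watching: review the privileged-command log for the things a business manager would actually ask about, that is commands run after hours, reads of credential files, log deletion, and denied attempts. The script parses sudo’s default syslog line format; the hostnames, user names and log lines are constructed for the demo, and the 07:00–19:00 working window and the watch-list patterns are assumptions to tune for your own environment.

```python
import re

# sudo's default syslog line (as written to auth.log / secure), with or without a PID.
SUDO_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sudo(?:\[\d+\])?: +(?P<user>\S+) : (?:.*?; )?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Watch-list patterns (assumptions to tune): credential and sudoers files, account changes,
# and commands that remove or truncate logs.
CREDENTIAL_ACCESS = re.compile(r"/etc/(shadow|gshadow|sudoers)|\bvisudo\b|\buser(add|mod|del)\b|\bpasswd\b")
LOG_TAMPER = re.compile(r"\b(rm|shred|truncate|mv)\b.*/var/log/")


def parse_sudo(line):
    """Return the fields of one sudo log line, or None if the line is not a sudo record."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = int(event["time"][:2])
    event["denied"] = "NOT in sudoers" in line or "incorrect password" in line
    return event


def review(lines, work_hours=(7, 19)):
    """Flag privileged commands a manager or auditor would want explained: run outside
    work_hours, touching credential files, tampering with logs, or denied by sudo."""
    start, end = work_hours
    findings = []
    for line in lines:
        event = parse_sudo(line)
        if event is None:
            continue
        reasons = []
        if event["denied"]:
            reasons.append("denied")
        if not start <= event["hour"] < end:
            reasons.append("off-hours")
        if CREDENTIAL_ACCESS.search(event["cmd"]):
            reasons.append("credential/sudoers access")
        if LOG_TAMPER.search(event["cmd"]):
            reasons.append("log tampering")
        if reasons:
            findings.append({
                "host": event["host"], "user": event["user"], "as": event["target"],
                "time": f"{event['mon']} {event['day']} {event['time']}",
                "command": event["cmd"], "reasons": reasons,
            })
    return findings


# Constructed sample lines: hostnames, users and commands are made up for the demo.
SAMPLE_LOG = [
    "Sep 15 09:12:30 fileserver sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/apt-get upgrade",
    "Sep 15 22:04:11 fileserver sudo:   jsmith : TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Sep 15 23:40:02 dbserver sudo[4411]:   mlee : TTY=pts/2 ; PWD=/home/mlee ; USER=postgres ; COMMAND=/usr/bin/pg_dump hr",
    "Sep 15 23:41:57 dbserver sudo[4412]:   mlee : TTY=pts/2 ; PWD=/home/mlee ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log",
    "Sep 16 10:02:45 fileserver sudo:   tjones : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/tjones ; USER=root ; COMMAND=/bin/bash",
    "Sep 16 10:05:00 fileserver sshd[2210]: Accepted publickey for jsmith from 10.0.0.5 port 51234 ssh2",
]


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['user']} as {f['as']}: {f['command']}  <- {', '.join(f['reasons'])}")
```

On the sample lines the daytime package upgrade passes without comment, while the 22:04 read of /etc/shadow, the 23:40 dump of the HR database, the deletion of auth.log and the denied attempt by tjones are each reported with the reason they tripped. The point is not the specific rules but that the review runs on a copy of the log the administrator cannot edit, and that someone other than the administrator reads the output.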

September 15, 2010  6:10 AM

The Case for SaaS: The Questions You Need to Ask

Melanie Yarbrough

Updated 9/20/2010 at 4:48 PM ET with additional link.

First things first: What is Software-as-a-Service? From SearchCloudComputing.com:

Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.

Before you SaaS, Ask

SaaS is being hailed as a “savior” by some, but the perfect solution for a company that looks a lot like yours may be what sets your own operations and budgets back. Be sure to ask the right questions before deployment:

  • Should your company rely on software built and utilized by hundreds of other companies?
  • What are the possible repercussions of less specificity?
  • What are the possible repercussions of the buy-over-build mentality?
  • Is this functionality separate from other processes?
  • Are you currently investing in unnecessary customizations? In other words, will outsourcing to SaaS simplify operations in a beneficial way?
  • Can you afford to not own this functionality? Would downtime cause a disruption in business operations?
  • Is there a service-level agreement in place to protect your company from downtime?
  • Have you compared total cost of ownership (not just up-front licensing, but ongoing costs such as support and operations staff, hardware, etc.) to SaaS costs?

Benefits of SaaS (or why CIOs are foaming at the mouth)

We’re all familiar with solutions that look great on paper, but once they’ve been adopted past the point of turning back, they turn on us. Below are some of the reasons CIOs and other execs see SaaS as an answer from the heavens:

  • Faster implementation
  • Faster access to current technologies
  • Fewer bugs due to less complexity and fewer chances at errors
  • Lower cost for enterprise
  • Reduced start-up costs; can get off the ground faster and cheaper
  • Since vendors have less support spend, they can pass on savings to customer
  • Less time spent managing compatibility and upgrades
  • It’s the answer to across-the-board simple processes that allow time and money to go toward the more necessary and complex processes

Protect Yourself Before You Wreck Yourself

With the good always comes some bad, so be sure to know the ways you can protect yourself when entering this growing market.

  • Service-level agreement
  • Stringent security policies
  • Rights to the software and data should the SaaS vendor go out of business
  • Request permission to audit vendors’ controls

Money isn’t the only concern; often smaller companies with fewer resources outsource the risk in addition to the cost of keeping developers in-house. Look at the situation from the angle of worst-case scenario as well; would you be able to afford repair and recovery should something go wrong? If not, it may be worth outsourcing that responsibility to a third-party vendor.

For more information on the ins-and-outs and latest news on SaaS, check out SearchCIO’s Enterprise SaaS news section.

September 14, 2010  6:58 AM

4 things you can do right now to find out if your business is at risk

Kevin Beaver

A lot of executives and business owners – especially in smaller organizations – haven’t a clue where things stand with information security and compliance. But that doesn’t mean they don’t have a fiduciary responsibility to find out. Well, here are four things that can be done right now, over the next week or two, to find out where your business stands and what needs to be done to fill in the gaps:

1. Take inventory of sensitive information. Find out what sensitive electronic information your business processes and/or stores and where it’s located on the network. Sensitive information such as SSNs, health records, credit card numbers, employee records, and intellectual property is likely scattered about on servers, workstations, laptops, smartphones, and external storage devices in Word documents, Excel spreadsheets, emails, database files, log files, zip files, and backups. It’s everywhere and it’s usually unprotected from malicious intent.

2. Assess the risks. Find out how this sensitive information is at risk. Look at all external entry points such as Web applications, network connections, wireless networks, and mobile devices, as well as internal entry points such as unprotected server shares, weak Windows/database/application passwords, and missing patches that can be exploited (very easily) to give a malicious insider full access to a “protected system.” Don’t forget about physical entry points, including server rooms and unmanned reception areas that have unfettered network connections (such as VoIP phones). Using the right tools and a malicious mindset, you’ll be amazed at what’s putting your business at risk right now. Outsource this expertise if you have to. Network admins and developers – as smart as they are – often cannot see the forest for the trees. There’s also the conflict-of-interest factor.

3. Draft and finalize a policy on paper. Find out what documentation you have – or don’t have – that outlines what’s expected of your users and what steps will be taken when a breach or disaster occurs. This is one of the biggest areas of security that’s overlooked and taken for granted the most.

4. Consult laws and regulations. Find out which state, federal, and even international privacy and security laws and regulations govern your business; outsource this as well, if needed. By all means don’t rely on your legal counsel if he/she has limited experience in this area.
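Step 1 is the one a small shop can start on today, so here is an added example of how that inventory might begin. It is a constructed Python scanner, not code from the post: it walks a directory tree, flags US-format SSNs and Luhn-valid payment card numbers, and reports which files hold them. The sample files, their contents and the directory names are made up for the demo; a real run would point scan_tree at file shares, mail stores and backup trees, and would need further patterns for the other data types Kevin lists.

```python
import re
import tempfile
from pathlib import Path

# Two of the data types named in step 1. Assumptions: US-format SSNs written with dashes,
# and 13- to 16-digit payment card numbers, optionally grouped with spaces or dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits):
    """Luhn check-digit test, which separates real card numbers from other digit runs
    (ticket numbers, serials, timestamps) that the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, value) pairs for every SSN and Luhn-valid card number in a text."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", digits))
    return hits


def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory tree and map each file that holds sensitive data to its hits.
    Files are read as bytes and decoded leniently, so logs, CSVs and text exports are
    covered; binary formats (Office, PDF, zip) need a text extractor in front of this."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="ignore")
        except OSError:
            continue                      # unreadable file: skip it and keep going
        hits = find_sensitive(text)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample tree for the demo: one HR export, one application log, and one file
# of look-alike digits that must not be reported.
SAMPLE_FILES = {
    "hr/employees.csv": "name,ssn\nAlice Example,123-45-6789\n",
    "finance/orders.log": "2010-09-13 14:02:11 order 1187 card 4012 8888 8888 1881 approved\n",
    "it/tickets.txt": "ticket 1234567890123456 opened 20100913 (fails the Luhn check)\n",
}


def demo():
    """Write the sample files to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

The Luhn filter is what keeps the output readable: the 16-digit ticket number in it/tickets.txt is ignored, while the card number in the order log is reported even though it is written with spaces. Expect false positives anyway (test card numbers, serials that happen to pass Luhn), so the output is a worklist for a human, not a final answer.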

Best of luck.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 14, 2010  6:09 AM

The Security Soapbox: Our 10 Favorite Information Security Blogs

Melanie Yarbrough

To keep from falling asleep on the job (figuratively and literally), keep your mind sharp with the musings, analysis and tips from these information security pros:

1. …And you will know me by the trail of bits: Dino Dai Zovi has 9+ years of information security experience under his belt. He is a regular at conferences, speaking on what he knows best: “red teaming, penetration testing and software security assessments.” His claim to fame? Dino discovered the vulnerability and wrote the exploit that won him the first PWN2OWN contest at CanSecWest in 2007, and he was named one of eWeek’s 15 Most Influential People in Security.

2. Application Security: Perspective from the field: Michael Coates, leader of web security at Mozilla, blogs here about all things security: application security, secure coding, and penetration assessment. I especially enjoyed this piece about a flaw he found in Black Hat’s video stream a few months ago: The Irony – Black Hat Video Stream Hack.

3. /dev/random: Written by a security consultant in Belgium, this blog covers everything from general IT security theory down to step-by-step instructions for integrating blacklisting into your own DNS server.

4. Tao Security: Richard Bejtlich, Director of Incident Response at General Electric, blogs about “digital security and the practices of network security monitoring, incident response, and forensics.” He also reviews products and provides insight into daily industry and popular tech news.

5. Infamous Agenda: Matthew Hackling (great name for a security guy, right?) runs a security consultancy and writes about information security management, with “a keen interest in infrastructure and web application security.” He’s funny and informative, an essential mix when writing about IT. Check out this useful checklist for avoiding shelfware: ISMS implementation tips. [More great security blogs after the jump.]

September 13, 2010  12:29 PM

Email insecurity: How a GMail trick could trash your server

Melanie Yarbrough

It seems innocent enough, forwarding your work email to your Gmail (Hotmail, Yahoo, etc.) account. Your work email will be more accessible: on the train, at home, on the go. You pat yourself on the back for working harder than anyone else in the office. They really ought to give you a raise.

The flipside, of course, is the risk of forwarding potentially sensitive corporate materials to a third-party email host, where your company and its IT security department have no means of protecting them. We recently had an IT Knowledge Exchange member ask about the ways to forward work email to Gmail, and the responses we received from the community had one underlying theme: BE CAREFUL. So what, exactly, could go wrong?

David Vasta, one of our member bloggers, brings to light the possible legal repercussions.

You want to be very careful you are now sending company mail that belongs to your company from your company owned and operated email to an external source. In most states it is considered Corporate Theft and it’s a felony.

For more of David’s thoughts on the subject, check out what he wrote for his blog: Question of the Day – Forwarding Emails.

Sc00ter63 gave brief instructions on how to go about forwarding emails, but informed our user that his company has the option disabled “because of the security issues that can arise with forwarding company email to a personal/civilian account.”

CallMeRich brings up an often-overlooked but important concern: bringing down your company’s mail servers. It can happen through the slightest oversight. Set up your work email to forward to Gmail, then set up a Gmail “out-of-office” auto-response. That auto-response is sent to your work address, which forwards it back to Gmail, which auto-responds again, and so on until, within minutes, your Gmail account is full and your corporate mailbox has grown to terabytes in size. This can in turn take down or seriously hinder your mail servers. Rich warns that he has seen this “simple gotcha” happen, and that it can be devastating.

What sorts of email security blunders have you run into or been careful to avoid?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.
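The loop Rich describes is a classic mail-loop failure, and it is worth seeing why some guards stop it and others do not. The simulation below is an added example, not code from the post or from any mail provider: a work mailbox rule that passes mail on to a personal account, and a vacation responder on the personal account with the two common guards (honouring the RFC 3834 Auto-Submitted and Precedence markers, and replying at most once per sender). It also distinguishes a server-side redirect, which keeps the original sender, from a client-style “forward as new message”, which makes the work account the sender and drops the original headers. Addresses, subjects and message bodies are constructed for the demo.

```python
import email.utils
from email.message import EmailMessage

# Markers that identify machine-generated mail (RFC 3834 Auto-Submitted, the older
# Precedence convention, and the Exchange-style X-Auto-Response-Suppress header).
AUTO_PRECEDENCE = {"bulk", "junk", "list", "auto_reply"}
AUTO_HEADERS = ("Auto-Submitted", "Precedence", "X-Auto-Response-Suppress")


def make_message(sender, recipient, subject, body, extra_headers=()):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    for name, value in extra_headers:
        msg[name] = value
    msg.set_content(body)
    return msg


def is_automatic(msg):
    """True if the message says it was generated by a program, so no auto-reply is due."""
    auto = str(msg.get("Auto-Submitted", "no")).split(";")[0].strip().lower()
    precedence = str(msg.get("Precedence", "")).strip().lower()
    return auto != "no" or precedence in AUTO_PRECEDENCE or msg.get("X-Auto-Response-Suppress") is not None


def redirect(msg, new_recipient):
    """Server-side redirect rule: same sender, automatic-mail markers preserved, new recipient."""
    kept = [(h, str(msg[h])) for h in AUTO_HEADERS if msg[h] is not None]
    return make_message(str(msg["From"]), new_recipient, str(msg["Subject"]), msg.get_content(), kept)


def forward_as_new(msg, owner, new_recipient):
    """Client-style forward rule: a fresh message from the mailbox owner; original headers are gone."""
    body = f"---------- Forwarded message ----------\nFrom: {msg['From']}\n\n{msg.get_content()}"
    return make_message(owner, new_recipient, "Fwd: " + str(msg["Subject"]), body)


class VacationResponder:
    """Out-of-office responder with two optional guards."""

    def __init__(self, address, honor_auto_headers, once_per_sender):
        self.address = address
        self.honor_auto_headers = honor_auto_headers
        self.once_per_sender = once_per_sender
        self.seen = set()   # senders already answered; in production this should expire after some days

    def reply(self, msg):
        sender = email.utils.parseaddr(str(msg["From"]))[1]
        if sender == self.address or (self.honor_auto_headers and is_automatic(msg)):
            return None
        if self.once_per_sender:
            if sender in self.seen:
                return None
            self.seen.add(sender)
        return make_message(self.address, sender, "Automatic reply: " + str(msg["Subject"]),
                            "I am out of the office until Monday.",
                            [("Auto-Submitted", "auto-replied"), ("Precedence", "bulk")])


def simulate(rule, honor_auto_headers, once_per_sender, max_rounds=50):
    """Count the messages generated when a work mailbox passes mail to a personal account
    that auto-replies. rule is "redirect" or "forward"; the loop is capped at max_rounds."""
    work, personal = "jsmith@corp.example", "jsmith.personal@mail.example"   # constructed addresses
    responder = VacationResponder(personal, honor_auto_headers, once_per_sender)
    msg = make_message("customer@example.net", work, "Quick question", "Hi, could you call me back?")
    generated = 0
    for _ in range(max_rounds):
        out = redirect(msg, personal) if rule == "redirect" else forward_as_new(msg, work, personal)
        generated += 1
        reply = responder.reply(out)
        if reply is None:
            break
        generated += 1
        if email.utils.parseaddr(str(reply["To"]))[1] != work:
            break          # the reply went to the real sender, not back into the work mailbox
        msg = reply        # the work mailbox rule fires again on the auto-reply
    return generated


if __name__ == "__main__":
    for rule in ("redirect", "forward"):
        for headers, once in ((False, False), (True, False), (False, True), (True, True)):
            print(f"{rule:8} honor_headers={headers!s:5} once_per_sender={once!s:5} "
                  f"-> {simulate(rule, headers, once)} messages")
```

Running the four combinations shows the asymmetry. With a server-side redirect the auto-reply goes to the customer and the work mailbox never sees it, so there is no loop at all. With a client-style forward the work account becomes the sender of every forwarded message, and a responder that relies only on the Auto-Submitted and Precedence headers keeps replying, because the forwarding step built a new message and those headers never arrive; only the once-per-sender rule stops it, after three messages. A responder should therefore do both, and the forwarding side should redirect rather than rebuild the message so the markers survive.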
