March 15, 2013 1:30 PM
Posted by: Tony Bradley
, data protection
, Microsoft SharePoint
This is a guest post by Antonio Maio, Microsoft SharePoint Server MVP and Senior Product Manager, TITUS:
According to a 2011 AIIM survey, organizations are experiencing a 23% yearly growth in electronic records. This rapid growth presents a challenge to organizations that must comply with records management regulations while ensuring that the right people are accessing the right information.
To address this challenge, many organizations are looking to Microsoft SharePoint. With its powerful record-keeping capabilities, organizations can now manage their records using the same platform as they use for everyday collaboration and document management.
Records Management is one of the most popular drivers for using Microsoft SharePoint. Despite how much has been written on this, Records Management is sometimes confused with Document or Content Management, but it is in fact quite a unique discipline with its own best practices and processes. Microsoft SharePoint provides some great features to enable these processes, and it provides enterprises with the appropriate controls for the data and documents that they declare to be corporate records.
A recordrefers to a document or some other piece of data in an enterprise (electronic or physical) that provides evidence of a transaction or activity taking place, or some corporate decision that was made. A record requires that it be retained by the organization for some period of time. This is often a legal or regulatory compliance requirement. As well, a recordby definition must be immutable, which means that once a document or piece of data is declared to be a record, it must remain unchanged.
The period for which records are retained, along with the process followed once that time period has expired, is a critical requirement for records management. There are legal and business implications to consider when content is kept too long. The business policy could be that after X years, a record is archived and then after Y years from that point it is disposed (which could include deletion or moving it to offline long-term storage). Again, establishing this policy requires planning and getting agreement from stakeholders, especially around any legal, regulatory compliance, revenue or tax implications.
The requirements for records immediately suggest certain processes that must be in place to ensure that records are managed appropriately from several perspectives: business, auditing/legal, tax, revenue, and even business continuity. As we often find, for business processes to be applied consistently across all SharePoint content or records, automation is a key requirement, as well as making appropriate use of metadata.
The first step in implementing records management in SharePoint is to define a file plan, which typically includes:
· A description of the types of documents that the organization considers to be records
· A taxonomy for categorizing the records
· Retention policies that define how long a record will be kept and how to handle disposition
· Information about who owns the record throughout its information lifecycle, and who should have access to the record
It is important to determine what type of content should be considered a record. For example, if I am working on a new HR policy for next year, my initial draft and its various iterations should likely not be considered records because they are still changing – they are not yet approved or final, nor can I make any decisions based on those preliminary versions. But once my HR plan is ‘approved’ or considered ‘final’ then it can be declared a record because I can now base corporate decisions on it. Establishing a policy around what type of data is a record requires planning, meeting with appropriate stakeholders and agreeing on policy that’s communicated to everyone that may be declaring content as a record.
Once the organization has defined what information it wants to preserve as records, SharePoint 2010 provides several methods to declare a record and implement record retention policies. These include the Records Center site, which is a SharePoint site dedicated to centrally storing and managing records. It provides many features that are critical to implementing a records management system, including a dashboard view at the site level for Records Managers with searching capabilities and integration with the Content Organizer for routing records within the site. Depending on the business need, it may make sense to centralize records management and storage in the Records Center. This is particularly true if the business demands that a small number of users be considered “Record Managers” and it is their role alone to declare content as records.
A second method involves declaring records “in-place”.This feature allows individual users to declare content as records in their current SharePoint location. Records do not need to be moved or added to a central Records Center site, nor do they need to be routed within the Records Center. This is a trend in the records management space, because it allows users to continue to find content where it resides, based on its business nature, topic or properties. One drawback of this approach is that end users – who are typically not records managers – may be apprehensive about declaring records, due to the official and legal nature of a record.
The powerful recordkeeping capabilities in SharePoint give organizations an effective enterprise records management system. SharePoint contains valuable features that can be used to define the appropriate records and retention policies for the business.
TITUS is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.
March 15, 2013 12:35 PM
Posted by: Tony Bradley
, security best practices
This is a guest post by Bala Venkatramani, marketing manager at ManageEngine Password Manager Pro:
News media in the U.S. are abuzz with stories about cyber-attacks on top banks as financial institutions emerge as the prime targets of cyber-criminals. Reports suggest that since September 2012, cyber-attacks on bank networks have exploded.
Actually, banking and other financial institutions have always been a top target of hackers. During the past few years, renowned banking organizations across the globe have fallen prey to criminal hacks. Beyond huge financial losses, the victims suffer irreparable damage to their trust and credibility, the hallmarks of financial institutions.
The hackers’ predominant activities include spreading malware infections, syphoning of login credentials and denial of service attacks that disrupt service to legitimate users. The traditional security attack channels include viruses, keylogger trojans and cross-site scripting. The Trojans monitor keystrokes, log them to a file and send them to remote attackers. Scripting, on the other hand, enables malicious attackers to inject client-side script into web pages viewed by other users and exploit the information to bypass access controls.
Evolving Attack Patterns
Perimeter security software and traffic analysis solutions help in combating traditional attack vectors. However, hackers are starting to change their modus operandi. Cyber-criminals are now siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers, and Remote Access Trojans (RAT).
Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorized wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.
Another emerging threat is sabotage caused by the insiders at the financial institutions. Disgruntled staff, greedy techies and sacked employees have all been involved in cyber security incidents. Clearly, breaches of trust can occur anywhere, leading to grave consequences.
In internal and external attacks alike, unauthorized access and misuse of privileged passwords — the ‘keys to the kingdom’ — have emerged as the main activities. Administrative passwords, system default accounts and hard-coded credentials in scripts and applications have all become the prime targets of cyber-criminals.
Overlooking Privileged Passwords
While internal and external hackers are exploiting administrative passwords with increasing frequency, many financial institutions fail to recognize the importance of this crucial aspect of privileged password management. Passwords of enterprise IT resources are often stored in spreadsheets, text files, homegrown tools, papers or even in physical vaults. Yet these volatile sources are inherently insecure and do little to enhance data security or business reputation.
Passwords are further compromised in IT divisions that deal with thousands of privileged passwords, which are used in a ‘shared’ environment. This is a standard practice, which leaves a group of administrators to use a common privileged account to access a given resource.
Apart from the ‘officially shared’ passwords, users also tend to reveal administrative passwords to their colleagues, unofficially, for some reason or other. The most common reason for unofficial sharing of a password is to handle an emergency, e.g., an IT manager may reveal the password to a senior member when the manager is on vacation.
Developers, help desk technicians and even third-party vendors may require access to privileged passwords purely on a temporary basis. The passwords are often supplied via email or over the phone, both of which are highly insecure media. Worse, there is no process to revoke access and reset the password after the temporary usage, leaving an even bigger security hole.
Privileged password negligence often proves costly. Haphazard password management makes the enterprise a paradise for hackers inside and outside the financial organization. Many security breaches stem from inadequate password management policies, access restrictions and internal controls.
Tightening Internal Controls
Combating sophisticated cyber-attacks demands a multi-pronged strategy incorporating an exhaustive set of activities. Financial institutions need to deploy security devices, enforce security policies, control access to resources, monitor events, analyze logs, detect vulnerabilities, manage patches, track changes, ensure compliance and monitor traffic among other activities.
Of all the combat measures, bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should strictly be based on job roles and responsibilities. But access restrictions alone are not enough and must be supplemented with clear-cut trails that reveal ‘who’ accessed ‘what’ and ‘when.’ Likewise, password sharing should be regulated, and a well-established workflow should be in place for release of passwords of sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation should be enforced.
One of the effective ways to bolster internal controls is automating the entire lifecycle of privileged access management and systematically enforcing best practices. Privileged password managers like ManageEngine’s Password Manager Pro replace manual practices and automatically assist with securely storing privileged identities in a central vault, selectively sharing passwords, enforcing policies and above all, restricting access to and establishing total control over privileged identities. Enterprise-class password managers offer advanced protection of IT resources by helping establish access controls to IT infrastructure, and seamlessly video recording and monitoring all user actions during privileged sessions, providing complete visibility on privileged access.
Bolstering internal controls as detailed above will ensure that privileged identities will not be compromised — even if a hacker manages to penetrate the perimeter. Similarly, the threats due to attacks by malicious insiders are greatly mitigated.
Once internal controls have been tightened, financial institutions must remain vigilant and keep an eye on activities going on inside and around them. Logs from critical systems carry vital information that could prove effective in preventing security incidents. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations and other incidents. Monitoring network activity to establish real-time situational awareness is essential to enterprise security.
Of course, not all security incidents can be prevented or avoided. Nor can privileged password management thwart all cyber security incidents. However, too many security incidents occur as a result of lax internal controls — poor password management, in particular — and those violations can certainly be prevented. It’s time for IT organizations to take the bull’s eye off of the financial community networks and data and enforce some enterprise-class password protection.
ManageEngine is exhibiting at Infosecurity Europe 2013, the No. 1 industry event in Europe held on 23rd – 25th April 2013 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
February 26, 2013 1:48 PM
Posted by: Tony Bradley
New research from Symantec reveals that there was a variant of Stuxnet even earlier than the variant that made headlines a couple years ago. According to a Symantec spokesperson, this earlier version had a slightly different approach. “Rather than affecting the speed of uranium enrichment centrifuges, Stuxnet 0.5 was designed to close crucial valves that feed uranium hexafluoride gas into the centrifuges, causing serious damage to the centrifuges and the uranium enrichment system as a whole.”
Despite evidence that Stuxnet 0.5 stopped spreading in 2009, Symantec claims that it still found dormant infections as late as last year.
Check out the white paper from Symantec for more details on this new cyber espionage threat.
February 14, 2013 10:36 AM
Posted by: Tony Bradley
, Cyber War
The Economist recently quoted Richard Bejtlich, a respected authority on cybersecurity and CSO of Mandiant, saying, “No one in the United States is expected to provide for their own air defence.”
Bejtlich added, “We have an army to repel a land invasion, so who is out there protecting the cyber lanes of control? Nobody. It is a free for all.”
The Bejtlich quote is an interesting prelude to President Obama calling on Congress to act to strengthen cybersecurity during the recent State of the Union speech, and issuing a cyber security executive order to get the ball rolling.
Based on a survey conducted by Tenable Network Security, the vast majority of people tend to agree that the United States–both private and public sector–is ill-prepared to defend itself against cyber warfare attacks, and support efforts to strengthen our cyber defenses, and expand the power of the President to respond to cyber threats.
Results from the survey include:
- 60% support government-trained “cyberwarrior” program
- 92% of Americans believe critical infrastructure (e.g., public utilities) are vulnerable to attack
- 93% believe U.S. corporations are vulnerable to state-sponsored cyberattacks
- 94% support President having authority to respond as he would to physical attacks against the country
- 66% believe corporations should be held responsible for cyberattacks against consumers
- 62% say government should be responsible for protecting U.S. businesses from cyberattacks
“It’s clear American citizens see the threat of cyber conflict around the corner, and the nation’s state of readiness for such attacks is a major concern,” said Ron Gula, a former cyber security expert with the NSA and now CEO and CTO of Tenable Network Security.
February 13, 2013 9:11 AM
Posted by: Tony Bradley
, Stuart McClure
Shhhh…Cylance is coming. Ha. See what I did there?
What is Cylance? It’s a new security company started by Stuart McClure, former CTO of McAfee. McClure is more than that, though. He was also a co-founder of Foundstone–which was acquired by McAfee–and he is one of the primary authors of the venerable, and highly respected book Hacking Exposed, which is currently in its seventh printing.
I first met McClure as Guide of the About.com Internet / Network Security site. I hosted an online chat session with him and George Kurtz (another co-founder of Foundstone who is also working on launching a new startup called CrowdStrike) to talk about Hacking Exposed and field questions from the audience. We’ve been friends ever since.
McClure explains at length why he chose to leave a top executive role to start a new security company in a blog post. There is a hell of a story there, and it’s worth a read. The bottom line is that we now have Cylance–built on the simple premise that the current security industry is broken. The success of so many attacks–particularly threats like Stuxnet or Flame that have been operating undetected for years–and the reactionary model of the security industry support the premise, and McClure is certainly in a position to know how the security industry is broken, and perhaps even how to fix it.
Cylance announced that it has raised $15 million in early funding, and it has named a number of high-profile individuals to its board. It seems that things are heading in the right direction for the young startup. I will be spending some time with McClure at the RSA Security Conference in San Francisco in a couple weeks, so I’ll have more to share about Cylance then.
February 8, 2013 9:15 AM
Posted by: Tony Bradley
, Patch Tuesday
Get ready. Microsoft is unleashing 12 security bulletins next Tuesday to address a whopping 57 separate vulnerabilities.
Andrew Storms, director of security operations for nCircle, explains, “The dirty dozen affects a wide range of operating system versions and includes Exchange Server, a critical business application. Over the past few months Microsoft has released a number of bug fixes for Oracle’s Outside In technology used by Exchange Server, but none of the bugs fixed represented severe threats. Exchange server bugs make a lot of people nervous; let’s hope this month’s Exchange patch is as dull as ditch water.”
According to the Microsoft Advance Notification, five of the 12 security bulletins are rated as Critical, while the remaining seven are Important.
Alex Horan, senior product manager, CORE Security, says, “This month we see some significant vulnerabilities with the potential to create a formidable one-two punch, which could be key to hackers unleashing the most powerful attacks in their arsenals. When these exploits are used in the right combination, the effects can be deadly for system administrators.”
Rapid7’s Senior Manager of Security Engineering, Ross Barrett, tries to find some silver lining, “It’s both good and bad news that the patches are mostly clustered on Windows Operating System, without dipping too much into Office or more esoteric specialty Microsoft products. It’s good because administrators probably don’t have to worry about applying multiple patches for the same advisory to a single host. It’s bad because an organization with even the simplest deployment of Microsoft products will probably be hit by all of these advisories, meaning their desktop and server teams will be extra busy.”
Storms has some concerns about Internet Explorer. “Internet explorer patches are always a top priority and this month we’re going to get two Internet Explorer bulletins. That’s unusual because generally, when Microsoft patches IE, the patch is delivered as a single bulletin. The planned delivery of two separate IE bulletins has my ‘Spidey’ senses on alert. I’m sure other IT security teams are wondering exactly what kind of IE valentine we’re going to get.”
Qualys CTO Wolfgang Kandek points out that Microsoft is not the only vendor issuing patches. “Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild. Update your Flash installations as quickly as possible – Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.”
I hope you didn’t have anything going on for Valentine’s Day, because you might be busy.
February 7, 2013 2:10 PM
Posted by: Tony Bradley
Sixth edition. That alone should tell you a lot about this book. There are tons of CISSP exam prep resources out there, and a virtually endless supply of information security books–but very few can claim to be in their sixth edition. The fact that Shon Harris’ CISSP All-In-One Exam Guide is still the #1 CISSP exam guide after all these years is a testament to the knowledge and skills of Harris, and the quality of this book.
Does my praise for the book seem a tad “glowing”? It should. I took the Certified Information Systems Security Professional exam in 2002. I had a strong foundation as an MCSE and Windows network administrator, but the CISSP exam covers an intimidating breadth of information. I used the CISSP All-In-One Exam Guide to prepare for the exam, and passed without any problem. I have been an ardent fan, and evangelist for the book ever since.
Don’t take my word for it. This latest edition includes the following quote from me in the front matter at the beginning of the book: “Shon is brilliant when it comes to network security, and even better at conveying network security concepts to others. Her book, CISSP All-In-One Exam Guide, single-handedly helped me to achieve the CISSP certification, and I recommend her lectures and training materials every chance I get. She has been a tremendous source of advice and support for me, and I highly recommend working or training with Shon to anyone.”
The CISSP certification is still regarded as the de facto credential for information security professionals. It has become table stakes expected of applicants to even get a foot in the door for potential information security roles. The exam itself is a grueling six hours, but if you’ve prepared yourself with this book you don’t need to stress about it.
About The Book
At first glance, the book seems more overwhelming than the exam itself. I swear each edition of the book gets a little longer. The sixth edition comes in at nearly 1,500 pages. It’s an intimidating three inches of small print text packed cover to cover with information you need to know to pass the CISSP exam.I like that Shon opens the book with a discussion of what it means to be a CISSP. She covers the million dollar question “Why become a CISSP?” right on page one. Someone considering a career in information security should just peruse the first chapter of this book at their local library or corner book store to get an idea of what they’re getting themselves into.
If you get past the first chapter and you still want to be an information security professional, buckle up. The CISSP exam is broken into ten domains, and Harris delves into each one in painstaking detail. The book covers Information Security Governance and Risk Management; Access Control; Security Architecture and Design; Physical and Environmental Security; Telecommunications and Network Security; Cryptography; Business Continuity and Disaster Recovery; Legal, Regulation, Compliance, and Investigations; Software Development Security; and Security Operations.
One of the things that I appreciated when using the book to study for my own exam is that Harris doesn’t just teach the test. The reason the book is so thick is that she provides detailed explanations and walks you through the hows and whys of information security. The book makes no assumptions about what you may or may not already know, and provides the details to reinforce the knowledge you need for the exam with the underlying foundation you need to actually put it to use in the real world. That isn’t to say that it’s the only resource you’ll ever need. The CISSP covers a broad range of information by design, but it’s not meant to make you an expert in any particular domain.
Each chapter ends with practice questions (the answers are in Appendix A), and the book includes a CD with additional training and practice exams.
If you’re familiar with the field of information security–or technology in general–then you’re aware that the only constant is change…rapid change. There are certainly core elements of information security that have remained the same from the first edition to the sixth edition of this book, but the reason there is a sixth edition at all is because information security is constantly changing. Harris does a superb job of staying on top of those changes, and incorporating them into this book to ensure the CISSP All-In-One Exam Guide remains the best resource available for potential CISSP candidates.
January 18, 2013 12:07 PM
Posted by: Tony Bradley
, data security
, mobile security
Remember when people showed up at an office from 9am to 5pm and sat at desk to get stuff done? Some still do, but the reality is that the work culture has shifted dramatically over the past decade, and mobile computing and devices are at the heart of that shift. Thanks to ultrabooks, smartphones, and tablets, combined with 3G/4G cellular connectivity, and free public Wi-Fi hotspots the “office” is really anywhere you happen to be.
That is awesome from an efficiency and productivity perspective, but it also exposes sensitive data and network resources to new risks. In a nutshell, if users can access the personal information of customers from the other side of the world through their smartphone, so can a cyber criminal. If your users can connect to internal network resources from an ultrabook or tablet, then so might an attacker–particularly an attacker that possesses a stolen laptop or tablet that’s already configured to access your network.
It’s a brave new world, but one that requires awareness of the new risks it imposes, so you can properly protect mobile devices and take advantage of the benefits with confidence and peace of mind. Pankaj (PJ) Gupta, CEO and Chief Architect at Amtel–a company that offers an integrated Mobile Device Management and Telecom Expense Management platform for enterprises–shares his thoughts on the top five mobile security threats, along with tips to mitigate and minimize the risks.
1. BYOD—Allowing employees to use their personal devices either in the company setting or to conduct company business can be a recipe for disaster. Aside from the risk of mixing business and personal data, photos, social media activity and more, allowing access to corporate data on a device or network that the company does not own or control can easily allow sensitive information to fall into the wrong hands. Establishing specific rules and guidelines or placing access restrictions on the use of company information and/or apps on employee-owned devices is the first line of defense in thwarting the BYOD risk.
2. Apps management—While there are thousands of incredibly helpful apps on multiple platforms, there are also many that have no place in the corporate environment, from either a productivity or security standpoint. To ensure company data is uncompromised, use a whitelist/blacklist program and software that controls and/or monitors app use to manage what’s available and/or accessible.
3. Productivity drain—While not exactly a security threat, time wasted on games, social networking and other leisure apps can be a serious threat to productivity and competitive position. Geo-fencing, or the use of GPS location boundaries to secure/restrict access to certain apps can solve the problem. For example, companies can set up a geofence that disables Angry Birds and Cut the Rope while within the office building. Geo-fence technology can also be used to restrict features on the device, prohibiting the use of the camera in areas where trade-secret equipment or sensitive documents are kept, for example, or enabling access to data-heavy apps only when Wi-Fi is available to control data costs.
4. Content sharing—Companies may want to be selective about the type of content made available on mobile devices. For example, investor documents, proprietary information and other sensitive material can fall into the wrong hands if the device is lost or stolen. The use of content-sharing controls can secure access to those documents, as well as push automatic updates as documents are changed, to ensure the latest version is always available. Sharing controls can even restrict the ability to transmit documents via a mobile device without proper authorization.
5. Password security—It’s hard to believe that in 2013, passwords are still an issue. Yet, some reports show that roughly half of mobile phone users don’t use a password to protect their device. For those that contain corporate apps or access to company data, that’s a huge security hole just waiting to be exploited. Use of a containerized solution can plug the hole, requiring a separate password or PIN to access corporate data, regardless of whether the device itself is password protected.
I agree for the most part that these are five of the top issues facing organizations when it comes to effectively embracing mobile computing without compromising security. I recommend reading Five Steps to Creating an Effective Mobile Device Policy, and 5 Essential Capabilities of an MDM Solution.
January 14, 2013 3:23 PM
Posted by: Tony Bradley
Happy Monday! IT and security admins are off to a busy start this week with urgent out-of band patches from both Oracle and Microsoft.
Oracle has been under fire for days following attacks against a new zero day flaw in Java. Zero day vulnerabilities are certainly not unique to Oracle, or Java, but many security experts and IT admins are disgruntled over how Oracle’s approach to security in general, and its response to serious incidents like this.
Andrew Storms, director of security operations for nCircle, shared some thoughts about the urgent updates. “Pushing the Java patch out ahead of their regular bulleting is a step in the right direction for Oracle, but it may be too little too late. There has already been some lost confidence in Java. Oracle really needs to step up their security game.”
Wolfgang Kandek, CTO of Qualys, says, “I still recommend disabling Java in the browser using the Java Control Panel. for better security against future threats that tend to come down through the browser attack vector.” Kandek goes on to say that users who actually need to use Java should at least go into the Java Control Panel and uncheck the box labeled “Enable Java content in the browser”.
On the subject of Internet Explorer, Storms said, “The out-of-band IE bulletin should come as no surprise. Microsoft issued an advance notification this weekend announcing their intention to go out-of-band with a single CVE to address the zero-day bug currently being exploited in the wild,” adding, “I wouldn’t be at all surprised to see another IE bulleting in February in addition to today’s patch. Some people moan and complain about the volume of IE patches, but in my book regular browser patches are a good thing. Browsers are the primary window to the Internet for almost everyone so they are constantly under attack by cyber criminals.”
Kandek emphasizes some important information about the IE patch. “Please note that this update is a real patch and not a cumulative update, as we are used to for typical Internet Explorer updates. It is highly recommended to have MS12-077 (the last cumulative Internet Explorer update) installed before applying MS13-008.”
If you use Java and/or Internet Explorer 6, 7, or 8 you should immediately apply the appropriate updates. An alternate solution for Java would be to simply uninstall it if you aren’t actively using it. Windows Vista, Windows 7, and Windows 8 users can also avoid the zero day issue by updating to Internet Explorer 9–which is not affected by this vulnerability.