Archive for the ‘Security Problem Solution’ Category
Attacks on your network happen continuously, on a 24/7/365 basis. They cause a range of issues, from simple nuisances, through slowed network performance and functionality, all the way to your network and, even worse, your data being lost or corrupted.
Attacks on your network are not just through email containing malicious code and attachments being sent to staff, or by simple web browsing and visiting sites which cause malware, viruses and Trojans to be downloaded – your network is exposed at any point where users (both authorized and non-authorized) can gain access to the network or wherever the network is connected to the outside world and particularly at the web gateway.
Security issues are very real and the losses which may be caused by attacks come with a huge financial price tag. The damage is not just to your bottom line but also to your assets, and particularly your business reputation. How many customers will be happy to learn that because your network security was breached, their private banking and personal information has been stolen or lost? What do you think a business regulator is going to make of your inability to produce financial records when they ask for them? How about an inability to produce email correspondence if you are engaged in a legal dispute?
Wireless connectivity is increasing and becoming an industry standard for accessing networks and the internet, as well as for working remotely over the web. This means that there is a never-ending variety of opportunities to gain access to the network by breaking in through the wireless gateway or by taking control of a remotely-linked machine.
One solution is to strengthen application security. Application security deals with the software programs which your staff are using. Security solutions need to be put in place to ensure that the hardware they are using cannot be compromised by non-authorized parties and that, when they are running a program, it only performs authorized tasks. For instance, if an employee loses a laptop through theft, the laptop must not then be allowed to access the network remotely. This can be achieved by using machine access codes and strong password policies for using an application and for accessing the network.
Another solution is to ensure that WiFi security is strengthened. Try this yourself: in your neighborhood, whether at work or at home, ask your computer to show you existing wireless networks (if you’re running Windows you can usually see an icon in your bottom taskbar on the right hand side). If there are wireless networks in the area, it will show you whether they are secured or unsecured. If you see an unsecured network, which is likely, you will be able to hop onto the internet using that connection and wireless router. Effectively this is stealing someone’s bandwidth but, more importantly, it is allowing a third party to come closer to gaining access to the network core, your data and your hardware.
For those Americans who are lucky enough to have a summer home in these troubling economic times, it is important to remember how to take care of it. After all, wintertime months might mean a whole lot less maintenance, but they definitely don’t mean that it’s a good idea to neglect your other property. Hopefully, come June, you’ll have remembered to do the right kind of checking up, and the first time that you unlock the door to your lakeside cabin or exciting ranch home, there won’t be a world of repairs and obligations waiting for you.
One of the biggest steps in ensuring that all is well for your summer season is starting to think about home security before it’s even time to pack up for the winter. If you are renting out your property to others during the busier parts of the year, or even in the off-season, it is crucial that you have a separate space for keeping your personal belongings safe and secure. Be sure to also have a checklist at the beginning of each season, and take note of what is actually on the premises. This way, if someone accidentally breaks a bunch of important kitchen items or happens to try to steal a piece of stereo equipment or a painting, you will know which renters are responsible, and can hold them accountable accordingly.
At the same time, you should also be considering your home security at your own home if you’re jetting off to a summer cabin or other space for a big chunk of time. During periods of extended absence, your home is immediately more vulnerable to burglars, who are able to tell that no one is home due to the fact that there are often tell-tale signs that the property is not currently occupied. Learn what these signs are, so that you can work against them. Never forget to cancel your newspaper or mail delivery, and try to keep lights turned on, but not in an obvious fashion. This way, your house will look just as occupied as when you are there, saving you a whole world of trouble.
If you are going to be able to get away to your summer property, be sure that you are also taking care of it while having fun. Do a quick walk-through to make sure that other guests haven’t wreaked any havoc, and always remember to lock the deadbolt when you’re heading out for the afternoon, as well as take care to shut and lock all doors and windows. While even a quiet getaway town might seem like a spot where there aren’t going to be any problems, the fact is that home security matters here just as much as anywhere else. Don’t end up getting robbed while you’re on vacation, as it can be a truly frustrating experience, especially for those who need their computers to work remotely. If you remember to stay alert and to take all of the same steps that you take at home, though, then you and your summer property should be just fine.
Interim management is a growth area, especially in the field of information security. An interim manager works for a company on a temporary basis, either implementing a special project or bridging a gap caused by the departure of a permanent manager. It can often be the ideal solution when a new project requires specialist skills and experience not currently available in the company.
Compared to the traditional management consultant, an interim equivalent brings a lot of added value to the table. Whereas a consultant will make recommendations for the business to carry out, an interim manager will in addition implement these measures and take full responsibility for them. Unlike a consultant or a low-level “temp”, a temporary manager is judged on the effective delivery of a specific project, rather than being assessed merely on production of a voluminous report, or simply turning up for work. Not the least of the advantages of interim management is the fact that this solution can be a lot cheaper than using management consultants!
In the field of information security, hiring an interim manager can make even more sense. Relatively few professionals have the skills needed, since information security is a fairly new field, and so there can be difficulties in filling a position that suddenly falls vacant. In addition, a temporary information security manager can be of immense value in setting up the organisation’s Information Security Management System (ISMS), but thereafter there may not be a need for a full-time position with those specialist skills. In this situation, a temporary manager could be the most cost-effective solution by far.
Naturally, there are a few disadvantages to this solution. The chief one is the loss of continuity: once the temporary management arrangement is over, that skill-set is no longer available to the organisation. This means there may be difficulty in finding appropriate expertise at short notice if an information security related problem should occur. This is a risk that directors should consider carefully before opting for a temporary management solution.
In addition, there is a limit to the degree to which an interim manager will be able to effect a change in company culture towards a greater awareness of information security as the responsibility of all employees. Cultural change takes time, and time is one element necessarily unavailable to a temporary manager. If there is no-one to pick up this requirement after the completion of the project, then (although the short-term project may be delivered on time and within budget) the longer-term requirement for change may “fall between the cracks”. Again, this is a matter for careful consideration at Board level. However, both this and the first disadvantage will also be seen in situations where management consultants are hired, and so cannot be considered unique to the use of interim managers.
Interim security management, in short, has the potential to provide an excellent solution to situations that can occur fairly frequently in businesses. Although not without its disadvantages, which must be assessed and addressed by the organisation, temporary management can offer added value compared to hiring management consultants, and will often be considerably cheaper. These factors no doubt lie behind the current significant growth in the use of interim managers.
Lawyers who create contracts for outsourced information technology (IT) services, on behalf of their clients who are purchasing the outsourced services, understand the need to include service-level agreements (SLAs) for the availability of the IT services. But for the benefit of their clients, they also need to include SLAs for the security of the IT services.
The business reason for having a security SLA is that it minimizes the risk to the client of incurring liability resulting from a security breach suffered by the outsourcer. For instance, if a publicly traded U.S. client’s financial information is tampered with while in the custody of the outsourcer, and as a result the client publishes an inaccurate financial report, the client could be held accountable by the U.S. federal government for breaching the Sarbanes-Oxley Act. This could result in jail sentences for the client’s CEO and CFO.
Lawyers also want to minimize their clients’ liability with regard to the following:
1. The accuracy of disclosure of financial information, in compliance with legislation such as Sarbanes-Oxley.
2. The privacy and integrity of individuals’ private information, in compliance with privacy protection legislation such as California’s identity theft law, SB 1386, and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
3. The results of an information security breach that could result in their clients’ incurring costs associated with lost revenues, damage to their reputation, loss of productivity, and of course legal costs.
I have not yet spoken with a law firm that currently includes a security SLA for their clients’ outsourced contracts. Instead, the law firms rely upon vague written assurances and references to security standards, which are provided by outsourcers.
The problem with referring to standards is that they are not related to a law firm’s specific requirements. The bottom line is that the outsourcing clients have placed some control for their security-related liability in the hands of their outsourcer, while the clients have no means of verification or recourse.
The key elements of an enforceable security SLA are to clearly and simply identify the following:
1. What information is to be protected and from what risks.
2. Components of the outsourcer’s network architecture, which may be associated with risks to the information.
3. How to define non-compliance with the security SLA.
4. Issues beyond the scope of the security SLA.
5. The auditing steps for determining non-compliance.
6. Remedies for dealing with results of non-compliance of an audit.
7. Which party pays for auditing and for resulting remedial costs.
From a business expediency perspective, the security SLA must:
1. not impede the closing of the deal at hand;
2. be written to appeal to both executives who make decisions about risk, and to IT staff who will interpret the technical security and compliance related issues; and
3. provide a process for identifying security vulnerabilities and mitigating them during the entire period of the outsourced contract, without having to specify the vulnerabilities at the time of signing the contract.
Since new security threats are constantly emerging, and since the outsourcer may upgrade its network with new software and hardware, it is simpler to define non-compliance rather than compliance. The auditing process for determining non-compliance should be defined in the security SLA.
It is common for many companies to notice a security problem and then immediately look for technology solutions to plug up the hole. In the end, companies wonder why they have an abundance of solutions that do not efficiently secure company assets. This is where planning becomes a necessity.
The Importance of Planning
Planning your security policy requires a close analysis of employee behavior in different job roles and is also the time for company security goals to be articulated. Having problems and goals evaluated simultaneously makes it easier to come up with all-encompassing solutions that will be effective and advantageous for all. A good rule of thumb when planning a security policy is to base the policy around risks rather than technology. A policy should not change as the technology changes.(1)
The Planning Stage helps to address this by focusing on employee behavior. This is crucial because changes in policy often start with changes in procedure. “Organizations need to understand that much of information security and privacy work that needs to be done are people-based [regarding] policies, procedures, training, awareness [and] response activities.”(2)
Planning Your Security Policy
There are three factors to keep in mind when planning your policy. The first requires you to express the goals of your policy. What are you trying to accomplish? What are you trying to protect? The second step requires you to scan the work environment and identify vulnerabilities that exist within current processes. The final step asks you to create a plan of action that will help alleviate the flaws. All are equal contributors to planning success.
Step 1: Setting Goals for Your Security Policy
Your security policy goals should run parallel with the goals set for your company. For example, if your company is customer oriented, then a goal of your security policy should be to protect your customers and their data through use of encryption and network security.
Furthermore, all parties should play a role in goal setting. This is crucial because if a security breach were to occur, each department plays a different role in the recovery process, as well as in re-evaluating procedures for policy improvement. Global involvement allows each department time to invest in the policy, ensuring a higher level of cooperation when the time comes to implement the policy.
Step 2: Identifying Security Vulnerabilities
A company must examine existing procedures and identify all processes that pose a security risk. For example, policies regarding data management (how data is protected during storage, how long it is kept, and proper methods for data deletion) are common pains in the corporate world. Some questions that may help identify such vulnerabilities include:
What types of sensitive information does your company handle?
Which department handles each piece of sensitive information?
Is sensitive information stored with non-sensitive information?
Such questions should spur some thought as to what changes need to be made in order to begin alleviating the risks that accompany current processes within departments.
Step 3: Creating a Plan of Action
After identifying which processes require change, create a plan of action for mitigating these risks. Each plan should consider how long it will take for each change to occur, what type of training is necessary for each individual/department to meet the newly adopted standards, and also what responsibilities each individual/department can be held accountable for (i.e. how often are gap analyses(3) regarding security conducted and who conducts them?).
Other challenges include budget limitations and optimizing security measures while still adhering to auditing standards. Such measures “should be traceable from one document to another so that audits can easily verify that policies are being enforced.”(4) If technology solutions are an option, comparing different products may be helpful.
After procedures have been established, decision makers should be able to identify “which personnel roles are responsible for which activities, which activities need to be logged, [and] how often inspections and reviews are done internally.”(5) They should also have followed up with a procedure for making additional changes to the policy in the future.
Security Policies to the Rescue
Security policies are a necessary element to prevent your business from facing disaster. “Information security and privacy cannot be a band-aid-add-on after a product or system has been launched; it must be incorporated into the mindset of all personnel,”(6) with ample time and training provided to ensure internalization.
Now that you have your security policy planned out, it’s time for policy implementation. But before you try putting your security policy into action, read Implementing Your Security Policy [http://www.essentialsecurity.com/news_business.htm?id=1383] to get some implementation tips.
Video Cassette Recording (VCR)
Today, a security camera system may consist of many different products and technologies. Many suppliers build pieces of the system, whether it is part of a hybrid analog/digital implementation or an end-to-end networked IP solution. The following sections explain the evolution of the CCTV system, starting with a fully analog system and adding components until it achieves networked capability.
A traditional analog surveillance system consists of analog cameras, time-lapse VCRs and monitors. A coaxial cable runs from each camera to a multiplexing device, which allows multiple cameras to record to one VCR, with a monitor for viewing. The time-lapse VCR allows the operator to adjust when the VCR records so the standard two-hour VHS tapes can be used for much longer. The trade-off results in lower-quality images in return for less frequent tape changes or image overwriting.
Analog CCTV recording systems have been the basis of surveillance and monitoring for the past twenty years. This technology is extremely old and outdated and is rapidly being replaced by digital recording technology, which now represents over 80% of all new installations.
Digital Video Recording (DVR)
A DVR is a computer with a special video graphics card that connects it to an analog camera via 75-ohm coaxial cable. The card also converts the analog signal to a digital signal and compresses the resulting image so it can be stored on an internal hard drive, viewed or transported across a network. DVRs typically utilize a computer operating system such as Windows or Linux along with Video Management System (VMS) software. DVRs are controlled and accessed via keyboards, mice and external monitors in order to set up, run surveillance software and replay stored video. DVRs usually have an internal Ethernet connection for LAN or WAN attachments.
Network-Attached Digital Video Recorder (NDVR)
A Network-attached Digital Video Recorder is part PC and part “Network Appliance”. An NDVR is very similar to a DVR and is sometimes called a “Network Appliance” because it does not require an attached keyboard, mouse or video monitor. The device is plugged directly into an Ethernet switch and the only way to access the device is through the network. The device still has an operating system but it resides in firmware burned into a chip on the motherboard. Most of these NDVRs rely on Video Management Software (VMS) loaded on a network-attached client PC; however, some have it ‘embedded’ in another motherboard chip, where it can be accessed from any PC through an Internet browser. Most of these products have internal hard drives for local video file storage, but they can be inter-connected with Direct Attached Storage Arrays (DAS), Network Attached Storage (NAS) equipment or Storage Area Networks (SANs) through the LAN or WAN.
Network Video Recorders (NVR)
The ‘pure’ Network Video Recorder (NVR) is not a “turn-key box” or network appliance, but is created with a combination of network devices. An NVR can be a standard network server with internal or attached storage capability along with recording software, video surveillance system or communication software and possibly even intelligent video analysis software. Digitization of the analog video is done by a separate ‘Video Encoder’ or ‘Video Server’ which is also attached to the Ethernet/IP network. Using an NVR configuration, true IP cameras can act as Video Servers and input images directly to the NVR and be managed directly by the NVR video software.
Video Encoders & Decoders
Encoders are used to take video signals in analog or digital form and make them suitable for transmission where bandwidth or storage capacity is an issue. Encoding applies to many video surveillance system applica





