InfoSec Blog

Find valuable news, tips, and guidance in information security.

Guidelines for Username and Password Risk Management

Posted by: JurInnov | Posted on: February 1st, 2011 | 0 Comments

Eric Vanderburg

Usernames and passwords still represent a major information security risk to organizations. This basic but crucial element can nullify the effectiveness of even the best systems, which is why usernames and passwords must be kept secure if you hope to have any assurance in your information system. To help manage this risk, this article outlines several common bad password practices, the risks they present, and the steps to take to reduce those risks and protect company information. Some of the most prevalent mistakes users make regarding passwords include:

  • Sharing passwords
  • Using the same password for multiple accounts
  • Creating insecure passwords
  • Retaining passwords long-term


Physical Security for Data in Transit

Posted by: JurInnov | Posted on: January 25th, 2011 | 1 Comment

Eric Vanderburg

Briefcase chained to his wrist, the officer cautiously looks for anything out of the ordinary as he makes his way purposefully to a black vehicle with government plates. You would think he might relax with two armed men flanking him and another waiting at the car but his rigorous training keeps him focused. The thought of the coded orders he protects falling into another’s hands reminds him of the need to stay alert.

The scene depicted here highlights the importance the government places on data being transported. Organizations also transport valuable data, but too often little is done to protect it. The scene above is an extreme case: shareholders do not expect companies to go to the same lengths to protect each hard drive or backup tape, but they do expect reasonable physical security measures to be taken to protect data in transit.


Fail Secure – The Correct Way to Crash

Posted by: JurInnov | Posted on: January 5th, 2011 | 0 Comments

Eric Vanderburg

Anyone who has taken a martial arts class can attest to the importance of learning how to fall. In the course of training, a person will fall many times, and it is important to know how to fall properly so that injury does not occur. Similarly, software needs to be able to crash in such a way that injury, in the form of an information security vulnerability, does not occur.

Systems and software will crash, and attackers will try to make them crash to reveal potential vulnerabilities in their startup routines. The job of security professionals and security-minded developers is to architect a solution that fails securely by determining what should happen if a component in a system were to fail. This concept, called “Fail Secure”, is defined by Wikipedia as “a device or features which, in the event of failure, responds in a way that will cause no harm, or at least a minimum of harm, to other devices or danger to personnel.”


Cisco Access Controls and Security

Posted by: JurInnov | Posted on: December 29th, 2010 | 0 Comments

Eric Vanderburg

Many organizations use Cisco devices to interconnect, protect, filter, and manage networks, so it is important to understand ways to improve the security of these devices as part of your information security program. This article discusses three basic access controls you can implement on any Cisco device. These access controls are intended for those who are new to Cisco, so if you are a Cisco veteran, please peruse some of our more advanced articles on Cisco and information security.


Criteria for Selecting an Information Security Risk Assessment Methodology: Qualitative, Quantitative, or Mixed

Posted by: JurInnov | Posted on: December 10th, 2010 | 0 Comments

Eric Vanderburg

An information security risk assessment is the process of identifying the vulnerabilities, threats, and risks associated with organizational assets and the controls that can mitigate those threats. Risk managers and organizational decision makers use risk assessments to determine which risks to mitigate using controls and which to accept or transfer. There are two prevailing methodologies for performing a risk assessment: the qualitative and quantitative approaches. A third approach, termed mixed or hybrid, combines elements of both.


The Essential Link between Awareness and Security Policies

Posted by: JurInnov | Posted on: November 15th, 2010 | 0 Comments

Eric Vanderburg

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. Information security policies have value only when they are understood, adhered to, and enforced. For that to happen, employees must be made aware of the policy, the policy’s reason for being, and how it affects them.

This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated through implementing awareness training following policy enactment.


Developing a Virtualization Security Policy

Posted by: JurInnov | Posted on: November 12th, 2010 | 0 Comments

Eric Vanderburg

Since many organizations are rapidly virtualizing servers and even desktops, there needs to be direction and guidance from top management regarding information security. Organizations will need to develop a virtualization security policy that establishes the requirements for securely deploying, migrating, administering, and retiring virtual machines. In this way a proper information security framework can be followed in implementing a secure environment for hosts, virtual machines, and virtual management tools. This article is part two of a series on virtualization. The previous article was titled “Critical security considerations for server virtualization.”


Understanding Data Loss Prevention (DLP)

Posted by: JurInnov | Posted on: October 29th, 2010 | 0 Comments

Eric Vanderburg

Data Loss Prevention (DLP) is one of those terms that is often mentioned but less often defined. The term can be as ambiguous as its scope, which can be large or small. So what is DLP and why does it matter?

Data Loss Prevention (DLP) is an effort to reduce the risk of sensitive data being exposed to unauthorized persons. Data is extremely valuable to organizations. Just think of trade secrets, financial information, research data, health information, personal information, source code, or credit card numbers, and you begin to understand both the value this data holds for the organization and the threat its unauthorized disclosure would pose to the company. Data loss prevention addresses this threat by enacting controls that limit access to and distribution of data. DLP still establishes controls to restrict outsiders, but its major focus is on controlling the use of data within the organization.


Reducing privacy and compliance risk with data minimization

Posted by: JurInnov | Posted on: October 7th, 2010 | 0 Comments

Eric Vanderburg

What if I told you that you could reduce risk and costs at the same time? Skeptical? I would be. It sounds like some cheesy marketing ploy chock-full of hidden costs, or high upfront costs with low ROI. No, I am not pitching a product or trying to sell you a solution. I am, however, trying to get your attention. I am talking about data minimization.

Companies collect millions of gigabytes of information, all of which has to be stored, maintained, and secured. There is a general fear of removing data lest it be needed some day, but this practice is quickly becoming a problem that creates privacy and compliance risk. Some call it “data hoarding,” and I am here to help you clean your closet of unnecessary bits and bytes.


Business Continuity and Backups in the Virtual World

Posted by: JurInnov | Posted on: September 27th, 2010 | 0 Comments

Eric Vanderburg

Virtualization has become a mainstream technology and an effective way for organizations to reduce costs. As mentioned in previous articles, it simplifies processes but also creates new information security risks to handle. This article is concerned with business continuity and how virtualization can create many new opportunities and efficiencies in your business continuity plan. This is the third article in a series on virtualization. The first article was titled “Critical security considerations for server virtualization,” and it was followed by “Developing a virtualization security policy.”
