
Archive - November 2000
Risk Homeostasis: Is Risk Reduction a Pipe Dream?
How often do you speed? What is your investment strategy? Answers to questions like these could provide insight into an individual’s level of acceptable risk. We embrace or avoid risk, consciously and unconsciously, based on the level of risk we are willing to accept. This level of risk acceptance applies to the use of computers as well. With the constant influx of new threats and the implementation of security controls, the level of risk felt by employees can fluctuate, causing an increase or decrease in risk-taking behavior.
Is Your TV a Security Risk? Embedded Devices May be the Next Target.
The latest televisions and Blu-ray players are being shipped with more than high definition video and audio. Internet access and a host of new applications are being built in to run directly on these devices. A popular built-in feature is wireless access which enables the user to avoid plugging in an Ethernet cable. Accessing the internet and your favorite apps directly from your TV is convenient. However, what security risk does this pose?
Stop Hoarding! Improve Security, Efficiency and the Bottom Line through an Effective Data Retention Policy
Organizations are accumulating data at a pace that would cause a hoarder to blush. Just like that old bicycle seat stored in the attic, data is often kept “just in case it may be needed someday.” This practice, however, comes at a cost.
Some organizations think that it is inexpensive to store data, especially with the steady decline in hard drive prices. The fact is, however, that data is expensive to keep. Organizations spend a significant portion of time managing, archiving and securing data. Data is housed on servers, each of which must be maintained. Data is also archived regularly according to the organization’s backup schedule, and it is audited and secured against loss. Each of these activities consumes the time of those in information management (i.e., increases the cost).
Transferring Information Security Risk with Cyber Insurance

There are four ways of dealing with risk: Avoid, Mitigate, Accept, or Transfer. Avoiding a risk involves changing procedures or systems so that the risk no longer applies, such as removing old encryption protocols. Risks are mitigated by implementing security controls. If the risk is within acceptable levels, it can be accepted. Lastly, risks can be transferred, primarily through insurance.
The Social Networking Threat

Social Networking is a godsend and a concern, a help and a hindrance, an amazing feat and a terrible nuisance. While these descriptors apply to the individual, they are amplified many times over for a corporation. A corporation needs to be concerned with everything from profits to people, and social networking websites like Facebook, Twitter, or the new Googleplus, among others, have tremendous impact on how a corporation looks at its priority list. Certain facets of social networking can be beneficial to businesses; for example, social networking provides a business with free publicity. In addition to publicity, social networking allows a business to expand into new markets and different demographics. Though networking brings many new possible clients and expands a business, it can also be riddled with potential pitfalls. For example, a business can divulge too much information via social networking. Also, privacy on sites like Facebook can be a little suspect, and thus put important corporate information at risk.
Mitigating the Threat of Corporate Espionage

The term corporate espionage often stirs thoughts of big evil companies, high tech equipment, and government-trained spies. As disturbing as this might sound, it seems far removed from everyday corporate life, thus corporate espionage seems of little concern for the organization. In reality, however, corporate espionage often doesn’t take the face of a big evil company, nor does it require high tech equipment or government-trained spies. It is performed in the everyday workings of a company. Maybe even your company.
This article aims to shed light on the tools of corporate espionage used against everyday businesses and the strategies companies can use to reduce the threat of corporate espionage, which ultimately comes down to the unauthorized disclosure of sensitive information.
Leveraging Vulnerability Scoring in Prioritizing Remediation
Eric Vanderburg

The average organization has numerous types of equipment from different vendors. Along with the equipment, businesses also utilize multiple software applications from various developers throughout the organization. This diversity provides many helpful opportunities, but also creates a higher probability of vulnerability. Risk managers are able to stay aware of new vulnerabilities through vendor systems or services such as SANS @RISK, the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), or Bugtraq, but how do they prioritize the vulnerabilities? Certainly risk managers need to know which vulnerabilities carry the highest risk so that those can be resolved before lesser vulnerabilities. Understanding these vulnerabilities and their impact relative to other vulnerabilities is quite a challenge.
To overcome this challenge, several scoring systems have been developed. These include the US-CERT (United States Computer Emergency Readiness Team) Vulnerability Notes Database and the Common Vulnerability Scoring System (CVSS). This article provides an overview of both systems and how risk managers can use them to prioritize remediation.
Does One Bad App Spoil the Bunch?
Eric Vanderburg

Smartphones are replacing traditional phones. These handheld devices offer users more than just the ability to make calls; smartphones such as the iPhone, Google Android, or Blackberry let owners browse the Internet, check email, and run applications. In many ways, the modern smartphone is a merger of the computer and the phone into one small pocket-sized device delivering information to you anytime, anywhere. But what else is your smartphone up to? With all its similarities to the PC, smartphones also share one of the PC’s less desired attributes: malware.
All three vendors (Google, Apple, and RIM) maintain a directory of applications, or apps, allowing developers to publish applications to a directory for downloading. Some of those applications contained malicious code allowing phones to be converted into “zombies” for launching attacks or giving attackers access to data on smartphones such as contacts, emails, attachments, browsing history, or passwords. Some applications made calls to 900 numbers or premium texting services that you could be billed for. Both Google and Apple have identified and removed malicious apps from their directories, and Google has implemented measures to remotely remove malicious apps from users’ phones. However, even this fact is disturbing because it demonstrates that Google has backdoor access to the Android phone. This system, which today is used to remove malware, could one day be used to deploy it.
Guidelines for Username and Password Risk Management
Eric Vanderburg

Usernames and passwords still represent a great information security risk to organizations. This basic but crucial element can nullify the effectiveness of some of the best systems. That is why it is important to keep usernames and passwords secure if you hope to have assurance in your information system. To help manage information security risks, this article outlines several common bad password practices and the risks they present, along with steps to take to reduce this risk and protect company information. Some of the most prevalent mistakes users make regarding passwords include:
- Sharing passwords
- Using the same password for multiple accounts
- Creating insecure passwords
- Retaining passwords long-term
