A woman mistakenly thinking she was about to be fired allegedly took revenge on her employer by going into the office late one evening and deleting data files worth $2.5m. Although the deleted data were later recovered, the potential remains for trusted insiders with access to corporate IT assets to cause enormously costly damage by sabotage.
NIST security standard SP800-114 is a 46-page User’s Guide to Securing External Devices for Telework and Remote Access covering aspects such as securely configuring and maintaining operating systems, using VPNs for remote access, and backups.
An office break-in story appears to indicate a targeted theft of computers for the valuable data they contained, rather than for the hardware itself. Thieves stole three PCs containing a customer database, leaving other PCs, valuable office equipment and even cash behind.
An IT systems administrator having a bad day at the office (fearing that he was about to be laid off) planted a logic bomb in his employer's systems. He survived the round of redundancies but detonated the logic bomb anyway. Fortunately for all concerned, bugs in the code prevented it working properly. In court, he was found guilty, sentenced to 30 months' jail time and found liable for $81,200 in restitution.
When a vehicle maintenance contractor's car was stolen, thieves removed a clipboard with a sheet of paper listing access codes for pushbutton locks on 73 police station yards in West London. Whether you use pushbutton locks, key locks or card access systems for your office, do you have adequate procedures in place in case the codes, keys or cards are lost or stolen?
Office security awareness video sampler from AIG.
A new book review on Computer Security For The Home and Small Office (2004) by Thomas C. Greene is available elsewhere on this website (~ US$24 from Amazon). Written by the Associate Editor of The Register, it is quite technical and biased but provides sound security advice, particularly for “SOHO” (Small Office/Home Office) setups.
Computer Security: 20 Things Every Employee Should Know - The Employee Handbook for Securing the Workplace (2005) by Ben Rothke is also reviewed on this site (~$8 from Amazon). It’s a neat little booklet summarizing computer security for ordinary employees, and covering many of the items included in this month’s module.
Some companies are evidently so confident in their physical security measures that they describe them in some detail on the Web. Disaster Solutions Management Ltd., for example, clearly explains the layered access controls protecting its data recovery center IT facility from the outer perimeter to the racks in the computer suite. Handy for some. “The widespread availability of sensitive information on corporate Web sites appears to have been largely overlooked by IT and security managers … Freely available on the Web, for example, are 3-D models of the exterior and limited portions of the interior of the Citigroup Inc. headquarters building in Manhattan …” (Computerworld).
Portable PCs are not safe from theft, even if left for only ten minutes in a locked office. IT equipment was stolen from the MTV awards in Scotland in 2003. “The computer’s not the important thing, it’s the information that was on the hard drive that’s important.”
The cost of encrypting data on laptops has been estimated at around $50 to $100 per machine. However, this needs to be set against the cost of losing a laptop to theft and dealing with the aftermath - “in excess of $50,000” according to Matrix Capital Bank, which had two laptops stolen from its HQ. If that cost is typical, laptop encryption is economic if it prevents theft of data from between one in 500 and one in 1,000 laptops. Given that a few percent of laptops go missing each year, the business case for encryption looks overwhelming to me.
Information security issues and resources for small and entrepreneurial companies is a report expanding on the OECD’s Guidelines for the security of information systems and networks - towards a culture of security. It offers general advice on basic information security controls.
The sequence of events that led to various bugs being shipped in the Mac versions of Microsoft Word is quite revealing - not least because the author acknowledges (Shock! Horror!) that he and his colleagues are only human and make mistakes. The blog entry hints at the subtleties and complexities of those pesky Word bugs that remained after gross/more obvious bugs had been identified and removed by conventional software quality control/testing processes.
Written with input from PGP, a short article on the technical architecture options for email encryption (e.g. endpoint-to-endpoint vs endpoint-to-email-gateway) mentions only PGP, but the same principles and concerns apply to other email encryption methods.
‘Forced disclosure’ of emails can be a concern for organizations facing regulatory and legal inquiries into their business practices, such as British supermarket chains Tesco and Asda. Thousands of internal emails that the senders and recipients probably considered confidential may soon be exposed to the glare of public scrutiny.
A US court ruled that email users have the same reasonable expectation of privacy as they do in respect of their phone calls. A search warrant is therefore required before the Government can legitimately access and search emails stored by ISPs. Furthermore, the owner of the emails must be notified and given the right to object.
The 25 most common mistakes on email covers several email security issues.
Special delivery - secure email is a conference presentation about encrypted email. It outlines the process of symmetric and asymmetric encryption used for secure message and key exchange, respectively, and briefly mentions the main options available for secure email. The big question remains: why do so few people use email encryption? Is it just ‘too hard’? If so, Thomas Greene’s book explains the process of installing and using PGP or GPG quite well.
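The symmetric-for-the-message, asymmetric-for-the-key arrangement the presentation describes is the hybrid construction that PGP, S/MIME and most secure email products share. The script below is an added example written for this page, not code from the presentation or from PGP; it assumes the third-party Python `cryptography` package is installed, and all key pairs, header text and message bodies in it are constructed for the demonstration. A fresh AES-256-GCM session key protects the body of each message, and the recipient's RSA public key wraps that session key with OAEP, so only the holder of the matching private key can recover it.

```python
# Added example: hybrid (symmetric + asymmetric) encryption of an email body.
# Assumes the third-party 'cryptography' package is installed; every key and
# message below is constructed for this demonstration.
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256: the asymmetric step that protects the session key.
OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_recipient_keypair():
    """Recipient's long-term key pair; the public half is all a sender needs."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_message(recipient_public_key, plaintext: bytes, headers: bytes = b"") -> dict:
    """Sender side: one-time session key, body under AES-GCM, session key under RSA-OAEP.

    'headers' is authenticated but left readable (GCM associated data), modelling
    the routing fields a mail gateway must still be able to see.
    """
    session_key = AESGCM.generate_key(bit_length=256)  # symmetric step: fresh key per message
    nonce = os.urandom(12)                              # 96-bit GCM nonce, never reused with this key
    ciphertext = AESGCM(session_key).encrypt(nonce, plaintext, headers)
    wrapped_key = recipient_public_key.encrypt(session_key, OAEP)  # asymmetric step
    return {"wrapped_key": wrapped_key, "nonce": nonce,
            "ciphertext": ciphertext, "headers": headers}


def decrypt_message(recipient_private_key, envelope: dict) -> bytes:
    """Recipient side: unwrap the session key, then open the body (InvalidTag on tampering)."""
    session_key = recipient_private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["ciphertext"], envelope["headers"])


def roundtrip_ok(plaintext: bytes) -> bool:
    """Encrypt for a freshly generated recipient and confirm the body comes back intact."""
    private_key, public_key = generate_recipient_keypair()
    envelope = encrypt_message(public_key, plaintext, b"Subject: quarterly figures")
    return decrypt_message(private_key, envelope) == plaintext


def tampering_detected(plaintext: bytes) -> bool:
    """Flip one ciphertext bit in transit; GCM's tag check must reject the message."""
    private_key, public_key = generate_recipient_keypair()
    envelope = encrypt_message(public_key, plaintext)
    damaged = bytearray(envelope["ciphertext"])
    damaged[0] ^= 0x01
    envelope["ciphertext"] = bytes(damaged)
    try:
        decrypt_message(private_key, envelope)
    except InvalidTag:
        return True
    return False


def wrong_recipient_fails(plaintext: bytes) -> bool:
    """A message wrapped for one recipient cannot be opened with another's private key."""
    _, alice_public = generate_recipient_keypair()
    bob_private, _ = generate_recipient_keypair()
    envelope = encrypt_message(alice_public, plaintext)
    try:
        decrypt_message(bob_private, envelope)
    except ValueError:  # the library reports an RSA-OAEP decryption failure as ValueError
        return True
    return False


if __name__ == "__main__":
    msg = b"Constructed sample: the merger closes on Friday; do not forward."
    print("roundtrip:", roundtrip_ok(msg))
    print("tampering detected:", tampering_detected(msg))
    print("wrong recipient rejected:", wrong_recipient_fails(msg))
```

The point the presentation makes is visible in the shape of the envelope: the expensive public-key operation is applied only to 32 bytes of session key, the body of any length is handled by the fast symmetric cipher, and the authenticated mode means a recipient learns of any in-transit modification rather than silently reading altered text.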
USA Today reported that 119 University of Kansas students who failed classes inadvertently found out who shared their misfortune. The email informing them was sent “To:” all 119 students so all recipients could see who else received the email - if it had been “cc’d” instead, the recipients might have remained anonymous.
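Which addresses a bulk notice exposes depends entirely on the header field the sender puts them in. The script below is an added example, not from the USA Today report or this page; it uses only the Python standard library's `email` module with constructed addresses, and reports the addresses a recipient can read in the delivered headers when the same list is placed in To, Cc or Bcc. It mirrors what a compliant mail client does before handing the message to the server (the stdlib's own `smtplib.SMTP.send_message` removes the Bcc line in the same way).

```python
# Added example: which recipient addresses a mass mailing exposes.
# Standard library only; every address below is constructed for the demonstration.
import copy
from email.message import EmailMessage
from email.utils import getaddresses


def build_notice(sender: str, recipients: list, field: str) -> EmailMessage:
    """Build one notice addressed to every recipient via the given field: 'To', 'Cc' or 'Bcc'."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Course result notification"
    msg[field] = ", ".join(recipients)
    msg.set_content("Constructed sample body.")
    return msg


def envelope_recipients(msg: EmailMessage) -> list:
    """Every address the mail server is asked to deliver to (the SMTP RCPT TO list)."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted(addr for _, addr in getaddresses(fields))


def strip_bcc_for_transport(msg: EmailMessage) -> EmailMessage:
    """Copy of the message as it leaves the sender: the Bcc header is removed, as
    smtplib.send_message does, so it never reaches any recipient's mailbox."""
    delivered = copy.copy(msg)
    del delivered["Bcc"]
    return delivered


def addresses_visible_to_recipients(msg: EmailMessage) -> list:
    """Addresses each recipient can read in the headers of the copy they receive."""
    delivered = strip_bcc_for_transport(msg)
    fields = delivered.get_all("To", []) + delivered.get_all("Cc", [])
    return sorted(addr for _, addr in getaddresses(fields))


def exposure_report(recipients: list, field: str) -> dict:
    """Summarise, for one choice of header field, how many people get the message
    and which of their addresses every other recipient can see."""
    msg = build_notice("registrar@example.edu", recipients, field)
    return {
        "field": field,
        "delivered_to": len(envelope_recipients(msg)),
        "exposed": addresses_visible_to_recipients(msg),
    }


if __name__ == "__main__":
    # Constructed student addresses standing in for a failing-grade notification list.
    students = [f"student{i}@example.edu" for i in range(1, 6)]
    for field in ("To", "Cc", "Bcc"):
        report = exposure_report(students, field)
        print(f"{report['field']:>3}: delivered to {report['delivered_to']}, "
              f"{len(report['exposed'])} addresses exposed to every recipient")
```

Running it shows the same delivery count for all three fields but a different exposure set: every address placed in To or Cc travels in the headers of every copy, while addresses placed in Bcc are used only for delivery and are absent from what recipients see.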
Related NoticeBored links collections
Insider threats, physical IT security, mobile computing & teleworking and trade secrets
NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.