Security News, Vulnerabilities, Data Breaches, Website Security
Posts tagged antivirus
Vanguard Security Conference – Supplier Security
Jun 2nd
I spoke yesterday at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90’s. We perhaps I shouldnt be do happy, it was over a decade ago.
The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.
My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.
The Problem:
- No framework for managing vendor risk
- Inconsistent processes for tracking vendors
- Lack of enforcement capabilities
The Opportunity:
- Provide practical steps to manage vendor access/management
- Provide cost effective solution for risk mitigation
- Provide numerical risk analysis of vendor/partner security issues
- Risk reduction or risk acceptance
- Documented exposure
- Iterative process for risk management
- Happy CIO
So a Supplier Security assessment follow 4 main steps:
- Analyze current vendor database, catageorize each
- determine risk of each supplier, determine threats posed by each supplier
- Perform assessment tests of each supplier, their processes of interaction, and data access
- develop risk mitigation plan, update processed, monitoring processes
Gary Bahadur
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
US to set out cyber security plan -Baha to the rescue
May 29th
Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate “Hacking Lab” in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times.
So what can we expect from the Czar?
The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April.
Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is “untenable”.
Here is my plan for cybersecurity:
1) Put ME in charge of the whole thing.
Good plan right?
My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term.
We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start:
1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme.
2) Conduct continuous vulnerability assessment of the High and Medium risk systems.
3) MUST have Patch management for all systems.
4) Encrypt any data leaving a secure internal system
5) Figure out what Data Loss Prevention means!
6) FUND Cybersecurity like its part of the Defense Budget.
Baha – new Cybersecurity Czar
http://twitter.com/kraasecurity
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
+++++++++++++++++++++++++++++++++++
BBC
US President Barack Obama is to set out plans for securing American computer networks against cyber attacks.
In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years.
In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said.
But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.
Laptop Encryption – Serious lack of security
Apr 30th
I believe that more personal information has been stolen than there are actual people in the US. How much was stolen from the government would prove a nice study. And has anyone in the government actually been fired?
So the employee lost the laptop. Do you blame the employee or the agency for not educating the employee and provide wholedisk encryption? The agency believes that an unencrypted harddrive, but that has a “password” is secure? Well maybe someone should explain computer hacking, windows security, encryption and the concept of intrusion prevention to DHS.
Well you will probably see that laptop on Ebay or in a pawn shop. Some halfway intelligent person who buys it might be able to get to the data. Then what?
Five Steps to Laptop Security 101:
1) Encrypt using wholedisk encryption or at a minimum encrypt your data folders. Try PGP encryption (www.auroraent.com)
2) Patch Management, use automated patch management
3) Firewall, use a managed firewall in a corporate environment or a personal firewall, lots of free ones out there and cheap ones.
4) Hard Disk password, you can protect your drive from even booting with a hard disk password. yes this can be broken and have the manufacturer resetm, but its a pain and the casual person will not know what to do
5) Dont let the government have a laptop.
regards
gary
*Managed Security Services
*Vulnerability Management
*Compliance & Policy Development
*PGP Security
*FREE Website Security Test
* Managed Firewall
* Managed Antivirus
* Managed IDS
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Unencrypted laptop with 1 million SSNs stolen from state
SC Magazine Dan Kaplan April 24, 2009
The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee.
The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday.
The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency.
“We feel this was not a situation where someone was targeting the agency or that information,” DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. “We feel it was random.”
Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said.
News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.
Recent Comments