Posts tagged hacker

Vanguard Security Conference – Supplier Security

I spoke yesterday at the Vanguard Security Conference (http://www.go2vanguard.com). Vanguard has been running this conference for a number of years. The focus is on mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have, back in the mid-90s. Well, perhaps I shouldn't be so happy; it was over a decade ago.

The point being that there are so many areas of security out there that most of us will never touch, yet there is a dire need for professionals. The conference was less well attended, as most conferences are this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was Supplier Risk Management processes. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target supplier security. We have to go way beyond a SAS 70 if we want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

  1. No framework for managing vendor risk
  2. Inconsistent processes for tracking vendors
  3. Lack of enforcement capabilities

The Opportunity:

  1. Provide practical steps to manage vendor access/management
  2. Provide cost effective solution for risk mitigation
  3. Provide numerical risk analysis of vendor/partner security issues
  4. Risk reduction or risk acceptance
  5. Documented exposure
  6. Iterative process for risk management
  7. Happy CIO

So a Supplier Security assessment follows 4 main steps:

  1. Analyze the current vendor database and categorize each vendor
  2. Determine the risk of each supplier and the threats posed by each supplier
  3. Perform assessment tests of each supplier, their processes of interaction, and their data access
  4. Develop a risk mitigation plan, update processes, and set up monitoring processes
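The four steps above, carried through as code. This is an added illustration, not KRAA Security's own tooling: the scoring weights, the tier thresholds and the vendor records are all constructed, and a real program would use the categories and weights agreed with the risk owner. The point it shows is how a numerical risk score (impact x likelihood, with assessment evidence lowering likelihood) turns an unstructured vendor list into a ranked mitigation plan.

```python
"""Supplier risk scoring across the four assessment steps (categorize, score,
test, mitigate). Added illustration, not KRAA Security's own tooling; the
scoring weights and the vendor records are constructed."""
from dataclasses import dataclass

# Impact driver: classification of the data the supplier can reach.
DATA_IMPACT = {"public": 1, "internal": 2, "confidential": 4, "restricted": 5}
# Likelihood driver: how the supplier connects to us (more access, more exposure).
ACCESS_LIKELIHOOD = {"none": 1, "file_exchange": 2, "portal": 3, "vpn": 4, "privileged": 5}
# Assessment evidence lowers likelihood; a SAS 70 alone earns only a modest credit.
EVIDENCE_CREDIT = {"none": 0, "questionnaire": 1, "sas70": 1, "onsite_test": 2}


@dataclass
class Supplier:
    name: str
    data_class: str   # key of DATA_IMPACT
    access: str       # key of ACCESS_LIKELIHOOD
    evidence: str     # key of EVIDENCE_CREDIT
    records: int      # number of people whose records the supplier can see


def categorize(s: Supplier) -> str:
    """Step 1: bucket each vendor by how it touches our systems and data."""
    if s.access == "none" and s.data_class == "public":
        return "commodity"
    if s.access in ("vpn", "privileged"):
        return "connected"
    return "data_handler"


def risk_score(s: Supplier) -> int:
    """Step 2: numerical risk = impact x likelihood (roughly a 1..30 scale)."""
    impact = DATA_IMPACT[s.data_class]
    if s.records >= 100_000:
        impact += 1  # large record volume raises the breach impact
    likelihood = max(1, ACCESS_LIKELIHOOD[s.access] - EVIDENCE_CREDIT[s.evidence])
    return impact * likelihood


def tier(score: int) -> str:
    """Map a score onto the tier that decides how deep the step-3 testing goes."""
    if score >= 16:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Steps 3 and 4: the assessment tests and the mitigation plan that go with each tier.
PLAN = {
    "critical": "onsite assessment, test the integration path, quarterly access re-certification",
    "high": "test the integration path and data access, annual assessment",
    "medium": "questionnaire with evidence review, reassess on contract renewal",
    "low": "document and accept the risk, re-check on contract renewal",
}


def assess(suppliers):
    """Run steps 1-4 over the inventory; one plan row per supplier, highest risk first."""
    rows = []
    for s in suppliers:
        score = risk_score(s)
        t = tier(score)
        rows.append({"name": s.name, "category": categorize(s),
                     "score": score, "tier": t, "action": PLAN[t]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed vendor inventory (fictional names and attributes).
SAMPLE_INVENTORY = [
    Supplier("Payroll Processor", "restricted", "portal", "sas70", 250_000),
    Supplier("Remote DBA Firm", "restricted", "privileged", "none", 250_000),
    Supplier("Office Supplies", "public", "none", "none", 0),
    Supplier("Marketing Agency", "internal", "portal", "questionnaire", 5_000),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(f"{row['score']:>3} {row['tier']:<8} {row['category']:<12} "
              f"{row['name']}: {row['action']}")
```

Run as a script it prints the ranked plan; the supplier with privileged access and no assessment evidence lands at the top even though it holds the same data as the payroll processor, which is the iterative point of the process: re-scoring after an assessment or a control change moves a vendor between tiers without anyone re-arguing the whole list.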

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Laptop Encryption – Serious lack of security

I believe that more personal information has been stolen than there are actual people in the US. How much was stolen from the government would prove a nice study. And has anyone in the government actually been fired?

So the employee lost the laptop. Do you blame the employee, or the agency for not educating the employee and providing whole-disk encryption? The agency believes that an unencrypted hard drive that has a “password” is secure? Well, maybe someone should explain computer hacking, Windows security, encryption and the concept of intrusion prevention to DHS.

Well, you will probably see that laptop on eBay or in a pawn shop. Some halfway intelligent person who buys it might be able to get to the data. Then what?

Five Steps to Laptop Security 101:

1) Encrypt using whole-disk encryption, or at a minimum encrypt your data folders. Try PGP encryption (www.auroraent.com).

2) Patch management: use automated patch management.

3) Firewall: use a managed firewall in a corporate environment or a personal firewall; there are lots of free and cheap ones out there.

4) Hard disk password: you can protect your drive from even booting with a hard disk password. Yes, this can be broken and the manufacturer can reset it, but it's a pain and the casual person will not know what to do.

5) Don't let the government have a laptop.
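Step 1 is only worth anything if the encryption is actually in place on the machine that walks out the door, and "password protected" on its own tells you nothing about that. The check below is an added example, not something from the post or from KRAA Security: it walks the device tree that `lsblk -J` prints on Linux and reports whether the root filesystem sits on a dm-crypt (LUKS) mapping. The two JSON layouts are constructed to look like an LVM-on-LUKS laptop and an unencrypted one; they are not captured from a real system.

```python
"""Verify that the root filesystem is on an encrypted device by walking the
tree that `lsblk -J` prints. Added example for the checklist above, not the
post's own tool; the two JSON samples are constructed, not captured."""
import json
import subprocess


def _mountpoints(node):
    """lsblk prints 'mountpoint' (older) or 'mountpoints' (newer); accept both."""
    mps = node.get("mountpoints")
    if mps is None:
        mps = [node.get("mountpoint")]
    return [m for m in mps if m]


def _device_chain(node, mount, ancestors):
    """Return the device chain from the disk down to the node mounted at `mount`."""
    chain = ancestors + [node]
    if mount in _mountpoints(node):
        return chain
    for child in node.get("children", []):
        found = _device_chain(child, mount, chain)
        if found:
            return found
    return None


def is_encrypted(lsblk_json: str, mount: str = "/") -> bool:
    """True when a dm-crypt mapping (lsblk TYPE 'crypt', e.g. LUKS) sits anywhere
    between the physical disk and the filesystem mounted at `mount`."""
    tree = json.loads(lsblk_json)
    for disk in tree["blockdevices"]:
        chain = _device_chain(disk, mount, [])
        if chain:
            return any(dev.get("type") == "crypt" for dev in chain)
    raise ValueError(f"nothing mounted at {mount}")


def check_this_host() -> bool:
    """Linux only: ask lsblk for the live layout and apply the same check."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return is_encrypted(out)


# Constructed: LVM-on-LUKS laptop, /boot on a plain partition as is usual.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [{
    "name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]})

# Constructed: same laptop with the root filesystem straight on a partition.
PLAIN_LAPTOP = json.dumps({"blockdevices": [{
    "name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"}]}]})

if __name__ == "__main__":
    print("sample encrypted laptop:", is_encrypted(ENCRYPTED_LAPTOP))
    print("sample plain laptop:   ", is_encrypted(PLAIN_LAPTOP))
```

Two caveats when using this as an inventory check: an unencrypted `/boot` is normal and is why the function is asked about `/` rather than every mount, and a BIOS or ATA hard disk password (step 4) is invisible to the block-device tree, so this check cannot confirm it. On Windows the equivalent question is answered by `manage-bde -status`, on macOS by `fdesetup status`.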


regards

gary

http://www.kraasecurity.com


* Managed Firewall

* Managed Antivirus

* Managed IDS

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Unencrypted laptop with 1 million SSNs stolen from state

SC Magazine Dan Kaplan April 24, 2009

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee.

The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma’s Human Services’ clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday.

The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency.

“We feel this was not a situation where someone was targeting the agency or that information,” DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. “We feel it was random.”

Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said.

News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.
