Tuesday, April 28, 2009

The Disconnect Between Security and Business
by Gerald Trites

In September, 2008, Bearing Point released a study done on its behalf by Forrester Consulting which is posted on Bearing Point's website.

The study was based on a survey of 175 respondents from business and IT conducted during the summer of 2008. The results are useful and sadly predictable. The point of the study was to show the extent to which security and business personnel differ in their views of, and roles in, security. One would of course expect differences, but since security is generally recognized as such a critical area from a business point of view, one should also expect some congruence of views.

The study indeed found a high degree of agreement on the governance aspects of security, with over 90% believing that security is a C-Level concern and both groups agreeing that security is important from a business viewpoint.

The study also found, however, that there is a communications gap between the two groups, one that is exacerbated by the culture within the business.

The study has real strategic value for companies trying to establish a more effective organizational approach to security and finding an appropriate balance between security needs and business constraints.

Sunday, April 26, 2009

Phishing and Smishing
by Gerald Trites, FCA

Phishing is old hat, having been around for a long time and having supposedly become transparent and easy to avoid. But is it? New techniques are starting to have their impact. Phishers are becoming more sophisticated, and they are starting to use SMS, which gives rise to "smishing".

It would be nice if we could find an easy way to get away from the criminals who perpetuate the phishing plague. But it seems they have plenty of resources, and considerable skill in developing new techniques to keep ahead of the opposition. The latest techniques are covered in this recent article.

The new techniques have gotten away from the old ploy of strangers in Nigeria and other places needing to transfer their money to your account. Anyone who gets caught by that one any more almost deserves it. Almost.

The phishing plague is something that needs to be controlled, so security professionals need to keep on top of it and develop the new techniques that will protect users. It's not an easy job.

Tuesday, April 21, 2009

Single Sign-on
by Gerald Trites, FCA

As the need for security has grown in the face of identity theft, viruses and unwanted intruders, the number and scope of applications requiring passwords has grown immensely. Within many companies, employees need to remember a large number of passwords. Of course, in many cases they cannot remember them all, and therefore need to record them somewhere. So they write them on sticky notes, in little notebooks hidden away in a drawer, in files on their computer, or in password managers like Roboform that hold all the passwords they need and are themselves protected by a single master password. Or they store them on their PDA or smartphone.

The fact is that because a normal human being cannot remember a large number of passwords, especially when they must be changed every month or so, the proliferation of passwords is a growing security risk. Hence the need for single sign-on.

But single sign-on cannot work securely simply by giving everyone a single password that grants access to the whole system; that would seriously erode security, since one compromised password would then open everything. Instead, single sign-on involves a thorough review and definition of the system needs of each user, through a process known as identity management: the user authenticates once, and the rights granted in each application are defined and administered centrally.

Carefully implemented, identity management can improve the overall security of the company's systems and at the same time simplify the lives of the users, while making it possible to open up new areas of information for more users.
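To make the distinction concrete, here is an added illustration (not code from the post, and not from Novell or the New York Transit case study) of the shape a single sign-on flow takes when it is backed by identity management: the user authenticates once at a central identity provider, which mints a short-lived signed assertion carrying only the entitlements defined for one application, and each application verifies that assertion with its own key. The directory contents, the HMAC-based token format, the function names and the per-application keys are all assumptions made for this example.

```python
"""
Added example: single sign-on as "authenticate once, authorize per application",
as opposed to one shared password for every system. The identity store, token
format and key handling below are illustrative assumptions, not any vendor's API.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# --- Identity provider side -------------------------------------------------

# Constructed sample directory. The per-application entitlements are the product
# of the identity-management review the post describes: what each user needs
# in each system is decided centrally, not negotiated application by application.
_SALT = b"example-salt-not-for-production"
DIRECTORY = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
        "entitlements": {
            "payroll": ["view_own_payslip"],
            "ticketing": ["view", "edit"],
        },
    },
}

# Each relying application shares a distinct secret with the identity provider,
# so an assertion minted for one application cannot be replayed to another and
# a key leaked from one application cannot forge assertions for the rest.
APP_KEYS = {
    "payroll": os.urandom(32),
    "ticketing": os.urandom(32),
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def authenticate(user: str, password: str) -> bool:
    """The one password check, done at the identity provider; applications never see it."""
    record = DIRECTORY.get(user)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, record["pw_hash"])

def issue_assertion(user: str, audience: str, now: float, ttl: int = 300) -> str:
    """Mint a short-lived assertion carrying only the entitlements for `audience`."""
    roles = DIRECTORY[user]["entitlements"].get(audience, [])
    claims = {"sub": user, "aud": audience, "exp": int(now) + ttl, "roles": roles}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(APP_KEYS[audience], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

# --- Relying application side ----------------------------------------------

def verify_assertion(token: str, audience: str, key: bytes, now: float):
    """Return the claims if the token is for us, intact and unexpired; otherwise None."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, KeyError):
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims

def login_and_access(user: str, password: str, audience: str, now: float):
    """End to end: authenticate once, obtain an assertion, have the application check it."""
    if not authenticate(user, password):
        return None
    token = issue_assertion(user, audience, now)
    return verify_assertion(token, audience, APP_KEYS[audience], now)

if __name__ == "__main__":
    t0 = time.time()
    print(login_and_access("alice", "correct horse battery", "ticketing", t0))
```

The point the toy makes is in the failure cases: a payroll assertion presented to the ticketing system is refused because the audience and key do not match, an assertion past its expiry is refused, and an assertion whose claims have been edited fails the signature check. The user still typed one password once, but no single secret opens every system.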

Such an approach was taken by New York Transit with its applications, and a short case study was written up by the provider, Novell, which highlights the benefits of this approach to a single sign-on environment.

Thursday, April 16, 2009

Privacy and Security in Website Development
by Gerald Trites

A company website is the face the company puts forward to the world, and needs to reflect the best policies the company could follow. This applies particularly to privacy and security, yet many company websites, particularly those of small companies, do not reflect such practices.

It's true that many websites state privacy policies, for example, but the question is: do they really follow those policies? Are the policies an important part of the way they do business, or just something copied from another site to give the best impression?

How many companies actually show a trust certificate on their site, to demonstrate that they are paying attention to best practices in website security? How many actually take the steps to ensure they are compliant with PCI standards if they accept credit cards? True, for some cards, such as Visa, they are required to comply; however, this is not always the case. Issues like these are raised in a recent article in the E-Commerce Times on building websites for small business.

These matters are important, particularly in an era of increasing identity theft and data loss. Ultimately, they can even make the difference in the viability of a company. Stating the right policies is important. Following them is even more so.

Monday, April 13, 2009

Major Cybersecurity Bill Introduced In Senate -- Cybersecurity -- InformationWeek

A major new bill has been introduced into the US Senate to place unprecedented emphasis on cybersecurity. The bill includes provision for appointment of a National Cybersecurity Advisor reporting directly to the President.

The bill calls for a unified and coordinated approach to security, and supports the formation of partnerships and new research in the area. There is an article on the proposals at the following link:
Major Cybersecurity Bill Introduced In Senate -- Cybersecurity -- InformationWeek

Thursday, April 9, 2009

Guidance on Monitoring Internal Control Systems (2009)

"The COSO board recognizes that management's assessment of internal control often has been a time-consuming task that involves a significant amount of annual management and/or internal audit testing. Effective monitoring can help streamline the assessment process, but many organizations do not fully understand how to take full advantage of this important component of internal control. COSO’s Monitoring Guidance is designed to improve the use of monitoring by helping organizations:

  1. Identify and maximize effective monitoring, and
  2. Identify and improve ineffective or inefficient monitoring"

Saturday, April 4, 2009

Compensating Controls
by Gerald Trites

Many of us who have worked in the controls field have from time to time been impressed and even amazed at the skill of some people in designing systems controls. We recognize at such times just how much of an art form good systems design can be.

The feature article in the Information Systems Security Association (ISSA) Journal this month recognizes this artistry as it relates to the design of compensating controls. When we discover vulnerabilities in a system, one of the first things we do is to look for compensating controls. If there are none, then the vulnerability must be addressed directly, hopefully by changing the system in some way to remove the problem or at least mitigate it. If this proves not to be possible or practical, then we must design a compensating control.

This raises issues, including developing a control that is going to be sustainable and one that will actually mitigate the existing vulnerability. Sometimes compensating controls are developed that involve more work but do not actually address the vulnerability.

Compensating controls are not necessarily the most efficient way of dealing with an issue, but they can be effective and necessary. The article, which is available online, discusses these and other issues around compensating controls, in an entertaining and informative way.