Friday, January 29, 2010

The National Cyber Alert System has put out a series of tips on protecting portable devices

Why do you need another layer of protection?

Although there are ways to physically protect your laptop, PDA, or other portable device (see Protecting Portable Devices: Physical Security for more information), there is no guarantee that it won't be stolen. After all, as the name suggests, portable devices are designed to be easily transported. The theft itself is, at the very least, frustrating, inconvenient, and unnerving, but the exposure of information on the device could have serious consequences. Also, remember that any devices that are connected to the internet, especially if it is a wireless connection, are also susceptible to network attacks (see Securing Wireless Networks for more information).

What can you do?

  • Use passwords correctly - In the process of getting to the information on your portable device, you probably encounter multiple prompts for passwords. Take advantage of this security. Don't choose options that allow your computer to remember passwords, don't choose passwords that thieves could easily guess, use different passwords for different programs, and take advantage of additional authentication methods (see Choosing and Protecting Passwords and Supplementing Passwords for more information). 
  • Consider storing important data separately - There are many forms of storage media, including CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can protect your data even if your laptop is stolen. You should make sure to secure the location where you keep your data to prevent easy access. It may be helpful to carry storage media with other valuables that you keep with you at all times and that you naturally protect, such as a wallet or keys.
  • Encrypt files - By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.
  • Install and maintain a firewall - While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and using different networks. Firewalls can help prevent outsiders from gaining unwanted access (see Understanding Firewalls for more information).
  • Back up your data - Make sure to back up any data you have on your computer onto a CD-ROM, DVD-ROM, or network (see Good Security Habits and Real-World Warnings Keep You Safe Online for more information). Not only will this ensure that you will still have access to the information if your device is stolen, but it could help you identify exactly which information a thief may be able to access. You may be able to take measures to reduce the amount of damage that exposure could cause.
See the original posting here  

Tuesday, January 26, 2010

Cloud Computing Security

Tim Brown over at CIO online has a great piece on Cloud Security: Ten Questions to Ask Before You Jump:

From regulations to liability, CA cloud security expert Tim Brown outlines the key security issues you should explore while preparing for a cloud deployment.

The hype around cloud computing would make you think mass adoption will happen tomorrow. But recent studies by a number of sources have shown that security is the biggest barrier to cloud adoption. The reality is cloud computing is simply another step in technology evolution following the path of mainframe, client server and Web applications, all of which had — and still have — their own security issues.

Cloud Computing Definitions and Solutions

Security concerns did not stop those technologies from being deployed and they will not stop the adoption of cloud applications that solve real business needs. To secure the cloud, it needs to be treated as the next evolution in technology not a revolution that requires broad based changes to your security model. Security policies and procedures need to be adapted to include cloud models in order to prepare for the adoption of cloud-based services. Like other technologies, we're seeing early adopters take the lead and instill confidence in the cloud model by deploying private clouds or by experimenting with less-critical information in public clouds.

Defining Cloud Security: Six Perspectives Cloud Security: Danger (and Opportunity) Ahead
Organizations are asking many questions and weighing the pros and cons of utilizing cloud solutions. Security, availability and management all need to be considered. As part of that process, here are 10 security-related questions organizations should consider to help them determine if a cloud deployment is right for them, and if so, which cloud model — private, public or hybrid.

1. How does a cloud deployment change my risk profile? A cloud computing deployment — whether private or public — means you are no longer in complete control of the environment, the data, or the people. A change in control creates a change in risk — sometimes an increase in risk and in some cases a decrease in risk. Some cloud applications give you full transparency, advanced reporting, and integration with your existing systems. This can help lower your risk. Other cloud applications may be unable to modify their security profiles, they may not fit with your existing security measures, and may increase your risk. Ultimately the data and its sensitivity level will dictate what type of cloud is used or if a cloud model makes sense at all.

2. What do I need to do to ensure my existing security policy accommodates the cloud model?
A shift to a cloud paradigm is an opportunity to improve your overall security posture and your security policies. Early adopters of cloud applications will have influence and can help drive the security models implemented by the cloud providers. You should not create a new security policy for the cloud, but instead extend you existing security policies to accommodate this additional platform. To modify your policies for cloud, you need to consider similar factors: where the data is stored, how the data is protected, who has access to the data, compliance with regulations, and service level agreements.

Check out the rest of this great article HERE

Friday, January 22, 2010

Clinton Pushes Cyber-security in Wake of Google Attacks

Secretary of State Hillary Clinton calls for countries to cooperate in defending against cyber-attacks, but remains cautious in her comments regarding the recent attacks reported by Google.

U.S. Secretary of State Hillary Clinton in a speech Jan. 21 took a strong stance in favor of promoting cyber-security partnerships and ending Internet censorship, but stopped short of using harsh language against China in connection with the recent cyber-attacks reported by Google.

China has been at the center of accusations of attacks on Google, Adobe Systems and more than 30 other enterprises. Direct evidence of government involvement in the attacks has been lacking—however, systems used by the attackers were linked to China and the main Trojan used in the attacks included code with a cyclic redundancy check originating in China as well "We have identified that systems in Taiwan were involved, as were systems in the United States," said Dave Marcus, director of security research at McAfee's Avert Labs. "That said, cyber-espionage and state sponsored cyber-attacks are nothing new and we have said in the past that China is one of the nation states that conducts such activities, as does the United States and other countries."

Read the entire eWeek article here.

Technical Cyber Security Alert TA10-021A - Internet Explorer out of band patch released

Microsoft has issued a security patch for a vulnerability in Internet Explorer which was responsible for China’s targeted and sophisticated attacks against Google.

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection under the next section, Vulnerability Information.

This week Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that the security benefits are far greater than that of Internet Explorer 6. Both the French and German governments warned their populations to cease using Internet Explorer due to the un-patched flaw. Currently the flaw exists in Internet Explorer versions 6, 7 and 8 but exploit code is only available for Internet Explorer 6.