
Horacio Moreno's ITEC 5321 Portfolio


News Journal

All UH employees are to complete mandatory security awareness training ISAT

Last week in class we talked about access controls. The topic of authentication involving passwords came up, and that is why I chose this article. The article is important because it encourages awareness of security in the educational community. When all employees at UH have to complete an Information Security Awareness Training, that's a sign that the previous policies have not kept an acceptable level of security. Another reason for the training has to do with the new Sarbanes-Oxley laws that mandate employees to take part in such training. This is progress, but will 30 minutes of IT security training be enough? Perhaps janitors working in research facilities will be informed on proper disposal protocol. As intelligent as most academic employees may be, they don't get paid to ensure security. If a short session is enough to stop the carelessness or disregard for security, then this is the way to go. At least they won't write their passwords on a yellow sticky anymore, or will they?

iPods remember where data comes from

The topic at hand last week included that of physical security. In this day and age, when you can store any kind of data on any type of media, data destruction is vital to a company's security. When trade secrets are stored on an iPod and someone loses it, serious damages could arise. More importantly, if someone finally gets on the ball and decides to use a more secure medium for storing data, that person should know that the files on the iPod could still be there even after deletion. Once files are recovered via a live CD, for example, the vital information previously deleted could be compromised. Also, data embedded within recovered files would tell investigators not only what machine (MAC address) but also what operating system (though the file format also tells them that) and username was used. If someone has already taken the time to recover the files with dubious intentions, then chances are they are one step closer to attacking the corporate network with the reconnaissance data found in the recovered files.
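To make the point about deleted files concrete, here is an added example (my own illustration, not code from the journal or from any article it cites). It simulates a tiny storage device with a directory table and fixed-size data blocks, all constructed inline: an ordinary delete only removes the directory entry, so a raw scan of the blocks still finds the "deleted" content, while overwriting the blocks before removing the entry is what actually destroys it. The device layout, file names and the secret string are all assumptions made up for the demonstration.

```python
"""Data remanence on a simulated storage device (constructed example).

A ToyDevice has a directory (name -> block indices) and fixed-size blocks.
delete() behaves like most file systems: it drops the directory entry and
leaves the blocks alone. secure_delete() overwrites the blocks first.
carve() scans the raw image without using the directory, the way a
recovery tool booted from a live CD would.
"""

BLOCK_SIZE = 16


class ToyDevice:
    def __init__(self, num_blocks=8):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(num_blocks)]
        self.directory = {}  # filename -> list of block indices

    def _free_blocks(self):
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data: bytes):
        free = self._free_blocks()
        needed = -(-len(data) // BLOCK_SIZE)  # ceiling division
        if needed > len(free):
            raise OSError("device full")
        idx = free[:needed]
        for n, i in enumerate(idx):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            # Pad the last block with zeros (slack space).
            self.blocks[i][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = idx

    def read(self, name):
        idx = self.directory[name]
        # Assumes file content has no trailing NUL bytes of its own.
        return b"".join(bytes(self.blocks[i]) for i in idx).rstrip(b"\x00")

    def delete(self, name):
        # Ordinary delete: only the directory entry goes away.
        del self.directory[name]

    def secure_delete(self, name, passes=1):
        # Sanitize: overwrite every block of the file, then drop the entry.
        for i in self.directory[name]:
            for _ in range(passes):
                self.blocks[i][:] = b"\x00" * BLOCK_SIZE
        del self.directory[name]

    def raw_image(self):
        return b"".join(bytes(b) for b in self.blocks)


def carve(image: bytes, marker: bytes):
    """Return every offset where marker occurs in the raw image."""
    hits, start = [], 0
    while (pos := image.find(marker, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def demo():
    """Returns (hits after ordinary delete, hits after secure delete)."""
    dev = ToyDevice()
    secret = b"TRADE SECRET: formula=XYZ-42"  # constructed sample content
    dev.write("notes.txt", secret)
    dev.delete("notes.txt")
    after_delete = carve(dev.raw_image(), b"TRADE SECRET")

    # The freed blocks are reused, then properly sanitized.
    dev.write("notes2.txt", secret)
    dev.secure_delete("notes2.txt")
    after_wipe = carve(dev.raw_image(), b"TRADE SECRET")
    return len(after_delete), len(after_wipe)


if __name__ == "__main__":
    deleted, wiped = demo()
    print(f"after ordinary delete: {deleted} copy found in raw image")
    print(f"after secure delete:   {wiped} copies found in raw image")
```

The lesson for disposal policy is the same on real media: a delete or even a quick reformat leaves the data blocks in place, so a device that held sensitive data needs its blocks overwritten (or the device physically destroyed) before it leaves the organization's control.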

Google's new Desktop Search could prove to be the biggest government invasion of privacy of all time

In our previous class different types of security laws were mentioned. Some of the new laws are difficult for the average person to comprehend. Perhaps legal clerks are purposely told to create laws that are ambiguous, so that when someone has to be ruled on by a judge the law is somehow interpreted to mean something. Depending on that judge's decision, a case around that law would be formed so that other judges would follow the same proceeding from there on out. As Professor Crowley has said, when you ask a lawyer about a security related concern the answer will always be “it depends”. So what is legal when it comes to privacy? That’s right, you fill in the blank. As it stands now, records of what we search on Google are temporarily private. If however the government sees the need to investigate anyone even remotely suspicious, all privacy is completely lost. This becomes an even bigger nuisance if Google Desktop Search and/or Google Toolbar is installed on your system. These two applications not only inform Google of all your activities online but also allow Google to search your data from a remote location. My advice is to keep all your vital data on an external hard drive and only hook it up to a system booted from a live CD that’s not connected to any network, to avoid losing system and data integrity and keep peace of mind.

Security fixes come faster with Mozilla

While covering topics in operations security, the subject of preventive administrative controls was discussed. Professor Crowley mentioned how, now that it has 25% of the market share, Firefox has begun to gain notoriety for security holes similar to those found in Internet Explorer. This was only a matter of time, as only the most popular browsers get cracked because of the high probability of vulnerable users. The results are in: Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems. The fact that Mozilla is providing faster updates shouldn’t justify having the flaws in the first place, just as we shouldn’t be led to believe that any browser is completely secure. Using the most frequently updated and secure browser available should be the standard in a multi-layered security environment for now. Perhaps the future will provide a better solution for a browser, but for now this is what we have.

Proof: Employees don't care about security…Like we didn't already know...

The reason I chose this article was because of the blatant confirmation that, alas, there is actual proof that employees really don’t care about security. The article talks about how a couple of techies gave out CDs at the beginning of the day in the banking district of London. Recipients were told the disks contained a special Valentine's Day promotion. Even though the disk contained warnings about installing third party software and acting in breach of company acceptable use policies, that didn’t hinder people from installing it. Once a user installed it on their machine it would report how many people had fallen for the stunt. Rob Chapman, CEO of the Training Camp, who carried out the stunt to promote a course in security for non-IT professionals, said: "Fortunately these CDs contained nothing harmful. No personal or corporate data was transmitted due to the actions of these individuals but the fact remains that this could have been someone wanting to cause havoc in the City." Imagine if the CDs contained a series of rootkits, trojans, and keyloggers to spy on all the banks in the financial district. Last year a Japanese bank in that same financial district fell victim to a spyware infection which almost ended with the theft of £220m. That case should have highlighted the threat posed by applications entering the enterprise through unofficial channels, and yet it appears few companies have taken note.