Information Security Today is brought to you by Auerbach Publications


 

New Books

Information Security Management Handbook, Sixth Edition, Volume 6 edited by Harold F. Tipton and Micki Krause Nozaki, ISBN 978-1-4398-9313-5, $99.95
Managing the Insider Threat: No Dark Corners by Nick Catrantzos, ISBN 978-1-4398-7292-5, $69.95
The 7 Qualities of Highly Secure Software by Mano Paul, ISBN 978-1-4398-1446-8, $49.95
Noiseless Steganography: The Key to Covert Communications by Abdelrahman Desoky, ISBN 978-1-4398-4621-6, $119.95
Information Security Governance Simplified: From the Boardroom to the Keyboard by Todd Fitzgerald, ISBN 978-1-4398-1163-4, $79.95
Investigations in the Workplace, Second Edition by Eugene F. Ferraro, ISBN 978-1-4398-1480-2, $79.95



Information Lifecycle Governance Leader Reference Guide: A Model for Improving Information and eDiscovery Economics with Information Lifecycle Governance
An effective Information Lifecycle Governance (ILG) program improves information economics and reduces risk by disposing of data debris and modernizing key governance processes to reflect information facts. This Leaders’ Guide is an invaluable tool for helping organizations and governance leaders succeed in improving information and ediscovery economics. The 2010 Report confirmed defensible disposal as the most essential outcome of a good governance program but revealed challenges with funding and cross-organizational cooperation that impeded program launch or effectiveness. The Guide now provides a construct for how to operationalize an effective program and overcome these barriers.

Learning to Wear the European Union's Data Directive with Style
Should we be horrified by European bureaucracy or beat the drum for watertight data protection? Will the new rules allow for a balance between the data privacy needs of the citizens against the practical issues of managing data in the modern corporate environment? While many security professionals have expressed concerns about the technical problems associated with managing, protecting and auditing access to growing data stores, the reality is that with the right technology in place these issues can easily be solved. This article by David Gibson of Varonis Systems examines how the new European data directives on privacy are likely to impact on organizations in the UK and collaboration with their counterparts in the US.

Rebecca Herold presenting her session Cloud Computing in Healthcare: Key Security and Privacy Issues at Secure360 Conference
Rebecca Herold, author of several Auerbach books, including Managing an Information Security and Privacy Awareness and Training Program, Second Edition, will be presenting her session Cloud Computing in Healthcare: Key Security and Privacy Issues at this year’s Secure360 Conference, May 8 - 9, 2012. Rebecca is a widely recognized and respected expert in information privacy, security and compliance. Rebecca has been named in the "Best Privacy Advisors in the World" list all years Computerworld magazine has released their rankings, along with receiving many other awards and recognitions. Rebecca has been leading the NIST Smart Grid privacy subgroup since June, 2009. Rebecca’s Compliance Helper service helps healthcare organizations and their business associates to meet their HIPAA, HITECH and other information security and privacy requirements. Rebecca has been an Adjunct Professor for the Norwich MSIA program since 2004, and she is working on her 15th published book.

Fake Feds Attack Hijacks Computers for Ransom
Trusteer CTO Amit Klein on a new use of the Citadel malware platform (a descendant of the Zeus Trojan) to deliver code ransomware that poses as the US Department of Justice and hijacks victims' computers.

My Boss Thinks I'm a Security Threat!
In this cautionary tale, Jane Grafton, Director of Product Development at Lieberman Software, interviewed a woman who should have known better. Her story is told in her own words. If this sounds all too familiar, there is some great advice at the end of this article to make your users more secure.

Zeus Targets Cloud Payroll Service to Siphon Money from Enterprises
Trusteer research has discovered a Zeus attack that focuses on cloud payroll service providers. In this attack, Zeus captures a screenshot of the payroll services web page when a corporate user whose machine is infected with the Trojan visits this website. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system. These attacks are designed to route funds to criminals, and bypass industrial strength security controls maintained by larger businesses. The financial losses associated with this type of attack can be significant.

Companies Leaving the Security of their Data on Cloud to Chance
Most organizations are now using cloud computing in one form or another, yet businesses are omitting to check out the security controls surrounding their data. These are some preliminary findings from the 2012 Information Security Breaches Survey conducted by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills.

PricewaterhouseCoopers Releases 2012 Information Security Breaches Survey
According to the results of the 2012 Global State of Information Security Survey®, the majority of executives across industries and markets worldwide are confident in the effectiveness of their organization’s information security practices. Some of the key findings include ...

An Ethical Hacker's View on the Dangers of Mobile Malware and What Steps to Take to Stop It
Jaime Blasco, an ethical hacker at AlienVault, eats, sleeps and beats malware on a daily basis. What he doesn't know about hacking no-one knows, and what's really concerning him at the moment is the rise in mobile malware. In this article, Jaime looks at the type of malware that is hitting our phones and offers some great advice for personal and business users on what they can do to stop becoming a victim of mobile malware.

So You Think SharePoint Is Secure? Think Again!
SharePoint makes it easy to collaborate. It enables the sharing of ideas, information and expertise; managing documents from start to finish; publishing reports; and comprehensive searching. The problem is that it's easy for anyone to find things they shouldn't. The result is inappropriate snooping, and that spells trouble for every organization using the tool. If you're intending to harness the power of SharePoint without compromising security, with this three dimensional approach, no one function needs to have access rights to sensitive information.

IT Security Lessons that Australia Can Teach Us
The Australian Defence Signals Directorate could teach IT security professionals a thing or two when it comes to operating system and application whitelisting plus privilege controls: enforce Draconian rules and don't worry about upsetting users. Are there lessons to be learned from Aussie tough love?

National Security-Related Agencies Need to Better Address ITC Supply Chain Risks
The GAO has identified five threats to the IT supply chain that could create unacceptable risks. These threats stem from actions by foreign governments and counterfeiters who could exploit vulnerabilities. Officials at four departments stated that their respective agencies have not determined or tracked the extent to which their telecommunications networks contain foreign-developed equipment, software, or services. Federal agencies are not required to track this information, and officials from four components of the U.S. national security community believe that doing so would provide minimal security value relative to cost.

Threat Intelligence: What to Share, and Why?
Those in favor of sharing information show that although they've had some limited success, the process has been difficult to build out and integrate, and the results are mixed due to insufficient data. Those against sharing point to a few early experiments where they have publicly collaborated on data sharing, been burned by the public data being used as counter-intelligence, and promptly returned to either not sharing at all, or sharing within a very limited group. So how do we move forward?

The RSA Security Breach 12 Months Later
It's been 12 months since the security world woke to the news that RSA Security's systems had been compromised and, as the company has reluctantly confirmed, its many tens of millions of SecurID hardware tokens would have to be re-issued to clients. In this article, Andy Kemshall, CTO of SecurEnvoy, reviews the IT security fiasco and what could have been done to prevent the fallout.

Investigations in the Workplace: Investigation Defined
A workplace investigation is generally undertaken to learn something. The result is then used to prove or disprove an assertion, claim, or allegation. Thus, prosecution and litigation are a by-product of an investigation, not its purpose. Because of the ability to prove or disprove something, a properly employed workplace investigation can provide many dividends for the employer. In addition to uncovering facts and essential information needed to solve problems, a successful investigation helps restore order. It provides the employer the opportunity to analyze process and system failures and re-engineer them to prevent future problems.

You'd Be a Great (Virtual) Communicator If Only You Could Just Be Quiet
Listening is the most important skill successful virtual leaders must have, which is usually hardest for them to cultivate. Why it's so important is pretty obvious. Virtual leaders must learn to listen for and interpret an enormous amount of information, within seconds, without benefit of body language or eye contact. And we're not just listening for the words that are (or are not) spoken, but also the tone, pauses, inflections, cadence, lilt, laughter, throat-clearing and perhaps the toughest of all, silence. In this article, Nancy Settle-Murphy of Guided Insights offers tips to cultivate better listening for leaders of virtual teams, where some or all members are geographically dispersed.

Secure Remote Working during the Olympics
Whether you're looking forward to the spectacle, or dreading the disruption, you need to make sure your organization is ready if they're to ensure business continuity and IT security during London's Olympics and Paralympics games. And it's not just London gearing up to host the games as 34 venues throughout the UK will also be taking part. Are you ready?

Symantec February Intelligence Report: Cyber Attackers Impersonate Better Business Bureau
Symantec released its February 2012 Symantec Intelligence Report. The report shows a new wave of cyber-attacks designed to impersonate the Better Business Bureau. The attackers target businesses with emails purporting to originate from the US Better Business Bureau. The emails are socially engineered to suggest that a complaint had been filed against the organization and the details of the complaint could be found in the file attachment. The attachment leads to a PDF file that contains an embedded executable or a URL that leads to the malware. Other highlights include Whitney Houston's death leading to a predictable wave of malicious attacks; the volume of spam messages rose by as much as three and a half times the daily average in ramp up to Valentine’s Day; and spam relating to the 2012 Olympic games continues to increase.

Deductive Forensics: Anticipating Attacks and Precrime
DFI News is running an excerpt from Jesus Mena's newest book, Machine Learning Forensics for Law Enforcement, Security, and Intelligence.

Far-flung Teams Deserve Fabulous Fanfare: Making It Fun from Afar
A team celebration presents a rare opportunity for virtual team leaders to capture the hearts of team members and inject energy in ways that ordinary team meetings and congratulatory emails cannot. In this article, Nancy Settle-Murphy of Guided Insights and Beverly Winkler brainstorm ideas for celebrating achievements and recognizing remarkable performance for virtual teams.

The Scary New Hacking Trend
Starting with Operation Aurora, the brazen 2009 cyber attacks on Google and other large enterprises, through to the recent high-profile data breach that shut down certificate authority (CA) DigiNotar and the recent breach of VeriSign, hackers have learned to exploit a frightening and frequently ignored lapse in network security to gain control of victim networks. The article explains what you can do to mitigate the risks of falling prey to this scary new hacking trend.

Why Are the Hackers Targeting Certificate Authorities and What Can You Do about It?
As we venture into 2012, many are looking for where the biggest opportunities for hackers will lie. We all know history has a habit of repeating itself, so it is a fair assumption that the black hats will stick to what they've proven works. What we need to do is change what we're doing to stop them. This article examines one of 2011's most disturbing IT security developments, how certificate authority (CA) third-party trust providers have become the hacker target of choice. It details how it's happened and what we have to do to ensure we keep the bad guys out.

Responsibility Disconnect and Lack of Management Commitment Impedes Database Security Effort
Findings from the Data Security at an Inflection Point: 2011 Survey of Best Practices and Challenges reveal that the greatest challenge to database security may actually come from organizational issues, rather than nefarious or accidental acts. In most cases, database security is overseen by both database and security teams, thereby yielding a disconnect in ownership responsibilities as well as a lack of consensus on top priorities. According to respondents, management, while showing increasing signs of threat awareness, continues to offer inadequate financial support.

Creating a Culture of Security Awareness
If true security is to be realized in any organization, a culture of security awareness must be encouraged at all levels, from the top down. Regardless of the industry in which your organization operates, there are trade secrets, personnel information, customer information, and proprietary data that must be protected. At virtually every level of operation, people must be careful to protect the assets and interests of the organization they serve. This care will most effectively be derived from a workforce whose culture includes an awareness of security issues.

Untangle Your Virtual Team with 10 Most-Needed Norms
In this article, Nancy Settle-Murphy of Guided Insights provides 10 "best practices" norms that can do the most to save time, reduce frustration and boost productivity of virtual teams. Extracted from one of her Bridging the Distance Virtual Leadership workshop series, these examples include specific actions that can support each one. For this piece, she touches on virtual meetings, decision-making, the use of email, shared documents and scheduling, areas for which a lack of explicit norms can cause especially thorny problems for virtual teams.

Lean Management
One of the concepts that is gaining popularity is called Lean management or Lean performance. It’s based on the principles from Toyota’s production system (TPS). These concepts helped take Toyota from a small car company to one of the market leaders in the automotive industry in terms of quality and efficiency. The primary goal is to get rid of waste that occurs in the product process. For most Lean efforts everything is based around the muda (waste). Muda translates into any activity that is wasteful, meaning it does not add any value or is unproductive. Seven activities fall into this category.

Passwords Are Not Enough: Why Enterprises Need Strong Authentication, Too
In this article, Tim Matthews, Symantec’s director of User Authentication, discusses the uselessness of passwords and what organizations should be doing to keep data how it should be--safe and under the right control at all times. He then explains how strong, or two-factor, authentication is a simple and flexible alternative to the antiquated password.

Monitoring the User Experience
One of the great challenges of network administrators is monitoring of the user experience. It's become something of a buzzword, with management telling the network team to do it, without any actual indication of what they want. Without clear direction, it's nearly impossible to know what metrics will be meaningful, and then how to configure monitoring solutions in order to produce useful data. And yet the overall goal of everything IT does is to make sure the user is able to access the resources needed to be productive. Users won't care if they have state-of-the-art endpoints if the network itself is slow. That, as Brad Reinboldt of Network Instruments explains, means that monitoring the back end of the user experience is vital for IT.

Cybersecurity: Public Sector Threats and Responses
This accessible primer focuses on the convergence of globalization, connectivity, and the migration of public sector functions online. It examines emerging trends and strategies from around the world and identifies the challenges you need to be aware of. Offering practical guidance for addressing contemporary risks, the book considers global trends, national and local policy approaches, and practical considerations. Suitable for classroom use, Kim J. Andreasson's book will help you understand the threats facing today’s governments at all levels and the issues that must be considered when thinking about cybersecurity from a policy perspective.

Security Is Broken
When discussing the information security sector, the word "broken" crops up quite often in magazines, journals, conferences, blogs, and other sources. In his book The Myths of Security, John Viega says about security, "A lot of little things are just fundamentally wrong, and the industry as a whole is broken." So, if it's broken, can it be fixed? This is a Herculean-like task Ian Tibble has assumed.

Organizational Change: Ignore Roadblocks at Your Peril by Nancy Settle-Murphy
We all have different ways of dealing with roadblocks, based on our personalities, perceived sense of urgency, navigational abilities, experience dealing with similar roadblocks, and other factors. And so it is when we encounter resistance to organizational change, a very particular type of roadblock, that tends to stop even the most experienced leaders in their tracks. Just as drivers must determine how best to handle different types of roadblocks that block their paths, so, too, must company leaders learn how to anticipate and address resistance to organizational change. In this article, Nancy Settle-Murphy of Guided Insights offers tips for determining just how formidable that roadblock is, and deciding which interventions make the most sense to remove the roadblock, or at least to minimize the inconvenience.

Data Mining Applications for Security
While data mining technologies have exploded over the past two decades, the developments in information technologies have resulted in an increasing need for security. As a result, there is now an urgent need to develop secure systems. However, as systems are being secured, malware technologies have also exploded. Therefore, it is critical that we develop tools for detecting and preventing malware. This excerpt discusses the various applications of data mining to support information security.

The Penetration Testing Framework
What is a framework? Moreover, how does it apply to attacking a system? Finally, is a framework a methodology? A framework is a collection of measurable tasks, whereas a methodology is a specific set of inputs, processes, and their outputs. A framework provides a hierarchy of steps, taking into consideration the relationships that can be formed when executing a task given a specific method. How does this apply to penetration testing?

The ABCs of a Persuasive Security Awareness Program
This chapter explores and exploits the scientific body of knowledge around the psychology of how humans behave and make decisions. Using psychological principles that social scientists and psychologists have discovered over the past 50 years, we can produce security awareness programs that are more personal, relevant, and persuasive. Ultimately, knowing, understanding, and applying what we know about the engines of personal behavior will allow us to write more effective awareness programs.

6 Steps to Security Policy Excellence
Striking the right balance between risk mitigation and the commercial demands of the business is an essential skill, which must be adapted according to the nature of your industry and the size, culture and risk appetite of your organization. This role needs to have clear ownership at senior management level. Organizations need to take a systematic and proactive approach to risk mitigation if they are to be better prepared to satisfy evolving legal and regulatory requirements, manage the costs of compliance and realize competitive advantage. Achieving and maintaining policy compliance becomes more difficult to sustain as organizations grow, become more geographically dispersed and more highly regulated. But, it doesn't have to be this way.

What Is Insider Computer Fraud?
An organization's employees are often more intimate with its computer system than anyone else. Many also have access to sensitive information regarding the company and its customers. This makes employees prime candidates for sabotaging a system if they become disgruntled or for selling privileged information if they become greedy. This excerpt introduces the fundamental elements of computer fraud, then discusses insider threat concepts, concerns, and defenses.

Protecting Mobile Data: When Is Enough, Enough?
This article discusses how the dramatic increase in smart mobile device use makes it impossible for organizations to know everywhere their potentially sensitive data will travel. It provides an in-depth analysis on how encryption technology can be used to round out a defense in-depth approach to mobile security to ensure sensitive corporate data is protected no matter where it might end up. It also provides practical best practices organizations should follow when implementing mobile-specific encryption policies.

Whitelisting
Documenting all network resources and being able to use whitelisting will give the enterprise more control over those resources and lessen the risk to the enterprise. The upfront work for implementing whitelisting will require a larger effort. Once completed, the whitelisting will enable the enterprise to specifically know what resources are available and who has access to what resources. Overall, implementing whitelisting will reduce the risk of findings during a compliance audit.

Terrorism: An Overview
What do you know about terrorism? Yes, it's a violent, destructive, political act. What else? If you can't easily explain terrorism, then this excerpt from The Counterterrorism Handbook: Tactics, Procedures, and Techniques, Fourth Edition will help bring you up to speed.

Security Risk Assessment Approaches
There are nearly as many security risk assessment approaches as there are organizations that perform them. There are strengths and weaknesses within each approach, but the applicability of the approach to your specific environment, objective, and available resources will be the biggest driving factor in selection of the appropriate approach. The following briefly describes some of the differences between currently available approaches to assist in your understanding and to aid in the selection process.

Smart Card Security: The SIM/USIM Case
Open smart card-based platforms used by mobile systems are new generation trusted personal devices with enhanced flexibility in terms of connectivity and interoperability. Smart cards can host several applications and allow new applications to be added after their issuance. This excerpt from Security of Mobile Communications discusses some of the known and well-documented attacks against smart card-based systems. A particular interest will be given to the attacks against the smart card itself, its interaction with the system, and the API and OS it uses.

Rootkits: The Ultimate Malware Threat
Fifteen years ago, damage and disruption due to virus and worm infections also comprised one of the most serious types of security risks. Things have changed considerably since then; certain types of malicious code ("malware") other than viruses and worms have moved to the forefront of risks that organizations currently face. Rootkits in particular now represent what might safely be called the ultimate malware threat. This chapter covers the ins and outs of rootkits, the relationship between rootkits and security-related risk, how to prevent rootkits from being installed in the first place, and how to detect and recover when rootkits have been installed in victim systems.

Hacking Windows
Many people have the opinion that security does not count when an attacker has physical access to your computer. Jesse Varsalone, co-author of Defense against the Black Arts: How Hackers Do What They Do and How to Protect against It, strongly disagrees with that opinion. Security always counts, especially when an attacker is able to get physical access to your box. It does not have to be "game over" just because an attacker gets physical access to your machines. There are measures you can take to secure your computers from physical attack. This chapter will discuss what measures can be taken to secure a Microsoft Windows operating system and how vulnerable these systems can be when proper precautions are not taken.

Security Countermeasure Goals and Strategies
The term security countermeasures implies correctly that they are measures taken to counter a threat action. In an ideal world, security countermeasures would be so effective as to completely eliminate the will of potential threat actors to take action. This excerpt from Risk Analysis and Security Countermeasure Selection by Thomas Norman explains why security countermeasures are required, and the elements of countermeasure objectives, goals, and strategies.

Targeted Network Attacks
In recent years, your company has made substantial investments into its information security infrastructure, which have had a major impact on the detection and eradication of typical malware threats. These investments notwithstanding, companies are still often not aware of a more significant threat to their network: network attacks that are targeted specifically for their organization. This whitepaper gives a broad overview of some common methods used by hackers during targeted network attacks and some steps your organization can take to combat them.

Establishing a Patch Management Policy
The main reason for the implementation of a patch management policy is to define the process which IT security teams must follow to ensure that their systems and applications are up-to-date, known vulnerabilities are addressed and that the organization is compliant with several regulations and standards. So, what should your patch management policy cover?

Virtual Meetings: Design for Worst-Case Scenarios for Best Outcomes
This article offers some practical tips for anticipating and addressing problems that arise frequently during virtual meetings. Of course, in an ideal world, we think through every possible risk and mitigate each one before a problem occurs. But in the real world, which admittedly is not quite perfect, we can only take our best guess about what might go wrong and plan accordingly.

Integration: The Missing Link in the Cloud
Cloud computing or cloud-based solutions have been portrayed as a panacea for companies looking for the flexibility and scalability they need to grow their businesses, while keeping costs down. Unfortunately for many businesses, data, application or business-to-business (B2B) integration is an afterthought when evaluating the cloud, and it becomes the stumbling block that prevents companies from realizing the cloud’s true benefits. Companies should absolutely look at how the cloud could improve their agility and business impact. There are three key rules when evaluating a cloud migration or implementation.

Productivity vs. Security
Enterprises are increasingly concerned about the risk in cyber threats, and the rising number of incidents revealed publicly justifies their worries. Yes, budgets are being reduced and technology departments are being asked to cut resources. Attackers use the downturn in security enforcement to step up the pace of exploitation at a time when an enterprise can ill afford downtime, decreased productivity, stolen data, lost sales and a damaged enterprise reputation. This is the "security paradox" or "productivity versus security." This debate is becoming harder to implement as single point external attacks have moved toward multi-source external attacks and the model of the "trusted employee" is being eroded.

Does Your Business Continuity Plan Cover Cyberattacks?
In this day and age, most companies, regardless of whether a single office or a large international conglomerate, are reliant on computer systems to function. If you were attacked tomorrow, the reality is it will shut you down. How long it takes to get back up and running, if at all, is down to you. Sit up, take note, and plan for the inevitable.

Strong Virtual Leadership + a Few Essential Tools = Great Collaboration
As a successful leader of virtual teams, you know you have what it takes to keep the team motivated and focused: choosing the best combination of tools to enable this team to collaborate and communicate in lockstep. Fortunately, your company has invested heavily in collaboration tools over the last few years. Your team needs to determine which tools will work best, under what conditions, to achieve these ambitious goals, from afar. Here's a "short list" of "must have" tools for geographically dispersed teams, or for any type of team that relies on virtual collaboration tools to get work done.

Realizing the Benefits of Vulnerability Management in the Cloud
In this white paper, Gordon MacKay, CTO of Digital Defense, Inc., discusses two types of vulnerability management deliveries: cloud-based and premise-based. I highlight several challenges with vulnerability management and I argue that a cloud-based vulnerability management delivery keeps organizations more secure as compared to a premise-based solution.

Tips on Living with and Managing Microsoft Outlook PST Files
IT administrators know that mailbox quotas imposed on network users encourage the use of Microsoft Outlook's AutoArchive feature, which creates personal storage (PST) files. Messages and attachments often contain sensitive company data that should be part of a central store. Difficult to locate and manage, PSTs clog up local drives and server space and are rarely included in normal security and backup processes. The need to use PST files can have a negative impact on business productivity. On the other hand, managing and living with PSTs scattered around the network may not be a problem for some organizations. The following PST management tips from C2C are intended to help you determine whether action should be taken and how to live with PST files.

Protection of Sensitive Data
The amount of data that a staff member comes across daily can be enormous. It is not possible to protect all the data that a staff member can come across. The enterprise needs to document what constitutes sensitive data (data classification policy) and identify the level of protection required. This article discusses the physical (not logical through access control) protection of sensitive data and what to consider in the environment.

Security Patch Management: Getting Started
This excerpt provides initial insight into the patch management process, and concludes with additional background on the patch management process and how to get started.

How to Tilt the Work-Life Balance in your Favor in a 24x7 World
Is achieving "work-life balance" really possible in an always-on, constantly connected world? In this article, Nancy Settle-Murphy offers some observations and practical tips for those who want to reclaim more of the "life" in that elusive work-life balance equation.

IPv6: An Introduction and Overview
IPv6 is the next-generation Internet Protocol. The current version of the Internet Protocol, IPv4, has been in use for almost 30 years and exhibits some challenges in supporting emerging demands for address space cardinality, high-density mobility, multimedia, and strong security. This is particularly true in developing domestic and defense department applications utilizing peer-to-peer networking. IPv6 is an improved version of the Internet Protocol that is designed to coexist with IPv4 and eventually provide better internetworking capabilities than IPv4.

 
News

May 11, 2012 - Army eyes monitoring tools to stop WikiLeaks repeat

May 10, 2012 - Twitter downplays breach that exposed passwords

May 10, 2012 - Mobile BYOD users want more security


Events

AnDevCon III in Burlingame, California from May 14 to 17, 2012. AnDevCon III is the technical conference for software developers building or selling Android apps. It offers one day of intensive workshops, followed by three days of technical classes. More than 1,500 software developers, engineers and entrepreneurs from 40 nations are projected to attend AnDevCon III and choose from 70+ classes to bring Android open source development to a high level. Exhibits admission is free. Visit more than 50 exhibitors! Information Security Today readers can receive a $100 discount off either the 4-day or 3-day pass (first time registrants only - cannot be combined with other offers) by inserting the code MEDIASPONSOR when prompted on the eRegistration page linked from www.andevcon.com.
Use code MEDIASPONSOR for $100 discount.

IT Showcase China in Shanghai, China starting May 29, 2012. The IT Showcase China, organized by JFPS, is being held for the 4th time! In the past three years, we have organized these events in Shanghai and Beijing and have attracted 400+ IT leaders to discuss the latest information technologies and management experiences. In the 2012 4th IT Showcase, we will hold 4 CIO Forums for different industries: Finance Industry IT Forum, Auto and Electronics Industry IT Forum, Consumer Goods and Retail Industry IT Forum, and Pharmaceutical and Chemical Engineering Industry IT Forum. Each participant can have in-depth discussions with industry peers in the segmented industrial forums. You can’t afford to miss this highly engaging opportunity!

CONFidence 2012 in Krakow, Poland on May 23 and 24, 2012. CONFidence is an annual IT security conference that will take place on 23-24th May, 2012 in Krakow, Poland. The best speakers, latest issues, laid-back atmosphere and Krakow's crazy night life. That's why CONFidence has become a meeting point of the hacker community in Europe. The core of CONFidence is a two-day conference with workshops, but the whole event is so much more. This year, apart from the technical part, we are planning to deploy a special SpyGames game where attendees will participate in real spy contests including sneaking past sensors, lockpicking, and rescuing a prisoner from a bunker.
Use code 2012-ist for 15% discount on registration.

The 4th Kuwait Infosecurity Conference & Exhibition in Boston, Massachusetts on June 4 to 6, 2012

Legal Technology 2012 in Kuala Lumpur, Malaysia on June 14 and 15, 2012

Cyber Warfare & Security Summit 2012 in Washington, DC Metro Area on June 25 to 27, 2012. At the Cyber Warfare & Security Summit 2012 we will discuss the newest developments within the cyber warfare domain, new technologies on how to identify and counterattack hackers and what a perfect cyber warrior should look like. The event will also take a closer look at how to react faster and more efficiently to cyber attacks and at international alliance structures to establish cyber security. Prior to the main conference, the event will kick off with a focus day discussing the human capital crisis that cyber security is currently facing and battling with 10.000 new cyber warriors.

The SharePoint Technology Conference in Boston on July 22 to 25, 2012. The SharePoint Technology Conference, July 22-25 in Boston, is the world's premier independent event for Microsoft Office SharePoint. The format includes 90+ technical classes, workshops and breakout classes with content geared to IT professionals, business managers and developers. It features top Microsoft MVPs, dozens of expert MS speakers and solutions from 50+ exhibitors (exhibits admission is FREE!). Auerbach subscribers can receive a $100 discount off either the 4-day or 3-day pass (first time registrants only - cannot be combined with other offers) by inserting the code MEDIASPONSOR when prompted on the eRegistration page linked from www.sptechcon.com.
Use code MEDIASPONSOR for $100 discount on registration.

ITX Asia 2012 in Kuala Lumpur City Centre, Malaysia from September 12 to 14, 2012

Hacker Halted 2012 in Miami from October 25 to 31, 2012




© Copyright 2012 Auerbach Publications