IN THIS ISSUE
1) For Executives - Walking the Talk Makes a Difference to Your Staff
2) For Home Computer Users - Checking Your Firewall's Ability to Stop Hidden Programs From Secretly Sending Out Your Personal Information
3) For Managers and Office Staff - Be on the Lookout for Odd Behaviour in the Workplace
4) For Security Professionals - Password Policies Should Suit the Sensitivity of Information They Protect
More Articles at:
http://www.securityviews.com
If you are interested in reading more of my security and risk management articles, please visit the Security Views web site at the link above. There are over 50 categorized articles on topics such as insider threats, chain letters, awareness training, application security, and many other issues.
I try to write at least one practical article a week on issues of interest to people like yourself. If you would like to use any of my articles in your organization's newsletters, please let me know.
Wondering About Security? I am interested in understanding what kinds of issues are on your mind that might be worth writing about.
Do any of the following cause you to lose sleep at night?
- Unauthorized Internet use by employees or family members
- Corporate strategy and security
- Security awareness
- Screening new hires
- Personally Identifiable Information (PII) at home or in business systems
- Regulatory compliance
- Asset valuation
- Justifying security investments
- Any other topics
Did You Know?
Breach disclosure laws are coming into fashion around the world. The trend was prompted by California's Senate Bill 1386 (SB 1386, in force since July 2003). This law requires any person or business operating in California that becomes aware of a breach of a California resident's personal information to notify those residents without unreasonable delay. It is good news for consumers, in general, but many businesses would prefer to keep these incidents quiet. Canada is lagging behind in this type of legislation, but it is almost inevitable. Keep in mind that the TJX breach (TJ Maxx in the US, Winners in Canada), discovered in late 2006 and disclosed in early 2007, has already cost the company well over $4 million in direct losses due to civil claims, and the company has warned of further potential costs in future quarters. Let me know if you are interested in hearing about customer surveys indicating what percentage of consumers in Canada said they would switch companies if there was a breach of their privacy.
Free Security Tools
I have developed some security self-assessment tests that you can use to score yourself on security at home and in the office. The "Free Tools" page at www.securityviews.com has the links to download these printable PDF files.
I expect to have more downloadable tools on this page in the future.
About Scott Wright
While I may seem like your typical Engineer with an MBA, I have been known to actually help businesses and government organizations in the Ottawa area for over 20 years.
I am always looking for ways to "Secure the Bottom Line". It is my firm belief that security management is a key element of organizational success. My aim is to put the many different views of security into perspective, which leads to more efficient and effective organizations. Hence the name of my company - Security Perspectives.
Our role can involve facilitating change in areas such as corporate strategy, policy and process analysis, compliance, security awareness, product development methodology and deployment.
Methods we can use include surveys, interviews, workshops, organizational development, technical analysis, strategic discussion, training, coaching and keynote speaking on various topics.
I am a member of the LinkedIn network, and would be happy to add you or your associates to my network. You can send an invitation to: swright@securityperspectives.com.
Distribution Information
You have received this initial distribution because you are one of the following:
- A business associate of mine whom I thought might be interested
- A Security Professional
- A person who uses a computer, and might be interested in some practical information on how to secure your personal and private information!
- A friend or associate of one of the above, and they thought you might be interested.
If you are not in one of these categories, or just wish to be removed from my email distribution list, simply reply and let me know. If you aren't on the mailing list, but would like to be, you can also send me a reply.
This newsletter is available in either HTML (with graphics and formatting), or in Text Only versions. Just click on the link below to change your profile.
You should feel free to print, copy or forward this newsletter to anyone whom you feel might benefit, or be interested. I especially encourage you to pass it along to colleagues in other organizations, or to others at different levels in your organization. However, if you are forwarding or using an excerpt, please include the following copyright attribution: (c) Scott Wright, 2007. All Rights Reserved.
The Practical Security News
Issue 01, August 2007
Authored by Scott Wright, Security Management Coach and Consultant, Security Perspectives Inc.
This is the inaugural issue of The Practical Security News (TPSN) newsletter, aimed at providing news and information you can use today... in the board room, in the office or at home. For more information on this newsletter, why you are on the distribution list, or how to subscribe or unsubscribe, please see the note in the bottom left of this message.
For Executives
Walking the Talk Makes a Big Difference to Your Staff
It must be hard for some executives to read the news each day and learn about colleagues in other companies who are having to manage the fallout from a security breach. These incidents are now so frequent that several industry Web sites (e.g. http://breach.scmagazineblogs.com/) focus solely on reporting the latest incidents across all industries. After reading a few of these, do you find yourself thinking, "There but for the grace of God, go I"?
Or do you have complete faith in your organization's policies and procedures? It is fine to delegate responsibility for security to the IT department, the Finance and Admin department, and so on, but as a top executive you remain ultimately accountable for the protection of your organization's assets and information.
Policies and procedures are certainly required in most organizations of any size, whether by law, to maintain order, or to keep customer trust. I know it can give you indigestion just thinking about policy development, let alone the technologies your people might want to put in place to implement it. Most people can tell you how much easier their job would be if the policy were ... (fill in the blank). They less often think about what could be done to better protect the organization's assets and information, as opposed to just making their own life easier. Good policies can be both effective and workable.
While policies are necessary, don't forget that culture is one of the most cost-effective security investments you can make. If everyone in the organization understands the value of their responsibilities for safeguarding or building the company's intellectual capital, and their "rational self-interests" are served by doing the right thing, they are much more receptive to good security policies. Even understanding the purpose of the security tools you have already provided them with will have a significant effect on staff's ability to comply with policy.
The one thing you must do, however, is walk the talk. You cannot expect everyone else in the organization to practice safe computing just because policy says so, especially if you, as an executive, carry around a laptop, USB key or PDA with no disk or storage encryption. You need to understand, just as everyone else does, that the breach usually happens at the weakest link. If staff observe that you don't need to comply, they will follow suit.
With the estimated cost of security breaches now approaching US$200 per affected individual (Ponemon Institute), there should be an incentive for you to look at your own habits. Otherwise, it's only a matter of time until you make the news...
Security Perspectives can help assess your organization's information protection profile and provide guidance on how you can have staff initiate positive changes to protect your bottom line.
For Home Computer Users
Checking Your Firewall's Ability to Stop Hidden Programs From Secretly Sending Out Your Personal Information
(Warning: this article contains relatively simple technical content!)
Steve Gibson is a well-respected computer security expert who develops easy-to-use tools and gives advice on how to protect yourself in the home computing environment. You may have seen him on "Call For Help" (http://www.callforhelptv.com) on G4-TechTV with Leo Laporte. I find his tips and tools very useful for everyone, from security professionals to everyday users.
One tool Steve has on his Web site is called LeakTest (http://www.grc.com/lt/leaktest.htm). It is a small program that you download and run on your own computer. When it runs, it deliberately tries to make an outbound connection to his Web site, the same way a Trojan Horse program or virus tries to send information from your PC to a hacker's "master" computer. In other words, it pretends to be a dangerous program to see whether your security software notices an unfamiliar program trying to reach the Internet and stops it. This outbound ("egress") check is different from the inbound protection most people think of when they hear "firewall". (While you are probably aware that you should not open email attachments you aren't expecting, or visit unsavoury web sites, it can still happen accidentally, to you or to other family members using your computer.)
I recently tried running LeakTest and my Norton Internet Security program detected it, as it should, and asked me if I wanted to allow or deny this program to send information from my computer. When I pick “Block Always”, the test passes. However, this doesn’t mean Norton always works as it should for every user on every computer. You should try it on your computer to make sure it is configured properly.
There is another set of tests on Steve's "ShieldsUP!" page that are easier to run, and which check whether other functions of your firewall are providing proper protection, in particular whether connection attempts coming in from the Internet to your computer's ports are being blocked.
Hackers will always be finding new ways to steal information covertly from computers, so there is no guarantee that tools like Steve's are 100% reliable. In particular, a firewall that passes LeakTest can still be bypassed by malware that sends its data through a program you have already told the firewall to trust, such as your web browser. It is still essential to make reasonable efforts to protect your data by making sure your safeguards are working. Check out the Home Computer Security Self-Assessment checklist at www.securityviews.com/blog/free-security-tools to see how well your home computer is protected.
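To make the idea concrete, here is a small Python program, added here as an illustration and not Steve Gibson's LeakTest code, that does the core of what LeakTest does: it opens an outbound TCP connection and reports whether the connection was allowed, refused by the far end, or silently dropped. By default it only talks to a listener it starts on your own machine (127.0.0.1), so it runs without Internet access; any real host and port you point it at are your own choice, not something the article specifies. If your firewall applies outbound rules per program, running an unfamiliar script like this should trigger the same allow/deny prompt described above.

```python
import socket
from typing import Dict, List, Tuple


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Try one outbound TCP connection, as LeakTest does, and classify the result.

    "allowed": the TCP handshake completed, so nothing on this machine stopped it.
    "refused": the packets reached the host but nothing is listening there
               (the firewall still let the program out).
    "dropped": no answer before the timeout, the usual sign of a firewall
               silently discarding the packets.
    Anything else (no route, DNS failure, the OS refusing the call) is
    reported as "error: <exception name>".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "allowed"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # must come before OSError, it is a subclass
        return "dropped"
    except OSError as exc:
        return "error: " + exc.__class__.__name__


def probe_many(targets: List[Tuple[str, int]], timeout: float = 3.0) -> Dict[str, str]:
    """Probe several (host, port) pairs; e.g. [("www.example.com", 80)] for a real test."""
    return {"%s:%d" % (host, port): probe(host, port, timeout) for host, port in targets}


def demo_against_local_listener() -> Tuple[str, str]:
    """Offline walk-through on the loopback interface (constructed for this example).

    First probe a port while a listener is open, then again after it is closed.
    With no firewall interfering the results are ("allowed", "refused").
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    listener.listen(1)                  # the kernel completes handshakes without accept()
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = probe("127.0.0.1", port, timeout=2.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_against_local_listener())
```

When you run this against a real Internet address, "allowed" means an unknown program was let out, which is exactly the failure LeakTest looks for; "dropped" (or an allow/deny prompt from your security software) is what a working outbound filter looks like. A loopback probe never leaves your machine, so it tells you nothing about the firewall; it is only there so the script can be tried safely first.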
For Managers and Office Staff
Be on the Lookout for Odd Behaviour in the Workplace
When we work closely with the same people for long periods, we get to know their habits, and we sometimes start to think of their idiosyncrasies as "that's just what they do". But we should always watch for behaviour that might affect our organization's security.
I know. You say, "Everyone passed the security screening (if there is any) before they were hired"... but most inside attackers have had no trouble clearing the small hurdles meant to screen out people who can't be trusted. Probationary periods are supposed to weed out those who slipped through the cracks, right? Yet insiders are still behind a large share of malicious breaches. (The breach blog at http://breach.scmagazineblogs.com/ has some interesting examples of insider threats from established employees.) So, next time you see something that looks odd, document it, with the date, the time and what you observed; that will help an investigation if something does happen. If it looks downright suspicious, report it to the Corporate Security Officer.
You obviously need a culture of trust for people to be motivated and empowered to do their jobs. However, remember that if people are given the motive, means and opportunity, there is a significant chance that someone will act on them some day.
The organization has the right and the obligation to protect its assets and information. Employee trust is not the issue. Employees need to understand that you can’t explain a breach to hundreds or thousands of customers by saying, “Well, we thought we could trust Humphrey, but I guess we were wrong.” That dog won’t hunt.
In fact, all staff should be on the lookout for strange occurrences or behaviours, and should report them to their manager, or to the Security Officer. This needs to be encouraged, without apology, by management. Security Perspectives can provide security awareness training and workshops to reinforce staff's alertness to potential threats and risks.
For Security Professionals
Password Policies Should Reflect the Sensitivity of the Information the Passwords Protect
Whether you are implementing a new internal system, a software product or a service on the Web, you should spend time considering the types of users and information that will be protected by your authentication facility.
In my recent blog article on password policies at http://securityviews.com/blog/2007/07/10/practical-password-policies/ you will find some discussion of how today’s user population is getting inundated with differing password policies that are not always appropriate.
Think about how many passwords you have to manage yourself each day, week and month for your own business and personal activities. Maybe you use the same password all the time; maybe you write them down; maybe you use a different strategy. But remember that most users are not wired to remember 10-character passwords with upper and lower case letters, special characters and digits that must change every 30 days and cannot match any of their last 3 passwords...
So, as security professionals, we should keep a balance. Strong passwords are essential, but before we demand far more than the banks ask of us, let's make sure there are complementary safeguards in the back end, such as throttling or lockout after repeated failed logins and properly salted and hashed password storage, so there is no single obvious "weakest link" to exploit.
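As an added example (not code from the newsletter or from the blog post linked above), the following Python sketch shows what "suit the sensitivity" can look like in practice: three hypothetical policy tiers keyed by the sensitivity of the data, a check that reports every violation rather than just pass/fail, reuse detection against salted hashes of previous passwords, and a failed-login throttle as one of the complementary back-end safeguards. The tier names, lengths, history depths and lockout thresholds are assumptions chosen for illustration, not figures from the article.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PasswordRecord = Tuple[bytes, bytes]   # (salt, PBKDF2 digest) as stored in the back end


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_classes: int            # of the four classes: lower, upper, digit, other
    history_depth: int          # previous passwords that may not be reused (0 = none)
    max_age_days: Optional[int]  # forced rotation interval, None = never forced


# Hypothetical tiers: the more sensitive the data, the more the policy asks for.
POLICIES: Dict[str, PasswordPolicy] = {
    "public":    PasswordPolicy(min_length=8,  min_classes=1, history_depth=0, max_age_days=None),
    "internal":  PasswordPolicy(min_length=10, min_classes=2, history_depth=3, max_age_days=None),
    "sensitive": PasswordPolicy(min_length=12, min_classes=3, history_depth=5, max_age_days=90),
}


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/other appear in the password."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Salted PBKDF2-HMAC-SHA256; the back end stores (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches(password: str, record: PasswordRecord) -> bool:
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_password(password: str, tier: str, history: List[PasswordRecord]) -> List[str]:
    """Return every policy violation for the tier; an empty list means acceptable."""
    policy = POLICIES[tier]
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if character_classes(password) < policy.min_classes:
        problems.append("needs at least %d character classes" % policy.min_classes)
    recent = history[-policy.history_depth:] if policy.history_depth else []
    if any(matches(password, rec) for rec in recent):
        problems.append("reused one of the last %d passwords" % policy.history_depth)
    return problems


class LoginThrottle:
    """Back-end safeguard: lock an account after too many failures inside a time window,
    so a guessable password is not the only thing between an attacker and the data."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures

    def record_failure(self, user: str, now: float) -> None:
        self._failures[user].append(now)

    def is_locked(self, user: str, now: float) -> bool:
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:   # forget failures outside the window
            recent.popleft()
        return len(recent) >= self.max_failures


def demo() -> dict:
    """Constructed walk-through: the same password judged by tier, reuse, and throttling."""
    old = [hash_password("Winter2007!"), hash_password("Spring2007!")]
    results = {
        "weak_on_public": check_password("letmein1", "public", []),
        "weak_on_sensitive": check_password("letmein1", "sensitive", []),
        "reused_on_internal": check_password("Spring2007!", "internal", old),
        "fresh_on_sensitive": check_password("Correct-Horse-42", "sensitive", old),
    }
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for t in (0, 10, 20):                       # three failures in 20 seconds
        throttle.record_failure("alice", t)
    results["locked_at_25s"] = throttle.is_locked("alice", 25)
    results["locked_at_100s"] = throttle.is_locked("alice", 100)   # window has expired
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point of returning a list of violations is that a user who fails the "sensitive" tier learns exactly why, instead of guessing at an opaque rejection; the point of the throttle is that once online guessing is limited to a handful of attempts per window, the marginal value of a 30-day rotation rule drops sharply, which is the balance the article argues for.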
(c) Scott Wright, 2007. All rights reserved.