External and internal threats to information security. Sane password policy.
Information security is a hard challenge for most organizations. In this newsletter we
discuss some security issues regarding external and internal threats to
information security, and the management of password policy.
Issue 9, June 7, 2005
Show Hidden Files News
The following information security issues are discussed in this newsletter:
Virus writers are more intent on obtaining personal data
Data leaks highlight complexities of electronic documents
USB drives and data leakage
Put policies before products in IT security battle
Jotting down passwords is better than using one for all
Back in the good old days of computer viruses, malicious hackers wrote them for notoriety
alone. Now it is all about the money.
The Sober-N virus, which currently accounts for roughly 80 percent of all virus
reports and 5 percent of all global e-mail volume, is a fine example: viruses are
increasingly used to obtain personal information and access to bank-account numbers,
passwords and other sensitive financial data.
Sober-N dwarfs the virus currently in second place, which represents just over 6
percent of all virus reports and accounts for just 0.4 percent of all e-mail.
It got so big so quickly because its writers probably used spam technology to
distribute it in the first place. This shows a clear tendency: those who launch
malware into the public realm are now intent on spreading it more widely than ever.
Once the attachment is opened and launched on a personal computer, such malware often
attempts to install software that captures the user's keystrokes, with the aim of
harvesting the user's personal data.
Just a few clicks were enough to reveal "blacked out" names, training procedures and
other secrets in an electronic report the U.S. military released recently.
The U.S. military command in Baghdad produced the report in Portable Document Format
(PDF) and posted it on the command's Web site on Saturday. Its censors simply drew
black rectangles over the sensitive passages and did not delete the text itself from
the document. A drawn rectangle is just one more object painted onto the page; the
text underneath stays in the file and is exactly what text extraction reads. Readers
can see what is buried beneath by opening the document in Acrobat Reader, choosing the
"select text" tool, copying, and pasting all the text into any text editor.
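To make the failure concrete, the following added example (not code from the newsletter or from the report's authors) builds two tiny PDFs from constructed report lines: one "redacted" the way the censors did it, by painting a black box over the line that names the liaison officer, and one with the name actually removed from the content before the box is drawn. It then does what a copy-and-paste does, pulling every string operand of the Tj text operator out of the content streams. The report lines, the name "J. DOE" and the box coordinates are assumptions made up for the demonstration.

```python
import re

# Constructed sample: three lines of a report; the censor wants "J. DOE" hidden.
REPORT_LINES = ["Unit: Task Force Delta", "Liaison officer: J. DOE", "Status: reviewed"]
SECRET = "J. DOE"


def pdf_escape(text: str) -> bytes:
    """Escape a string for use inside a PDF literal string ( ... )."""
    raw = text.encode("latin-1")
    return raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def pdf_unescape(raw: bytes) -> str:
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def text_stream(lines) -> bytes:
    """Content-stream operators that draw the lines in 12 pt Helvetica, one per row."""
    ops = [b"BT /F1 12 Tf 14 TL 72 720 Td"]
    for line in lines:
        ops.append(b"(" + pdf_escape(line) + b") Tj T*")
    ops.append(b"ET")
    return b"\n".join(ops)


# A filled black rectangle positioned over the second text row (the liaison line).
BLACK_BOX = b"0 g 70 703 220 16 re f"


def build_pdf(content: bytes) -> bytes:
    """Wrap one uncompressed content stream in a minimal but valid single-page PDF."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at)
    return bytes(out)


def fake_redacted_pdf() -> bytes:
    """What the censors did: the text operators stay, a black box is drawn on top."""
    return build_pdf(text_stream(REPORT_LINES) + b"\n" + BLACK_BOX)


def properly_redacted_pdf() -> bytes:
    """Real redaction: the secret is removed from the content itself, then the box is drawn."""
    lines = [line.replace(SECRET, "[REDACTED]") for line in REPORT_LINES]
    return build_pdf(text_stream(lines) + b"\n" + BLACK_BOX)


STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def extract_text(pdf: bytes) -> list:
    """Every Tj string operand in the uncompressed content streams: roughly what
    'select all, copy, paste' hands a reader, whatever is painted over it."""
    found = []
    for stream in STREAM_RE.findall(pdf):
        found.extend(pdf_unescape(s) for s in TJ_RE.findall(stream))
    return found


def redaction_leaks(pdf: bytes, secret: str) -> bool:
    """True if the supposedly redacted string is still recoverable from the file."""
    return any(secret in s for s in extract_text(pdf))


if __name__ == "__main__":
    for name, pdf in (("black_box_only", fake_redacted_pdf()), ("text_removed", properly_redacted_pdf())):
        with open(name + ".pdf", "wb") as fh:  # open both in a viewer: they look identical
            fh.write(pdf)
        print(f"{name}: secret recoverable = {redaction_leaks(pdf, SECRET)}")
```

Both files render the same black bar, but only the first still contains the name. Real documents are harder to check than this: content streams are normally Flate-compressed (decompress with zlib before scanning), the TJ operator carries arrays of strings, and text can also survive in annotations, form fields, bookmarks, XMP metadata and the earlier revisions that incremental saves leave in the file. A redaction tool has to rewrite all of those, not just the page image.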
Such cases of confidential data leakage are not uncommon. Besides the possibility of
uncovering blacked-out text, many documents carry "metadata": embedded information such
as the document's author and company. Users of Microsoft Corp.'s Word, for example,
routinely send files that still hold previous drafts (tracked changes, comments and
the remnants of earlier saves), all revealed with a few clicks.
Users should realize that e-mailing sensitive electronic documents, or placing them on
a web site, without first removing this hidden content is always a bad idea.
Generally, before documents are released electronically, they have to be scrubbed
with appropriate tools or procedures.
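The Word problem generalizes to any container format that keeps editing history alongside the visible text. The added example below (written for this page, not taken from the newsletter or from any Microsoft tool) uses the modern Office Open XML (.docx) package rather than the binary .doc of 2005: a .docx is a zip archive, so its core properties and tracked changes can be inspected and scrubbed with the standard library. The sample paragraph, the author names and the revision count are constructed for the demonstration, and the package is reduced to the two parts the code reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
W = "{%s}" % NS["w"]

# Constructed sample package: one paragraph edited with Track Changes on, plus the core
# properties Word fills in. Real files carry many more parts; these two suffice here.
DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
<w:r><w:t xml:space="preserve">Projected cost: </w:t></w:r>
<w:del w:id="1" w:author="J. Doe" w:date="2005-06-01T09:00:00Z"><w:r><w:delText>2.1 million</w:delText></w:r></w:del>
<w:ins w:id="2" w:author="J. Doe" w:date="2005-06-01T09:00:00Z"><w:r><w:t>1.4 million</w:t></w:r></w:ins>
</w:p></w:body></w:document>"""
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Cost estimate</dc:title><dc:creator>J. Doe</dc:creator>
<cp:lastModifiedBy>Legal Dept</cp:lastModifiedBy><cp:revision>17</cp:revision>
<dcterms:modified xsi:type="dcterms:W3CDTF">2005-06-01T09:00:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_docx(document_xml: bytes, core_xml: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def _parts(data: bytes):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return ET.fromstring(z.read("word/document.xml")), ET.fromstring(z.read("docProps/core.xml"))


def inspect_docx(data: bytes) -> dict:
    """What a recipient can dig out with a few clicks: author, last editor, revision
    count, who made tracked edits, and the text those edits deleted from view."""
    doc, core = _parts(data)

    def prop(path):
        el = core.find(path, NS)
        return el.text if el is not None else None

    tracked = [el for el in doc.iter() if el.tag in (W + "ins", W + "del")]
    return {
        "creator": prop("dc:creator"),
        "last_modified_by": prop("cp:lastModifiedBy"),
        "revision": prop("cp:revision"),
        "change_authors": sorted({el.get(W + "author") for el in tracked}),
        "deleted_text": ["".join(t.text or "" for t in d.iter(W + "delText")) for d in doc.iter(W + "del")],
    }


def visible_text(data: bytes) -> str:
    """The text a reader sees on screen with changes hidden: w:t runs only."""
    doc, _ = _parts(data)
    return "".join(t.text or "" for t in doc.iter(W + "t"))


def scrub_docx(data: bytes) -> bytes:
    """Accept all tracked changes (drop w:del, unwrap w:ins), strip identifying core
    properties and repack. A real scrubber must also handle comments, custom
    properties, embedded objects and the document's other parts."""
    doc, core = _parts(data)
    parents = {child: parent for parent in doc.iter() for child in parent}
    for el in list(doc.iter(W + "del")):
        parents[el].remove(el)
    for el in list(doc.iter(W + "ins")):
        parent = parents[el]
        at = list(parent).index(el)
        parent.remove(el)
        for offset, child in enumerate(list(el)):
            parent.insert(at + offset, child)
    for path in ("dc:creator", "cp:lastModifiedBy", "cp:revision"):
        el = core.find(path, NS)
        if el is not None:
            core.remove(el)
    return build_docx(ET.tostring(doc, xml_declaration=True, encoding="UTF-8"),
                      ET.tostring(core, xml_declaration=True, encoding="UTF-8"))


if __name__ == "__main__":
    original = build_docx(DOCUMENT_XML, CORE_XML)
    print("before:", inspect_docx(original))
    print("after: ", inspect_docx(scrub_docx(original)))
```

The visible text is identical before and after, which is the point: the reader of the scrubbed copy sees "1.4 million", while the reader of the original can also see that it used to say "2.1 million", who changed it and when. Run the inspection on every document before it leaves the organization, and treat a non-empty `deleted_text` or an unexpected `change_authors` list as a release blocker.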
USB flash drives have become as common as CD burners in most organisations. However,
these drives can also be a tremendous source of data leakage for an organisation.
Users often store the information they need, such as passwords or other corporate
secrets, on these USB flash devices. Although confidential data can just as easily be
transferred to 3.5-inch floppy disks, writeable CDs, or any other removable media
allowed on the network, it is the small size and large capacity of USB devices that
pose such a great risk.
Because these devices are so small, they're an easy
target for thieves, and they're also easier for users to lose or misplace.
And that means that vital secrets can disappear before you know it.
While it may be tempting to ban the use of these devices altogether, that really
isn't necessary. These common devices are extremely useful, and it is perfectly fine to
allow them on your network. However, to better protect corporate data, you have to add
a layer of security around the information these handy devices can store.
For example, you can configure the Windows Encrypting File System (EFS) to encrypt
user data on the fly. This works extremely well for laptops that travel outside your
company walls. Note the limits, though: EFS works only on NTFS volumes, most flash
drives are FAT-formatted, and a file that a user copies from an EFS-protected folder
onto such a drive is written out in the clear. Protecting the drive itself requires a
tool that encrypts the removable volume as a whole.
There is still room
for improvement when it comes to IT security staff training. Education of
information security staff is paramount in improving security management.
Education has to be directed to IT security staff so
they can more effectively manage the technology already in place. The view
within enterprises is that more dollars will solve security problems, but it
is really about implementing and maintaining the right policies.
Putting the value of products before people and procedure has created a dangerous
environment. Policies need to be embraced as one of the four 'P's': people, policy,
process and, last of all, products.
IT education is about ensuring a security policy is delivered and clearly understood,
rather than tutoring people on how to use particular products.
For example, a company needs a unified policy regarding sensitive information and
protected files. People within the organization have to realize that this type of data
should exist in a single, controlled copy, and that it must not be transferred out of
the corporate network.
Write down your passwords: It's better than using the same one for all...
Companies should not ban employees from writing down their passwords, because doing so
forces users to use the same weak term on many systems. A senior programme manager for
security policy at Microsoft said the security industry had been giving out the wrong
advice to users by telling them not to write down their passwords: "I claim that
password policy should say you should write down your password. I have 68 different
passwords. If I am not allowed to write any of them down, guess what I am going to do?
I am going to use the same password on every one of them," he said.
Storing all personal passwords in an encrypted file may be a solution for IT
administrators, who then need to remember only one strong master password. It may not
work as well for ordinary users, who risk forgetting the password that decrypts the
file and with it losing access to every password inside.
This newsletter comes out every three weeks, and we are happy that you read it and
find it useful. If you think that others, for instance your friends or colleagues,
can benefit from it, then please share the subscription URL with them:
http://www.aks-labs.com/php/public_html/lists/?p=subscribe&id=1
Protected Common Information:
free, fully functional 30-day trial: http://findprotected.com/download.htm
question to support: http://findprotected.com/support.htm