encryption

Why security needs more 'Joe's' and fewer geeks

Judi Hasson — Tue, 28 Oct 2008 21:36:33 -0400

When it comes to security, having too many IT geeks may not be a good thing, according to the 2008 Global State of Security Survey. CSO and PricewaterhouseCoopers recently released the survey of 7,097 business and technology executives that found that security has improved significantly in some areas. But it also found that too many enterprises continue to view security as a task best left to the IT shop. Companies may be focused on putting out fires and stewing over network logs, rather than big-picture strategies and better awareness among the larger workforce.

"When we compared last year's survey results to this year's results, we found that the people and priorities part of security still isn't growing as much as tech spending," said Bob Bragdon, publisher of CSO. "If you don't focus on people and process, you're not going to get the full value out of your technology."

The survey did have some positive findings, however. It showed that companies are buying and applying such technological tools as software for intrusion detection, encryption and identity management at record levels.

For more on security trends:
- check out this CSOonline.com article

IT disasters to avoid

Judi Hasson — Wed, 17 Sep 2008 21:34:58 -0400

There's always the potential for big IT mistakes that can cause cost overruns, missed deadlines and sometimes even lost jobs. But there are plenty of ways to be forewarned and take action to prevent the worst from engulfing your world. CIO.com this week lists 20 mistakes that IT managers can avoid. Some of them you know well, but there are plenty of new ones to deal with. They include the need for a consistently enforced password policy, mismanaging your data center, and losing control over critical IT assets, not to mention ignoring the human element of security.

It's always a good idea to take out your checklist and check on these items twice. Meanwhile, make sure that all your systems are up and operating and are never neglected.

For more on avoiding IT disasters:
- see this CIO.com article

Spending doesn't guarantee data security

Judi Hasson — Tue, 08 Jul 2008 22:34:07 -0400

InformationWeek recently polled 1,100 IT and business professionals about their plans for security and found that they believe their data is safer, even with budgets holding steady or increasing. Sixty-six percent of respondents said their vulnerability to breaches and malicious code attacks was either the same as last year, or even worse.

If money is not the issue, what gives? One answer is the need to focus risk management processes, carefully evaluating threats and placing the resources where the needs are the greatest. The survey found only about half of the respondents actually had risk management plans, and only 22 percent paid attention to such issues as code security. The survey also found companies behind in implementing encryption to protect customer and employee data.

All the while, viruses, phishing attacks, and worms continue to cause major headaches. What's the problem? Complexity was cited as the biggest security challenge by 62 percent of respondents. "More data is ending up on the network. More agents are running on company computers, and employees expect some control over the PCs they use,'' the article stated.

For more:
- check out this InformationWeek.com article

Kingston's BlackBox is Fed. certified

Mehan Jayasuriya — Fri, 18 Apr 2008 12:22:03 -0400

When it comes to security, few organizations are more stringent than federal governments. Which is why a federal seal of approval is never a bad thing to have on a storage device. Say hello to Kingston's latest DataTraveler flash drive: the BlackBox. Not only is this little guy waterproof, it also meets the Federal Information Processing Standard (FIPS) set by the National Institute of Standards and Technology and the Communications Security Establishment of the Government of Canada. What does that mean? It means that the pint-sized device sports "256-bit hardware-based AES encryption via a dedicated processor which automatically encrypts and decrypts data on the fly" and will automatically lock down if an incorrect password is entered 10 consecutive times. Not too shabby, eh? Available now in sizes ranging from 2GB to 8GB and starting at $165.

For more on the Blackbox:
- see this Engadget article

Mifare Classic RFID successfully hacked

Fri, 14 Mar 2008 07:59:58 -0400

Two groups of researchers have independently cracked the Mifare Classic RFID chip's algorithm, prompting the Dutch government to issue a public warning. The matter is serious, as besides being heavily used in access cards worldwide, the Mifare Classic RFID technology also is employed by transit operators in various locations such as London, Boston and the Netherlands. In fact, some reports note that as many as one billion actively used access cards worldwide could be affected. The irony of the matter is that NXP Semiconductors have been quick to announce a new, "more secure" version of the chip called Mifare Plus. Mifare Plus leverages on 128-bit encryption, instead of the 48-bit encryption used by the Mifare Classic. However, it won't be cheap to upgrade, as new RFID readers will need to be installed to utilize the more advanced encryption. The question here is: Does it always take a demonstrated hack before a company will get its security act together?

For more on the Mifare Classic RFID hack:
- check out The Tech Herld article

For the truly paranoid: RFID-protected storage

Tue, 15 Jan 2008 06:59:57 -0500

How secure is your physical storage? If your answer was "not secure enough," you might want to check out the E08 2.5" hard drive enclosure from Systen. The drive uses an RFID keychain to ensure that no one, other than the holder of the keychain, can get at the data inside. If you've got the RFID key in hand, the portable drive disarms its on-board encryption and lets you at the data. And if you don't have the key? Why, the drive appears to be blank and ready for formatting. It's a pretty ingenious idea and I wouldn't be surprised to see it popping up in enterprise-class products in the near future. In the meantime, you can import this bad boy from Hong Kong for only $56.

For more on the RFID-equipped drive enclosure:
- see this Gizmodo article

Vista SP1 RC1 released to testers

Fri, 16 Nov 2007 06:59:58 -0500

Good news for everyone who's waiting with baited breath for the release of Windows Vista Service Pack 1: Microsoft released the first release candidate of SP1 to beta testers today, which means that a final release can't be that far off. As you might recall, Vista SP1 is set to deliver a whole slew of improvements to Microsoft's latest OS, including a speed boost, increased third-party application compatibility, more drivers, better encryption and improved battery life for laptops. The company has previously stated that the service pack will be available in early 2007 and as far as we can tell, they should have no problem making it happen.

For more on Vista SP1 RC1:
- see this Daily Tech article

Protect your networks

Mon, 15 Oct 2007 06:59:58 -0400

You've likely heard about honey pots, fake sites that can lure the bad guys to the wrong place. There are other ways to test your site to make sure the door is bolted to keep intruders out. You can put messages in the mail stream in real time, to see how your security responds to spam and viruses, for example, before committing to any one messaging-security gateway.

The bottom line for all CIOs investing in anti-spam software is to see how the mail comes in from the spammers and to extract specific information about how they get in and how to respond to the attack. If you are using security settings, such as encryption requirements, you will need to put that device in its final position to test its accuracy. One suggestion: keep your old messaging-security gateway inside of the new test system. And be sure to keep the old system until you are certain that the new one works.

For more on protecting your network:
- see NetworkWorld article

Vista SP1 beta gets reviewed

Mon, 08 Oct 2007 06:59:59 -0400

As we inch ever closer to the release of Vista Service Pack 1, more and more information is starting to make its way to the general public. Now, PC Magazine has gotten their hands on a private beta version of SP1 and judging by their in-depth review, the update looks to be solid, if not quite as monumental as Windows XP SP2. "The latest iteration of the SP1 beta, which is closed to the public, reveals a useful set of OS updates, but one that's not as critical as SP2 was for XP," PC Magazine writes. "SP1 speeds up a few operations and enhances third-party program compatibility, but it changes little you'll notice in your day-to-day experience." Still, the reviewer found that in addition to an overall boost in speed, SP1 brought a few other wanted features to Vista, like more drivers, improved encryption and speed boosts inside demanding applications.

For more on the beta:
- check out this review from PC Magazine

Un-integrated security can be dangerous

Wed, 18 Jul 2007 20:01:38 -0400

Perhaps the only thing that enterprises find more threatening than security vulnerabilities are the potential penalties for falling out of compliance. There is a consensus emerging that these two corporate pitfalls should not be viewed in a vacuum and that companies should integrate encryption, access control, and auditing functions. According to Wikibon, a newly formed community of experts that offers free research and advisory services on storage issues, companies need to integrate compliance requirements with life cycle management. David Floyer, a former IDC analyst and one of the founders of Wikibon believes that encryption is one way to secure data when it comes to storage, but that's only part of the solution. It's not feasible to encrypt all of the data in a data center, since the volumes of data are typically too large and there are too many servers accessing data, among other factors. It does, however, make sense to encrypt data where there's a regulatory requirement, such as personal records. Encryption also makes sense when transporting data over a network or physically by tape.

For more on the intersection between security and compliance:
- see this InformationWeek article