Security

HP accused of crippling its own BIOS password security

Paul Mah — Tue, 03 Jun 2008 06:22:56 -0400

HP has come under fire from UK-based security company SecureTest for effectively crippling the BIOS password security measure for its laptops by publishing reset data on its website. This comes against a backdrop of an increasing number of security breaches stemming from stolen laptops. Unlike desktop BIOS reset procedures that involve the shorting together of (guessable) jumpers on the motherboard, laptop BIOS resets typically involve calling up your vendor and enduring a challenge-response, or perhaps even a visit to a dealer. While relying on BIOS security is hardly absolute, the argument is that it does form one layer of an in-depth defense paradigm. Not everyone agrees though, with some putting BIOS passwords down as a "redundant" option. HP, so far, remains silent on the matter.

For more on HP's BIOS password security:
- check out this Channel Register article

Feds encrypt 800,000 government laptops, 1.2 million more to go

Paul Mah — Fri, 23 May 2008 05:50:06 -0400

Government agencies in the United States are scrambling to plug a glaring security hole in the form of sensitive information stored on laptops and portable media such as thumb drives. More than 800,000 licenses for encryption software were purchased by agencies last year alone. Still, the brisk upswing came only after repeated headliners of gross security breaches and against a backdrop of increased risk of identity theft.

Various software from up to 10 leading vendors are available under steep discounts under the DAR (Data at Rest) Encryption program--run jointly by the General Services Administration and the Department of Defense--though the most popular products are hybrid packages that offer both full disk and file folder encryption.

For more on the DAR Encryption program:
- check out this Network World article

ExpressCard device locks down laptops

Mehan Jayasuriya — Fri, 25 Apr 2008 11:52:19 -0400

Here's a novel idea: why not route all of your network traffic through a second computer before it gets to your primary machine, thereby protecting your beloved desktop from all of the nastiness that lives online? Well, because running a separate PC just to handle security would be cumbersome and anything but energy efficient. And that's completely overlooking the fact that many professionals now use laptops as their primary machine. Yoggie Security Systems, however, cooked up a creative solution to these problems: they've created a miniature computer that plugs into your laptop via its ExpressCard slot. Once there, the Linux-based Gatekeeper Card Pro acts a a go-between between your Windows PC and the network, intercepting and analyzing "all traffic, acting as the first line of defense against all incoming hazards, including crud that's embedded in email or trying to hit your system via a Web page or Web-based download." The company claims that this method keeps your PC secure while allowing it to perform at its absolute best, free from the burden of running security apps in the background. The Gatekeeper Card Pro will be available soon for $199.

For more on the Gatekeeper Card Pro:
- see this PC World article

Security clearance gets you a bigger paycheck

Thu, 17 Apr 2008 06:59:58 -0400

A security clearance for your IT job has many benefits. The biggest one is pay. If you have a government-issued clearance, you are likely to earn nearly $20,000 more a year, according to a recent survey by ClearanceJobs.com, a company that matches job applicants with security clearances to federal jobs needing workers who hold clearances. Even if your job doesn't require a security clearance, it is always a good thing to have even though you have to constantly keep it updated and valid. So the next time you are thinking about your paycheck, think a little bit more about a security clearance. You may not be able to get one if you don't work for the federal government, but if you have one in your back pocket, don't forget to let your boss know about it.

For more on the benefits of a security clearance:
- Check out this CSO article

For more stories from the FierceCIO network:
> U.S. to notify H-1B lottery winners. Article
> Dell refreshes Vostro laptops. Article
> Windows XP SP3: April 29th? Article

Data security bill gains traction

Thu, 21 Feb 2008 06:59:59 -0500

Congress is currently grappling with legislation to fight cybercrime and to improve government information security compliance. The measure is likely to have an impact on the private sector, too. The proposal would update the Federal Information Security Management Act, which sets up requirements for securing personal or sensitive data.

The bill includes a broader definition of "personally identifiable information" and strengthens reporting and auditing requirements. It also calls for privacy impact assessments for agency purchases of lists containing potentially sensitive information from commercial data brokers.

The legislation is controversial, and faces some serious opposition. Karen Evans, administrator of eGovernment at the Office of Management and Budget, told a Congressional committee in written testimony that the bill could "seriously impact established agency security and privacy practices while not necessarily achieving the outcomes of improved privacy or security."

Cyber Security Industry Alliance President Tim Bennett said that OMB guidance has been "uneven" and too focused on compliance with memorandum and circulars. A similar bill already passed by the Senate would give federal prosecutors tools to fight identity theft and cybercrime. "The bad guys are moving quicker and getting more sophisticated every day and we don't have time to lose," Bennett said.

For more on this security bill:
- See this GovernmentExecutive article

Protect desktop data, too

Mon, 11 Feb 2008 06:59:58 -0500

You've got your systems secured, or so you think. You have the best anti-hacking software available to keep the bad guys out, that much is for sure. And yet, like many CIOs, you haven't taken the steps to protect data on desktops, laptops and other portable storage devices.

The number of incidents involving these kinds of devices is growing. Two recent examples include Horizon Blue Cross Blue Shield of New Jersey and Georgetown University. Both faced data compromises that could have been avoided. If you are thinking about saving a few dollars by shaving down the security budget, think again. If you think it's unlikely this could happen on your watch, study these recent thefts.

Horizon notified about 300,000 members of the potential compromise of their personal information following the theft of a laptop containing the data on Jan 5th. Although a security feature on the stolen laptop deleted all of the confidential information on Jan. 23rd, it's unclear whether the thief accessed the data before then. The data on the laptop was not encrypted, but it was password-protected. That sounds like a job half done.

Meanwhile, the CIO at Georgetown University faced a different headache when a computer disk was stolen from a locked room. The disk contained Social Security numbers and other identifiable data for 38,000 current and former students. Ignorance is not bliss for the CIO and other IT executives. A theft is a theft by any terms. And letting your guard down may just be showing criminals the door to get in.

For more on securing it all:
- See this ComputerWorld article

Also check out these technology stories from the FierceCIO network:
> What happened with the Asian Internet outage? Article
> Get ready for February Patch Tuesday. Article
> The made-to-order smartphone. Article

Security is a business decision

Thu, 24 Jan 2008 06:59:58 -0500

It's time to stand up tall and look the threat of security violations straight in the eye. It's also time to recognize that it will cost you eight percent of your IT budget to insulate your system from hack attacks. Get used to it now because failing to do so could cost you much more later. "Security can be a valued business component. It can help the business grow, and it can become a competitive edge," said Roland Cloutier, chief security officer of EMC's global security organization. Rather than defining security in terms of defending software systems, think of it as protecting the business, he says.

Not only that, it is a business issue, not an IT one, and it is essential that every part of your team is on board with your plan. One size never fits all, according to Cloutier, who spoke recently at the Center for Information Management Studies at Babson College in Wellesley, Mass. Just remember, 65 percent of all terrorist attacks are targeted at business, not government. And more importantly, there is plenty to lose if a business database is hacked successfully. Two-thirds of these attacks come from inside a company.

That's why protecting the perimeter of your system is not enough, according to Scott Matsumoto, principal consultant at Citigal, a consulting firm in Dulles, Va. "Software security is not security software," he said. And Cloutier advised that CIOs will never be able to sell security as a company asset to the CEO unless they think like a CEO. That means emphasizing the importance of protecting the supply chain and the company's intellectual property. In addition, he advises that security be sold as a service, with the business units taking responsibility for the level of risk they're willing to tolerate.

For more on how IT security pays off:
- Check out this SearchCIO article

Tips for avoiding Web hacks

Mon, 08 Oct 2007 06:59:58 -0400

Over the past 18 months or so, websites have replaced email as the main source of risk for being attacked by a hacker. Websites are rich targets for bad guys because most organizations have taken significant steps to "harden" only internal applications. Very little thought, however, is being put into web-development initiatives from a security standpoint while these apps are being built. Security is typically an afterthought that is bolted on after the Web application has been built. The biggest problem is designers aren't building walls within Web applications to partition and validate data moving between parts of the system. Khalid Kark, senior analyst at Forrester, tells InfoWorld, that as a result, most websites can be easily hacked. It is an issue that is being taken on at the Open Web Application Security Project (OWASP). The organization has released a report entitled "The Ten Most Critical Web Application Security Vulnerabilities."

Read about their findings:
- in the article in Infoworld

Bluetooth security still a challenge

Mon, 24 Sep 2007 06:59:58 -0400

Bluetooth offers a tremendous opportunity for mobile users, but Ooi Szu-Khiam, senior security consultant at Symantec, says that security is still a big issue. Indeed, research firm InsightExpress revealed that 73 percent of mobile device users are not aware of security issues that could put mobile devices such as cell phones and Bluetooth-equipped notebooks at risk. "There are many other methods that (launch) a variety of denial-of-service attacks, and even some that could allow an attack to eavesdrop on private conversations," Szu-Khiam told Cnet. He also noted that "numerous instances of mobile viruses, worms and Trojan horses" have occurred in the last year. Some of the terms used to describe these security vulnerabilities: bluejacking, bluespamming and bluebugging.

For more information on Bluetooth security:
- see the article in Cnet

Un-integrated security can be dangerous

Wed, 18 Jul 2007 20:01:38 -0400

Perhaps the only thing that enterprises find more threatening than security vulnerabilities are the potential penalties for falling out of compliance. There is a consensus emerging that these two corporate pitfalls should not be viewed in a vacuum and that companies should integrate encryption, access control, and auditing functions. According to Wikibon, a newly formed community of experts that offers free research and advisory services on storage issues, companies need to integrate compliance requirements with life cycle management. David Floyer, a former IDC analyst and one of the founders of Wikibon believes that encryption is one way to secure data when it comes to storage, but that's only part of the solution. It's not feasible to encrypt all of the data in a data center, since the volumes of data are typically too large and there are too many servers accessing data, among other factors. It does, however, make sense to encrypt data where there's a regulatory requirement, such as personal records. Encryption also makes sense when transporting data over a network or physically by tape.

For more on the intersection between security and compliance:
- see this InformationWeek article