firewalls

A new technique to assess network security

Judi Hasson — Sun, 27 Jul 2008 11:39:41 -0400

Researchers at the National Institute of Standards and Technology have figured out a new way to help IT administrators assess security risks using attack graphs and the National Vulnerability Database.

"We analyze all of the paths that system attackers could penetrate through a network and assign a risk to each component of the system," computer scientists Anoop Singhal said. "Decision makers can use our assigned probabilities to make wise decisions and investments to safeguard their network."

NIST notes that a hacker can take a number of routes through the network to find confidential data once inside the firewalls. The new technique evaluates each route and assigns a risk based on the level of difficulty for the hacker. Using an attack graph analysis, three potential attack paths are determined, and an attack probability is assigned for each path.

For more:
- see this eWeek.com article

Endpoints face security weaknesses

Judi Hasson — Tue, 24 Jun 2008 17:14:25 -0400

IT security and control product vendor Sophos said its own research suggests that corporate networks are not as secure as some CIO's believe. In a survey, Sophos found that 81 percent of corporate endpoints surveyed failed basic security tests, meaning they lacked Microsoft security patches, had disabled firewalls, or did not have security software updates. The tests were conducted on 583 corporate networks in the United States, the U.K., Australia and Germany, and involved companies ranging in size from fewer than 100 employees to organizations with more than 1,000 people.

To read more:
- check out this CIO.com article

USA Today: Personal data theft triples

Thu, 13 Dec 2007 06:59:59 -0500

The theft of personal data has tripled, according to a new piece by USA Today. More than 162 million records were reported stolen or lost in 2007, triple the 49.7 million that went missing in 2006. And to make the loss even more painful, there have only been prosecutions in 19 cases. So what is a CIO to do? Work harder. Find more secure ways of protecting your data and test new tools that provide impenetrable firewalls for hackers.

As they "cram more and more data into a single place," companies and agencies present thieves with more opportunities for a big score, says Benjamin Jun, vice president of technology at Cryptography Research. Attrition.org keeps track of incidents, mostly in the United States. Many are made public as a result of new data-loss-disclosure laws. Of more than 300 cases tracked in 2007, 261 were reported in the USA, 16 in Great Britain, 15 in Canada, six in Japan, two in Australia, and one each in Denmark, Ireland, Sweden and Norway. Sometimes, but not always, employees are responsible for these data thefts with their own thoughtlessness. Nearly two-thirds of those surveyed by security firm RSA, said they email work home to continue the job at night. And 35 percent said they felt compelled to bend company security rules to get the job done. While the CIO's may not see their role as a security guard, in a way they are. And the sooner they realize they have an added responsibility to protect what they have in-house, the more successful they will be.

For more on the growth of data theft:
- See this USA Today Article

How one CIO manages change

Mon, 03 Dec 2007 06:59:57 -0500

Every CIO wants to save money, and that has given a big boost to outsourcing. Craig Lee, CIO of Honolulu-based American Savings Bank, outsourced key banking applications at his facility, which has $6.7 billion in assets. His biggest problem was finding a way to cut costs in a location that is bounded by water and not growing. And his answer was outsourcing key banking applications. It was a tough challenge for a bank which was moving from a savings and loan institution to a full-service commercial bank with 65 branches. Lee became the CIO at the institution in 2001. And what he found was a decentralized IT operation. "Some of the controls you'd expect weren't there. We needed firewalls and new technology like email to bring us into the 21st century." Read Lee's interview for insights on how one CIO is managing change.

Fore more on bringing an operation into the 21st century:
- See this SearchCIO.com Article

CIOs seek out NAC on the net

Thu, 16 Aug 2007 06:59:58 -0400

One of the more interesting high-wire acts in the enterprise IT space is how CIOs manage the tension between opening their networks to mobile workers, customers, partners and suppliers, and securing the integrity of their information resources. Network access control, or NAC, is emerging as an interesting topic of discussion in IT, because of its promise of introducing some measure of order in the chaos that is the extended enterprise. NAC is the process whereby devices are checked for security risks prior to admission onto a network. A survey conducted by ComputerWorld shows that there is still a gap between discussion and implementation of this technology. Only about 14 percent of respondents said that they apply endpoint checks for application and operating system patching; the presence of firewalls or anti-virus or anti-spyware tools; USB-attached devices; and password strength. Cost and complexity account for most of the gap between the level of checking desired and the level of checking actually implemented.

For more on the NAC report:
- read the article in Computerworld

From IT security to business risk

Sun, 15 Apr 2007 20:01:36 -0400

Instead of focusing on IT security, focus on business risk. We have been trained over time to associate IT security with certain actions--protecting the perimeter of the data center, for example--and certain products--intrusion detection, encryption, firewalls, anti-virus software, etc.--that are all merely tactical and do not address any of the real strategic issues in protecting people and organizations from threats. By limiting our scope to IT security rather than risk, we ensure that the emphasis remains tactical rather than strategic. Thinking about risk prompts us to think larger: Who has the best shot at mitigating the router risk? Who is best qualified to shoulder the responsibility for owning the risk? The risk was, and is, in the data.

Read more about IT security and business risk:
- read the blog at CIO

Recruiting networking talent

Sun, 08 Apr 2007 20:01:36 -0400

It's difficult enough to find qualified IT professionals as it is, but when you throw networking expertise into the equation, it just gets that much tougher. The most in-demand skills include TCP/IP, wireless, WAN, routers, network engineering, firewalls and VoIP. Well-qualified network professionals can pretty much name their own terms, and companies looking for talent must be resourceful and flexible. To attract top networking talent, offer competitive and fair market salaries and comprehensive benefits packages that illustrate how your company values its IT employees. In addition, supporting continued training and certification to keep technology employees' skills current can attract networking professionals.

Read more about recruiting networking professionals:
- read the article at ComputerWorld

Security focus shifting away from perimeter defense

Sun, 11 Feb 2007 19:01:39 -0500

With more companies doing business with each other over the Internet, the old 'castle and moat' strategy of perimeter security is becoming increasingly useless. Constant collaboration with business partners has companies poking more and more holes in their firewalls, creating a need for a new approach to data security. As perimeters dwindle away, it would be helpful to focus on developing ways to authenticate and authorize users on your network and monitor all their activities to watch out for malcontents.

For more on this:
- read this article from ComputerWorld

Taking a proactive approach to IT support

Tue, 30 Jan 2007 19:01:38 -0500

Although there are times when it's tempting to react to IT problems as they are encountered, it's much more productive to treat them pro-actively whenever possible. That means everything from the simplest installing of antivirus software on every computer in the organization to failsafe backups. Other proactive measures include downloading and installing all critical updates and locking down your systems via firewalls and setting up comprehensive intrusion detection systems.

Learn more about acting pro-actively:
- read the blog at Computerworld