Posts

Showing posts from August, 2016

Security Basics: Know What's on Your Network

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here. The most basic of basic security principles is that you must know what you are defending in order to defend it. It sounds obvious at first blush, but it is an oft-neglected step in securing your network, your systems, and your information. Getting a handle on what devices are present on your network is essential to a proper security program. One of the notes in the Office of Personnel Management (OPM) Inspector General's report on their systems security in November 2014 (just before they suffered a massive breach) was that the office did not "maintain a comprehensive inventory of servers, databases, and network devices." [1] This shortcoming clearly underlies many of the other shortcomings there, including the failure to conduct comprehensive vulnerability scans -- you can't be sure if you're scanning

Password Managers

Let us discuss the importance of using strong, complex passwords, and being diligent to use different passwords for everything. Most of us can agree that is good advice, but many of us don't follow it. The reason is simple: it is too hard to remember all those passwords! I understand completely; I personally have about 300 passwords right now! The old wisdom was to never write down your passwords and never record them ANYWHERE. However, the big threat to your data today is not someone who finds your password hidden under your keyboard, but someone on the other side of the world cracking or guessing your password. So to make complex and unique passwords possible, many security professionals recommend the use of a "password manager" software or service. Password managers are apps used to safely store ALL of your passwords and keep them safely encrypted in one place. Most are offered by providers who will store the data in the cloud so that you can sync it to all your

Rethinking Password Policies

Passwords are perhaps the oldest and best-known security technologies in use today, as well as perhaps the most hated and despised. Security professionals dislike passwords because they often provide woefully inadequate security, and users hate them because they are hard to remember and manage. Security policy requirements often exacerbate this situation by imposing arcane requirements for password "complexity" and by requiring users to change passwords frequently (just when they are really, solidly stuck in our memory). The latest publication from the National Institute of Standards and Technology (NIST) on the topic of authenticators (NIST Special Publication 800-63B) advances some exciting ideas that run counter to the typical ideas about how passwords should be chosen and managed: Systems should give users a minimum of ten attempts at entering their password. Users should be encouraged to make their passwords long, and the length of passwords should not be limited t

Travel Security

Keeping your computer and information secure is challenging all the time, but it is especially challenging when you are on the go. Both your device(s) and data can be at risk, and some of the protections you may be used to having on your corporate and/or home networks are not present. Extra vigilance is warranted in such situations. Whether you're traveling out of town or just working at a table in the Starbucks down the street, here are a few things to keep in mind to keep secure while traveling: Avoid Wi-Fi hotspots in cafes, hotels, restaurants, etc., especially “open” hotspots (which most publicly accessible ones are). iPhones have a built-in capability to connect to a VPN, so this is a way of more safely using open Wi-Fi. A wired connection in your hotel is better than Wi-Fi — less subject to monitoring. When you work over non-secure networks (and any network you don’t control should be treated as such), a good practice is to work over a VPN connection or other remot

Two-Factor Authentication

Many organizations now use multi-factor security for user authentication, especially in higher-risk cases (e.g., admin users, remote access). Many popular consumer-oriented services offer this as a feature as well. If your Gmail, Apple, Microsoft, Facebook, Twitter, Yahoo, or other account doesn't currently require a two-factor or two-step login, it is easy to enable. If your bank or other online financial service doesn't offer this feature, tell them you want it or move to one that does. Here are two great sites with a list of services that support two-factor authentication and links to set it up: https://twofactorauth.org/ and http://www.pcmag.com/article2/0,2817,2456400,00.asp. Most two-factor authentication schemes can work from an app or a text message on your smartphone. It can take a bit of learning at first, but for most users it quickly becomes routine and trouble-free.

Internet-connected “Things”

The phrase “the Internet of Things” (IoT) has gained currency over the past several years as more devices aside from traditional computing devices are being connected to the Internet. The term was coined in a 1999 presentation on the use of radio-frequency ID (RFID) chips to track items in the manufacturing and delivery process. Since then it has become a major issue in technology circles and a subject of much concern regarding the security implications of such Internet-connected "things." Many appliances and other devices are connected to the Internet now, primarily in order to provide for remote control and/or monitoring. Common examples include security cameras, thermostats, door locks, automobile systems, medical devices, and home lighting control systems (indeed, whole-house control systems). The Nest thermostat (and later smoke detector and cameras) was perhaps the first highly visible and widely known Internet-connected “thing,” and its popularity helped bring th

End-of-Life & Exposed

"Patch your systems in a timely manner" is a mantra of security experts, but what happens when patches are not available because a product's maker no longer supports it? With 30 to 50 percent of the hardware and software assets in the average large enterprise at end-of-life, these products pose a serious security risk to the enterprise. More than 99 percent of vulnerabilities exploit out-of-date software with known vulnerabilities, http://www.technewsworld.com/story/83764.html