<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BestInternetSecurity.net &#187; Security Management</title>
	<atom:link href="http://www.bestinternetsecurity.net/category/security-management/feed" rel="self" type="application/rss+xml" />
	<link>http://www.bestinternetsecurity.net</link>
	<description>Information Security Resources</description>
	<lastBuildDate>Fri, 10 Jul 2009 02:27:12 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>How do companies implement a strategic information security program?</title>
		<link>http://www.bestinternetsecurity.net/387/how-do-companies-implement-a-strategic-information-security-program.html</link>
		<comments>http://www.bestinternetsecurity.net/387/how-do-companies-implement-a-strategic-information-security-program.html#comments</comments>
		<pubDate>Fri, 08 May 2009 07:53:41 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[Information Security FAQ]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Business Investment]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Large Corporations]]></category>
		<category><![CDATA[Management Program]]></category>
		<category><![CDATA[Miserable Job]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=387</guid>
		<description><![CDATA[
seanbethune asked: In almost all cases, large corporations do a miserable job of implementing and maintaining an information security management program. How can information security justify the business investment to reduce risk and improve security across the enterprise while still maintaining business agility and minimal I.T. bureaucracy?
]]></description>
			<content:encoded><![CDATA[<div style="float:left; padding: 12px"><a href="/wp-content/uploads/2009/05/Information_Security7.jpg"><img src="/wp-content/uploads/2009/05/Information_Security7.jpg" title='' alt='' /></a></div>
<div><em><strong>seanbethune</strong> asked: </em><br/><br/>In almost all cases, large corporations do a miserable job of implementing and maintaining an information security management program. How can information security justify the business investment to reduce risk and improve security across the enterprise while still maintaining business agility and minimal I.T. bureaucracy?</div>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/387/how-do-companies-implement-a-strategic-information-security-program.html/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Survey reports increased IT data theft during times of recession</title>
		<link>http://www.bestinternetsecurity.net/355/it-data-theft-is-increasing-during-recession-period.html</link>
		<comments>http://www.bestinternetsecurity.net/355/it-data-theft-is-increasing-during-recession-period.html#comments</comments>
		<pubDate>Tue, 14 Apr 2009 14:27:11 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[Computer Forensic]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[Human Resources Security Issues]]></category>
		<category><![CDATA[incident management]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[IT Data Theft]]></category>
		<category><![CDATA[Security Threats]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=355</guid>
		<description><![CDATA[McAfee Inc. announced in their 2009 findings that the global recession is putting vital company information at greater risk than ever before. As the global recession continues, desperate job seekers are stealing valuable corporate data, which may be seen as desirable by potential future employers.

When times are difficult, employees that are laid off are more likely [...]]]></description>
			<content:encoded><![CDATA[<p>McAfee Inc. announced in their 2009 findings that the <strong>global recession is putting vital company information at greater risk</strong> than ever before. As the global recession continues<strong>, desperate job seekers are stealing valuable corporate data</strong>, which may be seen as desirable by potential future employers.</p>
<p>When times are difficult, <strong>employees that are laid off are more likely to steal valuable and sensitive company information</strong>, and even delete it. Even business partners who split during these tough times are likely to steal valuable company information and <strong>may even delete it as a form of sabotage</strong>.</p>
<p>While precautions can be taken to protect company data and prevent opportunistic theft and sabotage, sometimes <strong>valuable company information is stolen or deleted anyway</strong>.</p>
<p>In this time of looming economic recession, companies are advised to exercise immense caution when dismissing staff who have access to valuable company information. In McAfee’s 2009 findings, security experts warned that the global recession could place vital company information at greater risk than ever. Employees that are laid off are likely to steal valuable company information when given the opportunity, especially when it may help them secure positions with their future employers.</p>
<p>In the first such case brought before the courts of Singapore last year in 2008, seven ex-Citibank employees were sued for breaching client confidentiality when they moved over to UBS and<strong> took sensitive customer information with them</strong>. Eventually, the Singapore government charged the seven under its Computer Misuse and Banking Acts when an email containing the misappropriated personal data surfaced.</p>
<p>In an annual survey conducted at Infosecurity 2008, Europe’s largest IT security event, <strong>88% of IT administrators indicated that, if laid off tomorrow, they would steal valuable and sensitive company information</strong> including the CEO’s passwords, customer databases, R&amp;D plans, financial reports, and the company’s list of passwords that unlock access to most of the information on the company’s network.</p>
<p>“Companies in Singapore are still not aware that when employees are told to leave the company, they often still have access to valuable and sensitive information using their passwords. <strong>This means</strong> <strong>they have the opportunity to vindictively steal data for competitive gains or even maliciously delete data to wreak havoc on your operations</strong>”, says Felix Chang, managing director of Adroit Data Recovery Centre, a company that also specializes in computer forensics.</p>
<p>Dismissed employees are just one side of the story. During times of economic downturn, <strong>companies also have to contend with partners and directors who resign or leave due to differences or board conflicts</strong>. Such scenarios present the perfect opportunity for data theft and sabotage. The departing party could very well steal the entire customer database, or even delete entire blocks of data to wreak havoc as a parting gift. In this digital age, all it takes is one click of a button to destroy years of valuable information, as opposed to the classic method of manually burning papers and files.</p>
<p>With more instances of IT data theft, firms specializing in <strong>computer forensic services such as investigation of data theft and recovery of deleted data</strong> are in high demand. Companies such as Adroit Data Recovery Centre (ADRC) offer specialized techniques to uncover evidence related to data theft or intentional deletion of sensitive or confidential information.</p>
<p><strong>If data theft or malicious data deletion is suspected,</strong> companies are advised NOT to do anything to the suspected hardware, and to immediately contact a computer forensics specialist for assistance. Here are some golden rules that companies should observe:</p>
<p><strong>Do not power on the computer</strong></p>
<p>Powering on changes the last boot-up time, which may result in evidence loss. Moreover, many items in the cache may be eliminated.</p>
<p><strong>Do not modify files or even browse through them</strong></p>
<p>Although the action may seem harmless, you are actually changing the timestamps of the files as you browse through them, resulting in evidence loss.</p>
<p><strong>Contact a computer forensics specialist</strong></p>
<p>Without proper procedures, the evidence acquired may not be admissible in court. It is therefore important to ensure that the forensic investigation is carried out by forensic specialists with proper training and experience.</p>
<p>For more information on computer forensics services or to request for a free consultation, you may visit <a rel="nofollow" href="http://www.adrc.com/forensic_investigation.html" target="_blank">http://www.adrc.com/forensic_investigation.html</a></p>
<p><span style="font-size:90%; font-style:italic;">Article Source:<a title="Survey reports increased IT data theft during times of recession" href="http://www.articlesbase.com/computer-forensics-articles/survey-reports-increased-it-data-theft-during-times-of-recession-863232.html" target="_blank">http://www.articlesbase.com/computer-forensics-articles/survey-reports-increased-it-data-theft-during-times-of-recession-863232.html</a><br />
</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/355/it-data-theft-is-increasing-during-recession-period.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Deltaprima &#8211; Konsultan Manajemen Keamanan Informasi, It Security, Iso 27000 &#8211; Iso 27001 Consultant, Business Continuity, Bcp Drp, Disaster Recovery</title>
		<link>http://www.bestinternetsecurity.net/289/deltaprima-konsultan-manajemen-keamanan-informasi-it-security-iso-27000-iso-27001-consultant-business-continuity-bcp-drp-disaster-recovery.html</link>
		<comments>http://www.bestinternetsecurity.net/289/deltaprima-konsultan-manajemen-keamanan-informasi-it-security-iso-27000-iso-27001-consultant-business-continuity-bcp-drp-disaster-recovery.html#comments</comments>
		<pubDate>Wed, 25 Feb 2009 15:31:29 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[General Information Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO IEC 27001]]></category>
		<category><![CDATA[Security Standard]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/289</guid>
		<description><![CDATA[ISO IEC 27001 International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization&#8217;s overall business risks. It specifies requirements for the implementation of security controls customized to [...]]]></description>
			<content:encoded><![CDATA[<p>ISO IEC 27001 International Standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations). This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organization&#8217;s overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. The ISMS is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.</p>
<p><a rel="nofollow" href="http://www.deltaprima.net/home" target="_blank">Home</a></p>
<p>NOTE 1: References to &#8216;business&#8217; in this International Standard should be interpreted broadly to mean those activities that are core to the purposes for the organization&#8217;s existence.</p>
<p>NOTE 2: ISO/IEC 17799 provides implementation guidance that can be used when designing controls.</p>
<p>The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size and nature. Excluding any of the requirements specified in Clauses 4, 5, 6, 7, and 8 is not acceptable when an organization claims conformity to this International Standard.</p>
<p>Any exclusion of controls found to be necessary to satisfy the risk acceptance criteria needs to be justified and evidence needs to be provided that the associated risks have been accepted by accountable persons. Where any controls are excluded, claims of conformity to this International Standard are not acceptable unless such exclusions do not affect the organization&#8217;s ability, and/or responsibility, to provide information security that meets the security requirements determined by risk assessment and applicable legal or regulatory requirements.</p>
<p>NOTE: If an organization already has an operative business process management system (e.g. in relation with ISO 9001 or ISO 14001), it is preferable in most cases to satisfy the requirements of this International Standard within this existing management system.</p>
<p>Deltaprima provides everything you need in the way of consulting services for ISO 27000, 27001 and 27002: ISO 27001 consultant, IT security management consultant, ISMS consultant, information security management consultant, IT risk management, IT security consultant, IT security management consultant, ISO IT security consultant, ISO 17799 consultant, ISO 27000/27001 training, IT audit, IT BSC consultant, IT risk management, IT governance, IT scorecard, and ISO 27000/27001 certification audit.</p>
<p>Contact NOVI now &#8211; TEL. 021.7511984, 08161346764.</p>
<p><span style="font-size:90%; font-style:italic;">Article Source:<a title="Deltaprima - Konsultan Manajemen Keamanan Informasi, It Security, Iso 27000 - Iso 27001 Consultant, Business Continuity, Bcp Drp, Disaster Recovery" href="http://www.articlesbase.com/security-articles/deltaprima-konsultan-manajemen-keamanan-informasi-it-security-iso-27000-iso-27001-consultant-business-continuity-bcp-drp-disaster-recovery-787059.html" target="_blank">http://www.articlesbase.com/security-articles/deltaprima-konsultan-manajemen-keamanan-informasi-it-security-iso-27000-iso-27001-consultant-business-continuity-bcp-drp-disaster-recovery-787059.html</a><br />
</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/289/deltaprima-konsultan-manajemen-keamanan-informasi-it-security-iso-27000-iso-27001-consultant-business-continuity-bcp-drp-disaster-recovery.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Aligning Employee Attitudes with Security Policies</title>
		<link>http://www.bestinternetsecurity.net/286/aligning-employee-attitudes-with-security-policies.html</link>
		<comments>http://www.bestinternetsecurity.net/286/aligning-employee-attitudes-with-security-policies.html#comments</comments>
		<pubDate>Mon, 03 Nov 2008 09:18:08 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[General Information Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Employee Attitude to Security Policy]]></category>
		<category><![CDATA[Information Security Policy]]></category>
		<category><![CDATA[Information Security Policy Management]]></category>
		<category><![CDATA[Security Policy]]></category>
		<category><![CDATA[Security Policy Management]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=286</guid>
		<description><![CDATA[Don’t overlook your employees’ rejection of your security policies. Without their understanding and acceptance, your company’s information security is at stake.
Here is a very good article on why we should, and how we can, enforce security policies in a corporate environment:
http://www.cw.com.hk/article.php?type=article&#38;id_article=2588
As we have discussed before in this blog, the point is that you need to let [...]]]></description>
			<content:encoded><![CDATA[<p>Don’t overlook your employees’ rejection of your security policies. Without their understanding and acceptance, your company’s information security is at stake.</p>
<p>Here is a very good article on why we should, and how we can, enforce security policies in a corporate environment:</p>
<p><a title="http://www.cw.com.hk/article.php?type=article&amp;id_article=2588" href="http://www.cw.com.hk/article.php?type=article&amp;id_article=2588">http://www.cw.com.hk/article.php?type=article&amp;id_article=2588</a></p>
<p>As we have discussed before in this blog, the point is that you need to let employees know why there are security policies and how the policies are benefiting them. And let them know the consequences of violating the policies.</p>
<p>Cisco has recently released a study showing that many employees do not follow security policies in the work environment. The reason is that they think the policy is not fair to them, and that the policy is not aligned with the reality of their daily work activities.</p>
<p><a title="http://www.cw.com.hk/article.php?type=article&amp;id_article=2591" href="http://www.cw.com.hk/article.php?type=article&amp;id_article=2591">http://www.cw.com.hk/article.php?type=article&amp;id_article=2591</a></p>
<p>In the article, it states:<br />
“The study found that the majority of employees believe their companies&#8217; IT security policies are unfair. Indeed, surveyed employees said the top reason for non-compliance is the belief that policies do not align with the reality of what they need to do their jobs, according to Cisco”.</p>
<p>This reconfirms that the human factor in Information Security is still the primary issue we need to deal with in our day-to-day security management.</p>
<p>Tags: Information Security Policy, Information Security Policy Management, Employee Attitude to Security Policy, Security Policy, Security Policy Management</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/286/aligning-employee-attitudes-with-security-policies.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security Policy: Summary of Experts’ Opinion</title>
		<link>http://www.bestinternetsecurity.net/260/security-policy-summary-of-experts%e2%80%99-opinion.html</link>
		<comments>http://www.bestinternetsecurity.net/260/security-policy-summary-of-experts%e2%80%99-opinion.html#comments</comments>
		<pubDate>Thu, 04 Sep 2008 11:05:45 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Security Life Cycle]]></category>
		<category><![CDATA[Security Life Cycle Model]]></category>
		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=260</guid>
		<description><![CDATA[Let’s begin by looking at the meaning of the word “policy”. Walt, C. (2001a) defines a policy in practical security terms as “a published document (or set of documents) in which the organization’s philosophy, strategy, policies, and practices with regard to confidentiality, integrity and availability of information.”
In other words, it’s actually management’s intention for how [...]]]></description>
			<content:encoded><![CDATA[<p>Let’s begin by looking at the meaning of the word “policy”. Walt, C. (2001a) defines a policy in practical security terms as “a published document (or set of documents) in which the organization’s philosophy, strategy, policies, and practices with regard to confidentiality, integrity and availability of information.”</p>
<p>In other words, it’s actually management’s intention for how various stakeholders, especially employees, should uphold and follow the required security standards in operating the company’s activities.</p>
<p>Policies should:</p>
<ul>
<li>state reasons why the policy is needed</li>
<li>describe what is covered by the policy &#8211; whom, what, and where</li>
<li>define contacts and responsibilities to outside agencies</li>
<li>discuss how violations will be handled</li>
</ul>
<p>A recent journal by James and Coldwell (2007) states that corporate policies should consider security and ethics issues. Management should include explicit statements about the following:</p>
<ul>
<li>An organization’s method of handling the security of its system and information;</li>
<li>Privacy and security issues of information;</li>
<li>Informational assets complying with the impact of ethical behavior and conflict.</li>
</ul>
<p>Users should be educated to recognize the value of assets, risks, and costs of compromise, as the human being is always the weakest link in security management. Therefore, when designing a security policy, human factors should be closely examined and reviewed. This view is supported by a white paper from British Telecommunication plc (BT White Paper 2004).</p>
<p>If you take a look at most security life cycle models, you will notice that a security policy is at the center of security processes, as shown in some typical models below:</p>
<p><a href="http://www.bestinternetsecurity.net/wp-content/uploads/2008/09/security-life-cycle-1.jpg"><img class="aligncenter size-medium wp-image-261" title="security-life-cycle-1" src="http://www.bestinternetsecurity.net/wp-content/uploads/2008/09/security-life-cycle-1-300x219.jpg" alt="" width="300" height="219" /></a></p>
<p><span style="text-decoration: underline;">http://www.sans.org/reading_room/whitepapers/testing/260.php</span> (SANS Institute)<br />
<a href="http://www.bestinternetsecurity.net/wp-content/uploads/2008/09/security-life-cycle-2.jpg"><img class="aligncenter size-medium wp-image-262" title="security-life-cycle-2" src="http://www.bestinternetsecurity.net/wp-content/uploads/2008/09/security-life-cycle-2-300x287.jpg" alt="" width="300" height="287" /></a></p>
<p><span style="text-decoration: underline;">http://www.bradreese.com/andrew-r-reese.htm</span> (BradReese.com)</p>
<p><a href="http://www.bestinternetsecurity.net/wp-content/uploads/2008/09/security-life-cycle-3.jpg"><img class="aligncenter size-medium wp-image-263" title="security-life-cycle-3" src="http://www.bestinternetsecurity.net/wp-content/uploads/2008/09/security-life-cycle-3-300x194.jpg" alt="" width="300" height="194" /></a></p>
<p><span style="text-decoration: underline;">http://www.audisec.com/html/philosophy.html</span></p>
<p>You should not overlook this important security tool in your organization, should you?</p>
<p>Reference:</p>
<p>BT White Paper (2004), ‘Why Security Policies Fail’, <span style="text-decoration: underline;">http://www.mis.uwec.edu/keys/Teaching/is365/208770-BT%20Why%20Security%20Policies%20Fail%20-20000718.pdf</span> Accessed 08/08/08</p>
<p>James, H. and Coldwell, R.A. (1993), ‘Corporate Security: An Australian Ostrich’, <em>Information Management</em> &amp; <em>Computer Security</em>, Vol 1, (Issue 4), 10-12</p>
<p>Walt, C. (2001a), ‘Introduction to Security Policies, Part One: An Overview of Policies’, SecurityFocus, August 27, 2001, <span style="text-decoration: underline;">http://www.securityfocus.com/print/infocus/1193</span> Accessed 08/08/08</p>
<p>Walt, C. (2001b), ‘Introduction to Security Policies, Part Three: Structuring Security Policies’, SecurityFocus, October 9, 2001, <span style="text-decoration: underline;">http://www.securityfocus.com/infocus/1487</span> Accessed 08/08/08</p>
<p>Weil, S. (2004), ‘How ITIL Can Improve Information Security’, December 22, <span style="text-decoration: underline;">http://www.securityfocus.com/infocus/1815</span> Accessed 08/08/08</p>
<p>Tags: Security Life Cycle Model</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/260/security-policy-summary-of-experts%e2%80%99-opinion.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is Risk, Vulnerabilities, Threats, and Countermeasures: Risk Management Lesson 101 for Information Security</title>
		<link>http://www.bestinternetsecurity.net/119/what-is-risk-vulnerabilities-threats-and-countermeasures-risk-management-lesson-101-for-information-security.html</link>
		<comments>http://www.bestinternetsecurity.net/119/what-is-risk-vulnerabilities-threats-and-countermeasures-risk-management-lesson-101-for-information-security.html#comments</comments>
		<pubDate>Mon, 11 Aug 2008 08:01:21 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[General Information Security]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Common Criteria]]></category>
		<category><![CDATA[Countermeasure]]></category>
		<category><![CDATA[Information Owner]]></category>
		<category><![CDATA[Information Risk Management]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[Risk]]></category>
		<category><![CDATA[Risk mitigation]]></category>
		<category><![CDATA[Security Controls]]></category>
		<category><![CDATA[Threat Agents]]></category>
		<category><![CDATA[Threats]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Vulnerability]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=119</guid>
		<description><![CDATA[In this article, I will use layman’s terms and descriptions to help you understand the various fundamental concepts of Risk Management in Information Security.
To illustrate those concepts, I like to use a popular diagram1 from Common Criteria, shown below:

In the center of this diagram you’ll find the term vulnerabilities. Vulnerabilities are any weaknesses of a [...]]]></description>
			<content:encoded><![CDATA[<p>In this article, I will use layman’s terms and descriptions to help you understand the various fundamental concepts of Risk Management in Information Security.</p>
<p>To illustrate those concepts, I like to use a popular diagram<sup>1</sup> from <em>Common Criteria</em>, shown below:</p>
<p><a href="http://www.bestinternetsecurity.net/wp-content/uploads/2008/08/risk-threats-vulnerabilities.gif"><img class="aligncenter size-medium wp-image-120" title="risk-threats-vulnerabilities" src="http://www.bestinternetsecurity.net/wp-content/uploads/2008/08/risk-threats-vulnerabilities-300x209.gif" alt="" width="300" height="209" /></a></p>
<p>In the center of this diagram you’ll find the term vulnerabilities. <em><strong>Vulnerabilities</strong></em> are any weaknesses of a system. A system <em>always </em>contains vulnerabilities. You cannot build a 100% perfect system with no vulnerabilities, even if you have unlimited power, money, and time to build such a system. All systems contain imperfect components, and the integration of imperfect components produces an imperfect system that always possesses certain vulnerabilities.</p>
<p><em><strong>Threats</strong></em> are elements from various sources that can exploit vulnerabilities and that increase risk. <em><strong>Risk </strong></em>is the probability that the system’s asset will be damaged/abused by the threats that exploit the vulnerabilities. Assets can be tangible (such as hardware/software) or intangible (such as good will and customers’ confidence).</p>
<p>Threats can be initiated by <em><strong>threat agents</strong></em>. A common threat agent for IT systems is people. They can accidentally or intentionally exploit vulnerabilities of a system to impact an IT system.</p>
<p>In order to manage risk, we deploy <strong><em>countermeasures </em></strong>(controls) to a system to reduce its vulnerabilities. The decision to deploy certain countermeasures to reduce the vulnerabilities, and hence reduce risk, lies solely with the information owner, who bears all consequences arising from the risk.</p>
<p>In a formal risk management exercise, an organization should undergo an intense brainstorming session to discover all possible threats that can exploit the vulnerabilities of a system. The difficult part of this step is not determining whether a certain threat will cause risk to a system, but the effort required to locate all possible threats to a system. Anything overlooked could lead to possible serious exposure to risks that have not been identified.</p>
<p>It is of the utmost importance for the owner (the “Owners” in the diagram) of an organization to identify all possible threats to its information system to the very best of his/her effort and knowledge, in order to fulfill fiduciary duties to customers and other stakeholders. Without knowing what the risks are, it’s impossible to implement suitable countermeasures to contain and mitigate those risks.</p>
<p>Reference:</p>
<p><sup>1</sup>Picture from <em>Common Criteria</em></p>
<p><span style="text-decoration: underline;">http://www.commoncriteria.org/docs/PDF/CCPART1V21.PDF p.14</span></p>
<p>Tags: Vulnerability, Countermeasure, Security Controls, Risk mitigation, Information Security Management, Information Risk Management</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/119/what-is-risk-vulnerabilities-threats-and-countermeasures-risk-management-lesson-101-for-information-security.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Do Brute Force Password Crackers Work?  And how to avoid your password being cracked by a password cracker</title>
		<link>http://www.bestinternetsecurity.net/105/how-does-a-password-cracker-work-and-how-to-avoid-your-password-being-cracked-by-a-password-cracker.html</link>
		<comments>http://www.bestinternetsecurity.net/105/how-does-a-password-cracker-work-and-how-to-avoid-your-password-being-cracked-by-a-password-cracker.html#comments</comments>
		<pubDate>Fri, 25 Jul 2008 10:38:45 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[Access Control]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[Brute Force Attack]]></category>
		<category><![CDATA[Brute Force Password Crackers]]></category>
		<category><![CDATA[Dictionary Attack]]></category>
		<category><![CDATA[how to craft a password]]></category>
		<category><![CDATA[how to make easily remembered password]]></category>
		<category><![CDATA[password generation methods]]></category>
		<category><![CDATA[password management]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/?p=105</guid>
		<description><![CDATA[Brute force password cracker is one kind of password cracker. A password cracker is a piece of software that attempts to break into a system by trying many different user names and passwords.
To break a password, a password cracker uses one of two methods of attack.
The first method is Brute Force Attack. That [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_561" class="wp-caption alignnone" style="width: 160px"><a href="http://www.bestinternetsecurity.net/wp-content/uploads/2008/07/nige_Locked_Database.png"><img src="http://www.bestinternetsecurity.net/wp-content/uploads/2008/07/nige_Locked_Database-150x150.png" alt="brute force password crackers" title="brute force password crackers" width="150" height="150" class="size-thumbnail wp-image-561" /></a><p class="wp-caption-text">brute force password crackers</p></div>A brute force password cracker is one kind of password cracker. A password cracker is a piece of software that attempts to break into a system by trying many different user names and passwords, either online against the login prompt itself (where lockouts and rate limits slow it down) or offline against a stolen copy of the password hashes (where nothing does).</p>
<p>To break a password, a password cracker uses one of two methods of attack.</p>
<p>The first method is the <strong>Brute Force Attack</strong>, which is where the name Brute Force Password Cracker comes from. In this type of attack, the software generates every possible combination of letters, digits and symbols up to some length and tries each one. Every extra character multiplies the number of candidates by the size of the alphabet, so the longer the password, the longer it takes to exhaust the search space. However, since computers get faster every year (Moore&#8217;s law is popularly paraphrased as computing power doubling roughly every 18 months), the time needed to break a password of any given length roughly halves every 1.5 years, which is why recommended minimum password lengths keep growing.</p>
<p>The second method is the <strong>Dictionary Attack</strong>. This is a more clever method in which the attacker starts from a pool of words such as names and common vocabulary, applies simple rules to them (capitalisation, appended digits or symbols, common substitutions) and tries the results. The pool of candidates is far smaller than in a brute force attack because it is confined to strings people actually choose, so a password derived from a dictionary word falls quickly no matter how long it is. It is very easy to get a word list: a Google search for the phrase &#8220;word list&#8221; turns up many databases available on the web.</p>
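<p>As an added illustration (my own example, not code from the original post), the script below runs both attacks from the two paragraphs above against a constructed salted SHA-256 hash, and projects brute-force time forward under the doubling assumption. The salt, the word list, the mangling rules, the use of SHA-256 as the stored hash and the 1.5-year doubling period are all assumptions made for the demonstration.</p>

```python
"""
Toy brute-force and dictionary password cracker (added example).

Assumptions, not taken from the original post:
  * the attacker holds an offline copy of a salted SHA-256 hash;
  * real systems use a slow hash (bcrypt/scrypt/Argon2), which multiplies
    every figure below by the hash's work factor.
"""
import hashlib
import itertools
import string
from typing import Iterable, List, Optional, Tuple

LOWER = string.ascii_lowercase                                   # 26 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def hash_password(password: str, salt: str) -> str:
    """Stand-in for a stored password hash: SHA-256(salt || password)."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a brute-force attack must try for one fixed length."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given length."""
    return keyspace(alphabet_size, length) / guesses_per_second


def seconds_after_years(seconds_now: float, years: float, doubling_years: float = 1.5) -> float:
    """Project a cracking time forward, assuming attacker speed doubles every doubling_years."""
    return seconds_now / (2 ** (years / doubling_years))


def brute_force(target_hash: str, salt: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """Try every string over alphabet of length 1..max_len, shortest first.
    Returns (password or None, number of guesses made)."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target_hash:
                return candidate, attempts
    return None, attempts


def mangle(word: str) -> List[str]:
    """Minimal rule engine: case variants plus suffixes people commonly append."""
    variants: List[str] = []
    for base in (word.lower(), word.capitalize(), word.upper()):
        if base not in variants:
            variants.append(base)
    for base in list(variants):
        for suffix in ("1", "123", "!", "2008", "2008!"):
            variants.append(base + suffix)
    return variants


def dictionary_attack(target_hash: str, salt: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each word list entry and its mangled variants, in order."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if hash_password(candidate, salt) == target_hash:
                return candidate, attempts
    return None, attempts


# Constructed sample data (not a real leak): a short random-looking password
# and a long one built from a dictionary word.
SALT = "s4lt"
WORDLIST = ["password", "summer", "dragon", "letmein"]
SHORT_HASH = hash_password("cab", SALT)
WEAK_HASH = hash_password("Summer2008!", SALT)

if __name__ == "__main__":
    print("brute force, 3 lowercase chars:", brute_force(SHORT_HASH, SALT, LOWER, 3))
    print("brute force fails on the 11-char one:", brute_force(WEAK_HASH, SALT, LOWER, 3))
    print("dictionary + rules cracks it anyway:", dictionary_attack(WEAK_HASH, SALT, WORDLIST))
    for n in (6, 8, 10, 12):
        now = seconds_to_exhaust(len(PRINTABLE), n, 1e9)   # 1e9 guesses/s is an assumption
        print(f"{n} printable chars: {now:.3g} s today, {seconds_after_years(now, 6):.3g} s in 6 years")
```

<p>Two things the numbers make concrete: the 3-character password falls to exhaustive search after a couple of thousand guesses, while the 11-character one is out of brute-force reach yet falls after 31 dictionary guesses because it is a word plus a predictable suffix. Length only helps when the password is not derived from a word list, and every figure assumes a fast hash; a bcrypt or Argon2 work factor and account lockout on the online path are what actually buy time against these attacks.</p>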
<p>Originally, I’d planned to write a summary of tactics you can use to choose passwords that are easy to memorize but hard to crack. But then I accidentally stumbled upon a page that does this nicely, and in the interest of not reinventing the wheel, here is the link to that page:</p>
<p><a title="http://www.wikihow.com/Remember-Your-Password" href="http://www.wikihow.com/Remember-Your-Password">http://www.wikihow.com/Remember-Your-Password</a></p>
<p>Enjoy, and if you have other innovative ways to remember difficult passwords, let me know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/105/how-does-a-password-cracker-work-and-how-to-avoid-your-password-being-cracked-by-a-password-cracker.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Re-Conceptualizing Security</title>
		<link>http://www.bestinternetsecurity.net/93/re-conceptualizing-security.html</link>
		<comments>http://www.bestinternetsecurity.net/93/re-conceptualizing-security.html#comments</comments>
		<pubDate>Thu, 22 May 2008 10:54:15 +0000</pubDate>
		<dc:creator>Damen</dc:creator>
				<category><![CDATA[General Information Security]]></category>
		<category><![CDATA[Security Management]]></category>
		<category><![CDATA[9th INFOSECURITY CONFERENCE in Hong Kong]]></category>
		<category><![CDATA[Applied Cryptography]]></category>
		<category><![CDATA[Beyond Fear]]></category>
		<category><![CDATA[Bruce Schneier]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Information Security Awareness]]></category>
		<category><![CDATA[Secrets and Lies]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.bestinternetsecurity.net/93/re-conceptualizing-security/</guid>
		<description><![CDATA[Yesterday morning, I managed to find some time to attend the 9th INFOSECURITY CONFERENCE in Hong Kong. One of the keynote speakers was Bruce Schneier, a security guru and founder and CTO of BT Counterpane – an information Security firm offering managed security services. Bruce, the author of several best-selling books on the subject, presented [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday morning, I managed to find some time to attend the 9th INFOSECURITY CONFERENCE in Hong Kong. One of the keynote speakers was Bruce Schneier, a security guru and founder and CTO of BT Counterpane, an information security firm offering managed security services. Bruce, the author of several best-selling books on the subject, presented an excellent talk on his views about security concepts. Some of his books that I have on my shelf are: <a title="http://www.amazon.com/gp/product/0471117099?ie=UTF8&amp;tag=internetma048-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0471117099" href="http://www.amazon.com/gp/product/0471117099?ie=UTF8&amp;tag=internetma048-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0471117099" target="_blank">Applied Cryptography</a>, <a title="http://www.amazon.com/gp/product/0471453803?ie=UTF8&amp;tag=internetma048-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0471453803" href="http://www.amazon.com/gp/product/0471453803?ie=UTF8&amp;tag=internetma048-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0471453803" target="_blank">Secrets and Lies</a>, and the recently published <a title="http://www.amazon.com/gp/product/0387026207?ie=UTF8&amp;tag=internetma048-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0387026207" href="http://www.amazon.com/gp/product/0387026207?ie=UTF8&amp;tag=internetma048-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0387026207">Beyond Fear</a>.</p>
<p>Bruce began the discussion by stating the difference between two types of security in our lives. One type has to do with how you <em>feel</em> about security, and the other type is about the <em>reality</em> of security.</p>
<p>These are two separate things. You can feel secure yet not actually be secure. On the other hand, you can have real security but not feel it. The two tend to diverge. What is surprising is that, linguistically, we do not have two different words for these two kinds of security. English has only one word, and the situation seems to be similar in other languages.</p>
<p>Perhaps the reason is that in the ancient world, while our languages were developing, the two always went together. You could observe your physical environment with your five senses and judge whether it was secure or not, so you felt secure precisely when you actually had physical security.</p>
<p>But in today’s information world, the two do not always go together. We have security measures installed in our information systems that “safeguard” our information assets even though we cannot “see” or “feel” them.</p>
<p>What is worrisome is that most of the time we do not “feel” a lack of security in a system even when it contains serious security flaws.</p>
<p>So the first thing we need to do about security is educate people to be more aware of the need for it, giving them the knowledge necessary to “see” the security measures installed in their systems.</p>
<p>What helps us do this, according to Schneier, is to use “systems” to explain the security implementations in our society. A system here means a simplification of a real-world situation into a model that helps people understand, in simpler terms, how something works. For example, we can explain a camera surveillance system in a way that helps people understand its value not only in recording a crime as it takes place but also in deterring it, since criminals know its presence increases the risk of being caught.</p>
<p>By helping people understand how a camera surveillance system works, we make them more likely to support its deployment and less likely to object to it on privacy grounds.</p>
<p>As I have always emphasized, successful security management has to be built first on the trust, support and understanding of people. After all, security is always a tradeoff. You give up convenience first, and then the time and money invested in the security system, in exchange for something you cannot really “feel” even when it has been properly put in place.</p>
<p>So security is something of a “second thought” in many people’s minds. People tend to find excuses not to commit to best security practices simply because they do not feel insecure, even when they have no proper security measures in place.</p>
<p>All in all, I think Bruce used a very good approach to present this idea at the conference. If you want to know more about Bruce Schneier, visit his personal website here: <a title="http://www.schneier.com/" href="http://www.schneier.com/" target="_blank">http://www.schneier.com/</a>.</p>
<p>For details of the conference, please visit: <a title="http://www.infosecurityproject.com/" href="http://www.infosecurityproject.com/" target="_blank">http://www.infosecurityproject.com/</a></p>
<p>Tags: Information Security Awareness</p>
]]></content:encoded>
			<wfw:commentRss>http://www.bestinternetsecurity.net/93/re-conceptualizing-security.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
