Risk
12/31/2007
04:34 PM
Keith Ferrell
Keith Ferrell
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Some New Year's Security Resolutions Can Also Be Security Solutions

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.Doesn't have to be that way, and this is as good a time of year as any to make a run at reigning in the riskier and more dangerous personnel practices at your business.

Of course it's also the time of year when we decide to exercise more, stress less, get organized, quit smoking, save money and anything else we care to improve ourselves with. Most of us know how well those work out. Still...

When you and your team get back to work on Wednesday (or whenever), why not take a few minutes to insist that everyone change their passwords? Then, before the day is out, send out a memo insisting that the passwords be changed every month (at least!) henceforth.

Or how about a post-holiday device inventory, desk by desk, station by station? How many new iPods, phones, thumb-drives etc. have come into the workplace? And how many are already connected to your network? Your policy about such devices is your business -- but you should at least have a personal device policy, and make sure that every employee with access is aware of it.

For that matter what about a log-on audit? How many log-ons are floating around your small or midsize business? How many have been "inactive" -- departed employees, perhaps, or temporary accounts that no one deleted -- for more than a few days? (If any of the log-ons -- or open e-mail accounts or etc. -- belong to terminated employees, there should be some New Year's whipcracking as well as cork-popping.)

Other areas worth reviewing with the staff over the first few days of the year include backups (and what backups can and cannot be removed from the premises), hotspot and other public access for business purposes policies, physical safety of remote devices and equipment, regulatory compliance adherence if appropriate, commonsense security compliance for everybody.

Like our diets, financial plans and other resolutely undertaken New Year's new directions, it'll be all too easy to backslide, to allow new discipline to relax into old slackness, to fail to follow-through.

But as with any successful diet or financial plan or whatever, the benefits of actually sticking to a new, tighter, more consistent security program will begin to show up quickly, both enforcing your rules and reinforcing itself among your employees.

Give it a try -- it's a New Year, after all. The old threats and emerging new ones are not only not going to go away, they're going to gte thornier and more aggressive. Take the human factor out of your security as much as possible now and you'll free up that many more resources to fight the threats that 2008 will bring.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.