Risk
12/31/2007
04:34 PM
Keith Ferrell
Keith Ferrell
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Some New Year's Security Resolutions Can Also Be Security Solutions

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.Doesn't have to be that way, and this is as good a time of year as any to make a run at reigning in the riskier and more dangerous personnel practices at your business.

Of course it's also the time of year when we decide to exercise more, stress less, get organized, quit smoking, save money and anything else we care to improve ourselves with. Most of us know how well those work out. Still...

When you and your team get back to work on Wednesday (or whenever), why not take a few minutes to insist that everyone change their passwords? Then, before the day is out, send out a memo insisting that the passwords be changed every month (at least!) henceforth.

Or how about a post-holiday device inventory, desk by desk, station by station? How many new iPods, phones, thumb-drives etc. have come into the workplace? And how many are already connected to your network? Your policy about such devices is your business -- but you should at least have a personal device policy, and make sure that every employee with access is aware of it.

For that matter what about a log-on audit? How many log-ons are floating around your small or midsize business? How many have been "inactive" -- departed employees, perhaps, or temporary accounts that no one deleted -- for more than a few days? (If any of the log-ons -- or open e-mail accounts or etc. -- belong to terminated employees, there should be some New Year's whipcracking as well as cork-popping.)

Other areas worth reviewing with the staff over the first few days of the year include backups (and what backups can and cannot be removed from the premises), hotspot and other public access for business purposes policies, physical safety of remote devices and equipment, regulatory compliance adherence if appropriate, commonsense security compliance for everybody.

Like our diets, financial plans and other resolutely undertaken New Year's new directions, it'll be all too easy to backslide, to allow new discipline to relax into old slackness, to fail to follow-through.

But as with any successful diet or financial plan or whatever, the benefits of actually sticking to a new, tighter, more consistent security program will begin to show up quickly, both enforcing your rules and reinforcing itself among your employees.

Give it a try -- it's a New Year, after all. The old threats and emerging new ones are not only not going to go away, they're going to gte thornier and more aggressive. Take the human factor out of your security as much as possible now and you'll free up that many more resources to fight the threats that 2008 will bring.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.