Risk

12/31/2007
04:34 PM
Keith Ferrell
Keith Ferrell
Commentary
50%
50%

Some New Year's Security Resolutions Can Also Be Security Solutions

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.Doesn't have to be that way, and this is as good a time of year as any to make a run at reigning in the riskier and more dangerous personnel practices at your business.

Of course it's also the time of year when we decide to exercise more, stress less, get organized, quit smoking, save money and anything else we care to improve ourselves with. Most of us know how well those work out. Still...

When you and your team get back to work on Wednesday (or whenever), why not take a few minutes to insist that everyone change their passwords? Then, before the day is out, send out a memo insisting that the passwords be changed every month (at least!) henceforth.

Or how about a post-holiday device inventory, desk by desk, station by station? How many new iPods, phones, thumb-drives etc. have come into the workplace? And how many are already connected to your network? Your policy about such devices is your business -- but you should at least have a personal device policy, and make sure that every employee with access is aware of it.

For that matter what about a log-on audit? How many log-ons are floating around your small or midsize business? How many have been "inactive" -- departed employees, perhaps, or temporary accounts that no one deleted -- for more than a few days? (If any of the log-ons -- or open e-mail accounts or etc. -- belong to terminated employees, there should be some New Year's whipcracking as well as cork-popping.)

Other areas worth reviewing with the staff over the first few days of the year include backups (and what backups can and cannot be removed from the premises), hotspot and other public access for business purposes policies, physical safety of remote devices and equipment, regulatory compliance adherence if appropriate, commonsense security compliance for everybody.

Like our diets, financial plans and other resolutely undertaken New Year's new directions, it'll be all too easy to backslide, to allow new discipline to relax into old slackness, to fail to follow-through.

But as with any successful diet or financial plan or whatever, the benefits of actually sticking to a new, tighter, more consistent security program will begin to show up quickly, both enforcing your rules and reinforcing itself among your employees.

Give it a try -- it's a New Year, after all. The old threats and emerging new ones are not only not going to go away, they're going to gte thornier and more aggressive. Take the human factor out of your security as much as possible now and you'll free up that many more resources to fight the threats that 2008 will bring.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12697
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVE-2018-12698
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVE-2018-12699
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVE-2018-12700
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
CVE-2018-11560
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.