Risk
12/31/2007
04:34 PM
Keith Ferrell
Keith Ferrell
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Some New Year's Security Resolutions Can Also Be Security Solutions

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.

Meet the New Year's security challenges -- same as the old year's security challenges in many ways. And of all of them -- vulnerabilities, cybercrime, flawed old technologies, powerful new technologies, human nature, it's that last that's the most easily addressable. And probably the least addressed.Doesn't have to be that way, and this is as good a time of year as any to make a run at reigning in the riskier and more dangerous personnel practices at your business.

Of course it's also the time of year when we decide to exercise more, stress less, get organized, quit smoking, save money and anything else we care to improve ourselves with. Most of us know how well those work out. Still...

When you and your team get back to work on Wednesday (or whenever), why not take a few minutes to insist that everyone change their passwords? Then, before the day is out, send out a memo insisting that the passwords be changed every month (at least!) henceforth.

Or how about a post-holiday device inventory, desk by desk, station by station? How many new iPods, phones, thumb-drives etc. have come into the workplace? And how many are already connected to your network? Your policy about such devices is your business -- but you should at least have a personal device policy, and make sure that every employee with access is aware of it.

For that matter what about a log-on audit? How many log-ons are floating around your small or midsize business? How many have been "inactive" -- departed employees, perhaps, or temporary accounts that no one deleted -- for more than a few days? (If any of the log-ons -- or open e-mail accounts or etc. -- belong to terminated employees, there should be some New Year's whipcracking as well as cork-popping.)

Other areas worth reviewing with the staff over the first few days of the year include backups (and what backups can and cannot be removed from the premises), hotspot and other public access for business purposes policies, physical safety of remote devices and equipment, regulatory compliance adherence if appropriate, commonsense security compliance for everybody.

Like our diets, financial plans and other resolutely undertaken New Year's new directions, it'll be all too easy to backslide, to allow new discipline to relax into old slackness, to fail to follow-through.

But as with any successful diet or financial plan or whatever, the benefits of actually sticking to a new, tighter, more consistent security program will begin to show up quickly, both enforcing your rules and reinforcing itself among your employees.

Give it a try -- it's a New Year, after all. The old threats and emerging new ones are not only not going to go away, they're going to gte thornier and more aggressive. Take the human factor out of your security as much as possible now and you'll free up that many more resources to fight the threats that 2008 will bring.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3352
Published: 2014-08-30
Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an "iFrame vulnerability," aka Bug ID CSCuh...

CVE-2014-3908
Published: 2014-08-30
The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2010-5110
Published: 2014-08-29
DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file.

CVE-2012-1503
Published: 2014-08-29
Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section.

CVE-2013-5467
Published: 2014-08-29
Monitoring Agent for UNIX Logs 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP09, and 6.2.3 through FP04 and Monitoring Server (ms) and Shared Libraries (ax) 6.2.0 through FP03, 6.2.1 through FP04, 6.2.2 through FP08, 6.2.3 through FP01, and 6.3.0 through FP01 in IBM Tivoli Monitoring (ITM)...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.