Archive for July, 2010
Social Web Security
For anyone out there using Facebook or blogs that allow people to post comments, check out this tool. It is very easy to configure, requires no technical knowledge, and can help you or your company protect its reputation. Anyone using these platforms should make sure they keep control even in an open world. I was impressed with it and with what Websense has done.
Be Careful Who You Hire
This is an interesting story. A hospital in Massachusetts contracted a company to destroy records. When the hospital tried to get confirmation that the data had been destroyed, it received no response. When it pressed the issue, it got its answer.
http://www.scmagazineus.com/hospital-files-with-personal-medical-data-on-800000-gone/article/174970/
Simply purchasing a “compliant” piece of technology does not make you compliant. Some companies even advertise their products as PCI or HIPAA compliant. This is a dishonest statement, as it gives the purchaser a false sense of security. As with all regulations, the legislation or rules do not dictate specific technologies or practices – rather, they state the desired outcome.
It is true that we need key products in place to meet compliance obligations, but it is what we do with those products that makes us secure. For example, I could sell you two top-of-the-line WatchGuard firewalls. As part of the process I explain that they have web blocking and spam filtering built right in, which meets your needs. Great, right? Yes, if your IT department configures them correctly.
And how should they be configured? Based on your company’s procedures and guidelines. These procedures need to be laid out clearly, by someone with experience in the industry. Too often companies write procedures based on the IT department’s recommendations rather than with the guidance of a security assessor.
Thank you to WatchGuard for reminding us all of this recently in Seattle.
What are they doing?
I had the opportunity to meet with a relatively small business yesterday. This company doesn’t have an in-house IT person; they use an outside “guy”. A month or so back, the accountant at the office had the foresight to contact an email and web security company and order email and web blocking services. Her intent was to add another layer of protection to her assets. She also wants a security assessment as a second pair of eyes, to ensure they are doing everything they can to protect their clients.
Now, what is wrong with this story? For the company, absolutely nothing. They have a fabulous, forward-thinking accountant paying attention to the details of network security. If she is paying attention to that, then I would bet a steak dinner that she is paying attention to all the other little details of the business and the clients they work with.
What about the IT guy in this story? Where was he during all of this? Why did it take the accountant to contact the SaaS company about security concerns? Most general IT people are not concerned with security, and more importantly they are not worried about protecting your assets and reducing partner risk.
One final thought. If a small company of 15 employees takes the time to work on security, are you?
I have been conducting some research lately into DLP and employee theft. DLP stands for Data Loss Prevention or Data Leak Prevention, depending on who you ask. Either way it means the same thing: information that leaves a business.
During my research I started to notice a lot written online about companies by current or former employees. Sites like youropenbook.org allow searches inside Facebook without being signed in or being someone’s “friend”. People are very open about what I consider confidential company information. Some even go as far as discussing patients and breaking privilege.
Having proper policies in place to prevent employees from leaking any company, employee, or client information is the key to protecting privacy. Employees need to be educated on the risks associated with disclosing this information. If you have 50 or more employees, consider bringing in an outside speaker who can be more direct about the risks and discuss what has happened at other companies. No one can control what people say, but through education everyone will appreciate the risks.
Copiers
Think it is safe making copies? Take a look at this video. The first thing I thought of was those copy businesses.
Kraken is Back
Georgia Tech reported that a troublesome piece of malware is back on the scene. Kraken, as it is known, is currently on 318,000 machines, and each machine can send up to 600,000 pieces of spam per day. Kraken gets onto machines that are already infected with another piece of malware.
The tools used to build these botnets are for sale on the internet, and the software can be modified rapidly to avoid detection. Companies simply cannot effectively stop these threats from getting into the business. What they can do is react to them efficiently. Monitoring the network for activity and changes is required as a basic business function.
Just like any other security function, a blended approach is necessary for true security. Office buildings use a combination of cameras and guards to secure the premises. Relying on a single IT product is not enough. The malware in this story can’t be detected by software, but if someone was monitoring the exit door they would find out in about 30 seconds what was happening and could stop it.
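As an added illustration of the “watch the exit door” point (this is example code written for this page, not something from the post, Georgia Tech, or any vendor), the script below looks at outbound connection records and flags any internal host that opens SMTP connections to an unusually large number of distinct mail servers within a short window. A spam bot sending hundreds of thousands of messages a day fans out to many mail hosts in seconds, while a legitimate mail server or a user browsing the web does not. The flow records, IP addresses, the 30-second window and the threshold of 20 distinct destinations are all constructed assumptions for the example.

```python
"""Flag internal hosts whose outbound SMTP fan-out looks like a spam bot.

Example code for this page, not from the original post. The flow records are
constructed; the window and threshold are assumed values a defender would tune
against their own mail-server baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Record format (constructed): "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SMTP_PORTS = (25, 587)


def parse_flow(line):
    """Parse one flow record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_spam_senders(lines, window=timedelta(seconds=30), max_distinct_dsts=20):
    """Return {src_ip: peak distinct SMTP destinations seen within `window`}
    for every source whose peak exceeds `max_distinct_dsts`.

    Records are sorted by time first, so the input order does not matter.
    """
    flows = sorted(parse_flow(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    peak = {}
    for ts, src, dst, port in flows:
        if port not in SMTP_PORTS:
            continue              # only outbound mail delivery is of interest
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop records that fell out of the window
        distinct = len({d for _, d in q})
        if distinct > peak.get(src, 0):
            peak[src] = distinct
    return {src: n for src, n in peak.items() if n > max_distinct_dsts}


def build_sample_flows():
    """Constructed traffic: a mail server, a web user, and one infected host."""
    base = datetime(2010, 7, 20, 9, 0, 0)
    lines = []
    # Legitimate mail server 10.0.0.5: a few deliveries, spread over time.
    for i in range(5):
        ts = (base + timedelta(seconds=12 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 198.51.100.{10 + i} 25")
    # Workstation 10.0.0.9: lots of HTTPS to distinct hosts, no SMTP at all.
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 203.0.113.{i} 443")
    # Infected workstation 10.0.0.77: 150 distinct mail hosts in 30 seconds.
    for i in range(150):
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.77 192.0.2.{i + 1} 25")
    return lines


if __name__ == "__main__":
    for src, n in find_spam_senders(build_sample_flows()).items():
        print(f"ALERT {src}: {n} distinct SMTP destinations within 30s")
```

The only hosts that should ever show up are your real mail relays, so in practice the check is paired with an allow-list of those relays; anything else opening direct SMTP sessions to the internet is worth a look regardless of whether antivirus recognises the binary. Running the sample reports 10.0.0.77 with a peak of 150 distinct destinations and stays quiet about the mail server and the web user.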
