Skip to main content

Sidebar - interesting tid bit from ISC SANS site

http://isc.sans.org/diary.html?storyid=6253

A couple interesting points from John Bambeck at SANS regarding a talk he is preparing on data leakage prevention and what controls have been established as "reasonable security" to protect trade secrets and/or non-public information.

I like John's list of what he considers to be some of the general requirements (based on previous Federal Trade Commission actions mostly).

  • Use of encryption with data at rest and in transit, both within and outside the organization
  • Limiting access to wireless networks
  • Use of strong passwords (and multiple passwords) for administrators to access systems and networks
  • Limit access of internal systems to the internet
  • Employ measures to detect and prevent unauthorized access
  • Conduct security investigations, as appropriate
  • Patching and Updating of anti-virus
  • Requiring periodic changes to passwords
  • Locking accounts after too many failed attempts at logging in
  • Storing credentials in insecure formats (i.e. cookies in the clear)
  • Use of secure transit for credentials (i.e. HTTPS / SSH)
  • Forbidding sharing of accounts
  • Regular assessment of networks and applications for security vulnerabilities
  • Implementing defenses to well known attacks
  • Inventory of NPI data stored, on what servers, for what purposes
  • Secure deletion of NPI once it is no longer needed
These are all really good points that should be considered for controls in any organization, especially with any compliance requirements (SEC, NASD, HIPAA, state privacy laws, etc.). How to establish and then prove that these controls exist and are effective is the "fun part".

->Pierre

Comments

Unknown said…
Great post--one of the driving forces behind my interest in Windows 2008 domains is the new "granular password policy" feature. Used to be that you got one password policy per account database (domain). Now, you can dump administrators into a separate OU and have a much more rigorous password policy for them, and God forbid even go so far as to require two-factor authentication for all admins. Oh, the humanity...
April 24, 2009 at 10:36 AM
Pierre said…
I didn't know 2008 was going to support that, that is pretty huge! From a policy perspective I know I've usually written in the Admin level accounts need additional complexity or factors for authentication, and also additional process for validation/re-verification of account need. Nice to know we can actually live up to that now in a 2008 environment. Now just to deploy one.. :)
April 24, 2009 at 10:55 AM
Post a Comment

Popular posts from this blog

Requirements for Information Security

If you want to get into Information Security you HAVE to be a/have this skill... Why this is total BS. Almost daily I see someone posting on twitter, trying to be helpful to folks who are looking to get into InfoSec. Often I see "If you want to be in Information Security (Cyber Security) then you HAVE to be a programmer" or "If you want to be successful you have to be a hacker/have a criminal record/have abused systems without permission" etc. While having technical capabilities (such as programming) and having the ability to compromise a system shows a specific skillset neither are required. When talking to people who are interested in Information Security I often refer to it as a cake, there are tons of slices, many flavors, many pieces and parts you can sample, choose to focus on, will be expected to know something about, etc. Incident Response and Forensics (my current focus) is not the only part of Information Security, and certainly not the only part tha...
Post a Comment
Read more

Privacy considerations for home users

In light of the recent new stories regarding the recently signed legislation allowing ISP's to be able to sell your data http://www.vox.com/new-money/2017/3/29/15107110/republican-isp-data-privacy Here are a couple ideas and tips about privacy in general. Don't panic - a lot of the info was already being gathered, this isn't that large of a change regarding scope, it's more of a change to who can profit or sell it (which is a shift for sure). Remember a lot of the services you use today already gather your browser, activity, and search info (google, bing, yahoo, facebook, etc.). ISP's haven't implemented this yet, expect to see new terms of service in an upcoming bill, or an email sent to you, etc. If you would like to take some steps to try to preserve your privacy, here are some ideas and examples: VPN (Virtual Private Network) - this in essence creates an encrypted tunnel between two points on the Internet. One point being your system...
Post a Comment
Read more
Weekly recap and why you should be concerned about "attackers" even if you have "nothing to hide" Why you should be aware of, defend against, and prevent attackers... even at home: I often hear from future victims "well I don't have anything to hide/anything of value/why would they target me!?" It's really not about you, usually the attackers aren't looking for your data (if they get it, or have easy access to it, they may try to profit from it, but the people doing the compromising aren't usually the same folks that monetize). What the attackers want are compromised systems they can use to do what they want at scale. So if they can compromise 50 systems, they can send 50X the amount of SPAM... 100 systems, 100X, etc. Some operations get paid based on the number of emails they can send per day. Of course the email will likely not just be SPAM, but may also be malicious (ransomware, etc.). http://thehackernews.com/2017/09/linux-ma...
Post a Comment
Read more