About

Subscribe to InfoSec

  • Enter your email address:

    Delivered by FeedBurner

Bookmark and Share

Recent Posts

Westfield Links

Westfield Blogs

Categories

Blogroll & other links

« April 2009 | Main | June 2009 »

May 2009

26 May 2009

Secure Cell

President Obama is still awaiting the security enhancements to his Blackberry that allows him to securely send/receive email and voice communications.  Officially, the government uses the Sectéra Edge smartphone to securely communicate.  While this should be the standard for ALL paranoid cell phone users; it may be overkill for the average user if the $3000+ price tag isn’t prohibitive.

While the casual cell phone user doesn’t require military grade security, the proliferation of smartphones or feature phones raises the risk of identity theft or social engineering.  Today’s cell phones are no longer restricted to making and receiving calls.  They are a major component of our everyday lives.  They hold our address books, calendars, email, music and much more.  While it is very convenient to hold all of this information in a single place, it poses a risk if they are lost or stolen.

Millions of cell phones are lost or stolen each year.  Think about the important information you store on your phone.  Names and numbers of friends and relatives; passwords; sensitive emails or text messages.  Not only does it expose this information to strangers, it is also very inconvenient for you.  Are you backing up this information?  While not all phones are capable of doing backing-ups or syncing data, the ones that do…should.

Spend a moment to review the information on your phone.  What could a stranger learn about you and your contacts if they had access?  At a minimum, they would be able to harass them.  At worse, they may have access to their physical location.  Is your phone tied to social networking sites such as Facebook or My Space?  How would you feel if a stranger or criminal had access to your friends’ and families’ contact information, pictures, etc.  Personally, it creeps me out to think that someone might browse photos of my wife and daughters.

So what should you do about this?  First, learn to live with a password to access your phone.  It is inconvenient at times to “log-in” to your phone but the level of protection that even a 4 digit password or pin provides is well worth the extra keystrokes.  My phones are set up so that calls can be made and received; however, access to address books and calendars, etc. are password protected.

Does your phone support remote wipe?  Enterprise Blackberries allow system administrators to delete content of lost or stolen cell phones, but what protection do you have if you are an iPhone, Palm or Windows Mobile user?  Utilities like Teallock for Palm allows you to send a “self destruct” text message to your phone wiping all information from the phone and memory cards.

Finally, be aware of where you leave your cell phone.  With cell phone insurance and “new every so many year” plans; people forget the value of the phone and particularly the information it contains.  Would you leave your wallet or purse lying around even if it was not filled with cash?  I often see phones left unattended on desks as I stroll through the hallways in the office.  I’ve seen them left in cars to charge.  I have even seen them dangling from a wall charger, unattended no less, at the airport.  The unfortunate reality is that a lost cell phone is not just a hassle for the owner, like with a wallet or purse, but also for the friends and families of those who are “lucky” enough to be in your contact list!

Posted by John Doan | | Comments (0) | TrackBack (0)

| | | | |

18 May 2009

The scam that keeps on giving

Recently I like many others have received a painful slurry of telephone calls, postcards, and Spam email asking me if I would like to renew my auto warranty. The pain solicitors tend to offer is usually bearable, however this specific solicitation is beginning to feel more and more like a scam attempt to harvest my personal information. This all started several months back, at first only a single postcard, which I discarded without a second thought. Now I am receiving multiple calls and postcards per week, which to me really points out a problem. This company or group of individuals is very persistent, even to the point of switching their call back phone numbers faster than you can call them back to complain.

How does it apply to information security?

Scams like this can waste your time, put your information at risk, and challenge your patience not to mention your pocket book. If not handled appropriately these scams can really become a headache to get out of. The best way to avoid being a victim is to avoid jumping into anything, always remember if it's to good too be true, it probably is.

Why is it important to know this?

Recently a message was left on my grandparent's answering machine, the message told them their auto coverage was about to expire and to call back to have it renewed. My grandfather immediately called his auto insurance agent thinking they were talking about his auto insurance rather than a warranty. His agent reassured him everything was just fine, however how many of us might have just called the number back and accidentally entered into an agreement with this company?

So what should you do?

I haven't found any quick answers or easy fixes, however the Federal Trade Commission provides several recommendations on how to stay safe and protect yourself and others. It includes links to the National Do Not Call Registry, the ability to File a Complaint, and several great explanations about auto warranties (Service Contracts).  In addition suit has been filed recently to try and stop this deception.

In the mean time, if you get a call, don't react; just tell them you will contact them back if you're interested. Thanks for reading and please forward this information along to your friends and family to keep them aware as well.

Posted by Jake Harris | | Comments (0) | TrackBack (0)

| | | | |

13 May 2009

Why is Disaster Recovery a part of Information Security?

I attended an event last week.  You know the kind where everyone was required to go around the room and introduce themselves and describe what position and responsibilities they had at their company.  When it was my turn, I mentioned I was responsible for Information Security, Disaster Recovery, IT Risk Management and IT Compliance.  Later on, during a networking break, an individual came up to me and was curious why Disaster Recovery responsibilities were included in a department that focused on Information Security and Risk Management type activities. 

 

I have had this one asked of me before so I had my answer ready.  I explained that the term "Information Security" is really an umbrella of activities that are focused on three areas commonly referred to as CIA or Confidentiality, Integrity and Availability.

 

The Confidentiality piece is easy to understand as Information should only be accessible to the people who are authorized to access to it.  

 

Integrity is also an easy one to follow as only the appropriate people should be able to update information.  Preserving the integrity of information is important so that good business decisions can be made from it and that it can be trusted.

 

But when it comes to Availability, the reason that it is included under the Information Security umbrella is not always obvious.  Basically, information security is providing accurate information only to the appropriate people when they need it.  In a business interruption, this is still the case (and arguably even more important!).  Also, during a business interruption when things become chaotic, controls that allow only the authorized people access to information they can trust at the time they need it, can save your business.  Protecting the Confidentiality, Integrity and Availability of information at all times, regardless of the situation is what Information Security all about.

 

On a side note, in the unfortunate event of a business interruption, the same laws that govern protecting your company’s information still apply.  For example, if a company has an interruption that requires them to execute their disaster recovery plans, they will still need to comply with the regulations that they normally do during regular operations such as GLBA, HIPAA, PCI, State Breach Disclosure and other laws.   This means that systems and processes that protect access to information such as ACF2, RACF, Active Directory, LDAP, etc... must be included in recovery plans.  Often, information security controls are overlooked during business interruption situations.  This approach really can get you into trouble.

 

After talking a little while, my new friend understood the alignment of Disaster Recovery and Information Security a little better.

Posted by Bill Murray | | Comments (0) | TrackBack (0)

| | | | |