Oct 29 2008

Laptop and traveling precautions

Category: Laptop Security | DISC @ 12:58 am

Laptop security

Best practice emphasizes backing up any data you can’t live without; in the same way, a traveler should avoid taking sensitive data on the road unless it is absolutely necessary. If you do plan to take sensitive data with you on the laptop, the necessary security controls must be implemented and travel with the data. The data protection controls should be based on the data classification in your information security policy.

The laptop hardware itself is only worth a few hundred dollars these days, but it’s hard to put a price tag on the exposed data, whose loss may have a drastic impact on your organization, especially these days when most organizations are on the edge due to financial chaos.
Frequent travelers know it’s possible to lose a laptop, or to lose data because the laptop becomes inoperable due to a hardware malfunction. Planning an important business trip should include encrypting sensitive data and backing it up to a remote site (Carbonite). Then, if you lose your laptop or it is inoperable for some reason, you can remotely recover the backed-up files from the site within a reasonable time.


Here is how you can encrypt your data on a Windows laptop with the built-in EFS utility:

1. Create a new folder, and name the folder Private.
2. Right-click the new folder and choose Properties.
3. Click the Advanced button.
4. Check the "Encrypt contents to secure data" box and then click OK, Apply and OK again.
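The same four steps can be done from a PowerShell prompt and then verified. This is an added example, not part of the original post; the folder location `$Private` and the probe file name are assumptions.

```powershell
# Added example, not from the original post. $Private is an assumed location.
$Private = Join-Path $env:USERPROFILE 'Private'

# Steps 1-4 of the GUI procedure: create the folder and set its EFS attribute.
# cipher.exe /e marks the folder so that files added later are encrypted;
# /s: applies the operation to the folder and its subfolders.
New-Item -ItemType Directory -Path $Private -Force | Out-Null
& cipher.exe /e "/s:$Private" | Out-Null

# Return every file or folder under $Path that lacks the Encrypted attribute.
function Get-UnencryptedItem {
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

# Check 1: the folder itself carries the attribute.
$folder = Get-Item -LiteralPath $Private -Force
if (-not ($folder.Attributes -band [IO.FileAttributes]::Encrypted)) {
    throw "EFS attribute not set on $Private (is the volume NTFS?)"
}

# Check 2: a file created inside inherits encryption (constructed test file).
$probe = Join-Path $Private 'efs-probe.txt'
Set-Content -LiteralPath $probe -Value 'constructed test content'

# Check 3: list anything left in plaintext, e.g. files that were already
# in the folder or were moved in without being re-encrypted.
$plain = @(Get-UnencryptedItem -Path $Private)
if ($plain.Count -eq 0) {
    "All items under $Private are EFS-encrypted."
} else {
    "Unencrypted items found:"; $plain | ForEach-Object { $_.FullName }
}
Remove-Item -LiteralPath $probe
```

Re-running only the `Get-UnencryptedItem` check before a trip confirms that nothing copied into the folder since has been left in plaintext.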

You have created a secure area where you can put your sensitive documents. Any file or subfolder you add to this folder (Private) will be encrypted automatically. Basically, any type of file except Windows system files will be encrypted in this folder. Now if an attacker steals your laptop, removes the hard drive and mounts it on a system where the attacker has administrative privileges, the attacker will not be able to access the contents of the Private folder.

On the other hand, the 256-bit AES file encryption key is stored in encrypted form as a file attribute called the data decryption field (DDF). The EFS private key, needed to decrypt the DDF and extract the file encryption key, is also stored in encrypted form in the registry. The master key, which is used to obtain the key needed to access the EFS private key, is encrypted by the system key and also stored locally. So the attacker will be able to decrypt the EFS-protected files if he can somehow get possession of the system key.

Luckily, we do have a choice about whether to store the system key locally on the laptop. If you click Start, then Run, and launch the syskey.exe utility, you can choose how and where the system key will be stored. The dialog box presents three options:

1. Store the startup key locally
2. Store the startup key on the floppy disk
3. Generate the startup key from a password

With the two non-default options, you will be required to either insert the floppy or enter the password whenever the laptop is booted. The floppy option is highly inconvenient for laptop users, but the password option seems sufficient to protect the laptop data. On a laptop that doesn’t have a floppy drive, don’t select the floppy option, because the next time you boot, the laptop will look for the system key on a floppy before booting.

Survey: CISOs worried about mobile data security

The real Hustle – Laptop Theft Scam
http://www.youtube.com/watch?v=Gb3ZiTJkCaA



Tags: aes, Backup, Booting, carbonite, Cryptography, data classification, data protection, ddf, efs, encryption, exposed data, financial chaos, Hardware, Notebooks and Laptops, private key, Security, security controls, sensitive data, system key, threats, Windows


Oct 13 2008

World Bank security breach and financial crisis

Category: Information Warfare, Security Breach | DISC @ 1:56 am

The World Bank controls the world’s banking system and creates plans and strategies to develop economies and protect countries from financial turmoil. This information is a treasure trove of data which can be manipulated for huge monetary or political gain.

Amid the financial crisis, a major security breach has been reported at the World Bank, which suggests that protecting consumers’ data during this crisis might not be the first priority for many suffering financial institutions.

World Bank Under Siege in “Unprecedented Crisis”

“It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution’s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank’s network for nearly a month in June and July.”
“In total, at least six major intrusions — two of them using the same group of IP addresses originating from China have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month. ”

The World Bank’s technology and security expert states that the incident is an “unprecedented crisis.” Some security experts are saying that this might be the worst security breach to date at a global financial institution. The hackers controlled around 18 servers for more than a month, and the World Bank admits that sensitive data could have been stolen, but it is not sure about the total impact of the breach.

Alan Calder wrote about “Data protection and financial chaos” and mentioned that “When financial markets appear to be in free fall, many organizations might think that data protection is the least of their worries. Who cares, they might wonder, about protecting personal data if tomorrow we might not exist anymore?”
I concur with Alan on this point. In the midst of this chaos, our personal data might be at great risk, and we have to be vigilant and carry the load to protect our data. At the same time, this might become another reason for the financial institutions’ demise if they let their guard down now and do not make it a priority to protect customers’ data.

During this turmoil, some financial institutions’ upper management doesn’t have to worry about their responsibility for securing customers’ data adequately when they already know that eventually the taxpayers will be paying for their mistakes and their bonus plan will stay intact. Unprecedented crises are sometimes the result of unprecedented greed.

Glassner: “I don’t know that the captain of the Titanic got a bonus for driving the boat into iceberg. They at least had the decency to go down with the ship” [quoted in “Wachovia’s Golden Parachutes” story in S.F. Chronicle of 10/10/08 pg. C1].

Bill Gates: “I’m quite worried about the fiscal imbalances that we’ve got and what that might mean in terms of financial crisis ahead.”

Chinese hackers: No site is safe
http://www.youtube.com/watch?v=ovNVhk1rVVE&feature=related



Tags: china, consumers data, data protection, deeply penetrated, financial chaos, financial crisis, full access, hackers, incident, monetary gain, restricted treasury, Security Breach, sensitive data, spy software, treasure trove, unprecedented crises, unprecedented greed


Sep 29 2008

Vista and defense in depth

Category: Information Security, Vista Security | DISC @ 3:47 pm

Being competitive and successful in today’s business environment demands serious consideration of information security. Sometimes a low-risk item can damage your company’s business and lead to the loss of sensitive data. Recovering from the aftermath of an incident can be a costly proposition.

One way to deal with new threats is to be vigilant and know your weaknesses by assessing your infrastructure. It also helps a great deal to have an operating system that comes with built-in security controls which you can turn on and off based on your security needs. Microsoft claims that Vista is the most secure operating system yet and was built with security as a top priority. However, even with all these built-in security features, you may need to make some configuration changes to fit your security requirements.

Windows Vista comes with many built-in security features to protect your business assets. Below are the new security features.

[TABLE=4]

In the past, access was the top priority for Microsoft operating systems (open by default – start locking down as needed). Now, in Vista, control is the top priority (closed by default – start opening up as needed).
Vista’s security development life cycle (SDLC) follows a defense in depth model, which compartmentalizes the system and makes it tough for an intruder to get to the crown jewels. At the same time, the intruder risks detection at every layer. Defense in depth model:

[TABLE=5]

Vista Service Hardening:
Vista service hardening is designed to run services with the least possible privileges. Four different features are utilized to achieve service hardening.

o Service isolation
o Least privilege
o Restricted network access
o Session 0 isolation

Service isolation – a method by which a service can access the objects it needs, such as registry keys, without running under a super-user account.

Least privilege – Based on best practice, each service should use the least privilege necessary to accomplish its task. Under Vista, when a service starts, it requests specific privileges provided by the local system.

Restricted network access – Under Vista, a service’s network access can be restricted by TCP/UDP port, protocol, and the direction in which network traffic is flowing. Restricted network access limits the attack vectors by blocking unnecessary ports, protocols and traffic directions.

Session 0 isolation – Vista does not allow any user application to run in session 0. All user applications must run in session 1 or higher. Only services and other non-user-facing applications run in session 0, to maintain isolation between services and user applications.
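To see how far service isolation and least privilege are actually applied on a given machine, the per-service settings can be read from the registry. This is an added example, not part of the original post; it covers only those two of the four features, the function name is hypothetical, and the filter at the end (LocalSystem services with no per-service SID and no declared privilege list) is one assumed definition of "worth reviewing".

```powershell
# Added example, not from the original post: report the service-hardening
# settings stored under each service's registry key (Vista and later).
#   ServiceSidType     0 = None, 1 = Unrestricted, 3 = Restricted (service isolation)
#   RequiredPrivileges list of privileges the service declares (least privilege)
$sidTypeName = @{ 0 = 'None'; 1 = 'Unrestricted'; 3 = 'Restricted' }

function Get-ServiceHardening {   # hypothetical helper name
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        # Type 0x10 / 0x20 = own-process / shared-process Win32 service; skip drivers.
        if (-not $p -or -not ($p.Type -band 0x30)) { continue }
        $sid = if ($null -ne $p.ServiceSidType) { [int]$p.ServiceSidType } else { 0 }
        [pscustomobject]@{
            Name       = $key.PSChildName
            Account    = $p.ObjectName
            SidType    = $sidTypeName[$sid]
            Privileges = @($p.RequiredPrivileges) -join ','
        }
    }
}

# Services that run as LocalSystem with neither a per-service SID nor a
# declared privilege list have not opted in to either hardening feature.
Get-ServiceHardening |
    Where-Object { $_.Account -eq 'LocalSystem' -and
                   $_.SidType -eq 'None' -and -not $_.Privileges } |
    Sort-Object Name |
    Format-Table -AutoSize Name, Account, SidType
```

For a single service, `sc.exe qsidtype <name>` and `sc.exe qprivs <name>` report the same two settings.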

Service hardening, when combined with other security features, provides a tough defense. This defense in multiple layers is aimed at safeguarding your system, and it also enables your business to be successful by keeping threats at an acceptable distance.



Tags: closed by default, compartmentalize, defense in depth, incident, intruder, least privilege, open by default, restricted network access, safeguard, sdlc, security features, sensitive data, service hardening, service isolation, session isolation