Archive for February, 2006

IP Surveillance

Monday, February 27th, 2006

When managers discuss physical security, it’s usually restricted to what types of locks to place on what doors.  This is a good start, but locks are only one component of effective physical security.  In fact, a lock is intended as one of many safeguards to delay an intruder until he is identified and intercepted by security guards or police officers.  Good physical security requires the combination of locks, barriers, and sensors.  But these safeguards must be supported by the capability for human assessment of alerts or alarms.  The quickest method for gaining visibility into sensitive areas is the use of cameras.

Until recently, CCTV (Closed Circuit Television) technology was the principle means of viewing physical assets.  Today, IP Surveillance systems are taking over and providing significant improvements.  

In this article, I define IP Surveillance, explore how it works, and list the potential value it brings to your security efforts.   


Sorting through the Security-in-the-cloud Debate

Friday, February 24th, 2006

There’s a lot of talk these days about security-in-the-cloud.  Security-in-the-cloud is generally defined as protection provided by Internet Service Providers (ISP) that results in only “clean” packets arriving at a subscriber’s perimeter.  Positions on the topic range from “it’s a bad idea” to “give everything over to a managed service provider.”  Based on my experience as a Director of Security, I have sort of a middle-of-the-road position.  In this article, I explore both sides of the managed services debate.  I’ll also explain why I believe the most effective solution lies somewhere between the two extremes.


Unified Internet Identity Management

Thursday, February 23rd, 2006

Microsoft’s new Windows project, code named Longhorn, is supposed to bring many improvements to the enterprise.  Not the least of which is better overall security.  But possibly the most interesting development is Microsoft’s recent announcement about changes to Active Directory.  These changes not only impact how user authentication and authorization are handled in your network.  They also impact how you protect yourself on the Internet through the use of what Microsoft calls the Identity Metasystem.

In this paper, I explore the common identity and privacy challenges facing Internet users are they move from one content location to another.  I’ll then describe the thinking that led Microsoft down the path leading to its approach to unified identity management for the Internet – our final topic.  

Download the full paper   

Author:  Tom Olzak

Listen to our Podcasts: add to my PodNova  


Review: Surf Control ETS (Enterprise Threat Shield)

Wednesday, February 22nd, 2006

From a security and a general IT perspective there is a not so new and growing threat, unauthorized software. Call it what you like, spyware, adware, malware. The simple fact remains that if it is unsupported and was not installed by the IT staff, it could potentially wreak havoc on your environment. I’m going to give you a quick review of a software solution by SurfControl, who is also known for their solid web filtering solution. Let’s move on to see why Threat shield can help save you from the malware, but can also help save you from your users as well.

Security Critical Success Factors

Tuesday, February 21st, 2006

Within the context of information security, Critical Success Factors (CSFs) are objectives or goals that must be met before an organization can provide reasonable and appropriate protection of its information assets.  In this article, I explore seven CSFs that lead to an acceptable level of information asset assurance.


Laptop Encryption: Reasonable and Appropriate?

Monday, February 20th, 2006

Senior U.S. District Judge for the District of Minnesota, the Honorable Richard H. Kyle, ruled last week that companies don’t have to encrypt their data as a requirement of the Gramm-Leach-Bliley Act of 1999.  The GLBA places a set of constraints on how financial insitutions should handle customer information.  There’s been plenty of coverage on this issue since the ruling.  But I’d like to look at this from a different perspective; given HIPAA, SOX, GLBA, and the standards of ethical behavior, what actions should be considered reasonable and appropriate when protecting sensitive consumer information?


eDiscovery Challenges

Friday, February 17th, 2006

During the past two decades, the shift from paper to electronic filing of business documents introduced a new challenge: meeting the requirements of litigation discovery.  Not only are organizations keeping more information; the vast amounts of email messages and other types of documents are typically not organized in a way that facilitates quick, cost effective extraction from personal and enterprise storage. 

If you’re responsible for the security of your company’s information, your role extends to protecting documents required by discovery requests.  Are you prepared to assure your executive management, or to testify, that you’ve done everything reasonable and appropriate to meet the court’s expectations?

In this article, I explore the challenges of eDiscovery (Electronic Discovery) followed by recommendations that might help avoid the high costs of compliance – or non-compliance.


Google desktop v3 “search across computers”

Wednesday, February 15th, 2006

To those of us who use it, the Google desktop was a god send. It truly was and is a revolutionary step in productivity and information management. Google’s world class search, but against your PC…..we were all thinking “the internet is good for something!” My personal favorite, the email search has single handedly saved me (and most likely others) hours. As opposed to the slow and un-indexed outlook search. So with all the warm and fuzzies we get from Google and their super neat products, why is a security blog writing about them? Let’s find out.


Goodmail Systems CertifiedEmail: What is it, and why all the fuss?

Tuesday, February 14th, 2006

Last month, AOL announced it was beginning to use a certified email system designed by Goodmail Systems.  Basically, the Goodmail solution attaches an encrypted token to business/marketing email from certified businesses.  When AOL sees the token, and validates it, the email is treated as a non-spam message.  The catch for the sender is a small fee per message.  The impact on AOL email users is an increase in email with no other purpose than the delivery of unsolicited marketing material.

In this article, I’ll explore how Goodmail’s CertifiedEmail works, what the implementation of this solution means to business, and what users of AOL email services can expect.


Invasion of the Botnet Armies

Sunday, February 12th, 2006

In previous articles, I wrote about  malicious hackers (crackers) moving away from attacks for bragging rights to attacks for profit.  Part of this transition is the increased use of zombie PCs, or bots, to surreptitiously acquire personal and business information with criminal intent.  In this article, I describe the nature of bots and botnets, the danger to your organization from these growing threats, and some things you can do to protect your information assets.