Archive for the ‘All’ Category

Email Authentication with Sender ID

Tuesday, March 7th, 2006

In a February 14, 2006 article, I described the new Goodmail CertifiedEmail solution.  Goodmail provides a service to senders of marketing email that allows messages to bypass the normal spam filtering processes of email service providers like AOL.  The sender is charged a fee.  The objective of this for-fee service is to authenticate senders.       

Sender ID is an free standard that also meets the objective of sender authentication.  Developed by Microsoft, Sender ID is enjoying increasing acceptance by email and email filtering vendors.  It also provides significant flexibility to receivers when making automated decisions about what to do with unauthenticated messages.    In this article I examine the two primary contenders for email authentication standard, how Sender ID works, what senders must do to be considered “safe”, and what the emergence of this standard means to businesses and individuals.

(more…)

User Awareness Alert: Legal Worm

Monday, March 6th, 2006

A new worm is working  its way throught the Internet.  Known as Bagle.do, the worm threatens email recipients with legal action if they don’t open the attached .exe file and respond to the sender.

 For the whole story, click here

 Listen to our Podcasts –>  add to my PodNova 

(User Awareness Alerts are a service provided by Erudio Security, LLC)

Review our Podcast

Sunday, March 5th, 2006

In the past several weeks, we changed our format.  We’d like your opinion.  Please let us know if you like the new format or if a single host is better.  Also, let us know how we can improve.

You can either leave a blog comment or sent an email to tom.olzak@erudiosecurity.com.

Thanks for your support.

Podcasts –> add to my PodNova

 

A Practical Approach to Threat Modeling

Saturday, March 4th, 2006

Today’s security management efforts are based on risk management principles.  In other words, security resources are applied to vulnerabilities that pose the greatest risk to the business.  There are several processes for identifying and prioritizing risk.  One of the most effective is threat modeling.           

There has been much written about threat modeling.  But most of the papers and books come at the problem of threat and vulnerability management from an academic perspective.  The papers and articles that do take a business management approach typically cover one or two aspects of the process. 

This paper is a practical, high-level guide to conducting threat modeling activities within a business environment.  It begins by exploring why threat modeling is important.  This is followed by a step-by-step process, including some tools you might find helpful.    

Download the paper     

Download the Risk Calculation Tool   

Author:  Tom Olzak 

Listen to our podcast

add to my PodNova

Political Risks Associated with Personal Information Storage

Thursday, March 2nd, 2006

When we think of risks related to malicious hacking, we usually list financial ramifications.  But as global information delivery changes, the risks are increasing in severity. 

This week, Google moved its search records from its Chinese site to the United States.  The reason stated for the move was the possibility that the Chinese government might access those records without Google’s consent.  This was a responsible move by Google, given the potential reprisals against individuals whose searches cause concern within political circles in Beijing.  But is the data safe in the U.S.?

I wrote in a January 26, 2006 blog article about a successful attempt to acquire U.S. Military secrets by alleged representatives of the Chinese government.  A foiled attack against the British government prompted the article.  What prevents these same attackers from breaking into databases in other countries to search for evidence of dissident activity in China?

I don’t know what the solution is.  But I do know that maintaining information that can be used to reconstruct an individual’s Internet habits is becoming a bigger problem than the privacy issues touted by many Americans.  It’s important for Internet companies to understand that the emergence of a truly global Internet requires vigilance that many organizations operating within democracies may find difficult to comprehend.  Business intelligence isn’t a good enough reason to store search information or other personal data that might be compromised by a foreign government for political purposes.

Author:  Tom Olzak

Listen to our podcasts

add to my PodNova

Hacker’s Beware

Wednesday, March 1st, 2006

“Quantum cryptography is trying to make all transmissions secure, so this could be very useful for online banking, for example,” says Professor Hoi-Kwong Lo, an expert in physics and electrical and computer engineering at U of T’s Centre for Quantum Information and Quantum Control and the senior author of a new study about the technique. “The idea can be implemented now, because we actually did the experiment with a commercial device.”

 Read the rest of the article

 Listen to our podcasts

add to my PodNova

Your email:  
subscribe unsubscribe  

IP Surveillance

Monday, February 27th, 2006

When managers discuss physical security, it’s usually restricted to what types of locks to place on what doors.  This is a good start, but locks are only one component of effective physical security.  In fact, a lock is intended as one of many safeguards to delay an intruder until he is identified and intercepted by security guards or police officers.  Good physical security requires the combination of locks, barriers, and sensors.  But these safeguards must be supported by the capability for human assessment of alerts or alarms.  The quickest method for gaining visibility into sensitive areas is the use of cameras.

Until recently, CCTV (Closed Circuit Television) technology was the principle means of viewing physical assets.  Today, IP Surveillance systems are taking over and providing significant improvements.  

In this article, I define IP Surveillance, explore how it works, and list the potential value it brings to your security efforts.   

(more…)

Sorting through the Security-in-the-cloud Debate

Friday, February 24th, 2006

There’s a lot of talk these days about security-in-the-cloud.  Security-in-the-cloud is generally defined as protection provided by Internet Service Providers (ISP) that results in only “clean” packets arriving at a subscriber’s perimeter.  Positions on the topic range from “it’s a bad idea” to “give everything over to a managed service provider.”  Based on my experience as a Director of Security, I have sort of a middle-of-the-road position.  In this article, I explore both sides of the managed services debate.  I’ll also explain why I believe the most effective solution lies somewhere between the two extremes.

(more…)

Unified Internet Identity Management

Thursday, February 23rd, 2006

Microsoft’s new Windows project, code named Longhorn, is supposed to bring many improvements to the enterprise.  Not the least of which is better overall security.  But possibly the most interesting development is Microsoft’s recent announcement about changes to Active Directory.  These changes not only impact how user authentication and authorization are handled in your network.  They also impact how you protect yourself on the Internet through the use of what Microsoft calls the Identity Metasystem.

In this paper, I explore the common identity and privacy challenges facing Internet users are they move from one content location to another.  I’ll then describe the thinking that led Microsoft down the path leading to its approach to unified identity management for the Internet – our final topic.  

Download the full paper   

Author:  Tom Olzak

Listen to our Podcasts: add to my PodNova  

 

Review: Surf Control ETS (Enterprise Threat Shield)

Wednesday, February 22nd, 2006

From a security and a general IT perspective there is a not so new and growing threat, unauthorized software. Call it what you like, spyware, adware, malware. The simple fact remains that if it is unsupported and was not installed by the IT staff, it could potentially wreak havoc on your environment. I’m going to give you a quick review of a software solution by SurfControl, who is also known for their solid web filtering solution. Let’s move on to see why Threat shield can help save you from the malware, but can also help save you from your users as well.
(more…)