by d.strom, cissp, gsec, gsna on July 3, 2009
I can remember many, many years ago when my Dad disposed of old tax documents. He just threw them in the trash.
The only redeeming factor was that we lived in the country and burned all of our paper trash.
But have you ever known anyone to just toss a confidential document in the trash? What is considered “confidential”?
Here are some examples of what you should consider confidential…
- Anything with your Social Security number on it
- Anything with a credit card number on it
- Anything that is a credit application
- Anything with user accounts and passwords
- Anything with bank account numbers
Tip: Purchase a cross-cut shredder and shred confidential documents.
This will help to protect you from identity theft, or someone using your credit to make purchases.
Make your life easier. Shred those documents!
- Dan
by d.strom, cissp, gsec, gsna on June 29, 2009
You can learn a lot by watching people.
I had breakfast this morning and was stunned to overhear someone on their cell phone give the administrative login credentials for the company website to someone else. They also very carefully spelled out the entire URL to the login page.
If I were not trustworthy, I could log into their website and cause havoc.
What’s the moral to this story? You never know who is listening to your conversations. Be careful what you share, and with whom you are sharing.
Let’s keep quiet with confidential information…
- Dan
by d.strom, cissp, gsec, gsna on June 25, 2009
I don’t know if your memory is like mine, but sometimes I cannot remember what happened last week.
Do you remember each and every information security exposure that is found?
Several years ago I started keeping a Risk Register. This is very similar to the checkbook register that we all keep.
When I find a new exposure to our organization, I keep track of these things…
- Date Risk Found
- Description of Risk
- Business Unit Impacted
- Steps Taken for Remediation
- Date of Each Step Taken
Now, I’ll be honest. Many times I keep much more information than what is listed above. But the above is a good start.
What are the benefits of keeping a Risk Register?
- Helps with remembering what has been done.
- Helps with justifying InfoSec expenses.
- Helps in explaining what has been done to Management.
- Helps to identify the most vulnerable business unit.
So, remove some items from the list of things you need to remember. Keep a Risk Register.
- Dan
by d.strom, cissp, gsec, gsna on June 24, 2009
Are Facebook and Privacy mutually exclusive?
Take a read of this article from Sophos: Simple Facebook flaw put all members at risk of identity theft
According to the article, a flaw in Facebook’s security model allowed access to private information on a member’s “Basic Information” page.
The reminder cannot be made often enough… Be careful with your private information!
- Dan
by d.strom, cissp, gsec, gsna on June 17, 2009
The final commonly held element of good Defense in Depth is Operations. I say “commonly held” because various authors make additions to the list of People, Technology and Operations.
As a working description, consider Operations to be the tasks required to maintain a desired level of security. It is easy to get bogged down thinking only about the security posture itself, and about auditing to make sure that we are maintaining that posture.
Regardless of what level of security you want, the following are some ideas to get you started thinking about InfoSec Operations…
Good InfoSec operations will be driven by policy.
- Acceptable Use Policy – The AUP clearly lays out what the organization’s resources can and cannot be used for. Check out some reasons you need an Acceptable Use Policy.
- Configuration Change Policy – Even the smallest of businesses needs guidelines and policies for who can make changes to computers, software and infrastructure, and when those changes can be made. Chaos ensues without this.
Good InfoSec operations will work to minimize the risk from malware.
- Operating system patches – Whether you are running Unix, Linux, Windows or OS X as your operating system, there are frequent patches that should be applied. Depending upon your business, you may even need to test patches on test servers and workstations prior to general deployment.
- Anti-virus updated and scanning – Malware is a significant attack vector. Viruses, worms and spyware are often used to gather personal information from the infected host. A major step in minimizing the risk is to keep the anti-virus software updated and scanning.
Good InfoSec operations will be aware of threats.
- Know what the risks are to your organization – The risks to a small bank are different from the risks to a fitness club. Awareness of the risks to your specific industry will enable you to establish sound defenses.
- Know what has been done to remediate specific threats – I keep a “risk register” of the various risks, threats and problems that I encounter. It includes the date found, a brief description of the risk, what I have done to address the risk, and the date that was done. Not only does it help me remember, but it is good to periodically review it to make sure the remediation is still valid.
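As an added example (not the author’s own register, and with constructed sample entries), here is a small Python version of the risk register described in the item above and in the June 25 post higher up this page. It keeps the five fields the June 25 post lists, and adds the queries that deliver the benefits both posts mention: which entries are open, which have stalled with nothing recorded, which business unit carries the most open exposure, and which closed entries are old enough that their remediation should be re-checked. The `closed_on` field, the `AS_OF` date and the review and idle thresholds are assumptions for illustration.

```python
# Added example: a small risk register in the shape the posts describe, with
# helpers for the benefits they list (remembering what was done, finding the
# most exposed business unit, re-checking old remediation). This is not the
# author's tool; the sample entries below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Step:
    """One remediation action and the date it was taken (the register's last two fields)."""
    taken_on: date
    description: str


@dataclass
class Risk:
    found_on: date                                    # Date Risk Found
    description: str                                  # Description of Risk
    business_unit: str                                # Business Unit Impacted
    steps: List[Step] = field(default_factory=list)   # Steps Taken / Date of Each Step
    closed_on: Optional[date] = None                  # assumption: set when remediation is complete

    def last_activity(self) -> date:
        """Most recent dated event on the entry; the find date if nothing has been done yet."""
        return max([s.taken_on for s in self.steps] + [self.found_on])


def open_risks(register: List[Risk]) -> List[Risk]:
    """Entries with no closure date: exposures still being worked, or not yet touched."""
    return [r for r in register if r.closed_on is None]


def stalled_risks(register: List[Risk], as_of: date, max_idle_days: int = 14) -> List[Risk]:
    """Open entries with no recorded step in the last max_idle_days: the 'did I forget?' check."""
    limit = as_of - timedelta(days=max_idle_days)
    return [r for r in open_risks(register) if r.last_activity() < limit]


def exposure_by_unit(register: List[Risk]) -> Counter:
    """Open exposures per business unit, the basis for 'most vulnerable business unit'."""
    return Counter(r.business_unit for r in open_risks(register))


def most_exposed_unit(register: List[Risk]) -> Optional[str]:
    """Business unit with the most open entries, or None for an empty register."""
    ranking = exposure_by_unit(register).most_common(1)
    return ranking[0][0] if ranking else None


def due_for_review(register: List[Risk], as_of: date, review_every_days: int = 120) -> List[Risk]:
    """Closed entries whose last step is older than the review interval, so the
    remediation can be re-validated (the periodic review the post recommends)."""
    limit = as_of - timedelta(days=review_every_days)
    return [r for r in register if r.closed_on is not None and r.last_activity() < limit]


def summary(register: List[Risk], as_of: date) -> dict:
    """Headline numbers for a status report to management."""
    return {
        "total": len(register),
        "open": len(open_risks(register)),
        "stalled": len(stalled_risks(register, as_of)),
        "due_for_review": len(due_for_review(register, as_of)),
        "most_exposed_unit": most_exposed_unit(register),
    }


# Constructed sample register (hypothetical entries, not real findings).
SAMPLE_REGISTER = [
    Risk(date(2009, 1, 15), "FTP server allowed anonymous uploads", "Finance",
         [Step(date(2009, 1, 16), "Disabled anonymous FTP")], closed_on=date(2009, 1, 16)),
    Risk(date(2009, 3, 2), "Unpatched XP workstations in Accounts Payable", "Finance",
         [Step(date(2009, 3, 5), "Pushed outstanding patches"),
          Step(date(2009, 3, 9), "Verified patch level on each host")], closed_on=date(2009, 3, 9)),
    Risk(date(2009, 5, 20), "Shared admin password for the web CMS", "Marketing",
         [Step(date(2009, 5, 21), "Rotated password, issued individual accounts")]),
    Risk(date(2009, 6, 10), "Backup tapes stored on site only", "IT"),
    Risk(date(2009, 6, 20), "Trade-show kiosk PC has no anti-virus", "Marketing"),
]
AS_OF = date(2009, 6, 25)   # assumed reporting date for the sample

if __name__ == "__main__":
    for key, value in summary(SAMPLE_REGISTER, AS_OF).items():
        print(f"{key}: {value}")
```

The two thresholds are the part worth tuning: `max_idle_days` decides when an open item shows up as forgotten, and `review_every_days` decides how often a closed item is pulled back for re-validation, which is the check that catches a fix that was undone by a later change.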
Good InfoSec operations will be ready to recover from an incident.
- Backups – Having good backups can make you look like a genius! (and they can be the difference between an inconvenience and the organization shutting the doors…)
- Disaster Recovery Planning – Even the smallest of businesses needs a DRP. Ready.gov can be a good starting place.
- Dan