<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Practical Issues in InfoSec &#187; Data Integrity</title>
	<atom:link href="http://www.dlstrom.com/category/data-integrity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.dlstrom.com</link>
	<description>... putting information security within reach of everyone!</description>
	<lastBuildDate>Tue, 27 Jul 2010 13:26:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>End of Year Cleanup, Part 2</title>
		<link>http://www.dlstrom.com/2009/01/04/end-of-year-cleanup-part-2/</link>
		<comments>http://www.dlstrom.com/2009/01/04/end-of-year-cleanup-part-2/#comments</comments>
		<pubDate>Sun, 04 Jan 2009 01:37:31 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Planning]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[PCI]]></category>

		<guid isPermaLink="false">http://dlstrom.com/wp/?p=55</guid>
		<description><![CDATA[A couple of posts ago, we began the End of Year Cleanup discussion. In that post, I encouraged you to ask the question &#8220;Where are we?&#8221; with regard to information security within your organization. Now, we must address the question &#8220;Where do we want to be?&#8221; Over the years I&#8217;ve had several people express that [...]]]></description>
			<content:encoded><![CDATA[<p>A couple of posts ago, we began the End of Year Cleanup discussion. In that post, I encouraged you to ask the question &#8220;Where are we?&#8221; with regard to information security within your organization.</p>
<p>Now, we must address the question &#8220;Where do we want to be?&#8221;</p>
<p>Over the years I&#8217;ve had several people express that they don&#8217;t know where to begin in thinking about this.</p>
<p>Covey says to begin with the end in mind. So, what is the end that you are after? Have you given any thought to this?</p>
<p>The PCI Security Standards Council publishes the Payment Card Industry Data Security Standard (PCI DSS), which applies to every organization that stores, processes or transmits cardholder data for Visa, MasterCard, American Express, JCB or Discover. Even if you never touch a card number, it is a very good standard to use as a framework. The PCI DSS quick reference guide can be downloaded <a href="https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf">here</a>.</p>
<p>In a nutshell, the standard&#8217;s twelve requirements are grouped under six goals&#8230;</p>
<ul>
<li>Build and maintain a secure network</li>
<li>Protect cardholder data</li>
<li>Maintain a vulnerability management program</li>
<li>Implement strong access control measures</li>
<li>Regularly monitor and test networks</li>
<li>Maintain an information security policy</li>
</ul>
<p>You can find the detailed requirements under each goal in the full PCI DSS documents. Check out <a href="http://www.pcisecuritystandards.org">www.pcisecuritystandards.org</a> for more information.</p>
<p>Keep in mind that only organizations that actually handle cardholder data are obliged to follow every detail of the PCI DSS (and how they must validate compliance depends on their transaction volume). If that is not you, treat the six goals as a checklist and aim for security that is reasonable for your organization&#8217;s risk and budget.</p>
<p>Have fun!</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2009/01/04/end-of-year-cleanup-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>End of Year Cleanup</title>
		<link>http://www.dlstrom.com/2008/12/08/end-of-year-cleanup/</link>
		<comments>http://www.dlstrom.com/2008/12/08/end-of-year-cleanup/#comments</comments>
		<pubDate>Mon, 08 Dec 2008 22:51:28 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Planning]]></category>

		<guid isPermaLink="false">http://dlstrom.com/wp/?p=51</guid>
		<description><![CDATA[Do you know your data, computers and networks? I mean, really know them? The end of the year is a good time to take stock of your security measures and operational practices and do some maintenance. I like to ask the question Where are we? at the end of the year. What is being done [...]]]></description>
			<content:encoded><![CDATA[<p>Do you know your data, computers and networks? I mean, <em>really know</em> them?</p>
<p>The end of the year is a good time to take stock of your security measures and operational practices and do some maintenance. </p>
<p>I like to ask the question <strong>Where are we?</strong> at the end of the year. What is being done to protect the information assets of my company or myself and family? After I have a good grasp of this, then I like to ask myself the logical next question, which is <strong>Where do we want to be?</strong> Comparing the two gives some idea of where to focus my information security energies.</p>
<p>Yeah, I know that previous paragraph is pretty vague.</p>
<p>How about some specific ideas when asking that <strong>Where are we?</strong> question.</p>
<ul>
<li>Do I know where all the important data is being stored? Is it all on the hard drive of one notebook computer? Or, is some stored on my computer, some stored on my wife&#8217;s computer? Maybe it is stored on a file server on the network!</li>
<li>What am I doing to protect the data on my notebook computer? Am I doing backups? How do I know that the backups can be used? A backup that has never been restored, not even once as a test, is a hope rather than a backup.</li>
<li>What if my notebook computer gets stolen and my personal financial information (with bank account numbers and passwords) is stored on it? What am I doing to encrypt or adequately protect that data?</li>
<li>If I host my own web services, have I evaluated the access rules on my firewall? Do I really need to allow access on the ports that I have open, and from every source address?</li>
<li>Am I patching the OS on my servers? Do I test patches in a controlled environment before installing them on the production servers? What about the patch level of my workstations? Am I using Automatic Updates (on Windows) to keep them updated?</li>
<li>When was the last time I changed the key on my wireless access point? Am I still using WEP? WEP has been cryptographically broken for years and should be replaced with WPA2 and a long, random passphrase. Am I sure that only authorized people know the key? Maybe the neighbors are leeching the signal!</li>
<li>Do I have any idea of what &#8220;normal&#8221; traffic looks like on my network? What applications are being used &#8211; P2P, chat, BitTorrent, webcams? What about filtering? Is my filtering functioning as desired?</li>
<li>When was the last time that I forced password changes for users? How about administrator/root accounts?</li>
</ul>
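<p>&#8220;How do I know that the backups can be used?&#8221; is the one question on that list that a script can answer every night. The example below is added here and is not from the original post: it builds a SHA-256 manifest of the original tree, then checks a restored or synced copy against it and reports what is missing, altered or unexpected. The manifest file name <code>MANIFEST.sha256</code> and the sample files it creates are this example&#8217;s own assumptions; the manifest layout is the one <code>sha256sum -c</code> also reads.</p>

```python
"""Build a SHA-256 manifest of a directory tree and verify a copy against it.

Added example, not code from the original post. Assumes the backup is a plain
file-tree copy (or a restore of one) that can be walked on local disk.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.sha256"  # assumed name; any name the backup job does not use works


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large backup never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def write_manifest(root: Path, manifest: Dict[str, str]) -> Path:
    """Write 'digest  path' lines, the layout that 'sha256sum -c' also accepts."""
    out = root / MANIFEST_NAME
    with out.open("w", encoding="utf-8") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")
    return out


def read_manifest(path: Path) -> Dict[str, str]:
    """Parse the manifest written by write_manifest (blank lines ignored)."""
    manifest = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_copy(copy_root: Path, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored or synced copy against the manifest taken from the original.

    Reports files that are gone, files whose bytes changed (partial restore,
    bit rot, tampering) and files the original never had.
    """
    actual = build_manifest(copy_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(r for r in expected if r in actual and actual[r] != expected[r]),
        "extra": sorted(set(actual) - set(expected)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: copy a small tree, then damage the copy in three ways."""
    sample = {  # constructed sample files, not real data
        "docs/budget.txt": b"2008 budget\n",
        "photos/cat.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
        "notes.txt": b"remember the milk\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, copy = Path(tmp) / "source", Path(tmp) / "backup"
        for root in (src, copy):
            for rel, data in sample.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        manifest_path = write_manifest(src, build_manifest(src))
        # damage the copy: truncated file, missing file, stray file
        (copy / "docs/budget.txt").write_bytes(b"2008 budge")
        (copy / "photos/cat.jpg").unlink()
        (copy / "stray.tmp").write_bytes(b"")
        return verify_copy(copy, read_manifest(manifest_path))


if __name__ == "__main__":
    print(demo())
```

<p>Keep the manifest somewhere the backup job cannot overwrite it (or sign it), otherwise a corrupted backup and a corrupted manifest will happily agree with each other. An empty report after a full test restore is the only evidence that a backup is usable.</p>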
<p>Wow! That sounds like a lot of work! It&#8217;s not, really, but these things need to be considered periodically.</p>
<p>In the next entry, I will be discussing the <strong>Where do we want to be?</strong> question.</p>
<p>- Dan</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2008/12/08/end-of-year-cleanup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Data Storage with getdropbox.com</title>
		<link>http://www.dlstrom.com/2008/07/18/online-data-storage-with-getdropboxcom/</link>
		<comments>http://www.dlstrom.com/2008/07/18/online-data-storage-with-getdropboxcom/#comments</comments>
		<pubDate>Fri, 18 Jul 2008 23:41:02 +0000</pubDate>
		<dc:creator>d.strom, cissp, gsec, gsna</dc:creator>
				<category><![CDATA[Backups]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[getdropbox.com]]></category>

		<guid isPermaLink="false">http://dlstrom.com/wp/?p=23</guid>
		<description><![CDATA[Small business is confronted with a significant decision when it comes to the backup of their important data. Should a local solution be implemented, or should an on-line service be used? I’ve just begun experimenting with a relatively new service called getdropbox.com. getdropbox.com is a relatively recent entry into the fray of on-line storage and [...]]]></description>
			<content:encoded><![CDATA[<p>Small business is confronted with a significant decision when it comes to the backup of their important data. Should a local solution be implemented, or should an on-line service be used? I’ve just begun experimenting with a relatively new service called getdropbox.com.</p>
<p>getdropbox.com is a relatively recent entry into the fray of on-line storage and is still in “beta” mode. Getting an account requires an invitation from someone who already has an account. This free account gives the beta-user 2GB of storage. Once an account has been set up, a bit of software is installed on the local computer. This software creates a new folder (dropbox) on the local computer. As files are moved into that folder, they are auto-magically uploaded to the folder on the getdropbox.com servers. These files are accessible from your account, and from any other computer that has the getdropbox software installed and linked to your account. Pretty simple, eh?</p>
<p>getdropbox.com also allows you to make some of your files publicly accessible. A unique URL is provided for each file. Anyone who knows, or is lucky enough to guess, this URL can access this file, and anyone the URL is forwarded to can as well. The file is readable, but changes cannot be written back to the servers.</p>
<p>The capability is also included to share a folder with other getdropbox.com users whose computers are not linked to your account. You just need to send them an invitation (via email) to the shared folder. At that point they have full read/write access to everything in it.</p>
<p>Now, how can this be used for an online backup? As mentioned earlier, the software watches the dropbox folder on your computer and automatically synchronizes with the on-line server. If you are using Mac OS X you can simply create a symbolic link in the dropbox folder pointing to any other folder you want automatically backed up. (Unfortunately, this capability is not available to Windows users at this time.) The developer indicates that they are internally testing a Linux client. Once that ships, the same trick should work on Linux.</p>
<p>So, how secure is your data? According to the FAQ, the data transfer takes place over an SSL connection. I’ve not yet had the chance to examine the network traffic to verify this. But, and this is significant, nothing says that the files are encrypted with a key that only you hold. According to the FAQ, “Files are encrypted with AES-256 before being stored on our backend.” Read carefully, that means the service encrypts your files with its own keys, so the service (and anyone who compromises it or legally compels it) can read them. They indicate that in the future users will be able to define their own private keys to encrypt the data, but this is not currently implemented. I would highly recommend that any confidential information be encrypted, with a key you control, prior to putting it in the dropbox folder on your computer.</p>
<p>So, would I recommend that you use getdropbox.com for on-line data storage for your company? Yes, if the following conditions are met&#8230;</p>
<ol type="1" start="1">
<li>Sensitive data is encrypted before being put in the dropbox folder for synchronization</li>
<li>The total amount of data is less than the amount allocated to your account. Right now the maximum folder size is 2 GB</li>
<li>There is a need to share files with other trusted individuals outside the company</li>
<li>Your business model allows for your company information to be stored outside of your control</li>
</ol>
<p>Ok, then, what about personal use? Pictures that need to be shared with family would be fine to have stored. Likewise, other personal files may be fine. But, I sure wouldn’t put my Quicken data files up on a service like this unless I first encrypt them. (TrueCrypt would be a fine piece of software to use for encryption.)</p>
<p>Finally, the getdropbox.com privacy statement speaks only to the personally identifiable information you submit as you create your account. Of course, they reserve the right to sell or disclose that information to service providers, business partners, and others. It is curious to note that they omit saying what they will do with the files you store on their site!</p>
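<p>&#8220;Encrypt it before it goes in the folder&#8221; is easy to say and easy to get wrong, so here is what that looks like done properly. This is an added example, not code from the original post and not anything getdropbox.com ships: it needs the third-party <code>cryptography</code> package, derives a per-file AES-256 key from your passphrase with PBKDF2 and a fresh salt, uses AES-GCM so any modification of the stored bytes is detected, and authenticates the file name so the service cannot hand you one file&#8217;s contents under another file&#8217;s name. The container layout (magic, salt, nonce, ciphertext), the <code>.enc</code> suffix and the sample passphrase and data are this example&#8217;s own assumptions.</p>

```python
"""Encrypt a file before it enters a synced folder, binding the file name
into the authentication tag.

Added example, not the original post's code and not Dropbox's. Requires the
third-party 'cryptography' package (pip install cryptography). The container
format below is this example's own choice.
"""
import os
from pathlib import Path
from typing import Tuple

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

MAGIC = b"ENC1"        # assumed format marker so a decryptor can reject foreign files
SALT_LEN = 16
NONCE_LEN = 12         # the 96-bit nonce size GCM is specified for
TAG_LEN = 16
ITERATIONS = 600_000   # PBKDF2 work factor; raise it as hardware gets faster


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 256-bit AES key. A fresh salt per file means
    two files protected by the same passphrase never share a key, so the random
    nonce below never needs to be unique across files."""
    kdf = PBKDF2HMAC(algorithm=hashes.SHA256(), length=32, salt=salt, iterations=ITERATIONS)
    return kdf.derive(passphrase.encode("utf-8"))


def encrypt_blob(plaintext: bytes, filename: str, passphrase: str) -> bytes:
    """Return MAGIC || salt || nonce || ciphertext+tag for one file."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(passphrase, salt)
    # The file name is authenticated (associated data) but not encrypted: the
    # storage provider cannot quietly serve draft.enc's bytes as report.enc.
    ct = AESGCM(key).encrypt(nonce, plaintext, filename.encode("utf-8"))
    return MAGIC + salt + nonce + ct


def decrypt_blob(blob: bytes, filename: str, passphrase: str) -> bytes:
    """Inverse of encrypt_blob; raises ValueError on any integrity failure."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("not a container produced by this tool")
    off = len(MAGIC)
    salt = blob[off:off + SALT_LEN]
    off += SALT_LEN
    nonce = blob[off:off + NONCE_LEN]
    off += NONCE_LEN
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, blob[off:], filename.encode("utf-8"))
    except InvalidTag:
        # wrong passphrase, corrupted bytes, or a file renamed/swapped on the server
        raise ValueError("integrity check failed; refusing to return data")


def encrypt_into_sync_folder(src: Path, sync_dir: Path, passphrase: str) -> Path:
    """What the synced folder actually receives: only the .enc container."""
    out = sync_dir / (src.name + ".enc")
    out.write_bytes(encrypt_blob(src.read_bytes(), src.name, passphrase))
    return out


def tamper_is_detected(passphrase: str = "correct horse battery staple") -> Tuple[bool, bool, bool]:
    """Constructed check: the round trip works, a flipped ciphertext byte is
    rejected, and the same container presented under another name is rejected."""
    data = b"account 12345678, password hunter2\n"  # constructed sample, not real
    blob = encrypt_blob(data, "quicken.qdf", passphrase)
    roundtrip_ok = decrypt_blob(blob, "quicken.qdf", passphrase) == data
    flipped = bytearray(blob)
    flipped[-1] ^= 0x01
    try:
        decrypt_blob(bytes(flipped), "quicken.qdf", passphrase)
        bit_flip_caught = False
    except ValueError:
        bit_flip_caught = True
    try:
        decrypt_blob(blob, "other.qdf", passphrase)
        rename_caught = False
    except ValueError:
        rename_caught = True
    return roundtrip_ok, bit_flip_caught, rename_caught


if __name__ == "__main__":
    print(tamper_is_detected())
```

<p>The passphrase never leaves your machine, which is exactly the property the FAQ&#8217;s server-side AES-256 does not give you. The file name is still visible to the service, as is the file size; if those are sensitive, rename before encrypting.</p>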
<p>Disclaimer: The information in this post is current as of the date and time of the posting. The details of the getdropbox.com service are always subject to change.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.dlstrom.com/2008/07/18/online-data-storage-with-getdropboxcom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
