Interesting Information Security Bits for 10/21/2008

October 21, 2008

Good afternoon everybody! I hope your day is going well.

Here are today’s Interesting Information Security Bits from around the web.

  1. Your Simple Guide To Endpoint Encryption Options |
    Rich gives us a great resource for discussing and determining how and to what extent we should implement endpoint encryption.
  2. PCI, Risk Management & “The Blackberry Arsenal” << Risktical Ramblings
    A good story with some good take aways for both those answering to RFPs and those reviewing the answers to RFPs.
  3. BrokenHalo LABORATORIES >> Midnight Research Labs releases Depant
    This looks like a really neat tool. Scans your target for services with default passwords. Yummy.
  4. .:Computer Defense:. >> NoScript Force SSL
    Using NoScript, you can force sites to SSL that don’t do a good job of it themselves. Hat tip: Michael Farnum and Security4All
  5. IT security guide: Understanding cyber-risks means knowing what questions to ask
    Something free from ANSI. You should go get your copy if for no other reason than that 🙂 Seriously, good stuff in here.
  6. Researchers hack wired keyboards, hijack keystrokes | Zero Day |
    Tempest for the 2000s. Looks like avoiding those wireless keyboards may not actually provide the security you may have felt it did.

That’s it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.



Where’s my data? Um…it was here a minute ago….

October 21, 2008

In the article “Study: Global information security improves, but still imperfect“, Angela Moscaritolo points us at a report recently released by PricewaterhouseCoopers, “Safeguarding the new currency of business.” The report is the findings of the 2008 Global State of Information Security Study®. Her article points out some salient issues found in the report, but I would like to focus on one particular issue.

On page 12 of the report, we find the following:

Finding #5
Many companies, however – if not most – do not know exactly where important data is located.

Other findings in the report indicate that we are doing better in implementing technical controls and our compliance efforts also appear to be improving. But here is the rub: what value are better technical controls and a clean compliance report if you don’t know where your sensitive data is?

Okay, we don’t know where our data is. We need to find it. How do we do that?

Ask 10 information security professionals that question and you will get 12 answers, all of them starting with “it depends.” If we can’t get a definitive answer from these folks, who can we get one from? How about the people who use that data each and every day?

Again, there are plenty of ways you could go about gathering that information from your user populace, many of which would be adequate. But if we want better than adequate, I think Michael Santarcangelo gives us a great model for producing excellent results in his book Into the Breach.

You should get his book and read it as I have said before, but in short, engage your users in small groups and ask them how they do their jobs, in detail.  This will drive out where your data is. You may think your data is that big honking database, but what if a lot of it is in spreadsheets stored on a file server that you know nothing about?
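The interviews are the method this post (and Santarcangelo’s book) recommends. A technical complement, added here as an example that is not from the post, the book or the PwC report, is a content-discovery scan of the file shares those interviews turn up: walk the directory tree, flag Luhn-valid card numbers and US SSN-shaped strings in text and CSV files, and mask what is reported so the scan results do not become one more unknown copy of the data. The directory layout, file names and values below are constructed for the example.

```python
"""Content-discovery scan for a file share: find files that appear to hold
card numbers (PANs) or US SSNs. Added example, not code from the post or the
book it recommends; the sample share is constructed inline so it runs offline."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# 13-19 digits, each optionally followed by a single space or dash (e.g. "4111 1111 1111 1111")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 dashed layout
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, masked_value) for each likely PAN or SSN in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # keep BIN and last four so a human can triage; never log the full PAN
            hits.append(("PAN", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        hits.append(("SSN", "***-**-" + m.group()[-4:]))
    return hits


def scan_tree(root: str, exts=(".csv", ".txt")) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root and map each file with findings to its masked hits.
    Only plain-text formats are read; .xlsx and similar are zip containers
    and would need a spreadsheet parser on top of this."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as f:
                    hits = find_sensitive(f.read())
            except OSError:
                continue                      # unreadable file: skip, do not abort the scan
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_share() -> str:
    """Constructed sample 'file server' (hypothetical names and values)."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        # a forgotten refund sheet holding a real (test) card number
        "finance/old/refunds_2007.csv": "customer,card,amount\nA. Smith,4111 1111 1111 1111,42.00\n",
        # phone extension plus a 16-digit order reference that fails Luhn: no finding
        "finance/phone_list.txt": "Front desk: 555-0100\nOrder ref 1234567812345678\n",
        # HR notes with an SSN
        "hr/notes.txt": "Onboarding for new hire, SSN 123-45-6789, starts Monday\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel_path, hits in sorted(scan_tree(share).items()):
        print(rel_path, hits)
```

The Luhn filter drops most random digit runs but not every false positive, and the scan only sees what it can read: binary and zipped formats need their own parsers, and a share nobody told you about never gets scanned at all. Treat the output as material for the next round of conversations with the people who use the data, not as a replacement for them.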

This is a very simplified treatment of a great process that Michael details in his book. So, again, go get it. Read it. Twice. You will not regret it.