Computer Weekly Security Think Tank
- Author:
- Brian McKenna
- Posted:
- 09:27 08 May 2008
- Topics:
- Social Networking | Security
ComputerWeekly.com's Security Think Tank puts information security questions to a group of experts in the field. This page compiles all those questions with links to the experts' answers. Our security panel comprises experts from: (ISC)2, British Computer Society (BCS), Gartner, Isaca, Information Security Forum (ISF), Information Systems Security Association (ISSA), National Computing Centre (NCC), Royal Holloway, University of London, and The Corporate IT Forum (Tif).
ISSA: Traditional controls inadequate
There is a common misconception that because an organisation has anti-virus, it must be safe.
The notion of a boundary existing between "locked down" IT systems inside the corporate network and everything else operating outside it does not make as much sense as it once did.
ISF: Extend the security perimeter
By and large, corporates have solved the problem of protecting the security of workstations against malware in their own internal environment.
ISACA: Constantly mutating challenge
The idea that enterprises have made great progress in locking down their infrastructure to protect end-users from malware may not be totally accurate.
Gartner: Control devices and encrypt data
As new and improved technologies appear in the mobile markets, and are adopted by businesses, so new threats and attacks appear.
Attend the likes of InfoSec to ensure you are up to date with the latest products and then seek the advice of an expert consultant to help in cutting through the snake oil.
Working outside an organisation's physical domain brings certain responsibilities with it and the road warrior must take caution along in the kit bag.
Has the government got the business case for ID cards right?
Royal Holloway: Benefits to the citizen have yet to be proven
In asking whether the government has got the business case for ID cards right, we need to understand precisely what that business case is.
BCS: Now is the time for action
I don't need platitudinous diktat from government indicating that they are doing me a new favour.
NCC: Be sure of making the complete case
ID cards are only part of the identity management solution - not the solution - nothing ever is.
ISSA: ID cards - analyse the facts
Let's put emotion aside when asked about national identity cards and analyse the facts presented by the Identity and Passport Service.
What tools can be used to prevent or mitigate employee wrongdoing?
NCC: Put your faith in standards
Implementing the right security standards is the best way to stop insider fraud.
ISSA: Control is the key
You need to get the security fundamentals right, and then ensure your controls can be (and are) effectively enforced.
ISF: Take a holistic approach
People, motive, opportunity and means: you need to cover all the angles if you're serious about protecting the organisation.
Tif: Access management comes first
Sure, tools are useful, but only after you have identified which staff need which information, and you have processes in place that can deliver and control that access.
(ISC)2: Protect controls as well as systems
Vigorous and independent audits are key in underpinning the controls that safeguard your systems against fraud.
BCS: Management buy-in essential
Until the management of large organisations understands the need for the ongoing maintenance of IT security systems, and fully supports it, employees will continue to evade controls and commit fraud.
Royal Holloway: Control the controllers
So what really happened at Société Générale?
Social networking sites: what are the associated risks at a corporate and at an individual level?
Gartner: at-a-glance guide to social networking risks
Multiple worms and viruses have been introduced to various social network environments. Content distribution within a social network parallels peer-to-peer environments and can support rapid distribution of malware embedded in applications and graphics.
BCS: Individual risks become corporate risks
As a result of the strong human desire to connect, social networking websites have encouraged online behaviour where security and privacy are not always the first priority. The key cause for concern is the late realisation of the open nature of the web and thus how much personal information has been left exposed to any passing stranger.
Tif: Limit your liability from social networking
The main risk of social networking comes from the blurring of a participant's professional and personal profile. Very often, social networkers align themselves with professional networking groups that indicate clearly who employs them and what their job function is. Potentially, this can make it very easy for criminals to harvest information that can be used against them or their companies - so-called "social engineering".
NCC: Social networking security is a people issue
It is an enticing technology but few of the associated risks are really technology problems. It is no different from that old managerial adage of "less gob, more job". And heavy-handed bans are unlikely to mitigate the risks. You may curtail the workplace access, but you cannot control the cybercafe or home PC without instilling staff with a risk-literate attitude.
ISSA: Would you shout your details in the street?
The danger of giving too much information away on social networking sites is of significant concern. Even information that seems innocuous, such as date of birth and postcode, can be used for nefarious motives. How many times is this sort of information used as a challenge when speaking to a call centre operative to prove your identity?
ISF: A greater social networking threat on the horizon
Last year, Facebook purchased Parakey, a start-up from two of the creators of Firefox that promises a web-based operating system designed to bridge the gap between desktop and web and make it easier to move content between the two. How long will it be before one of these sites gives simple remote access from PC to PC?
(ISC)2: Policies hold key to social networking security threat
The rapid take-up of social networking sites offers cyber criminals and mischief makers a new large target. Remind colleagues not to use any workplace e-mail addresses or passwords on these websites. Many of these websites do not encrypt user log-on details. Passwords and user IDs transmitted in clear text across the public internet are subject to possible interception or compromise.