January 2010 Archives

Counting the cost


As my colleague, Peter Cooke, wrote a couple of weeks ago, few businesses in the UK were prepared for the recent wintry conditions and snow, and small businesses in particular found themselves out in the cold. For those of us living on the continent, which was once again bathed in fresh snow over the weekend, the inability of the UK to cope with inclement weather has been gleefully reported on the news channels. With only minor, localised inconvenience seen on the continent, most workers found themselves little disadvantaged.

In the UK, it has been a different matter. In trying to put a figure on what the recent cold spell--and it may not be the last--has cost the UK, the Federation of Small Businesses estimates that three million people missed work on the first working day of 2010 owing to severe weather, costing businesses some £600 million, since those workers had no way of accessing corporate networks securely from home. The Centre for Economics and Business Research estimates that more than 2,000 companies could go bankrupt as a result.

Such a situation clearly illustrates the need to provide secure remote access so that employees can work from home and productivity losses are minimised. To prevent further disruptions, organisations of all sizes should investigate the services available, the majority of which are subscription-based and, because they are provided in the cloud, require little in the way of setup or management. Because of this, any organisation subscribing to such a service can quickly add users as required, even if only for a limited period. Let's hope that the recent weather has been a wake-up call to UK businesses. Had the recent Mexican flu scare turned into a pandemic, the damage and lost working hours would undoubtedly have been even greater, with workers sent home in droves and schools shut in an effort to contain the problem. The figures above speak for themselves: if you are not connected these days, you are not in business.

By Fran Howarth, senior analyst

Common passwords 123456 and qwerty finally exposed


A report by database security firm Imperva has highlighted the most common consumer passwords. The study was based on an analysis of 32 million passwords exposed in the recent Rockyou.com breach.

The report can be downloaded here - no registration required. The top ten passwords are:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

Will users never learn?
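The list above is only useful if it is enforced somewhere. The following is an added example, not code from the Imperva report or from Bloor, of how a registration or password-change handler can reject exactly these passwords: it seeds a deny-list from the ten entries above (plus "qwerty" from the title), undoes the usual dodges such as a trailing digit or leet substitutions before looking the password up, and separately flags keyboard walks and character sequences. The minimum length, the leet table and the sample passwords are my own choices; a production deny-list would be the whole breach corpus loaded from a file rather than eleven literals.

```python
import string

# Constructed deny-list: the ten passwords from the Imperva/RockYou ranking
# above plus "qwerty" from the post title. A production deny-list would be
# the full breach corpus (tens of millions of entries) loaded from a file.
COMMON_PASSWORDS = {
    "123456", "12345", "123456789", "password", "iloveyou",
    "princess", "rockyou", "1234567", "12345678", "abc123", "qwerty",
}

# Keyboard rows used to detect walks such as "qwerty" or "asdfgh".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 12  # assumed policy value for this example

# Common leet substitutions to undo before the deny-list lookup (assumed table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})


def is_sequence(s):
    """True if s is a run of consecutive characters ('12345', 'abcde', 'edcba')."""
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 4 and diffs in ({1}, {-1})


def is_keyboard_walk(s):
    """True if s is a contiguous slice of a keyboard row, in either direction."""
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def has_pattern(pw, window=5):
    """Slide a window over the password and flag sequences or keyboard walks."""
    s = pw.lower()
    return any(is_sequence(s[i:i + window]) or is_keyboard_walk(s[i:i + window])
               for i in range(len(s) - window + 1))


def candidates(pw):
    """Forms of the password to look up: lower-cased, with trailing digits
    removed ('password1' -> 'password'), and with leet substitutions undone
    ('P@ssw0rd' -> 'password')."""
    low = pw.lower()
    stripped = low.rstrip(string.digits)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def check_password(pw, common=COMMON_PASSWORDS):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidates(pw) & common:
        reasons.append("in the common-password deny-list")
    if has_pattern(pw):
        reasons.append("contains a sequence or keyboard walk")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, including two "disguised" deny-list entries.
    for pw in ("123456", "P@ssw0rd2010", "qwerty123456", "correct-horse-battery-7"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

The lookup is deliberately done on several normalised forms rather than the raw string: almost every "password1" and "P@ssw0rd" in a breach dump is a deny-listed word with a cheap decoration, and a check that only matches exact strings misses them.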

By Nigel Stanley, Practice Leader - Security, Bloor Research

Oracle Sun deal approved by European Commission

Oracle Corporation has just received regulatory approval from the European Commission for its acquisition of Sun Microsystems. This decision gives the go-ahead for a deal that has been awaiting an outcome since last September. Oracle is planning a day-long event next week for customers, partners and the press, most likely to cover its intentions once the deal is complete.

Both companies have a strong Identity Management presence, with their own product suites deployed at many important customer sites. It will be vital for the success of the acquisition to manage these customers going forward and to build a solution set for the future that is greater than the sum of its parts. I will be watching with interest to see what Oracle has to say on this subject.

Peter Cooke
Associate Analyst - Bloor Research

Cracking a 768-bit RSA key


As computing power has increased, so has the horsepower available for attacking RSA keys. The most recent milestone, announced in December 2009, was that a group of mathematicians, computer scientists and cryptographers had factorised a 768-bit RSA modulus using a technique called the number field sieve, or NFS. This is not brute force: rather than guessing keys, the NFS splits the public modulus into its two prime factors, from which the private key follows directly. That puts the next milestone, the 1024-bit RSA key, within reach in the next decade or so.
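To make concrete why factoring the modulus is fatal, here is an added example (my own code, not the NFS team's or Bloor's) that builds a toy RSA key, encrypts a message, then plays the attacker: it factors the public modulus and recomputes the private exponent from nothing but the public key. The primes are deliberately tiny and trial division stands in for the number field sieve, which is the only reason the attack finishes instantly; the size thresholds in `key_verdict` restate the post's two milestones plus the commonly recommended 2048-bit minimum, and are my own classification.

```python
from math import gcd, isqrt

# Toy primes, constructed for this example so that the attacker's factoring
# step below finishes instantly. Real keys use primes of 1024 bits or more;
# factoring a product of those is exactly the problem the NFS team attacked.
P, Q = 104723, 104729
E = 65537


def keygen(p, q, e=E):
    """Build an RSA key pair from two primes: public (n, e), private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), d


def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def factor(n):
    """Stand-in for the number field sieve: trial division up to sqrt(n).
    Feasible only because n is tiny; the NFS is what makes a 768-bit n tractable."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no factor found")


def recover_private_key(n, e):
    """What an attacker gains from factoring: with p and q known, phi(n) and
    therefore d follow immediately, so every message under this key is readable."""
    p, q = factor(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def key_verdict(n):
    """Classify a modulus by size against the milestones in the post (assumed
    thresholds): 768 bits has been factored; 1024 bits is expected to fall
    within a decade; 2048 bits is the commonly recommended minimum."""
    bits = n.bit_length()
    if bits <= 768:
        return bits, "factored in practice"
    if bits <= 1024:
        return bits, "expected to be factorable within a decade"
    if bits < 2048:
        return bits, "below the commonly recommended 2048-bit minimum"
    return bits, "ok"


if __name__ == "__main__":
    pub, d = keygen(P, Q)
    n = pub[0]
    c = rsa_encrypt(42, pub)
    print("legitimate decrypt:", rsa_decrypt(c, n, d))
    d_attacker = recover_private_key(n, E)  # attacker knows only (n, e) and c
    print("attacker recovered d:", d_attacker == d, "->", rsa_decrypt(c, n, d_attacker))
    print(key_verdict(2 ** 767), key_verdict(2 ** 2047))
```

The practical check this suggests for an estate is simple: inventory certificates and SSH keys by modulus size, and treat anything at 1024 bits or below as already on borrowed time.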

More here.

By Nigel Stanley
Practice Leader - Security, Bloor Research

Mobile Phone Secret codes being hacked


The end of 2009 and the first couple of weeks of 2010 have seen the world of cryptography, and more specifically data encryption, thrust into the media spotlight.
News of "secret codes being hacked" that "rocked the mobile phone establishment" was splashed across the tabloids as mobile phone users were told their signals can now be hacked.

And more recently, but with less mainstream fanfare (well in fact none to be honest...) a group of academics have managed to factorise a 768-bit RSA public key resulting in some of the more technical media questioning the future of RSA.

So what is the importance of these announcements and are they something your boss needs to worry about?

This short article will explore the recent mobile phone encryption attack, and a follow up article, when I get a chance, will explore the issues behind the RSA key factoring.

By Nigel Stanley, Practice Leader - Security, Bloor Research

Are we prepared for another cold spell?

In the UK, Business Continuity Planning is usually associated with issues such as fire, illness of key staff or a major computer failure.  We tend to think we are immune to the natural disasters that can affect businesses abroad - but with severe winter weather causing mass disruption across the country for a second year running, the problem is closer to home than we might think.  

A recent poll of 225 UK SMEs carried out by remote access company LogMeIn found that 53% of small businesses were not prepared for events that would prevent employees from accessing the office.

It has never been easier or more affordable to provide employees with home access to company resources, especially with the advent of cloud-based subscription services.  If climate change is going to cause similar problems with our future winter weather, it would be advisable to start putting measures in place now.  This would leave all businesses better prepared for future disruptions, whatever they may be.

Removable media - the next encryption frontier?


People are slowly getting their heads around full disk data encryption, but now the focus needs to move onto removable devices.

As data proliferates and, more importantly, becomes fragmented across organisations on a variety of media, the control of removable storage has rapidly become one of the most important challenges facing information security professionals and businesses alike. Simply observe the thousands of people commuting into the major railway stations across Europe each working day and the huge range of smart phones, cameras, USB drives and music players they carry is plain to see. Or, increasingly, not to see: as technical progress shrinks form factors, these devices become ever less visible.

How can the removable media challenge be addressed in a sensible, strategic way so that maximum business benefit can be generated from these incredibly useful devices? Here are some ideas I'd like to kick around.

The ICO gets teeth at long last


After years of being an enforcement also-ran, the Information Commissioner's Office (ICO) is finally going to get some teeth to deal with those who contravene the data protection principles - see the details here.

With the government now in agreement to beef up fines to £500,000, we may start to see those who look after our data take their jobs more seriously. Hopefully the next step will be a data breach notification law as well, so that when our personal data is lost we have some comeback. I'll watch this space with interest.

Education, education, education


According to the European Network and Information Security Agency (ENISA), "Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks." Yet, given the number of data security incidents reported in the press recently that can be put down to human error or fallibility, it is clear that awareness of security issues is still not as widespread as it could be. Governments are trying to address awareness among the general public with initiatives such as www.getsafeonline.com in the UK, a website offering security awareness tips for the public. Also in the UK, lessons in safe use of the internet will become a compulsory part of the primary school curriculum in England from 2011, to inculcate awareness of security issues among schoolchildren from a young age.

Initiatives such as these are needed and will be vital in protecting citizens in the future. However, too few of today's employees have benefited from any education in security, and even computer science courses are only just beginning to incorporate an element of it. Security training therefore needs to be a core part of the business education programmes provided to employees. Providing security awareness training not only helps safeguard organisations from the damage resulting from security incidents, but also helps them comply with the many industry standards and government regulations, from data protection acts to the Payment Card Industry Data Security Standard (PCI DSS), that require such training to be provided to employees.

It is often said that business is all about people, process and technology. When looking at security, virtually every organisation deploys some sort of security technology to safeguard their business from attack, with anti-virus tools and firewalls almost ubiquitously used. Most also define processes that govern how the business runs, backed up by policies that outline procedures that must be followed and the behaviour that is expected of employees. But people are fallible, and just providing a policy does not guarantee that employees have read it, or, more importantly, understand its provisions.

In order to ensure that policies are adhered to, there are two essential elements required--communication and awareness. This is where automated tools come into play as an addition to training programmes. Such tools aid in the creation, review and publishing of policy documents, with the system being capable of sending out the resulting policy to all employees electronically, providing notifications for management and audit purposes when each user has read the policy. But that does not ensure that they have taken in and understood all elements of the policy and the behaviour that is expected of them.

To aid in this process, automated policy compliance tools are available on the market that provide e-learning, testing and evaluation modules to ensure that employees read and understand what behaviour is expected of them according to the provisions of the policy. This can include the use of security controls such as encryption of data on all portable devices to guard against data theft, the need to keep security applications such as anti-virus tools updated with the latest defences, or the imperative to never give their passwords or personal information out without validating who it is asking for that information, and why.

Such tools use libraries of questions that aim to educate employees about the provisions set and the behaviour expected of them, which can be used to test their level of knowledge and to ascertain whether or not further awareness training is required. Users can take the courses and tests at times set by the organisation, or can complete them in their own time, with notifications sent to their managers when courses have been successfully completed. Automation of such tasks also allows an audit trail to be generated that can be used to prove that policies have been adequately communicated and that users understand their provisions.

The role of employee awareness of security is not being lost on organisations today, many of which have implemented training programmes for all their employees in recent months. However, most such programmes lack any way of ensuring that the training is effective and that employees really understand what is required of them. With cost control an issue for all today, a means must be found of making that training as efficient, cost-effective and reliable as possible. Since awareness is the first line of defence against the security threats that we face today, only by using automated tools that can audit the effectiveness of programmes and can ensure that no employees have missed out on training can organisations be sure that their defences are adequately manned.

Further details on this subject can be found in The human element of compliance.

By Fran Howarth, Senior analyst, Bloor Research
