Tuesday, 22 August 2017

SecureVue Review

Risk and Audit Management Platform

I recently helped a medium-sized corporation prepare for a security compliance review. It is a necessary step to go through for compliance issues, but I dreaded trying to find every node on the client's network. Once all of the dust had settled I decided to try SecureVue from eIQNetworks. SecureVue combines security information management with real-time governance, risk and compliance to help any organization get compliant and, just as importantly, stay compliant. SecureVue's integrated model allows logging, configuration and compliance information to be viewed on a single stand-alone system.

Installation

Installation is fairly straightforward. A pre-installation check verifies that the target system meets SecureVue's prerequisites. From there you answer questions about installation locations and IP addresses, and a web site is set up for you to view the settings. Once the system has been installed we can get down to the business of configuring our network for discovery and have a look at what the product can do.

Configuration

The first thing SecureVue wants is data sources: it needs to know which devices it is collecting information from. Many devices can be auto-discovered by SecureVue; for those that cannot, there is a manual process. The remainder of the configuration revolves around licensing (you must have a license file) and editing the collection policy. The collection policy defines the types of data to collect, such as vulnerability scanner output, performance and configuration metrics, and syslog events. Although this may sound daunting, the attached guides are concise and easy to follow. Once the configuration is complete it is time to look at the actual ease of use of the product.

Ease of Use

Like many multi-faceted systems, SecureVue has a dashboard that gives the administrator a quick view of many aspects of the system. SecureVue ships with over 50 predefined dashboards, which should satisfy the majority of needs; if not, you can modify them or create your own. One of the best features I found was auto discovery, which lets you delve deep into your network. Once discovery has taken place you can drill down on a specific node and bring up a wealth of data on that device. This is extremely useful when analysing past events, as all of the data can be referenced and shown back to the administrator. If you are more on the lookout for security events, you can use the Topology tab from the dashboard and drill down on criteria such as policy violations, vulnerabilities and other security-related issues.
All are colour-coded by severity, making it easy to discern exactly what is going on in your infrastructure. Another likeable feature is QuickVue, which lets an administrator see the details of every node on the network. With a single click the administrator can expand a node and obtain its summary, dashboards, configuration and vulnerabilities. So if a computer in accounting carries a high security risk, QuickVue allows a quick drill-down to see why.

Quarantine

When an event trips a security policy, it can be placed in quarantine. On very busy networks it is extremely difficult to sift through all of the logs and decide whether something has gone wrong. With the Quarantine feature, any suspicious activity that matches a predefined policy is flagged and the relevant logs are placed in the Quarantine section, where the administrator decides what action to take. The analytics included in the product are extremely impressive: vulnerability, configuration, asset and performance analytics are all available at the click of a button, making navigation simple. When you first start SecureVue you feel you are at the helm of a 747, with dials and information everywhere. Once you start navigating around a little, though, the initial shock turns into pure glee (for those of us who get excited about anomaly detection and compliance, anyway) as the product is taken out for a spin. Reporting is a click away, with over 1500 canned reports included. The reports vary in audience from senior management all the way to the security analyst you hired to look at your infrastructure, and filtering makes it easy to find exactly the report you want.



TrueCrypt Review

Introduction


TrueCrypt Partition Selection
It seems as though I have been on quite an encryption kick lately. While not foolproof, encryption adds a substantial layer of security to any system: it keeps secrets secret. This is nothing new; encryption and cryptography have been around for thousands of years. In ancient times, Spartan commanders wrote orders on a strip of parchment wound around a staff called a scytale. Only a staff of the same diameter lines the letters up so that the message can be read.

What is TrueCrypt?

While ingenious, such schemes are no match for modern computers, which can try enormous numbers of keys per second against weak algorithms. The average user most likely has a need for some form of encryption (payroll, the secret recipe, and so on) but little idea how to implement it, and Public Key Infrastructure (PKI) is daunting. TrueCrypt is a simple tool that lets a user encrypt and decrypt data on a hard drive, portable hard drive or USB thumb drive as required.
TrueCrypt is an open source project that is extremely simple to configure and use, which is all most people really want. TrueCrypt does not provide boot-sector (full disk) encryption the way DriveCrypt or the upcoming BitLocker in Vista do, but it does let a user mount a virtual encrypted volume on a hard drive instead, which is still very cool.
You can download TrueCrypt from http://www.truecrypt.org/downloads.php.

Features


TrueCrypt Preferences
TrueCrypt mounts virtual encrypted drives. The product can also encrypt an entire partition or a storage device such as a USB flash drive to provide a secure place to store files. The encryption is completely transparent to applications.
TrueCrypt also supplies two levels of plausible deniability. I always get a chuckle when I read about this, as my mind helplessly slips into cloak-and-dagger mode. What does it mean? You create a normal (outer) volume and, inside its free space, a hidden volume. Which one mounts depends on the password you enter: one password opens the outer volume, where you keep innocuous decoy files; the other opens the hidden volume holding your real secrets. That way, if you are forced at gunpoint (or by a stern look from your wife) to open up and reveal your secrets, you only have to reveal the decoy volume. One caveat: writing to the outer volume can overwrite the hidden volume's data unless you mount the outer volume with TrueCrypt's hidden-volume protection option, which requires both passwords.
When a TrueCrypt volume is not mounted it presents nothing to the operating system beyond an ordinary file (for a container) or a partition with no recognisable filesystem. There are no headers or signatures to identify it and, according to TrueCrypt, its contents cannot be distinguished from random data.
The product offers a choice of encryption algorithms, including AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES and Twofish. You can even cascade several algorithms (for example AES-Twofish-Serpent) if you want to be extra secure, at some cost in throughput.
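The "indistinguishable from random data" claim above is exactly what a forensic examiner tests for when hunting for encrypted containers on a seized disk. The following is an added example, not TrueCrypt's code: it scores a blob of bytes by Shannon entropy and a chi-square test against the uniform distribution, and first checks for the plaintext magic bytes that some other encrypted formats carry (the LUKS signature is the real one; the small signature table and all sample data are constructed here for illustration). A high-entropy blob with no recognisable header is what an unmounted TrueCrypt volume looks like.

```python
"""Entropy check: does an unmounted container stand out from random data?

Added example (not TrueCrypt code).  Sample byte strings are constructed
inline; the LUKS magic bytes are the genuine on-disk signature of a LUKS header.
"""
import math
import os
from collections import Counter

# Header signatures that give away some encrypted/compressed formats.  Small
# illustrative table; TrueCrypt volumes deliberately carry no such signature.
KNOWN_MAGIC = {
    b"LUKS\xba\xbe": "LUKS container",
    b"\x89PNG\r\n\x1a\n": "PNG image",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform byte values)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees
    of freedom).  Uniform data lands near 255; structured data scores far higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify(data: bytes) -> str:
    """Label a blob: known signature, random-looking, or structured."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return f"signature: {name}"
    if shannon_entropy(data) > 7.9 and chi_square(data) < 400:
        return "random-looking (encrypted, compressed, or random data)"
    return "structured (plaintext or low-entropy data)"


# Constructed samples for the demonstration.
PLAINTEXT = b"Quarterly payroll for the accounting department. " * 1500
RANDOM = os.urandom(65536)                       # stands in for an unmounted TrueCrypt volume
LUKS_LIKE = b"LUKS\xba\xbe" + os.urandom(65536)  # encrypted, but with a tell-tale header

if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT), ("random", RANDOM), ("luks", LUKS_LIKE)):
        print(f"{label:10s} H={shannon_entropy(blob):.3f} "
              f"chi2={chi_square(blob):9.1f}  {classify(blob)}")
```

Compressed files also score as random-looking, so in practice the entropy result is combined with a signature check (as above) and file-size heuristics before anything is called a container; the point is that TrueCrypt's design leaves nothing for the signature step to find.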

Usability

The product can create a virtual encrypted partition or encrypt a complete hard drive. The interface is simple and easy to use: select the device or file you want to mount and click Mount. You are prompted for the password and the utility mounts the volume as a normal-looking drive letter. All files in the mounted drive are encrypted and decrypted on the fly with minimal overhead.
Please note: the program can remember passwords when mounting an encrypted volume, and it can start automatically with the operating system. You may want to avoid both. The security of the encryption lies in the fact that you control when the volume is mounted. If someone steals your computer, the operating system's logon prompt is easily bypassed (by booting from removable media or moving the disk to another machine), so if the system boots up and mounts the TrueCrypt volume with a saved password you have defeated the security you were trying to gain. Remember to layer your security factors.
The preferences are simple enough even for a novice user and centre on the aforementioned auto-start functions.

Conclusion

For a free utility, TrueCrypt is fantastic; in fact it rivals many commercial programs. The algorithms are sound and well tested in the field. The user interface is simple enough for a novice while providing enough under-the-hood mechanics to keep the cryptography tinkerer interested. TrueCrypt is a welcome addition to any computer requiring simple and effective encryption. I give TrueCrypt 4 stars out of 5; if TrueCrypt gains full disk encryption I would lean towards 5 out of 5.

SIMP Lite - Secure MSN Chat


Protect Your MSN Chat

Email is a popular communications medium, but instant messaging is quickly gaining ground due to its real-time nature. While it is an effective and quick way to communicate with coworkers, business partners and even loved ones, it suffers from the same huge problem as email: most of it is insecure!
Every message you send is like talking in an over-crowded elevator; anybody who wants to listen to your conversation can, because it is sent in the clear across the Internet.

Easy to Use Secure Chat for MSN

How do you solve this problem? A small security shop based in France, Secway (www.secway.fr), has created a product called SIMP (Simple Instant Messaging Privacy). It installs as a complement to most of the major chat clients and provides a secure add-on to your existing client. Yes, that's right: you don't have to swap your existing chat client for a secure one.
SIMP installs itself as a local proxy for your chat client and performs all the encryption and decryption of the chat session before your client ever sees the data. Encryption requires keys, and SIMP has an elegant key exchange process. When you message someone who also has SIMP installed, SIMP detects this and prompts you to exchange keys. A simple yes or no and you are chatting securely; if the other user does not have SIMP, the conversation continues unencrypted as it normally would. As with any key exchange over an untrusted network, that yes/no prompt is only as strong as your confidence that the key really belongs to your correspondent, so confirm out of band (by phone, say) that you both accepted the same key the first time.
Now that you know what SIMP does, let's have a look at how easy it is to install and configure. This installation is based on version 2.2.4 of SIMP Lite and the MSN Messenger chat client; installation for other chat clients is almost identical.
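Why the out-of-band confirmation matters: anyone who can sit between the two proxies (the chat server operator, or whoever controls the hot spot) can answer both sides' key exchange with their own keys. The following is an added example, not SIMP's protocol, which the page does not document. It uses a plain Diffie-Hellman exchange with toy parameters (a Mersenne prime chosen so the block runs instantly; use a standard RFC 3526 group for anything real) and shows that an honest exchange gives both parties the same key fingerprint, while a man-in-the-middle exchange gives each side a different one, which is precisely what the two users would catch by reading their fingerprints to each other.

```python
"""Key exchange with fingerprint confirmation.

Added example, not Secway SIMP's protocol.  Generic Diffie-Hellman over a toy
group; the prime P and generator G are assumptions for demonstration only.
"""
import hashlib
import secrets

P = 2**127 - 1   # toy Mersenne prime (assumption; not a real DH group)
G = 2


def keypair():
    """Return (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def session_key(secret: int) -> bytes:
    """Derive a 256-bit session key from the DH shared secret."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short, human-comparable string; what two users read to each other."""
    h = hashlib.sha256(key).hexdigest()[:16].upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def honest_exchange():
    """Alice and Bob swap public values directly: both derive the same key."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    ka = session_key(shared_secret(a_priv, b_pub))
    kb = session_key(shared_secret(b_priv, a_pub))
    return fingerprint(ka), fingerprint(kb)


def mitm_exchange():
    """Mallory sits on the proxy path and substitutes her own public value
    in both directions, ending up with one key shared with Alice and another
    shared with Bob.  Both users still see a "key exchanged" prompt."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()
    ka = session_key(shared_secret(a_priv, m_pub))  # Alice believes m_pub is Bob's
    kb = session_key(shared_secret(b_priv, m_pub))  # Bob believes m_pub is Alice's
    # Mallory can decrypt and re-encrypt every message on both legs:
    assert session_key(shared_secret(m_priv, a_pub)) == ka
    assert session_key(shared_secret(m_priv, b_pub)) == kb
    return fingerprint(ka), fingerprint(kb)


if __name__ == "__main__":
    print("honest:", honest_exchange())
    print("mitm:  ", mitm_exchange())
```

Clicking "yes" on the prompt in the second scenario establishes an encrypted session on each leg, but the encryption terminates at Mallory. Only comparing the two fingerprints over a channel she does not control reveals the mismatch.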

ID Vault Review - ID Vault from GuardID


Protects You from Phishing and Pharming


Like many people, I find myself purchasing a number of items online. Not only for the convenience (I love having boxes arrive at my house in the mail), but also because I now have access to stores and merchandise I wouldn’t ordinarily be able to track down (Thinkgeek comes to mind).

Background

I also do a fair amount (if not all) of my banking online. Being in the security field, I keep apprised of the security risks that exist with online banking and consider myself aware so as not to be caught in a phishing scam. However, being aware is not enough. Being vigilant is not enough. Anyone can be caught. So is online banking safe? It can be. Recently with the advent of such products as Passmark and Symantec Confidence, banks are starting to take the security of their clients seriously. But what can the average consumer use to help protect them online? One such product I have evaluated lately has been ID Vault by GuardID.
ID Vault provides two-factor authentication in the form of a USB security token with an embedded smart card chip. The token stores the user's sign-on credentials and enters them for you, so you never type them on a keyboard where they could be captured. Strictly speaking, the two factors (the token you have and the PIN you know) protect the stored credentials; the web site itself still receives an ordinary username and password. The protection is therefore against credential theft on your own machine and against look-alike sites, not a change to how the bank authenticates you.

Setup (4.5/5 Stars)

The setup process is simple. Load the software (click Next five times), insert the key and you are ready to go. You will notice a new icon in the system tray; right-clicking it brings up a menu with all of the immediate choices to get you started.
View ID Vault menu from the Windows tray
Inserting the key into a USB slot prompts the setup and personalisation of the product. The user creates a PIN, which is paramount to the security of the device (this is the "something you know" factor). Next, a serial number is generated; it allows you to reset the PIN if you forget it. DO NOT LOSE the serial number: write it down and put it in your safe (or in Password Safe). Lastly, name the token. The token is updated and ready for use; when all is said and done you get a popup saying so, plus a couple of popups letting you know that ID Vault has updated to the latest database.

Ease of Use (4.5/5 Stars)

Using ID Vault is very simple. I must commend GuardID for taking the pain of security out of the product; everything is simple for the average user, who has no need to understand smart cards or security tokens. To get started, open Internet Explorer and go to your Favourites. You will notice a new Secure Favourites folder; this is where the sites you visit frequently will be stored.
Clicking Create a Secure Financial Favourite starts the vault process, and you are prompted to choose a financial institution. Unfortunately the list covers only American financial institutions and there is no mechanism to add one. In fairness, you can add your own bank's secure web site under the Secure Favourites menu; it just doesn't appear under the financial institutions menu, which may confuse some users. It's a minor point and easily worked around.

Select the bank, and enter your credentials using the onscreen keyboard to thwart keyboard loggers!
If the site connects, select Next from the menu and the credentials are stored on the key. You now have an entry under Secure Favourites, and you can have ID Vault pass the credentials automatically each time you visit the site.

Cost (4.5/5 Stars)

Well worth the $49. Period.

Conclusion

ID Vault monitors the financial sites continuously and constantly updates its database to ensure users won't be caught by a pharming or phishing attack. The use of smart cards is suggested by many financial institutions, and the ease of use for the end user is a welcome sight. I would recommend this product to anyone who banks or shops online. This is a great product for non-security people to help protect them from phishing and pharming attacks. Simple yet effective.

IPCop Firewall Review

Great Open Source Firewall
IT Manager: “We spent a lot of money on our infrastructure. Are we secure”?
IT Support: “Sure…we have a firewall”.
The Support Specialist is perpetuating the myth that having a firewall is the be-all and end-all of security. A firewall is, however, an important part of any defence-in-depth strategy to protect your network. Law 2 of Microsoft's Ten Immutable Laws of Security states that if a bad guy can alter the operating system on your computer, it is not your computer any more; keeping him off the box in the first place is where a firewall earns its keep. So, yes, we need firewalls.

Selecting Firewalls

Which firewall is best for you is a subject of debate. Your needs, your staff and your budget will be huge factors in deciding what type of firewall you purchase. Some people swear by hardware-based firewalls, while others are strong proponents of software-based firewalls. Personally, having installed many of both types, I find the decision comes down to what is best for your company. A smaller company obviously does not have the staff and budget to support a Cisco PIX firewall, so in many cases it would be overkill. What is a small business owner to do? Many times a software-based firewall will be the better choice: they are configurable, easily updated and much simpler to support. This review looks at an open source firewall called IPCop. We'll examine it from various angles, including ease of setup, configurability and reliability. It wouldn't be fair to talk about cost, as it is freely downloadable from SourceForge and was the second runner-up in the security category of the 2006 SourceForge.net Community Choice Awards.

IPCop the Linux Distribution

You do not need to know anything about Linux in order to install and manage IPCop. If you have a networking background, even from the Windows world, you can get IPCop running in a very short time. Many of my Microsoft-skilled networking friends use IPCop for many reasons, and most of them are not what you would call Linux users. IPCop is a lean and mean Linux distribution designed to be a firewall. Many small businesses may worry about installing and supporting Linux in their environment; IPCop has simplified the experience to the point that you don't even know you are running Linux. IPCop is packaged as a single bootable CD (you download the CD image, called an ISO) that installs everything you need in one quick installation routine, after which you manage the firewall from a web interface. No command line, and you don't need to know anything about Linux. This is very powerful for a small business: the power of a Linux-based firewall with the simplicity of a web interface.

Feature Set (4 Stars)

The downloadable ISO is only about 50 MB. Burn it to a CD, boot the computer from it and the installation starts. The good news is that it runs on almost any computer, new or old; you probably have enough spare parts lying around your shop to build a machine that will run IPCop. The feature set is long and well suited to a SOHO business owner. A netfilter/iptables-based stateful firewall (early releases were ipchains-based) and the ability to make the outside interface a dial-up modem, an ISDN adapter or an ADSL modem add flexibility. DMZ support is built in if you need a safe place to expose servers to the web; access to them is granted by port-forwarding rules, which are simple to configure.
Features include:
  • Firewall
  • Intrusion Detection System
  • IPSEC VPN
  • Caching DNS
  • Web Proxy
  • DHCP Server
  • Time Server
  • Traffic Shaping
  • NAT
So a small or home-based business can take an old or new PC, install IPCop and have a fully functional network server with many of the base services a small business needs. All of the features are managed through IPCop's web-based interface, which is a cinch to navigate, even for the novice.

Setup (4.5 Stars)


© 2006 by Tom Eichstaedt
Once the product has been downloaded, the user can expect 15 to 30 minutes from start to finish to set it up. There are a number of documents to help, available from the IPCop Install Docs. The only questions you will have to answer are the type of network cards you are installing, how many interfaces you want to configure, and their IP addresses. IPCop does a good job of discovering most network cards, even obscure ones. IPCop colour-codes its interfaces, which makes installation even simpler. Red is the external interface (usually the Internet connection) and is untrusted: nothing from Red is allowed in unless you explicitly forward it. Green is the trusted internal network and is allowed all outbound traffic. Orange is the DMZ: Green may talk to it and it may reach Red, but it cannot initiate connections back into Green. There is also a Blue interface for wireless clients. The only caveat you may encounter is with different brands of network cards: if all cards are identical, IPCop sees them all as active, but if you have different cards you will have to tell IPCop to add them.
Once installed, the system is configured from the web interface. The network interface screenshot shows the web interface for a system with three network cards.
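The Red/Green/Orange policy described above is simple enough to write down as a table, and doing so makes the DMZ rules easy to reason about before you touch a real box. The following is an added example and not IPCop's own rc.firewall script: it models which zone may open new connections to which, adds explicit port forwards from Red into the DMZ, and renders the same policy as iptables commands. The interface names, the DMZ host address and the single web-server forward are assumptions for the demonstration.

```python
"""IPCop-style zone policy, modelled in Python.

Added example, not IPCop's own firewall script.  Encodes the default
inter-zone policy (GREEN trusted, ORANGE a DMZ, RED untrusted) plus explicit
port forwards from RED into ORANGE, and can emit equivalent iptables commands.
Interface names and the DMZ host below are assumptions.
"""
from typing import NamedTuple, Tuple

# Which zone may open NEW connections to which.  ORANGE may reach RED but not
# GREEN; RED may reach nothing unless a port forward says otherwise.
ALLOWED_NEW = {
    ("GREEN", "RED"),
    ("GREEN", "ORANGE"),
    ("ORANGE", "RED"),
}


class PortForward(NamedTuple):
    proto: str
    port: int
    target: str  # host inside ORANGE that receives the traffic


def allowed(src: str, dst: str, proto: str = "tcp", port: int = 0,
            forwards: Tuple[PortForward, ...] = ()) -> bool:
    """Would a new connection from zone src to zone dst be accepted?"""
    if (src, dst) in ALLOWED_NEW:
        return True
    if src == "RED" and dst == "ORANGE":
        return any(f.proto == proto and f.port == port for f in forwards)
    return False


def iptables_rules(ifaces: dict, forwards: Tuple[PortForward, ...] = ()) -> list:
    """Render the policy as iptables commands for the given zone->interface map."""
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst in sorted(ALLOWED_NEW):
        rules.append(f"iptables -A FORWARD -i {ifaces[src]} -o {ifaces[dst]} "
                     f"-m state --state NEW -j ACCEPT")
    for f in forwards:
        # DNAT rewrites the destination on the way in; the FORWARD rule then
        # admits only that host/port, so the rest of ORANGE stays unreachable.
        rules.append(f"iptables -t nat -A PREROUTING -i {ifaces['RED']} -p {f.proto} "
                     f"--dport {f.port} -j DNAT --to-destination {f.target}:{f.port}")
        rules.append(f"iptables -A FORWARD -i {ifaces['RED']} -o {ifaces['ORANGE']} "
                     f"-p {f.proto} -d {f.target} --dport {f.port} "
                     f"-m state --state NEW -j ACCEPT")
    return rules


IFACES = {"RED": "eth0", "GREEN": "eth1", "ORANGE": "eth2"}  # assumed interface names
WEB_DMZ = (PortForward("tcp", 80, "10.0.1.10"),)             # assumed DMZ web server

if __name__ == "__main__":
    print("\n".join(iptables_rules(IFACES, WEB_DMZ)))
```

The two checks worth keeping in mind when adding forwards: a forward admits exactly one protocol and port to exactly one host, and nothing in the policy lets Orange open a connection into Green, so a compromised DMZ server cannot use the firewall to reach the internal network.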

Sunday, 13 August 2017

A Summary of State Data Breach Laws

Know the Laws Governing Data Security Breaches in Your States


California was the first state to pass a data security breach law. Since then, 43 additional states, along with the District of Columbia, Puerto Rico and the Virgin Islands, have passed laws that require public disclosure of data security breaches.
Most states require businesses that own, lease or store personally identifiable information to notify every individual whose personal data is stolen or misused. In some cases, businesses must also contact the major credit reporting agencies, the State Attorney General and the news media.
Data breaches do not always have to be disclosed. Exceptions include the loss of encrypted data and a judgment by law enforcement that the breach is unlikely to result in harm to the individuals. In addition, disclosure is not required if it would interfere with an ongoing investigation.
Because of the growing threat of identity theft, Congress is considering several laws that would regulate data security breaches at the federal level. As of this writing, however, data security is still regulated on a state-by-state basis.
If you store personally identifiable information, you need to be aware of your state's data security breach disclosure laws. To help with your research, the following pages contain links to current laws.


California
California led the charge on data breach and privacy laws, and the policies adopted by many other states are variations on the west coast theme. For that reason, I'll give them top billing.
The State of California has adopted four sets of laws to address privacy of medical information, credit reporting companies, state agencies, and businesses.
Like most of the states that followed suit, California law requires immediate disclosure of data breaches involving personal information. The State makes only two exceptions: encrypted data and publicly available government records. Unlike many states, California residents also have the right to take private action against companies that disclose their information.
New laws and summaries will be added in state by state order, so check back often to access the legislation for your specific state.
Alaska
Alaska's breach disclosure law requires immediate disclosure of data breaches. Like California, Alaska exempts publicly available government data. Disclosure may only be delayed if law enforcement determines that immediate action would interfere with their investigation. If an investigation determines that consumers are unlikely to suffer harm as a result of the data breach, then disclosure is not required.
Alaska's law also includes civil penalties of up to $500 for each state resident who was not notified of the breach.
You can access the full text of Alaska's breach disclosure law here.
Arizona
The Arizona breach disclosure law requires disclosure of data breaches without unreasonable delay. Arizona residents may be notified of breaches by phone. The law provides for civil and criminal penalties, but Arizona residents do not have the right of private legal action.
You can access the full text of Arizona's breach disclosure law here.
Arkansas
The Arkansas breach disclosure law requires immediate disclosure of data breaches. Arkansas exempts encrypted data and, like Alaska, publicly available government data. Disclosure may be delayed if law enforcement determines that immediate action would interfere with their investigation. If the entity concludes that consumers are unlikely to suffer harm as a result of the data breach, then disclosure is not required. You can read the full text of the Arkansas law here.
Missouri
Missouri's breach disclosure law requires disclosure of data breaches without unreasonable delay. Encrypted data is exempted, although the law does not specify an encryption standard. Notification may be delayed if law enforcement believes the notification will impede a criminal investigation. Breaches involving over 1,000 consumers must also be reported to the attorney general's office and all national consumer reporting agencies. Only the attorney general has the authority to bring an action in Missouri; residents do not have the right to take private action. The Missouri breach notification law was passed as part of an omnibus bill. You can read the full text of the bill here.

Securing Your Laptop on the Road

Seven Tips for Traveling with a Laptop

If you lose a laptop, you could be out much more than the money you'll spend to replace the hardware. You may give away sensitive company information and a free ticket into your network. Here are seven things that you can do to keep your travelling computers secure.
Use a Cable Lock
Because a laptop is easy for you to carry, it's also easy for a thief to carry away. A good cable lock can help protect your computer when it is left unattended at your desk. Locks are also an excellent theft deterrent at trade shows and meetings; it's very easy for an unsecured laptop to disappear into a crowd while you are distracted.
Don't Use a Laptop Case
A laptop case only advertises the fact that you are carrying a valuable computer. Try using a padded sleeve in your briefcase, or a backpack with a laptop compartment. The less attention you invite, the better.
Keep Your Eyes Open at Checkpoints
When your laptop trundles down the conveyor belt at airport security, surrounded by shoes and overnight bags, it's easy to lose sight of. Stay focused on your laptop's location as you move through the line and pick it up as soon as it emerges from the scanner. I learned this the hard way on a trip from Virginia to Texas. Leaving security, I grabbed what I thought was my laptop and headed for the gate. Later I realized that someone had already taken my computer and left their very similar model behind.
Back Up Data
The only thing worse than losing sensitive data is losing the only copy of sensitive data. Make sure that your files are backed up, either to your network or to external media such as a thumb drive, to avoid a total loss. An encrypted backup on a thumb drive is worth little if the drive is lost with the laptop, so keep backups separate from the machine.
Practice Good Password Hygiene
Treat your password like your toothbrush: never share it. This tip originally recommended refreshing passwords every four to six months; current guidance (NIST SP 800-63B) drops scheduled rotation in favour of long, unique passwords that you change immediately if compromise is suspected, since forced periodic changes tend to produce weak, predictable variants. Two bad habits that you need to kick are letting websites remember your passwords and leaving them on slips of paper in your laptop bag or briefcase.
Use Two Factor Authentication
Adding a fingerprint reader in addition to your password gives you an extra layer of protection when you log on. Good security, whether physical or IT, is all about layers. No policy or device will be strong enough to protect you on its own, but every new layer adds strength and toughness to your security plan.
Choose Your Hot Spots Carefully
Not all WiFi connections are equally secure. On an open hot spot it may be possible for a hacker to read everything you send, including passwords and account numbers, as you sip your coffee and type. Prefer encrypted hot spots, make sure sensitive sites are using HTTPS, and use your company VPN where one is available.

Two Security Cameras that Overcome Difficult Lighting Situations

Images of customers or visitors walking into a room are important surveillance shots to capture. They can also be very difficult images for your security camera to handle since your subject is often moving from bright sunlight into a relatively dark room. The resulting images often show little more than a bright rectangle where the sun is shining in through the entry door. Here are two security cameras that will allow you to capture these difficult images.
Honeywell HCCM474M
Bright Light Operation
The HCCM474M uses backlight compensation to deal with variations in light. With this feature, you can program the camera to ignore hotspots in the picture, such as those created by sun shining through windows and doors, so the camera maintains its adjustment for the overall lighting of the room.
You can use this security camera with a variety of lenses, which you will have to order and install separately. When using the HCCM474M in bright-light situations, choose a manual-iris lens. An auto-iris lens opens and closes on its own to let in more or less light: if the camera is aimed at an open door, sun shining through the door causes the iris to close, much as bright light makes you squint, and anyone walking through that door appears as a dark silhouette. With a manual-iris lens, you adjust for the bright light once and leave the lens locked on that setting.
Small Size
A physical advantage of this camera is its very small size, making it ideal for covert applications. The camera body is slightly larger than 1.5" wide and 1.5" high so it makes for a very unobtrusive installation.
Speco CVC7WMTD
Bright Light Operation
The Speco CVC7WMTD also utilizes backlight compensation, but it's the electronic shutter that makes it especially useful in bright light situations. The Speco Dome Camera comes with a 4-9mm auto iris lens installed. This lens is ideal for taking a wide view of an entire room, but it can also focus in on a set of double doors. Thanks to the electronic shutter, the auto iris lens works very well in bright-to-dark transitions.
Vandal Resistant Construction
A helpful physical feature is this camera's vandal-resistant housing, which will survive a blow from a 10 lb sledgehammer. The housing is also weather resistant, making it suitable for outdoor applications.

How to Choose a Deadbolt Lock

Selecting the Proper Deadbolt to Protect Your Business


Choosing a Deadbolt
A deadbolt is the physical security standard for protecting exterior doors. When selecting a deadbolt to protect your business, there are several factors that you should consider.
ANSI Grade 1
ANSI stands for American National Standards Institute. They are a non-profit group that oversees the development of standards for a variety of industries. In order for a deadbolt to be considered commercial grade, it must meet the ANSI Grade 1 specification. This means that the deadbolt
  • Has been tested to 250,000 open/close cycles
  • Has a bolt that projects 1 inch into the door frame
  • Can withstand 10 hammer blows without giving way
Double or Single Cylinder?
Deadbolts come in both double and single cylinder models. A double cylinder deadbolt requires a key to operate the deadbolt from either side of the door. A single cylinder deadbolt can be locked or unlocked from inside by a thumb turn.
Conventional security wisdom has dictated that double cylinder deadbolts be used on doors with windows. This eliminates the danger of someone breaking the glass and reaching inside to unlock your door. However, there are a few reasons to re-think this approach and use a single cylinder deadbolt in most applications.
The first reason is a concern for life safety. A double cylinder deadbolt may prevent you from exiting quickly in case of emergency. You don't want to be fumbling for a key when your building is burning. Some manufacturers do make a "captive thumb turn" key - basically a removable thumb turn that transforms the lock from a single to a double cylinder. But the fact that the thumb-turn can be removed means that it may not be handy when you need it.
The second reason to reconsider this policy is the strength of modern windows. Back when single-pane glass was the norm, the single cylinder deadbolt was a bigger risk. The glass on most newer doors is nowhere near as flimsy.
My recommendation is that you use single cylinder, Grade 1 Deadbolts on all your exterior doors. If possible, use solid doors with no glass.
UL 437
Underwriters Laboratories is another well-known organization that tests products and writes standards. The UL 437 is the standard for high security locks accepted across the security industry. In order to pass the UL 437 test, locks must resist a variety of attacks including drilling, picking, prying, etc.
Proper Installation
The "strike" is the metal plate that attaches to your door jamb and receives the bolt. This should be installed using 3 inch screws. Using long screws secures the strike to the door frame, not just the jamb. In addition, your lock should also have a reinforced strike plate with off-set screw holes. The off-set holes ensure that the screws aren't driven into the same grain of wood. When someone is trying to kick in your door, the jamb will normally give way before the deadbolt; but the extra long screws and reinforced plate will stand up to some serious pounding.
Key Control
All of this physical security is powerless to stop someone with a key. This is why you also need to pay close attention to your key control policy.
Locksmith or DIY?
If you're the do-it-yourself type, and you only have a few doors to protect, the information in this article should help you to make a wise choice regardless of whether you purchase your locks from a locksmith or a big-box store. If, however, you require a master key system or patented key control it would behoove you to spend the extra money and use the services of a professional locksmith.

Do You Need an Armed Guard?

The Pros and Cons of Armed Deterrence

Deadly force. Just using the phrase has a sobering effect. When you decide to hire an armed guard, you are choosing to introduce a deadly force into your business or institution. Not a decision to make without careful consideration.
Pros and Cons
Uniformed guards are chiefly used for deterrence. When those guards are armed, the deterrent effect is amplified. The presence of a gun may be all that is needed to convince a robber or attacker to leave you alone and find a softer target.
You may also save lives — an unarmed guard has limited tools to defend you; in the proper hands, a gun is an instrument of protection.
On the negative side, you may escalate a situation. Once an armed guard reaches for his or her weapon, expect shots to be fired – by the guard, by the assailant, or by both.
Armed guards are also more expensive. Not only are you paying your security contractor for a higher level of training and responsibility, but your insurance costs may rise, as well.
Some Points to Consider
Assess the need carefully. Does your line of business or location make you liable to a violent attack? If so, armed protection may be necessary.
Another decision-making factor is whether or not surrounding businesses use armed protection. If so, you may be the softest target in the area, and become more attractive to violent offenders. If theft is the main threat, it may be better to let the robber get away than to invite a gun battle.
Ideally, armed guards should have military or police experience, in addition to formal training. If you are using contract guards, inquire into the background and experience of the officers assigned to your facility. You may also want to consider hiring an off-duty police officer. You can usually expect a higher level of training and experience with a sworn officer. Check with your local police department to see if they allow off-duty personnel to moonlight.
Consult your legal and insurance advisors to help you weigh the potential benefits and liabilities. One serious question to ask your insurance provider is whether you are covered in the case of a wrongful shooting.
Finally, communicate with your employees. If you bring an armed guard into your facility, make sure they understand why you’ve made the decision, and why you think this change will make them safer. This will most likely be a sensitive cultural issue. Many employees will feel safer with armed protection, however, some may resent the introduction of weapons into the workplace. As with any policy change, communication is critical.
A Real Life Example
Early Sunday morning, on December 9, 2007, a gunman named Matthew Murray walked into a missionary training center in Arvada, Colorado. He opened fire, killing two. As a result of the shooting, area churches and businesses went on high alert.
Later that day, Murray entered New Life Church, a 10,000 member congregation in nearby Colorado Springs. He was carrying an assault rifle and two handguns. He opened fire, killing two more victims.
New Life had already developed a security plan which included the use of volunteer, undercover guards. One of the guards was Jeanne Assam, a former Minneapolis Police Officer. As the attack began on December 9, Assam confronted the assailant, identified herself and opened fire. She wounded the attacker, who then took his own life.
While these twin shootings were a horrible tragedy, the loss of life could have been far greater. Two things went right in this scenario. First, New Life recognized the need to provide discreet protection and had a proactive policy in place. Second, Ms. Assam drew on her professional training and reacted appropriately to the threat.
This incident underscores the seriousness of providing armed protection. While five lives were lost, many more would almost certainly have been killed without a well-considered security plan.

Facial Recognition (and Identity Theft) Made Easy

Today, Facial Recognition scans require specialized tools. But the time may be near when anyone with a webcam can obtain your name, birth date and Social Security Number.
Alessandro Acquisti (the same Carnegie Mellon professor who figured out how to reverse engineer your Social Security number) has developed a method for identifying individuals with only a webcam image.
Acquisti's process goes something like this:
  • Take a webcam photo of the subject;
  • Use a facial recognition tool called PittPatt (developed by Carnegie Mellon researchers) to match the webcam image to a Facebook profile image;
  • Using the profile information posted on Facebook and the professor's previously developed SSN formula, divine the subject's Social Security Number.
Don't have a Facebook profile? That's ok, because a tagged image of you on someone else's page may work too.
Acquisti says that this method has "ominous implications for privacy." Facial recognition and search engine technologies are developing to the point where you may soon be able to snap a picture with your BlackBerry and instantly pull down enough information to steal an identity.
Two intersecting trends are set to challenge the very concept of privacy. The first trend is the enormous amount of personal information available online. The second trend is the ever increasing speed at which that information can be searched and analyzed.
So, short of going through life with a bag over your head, what can you do? First of all, limit the information you share online. Second, establish a Social Media Policy for your company. Third, invest in an identity protection service such as LifeLock. Finally, if all else fails, try the bag. Who knows. It may catch on.

Using Security Cameras While Respecting Privacy

4 Tips for Implementing a Reasonable Surveillance Policy

Preventing internal theft, drug use and workplace violence; these are all valid reasons for using security cameras in the workplace. Such activities can cost your business plenty in terms of lost inventory, decreased productivity and injury. But while you are responsible to protect your company's bottom line, you also need to respect your staff's right to privacy. This article will give business managers and owners some guidelines for using security cameras as part of a reasonable security policy.
Communicate
I know of a company whose IT people installed a web cam on a factory floor. They were preparing for a web cast from a trade show, and wanted to run some tests before going live. The conspiracy theories that started to fly when workers noticed the new camera would have made Jerry Fletcher proud. The camera came down, and fears were laid to rest, but the entire dust up might have been avoided by a simple memo explaining why and for how long the camera would be used. If you plan on deploying security cameras in your organization, please communicate with your employees and explain the new initiative to them. Express your concerns with theft, or safety, or whatever the motivation happens to be and give employees the opportunity to ask questions. This kind of openness will go a long way to alleviate the suspicions that security cameras can raise.
Communicating - whether via email, memo, or company-wide meeting - gives you another advantage. When you require employees to acknowledge your surveillance policy, you may be saving yourself from legal challenges down the road.
Stay Visible
In my opinion, security cameras should be kept in full view whenever possible. Not only do visible cameras have a strong deterrent value, but they are another way to encourage trust. Employees may be less likely to believe they are being watched covertly if they know where your cameras are stationed.
However, there are times when covert cameras are necessary. If a crime has been committed, recorded evidence may be necessary to prosecute the crime or prevent further instances. In such cases, a fascinating array of hidden cameras is available. Thanks to advances in miniaturization and wireless technology, cameras can be hidden in computer speakers, smoke detectors, eye glasses, neck ties, pagers, clocks, pens, exit signs and more. Just search on the term "covert cameras" or visit a company like Supercircuits to learn more.
Keep Quiet
The recording of audio is restricted under the Electronic Communications Privacy Act of 1986. The legal considerations for recording audio are outside the scope of this article. Suffice it to say that when you record audio, you are essentially wiretapping and you have to meet strict requirements in order to do so legally. Silent video recordings are not covered by the ECPA, so limit your surveillance to video.
Be Reasonable
There are certain areas, such as restrooms, that you just shouldn't monitor. The law recognizes a "reasonable expectation of privacy" when considering surveillance issues. Public dressing rooms, restrooms and phone booths are all examples of places designed for privacy, and so a person can reasonably assume they are not being watched in these locations. Public areas such as shopping malls, sports stadiums, hallways and parking lots are not built for privacy and so monitoring and recording in such locations is usually legal. Let common sense be your guide when deciding where to install cameras. If you have questions, it's in your best interest to speak with an attorney familiar with your state's privacy laws before you begin your monitoring program.

The News of the World Phone Hacking Scandal

The Tracking Methods that Brought Down a Historic Newspaper

One of journalism's most notorious security scandals involved the British tabloid, News of the World. NOTW was part of Rupert Murdoch's media empire. Founded in 1843, it was at one time the most popular English language newspaper on the planet.
But in 2011, wide-spread privacy breaches brought the once proud paper to a sudden, ignominious end. Log on to the NOTW website and (as of this writing) the only words you'll find are "The World's Greatest Newspaper 1843-2011. Thank You & Goodbye."
Growing Scandal
The chain of events that would eventually silence NOTW's presses traces back to 2002 and the death of British teenager, Milly Dowler. In the early days of Dowler's disappearance a NOTW investigator, along with journalists covering the story, hacked into the missing teen's voicemail box. They listened to Dowler's messages and even deleted some, destroying potential evidence and leading to speculation that the missing girl was still alive.
As it turns out, Dowler's was not the only voicemail box that NOTW agents had surreptitiously accessed. The weight of the collected phone hacking scandals reached critical mass in 2011 and forced the historic publication to close its doors.
Phone Hacking
The common references to News of the World "phone hacking" are a little misleading. Reporters and investigators didn't actually intercept anyone's calls or plant spyware on phones. Rather, they invaded voicemail accounts to gather private information.
The dirty deeds were pretty low-tech. Some perpetrators used a technique known as pretexting. Pretexting is simple; I call your phone company and pretend to be you. Your phone company gives me the password I need to access your voicemail. Now I can hear your messages. Others may have dialed into voicemail accounts by simply guessing at weak passwords.
It should be noted that intercepting cell phone calls is relatively easy, though, provided you can gain physical access to the phone on which you want to spy. Many inexpensive applications allow you to remotely listen in on phone conversations, and even turn on a phone's speaker or camera to do a little eavesdropping.
In order to load one of these applications, however, you need to be in possession of the handset. Therefore, one of the best defenses against this type of attack is simply to password protect your smartphone.
Pinging
Besides invading voicemail boxes, News of the World reporters also engaged in a practice called "pinging" to stalk the subjects of their investigative journalism.
More precisely, they paid the police to ping for them.
Pinging works by reading a phone's signal strength at cell towers. Whenever a mobile phone is powered up, it constantly sends out a signal to determine the closest tower. The towers record the strength and direction of the signals they receive, so with the data from two cell towers and some basic trig, you can dial in on a phone's location.
Under the UK's Regulation of Investigatory Powers Act (RIPA), pinging data must be requested by a senior police officer on a case by case basis. But the late Sean Hoare, a former News of the World reporter turned whistleblower, had said that the paper could purchase pinging data directly from the Metropolitan Police. The pinging requests cost the paper the equivalent of about $500 each. News of the World is said to have used this technique to locate, among others, author James Hewitt, a former paramour of Princess Diana. RIPA requests, however, are intended for national security and crime prevention purposes, not for tracking pop stars and royals.
Summary
The News of the World scandal was one of the more notorious privacy breaches of the digital tracking age. The mobile devices we've come to rely on spray tracking data around like so many digital bread crumbs. That being the case, there will always be a strong temptation for those who value this information to snatch at it with no regard to our privacy or security. Each of us has the responsibility to guard private data. And those, such as the Metropolitan Police, who have the power to either guard or invade our privacy must do so without compromise.

High Profile Data Breach Cases

Data breaches are high stakes, high drama crimes. Not only do they impact the target companies, but millions of innocent consumers can have their financial worlds turned inside out as a result of one breach. Here is a run down of some high profile data breach cases.
Aetna Insurance
On May 28, 2009, Aetna Insurance contacted 65,000 users to let them know that their personal data may have been compromised. The company was alerted to the breach when customers began complaining of spam emails asking for personal information. While it wasn't clear if any Social Security Numbers had been compromised, Aetna erred on the side of caution, notifying 65,000 current and former employees of the breach and offering free credit monitoring services.
Cornelius Allison, a former employee, is the plaintiff in a class action lawsuit alleging that Aetna failed "to adequately protect the private personal information of its current, former and potential employees."
This wasn't Aetna's first experience with data loss. In 2006 a laptop containing sensitive information was stolen from an employee's car. Aetna notified 38,000 customers of the breach, offering free credit monitoring to the victims. According to a company spokesman, the employee carrying the laptop did not follow corporate data protection policies.
LexisNexis
On May 1, 2009, LexisNexis disclosed a data breach to 32,000 customers. Although the data theft took place between June 2004 and October 2007, notification was withheld while the US Postal Service investigated. The USPS was investigating, apparently, because the thieves had set up phony post office boxes as part of the scam. LexisNexis bills itself as the "world’s largest collection of public records, unpublished opinions, forms, legal, news, and business information." According to Douglas Curling, COO of parent company ChoicePoint, the database company has suffered 45-50 breaches.
Heartland Payment Systems
In 2008, credit card processor Heartland Payment Systems was breached. The exact number of financial records stolen remains a mystery, but on August 17, 2009 Albert Gonzalez was indicted for stealing more than 130 million credit and debit records. Heartland was one of his high-profile victims, and the system he hacked processes 100 million card transactions every month.
Commonwealth of Virginia
Virginia was the victim of an interesting twist on identity theft. On April 30, 2009 a hacker posted a ransom note on the website of the Prescription Monitoring Program. The hacker claimed to have stolen a database containing millions of customer pharmaceutical records.
The note read "You have 7 days to decide. If by the end of 7 days, you decide not to pony up, I'll go ahead and put this baby out on the market and accept the highest bid".
The hacker demanded $10 million by May 7 in return for a password that would access the stolen records. The Commonwealth elected not to pay the ransom. As of this writing, the disposition of the database containing 8 million patient records and 35 million prescriptions is still unclear.
RBS Worldpay
In 2008, RBS Worldpay, a division of the Royal Bank of Scotland, admitted to a massive data breach involving 2.6 million records. In 2009, they were awarded an IRS contract to process taxpayer credit card payments.
Senator Norm Coleman
Norm Coleman was embroiled in a legal battle over his photo-finish election loss to Al Franken. Adria Richards was an IT pro who exposed an unprotected donor database stored on his campaign website. She says she did not download any information.
But the database turned up on Wikileaks, a website devoted to "untraceable mass document leaking." Whoever was responsible, one thing is clear; 4,700 of Coleman's on-line donors had their financial data strewn all over the Internet.

GPS Tracking: An Invasion of Privacy?

A Look at the Supreme Court's Decision in United States v. Jones

The Supreme Court's unanimous decision in the United States v. Jones GPS tracking case has been hailed as a victory by privacy rights advocates. Indeed, the fact that both sides of the ideological bench could mount a united defense of the Fourth Amendment makes a powerful statement. But many difficult questions remain unanswered.
Background
Before analyzing the court's decision, let's review the basic story line:
Antoine Jones owned a Washington DC night club. The FBI, as well as the Metropolitan Police Department, suspected Jones of dealing drugs and enlisted a plethora of surveillance techniques to make their case. These techniques included a camera trained on the front door of his night club, visual surveillance, and a wire tap of his cell phone. Beyond that, the authorities obtained a search warrant to attach a GPS device to a Jeep registered to Jones's wife.
The warrant for the GPS specified that the device had to be installed within 10 days in the District of Columbia. Authorities attached the device on the 11th day in Maryland. Ergo, they conducted a warrantless search.
Jones was convicted of possession of cocaine with an intent to distribute the same and sentenced to life in prison. The conviction was later reversed because of the warrantless use of GPS data.
The authorities contended that the GPS tracking did not constitute a search as defined by the Fourth Amendment. The evidence, therefore, should be admitted.
The Decision
The case of United States v. Jones eventually came before the Supreme Court and was decided on January 23, 2012. The Court's task was to determine whether attaching a GPS tracking device to a vehicle constituted a search under the Fourth Amendment.
Justice Antonin Scalia's Opinion opens with these words:
We decide whether the attachment of a Global-Positioning-System (GPS) tracking device to an individual's vehicle, and subsequent use of that device to monitor the vehicle's movements on public streets, constitutes a search or seizure within the meaning of the Fourth Amendment.
By attaching a GPS tracking device, Scalia argued,
The government physically occupied private property for the purpose of obtaining information.
The Supreme Court unanimously decided that the FBI and the Metropolitan Police Department violated Mr. Jones's rights as defined by the Fourth Amendment.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The Supreme Court's decision, while hailed as a signal victory by privacy rights advocates, deals exclusively with physically attaching a GPS device to private property, and the Court has not outlawed this practice. Indeed, GPS tracking remains a common tactic in terrorism and narcotics investigations. But after this decision, it will be legally problematic to use these devices without first obtaining a Search Warrant.
What This Decision Does Not Mean
In a concurring Opinion, Justice Samuel Alito questioned the premise of the Decision, based as it is on physical property. In the digital age, he noted, physical trespass is not required for close tracking. And, he argued, accessing such tracking data may violate a citizen's reasonable expectation of privacy.
In some locales closed-circuit television video monitoring is becoming ubiquitous. On toll roads, automatic toll collection systems create a precise record of the movements of motorists who choose to make use of that convenience. Many motorists purchase cars that are equipped with devices that permit a central station to ascertain the car's location at any time so that roadside assistance may be provided if needed and the car may be found if it is stolen.
Scalia did not dismiss Alito's viewpoint, noting
It may be that achieving the same result through electronic means, without an accompanying trespass, is an unconstitutional invasion of privacy, but the present case does not require us to answer that question.
Looking at the decision from an entirely different angle, Justice Sotomayor questioned the traditional legal reliance on a "reasonable expectation of privacy" in the digital age.
People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries and medications they purchase to online retailers. I, for one, doubt that people would accept without complaint the warrantless disclosure to the government of a list of every Web site they had visited in the last week, or month, or year.
Sotomayor, alone, attempted to detach the question of privacy from technology. She maintained that individual privacy rights should not change as technology continues to develop.
Conclusion
While the Jones Decision set an important limitation on surveillance in the digital age, it leaves other important issues undecided. Among these are:
  • How extensively can an individual be tracked, if that tracking does not require physical trespass? Tracking via cell phone data, toll booth records and vehicle guidance systems is not directly addressed in this decision.
  • What expectation of privacy does an individual have when sharing or releasing information via search engines, email programs, and online purchases?
As new technology continues to make extensive data mining easier and more attractive to law enforcement, such questions will no doubt reach the Supreme Court, a Court which, at least for now, is united in its understanding of the Fourth Amendment.

Fingerprint Scanner: Help Remembering Passwords with Your Finger

Introduction
Entry level biometrics have reached a price point at which they are a great tool that could benefit many businesses. The fingerprint scanner is a form of biometrics which enables us to use something we have (in this case our finger) to help authenticate us to a computer or network. I have written about the virtues of tools to help with passwords such as PasswordSafe, but this is different. The more I deal with small businesses, the more I realize that users have a hard time remembering passwords. What do they do with them when they can’t remember them? They write them down where they can be found. With the fingerprint scanner, a user doesn’t even have to know what their password is and can still access secure systems.
Apart from the James Bond-esque applications, fingerprint scanners are starting to show up in many mom and pop shops all over. They are cheap and easy to configure. I still get a thrill logging into an application with the press of a finger.

How Does It Work?

The scanner remembers the patterns of ridges and valleys unique to your finger. It then compares the stored pictures of your finger to the one being presented to the scanner. If there is a match, it lets you in. The Microsoft Fingerprint Scanner I use relies on optical scanning as opposed to capacitance scanning. You can check out the differences in scanning methods at HowStuffWorks.com. To configure the scanner you need to place each finger you want the scanner to recognize on the scanner a total of four times so it can get a good picture.

Pros and Cons of Fingerprint Scanners

The pros of such a system are many. It is fast and extremely easy to set up. Certain fingerprint scanners actually allow you to access Active Directory accounts, although the one from Microsoft does not at present. Three scanners that are popular within the market are the Verifi P2000, Fingkey Hamster II and the BioMini. Physically compromising a system is a lot harder than simply guessing passwords in many cases. You don’t often forget your fingers as you do a password. Even so, do as I have done and use multiple fingers from each hand to ensure you can survive an unfortunate accident. Multiple people can log onto the same computer with different profiles without ever having to know their passwords. The fingerprint scanner does not forget your password like you might after you go to Disneyworld for two weeks. So it is definitely a time saving device too. With that said, the systems are not error free. Never, never, never substitute any device for a little common sense. If you do use a scanner to protect something like PasswordSafe, you will definitely want to verify that you remember the password in case of a mishap. If you use encrypted drives, and you use your finger to mount and dismount the drives, again have a backup. Lastly (and it even says this on the fingerprint scanner package), think of such devices as a convenience.

Conclusion

Don’t trust everything you own to a fingerprint scanner. In my daily routine I have over 150 passwords I am responsible for. The combination of PasswordSafe and a fingerprint scanner is fantastic for me. However, I also make sure I back up my password database and know the password to manually open it. So for around $50 you can outfit a computer and make your users’ lives a little more convenient.

Vista's User Access Control

UAC Keeps You Safe While Using Vista

Introduction

With the release of Vista there have been many new security aspects in the operating system. One of the most talked about features is User Access Control, or UAC. UAC has gotten a lot of bad press, but I disagree with its critics. Here is a quick rundown on UAC and why it is a good thing. In the not too distant past, users of Windows would find themselves logged on automatically as an administrator when setting up Windows XP. If you install XP and do not join a domain, the default user you create has full administrative privileges and can access all aspects of the computer operating system.
What’s the big deal, you ask?
Many computer users found it convenient to never have to enlist the help of the IT team to install a new software application, reconfigure the Windows registry or change the system clock. While convenient for the computer user, in a small company the effects can be devastating for two reasons.

1. Inadvertent Experimentation

Many users consider themselves Power Users, and editing the registry or installing new drivers is old hat to them. However, problems arise when the latest drivers for that new video card are in beta only and have known issues with the accounting software you are also running. This causes the system to crash repeatedly. The user now loses productivity as his system has to be rebuilt. In a smaller organization, this might actually mean installing from scratch as opposed to an imaging process. That equates to lost time and productivity.

2. Personal Use of Corporate Computers

This second reason is a little more ominous. Many users tend to use their work computers as their own private portals to the Internet. Surfing inappropriate sites, checking stocks and downloading bit torrents at work is fast becoming a major security issue. When a user downloads executable code such as a script or even a screen saver and then runs it, they are doing so as the administrator of the computer. If the code is nefarious, it gets a bump start on its road to destruction as it does not even need to try to escalate its privileges; it is running as administrator already. The potential for loss and breach of security is huge. Microsoft has long touted the benefits of running as a non-administrative user on a system. Until now it was impractical and cumbersome for many users. UAC was designed to address these shortcomings.

UAC Explained

User Access Control (UAC) which is enabled by default in Vista allows standard users (non administrators) to complete both standard and administrative tasks (if they have the administrative credentials on hand) without having to log off. Very similar to the ‘su’ command in Linux. The process works by assigning two security tokens to a logon. One token contains group membership information and the second controls the authorization and access data. Until Vista there was only a single token which stated what a user could do. It was all or nothing. With User Access Control (UAC) even administrators must provide acceptance for various tasks. For example, the user of a computer wants to add a file to the Startup Menu to begin a chat application at start up. This function is trying to write to the registry and will cause UAC to request access even if the user is the administrator. When the user attempts to create the shortcut they are presented with a similar screen. The only difference between a standard user and administrative user is that the latter will not be prompted for credentials.
While it may seem cumbersome at first, UAC prevents applications from writing to the registry inadvertently with out the user’s knowledge. It also prevents applications from installing without a user’s knowledge.
Some articles have said that UAC is in fact security vulnerability because by default users are still by default administrators when their account is created. True. But they will still need to use UAC to install program, perform system maintenance or run some applications. However, the onus is still on the owner to be using the correct account. Microsoft can’t do that for you. At the end of the day operating system and software application vendors can only do so much, computer users need to be aware of proper secure practices.
Some users complain that it is annoying to get a popup every time they open the Control Panel. But let's think for a moment about the majority of users: standard everyday computer users. How many times a day do most users have to open MMCs, adjust video settings or monkey with the registry? The fact is, once the system has been configured, most users will probably not even see the popups. Even when I run my system in Admin mode I leave UAC turned on as a secondary measure of security. This way I am notified when the operating system or a software application is doing a task that should have my approval to proceed.
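To see the two tokens for yourself, here is an added example; it is not code from the original post. Run it in a normal PowerShell window while logged on as an administrator, then call `Start-ElevatedWhoami` and compare: the non-elevated window reports `IsElevated` as false and `BUILTIN\Administrators` as deny-only at Medium integrity, the elevated one reports the full token at High integrity. It assumes Windows Vista or later with `whoami.exe` on the PATH.

```powershell
# Added example, not code from the original post. Assumes Windows Vista or
# later with whoami.exe on the PATH, run from PowerShell.
function Get-UacTokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami /groups lists every group SID in the current token with its
    # attributes. In the filtered token of a non-elevated administrator,
    # BUILTIN\Administrators (S-1-5-32-544) is still listed but carries the
    # attribute "Group used for deny only", so it grants no access.
    $groups      = whoami /groups /fo csv | ConvertFrom-Csv
    $adminsGroup = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $labelRow    = $groups | Where-Object { $_.Type -eq 'Label' }

    # "Medium Mandatory Level" for the filtered token, "High" for the full one
    $integrity = if ($labelRow) { $labelRow.'Group Name' } else { 'unknown' }

    [PSCustomObject]@{
        User           = $identity.Name
        # IsInRole honours deny-only SIDs, so this stays $false until you elevate
        IsElevated     = $principal.IsInRole($adminRole)
        AdminsDenyOnly = [bool]($adminsGroup -and ($adminsGroup.Attributes -match 'deny only'))
        IntegrityLevel = $integrity
    }
}

# Ask for the full token. -Verb RunAs triggers the UAC dialog: consent for an
# administrator, a credential prompt for a standard user. The new window runs
# whoami so the difference in the group list is visible side by side.
function Start-ElevatedWhoami {
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList '-NoExit', '-Command', 'whoami /groups /fo list'
}

Get-UacTokenState | Format-List
```

The point worth noticing is that `IsInRole` returns false for an administrator whose session is not elevated: the Administrators SID is in the token, but deny-only, which is exactly the filtered token the paragraph above describes.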

Conclusion

I like to know what my system is doing and UAC is a great mechanism to let me do that. For the average user it may be cumbersome at first, but it will be up to a company's security team to determine the benefit. Personally, I would enforce UAC as an educational experience to show users exactly what they are playing with and the ramifications of their actions.

8 Reasons for Full Disk Encryption

Protecting the Whole Hard Drive

Introduction

Disk encryption protects an entire hard drive or portable storage device such as a USB thumb drive or portable hard drive. It is used mainly on portable computers, but can also be used on any computer that holds highly sensitive data, especially one located in a high-risk area. Because many operating systems, Windows in particular, store application data, configuration information and temporary files in numerous locations, even a diligent user can end up with sensitive information stored on the computer in the clear. Full disk encryption protects the whole drive regardless of the sophistication of the user, application or operating system: everything is protected all the time.
How it works in a nutshell

With full disk encryption, the computer asks for a password and/or a USB token at boot before the operating system can be loaded; until that secret is supplied, every sector of the disk, operating system included, is ciphertext. The boot password must be complex: if it is simple, an attacker can guess it and the protection of full disk encryption is nullified. Remember, weak passwords trump strong security, always. Note also that the protection applies only while the machine is off. Once it has booted and the key is in memory, the data is as exposed as on any other running computer, so a laptop lost while asleep or logged in is not protected by the disk encryption alone.
So what will encryption provide:

1. Protects Data When Laptop Lost

No matter who finds the laptop, the data on the hard drive is protected.

2. Protects Data When Laptop Stolen

If unfortunately your laptop is stolen then the data on the laptop is protected.

3. Better than Mountable Encrypted Volumes for Normal Users

Mountable encrypted volumes turn an encrypted file into a drive letter, such as an “F” drive. The issue is that the user has to remember to run the encryption software and mount the volume before they can save their data. Some would say, “Why don't you have the drive automount?” Well, it would not give you much protection if someone can boot your operating system. For users that are diligent, TrueCrypt is an open source volume encryption software that I have been using for a little less than a year and it works great.

4. Better than Encrypted File System (EFS)

Encrypting File System (EFS) is included with Windows 2000 and Windows XP Professional. It allows you to encrypt selected files, such as the files in your My Documents folder. EFS does not let you encrypt operating system files. It is good for securing data, but as the operating system stores configuration and temporary files in many places EFS is not as effective as full disk encryption, though better than nothing.

5. Help Meet With Regulatory Concerns

If a laptop holding private customer data is lost or stolen, the loss usually must be reported and the customers notified. This can be a huge embarrassment for any company and bring about the PR fiasco that no one looks forward to. Many breach notification rules treat properly encrypted data as not having been disclosed, which is exactly the relief full disk encryption buys you.

6. Transparent to User

Unlike EFS and mounted encrypted volumes, the only evidence that full disk encryption is active is the password request when the computer boots. During heavy disk operations there is only about a 5% performance hit while reading and writing to the encrypted drive. I have been running SecurStar for over a year and I don't even notice the performance difference.

7. Beyond Username and Password of the Operating System

Many people think the operating system username and password protect the data on a laptop. This is not the case: without full disk encryption, anyone with physical access can boot another operating system from CD or USB, or pull the drive, and read everything. If someone has physical access to your laptop, it is not your data anymore.

8. Protects Against Rip and Attack

Not only laptops need full disk encryption. There may be desktops in your organization that contain sensitive information and would be a real loss if stolen. I am not talking about servers locked in server rooms guarded by men with guns, but a CAD workstation or a research workstation that may have local (even cached) files that could be a target for attackers. An attacker could take out the hard drive, copy it and put it back before anyone knows.

Conclusion

For portable data, and for confidential data in high-risk locations, consider full disk encryption to protect your corporate data.

Top 10 Reasons Security Pros Might Want Vista


Is Vista Under Your Christmas Tree?

1. Engineered for Security

Vista is the first operating system from Microsoft developed end-to-end with security as the focus. Microsoft is working toward Common Criteria (CC) certification with the goal of achieving Evaluation Assurance Level 4 (EAL4) and Single Level OS Protection Profile certification. Security from the ground up is not a bad place to “Start Me Up.”

2. Internet Explorer (IE) Protected Mode

This feature is only available in the Vista version of Internet Explorer 7 (IE). Protected Mode runs IE as a low-integrity process, so code running inside the browser, whether an exploit or a rogue add-on, cannot write to the user's profile, the registry or other higher-integrity objects. I worked on an application for Windows XP that hooked IE and could capture the data during a FORM POST, even over SSL. Nice to know the bad guys can't do this anymore, as long as you run in protected mode.

3. Windows Defender

Anti-spyware built in! When looking at friends' and family's PCs I find them full of malware. Windows Defender is a good start in protecting your computer when surfing the wild sections of the Internet.

4. Windows Firewall with Advanced Security

All the great features of the firewall in Windows XP SP2, with the added ability to filter outbound traffic. The firewall also has an option to block all incoming connections, especially useful when connecting to a high-risk network such as free wireless or a hotel network.
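Here is the "block all incoming connections" posture for a hotel or free wireless network done from a script, as an added example that is not code from the original post. It uses the `netsh advfirewall` context that Windows Firewall with Advanced Security introduced in Vista and needs an elevated session; the rule name and the choice of port 445 are illustrative.

```powershell
# Added example, not code from the original post. Uses the netsh advfirewall
# context introduced with Windows Firewall with Advanced Security in Vista.
# Needs an elevated session. The rule name and port 445 are illustrative.
$exampleRule = 'BlockOutboundSmbExample'

function Enable-UntrustedNetworkPosture {
    # Make sure the firewall is on for every profile first.
    netsh advfirewall set allprofiles state on | Out-Null
    # blockinboundalways ignores every inbound allow rule; it is the
    # "Block all incoming connections" option from the firewall UI.
    netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound | Out-Null
    # Outbound filtering is what is new in Vista: an explicit outbound block
    # so this machine cannot talk SMB to anything on the untrusted network.
    netsh advfirewall firewall add rule name=$exampleRule dir=out action=block protocol=TCP remoteport=445 | Out-Null
}

function Restore-DefaultPosture {
    # Back to the Vista default: inbound blocked unless a rule allows it,
    # outbound allowed unless a rule blocks it.
    netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall firewall delete rule name=$exampleRule | Out-Null
}

function Show-FirewallPosture {
    # Confirm the change took: the "Firewall Policy" line should read
    # BlockInboundAlways,AllowOutbound and the example rule should be listed.
    netsh advfirewall show currentprofile
    netsh advfirewall firewall show rule name=$exampleRule
}

Enable-UntrustedNetworkPosture
Show-FirewallPosture
```

Run `Restore-DefaultPosture` when you are back on a trusted network; `blockinboundalways` will otherwise also silence legitimate inbound services such as file sharing at the office.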

5. New Logon Architecture

New methods and APIs let independent software vendors (ISVs) and developers build their own authentication methods, such as biometrics or tokens, by writing credential providers. This opens unique ways of authenticating to your Vista PC. As a software developer I find this very interesting.

6. Windows BitLocker™ Drive Encryption

BitLocker provides full disk encryption. It protects the operating system, the boot files and all the data on the hard drive. Computers with a Trusted Platform Module (TPM 1.2) heighten the protection: the TPM releases the disk key only if the early boot components measure the same as when BitLocker was enabled, which helps ensure that a client computer running Windows Vista cannot be tampered with while the system is offline.
This is a very useful feature for laptops. Lost and stolen laptops can cause serious business issues, especially when they contain intellectual property or private customer data.
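The full disk encryption article above argues that only encryption, not the logon password, protects a drive that is lost or pulled from the machine; this item says BitLocker with a TPM is how Vista delivers that. The following added example, not code from the original post, audits both from PowerShell through the WMI providers that BitLocker and the TPM driver expose. It assumes an elevated session (both providers refuse non-administrators) and a BitLocker-capable edition of Vista (Enterprise or Ultimate).

```powershell
# Added example, not code from the original post. Assumes an elevated session
# on Vista Enterprise/Ultimate or later, where the BitLocker and TPM WMI
# providers are present.
function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [PSCustomObject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false }
    }
    # Each query is a method whose result object carries a property of the same name.
    [PSCustomObject]@{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

# Status codes documented for Win32_EncryptableVolume.
$protectionNames = @{ 0 = 'Off'; 1 = 'On' }
$conversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

function Get-BitLockerState {
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($v in $volumes) {
        $prot = $v.GetProtectionStatus()    # 0 = unprotected, 1 = protected, 2 = unknown
        $conv = $v.GetConversionStatus()    # ConversionStatus and EncryptionPercentage
        $keys = $v.GetKeyProtectors(0)      # 0 = every protector type (TPM, PIN, USB key, recovery)
        $ids  = @($keys.VolumeKeyProtectorID)

        $protection = $protectionNames[[int]$prot.ProtectionStatus]
        if (-not $protection) { $protection = 'Unknown' }
        $conversion = $conversionNames[[int]$conv.ConversionStatus]
        if (-not $conversion) { $conversion = 'Unknown' }

        [PSCustomObject]@{
            Drive         = $v.DriveLetter
            Protection    = $protection
            Conversion    = $conversion
            Percent       = $conv.EncryptionPercentage
            KeyProtectors = $ids.Count
        }
    }
}

$tpmState = Get-TpmState
$volumes  = @(Get-BitLockerState)
$tpmState | Format-List
$volumes  | Format-Table -AutoSize

# The case the article warns about: a system drive that is not protected can be
# read by booting another OS or moving the disk, whatever the logon password is.
# "FullyEncrypted" with protection Off (suspended) is just as readable at boot.
$os = $volumes | Where-Object { $_.Drive -eq $env:SystemDrive }
if (-not $os -or $os.Protection -ne 'On') {
    Write-Warning "System drive $env:SystemDrive is not protected; its contents are readable offline."
}
if (-not $tpmState.Present) {
    Write-Warning 'No TPM found: BitLocker would have to rely on a USB startup key alone.'
}
```

A volume that reports `FullyEncrypted` but `Protection = Off` is the state BitLocker enters when protection is suspended for a firmware update; the disk is encrypted, but the key is stored in the clear so the machine boots without a secret, which is why the script treats it the same as an unencrypted drive.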

7. Windows Service Hardening

Windows Service Hardening restricts critical Windows services from doing nasty things to the file system, registry or network that they have no business doing. This protects the operating system from malware being installed through a compromised Windows service. I will be watching the security bulletins for this. Will there be security issues in Vista that are mitigated by this feature? Time will tell.

8. Improved Encrypted File System (EFS)

Under Windows XP, EFS was good at protecting your data, and that was about all; doing anything fancy became complex and cumbersome. One major downfall of the previous version of EFS was the difficulty of storing the EFS certificates on a smart card. This now works! An interesting addition is that the page file and cached offline files can now be encrypted.

9. Windows Security Center (WSC)

WSC is a method for third-party software on the machine to query the security state of a computer before interacting with it. For example, a bank web site, through a locally installed component, could make sure you have anti-spyware and anti-virus software with up-to-date signatures before allowing you to log in to your online banking.

10. Device Control

Today's USB drives hold 4 gigabytes of data, basically a whole DVD. This has been a security headache for a long time: employees walking out of the office with all the company secrets on a USB drive, ouch. Now there is a group policy setting (Removable Storage Access) that can deny read or write access to removable disks on a corporate Vista PC.
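As an added example (not code from the original post), here are two ways to shut off USB mass storage from a script on a Vista workstation. The first writes the registry values that the Removable Storage Access policy (Computer Configuration, Administrative Templates, System) sets for Removable Disks; the device class GUID and the `Deny_*` value names below are the ones that policy uses, and should be checked against the template on your own system. The second is the older, blunter method of stopping the USB storage driver from loading at all. Both need an elevated session.

```powershell
# Added example, not code from the original post. Needs an elevated session.
# Assumption to verify locally: the GUID is the Removable Disks class the
# "Removable Storage Access" policy writes under, with Deny_Read/Deny_Write/
# Deny_Execute as its values.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Disable-RemovableDiskAccess {
    # Same effect as enabling the three "Removable Disks: Deny ... access"
    # policies in gpedit, but written directly to the policy hive.
    New-Item -Path $policyKey -Force | Out-Null
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-ItemProperty -Path $policyKey -Name $name -Value 1 -Type DWord
    }
}

function Enable-RemovableDiskAccess {
    # Removing the key returns the setting to "Not Configured".
    Remove-Item -Path $policyKey -Recurse -ErrorAction SilentlyContinue
}

function Get-RemovableDiskPolicy {
    if (Test-Path $policyKey) {
        Get-ItemProperty -Path $policyKey | Select-Object Deny_Read, Deny_Write, Deny_Execute
    } else {
        'Removable Disks policy not configured'
    }
}

# Pre-Vista alternative: Start=4 (disabled) keeps the USBSTOR driver from
# loading, so no USB disk of any kind is recognised. Crude, but it works on
# XP as well, where the policy above does not exist.
function Disable-UsbStorageDriver {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -Value 4 -Type DWord
}

Disable-RemovableDiskAccess
Get-RemovableDiskPolicy
```

The policy route is preferable on Vista because it can be narrowed (deny write but allow read, say) and it is what a domain group policy would set anyway; the USBSTOR switch also blocks USB CD-ROM drives and any other device the storage driver serves.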

Conclusion

I have been using Vista since Beta 2. I am now running Vista Ultimate thanks to my MSDN subscription. I have been enjoying Vista and, as a security pro, looking at ways it can help the security of a small/medium business. Vista rolls many security features into the operating system, which lets Vista worry about the security while you worry about your business.

Christmas Time

The 11th reason is not about security but the enjoyment of using your computer. It may be more secure, but it is Christmas time and time to relax and enjoy your family, friends and some downtime with your computer (geek out!). Vista sports the new glass interface, which gives the environment a very solid feel. With Windows Media Player you can enjoy DVDs, music and last year's Christmas video. The upcoming DirectX 10 games will definitely be a blast.