Thursday, June 30, 2011

Getting Technical Help from a Windows 7 Forum

If you are new to Windows 7 and actively testing its new features, then the best place to get technical support is a Windows 7 forum. Lots of online forums have cropped up to discuss Windows 7.

However, if you want to get involved in the liveliest and most productive Windows 7 forums, then the official Microsoft forums are your best choice. First there is the MSDN forum for developers, where you can browse technical discussions and other important information. You can simply browse and read the discussions if you do not want to become a member of the forum.

There are also independent online communities that are not affiliated with Microsoft. You can get valuable input from these forums, especially from independent developers who are studying Windows 7.

Almost all types of discussion about Windows 7 can be found on such forums. You can read posts about the individual experiences of users who have tried Windows 7. There are also rants about Windows 7, which you should read as well in order to get the point of view of those who trash the new Microsoft operating system.

The Windows 7 Forums and the Microsoft TechNet Forum are two of the most productive online communities about Windows 7. Useful technical information can be found in these forums, as well as detailed descriptions of issues. You may find several bugs in Windows 7, and you can find solutions to them through the forum posts.

Explain BGP, the Differences between BGP and OSPF, What Prefixes Are, and What Attributes and Types Are Used in BGP

The Border Gateway Protocol (BGP) is a favorite subject for many technical interviewers. It is the exterior routing protocol of choice in today’s networks and is quite different from interior routing protocols such as OSPF. BGP fulfills the role of mediating between two “administratively controlled” networks. These administratively controlled networks are known as autonomous systems (ASes). BGP requires a reliable connection between peers and uses TCP port 179; each peer session gets a single TCP session. BGP is an application layer protocol, so the TCP session must be established before any route information is exchanged. BGP sessions can be authenticated using MD5 signatures when exchanging updates. An UPDATE message can carry a variable number of attributes; however, they cannot be repeated. As for prefixes, an UPDATE message can advertise only one route. It can, however, list routes to be withdrawn. BGP is considered a path vector protocol because it stores route information in addition to path attributes. Route selection is done in a deterministic fashion based on a best-route policy, and that policy is based on the path attributes. Where interior routing protocols use metrics such as delay, link utilization, or hops, BGP does not. Understand that BGP is capable of running in two modes: exterior and interior. EBGP is used for peering between different autonomous systems; IBGP is used between routers within the same AS. Path attributes are handled differently in the two modes; these are discussed shortly.

There are two key differences between BGP and OSPF (or any internal routing protocol). The first difference is how the protocols scale up to accommodate large numbers of routes. BGP scales up well because it sends a complete route update only once when a session is established with a peer. After that, the BGP speaker will send only incremental changes. Even though OSPF mostly sends link state information, there are still periods in which all its routing information is sent. The second key difference is the support for path attributes in BGP. BGP uses path attributes to form routing policies. This works well when you have to route between separately owned and maintained networks (autonomous systems). The routing policies allow you to make a decision as to whether to accept, reject, or change (summarize/aggregate) routes from a peer network. This helps protect the network and control how routes are propagated throughout the internal network.

A prefix is the network portion of the IP address and implies the use of classless addressing. BGP uses prefixes in the Network Layer Reachability Information (NLRI) field in the UPDATE messages. The path attributes convey the prefix characteristics to the peer router. Another hot topic in BGP is the ability to perform route dampening. Route dampening is a feature that controls the frequency of routes changing state — up, down, up, down, and so on. This frequent changing of state is called route flapping. Most routers today can sense the flapping and remove the offending route. To do so, they monitor how often the flapping occurs and penalize the route each time. After the penalties exceed a set threshold, the route is removed and updates are ignored. The route can be reused after a certain amount of time.
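As an added illustration of the dampening mechanics just described (this is example code written for this page, not part of the original post or any vendor's implementation), the following Python model applies a fixed penalty per flap, decays the penalty exponentially with a half-life, suppresses the route once the penalty crosses a suppress threshold, and releases it when decay brings the penalty back under a reuse threshold. The half-life, thresholds, 1000-per-flap penalty and maximum suppress time are assumed defaults of the kind routers ship with; the text gives no numbers.

```python
import math


class DampenedRoute:
    """Route flap dampening state for one prefix (RFC 2439 model).

    Parameter values are assumed, commonly seen defaults, in seconds and penalty units.
    """

    def __init__(self, half_life=900, suppress_limit=2000, reuse_limit=750,
                 flap_penalty=1000, max_suppress=3600):
        self.half_life, self.suppress_limit, self.reuse_limit = half_life, suppress_limit, reuse_limit
        self.flap_penalty = flap_penalty
        # Penalty ceiling: guarantees a route is never suppressed longer than max_suppress seconds.
        self.ceiling = reuse_limit * 2 ** (max_suppress / half_life)
        self.penalty, self.last_update, self.suppressed = 0.0, 0.0, False

    def _decay(self, now):
        """Apply exponential decay since the last event; release the route once under the reuse limit."""
        self.penalty *= 0.5 ** ((now - self.last_update) / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse_limit:
            self.suppressed = False

    def flap(self, now):
        """Record one state change (up->down or down->up) at time `now`; return whether it is now suppressed."""
        self._decay(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty >= self.suppress_limit:
            self.suppressed = True
        return self.suppressed

    def is_suppressed(self, now):
        self._decay(now)
        return self.suppressed

    def seconds_until_reuse(self, now):
        """Time until the decayed penalty drops below the reuse limit (0 if the route is already usable)."""
        self._decay(now)
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse_limit)


def simulate(flap_times, **params):
    """Run a constructed list of flap timestamps through one dampener.

    Returns ((time, penalty after the flap, suppressed) rows, the dampener) so the caller can keep querying it.
    """
    route = DampenedRoute(**params)
    rows = []
    for t in flap_times:
        suppressed = route.flap(t)
        rows.append((t, round(route.penalty), suppressed))
    return rows, route
```

With the assumed defaults, three flaps one minute apart are enough to suppress the route (1000 + ~955 + ~912 penalty units after decay), and the route then sits suppressed for roughly 29 minutes until the penalty halves twice and falls under 750.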

One of the greatest arguments in BGP is which attributes should or should not be used when sharing information between two networks. (Just a quick definition note: The words update and advertisement are used interchangeably.) In BGP, there are numerous path attributes that accompany an update between two BGP speakers who wish to exchange routing information. We draw from RFC 4271/1771 for the following information. There are four defined categories for BGP attributes:

  • Well-known mandatory

  • Well-known discretionary

  • Optional transitive

  • Optional nontransitive

As the name implies, any vendor who wishes to implement BGP must support the well-known attributes. The mandatory attributes are ones that have to be included in every update; discretionary attributes do not. Optional attributes are ones that some BGP speakers may use and others may not. The transitive bit in the update determines whether a BGP neighbor propagates the attribute or simply deletes it. It is always good to review the well-known mandatory attributes first. There are three well-known mandatory attributes: ORIGIN, AS_PATH, and NEXT_HOP. There are two well-known discretionary attributes: Local Preference and Atomic Aggregate. All these attributes are described in the following list:

ORIGIN: The Origin code is how the route originated, or the source of the route. The choices are internal gateway protocol (IGP), external gateway protocol (EGP), or incomplete. A great follow-up question is, “What is the cause of an unknown/incomplete?” Some of the most common reasons are route aggregation/summarization and redistribution.

AS_PATH: The AS_PATH attribute is simply a list of all the autonomous systems (AS) that the given route in the update transits through. As the update passes through each AS, each BGP host adds its own AS to the list.

NEXT_HOP: The NEXT_HOP attribute is the IP address of the first router in the next AS. And this first router may be more than one hop away. When this is the case, the interior routing protocol will compute a route to the BGP NEXT_HOP IP address. Just remember that Internal BGP sessions will not change the NEXT_HOP attribute — only external BGP sessions do.

LOCAL_PREF: The local preference attribute is used to inform internal BGP peers of the preferred AS egress point for the included route.

ATOMIC_AGGREGATE: The atomic aggregate attribute is used when a BGP speaker has overlapping routes from one of its peers. The BGP speaker will set the attribute when it makes a less-specific route selection. Aggregation, also known as summarization, hides network reachability and topology information. The atomic aggregate attribute is the mechanism used to hide the AS path.

Examples of the optional transitive attributes are the Aggregator, Communities, and Extended Communities attributes.

Aggregator: The Aggregator attribute is a way for a BGP speaker to notify its peer that it has aggregated a given route and provides its own AS number and IP address.

Communities: Communities are the “catch-all” attributes. In most large networks today, BGP communities are used to enforce policy. They do not directly affect the route selection algorithm of BGP, but they can shape how routes are treated when received in an update. There are three communities that are commonly used: NO_EXPORT, NO_ADVERTISE, and NO_EXPORT_SUBCONFED. The NO_EXPORT community attribute is a tag that notifies the peer whether the route can be exported to an external AS. The NO_ADVERTISE community attribute notifies the peer to not advertise the route at all. The NO_EXPORT_SUBCONFED community extends the NO_EXPORT attribute to include confederated ASs.

Extended Communities: Extended Communities extend the BGP attributes further. There are a number of Extended Communities in draft and used in some BGP implementations. Ones to mention include the Autonomous System Specific, Route Target, Route Origin, and Link Bandwidth.

MULTI_EXIT_DISC: The MED attribute is an optional, nontransitive attribute that provides a means to advertise multiple exit points for the local AS. Each exit point is given a metric, and the lowest metric will be the preferred exit point.

Much has been written on BGP, but the great references for BGP are still the RFCs. There are many and they all deserve attention:

  • RFC 4271 - A Border Gateway Protocol 4 (BGP-4)

  • RFC 4272 - BGP Security Vulnerabilities Analysis

  • RFC 4273 - Definitions of Managed Objects for BGP-4

  • RFC 4276 - BGP-4 Implementation Report

  • RFC 1772 - Application of the Border Gateway Protocol in the Internet

  • RFC 1773 - Experience with the BGP-4 protocol

  • RFC 1774/4274 - BGP-4 Protocol Analysis

  • RFC 1997 - BGP Communities Attribute

  • RFC 1998 - An Application of the BGP Community Attribute in Multi-home Routing

  • Internet-Draft draft-ietf-idr-bgp-ext-communities - BGP Extended Communities Attribute
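To tie the attribute categories and the UPDATE message rules above together, here is an added Python example (written for this page; it is not code from the original post or from any router vendor) that builds a constructed UPDATE message and parses it back. It classifies each path attribute from its Optional and Transitive flag bits into the four RFC 4271 categories, decodes ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF and COMMUNITIES, and enforces two rules the text states: an attribute may not be repeated, and the well-known mandatory attributes must be present when NLRI is advertised. The AS numbers and addresses in the sample are constructed from documentation ranges, and 2-byte AS numbers are assumed (no AS4_PATH handling).

```python
import struct
from ipaddress import IPv4Address

# Path-attribute flag bits (RFC 4271 section 4.3): Optional, Transitive, Partial, Extended Length.
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_PARTIAL, FLAG_EXT_LEN = 0x80, 0x40, 0x20, 0x10
ATTR_NAMES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITIES"}
WELL_KNOWN_MANDATORY = {1, 2, 3}   # must appear in every UPDATE that advertises NLRI
ORIGIN_CODES = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
WELL_KNOWN_COMMUNITIES = {0xFFFFFF01: "NO_EXPORT", 0xFFFFFF02: "NO_ADVERTISE", 0xFFFFFF03: "NO_EXPORT_SUBCONFED"}

def category(flags, code):
    """Map the Optional and Transitive bits onto the four RFC 4271 attribute categories."""
    if not flags & FLAG_OPTIONAL:
        return "well-known mandatory" if code in WELL_KNOWN_MANDATORY else "well-known discretionary"
    return "optional transitive" if flags & FLAG_TRANSITIVE else "optional non-transitive"

def parse_prefixes(buf):
    """Decode <length-in-bits, truncated octets> tuples; withdrawn routes and NLRI share this form."""
    prefixes, i = [], 0
    while i < len(buf):
        bits, nbytes = buf[i], (buf[i] + 7) // 8
        octets = buf[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(f"{IPv4Address(octets)}/{bits}")
        i += 1 + nbytes
    return prefixes

def decode_value(code, value):
    """Decode the attributes discussed in the text; anything else is returned as hex."""
    if code == 1:
        return ORIGIN_CODES.get(value[0], "unknown")
    if code == 2:                       # AS_PATH: (segment type, AS count, 2-byte ASNs) segments
        segments, i = [], 0
        while i < len(value):
            seg_type, count = value[i], value[i + 1]
            asns = struct.unpack(f"!{count}H", value[i + 2:i + 2 + 2 * count])
            segments.append(("AS_SET" if seg_type == 1 else "AS_SEQUENCE", list(asns)))
            i += 2 + 2 * count
        return segments
    if code == 3:
        return str(IPv4Address(value))
    if code in (4, 5):                  # MED and LOCAL_PREF are 4-byte unsigned metrics
        return struct.unpack("!I", value)[0]
    if code == 6:                       # ATOMIC_AGGREGATE carries no value
        return True
    if code == 8:
        return [WELL_KNOWN_COMMUNITIES.get(c, f"{c >> 16}:{c & 0xFFFF}")
                for c in struct.unpack(f"!{len(value) // 4}I", value)]
    return value.hex()

def parse_update(msg):
    """Parse one complete BGP UPDATE (header included); raise ValueError on malformed input."""
    if len(msg) < 19 or msg[:16] != b"\xff" * 16:
        raise ValueError("bad marker")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != 2 or length != len(msg):
        raise ValueError("not a complete UPDATE message")
    body = msg[19:]
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = parse_prefixes(body[2:2 + wlen])
    p = 2 + wlen
    alen = struct.unpack("!H", body[p:p + 2])[0]
    attrs_buf, nlri_buf = body[p + 2:p + 2 + alen], body[p + 2 + alen:]
    attrs, seen, i = [], set(), 0
    while i < len(attrs_buf):
        flags, code = attrs_buf[i], attrs_buf[i + 1]
        if flags & FLAG_EXT_LEN:
            vlen, i = struct.unpack("!H", attrs_buf[i + 2:i + 4])[0], i + 4
        else:
            vlen, i = attrs_buf[i + 2], i + 3
        value, i = attrs_buf[i:i + vlen], i + vlen
        if code in seen:                # the text's rule: an attribute may not be repeated
            raise ValueError(f"attribute {ATTR_NAMES.get(code, code)} repeated")
        seen.add(code)
        attrs.append({"name": ATTR_NAMES.get(code, f"type{code}"),
                      "category": category(flags, code), "value": decode_value(code, value)})
    nlri = parse_prefixes(nlri_buf)
    missing = WELL_KNOWN_MANDATORY - seen
    if nlri and missing:
        raise ValueError(f"NLRI present but mandatory attributes missing: {sorted(missing)}")
    return {"withdrawn": withdrawn, "attributes": attrs, "nlri": nlri}

# Encoder side, used only to construct the sample message.
def attr(flags, code, value):
    return bytes([flags, code, len(value)]) + value            # 1-byte length form
def prefix(ip, bits):
    return bytes([bits]) + IPv4Address(ip).packed[:(bits + 7) // 8]
def build_update(withdrawn, attrs, nlri):
    body = struct.pack("!H", len(withdrawn)) + withdrawn + struct.pack("!H", len(attrs)) + attrs + nlri
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body

def build_sample_update():
    """Constructed EBGP UPDATE: withdraws 10.1.0.0/16, announces 192.0.2.0/24 (documentation ranges)."""
    attrs = b"".join([
        attr(FLAG_TRANSITIVE, 1, b"\x00"),                                         # ORIGIN = IGP
        attr(FLAG_TRANSITIVE, 2, b"\x02\x02" + struct.pack("!HH", 64500, 64496)),  # AS_SEQUENCE of 2 ASes
        attr(FLAG_TRANSITIVE, 3, IPv4Address("203.0.113.1").packed),               # NEXT_HOP
        attr(FLAG_OPTIONAL, 4, struct.pack("!I", 50)),                             # MED: optional non-transitive
        attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, 8, struct.pack("!I", 0xFFFFFF01)),   # COMMUNITIES: NO_EXPORT
    ])
    return build_update(prefix("10.1.0.0", 16), attrs, prefix("192.0.2.0", 24))
```

Running `parse_update(build_sample_update())` yields the withdrawn prefix, the announced prefix, and five attributes whose categories come out as three well-known mandatory, one optional non-transitive (MED) and one optional transitive (COMMUNITIES). Feeding it a message with the same attribute twice, or NLRI without ORIGIN/AS_PATH/NEXT_HOP, raises `ValueError`, which is the behaviour a receiver needs before it lets a malformed update touch its RIB.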

Wednesday, June 29, 2011

How to fix Windows 7 registry problems

A computer has evolved into a laptop after generations of effort and development. From a simple calculating device, it has been transformed into a gadget that can nearly equal human intelligence for analytical purposes. Contemporary world powers depend on more than one laptop for their growth and security. But it is odd to see that a simple mistake can make a computer behave in strange ways, to say nothing of viruses, worms, spyware, adware, etc.

There are sure-shot indications of an accumulation of errors in the Windows 7 registry. Here is a small but sufficient list of signs that a Windows 7 registry has become corrupt and the time has come for a Windows registry repair:

  • An uninvited blue screen on your monitor showing a strange error code

  • A DLL error message

  • A window closing after an “illegal operation” message

Such unwelcome pop-up messages and unexpected system shutdowns slow a system beyond an acceptable level. It is essential to restore a corrupted registry before it is too late.

Here are the two best ways to fix registry errors. Users are free to choose the one that suits them best.

1) The simple and cheap method of fixing the Windows registry: the registry cleaner download method.

Immediately download a registry cleaner to repair and restore the Windows 7 registry. A registry cleaner takes a simple and rapid approach to registry errors: it starts by scanning for and detecting errors, then completes the Windows registry repair by fixing them. A registry cleaner is the most effective software for finding and fixing Windows 7 registry errors. Finding websites that offer registry cleaner downloads is a very easy task; there are not one or two but thousands of them. Feel free to subscribe to a website to download a registry cleaner, but never accept offers to download other software to fix registry errors. A registry cleaner is specifically designed to clear registry errors.

A registry cleaner should not be understood merely as registry repair software. It takes a comprehensive approach to keeping your laptop free from the long list of errors that its built-in module recognizes.

A non-risky option for downloading a registry cleaner is a paid subscription website. Unlike other sites, which are known for transmitting viruses, these provide full versions of the original software.

2) The expensive option: obtaining expert assistance to fix the registry errors

This is another option for repairing a corrupt Windows 7 registry. You can hire a computer expert to fix the mistakes. However, it will make your pockets a little lighter, as a computer expert costs around $120 per session.

There is no such thing as a free registry repair download. Each standard product comes at a certain price. The two options for securing a standard registry cleaner are discussed above. Choose the best one depending on your convenience and budget.


When trying to fix up your laptop, the best program to use is the Windows 7 Registry. Its functionality is similar to the older version, and it has features that other programs do not have. Most registry cleaner software comes with scanners that allow for a quick fix of your modules. Using the file manager, you should be able to locate any clogged documents with no hypertext markup language (HTML) header tags. This is very important since it can become very complicated. To prevent this, using a registry checker can eliminate any and all bugs that are damaging your hard disk. Of course, when trying to install a piece of software, it is vitally important to read the fine print and instructions. This will limit any mistakes you may make during the process.

Now that you know the risks of using a Windows 7 Registry, you should also know what it can do for your laptop’s software applications. First of all, it gives you a free scan of your hardware to find any suspicious anomalies. Then it will alert you, either through email or by the system itself, and tell you what you need to do to fix the numerous problems with your laptop. Or you can allow the system one to two days to fix up your applications. If you do choose this, please allow a certain amount of time; it can actually take three to five days to fix the problems. Do not worry, though, because your laptop can be shut off during this process. It is done online and continues to operate while the screen is shut off, sleeping, or in hibernation mode.

The Windows 7 Registry will delete and eliminate any files that are no longer in use. It will give your control panel more free space, thus increasing load speed. Your internet browser will be faster as well; this includes the deletion of cookies in your history tab. It also works for adware and fixes that up as well. You should scan your system at least once a month to find and destroy these problems. Having a virus protection program can help too, and will hopefully stop the problems before they have time to infect your hard disk. If all else fails, you can then use the system restore option to turn on the registry cleaner. This will send out spiders to your software and create more files for you to work with in your control panel.

Using a repair module such as the Windows 7 Registry has benefits for both your hardware and software. Combining this functionality with a registry utility can increase the rate at which errors in your system are deleted.

Michael Reyes is a health professional and writer who loves to teach people the benefits of keeping a good, healthy lifestyle. He loves running, walking, and playing tennis on the weekends.

Information Security Governance - Additional Common Attacks

The list of possible attacks is endless, with new ones surfacing each week and older ones being resurrected, richly peppered with unique twists to make them more explosive in their reincarnated state. Hackers typically drive new attacks, pushing the envelope at every turn, because their main preoccupation is to wreak havoc. While an exhaustive analysis of attacks could fill its own book, the goal of this section is to provide a basic overview of some common attacks, understanding that many newer ones are often subsets or combinations of what already exists. The discussion includes the following topics:

  • Footprinting

  • Scanning and system detailing

  • Eavesdropping

  • Password attacks

  • Impersonating

  • Trust exploitation

  • Software and protocol exploitation

  • Worms

  • Viruses

  • Trojan horses

  • Attack trends



Footprinting


Performed during the reconnaissance stage, footprinting is the process of identifying a network and determining its security posture. The hacker attempts to create a layout of the IT operation, by mapping out the following items:

  • Geographical location of corporate IT assets

  • Related companies and extranets, to find the weakest links

  • Phone numbers assigned to corporate analog

  • Names of employees, usernames, and e-mail addresses


Individually, each parcel of information could be deemed somewhat innocuous. By combining these pieces, the hacker is able to draw a map that can roughly determine the architecture of the overall system and its security infrastructure.


Scanning and System Detailing


Scanning and system detailing, part of the reconnaissance stage, is the process of probing for live servers, determining which ports are active, and drilling down further to discover details regarding applications and versions running on the system.

The hacker, for example, might be running a reconnaissance overnight, as shown in Figure 2-8. By using port-scanning software, a report can tell her which stations are live and what ports the stations are listening on. If the report states that the system is listening on ports 21, 25, and 80, all well-known ports, she can surmise that the equipment is most likely a server. By drilling down further and determining the operating system, she can confirm her suspicion. Utilizing that information, she can then search for known vulnerabilities inherent in the operating system, as well as the particular version of the OS.


Figure 2-8. Reconnaissance Attack: Scanning a Network





Eavesdropping


Eavesdropping is a traffic-analysis program that sniffs (monitors), records, and analyzes network traffic. As shown in Figure 2-9, the hacker uses software that does the following things:

  • Listens to all communication on a network

  • Captures each bit of every transmission

  • Uses a protocol analyzer to reassemble packets of information, allowing it to read e-mails, for example



Figure 2-9. Hacker Eavesdropping on a Communication





Eavesdropping can quickly reveal usernames and passwords, enabling the hacker to eventually impersonate a user to gain entry into the network.


Password Attacks


A password attack is a process the hacker employs to learn user passwords.

Discovering a legitimate username within a network is only valuable if the hacker can also determine the user's password. Depending on how well the hacker knows the user, he might first go through the obvious list: given name, company name, birth date, maiden name, and family names. Many systems use a three-strike access rule, whereby the system locks out the user after his third failed authenticating attempt. If the hacker were unable to establish the passwords, he might favor an attack known as a brute-force attack, which uses a process that tries seemingly endless combinations of letters, numbers, and symbols in an attempt to determine a user password. This technique works particularly well when the three-strike rule has not been implemented.

Conversely, if the hacker is an insider, he might opt to walk by a workstation and see whether the user wrote her password on a slip of paper and taped it to her keyboard. Alternatively, an insider could also be aware of certain tools that provide access to encrypted password lists on a network, such as password decryption tools, which can take advantage of weak encryption algorithms.
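The three-strike rule mentioned above is the standard mitigation for the online brute-force guessing the passage describes. As an added example (written for this page, not taken from the chapter), the following Python class implements a consecutive-failure lockout on top of salted PBKDF2 password hashing with a constant-time comparison, and records an audit trail that a detection rule can scan for lockout bursts. The account name, password and timestamps are constructed sample values.

```python
import hashlib
import hmac
import os


class LoginGuard:
    """Password check with a 'three-strike' lockout.

    After max_failures consecutive bad guesses the account is locked for lockout_seconds,
    which caps the rate at which an online guessing attempt can proceed.
    """

    def __init__(self, max_failures=3, lockout_seconds=900):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.users = {}      # username -> (salt, PBKDF2-HMAC-SHA256 hash)
        self.failures = {}   # username -> (consecutive failures, locked-until timestamp)
        self.events = []     # (time, user, outcome) audit trail a detection rule would read

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(salt, password))

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked'; `now` is a timestamp in seconds."""
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            self.events.append((now, user, "locked"))
            return "locked"               # the password is not evaluated at all while locked
        # Hash even for unknown users so response time does not reveal which names exist.
        salt, stored = self.users.get(user, (b"\x00" * 16, b"\x00" * 32))
        computed = self._hash(salt, password)
        ok = user in self.users and hmac.compare_digest(computed, stored)
        if ok:
            self.failures.pop(user, None)   # a success resets the strike counter
            self.events.append((now, user, "ok"))
            return "ok"
        count += 1
        if count >= self.max_failures:
            self.failures[user] = (0, now + self.lockout_seconds)
            self.events.append((now, user, "locked"))
            return "locked"
        self.failures[user] = (count, 0.0)
        self.events.append((now, user, "denied"))
        return "denied"


def lockouts_per_user(events):
    """Count lockout outcomes per account: the signal a SOC rule would alert on for a guessing campaign."""
    counts = {}
    for _, user, outcome in events:
        if outcome == "locked":
            counts[user] = counts.get(user, 0) + 1
    return counts
```

The third wrong guess locks the account, and even the correct password is refused until the lockout expires; once it does, a successful login clears the strike counter. Unknown account names get the same "denied" answer as wrong passwords, with the same hashing cost, so the response does not confirm which usernames exist.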


Impersonating


Impersonating describes the person or persons who unlawfully assume a legitimate user's credentials for the purposes of deceiving a computer network.

The hacker might sniff on a network (monitor its traffic) in an attempt to uncover a username and its accompanying password.

Conversely, the hacker might opt to steal a purse, wallet, or personal digital assistant (PDA) that belongs to a network administrator, knowing that many people keep pertinent access information close at hand.

With this sensitive data, the hacker would be able to access the targeted network with the full authority to run it. After the attack has been carried out, the hacker has minimal fear of being caught, because analysis after the fact will attribute the breach to the impersonated user. However, exhaustive forensics could ultimately reveal the true hacker.


Trust Exploitation


A trust relationship exists when two systems, possibly operating within the same organization or, as an example, two separate organizations that connect for just-in-time processes, grant certain two-way access privileges to each other. A user authorized on server X would be provided with privileges on server Y, with both systems openly allowing the other in. The premise is that if a user is precleared on one system, that gives her automatic right, or trust, to access the other system. Trust exploitation, as shown in Figure 2-10, can occur when a hacker, who might have been unsuccessful in his attempts to break into server X, discovers he is able to penetrate server Y and, exploiting the trust that is inherent between the two systems, successfully works his way back to server X and inflicts damage.


Figure 2-10. Trust Exploitation





Software and Protocol Exploitation


It is not uncommon for flaws to exist in software and operating systems. While vendors are thorough in their research and development, the possibility exists that product containing flaws could be shipped to an end user. Similar to most other industries, software manufacturers are quick to respond, issuing patches for the flawed software. The wily hacker, aware that his targeted organization uses the affected software, relies on human nature when he surmises that most network administrators are very busy and might not install the needed patch the moment it is published. Taking advantage of that window, the hacker attempts to break into the system, exploiting the flaw in the software.

When major software revisions are initially made available, organizations can decide to delay implementation until the inevitable quirks, or issues, have been determined and a less problematic version of the software revision is available.

Another type of exploiting occurs when a tool is used for something other than its original purpose. Pinging, for example, was created to aid network administrators in determining whether equipment was live on their networks. While they could have walked around the facility and seen for themselves, it was not only faster to send a signal and see whether the appliance responded, but networks were also quickly becoming geographically larger, and walking around to check on equipment was becoming a poor option. Hackers seized the checking tool and used it for their own nefarious purposes.


Worms


A worm is a program that potentially contains malicious code that continually replicates itself as it works its way through networks. Although worms self-propagate, unlike viruses, worms are not designed to impose harm on their host systems.

The primary goal of a worm program is to replicate itself on as many networks as possible, sometimes gathering data, possibly e-mail address books, from each of the breached systems.

Worms can quickly create a DoS attack by bottlenecking networks. The Melissa worm in 1999 wreaked havoc and stymied systems as it literally wormed its way through networks, duplicating itself whenever it came into contact with a target. It would worm its way into the targeted user's e-mail address book and then forward itself to the first 50 addresses it found. The worm would arrive at each new victim's computer disguised as e-mail from someone the victim seemingly knew. Not surprisingly, the unsuspecting user would open the e-mail and the worm would perform the same act: Each worm found 50 new addresses, reattached itself, and 2500 new victims were attacked. Those 2500 victims each found 50 more to infect and, quite rapidly, the aberrant e-mail propagated throughout the Internet on the backs of address books, leaving bottlenecked systems in its wake.


Viruses


A virus is a software program that strives to generate great harm by corrupting files or functionality on a system. Early-generation viruses required the help of an unwitting accomplice, typically a system user, to propagate itself. But viruses have matured and now often include worm-like characteristics that enable self-generating replication. Code Red was a prime example of this type of hybrid. It acted like a virus by dynamically generating new web pages on infected web servers that made the claim Hacked by Chinese. In its sister role as a worm, it also self-propagated and spread itself to other networks, continually seeking new web server victims in its path of infection.


Trojan Horses


A Trojan horse is a malicious program that masquerades as a legitimate one, purporting to do one thing in the foreground while it is doing something malevolent in the background. A Trojan horse is a popular means of disguising a virus or worm, as described in the puppy example in the section "Access Stratagems," earlier in this chapter.


Attack Trends


Combination malicious attacks, known as combo-malware, are becoming more prevalent. By combining the most destructive elements from past attacks with the most effective tools available today, hackers are able to combine worms and viruses that replicate faster, cause greater damage in shorter periods of time, and leave fewer clues for forensic analysts.

While the industry should anticipate attacks to become more sophisticated, most hackers themselves likely will not. Regrettably, the tools available, along with easily obtainable elementary instruction guides, make attacks a pastime in which too many could effortlessly engage. The tools that carry out malicious activities are more powerful with each new iteration, as illustrated in Figure 2-11. Hackers' technical abilities need not be as advanced as in the past, because their tools are now so automated and powerful that they can carry out the attacks.


Figure 2-11. Inverse Relationship Between Hacker Knowledge and Hacking Tools (Source: "Cisco Networking Simplified," 1-58720-074-0, Cisco Press)





But a small minority remains that relishes the cerebral challenge that a breach poses. The reality for organizations is that they must contend with this element and use mitigation tools to deal with those who perpetually strive to unearth innovative ways to breach even the most sophisticated intrusion-prevention systems. A basic key for most organizations is to first acknowledge their weakest links and then implement procedures to fortify them, ensuring that any future programs are built on terra firma.

Sunday, June 26, 2011

Low Cost Data Recovery Services Phoenix

Recover lost data for only US$15, flat rate. The lowest cost data recovery you can find in Phoenix and around the world.

Our low cost online data recovery service in Phoenix has helped many people recover lost data in Phoenix and around the world. The high cost of data recovery led us to find a way to help people.

Our online data recovery service has the experience and technical expertise to handle any type of data loss situation, such as accidentally deleted data, a hard disk partition suddenly lost because of a virus or system instability, a hard disk that has been formatted or re-partitioned by other technicians so that all your valuable data is gone, and many other logical problems.

Our data recovery services in Phoenix feature the industry’s most advanced recovery tools, proprietary techniques, and the best experts in the business working to recover lost data.

Online data recovery saves time and money because your files can be recovered in a matter of hours instead of days. Plus, recovering your data remotely can be done from the convenience of your office or home.

Contact our online data recovery expert for any inquiry and free consultation.

Tag: Data Recovery Services Phoenix

Saturday, June 25, 2011

Security Control: Personnel Security - Class: Operational

PS-1 PERSONNEL SECURITY POLICY AND PROCEDURES


Control

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, personnel security policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls.

Supplemental Guidance

The personnel security policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The personnel security policy can be included as part of the general information security policy for the organization. Personnel security procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.

Control Enhancements

None.

Baselines: LOW PS-1 | MOD PS-1 | HIGH PS-1

PS-2 POSITION CATEGORIZATION


Control

The organization assigns a risk designation to all positions and establishes screening criteria for individuals filling those positions. The organization reviews and revises position risk designations [Assignment: organization-defined frequency].

Supplemental Guidance

Position risk designations are consistent with 5 CFR 731.106(a) and Office of Personnel Management policy and guidance.

Control Enhancements

None.

Baselines: LOW PS-2 | MOD PS-2 | HIGH PS-2

PS-3 PERSONNEL SCREENING


Control

The organization screens individuals requiring access to organizational information and information systems before authorizing access.

Supplemental Guidance

Screening is consistent with: (i) 5 CFR 731.106(a); (ii) Office of Personnel Management policy, regulations, and guidance; (iii) organizational policy, regulations, and guidance; (iv) FIPS 201 and Special Publications 800-73 and 800-76; and (v) the criteria established for the risk designation of the assigned position.

Control Enhancements

None.

Baselines: LOW PS-3 | MOD PS-3 | HIGH PS-3

PS-4 PERSONNEL TERMINATION


Control

When employment is terminated, the organization terminates information system access, conducts exit interviews, ensures the return of all organizational information system-related property (e.g., keys, identification cards, building passes), and ensures that appropriate personnel have access to official records created by the terminated employee that are stored on organizational information systems.

Supplemental Guidance

None.

Control Enhancements

None.

Baselines: LOW PS-4 | MOD PS-4 | HIGH PS-4

PS-5 PERSONNEL TRANSFER


Control

The organization reviews information systems/facilities access authorizations when individuals are reassigned or transferred to other positions within the organization and initiates appropriate actions (e.g., reissuing keys, identification cards, building passes; closing old accounts and establishing new accounts; and changing system access authorizations).

Supplemental Guidance

None.

Control Enhancements

None.

Baselines: LOW PS-5 | MOD PS-5 | HIGH PS-5

PS-6 ACCESS AGREEMENTS


Control

The organization completes appropriate access agreements (e.g., nondisclosure agreements, acceptable use agreements, rules of behavior, conflict-of-interest agreements) for individuals requiring access to organizational information and information systems before authorizing access.

Supplemental Guidance

None.

Control Enhancements

None.

LOW: PS-6 | MOD: PS-6 | HIGH: PS-6

PS-7 THIRD-PARTY PERSONNEL SECURITY


Control

The organization establishes personnel security requirements for third-party providers (e.g., service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, network and security management) and monitors provider compliance to ensure adequate security.

Supplemental Guidance

The organization explicitly includes personnel security requirements in acquisition-related documents. NIST Special Publication 800-35 provides guidance on information technology security services.

Control Enhancements

None.

LOW: PS-7 | MOD: PS-7 | HIGH: PS-7

PS-8 PERSONNEL SANCTIONS


Control

The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.

Supplemental Guidance

The sanctions process is consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The sanctions process can be included as part of the general personnel policies and procedures for the organization.

Control Enhancements

None.

LOW: PS-8 | MOD: PS-8 | HIGH: PS-8

Friday, June 24, 2011

IT GOVERNANCE COURSE 4: Why Does Corporate Governance Need IT Audit?

Audits are opportunities for companies to improve, based on auditor analysis and advice. To preserve the integrity and authority of audits, auditors maintain a delicate distinction between offering advice and making decisions. For each organization, the scope of auditor responsibility should be documented in the company’s internal audit charter and approved by the audit committee. Because every organization has different goals and objectives, and certainly different issues and challenges, there is no one-size-fits-all audit process, nor one audit approach, that fits all situations. Historically, corporate governance has focused primarily on broad topics of leadership, management, ethics, and reporting. IT governance audits encompass many of the same issues and can include business plans, documentation and measurement of objectives, organizational reporting structures, contract management, and industrial and regulatory monitoring. They also have a significant technology component. For example:

  • Does the organization have an information architecture model?

  • Do hardware and software acquisition plans exist?

  • How are Web sites, blogs, ezines, and other such media managed?

  • How are investments and development projects evaluated, and do they meet business requirements?

  • How does the IT organization ensure system continuity in case of disruptive contingencies?


The size and complexity of various organizations’ audit efforts differ due to variations in operating environments, risk priorities and thresholds, and business and audit objectives. In addition, the scope of audits can vary from project to project, depending on the auditor’s focus, for example on various business processes, management controls, or technical controls. Ensuring appropriate audit focus is another reason management should communicate with auditors, and vice versa, early and often in every audit cycle.

Internal auditors should help management assess organizational risks. They must evaluate the audit universe and supporting audit plans at least annually, and sometimes more frequently. At the micro level, an audit risk assessment of the various entities being audited is completed to support the audit project, sometimes also referred to as the audit “terms of reference”. Planning for each audit requires serious consideration of the organization’s many risks and opportunities. Finally, in many companies, continuous auditing (ongoing audit evaluations) is being implemented for key systems and key transactions.

Thursday, June 23, 2011

Security Control: System and Communications Protection - Class: Technical

SC-1 SYSTEM AND COMMUNICATIONS PROTECTION POLICY AND PROCEDURES


Control

The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented, system and communications protection policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

Supplemental Guidance

The system and communications protection policy and procedures are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance. The system and communications protection policy can be included as part of the general information security policy for the organization. System and communications protection procedures can be developed for the security program in general, and for a particular information system, when required. NIST Special Publication 800-12 provides guidance on security policies and procedures.

Control Enhancements

None.

LOW: SC-1 | MOD: SC-1 | HIGH: SC-1

SC-2 APPLICATION PARTITIONING


Control

The information system separates user functionality (including user interface services) from information system management functionality.

Supplemental Guidance

The information system physically or logically separates user interface services (e.g., public web pages) from information storage and management services (e.g., database management). Separation may be accomplished through the use of different computers, different central processing units, different instances of the operating system, different network addresses, combinations of these methods, or other methods as appropriate.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-2 | HIGH: SC-2

SC-3 SECURITY FUNCTION ISOLATION


Control

The information system isolates security functions from nonsecurity functions.

Supplemental Guidance

The information system isolates security functions from nonsecurity functions by means of partitions, domains, etc., including control of access to and integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.

Control Enhancements

(1) The information system employs underlying hardware separation mechanisms to facilitate security function isolation.

(2) The information system further divides the security functions with the functions enforcing access and information flow control isolated and protected from both nonsecurity functions and from other security functions.

(3) The information system minimizes the amount of nonsecurity functions included within the isolation boundary containing security functions.

(4) The information system security maintains its security functions in largely independent modules that avoid unnecessary interactions between modules.

(5) The information system security maintains its security functions in a layered structure minimizing interactions between layers of the design.

LOW: Not Selected | MOD: Not Selected | HIGH: SC-3

SC-4 INFORMATION REMNANTS


Control

The information system prevents unauthorized and unintended information transfer via shared system resources.

Supplemental Guidance

Control of information system remnants, sometimes referred to as object reuse, prevents information, including encrypted representations of information, produced by the actions of a prior user/role (or the actions of a process acting on behalf of a prior user/role) from being available to any current user/role (or current process) that obtains access to a shared system resource (e.g., registers, main memory, secondary storage) after that resource has been released back to the information system.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-4 | HIGH: SC-4
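The object-reuse problem SC-4 describes is easiest to see in a resource that an application manages itself and hands from one user to the next, such as a pool of I/O buffers. The following is an added illustration, not text or code from SP 800-53 or from this blog: a constructed buffer pool with a `scrub_on_release` switch. With scrubbing off, the second acquirer reads back what the first one wrote; with it on, the buffer is zeroed before it returns to the free list. The pool, the `residue_after_reuse` helper and the sample secret are all assumptions made for the demonstration.

```python
"""Scrub-on-release buffer pool: an added SC-4 (object reuse) illustration."""
from collections import deque


class BufferPool:
    """A pool of fixed-size bytearrays shared between successive users.

    scrub_on_release=False models the weak behaviour: a released buffer
    keeps the previous user's data and the next acquirer can read it.
    scrub_on_release=True overwrites the buffer with zeros before it goes
    back on the free list, so nothing from the prior user survives.
    """

    def __init__(self, count, size, scrub_on_release=True):
        self.size = size
        self.scrub_on_release = scrub_on_release
        self._free = deque(bytearray(size) for _ in range(count))
        self._in_use = set()  # ids of buffers currently handed out

    def acquire(self):
        if not self._free:
            raise RuntimeError("pool exhausted")
        buf = self._free.popleft()
        self._in_use.add(id(buf))
        return buf

    def release(self, buf):
        if id(buf) not in self._in_use:
            raise ValueError("buffer does not belong to this pool")
        self._in_use.discard(id(buf))
        if self.scrub_on_release:
            buf[:] = bytes(self.size)  # in-place zero fill before reuse
        self._free.append(buf)


def residue_after_reuse(scrub):
    """Simulate user A writing a secret, releasing the buffer, and user B
    acquiring the same buffer. Returns what user B sees before writing."""
    pool = BufferPool(count=1, size=16, scrub_on_release=scrub)
    buf = pool.acquire()
    secret = b"user-A-password!"  # constructed sample value, 16 bytes
    buf[:len(secret)] = secret
    pool.release(buf)
    buf_for_b = pool.acquire()  # the single buffer comes straight back
    return bytes(buf_for_b)


if __name__ == "__main__":
    print("without scrubbing:", residue_after_reuse(False))
    print("with scrubbing:   ", residue_after_reuse(True))
```

The pool stands in for any shared resource the control names (registers, memory, storage blocks); the point is that clearing has to happen at release, before the resource is visible to the next user or process, not lazily when it is next written.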

 

SC-5 DENIAL OF SERVICE PROTECTION


Control

The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list].

Supplemental Guidance

A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example, network perimeter devices can filter certain types of packets to protect devices on an organization’s internal network from being directly affected by denial of service attacks. Information systems that are publicly accessible can be protected by employing increased capacity and bandwidth combined with service redundancy.

Control Enhancements

(1) The information system restricts the ability of users to launch denial of service attacks against other information systems or networks.

(2) The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.

LOW: SC-5 | MOD: SC-5 | HIGH: SC-5
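Enhancement (2) of SC-5 talks about managing capacity so that a flooding source cannot exhaust what other clients need. One concrete way to do that is a per-source token bucket at the service or perimeter. The code below is an added example written for this page, not part of SP 800-53 and not the blog author's; the class names, the 5 requests/second budget and the constructed request trace (one source sending 100 requests in a second beside a source sending 3) are assumptions chosen to make the effect visible.

```python
"""Per-source token-bucket limiter: an added SC-5 (2) flooding illustration."""
import time
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float  # requests the source may still make right now
    last: float    # clock reading at the last refill


class PerSourceLimiter:
    """Each source gets `burst` tokens that refill at `rate_per_s` per second.
    A request costs one token; a source with no tokens is dropped, so one
    flooding source is capped without touching the budget of the others."""

    def __init__(self, rate_per_s, burst, clock=time.monotonic):
        self.rate = float(rate_per_s)
        self.burst = float(burst)
        self.clock = clock
        self._buckets = {}

    def allow(self, source):
        now = self.clock()
        bucket = self._buckets.get(source)
        if bucket is None:
            bucket = _Bucket(self.burst, now)
            self._buckets[source] = bucket
        # Refill in proportion to elapsed time, never beyond the burst size.
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate(requests, rate_per_s=5, burst=5):
    """Replay (time_s, source) requests through the limiter using a fake
    clock. Returns {source: (allowed, dropped)}."""
    fake_now = [0.0]
    limiter = PerSourceLimiter(rate_per_s, burst, clock=lambda: fake_now[0])
    stats = {}
    for t, source in sorted(requests):
        fake_now[0] = t
        allowed, dropped = stats.get(source, (0, 0))
        if limiter.allow(source):
            stats[source] = (allowed + 1, dropped)
        else:
            stats[source] = (allowed, dropped + 1)
    return stats


# Constructed trace: "flooder" sends 100 requests in one second,
# "normal" sends three requests in the same second.
SAMPLE_REQUESTS = [(i / 100.0, "flooder") for i in range(100)] + [
    (0.2, "normal"), (0.5, "normal"), (0.9, "normal"),
]

if __name__ == "__main__":
    for source, (ok, dropped) in simulate(SAMPLE_REQUESTS).items():
        print(f"{source}: {ok} allowed, {dropped} dropped")
```

With a 5-token burst and 5 tokens/second refill, the flooder gets its initial burst plus roughly one request per 200 ms (9 in total during the trace) while the normal client is never dropped. Limiting by source only helps against floods whose source identifier is stable; spoofed or widely distributed sources need the capacity and redundancy measures the supplemental guidance mentions.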

 

SC-6 RESOURCE PRIORITY


Control

The information system limits the use of resources by priority.

Supplemental Guidance

Priority protection ensures that a lower-priority process is not able to interfere with the information system servicing any higher-priority process.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-6 | HIGH: SC-6

SC-7 BOUNDARY PROTECTION


Control

The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.

Supplemental Guidance

Any connections to the Internet, or other external networks or information systems, occur through controlled interfaces (e.g., proxies, gateways, routers, firewalls, encrypted tunnels). The operational failure of the boundary protection mechanisms does not result in any unauthorized release of information outside of the information system boundary. Information system boundary protections at any designated alternate processing sites provide the same levels of protection as that of the primary site.

Control Enhancements

(1) The organization physically allocates publicly accessible information system components (e.g., public web servers) to separate subnetworks with separate, physical network interfaces. The organization prevents public access into the organization’s internal networks except as appropriately mediated.

LOW: SC-7 | MOD: SC-7 (1) | HIGH: SC-7 (1)

SC-8 TRANSMISSION INTEGRITY


Control

The information system protects the integrity of transmitted information.

Supplemental Guidance

The FIPS 199 security category (for integrity) of the information being transmitted should guide the decision on the use of cryptographic mechanisms. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.

Control Enhancements

(1) The organization employs cryptographic mechanisms to ensure recognition of changes to information during transmission unless otherwise protected by alternative physical measures (e.g., protective distribution systems).

LOW: Not Selected | MOD: SC-8 | HIGH: SC-8 (1)
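Enhancement (1) asks for a cryptographic mechanism that makes changes in transit recognisable. A keyed message authentication code over each frame is the usual way to meet that; the snippet below is an added example for this page (not from SP 800-53 or the blog) showing HMAC-SHA256 from the Python standard library used that way. The frame layout (sequence number, payload, tag), the demo key and the sample payload are assumptions made for the illustration; a real deployment would derive the key through a key-establishment process such as SC-12 describes.

```python
"""HMAC-protected frames: an added SC-8 (1) transmission-integrity illustration."""
import hashlib
import hmac
import struct

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build frame = 4-byte big-endian sequence number || payload || tag.
    The sequence number is inside the tagged data, so a replayed or
    reordered frame is caught as well as a modified one."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify(key: bytes, frame: bytes, expected_seq: int):
    """Return the payload if tag and sequence number check out, else None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    (seq,) = struct.unpack(">I", header)
    if seq != expected_seq:
        return None
    return body


def demo():
    """Send one frame, then show a tampered copy and a replay being rejected."""
    key = b"constructed-demo-key-not-for-real-use"  # assumption: shared secret
    frame = protect(key, 7, b"transfer 100 to acct 42")
    accepted = verify(key, frame, 7)
    tampered = bytearray(frame)
    tampered[10] ^= 0x01  # flip one bit inside the payload
    after_tamper = verify(key, bytes(tampered), 7)
    replayed = verify(key, frame, 8)  # receiver already expects seq 8
    return accepted, after_tamper, replayed


if __name__ == "__main__":
    print(demo())
```

Note that this covers integrity only: the payload travels in the clear, so SC-9 (transmission confidentiality) still needs a cipher, which the Python standard library does not provide.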

 

SC-9 TRANSMISSION CONFIDENTIALITY


Control

The information system protects the confidentiality of transmitted information.

Supplemental Guidance

The FIPS 199 security category (for confidentiality) of the information being transmitted should guide the decision on the use of cryptographic mechanisms. NSTISSI No. 7003 contains guidance on the use of Protective Distribution Systems.

Control Enhancements

(1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless protected by alternative physical measures (e.g., protective distribution systems).

LOW: Not Selected | MOD: SC-9 | HIGH: SC-9 (1)

SC-10 NETWORK DISCONNECT


Control

The information system terminates a network connection at the end of a session or after [Assignment: organization-defined time period] of inactivity.

Supplemental Guidance

None.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-10 | HIGH: SC-10
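SC-10 has two triggers: the session ends, or it sits idle for the organization-defined period. The following added example (written for this page, not taken from SP 800-53 or the blog) keeps a table of open sessions with their last activity time and sweeps it on a timer; the session identifiers, the 600-second idle limit and the event trace are constructed assumptions.

```python
"""Idle-session sweeper: an added SC-10 (network disconnect) illustration."""


class SessionTable:
    """Tracks the last activity time of each open session and terminates
    those the peer has ended and those idle for at least `idle_limit_s`."""

    def __init__(self, idle_limit_s):
        self.idle_limit_s = idle_limit_s
        self._last_seen = {}   # session id -> last activity time (seconds)
        self.terminated = []   # (session id, reason) in termination order

    def open(self, sid, now):
        self._last_seen[sid] = now

    def activity(self, sid, now):
        # Any traffic on a known session resets its idle clock.
        if sid in self._last_seen:
            self._last_seen[sid] = now

    def end(self, sid):
        # End of session: terminate at once, whatever the idle time.
        if self._last_seen.pop(sid, None) is not None:
            self.terminated.append((sid, "end-of-session"))

    def sweep(self, now):
        # Periodic check: terminate every session idle for the full limit.
        expired = sorted(s for s, t in self._last_seen.items()
                         if now - t >= self.idle_limit_s)
        for sid in expired:
            del self._last_seen[sid]
            self.terminated.append((sid, "idle-timeout"))
        return expired

    def open_sessions(self):
        return sorted(self._last_seen)


def replay(events, idle_limit_s=600):
    """Drive a SessionTable from (time_s, action, session id) events and
    return (terminations, sessions still open)."""
    table = SessionTable(idle_limit_s)
    for t, action, sid in events:
        if action == "open":
            table.open(sid, t)
        elif action == "data":
            table.activity(sid, t)
        elif action == "close":
            table.end(sid)
        elif action == "sweep":
            table.sweep(t)
    return table.terminated, table.open_sessions()


# Constructed trace (seconds since start): s1 keeps talking, s2 goes quiet,
# s3 is closed by its user.
TRACE = [
    (0,    "open",  "s1"),
    (0,    "open",  "s2"),
    (0,    "open",  "s3"),
    (300,  "data",  "s1"),
    (400,  "close", "s3"),
    (600,  "sweep", None),   # s2 idle 600 s -> cut; s1 idle 300 s -> kept
    (900,  "data",  "s1"),
    (1500, "sweep", None),   # s1 now idle 600 s -> cut
]

if __name__ == "__main__":
    print(replay(TRACE))
```

The sweep interval bounds how long a session can outlive the limit, so it should be short relative to the organization-defined period; the table also needs to be the place where the connection is actually torn down, otherwise the bookkeeping and the real socket drift apart.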

 

SC-11 TRUSTED PATH


Control

The information system establishes a trusted communications path between the user and the security functionality of the system.

Supplemental Guidance

None.

Control Enhancements

None.

LOW: Not Selected | MOD: Not Selected | HIGH: Not Selected

SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT


Control

The information system employs automated mechanisms with supporting procedures or manual procedures for cryptographic key establishment and key management.

Supplemental Guidance

NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-12 | HIGH: SC-12

SC-13 USE OF VALIDATED CRYPTOGRAPHY


Control

When cryptography is employed within the information system, the system performs all cryptographic operations (including key generation) using FIPS 140-2 validated cryptographic modules operating in approved modes of operation.

Supplemental Guidance

NIST Special Publication 800-56 provides guidance on cryptographic key establishment. NIST Special Publication 800-57 provides guidance on cryptographic key management.

Control Enhancements

None.

LOW: SC-13 | MOD: SC-13 | HIGH: SC-13

SC-14 PUBLIC ACCESS PROTECTIONS


Control

For publicly available systems, the information system protects the integrity of the information and applications.

Supplemental Guidance

None.

Control Enhancements

None.

LOW: SC-14 | MOD: SC-14 | HIGH: SC-14

SC-15 COLLABORATIVE COMPUTING


Control

The information system prohibits remote activation of collaborative computing mechanisms (e.g., video and audio conferencing) and provides an explicit indication of use to the local users (e.g., use of camera or microphone).

Supplemental Guidance

None.

Control Enhancements

(1) The information system provides physical disconnect of camera and microphone in a manner that supports ease of use.

LOW: Not Selected | MOD: SC-15 | HIGH: SC-15

SC-16 TRANSMISSION OF SECURITY PARAMETERS


Control

The information system reliably associates security parameters (e.g., security labels and markings) with information exchanged between information systems.

Supplemental Guidance

Security parameters may be explicitly or implicitly associated with the information contained within the information system.

Control Enhancements

None.

LOW: Not Selected | MOD: Not Selected | HIGH: Not Selected

SC-17 PUBLIC KEY INFRASTRUCTURE CERTIFICATES


Control

The organization develops and implements a certificate policy and certification practice statement for the issuance of public key certificates used in the information system.

Supplemental Guidance

Registration to receive a public key certificate includes authorization by a supervisor or a responsible official, and is done by a secure process that verifies the identity of the certificate holder and ensures that the certificate is issued to the intended party. NIST Special Publication 800-63 provides guidance on remote electronic authentication.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-17 | HIGH: SC-17

SC-18 MOBILE CODE


Control

The organization: (i) establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously; and (ii) documents, monitors, and controls the use of mobile code within the information system. Appropriate organizational officials authorize the use of mobile code.

Supplemental Guidance

Mobile code technologies include, for example, Java, JavaScript, ActiveX, PDF, Postscript, Shockwave movies, Flash animations, and VBScript. Usage restrictions and implementation guidance apply to both the selection and use of mobile code installed on organizational servers and mobile code downloaded and executed on individual workstations. Control procedures prevent the development, acquisition, or introduction of unacceptable mobile code within the information system. NIST Special Publication 800-28 provides guidance on active content and mobile code. Additional information on risk-based approaches for the implementation of mobile code technologies can be found at: http://iase.disa.mil/mcp/index.html.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-18 | HIGH: SC-18

SC-19 VOICE OVER INTERNET PROTOCOL


Control

The organization: (i) establishes usage restrictions and implementation guidance for Voice Over Internet Protocol (VOIP) technologies based on the potential to cause damage to the information system if used maliciously; and (ii) documents, monitors, and controls the use of VOIP within the information system. Appropriate organizational officials authorize the use of VOIP.

Supplemental Guidance

NIST Special Publication 800-58 provides guidance on security considerations for VOIP technologies employed in information systems.

Control Enhancements

None.

LOW: Not Selected | MOD: SC-19 | HIGH: SC-19

Wednesday, June 22, 2011

What Is the New IT Governance Paradigm?

This section concludes the chapter on Integration Strategies and Tactics for IT Governance. It summarizes the main lessons learned and, building on the previous sections, presents a new IT Governance paradigm. The closing part outlines directions and opportunities for practitioners and researchers of IT Governance.

 

What Have We Learned? Implications for Management


Despite the many bridges that remain to be crossed in the theories and practices of IT Governance, there are a number of important lessons learned over the past decades, which were addressed in this chapter. When contemplating and/or studying IT Governance, both executives and researchers would do well to consider these lessons.

 

Amidst the challenges and changes of the 21st century, involving hyper-competitive market spaces, electronically-enabled global network businesses, and corporate governance reform, IT Governance has become a fundamental business imperative. IT Governance is a top management priority, and rightfully so, because it is the single most important determinant of IT value realization.

IT Governance is the system by which an organization's IT portfolio is directed and controlled. IT Governance describes (1) the distribution of IT decision-making rights and responsibilities among different stakeholders in the organization, and (2) the rules and procedures for making and monitoring decisions on strategic IT concerns. IT Governance is thus corporate governance focused on IT, and it is not (only) the responsibility of the CIO or the organization of the IT function, in which an 'old new' IT management form is introduced to choose between centralization or decentralization.

The terms centralization and decentralization provide a dichotomy that is meaningless when applied as a generality to IT Governance. Centralization or decentralization can be applied to each of the main IT capabilities in the IT portfolio, yielding distinct patterns of federal IT Governance. The federal IT Governance model is currently the dominant model in contemporary organizations, as they seek to combine the benefits of synergy, standardization and specialization with the advantages of autonomy, innovation and flexibility.

The dominance of the federal IT Governance model is a strategic response to the needs of strategic flexibility and dynamic stability in contemporary organizations and markets, in which both business and IT organizations are adopting multiple, complementary value drivers. However, it should be emphasized that redesigning for federalism challenges managers in local business units to surrender control over certain business-specific IT domains for the well-being of the enterprise, and to develop business-to-corporate and business-to-IT partnerships.

An IT Governance architecture recognizes this coordination challenge, and emphasizes the need to take a holistic systems view of IT Governance. An IT Governance architecture is defined as the manner in which responsibilities and accountabilities for the IT portfolio are organized and integrated, and describes the differentiation and integration of strategic decision-making for IT (Peterson, 2001). Four types of integration strategies, each consisting of several integration tactics and integration mechanisms, can be employed to assure the level of coordination capability in the IT Governance architecture. Embedding the IT Governance architecture in the enterprise architecture and aligning IT Governance with IT value drivers enables an organization to realize its business value drivers.

Consequently, diagnosing the IT Governance architecture and developing a balanced strategic measurement system to assess and track IT Governance effectiveness is essential. Applying the IT Governance diagnostic diamond and utilizing the proposed step-wise approach provides a diagnosis of the suitability of the existing IT Governance architecture, and identifies strategic discrepancies with the future, desirable position, and measures to redesign and improve the IT Governance architecture in terms of strategic flexibility and dynamic stability.

 

Toward a New IT Governance Paradigm


Until recently, efficiency was the keyword in designing IT Governance. This made sense in a world characterized by a stable placid environment, in which neither the core technology nor the markets in which companies were operating changed drastically over time. Organizations could afford to use a 'command-and-control' structure to govern IT. However, with the business imperatives and new enterprise logic of strategic flexibility and dynamic stability, this 'old' IT Governance paradigm no longer seems viable, nor prudent.

 

Rather than being a system of command-and-control, focusing on the locus of IT decision-making authority, this chapter concludes that effective IT Governance in contemporary organizations is more likely to resemble a network of multiple business-IT collaborative relationships based on competencies and flexibility. IT Governance is less about who is hierarchically positioned to be in control, and more about the complementary — business and IT — competencies an organization possesses, and how it can integrate these in order to develop the strategic flexibility required for realizing and sustaining business value from IT in a complex and dynamic environment. The emerging IT Governance paradigm is based on principles of collaboration, competency and flexibility — not control, authority and efficiency.

These principles of the emerging IT Governance paradigm underscore and reaffirm the importance of flexible management systems in complex and uncertain environments. The organizing logic in the emerging IT Governance paradigm is characterized by a collaborative network structure, where communication is more likely to be lateral, task definitions are more fluid and flexible — related to competencies and skills, rather than being a function of position in the organization — and where influencing of business-IT decisions is based on expertise rather than an individual (or group's) position in the hierarchy.

In collaborative relationships between business and IT stakeholder constituencies, managers work together to understand business and IT competencies, opportunities, risks and benefits. This collaborative relationship demands that both business and IT managers take responsibility for business operations and IT innovation, which is achievable only when stakeholder constituencies share their unique expertise and competencies. This emerging paradigm for IT Governance is based on a 'philosophy' of collaboration in which the need for distinct competencies is recognized, the competencies are developed, and they are shared adaptively across functional, organizational, cultural and geographic boundaries.

 

Directions and Opportunities for Future Research


In Spanish there is a saying, "el camino se hace al caminar", which roughly translates into English as "the road is paved as you go". While we have come a long way in understanding and implementing strategies for IT Governance, and designing effective IT Governance architectures, the real journey still lies ahead of us. Specifically, there are (at least) five areas of theoretical and empirical study that seem particularly fruitful for future research and practice of IT Governance. These are:

 

1. The development and integration of multiple complementary business and IT value drivers, e.g., how do organizations and networks of organizations develop and integrate the multiplicity of business and IT value drivers? How do organizations develop the requisite capabilities to become strategically flexible and dynamically stable?

2. The development of lateral coordination capability and value conversion process maturity, e.g., what are the interrelations between the different integration strategies and tactics? Is relational integration dependent upon formal integration, or does it enable formal integration? Are certain integration mechanisms 'multi-modal', i.e., do they facilitate more than one integration strategy?

3. The alignment of the IT Governance architecture with IT value drivers and the enterprise architecture, e.g., how do organizations evolve and maintain such a complex and dynamic alignment? Are there different paths to aligning the IT Governance architecture?

4. The application of the IT Governance diagnostic diamond, e.g., what are the experiences of (other) organizations applying the IT Governance diagnostic diamond? What actions does an organization take after diagnosing IT Governance effectiveness?

5. The emerging IT Governance paradigm, e.g., how can the new principles be operationalized for research and practice? Is this emerging paradigm typical for contemporary firms in Europe, or are these principles also emerging in other continents? And what about the 'dot.coms'?

 

These five directions provide ample opportunities to expand our knowledge on strategies for IT Governance, and will enable us — executives and researchers — to improve IT Governance effectiveness.

Saturday, June 18, 2011

Low Cost Data Recovery Services Philadelphia

Recover lost data for only US$15, flat rate. The lowest cost of data recovery you can find in Philadelphia and around the world.

Our low cost online data recovery service in Philadelphia has helped many people recover lost data in Philadelphia and around the world. The high cost of data recovery has led us to find a way to help people.

Our online data recovery service has the experience and technical expertise to handle any type of data loss situation, such as accidentally deleting your data, a hard disk partition suddenly lost because of a virus or system instability, a hard disk formatted or re-partitioned by other technicians with all your valuable data gone, and many other logical problems.

Our data recovery services in Philadelphia feature the industry’s most advanced recovery tools, proprietary techniques, and the best experts in the business working to recover lost data.

Online data recovery saves time and money because your files can be recovered in a matter of hours instead of days. Plus, recovering your data remotely can be done from the convenience of your office or home.

Contact our online data recovery expert for any inquiry and free consultation.

Tag: Data Recovery Services Philadelphia

Free File Encryption Software



  • 4t HIT Mail Privacy Lite - Sends and receives private data hidden in images of various types by using a strong encrypting algorithm.

  • ABC CHAOS - A program which is able to encrypt and decrypt files of every type and even whole directory structures using strong encryption.

  • Chaos Mash - Offers 30 different ways to encrypt a file along with a personalized key for decrypting it.

  • Crypto Anywhere - OpenPGP Edition - Allows for secure email encryption on the move, and can run from floppy or USB drive.

  • Cryptomathic File2File - A password based file encryption solution for the Windows platform. It is free for private use.

  • DataRescue - The aCrypt software allows the user to encrypt files and send them via email to others without the software.

  • HandyBits EasyCrypto - Creates self-extracting, encrypted files through the use of the common Blowfish algorithm.

  • Inv Softworks LLC. - Free lite versions of commercial software, Kryptel Lite and Iron Key.

  • ROT-13 Encryptor & Decryptor - Web form to encode and decode ROT13, a simple letter substitution encryption scheme.

  • Secure Hive Freeware - Encrypts files for archiving and sharing of parts of, or entire documents.

  • The Global Solutions Group - A collection of free encryption software.

  • TrueCrypt - Open-source free on-the-fly disk encryption for Windows, Mac OS and GNU/Linux. It can encrypt partitions or create virtual encrypted disks within files. Implemented ciphers: AES-256, Blowfish (448-bit key), 3DES, Serpent, Twofish. Provides plausible deniability.


Friday, June 17, 2011

Recover Unsaved Drafts of Documents with MS Office 2010

http://www.makeuseof.com/tag/recover-unsaved-ms-word-2010-document-seconds/#disqus_thread - unsaved drafts are now kept for 4 days. That means if you never bother to save a document, spreadsheet or presentation, you can still retrieve it with MS Office 2010.

Thursday, June 16, 2011

Laptop Data Backup and Keeping the Hard Drive Cool

There can be no mistake about the fact that more than one million laptops have been stolen over the years in Europe alone. Every time a laptop is stolen, chances are it will not be found. If there is no backup of the information, the owner will be left with no laptop and, even worse, no data.

The only downside of laptops is that they do not offer as much storage or as many security measures as a desktop PC. Desktop computers have much more power and can do things (including backups) in a fraction of the time.

The easiest and quickest way to back up your laptop data is to use an online backup service. Depending on your Internet connection, the backup may take from several minutes to several hours. Although it takes time, afterwards you have the satisfaction of knowing that your data is there if something should happen.

Cooling of the hard disk

For various reasons, the storage of data is a very important part of a computer. These days, computers do much more than they ever have in the past. From business files to family photos, storage is how documents are kept on your computer. The most popular storage method is the hard drive, which we all rely on to safely maintain our data.

One area that suffers from overheating is the hard disk platters, the magnetic media. The platters hold the data that is read throughout the hard drive. Platters are made of optical glass, aluminum, or ceramic and are normally coated with a layer of magnetic material. Once the hard drive begins to heat up, the platters expand, which changes their size. When this happens, the magnetic surface of the platters is damaged, resulting in a loss of data. If the physical surface of the platters is damaged, the result is unreadable sectors.

To prevent your hard drive from overheating, you should always ensure that the disk is properly cooled and well ventilated. You can always buy additional fans and coolers, which improve ventilation and airflow in your computer. Fans and coolers are available at affordable prices, making them an ideal investment for protecting your hard drive or drives.

Information Security governance - Establishing a Secure Culture


The process of developing a secure environment seems relatively straightforward on the surface: The organization establishes a governing security council in the form of a security committee, policy workshops establish rules and procedures, equipment lays the physical foundation for a secure structure, and employees work diligently to implement all that was laid out before them. But the establishment of a secure culture requires select components that are fundamentally more comprehensive than those stated. Senior executives, along with members of the board, must infuse the program into each of the organization's dealings by doing the following things:

  • Securing the physical business

  • Securing business relationships

  • Securing the homeland



Securing the Physical Business


Enhanced security operates preventatively, minimizing potential distractions by proactively addressing potential vulnerabilities. Enhanced security can aid organizations in the following ways:

  • Securing against attacks, whether intentional or inadvertent

  • Protecting its revenue stream, from unnecessary downtime to loss of revenue

  • Safekeeping proprietary and classified information, from trade secrets to databases

  • Establishing an equipment implementation road map to address long-term security planning

  • Ensuring that independent divisions and remote offices comply with corporate security directives, including the implementation of similar security policies and reporting structures

  • Implementing content-managing programs, such as URL filtering, that can control Internet access and manage content flow on a corporate network

  • Creating an overall Triple-I program, as follows:

    - Initiate a comprehensive security policy program that focuses on continual renewal

    - Implement the comprehensive security policy program systematically throughout the organization

    - Instill in every executive, department leader, manager, and employee that he or she is an integral component of the security initiative



In essence, developing a structure that incorporates security into the business model can aid the firm in fully acknowledging its reliance on IT, compelling it to address the risks inherent in that reliance while ensuring that it acts in a manner that befits the firm's tolerance for said risk.


Securing Business Relationships


Simply informing staff that precautions must be taken when performing everyday tasks is sometimes not enough. Many employees need to understand the implications of under-security, be it equipment or user related. Similarly, business partners must be aware that enhanced security is in place and, equally important, that security is implicit in all intercompany dealings.

This section explores the following topics:

  • Engaging the workforce to better solidify security and build effective relationships

  • Creating a sense of security



Engaging the Workforce to Better Solidify Security and Build Effective Relationships

An organization should engage its work force, both managers and individual employees, in fundamental discussions concerning the ever-increasing need for greater security. Depending on an organization's end product, certain staff members might have the misguided impression that an organization could do no wrong in the eyes of its customers or, even if it did, customers had few or limited options.

The reality is that customers, clients, suppliers, partners, and associates typically have a multitude of sources and outlets. Should company A, for example, fail to implement appropriate cyber-security measures, those firms with which company A has business dealings can experience a heightened sense of vulnerability. Concern might stem from the premise that company A's under-security could pose an unacceptable level of risk, or even potential breach of trust, for its partners. The resultant negative implications could necessitate the severing of ties, regardless of how close a business relationship might once have been.

Employees who recognize the role they can play in helping to better secure the organization every day can naturally help to convey a greater sense of security's priority to an organization's customers, partners, suppliers, and associates.


Creating a Sense of Security

If a company uses a DMZ server to accept purchase orders, as an example, its customers should be able to implicitly trust the organization's ability to protect financial data, ordering information, or any other pertinent correspondence between buyer and seller. Customers understand, albeit only fleetingly, when DMZ servers are momentarily unavailable, but their empathy quickly dissipates when the waiting time to reconnect is too long or if they suspect that information they readily shared was compromised. Should the latter occur and a customer believe he can substantiate a case for possible negligence, under-security could pose a more serious threat. The issues of jurisprudence and negligence are more thoroughly explored in Chapter 11.

Organizations might initiate formal connections with other firms to efficiently feed a just-in-time production line, using supply-chain methodologies to move product to a line faster while reducing the amount of time raw goods must be maintained as work in progress (WIP). The need for greater efficiency drives most initiatives, but both sides of a partnership must have confidence that minimum acceptable security measures are in effect before trust, however fleeting it might be, is initiated.

Service level agreements (SLAs) can be used to ensure that certain minimum standards are formally in effect among customers, suppliers, and partners. Similarly, an Internet service provider (ISP) can demand that its customers maintain specific security levels before being allowed to connect, to ensure that the ISP and its other customers are not made unnecessarily vulnerable.

The weakest-link scenario is highly prevalent in this arena. Organizations choose to implement security measures that are relevant to their tolerance for risk, but without acknowledging the security practices of those partners and suppliers with whom they connect electronically, their substantial investment in security could be for naught. Business partners who choose to connect electronically with one another, through an extranet as an example, can inherit the other's security posture. Either network is only as strong as the weakest link that exists on either side, because all system aspects, whether positive or negative, are potentially assumed whenever organizations join their systems.

Business transactions over the Internet are increasingly on the rise, resulting in organizations having long since abandoned the practice of operating in the equivalent of hermetically sealed environments. Organizations that can swiftly recognize potential weaknesses in partners with whom they are actively engaged in trust relationships can ensure that security diligence is always at the fore in preventatively addressing potential issues long before they can become true vulnerabilities.


Securing the Homeland


The homeland has grown to become synonymous with the country, but at its core, the homeland encompasses every person, partner, customer, supplier, company, policy, program, practice, and even equipment with which an organization comes into contact.

This section explores the following topics:

  • Incident reporting

  • Equipment path

  • Acknowledging vulnerable points



Incident Reporting

It is often thought that the advent of mass media has brought about an increase in the level of urban crime. But the reality is that in many instances, misdeeds were simply getting reported more regularly; the actual numbers of incidents were not necessarily on the rise. While publicizing events can have the effect of stirring other individuals into performing similar acts, more often than not, an increase in raw numbers is simply a representation of people coming forward with their own stories of woe after having read about similar cases in the media. What might appear to be an epidemic is merely silenced victims speaking up. The public justice system might take notice, and certain measures might be enacted to deal with the so-called epidemic. Had individuals not come forward with their personal accounts, an issue might never have been recognized as being so prevalent across a community.

This scenario is analogous to organizations that are contending with cyber-crime today. It is incumbent upon every organization that has been knowingly targeted or infiltrated to report any incident to state, local, and federal officials and to organizations such as CERT. In the CSI/FBI Computer Crime and Security Survey, April 2004, only 34% of respondents admitted reporting cyber-attacks to law enforcement officials. While the number could be significantly higher, it is up markedly from 1996, when the Computer Security Institute started tracking such information. However, the insistence of executive management and the board is required to ensure that these numbers continue to rise.

Debate and policy discussions are occurring in political legislatures around the globe, as politicians attempt to combat the effects of cyber-crime. But every incident needs to be reported so that the epidemic of cyber-crime, should it be an epidemic, is addressed in an effective legislative manner. Without specific knowledge of every incident, governments are at a disadvantage when attempting to fashion legislation that is both viable and relevant.

There is a natural reticence to report cyber-crimes. Companies fear that competitors will sense vulnerability and that customers will fear for their own safety. The reality is that most organizations are equally vulnerable in many respects, and the more that cyber-crimes are publicized, the better it will ultimately be for all corporate users. Should a breach occur, competitors and customers will likely discover the breach at some point anyway, possibly at a most inopportune time. Being forthcoming when it occurs ensures that the company is not only a good net citizen, or netizen, but also, under the maxim "if you cannot hide it, then feature it," that with some ingenuity from the marketing department the negative event could be spun into a long-term positive gain.

In the end, it is incumbent upon executive management and the board to ensure that cyber-crime perpetrated on their organization is effectively reported to appropriate state, local, and federal officials. Delivering that message to all senior managers can ensure that the board's need for cyber-security transparency is always respected.


Equipment Path

Developing a greater security structure is not a one-time expenditure. Even if the potential for attacks were markedly reduced, annual updates and training would still be part of every systems administrator's job function. But the world is continually in flux, and unforeseen cyber-issues could occur at any time. The challenge facing system administrators, and the equipment they are responsible for, is ensuring that both themselves and the equipment are appropriately optimized to deal with any new threats in an effective manner.

An equipment road map, coupled with an organization's desired security posture, as presented in Chapter 4, "Putting It All Together: Threats and Security Equipment," can aid a company in its goal to effectively and preventatively protect itself. Ongoing training of system administrators and their alternates, along with a scheduled program of maintenance, product upgrades, and a path to determine the need for new product implementation, can help to keep organizations proactively protected.

As long as threats continue to exist and the amount of business transactions over the Internet continues to increase, the need to continually revisit security initiatives, both equipment and personnel, remains a top priority for organizations. It is up to executive management and the board to ensure that critical awareness is at the forefront of every user's agenda.


Acknowledging Vulnerable Points

Many have believed of late that organizations are becoming increasingly vulnerable to attacks from within their own operations, be they intentional or inadvertent. Organizations responded preventatively, ensuring that potential attackers who might have been residing comfortably within their walls were appropriately addressed. The release of the 2004 CSI/FBI survey[2] reveals that the gap between internal and external intrusions has narrowed and is now fairly evenly split. The UK-PWC survey 2004[3] reveals a marked difference, whereby 64% of large business respondents state that their worst breaches emanated from staff misuse of information systems. The differing experiences show that the issue is still quite fluid, and organizations would be well advised to remain on high alert against both internal and external potential vulnerabilities.

An organization can be well served by using independent security auditors to test and evaluate its security policy and practices. Similar to quality auditors, independent security analyses can check the aptness of internal policies and determine whether remote offices and organizational divisions are implementing the policies in a manner that is consistent with corporate expectation. It is important to note that security initiatives are similar to every other fundamental program in which a company might engage: Activities that must be carried out across an organization require executive and board involvement to ensure that they are effectively and consistently implemented.

Improved and Best Features of Windows 7 You Cannot Find in Other OS

Microsoft promised a new and better operating system when it introduced Windows 7 to the public. After the January 9 release of the beta version of Windows 7, beta testers discovered several enhanced features and functionalities in Windows 7 that you will not find in other versions of Windows.

Here is a list of the most significant upgrades and new features that Windows 7 can offer:

First, Windows 7 significantly improved the speed of loading programs and applications on your computer. This is a performance upgrade especially for Vista users who have been complaining about the speed of booting the system and opening programs.

A clear example of this improved performance is evident when you open Internet Explorer. The program will load in just 2 seconds, which can improve your online productivity.

Second, Windows 7 can detect and run most device and hardware drivers. Compatibility has been a major issue with Vista, and Windows 7 rectified this. You can even install new device drivers without encountering serious glitches.

Third, Windows 7 improved the networking utility. Specifically, the Networking and Sharing Center is no longer convoluted. It has become user friendly, with a clearer graphical user interface. You will be able to easily access your Networking Center by simply clicking on your Local Area Connection.

Finally, Windows 7 improved active window management. By hovering over an active program, you will get a preview of its active windows, enabling you to quickly jump to your documents or applications.

There are still other significant upgrades you can find in Windows 7. Simply download the beta version in order to experience its improved user interface.

Wednesday, June 15, 2011

The Role of Trust in Information Security

Trust is a firm belief in the veracity, good faith, and honesty of another party, with respect to a transaction that involves some risk. For example, when you give your credit card to the waiter at a restaurant, you are expressing trust that the waiter will use the credit card to process a transaction that will pay for your meal. You expect that that transaction will be the only one processed and that the waiter won't steal the credit card number for some other purpose. The only time I've ever had my credit card number stolen was in a restaurant, and yet I still blithely hand my credit card over to any waiter who comes along. There is clearly risk, but I take it because I'm convinced that the risk is small. Most of us don't consciously think about the risk of using a credit card to pay for a meal; we evaluate the risk intuitively based on a variety of factors including our previous experience, the way the restaurant looks, and, perhaps most importantly, beliefs about the credit card company indemnifying us beyond a certain point.

There's no doubt that trust is linked to risk when we consider who we're willing to trust with what. I may trust a particular person to fix my car, but not to baby-sit my children. Trust is based not just on the entities involved in the transaction, but also on their roles and the particulars of the transaction.

Trust is something I grant to or withhold from others; they cannot hold it for me. I can adjust it or revoke it completely, at any time. This leads to some important trust properties.

  • Trust is transitive only in very specific circumstances. For example, if Alice trusts Bob's taste in music and Bob trusted Carol to select songs for the last party, Alice may be willing to trust Carol to pick the songs for her party.

  • Trust cannot be shared. If Alice trusts Bob and Alice trusts Carol, it doesn't necessarily follow that Bob trusts Carol.

  • Trust is not symmetric. Just because you trust me, doesn't mean that I trust you.

  • Trustworthiness cannot be self-declared. This is so self-evident that the phrase "trust me" has become a cliché sure to get a laugh.


In the world of digital identity, trust is generally linked to a particular set of identity credentials and the attributes associated with them. I may have several email addresses, for example, and even though they all belong to me, people may see them in different contexts and trust a request contained in an email from my work address, for example, more than they do from my Gmail account.

Trust and Evidence


One day I went to the store to buy a disposable camera for my son to take to an activity. As I stood before the display rack, I pondered which of several choices I should buy. One bore the brand of a reputable company with a strong reputation in the world of photography. The other camera bore the house brand of the store I was at. The house-branded camera was $1 cheaper than the camera with the national brand. I bought the more expensive camera, even though they may have actually been manufactured in the same facility on the same day. Why? Because the brand was evidence that I could trust that the camera would work and the film would be good quality. The $1 extra that this evidence cost me seemed a reasonable trade-off to avoid the risk of missing the shots.

Just as in the physical world, trust in a digital identity is ultimately based on some set of evidence. For example, when you log into your computer, you present an identity in the form of a user ID and evidence that you are the person to whom that ID refers by typing in a password. The password is evidence that the computer should trust that you are who you say you are.

Sometimes the evidence for trust in a computer-based transaction is explicit and automatically collected as in our password example. At other times, the evidence is present but less visible than in physical situations. For example, when I conduct an electronic transaction at Amazon.com, their digital certificate presents evidence to my browser that I'm really dealing with Amazon.com and not an imposter just trying to steal my credit card number. While this happens automatically, few people pay much attention to the trust marks that the browser presents (such as the little padlock indicating a secure transaction) and fewer still ever ask to see the details that their browser hides from view. The recent increase in phishing scams, where criminals pose as a legitimate online business in order to steal identity information, is evidence of this.

Passwords, digital certificates, biometrics, and the like are all examples of evidence that can be presented to show authenticity for a particular set of digital identity credentials. One of the chief impediments to flexible digital identity infrastructures is that current methods of managing policy and trust are inflexible, slow, and costly. New requirements, such as federation of identities across corporate boundaries, exacerbate the problem. There is considerable work taking place on languages for expressing policy. The ultimate goal of such policy languages is to create machine-readable policies that are consistent, adaptable, and function in heterogeneous environments. The current state of the art in policy management is still quite a way from this ideal condition.

Trust and Risk


Trust can be difficult to quantify. Do I trust Alice more than Bob? Why? Unfortunately, when evaluating the effectiveness of identity policies, we need to be able to quantify the trustworthiness of a system, method, or technique. Fortunately, we don't ultimately have to measure our trust in a system or approach; rather, we can try to quantify the risk of a particular business process and balance that risk with the expected rewards or returns. Businesses have been analyzing risk for years.

Analyzed in this way, for each business process, we have to be able to give a measure of the risk that the digital identity infrastructure will fail to perform as required for that particular business process. To answer these questions, we need to have a detailed understanding of the systems and processes that make up the digital identity infrastructure, including detailed assessments of the required interactions with partners and their ability to perform as required. Further, we have to quantify the potential losses and their probabilities.

Often, for processes that have been in place for some time, we can use historical measurements to determine the expected level of risk. This assumes that the processes used to manage the digital identity infrastructure include system and outcome monitoring and tracking.

One way to manage risk is with service level agreements, or SLAs. SLAs are nothing more than contracts that set expectations around what you are promising and what the consequences will be of failing to deliver. A complete discussion of SLAs and risk management is beyond the scope of this book, but should play a part in your digital identity strategy.

Reputation and Trust Communities


I just bought a cell phone cover on eBay from someone in Hong Kong. Normally, I'd consider an international purchase pretty risky. But eBay provides a means for me to gain trust in someone living in Hong Kong. The trust is based on feedback from other eBay users. Each time an eBay seller completes a transaction, the buyer can rate the seller on a number of different points. When I bought my cell phone cover, I was able to review the seller's history on eBay and determine that other buyers were happy with their interactions with this seller. In the same way, sellers can see a buyer's reputation to determine if the buyer is trustworthy and therefore likely to complete the transaction. eBay's feedback system creates a social network wherein reputation can flourish. This social network aggregates the reputations of eBay buyers and sellers into a community of trust.

In that way, eBay is like a village where trustworthiness is based on one's reputation. First-time sellers, like strangers in the village, have no reputation and are thus viewed with suspicion. Over time, this changes for better or worse depending on the actions of the person. On eBay, identities, rather than people, gain a reputation over time, and that reputation can be used to judge a particular buyer or seller.

eBay, of course, is not the only example of a system where this kind of trust community has developed. MSN Messenger, for example, serves as the infrastructure that supports a community for securities traders. Over the course of time, individual traders, identified by the MSN Messenger ID, build a reputation based on what they say and do.

Similarly, over time, people build up trust in the email addresses of people with whom they've interacted. Unfortunately, as we've seen, the lack of credible authentication for those identities makes them subject to exploitation by email worms and viruses.

Given that communities of trust are so important to trustworthy interactions, we might ask how they are constructed. A community of trust has five components:

  • Governance, which describes the operating rules, roles and responsibilities, and legal validity of the policy

  • People or other entities involved in the trust relationships

  • Processes for performing operations and transactions

  • Technology tools, including software and hardware

  • A viable economic model


Let's look at how each component plays a part on eBay. First of all, eBay has established a set of rules and policies about how sellers and buyers should act and what they can and can't find out about each other. Buyers and sellers are represented by digital identities that are protected by an authentication system. There is a process for establishing feedback, and this process is embodied in the feedback tools that are part of the eBay site. Finally, the economics of this trust community are simple: the sellers pay for any costs needed to maintain the system out of their commissions. Moreover, the buyers and sellers carry the risk of the transaction, not eBay, which cuts the cost dramatically.

In contrast, Public Key Infrastructure (PKI) is an example of a technology that has failed to develop a widespread community of trust, at least among individual users. It's true that many have struggled with the technology and tools (current tools are too complex), but more importantly, the economics of widely issuing digital certificates have been a hurdle. A large part of the cost comes from the fact that certificate authorities are legally certifying that the holders of the certificates are who they say they are. This means that they are liable and carry at least a portion of the risk. Certificate authorities have to charge money to cover this potential liability.

Removing a BIOS - CMOS Password - Free Article

http://www.dewassoc.com/support/bios/bios_password.htm "Unfortunately, access to computers can, at times, be blocked for all of t...