By Roger A. Grimes | InfoWorld

Follow @rogeragrimes

Network and endpoint security may not strike you as the first place to scratch an experimental itch. After all, protecting the company’s systems and data should call into question any action that may introduce risk. But IT security threats constantly evolve, and sometimes you have to think outside the box to keep ahead of the more ingenious evildoers.

And sometimes you have to get a little crazy.

Charles Babbage, the father of the modern computer, once said, “Propose to a man any principle, or an instrument, however admirable, and you will observe the whole effort is directed to find a difficulty, a defect, or an impossibility in it. If you speak to him of a machine for peeling a potato, he will pronounce it impossible: If you peel a potato with it before his eyes, he will declare it useless, because it will not slice a pineapple.”

The world of network security is no different. Offer a new means for IT defense, and expect to meet resistance. Yet, sometimes going against the wave of traditional thinking is the surest path to success.

In that vein, we offer 10 security ideas that have been — and in many cases still are — shunned as too offbeat to work but that function quite effectively in helping secure the company’s IT assets. The companies employing these methods don’t care about arguing or placating the naysayers. They see the results and know these methods work, and they work well.

Innovative security technique No. 1: Renaming admins
Renaming privileged accounts to something less obvious than “administrator” is often slammed as a wasteful, “security by obscurity” defense. However, this simple security strategy works. If the attacker hasn’t already made it inside your network or host, there’s little reason to believe they’ll be able to readily discern the new names for your privileged accounts. If they don’t know the names, they can’t mount a successful password-guessing campaign against them.

Even bigger bonus? Never in the history of automated malware — the campaigns usually mounted against workstations and servers — has an attack attempted to use anything but built-in account names. By renaming your privileged accounts, you defeat hackers and malware in one step. Plus, it’s easier to monitor and alert on log-on attempts to the original privileged account names when they’re no longer in use.

Innovative security technique No. 2: Getting rid of admins
Another recommendation is to get rid of all wholesale privileged accounts: administrator, domain admin, enterprise admin, and every other account and group that has built-in, widespread, privileged permissions by default.

When this is suggested, most network administrators laugh and protest, the same response security experts got when they recommended local Administrator accounts be disabled on Windows computers. Then Microsoft followed this recommendation, disabling local Administrator accounts by default on every version of Windows starting with Vista/Server 2008 and later. Lo and behold, hundreds of millions of computers later, the world hasn’t come crashing down.

True, Windows still allows you to create an alternate Administrator account, but today’s most aggressive computer security defenders recommend getting rid of all built-in privileged accounts, at least full-time. Still, many network admins see this as going a step too far, an overly draconian measure that won’t work. Well, at least one Fortune 100 company has eliminated all built-in privileged accounts, and it’s working great. The company presents no evidence of having been compromised by an APT (advanced persistent threat). And nobody is complaining about the lack of privileged access, either on the user side or from IT. Why would they? They aren’t getting hacked.

Innovative security technique No. 3: Honeypots
Modern computer honeypots have been around since the days of Clifford Stoll’s “The Cuckoo’s Egg,” and they still don’t aren’t as respected or as widely adopted as they deserve. A honeypot is any computer asset that is set up solely to be attacked. Honeypots have no production value. They sit and wait, and they are monitored. When a hacker or malware touches them, they send an alert to an admin so that the touch can be investigated. They provide low noise and high value.

The shops that use honeypots get notified quickly of active attacks. In fact, nothing beats a honeypot for early warning — except for a bunch of honeypots, called a honeynet. Still, colleagues and customers are typically incredulous when I bring up honeypots. My response is always the same: Spend a day spinning one up and tell me how you feel about honeypots a month later. Sometimes the best thing you can do is to try one.

Innovative security technique No. 4: Using nondefault ports
Another technique for minimizing security risk is to install services on nondefault ports. Like renaming privileged accounts, this security-by-obscurity tactic goes gangbusters. When zero-day, remote buffer overflow threats become weaponized by worms, computer viruses, and so on, they always — and only — go for the default ports. This is the case for SQL injection surfers, HTTP worms, SSH discoverers, and any other common remote advertising port.

Recently Symantec’s pcAnywhere and Microsoft’s Remote Desktop Protocol suffered remote exploits. When these exploits became weaponized, it was a race against the clock for defenders to apply patches or block the ports before the worms could arrive. If either service had been running on a nondefault port, the race wouldn’t even begin. That’s because in the history of automated malware, malware has only ever tried the default port.

Critics of this method of defense say it’s easy for a hacker to find where the default port has been moved, and this is true. All it takes is a port scanner, like Nmap, or an application fingerprinter, like Nikto, to identify the app running on the nondefault port. In reality, most attacks are automated using malware, which as stated, only go for default ports, and most hackers don’t bother to look for nondefault ports. They find too much low-hanging fruit on default ports to be bothered with the extra effort.

Years ago, as an experiment, I moved my RDP port from 3889 to 50471 and offered a reward to the first person to find the new port. Two people discovered the port right away, which was no surprise; because I told them what I did, it’s easy to discover the right spot. What blew me away is that tens of thousands of hacker wannabes, scanning my system for the new port using Nmap, didn’t realize that Nmap, if left to its own defaults, doesn’t look on nondefault ports. It proved that by doing a simple port move you significantly reduce your risk.

Innovative security technique No. 5: Installing to custom directories
Another security-by-obscurity defense is to install applications to nondefault directories.

This one doesn’t work as well as it used to, given that most attacks happen at the application file level today, but it still has value. Like the previous security-by-obscurity recommendations, installing applications to custom directories reduces risk — automated malware almost never looks anywhere but the default directories. If malware is able to exploit your system or application, it will try to manipulate the system or application by looking for default directories. Install your OS or application to a nonstandard directory and you screw up its coding.

On many of my honeypots, I install the OS to nondefault folders — say, in C:/Win7 instead of C:/Windows. I usually create the “fake” folders that mimic the real ones, had I installed the software and taken the defaults. When my computers get attacked, it’s easy to find complete and isolated copies of the malware hanging out in the C:/Windows/System32 folder.

Changing default folders doesn’t have as much bang for the buck as the other techniques mentioned here, but it fools a ton of malware, and that means reduced risk.

Innovative security technique No. 6: Tarpits
My first experience with a tarpit product was LaBrea Tarpit. It was developed during the outbreak of the Code Red IIS worm of 2001. Worms readily replicate to any system that matches their exploit capabilities. LaBrea worked by answering connection attempts for addresses not already assigned to legitimate machines. It would then answer and tell the worm to connect, then spend the rest of the time trying to slow down the worm, using various TCP protocol tricks: long timeouts, multiple retransmissions, and so on.

Today, many networks (and honeypots) have tarpit functionality, which answers for any nonvalid connection attempt. When I penetration-test these networks, my attacks and network sweep scanning attacks slow to a crawl — they’re unusable, which is exactly the purpose. The only downside: Tarpits can cause problems with legitimate services if the tarpits answer prematurely because the legitimate server responded slowly. Remember to fine-tune the tarpit to avoid these false positives and enjoy the benefits.

Innovative security technique No. 7: Network traffic flow analysis
With foreign hackers abounding, one of the best ways to discover massive data theft is through network traffic flow analysis. Free and commercial software is available to map your network flows and establish baselines for what should be going where. That way, if you see hundreds of gigabytes of data suddenly and unexpectedly heading offshore, you can investigate. Most of the APT attacks I’ve investigated would have been recognized months earlier if the victim had an idea of what data should have been going where and when.

Innovative security technique No. 8: Screensavers
Password-protected screensavers are a simple technique for minimizing security risk. If the computing device is idle for too long, a screensaver requiring a password kicks in. Long criticized by users who considered them nuisances to their legitimate work, they’re now a staple on every computing device, from laptops to slates to mobile phones.

I remember one time leaving my smartphone in a cab, right after an argument with the cab driver over the bill (he had taken me on a much longer, more circuitous route than necessary). I immediately considered that phone long gone. I was worried because I had just chatted with my wife, so the phone was open and exposed. I store my passwords and other personal information on the phone, although slightly modified so that anyone reading it directly wouldn’t know the true passwords or numbers. I was more worried about the contact information for my wife, daughters, and other loved ones. Luckily, I knew my screensaver would kick in momentarily. I never found the phone, but I didn’t get any weird calls or charges either.

Innovative security technique No. 9: Disabling Internet browsing on servers
Most computer risk is incurred by users’ actions on the Internet. Organizations that disable Internet browsing or all Internet access on servers that don’t need the connections significantly reduce that server’s risk to maliciousness. You don’t want bored admins picking up their email and posting to social networking sites while they’re waiting for a patch to download. Instead, block what isn’t needed. For companies using Windows servers, consider disabling UAC (User Account Control) because the risk to the desktop that UAC minimizes isn’t there. UAC can cause some security issues, so disabling it while maintaining strong security is a boon for many organizations.

Innovative security technique No. 10: Security-minded development
Any organization producing custom code should integrate security practices into its development process — ensuring that code security will be reviewed and built in from day one in any coding project. Doing so absolutely will reduce the risk of exploitation in your environment.

This practice, sometimes known as SDL (Security Development Lifecycle), differs from educator to educator, but often includes the following tenets: use of secure programming languages; avoidance of knowingly insecure programming functions; code review; penetration testing; and a laundry list of other best practices aimed at reducing the likelihood of producing security bug-ridden code.

Microsoft, for one, has been able to significantly reduce the number of security bugs in every shipping product since instituting SDL. It offers lessons learned, free tools, and guidance at its SDL website.

This story, “10 crazy IT security tricks that actually work,” was originally published at InfoWorld.com. Follow the latest developments in security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Roger A. Grimes is contributing editor of the InfoWorld Test Center. Roger holds over 40 computer certifications and has authored eight books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He currently runs eight honeypots to track hacker and malware behavior and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for Microsoft as a Principal Security Architect. He also writes the Security Adviser blog.

Palo Alto has launched onto the market with a ground up re-development of a firewall. In traditional terms firewall is not the best description as it contains various components of other network security technologies (such as IDS/IPS) along with a different way of classifying traffic.

The upshot of this is that there are potentially major advantages to the business in terms of reducing risks related to: intrusion, malware, data leakage and employee control e.g. limiting Facebook access during office hours.

In this blog I’ll describe 5 ways of implementing Palo Alto that could help your business. On paper at least, it seems to have significant benefits to more traditional firewall solutions. Of course I would never suggest believing the hype of any vendor, the easiest way to put their claims to the test is to run a Palo Alto firewall in a passive mode on your network and see what it can pick up that your current solution doesn’t.

Layer9 can happily offer a free trial of a Palo Alto firewall in your organisation so you can see for yourself what it can protect you from in the future.

An even better way is to look at Palo Alto as part of a Layer9 Risk Assessment. That will give a much more holistic solution to security challenges that face your organisation today.

Request a Trial Firewall or Risk Assessment by Contacting Us today.

Now on to the details. What can it do for you?

1. Reduce Costs by consolidating several layers of Security

Palo alto has the potential to replace not only the current firewalls in an organisation but also other layers of network security for example IDS/IPS and Anti Virus (at the network level).

This approach may not be for everyone for either technical or organisational reasons but for those that can replace such layers can dramatically reduce the cost of network security infrastructure.

This is likely to also have flow on cost savings by reducing training costs and even lowering staffing costs.

2. Simplify management by consolidating layers of security

By consolidation of the above layers of security there are potential gains related to the reduction in complexity. There is less likely to be issues such as false positives or gaping holes in security as it can be all managed and understood from a single pane of glass.

3. Control use of applications both known and unknown

One of the touted differentiators of Palo alto is the way it handles unknown applications. Due to the the method it uses for application identification compared to competitors equipment it can (default configuration) operate on the assumption that anything unknown is dangerous and can be blocked. From a security point of view this is a dramatic difference and is far more pro active in stopping future attacks in their tracks. There is a down side to this however in that you must specify each and every application that is required to traverse the firewall and it must have a valid signature. This however is a small price to pay when you consider the reason you have a firewall in your organisation in the first place.

4. Make it harder to get around your defenses

A related technical differentiator Palo alto claims can make it scientifically harder for intruders and staff to get around your network defenses. This is due to the way traffic is classified, it is classified by “peeling the onion” of protocols to reach the core traffic layer and at each layer the opportunity to block the traffic is provided. The practical upshot of this is that even if someone is tunneling a dodgy application inside an allowed protocol or application traffic (or even ssl encryption) Palo alto should be able to block it. As for the above this is a significant security benefit and could stop a dramatic number of breeches.

5. Granular restrictions can enable more legitimate applications to be used easily

By being able to configure the Palo alto firewall to block only the dodgy parts of applications it can enable IT departments to allow applications that the business requests while still ensuring the security of the network. As for point 3 this can increase the required configuration for the device, but generally is more that valuable when the CEO is adamant that they want access to salesforce, Facebook or even World of Warcraft.

Depending on the environment within your organisation Palo alto could provide significant advantages as described above. Either way there is no downside to running a trial unit to identify where there might be gaps that Palo alto and Layer9 can fill.

Request a Trial Firewall or Risk Assessment by Contacting Us today.

Given the rapid pace of change in the security sector, some executives may have difficulty naming the specific safeguards that their companies deploy. This guide aims to shed some light on some of the more common aspects of computer security, and also serve as a checklist to identify potential areas upon which to improve.

1. Network firewall

The first line of defense against unwelcomed visitors would surely be the firewall. At one point, the use of dual firewalls from different vendors was all the rage, though the creation of a DMZ (Demilitarized zone) appears to be more popular these days. Internet-facing servers are typically placed within the DMZ, where they are encumbered by fewer restrictions and lesser monitoring than the internal corporate network.

At a minimum, a proper firewall typically offers packet filter technology, which allows or denies data packets based on established rules relating to the type of data packet and its source and destination address. Stateful packet filter firewalls conduct what is known as stateful packet inspection (SPI), which tracks active connections to sieve out spoofed packets, a superior approach to the stateless packet filtering firewall. Finally, a firewall operating on the application layer understands application-level protocols to identify sophisticated intrusion attempts.

A heightened security awareness and an increase in ecommerce have led more users than ever to use encryption to protect against third-party snooping. Paradoxically, this has resulted in lower visibility of network traffic at a time when more sophisticated malware varieties are resorting to encryption in order to conceal themselves from a casual inspection.

2. Virtual Private Network

Employees who need to access company resources from unsecured locations such as public Wi-Fi hotspots are a particularly vulnerable group. Such workers will be well served by a virtual private network (VPN) connection in order to protect the confidentiality of their network access. A VPN channels all network traffic through an encrypted tunnel back to the trusted corporate network.

As a downside, a VPN can be complex for a small business to deploy, and is costly to support due to the overheads of authentication, processing and bandwidth. Moreover, it is also vulnerable to the theft of physical authentication tokens — or authentication technology, as was the case with the compromise of RSA’s SecurID technology last year. Finally, stolen and lost company laptops with preconfigured VPN settings can become potential gateways for unauthorized access.

3. IDS and IPS

An intrusion detection system (IDS) is a network-centric strategy that involves monitoring traffic for suspicious activities that may indicate that the corporate network has been compromised. On its simplest level, this may entail the detection of port scans originating from within the network or excessive attempts to log into a server. The former could be indicative of a compromised host being used to perform initial reconnaissance, while the latter could well be a brute-force attempt in progress. On more advanced network switches, IDS monitoring of network traffic may be enabled by port mirroring, or via the use of passive network taps.

Then an intrusion prevention system (IPS) is usually deployed in-line in order to actively prevent or block intrusions as they are detected. A specific IP address could be automatically blocked off, with an alarm sent to an administrator.

4. Malware Detection

The cat-and-mouse game of malware detection is very much a linchpin of the $22.9 billion enterprise security software market projected for 2012. Malware scanning performed on client devices relies on the processing capabilities of individual devices to check for threats. Business-centric versions typically include some form of central management used to push out new definition updates and implement simple security policies. Malware products specifically optimized for servers are also available, though they are not particularly popular, as businesses are understandably loathe to deploy anything that saps the processing cycles of expensive server hardware.

Given that most malware infestations are a direct result of a user action, the typical anti-malware package has also evolved into comprehensive suites that attempt to offer protection against multiple threat vectors. This may include a component to scrutinize a URL link prior to launching it, or email and browser plug-ins that do the same to file attachments. In addition, anti-malware suites are increasingly bundled with a software-based firewall, spyware detection and even spam filtering.

5. Whitelisting

Whitelisting is an anti-malware defense implemented on client devices much like traditional antivirus software. Instead of attempting to identify known malware, however, whitelisting only allows known files to be executed. This necessitates an initial baseline scan to construct a database of whitelisted applications, to which new applications can be added over time as they are installed.

Though promising, whitelisting has been plagued by various practical problems that have hindered its adoption in businesses. Situations may arise, for example, in which critical file dependencies were not properly identified, resulting in application crashes or an improper installation, as they were prevented from loading. Also, whitelisting may be less useful against exploits that leverage the use of specially created documents or other non-executable files. Finally, employees who are in a hurry may simply disregard warnings and opt to add everything, including malware, into their whitelist.

To be fair, whitelisting software has seen tremendous improvements over the years. Today, most whitelisting software applications will recognize commonly used applications upon installation and are hence capable of building an initial whitelist very quickly and with minimum interaction from users. It is important to ask question whether whitelisting software can coexist with traditional antivirus software. The answer varies, though some whitelisting products do advertise their compatibility with antivirus applications.

6. Spam Filtering

Though spam is not traditionally considered within the domain of computer security, the lines are getting blurred given the increasing number of spear phishing attacks used by hackers to sneak Trojan or zero-day malware into corporate workstations. In addition, there is also evidence to suggest that users who deal with a high volume of emails are more susceptible to being taken in by a phishing attempt. It is clearly in the interest of the IT department to filter out as many bogus email messages as possible.

7. Keeping Software up to Date

Ensuring that software updates and security patches are kept up to date is widely acknowledged to be an important defense against security breaches. The reason is simple. Though vendors do not typically release the full details of new security flaws, the proffered guidelines and the release of the security patches are often sufficient for black hats to reverse engineer a particular vulnerability. Depending on the nature of the security flaw that is identified, an exploit could potentially be written in days.

This becomes a problem in larger SMBs, which may make use of wide range of software applications or in-house tools that depend on various third-party tools or codebases. It is hence not uncommon for new software updates or security patches to be overlooked, thus opening up a window of vulnerability. The increasing variety of software that is capable of updating itself over the Internet may somewhat alleviate this problem. However, it should be noted that automatic updating may not be a desirable behavior in mission-critical production environments. To that end, businesses need to implement appropriate processes to identify and test new updates in a timely manner.

8. Physical security

Physical security is a crucial factor that cannot be overstated. After all, given physical access, practically every security or network appliance can be reset to its factory default. In addition, unsecured Ethernet ports may also offer a direct line past the firewall and other perimeter defenses, though that access can be mitigated to an extent with managed switches configured to deny access to unrecognized MAC addresses. Another concern within server rooms is the theft of hard disk drives from hot-swappable bays of storage appliances or servers. Given how passwords files can be deciphered relatively easily from stolen storage devices, server closets or server rooms should be kept locked at all times, and access granted only to authorized staffers.

We have only touched on some of the most common aspects of security deployments. There are obviously many others, such as the importance of user education, independent security audits and the value of a good IT policy. The presence of comprehensive logging and auditing will also help greatly in identifying sources of a breach.

The important point here is that security is a multi-faceted topic that is constantly evolving. Small and mid-sized businesses need to ensure that they do not rely on a single mechanism to stay secure, and that they stay up to date on the latest security offerings available.

Article Originally appeared on CIO: http://www.cio.com/article/700694/How_to_Build_Multiple_Layers_of_Security_for_Your_Small_Business

“Another short-distance wireless technology called near field communication (NFC) has long been touted as a potential channel for in-store financial transactions. Although it’s been slow to take off, the techology recently received a boost with the launch of Google Wallet, which lets you purchase goods by tapping an NFC-enabled smartphone against a terminal. Windows 8 will bring NFC support to tablets and laptops.

The idea here is that, with a tablet or laptop, you could purchase your next latte at Starbucks without fishing for a credit card. And as NFC terminals progress, two-way communication may come into play, such as offering users coupons or location-based marketing.

Dave Jakobik, a partner and lead programmer at Chicago Web design agency EtherCycle, was a bit incredulous about the usefulness of NFC in Windows 8. He says end users will be more likely to use a smartphone at checkout than a laptop or tablet.

But Peter Menadue, a general manager at Dimension Data, a Microsoft services partner, says NFC could be an enabler for other technologies. For example, if NFC becomes a common authentication method, it could replace Bluetooth pairing for headsets and other gadgets. And NFC is already used on the Samsung Galaxy Nexus to exchange contacts when you touch phones, so it could conceivably become a standard way to exchange data between laptops.”

Layer9 Verdict: The continued support for NFC shows strong support for a global pick-up and very fast adoption over the next 2 years. Many integrated applications and simplification of transactions can be expected. Security stands to gain strongly if implemented correctly.

Ref: http://www.computerworld.com/s/article/9223769/13_Windows_8_features_worth_knowing_about

The first known virus ever to infect a personal computer was named “Brain.A.” It was developed (dare we say invented?) by two Pakistani brothers Basit and Amjad Alvi. We know this because, amusingly, they signed their work and included contact information in the code of the virus. Brain.A was first detected in January 1986, just over 25 years ago. In its initial form, the virus did no significant harm. It renamed a volume label (in effect a file name) to “Brain” and could freeze a computer. Basit and Amjad say they meant no harm from their creation. How the world has changed! In just a single generation, we have gone from viruses being a novelty, to them being very real threats to cyberspace.

 
A virus-infected computer (Photo credit: radialmonster, via flickr)

The first notable damaging “attack” on the web occurred by accident, though it was a purposeful accident, if that makes any sense. In late 1988, a Cornell graduate student, Robert Tappan Morris, released a worm intended to demonstrate flaws in the security protocols of the early internet. A worm, as its name implies, burrows through legitimate programs and hides in the dirt of computer code, so to speak. This worm was designed to enter through a security gap, replicate itself, and then move onward to infect more computers. Because of a design flaw in the worm, it spread like wildfire and caused significant damage, effectively clogging the entire internet and preventing information from being transmitted (the internet was much smaller back then). In fact, when Morris realized that he had made a mistake, he tried to send out messages to other internet users telling them how to kill the worm—but his own messages of warning were blocked by the congestion his worm had caused.

Full Article can be found here: http://www.hoover.org/publications/defining-ideas/article/102401

We believe the first and most important place to implement increased password security is quite simply at Log On.  The second most important criteria is limiting the amount of passwords in use at a firm and to make sure that the password control mechanisms are consistent.

At Layer9 we believe that simplicity includes the ability to log on once and gain access to all applications within the firm. This is done through Single Sign On. This simple step reduces attack vectors within your firm by reducing the accounts involved, maintains efficiencies of your IT Systems and keeps daily working life for your staff simpler.

The WHEN

This is quite simply now. Call us for a free evaluation of your current authentication mechanisms and how it could be improved or simplified.

We have already identified that the main threats for a firm come in from both externally and internally. Internally, we have the problem of data theft, data damage and unintentional leakage. Externally, we have viruses, hackers and various other forms of malware.

Our first step is to make sure that we implement systems to make sure that we are giving access to the right people and that we are correctly identifying them.

The HOW

This can be done in a number of manners which include: password length, password expiration, separate user accounts, complex passwords etc. Most of this methods address the concepts of complexity and layers within themselves but fail to maintain simplicity and efficiency to your business.

At Layer9 we believe strongly in multi-factor authentication. This essentially authenticates users from more than just the password perspective. We look at authenticating a user based on:

1.) Something they have (i.e. smartphone, smart card, security card, credit card, identity card etc)

2.) Something they know (a password or passcode)

3.) Something they are (their fingerprint, the way they write, the way they speak)

Statistically it is shown that using just 2 of the above factors such as point 1 & 2 will increase your security 3x fold in terms of risk mitigation around password theft or the vast majority of  techniques used to hack into accounts.

Using your security card and a 4 digit passcode can result in better security than a 20 character password which changes monthly.

Not only are you increasing your protection for your firm and its resources but you are making life much easier for your staff and employees.

The WHY

We invest in Security to guarantee that what we have worked hard for is not taken away from us. In many ways, there is no such thing as a guarantee but rather levels of assurance against known threats. It is pretty much the same as insurance. Those physical assets such as our building and money in the bank are somewhat easier to protect. We can assign a value and take out insurance. We have a rough idea about the various disasters, both natural and not, that could occur and we decide whether or not we would like to risk the chance of that occuring to us.

In the IT Security world, we have both internal and external threats. We look at ways of protecting ourselves against these two threats at various layers within our infrastructure.

There is no magic bullet which can remove all threats but rather mitigate the risk of this particular threat occurring.  The Berson-Dubov Framework highlights the key points within your infrastructure to protect and in which layers to invest protection.  The key to implementing this protection is make sure that it’s effective and transparent to your working environment. Business success is about efficiencies and deploying technologies to protect your environment should not impact the bottom line.

A common thread and the most pragmatic manner in which to protect your information assets is through your access control methods. In other words, the manner in which your authenticate users and your password control mechanisms.

The WHAT

We could deploy fancy technology to every firm but it’s important to ask ourselves exactly what we are we trying to protect? For a modern firm, Information Security protects our most important asset, our intellectual  property (IP).  This can take the form of our secret recipe, our staff details, our customer base or even plans for future market investment or product development.

Based on 2011 and the collection of high profile hacks, firms should be trying to protect their reputation more so than even their assets.  In the words of Nasim Nicholas Taleb, “our most important asset is our reputation”.
 
 
Segment 2: The WHO and HOW of Password Security Segment 3: The WHERE and WHEN of Password Security