
Issue
May 2006
In this month's issue of our Security Watch Newsletter, we discuss the merits
of using Defence in Depth to protect your information assets, we dispel four
commonly held myths relating to information security, highlight some interesting
free tools to help you monitor your network, outline how to collect digital evidence and
provide guidelines on how to protect yourself from social engineering. We also highlight some
interesting news stories from around the globe and update you on the latest
happenings at BH Consulting.
About BH Consulting
BH Consulting was founded in answer to demand for an independent consulting
firm that helps clients gain a competitive edge by achieving operational
excellence in deploying, managing and securing their IT infrastructure. With
over 20 years' experience, we provide you with access to in-depth expertise,
experience and technical know-how. Backed by our quality processes and
commitment to deliver, BH Consulting provides clients with quality solutions at
cost-effective rates.
Support
Focus Ireland
If you have found any items in our
Security Watch Newsletter to be of use to you we ask that you
make a donation to
Focus Ireland who
work tirelessly supporting the homeless throughout Ireland. Focus Ireland
aims to advance the right of people-out-of-home to live in a place they call
home through quality services, research, and advocacy. The objectives of
Focus Ireland are to respond to the needs of people out-of-home and those at
risk of becoming homeless, through a range of appropriate high quality services,
to provide emergency transitional and long-term accommodation for people
out-of-home, to campaign and lobby for the rights of people out-of-home
and the prevention of homelessness. No sum is too small and all is
put to excellent use.
NEWS
BH Consulting in the Press.
The Internet Crime
Complaint Center (IC3) in the United States published its
2005 Internet Crime Report. This report
highlighted the average victim of an online scam was out of pocket by US$424,
with those falling victim to the Nigerian 419 email scam losing on average
US$5,000. Brian Honan commented to
Silicon Republic on why he believes people are
falling victim to these types of scams.
Additional coverage of news items relating to BH Consulting can be found on our
news page.
Internet Fraud is on the Increase. As
mentioned above, the
Internet Crime Complaint Center's (IC3)
2005 Internet Crime Report demonstrates
that Internet fraud is on the increase. Together with other reports, such as
Symantec's Internet Threat Report
and the
UK Department of Trade and Industry's 2006 Security Breaches Survey,
there are clear indications that organised criminals are becoming more and more
involved in Internet crime and are targeting smaller companies and individuals
for financial gain.
The Internet allows criminals to conduct their business in relative anonymity,
to target thousands of users with a single email and to set up scams that look
convincing and genuine. A further attraction for criminals is that prosecution
is often difficult because it involves cross-jurisdictional issues. The sense of
safety many people feel when using the Internet also adds to the problem. Most
people would never contemplate giving their credit card details to a complete
stranger on the street, and would be very wary of buying something from someone
they had never met before. But when sitting at a computer screen in the safety
of their workplace or home they seem to feel that the safety of their physical
environment extends to the online world.
Individuals are not the only ones who need to be concerned about online
fraud. A number of BH Consulting's corporate clients have recently had scam
emails sent to the public that purport to originate from their company. While
this may not result in direct financial loss to the company, it causes
reputational damage and costs time and resources in dealing with enquiries from
victims of the scam.
Individuals should take extra care when conducting any business online and
adhere to the old adage, "If it seems too good to be true, it probably is."
Companies should also cover how to deal with phishing attacks and other scams
conducted in their name as part of their overall incident response policy.
A number of useful sites provide information to help you protect yourself
such as;
The SANS Institute Updates its Top 20
Vulnerabilities
The latest update to the SANS Institute's Top 20 Vulnerabilities shows
a number of trends. The most interesting among these are the increase in
vulnerabilities being discovered in Apple's Mac OS X operating system and the
rise of a more targeted type of phishing attack known as spear phishing. In a
spear phishing attack the attacker sends email that appears to come from a
trusted source, such as the company's network administrator, to a specific
victim, who then hands sensitive information to the attacker.
Guidelines on How to Manage Security Logs.
Security logs are one of the most important yet overlooked tools available in
protecting your network. The US National Institute of Standards and
Technology released a draft version of their technical guidelines on how to
manage security logs.
The guidelines cover log generation, transmission, storage, analysis and
disposal. Used effectively, your security logs provide hard evidence of what
occurred during an incident and help you address the "5 Ws" of incident
investigation: Who, What, Why, Where and When. For more information on managing
your security logs you can also check out BH Consulting's white paper titled
"Best Practises for Log Management".
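As an added illustration of the analysis stage of that lifecycle (example code written for this page, not taken from the NIST draft or the BH Consulting white paper), the Python below takes a handful of constructed sshd-style syslog lines, records a digest of the raw log before it is touched, builds a timeline, and flags a password-guessing sequence, reporting the Who, What, When and Where straight from the log. The sample lines, the host name "fileserver", the documentation-range addresses and the assumed year 2006 are all constructed for the example; Why is never recorded in a log and is left to the investigator.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd/syslog-style sample lines for this example; they are not real
# data and not taken from the newsletter. Addresses come from documentation ranges.
SAMPLE_LOG = """\
May 12 09:14:02 fileserver sshd[2210]: Failed password for root from 203.0.113.45 port 51022 ssh2
May 12 09:14:05 fileserver sshd[2210]: Failed password for root from 203.0.113.45 port 51023 ssh2
May 12 09:14:09 fileserver sshd[2210]: Failed password for root from 203.0.113.45 port 51024 ssh2
May 12 09:14:12 fileserver sshd[2210]: Failed password for root from 203.0.113.45 port 51025 ssh2
May 12 09:14:16 fileserver sshd[2210]: Accepted password for root from 203.0.113.45 port 51026 ssh2
May 12 09:20:41 fileserver sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 40110 ssh2
May 12 09:31:07 fileserver sshd[2210]: Received disconnect from 203.0.113.45: 11: Bye Bye
"""

# Classic syslog timestamps carry no year, so one has to be assumed (2006 here).
ASSUMED_YEAR = 2006

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def evidence_digest(raw_text):
    """Hash the raw log before analysis so the working copy can be matched to the original."""
    return hashlib.sha256(raw_text.encode("utf-8")).hexdigest()


def parse_syslog(raw_text):
    """Turn syslog-style lines into dicts; lines that do not parse are kept, never silently dropped."""
    events = []
    for line in raw_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            events.append({"raw": line, "unparsed": True})
            continue
        when = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "host": m["host"], "prog": m["prog"],
                       "pid": int(m["pid"]), "msg": m["msg"], "unparsed": False})
    return events


def auth_events(events):
    """Pick out sshd authentication results and split them into result/method/user/source/port."""
    out = []
    for e in events:
        if e["unparsed"] or e["prog"] != "sshd":
            continue
        m = AUTH_RE.match(e["msg"])
        if m:
            out.append({**e, **m.groupdict()})
    return sorted(out, key=lambda e: e["when"])


def timeline(events):
    """Chronological (time, host, message) tuples, the form an investigator attaches as an exhibit."""
    parsed = (e for e in events if not e["unparsed"])
    return [(e["when"], e["host"], e["msg"]) for e in sorted(parsed, key=lambda e: e["when"])]


def find_password_guessing(events, threshold=3, window_seconds=300):
    """Flag a source that fails at least `threshold` times for a user and then succeeds within the window.

    Each finding answers Who, What, When and Where from the log itself. Why is not
    recorded in any log and is left to the investigation.
    """
    failures = defaultdict(list)  # (user, source) -> timestamps of failures seen so far
    findings = []
    for e in auth_events(events):
        key = (e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key].append(e["when"])
            continue
        recent = [t for t in failures[key] if (e["when"] - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            findings.append({
                "who": e["user"],
                "what": f"{len(recent)} failed {e['method']} logins followed by a successful {e['method']} login",
                "when": (recent[0], e["when"]),
                "where": {"host": e["host"], "source": e["src"], "pid": e["pid"]},
                "why": None,  # not answerable from the log alone
            })
        failures[key].clear()
    return findings


if __name__ == "__main__":
    print("raw log sha256:", evidence_digest(SAMPLE_LOG))
    parsed = parse_syslog(SAMPLE_LOG)
    for when, host, msg in timeline(parsed):
        print(when.isoformat(sep=" "), host, msg)
    for finding in find_password_guessing(parsed):
        print("FINDING:", finding)
```

Run as a script it prints the digest, the seven-line timeline and the single finding (four failed root logins from 203.0.113.45 followed by a success at 09:14:16). In practice you would hash the log as collected, keep that copy on append-only storage, and do the analysis on a copy, so the digest is what ties your findings back to the original evidence.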
Terrorists Hack Craft Website
This story from the Boston Globe is interesting in that it illustrates that no
matter how small your company is, it can still be a target for malicious users.
In this case the website of a small company selling glass crafts was hacked by
terrorists supporting Al Qaeda and used to distribute their writings. No matter
how small your company's web presence is, you cannot rely on the anonymity of
the Internet to protect you, assume that you are too small for anyone to care
about hacking you, or believe "it will never happen to me".
Calculating the Cost of A Security
Breach
This tool can be used to help you estimate the costs of a privacy breach, i.e.
one in which personal data belonging to clients could be exposed. While the tool
is focused primarily on the US market and is used to promote the company's
products, it may still be of some use in estimating the potential impact in
euro of a breach. This could give you objective rather than subjective data for
your risk assessments or for justifying the purchase of a solution.
BH CONSULTING WEBSITE UPDATE
We strive at BH Consulting to provide information that is
relevant and useful in securing and running your business. To this end we have
updated our range of whitepapers and the following is now available for download
free from our
white papers page;
Achieving Support Excellence
(63 KB)
Also on our website you will find a new page outlining our
Security Assessment Service, which
provides an independent review of your information security.
LATEST THREAT LEVELS
Get the latest updates on current threats at our online resources page.
FEATURES
The Necessity of Defence-in-Depth
No single defence is impenetrable and no information security strategy is
complete without incorporating the concept of defence-in-depth. Defence-in-depth
is far from a new idea. The familiar medieval castle epitomizes the application
of... Click
Here for more info
Dispelling 4 Security Myths
Security configuration changes and guides have been around for about 10 years in
the Windows world, longer in other areas. The original Windows NT 4.0 guides
that were published by the U.S. National Security Agency and the SANS Institute
were... Click
Here for more info
Tools for Monitoring Network Activity
PortQry and PortReporter are 2 tools that can help you determine which
programs are listening on your computer's network ports. Such tools are
important if you need to troubleshoot network services or detect unwanted
programs. PortQry is a... Click
Here for more info
Forensics: Collecting the Evidence Before You Lose It
When faced with a compromised system your first inclination may be to
immediately pull the power plug. However there is a good deal of valuable
information to be gleaned from the live system that will be lost when you turn
it off. Based on the... Click
Here for more info
Protecting Yourself Against Social Engineering
You've probably heard the age-old axiom, "A chain is only as strong as its
weakest link." And if you've been around IT security for any length of time, you
probably know that most often the weakest link turns out to be us, the
organics, the human... Click
Here for more info
FREE SECURITY SCAN
In partnership with
Qualys, BH Consulting
is offering a free Network Security Scan so you can check how healthy
your network is. To find out more about what this service can do for you, visit
our free
Network Security Scan page.

Alternatively contact
us or visit our website to get more details on our
risk assessment service.
This issue of Security Watch is being brought to you by BH Consulting.
If you have found this issue to be of use please support our drive to raise funds
for
Focus Ireland.
Each
Security Watch eNewsletter, and each special Security Alert issue, is produced
independently by the Windows IT Pro Custom Media Group and distributed by
various Microsoft security partners. Each eNewsletter contains up-to-date
information about security strategies, technologies, and alerts. Each Security
Alert contains the latest information about security threats.
Additional news courtesy of
Silicon Republic,
Cnet,
Silicon and
Zdnet
To update your subscription to our newsletter
click
here. To unsubscribe click
here