Tuesday, October 29, 2013

Thoughts on Best Practice for Windows File/Folder Security Management / Fundamentals of Effective File Server Security

After looking at the article, Best Practice for Windows File/Folder Security Management, I can see why people can have trouble with folder and file security. Bruno Lenski, the author of the article, provides several best practice rules for permission management. Personally, I find myself agreeing with all of Lenski's best practice rules.

The first best practice rule Lenski mentions is "never remove the administrator entry." If the administrator entry, which is used to access file information, were removed, then backups would no longer be carried out, or recovering a file would take longer or be more difficult.

The next best practice rule mentioned involves never using the "deny" permission. Lenski recommends using the allow permission instead, because deny is an overriding permission that takes priority over the allow permission.

After that, Lenski recommends using groups to set up permissions for multiple people. If you took the time to set up permissions for every single user, rather than just setting up a group and adding each new user to that group, you would be wasting a lot of time, and you could potentially be making permission errors for various users.

The final rule mentioned has to do with checking user permissions in case of doubt. This rule should be common sense: second-guess whether or not you set something up correctly the first time.

Overall, I feel that the best practice rules Lenski presents clearly inform readers about how to appropriately deal with file/folder security management.
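One way to turn the four rules above into a check you can actually run, as an added example that is not code from Lenski's article: the function audits a single folder's ACL and reports entries that break the rules. It assumes Windows PowerShell 5.1 or later and read access to the folder; the share path in the usage line is made up.

```powershell
# Added example, not code from Lenski's article: audit one folder's ACL against
# the four rules the post lists. Assumes Windows PowerShell 5.1 or later and
# read access to the folder; the path in the usage line is made up.
function Test-FolderAcl {
    param([Parameter(Mandatory)][string]$Path)

    $acl      = Get-Acl -Path $Path
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # Rule 1: BUILTIN\Administrators must keep an Allow entry, because backup
    # and recovery tooling runs in that context.
    $adminAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow'
    }
    if (-not $adminAllow) { $findings.Add('No Allow entry for BUILTIN\Administrators') }

    # Rule 2: a Deny entry overrides every Allow, so report each one.
    $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
        $findings.Add("Deny entry for $($_.IdentityReference.Value): $($_.FileSystemRights)")
    }

    # Rule 3: grant to groups, not to individual accounts. Each explicit
    # (non-inherited) entry is resolved through the WinNT provider to see
    # whether the principal is a user; unresolved entries are listed for review.
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        $id = $_.IdentityReference.Value
        if ($id -notmatch '^([^\\]+)\\([^\\]+)$' -or $Matches[1] -in 'BUILTIN','NT AUTHORITY') { return }
        $class = $null
        try { $class = ([ADSI]"WinNT://$($Matches[1])/$($Matches[2])").SchemaClassName } catch { }
        if ($class -eq 'User') {
            $findings.Add("Explicit entry for user account $id; grant it through a group instead")
        } elseif (-not $class) {
            $findings.Add("Could not resolve $id; review this entry by hand")
        }
    }

    # Rule 4: when in doubt, check. The raw entries are returned with the
    # findings so the reviewer can see exactly what is set.
    [pscustomobject]@{
        Path     = $Path
        Findings = $findings
        Entries  = $acl.Access | Select-Object IdentityReference, AccessControlType,
                                               FileSystemRights, IsInherited
    }
}

# Usage (made-up share path):
# Test-FolderAcl -Path 'D:\Shares\Finance' | Select-Object -ExpandProperty Findings
```

Run it against every share root on a file server and an empty Findings list means the folder follows all four rules; anything else is worth a second look before users notice.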

Blog by Hans Harvey

Blog Post 8

Sources-
Author: Bruno Lenski
Title: Follow Best Practice for Windows File/Folder Security Management
Address: http://cerncourier.com/cws/article/cnl/38514

Tuesday, October 22, 2013

Thoughts on Privacy in the Cloud / Guidelines on Security and Privacy in Public Cloud Computing

After having looked at the article, Cloud Computing: Privacy in the Cloud, I can see why security and privacy in the cloud are big concerns. The author of the article, Vic Winkler, gives many reasons as to why people have their concerns when it comes to privacy in the cloud, and I personally find myself feeling the same way about Winkler's privacy concerns.

Whenever there's news about 'the latest data breach', 'security hacking' or anything of that sort, it makes people have second thoughts about how safe the cloud truly is. Many television commercials are also constantly reminding viewers about the importance of security devices of all kinds, which can only add to the lack of trust towards the cloud. Other people may have concerns about whether or not their data is safe from their Cloud provider; organizations do have legal obligations to ensure the privacy of their employees and clients, though. Before going headlong into a Cloud environment, you should look into whether or not the service provider agrees to ensure and protect the privacy of data used by their clients.

Data is housed in known locations so that compliance with laws and regulations can be ensured. When getting involved in the Cloud, though, you should wonder, "What happens if data is lost at one site?" Well, hopefully the provider has a backup location or two, but it is still wise to make sure that the provider does have a backup location for data.

Anyone looking to get into the Cloud should know what they are doing before actually getting involved. If you understand the importance of security and privacy, and how a provider actually deals with these issues, then getting involved in the Cloud can be a very positive experience.

Blog by Hans Harvey

Blog Post 7

Sources-
Author: Vic (J.R.) Winkler
Title: Cloud Computing: Privacy in the Cloud
Address: http://technet.microsoft.com/en-us/magazine/jj554305.aspx

Tuesday, October 15, 2013

Thoughts on the Seven Deadly Sins of Security Policy / Developing Security Policies

The article I looked over, The Seven Deadly Sins of Security Policy, states the importance of not making policies that do not manage an organization's risks. Joan Goodchild, the author of the article, shares seven points that she believes should never be part of creating a security policy. Personally, I agree with Joan; I believe any company that commits any of Joan's seven sins is going to have trouble.

Failing to do a risk assessment before a policy is even made will result in a company creating policies that may have absolutely nothing to do with the things that could actually complicate that company's path towards completing its goals.

The one-size-fits-all process could definitely lead to problems for a company. If a new company adopts a policy that one of its competitors has, the policy may have no legitimate use for that company, and the new company will accomplish nothing.

Not having a standards template is also bad. Companies should keep their policies consistent across the organization.

Having policies that only look good on paper is certainly going to lead to bad policies. If policies have no realistic chance of being accomplished, they shouldn't be written down.

If management doesn't believe a policy will work, and does not buy into it, then it may as well not even be there, because management won't make employees adhere to those policies.

Writing a policy after a system has already been deployed will only lead to a game of catch-up. If security policies aren't instilled in the earliest phases for a company, then systems won't work effectively in their environments. "When security is an add-on, it can't help but be incomplete, insufficient, and, in many ways, inadequate for the task," says Cresson Wood, who was interviewed by Joan.

And finally, a lack of follow-up, which I believe is one of the most important sins, is something that can make or break a company. Companies that have the drive to follow through on their policies will thrive.

Companies should never overlook security policies. Those that do are only dooming themselves and their business to failure.


Blog by Hans Harvey

Blog Post 6

Sources-
Author: Joan Goodchild
Title: The Seven Deadly Sins of Security Policy
Address: http://www.csoonline.com/article/504314/the-seven-deadly-sins-of-security-policy

Tuesday, October 1, 2013

Thoughts on Data Protection Reporting and Follow up / Data Protection and Compliance in Complex Environments

Data protection reporting and follow-up is a key piece required for any business to survive. If information isn't kept safe and secure, employees or the company itself can be exploited. In The Smell of Bullshit Part 6 - Data Protection, the author makes several points about data protection that I believe would help any business.

If a group email is sent out to numerous customers, and any recipient can see the email addresses of the other recipients, that is an insecure method, putting all recipients at risk. I agree with the author that making this mistake once is forgivable, so long as the mistake doesn't happen again. But if it were to happen again, that is when management should find out why it is happening again. If it's because the employees weren't taught appropriately, then the company needs to adjust its methods so that employees understand how to deal with group emails.

The example the author describes, about the Lush International Forum, is a solid example of how a lack of data protection can piss people off. The fact that the company made the mistake of not using BCC to hide 170 email addresses, more than one time, should be a lesson for all other companies. Many customers responded to Lush, venting their anger at the lack of protection for their emails. The lack of data protection by the Lush International Forum could have potentially lost them a big chunk of their customers.

What the Lush International Forum should have done, after the first time they made the mistake of not using BCC to hide email addresses, is obvious. The company should have responded to the mistake, not just with an apology, but with action. They should have made it so emails automatically go into BCC, or informed employees of the consequences of not using BCC in emails.
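The "automatically go into BCC" control mentioned above, as an added example that is not from the post or from Lush: a function that rewrites any message with more than one visible recipient so the customer list moves to Bcc before it is handed to the mail relay. It assumes PowerShell 5.1 or later; the sample addresses are made up and the actual send is left to the caller.

```powershell
# Added example, not from the post: rewrite a bulk customer message so that
# recipients cannot see each other's addresses. Assumes PowerShell 5.1 or later;
# the addresses below are made up, and actual sending is left to the caller.
function Protect-BulkRecipients {
    param(
        [Parameter(Mandatory)][System.Net.Mail.MailMessage]$Message,
        [int]$MaxVisible = 1   # more visible recipients than this triggers the rewrite
    )
    $visible = @($Message.To) + @($Message.CC)
    if ($visible.Count -le $MaxVisible) { return $Message }   # one-to-one mail passes through

    # Move every To/Cc recipient to Bcc, then clear the visible headers.
    foreach ($addr in $visible) { $Message.Bcc.Add($addr) }
    $Message.To.Clear()
    $Message.CC.Clear()
    # Many relays reject a message with an empty To header, so address it to
    # the sending mailbox, which reveals nothing about the customer list.
    $Message.To.Add($Message.From)
    return $Message
}

# Constructed sample: three customer addresses placed directly in To, the
# mistake the post describes.
$msg = New-Object System.Net.Mail.MailMessage
$msg.From    = New-Object System.Net.Mail.MailAddress 'newsletter@example.com'
$msg.Subject = 'Forum update'
'alice@example.org', 'bob@example.net', 'carol@example.com' | ForEach-Object { $msg.To.Add($_) }

$msg = Protect-BulkRecipients -Message $msg
"To: $($msg.To)  Cc: $($msg.CC.Count)  Bcc: $($msg.Bcc.Count)"
```

Putting the rewrite in the one place that sends bulk mail means the protection does not depend on each employee remembering to use BCC, which is exactly the follow-up the post argues for.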

Data protection reporting and follow-up is not something companies should take lightly; it can be very costly not to take the necessary measures to protect your customers and the company itself at all times.

Blog by Hans Harvey

Blog Post 4

Sources-
Author: southsidesocialist
Title: The Smell of Bullshit Part 6 - Data Protection
Address: http://mitheringsfrommorningside.wordpress.com/2013/05/01/the-smell-of-bullshit-part-6-data-protection/