Since it’s hard to analyze the tradeoffs between security and productivity, IT organizations can fall back on gut feel, rules of thumb and past practices in making these decisions. The easiest answer is frequently to just follow the rules and regulations so you remain in compliance with industry regulations or current policies. As a result, compliance becomes a substitute for security. But are they really equal? Does being in compliance mean you have a secure IT environment?
Like most security professionals, I subscribe to a plethora of email lists, from Dark Reading to Threat Post. Every day I receive their news, review the titles in their daily summary emails, and drill into a few that may catch my eye. The thing I like about this approach is that I receive a…
If you are going to San Francisco for RSA this week (with or without a flower in your hair), then you should stop by the BeyondTrust booth #945 and check out the latest and greatest privilege identity management solutions to eliminate admin rights across desktop, server and network devices as well as virtual and cloud environments.
Exploit Impact: Remote Code Execution
The hand that rocks the cradle rules the world. This is an absolute truth. Although originally referring to motherhood, there is an especially poignant application from an enterprise point of view. As long as the hand (your IT manager with root access) handles that cradle gently (your server and the sensitive information therein), your world will remain a secure place.
Reading the headlines today one could not help but notice the latest installment of “scary Chinese hacker press” making the headlines. And who can blame the news media for latching on to this story as it has all the right ingredients: foreign governments targeting U.S. interests, catchy nicknames like Night Dragon, connections to a previous scary threat “Operation Aurora” and a timely announcement leading up to one of the security industry’s biggest conferences in San Francisco next week, RSA. Wait, what?
Recently we talked about the difficult trade-off between security and productivity in regard to designing effective password policies. Managing these difficult exchanges is a major challenge for many IT decision makers. Security is time consuming and complicated, which almost always means extra work for someone. So IT must decide: is reduced security risk worth the extra work?
I have a friend who, at any given moment, can recount any of the old wives' tales he grew up hearing. Most of them I just roll my eyes at, but every now and then there’s a little gem that makes life a little easier. Take “a stitch in time saves nine.” That’s legitimate advice. The concept of taking certain actions before a large-scale problem evolves transcends all aspects of human existence, and even extends to the security of your enterprise. One particularly useful stitch comes in the form of preventing the misuse of privileges within the walls of your company.
Microsoft is back at it with a fairly large release today, including 12 security bulletins which patch a total of 22 vulnerabilities. Six of the bulletins address zero-day vulnerabilities (MS11-003, MS11-004, MS11-005, MS11-006, MS11-011, and MS11-013) including two (MS11-003, MS11-006) that have public exploit code circulating. MS11-013 (Kerberos) is most likely similar to vulnerabilities that…