Tag Archives: infosec

Password Recovery Services Best Practices

Recently, I helped a client recover the password to a Microsoft Excel spreadsheet. In doing so, I came up with a few best practices for password recovery services:

  1. Prior to starting any work on a password recovery project, the service provider should require the client to sign an agreement whereby the client:
    1. Attests to ownership of the system or file and their right to engage the service provider to recover the password;
    2. Gives permission to the service provider to recover the password to the system or file; and
    3. Gives permission to the service provider to access the system or file for the purpose of confirming that the password recovery was successful.
  2. Best practices for the communication and storage of passwords should be applied to recovered passwords. For example:
    1. Don’t communicate passwords in clear text;
    2. Don’t store passwords in clear text; and
    3. Change passwords if there’s any chance they’ve been compromised.
  3. The provider and the client should have a reciprocal non-disclosure agreement in place.

Do you have any additional ideas for best practices for how password recovery service providers and clients should work together? If so, leave a comment!

ISSA Milwaukee June 2011 Meeting

Yesterday afternoon I attended the June 2011 general meeting of the Milwaukee Chapter of the ISSA. The meeting was held at the New Berlin Ale House and was well attended by approximately 30-35 people.

The guest speaker for the meeting was Robert Clark, Eastern US Channel Manager for TriGeo Network Security, and the topic was, “What Can a SIEM do for You?” “SIEM,” of course, stands for “Security Information & Event Management.” Mr. Clark’s talk was relatively quick and not very technical, but he did bring up some useful questions to ask your SIEM vendor, including:

  • What does the solution have to offer out of the box and does it require several modules to meet your requirements?
  • Are there any ongoing professional services and what are the costs?
  • Will you need to provide the hardware?
  • Is the data evaluated in real-time or is it primarily a forensics solution?
  • Does the correlation engine process events in memory or query the database?
  • How intuitive is the interface? Can you easily build or customize rules, filters, etc.?
  • How long is the implementation process and does it require on-site technicians?

Two of the attendees explained how they evaluated SIEM solutions. Their advice was to commit to developing an in-house expert; otherwise professional service fees will eat your budget and you’ll never get a proper ROI on a SIEM solution. One person suggested this might be a valid reason for some organizations to consider a Managed Security Services (MSS) solution.

One attendee also suggested following Anton Chuvakin’s Blog, as he frequently blogs about SIEM.

In all, it was another successful ISSA Milwaukee chapter meeting and a great opportunity to network with other information security professionals in the area.

Defining Information Security Risk

Years ago I wrote a definition of Information Security Risk that still seems to work well for me. Here it is:

Information Security Risk is a function of (a) the likelihood of a specific threat-source exploiting a specific vulnerability in a specific information system and (b) the resulting impact of that event on confidentiality, integrity, and availability.

Do you have a different definition of Information Security Risk? Please add it as a comment!

What is an Information System?

We use them all the time, but what exactly is an “Information System”? Let’s break down the words…

A System is “a collection of components organized to meet an objective.” What kind of components? Whatever components are needed to meet the objective! Traditionally, that means “people, processes, and technologies.” And, what is the objective of an Information System?

The objective of an Information System is “to transfer, process, store, and manage” information. But, what is information?

Information is data that is relevant and has meaning in a context. So, the numbers 7155551212 are not information; they are data. But, if I ask you to call Linda at 715-555-1212, those numbers become information in the context of making a telephone call.

Now, our definition of an Information System is more complete. Let’s put it all together: An Information System is a collection of people, processes, and technologies organized to transfer, process, store, and manage data that is relevant and has meaning in a context.

It’s quite interesting because data are only representations of aspects of the real world and of our ideas. There really is no physical thing that is the letter “A”. “A” is just a symbol to represent something in the real world (perhaps the sound we make when we say the letter “A”), or an idea (whatever that “A” sound represented long ago).

An Information System (such as a computer) is just a collection of components organized to transfer, process, and store relevant and meaningful representations of the real world and our ideas. Simple enough. But, take that collection of components and make them operate very, very fast, and now you have something that can really transform our world and our ideas.

This article was originally published on July 24, 2008, as a Google Knol. See http://knol.google.com/k/clint-laskowski/what-is-an-information-system/3v4qe269ituzc/2.