Get Schooled at New Horizons » security

Prevent or control use of USB flash drives

Get Schooled — Wed, 01 Feb 2012 21:10:56 +0000

Tiny flash memory drives that fit on a keychain (sometimes called thumb drives) are inexpensive and convenient for transferring files between computers that aren’t on the same network– but they can also present a security risk for your organization. They can be used to bring viruses and unauthorized software in, or to smuggle sensitive information out. Luckily, there are software products, such as GFI’s Portable Storage Control (PSC), that let you control the use of these devices on your network.

For more information on how it works, see www.windowsecurity.com/articles/Review-GFI-LANguard-Portable-Storage-Control.html.

View security classes offered here.

Make security a part of your business goals

Get Schooled — Sat, 15 Jan 2011 21:00:52 +0000

Make security an integral part of your organization’s business goals

Many business principals find the whole issue of organizational security rather esoteric and are generally reluctant to allocate resources to it unless they can see a return on their investment. At the same time, technical staff charged with managing organizational security often finds itself fighting an uphill battle because, without the appropriate resources, they can’t do their jobs. As a result, both parties fall into a reactive rather than a proactive role, responding to incidents only when they affect critical operations.

In communicating your needs to upper management, it can be helpful to discuss security in terms of three distinct stages, as described here:

Passive. At this stage, the security team and the business principals cooperatively develop the policies and guidelines needed to protect the organization’s information.

Active. At this stage, the security team implements the technologies needed to support the Security Life Cycle: Detect, Assess, Respond, and protect. This stage typically requires the most resources.

Integrative. At this stage, security is an integral part of business decisions. To support the organization’s business goals, existing policies are revised and new security technologies are selected.

Check out our Security training!

Microsoft is making its security software public

Get Schooled — Tue, 07 Sep 2010 14:41:43 +0000

In a recent Microsoft blog post, the company revealed it will be changing the Creative Commons license to allow companies to employ their Security Development Lifecycle software.

Individuals and organizations can now copy, distribute and transmit a variety of Microsoft’s security-related content.

Essentially, the announcement means public and private organizations can gain access to the company’s research and documentation on computer and internet security.

In order to properly wade through the layers of software copyrights involved with applying Microsoft’s new services, companies will need to depend heavily on their IT professionals and even consider making new hires to meet the demand.

The products and software companies will be able to glean from Microsoft represent a widely varied base of knowledge. Users will immediately be able to access case studies, white papers and training materials. As more products receive licensing updates, more information will become available.

Currently, the IT job market is among the fastest growing in the country, according to the Bureau of Labor Statistics. Growth is expected in almost every field, especially as corporations begin to invest more heavily in network security related jobs.

Is Remote Administration the Weak Link in Your Security?

Get Schooled — Tue, 02 Mar 2010 23:22:16 +0000

Windows:

The ability to remotely administer your servers isn’t just a convenience; in some cases, it’s essential. But, when a system can be accessed remotely — especially a domain controller or other critical server — there’s a chance that it will be accessed by the wrong person, for the wrong reasons.

You can control access in a number of ways. For example, you can restrict access to specific ports (such as 3389, used by terminal services) so that the ports can be access only from specific computers. You can also configure User Rights to control who can and can’t log on through terminal services. Create a group and place those users in it who should be able to access the server’s desktop through terminal services/Remote Desktop, then add the group to the Log On Through Terminal Services user right.

It’s also a good idea to ensure that solicited remote assistance is disabled through the Computer Configuration | Administrative Templates | System | Remote Assistance | Solicited Remote Assistance entry in Group Policy.

Use Dial-in properties to secure remote access connections

Get Schooled — Fri, 08 Jan 2010 20:06:27 +0000

(Windows 2000 Server/Server 2003)

Do you have a dial-in remote access server in your Windows 2000 or Windows Server 2003 domain? Allowing dial-in access can pose security risks. What if someone gets the username and password of a legitimate account in your domain?

If your remote users should always be calling in from the same phone number (for instance, their home phones), one way to make dial-in access more secure is to configure the user properties for the account (which you access through the Active Directory Users and Computers Administrative Tool) for callback security. You can specify that, when the user logs on, the server disconnects and then calls the user back at his home number. This also saves the user from having to pay long-distance charges if he lives out of the area. You can configure this on the Dial-in tab of the user account’s properties sheet.

Protect your web browser from phishing attacks

Get Schooled — Sun, 22 Nov 2009 20:27:14 +0000

Spoofing is a term used to describe methods of faking various parts of the browser user interface. This may include the address or location bar, the status bar, the padlock, or other user interface elements. Phishing attacks often utilize some form of spoofing to help convince the user to provide personal information. If a user’s browser is vulnerable to spoofing, they are more likely to fall victim to a phishing attack. You can search the US-CERT and CERT/CC web sites for malicious scripting and content vulnerabilities at the following URL: http://search.us-cert.gov (use the search term browser+spoof). The US-CERT document “Technical Trends in Phishing Attacks” (available at www.us-cert.gov/reading_room/phishing_trends0511.pdf) has more information about spoofing and phishing techniques.

Harvesting Private Data via MS Word?

Get Schooled — Fri, 20 Nov 2009 18:34:47 +0000

Did you know that Word documents can contain hidden information that can provide clues to your identity and information of people you e-mailed a file to using Outlook. Older versions of Word even retain logs of the last ten people who revised the document, including their e-mail addresses which are easily harvested. Unrevised versions of your text may also be hidden in your files. Microsoft has a “Remove Hidden Data” tool on its Web site, but its not easy to use and it doesn’t remove all the info.

So, before you put a Word file online, be sure you clean it by:

Open WordPad (Start>All Programs>Accessories)
Navigate to and Open your Word file
Save the file in Rich Text Format or .rtf
Then just rename the file back to a .doc before you upload

Now, all your private data has been cleared. Remember, Word can save as an .rtf, but doing so in Word won’t clear your private data. You must save it as an .rtf in WordPad.

Combating Malicious Code Threats

Get Schooled — Fri, 19 Jun 2009 14:33:36 +0000

Viruses, worms, Trojan horses, and other types of malicious code can bring even the most secure system or network to its knees. Fortunately, protective measures don’t need to be unnecessarily complex. By recognizing the behaviors of malicious code and following a few best practices, you can significantly reduce your exposure to the threats that malicious code presents.

First you need to Identify the Threat!

To effectively deal with various computing threats, it’s useful to understand how these threats work. We’ll talk about four types of threats: viruses, worms, Trojan horses, and blended threats. Each of these threats uses specific methods to cause problems on a computer, except for a blended threat, which uses a combination of methods during an attack.

You can read the full article here.

Learn more by taking a Security+ class at a New Horizons Computer Learning Center near you.

IT Security Salaries on Rise; Certified Ethical Hacker Certification Up 40%

Get Schooled — Fri, 20 Feb 2009 14:39:29 +0000

According to a new study IT Skills and Certifications Pay Index published by Foote Partners, salaries in the IT security space are on the rise.

“It’s not just a ‘slash-and-burn’ recession strategy based strictly on CIOs cutting costs,” said David Foote, co-founder and CEO of Foote Partners, in a news report. “It looks like a calculated effort (by CIOs), in a time of chaos and severe constriction, to smartly invest in skills and technologies that will not only tactically see them through the recession, but also ensure that (their companies) are stronger and undiminished at their core when it’s over.”

Overall IT security certifications pay grew 0.8 percent over the past three months, and 1.9 percent year-over-year, the report states. Certifications posting the greatest gains were the GIAC Security Essentials Certification (GSEC), which was up 46.7 percent in the fourth quarter of 2008, and the Certified Ethical Hacker (CEH) certification, up 40 percent. The Certified Information Security Manager (CISM) was also up 7.1 percent over the past quarter. Of the highest-paying IT certifications, 18 out of 42, or 42.9 percent, were related to security, the report says.

For noncertified security skills, network security management made neither gains nor losses in the past quarter, but was up 6.7 percent over the past six months, and 14.3% year-over-year, the Foote study says. Network security management and “various project-based security skills” were among the highest-paying non-certified IT skills of the past three months.