Welcome

Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Thursday, May 19, 2011

How welcome are your guests?

When Joe the salesman from Pete’s Software Palace shows up at the guard desk (because I know you have one), is signed into the system and is asked to have a seat until you come to get him, is there a wired network connection in the lobby that would allow Joe to sniff your network? If there is, you should probably disable the port for that specific jack.

After you come and get Joe and take him to meet several other people in a conference room, Joe says he needs Internet access. Is his only option a wired network, or do you have a guest wireless network? The preferred option is a wireless guest network, segregated from the corporate wireless network. Additional controls could include a daily rotating password that only employees have access to, thus requiring a vendor or contractor to get the password from an employee. This ensures that someone at your company will know that they are connected to your guest wireless network.

If your company has a fast, reliable corporate wireless network, another sound practice is to disable unused wired ports in conference rooms. Many times a vendor or contractor will be left alone in a conference room; disabling the excess ports will help reduce the risk to the network.

I will leave you this week with a couple of wireless network thoughts. What type of authentication do you require for your laptops to connect to the corporate wireless network? If you are not requiring some type of machine authentication, you are at risk for access point spoofing. How do you handle the ad-hoc networks your corporate laptops have previously connected to? These are usually from traveling (e.g. hotels, airports, etc.), and the laptops will continuously send out a signal looking for their respective network, which is another opportunity for access point spoofing. Finally, how far does your wireless network extend outside of your building?
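As an added illustration (not part of the original post), here is a Python check for the stale auto-connect profiles just described: it parses the text that `netsh wlan show profile name="<profile>"` prints on a Windows laptop and flags profiles that will reconnect automatically to a non-enterprise or ad hoc network. The sample netsh output is constructed, and the `NON_ENTERPRISE_AUTH` set and the assumption that the corporate SSID uses WPA2-Enterprise are mine.

```python
"""Flag saved Windows Wi-Fi profiles that auto-connect to non-enterprise networks.

Input: the text printed by `netsh wlan show profile name="<profile>"`, one string
per profile. Fix for a flagged one (assumption, not from the post):
`netsh wlan set profileparameter name="<profile>" connectionmode=manual`.
"""
import re
# Auth modes with no 802.1X credentials. Assumption: the corporate SSID uses
# WPA2-Enterprise, so anything else that auto-connects deserves review.
NON_ENTERPRISE_AUTH = {"Open", "Shared", "WEP", "WPA-Personal", "WPA2-Personal"}

# Constructed, abridged netsh output for three profiles (not real machine data).
SAMPLE_PROFILES = [
    "Profile Corp-WLAN on interface Wi-Fi:\n"
    "    Name                   : Corp-WLAN\n"
    "        Connection mode    : Connect automatically\n"
    "    Network type           : Infrastructure\n"
    "    Authentication         : WPA2-Enterprise\n",
    "Profile HotelGuest on interface Wi-Fi:\n"
    "    Name                   : HotelGuest\n"
    "        Connection mode    : Connect automatically\n"
    "    Network type           : Infrastructure\n"
    "    Authentication         : Open\n",
    "Profile AirportFree on interface Wi-Fi:\n"
    "    Name                   : AirportFree\n"
    "        Connection mode    : Connect manually\n"
    "    Network type           : Infrastructure\n"
    "    Authentication         : Open\n",
]

def parse_profile(text):
    """Pull the fields we care about out of one profile's netsh output."""
    fields = {}
    for key, name in (("Name", "name"), ("Connection mode", "mode"),
                      ("Authentication", "auth"), ("Network type", "ntype")):
        match = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % key, text, re.M)
        if match:
            fields[name] = match.group(1)
    return fields

def is_risky(fields):
    """Auto-connect plus weak auth or ad hoc: the laptop keeps hunting for it."""
    auto = fields.get("mode", "").lower() == "connect automatically"
    weak = fields.get("auth") in NON_ENTERPRISE_AUTH or fields.get("ntype") == "Adhoc"
    return auto and weak

def audit(profile_texts):
    """Return names of profiles that should be set to manual or deleted."""
    return [f["name"] for f in map(parse_profile, profile_texts)
            if "name" in f and is_risky(f)]
```

On a real machine, feed `audit()` one string per profile name listed by `netsh wlan show profiles`; the corporate WPA2-Enterprise profile passes while the old hotel profile is reported.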

~Skeeter

Sunday, May 15, 2011

How do Information Security and Internal Audit play nice?

What is the relationship between your Information Security department and Internal Audit? Is it a friendly, collaborative relationship, or is there resentment between the two teams?

Both the Information Security and IT Internal Audit teams have a similar goal: make sure the company’s data is properly protected from inadvertent disclosure, modification, or inappropriate access. However, the attitudes displayed by each of the teams and their members can go a long way toward building a constructive working relationship.

Since I have worked both sides in the same company, moving from Internal Audit to the Information Security team, I can provide some information on this subject. Clear lines need to be drawn as to the responsibility of each team where the areas might start to come together. For example, consider a project to upgrade an application that falls under the Sarbanes-Oxley (SOX) umbrella. Both teams are going to be interested in it: Information Security will probably be more interested in the details of the full set of criteria for new applications, while Internal Audit is probably interested only in those controls pertaining to SOX. However, a lack of understanding of the other team’s responsibilities could lead to ill feelings toward the other team.

I believe each team can provide some level of assistance to the other, but there needs to be a defined separation of duties, and each member of both teams needs to understand where their responsibilities begin and, more importantly, where their responsibilities end.

~Skeeter