Posts Tagged ‘it security’

Watch Your Google Gadgets

Monday, August 4th, 2008


Ever use iGoogle? I do and I love it.  It’s as close as you can get to a personalized home page without having to know web code. However, the platform is about to be rocked by a presentation this week at Black Hat, the annual hacker conference.

According to Yahoo News, Cenzic senior security analyst Tom Stracener and security researcher Robert Hansen, better known as “RSnake,” plan to demonstrate a zero-day vulnerability that affects Google Gadgets. In practical terms, a gadget is web content (HTML and JavaScript) that you add to your iGoogle page, so whoever controls a gadget is running code in your browser. That means a knowledgeable web coder could use a malicious gadget to push malware onto your PC, possibly in a form that traditional antivirus and anti-malware tools do not detect.

So if you’re an iGoogle Google Gadget user, what do you do?

  1. First, educate your users about the dangers of installing unknown software. Gadgets are software, and this is good practice no matter what.
  2. Watch what comes out of Black Hat 2008. Follow the mainstream IT security bloggers as they summarize the presentations. I’ll post more on this as it gets closer.
  3. If, in your opinion, the risk of iGoogle malware outweighs the benefits, use your web filter to block it, or block just the installation of Google Gadgets. You can still get all the benefits of Google search and mail.
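Step 3 in working form, as an added example that is not from the original post: a small Python model of the deny rule a web filter would apply, so you can check offline that blocking gadgets leaves ordinary Google search and mail reachable. The gadget-rendering hostname and the /ig path are assumptions about where iGoogle served gadgets at the time, not facts from the post; replace them with whatever your own proxy logs show. The one caveat the code is built around is that host rules must be suffix matches on DNS labels, never substring matches.

```python
from urllib.parse import urlsplit

# Assumed hostnames/paths (not stated in the post): iGoogle rendered gadgets
# through gmodules.com, and the iGoogle page itself lived under
# www.google.com/ig. Verify against your own filter logs before relying on them.
DENY_HOSTS = ("gmodules.com",)
DENY_PATHS = (("www.google.com", "/ig"),)


def host_matches(host: str, pattern: str) -> bool:
    """True if host is pattern or a subdomain of it.

    This is a suffix match on DNS labels, not a substring match: a rule for
    "google.com" must not match "google.com.attacker.example" (an allow rule
    written as a substring would let that through) or "notgoogle.com".
    """
    host = host.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def path_under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or something below it ("/ig", "/ig/add")."""
    return path == prefix or path.startswith(prefix + "/")


def decide(url: str) -> str:
    """Return "deny" or "allow" for a URL, the way the filter rule would."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if any(host_matches(host, h) for h in DENY_HOSTS):
        return "deny"
    for h, prefix in DENY_PATHS:
        if host_matches(host, h) and path_under(parts.path, prefix):
            return "deny"
    return "allow"


# Constructed sample requests, as a proxy log might record them.
SAMPLE_REQUESTS = [
    "http://www.google.com/search?q=security",                       # allow
    "http://mail.google.com/mail/",                                   # allow
    "http://www.google.com/ig",                                       # deny
    "http://www.google.com/ig/add?moduleurl=http://x.example/g.xml",  # deny
    "http://www.gmodules.com/ig/ifr?url=http://x.example/g.xml",      # deny
    "http://gmodules.com.attacker.example/",                          # allow
    "http://www.google.com/igloo",                                    # allow
]


def evaluate(urls=SAMPLE_REQUESTS) -> dict:
    """Map each URL to its decision; handy for checking a rule set offline."""
    return {u: decide(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in evaluate().items():
        print(f"{verdict:5}  {url}")
```

Note that "/igloo" and "gmodules.com.attacker.example" are allowed on purpose: a filter rule that matched on substrings would block the first (a false positive) and, if written as an allow rule for google.com, would let the second through (a bypass). Whatever product you use, check that its host rules behave the same way.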

Best Practices Are Good For Your Company and For Your Job!

Friday, August 1st, 2008


Bill Brenner from CSO Magazine recently wrote the following:

In the wake of a data breach, the company’s top brass may go looking for someone to blame. If you are the security chief, chances are it’s going to be you.

It doesn’t matter that you warned executives repeatedly that certain technological or cultural flaws were putting the company at risk, or that you had to maintain security with a shoestring budget and little or no staff. Chances are you’ll take the fall whether you deserve it or not, says George Moraetes, a Chicago-based security contractor and executive board advisor for security event management firm IdentityLogix.

He has watched as some of his CSO acquaintances were blamed for a security failure or dismissed for trying to blow the whistle over the company’s security holes.

“One friend of mine, the CISO of a credit bureau, blew the whistle on a security auditor who wasn’t following best practices and was making reporting discrepancies,” says Moraetes, an independent consultant. “The auditor was a friend of the top brass, and the CISO was let go. I know of three others in Georgia who were fired or demoted for similar reasons.”

The moral of the story: if you’re in charge of security at your company, whether you have 5 employees or 5,000, you should have a documented best-practices policy and procedures manual that is audited for compliance. Your job is at risk, as the precedent has already been established.

Best practices are free. You just need to follow them. What are they? A good place to start is the SANS Institute (www.sans.org). This group puts out quality material, much of it available to the general public, including some good starter guides for putting best practices in place.

Also, the NIST Manual from our July 23 posting is another good manual with good measurement metrics.

You can also use security consultants with CISSP or GIAC certifications to help establish and audit them.