[IS&T Security-FYI] SFYI Newsletter, November 8, 2010

Monique Yeaton myeaton at MIT.EDU
Mon Nov 8 13:08:19 EST 2010


In this issue:

1. November 2010 Microsoft Security Updates
2. Event: Strengthening the Audit-IT Security Partnership
3. Lesson Learned by a Security Professional


----------------------------------------------------------
1. November 2010 Microsoft Security Updates
----------------------------------------------------------

Microsoft will issue three security bulletins on Tuesday, November 9.  
One of the bulletins is rated critical; the other two are rated  
important.  The bulletins will address a total of 11 vulnerabilities.

Systems affected:

Microsoft Office for Windows XP SP3 through Office 2010
Microsoft Office for Mac 2011
Microsoft Forefront Unified Access Gateway

Read the full bulletin:
<http://www.microsoft.com/technet/security/Bulletin/MS10-nov.mspx>

No word has been released on patching the zero-day hole in Internet
Explorer 6, 7 and 8 that was announced last week and has been used in
targeted attacks. Those who have not yet done so are urged to upgrade
to IE 8, which includes Data Execution Prevention (DEP) technology
that makes the flaw harder to exploit.

Read the story in the news:
<http://news.cnet.com/8301-27080_3-20021665-245.html>


------------------------------------------------------------------------
2. Event: Strengthening the Audit-IT Security Partnership
------------------------------------------------------------------------

Date & Time: November 10, 2010, 1:00 - 2:30 p.m.
Location: N42-Demo Center
Open to the MIT community; seating limited

The IT Security Systems & Services team is offering a free webcast to  
the MIT community this week in the N42 Demo Center.

Internal auditors and IT security officers have common interests in  
securing confidential and sensitive data, complying with regulations,  
and educating users about good practice. However, at most  
institutions, these two roles don't coordinate their efforts and thus  
are less effective than they could be if they coordinated their  
respective resources, procedures, and policies.

Join us at this webcast to learn how two Boston College officials  
created a partnership that has both achieved security goals and raised  
campus-wide awareness about information policies and data management  
controls.

This webcast covers how to:

Implement tactics to strengthen data and computing environment security
Develop shared, comprehensive standards for data protection
Create a partnership that can help educate all stakeholders about  
campus-wide IT security
Assemble and lead effective campus-wide security groups/advisory boards
	
Learn more: <http://www.academicimpressions.com/events/event_listing.php?i=1007>


----------------------------------------------------------
3. Lesson Learned by a Security Professional
----------------------------------------------------------

Last week I had a first-hand hard lesson on why IT security habits and
due diligence by users are so important. After arriving at the office
last Monday, it appeared some fast-fingered thieves had relieved us of
computer equipment that was not locked up, locked down, or out of
sight. Including my desktop computer.

Although for me this was a substantial loss and inconvenience, I was  
reassured by the knowledge that the hard drive was encrypted using PGP  
Desktop and weekly backups had run using TSM. At least my work was  
saved and I could sleep well knowing that no MIT or personal  
information could be leaked to the outside world.

But things were not to be as rosy as I thought. After attempting to  
restore the files from the backup server, I discovered that the  
scheduled backups had not run as I thought. I hadn't checked the logs  
on a regular basis to make sure they were occurring. So, in the end, I  
had taken the right precautions but had failed to follow through. As a  
security awareness consultant, this is advice I've shared with others:  
back up your data and ensure you can restore the data from backup.
Needless to say, I will now follow my own advice.

It's a wake-up call for anyone. If your computer were stolen today,
could you get all your work back? Would you be sure that the
information it contains cannot be accessed?

Some resources for protecting data from theft:

Backing Up Your System <http://ist.mit.edu/security/backup>
Using PGP Desktop <https://kb.mit.edu/confluence/display/category/PGP%20Desktop>

========================================================================

To read all current and archived articles online, visit the Security- 
FYI Blog at <http://securityfyi.wordpress.com/>


Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security





