The 4 Security Rules Employees Love to Break
Feb 04, 2009
By Joan Goodchild

Most CSOs and security managers know employees are taking risks everyday that could set their company up for a breach. What some of the biggest offenses? And what can be done to nip that risky behavior in the bud? John Stewart, CSO of Cisco, offers his take on 4 rules people love to break and offers advice on getting them to stop.

Allowing “tailgating” and unsupervised roaming According to a recent Cisco survey, more than one in five German employees allow non-employees to roam around offices unsupervised. The study average was 13 percent. And 18 percent have allowed unknown individuals to tailgate behind employees into corporate facilities. The reason, according to Stewart, is that confronting people who may be gaining access illegally is difficult for people.

“Globally, tailgating creates an interesting human problem,” said Stewart. “You are walking into building and you may have to challenge someone to prove that they have the right to be there. This is uncomfortable for a great number of people. In certain cultures it’s insulting and unacceptable.”Stewart recommends creating an environment that makes it hard for people to tailgate. Consider signage that even states tailgating is not allowed.

“When there are signs posted it makes it easier for a person to ask for identification. They can say: ‘The company makes me do this’ It diffuses some of the tension.”

Help your user community say in a very obvious way: I don’t want to have to do this but I have to do it, said Stewart.

Adding unauthorized wireless access points: At Cisco, the process of dealing with unauthorized wireless access points is known as ‘whack-a-mole’, according to Stewart. That’s because they pop up so frequently Wireless access points can be needed either by employees looking to test things, or when people who don’t normally need access suddenly do.

“You could end up in a meeting with people from all over and they all need Ethernet. However, one or two computers might not have authentication credentials to get on corporate wireless and then someone has the great idea to create a wireless environment with USB stick. Wireless is just that easy.”
While most employees are just looking to fill a need, said Stewart, the unauthorized access point is an exposure.

“You’ve got the corporation at risk,” he said. “Tailgating and wireless access points are, in many ways, the exact same problem. You are potentially allowing unauthorized or unexpected users on your network.”

Stewart advises having a clear and consistent policy with consequences. Consistency is key.

“If the consequences aren’t severe, most people won’t take you seriously. Get serious about real rules. I know some companies who will charge the department with the person who put the wireless access point on the network. The bill goes to the manager of the person that did it. You can imagine how that plays out.”
Sharing corporate or sensitive information with unauthorized people According to Cisco research, one of four employees (24 percent) admitted verbally sharing sensitive information to non-employees, such as friends, family, or even strangers. When asked why, some of the most common answers included, “I needed to bounce an idea off someone”, “I needed to vent”, and “I did not see anything wrong with it.”
Stewart thinks companies need to educate workers to treat corporate information like it’s a personal secret.

“You don’t want people know certain things about yourself. If there is something really personal you would rather not have the world know about, that is how company feels, too. You can also equate corporate information with money. Keeping sensitive information secret says ‘I’m not going to share my money with you.'”
Putting sensitive data in the wrong place: This could mean copying or extracting corporate sensitive information from protected place and putting it on handheld device

It could also mean e-mailing information to an outside, non-corporate e-mail account. Whatever the scenario, it means sensitive information could get in the wrong hands, especially if it’s on a portable device that gets lost. Cisco research found 22 percent of employees carry corporate data on portable storage devices outside of the office.

“If you instinctually know that the work environment you have is causing this, figure out a solution,” advised Stewart. “If an employee is engaging in this behavior say to them ‘Tell me what you’ve got to do that’s forcing you to do this and let us figure out a way to solve it.”
*********************

Sensitization programme on ‘BAR CODING’

organised jointly by

Goa State Industries Association

&
MSME-DI, Margao, Goa
on
27th February, 2009 at 2.00 p.m. at GSIA Conference hall.

SENSITIZATION PROGRAMME ON BAR CODING is a ½ day programme organised jointly by MSME-DI, Margao and Goa State Industries Association on 27th February, 2009(Friday) at 2.00 p.m. at GSIA Conference Hall, 4th Floor, Goa-IDC House, Patto Plaza, Panaji-Goa for the benefit of Micro, Small, Medium & Large Enterprises / Entrepreneurs in Goa.

Bar Coding is a series of parallel vertical lines (bars and space), that can be read by bar code scanners. It is used worldwide as part of product packages, as price tags, carton labels, on invoices even in credit card bills and when it is read by scanners.

BENEFITS:
1)By getting Bar Code registration useful for better marketing & Exports.
2)Easy for inventory control.
3)Subsidy available on expenses made on Bar Coding registration.
4)Recurring fees for registration for 3 years available.

TOPICS COVERED:
1)What is Bar Code.
2)Why to adopt Bar Code.
3)What are the benefits.
4)Bar Code reimbursement mechanism.

Registration fee: Rs. 100/- per participant. Max. in take 35 persons on first come first serve basis.

You are requested to confirm your participation / nominate your representative for this programme and benefit from the learnings. We look forward to your participation.

FOR REGISTRATIONS CALL :
GSIA : 0832- 2438395 / 2438210 or
MSMEDI, Margao: 0832- 2705093/ 2705092.
——————————————————————————–

Dear Friends,

The Institute of Trade & Industrial Development, New Delhi has been organising Economic Development Conference since 1975. So far, it has organised 20 such Conferences. As part of the Conference, a select number of self-made entrepreneurs from different parts of the country are honoured with Udyog Patra Award, in recognition of their contribution to the economic development of the Nation.

The 21st Economic Development Conference will be organised in the month of August 2009, at New Delhi. As in the past, this time too, a select number of Self Made Entrepreneurs will be honoured with the Prestigious Udyog Patra Award. Any self made Entrepreneurs (with their address and telephone numbers) having turn over of Rs. 5 Crore and above may kindly apply for consideration of the Udyog Patra Award. The Institute of Trade & Industrial Development will coordinate with such Entrepreneurs, after getting their contact details.

Details such as Name, address and contact numbers of self-made Entrepreneurs may be sent by return email/ fax on or before 01st March 2009, to GSIA Office for onward transimission to the Institute of Trade & Industrial Development, New Delhi

——————————————————————-
GOA STATE INDUSTRIES ASSOCIATION
4th Floor, GIDC House, Patto Plaza, Panaji-Goa.
Telefax: 0832-2438395/ 2438210
email: [email protected]
website: www.gsia.in

Dear Member,

Department of Industries, Trade & Commerce has informed vide letter no. No. 15/DITC/HPCC/MISC/07/Vol.1/128 dated 09/01/2009 has informed regarding “Concurrence of Directorate of Industries, Trade and Commerce, Panaji,while granting services to Industrial Enterprises”.

As you are aware that in order to expedite clearances to Large Enterprises from various statutory authorities the State Government has constituted the High Powered Co-ordination Committee (HPCC) which gives approval for setting up of new large scale industrial units, expansion of the existing units, increase in production capacity/power load etc.

Also consequent to the implementation of the Micro, Small & Medium Enterprises Development Act, 2006 which came into force w.e.f .02/10/06 envisages that any person who intends to establish a Micro, Small or Medium Enterprises are required to file applications for acknowledgment of Entrepreneur Memorandum Part-I (E.M. Part I)with the Directorate of Industries Trade and Commerce, Panaji which in turn issues an acknowledgment after allotting an Entrepreneur Memorandum Number. The said E.M. Part –I is valid fro 2 years from the date of issue and during which the concerned applicant unit needs to obtain all the requisite permissions, NOC’s etc. form all the statutory authorities before the unit commences production and subsequently needs to obtain an acknowledgment of Entrepreneur Memorandum Part- II (E.M. Part – II) from Directorate of Industries, Trade and Commerce once gone into commercial production.

However, various instances has come to the notice of this Directorate/HPCC/ Government that a number of Industrial Units/ Enterprises set up the their operations by obtaining either a plot from GIDC, power connection from Electricity Department, water connection from PWD, consent to operate/ establish from GSPCB, etc and approaches to Directorate of Industries, Trade and Commerce, Panaji, only for regularization of their units. Also these units are able to increase their production capacity, shifting of location, modification, expansion, diversification etc. by obtaining necessary facilities/Services/NOC’s / Permission etc. from statutory authorities and without prior consent/ approval of this Directorate/HPCC/ Government which is mandatory.

This practice itself defeats the basic purpose of constitution of High Powered Co-ordination Committee and an acknowledgment of EM’s which inturn lead to rampant changes by Industrial Enterprises without prior approval of Government wherever required. This also leads to non-availability of requisite statistics of enterprises operation in the State of Goa.

Now, therefore, the following measures are hereby suggested:-

(1)All the statutory authorities should insist upon E.M.Part – I /NOC of Directorate of Industries, Trade and Commerce, Panaji form all the applicant units who intends to set up new micro, small or medium enterprises/unit or request for any changes in their existing unit in the State of Goa, such as increase in power load, water connection, allotment of plot in the Industrial Estate, consent to establish etc. The Electricity Department may issue only temporary power connection during validity period of E.M. Part – I. Similarly temporary power connection during validity period of E.M. Part- I. Similarly Goa State Pollution Control Board may issue consent to establish only for a initial period of 2 years during validity of E.M. Part – I in case of Micro, Small, and Medium Enterprises.

(2) All the statutory authorities shall insist upon HPCC approval/ NOC of Directorate of Industries, Trade and Commerce, Panaji from the applicant unit who intends to set up Large Enterprise or intend to make any changes in the existing units such as increase in production capacity, request for additional plot, power load, water connection, consent to establish, request for loan/ subsidy etc.

Any consent given without adhering to the above instructions would be considered as illegal and would be at the risk of the issuing authority.
—————————————–

Credit Card Scam

This one is pretty slick since they provide YOU with all the information, except the one piece they want.

Note, the callers do not ask for your card number; they already have it.. This information is worth reading. By understanding how the VISA & Master Card Telephone Credit Card Scam works, you’ll be better
prepared to protect yourself.

One of our employees was called on Wednesday from ‘VISA’, and I was called on Thursday from ‘Master Card’. The scam works like this :

Caller : ‘This is (name), and I’m calling from the Security and Fraud Department at VISA. My Badge number is 12460. Your card has been flagged for an unusual purchase pattern, and I’m calling to verify.
This would be on your VISA card which was issued by (name of bank). Did you purchase an Anti-Telemarketing Device for $497.99 from a Marketing company based in Arizona ?’

When you say ‘No’, the caller continues with, ‘Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $297 to $497, just under the $500
purchase pattern that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?’

You say ‘yes’. The caller continues – ‘I will be starting a Fraud investigation. If you have any questions, you should call the 1- 800 number listed on the back of your card (1-800 -VISA) and ask for Security.’

You will need to refer to this Control Number. The caller then gives you a 6 digit number. ‘Do you need me to read it again?’

Here’s the IMPORTANT part on how the scam works.The caller then says, ‘I need to verify you are in possession of your card’. He’ll ask you to ‘turn your card over and look for some numbers’. There are
7 numbers; the first 4 are part of your card number, the next 3 are the security Numbers that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to
prove you have the card. The caller will ask you to read the 3 numbers to him. After you tell the caller the 3 numbers, he’ll say, ‘That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?’ After you say No, the caller then thanks you and states, ‘Don’t hesitate to call back if you do, and hangs up.

You actually say very little, and they never ask for or tell you the Card number. But after we were called o n Wednesday, we called back within 20 minutes to ask a question. Are we glad we did! The REAL VISA Security Department told us it was a scam and in the last 15 minutes a new purchase of $497.99 was charged to our card.

Long story – short – we made a real fraud report and closed the VISA account. VISA is reissuing us a new number. What the scammers want is the 3-digit PIN number on the back of the card Don’t give it to them.
Instead, tell them you’ll call VISA or Master card directly for verification of their conversation. The real VISA told us that they will never ask for anything on the card as they already know the information since they issued the card! If you give the scammers your 3 Digit PIN Number, you think you’re receiving a credit. However, by
the time you get your statement you’ll see charges for purchases you didn’t make, and by then it’s almost too late and/or more difficult to actually file a fraud report.

What makes this more remarkable is that on Thursday, I got a call from a ‘Jason Richardson of Master Card’ with a word-for-word repeat of the VISA scam. This time I didn’t let him finish. I hung up! We filed a police report, as instructed by VISA. The police said they are taking several of these reports daily! They also urged us to tell everybody we know that this scam is happening in all states.

Caren

For Det Norske Veritas AS
Nagendra Venkobarao
____________________________________________
Lead Auditor (ICT)
Bangalore
India
Telephone Board : +91-80-41455455
Telephone Direct: +91-80-41455419
Fax: +91-80-25551364
Mobile: +91-98801-08600
www.dnvindia.com
http://www.dnvindia.com/dnvtraining/category
“As soon as the fear approaches near, attack and destroy it!”

National Cyber Alert System
Technical Cyber Security Alert TA09-020A

Microsoft Windows Does Not Disable AutoRun Properly

Original release date: January 20, 2009
Last revised: —
Source: US-CERT

Systems Affected

* Microsoft Windows

Overview

Disabling AutoRun on Microsoft Windows systems can help prevent the
spread of malicious code. However, Microsoft’s guidelines for
disabling AutoRun are not fully effective, which could be
considered a vulnerability.

I. Description

Microsoft Windows includes an AutoRun feature, which can
automatically run code when removable devices are connected to the
computer. AutoRun (and the closely related AutoPlay) can
unexpectedly cause arbitrary code execution in the following
situations:

* A removable device is connected to a computer. This includes, but
is not limited to, inserting a CD or DVD, connecting a USB or
Firewire device, or mapping a network drive. This connection can
result in code execution without any additional user interaction.

* A user clicks the drive icon for a removable device in Windows
Explorer. Rather than exploring the drive’s contents, this action
can cause code execution.

* The user selects an option from the AutoPlay dialog that is
displayed when a removable device is connected. Malicious
software, such as W32.Downadup, is using AutoRun to
spread. Disabling AutoRun, as specified in the CERT/CC
Vulnerability Analysis blog, is an effective way of helping to
prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both
ineffective for fully disabling AutoRun capabilities on Microsoft
Windows systems. Setting the Autorun registry value to 0 will not
prevent newly connected devices from automatically running code
specified in the Autorun.inf file. It will, however, disable Media
Change Notification (MCN) messages, which may prevent Windows from
detecting when a CD or DVD is changed. According to Microsoft,
setting the NoDriveTypeAutorun registry value to 0xFF “disables
Autoplay on all types of drives.” Even with this value set, Windows
may execute arbitrary code when the user clicks the icon for the
device in Windows Explorer.

II. Impact

By placing an Autorun.inf file on a device, an attacker may be able
to automatically execute arbitrary code when the device is
connected to a Windows system. Code execution may also take place
when the user attempts to browse to the software location with
Windows Explorer.

III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the
following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
NTCurrentVersionIniFileMappingAutorun.inf] @=”@SYS:DoesNotExist”

To import this value, perform the following steps:

* Copy the text
* Paste the text into Windows Notepad
* Save the file as autorun.reg
* Navigate to the file location
* Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from
mounted devices in the MountPoints2 registry key. We recommend
restarting Windows after making the registry change so that any
cached mount points are reinitialized in a way that ignores the
Autorun.inf file. Alternatively, the following registry key may be
deleted:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerMou
ntPoints2

Once these changes have been made, all of the AutoRun code
execution scenarios described above will be mitigated because
Windows will no longer parse Autorun.inf files to determine which
actions to take. Further details are available in the
CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin
Atac for providing the workaround.

IV. References

* The Dangers of Windows AutoRun –

<>tml>

* US-CERT Vulnerability Note VU#889747 –
<>

* Nick Brown’s blog: Memory stick worms –
<>

* TR08-004 Disabling Autorun –
<>

* How to Enable or Disable Automatically Running CD-ROMs –
<>

* NoDriveTypeAutoRun –

<>entry/91525.mspx>

* Autorun.inf Entries –
<>

* W32.Downadup –

<>-2408-99>

* MS08-067 Worm, Downadup/Conflicker –
<>

* Social Engineering Autoplay and Windows 7 –
<>

____________________________________________________________________

The most recent version of this document can be found at:

<>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to with “TA09-020A Feedback VU#889747” in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <>.
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<>
____________________________________________________________________

Revision History

January 20, 2009: Initial release

Participation in Residential Programme on Information Technology for Non IT Professionals from 9-13, February 2009 at Goa (The Grand, Goa ****)

Dear Members,

As you are aware, the National Productivity Council (Under Ministry of Commerce and Industry, Govt. Of India) is organizing the programme on “Information Technology for Non IT Professionals” during 9-13, February 2009 at Goa. The venue of programme is Neelams The Grand, Calangute, Goa (www.thegrandgoa.com).

The programme aims to help the participants gain an understanding of the potential of information technology to catalyzing a re-orientation of thinking to effectively utilize the newly available computing and communication tools so that different elements of their job can effectively fit together with IT as the key enabler. The overall focus will be on IT tools and its effective utilization to respective functional areas in their office.

The specific target group for this programme is: non IT Professionals, Executives, Managers, Officers of all levels (including top level, middle and junior level executives from different functional areas of management viz. Administration, finance, personnel & training / HRD, technical, marketing, banking etc.) or any one who are interested in effective use of IT in respective functional area and enhancing IT skills and productivity. Leading practitioners from the field, NPC experts, eminent guest faculty members would be addressing the participants to share their experiences.

We are sure that your organization would take advantage of this opportunity by sponsoring delegates to the programme. Nomination indicating the name(s) of the participants, designation, contact address, e-mail id, phone/mobile number and FAX number etc. Along with a crossed cheque/demand draft of participation fees of Rs 33,146/- per participant, favouring “National Productivity Council” and payable at New Delhi may be forwarded to the undersigned.

The details of the programme and its coverage enclosed in the form of a brochure and online version can also be download from the website www.npcindia.org/itnitgoa.pdf

Should you require any further details, please feel free to contact on 09212200165 or 011- 24607321 (D)

Arvind Bhisikar
Programme Director
National Productivity Council
(Ministry of Commerce and Industry, Govt. Of India)
5-6 Institutional Area
Lodi Road, New Delhi-110003
Ph. 011- 24607321 (D) 24690331( Ext 321)
Mobile: 09212200165
Fax: 011-24615002
E-mail: [email protected]
———————————————————————-
Note:

1. Online version of Programme brochure can also be download from our website www.npcindia.org/itnitgoa.pdf

2. Scanned copy of singed invitation letter also attached with this mail.

3. If required, the expenditure of this residential progamme, including the participation fees may be incurred from E-Governance/ IT training/ Computer training/ Training Budget of your respective department.
————————————————————————————-

Commercial vehicles purchased for business purposes between 1.1.09 to 31.3.09 are entitled to depreciation @ 50%.
Income-tax (Third Amendment) Rules, 2009 – Amendment in New Appendix 1

NOTIFICATION NO. 10/2009, DATED 19-1-2009

In exercise of the powers conferred by section 295 of the Income-tax Act, 1961 (43 of 1961), the Central Board of Direct Taxes hereby makes the following rules further to amend the Income-tax Rules, 1962, namely:—

1.(1)These rules may be called the Income-tax (Third Amendment) Rules, 2009

(2)They shall come into force on the 1st day of April, 2009.

2. In the Income-tax Rules, 1962, in the Table to New Appendix 1, in Part-A relating to TANGIBLE ASSETS, under the heading III. MACHINERY AND PLANT, in item (3), after sub-item (vi) and entries relating thereto, the following shall be inserted, namely:—

“(via) New commercial vehicle which is acquired on or after the 1st day of January, 2009 but before the 1st day of April, 2009 and is put to use before the 1st day of April, 2009 for the purposes of business or profession [See paragraph 6 of the Notes below this Table] 50”.

Goa Sick Industrial Units Revival and Rehabilitation Schemes, 2008
Government of Goa
Department of Industries
Notification no. 3/40/2003-IND-Part-II dated 12th June, 2008.

Goa Industrial Policy, 2003 was announced by Government of Goa. Now, in pursuance of clause 5.8 of the said Policy, the Government of Goa is pleased to frame the Scheme namely the “Goa Sick Industrial Units Revival and Rehabilitation Scheme, 2008”.

“Goa Sick Industrial Units Revival and Rehabilitation Scheme, 2008” shall come into force from the date of its adoption by the Government and shall remain in force for five years.
For detailed notification contact GSIA office

Association of State Road Transport Undertakings have invited bids only from Manufacturers for supply of the items included in the following procurement groups for application in Tata & Leyland vehicles/ buses in Electronic tendering mode only.

Name of the procurement Group: Earnest money deposit (Rs. Per procurement group) Rs.10,000/- (Ten Thousand Only).
Paints (Normal, Premium & PU Quality) and Paint Ancillaries, Latex, PU & Rubberised Coir seat, cushion and backrests, gaskets, radiators & cores, Tyre retreading material (Precured process), patches and tools for repair of tyres & tubes.

Name of the procurement Group: Earnest money deposit (Rs. Per procurement group) Rs.6,000/- (Six Thousand Only).
Adhesives & Single Component Anaerobic Adhesives, Hinges & Door locks, Conductor Bell, Tower Bolts etc. Automotive Lights & rear view mirrors, automobile bulbs & halogen auto bulbs, rubber & rubber parts, ballata packing & Air suspension spring for buses, Oil seats, Auto dash Board Instruments & speedometer cables.

Important dates of tender:
a. Tender commencement date: 05/12/2008 (11.00 hrs.)
b. Tender forms request last date : 05/01/2009 (18.00 hrs)
c. Tender closing date (last date to submit e-bid): 06/01/2009 (11.00 hrs.)
d. Last date to submit demand draft of EMD: 06/01/2009 (11.00 hrs.)
e. Tender opening date: 06/01/2009( 12.00 hrs.)

Cost of tender forms (non-refundable) = Rs.3,000/- per procurement group)

More details of the Tender are available at GSIA Office.

————-