
From Nextgov:

The first revision to Special Publication 800-37 — “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life-Cycle Approach” — will help agencies comply with the 2002 Federal Information Security Management Act, which requires them to identify and take inventories of their IT systems and determine the sensitivity of information stored on those systems. FISMA has long been criticized for focusing too heavily on compliance and not enough on monitoring and testing of computer systems for vulnerabilities.

Article Link

(Image used under CC from LordSchrammi’s Flickr stream)

NIST has updated several of its guideline documents.

From GCN:

The beta NIST Windows Security Baseline Database is intended to supplement the revision of Special Publication 800-68, titled “Guidance for Securing Microsoft Windows XP Systems for IT Professionals,” which is being released in draft for public comment.

NIST also is releasing a revision of SP 800-48, titled “Guide to Securing Legacy IEEE 802.11 Wireless Networks,” which updates the original recommendations published in 2002, and SP 800-123, “Guide to General Server Security.”

For the full article read on.

Article Link

Well, here is an interesting twist. I can’t say that I’m overly surprised as this type of ranking was inevitable.

From the Associated Press:

Eighteen Japanese firms said Tuesday they were creating the world’s first ratings agency looking at data security, which they said was a rising concern for companies.

The new firm, called IS Rating, will be launched on May 1 and start issuing ratings in July, both to Japanese and foreign companies and organisations.

It will give out ratings based on how they manage data, including files containing personal information, which circulates within the firm or is shared with third parties.

IS Rating will also offer training and edit documents to encourage security.

“For businesses, it’s extremely complicated to measure whether the internal handling of their masses of data is appropriate,” the firms creating the new agency said in a joint statement.

Very interesting indeed.

Article Link

Bruce Schneier has a great commentary on Wired this morning that tackles the security practitioner’s mindset.

Here’s a snippet from Wired:

Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.

I replied: “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.”

Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.

A thoroughly entertaining read.

Article Link

We love Bruce here at Liquidmatrix. He gave a keynote at Linux.conf.au.

From itnews.com.au:

Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards and public CCTV security cameras in his keynote address to Linux.conf.au this morning.

These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, he said.

“Camera companies are pushing it, but all the actual data points the other way,” Schneier said. “RFID is another one – the industry pushing it is very much distorting facts.”

The discussion of public security — which has always been clouded by emotional decision making — has been railroaded by groups with vested interests such as security vendors and political groups, he said.

Public discussion which should be a security debate can be coloured by politics, he said.

All too often Myrcurial and I are subjected, in our respective day jobs, to the vendor-induced “machine that goes ping” barrage of phone calls. In the past I have railed against vendors that play the Coke v. Pepsi routine rather than telling me why their product is good. Bruce hits it on the head. It’s not about the machine with blinky lights. It’s about knowing you’re secure.

“It’s not enough to make someone secure, that person needs to also realise they’ve been made secure. If no-one realises it, no-one’s going to buy it,” Schneier said.

The goal must be to get the reality and perception matching up – so that security solutions aren’t lulling users into a false sense of security, or letting them exist in an unnecessary climate of fear.

Now, we will be selling a new spray called “FUDAWAY” for $49.99 (CDN) per can. Just one spritz and you’re secure.

:)

Article Link


Whenever there is a meeting to talk about say, Windows servers, the discussion is left primarily to the subject matter experts when dealing on a technical level. The same can be said of application development et cetera. So, why is it that when the discussion ultimately circles around to security that everyone in the room thinks that they know more than the security wonk?

I have had the distinct displeasure, at a former company, of sitting in a meeting where the CTO said that UDP was a more reliable transport than TCP. He followed by telling me that telnet was a secure method of communication. Thankfully my coworker had the foresight to chain me to my seat and to jab a syringe filled with some sedative into my leg.

This is an example of why I refuse to be intimidated by anyone simply because their business card has a lofty signature. I do find it an interesting social experiment however. Why do people feel it necessary to tell me about the computer virus that they had on their Windows 98 machine when I’m at a Christmas party? Not that I have a problem discussing it. But, they feel it necessary to cross swords with me rather than discuss it. My first thought is “Well, hell. You asked me.” but, that gives way to a more diplomatic approach. I try to steer the conversation in such a manner that the initiator feels they have made their point.

Very curious.


This article comes to us from Computer World:

Information security may be put in place mostly at the IT level, but to work well it must go right to the top, says security expert Basie von Solms.

The visiting South African security governance specialist and president of the IFIP (International Federation of Information Processing) was speaking to a NZ Computer Society meeting earlier this month.

IT security must be initiated and controlled by the board or top management of the organisation, said the security governance specialist from the University of Johannesburg. Von Solms is currently writing a book on information security governance. He has also published a number of scholarly papers on the subject.

For security control, the results of various security measures taken – both positive and negative – must be reported up the chain to the top echelons. These are the people who are increasingly being asked to take personal responsibility for any failure to manage information assets competently, says von Solms.

Read on.

Article Link


From Journal Live:

At a time when the debate about identity cards rages on, and NHS patient records are soon to be brought together on a national database, the query becomes all the more pertinent.

Any problems one might have about the intrusiveness of an increasingly surveillant society are compounded by errors like the one exposed in Washington. Once the information is with the Government, what kind of assurance can they give us that it will remain protected?

Thousands of people are viewing databases with our details on every day and there are obvious risks involved with such widespread access to vast amounts of confidential information.

According to Lyndsay Marshall, a lecturer in computing science at Newcastle University, systems need to be tightened to avoid repeats.

“I don’t think anybody can be trusted with our personal information,” he said.

“There’s a basic problem in that mistakes happen and it’s very difficult to get the right balance when you’re creating a system.

“A secure system is an unusable system. If you make your system extremely secure, you have unhappy employees.

Hmm, not sure I agree with that one.

Article Link


Security certs. Love ‘em or hate ‘em, they are littering the landscape of the security business. Case in point, yours truly has several certs such as CISA, CISSP, CISM (when I send in the paperwork, someday) and PMP to name a few. For the most part I took these to flesh out the resume. Chaff for the HR folks, as it were. Now, that is by no means to discount them. I found the PMP cert to be extremely beneficial. However, there are some, such as the CISSP, that I have lost confidence in over the last few years.

Why? Enter the “Paper CISSP”.

I have met a few folks that are CISSP certified and in all honesty I am confused as to how they would have ever passed the exam. They couldn’t tell a security policy from a packet dump. Not to mention folks who put certs on their business cards without actually having them. But, that is not a tirade that I feel like getting into today. What I am (eventually) getting around to here is the introduction of another certification. This time from ISACA. This group has a little more meat on the bones when it comes to the strength of their framework. The new cert is called “Certified in the Governance of Enterprise IT™ (CGEIT™) credential”

From ISACA:

This certification will benefit the individual, through recognition of their professional knowledge and competencies; skill-sets; abilities and experiences, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.

The certification process has been specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT. The certification promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge.

This isn’t an endorsement but rather just making you, the reader, aware of the new cert. You’re all big boys and girls and can make up your own minds.

To each their own.

Article Link


Shhhh, don’t tell anyone. USA Today has some cutting-edge journalism on how technology makes it easier to access porn at work. Bit of a silly piece, but amusing just the same.

From USA Today:

Devices providing wireless access to the Internet appear to be giving the porn-at-work phenomenon a boost even as employers are getting more aggressive about using software to block workers’ access to inappropriate websites. About 65% of U.S. companies used such software in 2005, according to a survey by the American Management Association and the ePolicy Institute, up from 40% in 2001.

Many employers say that because it’s so easy to access porn on portable devices — even those that are company-owned and outfitted to block access to adult-oriented websites — they are increasingly concerned about being sued by employees who are offended when co-workers view naughty images.

With wireless devices, close monitoring of workers is “impossible. There’s nothing you can do,” says Richard Laermer, CEO of the public relations firm RLM.

Yeah, strong enforceable policies wouldn’t help and there are no solutions available for mobile devices (sarcasm). Throw your hands in the air and repent your sins. The end is nigh.

Article Link
