Archive for Information Security
Author: Dave Lewis
April 8, 2008 at 10:53 am · Filed under Data Security, Information Security
Well, here is an interesting twist. I can’t say that I’m overly surprised as this type of ranking was inevitable.
From the Associated Press:
Eighteen Japanese firms said Tuesday they were creating the world’s first ratings agency looking at data security, which they said was a rising concern for companies.
The new firm, called IS Rating, will be launched on May 1 and start issuing ratings in July, both to Japanese and foreign companies and organisations.
It will give out ratings based on how they manage data, including files containing personal information, which circulates within the firm or is shared with third parties.
IS Rating will also offer training and edit documents to encourage security.
“For businesses, it’s extremely complicated to measure whether the internal handling of their masses of data is appropriate,” the firms creating the new agency said in a joint statement.
Very interesting indeed.
Article Link
Author: Dave Lewis
March 20, 2008 at 7:52 am · Filed under Education, Humour, Information Security
Bruce Schneier has a great commentary on Wired this morning that tackles the security practitioner's mindset.
Here’s a snippet from Wired:
Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.
I replied: “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.”
Security requires a particular mindset. Security professionals — at least the good ones — see the world differently. They can’t walk into a store without noticing how they might shoplift. They can’t use a computer without wondering about the security vulnerabilities. They can’t vote without trying to figure out how to vote twice. They just can’t help it.
A thoroughly entertaining read.
Article Link
Author: Dave Lewis
January 30, 2008 at 8:50 am · Filed under Conventions, Information Security
We love Bruce here at Liquidmatrix. He gave a keynote at Linux.conf.au.
From itnews.com.au:
Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards and public CCTV security cameras in his keynote address to Linux.conf.au this morning.
These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, he said.
“Camera companies are pushing it, but all the actual data points the other way,” Schneier said. “RFID is another one – the industry pushing it is very much distorting facts.”
The discussion of public security — which has always been clouded by emotional decision making — has been railroaded by groups with vested interests such as security vendors and political groups, he said.
Public discussion which should be a security debate can be coloured by politics, he said.
All too often Myrcurial and I are subjected, in our respective day jobs, to the vendor-induced “machine that goes ping” barrage of phone calls. In the past I have railed against vendors that play the Coke v Pepsi routine rather than telling me why their product is good. Bruce hits it on the head. It’s not about the machine with blinky lights. It’s about knowing you’re secure.
“It’s not enough to make someone secure, that person needs to also realise they’ve been made secure. If no-one realises it, no-one’s going to buy it,” Schneier said.
The goal must be to get the reality and perception matching up – so that security solutions aren’t lulling users into a false sense of security, or letting them exist in an unnecessary climate of fear.
Now, we will be selling a new spray called “FUDAWAY” for $49.99 (CDN) per can. Just one spritz and you’re secure.
Article Link
Tags: Bruce Schneier, Security, Information Security
Author: Dave Lewis
November 30, 2007 at 10:40 am · Filed under Information Security
Whenever there is a meeting to talk about, say, Windows servers, the technical discussion is left primarily to the subject matter experts. The same can be said of application development et cetera. So, why is it that when the discussion ultimately circles around to security, everyone in the room thinks that they know more than the security wonk?
I have had the distinct displeasure at a former company to sit in a meeting where the CTO said that UDP was a more reliable transport than TCP. He followed by telling me that telnet was a secure method of communication. Thankfully my coworker had the foresight to chain me to my seat and to jab a syringe filled with some sedative into my leg.
This is an example of why I refuse to be intimidated by anyone simply because their business card has a lofty signature. I do find it an interesting social experiment, however. Why do people feel it necessary to tell me about the computer virus that they had on their Windows 98 machine when I’m at a Christmas party? Not that I have a problem discussing it. But they feel it necessary to cross swords with me rather than discuss it. My first thought is “Well, hell. You asked me.”, but that gives way to a more diplomatic approach. I try to steer the conversation in such a manner that the initiator feels they have made their point.
Very curious.
Tags: Security SME, Security Education
Author: Dave Lewis
November 28, 2007 at 10:24 am · Filed under Information Security, Security Mgmt
This article comes to us from Computer World:
Information security may be put in place mostly at the IT level, but to work well it must go right to the top, says security expert Basie von Solms.
The visiting South African security governance specialist and president of the IFIP (International Federation of Information Processing) was speaking to a NZ Computer Society meeting earlier this month.
IT security must be initiated and controlled by the board or top management of the organisation, said the security governance specialist from the University of Johannesburg. Von Solms is currently writing a book on information security governance. He has also published a number of scholarly papers on the subject.
For security control, the results of various security measures taken – both positive and negative – must be reported up the chain to the top echelons. These are the people who are increasingly being asked to take personal responsibility for any failure to manage information assets competently, says von Solms.
Read on.
Article Link
Tags: Information Security, Security Priority
Author: Dave Lewis
November 24, 2007 at 8:07 pm · Filed under Information Security
From Journal Live:
At a time when the debate about identity cards rages on, and NHS patient records are soon to be brought together on a national database, the query becomes all the more pertinent.
Any problems one might have about the intrusiveness of an increasingly surveillant society are compounded by errors like the one exposed in Washington. Once the information is with the Government, what kind of assurance can they give us that it will remain protected?
Thousands of people are viewing databases with our details on every day and there are obvious risks involved with such widespread access to vast amounts of confidential information.
According to Lyndsay Marshall, a lecturer in computing science at Newcastle University, systems need to be tightened to avoid repeats.
“I don’t think anybody can be trusted with our personal information,” he said.
“There’s a basic problem in that mistakes happen and it’s very difficult to get the right balance when you’re creating a system.
“A secure system is an unusable system. If you make your system extremely secure, you have unhappy employees.
Hmm, not sure I agree with that one.
Article Link
Tags: Information Security, Data Security, Data Privacy
Author: Dave Lewis
November 13, 2007 at 11:54 am · Filed under Education, Information Security
Security certs. Love ‘em or hate ‘em, they are littering the landscape of the security business. Case in point, yours truly has several certs such as CISA, CISSP, CISM (when I send in the paperwork, someday) and PMP, to name a few. For the most part I took these to flesh out the resume. Chaff for the HR folks, as it were. Now, that is by no means to discount them. I found the PMP cert to be extremely beneficial. However, there are some, such as the CISSP, that I have lost confidence in over the last few years.
Why? Enter the “Paper CISSP”.
I have met a few folks that are CISSP certified and in all honesty I am confused as to how they would have ever passed the exam. They couldn’t tell a security policy from a packet dump. Not to mention folks who put certs on their business cards without actually having them. But that is not a tirade that I feel like getting into today. What I am (eventually) getting around to here is the introduction of another certification. This time from ISACA. This group has a little more meat on the bones when it comes to the strength of their framework. The new cert is called the “Certified in the Governance of Enterprise IT™ (CGEIT™) credential”.
From ISACA:
This certification will benefit the individual, through recognition of their professional knowledge and competencies; skill-sets; abilities and experiences, and will enhance their professional standing. It will also add value to the enterprises they support through the demonstration of a visible commitment to excellence in IT governance practices.
The certification process has been specifically developed for professionals who have a significant management, advisory, or assurance role relating to the governance of IT. The certification promotes the advancement of professionals who wish to be recognized for their IT governance-related experience and knowledge.
This isn’t an endorsement but rather just making you, the reader, aware of the new cert. You’re all big boys and girls and can make up your own minds.
To each their own.
Article Link
Tags: Security Certifications, Security Certs, HR Screening, ISACA, CGEIT
Author: Dave Lewis
October 21, 2007 at 8:57 pm · Filed under Information Security, Security Mgmt
Shhhh, don’t tell anyone. USA Today has some cutting-edge journalism on how technology makes it easier to access porn at work. Bit of a silly piece, but amusing just the same.
From USA Today:
Devices providing wireless access to the Internet appear to be giving the porn-at-work phenomenon a boost even as employers are getting more aggressive about using software to block workers’ access to inappropriate websites. About 65% of U.S. companies used such software in 2005, according to a survey by the American Management Association and the ePolicy Institute, up from 40% in 2001.
Many employers say that because it’s so easy to access porn on portable devices — even those that are company-owned and outfitted to block access to adult-oriented websites — they are increasingly concerned about being sued by employees who are offended when co-workers view naughty images.
With wireless devices, close monitoring of workers is “impossible. There’s nothing you can do,” says Richard Laermer, CEO of the public relations firm RLM.
Yeah, strong enforceable policies wouldn’t help and there are no solutions available for mobile devices (sarcasm). Throw your hands in the air and repent your sins. The end is nigh.
Article Link
Tags: Porn at Work, Web Surfing Policies, Unacceptable Behaviour
Author: Dave Lewis
October 4, 2007 at 10:11 am · Filed under Information Security, Security Mgmt
OK, someone had a worse day than Myrcurial did yesterday.
From Network World:
Even the government shudders when someone says they’re from the government and they’re here to help.
Case in point: A hacker’s diversion of traffic from a California county government Web site to a porn purveyor spiraled into IT chaos yesterday after a countermeasure applied from Washington essentially “deleted the ca.gov domain.”
Order was restored only after seven hours of frenzied coast-to-coast communications and a “forced propagation” of ca.gov network systems, according to Jim Hanacek, public information officer for the California Department of Technology Services.
“We don’t for sure have the whole picture, but as we understand it, there was some event at the Transportation Authority of Marin County where their site got hacked,” Hanacek told me this afternoon. Traffic was being redirected from that site to one featuring pornography.
A department within the U.S. General Services Administration in Washington oversees and polices the .gov domain.
“The federal government saw this incorrect use of ca.gov and they made a change at a much more global level than probably was necessary and it started taking down all of our ca.gov domain,” says Hanacek. “That impacted Web access and e-mail services.”
Oops. Read on.
Article Link
Tags: CA.GOV, IT Hobgoblins, DNS Problems
Author: Dave Lewis
September 3, 2007 at 9:22 pm · Filed under Information Security, Web Security
NIST has released a security guideline for web services.
From GCN:
The National Institute of Standards and Technology has released a 128-page guide to help organizations understand the security challenges of Web services in service-oriented architecture.
NIST Special Publication 800-95, “Guide to Secure Web Services,” provides practical guidance on current and emerging standards applicable to Web services in addition to background information on the most common security threats to SOAs based on Web services. The guidelines are hardware and software independent and do not address perimeter security devices such as firewalls or access control tools.
Web services based on the Extensible Markup Language, Simple Object Access Protocol and related open standards that are deployed in SOAs allow data and applications to interact without human intervention through dynamic and ad hoc connections.
I have not had a chance to review this one just yet. If anyone else has feel free to leave a comment.
Article Link
Tags: NIST, Web Services, Web Security