Archive for July, 2007

Information Security versus IT Security

IT security and information security are viewed by many as being the same, but they are in many respects worlds apart. Information security addresses a wide range of security-related risks, benefits and processes associated with information and information processing resources. Additionally, information security is generally driven by executive management, usually with at least some level of support from the board of directors. In contrast, IT security focuses on technology—the technology needed to achieve security—and is typically driven by the CIO. In IT security, risk mitigation translates to using tools such as firewalls, intrusion detection and intrusion prevention systems, virtual private networks, anti-virus and anti-spyware tools, third-party authentication solutions, and more.


Compliance: It’s Here to Stay, No Matter Whether or Not You Like It

The word “compliance” has developed a meaning and significance of its own in the IT sector, the IT security part of this sector very much included. A variety of new regulations has surfaced over the last decade; many of these regulations’ provisions in some way involve information security. For example, Sarbanes-Oxley (SoX) section 404 requires continuous real-time monitoring of assets that contribute to the profit-loss status of a publicly-held corporation in the US.


Vulnerability Information: Sold to the Highest Bidder?

Every once in a while I read something in the news that is so outrageous that I just have to rant a bit, so here goes. The founders of a certain Web site, WabiSabiLabi, have recently announced their intention to create and run a vulnerability auction site. They will verify that each reported vulnerability is bona fide and will provide a proof of concept with each vulnerability they sell. Initially (i.e., for the first half year) access to the site will be free; afterwards, buyers and sellers of vulnerability information will be assessed a charge of 10 percent for each transaction in which they engage. Ultimately, the founders of this site think that the majority of the profits they make will come from services based on a vulnerabilities knowledge base that will be created from the vulnerability information that is auctioned.


Considerations in Planning for and Using Security Technology

Keeping up with the various technologies designed to boost security is one of the most important things that an information security professional can do. Security risks have become increasingly technical in nature, making technical solutions increasingly essential. For example, PC security without anti-virus software and personal firewalls is for all practical purposes an oxymoron. Additionally, today’s security threats have necessitated developing security measures that for various reasons operating system and application vendors have not incorporated into their products.


Dr. Gene Schultz Introduction

Hi. My name is Dr. Eugene Schultz and I am the Chief Technology Officer as well as the Chief Information Security Officer of High Tower Software. High Tower produces an appliance that aggregates the output of various computing systems and devices on the network and applies powerful event correlation algorithms to determine whether security breaches and/or policy violations have occurred and if so, their nature and the details surrounding the incident. Equally importantly, the High Tower appliance provides assurance that organizations that deploy this tool are in compliance with security monitoring-related provisions of laws and regulations such as Sarbanes-Oxley.

I have been in the information security space for nearly 25 years, having been involved in both academia and the business world. I have done things such as teach courses and conduct research in various areas of information security, particularly firewalls, incident response, intrusion detection, and human factors in information security. I have also founded and managed the US government’s first incident response team (CIAC) and have consulted for a variety of commercial and non-commercial organizations. I’ve also been the editor-in-chief of information security journals such as Computers and Security (2002 – this year) and Information Security Bulletin (2000 – 2001) as well as the associate editor of or contributor to a number of others. Finally, I have written or co-written five books; I hope that you have had the time to read at least one of them.

I am launching a blog to share my experiences and lessons learned with you as well as my perspectives concerning a wide range of issues that you and I as information security professionals face or will likely face sometime in the future. I am interested in a wide range of issues—information security governance, security program progress indicators, security training and awareness, security convergence issues, identity management, computer crime-related legislation, intrusion detection and intrusion prevention, insider attack detection and deterrence, incident response, professional certification, usability considerations related to information security, and more. If you have ever read my editorial comments in the SANS NewsBites (for which I serve as a member of the editorial board), you can be confident that I will fully speak my mind. Certain developments, such as known attackers of computer systems escaping punishment for their computer crime-related activities, incite me to express strong objections. Other, less controversial issues may not stir me up as much, but trust me, I fully intend to always have something interesting to say concerning them. Any opinions I express will, of course, be purely my own; they will not necessarily represent those of High Tower.

So hang on to your seat, so to speak, and enjoy the ride. And if you don’t like or agree with what I write, please feel free to let me know by emailing me at I cannot guarantee that I will answer every message that I receive, but I assure you that I will try to do so.
