Archive for October, 2007

The “Fortress Mentality”

Information security has proven itself immensely valuable in just about every sector: commercial, government, research institutions, and more. At the same time, however, certain barriers stifle progress, resulting in an increase in security-related incidents that might not otherwise have occurred, or in unnecessary escalation of the cost and impact of these incidents. One of these barriers is something that Tom Longstaff, now of Johns Hopkins University, and I first identified and documented way back in the late 1980s: the “fortress mentality.” The “fortress mentality” means investing the preponderance of resources and effort in preventative controls, to the point that the individuals who have done so come to view their computer environment as a kind of impenetrable bastion that cannot be breached.


International Espionage: It’s Time to Get Real

For years news stories and postings have focused on the disproportionately high percentage of attacks on US government and other systems that appear to have originated from the People’s Republic of China (PRC). I have seen firsthand systems that appeared to have been attacked and taken over by individuals within this country. In one case a Web server for a site that distributed data related to nuclear physics research had very obviously been compromised by someone from the PRC. The source IP address of traffic sent to this server was one registered to a host in the PRC (which in and of itself was not by any means conclusive proof), the destinations of many outbound connections initiated by that server were addresses in this country, and the intruder had downloaded many files written in Chinese. Interestingly, this and a number of related attacks within a relatively small period of time occurred at the time a US military aircraft had collided with one belonging to the PRC over PRC air space.


Misconceptions about Computer Forensics

Of all the areas in which information security professionals become involved, few are more fascinating than computer forensics. I suspect that there is a bit of the spirit of Columbo, the legendary investigator in a 1970s TV series, in many information security professionals, perhaps even myself included. The idea of coming to a crime scene, investigating, and gathering evidence without contaminating it is indeed intriguing.


Security Counts!

In addition to being the Chief Technology Officer of High Tower Software, I am also the Chief Information Security Officer. The latter of these roles is often much more intensive and time-consuming than I originally envisioned. The good news is that I have laid a lot of the groundwork for our ongoing security practice and have had phenomenal support from High Tower’s senior management. The bad news is that there is never enough time to do all the things that I would like to do to grow our information security program.


Doing Away with CIA

The time-honored notion that the goal of information security is to protect confidentiality, integrity and availability (CIA) lives on. Confidentiality means keeping sensitive and/or valuable information from unauthorized disclosure. Integrity means guarding against unauthorized changes to information as well as to system files and executables. Availability means assuring that information stored in computers, as well as access to systems, applications, and services, is available when needed.


eDiscovery: The Next Big Compliance Nightmare

Compliance is on the radar of just about every information security practice. Regulations such as Sarbanes-Oxley (SoX), the Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley (GLB), Basel II, the European Union Privacy Act, and many others have security-related provisions that require a considerable amount of planning, implementation and documentation effort.

Unfortunately, information security professionals too often get so immersed in attempting to comply with the plethora of information security-related regulations that they lose sight of what is on the horizon. A good example is a piece of pending legislation, H.R. 4127, the Data Accountability and Trust Act. In a nutshell, among other things this proposed legislation would require that organizations holding information needed for legal or investigatory purposes retrieve and hand over this information to authorities within a specified period of time. Failure to do so would result in a large fine, assessed for every day the organization cannot produce the information.


Information Security Certifications

Not too many years ago there were no certifications for information security professionals. How things have changed over the years; there are now more types of certifications than one could ever have imagined. Believe it or not, I even know of one individual who has ten information security-related certifications, and he plans to pursue even more.

Information security certifications have gained considerable acceptance. Before they existed, individuals with marginal credentials and experience in information security could declare themselves information security experts without having demonstrated any competency in information security whatsoever. Certifications, while by no means perfect, now provide some level of assurance that certified individuals possess at least a baseline of skills and knowledge. Many information security positions now require at least one certification; some require more.
