Archive for January, 2008

The “Cyber Storm” War Game

I recently read with great interest a news item that covered a gigantic “Cyber Storm” war game that transpired approximately two years ago. The US Department of Homeland Security, in cooperation with the Pentagon, Justice Department, State Department, National Security Agency, and CIA, conducted a detailed simulation of three categories of massive disasters: computer attacks, physical attacks, and psychological subversion attempts. Participants included employees of the US government and the private sector within the US, as well as others from countries such as Australia, England, and Canada. Scenarios included unauthorized access to airline computers, a breakdown of police communications systems in one city, hundreds of individuals on “no fly” lists arriving at airport check-in counters at approximately the same time, commercial software blueprints being stolen, computer failures at border checkpoints, computer blackouts at New York Harbor ports, and many others. Observers generally rated the participants’ performance as fair or sometimes better. Read more…

Bush’s Executive Order on Cyber Security: Will it Do Any Good?

Several weeks ago President Bush signed an executive order, National Security Presidential Directive 54/Homeland Security Presidential Directive 23, that is intended to improve cyber security within the US government by mandating monitoring of US government networks. The order, which provides an unspecified but presumably huge amount of funding, stirred up no small amount of controversy. Critics complained that the order calls only for monitoring, not up-front security measures, and as such they have predicted that this order’s provisions will do little if anything to genuinely improve cyber security within the government. The fact that the public sector was excluded, even though the public sector is a critical part of the critical national infrastructure, triggered additional criticism. To top it off, privacy advocates have pointed out that the order will result in what will effectively amount to yet more government spying on individuals. Read more…

“Lessons Learned” from the Société Générale Incident

You probably noticed all the hoopla recently concerning Société Générale’s catastrophic trading incident that reportedly cost this bank nearly €5 billion. Although this loss figure is huge, it is not unprecedented. Brian Hunter, then of Amaranth, lost the equivalent of €4.5 billion in bad energy trades in 2006.

How do incidents of this magnitude happen? The disturbing answer is that it depends. The case of Jerome Kerviel of Société Générale had a huge security component to it. Kerviel initiated huge trades that turned sour. He should not have been able to initiate such large trades, because Société Générale had controls in place that required additional approval for transactions of that size. Kerviel allegedly got around those controls, however, by breaking into the systems of his fellow employees, simply learning and guessing usernames and passwords to these systems while he worked late. Read more…

The Importance of a Good Information Security Policy – Part 4

I don’t want to drone on and on concerning information security policy, but this issue is so important that it warrants considerable analysis and discussion. In this last blog entry on this topic, I’ll assume that an organization has an appropriate, well-written, and well-distributed information security policy. This organization may deserve plenty of credit for this accomplishment, but if the organization does not do more with the policy, the policy will not yield the range of benefits that it can and should produce. In short, an information security policy should be the anchor of a number of important processes that go well beyond simply having a policy in place. Here are a few examples: Read more…

The Importance of a Good Information Security Policy – Part 3

I’ve already covered the importance of a good information security policy, the process of creating such a document and putting its provisions in place, and why so many policies are less than adequate. I’d like to focus next on an acceptable use policy, a policy that explains what users and system administrators are and are not allowed to do when they use an organization’s computing resources. Acceptable use policies, for example, usually require, among other things, that use of an organization’s computing resources be for official, business purposes only. Additionally, these policies generally do not allow users to share their passwords under any circumstances. Read more…

The Importance of a Good Information Security Policy – Part 2

This blog entry picks up where my previous one (“The Importance of a Good Information Security Policy – Part 1”) left off. Many potential pitfalls in developing an information security policy exist, but even if information security professionals manage to avoid these pitfalls, other obstacles can prevent such a policy from being effective. The reason is that developing a policy is only the first part of what ideally should be an entire cycle of policy-related activities. This cycle should include assessing requirements (particularly through communicating with senior-level management), writing the policy, obtaining feedback and making appropriate changes, getting senior management sign-off, distributing the policy, enforcing the policy, and periodically reviewing the policy and making appropriate changes. Of all the activities in this cycle, enforcing the policy is often the most challenging. Read more…

The Importance of a Good Information Security Policy – Part 1

Information security policy is a high-level set of security-related requirements that set the ground rules for security within an organization. A good policy should cover critical issues such as user responsibilities, ownership of information processing resources and information, baseline security, and so on. A good information security policy is one of the critical underpinnings of an effective security practice, yet not all security policies in today’s information security practices are up to par. Read more…

The Capability Maturity Model in Information Security

The Capability Maturity Model (CMM) was originally intended to characterize processes involved in software development that affect the quality of the code that is produced. In a nutshell, the lowest CMM level (level 0) is called “nonexistent;” there is no awareness of the need for systematic development processes. At the highest level (level 5), development processes are optimized by being implemented, monitored and managed throughout an entire organization. The Software Engineering Institute (SEI) validated this model by empirically showing the relationship between processes in real-world software development settings and quality metrics such as number of bugs per 1000 lines of code. Read more…

“Best practices?”

One does not have to be around information security professionals very long before hearing the term “best practices.” In theory, “best practices” means the set of security practices that the best or elite information security programs adopt. BS7799 (the content of which has been incorporated into ISO/IEC 27001) is according to a large proportion of information security professionals a “best practices” standard in that it prescribes exemplary measures used by the most effective security programs. Read more…

Passwords, Passwords, Passwords

I was trying to check my leave balance on a Web site operated by the provider that High Tower uses for personnel administration and payroll. I just attempted to log in to an account set up by this provider. My password did not work. Frankly, I cannot even remember the name of this account, let alone what the password is. Why? I am certain that it is because I have so many accounts: some that I use in connection with my job, others that I use for Internet access through two Internet service providers (ISPs), still others that I use for things such as frequent flyer programs, more that I use for additional rewards and discount programs, yet others that I use for access to accounts set up by organizations for which I write papers and book chapters, and, finally, others that I use for stock broker accounts. Read more…