Archive for February, 2008

Information Security Governance – Part 1

According to the Information Systems Audit and Control Association (ISACA), “Information Security Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.” The last half decade or so has been characterized by an increased emphasis on information security governance within information security. Information security governance is not exactly a new concept. It has its roots in 1990s bodies such as the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, which was formed to pioneer principles and practices related to internal control in organizations. Control, especially management control, is the most essential component within governance; without it, fraud, waste and abuse abound.

Indiana Legislators Consider Security-Related Legislation

As one of the editors of the SANS NewsBites, twice every week I look through potential security-related news items. Yesterday I read that Indiana state lawmakers are considering proposed legislation that would mandate encryption of customers’ personal information. The purpose is to protect individuals against identity theft in case of unauthorized access to such information. The Indiana House and Senate have different versions of this bill. The House version, Indiana House Bill 1197, differs from the other in that it would additionally require both that commercial entities employ strong encryption for customer-related information and that they report data security compromises to potentially affected individuals as well as to the office of the attorney general. Reported breaches would then be available on a public Web site.

The Spam Epidemic: Part 2

Spam has reached such epidemic proportions that the need for a successful solution or combination of solutions has become critical. In addition to technical solutions (some of which I mentioned in my previous blog entry regarding spam), various non-technical solutions developed to address the spam problem exist. Most notably, legislative efforts to counter spam have been undertaken in a number of the larger first-world countries. The US CAN-SPAM Act, intended to protect US consumers and commercial enterprises from unsolicited commercial email by prescribing fines and allowing civil and criminal legal action against spammers, is one of the best known of these efforts.

The Spam Epidemic: Part 1

Last night I got back from an extended business trip to both the UK and Germany. On trips such as these I am often so busy that I have little time to really do justice to most of the email that I receive. This frequently results in my trying to pick out what appear to be the seven or eight most important messages, read them, and respond to them before I have to rush off to do something else; my recent trip was no exception. Today was the day of reckoning: I am still going through the email that came to both my High Tower and personal ISP accounts. As I sort through everything I have received, the fact that I am having to deal with an excessive amount of spam traffic has once again become very apparent to me. What is particularly irritating is the ineffectiveness of spam filters in spotting and deleting messages advertising watches and blue pills when they are so very obviously spam and nothing more.

ActiveX: Is it Better to Disable it?

The US Computer Emergency Readiness Team (US-CERT) recently made headlines when it advised users to disable ActiveX in their Internet Explorer (IE) browsers by changing IE’s Internet security setting to “high.” The impetus for US-CERT’s announcement was the discovery of several new vulnerabilities in ActiveX plug-ins for Facebook, MySpace and Yahoo’s music services. To the best of my recollection, although various individuals have recommended disabling ActiveX, no major organization has previously made such a recommendation. The recently discovered vulnerabilities are only a few of the many in ActiveX that have been identified over the years; many allow malicious code that runs with SYSTEM privileges (the highest level of privileges in Windows systems) to be injected into Windows systems, thereby allowing perpetrators to take complete control of victim systems.

A Sign of Things to Come?

It happened just last week: two undersea cables in the Mediterranean Sea were cut, disrupting Internet service on two continents. More recently, a cable that provides Internet links between Qatar and the United Arab Emirates was damaged. No one at this point in time knows whether these events are somehow related or, for that matter, whether the cables were deliberately or accidentally damaged.

The reason that these events caught my attention is that I have predicted that for the first time in its existence the Internet will go down completely this year, at least for a few hours (if not longer). There is little doubt in my mind that a number of individuals and groups would love to accomplish this “feat” for a variety of reasons, the foremost of which in my mind is information warfare-related motivation. I suspect that adversaries of the US in particular would want to bring the Internet down because of the US’s huge role in the development and maintenance of the Internet. Additionally, think of all the fame and glory that would go to the perpetrator(s); after all, computer criminals who have done far less lamentably continue to receive a considerable amount of undeserved media attention. Other potential perpetrators are likely to view the prospect of taking down the Internet as a kind of experiment to be performed. Still others may imagine opportunities for financial gain.

California Does it Again

The California Senate recently passed a bill that requires state government organizations and others not only to notify individuals who have been potentially affected by a data security breach, but also to provide details: what occurred, when it occurred, the type of information that was compromised, how many individuals may have been affected, and more. These organizations would also have to set up toll-free phone lines to enable potentially affected individuals to talk with credit bureau representatives at no cost. A second, similar bill that allows identity fraud cases to be heard in the victim’s county of residence was also passed. Previously, prosecution of identity fraud had to occur in the county in which the information had been compromised or in which an identity fraud incident had occurred.

A Little More about Ethics in Information Security

Ethics in information security is such an important topic that I feel the need to cover just a little more about it. As I said in my last blog entry, different professional organizations have different ethics standards. Consider, for example, the code of ethics of the Information Systems Audit and Control Association (ISACA). Some of its provisions require members to:

  • Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
  • Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
  • Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
  • Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
  • Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
  • Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Ethics in Information Security

At some point, every information security professional faces at least one (and usually many) serious ethical dilemma(s) related to the practice of information security in the workplace. Of all the facets of an information security professional’s job, however, I suspect that the ones involving ethical issues often receive the least attention. This is not at all to say that information security professionals are unethical (to the contrary), but with all the on-the-job pressures, many or most of which amount to quickly putting out “brush fires,” these professionals honestly do not have much time left to ponder ethical dilemmas, let alone successfully resolve them.