Archive for August, 2008

What Do Managers Really Need to Know about Technology? – Part 1

In a blog entry nearly one year ago I argued that although technology is an important part of information security, technology should not drive information security. Furthermore, information security managers should be business-savvy. I now fear that some readers will interpret what I have said as a carte blanche for being unaware of technology, something that was not my intention at all.

Yesterday afternoon I finished teaching a course on information security management. The course covers traditional information security management topics such as policy, standards, procedures, compliance, incident handling, protection of intellectual property, and much more. But a significant portion of the course also covers technical issues such as intrusion detection and prevention, penetration testing, cryptography, and network protocols. The coverage of technical topics is not deep, but it is deep enough to be somewhat challenging for most attendees. Their reactions indicated that (very understandably) they were considerably more comfortable with the traditional topics than they were with the more technical topics.


Human Factors in Information Security – Part 5

I’ve written quite a few blog entries on human factors in information security because this highly important area is paradoxically one of the most overlooked ones in the entire information security arena. I’ve described many of the problems that lack of attention to usability engineering has caused and have called for a much greater emphasis on usability considerations in information security technology and procedures. I’d like to close this series with a discussion of some of the most important basic principles of human factors/usability engineering.


Human Factors in Information Security – Part 4

User resistance in the information security arena (let alone the entire IT arena) is ubiquitous. I remember well a situation not all that many years ago in which a fairly large company was switching from conventional password-based authentication to hardware token-based authentication. The implementation was carefully phased. A relatively small proportion of users had to switch to the new type of authentication at each designated time interval; non-mandatory meetings in which the new authentication procedures were thoroughly explained were held at each of this company’s facilities; an easy-to-access Web site explained these procedures simply and step-by-step; and the help desk staff was alerted to potential problems that users might experience and told how to solve them. Despite the impressive work done by the information security department and also numerous IT staff, a surprisingly large number of user complaints ensued.


Making Identity Management Work in Your Organization

ISSA Journal – August 2008
By E. Eugene Schultz – ISSA member, Los Angeles, CA, USA chapter

This paper describes some of the most significant considerations regarding planning for and implementing identity technology solutions and presents recommendations for approaches and strategies if an identity management effort is to succeed.

Identity management is a wide-ranging administrative area concerned with identifying individuals needing to access systems or applications, controlling user access to system and information resources by assigning user rights in connection with each user identity, and auditing every access to every resource to ensure user accountability. Identity management systems (IDMSs) automate identity management functions such as password reset, password synchronization, single sign-on functionality, access management, provisioning (e.g., for expired passwords), portal services that provide a common, convenient way for users to access applications and other resources, and centralized audit functionality.


Craziness in the Courtroom

I’ve been told many times that legal rulings do not necessarily correspond to common sense. A decision by a lower court in California proves just how true this is. In Bunnell versus the Motion Picture Association of America, Rob Anderson was accused of violating the 1968 Wiretap Act after he intruded into a server owned by Valence Media and configured it to forward email messages to his Gmail account. He then collected them and gave them to the Motion Picture Association of America (MPAA), which wanted to obtain evidence concerning the file sharing services that this company offers. The MPAA paid Anderson USD 15,000 for his services.


TSA Laptop Missing: Lessons Learned

By now you’ve probably heard of the missing laptop at the San Francisco International Airport. The fact that a laptop turned up missing at an airport is hardly newsworthy; what is significant about this particular laptop is that it was lost by a Transportation Security Administration (TSA) contractor, Verified Identity Pass. Information, including names, addresses, and birth dates, and in some cases driver’s license, green card numbers, and passport information pertaining to approximately 33,000 individuals enrolled in the Clear program (a program designed to accelerate getting through airport security), was on this computer. Fortunately, no Social Security numbers or digital fingerprint data were stored on the missing computer. However, the data were not encrypted; they were protected only by passwords.
