Archive for September, 2008

Security Risks in Social Networking Sites

Social networking has in just a few years grown beyond all imagination, with MySpace and Facebook leading the way. Social networking sites enable their users to connect with friends and peers in ways never before possible, and enable them through postings and blog entries to promote their positive attributes and assert their individuality. The number and variety of social networking sites today is mind boggling, but experts tell us that the social networking as it currently exists is only the tip of the iceberg.


Adjusting to Budget Shortfalls in Hard Economic Times

The fact that the US as well as much of the rest of the world is undergoing a recession is hardly a secret. This recession has had a great impact upon organizational budgets, often resulting in deep spending cuts. Not surprisingly, information security practices have not been spared from such cuts; security control-related projects that were to be initiated this calendar year have increasingly been put on hold, and reductions in the number of information security staff have been commonplace.

Given how heavily information security practices depend on the availability of personnel and financial resources, the negative impact of reducing those resources is potentially severe. What can security practices do to attempt to provide the needed level of business process assurance and data protection despite a reduction in resources?


SCADA Vendors and Security: It’s Time for Improvement

I recently read with dismay a news story that said that exploit code for a well-known vulnerability in CitectSCADA software has been posted to the Internet. This code’s author said that his motivation was to stir up greater awareness of vulnerabilities in SCADA (Supervisory Control and Data Acquisition) systems because SCADA vendors are not being sufficiently responsible in fixing these vulnerabilities. The vulnerability in question became public knowledge approximately three months ago, and at the same time a patch became available.


Goodbye FISMA (As We Know it)

I have already shared some of my views on the Federal Information Systems Management Act (FISMA) in previous blog entries. This statute was passed with the intention of creating a broad framework for safeguarding government information and computing operations against security threats. Signed into law as part of the Electronic Government Act of 2002, FISMA mandates that government officials perform yearly reviews of information security programs to mitigate risk to an acceptable level, or in some cases even lower.


Politics and the Practice of Information Security

Given the time of the year in the US, you might be tempted to think that I am writing about politics—Republicans versus Democrats, conservatives versus liberals, and the like. But what I am writing about instead is on-the-job politics—the maneuvering, posturing, and too frequently undermining that almost invariably produces a zero sum outcome. Whether we like it or not, politics are a reality in most work environments; those who pay little or no attention to them or play them wrong generally reap negative consequences ranging from being the “odd man out” to receiving the full fury of a powerful, antagonistic political alliance.


Misinformation Communicated by Conference Speakers

I just attended another information security conference. Normally when I attend a conference, I give a presentation and then leave shortly afterwards to hurry back to the High Tower office. This time, however, I had the luxury of being able to take in a number of presentations. Although some of them were truly outstanding, what speakers said in two of these sessions struck me terribly wrong.

In one session, a person who described himself as a forensics expert made some reasonably good points. I would in fact have considered his talk to be above average until he started answering questions from the audience. Someone asked him if he had ever had to decrypt file content in the course of a forensics investigation.


What Do Managers Really Need to Know about Technology? – Part 2

In my previous blog entry I argued that to be effective, information security managers need to have at least a high-level knowledge of information security technology. I also suggested some technology areas that would be especially good to know. At the same time, it is important to be aware not only of current information security technology, but also of information security technology that is likely to emerge and become important in the future.


Schneier’s Unbelievable Quote about Iraqi Hackers

Late last week I noticed an article, “Hackers attack Iraq vulnerable to cybercrime,” in USA Today. The article said that the Iraqi government has increasingly been using computers, but these computers are not very well protected because protection is simply not a very high priority at this particular point in time. Consequently, a number of Iraqi hackers are breaking into Iraqi government computing systems, despite the fact that American cybersecurity companies have been hired to harden many of these systems. The article went on to say that hackers have gained access to a considerable amount of sensitive information, including email messages and addresses of a large number of security officers who work for various ministries within Iraq (e.g., the Ministry of the Interior and the Ministry of Electricity and Communications). Several Iraqi banks have also fallen prey to such attacks. One hacker has repeatedly defaced Iraqi government Web sites, leaving derogatory messages aimed at US President Bush in addition to messages that call for the US to withdraw from Iraq.
