« April 2008 | Main | June 2008 »

Posts from May 2008

30 May 2008

FISMA – Is Something Missing?

Since its inception into law, the Federal Information Security Management Act of 2002 (FISMA) has faced many challenges, both through establishing itself in the federal landscape, and developing the necessary framework for applying the principles into practice. Although FISMA has been in existence for 5-years, many would say that security has only shown limited improvement, while others would stand by its success. Those familiar with FISMA have experienced the uncertainty of the initial implementations, and identified with some key improvements brought about through the increased visibility of security. FISMA has now made security a mandated priority, whereas, prior to its... Read more →

Posted by on 30 May 2008 at 10:57 AM in Government , IT Security | | Comments (2)

| |

On the Internet, No-one Knows you're a Hog...

At the Innovation Edge Conference in London recently, Tim Berners-Lee, often credited as the "father" of the Web, made the point that information overload, not to mention downright misinformation on the internet, compromises its usefulness as a tool for information and research (or, you might argue, for social interaction in general). While this probably isn't news to anyone involved in information security, the views of a major player and pioneer are always worth listening to. One point that was raised very briefly was the "incivility" so common in the blogosphere, and it would have been interesting if that issue had... Read more →

Posted by on 30 May 2008 at 09:46 AM in IT Security, Privacy | | Comments (0) | TrackBack (0)

| |

Dare We Outsource Trust?

Many organizations are moving toward the software as a service (SaaS) model. This allows an organization to focus on its core business as opposed to the information technology aspects. This can provide efficiency for a resource constrained organization, but it does not come without risk. Outsourcing services is in vogue. As technology continues to push the envelope of complexity outsourcing will most likely increase as well. Although a service can be outsourced, trust should not. An organization should establish the basis for trust through the vendor agreement. The contract for the SaaS is a critical part of the outsourcing process.... Read more →

Posted by on 30 May 2008 at 08:00 AM in Risk | | Comments (1) | TrackBack (0)

| |

29 May 2008

Reducing Risk Versus Eliminating Risk

IT security professionals are sometimes so passionate about the technical details of a vulnerability that they accidentally lose sight of the benefits of the principles of risk management. Sometimes the passion of discussing the details of a vulnerability overshadow the cost-benefits of risk reduction when passionate people strive for total risk elimination. For example, consider the example of using an SMS-based based implementation for two-factor authentication (2FA) with one-time password (OTP) combined with a transaction verification message (TVM). There are folks who rightfully argue that 2FA/OTP is vulnerable to a knowledgeable threat agent executing a man-in-the-middle (MITM) attack. One of... Read more →

Posted by on 29 May 2008 at 02:22 PM in IT Security, Risk | | Comments (1) | TrackBack (0)

| |

Using Deep Packet Inspection

Large companies are now starting to evaluate deep packet inspection technologies for several different purposes and a lot of questions are being made for network/security professionals about this technology. Let's talk about some of these questions: First: What is Deep Packet Inspection? Deep packet inspection (DPI) is a form of packet analysis that examines the entire payload of a packet (sometimes at wirespeed) searching for non-protocol compliance, viruses, spam, intrusions, applications (P2P programs using well known ports like port 80 per example) to decide if the packet can pass or if it needs to be routed/rated/blocked, or for the purpose... Read more →

Posted by on 29 May 2008 at 08:54 AM in IT Security | | Comments (0) | TrackBack (0)

| |

28 May 2008

A Matter of Integrity

Protecting information confidentiality, integrity, and availability is the mantra of the modern information system security professional. We know this as the CIA Triad. It is surprising to me that we don’t seem to fully support all three of these security services. Confidentiality is clearly important. We want to protect our assets from exposures. We exclaim the need for encryption and access control to prevent unauthorized access to sensitive information. We also understand the need for availability. A system which is unplugged, encased in concrete and stored in a vault might be secure, but it is not very useable or available.... Read more →

Posted by on 28 May 2008 at 03:08 PM in IT Security | | Comments (0) | TrackBack (0)

| |

Wikipedia: Trust but Verify

Security professionals are, almost by definition, inclined to be skeptical (not to say paranoid) by nature, and among the least likely to say without irony "It must be true, I read it on Wikipedia!" Those of us who specialize in anti-malware research not only share these traits, but are also accustomed to being considered incompetent or downright crooked, not to mention the still widely-held belief that we write all the viruses. (I considered what I think are some of the reasons for all that in an article for Virus Bulletin a couple of years ago, by the way.) So it's... Read more →

Posted by on 28 May 2008 at 03:04 PM in Malware | | Comments (0) | TrackBack (0)

| |

27 May 2008

What Is Measuring Security Improvements?

“How does security improve your organization?” The answer to this one question will more than likely vary drastically between the responder’s role in the organization. Even as security practitioners, we may also have varying differences to our answer of this question based on factors influenced by our own experience and education. The struggle for many in the field of information security relates to finding the best vehicle to communicate effectively to management and stakeholders the value security brings to the organization, and how it delivers real return on investment (especially in environments where security is more or less mandated, rather... Read more →

Posted by on 27 May 2008 at 04:59 PM in IT Security | | Comments (0) | TrackBack (0)

| |

CISSP mythology

Over on Security-Basics, one of the SecurityFocus mailing lists, a question about security certifications and their value in the job market has part-resurrected a long-running debate about the value of "paper" qualifications in security compared to that of "solid experience". I say part-resurrected because so far, no-one has come out on this occasion to say that certifications like CISSP or an appropriate degree are worth the paper they're written on. Including me, I'm afraid. Having done so several times before without making a dent in the prejudices of the anti-certification lobby, I thought it might be more useful (and more... Read more →

Posted by on 27 May 2008 at 11:44 AM in Cybersecurity Certifications | | Comments (2) | TrackBack (0)

| |

23 May 2008

Hello, good evening, and welcome...

Not to the (ISC)² blog, of course, which has been here for quite a few months now, but to my own tiny corner of it. Not that I'm particularly new to blogging: in fact, I'm one of the fortunate few who not only get to hold forth on their current obsessions on their own blog pages or in the company of others who share their interests, but are also paid to blog on behalf of their employer (though they do expect me to do quite a few other things, too!) And there are a couple of key concepts there: "obsession"... Read more →

Posted by on 23 May 2008 at 02:59 PM | | Comments (0) | TrackBack (0)

| |

Cybersecurity in the Fifth Dimension

In the past, we viewed military operations from just four domains, land, air, sea and space. Today, there is another dimension that is just as real, and just as tangible, as those traditional "natural" domains, cyberspace. This domain of operations is just as critical to understand, protect and secure as our land, air, sea and outer space regions, making our mission as CISSPs more important than ever. Illustrating this important shift in traditional thinking, the United States Air Force (USAF) is building a new major command responsible for cyberspace operations, scheduled for initial operations capabilities by October 1st, 2008. This... Read more →

Posted by on 23 May 2008 at 10:23 AM in IT Security | | Comments (0) | TrackBack (0)

| |

22 May 2008

Combating Spyware and Adware with Defense in Depth

I have worked in several environments of various sizes and security postures. One of the biggest threats I see in any of these environments when it comes to workstations is Adware and Spyware infections. Once infected systems either can become unusable due to resource hogging adware software, or proprietary data can be stolen from the system. The creators of these threats are always one step ahead of vendor patches, it seems. These days it's not enough just to have real-time malicious code scanning on your workstations. However, there are ways to combat this insidious threat. First of all, a sensible... Read more →

Posted by on 22 May 2008 at 10:45 AM in IT Security | | Comments (2) | TrackBack (0)

| |

18 May 2008

Risk paralysis

One of the zombie threads on CISSPforum (i.e. one of those discussions that seems to die off ... but then a few weeks later comes back from the dead to haunt us all over again) is about quantitative versus qualitative risk analysis. Members of CISSPforum typically fall into one or other camp and the discussions, while interesting and passionate, always seem to generate more heat than light in a security geek's version of religious war. While fans of quantitative methods point out the need for data to support assertions about information security risks with "facts", the qualitatives point out the... Read more →

Posted by on 18 May 2008 at 10:11 PM in Risk | | Comments (0) | TrackBack (0)

| |

13 May 2008

How did you learn your trade?

A study examined course descriptions on UK university websites to determine the amount of IT security content in undergraduate IT courses: "The vast majority of UK computing students receive virtually no security training when it comes to designing and developing new software applications, according to government funded research. Less than 20 per cent of all computing undergraduates in the UK receive more than five hours training in incorporating security functionality over the three to four year duration of their course. This was according to research by the Cyber Security Knowledge Transfer Network(KTN), which was created in 2006 by the government's... Read more →

Posted by on 13 May 2008 at 06:36 PM in Cybersecurity Certifications, Cybersecurity Training, IT Security, Software Development | | Comments (3) | TrackBack (0)

| |

10 May 2008

Using information security surveys

The latest Information Security Breaches Survey released last month by PwC (Pricewaterhouse Coopers) and BERR (the UK govenment department for Business Enterprise & Regulatory Reform, formerly known as the DTI Department of Trade & Industry) provides a wealth of statistical information and commentary on the current state of the information security art in the UK. Other similar surveys, most of which are acknowledged in the PwC/BERR one, include: The Information Security Forum survey of its members, benchmarking them against each other, the ISF Standard of Good Practice plus standards such as ISO27k and COBIT; The Global State of Security Survey,... Read more →

Posted by on 10 May 2008 at 08:20 PM in Cybersecurity Training, IT Security, Risk | | Comments (0) | TrackBack (0)

| |

08 May 2008

Welcome to the (ISC)² Blog!

I’m Howard A. Schmidt. Let me personally welcome you to the (ISC)2 blog. The purpose of the (ISC)2 blog is to provide ideas and discussion on the latest information security trends from the perspective of several security veterans from around the world, including me. The goal is that we all come away more knowledgeable – or at least with another perspective on the issues – than we did before, and maybe have some fun and good discussion along the way. For me personally, I’ve always struggled to find time to write for a blog, at the same time knowing full... Read more →

Posted by on 08 May 2008 at 11:29 AM in Cybersecurity Certifications | | Comments (4) | TrackBack (0)

| |

07 May 2008

Legal & regulatory compliance = risk management?

Today I've been browsing the good stuff going on over at Unified Compliance Project whose aim, as I understand it, is essentially to help organizations find and exploit alignments between various compliance requirements, eliminating duplication and hence reducing the total amount of compliance effort required. For example, implementing an ISO/IEC 27001-compliant Information Security Management System (ISMS) should simultaneously satisfy most if not all legal requirements for information privacy controls (with no additional effort), and should at least partially satisfy governance requirements arising from SOX, in addition to miscellaneous business benefits as a result of having a best practice ISMS. One... Read more →

Posted by on 07 May 2008 at 03:02 AM in Risk | | Comments (7) | TrackBack (0)

| |

01 May 2008

Social networking application insecurity

The BBC's Click program reports how easy it is to create and distribute malware through FaceBook. Evidently, FaceBook users can set up and share applications. This capability is intended to encourage them to share benign utilities, games etc. I expect you can see where this is going ... If so minded, users can write and share applications that access supposedly private information on the users' profiles, and send it out by email or whatever. Handy for budding identity thieves. Not so handy for FaceBook users who care about their privacy although, to be fair, why would anyone genuinely concerned about... Read more →

Posted by on 01 May 2008 at 04:20 PM | | Comments (0) | TrackBack (0)

| |