Those that have supported the implementation of the Federal Information Security Management Act (FISMA) of 2002 have seen a significant change and focus of information security in federal government over that past several years, including the increased attention placed on agencies through OMB policies requiring them to implement a multitude of standards and guidelines. Obviously, right out of the box, I have seen a mix of opinions from the increased cost of security, including many negative views on the reactive approach government leaders have taken to introduce new security related policies. From the perspective of a security professional, the government... Read more →
« September 2008 | Main | November 2008 »
Posts from October 2008
31 October 2008
FISMA 2008 - What is it and what will change?
Posted by Matthew Metheny on 31 October 2008 at 10:55 AM in IT Security | Permalink
|
Comments (0)
|
TrackBack (0)
28 October 2008
Cross Organizational Collaboration - Securing the World with Cooperation
We just completed an awesome conference in Taipei, so I posted some Comments on Proxy Caches and Web Application Security (OWASP Taipei) on my blog. Like many of you, we are members of multiple security-related organizations including non-profit, government, military, educational and commercial organizations. I happen to be both an (ISC)² member as well as chapter leader for (the new chapter) OWASP Thailand. Many (ISC)² members serve on myriad IT-security boards as directors and advisors. In addition, various organizations support and sponsor each other; for example, (ISC)² is an OWASP sponsor. As professionals, it is our responsibility and ethic to... Read more →
Posted by Tim Bass on 28 October 2008 at 10:25 AM in Cybersecurity Certifications, IT Security, Software Development | Permalink
|
Comments (0)
|
TrackBack (0)
24 October 2008
Information Security During Economic Uncertainty
Most of the world has been understandably shaken by the turn of events in the financial arena these past few weeks. Whatever the outcome, whenever economic uncertainty arises, information security professionals inevitably ask themselves the question: "Is my organization going to cut security budgets?" The short answer is, "They shouldn't." Fortunately, times have changed considerably since the early days of security which is now seen as an essential business requirement such as accounting and legal. It has become a business function that is as important as anything else in a 21st-century organization. It's true that there may be an initial... Read more →
Posted by (ISC)² on 24 October 2008 at 12:30 PM in Risk | Permalink
|
Comments (0)
|
TrackBack (0)
20 October 2008
Securing Software Through Professionalism
The challenge of software vulnerabilities has been discussed by many in the information security industry for several years now. Not only have there been several major breaches due to unsecured software, the costs continue to rise for those of us who have to maintain systems and constantly patch the vulnerabilities that are found. As we know, the problem is not isolated to any particular piece of software – it’s across the board, whether it’s operating systems, word processing, new media or any other application that can make enterprises open to attack. After hearing from our members and those who write... Read more →
Posted by Hord Tipton on 20 October 2008 at 02:00 PM in Cybersecurity Certifications, Software Development | Permalink
|
Comments (0)
|
TrackBack (0)
17 October 2008
Visualization for Command and Control of Cyberspace Operations
AF083-022 TITLE: Visualization for Command and Control of Cyberspace Operations TECHNOLOGY AREAS: Air Platform, Information Systems, Space Platforms, Human Systems The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), which controls the export and import of defense-related material and services. Offerors must disclose any proposed use of foreign nationals, their country of origin, and what tasks each would accomplish in the statement of work in accordance with section 3.5.b.(7) of the solicitation. OBJECTIVE: Develop visualization techniques for planning and execution of Cyberspace operations. DESCRIPTION: Fulfilling the Air Force mission “… to fly and fight... Read more →
Posted by Tim Bass on 17 October 2008 at 08:22 PM in IT Security, Software Development | Permalink
|
Comments (2)
|
TrackBack (0)
12 October 2008
Contingency planning for Information Security
Until the last few weeks, Information Security Managers the world over have been struggling along as always, doing as much as they can possibly do with often limited resources and uncertain support from the rest of management. Suddenly, inadequately controlled risks in the finance sector have triggered an economic meltdown that affects us all. It's a classic "something else happened" scenario beloved of contingency planners everywhere. Given the global financial crisis, it's likely that information security budgets (along with all others) are going to be stretched taut for a while. So what is the best way for us as information... Read more →
Posted by Gary Hinson on 12 October 2008 at 03:56 PM | Permalink
|
Comments (0)
|
TrackBack (0)
11 October 2008
DRP and BCP Step 1: Establish Communications
I have seen a number of security professionals with a lack of operational experience in disaster recover and business continunity planning address both DRP and BCP as if it was a templated, academic exercise. This is one of the worse possible approaches for DRP. So, let's make this quite simple. The most important first step that must be done in any disaster recovery situation is to establish communications. In most cases this means that you need to establish communications between people within an organization and also external to the organization. In Thailand, for example, I see many folks approaching DRP... Read more →
Posted by Tim Bass on 11 October 2008 at 07:09 AM | Permalink
|
Comments (0)
|
TrackBack (0)
10 October 2008
SSH Keys
At my previous position as a Systems Administrator, I got to experience firsthand the convenience of using SSH keys. My personal SSH key was encrypted and password protected, of course. This allowed for quick and easy authentication to systems as my user account. As long as you kept your SSH daemon up to date this was actually reasonably secure. This greatly reduces the amount of passwords you have to remember in a Unix or Linux environment which is not utilizing any kind of directory services. The second and even more useful aspect of SSH keys is from an automatic administration... Read more →
Posted by Adam Kuncewitch on 10 October 2008 at 10:25 PM | Permalink
|
Comments (0)
|
TrackBack (0)
07 October 2008
Interpreting the Law
In the never-ending battle against identity theft, a proactive event recently took place in Texas: a company was charged with improperly dumping patient records. This was discovered before any actual identity theft was reported. Per the Texas 2005 Identity Theft Enforcement and Protection Act: "A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business. A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within... Read more →
Posted by Don Franke on 07 October 2008 at 05:01 PM | Permalink
|
Comments (1)
|
TrackBack (0)
06 October 2008
PCI-DSS v1.2 - My Thoughts, Concerns & Questions
Having had the opportunity to go to the 2008 PCI-SCC meeting in Orlando this year, that just so happened to be conveniently 5 minutes down the street from my office. And having had a couple of weeks to digest the new PCI-DSS v1.2 standard, here are some of my thoughts, concerns and questions. I’m not going to go into all the minor changes or clarifications, but rather the ones I feel have the most impact to the most organizations. One of the first ones I think that jumped out to allot of us was the notes added to requirement 6.1,... Read more →
Posted by Jason Rusch, on 06 October 2008 at 02:37 PM | Permalink
|
Comments (1)
|
TrackBack (0)
Search
Categories
- (ISC)² Chapters (22)
- (ISC)² Events (159)
- Center for Cyber Safety and Education (52)
- Cloud Security (132)
- Cybersecurity Certifications (376)
- Cybersecurity Training (310)
- Cybersecurity Workforce (243)
- Digital Forensics (29)
- Ethics (52)
- Government (124)
- Insider Risk (56)
- IT Security (374)
- Legal (45)
- Malware (113)
- Network Security (176)
- Operations Security (141)
- Privacy (116)
- Ransomware (84)
- Risk (197)
- Software Development (44)
- Spotlight (71)