We all see in the mass media every day that software is vulnerable and that this is bad. But, few know what is happening behind the scene, until the news get out. There are two ways to disclosure a vulnerability: the most common one is to make a “full disclosure”, but there is also the “limited disclosure”. A full disclosure means that the details of a security vulnerability are disclosed to the large public, including details of the vulnerability and how to detect and exploit it. [Wikipedia] A limited disclosure is an alternative approach where full details of the vulnerability... Read more →
49 posts categorized "Ethics"
14 January 2013
Vulnerability disclosure: a new business model?
Posted by Sorin Mustaca on 14 January 2013 at 10:43 AM in Ethics | Permalink
|
Comments (1)
03 September 2012
Another eruption East of Java
Do you trust Oracle to do better from now on? Do you need Java anyway? If enough ... apps and services ... reconsider their dependence on an unpopular service, and then Oracle will really have a problem. [But] responsible disclosure demands responsible (and responsive) remediation. Read more →
Posted by David Harley on 03 September 2012 at 05:57 AM in Ethics, IT Security | Permalink
|
Comments (0)
09 August 2012
Social engineering trumps Wal-Mart customer service
This year's social engineering 'capture the flag' competition at the DefCon hackers' conference was won by a contestant who does social engineering for a living. In the course of a 20 minute phone call, he successfully fooled a Wal Mart employee into revealing all the pieces of information he was after, even getting him to visit a website to 'complete a survey'. Read about the con here. Aside from the Wal Mart story itself, the comments on the CNN article are just as telling. Even allowing for the fact that only certain people were inspired enough to want to read... Read more →
Posted by Gary Hinson on 09 August 2012 at 03:46 PM in Cybersecurity Training, Ethics, Risk | Permalink
|
Comments (2)
18 May 2012
Bullet-proofing messengers
OPINION: A troubling article in Forbes raises concerns about how society takes care of those who raise legitimate, well-founded concerns about their employers. Aside from the specific legal decision in this particular case, there is a wider issue about protecting whistleblowers from retribution. If a whistleblowing employee makes allegations of serious impropriety by his employer, and those allegations are upheld, is it reasonable for him/her to insist on remaining employed by the organization? A few enlightened managements might swallow their pride and allow the whistleblowing employee to carry on normally in employment but I strongly suspect that in most cases... Read more →
Posted by Gary Hinson on 18 May 2012 at 07:19 PM in Ethics, Insider Risk, Legal | Permalink
|
Comments (0)
14 May 2012
Dotted lines in shifting sands
An opinion piece regarding a possible US law change raises fascinating ethical questions about privacy rights. Whereas employers have some interest in what their employees are saying and doing in their personal/non-work time, employees also have reasonable expectations of privacy concerning their private lives: OPINION: On the battlefield of the Internet, the Privacy Platoon struck a clanging blow against the Transparency Brigade last week, when two members of Congress introduced the Social Networking Online Protection Act. The bill would bar employers from demanding job applicants' Facebook passwords - which recently has become an issue: The ACLU's Maryland branch championed the... Read more →
Posted by Gary Hinson on 14 May 2012 at 06:02 PM in Ethics, Insider Risk, Legal, Privacy | Permalink
|
Comments (0)
13 January 2012
2012: Redefining United States Cyber Security: Taking a Holistic View and Machiavellian Approach, part 1
By: Larry P. Bunch CISSP, CEH http://mysite.verizon.net/vze18ez5m/id3.html Twitter: https://twitter.com/#!/bunchlarryp Preface This article was originally intended to be a light reading OP/ED piece. However, it has slowly evolved into a hybrid OP/ED – Whitepaper dealing with Cyber Intelligence and Network Security. The opinions in this article do not represent the United States government or my employer (VortechX LLC.). This article is intended to generate discussion, collaboration, and interaction within the Intelligence and Network Defense communities of both the Public and Private sectors of the United States. The ideas and recommendations presented here reflect only my own opinions and may NOT be... Read more →
Posted by LPBunch on 13 January 2012 at 04:07 PM in Ethics, IT Security, Malware, Network Security, Operations Security | Permalink
|
Comments (7)
29 November 2011
Applying Newton's third law to information security
Simply banning stuff (such as using social media at work) through management edict or policy can be counterproductive for security if employees react by circumventing the ban. I argue that effective security awareness using motivation and persuasion is a far more effective technique. Read more →
Posted by Gary Hinson on 29 November 2011 at 05:01 PM in Cybersecurity Training, Ethics, Insider Risk, Risk | Permalink
|
Comments (1)
10 September 2011
(ISC)2 board candidates
I'm not 100% au fait with ISC2's board election process but as I understand it the sitting board proposes a bunch of candidates, while the general membership can propose their own "independent candidates" as well. If you aren't into nepotism and fancy the idea of fresh faces at the top table, you might like to consider supporting some of the independents who need endorsement from at least 500 members in order to qualify and get their names onto the ballot papers. I'm aware of the following five independents so far: Tadd Axon email: isc2bodpetition@tadda.org website: https://sites.google.com/a/tadda.org/isc2petition/ Seth Hardy email: shardy@asymptotic.ca... Read more →
Posted by Gary Hinson on 10 September 2011 at 08:38 PM in Cybersecurity Certifications, Ethics | Permalink
|
Comments (1)
16 August 2011
(Intellectual) Property is Theft?
Laws tend to adjust slowly to social and technological trends, especially trends that change with the dramatic speed that modern IT allows. Read more →
Posted by David Harley on 16 August 2011 at 07:31 AM in Ethics | Permalink
|
Comments (3)
31 January 2011
We are living on strange "Cyberwar times"
In the after-crisis of the Stuxnet worm, Governments around the world are mobilizing to be better prepared against CyberThreats and CyberWar. It's becoming clear, more and more that groups pf individuals with a lot of knowledge, time and motivation can do harm against economies, healthcare, utilities and other systems, being responsible (who knows?) for the collapse of a country. We already had, in the past, cases of well succeeded CyberAttacks that collapsed a country information structure and paralyzed it for a while. We can remember of: 2007 CyberAttakcs on Estonia 2007 CyberAttacks against Syria Radar Infrastructure 2008 CyberAttacks on Georgia... Read more →
Posted by Alexandre Cezar on 31 January 2011 at 01:37 PM in Ethics, Network Security, Operations Security, Privacy | Permalink
|
Comments (0)
24 January 2011
Pragmatic ethics
Is it ethically acceptable for workers to pinch the odd pencil or Post-It note from work, or is this just the thin end of the wedge that leads to fraud, theft, corruption, Enron and Global Economic Meltdown? It's a tricky issue when you factor in the difficulties of writing and enforcing corporate policies on ethics, the effects these have on the workforce, and the prospect of tacitly or even formally endorsing unethical and perhaps illegal behaviours through weak policies and lax attitudes towards compliance. It's also a cultural issue, which makes it fuzzy and complex both to characterise and even... Read more →
Posted by Gary Hinson on 24 January 2011 at 05:20 PM in Ethics, Insider Risk, Legal, Risk | Permalink
|
Comments (2)
05 May 2010
Patent Absurdity
Patents are generally held to be granted on devices, or inventions. In recent years, United States patents have been granted on processes, and even software. "Patent Absurdity" is a half hour video outlining the dangers and difficulties surrounding the granting of software patents. The interviews take place around the "Bilski" case appeal before the Supreme Court. (The "Bilski" case decision is generally held to strike down software patents, but is still the subject of a good deal of debate.) Read more →
Posted by Rob Slade on 05 May 2010 at 12:26 AM in Cybersecurity Training, Ethics, Legal, Risk | Permalink
|
Comments (0)
29 January 2010
Ethics (Kabay)
Fairly standard articles and slide decks on ethics. Read more →
Posted by Rob Slade on 29 January 2010 at 02:34 PM in Cybersecurity Training, Ethics | Permalink
|
Comments (0)
26 January 2010
Shariah and Cybercrime
From the International Journal of Cyber Criminology, "Shariah Law and Cyber-Sectarian Conflict: How can Islamic Criminal Law respond to cyber crime?" This paper looks at the concepts in Islamic Shariah law that relate to specifically computer or information system related crimes. The paper is possibly not a complete examination, but is not hopeful as regards the ability to criminalize cybercrime. Also available as PDF. Read more →
Posted by Rob Slade on 26 January 2010 at 12:57 PM in Cybersecurity Training, Ethics, Legal | Permalink
|
Comments (0)
15 November 2009
Psych and sec
Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more. Read more →
Posted by Rob Slade on 15 November 2009 at 02:38 AM in Cybersecurity Training, Ethics, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
22 August 2009
Should the CISSP CBK be improved to place greater emphasis on “human factors” in information security? Definitely Yes!
Should the CISSP CBK be expanded to cover "human factors" in security? [1] Add “Human Factors” No.[2] Clearly, human factors are a major component to information security and Gary Hinson presents effective arguments that they should be established as an additional domain. On the other hand, Rob Slade makes an effective argument that the human factors are a significant component of each of the current ten domains primarily based on his experience teaching the CBK® to CISSP® aspirants for (ISC)²®. In full disclosure, I also teach the CBK® to CISSP® aspirants, but not for (ISC)²®, but at a local college.... Read more →
Posted by Bob Johnston on 22 August 2009 at 05:56 PM in Cybersecurity Certifications, Cybersecurity Training, Digital Forensics, Ethics, IT Security, Legal, Network Security, Operations Security, Privacy, Risk, Software Development | Permalink
|
Comments (1)
|
TrackBack (0)
10 August 2009
Add "human factors"? No.
OK, Gary has asked if the CISSP CBK should be expanded to cover "human factors" in security? And I answer "No." With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security. Nothing could be further from the truth. I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it. What I disagree with is the question. The CBK already addresses... Read more →
Posted by Rob Slade on 10 August 2009 at 10:04 PM in Cybersecurity Certifications, Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy, Risk | Permalink
|
Comments (2)
|
TrackBack (0)
20 July 2009
Guidelines for social media
A useful collection of links to guidelines for the use of social networking media and systems. Read more →
Posted by Rob Slade on 20 July 2009 at 08:34 PM in Cybersecurity Training, Ethics, IT Security, Privacy | Permalink
|
Comments (1)
|
TrackBack (0)
18 July 2009
Moral code experiments
A very interesting presentation and intriguing research into moral behaviour. The culminating point is that we need to test and experiment with morality, since we seem to have many incorrect notions about it. Read more →
Posted by Rob Slade on 18 July 2009 at 05:43 PM in Cybersecurity Training, Ethics, Insider Risk, Risk | Permalink
|
Comments (0)
|
TrackBack (0)
11 July 2009
Are policies mandatory and guidelines optional?
Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain. For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree. Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions... Read more →
Posted by Gary Hinson on 11 July 2009 at 05:47 PM in Ethics, Insider Risk, Legal | Permalink
|
Comments (1)
|
TrackBack (0)
Search
Categories
- (ISC)² Chapters (20)
- (ISC)² Events (124)
- Center for Cyber Safety and Education (50)
- Cloud Security (119)
- Cybersecurity Certifications (344)
- Cybersecurity Training (293)
- Cybersecurity Workforce (183)
- Digital Forensics (27)
- Ethics (49)
- Government (94)
- Insider Risk (54)
- IT Security (352)
- Legal (41)
- Malware (95)
- Network Security (157)
- Operations Security (125)
- Privacy (96)
- Ransomware (49)
- Risk (162)
- Software Development (41)
- Spotlight (65)