38 posts categorized "Ethics"

05 May 2010

Patent Absurdity

Patents are generally held to be granted on devices, or inventions. In recent years, United States patents have been granted on processes, and even software. "Patent Absurdity" is a half hour video outlining the dangers and difficulties surrounding the granting of software patents. The interviews take place around the "Bilski" case appeal before the Supreme Court. (The "Bilski" case decision is generally held to strike down software patents, but is still the subject of a good deal of debate.) Read more →

Posted by on 05 May 2010 at 12:26 AM in Cybersecurity Training, Ethics, Legal, Risk | | Comments (0)

| |

29 January 2010

Ethics (Kabay)

Fairly standard articles and slide decks on ethics. Read more →

Posted by on 29 January 2010 at 02:34 PM in Cybersecurity Training, Ethics | | Comments (0)

| |

26 January 2010

Shariah and Cybercrime

From the International Journal of Cyber Criminology, "Shariah Law and Cyber-Sectarian Conflict: How can Islamic Criminal Law respond to cyber crime?" This paper looks at the concepts in Islamic Shariah law that relate to specifically computer or information system related crimes. The paper is possibly not a complete examination, but is not hopeful as regards the ability to criminalize cybercrime. Also available as PDF. Read more →

Posted by on 26 January 2010 at 12:57 PM in Cybersecurity Training, Ethics, Legal | | Comments (0)

| |

15 November 2009

Psych and sec

Ross Anderson has put together a great page of links about psychological factors in security. Quite a few resources and papers on deception and social engineering, usability, risk calculations, economics, and more. Read more →

Posted by on 15 November 2009 at 02:38 AM in Cybersecurity Training, Ethics, Risk | | Comments (0) | TrackBack (0)

| |

22 August 2009

Should the CISSP CBK be improved to place greater emphasis on “human factors” in information security? Definitely Yes!

Should the CISSP CBK be expanded to cover "human factors" in security? [1] Add “Human Factors” No.[2] Clearly, human factors are a major component to information security and Gary Hinson presents effective arguments that they should be established as an additional domain. On the other hand, Rob Slade makes an effective argument that the human factors are a significant component of each of the current ten domains primarily based on his experience teaching the CBK® to CISSP® aspirants for (ISC)²®. In full disclosure, I also teach the CBK® to CISSP® aspirants, but not for (ISC)²®, but at a local college.... Read more →

Posted by on 22 August 2009 at 05:56 PM in Cybersecurity Certifications, Cybersecurity Training, Digital Forensics, Ethics, IT Security, Legal, Network Security, Operations Security, Privacy, Risk, Software Development | | Comments (1) | TrackBack (0)

| |

10 August 2009

Add "human factors"? No.

OK, Gary has asked if the CISSP CBK should be expanded to cover "human factors" in security? And I answer "No." With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security. Nothing could be further from the truth. I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it. What I disagree with is the question. The CBK already addresses... Read more →

Posted by on 10 August 2009 at 10:04 PM in Cybersecurity Certifications, Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy, Risk | | Comments (2) | TrackBack (0)

| |

20 July 2009

Guidelines for social media

A useful collection of links to guidelines for the use of social networking media and systems. Read more →

Posted by on 20 July 2009 at 08:34 PM in Cybersecurity Training, Ethics, IT Security, Privacy | | Comments (1) | TrackBack (0)

| |

18 July 2009

Moral code experiments

A very interesting presentation and intriguing research into moral behaviour. The culminating point is that we need to test and experiment with morality, since we seem to have many incorrect notions about it. Read more →

Posted by on 18 July 2009 at 05:43 PM in Cybersecurity Training, Ethics, Insider Risk, Risk | | Comments (0) | TrackBack (0)

| |

11 July 2009

Are policies mandatory and guidelines optional?

Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain. For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree. Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions... Read more →

Posted by on 11 July 2009 at 05:47 PM in Ethics, Insider Risk, Legal | | Comments (1) | TrackBack (0)

| |

08 July 2009

Primary Lessons Learned from the TSA Laptop Mess (Part 2)

A couple of weeks ago, I read about the demise of the Verified Identity Pass, Inc.'s Fly Clear program. This was a program working with TSA on the Registered Traveler service. Back in August 2008, I wrote how VIP and TSA had no accountability for losing a laptop with personal information of over 33,000 applicants. There is an additional lesson to be learned on top those from of my original article. If the public can't trust you with their personal information, they are not going to buy your product or service in the long run. That's why you need security... Read more →

Posted by on 08 July 2009 at 03:49 PM in Ethics, IT Security, Privacy | | Comments (2) | TrackBack (0)

| |

09 June 2009

Don't Sue Me, Sue the Auditor

The recent Wired article In Legal First, Data-Breach Suit Targets Auditor discusses how a credit card company is suing the company that performed their security audit. The problem is that the credit card company was told that it was CISP (Cardholder Information Security Program) compliant, when it really wasn't. Per visa.com, "CISP is intended to protect Visa cardholder data–wherever it resides–ensuring that members, merchants, and service providers maintain the highest information security standard" (CISP has since been replaced by the PCI (Payment Card Industry) standard.) The lawsuit was triggered by the theft of 263,000 card numbers from the credit card... Read more →

Posted by on 09 June 2009 at 12:16 PM in Cybersecurity Certifications, Ethics | | Comments (0) | TrackBack (0)

| |

18 April 2009

Proceeds of crime

The Supreme Court of Canada has struck down a challenge to a provincial law enabling seizure of proceeds of crime. Under the provincial law, proceeds could be seized under a civil action, without a conviction for a crime having taken place. A report appeared in the Vancouver Sun. The challenge appears to have stressed the jurisdictional issues. (In Canada, criminal law is a matter for the federal government: the provinces do not make their own criminal laws.) However, there is also the matter of burden of proof. Under criminal law (under a Common Law system, at any rate), the charge... Read more →

Posted by on 18 April 2009 at 11:25 PM in Cybersecurity Training, Ethics, Legal, Privacy, Risk | | Comments (0) | TrackBack (0)

| |

14 March 2009

The BBC's Botnet

Having devoted much of the past few days to blogging on the topic of the BBC's venture into criminal botherding, and a small portion of my weekend to watching its controversial Click programme, as well as to reading the BBC's own responses to some of the comments from the security industry and others, I'd like to make one or two points here. It's clear from viewing the whole programme (which some of you at least can do online, if you haven't yet had the opportunity) that the BBC paid several thousand dollars for the control of a botnet comprised of... Read more →

Posted by on 14 March 2009 at 11:24 AM in Ethics | | Comments (3) | TrackBack (0)

| |

01 March 2009

You Oughta Know Better!

In a report today from MSNBC titled, Report: Obama helicopter security breached, the blueprints and other information relating to Marine One, the Presidential helicopter, were found linked to an Iranian IP address. The report states that a defense contractor downloaded a peer-to-peer (P2P) application the "SAME SYSTEM" that contained the information regarding Marine One. We all make mistakes, but this one is a big one. We all oughta know that you treat systems with sensitive information as systems with sensitive information. This means that you do not install P2P applications from the Internet on a classified system or you do... Read more →

Posted by on 01 March 2009 at 11:47 PM in Ethics, Insider Risk, IT Security, Malware, Network Security, Operations Security, Risk | | Comments (0) | TrackBack (0)

| |

28 February 2009

Ethical Dilema

You are at the practice for your child's sports team. You strike up a conversation with the manager of the sports organization. He is complaining that his company's PCs are on the fritz: running slower and slower, some programs don't work anymore, one crashed altogether. You say that this may be due to a virus or malware, and that you can take a look. He refuses politely, saying his PCs are managed under a contract with a vendor; they are the only one who can do maintenance under the agreement. You push back, saying it might be a security problem,... Read more →

Posted by on 28 February 2009 at 07:03 PM in Ethics, IT Security | | Comments (2) | TrackBack (0)

| |

27 February 2009

Revising Enterprise Telework and Remote Access

NIST (National Institute of Standards and Technology) recently updated their guidance for Enterprise Telework and Remote Access Security, DRAFT NIST SP800-46 Rev.1. As many are aware, security professionals are constantly considering the security ramifications of employees accessing the corporate network from home and other insecure locations. This includes the use of home systems to connect to the network, corporate laptops from remote locations and the potential of infected mass storage device. This special publication is and update from the previous special publication - SP800-46, Security for Telecommuting and Broadband Communications intended to help organizations understand and mitigate the risks of... Read more →

Posted by on 27 February 2009 at 07:24 PM in Ethics, Insider Risk, IT Security, Malware, Network Security, Operations Security, Risk | | Comments (0) | TrackBack (0)

| |

22 February 2009

Injecting the Common into Security

According to several news articles Friday, February 20th, and documented on hackersblog.org by the hacker named Unu, the Security and A/V "giant" Symantec had a bit of a website face lift as a result of a SQL-injection vulnerability within the website. The website was defaced as can be seen in the following image: The stories and associated blog references can be found at the following links: http://www.itp.net http://news.softpedia.com http://www.hackersblog.org Granted, based on the articles and information so far, the "ethical hacker" Unu used this method of notification to "help" alert Symantec to the problem. Outside of the ethical issues surrounding... Read more →

Posted by on 22 February 2009 at 10:11 PM in Ethics, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Software Development | | Comments (0) | TrackBack (0)

| |

16 January 2009

Interview with an adware author

I'm usually not too impressed with interviews with the blackhat side: they tend to be long on self-justification and short on actual information or thought. However, this one is fairly decent, with some interesting perspectives on "the road to hell" as well as some insights on spam and adware protection. Read more →

Posted by on 16 January 2009 at 05:20 PM in Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy | | Comments (0) | TrackBack (0)

| |

« Previous