37 posts categorized "Legal"

06 November 2009

Free licence

Interesting piece by an author who explains why he is not upset by, and even wants people, "pirating" his book, which is published under the GNU Free Documentation License. Read more →

Posted by on 06 November 2009 at 03:19 PM in Cybersecurity Training, Legal | | Comments (0) | TrackBack (0)

| |

25 September 2009

DoD IA Policy Chart

For your information, the Defense-wide Information Assurance Program (DIAP) has just released the IA Policy Chart via the IATAC web site at http://iac.dtic.mil/iatac/ia_policychart.html. The chart, plus background notes can be found at that site. In addition, the IA Policy Chart will be included as a centerfold in the January 2010 edition of the IATAC’s IAnewsletter. The goal of the IA Policy Chart is to capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware, in a helpful organizational scheme. The use of color, hatching, fonts and hyperlinks are all designed to provide... Read more →

Posted by on 25 September 2009 at 12:49 AM in Cybersecurity Certifications, Cybersecurity Training, Insider Risk, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Software Development | | Comments (0) | TrackBack (0)

| |

22 August 2009

Should the CISSP CBK be improved to place greater emphasis on “human factors” in information security? Definitely Yes!

Should the CISSP CBK be expanded to cover "human factors" in security? [1] Add “Human Factors” No.[2] Clearly, human factors are a major component to information security and Gary Hinson presents effective arguments that they should be established as an additional domain. On the other hand, Rob Slade makes an effective argument that the human factors are a significant component of each of the current ten domains primarily based on his experience teaching the CBK® to CISSP® aspirants for (ISC)²®. In full disclosure, I also teach the CBK® to CISSP® aspirants, but not for (ISC)²®, but at a local college.... Read more →

Posted by on 22 August 2009 at 05:56 PM in Cybersecurity Certifications, Cybersecurity Training, Digital Forensics, Ethics, IT Security, Legal, Network Security, Operations Security, Privacy, Risk, Software Development | | Comments (1) | TrackBack (0)

| |

10 August 2009

Add "human factors"? No.

OK, Gary has asked if the CISSP CBK should be expanded to cover "human factors" in security? And I answer "No." With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security. Nothing could be further from the truth. I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it. What I disagree with is the question. The CBK already addresses... Read more →

Posted by on 10 August 2009 at 10:04 PM in Cybersecurity Certifications, Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy, Risk | | Comments (2) | TrackBack (0)

| |

11 July 2009

Are policies mandatory and guidelines optional?

Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain. For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree. Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions... Read more →

Posted by on 11 July 2009 at 05:47 PM in Ethics, Insider Risk, Legal | | Comments (1) | TrackBack (0)

| |

04 July 2009

Security Economics

With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Bohme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it still depressingly relevant.) Read more →

Posted by on 04 July 2009 at 11:38 PM in Cybersecurity Training, IT Security, Legal, Risk | | Comments (0) | TrackBack (0)

| |

09 June 2009

Open Source Computer Forensics Manual

The Open Source Computer Forensics Manual doesn't have a lot in it, and it only covers the basic approach, but it is reasonable at that. Maybe someone can get the project restarted. Read more →

Posted by on 09 June 2009 at 05:49 PM in Cybersecurity Training, Digital Forensics, Legal, Operations Security | | Comments (0) | TrackBack (0)

| |

US Cybercrime site

US Department of Justice Computer Crime and Intellectual Property site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution. Read more →

Posted by on 09 June 2009 at 04:57 PM in Cybersecurity Training, Digital Forensics, Insider Risk, Legal | | Comments (0) | TrackBack (0)

| |

08 May 2009

Is U.S. ICE the New FISMA?

The United States Information and Communications Enhancement Act of 2009 (U.S. ICE Act of 2009) was introduced to the Senate on April 28, 2009. This bill, if successfully passed, would overhaul the provisions currently in FISMA and seek to strengthen information security in the federal government. Link to full text: http://www.govtrack.us/congress/billtext.xpd?bill=s111-921 As quoted by Sen. Tom Carper (D.-Del): “Instead of agencies wasting precious resources producing security plans that are outdated as soon they are printed, my bill requires agencies to continuously monitor their networks for cyber intrusions and malicious activities, take steps to address their vulnerabilities, and then regularly test... Read more →

Posted by on 08 May 2009 at 07:41 AM in IT Security, Legal | | Comments (0) | TrackBack (0)

| |

18 April 2009

Proceeds of crime

The Supreme Court of Canada has struck down a challenge to a provincial law enabling seizure of proceeds of crime. Under the provincial law, proceeds could be seized under a civil action, without a conviction for a crime having taken place. A report appeared in the Vancouver Sun. The challenge appears to have stressed the jurisdictional issues. (In Canada, criminal law is a matter for the federal government: the provinces do not make their own criminal laws.) However, there is also the matter of burden of proof. Under criminal law (under a Common Law system, at any rate), the charge... Read more →

Posted by on 18 April 2009 at 11:25 PM in Cybersecurity Training, Ethics, Legal, Privacy, Risk | | Comments (0) | TrackBack (0)

| |

29 March 2009

GhostNet

The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some items of this were given in a story in the New York Times. There is also related work in a report out of Cambridge (full report in PDF)(which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest). Read more →

Posted by on 29 March 2009 at 06:46 PM in Cybersecurity Training, Digital Forensics, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk | | Comments (0) | TrackBack (0)

| |

19 March 2009

Secure data erasure

For all the trouble we have to take to protect, backup, and maintain our data, when we want to get rid of it, it turns out to be remarkably difficult. Do we delete Overwriting delete? Overwrite 40 times? Overwrite 40 times including all the slack space? Degauss? Get out the thermite? This site presents a faster and easier option. There is software, and also a paper (possibly self-serving ...) explaining the option, and why it is very often good enough. Read more →

Posted by on 19 March 2009 at 09:16 PM in Cybersecurity Training, Digital Forensics, IT Security, Legal, Operations Security, Privacy, Risk | | Comments (2) | TrackBack (0)

| |

22 February 2009

Injecting the Common into Security

According to several news articles Friday, February 20th, and documented on hackersblog.org by the hacker named Unu, the Security and A/V "giant" Symantec had a bit of a website face lift as a result of a SQL-injection vulnerability within the website. The website was defaced as can be seen in the following image: The stories and associated blog references can be found at the following links: http://www.itp.net http://news.softpedia.com http://www.hackersblog.org Granted, based on the articles and information so far, the "ethical hacker" Unu used this method of notification to "help" alert Symantec to the problem. Outside of the ethical issues surrounding... Read more →

Posted by on 22 February 2009 at 10:11 PM in Ethics, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Software Development | | Comments (0) | TrackBack (0)

| |

27 January 2009

A Mistaken Conviction Based on Digital Forensics – Part 2 – The Trial, Day 1

Department of Homeland Security Daily Open Source Infrastructure Report

During the pretrial examination we learned that there appeared to be sufficient basis to have excluded the forensic evidence yet that did not happen. Let us see what happened during the trial which allowed the forensic evidence for the prosecution to be presented to the court and considered by the jury during its deliberations which resulted in Julie Amero’s conviction on all counts. Before we do however, let us take a brief look at the community’s perspective of the crime and how that might have influenced their deliberation to some degree.... Read more →

Posted by on 27 January 2009 at 10:16 AM in Digital Forensics, IT Security, Legal, Malware, Network Security | | Comments (0) | TrackBack (0)

| |

16 January 2009

Interview with an adware author

I'm usually not too impressed with interviews with the blackhat side: they tend to be long on self-justification and short on actual information or thought. However, this one is fairly decent, with some interesting perspectives on "the road to hell" as well as some insights on spam and adware protection. Read more →

Posted by on 16 January 2009 at 05:20 PM in Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy | | Comments (0) | TrackBack (0)

| |

15 January 2009

A Mistaken Conviction Based on Digital Forensics – Part 1 – Pretrial

Most of us watch criminal cases in movies and on television where forensic evidence ices a conviction and exonerates the innocent. How is it possible that someone can be convicted based on forensic evidence when they were not guilty? Let’s examine a modern day case where this occurred: · The event took place on October 19th, 2004 · The accused was tried and convicted on January 3-5, 2007 · The sentencing was scheduled for eight weeks later, March 2nd, 2007, then delayed until o March 29th, 2007 which was postponed on March 28th, 2007 until o April 26th, 2007 and... Read more →

Posted by on 15 January 2009 at 06:40 AM in Digital Forensics, IT Security, Legal, Malware, Risk | | Comments (0) | TrackBack (0)

| |

02 January 2009

The Changing World of Digital Forensics

Digital forensic skills are challenging to acquire and frequently are less than useful unless you are working in emerging technologies or have a solid foundation of the very basics. More and more the focus upon digital forensic examination is within the legal community yet the challenges outside of the legal aspects remain the same – solve a problem and fix it. That is correct. When a skilled IT professional works on, solves and corrects an IT issue, whether it is a network challenge, a program problem or even a physical configuration concern or failure, they are in fact conducting a... Read more →

Posted by on 02 January 2009 at 12:50 PM in Digital Forensics, IT Security, Legal | | Comments (0) | TrackBack (0)

| |

« Previous