Interesting piece by an author who explains why he is not upset by, and even wants, people "pirating" his book, which is published under the GNU Free Documentation License.
Posted by Rob Slade on 06 November 2009 at 03:19 PM in Cybersecurity Training, Legal
For your information, the Defense-wide Information Assurance Program (DIAP) has just released the IA Policy Chart via the IATAC web site at http://iac.dtic.mil/iatac/ia_policychart.html. The chart, plus background notes, can be found at that site. In addition, the IA Policy Chart will be included as a centerfold in the January 2010 edition of the IATAC’s IAnewsletter. The goal of the IA Policy Chart is to capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware of, in a helpful organizational scheme. The use of color, hatching, fonts and hyperlinks is designed to provide...
Posted by John Dittmer on 25 September 2009 at 12:49 AM in Cybersecurity Certifications, Cybersecurity Training, Insider Risk, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Software Development
Should the CISSP CBK be expanded to cover "human factors" in security? [1] Add “Human Factors” No.[2] Clearly, human factors are a major component of information security, and Gary Hinson presents effective arguments that they should be established as an additional domain. On the other hand, Rob Slade makes an effective argument that human factors are a significant component of each of the current ten domains, primarily based on his experience teaching the CBK® to CISSP® aspirants for (ISC)²®. In full disclosure, I also teach the CBK® to CISSP® aspirants, though not for (ISC)²® but at a local college....
Posted by Bob Johnston on 22 August 2009 at 05:56 PM in Cybersecurity Certifications, Cybersecurity Training, Digital Forensics, Ethics, IT Security, Legal, Network Security, Operations Security, Privacy, Risk, Software Development
OK, Gary has asked if the CISSP CBK should be expanded to cover "human factors" in security? And I answer "No." With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security. Nothing could be further from the truth. I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it. What I disagree with is the question. The CBK already addresses...
Posted by Rob Slade on 10 August 2009 at 10:04 PM in Cybersecurity Certifications, Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy, Risk
Although this is often expressed, I fundamentally disagree that policies are mandatory whereas guidelines are optional. This to me is a rather naïve assessment, and is distinctly unhelpful, misleading even. Let me explain. For a start, do you truly understand the distinction between "mandatory" and "optional"? Are they really (as some claim) as different as binary and analogue? I beg to differ. In my world, they are both analogue concepts. They are both a matter of degree. Occasionally by "mandatory" the information security manager or CISO probably does mean an absolute hard-and-fast rule with no exemptions (authorized non-compliance) or exceptions...
Posted by Gary Hinson on 11 July 2009 at 05:47 PM in Ethics, Insider Risk, Legal
With some similarities to "Geekonomics," this article by Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore points out the economic factors that tend to keep information security as a low priority. They also point out a number of activities and policies which can help. (This paper was written in late 2007, but it is still depressingly relevant.)
Posted by Rob Slade on 04 July 2009 at 11:38 PM in Cybersecurity Training, IT Security, Legal, Risk
The Open Source Computer Forensics Manual doesn't have a lot in it, and it only covers the basic approach, but it is reasonable at that. Maybe someone can get the project restarted.
Posted by Rob Slade on 09 June 2009 at 05:49 PM in Cybersecurity Training, Digital Forensics, Legal, Operations Security
US Department of Justice Computer Crime and Intellectual Property site with news stories, related (US) laws, and some documents related to digital evidence, investigation, and prosecution.
Posted by Rob Slade on 09 June 2009 at 04:57 PM in Cybersecurity Training, Digital Forensics, Insider Risk, Legal
The United States Information and Communications Enhancement Act of 2009 (U.S. ICE Act of 2009) was introduced to the Senate on April 28, 2009. This bill, if successfully passed, would overhaul the provisions currently in FISMA and seek to strengthen information security in the federal government.

Link to full text: http://www.govtrack.us/congress/billtext.xpd?bill=s111-921

As quoted by Sen. Tom Carper (D.-Del): “Instead of agencies wasting precious resources producing security plans that are outdated as soon as they are printed, my bill requires agencies to continuously monitor their networks for cyber intrusions and malicious activities, take steps to address their vulnerabilities, and then regularly test...
Posted by Matthew Metheny on 08 May 2009 at 07:41 AM in IT Security, Legal
The Supreme Court of Canada has struck down a challenge to a provincial law enabling seizure of proceeds of crime. Under the provincial law, proceeds could be seized under a civil action, without a conviction for a crime having taken place. A report appeared in the Vancouver Sun. The challenge appears to have stressed the jurisdictional issues. (In Canada, criminal law is a matter for the federal government: the provinces do not make their own criminal laws.) However, there is also the matter of burden of proof. Under criminal law (under a Common Law system, at any rate), the charge...
Posted by Rob Slade on 18 April 2009 at 11:25 PM in Cybersecurity Training, Ethics, Legal, Privacy, Risk
The tracking (and scope) of GhostNet, a significant example of the use of malware and botnets for espionage. Some details were given in a story in the New York Times. There is also related work in a report out of Cambridge (full report in PDF) (which, like everything else Ross Anderson has written, is worth reading regardless of your level of interest).
Posted by Rob Slade on 29 March 2009 at 06:46 PM in Cybersecurity Training, Digital Forensics, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk
For all the trouble we have to take to protect, back up, and maintain our data, when we want to get rid of it, it turns out to be remarkably difficult. Do we delete? Overwriting delete? Overwrite 40 times? Overwrite 40 times including all the slack space? Degauss? Get out the thermite? This site presents a faster and easier option. There is software, and also a paper (possibly self-serving ...) explaining the option, and why it is very often good enough.
Posted by Rob Slade on 19 March 2009 at 09:16 PM in Cybersecurity Training, Digital Forensics, IT Security, Legal, Operations Security, Privacy, Risk
According to several news articles Friday, February 20th, and documented on hackersblog.org by the hacker named Unu, the Security and A/V "giant" Symantec had a bit of a website face lift as a result of a SQL-injection vulnerability within the website. The website was defaced as can be seen in the following image:

The stories and associated blog references can be found at the following links:

http://www.itp.net
http://news.softpedia.com
http://www.hackersblog.org

Granted, based on the articles and information so far, the "ethical hacker" Unu used this method of notification to "help" alert Symantec to the problem. Outside of the ethical issues surrounding...
Posted by Lester Nichols on 22 February 2009 at 10:11 PM in Ethics, IT Security, Legal, Malware, Network Security, Operations Security, Privacy, Risk, Software Development
Department of Homeland Security Daily Open Source Infrastructure Report
During the pretrial examination we learned that there appeared to be sufficient basis to have excluded the forensic evidence, yet that did not happen. Let us see what happened during the trial which allowed the forensic evidence for the prosecution to be presented to the court and considered by the jury during its deliberations, which resulted in Julie Amero’s conviction on all counts. Before we do, however, let us take a brief look at the community’s perspective of the crime and how that might have influenced their deliberation to some degree....
Posted by Bob Johnston on 27 January 2009 at 10:16 AM in Digital Forensics, IT Security, Legal, Malware, Network Security
I'm usually not too impressed with interviews with the blackhat side: they tend to be long on self-justification and short on actual information or thought. However, this one is fairly decent, with some interesting perspectives on "the road to hell" as well as some insights on spam and adware protection.
Posted by Rob Slade on 16 January 2009 at 05:20 PM in Cybersecurity Training, Ethics, Insider Risk, IT Security, Legal, Malware, Operations Security, Privacy
Most of us watch criminal cases in movies and on television where forensic evidence ices a conviction and exonerates the innocent. How is it possible that someone can be convicted based on forensic evidence when they were not guilty? Let’s examine a modern day case where this occurred:

· The event took place on October 19th, 2004
· The accused was tried and convicted on January 3-5, 2007
· The sentencing was scheduled for eight weeks later, March 2nd, 2007, then delayed until
  o March 29th, 2007, which was postponed on March 28th, 2007 until
  o April 26th, 2007 and...
Posted by Bob Johnston on 15 January 2009 at 06:40 AM in Digital Forensics, IT Security, Legal, Malware, Risk
Digital forensic skills are challenging to acquire and frequently are less than useful unless you are working in emerging technologies or have a solid foundation of the very basics. More and more the focus of digital forensic examination is within the legal community, yet the challenges outside of the legal aspects remain the same: solve a problem and fix it. That is correct. When a skilled IT professional works on, solves and corrects an IT issue, whether it is a network challenge, a program problem or even a physical configuration concern or failure, they are in fact conducting a...
Posted by Bob Johnston on 02 January 2009 at 12:50 PM in Digital Forensics, IT Security, Legal