Pay Attention to Anomalies

Today I increased my virtue coefficient by getting to the swimming pool up the road from where I live (well, 7 km from where I live in farming country) early in the morning. On my way out after a vigorous set of laps (I normally swim a “mile,” which is an ancient measure of distance still used in backwaters such as the USA), I stopped at the desk to tell the attendant that I would like to switch my automatic payments from my credit card to a direct withdrawal from my bank account (VISA charges are rough on the profits of this small business in the wilds of Vermont and I’d like to do my part to help these folks out).


Fighting Advanced Persistent Threat: Detection & Remediation

Francis Cianfrocca, a leading expert on Advanced Persistent Threats, continues his overview of the issues following his first article on the topic in the InfoSec Perception blog. What follows is Mr Cianfrocca’s work with minor edits from M. E. Kabay.

Advanced persistent threats (APTs) attack with privilege escalation and operate through application accesses that, to network monitors, appear to be fully normal in terms of network source addresses, protocol syntax-correctness, and user authentication / authorization levels. Both detection and remediation of these attacks are critical business objectives; whether driven by regulatory or operational sensitivities, data privacy and application security must be maintained and the flow of data must continue without interruption.


Protecting the Fish Pond: Lessons in Information Security from the Back Yard

Former student, good friend and brilliant colleague Jan Buitron, MSIA, CISSP, MCSE tells us a whimsical tale with lessons for us in the security field. Everything that follows is Jan’s work with minor edits by Mich.

It was a big project for a homeowner. My friend set out to design, dig and decorate a fish pond out in her back yard. She dug the pond by hand, with her mother directing her in how to construct up from the bottom depth and sculpt the sides of the pond. She went to local rock and building supply stores to find just the right rocks to decorate the pond’s margins. Careful planning went into designing the plant-scaping of the pond. Shorter plants were set around the pond’s edges and, since they wanted the pond to attract birds, they made especially sure that there was at least one shallow area where the local birds could bathe easily.


Prototyping in Real Life

In business continuity planning (BCP) and disaster recovery planning (DRP), it’s commonplace to urge planners to create initial plans and then test them for ways to improve. This approach is parallel to the current standards of software development and risk management. In the 1960s and 1970s, the standard software development methodology was the system development life cycle (SDLC), in which analysis, design, and approvals of the complete design were so onerous that delivery of finished software could be delayed by years. Since the 1980s, a much more common methodology is spiral development, which was originally called rapid application development (RAD), joint application development (JAD), or iterative, agile and incremental development.


Reality Trumps Theory

A local reporter spent eight hours interviewing students and faculty in the computer science and information assurance (IA) programs at Norwich University a couple of days before I began writing this article. At one point, he asked half a dozen of our students what they felt was special about their education in the School of Business and Management. One young man responded immediately that the focus in our programs is service to organizations in furtherance of their mission-critical objectives; in contrast, he said, he had the impression that some of the students he had met from well-established programs at other institutions participating in various computing and security competitions were focused primarily on details of technology. “People use technology to achieve business goals,” he said, “not just because technology is interesting and fun.” Another student laughed and pointed at me: “Prof Kabay has drilled us in every course with his motto, ‘Reality trumps theory.’” Students nodded and explained that they had learned never to solve problems by applying rote learning as if recipes and checklists could be applied without careful consideration of the specific requirements of any situation.


Vulnerability Management is Essential for Effective Security

Vulnerability management is the embodiment of continuous process improvement in system security.

In a recent discussion in the Norwich University IS342 (Management of Information Assurance) course in the Bachelor of Science in Computer Security and Information Assurance, the class reviewed Rebecca Gurley Bace’s chapter 46, “Vulnerability Assessment” from the Computer Security Handbook, 5th Edition.

Bace explains that vulnerability management includes several phases:

  • Assessing deployed information systems to determine their security status;
  • Determining corrective measures;
  • Managing the appropriate application of the corrections.


Sharing Security Information for International Peace

It’s a commonplace that information assurance suffers from two fundamental problems in information acquisition: failure of ascertainment (failing to realize that a breach of security has occurred) and failure of reporting (keeping apprehended breaches secret). In an overview of statistical methods in computer-crime reporting, I pointed out that one of the most striking research studies of ascertainment and reporting was carried out by the United States (US) Department of Defense:

In a landmark series of tests at the Department of Defense, the Defense Information Systems Agency found that very few of the penetrations it engineered against unclassified systems within the DoD seem to have been detected by system managers. These studies were carried out from 1994 through 1996 and attacked 68,000 systems. About two-thirds of the attacks succeeded; however, only 4% of these attacks were detected…. [O]f the few penetrations detected, only a fraction of 1% were reported to appropriate authorities.


Terrifying Your Employees: Not Recommended for Training

The following contribution is from information security expert Michael Krausz in Vienna with editorial and textual contributions from Mich Kabay.

At a courthouse in Austria, on 28 February 2012, a security-training exercise went wrong.

In the weeks running up to the events of 28 February, police forces and the courthouse management were involved in planning what they believed to be a bright idea: conducting an exercise for courthouse staff on how to respond to someone running amok within the building.


Fighting Advanced Persistent Threat: Analysing the Options

Francis Cianfrocca, a leading expert on Advanced Persistent Threats, presents an overview of the issues. What follows is Mr Cianfrocca’s work with contributions and edits from M. E. Kabay.

Advanced Persistent Threat (APT) has received a great deal of attention in recent months[1] due, in large part, to a spate of highly-publicized successful attacks against the information assets of major enterprises and corporations. Much of the recent focus on APT has come as a result of the RSA breach,[2] believed to be an APT-style attack[3], which led directly to a handful of serious attacks “down-line” within several of RSA’s major enterprise customers.[4]


Employment Practices & Policies

Because people execute security policies (or violate them), hiring, managing and (alas) firing are important aspects of information assurance (IA) management. In a recent class discussion of personnel policies and security, the IS342 Management of Information Assurance class reviewed some of the fundamental principles of personnel and security.

To start with, we face two fundamental problems in all discussions of crime, especially white-collar crime, and particularly computer crime: we have incomplete ascertainment and we have incomplete reporting.

The problem of ascertainment lies in the difficulty of identifying crimes or errors that compromise confidentiality and control, at least until the malefactors reveal the data leakage by using the purloined information. And unfortunately, we don’t yet have any centralized reporting of computer crimes or legal requirements for contributions to such a central database – so we lack reliable estimates of the frequency and severity of computer security breaches.

Nonetheless, a broad consensus among IA practitioners does support the belief that a sizable proportion of damage to computer systems may be from errors and omissions – perhaps even half. The attacks from the outside of systems and networks have increased over the last two decades because of the huge increase in interconnectivity due to wide use of the Internet.

Under these conditions, selecting appropriate employees can be a major contribution to effective IA. This review looks at hiring, management and firing from the perspective of IA managers.

