Resources for Creating Effective Security Policies

Managing information assurance (IA) effectively and efficiently depends on defining our goals clearly, laying out how we will achieve our goals, and defining metrics by which we can tell if we are succeeding.

In a recent session of the Management of Information Assurance (IA) course at Norwich University, students and I spent an hour discussing how to define and apply fundamental concepts of security policy.

Four terms recur in discussions of all forms of IA management: the word policy itself, controls, standards, and procedures.

  • Policy defines what we intend to accomplish to protect information;
  • Controls define the general approaches for implementing the desired protection;
  • Standards stipulate specific and widely accepted measures for how well we implement controls consistent with policy; and
  • Procedures define the specific operations we must carry out to meet standards in achieving the controls that reflect policy.

Typically, we segregate these four elements of IA management: policy is a high-level statement that evolves relatively slowly – perhaps with quarterly or annual reviews by upper management. Controls and standards should be adjustable by line management (e.g., an information security officer) without having to bother upper managers (e.g., the chief information security officer or chief information officer), but subject to periodic review. Procedures ought to be adjustable by staff to meet conditions that can change from day to day as new threats and vulnerabilities are discovered; no one wants to have to ask an upper manager whether it’s acceptable to warn users about a new phishing trick that appeared this morning.


Patch Management a Constant Requirement for IA

As operations staff run computer systems for mission-critical functions, they must constantly adapt to changing threats and newly discovered vulnerabilities – including vulnerabilities rooted in program design or implementation. In a recent session of the Management of Information Assurance (IA) course at Norwich University, we spent an hour discussing how patch management supports IA.

Programs affect all six fundamental elements of IA – protection of confidentiality, control, integrity, authenticity, availability and utility of information. Manufacturers and volunteer programmers in the open-source movement issue tools for fixing problems in their code. These patches can include executable code to alter the machine code of executable files, code to replace parts of existing code, or code to replace entire units of programs (e.g., dynamic link libraries or DLLs). Microsoft issues patches for Windows on the second and fourth Tuesdays of each month.


IA Includes Software Development

Sometimes we lose sight of the wide reach of information assurance (IA). In class discussions in the Management of IA course at Norwich University, students recently discussed how software development and quality assurance play a role in IA.

One of the areas that our students study in their software engineering courses is development strategies. The traditional system development life cycle (SDLC) puts a great deal of time and effort into the project definition phases; systems analysts must interact with users, encourage them to define their needs, define functional requirements (these two phases can be called the requirements elicitation), get the functional specifications approved by the users, and then design and build the systems to meet those requirements. The SDLC includes system testing and system documentation.


Oil Industry Open to Cyberattacks

A colleague recently asked me how vulnerable oil-industry installations are to cyberattack; unfortunately, the consensus seems to be “Very.”

In February 2011, a report surfaced that “Computer hackers working through Internet servers in China broke into and stole proprietary information from the networks of six U.S. and European energy companies, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc….”[1] Other targets included “Marathon Oil Corp., ConocoPhillips and Baker Hughes Inc., …. [a] Houston-based provider of advanced drilling technology.” Publicly traded oil-industry companies hacked by industrial spies or saboteurs might be sued by shareholders if they fail to disclose such attacks: “Investors might also argue they had a right under U.S. securities laws to be informed of the thefts, which a judge might construe as a ‘material’ fact that should have been disclosed….”


Future Privacy

Maria Dailey is a senior in the Bachelor of Science in Computer Security and Information Assurance (BSCSIA) in the School of Business at Norwich University. She recently submitted an interesting essay in the IS455 Strategic Applications of Information Technology course, and I suggested to her that we work together to edit and expand it for publication. The following is the result of a close collaboration between us.

* * *

How would you feel about having a computer inside your body – other than your own brain?

A nanocomputer is one which is invisible to the human eye, but operates like current computers.

“You might stop to consider what the world might be like, if computers the size of molecules become a reality. These are the types of computers that could be everywhere, but never seen. Nano sized bio-computers that could target specific areas inside your body. Giant networks of computers, in your clothing, your house, your car. Entrenched in almost every aspect of our lives and yet you may never give them a single thought.”[1]

Nanotechnology research is proceeding vigorously:

  • In 2001, Wired reporter Geoff Brumfiel wrote that researchers at Bell Labs reported that they had “built a Field-Effect Transistor (FET) from a single molecule.” One of the researchers “said this special ability might allow computer circuits to become integrated into credit cards and clothing. The fact that the molecule can be stored easily in a liquid solution also opens up the possibility of using ink-jet type technology to ‘print’ processors on sheets of plastic.”[2]
  • Brumfiel also pointed to the startling achievement of researchers at Harvard University who “made semiconducting nanowires that assembled themselves into simple circuits.” Luminary scientist Ralph Merkle,[3] one of the founders of modern cryptography and currently a researcher in nanotechnology, explained to Brumfiel that “Molecular processors… could allow computers to see, hear and interact with humans much more directly.”[2]
  • In mid-2011, “A group of Turkish researchers at an Ankara university have manufactured the longest and thinnest nanowires ever produced, by employing a novel method to shrink matter 10-million fold.”[4] Such nanowires could play a valuable role in nanoscale computing.
  • A Website devoted to monitoring developments in nanoscale computing has the motto, “Small is beautiful; very small is very beautiful.”[5] The current page alone has 30 entries on a multitude of nanotechnology topics, with more than a thousand more archived. Examples include
    • DNA Nanotechnology – a basis for biologically-based nanocomputers;[6]
    • Augmented Reality – Microsoft and University of Washington scientists are working on contact lenses with digital displays providing additional information on demand;[7]
    • Building an Artificial Brain – University of Southern California researchers “have made a significant breakthrough in the use of nanotechnologies for the construction of a synthetic brain. They have built a carbon nanotube synapse circuit whose behavior in tests reproduces the function of a neuron, the building block of the brain.”[8]


Social Networks and Privacy

Maria Dailey is a senior in the Bachelor of Science in Computer Security and Information Assurance (BSCSIA) in the School of Business at Norwich University. She recently submitted an interesting essay in the IS455 Strategic Applications of Information Technology course, and I suggested to her that we work together to edit and expand it for publication. The following is the result of a close collaboration between us and continues last week’s column about changing conceptions of privacy.

* * *

Social Network Sites and Privacy

Harvey Jones and José Hiram Soltren published an interesting early study of privacy practices on Facebook in 2005.[1] They wrote in their abstract, “Privacy on Facebook is undermined by three principal factors: users disclose too much, Facebook does not take adequate steps to protect user privacy, and third parties are actively seeking out end-user information using Facebook.” Key findings of the study (page 13) include the following (quoting, with bullets added):

  • Users put real time and effort into their profiles.
  • Students tend to join as soon as possible, often before arriving on campus.
  • Users share lots of information but do not guard it.
  • Users give imperfect explicit consent to the distribution and sharing of their information.
  • Privacy concerns differ across genders.


Changing Conceptions of Privacy

Maria Dailey is a senior in the Bachelor of Science in Computer Security and Information Assurance (BSCSIA) in the School of Business at Norwich University. She recently submitted an interesting essay in the IS455 Strategic Applications of Information Technology course, and I suggested to her that we work together to edit and expand it for publication. The following is the result of a close collaboration between us.

* * *

NTHNTF?

Privacy opponents feel that there is no need for privacy. If there is nothing to hide, there exists no real excuse to hide information. That belief is often described as the nothing-to-hide-nothing-to-fear (NTHNTF) position. In an extreme statement of this position, former News of the World deputy features editor Paul McMullan, speaking before the Leveson inquiry[1], said,

“In 21 years of invading people’s privacy I’ve never actually come across anyone who’s been doing any good. Privacy is the space bad people need to do bad things in. Privacy is for paedos. If there is a privacy law your secrets are going to be much more valuable than they were before.”[2]

Those opposed to the NTHNTF belief argue that certain information taken out of context can result in undeserved consequences for innocent citizens. “Privacy protects us from being misdefined and judged out of context in a world…in which information can easily be confused with knowledge.”[3]

The Privacy, Identity & Consent Blog[4] author, Toby Stevens,[5] summarizes current developments in privacy law and policy; in one posting at the end of 2010, he articulates his concerns about the effects of the Internet on privacy:


EDUcating Spammers

I distinguish between criminal spam and just-stupid spam by a couple of attributes: the apparently legitimate intentions of naive senders and the inclusion of detailed contact information.

Recently I received the following stupid-spam message (with identifiers deleted) from an organization I had never heard of which spammed my Norwich University e-mail account:

From: —–.net [-----.com]

Sent: Wednesday, December 21, 2011 4:46 PM

To: Michel E. Kabay

Subject: [name of firm]

[name of firm]

Do customers owe you money. —– collects overdue A/R on a 25% contingency basis.

No upfront costs, no long-term contract. Use the power of a law firm to collect your money.

Visit our webpage, www.—–.net<http://www.—–.net/>, with Live-Chat or call —–, for more information.

[address]

Irvine, CA 92614

[telephone]

Member: BBB, US Chamber of Commerce,

TransUnion Licensed, Insured By State National

Cal. State Bar No. —–

Minimum account balance of $5,000, Commercial Accounts only, no consumer accounts accepted.

Unsubscribe<mailto:—–.com?Subject=Unsubscribe> or call ——, Ext 1., or Fax your request ——


Macintosh Malware Erupts

MK writes: Norwich University student Jeremy Legendre sent me an interesting essay which prompted a close collaboration between the two of us on this article.

* * *

History

Sophos antimalware expert Graham Cluley, who has a long and distinguished career in the field, has written a summary of malicious software affecting Macintosh computers.[1] In comparison to the history of Windows malware,[2] Macintosh systems have been far less susceptible to malware than Windows systems. For example, in 2005, Mark H. Anbinder and colleagues published a review of Macintosh computer malware in which (in the version available through the EBSCO library database provided by Norwich University) Macworld editors started the review with this note: “Most Mac users gaze on smugly as reports of each new Windows security crisis break. And they have good reason: At press time, research from Sophos (a maker of antivirus software) showed that 68 viruses have affected the Mac while 97,467 have affected Windows. Of those 68, most are a decade old or older and don’t directly affect OS X.”

Despite the disparity in the number of viruses affecting Windows and Macintosh systems, Anbinder et al. challenged the belief that “Mac users don’t need to worry about viruses.” The authors warned readers that “We’ve enjoyed a long, glorious stretch without serious malware affecting our platform. But that doesn’t mean we can afford to let down our collective guard. If there is a virus attack, those of us who have good, up-to-date antivirus software installed will have the best odds of escaping unscathed.” They urged Mac users to keep updated antimalware tools – and back in 2005, it was reasonable to suggest, “Weekly updates should be adequate for most users, but if your computing involves accessing lots of files from lots of sources—whether via e-mail, file servers, or Web downloads—then daily updates might be a better idea.”

