Network World

Security Strategies Alert

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Security news and resources from Network World.
The privacy policy problem, Part 2: Controlling business partners
08/28/08
In this series of four articles, I'm exploring privacy policies. Today I'll continue with an analysis of potential problems due to independent partner organizations working on behalf of their clients without adequate supervision and coordination.
The privacy policy problem, Part 1: A model policy
08/26/08
Many organizations strive to protect the confidentiality of prospects and clients. In this column and the next three, I want to explore issues relating to privacy policies and the sometimes problematic relations between legitimate, well-meaning institutions and the commercial organizations with which they do business - and the criminal organizations which abuse their good names and reputations.
Analyzing fundamental flaws: Opening vs. unlocking
08/21/08
I've been doing facilities security assessments and reports for over two decades and still occasionally get requests for that kind of work. Recently, one of my local clients reported a problem with the two doors on its small Vermont office building. Seems the police found one of the doors unlocked in the middle of the night and called the security firm to get them locked. The manager of this 50-employee medical billing firm sent out a plea to all her employees asking them to please remember to lock the doors when leaving the building. She copied me on her message and here's what I replied.
IMCD Business Backup: Prepare for all ContingenZ's
08/19/08
Some years ago, I wrote about my friends and colleagues Michael Miora and Stephen Cobb's incident management planning and training program, then called IMCD. Now Michael and Stephen Cobb's brother, Michael Cobb, have updated the product and reduced the price all the way down to $99 per copy (10% of the original price). They have renamed this new version 3 as "IMCD Business Backup" to make it clearer that the software is an actual preparation and recovery tool, not just a planning tool.
Encryption bottleneck: Lessons from performance analysis
08/14/08
Your computer is running slowly. Guess you have to buy a faster processor, right? Not necessarily. You want strong encryption. Guess you have to increase the encryption keylength, right? Not necessarily.
WEIS 2008: IPv6 illustrates resistance to new technologies
08/12/08
In my previous column, I started reviewing an interesting paper by Hillary Elmore, L. Jean Camp and Brandon Stephens entitled "Diffusion and Adoption of IPv6 in the ARIN Region" that they presented at the 2008 Workshop on the Economics of Information Security at Dartmouth College in June. Given the urgency of coping with exhaustion of the IPv4 address space, what are some measures that might encourage wider acceptance of IPv6? The authors discuss several approaches.
WEIS 2008: Transition to IPv6 is complex
08/07/08
Elmore, Camp and Stephens make the point that the adoption of IPv6 addressing has been surprisingly slow. They ask why. The authors provide a thoughtful analysis of available data sets and conclude that, at current rates of adoption, there is no way that IPv6 will replace IPv4 utilization before all IPv4 addresses are used (estimated to be around 2011).
WEIS 2008: Escalation and incentives for better security
08/05/08
Two researchers present an overview of access-control models and point out that some organizations are experimenting successfully with a model for supporting creativity and effective use of corporate information by allowing rapid access to sensitive information if they need it, subject to appropriate controls and follow-up.
WEIS 2008: Security economics and European policy
07/31/08
Occasionally one reads a paper or a book that makes one sit up and take notice. Older readers may remember the excitement in 1991 when the National Research Council issued Computers at Risk: Safe Computing in the Information Age, which influenced the development of public policy for more than a decade after its publication and is still worth reading today. Readers may come to agree with me that we have another exciting policy-related report to read this year.
WEIS 2008: Do data-breach-disclosure laws reduce identity theft?
07/29/08
At the 2008 Workshop on the Economics of Information Security, three researchers from Carnegie Mellon University presented a paper called "Do Data Breach Disclosure Laws Reduce Identity Theft?" I was surprised by the results presented, which I found counterintuitive and disappointing (not, I hasten to add, through any fault of the authors or of their methodology). My disappointment is due to the fear that if independent study confirms the findings, then we have a serious problem.
Insider controls still lacking
07/24/08
My colleague Tito de Morais, a security-awareness expert in Portugal, has kindly allowed me to reprint some information he sent me that, as he said, "stresses the importance of background checks or perhaps psychological evaluations of personnel who can access critical or personal information."
'Bad Verb': A bad user interface in action
07/22/08
So there I am, dutifully filling out a survey about our new my.super-duper-security-group.org bulletin board system when I finish the last question and click on the SUBMIT button. WHAM! A single-line error message appears: "BAD VERB" it says, all by itself on the screen.
DoD offers useful certification guidelines
07/17/08
Jacqueline R. Tregre writes: How much training is enough? The U.S. Department of Defense put its considerable resources into that very question and produced a manual, publicly available, that calls for industry-standard certifications (and implicitly for the training to attain them) for both the technical personnel that actually put hands on systems, and for the management personnel responsible for running an organization's information assurance program.
Biometric blooper?
07/15/08
Frank Platt writes: The U.K. is planning to launch a national biometric identity card next year, along with a national database to include all the citizenry. This card will certainly be convenient when purchasing or banking or to quickly authenticate one's identity. But the whole idea may be deeply flawed.
Verizon data breach report, Part 4: Attack vectors
07/10/08
In my three most recent columns, I've been looking at the Verizon Business RISK Team's valuable analysis of four years of data on security breaches among their clients, entitled "2008 Data Breach Investigations Report." Today, in the fourth and final article in this series, I will look at the findings on attack vectors, called "Common Attack Pathways" in the report.
Verizon data breach report, Part 3: Breach size and source
07/08/08
In my two most recent columns, I've been looking at the Verizon Business RISK Team's valuable analysis of four years of data on security breaches among their clients, entitled "2008 Data Breach Investigations Report." Today I'll look at the research findings concerning breach size and source.
Verizon data breach investigations report, Part 2: Outsider attacks
07/03/08
The Verizon Business RISK Team recently published a valuable analysis of four years of data on security breaches among their clients. The team said, 'In a finding that may be surprising to some, most data breaches investigated were caused by external sources.' Today I want to explore the implications of that finding.
Verizon data breach investigations report, Part 1
07/01/08
The Verizon Business RISK Team recently published a valuable analysis of four years of data on security breaches among their clients entitled "2008 Data Breach Investigations Report." Today I want to draw readers' attention to the methodology of this landmark study.
Improved security raises threat to the unimproved
06/26/08
Reports on the Mississippi River flooding of recent weeks got me thinking about an issue that should concern organizations which have fallen behind industry standards of improved security in recent times.
Extreme weather and business continuity
06/24/08
Does climate change have any relevance for information assurance and business continuity? My friend and colleague John Orlando, program director of the Master of Science in Business Continuity Management (MSBC) program at Norwich University, thinks so.
Keep pace with vulnerabilities
06/19/08
Keeping track of the changing threat and vulnerability picture is a challenge for any security or network administration team. Threats change because of the constant efforts of Bad Actors who actively seek to exploit known vulnerabilities and to discover new ones. Vulnerabilities change because of changes in software versions, installation of new hardware or new firmware, installation of new software patches, and changes in network topology.
Infowar resources
06/17/08
I found some resources in infrastructure protection and information warfare that might interest some readers. This column will be a bit of a collage of neat infowar stuff that you may have overlooked but that bears attention and even rereading.
LBB2E: Joel Dubin updates his pocket guide
06/12/08
Joel Dubin has just sent me the update of his useful guide to computer security, The Little Black Book of Computer Security. In October 2005, I published a review of the first edition. I liked the book so much I ordered it for the assigned readings in one of the seminars in the MSIA program.
Master of Science in Business Continuity Management
06/10/08
Organizations both large and small are implementing BCM systems. Once relegated to the margins of corporate practice as an aspect of information technology or corporate security, BCM has become recognized as a fundamental aspect of sound business practice.
10 tips for moving e-discovery into the enterprise
06/05/08
StoredIQ writes: If you work for a mid- to large-sized company - say, one with more than $500 million in revenue - you are probably familiar with the problems of e-discovery. Your enterprise may routinely face five or more litigation matters each year, and you have terabytes of unstructured information that you need to sort through in order to find relevant information and place it on litigation hold. Here are 10 tips for choosing an e-discovery solution that can get up and running quickly, solve the problems you need it to, and pay for itself within months.

M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance at Norwich University.
