Network World

Security Strategies Alert

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Security news and resources from Network World.
How to react to a fire alarm
10/09/08
We've been conditioned by years of fire drills to assume that alarms are either tests or false alarms, and just mean a 20-minute work break. But if a fire alarm is to serve its function, we need to assume - or at least pretend - that it's the real thing. Most important, we need to assume that we will not be returning to work.
Don't be a Blobmonger
10/07/08
Mudd: Regular people do not want to hear about some vague entity waiting in the shadows to insinuate itself into their computers. That holds true for at-home users as well as business executives. So, borrowing a quote from The Blob's protagonist, Steve Andrews (played by Steve McQueen): "How do you get people to protect themselves from something they don't believe in?"
Securing the eCampus 2008
10/02/08
Dartmouth College will host its second conference on "Securing the eCampus: Building a Culture of Information Security in an Academic Institution" Nov. 11-12, 2008. Focusing on the unique challenges of cyber security in academia, the conference welcomes CIOs, CISOs, and other academic IT leaders to explore what it takes to develop a more secure information environment on college campuses.
The data center from hell, Part 3: Lessons learned
09/30/08
In the previous two columns, security specialist Jan Buitron reported on a horribly non-secure facility at which she worked some years ago. Today she summarizes her conclusions about the state of facilities security at this dreadful site.
The data center from hell, Part 2
09/25/08
Buitron: One circuit breaker was in a garage bay where company trucks parked. Anyone from the street could walk in at any time and throw the switch on the breaker box, cutting off power instantly to all of the company's servers.
The data center from hell, Part 1
09/23/08
Seen any good horror movies lately? Here's the script for a security geek's version of the classic slasher flick.
How not to manage lost passwords
09/18/08
I am writing to you formally in your capacity as CEO of Metaphoronic Corp., makers of the bioport that I had installed in my lower spinal column last year for direct neural connectivity to my Windows 2010 operating environment. Today I could not sign into the Web page for the SpinalTap application that makes adjustments to the interface and could not find instructions on getting the password e-mailed to my e-mail account or on how to reset it to a temporary password and get that by e-mail, so I called your help desk to find out what to do.
reCAPTCHA illustrates human ingenuity
09/16/08
The CAPTCHA is the squiggly word that appears on Web sites to stop bots from sending spam and doing other vile deeds. Recently, several computer scientists reported on an innovative application of CAPTCHAs: potentially using the more than 100 million applications of human intelligence in decoding the symbols for useful work.
Bad business model: Turning subscriptions into gambling
09/11/08
Dear Unnamed_Music_Service: I visited your site after seeing the ad in The Nation magazine. After I read your terms of service and your rate scale, I decided not to sign up (and, not incidentally, NOT to steal your 25 free songs by cancelling at once). I thought you might like to know why.
New kids advance 'New School'
09/09/08
Two exciting young talents (well, young from my perspective), Adam Shostack and Andrew Stewart, have published an interesting and challenging manifesto urging information-assurance practitioners to break out of conventional thinking. They argue (and I concur) that we have to use the insights of other disciplines in formulating and implementing our security policies to cope with computer-related crime.
The privacy policy problem, Part 4: Reality hits home
09/04/08
It's not going to be easy, but at least you can put your privacy-protection measures in place before you face a major PII disaster. Keep your eyes open, follow up on abuse of your corporate identity, and make your own policies clear and effective.
The privacy policy problem, Part 3: Opting out of opting out
09/02/08
In my most recent two columns, I've been discussing privacy policies. Today I want to look at some of the issues that can occur when you work with other organizations whose policies may differ from yours.
The privacy policy problem, Part 2: Controlling business partners
08/28/08
In this series of four articles, I'm exploring privacy policies. Today I'll continue with an analysis of potential problems due to independent partner organizations working on behalf of their clients without adequate supervision and coordination.
The privacy policy problem, Part 1: A model policy
08/26/08
Many organizations strive to protect the confidentiality of prospects and clients. In this column and the next three, I want to explore issues relating to privacy policies and the sometimes problematic relations between legitimate, well-meaning institutions and the commercial organizations with which they do business - and the criminal organizations which abuse their good names and reputations.
Analyzing fundamental flaws: Opening vs. unlocking
08/21/08
I've been doing facilities security assessments and reports for over two decades and still occasionally get requests for that kind of work. Recently, one of my local clients reported a problem with the two doors on its small Vermont office building. Seems the police found one of the doors unlocked in the middle of the night and called the security firm to get them locked. The manager of this 50-employee medical billing firm sent out a plea to all her employees asking them to please remember to lock the doors when leaving the building. She copied me on her message and here's what I replied.
IMCD Business Backup: Prepare for all ContingenZ's
08/19/08
Some years ago, I wrote about my friends and colleagues Michael Miora and Stephen Cobb's incident management planning and training program, then called IMCD. Now Michael and Stephen Cobb's brother, Michael Cobb, have updated the product and reduced the price all the way down to $99 per copy (10% of the original price). They have renamed this new version 3 as "IMCD Business Backup" to make it clearer that the software is an actual preparation and recovery tool, not just a planning tool.
Encryption bottleneck: Lessons from performance analysis
08/14/08
Your computer is running slowly. Guess you have to buy a faster processor, right? Not necessarily. You want strong encryption. Guess you have to increase the encryption keylength, right? Not necessarily.
WEIS 2008: IPv6 illustrates resistance to new technologies
08/12/08
In my previous column, I started reviewing an interesting paper by Hillary Elmore, L. Jean Camp and Brandon Stephens entitled "Diffusion and Adoption of IPv6 in the ARIN Region" that they presented at the 2008 Workshop on the Economics of Information Security at Dartmouth College in June. Given the urgency of coping with exhaustion of the IPv4 address space, what are some measures that might encourage wider acceptance of IPv6? The authors discuss several approaches.
WEIS 2008: Transition to IPv6 is complex
08/07/08
Elmore, Camp and Stephens make the point that the adoption of IPv6 addressing has been surprisingly slow. They ask why. The authors provide a thoughtful analysis of available data sets and conclude that, at current rates of adoption, there is no way that IPv6 will replace IPv4 utilization before all IPv4 addresses are used (estimated to be around 2011).
WEIS 2008: Escalation and incentives for better security
08/05/08
Two researchers present an overview of access-control models and point out that some organizations are experimenting successfully with a model for supporting creativity and effective use of corporate information by allowing rapid access to sensitive information if they need it, subject to appropriate controls and follow-up.
WEIS 2008: Security economics and European policy
07/31/08
Occasionally one reads a paper or a book that makes one sit up and take notice. Older readers may remember the excitement in 1991 when the National Research Council issued Computers at Risk: Safe Computing in the Information Age, which influenced the development of public policy for more than a decade after its publication and is still worth reading today. Readers may come to agree with me that we have another exciting policy-related report to read this year.
WEIS 2008: Do data-breach-disclosure laws reduce identity theft?
07/29/08
At the 2008 Workshop on the Economics of Information Security, three researchers from Carnegie Mellon University presented a paper called "Do Data Breach Disclosure Laws Reduce Identity Theft?" I was surprised by the results presented, which I found counterintuitive and disappointing (not, I hasten to add, through any fault of the authors or of their methodology). My disappointment is due to the fear that if independent study confirms the findings, then we have a serious problem.
Insider controls still lacking
07/24/08
My colleague Tito de Morais, a security-awareness expert in Portugal, has kindly allowed me to reprint some information he sent me that, as he said, "stresses the importance of background checks or perhaps psychological evaluations of personnel who can access critical or personal information."
'Bad Verb': A bad user interface in action
07/22/08
So there I am, dutifully filling out a survey about our new my.super-duper-security-group.org bulletin board system when I finish the last question and click on the SUBMIT button. WHAM! A single-line error message appears: "BAD VERB" it says, all by itself on the screen.
DoD offers useful certification guidelines
07/17/08
Jacqueline R. Tregre writes: How much training is enough? The U.S. Department of Defense put its considerable resources into that very question and produced a manual, publicly available, that calls for industry-standard certifications (and implicitly for the training to attain them) for both the technical personnel that actually put hands on systems, and for the management personnel responsible for running an organization's information assurance program.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.