SearchSecurity.com

To make information security truly an enterprise-wide effort, the director of New York's Office of Cyber Security and Critical Infrastructure Coordination has come up with resolutions for 2005 that create a foundation harder for hackers to crack. [...] Here's how each employee, from those in the CEO's office to the mailroom, can resolve to do his or her part:

• Recognize the relationship between physical and cybersecurity
  
  -Realize cyberevents can have physical consequences.
  
  -Help improve communication and cooperation between cybersecurity and homeland security entities.





• Don't be overwhelmed by the challenges faced in cybersecurity
  
  -Break it up into digestible chunks.
  
  -Just get started.
  
  -Understand that one size does not fit all.





• Don't be afraid to admit to a cybersecurity incident
  
  -Recognize 100% security does not exist and that when an attack occurs, do not engage in the "blame game."
  
  -Remember, too, that it's only through sharing information on attacks that we can truly help each other be better prepared.





• Practice good cybersecurity principles
  
  -Don't open e-mails from untrusted sources.
  
  -Don't forward jokes/chain letters/photos received from unknown sources via e-mail.
  
  -Don't divulge a password for any gift or goodie.
  
  -Don't fall prey to phishing scams, which are becoming increasingly more sophisticated.





• Empower the information security officer
  
  -Take cybersecurity seriously.
  
  -Get personally involved. Hold periodic meetings with your ISO; regularly have your ISO brief the executive team on new cyberthreats; recognize staff who demonstrate responsible cybersecurity behavior; ensure that your ISO has reviewed and signed off in writing on new systems before production; have cybersecurity as a standing item at executive meetings.





• Be a role model for the next generation in good cybersecurity practices
  
  -Practice what you preach and adhere to these cyberprinciples yourself -- ensure that you have a strong password; take responsibility to become knowledgeable about sound cybersecurity practices; encourage a culture that cybersecurity is everyone's responsibility; build cybersecurity issues into your presentations.
  
  -Promote cyberethics.





• Collaborate with others
  
  -Work with the public and private sectors to enhance our collective security.
  
  -Recognize you can't do it alone.





• Promote the idea that good cybersecurity is everyone's responsibility
  
  -Ensure you understand your responsibility in using computing technology safely and securely.
  
  -Recognize that the average home users' computer processing power today well surpasses what was previously available to only the largest corporations or government agencies.
  
  -Don't assume that "someone else" is taking care of it (e.g. the IT department, government, etc)





• Promote National Cyber Security Awareness Month -- October 2005
  
  -Develop a cybersecurity awareness campaign within your organization.





• Don't be afraid to challenge the status quo
  
  -Question principles that were once core to good security practices. What was good 10, or even five, years ago may no long be what's good for cybersecurity today. For instance, employees were once told to never open an e-mail from someone they don't know -- this was a basic sound cybersecurity practice. But with the advent of spoofing, we can no longer rely solely on whether you know or think you know the sender. We need to question these principles to see if they still pass the test of time, and modify them when needed.





• Have a passion for cybersecurity
  
  -This one speaks for itself, but it includes learning about threats, attacks and what you can do personally to prevent them.

One way to gauge if the security philosophy is sinking in is to test employees. "We'll have employees receive a phishing scam particular to what they do," Pelgrin said. "If they fall prey to it, they'll get a warm and fuzzy training session on what could have happened."

(0) comments

TechRepublic Security Solutions

A configuration control board (CCB)--also known as a configuration management board--is a group that should play an essential role in an organization's overall network strategy. Typically chaired by the CIO, these boards usually include voting representatives from every department in the company.

The overall goal of a CCB is to make decisions that increase the operational efficiency and usefulness of the network's ability to support the business process of the company. Security is an integral part to the CCB process, and members should take every opportunity to address security concerns during every phase of configuration management.

[CLB: This is not wholly a governance board. A parallel stakeholders board can be form including execs from c-level, the board, shareholders, and the CCB to overview and manage all busness governance issues. ]

(0) comments

The Globe and Mail

When University of Toronto assistant professor Tim Rowley set out on his latest research project, he intended to illustrate the undue influence of Canada's 'old boys' network' on corporate boards of directors.

Instead, he came to the surprising conclusion that while there is an elite of interconnected directors at Canada's largest firms, they have had a positive impact as leaders of corporate governance reform.

'The assumption has always been that the old boys' club is a bad thing. And in many cases, it probably points to recruiting practices that aren't desirable,' said Prof. Rowley, who is also director of the Clarkson Centre for Business Ethics & Board Effectiveness at the U of T's Rotman School of Management. 'But when it comes to governance, our research indicates they actually drive good governance.'

[...] "But I think it has evolved now to a point where the old boys have become sold on the importance of good corporate governance. And because they are old boys . . . they can bring to the table more authority in dealing with and addressing these issues."

Indeed, he says he has seen "old boys" adopt new governance ideas "more easily than some of the new boys" because their business experience has demonstrated their value.

[...] The U of T study looked only at the group of 16 directors who sat on five or more boards of S&P/TSX index companies as of September this year. The researchers graphed the web of connections between the companies they oversee, and placed one director at the centre of the web: Torstar Corp. chief executive officer Robert Prichard.

(0) comments

Information and Privacy Commissioner Frank Work announced that his office will be working jointly with the Government of Alberta to examine the implications of public sector outsourcing for the personal information of Albertans. “Outsourcing” in this context refers to contracting out business functions that involve Albertans’ personal information.
--OIPC

(0) comments

IT World Canada

The number of phishing Web sites associated with online identity theft scams grew by 33 per cent in November, after dropping off in September and early October, according to data compiled by the Anti-Phishing Working Group (APWG) and shared with IDG News Service.

The group received reports of 1,518 active phishing sites during November, up from 1,142 in October. Reports of phishing Web sites have grown by an average rate of 28 per cent monthly since July, as scam artists broadened their efforts to lure customers of companies that do business online.

[CLB: Phishing will continue to grow more serious over the next 12 months.]

(0) comments

Wired 12.12

No street signs. No crosswalks. No accidents. Surprise: Making driving seem more dangerous could make it safer.

The common thread in the new approach to traffic engineering is a recognition that the way you build a road affects far more than the movement of vehicles. It determines how drivers behave on it, whether pedestrians feel safe to walk alongside it, what kinds of businesses and housing spring up along it. 'A wide road with a lot of signs is telling a story,' Monderman says. 'It's saying, go ahead, don't worry, go as fast as you want, there's no need to pay attention to your surroundings. And that's a very dangerous message.'

[...] planners have redesigned several major streets, removing traffic signals and turn lanes, narrowing the roadbed, and bringing people and cars into much closer contact. The result: slower traffic, fewer accidents, shorter trip times. "I think the future of transportation in our cities is slowing down the roads. When you try to speed things up, the system tends to fail, and then you're stuck with a design that moves traffic inefficiently and is hostile to pedestrians and human exchange."

[CLB: Fascinating article - worth the read.]

How to Build a Better Intersection: Chaos = Cooperation

1. Remove signs: The architecture of the road - not signs and signals - dictates traffic flow.
   
2. Install art: The height of the fountain indicates how congested the intersection is.
   
3. Share the spotlight: Lights illuminate not only the roadbed, but also the pedestrian areas.
   
4. Do it in the road: Cafés extend to the edge of the street, further emphasizing the idea of shared space.
   
5. See eye to eye: Right-of-way is negotiated by human interaction, rather than commonly ignored signs.
   
6. Eliminate curbs: Instead of a raised curb, sidewalks are denoted by texture and color.

[CLB: In other words, decentralised interworking principles repurposed for road and other physical transportation design systems. About time! Learn even more: Traffic Engineering]

(0) comments

TheStar.com - CIBC breach spotlights hole in privacy law: "In a global networked world, limiting privacy protection to physical presence potentially eviscerates the effectiveness of privacy legislation. The U.S. recognized this several years ago when it enacted the Children's Online Privacy Protection Act. That statute, focused solely on the protection of children's online privacy, purports to regulate any Web site, wherever it is located, provided that it targets U.S. children.
Canadians, both young and old, deserve similar protection. If the current law does not address the issue, Canada should move quickly to plug its jurisdictional privacy hole."

(0) comments

SearchSecurity.com

How to be security proactive according to Computer Associates Executive Security Advisor Diana Kelley during an Infosecurity New York conference presentation last week.:

Step 1: Understand business and technology requirements

What is your business trying to do? What technology do you need? Are you geographically distributed?

Step 2: Understand the constraints

Think legacy systems, processes and policies. Mainframes, client/server applications, DOS-based applications. What is of value to your business? What's the cost of loss?

Step 3: Select the right technology

Technology is about getting business done. Build detailed requests for proposal based on the above requirements. Know what you need before you talk to a vendor.

Step 4: Build a plan

Based on the above information, create an action plan. Inventory and assign value to the assets and protect them around business needs. Buy-in from all interested parties is important.

Step 5: Test and train

Systems, applications and people have a tricky way of behaving in production environments. Before roll out ensure that the solution works within a relational context. Untrained users are one of the biggest vulnerability vectors. Get sign off. Consider 'human' ways to engage the entire organization in the security process.

Step 6: Implement

Roll out new solutions and processes into production. Communicate changes clearly to affected parties. Manage and monitor effectiveness of the solutions. Use reporting and metrics as proof points.

[And what were the dangers?]

"Reactive security is like the little Dutch boy plugging holes in a leaking dike," said [...] Kelley. "Eventually you're going to run out of fingers."

Essentially, reactive security fails to protect, fails to respond in time, doesn't meet compliance regulations and is an example of overspending while under-protecting assets, Kelley said.

(0) comments

TheStar.com

[...] At the heart of [central bank governor David] Dodge's comments was the call for a single national securities regulator to replace all the provincial and territorial bodies.

'We need a national regulator. It's an idea whose time came years and years ago,' said Thomas Caldwell, chairman of Caldwell Financial Ltd., a Toronto investment firm. Canada's multiple securities regulators have made it expensive in efficient for investors, he said.

Foreigners interested in investing in Canada are, indeed, put off by the various levels of securities regulations, Myers agreed. 'Canada's patchwork regulation is more in line with the 1960s than an economy in the 21st century,' he said.

'If Canada cannot show the world it has a single regulator that is effectively enforcing regulations and meeting the standards of international capital markets, even Canadian companies may go elsewhere to raise capital.'"

(0) comments

Yahoo! News

Next time you make a printout from your color laser printer, shine an LED flashlight beam on it and examine it closely with a magnifying glass. You might be able to see the small, scattered yellow dots printer there that could be used to trace the document back to you.

According to experts, several printer companies quietly encode the serial number and the manufacturing code of their color laser printers and color copiers on every document those machines produce. Governments, including the United States, already use the hidden markings to track counterfeiters.

[...] The dots' minuscule size, covering less than one-thousandth of the page, along with their color combination of yellow on white, makes them invisible to the naked eye, Crean says. One way to determine if your color laser is applying this tracking process is to shine a blue LED light--say, from a keychain laser flashlight--on your page and use a magnifier.

[...] However, they could also be employed to track a document back to any person or business that printed it. Although the technology has existed for a long time, printer companies have not been required to notify customers of the feature.

Lorelei Pagano, a counterfeiting specialist with the U.S. Secret Service, stresses that the government uses the embedded serial numbers only when alerted to a forgery. "The only time any information is gained from these documents is purely in [the case of] a criminal act," she says.

John Morris, a lawyer for The Center for Democracy and Technology, says, "That type of assurance doesn't really assure me at all, unless there's some type of statute." He adds, "At a bare minimum, there needs to be a notice to consumers."

(0) comments

Yahoo! News

'The state of any country's environment is a reflection of the kind of governance in place, and without good governance there can be no peace,' said [Wangari Maathai, Kenya's deputy environment minister and the first African woman to win the Peace Prize].

(0) comments