IT Business

When it comes to implementing a security policy, Ricky Mehra, director of IT security and internal controls at Indigo, said businesses have to align IT with corporate objectives.

“Don’t evangelize security as insurance,” said Mehra, who was one of five panelists at a Microsoft-sponsored roundtable Thursday. “Try to show an environment in security as a strategic enabler.”

Likewise, Pat Kewin, director of Trend Micro, said businesses need to think about aligning security requirements with business goals.

“Until that happens, organizations will have trouble getting funding,” said Kewin.

Steve Lloyd, chief security advisor at Microsoft Canada, said security needs to be thought of as part of doing your day to day business.

“Stop looking for ROI,” said Lloyd. “Security should be a part of your business plan . . . As soon as you start losing account numbers and passwords, you lose your customer’s trust.”

(0) comments

IT Business

The Information and Privacy Commissioner of Ontario Monday introduced RFID guidelines(PDF) to separate fact from fiction and prepare consumers for the day when they may have to deal with the technology on a daily basis. Ann Cavoukian’s five-page report calls for businesses that are considering the use of radio frequency identification (RFID) technology to take several factors into account. Among them are: An individual at the company should be appointed to ensure that privacy measures are in place Companies must seek consent from individuals before collecting personal information via RFID technology Collection should be limited to the minimum amount of information necessary Employees that may have access to the personal information be trained in its appropriate use Safeguards should be put in place to prevent the loss or theft of information that is stored on an RFID tag The Guidelines are based on three overarching principles, including: Focus on RFID information systems, not technologies: The problem does not lie with RFID technologies themselves, but rather, the way in which they are deployed that can have privacy implications. The Guidelines should be applied to RFID information systems as a whole, rather than to any single technology component or function; Build in privacy and security from the outset – at the design stage: Just as privacy concerns must be identified in a broad and systemic manner, so, too, must the technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data; and Maximize individual participation and consent : Use of RFID information systems should be as open and transparent as possible, and afford individuals with as much opportunity as possible to participate and make informed decisions. RFID Journal Spy Chips The Magic of RFID

(0) comments

Knowledge@Wharton

What do Wharton faculty members and the workers who spy for the National Security Agency have in common? More than you might think. The Wharton scholars aren't analyzing links among billions of telephone calls to identify terrorists, a controversial NSA activity that caused a stir after it was disclosed recently in news reports. But they, too, are interested in mapping social networks.

Social networking is a hot topic. Ordinary Internet users take advantage of networks when they turn to well-known websites like MySpace and Friendster to link up with other people. But more serious interest in social networks can be found among academics, consultants and corporations seeking to deepen their knowledge of how companies operate; how employees and board members interact; how key employees can be identified; and how relationships can be better understood to improve productivity and the dissemination of ideas.

Technically, social network research is an offshoot of graph theory in mathematics. Graphs -- a set of dots connected by links -- are used to map relationships. At its most basic, research on social networks underscores the veracity of some of the truisms one hears all the time: 'It's a small world.' 'It's not what you know, it's who you know.' 'Birds of a feather flock together.'

[...] Mapping social networks can be useful in many ways, but Rosenkopf says there are at least two reasons why corporate interest in the subject is growing: Companies want to be able to identify key performers and get a better understanding of the nature of the interaction among employees.

[...] Network maps may also unearth what are known as "cosmopolitans" -- the employees who are most critical to information flow in the company. "The formal organizational structure [in companies] does not necessarily describe who talks to whom," says Valery Yakubovich, a University of Chicago professor who will join Wharton's management department this summer. "Even if some jobs in an organization are designed to coordinate across different functional areas, it's difficult to figure out who coordinates where in reality. So you ask people directly whom they go to for advice and who gives them the most valuable information to get things done. Then you map the whole network. Often you find that people you might not even think of as very valuable turn out to be important links in the structure of the organization."

[CLB: Fascinating article on how to best make use of these networks and mapping them. I you find social network research interesting, I recommend following through to the citations listed. Are most of the so-called discoveries really just stating the obvious? Yes. But the obvious has been easy to know in theory previously, and now we have tools to find the information in practice. And if the NSA et al can do it, so can you.]

(0) comments

ITAA

(PDF) A new ITAA study by Internet gurus Vint Cerf, Whit Diffie and other experts warns that extending CALEA wiretap measures to Voice over Internet Protocol communications could stall innovation and introduce major security problems.

Summary: Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP

Steven Bellovin, Columbia University
Matt Blaze, University of Pennsylvania
Ernest Brickell, Intel Corporation
Clinton Brooks, NSA (retired)
Vinton Cerf, Google
Whitfield Diffie, Sun Microsystems
Susan Landau, Sun Microsystems
Jon Peterson, NeuStar
John Treichler, Applied Signal Technology

Executive Summary

For many people, Voice over Internet Protocol (VoIP) looks like a nimble way of using a computer to make phone calls. Download the software, pick an identifier and then wherever there is an Internet connection, you can make a phone call. From this perspective, it makes perfect sense that anything that can be done with a telephone, including the graceful accommodation of wiretapping, should be able to be done readily with VoIP as well.

The FCC has issued an order for all ``interconnected'' and all broadband access VoIP services to comply with Communications Assistance for Law Enforcement Act (CALEA) --- without specific regulations on what compliance would mean. The FBI has suggested that CALEA should apply to all forms of VoIP, regardless of the technology involved in the VoIP implementation.

Intercept against a VoIP call made from a fixed location with a fixed IP address directly to a big internet provider's access router is equivalent to wiretapping a normal phone call, and classical PSTN-style CALEA concepts can be applied directly. In fact, these intercept capabilities can be
exactly the same in the VoIP case if the ISP properly secures its infrastructure and wiretap control process as the PSTN's central offices are assumed to do.

However, the network architectures of the Internet and the Public Switched Telephone Network (PSTN) are substantially different, and these differences lead to security risks in applying the CALEA to VoIP. VoIP, like most Internet communications, are communications for a mobile environment. The feasibility of applying CALEA to more decentralized VoIP services is
quite problematic. Neither the manageability of such a wiretapping regime nor whether it can be made secure against subversion seem clear. The real danger is that a CALEA-type regimen is likely to introduce serious vulnerabilities through its ``architected security breach.''

Potential problems include the difficulty of determining where the traffic is coming from (the VoIP provider enables the connection but may not provide the services for the actual conversation), the difficulty of ensuring safe transport of the signals to the law-enforcement facility, the risk of introducing new vulnerabilities into Internet communications, and the difficulty of ensuring proper minimization. VOIP implementations vary substantially across the Internet making it impossible to implement CALEA uniformly. Mobility and the ease of creating new identities on the Internet exacerbate the problem.

Building a comprehensive VoIP intercept capability into the Internet appears to require the cooperation of a very large portion of the routing infrastructure, and the fact that packets are carrying voice is largely irrelevant. Indeed, most of the provisions of the wiretap law do not distinguish among different types of electronic communications. Currently the FBI is focused on applying CALEA's design mandates to VoIP, but there is nothing in wiretapping law that would argue against the extension of intercept design mandates to all types of Internet communications. Indeed, the changes necessary to meet CALEA requirements for VoIP would likely have to be implemented in a way that covered all forms of Internet communication.

In order to extend authorized interception much beyond the easy scenario, it is necessary either to eliminate the flexibility that Internet communications allow, or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous. The current FBI and FCC direction on CALEA applied to VoIP carries great risks.

(0) comments

Schneier on Security

Interesting law review article (PDF) by Helen Nissenbaum:

Abstract: The practices of public surveillance, which include the monitoring of individuals in public through a variety of media (e.g., video, data, online), are among the least understood and controversial challenges to privacy in an age of information technologies. The fragmentary nature of privacy policy in the United States reflects not only the oppositional pulls of diverse vested interests, but also the ambivalence of unsettled intuitions on mundane phenomena such as shopper cards, closed-circuit television, and biometrics. This Article, which extends earlier work on the problem of privacy in public, explains why some of the prominent theoretical approaches to privacy, which were developed over time to meet traditional privacy challenges, yield unsatisfactory conclusions in the case of public surveillance. It posits a new construct, 'contextual integrity' as an alternative benchmark for privacy, to capture the nature of challenges posed by information technologies. Contextual integrity ties adequate protection for privacy to norms of specific contexts, demanding that information gathering and dissemination be appropriate to that context and obey the governing norms of distribution within it. Building on the idea of 'spheres of justice' developed by political philosopher Michael Walzer, this Article argues that public surveillance violates a right to privacy because it violates contextual integrity; as such, it constitutes injustice and even tyranny.

(0) comments

CSO Analyst Reports
By Khalid Kark with Laurie M. Orlov and Samuel Bright

The two most common complaints that security managers relate are: 1) They don’t have senior management support, and 2) it’s tough to quantify the costs and benefits of security. Security managers lack senior management support because they are not able to quantify their program’s benefits in a language that management understands. The result? A disconnect between the security managers and senior executives within the organization. Security managers today must not only manage and measure the information security program, but they must also translate those measurements into meaningful reports for senior executives. The number of spam messages stopped at the email gateway means nothing unless that metric can relay the resulting increase in the amount of productive hours for employees.

1. Myth No. 1: Executives only care about their own firm’s security.
   
2. Myth No. 2: Stories and anecdotes waste executives’ time.
   
3. Myth No. 3: Executives always want to see numeric evidence.
   
4. Myth No. 4: Executives hate auditors.
   
5. Myth No. 5: Executives always want ROI.

KEY CONSIDERATIONS FOR REPORTING TO MANAGEMENT

To provide meaningful reports that top executives can understand and use, successful information security managers underscored that it is critical to:

Align with corporate goals. Security managers must be able to map their reporting to corporate goals and objectives, making it easy for the executives to grasp the context of the reports and see their value. For example, if the corporate goal is to increase profitability, then linking the increase in system availability to the need for better protection against denial of service will make sense to top executives.

Communicate in their language. Senior executives do not care about the number of vulnerabilities you have patched or the amount of spam you have blocked. They want to know how these actions affect their organizations or business. So instead of reporting status, report on the business impact of these measures, and instead of providing operational metrics, give business-centric metrics.

Report residual risk. Information security is primarily a business problem, not a technology one. When an organization goes through an assessment and identifies risks, management has the choice of mitigating, transferring, or accepting the risks. It is then the responsibility of the security management to ensure that top execs are periodically made aware of the residual risks — i.e., those that have not been completely mitigated and those that have been accepted as tolerable.

Highlight significant trends and events. Management reporting must also include significant events and trends in the information security industry to help senior leaders make strategic security decisions. For example, management must be made aware of the proliferation of mobile devices in the enterprise and the risks that they pose. Any significant events, such as the security breaches in your industry, may also be helpful in crystallizing the security risks for management. The trends and news don’t always have to be negative: A new technology, product, or service that may have significant impact on the security industry may also be of interest.

Read the complete article: CSO Analyst Reports

(0) comments