The MySpace problem (see BBC) took place some weeks ago, and it shows that Information Security is an issue to be taken into account not only by corporations that hold personal information or move money, but by all those that keep any kind of identification of their users.
This category includes, in general, websites where you only have to create an account, with no further requirements. It is not necessary to ask for personal information such as email, name, date of birth or similar to hold "enough" personal data... consider that whenever you access a website, your IP address is known to the site, and perhaps other information provided by cookies as well.
So the Information Security business (currently not considered by free portals where you have to create an account to publish or get information) has a big place to grow in such sites.
From the point of view of Information Security, it is easier if we consider that dealing with users is the same as dealing with their privacy and their identity. This approach lets the corporation add more business lines without falling into any kind of security flaw.
In past years, as Information Security was seen as a cost (the cost of buying antivirus software and firewalls, the cost of having passwords, of making backups...) without any profit, corporations only wanted to be "legal", nothing else. We are currently preparing an article on the Identity Theft problem in Europe, where legal requirements are followed but the legal "spirit" is not applied.
Sunday, February 17, 2008
Monday, February 11, 2008
Security is not a tool
A recently published article from BankinfoSecurity.com reports a case in which information vulnerabilities were exploited without using any technical methods... but Information Security methods, like Social Engineering.
Nowadays, attacks on Information Security do not only use technological means; acts against social and procedural vulnerabilities (which at this time have no kind of protection, as we are seeing) are currently exploited to reach the same targets.
But "traditional" security companies continue to advise on the importance of upgrading the operating system or installing a firewall and antivirus...
Security is not a tool.
Friday, February 1, 2008
Secure Programming
Showing that Information Security Management is not an extension of Information Systems Administration, this old document, listing how to develop secure programs on Unix and Linux (but more generally on all systems), is a concrete example and gives a good idea of how ISM has a lot to say in all information areas.
Tuesday, January 22, 2008
PRIAMOS
Today I've discovered a not very useful tool, but one whose existence is worth remembering, called Priamos, at Priamos-Project.com.
It's a SQL injector for testing the security of database access from our web applications.
(It seems to have been used to obtain a very big list of .mil emails and passwords, according to http://www.flashback.info/showthread.php?t=608727&page=7).
Personal value of InfoSec
This is only a joke... but there are many reasons to take it as "one more value" of Information Security.
Some days ago, a friend (a lawyer) sent me a link from http://www.flashback.info. On this page I could find a link about "Data Security", but only in the Swedish version.
Oh, what a pity! Since I have no idea of Swedish, I have to learn it to discover how, when and why some guys diverted an American satellite. (http://www.flashback.info/showthread.php?t=597565)
This is an added value of Information Security for me: I'm starting to learn Swedish.
As I said, it's only a joke, but it's real...
Wednesday, October 24, 2007
Graphics cards can break passwords 25 times faster
As I've seen in this news item from Techrepublic, passwords can be cracked 25 times faster using graphics card processors instead of the CPU... OK, it's technology news, but it supports the Information Security idea that technology is not THE solution for security problems, as Information Security is a human task for human beings, not a set of machine tasks for machines.
So Information Security decisions based only on technologies will fail sooner or later, no matter how secure they seem today. The role of Information Security is to be aware of these new vulnerabilities and to review management styles so as to incorporate solutions in a fast and reliable way.
Tuesday, October 16, 2007
Data security: fundamental right to personal data protection
We are not talking about new, cutting-edge information... As you can see, in 2005 the 27th International Conference of Data Protection collected the fundamental principles of personal data protection:
- Principle of lawful and fair data collection and processing
- Principle of purpose-specification and -limitation
- Principle of proportionality
- Principle of transparency
- Principle of individual participation and the right of access
- Principle of non-discrimination
- Principle of data-security
- Principle of accuracy
- Principle of responsibility
- Principle of independent supervision
- Principle of adequate level of protection
These principles have been signed by all the Regulatory Agencies of the European Union countries. What does this mean? In Europe there is no law similar to SOX, but several different regulations (scattered, and this is the problem) focus on similar aspects concerning Information Security and information responsibility.
Nowadays, therefore, Information Security (and all the topics it includes, like Information Security Governance, Risk Analysis, Continuity Plans...) is a must for both public and private corporations.