As I've seen in this news from TechRepublic, passwords can be cracked 25 times faster using graphics card processors instead of CPUs. OK, it's a technological news item, but it supports the Information Security idea that technology is not THE solution for security problems, as Information Security is a human task for human beings, not a set of machine tasks for machines.
So Information Security decisions based only on technologies will fail sooner or later, no matter how secure they seem today. The role of Information Security is to be aware of these new vulnerabilities and to check management styles so that solutions are incorporated in a fast and reliable way.
Wednesday, October 24, 2007
Tuesday, October 16, 2007
Data security: fundamental right to personal data protection
We are not talking about new and cutting-edge information... As you can see, in 2005 the 27th International Conference of Data Protection collected the fundamental principles of personal data protection:
- Principle of lawful and fair data collection and processing
- Principle of purpose-specification and -limitation
- Principle of proportionality
- Principle of transparency
- Principle of individual participation and the right of access
- Principle of non-discrimination
- Principle of data-security
- Principle of accuracy
- Principle of responsibility
- Principle of independent supervision
- Principle of adequate level of protection
These principles have been signed by all the Regulatory Agencies of European Union countries. What does it mean? In Europe there is no law similar to SOX, but several different regulations (spread across countries, and this is the problem) focus on similar aspects concerning Information Security and Information Responsibility.
Nowadays, therefore, Information Security (and all the topics it includes, like Information Security Governance, Risk Analysis, Continuity Plans...) is a must for both public and private corporations.
Tuesday, October 9, 2007
The importance of log reviews
In this article (free registration is needed), almost two years old, BankInfoSecurity points out the importance of producing, storing, reviewing and getting information from system logs.
Two years later, we still have no tools to perform these kinds of actions in a simple and clear way.
Maybe the business opportunity is right here!
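As an added illustration of the kind of log review the post is calling for (this is example code written for this page, not a tool from the BankInfoSecurity article), here is a minimal reviewer that parses OpenSSH-style auth log lines, counts failed logins per source address, and flags any source that succeeded after repeated failures. The log lines, hostname and addresses are constructed samples; the threshold value is an assumption.

```python
"""Added example: a minimal log review over constructed syslog-style lines.

Illustration code written for this page, not a tool from the article it
comments on. The log lines below are constructed samples in OpenSSH's
syslog format; the hostname and addresses are made up.
"""
import re
from collections import Counter

# Constructed sample: what an auth log might contain over a few minutes.
SAMPLE_LOG = """\
Oct  9 08:01:12 web01 sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Oct  9 08:01:15 web01 sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Oct  9 08:01:19 web01 sshd[2044]: Failed password for root from 198.51.100.23 port 51025 ssh2
Oct  9 08:01:22 web01 sshd[2047]: Failed password for root from 198.51.100.23 port 51027 ssh2
Oct  9 08:01:30 web01 sshd[2050]: Accepted password for root from 198.51.100.23 port 51030 ssh2
Oct  9 08:03:02 web01 sshd[2071]: Accepted publickey for alice from 203.0.113.7 port 40110 ssh2
Oct  9 08:05:44 web01 sshd[2090]: Failed password for alice from 203.0.113.7 port 40115 ssh2
Oct  9 08:05:50 web01 sshd[2092]: Accepted publickey for alice from 203.0.113.7 port 40116 ssh2
"""

# One regex for the two sshd outcomes we care about: "Accepted <method> for <user>"
# and "Failed <method> for [invalid user] <user>", each followed by the source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Return one dict per sshd authentication event; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(events, threshold=3):
    """Produce the two findings a reviewer wants from these lines.

    Returns (noisy, success_after_failures):
      noisy                  - {source: failed-login count} for sources at or above threshold
      success_after_failures - (source, user, timestamp) for each successful login that
                               came after the same source had already failed `threshold` times
    The threshold of 3 is an assumed value, not something the post specifies.
    """
    failures = Counter()
    success_after_failures = []
    for ev in events:  # events are already in log order, so state is simply accumulated
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            success_after_failures.append((ev["src"], ev["user"], ev["ts"]))
    noisy = {src: n for src, n in failures.items() if n >= threshold}
    return noisy, success_after_failures


if __name__ == "__main__":
    noisy, suspicious = review(parse(SAMPLE_LOG))
    for src, n in noisy.items():
        print(f"{src}: {n} failed logins")
    for src, user, ts in suspicious:
        print(f"{ts}: {src} logged in as {user} after repeated failures")
```

On the constructed sample the review reports one noisy source and one login that followed repeated failures from that same source, which is exactly the event a human reviewer would want surfaced rather than buried among routine lines.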
Shutdown by internal incident
Last month, one of the Internet banks in Spain went down for two complete days.
No operations were available, neither through the Internet, phone nor offices, due to a human error administering, probably, host services (the bank argues it was a mistake by a famous outsourcing hosting company).
View the complete information here (in Spanish).
But the real problem is that there is no efficient and proven Business Continuity Plan, together with the common idea that 'bad hackers' are the only enemies to fight against. According to an FBI survey, more than 75% of security incidents come from inside the enterprise.
Please take into account that Information Security is not firewalls, antivirus, antispam or IDS, but plans to recover business capabilities, risk analysis, and convergence with and support for business information activities. These other actions are the ones that give real value to Information Security.
Monday, October 8, 2007
Governance on Demand
Friday, October 5, 2007
Limits of computer forensics.
ISACA presents another article describing the limits of computer forensic science, with real cases and pointing to the key concepts and misconceptions.
Very interesting for discovering what the definition of computer forensic science really is.
Short introduction to Information Security Architecture
Reviewing old ISACA articles explaining the way Information Security can be integrated and used to improve business processes, I've found this article at ISACA, talking about the way an Information Security Architecture can be built, with a brief checklist to manage the process and change management.
Thursday, October 4, 2007
Banking security gap
Banking security, at least in Spain, is a permanent danger, not only for users (phishing and theft are taking place day after day without any real solution), but for all citizens (identity theft is not considered a risk for online banking).
This article explains how in Australia users demand more robust login methods, but banks are not going that way. These methods would make phishing and other threats to users harder. But banks are more interested in virtual assistants, web cameras, mobile web access or Skype services than in securing access.
Is the same taking place at your location?
Benefit of Defense in Layers
According to this article at Risk Management Magazine, a new phenomenon is taking place, coming from the mixed use of personal and professional computing.
As compatibility between personal and professional life is an increasingly demanded expectation, business computers are currently used both for personal and for professional matters (as Gartner says). The traditional answer from IT and HR staff was "no, you can't use the computer for personal matters".
But if Information Security is implemented using the "defense in layers" pattern, every access to the network can be treated as hostile, and there will be no problem letting people make personal and professional use of their computers.
The Value of IT Risk Management
Nowadays, the nature of IT Risk Management has changed from treating single, isolated events to managing all the technology and information security risks related to business processes.
The new key term is BRM: Business Risk Management.
Moreover, BRM sits between corporate risk governance and IT risk governance, linking them into a whole that follows the business needs.
Take a look at this book for more information.
Wednesday, October 3, 2007
Getting started
October 3rd, 2007. Right now we start this blog, just another Information Security blog, but centered on the Added Value of Information Security.
Let's go.