The MySpace problem (see BBC) took place some weeks ago, and it shows that Information Security is an issue to be taken into account not only by corporations that hold personal information or move money, but by all those that hold any kind of identification of their users.
This classification includes, in general, websites where you have to create an account, with no further requirements. It is not necessary to give any kind of personal information, like email, name, date of birth or similar, to provide "enough" personal data... Consider that whenever you access a web site, your IP is known to the site, and maybe some other information provided by cookies.
So, the Information Security business (currently not considered by free portals in which you have to create an account to publish or get some information) has a lot of room to grow in such sites.
It is easier, from the point of view of Information Security, if we consider that dealing with users is the same as dealing with their privacy and their identity. This approach lets the corporation add more business lines without falling into any kind of security flaw.
In past years, as Information Security has been seen as a cost (the cost of buying antivirus software and firewalls, of having a password, of making backups...) without any profit, corporations only wanted to be "legal", nothing else. We are currently preparing an article on the Identity Theft problem in Europe, which arises even if legal requirements are followed, when the legal "spirit" is not applied.
Sunday, February 17, 2008
Monday, February 11, 2008
Security is not a tool
A recently published article from BankinfoSecurity.com reported a case in which information vulnerabilities were exploited without using any technical methods... but with Information Security methods, like Social Engineering.
Nowadays, attacks on Information Security do not only use technological means; social and procedural vulnerabilities (at this time without any kind of protection, as we are seeing) are currently exploited to reach the same targets.
But "traditional" security companies continue to advise on the importance of upgrading the operating system or installing a firewall and antivirus...
Security is not a tool.
Friday, February 1, 2008
Secure Programming
Showing that Information Security Management is not an extension of Information Systems Administration, this old document listing how to develop secure programs in Unix and Linux (but more generally in all systems) is a concrete example and gives a good idea of how ISM has a lot to say in all Information areas.