Monday, October 16, 2006

Updated Infosec Links

A short time ago, I posted links to what I feel are core technical competencies for information security management. I've just updated it to include some links to malware concepts and security tools. The original post is at this link.

Wednesday, October 04, 2006

Information Security Issues

See this article about how--as many have seen recently--instant messages are not nearly as private as some would think.

On another note, computer security companies are fighting Microsoft over their security scheme for Vista. Comments? There's a lot of interesting discussion at Slashdot.com.

More worrisome still is the intention of Microsoft to disable computers that are not running authorized versions of Windows.

Finally, the New York Times reports that artificial intelligence software is being developed to locate threats from publicly available news sources. The writers seem a bit alarmist:
Even the basic research has raised concern among journalism advocates and privacy groups, as well as representatives of the foreign news media.

“It is just creepy and Orwellian,” said Lucy Dalglish, a lawyer and former editor who is executive director of the Reporters Committee for Freedom of the Press.

Andrei Sitov, Washington bureau chief of the Itar-Tass news agency of Russia, said he hoped that the objective did not go beyond simply identifying threats to efforts to stifle criticism about an American president or administration.

“This is what makes your country great, the open society where people can criticize their own government,” Mr. Sitov said.

Wait a minute. Aren't you supposed to reach as many readers as possible?

Tuesday, September 26, 2006

Article on ROI for Supply Chain Security

IBM has a good article on how supply chain security is affecting the bottom line.

Sarbanes-Oxley Links

In my security management class, I'll be going over some of the basic provisions of the Sarbanes-Oxley Act. Here are some helpful links:

First, of course, here's a link to the statute itself at a website appropriately named Sarbanes-Oxley.com.

Second, here's a whitepaper from Microsoft that tells how one company used MS Office to create their internal control system.

Third, here's an article from Law.com that gives some good advice about document retention.

Fourth and finally, here's an article from last year that indicates many CIOs did not think that the July 2006 deadline for internal controls could be met, which is maybe why the SEC extended the deadline to 2007.

Thursday, September 21, 2006

Core Technical Competencies in Information Security

As an aid to my students (and frankly myself when I need a quick reference) here is a list of terms that I think information security managers should be familiar with. I will list the terms in an area and provide a wiki link for it:

I. History of Computing and Other Concepts
Charles Babbage
Difference Engine
Alan Turing
computability
Turing Machine
Turing Test
Gordon Moore
Moore's Law
batch processing vs. interactive processing

II. Computing Platforms and Operating Systems
Mainframes
IBM S/360, S/390, etc.
JCL
TSO
ISPF

Minicomputers
DEC
VAX
VMS
"workstations"
DEC Alpha

Personal Computers
Intel
AMD
Windows
Linux
Cygwin
MS-DOS
OSX
GUI
console interface

III. Networking Basics
LAN
WAN
Ethernet
Netware
Token Ring
10Base-T
100Base-T
1000Base-T
NIC card
Router
Switch
Hub
Cat-5/Cat-5e
IP address
IPv4
IPv6
TCP/IP
packet
DNS
peer-to-peer network
domain
subdomain
NAT
gateway
bridge
Class A, B, C, D, and E Networks
subnet mask
MAC address
VLAN

ISP Types
Ethernet
cable
DSL/ADSL
ISDN
dial-up

wireless technology
Wi-Fi
Bluetooth
bluejacking
packet sniffing
WAP
i-mode
3G
WEP
wardriving
satellite

IV. Development of the Internet
ARPA/DARPA
Arpanet
Stanford-UCLA
backbone

V. Internet Applications
Tim Berners Lee
HTTP
HTML
Html tag
xHTML
XML
SGML
browser
email
telenet
gopher
IRC
NNTP
POP
SMTP
gnutella
p2p file sharing
wiki
blog
FTP
Hotline
BitTorrent

VI. Malware and Other Forms of Attack
Types of Malware
virus
worm
trojan horse
spyware
phishing
rootkit
spam
DoS Attack

Some Famous Attacks
Morris
Melissa
Love Bug
Sircam
Code Red
Nimda
Slammer
Blaster
Nachi
Sobig
MyDoom

VII. Security Devices and Procedures
Intrusion Detection
Firewalls
defense-in-depth
anti-virus software
port scanning
public/private key encryption
content filtering
VPNs
black hat
white hat
gray hat
Hacktivism

Wednesday, September 20, 2006

Real-Time Crime Center Fights Crime

There's a pretty good article in Officer.com about the NYPD's real-time crime center. I have to admit that I have been there and have nothing but good things to say about their setup, their commander and their potential. Here's an example:
Currently being tested is an expanded function of the 911 recordings. "All of our 911 and dispatcher audio is digitized, and almost immediately the files can be provided electronically to the detectives at the scene of the crime," explains D'Amico. With this audio in hand, detectives will be able to hear what the caller sounds like, the exact words used and may be able to identify witnesses.

That would be cutting edge, indeed.

Security News

There's an interesting item on Slashdot about how Microsoft is ending support for Windows 98 and Windows ME and that these now-orphaned users may be switching to Linux. Here's a link to the original article.

I've always thought that Linux could tap the low-end hardware market if it became easier to install. The time may be here.

Also in Slashdot: Microsoft fighting with anti-virus companies?

Friday, September 15, 2006

Smart Billboards, Long Tails and Phish

In my infosec class last night I mentioned a couple of news stories and tried to relate them to some new business concepts. First, check out this story about smart billboards that will sniff for Bluetooth devices and deliver ads for items relating to your electronic gear. Some Slashdot readers think this is getting society one step closer to Minority Report. I think this is indicative of Chris Anderson's Long Tail concept.

I also mentioned this test of your knowledge about phishing at MailFrontier. Try taking it, but know that it is pretty hard.

Wednesday, September 06, 2006

Big Electronic Brother

Business Week has a very interesting article about the use of emerging technologies in the field of retail loss prevention. The "smart" CCTV system is particularly intriguing:
Some Macy's, CVS, and Babies 'R' Us stores have installed a system called the Video Investigator, whose advanced surveillance software can compare a shopper's movements between video images and recognize unusual activity. Remove 10 items from a shelf at once, for instance, or open a case that's normally kept closed and locked, and the system alerts guards sitting in a back room -- or pacing the sales floor -- with a chime or flashing screen. The system can predict where a shoplifter is likely to hide (at the ends of aisles, behind floor displays). A search function spots sudden movement that might indicate a large spill, prompting workers to clean up before it leads to a slip-and-fall accident and a costly lawsuit. And if someone opens a back door at 2 a.m., the system will record who sneaked in and link it with snapshots of the previous and next persons to use the door. Alerts, complete with images, can be sent to handheld devices, keeping retailers informed 24/7, says Jumbi Edulbehram, vice-president for strategic marketing at IntelliVid Corp., a Cambridge (Mass.) firm that makes the Video Investigator system.

I was aware of this video recognition technology being used for counter-terrorism purposes but not for theft prevention. Interesting.

See Slashdot for an interesting discussion on this issue.

Contemporary Security Management

Among other things, I'm also teaching a "contemporary issues" course in security management. I came across this interesting series of articles in Yahoo! Finance on the burgeoning security industry. This particular piece noted the startling growth in federal contracting:
One of the nation's fastest-growing industry groups is homeland security -- a sector that has grown to more than 30,000 companies today doing business with the federal government from only nine just seven years ago.

Since Sept. 11, 2001, the U.S. Department of Homeland Security and its agencies have paid private contractors at least $130 billion, an analysis of federal databases shows. The top ten contractors won at least $65 billion, or roughly half, of that.

Unfortunately, after 9/11, we're in a growth industry.

Another article in the series describes the use of operations research techniques to model the aftermath of a terrorist attack:
By looking at security threats as large operations problems, Lawrence Wein, a professor of management at the Stanford School of Business, thinks we could save thousands of lives.

"Just like McDonald's has to get hamburgers out in a rapid and defect-free manner, so too does the U.S. government have to get vaccines and antibiotics out or screen the borders for nuclear weapons and terrorists," says Wein, a soft-spoken 49-year-old academic who until recently specialized in health care and manufacturing.

Hearing Wein, an unlikely security wonk, spin out scenarios can be frightening. Whether it's a few grams of botulinum toxin dropped into an unlocked milk tank or a couple of pounds of anthrax scattered above a crowded metropolis, Wein has spent the past five years developing models that pinpoint with precision the expected number of casualties.

The article is an interesting read. It just goes to show that this stuff may seem dry in a classroom setting, but it has applications that can literally save millions.