cissp CISSP training Certified Information Systems Security Professional: Docteur Kabay
Copyright infringement and the CISSP, Part 1
Posted by boss on Tuesday, 28 October 2008 @ 16:03:54 EDT (623 reads)
Topic Docteur Kabay

From Network World:

This story appeared on Network World at
http://www.networkworld.com/newsletters/sec/2008/102708sec1.html


Copyright infringement and the CISSP, Part 1

His name is Mud
Security Strategies Alert By M. E. Kabay , Network World , 10/28/2008

This story deals with lying, theft, social networking, law, mystery, and an uncertain outcome. My longtime friend and colleague, the distinguished security-awareness expert K Rudolph of Native Intelligence tells a tale of horror and mayhem suitable for Hallowe'en reading.

* * *

It was a dark and stormy night, or it should have been. Tuesday night, Sept. 23, 2008, around 7 p.m., I visited the (ISC)2 Cyber Exchange Web site established to celebrate the upcoming National Cyber Security Awareness Month. I wanted to help make the world cyber safer by entering awareness materials in the (ISC)2 annual contest. In addition to use in the contest, (ISC)2 makes the submitted materials available for download as useful awareness tools and as the contest voting mechanism. The contest submission downloaded the most for each category (posters, brochures, presentations, and videos) wins the submitter fame and fortune - well, $1,000, anyway.

I chose a poster to enter and wanted to see how it compared with what had already been entered.

The loud “ka-clunk” that you might have heard about 7:15 that Tuesday was my jaw hitting the floor when I discovered that someone had already entered the poster that I was planning to enter - a poster I developed and for which I hold the copyright. He entered it with my copyright notice removed and he claimed ownership of the work. He entered it under his own name, which I will refer to as “Mud.”

Mud had chosen well, but not wisely. He entered the Dumpster Diver poster. Created in 2001, the Dumpster Diver was one of the first posters my company developed. This poster didn’t originate in a computer; it was drawn by hand, inked, scanned into electronic versions, colored, and finalized. Our professional cartoonist, Charles Filius, created that poster. I have copies of the original pencil sketches and ink drawings. Charles has the originals.

I googled for Mud and found that he had studied law for several years. Mud had worked for a famous high technology firm for nearly a decade as an information security manager. Mud listed ethical hacking as one of his skills. His profile showed that he claims three certifications: CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), and surprisingly, the CISSP (Certified Information System Security Professional). [I have deliberately obscured the details to prevent anyone from homing in on Mud’s real name through data aggregation.]

CISSPs agree to abide by a code of ethics with four canons, and the second canon says that members must “Act honorably, honestly, justly, responsibly, and legally.” To enter the contest, Mud had to agree that: “By submitting your work… you agree that you own all copyright in the work posted, unless otherwise indicated and properly attributed in the work.” Apparently Mud hadn’t read either the CISSP code of ethics or the contest requirements - or he felt that they didn’t apply to him.

The rot thickens.

I went back to the (ISC)2 Web site for a closer look. Mud hadn’t just stolen one image; he’d stolen 11 of my images. He’d entered my images 12 times (he entered one of the images twice). Mud had even taken one poster with a photograph that I took while in Las Vegas when I was speaking at the CSI SX Conference this past April. Taking one poster might be a mistake but 12 was enemy action.

* * *

In part 2 of this series, K Rudolph tells us about her response to the blatant theft of her intellectual property.

* * *

K Rudolph, CISSP, is the founder and chief inspiration officer of Native Intelligence, Inc.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.




Crossing borders with corporate data
Posted by boss on Saturday, 24 May 2008 @ 11:46:43 EDT (658 reads)
Topic Docteur Kabay

cdupuis writes "

Crossing borders with corporate data

How organizations should deal with devices that might cross national borders
Security Strategies Alert
By M. E. Kabay , Network World , 05/22/2008


Aaron Greene is a private consultant who will be graduating from the Norwich University MSIA program in June 2008. He recently wrote to me as follows:

"I read your article today about the case in Vermont. I have been particularly interested in the legal matters of this case, but you definitely provided a unique viewpoint that I think all of us in the information security field need to understand: don't take encrypted devices (including PDAs, USB drives, and other flash or disk memory) out of the country.

"I would like to know how you think this issue should be dealt with by organizations. It seems that advising people to not take company owned devices out of the country is not enough and that there needs to be a policy. I would imagine that there would need to be some exceptions to this policy, such as obtaining prior approval from company officials.

"Or would this be overkill? Some companies do so much business internationally that this would cause too much administrative overhead.

"I am currently doing some consulting work for a health system located on the southern tip of Texas at the Mexico border, so this really made me think of how many employees are probably taking company owned devices across the border. I understand that geographic location doesn't make much of a difference, but I have to say that your article really opened my eyes.... I can't believe I hadn't thought of this before, especially since I just completed the MSIA program! This might make a good discussion question!"

Here’s an updated version of my reply:

One approach is to segregate confidential information to encrypted external disk drives. The rule could then be that the portable computer can leave the country but that the encrypted disk drive cannot.

To access sensitive information, the users could enable a VPN to reach a server for files and a secure encrypted Web interface for their e-mail. Thus they would have little or no problem doing their work but low risk of having sensitive information divulged. However, even encrypted channels are potentially subject to intrusion in totalitarian dictatorships such as the People’s Republic of China (PRC), where, in my opinion, everyone should assume that all communications by foreigners are being monitored by government operatives at all times and act accordingly. When I led a delegation of security experts to China in 1994, I warned everyone on the trip never to discuss or transmit confidential information at any time while we were in the PRC.

The remaining risk is that the swap file, if any, could have fragments of cleartext. With sufficient RAM, however, virtual memory can be turned off, at least for the duration of the trip.

The question, as always, would be enforcement. Security fanatics (or clinically paranoid individuals) might cooperate, but I doubt that ordinary users would voluntarily go to the trouble.

Greene very kindly wrote back with a reference to an article by Ellen Nakashima of the Washington Post entitled “Clarity Sought on Electronics Searches.”

The author discusses several incidents in which U.S. border guards have seized company laptops from travelers and, in some cases, not returned them for extended periods. The article includes several specific recommendations similar to those I summarized above. I recommend that readers view the article themselves.

In my next column, I will express my opinion of the demand for decryption keys at the border.

All contents copyright 1995-2008 Network World, Inc. http://www.networkworld.com


Related Stories:

Process over presumption: The Vermont encryption key decision On Dec. 17, 2006, Canadian citizen and legal U.S. resident Sebastian Boucher crossed the U.S. border into Vermont at Derby Line. A U.S. Immigration and Customs Enforcement agent inspected the 30-year-old man's computer and reportedly found pornography and - significantly for this case - child pornography on the Z: drive. The laptop was seized as evidence and Sebastian Boucher was charged with transporting child pornography across interstate borders. Two days later, when agents tried to access the Z: drive, they found that it was encrypted using PGP.

Security ahead of risk at the border News continues to worsen for business travelers carrying sensitive information. In a troubling ruling by the Ninth U.S. Circuit Court of Appeals, U.S. Customs and Border Protection (CBP) can continue its practice of warrantless searches through computer data held by U.S. citizens and foreigners alike. With no cause or suspicion, the CBP may inspect, copy or seize data devices carried by anyone returning to the U.S. I'm not convinced that passive compliance is the best response to this situation.

Ruling: No suspicion needed to search laptops at U.S. borders In a ruling that's likely to come as a disappointment for privacy-rights advocates, the U.S. Court of Appeals for the Ninth Circuit this week held that Customs officers need no reasonable suspicion to search through the contents of any individual's laptop computer at the country's borders.

"



Preparing for the CISSP exam, Part 4 By M. E. Kabay
Posted by boss on Thursday, 18 January 2007 @ 22:22:42 EST (944 reads)
Topic Docteur Kabay

cdupuis writes "

From Network World:

This story appeared on Network World at
http://www.networkworld.com/newsletters/sec/2007/0115sec1.html

Preparing for the CISSP exam, Part 4
Last in a short series on CISSP exam preparation resources

Security Strategies Newsletter By M. E. Kabay, Network World, 01/16/07

In my last three columns, I began responding to a former student who recently wrote to me with a request for suggestions on what to read in preparing for the CISSP exam. In this fourth and last article, I suggest a few valuable (albeit sometimes expensive) books and some (free) review materials for such preparation.

Readers will find other lists of suggested readings on the Web by using the search string “CISSP preparation course” in a Web search engine.

In my opinion, some of the most useful books for overall coverage of the field are:

* _The Official (ISC)2 Guide to the CISSP Exam_ by Susan Hansche, CISSP, John Berti, CISSP and Chris Hare, CISSP (ISBN: 0-8493-1707-X) is available from the (ISC)2 Company Store.

* _Information Security Management Handbook on CD-ROM, 2006 Edition_ (a classic in the field) by Harold F. Tipton and Micki Krause

* _Handbook of Information Security_, 3-volume set (http://tinyurl.com/yf2549), by Hossein Bidgoli (I chose this as the new textbook for our Master’s program at Norwich University; get your company to buy it for their library). I reviewed this enormous work in this column a year ago.

* _Computer Security Handbook 4th Edition_ by Seymour Bosworth and M. E. Kabay (of course, I’m biased). Most people refer to this as the “CSH4.”

In addition, the (ISC)2 provides a slightly disorganized list of books. For some reason it refers to the 3rd edition of the CSH (twice) but not to the CSH4.

Ideally, people preparing for any exam do best if they can study in teams. For example, they can use my own lecture slides as review material to quiz each other - they should be able to speak intelligently about every point on every slide. The files thus serve as one of the ways to check for holes in coverage of the material and also as a way of consolidating and strengthening knowledge:

* I340 Intro to IA lectures (last updated Fall 2005) covers the first half of the CSH4.

* IS342 Management of IA (last updated Spring 2006). As you would expect, this course covers the second half of the CSH4.

* CJ341 Cybercrime & Cyberlaw (last updated Fall 2006) is a mind-numbingly detailed look at how law enforcement has to deal with digital evidence, including the specific laws relating to computer crimes of all sorts. Personally, I love it, but I know that some people find it dry. Still, “Legal, Regulations, Compliance and Investigations” is one of the 10 domains of the CBK (Common Body of Knowledge) for the CISSP.

In addition to all of this (mostly) free knowledge, it is also possible to enroll in a wide range of preparatory courses. I myself have taught for the (ISC)2 and think their courses are good reviews. I am leery, however, of taking a short course _instead_ of reading and thinking for a long time about any subject beyond the purely technical. In my experience, the most important aspect of learning is thinking, not memory. Take a course if you like, but not just before your exam. Use the course as a form of review and verification - a tool for strengthening what you already know but above all for identifying what you have to think and learn about at greater length.

And good luck to all in your certification exams!


"



Preparing for the CISSP exam, Part 3 By M. E. Kabay
Posted by boss on Friday, 12 January 2007 @ 10:57:38 EST (1039 reads)
Topic Docteur Kabay

cdupuis writes "

From Network World:

This story appeared on Network World at
http://www.networkworld.com/newsletters/sec/2007/0108sec2.html


Preparing for the CISSP exam, Part 3
Focus on the CCCure.org site

Security Strategies Newsletter By M. E. Kabay, Network World, 01/11/07

In my last two columns, I began responding to a former student who recently wrote to me with a request for suggestions on what to read in preparing for the CISSP exam.

In this third article, I am recommending a Web site run by an old friend and colleague whom I have never met in person: the CCCure.org site run by Clement & Nathalie Dupuis. The site is so rich in resources I decided to devote an entire column to it alone.

The Web site started in 2001 when Clement was working in Montreal, Canada, after a 20-year career in military communications and security in the Canadian Army. He was certified as a CISSP in 1999 (and mentions taking courses from some other old friends of mine, Hal Tipton and Sandy Sherizen, who is now a much-appreciated Adjunct Professor in the MSIA program at Norwich).

Clement and his friend Chris Hare decided to create study guides for several of the domains from the Common Body of Knowledge (CBK) and then put them on the Web for anyone to use. That was the birth of what became CCCure.org. It became so popular that it was kicked off several hosting sites because it generated too much traffic for a free service. Clement and his wife Nathalie, a mechanical engineer who became an expert in programming and networking, had to convert it into a commercial venture. However, in addition to monetary contributions by a few carefully selected advertisers, it is supported by the work and enthusiasm of thousands of volunteers, including me! For more about the history and philosophy of CCCure.org, go here.

The CCCure home page is huge. There’s plenty of material there for anyone to soak up lots of interesting knowledge and ideas and to contribute their insights. However, there are some special links that will be particularly valuable for CISSP candidates.

The Flash Tutorial explains exactly how to use the narrated slide-shows used in the tutorials on the site. Then there’s a narrated CISSP Exam Preparation and Overview with 57 slides and the following major sections:

* Visit the ISC2 Web site
* Certification benefits
* The dreaded exam
* Build your study plan
* The 10 domains
* Study books
* Study what you need to study
* The Final Stretch
* Post Exam Syndrome
* Help!! Where do I go?
* Pass or fail (no in-between)
* Maintaining your certification
* If you have any questions

The Quizzes section has a wonderful review tool that generates questions for several certifications including the CISSP; you can choose the domain(s), topics, difficulty level, whether to include related questions, and the number of questions. The quiz generator creates a unique, randomized quiz on every iteration. It’s a wonderful tool because it forces active recall and application of the knowledge you are trying to consolidate. Indeed, a recent article in _ScienceNow_ from the American Association for the Advancement of Science indicates that testing improves retention not only of the material tested but of other information being learned at the time of the test (full article requires subscription; portion of article available here).

The site features a list of suggested readings and a forum where participants can engage in spirited discussion of technical issues relating to their exam preparation.

This is a real treasure. Merci bien, Clement et Nathalie!


"



Preparing for the CISSP exam, Part 1 By M. E. Kabay
Posted by boss on Friday, 05 January 2007 @ 10:13:06 EST (975 reads)
Topic Docteur Kabay

cdupuis writes "NOTE FROM CLEMENT:
Below you have the first of a series of 4 articles on the CISSP certification. This article was written by Doctor Mich Kabay, who has been an active contributor to the www.cccure.org web site since it first came online 6 years ago. As usual it is a great series of articles and I would like to strongly invite you to visit the Network World web site to subscribe to Mich's mailing list and other leading security mailing lists, which are all loaded with great information. See the links below to subscribe to the mailing lists. Here is the first article:

The following article from the Network World Security Strategies Newsletter is archived at:
http://www.networkworld.com/newsletters/sec/2007/0101sec2.html

To sign up for any of Network World's newsletters (including this one), please go to:
http://www.networkworld.com/nl/signup.jsp

Network World's Security Strategies Newsletter, 01/04/07

A former student recently wrote to me with a request for suggestions on what to read in preparing for the CISSP exam. I decided to answer him by writing an essay that readers of this column who are thinking about the exam could also use. By the end of the essay, I had so much material I was forced to chop it up into smaller pieces to fit the constraints of this column, so here's part 1 of 4.

* * *

The key to passing the CISSP exam, in my opinion, is daily attention to expanding one's exposure to interesting and thought-provoking information and ideas in the field. As you know from my constant reiteration of the point in our classes at Norwich, I have nothing but contempt for cramming - it is not possible to remember what is learned in a rush for very long. Indeed, I teach all my students to use SQ3R (Survey/Question, Read/Recite, Review) a well-established study method that pays off with long-term integration and retention of knowledge. Readers may want to use my one-page summary, available from my Web site in HTML and in PDF.

Anyone committed to professionalism should read a wide range of reputable publications and participate in serious discussion groups.

Some of my favorite electronic newsletters are the following:

Computerworld Newsletters:
* Disaster Recovery
* Security
* Infrastructure & Control
* Security: Issues and Trends
* Virus and Vulnerability Roundup

“CRYPTO-GRAM” from Bruce Schneier

“DHS Daily Open Source Infrastructure Report” from the U.S. Department of Homeland Security

“EFFector” from the Electronic Frontier Foundation

“EPIC Alert” from the Electronic Privacy Information Center

Network World Newsletters:
* Identity Management
* Network Access Control

“ITL Computer Security Bulletins” from the National Institute of Standards and Technology Information Technology Laboratory Computer Security Division’s Computer Security Resource Center

“RISKS Digest” from the Association for Computing Machinery Committee on Computers and Public Policy

SANS Newsletters:
* @RISK: The Consensus Security Vulnerability Alert
* NewsBites

ZDNet U.K. Newsletters:
* IT Whitepapers
* Security

More resources in my next newsletter.


Contact the author:

M. E. Kabay, Ph.D., CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

"



Baseline Security Manual available online
Posted by boss on Wednesday, 22 February 2006 @ 05:00:00 EST (1223 reads)
Topic Docteur Kabay

cdupuis writes "Baseline Security Manual 2004

By M. E. Kabay

For many years, I used the English-language _IT Baseline Security Manual_ created by the German Federal Office for Information Security (BSI: Bundesamt für Sicherheit in der Informationstechnik) from its German-language _IT-Grundschutz Standard-Sicherheitsmaßnahmen_.

Some years ago, the English translation disappeared from the Web, and I continued to rely only on saved versions of the 1997 version. However, in recent correspondence, reader Claus Stark, the business information security officer of the Frankfurt office of Citigroup, very kindly pointed me to a new English translation of the 2004 version of the Baseline Security Manual available in PDF online.

The 269-page Introduction and Modules 2004 file (7.2 MB) starts with an overview of the documents (Chapter 1) and recommendations (Chapter 2) on the analysis and modeling of information systems security requirements and safeguards.

* Chapter 3 covers fundamentals such as security of personnel, contingency planning, data backups, anti-malware, cryptography and incident management.

* Chapter 4 looks at infrastructure (buildings, cabling, rooms, cabinets, telecommuting and operations centers).

* Chapter 5 discusses standalone systems such as PCs running DOS, Windows, Unix, and the like.

* Chapter 6 continues with networked systems.

* Chapter 7 continues with data transmission systems - data media, modems, firewalls, e-mail, Web servers, remote access, Lotus Notes, Internet Information Services, Apache Web server, Exchange/Outlook 2000, and routers and switches.

* Chapter 8 on telecommunications presents basic security principles and practices for PBXs, fax machines and servers, voice mail, ISDN connections, mobile phones and personal digital assistants.

* Chapter 9 adds notes on application software, databases, more on telecommuting, Novell eDirectory 8.6 and archiving.

The Threats Catalog (426 pages) includes:
* Force majeure
* Organizational shortcomings
* Human failures
* Technical failures
* Deliberate acts

The Safeguards Catalog (2056 pages) includes:
* Infrastructure
* Organization
* Personnel
* Hardware and software
* Communications
* Contingency planning

All the PDF documents have extensive bookmarks and are easily searchable. I am confident that security practitioners and system/network administrators will find these free documents a valuable addition to their libraries of reference resources.

Contact the author:
M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor in the Division of Business and Management at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site. New information assurance journal - Norwich University Journal of Information Assurance (NUJIA). See http://nujia.norwich.edu

"



INFOSEC Year in Review database
Posted by cdupuis on Friday, 12 November 2004 @ 15:56:18 EST (1217 reads)
Topic Docteur Kabay

Anonymous writes "

Today's focus: INFOSEC Year in Review database

By M. E. Kabay

Ten years ago, I was an adjunct professor in the Institute for Government Informatics Professionals in Ottawa, Canada under the aegis of the University of Ottawa. I taught a one-semester course introducing information security to government personnel, and I enjoyed the experience immensely. Many of the chapters of my 1996 textbook, _The NCSA Guide to Enterprise Security_, were field-tested by my students.

In 1995, I was asked if I could run a seminar for graduates of my courses to bring them up to date on developments across the entire field of information security. Our course had 20 students and I so enjoyed it that I continued to develop the material and teach the course with the NCSA (National Computer Security Association; later called ICSA and then eventually renamed TruSecure, its current name) all over the U.S., Canada, Europe, Asia and the Caribbean.

After a few years of working on this project, it became obvious that saving abstracts in a WordPerfect file was not going to cut it as an orderly method for organizing the increasing mass of information I was encountering in my research. I developed a simple database in 1997 and have continued to refine it ever since. The database allows me to store information in an orderly way and - most important - to _find_ the information quickly.

For that purpose, I put in as many keywords as I can think of quickly; I also classify each topic using a taxonomy that has grown in complexity and coverage over the years. These numerical codes help users locate articles quickly using filters (queries).

This year, I was privileged to begin working with Norwich students Karthik Raman (project leader), Krenar Komoni and Irfan Sehic as my research assistants. These excellent students have provided invaluable assistance in transferring data from NewsScan, NIPC/DHS reports and other sources into the database and have also done the first cut of classification and keyword generation. They have enormously improved the coverage of the field and are continuing their work with me to expand the database to further sources in the coming year. It is difficult to estimate the hundreds of hours of time they have saved me.

The IYIR reports are posted on my Web site now; see the introductory page at:

http://www2.norwich.edu/mkabay/index.htm

Click on the IYIR button for a list of PDF files you can read on screen, search, or print out at will. So far I'm up to 2003.

In addition, I have posted the complete abstracts as a Microsoft Access database file (.MDB) as well as a compressed version (.ZIP) on the Web site for use by anyone for non-commercial purposes. On the Web page, I will post the date I update the files. I hope that these resources will be helpful to the IA community as we variously prepare articles and lectures for readers and students. Have fun.

To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP
Associate Professor in the Division of Business and Management
Norwich University in Northfield, Vt.

Mich can be reached by e-mail
mailto:mkabay@norwich.edu and his Web site http://www2.norwich.edu/mkabay/index.htm

Master's degree in the management of information assurance in 18 months of study online from a real university - see:
http://www3.norwich.edu/msia

"



An iron vault for passwords: Today's and Tomorrow's solutions
Posted by cdupuis on Wednesday, 08 September 2004 @ 00:01:05 EDT (1470 reads)
Topic Docteur Kabay

By M. E. Kabay

How do your users handle so many passwords? Badly, I'm sure.

I recall one poor, overworked system administrator whom I met on a security assessment of a large corporation some years ago; he sheepishly admitted that he had 15 administrator passwords - and kept them written in plaintext on a piece of cardboard in his wallet. One of the oldest social engineering tricks around is for a criminal hacker to make a sys admin drunk or sleepy and rifle through his or her belongings in a search for such a list.

It's known as a bingo card because finding it makes the hacker say, "Bingo!"

Some users store their passwords in files. Putting passwords in an unencrypted, unprotected file is little better than writing them on cardboard, and so people have been turning to a more sophisticated approach: using special password storage programs that provide encryption and access controls. When a user visits a Web site, the password utility fills in the right user ID and password; some products go further and fill in names, addresses and even credit-card numbers.

Examples include:

* Advanced Password Manager http://www.rayslab.com/password_manager/password_manager.html
* Internet Explorer's own AutoComplete and Profile Assistant functions. To manage these functions in IE v6, use Tools | Internet Options | Content
* KeyPass from Dobysoft http://www.dobysoft.com/products/keypass/
* LoginWallet for Macintosh http://www.public.asu.edu/~cjfoste/LoginWallet/
* My Password Manager 0.1 for Mac and Unix http://www.nwfusion.com/nlsec564
* Norton Password Manager (part of the Norton SystemWorks suite) http://www.symantec.com/passwordmanager/
* Opera browser's own Wand function. To manage this function in Opera v7, use Tools | Preferences | Security | Manage Wand passwords
* PasswordLock http://www.internetpeace.com/pwlman/password_wallet.htm
* Password Manager XP http://www.cp-lab.com/
* Password Wallet from InfoCard http://www.winsite.com/bin/Info?4000000037217
* Password Wallet from TigerSoft http://www.inet.hr/tigersoft/pwallet.htm
* PasswordWallet for PalmOS and for Macintosh http://www.selznick.com/products/passwordwallet/
* RoboForm http://www.roboform.com/

Naturally, with all this ultra-sensitive information in a single location, the password file is a tempting target for attackers.

Lark Allen is executive vice president of Wave Systems. He recently wrote to me about protecting centralized password files using hardware controls. The following is an edited version of Allen's comments:

Although existing systems use software security to protect logon information, we know that security breaches involving software vulnerabilities are a constant worry. To respond to this class of vulnerabilities, the Trusted Computing Group (TCG) has developed new security hardware specifications.

A Trusted Platform Module (TPM) is a hardware security chip based on open industry specifications developed by the TCG. The TPM provides important new security functions such as:

* Secure storage - A place to protect secrets in hardware, including encryption keys for data and credentials for users and platforms.

* Authentication - The ability to determine that a user or a platform really is who they claim to be.

* Binding data to a platform - Assuring that sensitive information cannot be moved to other platforms without permission.

* Platform trustworthiness measurement - Determining whether a PC can be trusted or has been compromised.

A TPM is currently being shipped in some PCs from Fujitsu, HP, IBM and Intel. Many companies are working on applications that take advantage of the hardware security of the TPM. Wave Systems' Private Information Manager (PIM) is the first TPM-protected wallet for managing personal information, including identities and passwords. The PIM wallet uses the TPM hardware to protect the keys for encrypting the sensitive information held in the wallet. In addition, the TPM is used to authenticate the user as part of the wallet's access controls.

Strong multifactor authentication, including the use of a biometric fingerprint, with or without an associated password, can be specified and applied to individual wallets for different people.

Some attacks install a keystroke logger on the user's PC to collect passwords, PINs, and other personal information as users enter their account and password data. Wave's PIM wallet does not allow the login information being automatically filled in for the user to be captured by keystroke-loggers.

The TCG is continuing its work to improve security on cell phones, personal digital assistants, peripherals, and other devices.

Trusted computing should not only increase protection of user information but also simplify the user's life in dealing with the new electronic world.
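The three hardware functions Allen lists (secure storage, binding data to a platform, and platform trustworthiness measurement) work together when a wallet key is "sealed" to the measured state of the machine. The following is an added, simplified software model of that mechanism for illustration; it is not code from the TCG specifications or from Wave Systems' PIM, and the boot-stage labels, keys and PCR layout are constructed. It shows why a sealed secret released on the original platform is not released on another PC or after the boot chain has been modified:

```python
"""Simplified model of TPM sealing (added illustration, not TCG or Wave Systems code).

A TPM records the boot chain in Platform Configuration Registers (PCRs) by
"extending" them: PCR_new = H(PCR_old || H(measurement)).  A secret can be
sealed against the expected PCR values so that it is released only when the
platform is in the same measured state.  Everything here is a software model
using SHA-256 and HMAC; a real TPM keeps the storage root key and the PCRs in
hardware and never exposes them to software.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

PCR_COUNT = 8


def sha256(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class SimTPM:
    """Software stand-in for a TPM: PCRs plus a storage root key (SRK) unique to the device."""

    def __init__(self, srk: Optional[bytes] = None) -> None:
        self._srk = srk if srk is not None else os.urandom(32)  # per-device secret
        self.pcrs: List[bytes] = [bytes(32) for _ in range(PCR_COUNT)]  # zeroed at power-on

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR extend: order-dependent hash chain, so a changed boot sequence
        (different firmware, loader or kernel) yields different PCR values."""
        self.pcrs[index] = sha256(self.pcrs[index], sha256(measurement))
        return self.pcrs[index]

    def _policy_digest(self, indices: Iterable[int]) -> bytes:
        return sha256(*(self.pcrs[i] for i in sorted(set(indices))))

    def _wrap_key(self, policy: bytes) -> bytes:
        # Key material depends on both the device (SRK) and the measured state (policy).
        return hmac.new(self._srk, b"seal|" + policy, hashlib.sha256).digest()

    def seal(self, secret: bytes, indices: Iterable[int]) -> Dict[str, bytes]:
        """Bind a 32-byte secret (e.g. a wallet encryption key) to the current PCR state."""
        if len(secret) != 32:
            raise ValueError("this model seals exactly 32-byte secrets")
        policy = self._policy_digest(indices)
        k = self._wrap_key(policy)
        ct = bytes(a ^ b for a, b in zip(secret, k))  # one-time pad with a 32-byte wrap key
        tag = hmac.new(k, policy + ct, hashlib.sha256).digest()
        return {"ct": ct, "tag": tag, "indices": bytes(sorted(set(indices)))}

    def unseal(self, blob: Dict[str, bytes]) -> bytes:
        """Release the secret only if THIS chip's current PCRs reproduce the sealing policy."""
        policy = self._policy_digest(blob["indices"])
        k = self._wrap_key(policy)
        expected = hmac.new(k, policy + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise PermissionError("PCR state or platform does not match the sealed policy")
        return bytes(a ^ b for a, b in zip(blob["ct"], k))


# Constructed sample boot chains (labels only, not real firmware measurements).
GOOD_BOOT = [b"firmware v1", b"bootloader v2", b"os-kernel v3"]
TAMPERED_BOOT = [b"firmware v1", b"bootloader v2 (patched)", b"os-kernel v3"]


def boot(tpm: SimTPM, chain: List[bytes]) -> None:
    """Measure each boot stage into its own PCR, as a measured-boot chain would."""
    for i, stage in enumerate(chain):
        tpm.extend(i, stage)


def demo() -> Dict[str, bool]:
    """Seal a constructed wallet key on one platform and try to unseal it in three situations."""
    wallet_key = bytes(range(32))  # constructed stand-in for the wallet's data-encryption key
    srk = os.urandom(32)

    tpm = SimTPM(srk)
    boot(tpm, GOOD_BOOT)
    blob = tpm.seal(wallet_key, [0, 1, 2])

    same = SimTPM(srk)            # same platform, same boot chain
    boot(same, GOOD_BOOT)
    tampered = SimTPM(srk)        # same platform, modified boot loader
    boot(tampered, TAMPERED_BOOT)
    other = SimTPM()              # sealed blob copied to a different PC
    boot(other, GOOD_BOOT)

    def try_unseal(t: SimTPM) -> bool:
        try:
            return t.unseal(blob) == wallet_key
        except PermissionError:
            return False

    return {
        "same_platform_same_boot": try_unseal(same),
        "same_platform_tampered_boot": try_unseal(tampered),
        "other_platform": try_unseal(other),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case releases the key: the tampered boot chain changes PCR1, and the other machine has a different SRK, so in both cases the derived wrap key differs and the integrity tag fails. This is the property Allen describes as binding data to a platform; the wallet's encrypted contents are useless without the TPM that sealed the key.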

* * *

As a matter of record, I have no financial interest whatever in any of the products or companies mentioned in this article. Inclusion of a product does not imply endorsement or recommendation; exclusion does not imply criticism. - Mich

RELATED EDITORIAL LINKS
Trusted Computing Group
http://www.trustedcomputinggroup.org/

The Password Is... Confusion
http://www.technewsworld.com/story/18937.html

To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the Division of Business and Management at Norwich University in Northfield, Vt. Mich can be reached by e-mail at mkabay@norwich.edu and through his Web site at http://www2.norwich.edu/mkabay/index.htm

A Master's degree in the management of information assurance in 18 months of study online from a real university - see http://www3.norwich.edu/msia




Call for Input from a great friend of CCCure.Org: Doctor Kabay
Posted by cdupuis on Tuesday, 31 August 2004 @ 22:24:54 EDT (1040 reads)
Topic Docteur Kabay

By M. E. Kabay

Teaching information assurance requires a tricky balance between technical subjects and management skills. We academics sometimes flounder in curriculum design because of the fundamental dearth of sound, statistics-based information about security issues.

We have problems gathering data for IA because:

* As far as we can tell, many or perhaps most computer intrusions and computer crimes go undetected (estimates range from nine out of 10 crimes to two out of three intrusions).
* Many detected intrusions or crimes are unreported (perhaps as many as 95%, according to some studies).
* There is no central database keeping track of computer crimes or security breaches.
* Almost all computer-security surveys suffer from methodological inadequacies (they rely on voluntary responses, have no independent verification of the accuracy of answers, and don't include internal validation measures to catch careless or silly answers).

We are left with the hope that forging consensus on best practices is one of the approaches that can improve IA. Under these circumstances, you'll understand how important it is for academics to get information directly from practitioners when designing courses.

Professor John Beachboard of Idaho State University is doing precisely that. In a recent call for participation sent through a security-educators' list, he explained that "Business-oriented MIS and CIS programs have tended to emphasize requirements analysis and business application development over the development of technical skills and knowledge associated with development and operation of IT infrastructures. Many business schools are now adding courses (e.g., in data communications and systems architecture) intended to fill this gap."

He has developed a survey designed "to gain practitioner input regarding the fundamental technical concepts that all aspiring IS/IT professionals should be taught in an undergraduate systems architecture course."

His survey is here:

http://cobhomepages.cob.isu.edu/beach/survey/1.asp

And it took me only a few minutes to complete.

Beachboard will send results of his analysis to any participants who would like to be informed of the findings. I hope that readers will be willing to take the time to help him and the field as a whole by participating in this research.




Tips for evaluating security training (part 1)
Posted by cdupuis on Wednesday, 31 March 2004 @ 10:45:25 EST (1214 reads)
Topic Docteur Kabay

This story appeared on Network World Fusion at
http://www.nwfusion.com/newsletters/sec/2004/0322sec1.html

By M. E. Kabay
Network World Security Newsletter, 03/23/04

At a recent conference, Roger Quane of the National Security Agency in the U.S. Department of Defense presented a stimulating lecture on "Evaluation Activities: Management's Nightmare or Dream Come True."

Speaking at the March 2004 Annual Conference of the Federal Information Systems Security Educators' Association (FISSEA) at the University of Maryland campus, Quane pointed out that evaluation metrics for training programs can be ranked by difficulty as follows:

* Reaction - how participants like the program.
* Learning - what the participants can show they have learned.
* Application - how the participants apply their knowledge in their work.
* Business impact - the effects on how the organization runs its operations.
* ROI - monetary measures of benefit divided by costs required to achieve.

The role of the manager is critical; the manager leads the project and is responsible for its success. To avoid conflict of interest, the manager should have someone else evaluate the program.

Such evaluations are often needed to see if the training program is justified or worthwhile; unfortunately, says Quane, sometimes managers are confronted with a stark choice between honesty and what may seem like professional survival. Regardless of the apparent danger, honesty is the only policy that makes sense. If a program hasn't worked out, it's important to say so and take the consequences ("falling on one's sword" in Quane's description). In reality, such honest self-appraisal is rarely treated as grounds for dismissal.

In general, Quane recommends that formal evaluations not be applied to projects that cost less than $100,000. In addition, the projects should have organizational visibility, must be needed for organizational success, should be relatively new, and should be requirements-driven (i.e., not simply done because everyone has to do it).

Not every training project should be evaluated, says Quane, but it is essential that evaluations be carried out in sequence. First you have to collect information about participation reactions, then you can study how well they learned, and only after that should you look at behavior in the workplace. Each of these levels is more complex and more expensive to measure than the previous one. Measuring effects of training on security is much more complex and will be the subject of a separate article.

Reminder: Robert Gezelter, author of last Tuesday's Security Newsletter, will be presenting a session entitled "Internet Dial Tones & Firewalls: One Policy Does Not Fit All," at two Central Florida IEEE Computer Society chapter meetings this week. Click here (http://www.rlgsc.com/ieee/tampa/2004-3/announce.html?Source=NWFUbiquitous2004-03) for details about the session in Tampa on Wednesday, and here (http://www.rlgsc.com/ieee/orlando/2004-3/announce.html?Source=NWFUbiquitous2004-03) for the event in Orlando on Thursday.

RELATED LINKS

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Come to the Sixth Annual e-ProtectIT Infrastructure Protection Conference at Norwich University in Northfield, Vt., March 23-25, 2004.

FISSEA (membership is free)

All contents copyright 1995-2003 Network World, Inc. http://www.nwfusion.com




Tips for Evaluating Security Training (part 2)
Posted by cdupuis on Wednesday, 31 March 2004 @ 08:28:59 EST (1628 reads)
Topic Docteur Kabay

Today's focus: Tips for evaluating security training, Part 2

By M. E. Kabay

Measuring ROI is growing in popularity among managers, especially those with a strong background in finance. The ROI methodology for training and education has been developed and applied over the last 20 years and is being used in thousands of impact studies every year.

However, ROI is the most complex and expensive measure of value for any program and should be limited to those programs where the exercise will have an operational effect; that is, no one should undertake an ROI exercise without having a specific goal in mind such as a go/no-go decision or a decision on increase in funding.

Contrary to a common misconception, ROI evaluations are not limited to producing a single number consisting of monetary benefits divided by costs, pointed out Jack Phillips, chairman of the ROI Institute, at the March 2004 Annual Conference of the Federal Information Systems Security Educators' Association.

Phillips argued that the ROI process generates six types of data:

* Reaction, satisfaction and planned actions.
* Learning.
* Application and implementation.
* Business impact.
* Return on investment.
* Intangible measures.

An effective application of the ROI methodology, according to Phillips, can

* Align programs to business needs.
* Show contributions of selected programs.
* Earn the respect of senior management and administrators.
* Build staff morale.
* Justify and defend budgets.
* Improve support for human resources, learning and development.
* Enhance the design and implementation process.
* Identify inefficient programs that need to be redesigned or eliminated.
* Identify successful programs that can be implemented in other areas.

Phillips presented a thoroughgoing evaluation process, which is described in Patricia Phillips' book entitled _The Bottomline on ROI_.

The ROI Institute runs a closed Web site for its 600 members; visitors are permitted to send e-mail to a contact address for further information.

RELATED EDITORIAL LINKS

ROI Institute
http://www.roi3.net/

Measuring ROI in the Public Sector
http://www.amazon.com/exec/obidos/tg/detail/-/1562863258/

The Bottomline on ROI
http://www.ceppress.com/Itemdetail.asp?CatID=1&ProductID=201

Network World, 03/29/04
http://www.nwfusion.com/news/2004/0329q1.html

_______________________________________________________________
To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the Department of Computer Information Systems at Norwich University in Northfield, Vt. Mich can be reached by e-mail at mkabay@norwich.edu and through his Web site at http://www2.norwich.edu/mkabay/index.htm

Archive of the Security newsletter:
http://www.nwfusion.com/newsletters/sec/index.html




E-ProtectIT Conference
Posted by cdupuis on Wednesday, 17 March 2004 @ 17:11:41 EST (972 reads)
Topic Docteur Kabay

Anonymous writes:

E-ProtectIT 6

By M. E. Kabay

I invite you to attend the Sixth Annual e-ProtectIT Infrastructure Protection Conference at Norwich University in Northfield, Vt., March 23-25. As Program Chair, I'm delighted to announce another excellent lineup of workshops and speakers.

We start with three concurrent two-day workshops on Tuesday and Wednesday. World-famous forensic scientist Peter Stephenson will present a tutorial on network forensics. Peter's workshops have been well attended and much appreciated in previous e-ProtectIT conferences.

Norwich CIO and Vice President of Technology & Strategic Partnerships Phil Susmann will present his sparkling introduction to information security. Phil is a gifted teacher whose courses are not only informative but also stimulating and fun.

Finally, I will give my annual INFOSEC Update workshop, in which I stuff participants with this year's results of the ongoing INFOSEC Year in Review project. Typically we have about 25 people in the workshop, and we review around 300 pages of abstracts classified according to a taxonomic scheme that starts with computer crime cases, new viruses, and other threats and then progresses through evolving vulnerabilities, management issues, developments in cryptography, and legal issues.

The colloquium on Thursday has a fascinating series of speakers and topics.

* The conference opens with distinguished keynote speaker Gen. Alfred Gray, USMC (Ret.), former commandant of the Marine Corps and a member of the Joint Chiefs of Staff.

* Our next speaker is Dan Wolf, director of information assurance at the National Security Agency. His topic is "Educational Collaboration as an Essential Component of National security."

* Rob Rosenberger of Vmyths fame is a military historian who has just returned from four months duty in Iraq. He will present a shocking case study entitled, "Antivirus Firms Threaten U.S. National Security."

* Patrick Gallagher, former director of the National Computer Security Center at the NSA and affectionately known as the Father of the Rainbow Series, will speak on "Technology, Public Policy and Social Change: Finding the Dots and Connecting Them."

* Yonah Alexander, noted author and director of the International Center for Terrorism Studies (ICTS) of the Potomac Institute for Policy Studies, will speak on "Perspectives on Cyberterrorism."

* R. Pierce Reid, Vice President of Marketing for Qovia, will speak on "The Role of Fear, Uncertainty and Doubt in Marketing Security."

* Maj. Gen. Jack D'Araujo, Army National Guard (Ret.), will speak on "Cyber Simulation - Preparing for Cyberwar."

* The last presentation will be a spirited panel discussion on "Integrating IA Across the Curriculum" with professors from Champlain College, Dartmouth College, Norwich University, University of Vermont, U.S. Military Academy at West Point, and William (Vic) Maconachy, program manager of the National INFOSEC Education and Training Program of the NSA.

Finally, I invite anyone interested in helping to sponsor the conference to pay special attention to the sponsorship opportunities described at:

http://www.e-protectit.org/sponsorship.htm

Sponsorship allows us to keep the base price down to $495 for three days and $195 for the colloquium alone. Sponsorship also allows us to provide minimal prices to law enforcement officials and members of the armed forces of the U.S.

Full information and registration is available on the conference Web site at: http://www.e-protectit.org/

Join us!



Fifth e-protectIT Infrastructure Protection
Posted by cdupuis on Friday, 31 January 2003 @ 21:22:31 EST (1325 reads)
Topic Docteur Kabay

* * * CALL FOR PARTICIPATION * * *

Fifth e-protectIT Infrastructure Protection conference
25-27 March 2003
Norwich University, Northfield, Vermont

Addressing the need to make information security a high priority in all aspects of today's world, Norwich University invites you to join us for two days of pre-conference training in computer forensics, INFOSEC basics, and the yearly INFOSEC UPDATE on Tuesday and Wednesday the 25-26 March 2003 and then to participate in the one-day colloquium on Thursday the 27th of March 2003.

Speakers with practical experience in securing all sectors of society will share their insights in an open forum with many opportunities for stimulating discussions.

Full details of the program, speakers, sponsorship opportunities and registration, see:

http://www.e-protectit.org/

M. E. Kabay, PhD, CISSP # Program Chair
* Assoc. Prof. Info. Assurance
* Prog. Dir., MSc in Info. Assurance
Norwich University, Northfield VT
+1.802.479.7937
mailto:mkabay@norwich.edu



New book by one of CCCure.Org contributing member.
Posted by cdupuis on Sunday, 13 October 2002 @ 17:36:55 EDT (1074 reads)
Topic Docteur Kabay

Today I am very happy to announce the release of a very nice book from one of the contributing members of CCCure.Org. This book is from M. E. Kabay, PhD, CISSP who has been contributing dozens of articles to CCCure.org.

DESCRIPTION OF THE BOOK:

The definitive formula for computer security, from power outages to theft and sabotage.

Whether you are in charge of many computers, or even one important one, there are immediate steps you can take to safeguard your company's computer system and its contents.

The Computer Security Handbook provides a readable and comprehensive resource for protecting computer mainframe systems and PC networks. This Fourth Edition continues a long tradition of maintaining highly regarded industry guidelines for detecting virtually every possible threat to your system and prescribes specific actions you can take to eliminate them.

The collected chapters are written by renowned industry professionals. Requiring minimal technical knowledge to understand, covered topics include: foundations of computer security, threats and vulnerabilities, prevention (technical defenses and human factors), detection, remediation, management's role, and other considerations such as using encryption internationally, anonymity and identity in cyberspace, and censorship.

Protect the information and networks that are vital to your organization with Computer Security Handbook, Fourth Edition.

Click here to get more details from Amazon or simply to preorder your own copy now.




Two introductory security courses
Posted by cdupuis on Tuesday, 02 April 2002 @ 21:06:11 EST (1185 reads)
Topic Docteur Kabay

NOTE FROM CLEMENT: Below is a copy of M.E. Kabay's newsletter. It has some really good links to online resources for learning about security, and it happens to match the 10 domains of the CBK very well.

By M.E. Kabay

My friend and colleague David Kennedy, chief curmudgeon (and director of research) at ICSA Labs, recently forwarded news of an interesting resource for teaching and learning information security.

Wanja Eric Naef (w.naef@iwar.org.uk) has announced that Mark Burgess, associate professor in the Faculty of Engineering at University College in Oslo, Norway, kindly gave him permission to mirror his introductory security course at:

http://www.iwar.org.uk/comsec/resources/security-lecture/index.html

The 14 lectures are available in English as well as in Norwegian:

1. What is security?
2. Trust and Risk Analysis
3. Basic Information Security
4. Identity & Authentication
5. Protocols & Data Integrity
6. Access control
7. Security models
8. Object orientation
9. Software security I
10. Software security II
11. Encryption
12. Intrusion detection
13. Internet security
14. Site security summary



All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2007 by CCCure.Org, and the site maintainers Clement Dupuis and Nathalie Lambert. Reuse is strictly prohibited without written permission of CCCure.Org or it's maintainers.

This web site is not associated directly or indirectly with ISC2, the SANS Institute, ISACA, or other certification authority. The GCFW, CISSP, SSCP, ISSEP, ISSMP, CISA, and CISM are all the property of their respecful owners. The content of this site is provided to you freely due to the generosity of our sponsors.