CISSP training Certified Information Systems Security Professional

The vendor-neutral information security certification landscape

Ed Tittel and Kim Lindros

For this update to our survey we added only one new certification overall, the GIAC Certified Incident Manager or GCIM. We dropped a total of 39 vendor-neutral credentials this time around, including various moribund items (TICSA and all the CIW credentials), 5 individual BrainBench courses, since they don't really produce certifications, and 23 GIAC certificate and tune-up course offerings, which also don't produce certifications; certificates rather.

This drops the overall count of vendor-neutral certifications to under 100 for this year, while the count of vendor-specific certifications jumps to around 40. As we indicate in our vendor-specific survey, it's pretty easy to decide which vendor-neutral certs to pursue -- either earn those that apply to what your employer or customer uses, or those that some employer or customer you'd like to work for uses.

Deciding what to pursue on the vendor-neutral side involves understanding where they fit in the overall scheme of coverage, which explains why we divide things up in the survey the way that we do, but also requires comparing similar programs to decide which ones to pursue.

In fact, with about 60 vendor-neutral certifications comprising the security certification landscape, there's obviously no shortage of options for would-be computer security experts to choose from. The question is, how do you know which certification is right for you? Here's a brief analysis of the landscape and a suggested educational path you can pick up at any point of your career.

Today, the Certified Information Systems Security Professional (CISSP), the SANS Institute's Global Information Assurance Certification (GIAC) and the Certified Protection Professional (CPP) are probably the best known and most widely followed IT security certifications/programs. The number of certified individuals in these programs varies from a low of 9,000 to a high of over 60,000. Broader programs such as the Certified Information Systems Auditor (CISA) or the Certified Fraud Examiner (CFE), which both cover more than information security topics, have populations as large as 80,000 or more.

CompTIA's Security+ has changed the entry-level security certification landscape as it continues to attract strong interest and participation. Today the number of Security+ certifications is over 40,000. Microsoft and IBM have incorporated Security+ into some of their own certification programs. Security+ can also substitute for one year of job experience for the Certified Information Security Manager (CISM) certification. Security+ remains our leading choice as the best recognized and arguably the best entry-level information security certification currently available. Be warned, however, that this exam hasn't been updated in four years and several experts have publicly expressed issues with some of its coverage, question clarity and intelligibility.

Thus, the entry-level credentials with the most "oomph" are CompTIA's Security+, SANS GIAC Security Essentials Certification (GSEC) and the ISC²'s Systems Security Certified Practitioner (SSCP). Today, the CISSP and the SANS GIAC intermediate and senior credentials remain the best bets for those seeking more senior security credentials, with the Certified Ethical Hacker (CEH) coming on strong for those interested in current system penetration techniques and counter-hacks. The Certified Protection Professional (CPP), Professional Certified Investigator (PCI), Physical Security Professional (PSP) and the various CISSP concentrations are restricted to the most senior members of the security community, simply because they require five to nine years of work experience in the security field for candidates to qualify for the exam!

Given this landscape, we recommend the following security certification ladder that individuals can start and climb at any point depending on their current knowledge, skills and experience.

# Start your adventure with a broad, but still entry-level security cert.

This could be one of the following credentials, any of which will provide you with an excellent and thorough background in computer security theory, operations, practices and policies:

* CompTIA's Security+
CompTIA's Security+ certification has become the entry-level information security certification of choice for IT professionals seeking to pursue further work and knowledge in this area. That's why it's our first choice and leading recommendation at this level.

* ISC²'s Systems Security Certified Practitioner (SSCP)
The International Information Systems Security Certification Consortium is also home to the best-known senior-level security certification (senior-level certs are covered later in this article). If you're of a mind to go that route, the SSCP is a great way to prepare.

* SANS GIAC Security Essentials Certification (GSEC)
The SANS Institute is an ongoing and well-recognized powerhouse in the security industry. Likewise, its certifications continue to accrue visibility and acceptance. The GSEC opens the door to other certifications in the SANS GIAC program.

Finally, you'll be ready to tackle a premium or senior-level security certification.

Most such certifications require three or more years of relevant, on-the-job experience. Many require submitting papers or research results in addition to passing exams; some also require taking specific classes. Of these, three are particularly worthy of mention, and pick up where the previous three leave off:

* ISC²'s Certified Information Systems Security Professional (CISSP)
The CISSP is arguably the best-known senior-level security certification in North America. It frequently shows up in top 10 certification wish and want lists, and is often requested by name in job postings and classified ads. Those who are interested in extending their CISSP credentials should also look into its three add-on credentials. Although one of them applies only to those working in national security-related positions, the other two deal with policy and practice matters and are of definite value and interest to security practitioners outside the national defense infrastructure.

* SANS GIAC Security Specialist Certifications
The SANS Institute offers numerous topical specializations that extend on the GSEC, including firewalls, incident handling, intrusion analysis, Windows and Unix administration, information security officer and systems and network auditor certifications. This is a topical, timely and highly technical program based on outstanding training online or at SANS conferences. For those willing to acquire three of these individual credentials and sit for two lengthy exams, moving on to the GIAC Security Engineer (GSE) certification probably makes sense.

* Qualified Information Security Professional Certification
Security University's certification requires some of the best, most intense and hands-on information security training around. Highly popular with government and industry security heavies, this program is expensive, demanding and time-consuming, but it's worth the intensive investment it requires to complete.

For additional information on these certifications and more, visit the SearchSecurity.com Guide to Infosec Certifications. Don't hesitate to let us know if our analysis of this landscape has missed anything.

We can't claim to know, see or be able to find everything, so all feedback will be gratefully acknowledged. As always, feel free to e-mail us with comments or questions at etittel@techtarget.com.

ISO 27000 Newsletter - Issue 18

Welcome to the exclusive pre-release version of Issue 18 of The ISO 27001 and ISO 27002 Newsletter, designed to provide news and background with respect to these security standards. The information provided is absolutely free to our subscribers and offers guidance and commentary on recent developments

Covered in this issue are the following topics:

1) Obtaining the ISO 27001 and ISO 27002 Standards
2) Security Awareness Programs (ISO27002 8.2.2)
3) Website Hackers: Why?
4) Third Party Service Delivery Management
5) More ISO 17799/27001 Frequently Asked Questions
6) Trials and Tribulations of an Information Security Officer Part 2
7) Information Security News
8) Critical Success Factors (ISO 27002)
9) Disposing of Equipment (ISO 27002 Section 9)
10) Implementing A COBIT Compliance Initiative
11) ISO 27000: The World Wide Phenomenon
12) ISO 27001/2: Common Mistakes Part 2
13) ISO 27000 Related Definitions and Terms
14) It Couldn't Happen Here, Could It?

enterprise security testing

Introduction

This article elaborates the description of enterprise security testing. Enterprises' data security is constantly under attack. In this seemingly chaotic environment, data security has become one of the primary challenges facing all organizations.

One of the greatest risks of information leakage is much harder to control any software, before being released into the market, has to be thoroughly checked for security risks. In today’s world of stiff competition and corporate espionage, there is always the risk of software being poisoned by a competitor (by compromising an employee) or others like government bodies, disgruntled employees, anti social elements, etc. The implication of such a compromise can be detrimental to the enterprise.

Facts :

In 2006, Fortune 1500 companies lost more than $45 billion from the theft of trade secrets, according to a survey by the American Society for Industrial Security and Price Waterhouse Coopers.” -

The San Francisco Chronicle reported about a case they called “The spies in the next cube”. It was about an employee who said they were leaving to return to their home country to get married without any job. The FBI found cd he was leaving will all the corporate secrets to the new job.

So the answer is … YES, it really happens.

What can you do to protect your company from being a victim of corporation information leakage?

What is the problem?

Now in today’s era the competition is much more in corporate. Everyone wants to know about his competitor so they try to choose different ways for gathering the information. Now attackers have changed their way of thinking

Any software product before it reaches the end user, has to go through many distribution channels

Manufacturer > reseller > end user

During this process:

There is ‘no’ guarantee that the software is fully safe and is not tampered in this process.
Any one can tamper the product and can get some vital information from your organization.

So when your organization using that types of product what is the risk fact.

· Financial risk

· Confidential information leakage

· Employee records (A successful company's most trustworthy and devoted employees)

· Clint information

Firewalls and Anti Virus based security systems cannot protect you from theft of your company's confidential information by this type of attack.

EFFECT ON YOUR ORGANIZATION:

· Market value.

· Client relationship.

· Lose a best employee.

· The weakness of the org. is now disclosed

· The success graph is now constant it’s not raising but also start decreasing.

Basically we’re talking about the creditability of an organization. If you don’t have a basic level of confidentiality of data, availability of resources, and Integrity for your IT services, why should anyone trust what you say?

Now the question is who is responsible for this?

You know very well

Ø Business rivals

Ø Hackers

Ø Attackers

Ø Intruders

Ø Vendors

Ø Anti social elements

Why?

1. To reach the highest level in the business.

2. for the financial benefit from your org.

3. Only for fun

4. Find your best employee

5. Getting your organization weakness.

What data are they collecting?

Ø Corporate intellectual property

Ø Patents in progress

Ø Customer information

Ø Pricing strategies

Ø Source code

Ø Unique manufacturing and technological operations

Ø Latest research and development

Ø Future plans and mark

So this is a … real-time threat in your network.

Worst Mistakes by the senior EXECUTIVES:

Ø Assigning Untrained People to Maintain Security

Ø Failing to Understand the Relationship of Information Security to the Business Problem

Ø Relying Primarily on a Firewall

Ø Failing to Realize How Much Money Their Information and Organizational Reputations are Worth.

Ø Authorizing Reactive, Short-Term Fixes so Problems Re-emerge Rapidly

Ø Pretending the Problem Will Go Away if They Ignore It

While it seems easy from a security perspective, Senior Executives are generally not security folks. Senior Executives are tasked with running a profitable business and in many cases are still wrestling with the changes that IT has made to the face of business. In almost every case above the onus is on the security professional to understand how the business operates, the costs associated with the security of business, and present this information to the senior executives. It never makes sense to spend more money protecting an asset than the asset itself is worth. Security is about risk mitigation so remember that sometimes an unacceptable security risk is an acceptable business risk.

Solution :

v Standardize Security Infrastructure

v Computer Security Policy and Procedures

v Awareness training for all staff

v Management support (i.e. allocate budget & Time)

v Technical solutions (i.e. Firewall, IDS)

How do we get there?

• Acknowledge importance of security

• Balance security with our mission

• Follow security policy and procedures

• All staff members in education process

• Be an example to other staff

User Product Security Testing :

This service enables an enterprise to asses its current susceptibility to security threats related to products that have been downloaded from the Internet by the enterprise’s employees. And when you buy any kind of product

“First test then trust”

Methodology :

Scope:

v The product is analyzed to gain an understanding of its functionality.

v Knowledge about the platform (both hardware and software) on which the product/software runs is gathered.

(“Neither you and your customers want to see your company name in the headline news as responsible for the latest identity theft scandal”)

Conclusion :

A quick glance at the items to consider for your data protection policy clearly indicate that the world has changed and as IT professionals charged with data security, we face new and unique challenges every day.

Author:

Himanshu Saraswat

SSL-Explorer

As a follow up on the last article about SSLVPN software and appliances, I was lucky enough to stumble upon a gold mine of a find called SSL-Explorer. This virtual appliance which can be installed on Windows or Linux and has everything that small/medium sized businesses would be looking for in a SSLVPN solution at an affordable price.

SSL-Explorer offer’s many authentication methods such as Active Directory, LDAP, Radius and multi-factor authentication which would accommodate the most secure of environments. This feature rich software provides many configuration options which include web forwards which allow for Intranet access from anywhere in the world. The Network places extension which provides the administrator the option to allow access to internal FTP and Windows CIFS/SAMBA systems. The application extension includes the Microsoft RDP client, Putty, VNC and WINSCP for easy access to internal resources without giving up the keys to the kingdom. Although if additional access is required a Network extension is provided that will actually give IP access to your internal network and allow tele-workers to function outside the office at a very reasonable cost.

In addition to the application features a granular access control panel is provided to the administrators of the system. The lockdown options of SSL-Explorer include individual logins, group membership, policies associated with individual groups, granular access rights to the system and IP restrictions to prevent unauthorized connections.

If all the above is not enough to sell you on trying SSL-Explorer the company offers a freeware package which provide many of the above mentioned features except for a few which require a license key to activate. I have been using this software for about a year and would highly recommend it to anyone looking for a remote access gateway.

See: http://sourceforge.net/projects/sslexplorer/

SECNAP Chief Technology Officer to Speak at Hacker Halted Conference

SECNAP Chief Technology Officer to Speak at Hacker Halted Conference

Michael Scheidell Will Deliver Opening Keynote Address

Boca Raton, Fla. - May 6, 2008 - Michael Scheidell, chief technology officer for SECNAP® Network Security Corporation, has been selected to deliver the opening keynote address at the Hacker Halted Conference on Sunday, June 1, 2008 at the Marriott Resort at Grande Dunes in Myrtle Beach, S.C.

Hosted by EC-Council, Hacker Halted will debut in the United States May 28 to June 4 in conjunction with the Techno Security Conference. Hacker Halted will feature some of the top speakers in the world, and is in its tenth year raising international awareness toward increased education and ethics in Information Technology security.

Michael Scheidell is a recognized expert in network and data security with a rich history of innovation. Since 2001 he has aggressively pursued the development of advanced security technology with impressive results, including a patent-pending intrusion detection and prevention system and a revolutionary spam solution.

Scheidell's presentation proposes that three additional, undocumented layers of the Open Systems Interconnection (OSI) model exert a powerful influence on information security decisions, and is intended to help delegates manage these influences to become more effective in their organizations and more successful in their careers.

Delegates will include chief security officers (CSO), chief information security officers (CISO), and other C-level executives as well as information technology management, security architects and engineers, auditors and practitioners of information technology across a variety of industries.

The Hacker Halted Conference also affords attendees the opportunity to complete training for certification by EC-Council as a Certified Ethical Hacker, Computer Hacking Forensic Investigator, and Licensed Penetration Tester. For additional information visit www.hackerhalted.com and www.eccouncil.org.

About SECNAP
Founded in 2001 in Boca Raton, Fla., SECNAP Network Security is a leading provider of network security solutions for organizations ranging from small businesses to global enterprises. The company's innovative products include SpammerTrap® and Hosted SpammerTrap®, which block malicious spam, viruses, and phishing emails; HackerTrap(TM), a patent-pending managed network security system that protects company assets; and expert Testing and Auditing services including Information Technology and regulatory compliance audits. SpammerTrap was named a Hot Product at the 2008 XChange Solution Provider Conference. SECNAP is a Technosium Hot Company of 2008. For more information, visit www.secnap.com.

http://www.secnap.com

http://www.hackerhalted.com

# # #

Contact:
Gail Blount
561-999-5000
gblount@secnap.com

News on the ISO/IEC 27000 Series of standards

Following the JTC1/SC27 meeting in Kyoto last month, I've published a load of updates on the ISO/IEC 27000-series standards ("ISO27k") at http://www.iso27001security.com/

For anyone who would like to keep up to date on ISO27k, highlights of the meeting (from my personal perspective i.e. *not* an official status report!) are shown on a 2-page mindmap.

http://www.iso27001security.com/NZ_Notes_from_Kyoto_08_WG1.pdf

Kind regards,
Gary

Gary Hinson
Passionate about security awareness
www.NoticeBored.com Creative awareness materials
http://www.iso27001security.com/ ISO/IEC 27000 standards

SecurAnchor Newsletter by Eric Cole

April 2008

Vol 4, Issue 3

Security in the News
Your source for up to date security headlines

Joe Stewart, director of malware research at SecureWorks, Inc., presented the results of his research into the size of botnets at the RSA conference, and asserted that botnets control over one million compromised computers and are able to generate more that 100 billion spam messages every day.

According to Mr. Stewart, the botnet controlling the most machines is Srizbi. This botnet is also known as Cbeplay and Exchanger, and has the capability of using its 315,000 controlled machines to generate 60 billion spam emails per day.

The Kraken worm's botnet is actually the Bobax botnet, and the Storm worm has been marginalized by its addition to Microsoft's Malicious Software Removal Tool hit list, knocking it down to number five on the list.

Bobax appears to be the number two botnet, controlling 185,000 machines. It can send 9 billion spam emails per day. Damballa has been making news claiming that Bobax is Kraken, or Kracken, and Damballa claims it controls 400,000 computers. However, Mr. Stewart said that Bobax goes by the name Kraken, as well as Bobic, Oderoor, Cotmonger and Hacktool.Spammer.

Mr. Stewart has developed a technique to generate an SMTP fingerprint for the various botnets, leading to more accurate identification and counts of botnet-controlled machines. SecureWorks also sampled the amount of spam that was observed as generated by various botnet-controlled machines and used probabilistic methods to extrapolate and determine how many spam emails the various botnets could generate.

Part of Mr. Stewart's aim was to help the little guy. As he explained, "I think it matters a lot to end users what a botnet's called. They go to look for information, perhaps after they've been infected, and all they have is that it's 'Agent XYZ.'" However, if there are various incompatible naming conventions, then it might be a worm with a new alias. "Then they'd find hardly any information on what it is or what data it may be after. I hope this trickles down to end users."

Anti-Tibetan Supporter Trojan Infects Pro-Tibetan Sites

Users who browse pro-Tibet sites can be infected with the Fribet Trojan. The best guess is that the Trojan is using a VML flaw (MS07-004) which Microsoft released a patch for last year. Unpatched systems visiting these sites can be subjected to an attack that creates a backdoor on the victimized systems.

The Trojan loads a 'SQL Native Client' ODBC library and executes SQL statements sent by command and control servers. This allows the attackers to gather data or modify databases the victims' machines are connected to with the appropriate logins and permissions. The monitoring feature of the Trojan allows the interception of passwords so the attackers will be able to log in to the databases.

Shinsuke Honjo and Geok Meng Ong, researchers for McAfee, wrote that, "This Trojan apparently can be used as an alternate to SQL injection attacks, but in a more direct way. Even the administrators of secure Web sites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector."

In This Issue

Anti-Tibetan Supporter Trojan Infects Pro-Tibetan Sites

CAPTCHA Broken by Botnets

GAO Report

Nine Years for $1.4M Fraud

Single Photon Gate Realized

Search Engine Optimization

Quick Links

CCCure Organization

Sans Institute

CVE Common Vulnerabilities & Exposure

Black Hat

The Honey Pot Project

IT Security

Security Focus

SC Magazine

Dark Reading Daily

CAPTCHA Broken by Botnets

The Windows Live CAPTCHA system used for Hotmail and the equivalent system at Gmail have been compromised by botnets which can crack the system. CAPTCHA was designed to stop spammers from opening Hotmail and Gmail accounts. These systems display distorted characters and are supposed to force a human to read, recognize and type the characters, thus preventing the automated creation of email accounts.

CAPTCHA is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart.

Spammers like Gmail accounts because they are free and not likely to be blacklisted. Now that the spammers own these types of free accounts, more spam is coming from those free providers' email accounts. Anti-spam services then attempt to slow down the flow of spam from those compromised accounts.

MessageLabs' Paul Wood said, "We're seeing more spam coming from Gmail and Yahoo. Where a service is widely abused its reputation goes down and it's held back in the queue. This happens automatically. These traffic management controls are not designed to block messages, they are intended only to slow down their transit. For messages that are subsequently blocked there should be a reason given in the non-delivery report."

February, 2008's spam report indicated that 4.6 percent of spam is sent from Web-based mail services. The Gmail-originated span doubled from January to February to 2.6 percent. Yahoo was the worst of the Web-based mail services, accounting for 88.7 percent of Web-based spam.

Meanwhile, in India, the spam rajas who do not have the good CAPTCHA-cracking bots employ sweatshop labor for $4 per day to establish Web-based email accounts

GAO Report

The GAO report stated that, "GAO found numerous defense-related items for sale to the highest bidder on eBay and Craigslist. A review of policies and procedures for these Web sites determined that there are few safeguards to prevent the sale of sensitive and stolen defense-related items using the sites."

The GAO investigators clicked around from January 2007 through March 2008, and came up with two F-14 components (from two vendors), night-vision goggles with the friendly force identifying 'component,' body armor and an Army combat uniform.

Continuing, the GAO report made the point that bad guys getting hold of this stuff could reverse engineer it to come up with countermeasures.

This GAO report, which the GAO characterized as not comprehensive in any way, did not address whether export controls would keep bad guys from getting the stuff, nor did it look at the failed property management practices which have made stuff available in the past.

Instead, we have the CEO of Craigslist called before Congress to explain what Craigslist is. Jim Buckmaster explained that the GAO report was mistaken when it called Craigslist "a global marketplace with international reach" and that instead Craigslist was a collection of separate local marketplaces. He also explained that users are discouraged from engaging in sales which require shipping.

Nine Years for $1.4M Fraud

To continue the theme of fraud and misrepresentation, the following comparison is offered. A Columbian man has been sentenced to nine years for computer fraud. This fraud (if unchecked) could have potentially affected more than 600 people and involved the staggering (attempted and actual) sum of 1.4 million dollars.

To refresh our memories, the contractor who sabotaged the Sixth Fleet navigation computers, which affected more than one submarine and put at risk the crews of every sub in the Sixth Fleet, received one year. To even look at the dollar value associated with the submarines is the wrong thing to do, but instead one must think about the potential loss of life associated with the possibility of a sub colliding with another sub or an undersea hazard.

When Simbaqueba Bonilla was seized by federal agents, the laptop he was carrying had the names and passwords of more than 600 people, as well as other personal and financial information about those people.

Single Photon Gate Realized

Quantum computing at the single photon level is closer to reality with the physicists at Bristol University in the United Kingdom creating an optical "controlled-NOT" gate on a silicon chip which can act on an individual photon. According to a press release from the university, this is "the building block of a quantum computer."

A quantum bit is called a "qubit" and the new gate, which processes the photon, or qubit, can now be realized on a single chip, whereas previously the gate occupied several square meters of space on an optical bench.

Mark Anderson, an influential voice in the technology community, wrote in his Strategic News Service newsletter that, "For those who believe that quantum computing is the next big breakthrough in the computing world, and who see the logic gate as a critical component, this is a critical step forward."

Professor Jeremy O'Brien, the lead researcher on the project, said that the chip "is a crucial step towards a future optical quantum computer, as well as other quantum technologies based on photons." One of Professor O'Brien's, Alberto Politi, also explained that it was the problem of scaling that this chip solved. Previously, the photons had to propagate through the air and required large optical elements. The new chip starts to solve these problems.

The chip has also enabled the researchers to observe quantum entanglement, an interaction of two particles in such a way that the state of an individual interacting particle cannot be defined, but the collective state of the interacting particles can be.

What is most important about this development, and which seems to have been left out of the discussion in the press, is the phenomenon associated with theoretical quantum computing, which is that the foundations of modern cryptography will be rendered obsolete. Symmetric key cryptography is a probabilistic exercise, and a quantum computer can try all of the possible keys to any encrypted message simultaneously. Presumably, then, the discrete log problem and the problem of factoring large numbers will also be solved, and therefore public key cryptography will also be useless for keeping any secrets.

Search Engine Optimization

Some individuals have employed questionable tactics to get the Web sites with which they are associated listed higher in the rankings for various search terms. Individuals who conduct these activities maintain that they are not breaking the law, and are only violating terms of service agreements. Search engine optimization has been going on since the advent of the meta tag, and as the search engines have come up with new ideas about relevance and what makes a Web site appear higher in the rankings for various search terms and phrases, optimizers have experimented, intuited, and even quit search engine companies to go into private practice, all in the name of getting those who pay, higher rankings. Those of us who believed in the Web as a level playing field and some concept of fairness have felt victimized by these tactics.

Now, apparently, so too the search engine providers themselves. The search engine optimizers (SEOs) had been finding the holes in the ranking algorithms and exploiting them. Google, around 18 months ago, started to penalize sites it thought were gaming the system, and then starting blacklisting the offending sites. According to critics of the tactic, some said that Google would delist sites without any warning.

Jeremey Schoemaker, the marketer known as Shoemoney, said that, "When people are ranking for a phrase and supporting their family, and then the next day they're off the map, that's really vicious. You can literally ruin someone's life."

One of the more cautious members of the SEO community, Eric Ward, who had been derided in the community for his by the book play, warned that black hat optimization was a dead end.

One of the ways that a site was deemed to be relevant was by how many other sites linked to it. In those days, SEOs built link farms - sites which were nothing but links to the sites which were hoped to get boosted in the ratings, and to each other, so that their rankings would help the end site in the rankings. The spiders crawled the links and added things up; the SEOs knew what to do.

When the search engines got wise to this technique and others like it, the SEO community started to polarize - with some working within the guidelines and others going to more extreme and shady tactics. And then sites which were infected with malware, sometimes through no fault of their own, were also penalized by the search engines.

RSnake is an individual with some experience with Web advertising, SEO work, and runs ha.ckers.org. He said that Google is making assumptions which are erroneous in their administration of search result rankings. RSnake said, "Google can shut you down at any time. But there are all kinds of weird things that could happen to you, upstream problems, a proxy goes bad, someone takes over your site, and there's no way for you to explain that it might not be your fault. They're making false assumptions about how the Internet works, which is that the owner of the IP address is always in control of what happens through that IP address."

Variations on the theme are rampant. Innocent sites are hacked to put links in the same color as the background on the site. Other tactics are cookie stuffing and attacks on high traffic blogs. MySpace and other social networking sites are used for the same linking purposes. And the value of search is lessened.

Our mission is to keep your business focused by helping you navigate the sea of security threats you face on a daily basis. Secure Anchor provides creative solutions that keep you ahead of the attacks and provide peace of mind that your critical assests are securely anchored. In addition we are busy developing software solutions to meet the threats of tomorrow.

End your newsletter with a kick -- consider a postscript to reinforce one of the key product or service benefits.

Sincerely,

Eric Cole
Secure Anchor

Pointsec Protector provides a policy driven mechanism that secures an organization's sensitive information by controlling data that enters and exits a PC or server via removable media and I/O devices on any port (USB, Firewire, IDE, Bluetooth etc).

Are you???

	An Enterprise businesses or government agency

	In Banking/financial services, federal/local government, healthcare, business services, technology and/or manufacturing

	In control of devices connecting to machines in your network

	At Risk if Critical Data is lost

Do you Need to...

	Reduce financial risk of lost or stolen data on personal devices connected to PCs or servers

	Comply with regulatory mandates

	Integrate into existing infrastructure

	Reduce operating costs Let us send you a FREE USB device which contains a discovery tool to detect what is your exposure to Data Loss. If you would like one just send us an e-mail at newsletter@secureanchor.com and we will send it right out.

Join our Mailing List!

NoticeBored Newsletter, May 2008 - Trust, integrity and fraud

		Information security awareness newsletter

May 2008 - Trust, integrity and fraud

Dear Clement,

Identity thefts, 419 scams, deliberate sabotage and fraud by trusted insiders (such as at Société Générale Bank) and numerous other information security incidents provide no shortage of topical material for our 60th module.

Technological controls alone are seldom adequate to reduce the risks, placing emphasis on human controls through training and education, policies and procedures, and various forms of management supervision (including, by the way, the IT audits we covered last month).

This being the 60th monthly module means NoticeBored is five years old this month! We’re celebrating our fifth birthday with a special offer – please visit the NoticeBored website or contact me for details. If you phone, please don't be surprised to hear party music in the background!

Kind regards,
Gary Hinson
CEO, IsecT Ltd.

Download the newsletter (PDF)

Copyright © 2008 IsecT Ltd. Information in the newsletter is provided free, for information only and 'as is'. Whilst believed correct, it is in no way comprehensive. It is provided for interest only and is not intended to be relied upon as formal advice. No liability is accepted for any errors or for any losses that may be incurred if any such information is relied upon. You may freely distribute the PDF version of the newsletter intact (including the copyright notice and attribition) but please let us know if you intend to post it on the web.

Find out more about NoticeBored here.

Aussies follow Canadian lead on breach notification

Both New Zealand and Australia have modeled their guidelines for telling customers about IT security incidents on a jointly-created British Columbia and Ontario privacy document. Is Ottawa paying attention?

By: Rafael Ruffolo
ComputerWorld Canada (22 Apr 2008)

Canadian Data breach notification guidelines – jointly created by the Information and Privacy Commissioners for British Columbia and Ontario – have made their way to the land down under.

Last week, Australian Privacy Commissioner Karen Curtis released the Voluntary Information Security Breach Notification Guide, which aims to assist organizations in effectively responding to information security breaches. The draft guide credits voluntary guidelines by both the Privacy Commissioners of Canada and New Zealand.

“We had worked with the New Zealand privacy commissioner and showed her our breach notification assessment tool,” Ann Cavoukian, Information and Privacy Commissioner of Ontario, said. “She took it and developed one in New Zealand similar to ours. It’s great to see Australia follow suit.” The jointly created Canadian breach notification guide was created in December 2006 and outlines steps on when and how to notify affected individuals.

“When you’re notifying somebody of a breach relating to their data, you’ve got to be perfectly clear and concise,” Cavoukian said. “In regards to the preferred method of notification, we think direct contact either by phone, letter or in person are the most effective methods.”

As for what to include in the notification, the assessment tool advises organizations provide a general description of what happened without a lot of legal jargon, outline the steps taken thus far (and will be taken in the future) to control or reduce the harm, and the steps the individual can take to further protect themselves.

“You’ve got to be practical and do things as quickly as possible,” Cavoukian said. “You need to contain the damages, get the notices out, fix the problem and prevent it from reoccurring. You’ve also have to be practical about it and notify people in a way that’s not full of legal legalese and provides clear notice as to what you’re doing.”

Currently, Australia’s privacy legislation does not specifically require an agency or organization to notify individuals, or even the privacy commissioner, of a data breach. However, an amendment to the Australian Privacy Act to require mandatory data breach notification is under way.

The same story is playing out in Canada. Last year, the federal government recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach.

Cavoukian hopes the breach notification assessment tool, along with the influence it is having on the other side of globe, will inspire the federal government to implement an effective and common sense approach on breach notification.

“They’re certainly aware of our guidelines, so I’m sure it’s food for fodder for them,” she said. “We’ve had very good feedback on our guidelines and I’m sure it’ll be one of the things that they take into consideration.”

But some organizations such as the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) want the government to go even further. Responding to an Industry Canada request for public consultation on data security laws earlier this year, CIPPIC recommended that mandatory reporting of data breaches to a publicly-accessible electronic registry is the most effective way to persuade corporations to shore up their potential security risks.

“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, told ComputerWorld Canada earlier this year. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”

Lawson said that while the government’s interest in drafting better data breach notification laws is positive, Ottawa needs to take it a step further and require mandatory public reporting as well.

“There’s two ways that you can create incentives for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from similar privacy legislation passed in California, which mandates organizations to reveal to customers that personal data has been compromised.

“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said earlier this year. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”

Cavoukian, however, disagreed on taking such a punitive approach. As a regulator, she said, her concern is to ensure when something happens that it’s addressed immediately and as quickly as possible to benefit the affected individuals.

“You can almost take as a given that over time, virtually every company is going to make an oversight or a mistake and have some kind of data breach,” Cavoukian said. “My experience in working with organizations is that as soon as they know there’s a breach, they’re really motivated to cure the harm and prevent it. If you create a database of who did what and how many times they did it, I just don’t know how effective it would be.”

Click HERE to see original article on IT World Canada web site

The COBIT newsletter from ISACA

Dear Mr. Clement Dupuis,

Welcome to the April 2008 issue of COBIT Focus, a newsletter designed specifically for users of Control Objectives for Information and related Technology (COBIT). This newsletter provides updates on COBIT developments and is meant to provide a vehicle for sharing COBIT experiences.

You have received this e-mail message because you have participated or expressed interest in ISACA/ITGI products and services. The e-mail address was provided by you through the ISACA/ITGI web sites or other direct means. We did not purchase your e-mail address, nor do we provide your e-mail address to any third party.

We invite you, a member of the growing user community, to submit articles for publication in future issues. For more information on this opportunity, please e-mail the editors at publication@isaca.org. Additionally, please let us know what you think of the issue. Your responses will help us evaluate the value of the newsletter to COBIT users and identify any necessary changes. Please help support this initiative by submitting comments and articles to publication@isaca.org.

Volume 2 2008 of COBIT Focus is now posted online and may be accessed at www.isaca.org/cobitnewsletter.

The following articles are found in the April issue:
- COBIT and IT Governance: Focusing on IT Governance, Value Delivery and IT Investment Evaluation, by John W. Beveridge
- CGEIT Credential Meets Business Demands for IT Governance, by John Lainhart
- Adoption of COBIT by Multiplan, by Romulo Gouvêa and Tiago Quadra
- COBIT: An IT Governance Tool for the CIO and CEO, by Romulo Lomparte
- ISACA COBIT Education

www.isaca.org/cobitnewsletter

======================================================================
ISACA Member Benefit of the Month

The Information Systems Control Journal is an authoritative, peer-reviewed publication that has reported on topics such as Internet security, IT governance, computer crime, information integrity, computer confidentiality issues and IT risk management. ISACA members receive a subscription to the print version of the Journal which is published six times a year. Members also have exclusive access for one year to the online version, JOnline, which features additional articles not featured in the print version. Visit www.isaca.org/currentissue to view the latest Journal today!