FYI, it is a really good survey which looks at all aspects of Information Security.

WEN

------------------------------------------------------------------------
'Information is the currency of victory on the battlefield.'
GEN Gordon Sullivan, CSA (1993)
------------------------------------------------------------------------
Wanja Eric Naef
Principal Researcher
IWS - The Information Warfare Site
http://www.iwar.org.uk
------------------------------------------------------------------------
Join the IWS Infocon Mailing List @
http://www.iwar.org.uk/general/mailinglist.htm
------------------------------------------------------------------------

-----Original Message-----
From: Wanja Eric Naef [IWS]
Sent: 29 October 2002 19:20
To: 'Infocon'
Subject: The Economist: Survey - digital security

(This week's Economist has a special section on Information Security which is well worth a read as it is well researched (in comparison to the usual cybergeddon article). WEN)

On digital terrorism:

'... It is true that utility companies and other operators of critical infrastructure are increasingly connected to the Internet. But just because an electricity company's customers can pay their bills online, it does not necessarily follow that the company's critical control systems are vulnerable to attack. Control systems are usually kept entirely separate from other systems, for good reason. They tend to be obscure, old-fashioned systems that are incompatible with Internet technology anyhow. Even authorised users require specialist knowledge to operate them. And telecoms firms, hospitals and businesses usually have contingency plans to deal with power failures or flooding. ...'

'... Like eco-warriors, he observes, those in the security industry - be they vendors trying to boost sales, academics chasing grants, or politicians looking for bigger budgets - have a built-in incentive to overstate the risks. ...'

(Nice quote which is so true. WEN)

Senior Management Support for InfoSec

'...A second, related misperception is that security can be left to the specialists in the systems department. It cannot. It requires the co-operation and support of senior management. Deciding which assets need the most protection, and determining the appropriate balance between cost and risk, are strategic decisions that only senior management should make. ...

... Senior executives do not understand the threats or the technologies. "It seems magical to them," says Mr Charney. Worse, it's a moving target, making budgeting difficult. ...'

Threats/Risk:

'... Even senior managers who are aware of the problem tend to worry about the wrong things, such as virus outbreaks and malicious hackers. They overlook the bigger problems associated with internal security, disgruntled ex-employees, network links to supposedly trustworthy customers and suppliers, theft of laptop or handheld computers and insecure wireless access points set up by employees. ...'

'... One of the biggest threats to security, however, may be technological progress itself, as organisations embrace new technologies without taking the associated risks into account. ...'

Virus:

'... Viruses are a nuisance, but the coverage they receive is disproportionate to the danger they pose. ...'

Firewalls:

'... Firewalls are no panacea, however, and may give users a false sense of security. To be effective, they must be properly configured, and must be regularly updated as new threats and vulnerabilities are discovered. ...'

IDS:

'... Compared with anti-virus software and firewalls, detection is a relatively immature technology, and many people believe it is more trouble than it is worth. The difficulty is tuning an IDS correctly, so that it spots mischievous behaviour reliably without sounding too many false alarms. ...'

MS:

'... Microsoft's policy of tight integration between its products, which both enhances ease of use and discourages the use of rival software makers' products, also conflicts with the need for security. ...'

'... The Windows operating system is the largest piece of software ever written, so implementing security retrospectively is a daunting task. ...'

Human Element of Security:

'... If correctly handled, a management-based, rather than a solely technology-based, approach to security can be highly cost-effective. ...'

'... But there are other, more subtle ways in which management and security interact. "More than anything else, information security is about work flow," says Ross Anderson of Cambridge University's Computer Laboratory. The way to improve security, he says, is to think about people and processes rather than to buy a shiny new box. ...'

Biometrics:

'...The first is that the technology is not as secure as its proponents claim. ...'

'... The second and more important problem is that biometric technology, even when it works, strengthens only one link in the security chain. ...'

'... In short, biometrics are no panacea. The additional security they provide rarely justifies the cost. ...'

Bottom Line:

'... Security, in sum, depends on balancing cost and risk through the appropriate use of both technology and policy. The tricky part is defining what "appropriate" means in a particular context. It will always be a balancing act. Too little can be dangerous and costly - but so can too much. ...'

-----------------------------------------------
Articles:

Securing the cloud
Tools of the trade
The weakest link
Biometric fact and fiction
When the door is always open
Putting it all together
The mouse that might roar
Securing the cloud
-----------------------------------------------

Securing the cloud
Oct 24th 2002
From The Economist print edition

Digital security, once the province of geeks, is now everyone's concern. But there is much more to the problem - or the solution - than mere technology, says Tom Standage

WHEN the world's richest man decides it is time for his company to change direction, it is worth asking why. Only rarely does Bill Gates send an e-mail memo to the thousands of employees at Microsoft, the world's largest software company, of which he is chairman.

http://www.economist.com/surveys/displayStory.cfm?story_id=1389589

-----------------------------------------------

Tools of the trade
Oct 24th 2002
From The Economist print edition

How a box of technological tricks can improve (but not guarantee) your security

ASK a non-specialist about computer security, and he will probably mention viruses and attacks by malicious hackers, if only because they are so much more visible than other security problems. Take viruses first. Like their biological counterparts, computer viruses are nasty strings of code that exploit their hosts to replicate themselves and cause trouble. Until a few years ago, viruses merely infected files on a single computer.

http://www.economist.com/surveys/displayStory.cfm?story_id=1389575

-----------------------------------------------

The weakest link
Oct 24th 2002
From The Economist print edition

If only computer security did not have to involve people

THE stereotype of the malicious hacker is a pale-skinned young man, hunched over a keyboard in a darkened room, who prefers the company of computers to that of people. But the most successful attackers are garrulous types who can talk their way into, and out of, almost any situation. In the words of Mr Schneier, the security guru, "Amateurs hack systems, professionals hack people."

http://www.economist.com/surveys/displayStory.cfm?story_id=1389553

-----------------------------------------------

Biometric fact and fiction
Oct 24th 2002
From The Economist print edition

Body-scanning technology has its drawbacks

YOU'VE seen them in spy films and science-fiction movies: eye-scanners, fingerprint readers, facial-recognition systems. Such body-scanning or "biometric" systems, which can make sure that somebody really is who he claims to be, are touted as the ultimate in security technology. Systems protected by passwords are unlocked by something you know (the password), which others can find out. Systems protected by keys or their high-tech equivalents, smart cards, are unlocked by something you have (the key), which others can steal. But systems protected by biometrics can be unlocked only by a bodily characteristic (such as a fingerprint) that no one can take from you. Your body is your password.

http://www.economist.com/surveys/displayStory.cfm?story_id=1389565

-----------------------------------------------

When the door is always open
Oct 24th 2002
From The Economist print edition

The more that companies open up and interconnect their networks, the bigger the risk of security problems

NOT long ago, at the height of the dotcom boom, you could chart the rise and fall of companies by looking at the garish artwork sprayed on the walls of loft buildings in San Francisco's Multimedia Gulch district. But now, thanks to wireless technology, there is a better way. Driving around the city on a warm night a few weeks ago, Bill Cockayne, a Silicon Valley veteran, opens his car's sunroof. His friend Nathan Schmidt posts what looks like a small fluorescent tube through the open roof and plugs it into a laptop computer. "Metro/Risk", says the computer in a clipped female voice as the car makes its way through North Beach. "Admin network. BCG." Then a robotic male voice booms out: "Microsoft WLAN. Archangel. Whistler. Rongi."

http://www.economist.com/surveys/displayStory.cfm?story_id=1389541

-----------------------------------------------

Putting it all together
Oct 24th 2002
From The Economist print edition

Security spending is a matter of balancing risks and benefits

TOTAL computer security is impossible. No matter how much money you spend on fancy technology, how many training courses your staff attend or how many consultants you employ, you will still be vulnerable. Spending more, and spending wisely, can reduce your exposure, but it can never eliminate it altogether. So how much money and time does it make sense to spend on security? And what is the best way to spend them?

http://www.economist.com/surveys/displayStory.cfm?story_id=1389499

-----------------------------------------------

The mouse that might roar
Oct 24th 2002
From The Economist print edition

Cyber-terrorism is possible, but not very likely

IT IS a devastating prospect. Terrorists electronically break into the computers that control the water supply of a large American city, open and close valves to contaminate the water with untreated sewage or toxic chemicals, and then release it in a devastating flood. As the emergency services struggle to respond, the terrorists strike again, shutting down the telephone network and electrical power grid with just a few mouse clicks. Businesses are paralysed, hospitals are overwhelmed and roads are gridlocked as people try to flee.

http://www.economist.com/surveys/displayStory.cfm?story_id=1389531

-----------------------------------------------