Network World

Security Strategies Alert

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.

Security news and resources from Network World.
Visible Ops Security, Phase 1
11/20/08
In my last column, I introduced the excellent booklet called "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps," by Gene Kim, Paul Love and George Spafford. Phase 1 provides a chilling reminder of how badly information assurance implementation can go wrong.
Introducing Visible Ops Security
11/18/08
In my last column, I wrote about the Visible Ops Handbook, which I recommend to everyone involved in system and network operations. Today I continue on the same theme by starting a review of the newer booklet, "Visible Ops Security: Achieving Common Security and IT Operations Objectives in 4 Practical Steps," by Gene Kim, Paul Love and George Spafford.
Visible Ops Handbook
11/13/08
Today I am reviewing a well-known handbook that applies ITIL principles to system and network operations. 'Visible Ops Handbook: Starting ITIL in 4 Practical Steps' by Kevin Behr, Gene Kim and George Spafford (2004), published by the IT Process Institute, is a superb little booklet available online for $20; a PDF version is also available for download. We use this booklet in the Master of Science in Information Assurance (MSIA) program at Norwich University.
Swiss mix: Useful copyright resource
11/11/08
I was updating one of my lectures on copyright law recently and ran across a useful site from the government of Switzerland's Federal Institute of Intellectual Property. The site, available in German, French, Italian, and English versions, has some stimulating materials about intellectual property that may be useful to readers involved in security-awareness campaigns. Some readers may also want to pass on the information to their children or to teachers in their local communities.
New Web site and files for readers
11/06/08
It's been a while since I wrote about my Web site, so today I'm updating readers about new materials that may be useful to you.
'Zero Day Threat': Deep analysis + fun = excellent read
11/04/08
Today I'm pointing to an excellent book by Pulitzer Prize-winning journalist Byron Acohido and his USA Today colleague Jon Swartz called Zero Day Threat: The Shocking Truth of How Banks and Credit Bureaus Help Cyber Crooks Steal Your Money and Identity.
Copyright infringement and the CISSP, Part 2
10/30/08
In Part 1 of this series, security-awareness expert K Rudolph of Native Intelligence describes how she discovered that a CISSP-holder whom she is calling "Mud" submitted 11 of her posters to a contest after stripping her printed copyright notices off the images. Today we find out what happened. K continues her story.
Copyright infringement and the CISSP, Part 1
10/28/08
This story deals with lying, theft, social networking, law, mystery, and an uncertain outcome. My longtime friend and colleague, the distinguished security-awareness expert K Rudolph of Native Intelligence tells a tale of horror and mayhem suitable for Hallowe'en reading.
Arrogance or efficiency? Why Microsoft redesigned the Office user interface, Part 4
10/23/08
Following an exemplary correspondence from Microsoft expert Mark Alexieff, senior product manager for Microsoft Office, it seems to me that the arrogance lay in my assumptions rather than in Microsoft's.
Arrogance or efficiency? Why Microsoft redesigned the Office user interface, Part 3
10/21/08
In the preceding two columns, I've been reporting on correspondence with Microsoft expert Mark Alexieff, senior product manager for Microsoft Office concerning the company's decision to change the Office user interface. Today Alexieff provides interesting material about the acceptance of the new Microsoft Office Fluent User Interface by a variety of users.
Arrogance or efficiency? Why Microsoft redesigned the Office user interface, Part 2
10/16/08
In my last column, I introduced a problem I encountered early in my use of Microsoft's Office 2007. Today I continue with interesting correspondence from Mark Alexieff, senior product manager for Microsoft Office.
Arrogance or efficiency? Why Microsoft redesigned the Office user interface, Part 1
10/14/08
Earlier this year, I was writing an e-mail message using Microsoft Office Outlook 2007 and clicked on the button for adding one of my signature blocks. Presto! Most of my message disappeared!
How to react to a fire alarm
10/09/08
We've been conditioned by years of fire drills to assume that alarms are either tests or false alarms, and just mean a 20-minute work break. But if a fire alarm is to serve its function, we need to assume - or at least pretend - that it's the real thing. Most important, we need to assume that we will not be returning to work.
Don't be a Blobmonger
10/07/08
Mudd: Regular people do not want to hear about some vague entity waiting in the shadows to insinuate itself into their computers. That holds true for at-home users as well as business executives. So, borrowing a quote from The Blob's protagonist, Steve Andrews (played by Steve McQueen): "How do you get people to protect themselves from something they don't believe in?"
Securing the eCampus 2008
10/02/08
Dartmouth College will host its second conference on "Securing the eCampus: Building a Culture of Information Security in an Academic Institution" Nov. 11-12, 2008. Focusing on the unique challenges of cyber security in academia, the conference welcomes CIOs, CISOs, and other academic IT leaders to explore what it takes to develop a more secure information environment on college campuses.
The data center from hell, Part 3: Lessons learned
09/30/08
In the previous two columns, security specialist Jan Buitron reported on a horribly non-secure facility at which she worked some years ago. Today she summarizes her conclusions about the state of facilities security at this dreadful site.
The data center from hell, Part 2
09/25/08
Buitron: One circuit breaker was in a garage bay where company trucks parked. Anyone from the street could walk in at any time and throw the switch on the breaker box, cutting off power instantly to all of the company's servers.
The data center from hell, Part 1
09/23/08
Seen any good horror movies lately? Here's the script for a security geek's version of the classic slasher flick.
How not to manage lost passwords
09/18/08
I am writing to you formally in your capacity as CEO of Metaphoronic Corp., makers of the bioport that I had installed in my lower spinal column last year for direct neural connectivity to my Windows 2010 operating environment. Today I could not sign into the Web page for the SpinalTap application that makes adjustments to the interface and could not find instructions on getting the password e-mailed to my e-mail account or on how to reset it to a temporary password and get that by e-mail, so I called your help desk to find out what to do.
reCAPTCHA illustrates human ingenuity
09/16/08
The CAPTCHA is the squiggly word that appears on Web sites to stop bots from sending spam and doing other vile deeds. Recently, several computer scientists reported on an innovative application of CAPTCHAs: harnessing the more than 100 million individual acts of human intelligence spent decoding the symbols and putting them to useful work.
Bad business model: Turning subscriptions into gambling
09/11/08
Dear Unnamed_Music_Service: I visited your site after seeing the ad in The Nation magazine. After I read your terms of service and your rate scale, I decided not to sign up (and, not incidentally, NOT to steal your 25 free songs by cancelling at once). I thought you might like to know why.
New kids advance 'New School'
09/09/08
Two exciting young talents (well, young from my perspective), Adam Shostack and Andrew Stewart, have published an interesting and challenging manifesto urging information-assurance practitioners to break out of conventional thinking. They argue (and I concur) that we have to use the insights of other disciplines in formulating and implementing our security policies to cope with computer-related crime.
The privacy policy problem, Part 4: Reality hits home
09/04/08
It's not going to be easy, but at least you can put your privacy-protection measures in place before you face a major PII disaster. Keep your eyes open, follow up on abuse of your corporate identity, and make your own policies clear and effective.
The privacy policy problem, Part 3: Opting out of opting out
09/02/08
In my most recent two columns, I've been discussing privacy policies. Today I want to look at some of the issues that can occur when you work with other organizations whose policies may differ from yours.
The privacy policy problem, Part 2: Controlling business partners
08/28/08
In this series of four articles, I'm exploring privacy policies. Today I'll continue with an analysis of potential problems due to independent partner organizations working on behalf of their clients without adequate supervision and coordination.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.
