November 2007 Archives

On policy writing


I have been working on documenting how information security policies should be written and implemented. The gist of it is:

Only write a policy when there is a real need to do so. When a policy is written, keep it as short as possible. Make sure that every requirement identified in the policy can be monitored and that compliance with it can be enforced. Always make sure that implementing a policy does not prevent necessary work from getting done or incur unreasonably high costs. For this reason, every policy should state whether deviation from the policy is permissible and, if so, which role may authorize such deviations.

When I sent out the full document for review, one of my coworkers came up with the following gem:

"As XXX can attest, the sysadmins have been looking forward to the time when some policies might be implemented, though I would say that we envisioned policies that applied to the user community, rather than ourselves." I thought that was pretty funny :-)

And on a totally unrelated note: SANS just published their new SANS Top-20 2007 Security Risks (2007 Annual Update) report. I am sure that many other bloggers will comment on it, so I will refrain from doing so; the terminal23 blog, for example, was the first one I read.

Anti-Phishing Phil


A post on the Security Catalyst forums directed me to this little gem:

Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.
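The URL cues the game trains people on can also be checked mechanically. The following is an added example, not code from Anti-Phishing Phil or from this post: it takes a URL and the domain the user expects to be on, and flags the classic tricks (a brand name placed in a leading label so the real domain is something else, an IP address instead of a hostname, user-info before an "@" so the visible "host" is not the host at all, plain HTTP on a login page). The sample URLs are constructed, and the "registrable domain is the last two labels" rule is a stated simplification; real code should consult the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the 'owning' domain of a host name.

    Simplification (assumption of this example): the registrable domain is the
    last two labels. That is wrong for suffixes such as co.uk; production code
    should use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_cues(url: str, expected_domain: str) -> list[str]:
    """Return the list of cues suggesting `url` is not really `expected_domain`.

    An empty list means none of these heuristics fired; it is not proof that
    the URL is legitimate.
    """
    cues: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    expected = expected_domain.lower()
    brand = expected.split(".")[0]  # e.g. "paypal" from "paypal.com"

    # 1. "https://www.paypal.com@evil.example/" - everything before "@" is
    #    user-info; the browser actually connects to evil.example.
    if parts.username is not None:
        cues.append("userinfo before @")

    # 2. A bare IP address is almost never how a bank presents itself.
    try:
        ipaddress.ip_address(host)
        cues.append("ip address host")
    except ValueError:
        pass

    # 3. Credential pages should be served over TLS.
    if parts.scheme.lower() != "https":
        cues.append("not https")

    # 4. The part that matters is the registrable domain, read from the right.
    #    "paypal.com.evil.example" belongs to evil.example, not paypal.com.
    owner = registrable_domain(host)
    if owner != expected:
        if brand in host:
            cues.append("brand in leading label or lookalike")
        else:
            cues.append("different domain")
    return cues


# Constructed sample URLs (not taken from the game or from real phishing mail).
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "http://www.paypal.com@203.0.113.7/signin",
    "https://paypal.com.account-verify.example/signin",
    "https://secure-paypal-login.example/signin",
]


def classify(urls: list[str], expected_domain: str) -> dict[str, list[str]]:
    """Map each URL to the cues found for it."""
    return {u: phishing_cues(u, expected_domain) for u in urls}


if __name__ == "__main__":
    for url, cues in classify(SAMPLE_URLS, "paypal.com").items():
        verdict = "ok" if not cues else ", ".join(cues)
        print(f"{url}\n    -> {verdict}")
```

The heuristics are deliberately crude: the point is that the registrable domain, read from the right-hand end of the host, is the one cue that the attacker cannot fake, which is exactly why phishing URLs work so hard to push it out of view.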

Gunnar Peterson picked up on a post on Ross Anderson's group's Light Blue Touchpaper blog:

Conflict Theory

Does the defence of a country or a system depend on the least effort, on the best effort, or on the sum of efforts?

The last is optimal; the first is really awful.

Software is a mix: it depends on the worst effort of the least careful programmer, the best effort of the security architect, and the sum of efforts of the testers.

Moral: hire fewer better programmers, more testers, top architects.

Source: 1 Raindrop

And I really couldn't say more than: I agree!

Happy Thanksgiving


As the United States gears up for Thanksgiving, most employees are looking forward to enjoying a long weekend with family and friends. Will the Bad Guys take this opportunity to release some more malware onto us? Most university students have left their dorm rooms, but in many cases their personal computers will stay on. Universities typically have "decent" bandwidth, which makes these unattended, always-on machines interesting targets.

Let's hope that the MSN worm that Aladdin detected a few days ago was the only manifestation of such a malware outbreak.

If it applies to you: Happy Thanksgiving. In all other cases: happy Thursday!

In a post on the Security Catalyst forums (register for full access), I found a link to a post by Prof. Eugene Spafford of Purdue's Center for Education and Research in Information Assurance and Security on the CERIAS Weblog. The title of the post is Security Myths and Passwords, and it contains some very insightful observations.

0x000000 Security (cool URL, btw) conducted a little experiment that clearly shows once more that passwords should be eliminated as soon as possible.

Successful use of passwords relies on the people who know the passwords choosing them wisely and keeping them to themselves. It has been shown over and over again that any scheme that relies on people to choose and guard secrets correctly is doomed to fail, and 0x000000 Security has just illustrated this again.
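To make the "choose them wisely" point concrete, here is an added example that is neither Spafford's nor 0x000000 Security's code. It assumes a typical complexity policy (8+ characters, upper, lower, digit, symbol) and a constructed five-word wordlist, then generates the mangling patterns people actually use (capitalise, append a digit or year, append a symbol). A password such as "Password1!" satisfies the policy and still falls within a few dozen guesses; a random 10-character string is not in the candidate space at all.

```python
import string
from typing import Iterator, Optional

# Assumed complexity policy for this example (not from the post).
MIN_LENGTH = 8


def meets_policy(pw: str) -> bool:
    """True if pw satisfies the assumed 'upper + lower + digit + symbol' policy."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = ["password", "welcome", "letmein", "autumn", "turkey"]

# Mangling rules modelled on common human habits: keep or capitalise the
# word, append nothing / a single digit / a year / "123", append a symbol.
DIGIT_SUFFIXES = [""] + [str(d) for d in range(10)] + ["2007", "123"]
SYMBOL_SUFFIXES = ["", "!", "@", "#"]


def mangled_candidates(words: list[str]) -> Iterator[str]:
    """Yield every word + digit-suffix + symbol-suffix combination, in a fixed order."""
    for word in words:
        for base in (word, word.capitalize()):
            for digits in DIGIT_SUFFIXES:
                for sym in SYMBOL_SUFFIXES:
                    yield base + digits + sym


def guesses_needed(target: str, words: list[str]) -> Optional[int]:
    """1-based position of target in the candidate stream, or None if never produced."""
    for i, cand in enumerate(mangled_candidates(words), start=1):
        if cand == target:
            return i
    return None


def candidate_space(words: list[str]) -> int:
    """Total number of candidates the rules produce for this wordlist."""
    return len(words) * 2 * len(DIGIT_SUFFIXES) * len(SYMBOL_SUFFIXES)


if __name__ == "__main__":
    # Constructed test passwords: two 'human' choices and one random string.
    for pw in ["Password1!", "Turkey2007!", "Xk7#qpL2!v"]:
        n = guesses_needed(pw, WORDLIST)
        print(f"{pw:12} policy_ok={meets_policy(pw)} guesses={n}")
    print("candidate space:", candidate_space(WORDLIST))
```

The policy cannot distinguish the first two passwords from the third: all three pass. Only the attacker's model of how people pick passwords does, and that model is what policy-compliant human choices reliably fall into.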