Similar literature
Found 20 similar documents (search time: 15 ms)
1.
Awareness of the need for true information security is steadily evolving in finance, industry and government, although action does not match rhetoric. There is a growing need for sophisticated security measures as evidenced by the increasing incidence of penetrations, at all levels of sophistication, of automated systems. These security measures can be developed and installed based on a procedure of risk analysis, security audit and design of countermeasure.

2.
Information security has evolved from addressing minor and harmless security breaches to managing those with a huge impact on organisations' economic growth. This paper investigates the evolution of information security; where it came from, where it is today and the direction in which it is moving. It is argued that information security is not about looking at the past in anger of an attack once faced; neither is it about looking at the present in fear of being attacked; nor about looking at the future with uncertainty about what might befall us. The message is that organisations and individuals must be alert at all times. Research conducted for this paper explored literature on past security issues to set the scene. This is followed by the assessment and analysis of information security publications in conjunction with surveys conducted in industry. Results obtained are compared and analysed, enabling the development of a comprehensive view regarding the current status of the information security landscape. Furthermore, this paper also highlights critical information security issues that are being overlooked or not being addressed by research efforts currently undertaken. New research efforts are required that minimise the gap between regulatory issues and technical implementations.

3.
4.
5.
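With the rapid development of science and technology and of network information technology, more and more network information security problems are gradually emerging. This paper mainly studies the relationship between network information security and network security, and offers several suggestions on how to create a secure network environment.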

6.
The relationship between the media and information security is intriguing. The media is quick to cover security-related incidents such as worm outbreaks and intrusions into systems and networks, serious vulnerabilities and so on, in many respects helping in the job of raising public awareness of security issues. The media's fascination with information security also has negative consequences, however. Information security professionals, especially those who are consultants, often compete for media exposure. Several weeks ago the president, founder, and business administrator of Forensic Tec, a California-based security consultancy, were indicted for breaking into numerous US government and Department of Defense systems. After allegedly breaking into these systems, members of this consultancy openly bragged about how easy it was to breach their security. The press ran stories to the effect that some of the most critical computers within the US were wide open to attack. Interestingly, the indictment accused the individuals of creating a publicity stunt to drum up business for this new, small consultancy.

7.
8.
Current research on UHF RFID system security mainly focuses on protecting communication safety and information privacy between a pair of specific tags and its corresponding interrogation reader. However, instead of stealing detailed private information of tags, adversaries may just want to estimate the cardinality of tags, which is named counting attack. Unfortunately, most existing protocols are vulnerable to counting attack. To defend against this attack, in this paper we propose ACSP, a novel Anti-Counting Security Protocol. ACSP employs session identifier and provides a corresponding authentication metric to verify the commands sent by the reader. To handle counting attack, ACSP periodically updates the session identifier, and securely identifies tags with encryption. We evaluate the performance of ACSP through theoretical analysis and qualitative comparison. Results show that ACSP can efficiently withstand counting attack as well as defending against regular security threats as existing protocols.

9.
As an information security specialist for over 17 years, I've noticed a few unsettling patterns. While a certain pessimism goes along with this job, there are a number of real-world data points that — when collectively viewed — indicate the future will be increasingly chaotic, anarchistic and undisciplined.

10.
Although most businesses say information security is a primary concern, few have adequate systems in place because securing information requires a risk-management approach with dependable, quantifiable metrics. Simple questions, readily answered in any other business context, are met by information security experts with embarrassed silence. These questions include: Is my security better this year? What am I getting for my security dollars? How do I compare with my peers? Answering such questions requires rigorous security metrics; and a risk-management framework in which to compare them.

11.
Abstract

The issue of access to government information in South Africa is clearly a significant one. Ways in which to exploit available infrastructure and expertise to achieve access to this information is becoming an area of considerable debate. The Minister of Posts and Telecommunications has established a human focus as the starting point in the approach to information and communication. People require easy access to information to make the practical decisions that govern their daily lives and enable them to exercise increasing control. Information is also the basis of interaction between communities and their representatives about the many issues being considered at all levels of government. Access to information is critical to development and democracy.

12.
13.
14.
The analysis system is a collection, configuration and integration of software programs that reside on multiple interconnected computer platforms. The software, less computer operating systems, is a combination of sensor, analysis, data conversion, and visualization programs. The hardware platforms consist of several different types of interconnected computers, which share the software programs, data files, and visualization programs via a Local Area Network (LAN). This collection and integration of software and the migration to a single computer platform results in an approach to LAN/WAN monitoring in either a passive and/or active mode. The architecture permits digital data input from external sensors for analysis, display and correlation with data and displays derived from four major software concept groups. These are: Virus Computer Code Detection; Analysis of Computer Source and Executable Code; Dynamic Monitoring of Data Communication Networks; 3-D Visualization and Animation of Data.

15.
16.
17.
18.
Information security management standards: Problems and solutions (cited by: 1; self-citations: 0; citations by others: 1)
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

19.
In May 2009 the Information Security Group, Royal Holloway, became host to a medical sociologist from St. George’s Hospital, University of London, under EPSRC’s discipline hopping scheme. As part of this knowledge transfer activity, a sociotechnical study group was formed comprising computer scientists, mathematicians, organisational researchers and a sociologist. The focus of this group is to consider different avenues of sociotechnical research in information security. This article briefly outlines some of the areas of research where sociotechnical studies might contribute to information security management.

20.
To protect information systems from increasing levels of cyber threats, organizations are compelled to institute security programs. Because information security policies are a necessary foundation of organizational security programs, there exists a need for scholarly contributions in this important area. Using a methodology involving qualitative techniques, we develop an information security policy process model based on responses from a sample of certified information security professionals. As the primary contribution of this research study, the proposed model illustrates a general yet comprehensive policy process in a distinctive form not found in existing professional standards or academic publications. This study's model goes beyond the models illustrated in the literature by depicting a larger organizational context that includes key external and internal influences that can materially impact organizational processes. The model that evolved from the data in this research reflects the recommended practices of our sample of certified professionals, thus providing a practical representation of an information security policy process for modern organizations. Before offering our concluding comments, we compare the results of the study with the literature in both theory and practice and also discuss limitations of the study. To the benefit of the practitioner and research communities alike, the model in this study offers a step forward, as well as an opportunity for making further advancements in the increasingly critical area of information security policy.
