Tag Archives: Cyber threats


Is cyber security and mobile device management important in the healthcare industry?

Healthcare and technology go hand in glove more than almost any other sector in today’s business world, and that will remain true into the future. Patient records form just one element of the vast mountain of data that is stored and processed every day by every healthcare provider, be it a local GP’s surgery or a teaching hospital. These records are some of the most sensitive data there is, and protecting them from accidental or malicious access is becoming increasingly difficult.

Just think of the many and varied mobile devices available today, designed to plug in, connect wirelessly or pair over Bluetooth to your network or computer system. Can we police and manage these connections? After all, when access is required by bona fide healthcare professionals, this ease of connection and access is very desirable. But the security of that access is paramount, not least because there is a legally enforceable duty of care to protect this sensitive data.

In an ideal world the holder of any sensitive data would be able to control and audit the sharing of that data throughout its lifetime. That touches on another valid concern, when data is irrecoverably deleted, which we should look at in another blog. If we accept the premise that no amount of added security can be totally foolproof, what we need is a way of mitigating the risk. Encryption seems to be the answer: if data is encrypted at rest and in transit between two points it is less likely to be compromised. Bear in mind that encryption only moves the problem to the keys; whoever holds the key, or any application that decrypts the data before it is copied onward, still sees the data in the clear.

At this point we should consider the implications for the individual data user. Any security system that alters a user’s normal working practices will be resisted and subverted wherever possible; human nature is not normally predisposed to thinking about security. In the course of a normal day’s work the average user will access many different data sources, may transfer data between different media and devices, and will share that data with other users, all quite legitimately. If at every stage of this interaction they are challenged or required to do something extra that takes time, thought or additional actions, the system will not be adopted or accepted.

The latest generation of security systems has taken note of this human response to security. It acknowledges that we as users are quite willing to pay lip service to the need for robust security provided it doesn’t affect our daily lives in an obtrusive way. In just the same way as you would expect your movements to be controlled within a secure building, so your access to data is controlled according to your personal privileges, the key being your authentication at the front door or access point. Once inside, your set of privileges dictates which data you can access and which actions you can perform on it, and all of this is audited for later analysis. In a well-designed system these privileges are dynamic: they can be modified in real time, so what you can do today you might not be able to do tomorrow. Keeping data available on a need-to-know basis helps limit the possibility of compromise.

And what of the data that you shared? Where is it now and is it still being controlled securely? Just because it has left your system, has it suddenly become less sensitive? Unlikely! The system should be capable of extending its security to data that has been shared beyond the network. Email and thumb drives are just two easy routes for leaking sensitive data. Be sure the system you consider has taken this into account.

I hope this very brief blog has shed some light on the various issues that confront those responsible for the security of the data they hold. You can find out more about cyber security here

Tell your friends and colleagues about us. Thanks!
Share this

The megaupload bust

My daughter was distressed yesterday after the Feds shutdown the megaupload file sharing site – “How am I going to see all those series and Korean movies I love? It’s not fair!”

The FBI have been after Mr Dotcom for 8 years. His big problem was not the file sharing but his other criminal activities. After all, there is infinite demand for file sharing: Filesonic is cleaning up now that Megaupload has gone bust, and Viacom didn’t go after Eric Schmidt after Viacom lost its billion dollar copyright case to Google 2 years ago.

But really, beyond the consumer appetite for entertainment and the corporate appetite for filing intellectual property and copyright suits, why isn’t Hollywood getting it right when it comes to content protection? If they were getting it right, Sony-Columbia would be running the file sharing sites, charging $1/movie and $3 for premium content and driving all the file sharing sites out of business.

Instead, the big studios are making the same mistake that corporate America makes when it comes to content protection: ignoring the attacker economics.

After all, the AACS and HDCP revocation (blacklisting) schemes defy the laws of physics and reason. For example, you may be a perfectly law-abiding citizen, but if someone in Sofia extracts the device keys from your model XY500 player, those keys are revoked on every disc pressed after the compromise, and your player will never play those discs, whether or not you had anything to do with it. If a hacker taps into the HDMI/HDCP link and copies a movie en route to your model of TV set, the HDCP device key can be revoked and your 80 inch TV will never play high-definition again.

Blu-ray copy protection was broken five years ago this month (January 2007), courtesy of muslix64, the same fellow who cracked HD DVD. Both HD DVD and Blu-ray use HDCP (High-bandwidth Digital Content Protection) to authenticate the link to the display, and both use AACS (Advanced Access Content System) for content encryption: AACS is the content protection for the video on the disc, HDCP is the content protection on the HDMI link between the player and the TV. It appears that muslix64 took a snapshot of the memory of a running player process and then used selective keying: he knew what the first bytes of an MPEG frame should look like, and tried every 16-byte window of the dump (bytes 1-16, then 2-17, then 3-18, and so on) as the AES-128 title key until the frame decrypted to something sensible. That is a known-plaintext search over a few megabytes of memory, much faster than a pure brute-force attack on a 128-bit key. If the video player process stores the key in clear text in memory, this type of attack will always work.
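As an added illustration of the sliding-window search described above (this is not muslix64’s tool and not code from the original post): the attacker holds a memory dump of the player process and the first encrypted 16-byte block of a frame, knows that an MPEG-2 sequence header starts with the start code 00 00 01 B3, and tries every 16-byte window of the dump as an AES-128 key until the block decrypts to that prefix. The dump, the title key, its offset and the frame bytes are all constructed here; real AACS content encryption has more structure than a single ECB block and is simplified away, so the example shows the search technique, not the AACS cipher details.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// knownPrefix is the start of an MPEG-2 sequence header (start code 00 00 01 B3).
// The attacker does not know the key but does know how a frame begins.
var knownPrefix = []byte{0x00, 0x00, 0x01, 0xB3}

// titleKey and keyOffset are the constructed "secret" the player left in memory.
var titleKey = []byte("0123456789abcdef") // 16 bytes = one AES-128 key (constructed)

const keyOffset = 300 // where the key sits in the constructed dump

// BuildSample constructs a fake process memory dump with the title key embedded
// in filler bytes, plus the first 16-byte block of a frame encrypted under it.
func BuildSample() (dump []byte, firstBlock []byte) {
	dump = make([]byte, 1024)
	// Deterministic filler (a small LCG) so the run is reproducible; not real memory.
	x := uint32(0x12345678)
	for i := range dump {
		x = x*1664525 + 1013904223
		dump[i] = byte(x >> 24)
	}
	copy(dump[keyOffset:], titleKey)

	// Constructed plaintext: start code followed by 12 bytes of "header".
	plain := append(append([]byte{}, knownPrefix...), []byte("hdr-bytes-xy")...)
	block, err := aes.NewCipher(titleKey)
	if err != nil {
		panic(err)
	}
	firstBlock = make([]byte, aes.BlockSize)
	block.Encrypt(firstBlock, plain)
	return dump, firstBlock
}

// FindTitleKey slides a 16-byte window across dump one byte at a time, treats each
// window as an AES-128 key, decrypts the captured block with it, and returns the
// offset and key of the first window whose decryption starts with the known prefix.
// It returns -1 and nil when no window works.
func FindTitleKey(dump, firstBlock []byte) (int, []byte) {
	var plain [aes.BlockSize]byte
	for off := 0; off+aes.BlockSize <= len(dump); off++ {
		candidate := dump[off : off+aes.BlockSize]
		block, err := aes.NewCipher(candidate)
		if err != nil {
			continue // cannot happen for a 16-byte slice, kept for completeness
		}
		block.Decrypt(plain[:], firstBlock)
		if bytes.HasPrefix(plain[:], knownPrefix) {
			return off, candidate
		}
	}
	return -1, nil
}

func main() {
	dump, firstBlock := BuildSample()
	off, key := FindTitleKey(dump, firstBlock)
	if off < 0 {
		fmt.Println("no key found")
		return
	}
	fmt.Printf("title key found at offset %d: %x\n", off, key)
}
```

The cost is one AES block decryption per byte of the dump, so a dump of a few hundred megabytes is searched in seconds; a false positive needs a random window to decrypt the block to the 4-byte prefix, which happens about once in 2^32 tries. The only defence the player has is not to keep the raw key in process memory, which is exactly what the post says a software player cannot avoid.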

Like most flawed encryption schemes, AACS is vulnerable not through the cipher but through a poor software implementation.

“The AACS design prevents legitimate purchasers from playing legitimately purchased content on legitimately purchased machines, and fails to prevent people from ripping the content and sharing it through BitTorrent. The DRM people wanted something that could not be done, so unsurprisingly they wound up buying something that does not do it.”

James Donald.

Now we understand why BitTorrent is so popular and why


The valley of death between IT and information security

IT is about executing predictable business processes.

Security is about reducing the impact of unpredictable attacks on your organization.

To bridge the chasm, IT and security need to adopt a common goal and a common language: a language of customer-centric threat modelling.

Typically, when a company (business unit, department or manager) needs a line-of-business software application, IT staffers will do a systems analysis starting with business requirements and then proceed to buy or build an application and deploy it.

Similarly, when the information security group needs an anti-virus or firewall, security staffers will make some requirements, test products, and proceed to buy and deploy or subscribe and deploy the new anti-virus or firewall solution.

Things have changed – both in the IT world and in the security world.

Web 2.0 SaaS (software as a service) offerings (or Web applications in PHP that the CEO’s niece can whip together in a week…) often replace those old structured systems development methodologies. There are, of course, good things about not having to develop a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but the downside of not developing software according to a structured design methodology is buggy software.

Buggy software is insecure software. The response to buggy, insecure software is generally to do nothing, or to install a product that is a security countermeasure for the vulnerability (for example, buying a database security solution) instead of fixing the SQL injection vulnerability in the code itself. Then there is lip service to so-called secure development methodologies which, despite their intrinsic value, are often too detailed for practitioners to follow, and which are not a replacement for a serious look at business requirements followed by a structured process of implementation.

There is a fundamental divide, a metaphorical valley of death, in mentality and skill sets between IT and security professionals.

  • IT is about executing predictable business processes.
  • Security is about reducing the impact of unpredictable attacks.

IT’s “best practice” security in 2011 is firewall/IPS/AV. Faced with unconventional threats (for example a combination of trusted contractors exploiting defective software applications, or hacktivists or competitors mounting APT attacks behind the lines), IT management tends to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first-principles threat analysis and discovering that the problem has nothing to do with malware on the network and everything to do with software defects that may kill customers.

Threat modeling and analysis is the antithesis of installing a firewall, anti-virus or IPS.

Analyzing the impact of attacks requires hard work, hard data collection and hard analysis. It’s not a sexy, fun-to-use, feel-good application like Windows Media Player. Risk analysis may yield results that are not career enhancing, and as the threats get deeper and wider with bigger and more complex systems, so the IT-security valley of death deepens and gets harder to traverse.

There is a joke about systems programmers: they have heard that there are real users out there, actually running applications on their systems, but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT and security are primarily systems- and procedures-oriented instead of customer-safety oriented.

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?

Clearly – the challenge of running a profitable company that values customer protection must be shouldered by IT and security teams alike.

Around this common challenge, I propose that IT and security adopt a common goal and a common language: a language of customer-centric threat modelling, in terms of threats, vulnerabilities, attackers, entry points, assets and security countermeasures. This may be the best, or even the only, way for IT and security to traverse the valley of death successfully.


Message queuing insecurity

I met with Maryellen Ariel Evans last week. She was in Israel on vacation and we had coffee on the Bat Yam boardwalk.   Maryellen is a serial entrepreneur; her latest venture is a security product for IBM Websphere MQ Series. She’s passionate about message queue security and I confess to buying into the vision.

She has correctly put her finger on a huge, unmitigated threat surface: transactions that are transported inside the business and between business units using message queuing technology. Message queuing is a cornerstone of B2B commerce, and in a highly interconnected system there are lots of entry points all using the same or similar technology, MQ Series or the TIB.

While organizations are busy optimizing their firewalls and load balancers, attackers can tap in, steal the data on the message bus and use it as a springboard to launch new attacks. It is conceivable that well-placed attacks on message queues in an intermediary player (for example a payment clearing house) could not only leave the processor unable to clear transactions but also serve as an entry point into upstream and downstream systems. A highly connected system of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade.

If these attacks cascade, the entire financial system could crash.

Although most customers are still fixated on perimeter security, I believe that Maryellen has a powerful value proposition for message queuing customers in the supply chains of key industries that rely on message interchange: banking, credit cards, health care and energy.


A strategy for combating cyber terror

Instead of getting some real work done this morning,  I started collating some thoughts on cyber security strategy. I guess it’s a lot easier to think about strategies than to fix buggy, risky code.

For most people – there are two worlds, the cyberspace world and the physical, people-populated world.

This dichotomy of two separate spaces has deeply influenced everything we do with information security.

There are corporate physical security people who handle doors, locks and phones, and corporate information security people who handle data and network security. The two and their staffs often do not report to the same manager.

On a government level, we have intelligence, military and police forces and cyber warfare and cyber crime groups inside each organization that may or may not be part of an integrated effort in the war on crime, drugs and terror.

It is a curious facet of our modern, technology-driven life that the adoption of a new technology is inversely proportional to the amount of publicity given to it. Who talks about plain old phones? Who talks about email as a killer application? No one.

People still tend to discuss the Internet and Facebook and their own social/work lives as if they are separate entities.

Using this model of graduated technology adoption, we can see that social media has not yet mainstreamed to the point where it is as much a part of our life as a phone. When as many people use Facebook or other social media to the same extent that they use a phone, there will be little to say about the “phenomenon of social media”.

However, there are already at least two large communities of people for whom the Internet and social media have already become part of their day-to-day work life.

These two notable examples are the software developer and hacker communities.  There is no cyber space and physical space, second life and real life; there is only the software and the communications channels that are a means to an end.

If physical space, people and cyber space form a continuum, there is no reason to build a security portfolio that treats cyber space and physical/people space separately.

People attack other people and their assets using multiple channels: physical, personal, removable device, email, web, wireless and cellular. Is cyberstalking less severe than a man following women home from the gym?

1) The first part of my proposed cyber security strategy is to adopt a single continuum of threat vectors, people and communications channels, whatever and wherever they are.

2) The second part of my strategy concerns means of reducing the cyber terror threat surface.

The academic definition of a terrorist, is a person who attacks civilians.

If we consider that cyber terror is not fundamentally different than bombers with suicide belts, we are drawn to consider the amount of damage caused by any terror attack whether on the street or in a database of customer records. Reducing the probability of attack means first of all, reducing the threat surface.

We can reduce the threat surface by dividing and conquering, keeping cyber terrorist strength small and counter-terrorist effectiveness high, and denying incentives for glorification and grandstanding of cyber terror activities. To minimize the glamour and sympathy factor, we should withhold real-time disclosure of information regarding the terror activities (see more on counter-terrorism on Wikipedia). Because we live in a real-time world of smart phones, Twitter and satellite phones, denying real-time exposure denies one of the key attacker advantages.

3) I am an advocate of proper thinking over brute force. A government, and certainly a business, cannot spend its way into a secure information posture.

This part of the cyber security strategy mandates spending less money on reactive countermeasures like anti-virus software, and reducing vulnerabilities by reducing the number of Windows machines by 10% a year and using Linux and FOSS technologies instead, which are cheaper and more secure. I have written here, here and here about why using Microsoft Windows is a bad idea. The discipline of software engineering (older and much better developed than information security engineering) has known for years that adding people to a late software development project only makes it later. Adding more anti-virus software only makes the Windows PCs even more vulnerable.

If we are serious about leveraging private-public partnerships in the war against cyber terror, instead of pouring billions into big defense contractors, let’s call up information security professionals for annual reserve duty in the war against cyber terror. I believe that the Chinese and Israelis already do this.

4) The fourth part of the cyber security strategy is to use offensive measures proactively against attackers before the fact and not after an event. Retaliation after an attack is not an effective security countermeasure for the next attack, since it only gives the attackers free publicity and increases their motivation. Taking focused, violent measures before an attack, given accurate intelligence, may be the best and safest way to reduce damage to civilian assets.

5) The fifth part of my proposed cyber security strategy suggests a demand-side strategy to reduce the social value of being a hacker.

Although there are offensive alternatives such as mounting systematic DDoS attacks on the attackers or developing targeted malware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. Perhaps we can learn from the counter-terror success of the Italians in the late 1970s and early 1980s in dismantling the Brigatisti: the Italian government infiltrated the Red Brigades, bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since malware is a form of terrorism, this strategy might be effective because it goes directly to the source and potentially denies a key hacker benefit, the social gratification.


Offensive security

I have written several times in the past, here, here and here, about the notion of taking cyber security on the offensive.

James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.

Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks. Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. But, if the attack had to do with a government’s critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.

For example, Anderson lists some activities that might be considered retaliatory:

  • legal information gathering to identify attackers,
  • direct blocking of network traffic from specific origins,
  • use of transaction identifiers that label the traffic as suspicious,
  • placement of honeypots,
  • identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
  • certain types of deception gambits against suspected internal malefactors.

This is not the first time that I’ve heard the notion of retaliation using cyber space methods. There are two things wrong with this direction: a) retaliation, and b) using cyber security methods to attack the attackers.

The notion that there are two separate universes, a physical universe and a cyber universe, is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive. That means using counter-terror techniques to discover hacker cells, infiltrate them and disrupt them in the physical world. The problem, of course, is the price tag. It’s cheap to mount a cyber attack, but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.

Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.

Retaliation in cyber space is too little, too late. Instead, I call on the US and other governments to actively combat cyber terror with the same resolve with which they attack physical-world terrorists.


Why your IT vendor doesn’t want you to do a risk analysis

Did you ever have a feeling that your IT integrator was treating you like a couple of guys selling you a Persian rug? “Take it now, it’s so beautiful, just perfect for your living room, a steal for only $10,000 and it’s on sale”, and when you ask if it will last, they tell you “Why do you want it to last? Enjoy, use it in good health, wear it out quickly and come back to the store so that we can sell you Persian Rug 2012”.

I had a meeting with a long-time client today – I’ve developed some systems for them in the FDA regulatory and clinical trial management space. We met for lunch to discuss a new project which involved an extension to an existing multi-center study.

The question of disaster recovery planning and offsite backup came up and  they asked me what I thought about backing up their clinical trial data together with their office file backups taken by their outsourcing IT provider.

I said this is a very bad idea because, while their IT contractor specializes in providing Microsoft Windows/Office support for small businesses, they just don’t have the know-how or security expertise for HIPAA-compliant data storage.

In general, small business IT integrators are behind the curve on data security, compliance, disaster recovery and application software security. Their job is to keep Microsoft SBS running smoothly and install anti-virus software, not to mitigate data security and HIPAA compliance threats. The typical SMB integrator mindset is dominated by the Microsoft monoculture, and I would not expect them to be able to analyze data security threats correctly.

Whenever I go somewhere I’m always looking at things from a security perspective: open doors, windows, things that could be easily lifted, who might be a threat. Storing clinical data with a bunch of Microsoft Office files is just too big a risk to take. The CEO accepted my recommendation to encrypt the data on a secure, hardened virtual server instance in the cloud and to monitor potential exposure to new emerging threats as their application and project portfolio evolves.

After lunch, back in the office, I realized that risk analysis is a threat to IT vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to an IT vendor salesperson who must make quota.

I am a big proponent of putting vendor suggestions aside and taking some time to perform a business threat analysis (shameless plug for our business threat analysis services: download our free white paper and learn more about Business Threat Modeling and security management). In a business threat analysis you ignore technology for a week or two and systematically collect assets, threats, vulnerabilities… and THEN examine the cost-effective security countermeasures.

Your vendor wants to sell you a fancy $20,000 application security/database firewall, but it may turn out that your top vulnerability is 10 contract field service engineers who schlep your company’s source code around on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure: free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.
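The numbers behind that comparison, worked through as an added example (not the white paper’s method and not code from the original posts), in the vocabulary the valley-of-death post proposes: assets, threats, countermeasures. Every figure below is a constructed, hypothetical estimate for the scenario in this post (a $20,000 database firewall against ten contractors’ notebooks); the annual loss of a threat is asset value times damage fraction times expected occurrences per year, and countermeasures are ranked by the annual risk they remove per dollar spent.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Asset is something the business loses money over if it is compromised.
type Asset struct {
	Name  string
	Value float64 // loss in USD if fully compromised (constructed)
}

// Threat is an attack on one asset with an estimated annual rate and damage fraction.
type Threat struct {
	Name       string
	Asset      string
	AnnualRate float64 // expected occurrences per year (constructed estimate)
	DamageFrac float64 // fraction of the asset value lost per occurrence
}

// Countermeasure has an annual cost and the fraction of each threat's risk it removes.
type Countermeasure struct {
	Name       string
	AnnualCost float64
	Mitigates  map[string]float64 // threat name -> fraction removed (0..1)
}

// Ranked is a countermeasure with the annual risk it removes and risk removed per dollar.
type Ranked struct {
	Name          string
	AnnualCost    float64
	RiskReduction float64
	Ratio         float64
}

// AnnualLoss is the annualized loss expectancy of one threat: value * damage * rate.
func AnnualLoss(t Threat, assets map[string]Asset) float64 {
	return assets[t.Asset].Value * t.DamageFrac * t.AnnualRate
}

// RankCountermeasures scores each countermeasure by annual risk removed per dollar
// and returns them best first. A free countermeasure that removes any risk is
// treated as infinitely cost-effective.
func RankCountermeasures(assets map[string]Asset, threats []Threat, cms []Countermeasure) []Ranked {
	out := make([]Ranked, 0, len(cms))
	for _, cm := range cms {
		var reduction float64
		for _, t := range threats {
			reduction += AnnualLoss(t, assets) * cm.Mitigates[t.Name]
		}
		r := Ranked{Name: cm.Name, AnnualCost: cm.AnnualCost, RiskReduction: reduction}
		switch {
		case cm.AnnualCost > 0:
			r.Ratio = reduction / cm.AnnualCost
		case reduction > 0:
			r.Ratio = math.Inf(1)
		}
		out = append(out, r)
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Ratio > out[j].Ratio })
	return out
}

// SampleModel is the constructed model of this post's scenario. All values are made up.
func SampleModel() (map[string]Asset, []Threat, []Countermeasure) {
	assets := map[string]Asset{
		"source code":       {Name: "source code", Value: 2000000},
		"customer database": {Name: "customer database", Value: 500000},
	}
	threats := []Threat{
		// 10 field engineers, each with a ~5%/year chance of losing a notebook.
		{Name: "stolen notebook with source code", Asset: "source code", AnnualRate: 0.5, DamageFrac: 0.2},
		{Name: "SQL injection against customer database", Asset: "customer database", AnnualRate: 0.1, DamageFrac: 0.5},
	}
	cms := []Countermeasure{
		{Name: "database firewall", AnnualCost: 20000,
			Mitigates: map[string]float64{"SQL injection against customer database": 0.7}},
		{Name: "fix the SQL injection in the code", AnnualCost: 5000,
			Mitigates: map[string]float64{"SQL injection against customer database": 0.95}},
		// The software is free; the cost is the effort to roll it out to 10 notebooks.
		{Name: "full-disk encryption on notebooks", AnnualCost: 1000,
			Mitigates: map[string]float64{"stolen notebook with source code": 0.9}},
	}
	return assets, threats, cms
}

func main() {
	assets, threats, cms := SampleModel()
	for _, t := range threats {
		fmt.Printf("threat %-42s annual loss $%.0f\n", t.Name, AnnualLoss(t, assets))
	}
	for _, r := range RankCountermeasures(assets, threats, cms) {
		fmt.Printf("%-36s cost $%6.0f  removes $%7.0f/yr  %.2f risk removed per $ spent\n",
			r.Name, r.AnnualCost, r.RiskReduction, r.Ratio)
	}
}
```

With these constructed figures the stolen-notebook threat carries $200,000 of annual loss against $25,000 for the injection, so disk encryption removes $180 of risk per dollar, fixing the code $4.75, and the $20,000 firewall $0.875; the vendor’s product comes last. The estimates are the hard part, and changing them changes the ranking, which is the whole point of doing the analysis before buying anything.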

Information security vendors often promote their backup/data loss prevention/data retention/application security products using a compliance boogeyman.

The marketing communications often reaches levels of the absurd as we can see in the following example:

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis, and asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404 requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test its important manual and automated financial reporting controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system; he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing or incorrect postings, he wanted to fix the problem, not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.


But the best part is the piece on the NetClarity Web site that claims that their product will help “Deter auditors from finding and writing up IT Security flaws on your network”.

And I suppose this really proves my point best of all.

Information security vendors like NetClarity have no economic incentive to really reduce data security and compliance breaches, since that would reduce sales; it is better business for them (not for their customers) to sell ineffective products.

This raises an interesting question about information security business models – but that’s a topic best left to another post.


Cyber crime costs over $1 trillion

A pitch from Alex Whitson of SC TV for a webinar on the LinkedIn Information Security Community piqued my attention with the following teaser:

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the webinar pitch didn’t cite any sources for the $1 trillion number or the $43.5 billion number.

A little googling revealed the UK government report UK Cyber crime costs UKP 27BN/year. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First, they don’t have any empirical data on actual cybercrime events.

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario- based approach.

Which is a nice way of saying

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second, reading through the report, there is a great deal of information relating to fraud of all kinds, and also to Stuxnet, which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program, although it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet  has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third, the UK study did not interview a single CEO in any of the sectors it covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO or CFO who cannot quantify their potential damage due to cyber crime, given a practical threat model and coached by an expert rather than a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR, which can always be leveraged into marketing activities. This is rarely reported in the balance sheet as an extraordinary expense, so one may assume that it is part of the cost of doing business.

Tech companies that have an IP breach are a different story, and I’ve spoken about that at length on the blog. I believe that small to mid-size companies are the hardest hit, contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the $1 trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft; one could easily blame an Obama staffer for not doing her homework….

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind leading to number inflation.

I have written on the problems associated with guessing and rounding up in the area of counterfeiting here  and software piracy.

Getting back to cyber crime, and using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage, whether it’s having her identity stolen and having to spend the next 6 months rebuilding her life, or crashing on a mountain bike with fake parts and getting killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly not by hyping the numbers for the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then, considering the rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns either. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I distinctly separate civilian crime from terror) would be education starting in first grade. Just as they told you how to cross the street, we should be educating our children in open, critical thinking and in not talking to strangers anywhere, not on the street and not on FB.

Regarding cyber terror, I have written at length about how the Obama administration is clueless on cyber terror.

One would hope that in defense of liberty the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian-sponsored cyber terror than stock answers like installing host-based intrusion detection on DoD PCs.


Obama cyberspace policy review

Last week, I got an email from the Internet Security Alliance (a trade association of companies like Raytheon and Northrop Grumman that lobbies the government on cyber-security issues) with Melissa Hathaway’s speech to the RSA Security conference.

Besides all the touchy-feely stuff, I didn’t understand anything she is saying (and I’m a native English speaker..). There were a few cute gems like this one:

“….Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.“.

Ms. Hathaway’s perspective on security appears to be influenced by the movies, which is consistent with President Obama, who thinks he’s living in an episode of “The West Wing“. If you can figure out what she’s saying, drop me a comment in this blog. Let’s circle back in 6 months after the report is made public and see how many cost-effective security countermeasures the government Cyberspace security task force has produced. Isn’t “cost-effective government” an oxymoron?


Social contracts for cyber security

An information security industry trade association (the ISAlliance – Internet Security Alliance) has been promoting the notion of a social contract between government and the private sector to improve cybersecurity. The ISAlliance includes representatives from Verizon, the National Association of Manufacturers, Nortel, the CyLab at Carnegie Mellon University, Raytheon, and Northrop Grumman.

According to the ISAlliance, the free-market-based approach that the Bush administration has used to encourage companies to improve cybersecurity is not sufficient, and the incoming Obama administration should form a cybersecurity social contract with industry based on economic incentives.
