Title: Katrina's Gift: A Wake-Up Call for Improved Disaster Planning
Authors: R. Vedder
Pub Date: 2006-12-01
DOI: 10.1080/10658980601051839
Abstract: The forced evacuation in 2005 of two major U.S. cities provides an excellent opportunity for IT executives to take stock of their plans for disaster management. Your first reaction to this statement might be, “But my company doesn't operate anyplace where a major hurricane could strike.” Think again. Aside from potential urban paralysis caused by other natural events, such as a massive earthquake or F5 tornado, cities are prime targets for terrorism. In addition to biological and chemical attacks, terrorists could explode a radiological bomb in a major urban center. (A radiological bomb is not a nuclear weapon. It is an ordinary explosive device encased with highly radioactive particulate materials. The objective is to disperse these materials into the air and thus render many square miles of a city uninhabitable for years or even decades.) Because of terrorism and other threats, you and your IT department do have to worry about a possible mass urban evacuation.
Title: Securing Against Insider Attacks
Authors: D. M. Lynch
Pub Date: 2006-11-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95430.6
Abstract: We are all creatures of habit; the way we think and the views we take are conditioned by our education, society as a whole, and, at a much deeper level, our cultural memories or instinct.
Title: Information Security Tradeoffs: The User Perspective
Authors: Gerald V. Post, A. Kagan
Pub Date: 2006-11-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95428.4
Abstract: When taking a typical approach to computer security, one could make the following relatively extreme statements: A piece of data can be rendered completely secure with 100 percent assurance. Simply write the data on a piece of paper, burn the paper, and scatter the ashes. No one will be able to read or alter that data ever again. Of course, this exercise and the underlying premise are a trick. Understanding the deception is the key to understanding information security: Data that is being “protected” has to remain available to legitimate users. There is a strong tendency for information security researchers and practitioners to focus on “securing” data by preventing attacks and loss of data. An IS practitioner's job might depend on preventing and recovering from security-related problems. However, increased monitoring and enhanced use of security controls can easily lead to interference and delays of information usage for legitimate users.
Title: Implementing Security Metrics Initiatives
Authors: Elizabeth A. Nichols, Andrew Sudbury
Pub Date: 2006-11-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95429.5
Abstract: Although Global 2000 organizations today are becoming increasingly aware of the importance of a metrics program to maximize the effectiveness of an information security strategy, there's little guidance available around the practical “how to's” of putting such a program into practice. As a result, security metrics are shrouded in mystery and are considered “too hard” to do—with the end result being that this necessary and effective management tool has yet to be implemented at many organizations, and in the organizations where it has been launched, it has yet to be automated to ease management and reduce resource costs.
Title: Measuring Security
Authors: Abe Kleinfeld
Pub Date: 2006-11-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95426.2
Abstract: Ask a CEO a very broad question such as, “How is your company doing?” and he or she is likely to rattle off concise metrics describing revenue, earnings per share, gross margin, and market share. These few metrics, measured over time, provide a surprisingly clear picture of the health and well-being of a company and whether its prospects are improving or deteriorating. However, ask that same CEO a far narrower question: “How secure is your network?” and you're likely to be met with a blank stare.
Title: Password Security: An Empirical Investigation into E-Commerce Passwords and Their Crack Times
Authors: J. Cazier, B. Medlin
Pub Date: 2006-11-01
DOI: 10.1080/10658980601051318
Abstract: Strong passwords are essential to the security of any e-commerce site as well as to individual users. Without them, hackers can penetrate a network and stop critical processes that assist consumers and keep companies operating. For most e-commerce sites, consumers have the responsibility of creating their own passwords and often do so without guidance from the web site or system administrator. One fact is well known about password creation—consumers do not create long or complicated passwords because they cannot remember them. Through an empirical analysis, this paper examines whether the passwords created by individuals on an e-commerce site use either positive or negative password practices. This paper also addresses the issue of crack times in relationship to password choices. The results of this study will show the actual password practices of current consumers, which could enforce the need for systems administrators to recommend secure password practices on e-commerce sites and in general.
Title: Social Engineering: Concepts and Solutions
Authors: Thomas R. Peltier
Pub Date: 2006-11-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95427.3
Abstract: Social engineering attacks are usually conducted by outsiders who use a variety of psychological tricks to get the computer user to give them the information they need to access a computer or network. Do not be confused about the concept of “outsiders.” Although the true outside hackers get the headlines, the far more prevalent form of social engineering is conducted by one employee on another employee.
Title: Protecting Your Internal Resources with Intranet Application Firewalls
Authors: Alan Murphy
Pub Date: 2006-11-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95431.7
Abstract: Web application firewalls (WAFs) are rapidly becoming a key component of end-to-end network security. Although the market is still struggling to move beyond the early adopter stages, WAF placement in the network is now well known and generally accepted as a necessary requirement. When looking at total security architecture, securing public Web applications over ports 80 and 443 is the next logical step to perimeter security: the concept of restricting access from the outside to the resources on the inside. Coupled with network firewalls, HTTP application firewalls can close perimeter security holes opened by allowing unrestricted access to public Web servers. But focusing solely on external, public application security is only half of the solution. Internal Web-based applications, such as corporate intranets, HR systems, CRM systems, HTTP-based databases, and report management applications, can also be at risk for the same open-access reasons, but from trusted internal attackers.
Title: MetaFisher: Next–Generation Bots and Phishing
Authors: Ken Dunham
Pub Date: 2006-10-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95425.1
Abstract: MetaFisher is a little-known code to most, yet it is one of the most important as we consider current-day and future threats. It's the most sophisticated bot ever developed. It utilizes a PHP command and control interface to monitor, update, and control bots. This is a pull technique instead of the traditional push technique utilized within IRC. Additionally, it contains sophisticated phishing attacks that dynamically inject HTML into targeted banking sites to steal information from the victim. MetaFisher is a cause for alarm, revealing the sophistication behind criminal fraud and hacker-for-hire situations that have matured over the past few years on the Internet.
Title: Securing RFID Applications: Issues, Methods, and Controls
Authors: Stuart C. K. So, John J. Liu
Pub Date: 2006-09-01
DOI: 10.1201/1086.1065898X/46353.15.4.20060901/95123.5
Abstract: Radio frequency identification (RFID) is an automatic identification (auto-ID) technology developed by the Auto-ID Center at the Massachusetts Institute of Technology, relying on storing and remotely retrieving data using devices called RFID tags and readers (Auto-ID Center, 2002; Doyle, 2004; EPC, 2004b; Finkenzeller, 2000; Shepard, 2005). With RFID technology, physical assets will have embedded intelligence that allows them to communicate with each other and with the tracking points (Auto-ID Center, 2002; IBM, 2003; VeriSign, 2004).