Pub Date : 2006-07-01DOI: 10.1201/1086.1065898X/46183.15.3.20060701/94187.7
Karim Toubba
Abstract Businesses have learned that perimeter security is no longer enough to protect critical data, and many are now touting the benefits of encrypting the data held in storage and backup systems. Driven largely by the awareness of security breaches, lawmakers, credit card issuers, and consumers themselves are holding organizations accountable for the protection of personal data. Today, businesses that suffer a security breach in which customer data is lost or stolen face widespread negative publicity, lost business, lawsuits, and fines that can threaten their viability. Although it's easy to immediately think that the storage or backup systems were compromised, it's important to note that, in an analysis of 45 of the reported incidents of data theft that occurred in the first half of 2005, only a small percentage were due to theft or loss of backup tapes. Far more prevalent were incidents in which insiders or outside attackers gained access to sensitive information through application-level attacks — attacks storage-level encryption wouldn't have prevented. This is why it is important for businesses to encrypt data at the Web, application, or database layer. Encrypting data as it enters the business, rather than having it stay in a readable state while it is used in various applications throughout the network, protects that data from both internal and external threats.
{"title":"Employing Encryption to Secure Consumer Data","authors":"Karim Toubba","doi":"10.1201/1086.1065898X/46183.15.3.20060701/94187.7","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46183.15.3.20060701/94187.7","url":null,"abstract":"Abstract Businesses have learned that perimeter security is no longer enough to protect critical data, and many are now touting the benefits of encrypting the data held in storage and backup systems. Driven largely by the awareness of security breaches, lawmakers, credit card issuers, and consumers themselves are holding organizations accountable for the protection of personal data. Today, businesses that suffer a security breach in which customer data is lost or stolen face widespread negative publicity, lost business, lawsuits, and fines that can threaten their viability. Although it's easy to immediately think that the storage or backup systems were compromised, it's important to note that, in an analysis of 45 of the reported incidents of data theft that occurred in the first half of 2005, only a small percentage were due to theft or loss of backup tapes. Far more prevalent were incidents in which insiders or outside attackers gained access to sensitive information through application-level attacks — attacks storage-level encryption wouldn't have prevented. This is why it is important for businesses to encrypt data at the Web, application, or database layer. Encrypting data as it enters the business, rather than having it stay in a readable state while it is used in various applications throughout the network, protects that data from both internal and external threats.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"86588453","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-07-01DOI: 10.1201/1086.1065898X/46183.15.3.20060701/94184.4
Paul Chen
Abstract Statistics show that as much as 60 percent of business-critical data now resides in e-mail, making it potentially the most important repository of data your company owns. This huge amount of data — which is growing on a daily basis — translates into a significant burden on corporate storage resources.
{"title":"E-Mail Archiving: Understanding the Reasons, Risks, and Rewards","authors":"Paul Chen","doi":"10.1201/1086.1065898X/46183.15.3.20060701/94184.4","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46183.15.3.20060701/94184.4","url":null,"abstract":"Abstract Statistics show that as much as 60 percent of business-critical data now resides in e-mail, making it potentially the most important repository of data your company owns. This huge amount of data — which is growing on a daily basis — translates into a significant burden on corporate storage resources.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"78489719","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-05-01DOI: 10.1201/1086.1065898X/46051.15.2.20060501/93403.2
Ken Dunham
Abstract Peer-to-peer (P2P) applications have been one of the hottest things on the market for users — both at home and at the office — in the past few years. Unfortunately, there are many security risks associated with P2P programs, such as Kazaa, eDonkey, and others. Even if a corporation has a policy against P2P applications, it is at an increased risk due to the popularity of such programs and abuse by employees and contractors. This article provides an overview of some of the common threats introduced by P2P applications.
{"title":"The Problem with P2P","authors":"Ken Dunham","doi":"10.1201/1086.1065898X/46051.15.2.20060501/93403.2","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46051.15.2.20060501/93403.2","url":null,"abstract":"Abstract Peer-to-peer (P2P) applications have been one of the hottest things on the market for users — both at home and at the office — in the past few years. Unfortunately, there are many security risks associated with P2P programs, such as Kazaa, eDonkey, and others. Even if a corporation has a policy against P2P applications, it is at an increased risk due to the popularity of such programs and abuse by employees and contractors. This article provides an overview of some of the common threats introduced by P2P applications.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81018505","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-05-01DOI: 10.1201/1086.1065898X/46051.15.2.20060501/93405.4
B. Materna
Abstract The deployment of Voice-over-IP (VoIP), or IP telephony, is accelerating rapidly. Due to the numerous benefits of VoIP systems, including the reduced cost of deployment and management, IP-PBXs are now outselling traditional PBXs and, by 2009, will represent 91 percent of all enterprise phone systems worldwide. As more and more private- and public-sector organizations and service providers plan the migration to VoIP and the associated emerging real-time services, such as IP TV, conferencing, and IP multimedia subsystem (IMS), the need to secure IP communications is becoming increasingly urgent.
{"title":"Proactive Security for VoIP Networks","authors":"B. Materna","doi":"10.1201/1086.1065898X/46051.15.2.20060501/93405.4","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46051.15.2.20060501/93405.4","url":null,"abstract":"Abstract The deployment of Voice-over-IP (VoIP), or IP telephony, is accelerating rapidly. Due to the numerous benefits of VoIP systems, including the reduced cost of deployment and management, IP-PBXs are now outselling traditional PBXs and, by 2009, will represent 91 percent of all enterprise phone systems worldwide. As more and more private- and public-sector organizations and service providers plan the migration to VoIP and the associated emerging real-time services, such as IP TV, conferencing, and IP multimedia subsystem (IMS), the need to secure IP communications is becoming increasingly urgent.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76312454","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-05-01DOI: 10.1201/1086.1065898X/46051.15.2.20060501/93402.1
J. Tiller
Abstract In 1998, I was working in Germany designing a 5,000-site IP security (IPSec) virtual private network (VPN) solution encompassing 125 countries for a logistics company. The options were few. Timestep had the best product during that time, and many other IPSec products were emerging, such as Altiga, Novell's Border- Manager, and Checkpoint. Of course, Cisco was very interested but didn't have solid IPSec code. Cisco got involved and insisted that, with a little work, they could have a meaningful solution. This boded well for the client given that they used Cisco for all their networking gear, making the whole philosophy very attractive.
{"title":"Security Answers the Call","authors":"J. Tiller","doi":"10.1201/1086.1065898X/46051.15.2.20060501/93402.1","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46051.15.2.20060501/93402.1","url":null,"abstract":"Abstract In 1998, I was working in Germany designing a 5,000-site IP security (IPSec) virtual private network (VPN) solution encompassing 125 countries for a logistics company. The options were few. Timestep had the best product during that time, and many other IPSec products were emerging, such as Altiga, Novell's Border- Manager, and Checkpoint. Of course, Cisco was very interested but didn't have solid IPSec code. Cisco got involved and insisted that, with a little work, they could have a meaningful solution. This boded well for the client given that they used Cisco for all their networking gear, making the whole philosophy very attractive.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87383873","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-05-01DOI: 10.1201/1086.1065898X/46051.15.2.20060501/93404.3
Darrell Epps, S. Tanner, Carl Silva
Abstract As one of the most rapidly emerging communications technologies, Voice-over-IP (VoIP) is gaining momentum as the de facto standard for delivering voice traffic in private networks. According to InfoTech, by 2005, 73 percent of all enterprises will have at least started to implement IP telephony. The total U.S. revenue associated with this newer technology, including systems, services, and applications, will grow significantly from $5.02 billion in 2004 to $17.24 billion in 2009.
{"title":"Can VoIP Secure Itself for the Next Technology Wave?: A Look at Assessing Vulnerability in a Converged Environment","authors":"Darrell Epps, S. Tanner, Carl Silva","doi":"10.1201/1086.1065898X/46051.15.2.20060501/93404.3","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46051.15.2.20060501/93404.3","url":null,"abstract":"Abstract As one of the most rapidly emerging communications technologies, Voice-over-IP (VoIP) is gaining momentum as the de facto standard for delivering voice traffic in private networks. According to InfoTech, by 2005, 73 percent of all enterprises will have at least started to implement IP telephony. The total U.S. revenue associated with this newer technology, including systems, services, and applications, will grow significantly from $5.02 billion in 2004 to $17.24 billion in 2009.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81668479","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-05-01DOI: 10.1201/1086.1065898X/46051.15.2.20060501/93407.6
Xin-gao Luo
Abstract In the past, the main anti-malware targets for IT were viruses and worms. Yet, information privacy and security control are being increasingly challenged by the mushrooming emergence and propagation of spyware, which is one of the perilous cyber-threats confronting the IT community in terms of privacy violation. In general, most people regard spyware as a stealthy transmitter gathering and passing sensitive personal information to a third party over the Internet without awareness or permission. Stafford and Urbaczewski refer to spy- ware as “a ghost in the machine” [1] due to its surreptitious nature compared to viruses and worms. Warkentin et al. [2] further expand the description by arguing that “spy- ware is a client-side software component that monitors the use of client activity and sends the collected data to a remote machine.” The rapid penetration of broadband Internet connections, coupled with a wide variety of free software downloads and weakly managed peer-to-peer (P2P) transmissions, has provided a hotbed for the pervasion of spyware. Notwithstanding, in the early development stage, spyware has the potential and specificity to surreptitiously trigger more severe calamities than viruses and worms if we don't have comprehensive management and prudent control.
{"title":"A Holistic Approach for Managing Spyware","authors":"Xin-gao Luo","doi":"10.1201/1086.1065898X/46051.15.2.20060501/93407.6","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46051.15.2.20060501/93407.6","url":null,"abstract":"Abstract In the past, the main anti-malware targets for IT were viruses and worms. Yet, information privacy and security control are being increasingly challenged by the mushrooming emergence and propagation of spyware, which is one of the perilous cyber-threats confronting the IT community in terms of privacy violation. In general, most people regard spyware as a stealthy transmitter gathering and passing sensitive personal information to a third party over the Internet without awareness or permission. Stafford and Urbaczewski refer to spy- ware as “a ghost in the machine” [1] due to its surreptitious nature compared to viruses and worms. Warkentin et al. [2] further expand the description by arguing that “spy- ware is a client-side software component that monitors the use of client activity and sends the collected data to a remote machine.” The rapid penetration of broadband Internet connections, coupled with a wide variety of free software downloads and weakly managed peer-to-peer (P2P) transmissions, has provided a hotbed for the pervasion of spyware. Notwithstanding, in the early development stage, spyware has the potential and specificity to surreptitiously trigger more severe calamities than viruses and worms if we don't have comprehensive management and prudent control.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90043781","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-05-01DOI: 10.1201/1086.1065898X/46051.15.2.20060501/93406.5
K. Curran, J. Honan
Abstract Spam can be defined as unsolicited e- mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups. Spoofing (Templeton and Levitt, 2003) is a technique often used by spammers to make them harder to trace. Trojan viruses embedded in e-mail messages also employ spoofing techniques to ensure the source of the message is more difficult to locate (Ishibashi et al., 2003). Spam filters and virus scanners can eliminate only a certain amount of spam and also risk catching legitimate e-mails. As the SoBig virus has demonstrated, virus scanners themselves actually add to the e-mail traffic, through notification and bounceback messages. Simple Mail Transfer Protocol (SMTP) is flawed in that it allows these e-mail headers to be faked and does not allow for the sender to be authenticated as the real sender of the message. If this problem can be solved, it will result in a reduction in spam e-mail messages and more security for existing e-mails, and it will allow e-mail viruses to be tracked down and stopped more effectively (Schwartz and Garfinkel, 1998). This approach is known as “trusted e-mail.”
垃圾邮件可以定义为未经请求的电子邮件,通常具有商业性质,不加区分地发送给多个邮件列表,个人或新闻组。欺骗(Templeton and Levitt, 2003)是垃圾邮件发送者经常使用的一种技术,使他们更难被追踪。嵌入在电子邮件消息中的木马病毒也采用欺骗技术来确保消息的来源更难以定位(Ishibashi et al., 2003)。垃圾邮件过滤器和病毒扫描程序只能消除一定数量的垃圾邮件,而且还可能捕获合法电子邮件。正如SoBig病毒所证明的那样,病毒扫描程序本身实际上通过通知和回复消息增加了电子邮件流量。简单邮件传输协议(Simple Mail Transfer Protocol, SMTP)存在缺陷,因为它允许伪造这些电子邮件头,并且不允许将发送者作为消息的真正发送者进行身份验证。如果这个问题可以解决,它将导致垃圾邮件信息的减少和现有电子邮件的更多的安全性,它将允许电子邮件病毒被追踪和更有效地阻止(Schwartz和Garfinkel, 1998)。这种方法被称为“可信电子邮件”。
{"title":"Eliminating the Volume of Spam E-Mails Using a Hashcash-Based Solution","authors":"K. Curran, J. Honan","doi":"10.1201/1086.1065898X/46051.15.2.20060501/93406.5","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46051.15.2.20060501/93406.5","url":null,"abstract":"Abstract Spam can be defined as unsolicited e- mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups. Spoofing (Templeton and Levitt, 2003) is a technique often used by spammers to make them harder to trace. Trojan viruses embedded in e-mail messages also employ spoofing techniques to ensure the source of the message is more difficult to locate (Ishibashi et al., 2003). Spam filters and virus scanners can eliminate only a certain amount of spam and also risk catching legitimate e-mails. As the SoBig virus has demonstrated, virus scanners themselves actually add to the e-mail traffic, through notification and bounceback messages. Simple Mail Transfer Protocol (SMTP) is flawed in that it allows these e-mail headers to be faked and does not allow for the sender to be authenticated as the real sender of the message. If this problem can be solved, it will result in a reduction in spam e-mail messages and more security for existing e-mails, and it will allow e-mail viruses to be tracked down and stopped more effectively (Schwartz and Garfinkel, 1998). This approach is known as “trusted e-mail.”","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87100039","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-05-01DOI: 10.1201/1086.1065898X/46051.15.2.20060501/93408.7
R. Ramanathan
Abstract A competitive business views information technology (IT) as an integral part of itself in achieving the business mission. On the other hand, IT cannot stand up to the service level agreement (SLA) with the business units if it views solutions in an ad hoc way [1]. In a time where the IT as a business enabler and enhancer is the target of unanticipated attacks from various agents, the entity at risk is the business itself and the trust the business has developed so far in the IT [2]. Government initiatives, such as the Critical Infrastructure Protection Act [3], include even the assets owned by private industry, such as those of major banking and energy sectors, as a part of the national asset. They mandate that companies take initiatives to protect and make information resources available, despite possibilities of threats [4].
{"title":"Thinking Beyond Security","authors":"R. Ramanathan","doi":"10.1201/1086.1065898X/46051.15.2.20060501/93408.7","DOIUrl":"https://doi.org/10.1201/1086.1065898X/46051.15.2.20060501/93408.7","url":null,"abstract":"Abstract A competitive business views information technology (IT) as an integral part of itself in achieving the business mission. On the other hand, IT cannot stand up to the service level agreement (SLA) with the business units if it views solutions in an ad hoc way [1]. In a time where the IT as a business enabler and enhancer is the target of unanticipated attacks from various agents, the entity at risk is the business itself and the trust the business has developed so far in the IT [2]. Government initiatives, such as the Critical Infrastructure Protection Act [3], include even the assets owned by private industry, such as those of major banking and energy sectors, as a part of the national asset. They mandate that companies take initiatives to protect and make information resources available, despite possibilities of threats [4].","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"72899623","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2006-03-01DOI: 10.1201/1086.1065898X/45926.15.1.20060301/92683.6
Tommy Ward
Abstract If your company is like many others, you have put a lot of effort into securing your information systems. You've implemented technology and procedures at great expense, but you may be omitting an important last step: secure off-site storage.
{"title":"Security of Backup Data","authors":"Tommy Ward","doi":"10.1201/1086.1065898X/45926.15.1.20060301/92683.6","DOIUrl":"https://doi.org/10.1201/1086.1065898X/45926.15.1.20060301/92683.6","url":null,"abstract":"Abstract If your company is like many others, you have put a lot of effort into securing your information systems. You've implemented technology and procedures at great expense, but you may be omitting an important last step: secure off-site storage.","PeriodicalId":36738,"journal":{"name":"Journal of Information Systems Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2006-03-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"75641231","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: