Thursday, August 22, 2013

Just Published! Information Security Management Handbook, Sixth Edition, Volume 7

This is the first annual edition of the Information Security Management Handbook since 1994 without the guidance and the insight of Hal Tipton. Hal passed away in March 2012. He will be missed by a lot of people for a lot of reasons.

It seems that every year is an interesting one for information security, and 2012 was no different. It is interesting, too, how perceptive Kaspersky Labs, for example, was with its forecast. It also foreshadows the end of online trust and privacy. If you cannot trust digital certificates, what is left to trust?

Cyberwarfare has jumped to the front pages of every newspaper, both print and virtual. Stuxnet spawned Flame, Duqu, and Gauss. While we were all focused on attacks and espionage by China, France, and Israel, Iran mounted a DDoS (Distributed Denial of Service) attack against US banks in retaliation for sanctions that appear to be working. At the same time, Iran’s central bank was attacked. Added to the online attacks is the growing threat of supply chain security, and products shipped with back doors or embedded systems that let them phone home. Witness the difficulty Chinese telecom equipment suppliers like Huawei are having with gaining toeholds in the United States by purchasing the US suppliers.

While Russians and Eastern Europeans are not singled out for cyberwarfare, crime syndicates based there continue to threaten commerce and privacy.

Theft of passwords from LinkedIn and Dropbox, and what seem like daily reports of attacks on or by Facebook (not to mention Zuckerberg's Facebook page being hacked), show the lure of social media to hackers, and the dangers to the rest of us. And while Facebook and others do not install rootkits as Sony did, their data collection efforts, combined with the apparent insecurity of the site, emphasize the growing dangers of Big Data and the Cloud.

We saw a huge increase in hacktivism as Anonymous and LulzSec launched various attacks on both government and private sites around the world.

It was only a matter of time until Mac OS X became a profitable target. Once critical mass was reached, hackers could not resist investing the time to own it. As with Mac OS X, mobile devices are becoming even more alluring targets. We have seen the same types of attacks and malware used against PCs adapted to mobile, plus new threats like SMS (short message service) spoofing. Not surprisingly, Android, Google’s open platform, has suffered the most. Plus, the growing number of apps for all platforms introduces a level of threat that is hard to estimate, but definitely growing.

M2M and the Internet of Things are creating more opportunities for hackers. From NFC (near field communication) payments to utility sensors sending unencrypted data, this is a potentially lucrative area for fraud and identity theft. Sensor networks are now in the DIY (do-it-yourself) arena, which creates yet a new class of threats.

BYOD (Bring Your Own Device), IT consumerization, whatever you call it, is making life so much more fun for black hats. It has given new meaning to “insider threats.” With portable digital devices being introduced into the enterprise, both with and without permission, we are seeing a manifold increase in threats. Clearly, policies alone are not sufficient to deal with this, and it is unclear how draconian management wants to be with forcing compliance. The products exist, but does the will to use them?

Looking at 2013, the promise of more surveillance, both from governments and online data collectors, means less privacy, even for the most careful users. Short of totally disconnecting from the grid, if such a thing is possible now, it is apparent we do not and will not have privacy.

This edition of the Information Security Management Handbook addresses many of these trends and threats, plus new areas such as security SDLC (software development life cycle), as well as forensics, cloud security, and security management. Chris Hare takes an in-depth look at hacktivism, identifying the motivations and the players, and providing advice on how to protect against it. Becky Herold analyzes the security and privacy challenges of social media. Sandy Bacik looks at the security implications of BYOD, and the challenges of managing user expectations. The Smart Grid offers its own security and privacy challenges, as Terry Komperda explains. Noureddine Boudriga explains attacks in mobile environments.

There is new guidance on PCI and HIPAA/HITECH compliance. In addition to forensics and e-discovery, a chapter looks at cell phone protocols and operating systems from the perspective of a forensic investigator.

I have heard it said, “You can’t patch stupid.” So many of these attacks are successful because of clueless or irresponsible users. In what I hope is not a vain effort, Ken Shaurette and Tom Schleppenbach look at human firewall testing, social engineering, and security awareness. We also look at security and resilience in the software development life cycle, managing the security testing process, and SOA (service-oriented architecture) security.

Here is a shout out to my friend Jim Tiller, head of Security Consulting, Americas for HP Enterprise Security Services, for his help in preparing this edition. Jim’s done a lot for the Handbook over the years, and I am hoping he will continue.

All-in-all, this is a good volume of the Information Security Management Handbook. We are working on the next edition now. If you would like to contribute, please contact me at

You can order a copy here.

Wednesday, August 21, 2013

Is there anything really new happening?

I just received a flyer for another information security conference. Is there anything really new happening? I'm seeing sessions on the same old stuff, mostly at an introductory level. Sure, there are new threats and vulnerabilities popping up every day, but how different are they really? Even cloud, mobile, and big data are getting old, and we'll never solve the user problem. I mean, who doesn't know about this 

I've been trying for a long time to get someone to write books on DLP, SIEM, APT, GRC, ..., but am beginning to believe that these topics have jumped the shark. Aside from, maybe, identity and access management, what's going to drive people's need for information and, one can hope, book sales?

BTW, if anyone wants to accept the challenge of writing a book on identity and access management, let me know. It's a sure way to immortality (or at least as long as the Library of Congress exists).