From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 18 Oct 2001 22:06:21 -0700 (PDT)
Subject: [iwar] [fc:Five.Thoughts.About.Information.Security]

Five Thoughts About Information Security
By Daniel J. Horgan, Richard M. Smith, IDG Net, 10/18/2001
http://www.idg.net/ic_715062_1794_9-10000.html

September 26, 2001 - In the wake of the September 11 terrorist attack on New York and Washington, and in the midst of increasing concern about a potential attack on computer networks, corporations are reviewing the security of private information, and legislators are proposing new laws that give the government greater access to private information. We spoke about these developments with Richard M. Smith, CTO of the Privacy Foundation, a non-profit research organization based in Denver, Colo., that studies technology's influence on privacy.

How, in general, has the terrorism of September 11 changed the business of e-security?

Organizations are going to beef up security all the way around. Certainly, network security is going to be one area that they're going to be looking at. There is a lot of concern around a "Digital Pearl Harbor," the idea that someone could attack the U.S. through its computer networks. There is very little evidence that this is going on, but they are still concerned about it and will want to guard against it.

In addition to the heightened security we see at airports and public events, what new security guidelines should an organization put in place to protect its private information?

I expect companies to beef up their physical security, to do things like putting access cards on their buildings and using biometrics, but in terms of protecting information that a company has, that is a matter of making sure that the networks coming into the company are protected. We've just seen with the Nimda virus how difficult it is to secure a Web server that uses Microsoft software because that worm tried everything under the sun. It's important to understand what software you are running on your servers and to keep up with the patches from vendors.

As for firewalls, that gets into running intrusion detection software from the outside to see if you can get into your own networks. A lot of attacks now are possible through e-mail. Webpages and e-mail messages sail right through firewalls and most protection schemes, with the exception of virus protection software that runs on your e-mail server and strips off potentially dangerous attachments. Frankly, I think we need to view it as socially unacceptable to send executables in e-mails.

What about user awareness? What can be done to increase that?

That has always been a tough one. Two and a half years ago, when we had the Melissa virus, everybody supposedly knew that you were not supposed to click on file attachments from people you didn't know. Those were the rules. Then the rule changed to not open attachments even from people you know. The problem is that a lot of security decisions are made by people who do this all day long and who understand the threat, but when you talk to the average user about what you're supposed to do and how you are supposed to get patches, it sounds to them like mumbo jumbo. I really think that the software that people run on their desktop computers should be more inherently safe and not rely on user education.

Do you have a problem with Congress' proposals to enact laws that will put backdoors on data encryption software?

There are a lot of problems with this proposal. One is that it won't make a hill of beans of difference right now. It's like saying we need to paint the fighter jets, yet we need them to go to war and it really doesn't matter what color the paint is. It seems like a total distraction because even if the laws change it is going to take years for the software to be updated to meet this law. Another problem is that the old software won't go away, so the terrorists could always use the old software that doesn't have a backdoor.

Do some laws that have been proposed violate the privacy rights of the online user, or should national security interests take precedence over the right to privacy?

Anytime you have a wartime situation the laws change and put restrictions on what we are able to do. It's not too surprising that we will have some measures put in place that are intrusive in our daily lives. Whether it is freedom or privacy or just inconvenience, most people will understand that that is an acceptable thing. The real danger is that they want to extend the way wiretapping works, particularly in the Internet arena. They are trying to slide it by in this time of crisis and we'll have to live with it for five, ten or twenty years. I'd rather see them think this through a little better. I don't think national security interests can trump privacy interests or vice versa.

When talking about privacy we should remember that much of what we do is recorded in some way, which all started with the credit card. Nowadays we see paper trails of where we went on the Web, when we used our cell phones, when we use the highway with the EZ Pass system, when we use the ATM, and so on. So a tremendous amount of our lives is being recorded by computers and video surveillance equipment, which is the bad news. The good news is that most of that info has so far been used for services, and only sparingly by police.

------------------ http://all.net/
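The interview's answer on e-mail mentions virus protection running on the mail server that strips potentially dangerous attachments, and argues that executables should not travel by e-mail at all. The following is an added example of such a gateway rule, not code from the interview, the mailing list, or any product named above. It assumes a simple policy of its own: an attachment is treated as executable when its file name ends in one of a listed set of extensions or its declared content type is one of a listed set, and each such part is replaced in place by a short text notice. The sample message, file names and content are constructed for the demonstration.

```python
"""Strip executable attachments from an RFC 822 message at a mail gateway.

Added example (not part of the original interview or mailing-list post).
The policy below is an assumption made for the example: the gateway drops
attachments whose final file-name extension is in EXECUTABLE_EXTENSIONS or
whose declared MIME type is in EXECUTABLE_CONTENT_TYPES, replacing each with
a plain-text notice so the recipient knows something was removed.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed gateway policy: final extensions treated as executable content.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "dll", "lnk",
}
# Assumed gateway policy: declared types treated as executable regardless of name.
EXECUTABLE_CONTENT_TYPES = {
    "application/x-msdownload", "application/x-msdos-program", "application/hta",
}


def is_executable_part(part: EmailMessage) -> bool:
    """Return True when a leaf MIME part looks like an executable attachment."""
    if part.is_multipart():
        return False
    if part.get_content_type() in EXECUTABLE_CONTENT_TYPES:
        return True
    name = part.get_filename()
    if not name:
        return False
    # Only the final extension counts: "report.pdf.exe" is still an .exe.
    ext = PurePosixPath(name).suffix.lower().lstrip(".")
    return ext in EXECUTABLE_EXTENSIONS


def strip_executables(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw message, replace executable parts with a notice, and
    return the modified message together with the names of removed parts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    # Snapshot the tree first because parts are rewritten in place.
    for part in list(msg.walk()):
        if not is_executable_part(part):
            continue
        name = part.get_filename() or part.get_content_type()
        removed.append(name)
        part.clear_content()  # drops the payload and every Content-* header
        part.set_content(f"[Attachment '{name}' removed by gateway policy]")
    return msg, removed


def attachment_names(msg: EmailMessage) -> list[str]:
    """File names of the parts still delivered as attachments."""
    return [
        p.get_filename()
        for p in msg.walk()
        if p.get_content_disposition() == "attachment"
    ]


def build_sample(include_executable: bool = True) -> bytes:
    """Constructed sample message: a harmless attachment plus, optionally,
    a disguised executable with a double extension."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "quarterly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    if include_executable:
        msg.add_attachment(b"MZ\x90\x00constructed sample", maintype="application",
                           subtype="octet-stream", filename="report.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, dropped = strip_executables(build_sample())
    print("removed:", dropped)                 # ['report.pdf.exe']
    print("delivered:", attachment_names(cleaned))  # ['report.pdf']
```

The double-extension case is the one worth noting: a name like `report.pdf.exe` displays as a PDF in mail clients that hide known extensions, which is why the check looks only at the final suffix rather than at whether a document-like name appears anywhere in it. Checking the declared content type as well catches parts that carry an executable type with no file name at all.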
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST