VOLUME 36 | ISSUE 36 | 20 July 2014

Article of the Month

Information Security Discipline Requires a Paradigm Shift
If you examine it closely, the information security discipline predates the advent of computers. The term may have been coined later, but ever since mankind started creating, processing and transmitting information, security problems have popped up. The first generation of information security professionals were not the first batch of CISSPs. In fact, they probably lived 7000 years ago, carving hieroglyphs in Ancient Egypt, and a few centuries later, writing secret military communications on parchment in Ancient Greece.
One fact characterises the evolution of the information security discipline over the years: the increasing technical sophistication of both the problems and the potential solutions. This technical sophistication has accelerated during the Information Age. But what is behind it? It is the fundamental belief that improving technology can help solve information security problems better, an assertion the author would like to call the "technology paradigm" of information security. However, many information security professionals would disagree that we are bound by such a paradigm. After all, almost every information security textbook states that security cannot be achieved by technical means alone. Information security standards such as ISO/IEC 27001 and 27002 mandate many procedural and administrative controls in addition to the technical ones.
It is true that some social, organisational and administrative aspects are taken into consideration by the security profession. However, they are not seen in the same light as technology under the current security paradigm. To elaborate, security is designed with two types of subsystem in mind: the technology and the people who use the technology. Information security is very much concerned with the technology subsystem and, to an extent, with the interface between technology and people (e.g., access control). However, very little attention is paid to how interactions between people and organisational or contextual factors affect security, and there are few controls in that space.
Ample evidence can be provided for the dominance of the technology paradigm in information security. A survey of the information security research literature found that 94% of all research in the domain focuses on the technology aspect, while only a handful of papers address social and organisational aspects [1]. According to the 2014 Global State of Information Security Survey [2], published by PwC, only 48% of organisations have carried out behavioural profiling or monitoring, at a time when technical controls such as malware protection and network traffic monitoring are ubiquitous.
As pointed out by the famous philosopher Thomas Kuhn, it is normal for a scientific discipline to be dominated by a single paradigm, or way of viewing problems in the domain [3]. The anomalies, or "difficult problems", that cannot be solved within the paradigm are typically brushed aside due to the lack of models and tools to solve them. The information security discipline has been following the same pattern. We have solved many technical problems and either pushed aside the ones that are socio-technical or offered technical solutions to those problems. A good example is insider threats. Until recently, almost all controls against insider threats were technical. However, recent high-profile insider threat events, such as the Edward Snowden incident [4], have brutally exposed the inadequacy of our approach to this problem. As pointed out by Kuhn, times like this are ideal for paradigm shifts to occur, as people find new ways of analysing problems and synthesising knowledge. A shift from a purely technical to a socio-technical paradigm of information systems security is further facilitated by the availability of models and tools we can borrow from other disciplines. Suitable theoretical frameworks, such as Socio-Technical Systems Theory [5], have been around for decades. Today, there are plenty of options for organisations to track people's behaviour and intentions through sources such as online social networks, emails and blog posts. Moreover, wearable sensor technologies enable even more traditional forms of communication to be tracked. Advances in data analytics (Big Data is the new buzzword!) enable organisations to draw insights from large volumes of data.
Already, there is evidence of a paradigm shift in the information security discipline. A good example is the evolution of access control models. The early Discretionary and Mandatory Access Control models were followed by Role-Based models [6], which are gradually being superseded by the newer Attribute-Based (ABAC) [7] and Risk-Adaptable Access Control (RAdAC) [8] models. However, a paradigm shift in the discipline will not only help solve certain problems, but will create new ones as well. For instance, we have to address privacy and ethical concerns when we analyse a social subsystem. Security professionals should not resent this. After all, when you take a pill to cure an illness, it inevitably creates some side effects. More importantly, those new challenges are essential for a scientific discipline to keep moving forward.
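The progression the article names, from role-based to attribute-based to risk-adaptable decisions, is easier to see side by side. The following is an added illustration, not code from the newsletter or its author; the policy rules, attribute names, risk signals and their weights are all constructed for the example. It shows how an RBAC check looks only at the subject's role, how ABAC also evaluates attributes of the resource and the request context, and how a RAdAC-style decision additionally weighs a contextual risk score against the sensitivity of the resource and the declared operational need.

```python
"""Added example: RBAC -> ABAC -> RAdAC decision logic side by side.

Everything here (roles, attributes, risk signals, weights, thresholds) is
constructed for illustration and is not a real product's policy language.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: dict                                   # who asks: roles, clearance, department
    resource: dict                                  # what is asked for: classification, department
    context: dict = field(default_factory=dict)     # how/when/where: device, location, hour, need


# --- 1. RBAC: the only input is the subject's role -------------------------------
ROLE_PERMISSIONS = {                                # constructed role-to-action table
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}


def rbac_decide(req: Request, action: str) -> bool:
    """Allow if any of the subject's roles carries the requested action."""
    roles = req.subject.get("roles", [])
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


# --- 2. ABAC: subject, resource and context attributes are all evaluated ---------
# Each rule is (description, predicate(subject, resource, context, action)).
ABAC_RULES = [
    ("clearance must cover the resource classification",
     lambda s, r, c, a: s.get("clearance", 0) >= r.get("classification", 0)),
    ("subject must belong to the resource's department",
     lambda s, r, c, a: s.get("department") == r.get("department")),
    ("write and delete require a managed device",
     lambda s, r, c, a: a == "read" or bool(c.get("managed_device", False))),
]


def abac_decide(req: Request, action: str):
    """Return (allowed, [descriptions of the rules that failed])."""
    s, r, c = req.subject, req.resource, req.context
    failed = [name for name, rule in ABAC_RULES if not rule(s, r, c, action)]
    return (not failed, failed)


# --- 3. RAdAC: the ABAC outcome is modulated by risk and operational need --------
RISK_WEIGHTS = {                                    # constructed contextual risk signals
    "off_hours": 2,
    "unmanaged_device": 3,
    "unusual_location": 3,
    "recent_failed_logins": 2,
}


def risk_score(context: dict) -> int:
    """Sum the weights of every risk signal present in the request context."""
    return sum(w for signal, w in RISK_WEIGHTS.items() if context.get(signal))


def radac_decide(req: Request, action: str) -> str:
    """Return "allow", "step_up" (extra verification needed) or "deny".

    The risk the organisation tolerates shrinks as classification rises
    (constructed scale: classification 0..3 maps to tolerance 6..0).
    A declared operational need (0 routine, 1 elevated, 2 emergency) can
    stretch that tolerance, but only as far as a step-up decision, never to
    an unconditional allow.
    """
    allowed, _failed = abac_decide(req, action)
    if not allowed:                                 # static policy still rules first
        return "deny"
    risk = risk_score(req.context)
    tolerance = 6 - 2 * req.resource.get("classification", 0)
    need = req.context.get("operational_need", 0)
    if risk <= tolerance:
        return "allow"
    if risk <= tolerance + 2 * need:
        return "step_up"
    return "deny"


if __name__ == "__main__":
    analyst = {"roles": ["analyst"], "clearance": 2, "department": "finance"}
    ledger = {"classification": 2, "department": "finance"}
    routine = Request(analyst, ledger, {"managed_device": True})
    risky = Request(analyst, ledger, {"unmanaged_device": True, "unusual_location": True})
    for name, req in (("routine", routine), ("risky", risky)):
        print(name, rbac_decide(req, "read"), abac_decide(req, "read"), radac_decide(req, "read"))
```

The same read request passes the role check and the attribute rules in both scenarios; only the risk-adaptable layer distinguishes the routine request from the one made from an unmanaged device at an unusual location, and it degrades to a step-up rather than a flat deny only when an operational need has been declared.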
Hasala Peiris, CISSP
www.linkedin.com/in/hasalapeiris
References

1. Beznosov, K. and O. Beznosova, On the imbalance of the security problem space and its expected consequences. Information Management & Computer Security, 2007. 15(5): p. 420-431.
2. PricewaterhouseCoopers, CIO magazine, and CSO magazine, The Global State of Information Security Survey. 2014.
3. Kuhn, T., The Structure of Scientific Revolutions. 1962, Chicago: The University of Chicago Press.
4. Greenwald, G. The NSA Files. 2013 [cited 2014 Jan 20]; Available from: http://www.theguardian.com/world/the-nsa-files.
5. Bostrom, R.P. and J.S. Heinen, MIS Problems and Failures: A Socio-Technical Perspective, Part II: The Application of Socio-Technical Theory. MIS Quarterly, 1977. 1(4): p. 11-28.
6. Sandhu, R.S., et al., Role-based access control models. Computer, 1996. 29(2): p. 38-47.
7. Hu, V.C., et al., Guide to Attribute Based Access Control (ABAC) Definition and Considerations. 2014, National Institute of Standards and Technology (NIST): Gaithersburg, MD.
8. McGraw, R. Risk-Adaptable Access Control (RAdAC). In NIST Privilege (Access) Management Workshop. 2009. Gaithersburg, MD: National Institute of Standards and Technology (NIST), U.S.A.
Around the World

BEIJING THINKS THE iPHONE IS A THREAT TO CHINA'S NATIONAL SECURITY

"...The iPhone became the latest target of China's state broadcaster CCTV today. The phone's Frequent Locations function, which tracks the exact places you have been and the amount of time you spent there, is capturing 'extremely sensitive data,' a researcher told CCTV, according to Reuters. The data could ultimately reveal China's economic situation and 'even state secrets,' the researcher said..."
ANDROID'S FACTORY RESET DOESN'T DELETE EVERYTHING. HERE'S HOW TO REALLY WIPE YOUR DATA

"...As new smartphones hit the market, people are looking to offload their outdated devices more frequently than ever before. When selling an old phone, the standard procedure is to restore the device to factory settings, wiping it clean of any personal data. This creates a new-phone feel for the new owner and offers protection for the original owner..."
Exploring the BYOD security dynamic

"...The initial survey, conducted in late 2013, explored the prevalence of employee-owned devices, how they are being secured, and employee concerns regarding company-mandated security programs. The second survey, conducted in March 2014, looked at how IT managers view the risk of employee-owned devices, the prevalence of formal mobile security policies, and the extent to which employee input is included in developing BYOD policies..."
Cloud security threats, tips and best practices

"...In this interview, Gray Hall, CEO at Alert Logic, illustrates today's top cloud security threats, tackles privacy and surveillance issues, and offers security best practices organizations should implement when moving to the cloud..."
GOOGLE'S LATEST EMPIRE-BUILDING TACTIC: CHEAP PHONES

"...Here's the thing about those cheap sub-$100 smartphones that nobody tells you: They're awful. Many of them use aging hardware to run old versions of Android. People tend to use them like regular phones, except to surf Facebook when they've got a Wi-Fi connection..."
Month in Brief

[Chart: Facebook Incidents Reported to Sri Lanka CERT|CC in June 2014]

Statistics - Sri Lanka CERT|CC

Alerts

Apple Denies Chinese Report of Location Tracking Security Risk
"...The frequent locations function, which can be switched on or off by users, is available on iOS 7, the operating system used by the current generation of iPhones released in September 2013. 'We appreciate CCTV's effort to help educate customers on a topic we think is very important,' Apple said Saturday in a statement in Chinese and in English on its China website..."
Hackers Attack Shipping and Logistics Firms Using Malware-Laden Handheld Scanners

"...The attack, dubbed 'Zombie Zero,' has been analyzed by cybersecurity solutions provider TrapX, a company formerly known as CyberSense. According to TrapX, the attack begins at a Chinese company that provides hardware and software for handheld scanners used by shipping and logistics firms worldwide to inventory the items they're handling..."
Being Secure In The Most Connected World Cup Ever

"...Sporting events are getting more and more connected, and the just-concluded World Cup is no exception. Brazilian telecom provider Oi made sure that no expense was spared in 'connecting' the World Cup, and even claimed that this year's event is in fact the most connected in the history of the World Cup..."
Targeted Attack Methodologies for Cybercrime

"...We recently wrote about the difference between cybercrime and a cyber war, which narrows down to the attack's intent. With the same intent of gaining information to use against targets, cybercriminals and attackers tend to stress less importance in their choice of 'tools', as these campaigns are all about who carries out the attack..."
Facebook Helps Cripple Greek Botnet

"...Facebook today revealed details of how it helped derail a little-known botnet operation out of Greece that was used to steal and mine digital currency and spread via Facebook and Lightcoin mining -- infecting some 250,000 machines worldwide..."
Notice Board

Training and Awareness Programmes - July 2014

Date | Event | Venue
02nd, 03rd & 04th July | Training programme on usage of e-content developed for primary grade | National Institute of Education, Maharagama
07th & 08th July | Training programme on Alice Software for content development | National Institute of Education, Maharagama
24th & 25th July | Workshop to develop a module on Graphic & Animation for National Vocational Qualification | Computer Laboratory, ICT Branch, Ministry of Education
21st to 25th July | Training programme for (G.C.E.) A/L ICT subject | Education Leadership Development Center, Meepe
30th June - 04th July | Script writing for e-Thaksalawa Learning Management System for Grade 9 | Computer Laboratory, ICT Branch, Ministry of Education
30th July - 01st August | Script writing for e-Thaksalawa Learning Management System for Grade 11 | Computer Laboratory, ICT Branch, Ministry of Education