Category Archives: Articles

ISSG Magazine – Education, Professionalism & Partnerships

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Winter 2005 issue:

Education
Recently, another new initiative to educate and protect the IT user community was launched. Get Safe Online (www.getsafeonline.org) joins the myriad of other ‘advice’ websites set up over the years, by government and industry, to help the general public identify and address computer security threats.

Hopefully this latest attempt, backed by financial and marketing assistance from big names, including eBay, HSBC and Microsoft, will help the government get the message, of safe online computing, through to the consumer. The website offers a clear and balanced approach to mitigating Internet threats.

For cynics, who see Microsoft’s support of this initiative as self-serving, advice to consider alternatives to the Microsoft browser and e-mail client software does appear on the website. Also, a broad range of non-Microsoft security applications is referenced, along with advice being offered for the Apple Mac and Linux OS.

Professionalism
The embryonic, and tentatively entitled, Institute for Information Security Professionals (IISP) is aiming to launch on 1st January 2006. I urge you to review the work they have undertaken to date, and decide whether you support this route to the professionalism of the information security industry.

An overview of this new body, and the Working Group papers, is available on the Security Alliance for Internet and New Technologies (SAINT) website (www.uksaint.org). Questions, comments and offers of assistance related to this new body should be directed to Barrie Wyatt
(barrie.wyatt@nottingham.ac.uk).

The Working Groups have created papers on ‘Creating a Professional Body’, ‘Common Body of Knowledge’, ‘Codes of Professional Conduct’ and ‘Skills and Accreditation Requirements’. These papers are drafts which require your feedback to make them even better, and acceptable to the broadest community.

Partnerships
I was recently at a congress focused on partnerships to help tackle organized crime. The aim of the law enforcement community was to improve links with industries, which have close ties with large user communities, such as banking, telecommunications, retail and e-commerce.

Some areas of concern included ensuring compliance with current legislation (especially the Data Protection Act) in any information sharing agreements and whether information will truly flow in both directions, an area in which law enforcement and the government are improving.

I think that it can be good when businesses and security professionals go beyond the limits of their usual activities – simply hawking wares – and get involved in other, non-profit driven, activities, such as information security education and crime reduction partnerships for the good of the wider community.”

ISSG Magazine – Terrorism

The following introduction was originally published in the BCS Information Security Specialist Group Magazine, Autumn 2005 issue:

Recent Events
The terrible events of 7th July, and fortunate failures of 21st July, exploiting vulnerabilities in our transport system to cause death and mayhem, remind us all that we may be subject to attack, even while going about our normal business.

Our assets are not only our population, which we must do our utmost to protect, but also our way of life, which is not only being threatened by the attacks against us, but may be undermined by a hasty or draconian response to terrorist attacks.

The threat is from ‘international terrorism’, which has both the capability and intent, has grown over the last two decades, and considers its actions justified, as payback, for many years of the ‘West’ interfering in the affairs of the ‘East’.

As well as trying to convince the public that they’re safe from the risk of another attack, governments must be more open and honest, and target the causes of terrorism, as well as its symptoms, as part of their risk management strategy.

Real War or Cyberwar?
The oft-quoted ‘cyberwar’ has, as yet, failed to materialise. Personally, I don’t expect a digital equivalent of Pearl Harbour or 9/11 for some time. For now, I expect major attacks to remain physical, which makes for good ‘terrorism by TV’.

An electronic attack is much less likely to terrorise the general population unless the attackers acquire some new expertise or knowledge, which could be harnessed to create widespread carnage in Critical National Infrastructure (CNI).

What is not at doubt is that the current breed of ‘international terrorists’ has learned how to use the Internet and media outlets effectively for communications, information distribution, propaganda and recruitment.

New Powers?
The UK, and its own ‘coalition of the willing’, is still pushing, through the EU, for sweeping data retention powers. A past attempt, at slipping it through with minimal discussion and review, has been declared illegal, but we persist.

The current powers and retention requirements seem to have been sufficient in recent attacks, both at home and abroad. Those that wish for greater powers should put forward convincing arguments as to why they should get them.

Coupled with other moves – to introduce ID cards, reduce burden of proof, have detention without trial, limit legal representation, present secret evidence, impose control orders, and broaden surveillance – we must avoid a ‘1984’ scenario.

“Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety” – Benjamin Franklin (attributed)

If we become a police state, which spies on our people as the norm, at the same time as ‘encouraging’ such states to become democratic and open, would we meet in the middle, or would they become free as we become repressed?

In this growing surveillance society quis custodiet ipso custodes?”