Administering Security

"Engineering Principles for Information Technology Security (A Baseline for Achieving Security)", Revision A, June 2004, NIST SP 800-27 Rev A, Recommendations of the National Institute of Standards and Technology, by Gary Stoneburner, Clark Hayden, and Alexis Feringa
This link is to a NIST document covering security principles. It opens with an introduction explaining what the document is about, what prompted its creation, the audience it is aimed at, and how it is structured. It then gives a brief background on the creation and compilation of the principles and the goal in presenting them. The document gives detailed information on 33 IT security principles, with tables showing how they relate to the five life-cycle planning phases, and groups them into six categories: Security Foundation, Risk Based, Ease of Use, Increase Resilience, Reduce Vulnerabilities, and Design with Network in Mind. It states that IT security has become a critical element of the system life-cycle, and the principles focus on securing information technology systems throughout that life-cycle. This document is a good source of information on securing information technology systems.
Report Says Virtually All Big Companies Will Outsource Security By 2010 - An article discussing the reasons big companies will outsource security to managed service companies. With security not being a core competency at most enterprises, the need to outsource will continue to grow in order to stay ahead of the hackers.
Security View Shifts - I think this is a great article for anyone looking to read about the shift in view related to security, particularly the issue of security being viewed as a technical problem at one point and now being viewed as an "enterprise-wide" problem. There also seems to be a shift in who owns computer security: at one point security was viewed as having a technical owner, and now it is owned by the business.
Managing Computer Security - Published on August 4, 2004, this article addresses some of the security settings available with Windows XP Service Pack 2 (SP2). Not only are these settings easier to monitor, but there is a "Security Center" that allows you to view the status of your major settings. This feature also provides the most recent updates on viruses and security threats, along with contacts for customer support.
This site shows system administrators how to secure their systems better. Through its links, information about physical, network, account, and file system security, and about testing, can be obtained.
Zone-H - "the Internet thermometer"
New Laws Put New Rules on ID Management - by Bill Malik, January 29, 2003
Consortium Pushes for Cybersecurity R&D - by Grant Gross, IDG News Service, January 30, 2003
Computer Security Resource Center - The Computer Security Resource Center website contains information on cryptographic standards and applications, security testing, security research, security management, and security education.
Best Practices for Preventing DoS/Denial of Service Attacks - Microsoft TechNet Newsletter; A network attack can teach you more than a few lessons. This article lists 10 common things companies can do to prevent denial of service attacks.
Security Liability: Who's Responsible for Security Breaches? Short Answer: Everyone - Frank Prince; The article discusses who is responsible when there is a computer security breach at an organization. A survey was taken to see where most people place the blame; the results placed the responsibility everywhere from the hardware/software developers to the hackers themselves.
Strategies & Issues: Thwarting Insider Attacks - Jim Carr; Discussed here is the fact that many organizations assume all threats come from the outside, when in fact more and more come from the inside. A system administrator leaving a management console open or an employee bringing an infected laptop into the office are both examples of inside threats. Wireless LANs also pose internal threats: a drive-by assessment of wireless LANs in Atlanta by ISS detected 2,000 wireless access points open to eavesdropping.
What's Happened to Availability? - Winn Schwartau (2003); This article discusses availability and how a post-9/11 world has changed the way security professionals must deal with it. It introduces a new security triad of Cyber, Physical, and People, and explains how availability must incorporate all three to prevent "stovepiping" of security efforts.
Is It Ever Worth It to Cut Corners on Security? Yes - Burton Craig (2003); Here security professionals face off to discuss whether or not it is acceptable to cut corners in security. Both the Yes and No articles cover how security must be balanced against its other aspects.
Whom Do You Trust? - by Scott McNealy (2002)
Password Pain Relief - This article relates to the effectiveness of controls, specifically passwords and password management: how to implement effective and strong passwords but then answer the call of users when they must have their passwords reset. I have "A LOT" of personal experience in this area. When I tried to implement a random password generator on my Army tactical network, users either kept a copy of the password on the computer or forgot the password within hours, so as I tried to increase security with stronger passwords I actually achieved the opposite effect.
Microsoft Giving Russia Access to Code - The article discusses how Microsoft is revealing its Windows source code to Russia in an effort to improve computer security.
A Pared-Back Security Initiative: Revised Plan Focuses on Agencies - by Ted Bridis (2003); The article discusses how "The Bush administration has reduced its initiatives to tighten security for vital computer networks, giving more responsibility to the new Department of Homeland Security." The plan to improve "cyberspace security" will focus more on suggestions from government agencies.
Computer Security Standards Ready - Shannon Henry (2002); Legal, Privacy, and Ethical Issues in Computer Security - Kerri Davis; This article states that a group of government agencies and some private agencies plan to come up with a common set of standards and software to fight computer hacking.
Is It Ever Worth It to Cut Corners on Security? Yes - by Burton Craig (2003); This article states that total security may cause you to run into many problems. This is due to the human factor and code overload.
Computer Security Awareness Training (NIST Guidelines)
Securing Public Web Servers
National Computer Security Association
U.S. Hopes to Check Computers Globally: System Would Be Used to Hunt Terrorists
DoD Web Site Administration: Policies & Procedures
Gilmore Commission Critical of Bush Cybersecurity Plan
Site Security Handbook
Department of Defense Trusted Computer System Evaluation Criteria (Orange Book)
ISO 17799 - What is ISO 17799 (the ISO Security Standard)?

Risk Assessment

Security Scanning Is Not Risk Analysis - by Laura Taylor; Dated July 2002, this article discusses how security scanning differs from risk analysis. Topics include differentiating scanning from risk analysis, how risk analysis works, analyzing rates of occurrence, and the right tools for the job. In addition to explaining how it differs from security scanning, the article shows the reader how to go about doing a risk analysis.
Assessing Internet Security Risk, Part Two: An Internet Assessment Methodology - by Charl Van der Walt; Dated July 2002, this article is the second in a series revealing the security risks readers are exposed to by systems connected to the Internet. It discusses the methodology of doing a technical risk assessment. Topics include intelligence gathering, footprinting, and vitality.
Assessing Internet Security Risk, Part One: What Is Risk Assessment? - by Charl Van der Walt; Dated June 2002, this article attempts to convince the reader of the value of doing technical risk assessments. Topics covered include what resources are worth protecting, what the value of those resources is, what possible threats are faced, what the likelihood is of those threats being realized, and what the impact of those threats would be.
The Security Risk Analysis Directory - Introduction to Risk Analysis
Security Risk Analysis and Management - B.D. Jenkins, Countermeasures, Inc.
Risk Analysis, Assessment, Management
Carnegie Mellon Software Engineering Institute FAQ
Handbook of Information Security Management
An Introduction to Risk and Security
Risk Management
Overview of Risk Assessment - The article explains techniques for gathering data about the information and technology assets in an organization. Information-gathering techniques are discussed regarding the threats to those assets, their vulnerabilities, existing security controls and processes, and the current security standards and requirements. Analytical processes to determine the level of threat and to prioritize present risks are discussed in some detail.

Social Engineering

Social Engineering: What Is It, Why Is So Little Said About It, and What Can Be Done? - by John Palumbo, July 26, 2000; This article, written by John Palumbo with the SANS Institute, helps define social engineering and the role it plays in operating system security. Palumbo defines social engineering, explains why little is said about it, and describes what can be done about it.




Written by Wayne Summers (summers_wayne@ColumbusState.edu)