{"title":"Social networking and the risk to companies and institutions","authors":"Marc Langheinrich , Günter Karjoth","doi":"10.1016/j.istr.2010.09.001","DOIUrl":"10.1016/j.istr.2010.09.001","url":null,"abstract":"<div><p>Social networks open up new business opportunities for customer acquisition and retention, facilitate knowledge transfer within the company, and can positively influence work climate. However, they can also quickly destroy a company image that took years to build, while the use of social networks at work not only risks a loss in productivity but may also undermine legal obligations. Eager networkers might also divulge company internals to competitors or the public at large. And last but not least, “friendships” open up completely new attack vectors for professional hackers, thus significantly increasing company exposure to online break-ins. This article briefly summarizes the opportunities and dangers that this development poses for business. This contribution is based on an earlier article by the same authors (in German) (<span>Langheinrich and Karjoth, 2010</span>).</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"15 2","pages":"Pages 51-56"},"PeriodicalIF":0.0,"publicationDate":"2010-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.09.001","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133658832","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Caveat venditor","authors":"George French , Mike Bond","doi":"10.1016/j.istr.2010.10.003","DOIUrl":"10.1016/j.istr.2010.10.003","url":null,"abstract":"<div><p>Tamper-resistant Hardware Security Modules (HSMs) are a core technology used to build assurance in the security of large IT systems protecting and manipulating sensitive data. This paper draws on the authors' years of experience working to deploy HSM-based solutions in the financial industry. We argue that as soon as you scratch the surface of the simple “buy and forget” model where an HSM is bought to satisfy a compliance requirement, the buyer encounters initial and ongoing challenges when trying to cover all the bases for security. There is now (compared with 10 years ago) a good public literature on HSM vulnerabilities, but even checking resistance against known threats and attack classes becomes very difficult in practice, let alone considering theoretic and new attacks which have not been widely implemented across HSM platforms. Part of the problem is the lack of security details in vendor information, part is lack of awareness of the issues for the buyers. Some older attacks such as the decimalisation table attack have been largely addressed; others such as PIN block translation (and other oracles) have not. This paper argues that the balance of responsibility between buyer and vendor to maintain security awareness has much room for improvement, and that existing certification processes such as FIPS-140 leave huge gaps that need to be covered when building assurance. In the retail sector strong buyer protections exist because the layperson cannot be expected to understand and manage all the relevant risks, but in the financial industry the assumption has been that buyers have the skills to evaluate the products – “Caveat Emptor”. But maybe it is time to redress this balance with a little “Caveat Venditor”?</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"15 1","pages":"Pages 28-32"},"PeriodicalIF":0.0,"publicationDate":"2010-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.10.003","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122952497","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Cryptography in the real world","authors":"Chris Sundt","doi":"10.1016/j.istr.2010.10.002","DOIUrl":"10.1016/j.istr.2010.10.002","url":null,"abstract":"<div><p>This article discusses how and why controls on cryptography have changed over the last 20 years or so, now focusing more on lawful access to the plain text of protected data than on control of movement of cryptographic products. The effect of this change on users of cryptography, and the way organisations can minimise their business risks in this new environment, are discussed.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"15 1","pages":"Pages 2-7"},"PeriodicalIF":0.0,"publicationDate":"2010-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.10.002","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124887449","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The status of National PKIs – A European overview","authors":"Dimitrios Patsos , Chez Ciechanowicz , Fred Piper","doi":"10.1016/j.istr.2010.10.007","DOIUrl":"10.1016/j.istr.2010.10.007","url":null,"abstract":"<div><p>A series of European Union initiatives and frameworks have been issued during the last years, for the provision of electronic services to individuals, businesses and government organizations. Most of these efforts imply the use of digital certificates for a wide variety of national and transnational transactions. This paper presents the concept of National PKI through a systemic view, compares and contrasts the main inhibitors and enablers, discusses popular use cases, and also examines the European landscape together with open issues.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"15 1","pages":"Pages 13-20"},"PeriodicalIF":0.0,"publicationDate":"2010-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.10.007","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128370867","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Choosing key sizes for cryptography","authors":"Alexander W. Dent","doi":"10.1016/j.istr.2010.10.006","DOIUrl":"10.1016/j.istr.2010.10.006","url":null,"abstract":"<div><p>After making the decision to use public-key cryptography, an organisation still has to make many important decisions before a practical system can be implemented. One of the more difficult challenges is to decide the length of the keys which are to be used within the system: longer keys provide more security but mean that the cryptographic operation will take more time to complete. The most common solution is to take advice from information security standards. This article will investigate the methodology that is used to produce these standards and their meaning for an organisation that wishes to implement public-key cryptography.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"15 1","pages":"Pages 21-27"},"PeriodicalIF":0.0,"publicationDate":"2010-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.10.006","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126258067","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Identity based encryption: Progress and challenges","authors":"Sriramkrishnan Srinivasan","doi":"10.1016/j.istr.2010.10.001","DOIUrl":"10.1016/j.istr.2010.10.001","url":null,"abstract":"<div><p>Identity based cryptography is currently among the most active areas of research in cryptography. In this article we discuss identity based encryption (IBE) which has the potential for widespread real world adoption and has in fact already been deployed commercially. We will discuss the many advantages and disadvantages of IBE and briefly introduce various schemes that have been proposed in the literature. We discuss the real world impact of IBE and highlight some issues which we think will become more pertinent as IBE and related technologies become more well known and widely deployed.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"15 1","pages":"Pages 33-40"},"PeriodicalIF":0.0,"publicationDate":"2010-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.10.001","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126091141","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The MIFARE Classic story","authors":"Keith E. Mayes, Carlos Cid","doi":"10.1016/j.istr.2010.10.009","DOIUrl":"10.1016/j.istr.2010.10.009","url":null,"abstract":"<div><p>The MIFARE Classic product from NXP Semiconductors has been much maligned over recent years and whilst some of the criticism is well justified by virtue of the inherent security problems, it is by no means the weakest card/RFID in use today. In this article we give a brief overview of the MIFARE Classic card, its use, design and security. We start by looking at the range of card and RFID products and placing the MIFARE Classic in its intended position. The process of risk assessment is then discussed as a means of choosing “appropriate” products and solutions. We then discuss the history of the MIFARE Classic, its design, security features and associated attacks. The long-lasting effects of the attacks and publicity are considered with respect to not only the MIFARE Classic, but for similar product risk reviews.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"15 1","pages":"Pages 8-12"},"PeriodicalIF":0.0,"publicationDate":"2010-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.10.009","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132987457","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The positive outcomes of information security awareness training in companies – A case study","authors":"Mete Eminağaoğlu , Erdem Uçar , Şaban Eren","doi":"10.1016/j.istr.2010.05.002","DOIUrl":"10.1016/j.istr.2010.05.002","url":null,"abstract":"<div><p>One of the key factors in successful information security management is the effective compliance of security policies and proper integration of “people”, “process” and “technology”. When it comes to the issue of “people”, this effectiveness can be achieved through several mechanisms, one of which is the security awareness training of employees. However, the outcomes should also be measured to see how successful and effective this training has been for the employees.</p><p>In this study, an information security awareness project is implemented in a company both by training and by subsequent auditing of the effectiveness and success of this training (which focussed on password usage, password quality and compliance of employees with the password policies of the company). The project was conducted in a Turkish company with 2900 white-collar employees. Each employee took information security training including password usage. Also, there were several supporting awareness campaigns such as educational posters, animations and e-messages on the company Intranet, surveys and simple online quizzes. The project was carried out over a 12 month period and three password security strength audits were made during this period. The results were comparatively and statistically analysed. The results show us the effectiveness of the project and the impact of human awareness on the success of information security management programmes in companies. This study gives us some crucial results, facts and methods that can also be used as a guideline for further similar projects.</p></div>","PeriodicalId":100669,"journal":{"name":"Information Security Technical Report","volume":"14 4","pages":"Pages 223-229"},"PeriodicalIF":0.0,"publicationDate":"2009-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1016/j.istr.2010.05.002","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114273357","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}