REVIEW: “Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk,Daniel Schutzer

BKEISCPR.RVW   20101023

“Enterprise Information Security and Privacy”, C. Warren Axelrod/Jennifer L. Bayuk,Daniel Schutzer, 2009, 978-1-59693-190-9, U$99.00
%E   C. Warren Axelrod Warren.Axelrod@usccu.us
%E   Jennifer L. Bayuk www.bayuk.com
%E   Daniel Schutzer Dan.Schutzer@fstc.org
%C   685 Canton St., Norwood, MA   02062
%D   2009
%G   978-1-59693-190-9 1-59693-190-6
%I   Artech House/Horizon
%O   U$99.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O   http://www.amazon.com/exec/obidos/ASIN/1596931906/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1596931906/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1596931906/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   231 p.
%T   “Enterprise Information Security and Privacy”

The authors of this collection of papers were told to examine and challenge current and traditional approaches to information security and suggest alternatives overcoming noted deficiencies.

Part one looks at history and trends.  Chapter one traces privacy attitudes and legislation in the United States over the past century, and suggests that privacy and information security are related.  Data protection should be supported by a defined, multi-factor, holistic security system, says chapter two.  (As the editorial comment notes, this is hardly surprising news to security professionals.)  Security faces pressure from operational concerns, and chapter three states that security departments that help the business rather than hindering it (in other words, planning security properly) are more likely to succeed.  Chapter four notes that information classification based solely upon confidentiality concerns is limited, but the suggested structure still relates only to that aspect.  The article singularly fails to examine any possible form of multilateral classification scheme, incorporating integrity and availability issues.  Chapter five delves into human factors, which are vitally important to security, but limits the discussion to privacy, which is already pretty human.

That piece finishes off with some examination of risk, although it doesn’t say much about human factors in risk, but I suppose it makes a nice lead-in to the fact that part two is concerned with risk.  Donn Parker makes his usual contrarian argument against risk-based security in chapter six.  The author of chapter seven notes this objection, but claims that it is only applicable if you fail to account for all the proper factors (totally missing Parker’s point that you can never know all the factors).  A hodge-podge of legal topics goes into chapter eight, but the emphasis (if there is any) seems to be on new “compliance” standards such as the Payment Card Industry Data Security Standard (PCI-DSS or just PCI).  Chapter nine takes a brief and focussed look at the most important changes in the telecommunications arena.

Part three turns to specific industries: finance, energy, transportation, and academia.  Chapter ten lists US financial regulations, and then offers vague suggestions of new regulations.  A number of questions about the security of energy providers or infrastructure are raised in chapter eleven, but there are few answers.  In terms of transport, chapter twelve mentions SCADA (Supervisory Control And Data Acquisition) systems and alarm sensors.  Chapter thirteen doesn’t really appear to examine academia: the “case studies” may be formal, but are really just reports of malware similar to those in the general user population.

If the authors were supposed to present new ideas for security, they have failed.  There is nothing wrong with any of the pieces contained in the book, but they are simply “more of the same.”

copyright, Robert M. Slade   2011     BKEISCPR.RVW   20101023


WARNING: Word Processor Keeps Keyboard Data

This is totally serious.  You should be aware that, for years now, just about every commercial word processing program on the market [1], and a number of the open source ones as well, have been intercepting your keystrokes, storing them, and even displaying them *on the screen*!

Email programs are even worse, since a number of them will actually send your keystrokes to someone else, *over the Internet*! [2]

[3]!!!!!

[1] Except for Word, which simply collates random data.
[2] Except for Outlook, which regularly deletes all stored data.
[3] Yes, I am, of course, poking fun at the furor over the iPhone location data file.


New computers - Mac (Flash)

First off, I probably have to modify the perception that I may have left, in this series of postings, that I hate the Mac and everything it stands for.  Not true.  While I find the “Apple knows best” attitude frustrating at times (all right, many times), the MacBook Pro that I purchased is a nice machine in many ways.  For one thing, it’s the most powerful machine I’ve got at the moment.  (Until I get the time to install the new desktop, anyway.)  For another, it hibernates (or suspends, or sleeps, or whatever you want to call it) really well.  I appreciate that ability to simply close the lid, and open it up, and all my stuff is still ready to go, within seconds.  (This has been a particular frustration with the Asus netbook, which sometimes hibernates, and sometimes decides to think about it.  Forever.  Or, until I take the battery out, whichever comes first.)  I like the ongoing and very accurate battery indicator (although I’ll have more to say about that in another post).

It was the battery indicator that first alerted me to the issues with Flash.  As one of my Mac resource helpers noted when I found this out, Flash may, single-handedly, be responsible for global warming.  It is rather odd to pull up a YouTube video, or any other page with a high Flash content (news sites are particularly vile in this regard) and watch the battery life almost instantly cut in half (or drop even further).  To get your battery life (well, most of it, anyway) back again, all you have to do is drop the offending Flash page.

The thing is, I’ve never noticed this before on my other laptops.  Certainly Flash, on Windows, doesn’t have anything like that same effect on the battery life.  Yes, it’s more of a drain, and, yes, you’ll probably have to keep an eye on heating issues.  But the battery life isn’t half of what it was simply because of viewing videos.

Apple doesn’t like Flash.  The converse may also be true.  Because, despite the Mac’s much-vaunted prowess in multimedia areas, online video definitely seems to be a problem for it.

At home, we’ve recently been watching some TV programs via the Internet.  (We’ve done this because, at home, I get Internet service from Shaw, which provides our cable TV, as well.  And, they seem to be just as unreliable at providing the uninterrupted TV feed as they do at providing Internet service or help.  So we’ve had to fall back on the Internet to catch up on shows we’ve missed while the cable was out.)  Because of this, I’ve had a chance to do some comparison between a seven-year-old Windows (XP) desktop machine, and a brand new MacBook Pro.  The old Windows machine wins, hands down.  We’ve watched streaming feeds of shows from the company Websites of CBC, GlobalTV, and Bravo, all at the standard presented resolution, and in the full-screen display.  All of these sites use Flash.  And the old (seven years old, remember) Windows machine, using Firefox, has won every round against the Mac, using Safari.  The streaming is just as good (which is odd, considering the sheer age of the Windows box), but the Mac tends to lock up (or go random places) any time we use the controls to rewind, or pick up a missed segment.

To repeat what I started out with, the Mac is great in many areas.  Viewing Twitter, even with the new (and heavily script-laden) interface, the Mac is very much faster, and Safari opens new windows and loads them quickly.  Which is why I found the online video weakness to be so odd …


Shaw idiot spam filter yet again

Once again, in a month and a half, Shaw has disabled my outbound email.

For no particular reason.

Oh, sure, the error code says 554, rejected due to poor reputation.  So, like before, I do a lookup.  (For those interested in the stability of DHCP, my IP address is still the same, a month and a half later.  Even after being away for two conferences, and a short vacation.)  So, once more, I look up http://www.senderbase.org/senderbase_queries/detailip?search_string=70.79.166.169

This time there is even less information.  Google groups, SpamCop, dnsbl.njabl.org, bl.spamcop.net, cbl.abuseat.org, sbl.spamhaus.org, and pbl.spamhaus.org all say I’m clean.  (dnsbl.sorbs.net refuses to say anything, oddly.)

RFC-Ignorant.Org does say, again, that Shaw itself is questionable.  So, does that mean all Shaw clients are silent tonight?  How big of a CIDR does this affect?  (And why?)  How come I’m the guy who gets picked on?

Once again, Shaw’s “help” “Support” line is of no use.  This time around “Jason” tells me I just have to be patient: the spam guys are looking into something.  He won’t venture any guesses as to what the something is.
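The blocklist check described in this post can be done from the command line rather than one web form at a time.  The script below is an added example, not something from the post or from Shaw: it builds the reversed-octet query name each DNSBL expects (1.2.3.4 becomes 4.3.2.1.zone), asks the zones the post names, and tells apart "not listed" (NXDOMAIN), "listed" (an answer in 127.0.0.0/8, whose last octet is the list's reason code), "no answer" (what the post saw from dnsbl.sorbs.net) and an answer outside 127/8, which is a resolver artefact such as ISP wildcard DNS rather than a listing.  The resolver is injectable so the logic can be exercised offline; the real lookups only run from the main guard.

```python
import socket
from typing import Callable, Dict, Optional

# The DNSBL zones the post says it consulted.
DNSBL_ZONES = (
    "bl.spamcop.net",
    "cbl.abuseat.org",
    "sbl.spamhaus.org",
    "pbl.spamhaus.org",   # policy list of dynamic/residential ranges, not proof of spamming
    "dnsbl.njabl.org",
    "dnsbl.sorbs.net",
)

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = ip.strip().split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def _live_resolve(name: str) -> Optional[str]:
    """A-record lookup; None means NXDOMAIN, i.e. the address is not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip: str, zones=DNSBL_ZONES, resolve: Resolver = _live_resolve) -> Dict[str, str]:
    """Return {zone: status}, where status is 'clean', 'listed (127.0.0.x)',
    'no answer' (timeout or other resolver failure) or 'unexpected (addr)'."""
    results: Dict[str, str] = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            results[zone] = "no answer"
            continue
        if answer is None:
            results[zone] = "clean"
        elif answer.startswith("127."):       # DNSBLs answer from 127.0.0.0/8
            results[zone] = f"listed ({answer})"
        else:                                 # wildcard DNS or a hijacked resolver, not a listing
            results[zone] = f"unexpected ({answer})"
    return results


def listed_zones(results: Dict[str, str]) -> list:
    """Zones that actually list the address, for a quick verdict."""
    return [zone for zone, status in results.items() if status.startswith("listed")]


if __name__ == "__main__":
    # The address the post looks up; replace with your own sending IP.
    for zone, status in check_dnsbls("70.79.166.169").items():
        print(f"{zone:20} {status}")
```

A listing on pbl.spamhaus.org covers a whole ISP-assigned range by policy, which is one answer to the post's "how big of a CIDR" question: it is not about this one host at all.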


Vulnerability Scanner