Posts

Showing posts from March, 2011

SaaS is great - says Google-sponsored survey

Call me a cynic ("You're a cynic, Gary!") but are we really meant to swallow whole a research report on the use of SaaS, plus perceptions about the security aspects, that has been sponsored by Google? As with so many of these vendor-sponsored "surveys", we're presented with a potted selection of data (basically a handful of bar charts), some analysis and discussion, next to no information about the research methods - in short, not much to go on. There is none of the modelling, hypothetical predictions, experimental evidence and rigorous scientific analysis that a genuine research report would be expected to contain, so the end result is basically just a marketing exercise. That said, I'm intrigued to see that the very first bar chart in the report clearly identifies the widespread belief that security and privacy are worse with SaaS than with traditional in-house IT approaches: The survey report is free and short, so by all means take a look and make ...

Cloud computing security awareness materials

Cloud computing has emerged and grown steadily over the past few years. While at first the cynics among us treated the announcements and advertisements as blatant marketing hype, many have quietly started using cloud applications such as Google Docs, Google Earth, online storage, webmail and so on, some without even appreciating that they are using cloud computing. Meanwhile, Google, Amazon and many other suppliers have been building up their portfolios of cloud services and signing up customers. Cloud computing involves the provision of Internet-based information processing services. It gives ‘access from anywhere’ and service elasticity or flexibility - worthwhile business benefits and, in part, security benefits too. However, it’s not all roses. The security issues associated with cloud computing and the virtualization and network technologies that underpin it are significant, and not necessarily entirely obvious due to the fact that cloud comput...

New SME infosec standard

A new draft information security standard for Small to Medium-Sized Enterprises has been released for comment by my friends in ISSA-UK. The standard, called "ISSA 5173", is short - just 4 pages plus 6 pages of preamble (!). It promotes a structured, risk-based approach to managing information security, not altogether unlike ISO27k. It offers high-level advice rather than listing lots of specific controls: the idea is basically that SMEs need to figure out their security requirements and then put them in place. The management system it promotes is essentially about 'figuring out security requirements and putting them in place'. Information security requirements derive from some understanding of the risks facing the SME, plus compliance obligations. I will be fascinated to see how this develops over the next few months and, time permitting, I'll contribute my ideas too. I encourage you to at least download and read the draft but by all means join the ensuing di...

ISO27k success story from Malta

Thanks to a small team from the Information Security Department, the Malta IT Agency has successfully implemented ISO27k and been certified to ISO/IEC 27001. Getting MITA's widespread engagement with the project was a challenge, helped by overt support from above: "Getting resources on board and having information security recognised as a priority for teams who work to deliver a service was the main challenge encountered by the project team throughout the process. A key to successfully retaining the certificate is the ongoing support received from senior management, both at a department level and at a CEO/board level. ISO27001 brought staff closer to security than ever before. MITA clients and suppliers see certification against such a professional standard as proof of employing good security practices." Well done MITA! Join the ISO27k Forum and tell us all about it!

Insider virus hits Whac-A-Mole

A long-term contract programmer working for the company that produces the Whac-A-Mole arcade game is accused of planting viruses in the code, perhaps as revenge against plans to end his contract, perhaps as a cunning plan to steal his client's business. Reading between the lines, it seems likely that the programmer was in a position of trust, established over the past 30 years. If the company had any controls against viruses being included in its code, they evidently failed to detect the infection and/or notify management - perhaps the programmer could disable or bypass the controls? More likely they had no such controls at all. Inspecting source code for malware is neither a trivial nor a cheap exercise, although there are several potential benefits from this control aside from malware detection, e.g. identification of redundant code, potential buffer overflows, undefined variables, bugs, design flaws and general code quality improvement. The financial impacts on the company in t...

Mac Trojan

A new Mac Trojan has been discovered in the wild. Sophos' analysts believe it is a beta test. "Its functions include: placing text files on the desktop; sending a restart, shutdown or sleep command; running arbitrary shell commands; placing a full screen window with a message that only allows you to click reboot; sending URLs to the client to open a website; popping up a fake "Administrator Password" window to phish the target." While almost all malware attacks Windows systems, owners of Apple Macs, iPads, iPhones, UNIX and Linux systems, smartphones and even Siemens Industrial Control Systems should not be too smug. Sophos' excellent Naked Security blog is also reporting a rash of malware affecting social applications on Facebook. In other words, it's possible to pick up malware even if the technology exists only in the cloud (something we'll be covering in more depth in April's awareness module).

Dust: a physical security risk

If you have ever worked in an IT operations or PC support role, you will probably recognize these filthy PCs, dust-encrusted fans, cases and circuit boards. If not, have you ever looked inside your own PCs and servers? Are they running slowly, perhaps making strange noises or smells? Perhaps it's time to get the lid off and give them a good clean out before something truly awful evolves in there. The physical threats - accumulated dust, hair and miscellaneous critters - are pretty obvious. Most would qualify as biohazards. The vulnerabilities mostly relate to the need to pass lots of cooling air across the heat sinks keeping the CPU and other hot components from meltdown. Some might say the lack of preventive maintenance and regular cleaning are vulnerabilities too, though personally I'd call those control failures. The impacts include overheating, fires, short circuits, that sort of thing, leading to unreliability and failure of the equip...