
ISSUE NUMBER 14. An (ISC)2 Digital Publication. www.isc2.org

The Phenomenon that is Shadow IT
Why individuals and business units buy technology without the IT department's knowledge, the problems it creates, and what can be done to stop it.


Issue 14, 2011, Volume 2
Cover photo by Tom Merton; above illustration by Ikon Images/Robin Heighway-Bury.

To view this issue online, visit www.isc2.infosecpromag.com

[ features ]
The Phenomenon that is Shadow IT. Why individuals and business units buy technology behind IT's back, the problems it creates, and what can be done to stop it. By Peter Fretty
The Rules of Mobile Device Protection. How to spend the money securing mobile devices in the enterprise. By John Soat
Being a Team Leader. How to deal with awkward situations and challenging personalities. By Marie Lingblom

[ also inside ]
Executive Letter: (ISC)2 Makes a Strong Push. From the desk of (ISC)2's Director of Professional Program Development.
Member News: Read up on what (ISC)2 members worldwide and the organization itself are doing.
FYI
Views and Reviews: Attendance Reveals Malware Still a Hot Topic. Highlights from (ISC)2's event moderator.
Inaugural (ISC)2 Security Congress at a Glance
Securing Government: Q&A. Lou Magnotti discusses security challenges and concerns in the government sector.
2011 (ISC)2 Education Resource Guide
Global Insight: A Call for Best-Practice Framework. Security standards to mitigate security gaps in applications. By Lars Magnusson

InfoSecurity Professional is published by IDG Enterprise Custom Solutions Group, 492 Old Connecticut Path, Framingham, MA 01701 (phone: 508 935-4796). The information contained in this publication represents the views and opinions of the respective authors and may not represent the views and opinions of (ISC)2 on the issues discussed as of the date of publication. No part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of (ISC)2. (ISC)2, the (ISC)2 digital logo and all other (ISC)2 product, service or certification names are registered marks or trademarks of the International Information Systems Security Certification Consortium, Incorporated, in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. For subscription information or to change your address, please visit www.isc2.org. To order additional copies or obtain permission to reprint materials, please email infosecproeditor@isc2.org. To request advertising information, please email tgaron@isc2.org. © 2011 (ISC)2 Incorporated. All rights reserved.


(ISC)2 Security Congress 2011
Sept. 19-22, 2011, Orlando, FL
Where Traditional and Logical Security Meet

Announcing the first annual (ISC)2 Security Congress, which will be collocated with the ASIS International 57th Annual Seminar and Exhibits. This event promises to provide attendees five days packed with education and networking opportunities, and will bring together security professionals from all disciplines, making it one of the largest security conferences in the world.
- 700 plus exhibitors from both programs
- Around 200 conference sessions available throughout 22 education tracks
- Exclusive (ISC)2 Town Hall, Member Reception and Safe and Secure Online volunteer orientation
- Open to all individuals in the information security profession
- Two-day Intensive Education Seminars for the CISSP and CSSLP certifications
- (ISC)2 exam on September 18th
- Free 1/2 day credential clinics for CISSP, SSCP, CAP and CSSLP
- Earn CPEs for attending the conference

Visit www.isc2.org/congress2011 for more information and special member pricing.

Executive Letter: (ISC)2 Makes a Strong Push
From the desk of the (ISC)2 Director of Professional Programs Development

Security Congress and results of Job Task Analysis offer members new and continuing opportunities.

We're quite pleased to launch the (ISC)2 Security Congress, which will be (ISC)2's largest annual, worldwide event. It will be held in conjunction with the ASIS International 57th Annual Seminar and Exhibits, from September 19-22 in Orlando, Fla. This is a great opportunity for our members to meet, exchange ideas and network. While (ISC)2 has experience in information security, access, governance and control, ASIS is known for its contributions to physical security. There is much to learn from one another. If you haven't already investigated the event, I highly encourage you to do so. As you'll see on page 16, many great presentations and discussions will be offered. To find out more and to register, visit: www.isc2.org/sc2011/default.aspx

Meanwhile, we recently received the results of the Job Task Analysis (JTA) for the CISSP and SSCP credentials. The JTA is the single most important activity that shapes our certifications. Without it, we would have no way of ensuring that the exams are relevant to our members' day-to-day roles as information security professionals. We undergo the JTA process every three years, in four stages:

1. We announce the JTA on social networking sites, such as InterSeC, and ask for feedback and suggestions. It's important that we understand and account for new trends such as mobility, social media and cloud computing.

2. We establish a focus group of 20-plus people, including members, topical industry experts, and individuals from the CBK committee. The group meets for two days, reviewing the existing exam blueprint line by line, covering all 10 domains and their subdomains, and incorporating feedback from the general announcement.

3. We prepare a survey that includes the top domains that we propose to change. It is then sent to the credential holders; this year that included about 72,000 CISSPs. The rate of return is very important for accuracy and statistical strength. This year, we had a solid CISSP survey return rate of 22 percent.

4. The results are compiled by a psychometrician. Depending on the findings, the original focus group looks at the survey again and makes deletions or additions. Once the evaluation and analysis are complete, we create the final exam blueprint and turn that into a document called the Candidate Information Bulletin (CIB), with complete domain descriptions. We post the CIB for at least six months before we offer the updated exam, and strongly urge individuals to review it before taking the exam.

At this point, we are writing the CIB for the updated CISSP, and in early 2012 we'll introduce the new exam. The CSSLP will soon follow, and it will be published a bit later in 2012.

We're very proud of our JTA process. It goes above and beyond what the American National Standards Institute requires. Our certifications would not be "Gold Standard" if it didn't.

I hope to see you at the Security Congress in September and hear your feedback on the JTA.

Sincerely,
Dr. Vehbi Tasar, CISSP, CSSLP
Director of Professional Programs Development, (ISC)2

FYI: (ISC)2 Member News

(ISC)2 Education Program Wins 2011 SC Award

(ISC)2 is proud to have won the Best Professional Training Program award. The distinction was announced during RSA 2011 in San Francisco. (ISC)2 has now won five awards from this magazine, including two in the category of Best Professional Certification Program. "We are honored and thrilled to receive another prestigious award from SC Magazine," says W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director of (ISC)2. "In the dynamic information security profession, domain knowledge and ongoing education play a critical role in our members' ability to effectively prepare for threats and safeguard against them. It's extremely satisfying to be recognized for our efforts to provide them high-quality, current and convenient education offerings."


Representing Latin America

(ISC)2 recently established a Latin American Advisory Board (LAAB), which includes senior information security professionals. The LAAB will address workforce issues and provide assessments and insights into the information security profession in the region.

Members include: Gabriel Bergel, CISSP, head of IT security, ING; Willian Caprino, CISSP, co-founder and chairman, You Shot the Sheriff (information security conference), and information security specialist, Cielo; Gerardo Castillo, CISSP, IT infrastructure manager, National Instruments; Daniel Diniz, CISSP, information security officer for MAC; Geraldo Fonseca, CISSP, corporate information security officer, Operador Nacional do Sistema Elétrico (ONS); Walmir Freitas, CISSP, chief information security officer, Ernst & Young; Jefferson Gutierrez, CISSP, manager of Information Protection Services practice, KPMG Colombia; Ivan Martinez Ivanov, CISSP, director identity management, IRS Mexico; Francisco Milagres, CISSP, senior manager, IT Advisory Services, KPMG Brazil; Kleber Melo, CISSP, deputy security officer at LAM HSBC Bank and LAAB co-chair for (ISC)2; Nelson Novaes Neto, CISSP, chief security officer, UOL Diveo; Anderson Ramos, CISSP-ISSAP, ISSMP, SSCP, business development for Latin America and LAAB co-chair for (ISC)2; Ramiro Rodrigues, CISSP, chief security officer for BT Latin America; Ezequiel Sallis, CISSP, senior information security specialist, Root-Secure Director; Sergio Torrontegui, CISSP, information risk manager, AXA.

The LAAB most recently met in April, and discussed how (ISC)2 can help support its local members. "It's important that professionals in Latin America have a prominent voice so that we can meet the evolving demand for skills," says W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director of (ISC)2. "We hope that by working with the members of the LAAB, (ISC)2 can have a positive impact on the obstacles the region is facing to foster a skilled information security workforce."

A Global Board

For the first time, the (ISC)2 Board of Directors Executive Committee comprises only non-U.S. representatives. The committee includes: Diana-Lynn Contesti, CISSP-ISSAP, ISSMP, SSCP, chairperson (Canada); Freddy Tan, CISSP, vice-chairperson (Asia); Richard Nealon, CISSP, SSCP, CISM, CISA, secretary (Europe); Flemming Faber, CISSP, treasurer (Denmark). More information is available at: https://www.isc2.org/PressReleaseDetails.aspx?id=7435.

1st Annual Security Congress 2011

See pages 16-17 for the Security Congress 2011 at a glance. Collocated with the ASIS International 57th Annual Seminar and Exhibits, this event will bring education and networking opportunities to the largest security conference in the world.


A Scholarly Effort

(ISC)2 awards scholarships to support the research and career aspirations of students and faculty who are conducting critical research and propelling the information security profession forward. The 2010 recipients include:

Tim Vidas, CISSP, Carnegie Mellon University, Pittsburgh, U.S. Tim was awarded a travel grant to present his paper on the need for and creation of a digital forensics memory corpus at the HICSS-44 conference, which was held in January 2011.

Oscar Castaneda, CISSP, SSCP, Delft University of Technology, Delft, Netherlands. Oscar was awarded a grant for his research in application security.

Cheng Yueqiang, Singapore Management University, Singapore. Cheng was awarded a grant for research in cloud computing (virtualization-based security).

A Leadership Vote

Nominations for the 2011 (ISC)2 U.S. Government Information Security Leadership Awards (GISLA) are open through July 29. Please nominate a deserving federal information security leader in one of the five categories: Community Awareness; Federal Contractor; Process/Policy Improvement; Technology Improvement; Workforce Improvement. For more information or to nominate, visit www.isc2.org/gisla.

SecureAsia@Jakarta

Now in its 6th year, (ISC)2 SecureAsia is Asia-Pacific's most influential gathering of information security professionals. Endorsed by the Ministry of Communication and Information Technology and the Ministry of Defense of the Republic of Indonesia, SecureAsia@Jakarta will cover key information security issues that organizations need to address in today's environment of rapidly changing technology, coupled with the growing sophistication of cyber threats and attacks. Senior information security professionals from government, industry and academia will provide insight into the measures that organizations should take to protect their information assets from both internal and external threats. Join information security experts at SecureAsia@Jakarta and equip yourself with knowledge that you can use in the workplace.

Register at www.informationsecurityasia.com/register. (ISC)2 members will earn up to 16 CPE credits; don't forget to enter your certification number upon registration. E-mail SecureAsia@isc2.org for any inquiries.


Moderator's Corner
Views and Reviews from (ISC)2's Event Moderator

Attendance Reveals Malware Still a Hot Topic

As the year has gained momentum, I've been reflecting on the (ISC)2 ThinkT@nk events that have been held since the last issue of this magazine. Based on the sheer number of people who attended the two roundtables on malware and the volume of questions that were posed, I believe that this threat is not yet behind us. With some labs reporting up to 60,000 pieces of new malware identified each day, I guess it should come as no surprise.

In the "Old Threats, New Vectors" seminar, we dug into the shifting danger of malware and how it is creeping in through Web applications. Many malware attacks come through websites we visit every day; when they appear on social media sites such as Facebook, they exploit our users' trust in their own social networks. Does this trend point to the obsolescence of traditional user awareness training? Find out more by checking out this seminar in the archive: http://bit.ly/OldThreatsNewVectors.

While security concerns seem to be what is holding back rapid cloud adoption, I continue to find it interesting how much security technology we are pushing outside of the enterprise. It all started with vulnerability scanning many years ago, and as we discussed in the "Inside Out" roundtable, a move is afoot to migrate malware protection beyond our perimeter. As more and more threats come in through the Web, these proxy-based models make sense as an additional layer of protection, especially for the mobile workforce. You can view the archived event here: http://bit.ly/InsideOut-MovingMalwareProtection. I think you'll find this discussion interesting, as it touches not only on the technical implications of such a model, but also on the impact that similar services can have on us as information security professionals.

As I prepare for the second half of the year, I look forward to watching the continued evolution of our shared profession and await your insightful questions in the next (ISC)2 ThinkT@nk.

Brandon Dunlap, Managing Director of Research, Brightfly. bsdunlap@brightfly.com, www.brightfly.com

Management Team: Elise Yacobellis, Executive Publisher, 727 683-0782, eyacobellis@isc2.org; Timothy Garon, Publisher, 508 529-6103, tgaron@isc2.org; Marc G. Thompson, Associate Publisher, 703 637-4408, mthompson@isc2.org; Amanda D'Alessandro, Corporate Communications Specialist, 727 785-0189 x242, adalessandro@isc2.org; Sarah Bohne, Senior Communications Manager, 616 719-9113, sbohne@isc2.org; Judy Livers, Senior Manager of Marketing Development, 727 785-0189 x239, jlivers@isc2.org.
Sales Team: Christa Collins, Regional Sales Manager, U.S. Southeast and Midwest, 352 563-5264, ccollins@isc2.org; Jennifer Hunt, Events Sales Manager, 781 685-4667, jhunt@isc2.org; Lisa O'Connell, Regional Sales Manager, 781 460-2105, loconnell@isc2.org.
IDG Media Team: Charles Lee, Vice President, Custom Solutions Group; Amy Freeman, Project Manager; Anne Taylor, Managing Editor; Joyce Chutchian, Editor; Kim Han, Art Director; Lisa Stevenson, Production Manager.


Don't forget to take the quiz and earn CPEs: http://bit.ly/igN8AM

For a list of events (ISC)2 is either hosting or sponsoring, visit www.isc2.org/events


The Phenomenon that is Shadow IT

Peter Fretty investigates why individuals and business units buy technology behind IT's back, the problems it creates, and what can be done to stop it.

Technology can be an impetus to gaining competitive advantage, enabling better customer service and enhancing revenue generation. But when IT and security departments can't keep pace with technology, problems arise. Sometimes individuals or entire business units go rogue, in a sense, purchasing new software or systems without involving IT.

This practice, known as shadow IT, is far more common than many IT professionals would like to admit. "In many cases, either individuals or departments are not aware of the approval process to install their own software. Or, they may be aware of the process but think it is ineffective or takes more time than is available to them," says Chris Trautwein, CISSP, information security officer for (ISC)2. "Sometimes they go outside of IT because the IT department says no to their technology request, yet they still believe they need the specific software."

"Another reason is that privileges are not set properly on individual computers. For instance, when the user has [Microsoft] XP installed on their computer, this situation makes the user a local administrator," he adds. "The result is a lack of technical control to stop the user from installing unapproved software. This is probably the most common reason."

All companies, no matter what size, are susceptible to shadow IT. And the increase in cloud computing offerings has complicated the already touchy issue, says Irfan Saif, a principal with Deloitte Consulting LLP. "Most recently, the growth of shadow IT has been facilitated by the range of feature-rich tools available through channels such as the cloud, where collaboration, social media, and other tools such as VoIP and SaaS applications are all easily available, and can be procured and integrated into current business practices without IT's involvement," he says.

The Problems with Shadow IT

The reverberations of shadow IT purchases can be painful: higher security management costs, compliance inconsistencies and the potential for data breaches. "Shadow IT organizations, which may not be as mature from an enterprise operations point of view, may not properly consider data protection, business resiliency needs, intellectual property risks or even the appropriate legal and compliance constructs within their contracts," says Saif. "Not only does this ultimately prevent risk managers and auditors from having an accurate picture of the situation, but it also elevates the risk profile and potentially will cost the company more money in terms of operational and management costs to identify and deal with these environments, often inconsistently."

Of course, the impact on the organization can vary significantly depending on the type of software installed or the services contracted, explains Trautwein. "Data leakage is understandably one of the biggest concerns, especially since it's impossible to secure the unknown," he says. "But there is also the issue of improper licensing, which can open the organization up to a number of compliance issues. The other concern is the patching problem; you cannot patch applications you do not know are installed. Again, this can lead to serious vulnerabilities capable of crippling an organization."

How to Gain Control

After acknowledging its existence, it is crucial for IT and security leaders to take steps to eliminate occurrences of shadow IT:

Create an Enforceable Policy. Every organization needs an acceptable use policy that clearly indicates what users are allowed to do without IT approval, including software installation and using third-party sources. "Beyond having a policy, it's important to have users actually sign a compliance statement that indicates they understand the policy and that they agree to abide by it," Trautwein says. At the same time, the IT department needs to be very responsive to the needs of its users, he adds. "When you are responsive, you can eliminate users circumventing policies. It helps to be involved and treat users as customers with service level agreements. Outline how rapidly you will provide responses to their requests and stick to the agreement. Users appreciate when you are on the same page as them."

To facilitate policy creation and enforcement, Pamela Fusco, vice president of International Information Systems Security Association, recommends starting an internal security roundtable. "It's an excellent opportunity to bring in representatives from each of the business units and discuss the policies from a corporate, geographical and industry perspective," she says. "Everyone gets to see the big picture and collaborate, while setting the stage for business units to adopt standard security practices. Of course, for this to succeed, you need to understand it takes a true culture shift. The word 'security' itself causes walls to come up, but you need to have a positive attitude to help the shift."

From a technical point of view, security professionals must configure user systems or accounts with proper privileges, says Trautwein. "It's crucial to make sure users lack the ability to install software on their systems rather than allowing them to serve as local administrators," he says. "If the company upgrades individual systems to a more modern operating system, it is much easier to issue user-level access. This is one of the most crucial steps."

Focus on Enabling. The security team should focus on enabling business units and educating the entire organization about the dangers of shadow IT practices. "It is security's job to make it clear that business units need to analyze whether or not their siloed decision introduces a risk that can bring the whole company down, rather than simply affecting one business unit," Fusco says. "When you are focused on revenue generation, it can be difficult to see the big picture."

Ultimately, the emergence of shadow IT should serve as a lesson to IT professionals that it is important to recognize when to let go of legacy systems, she adds. "We need to look at what we refuse to let go. Sometimes it's the users who help us evolve. When we hold legacy systems as critical applications for too long, it can open the organization up to massive risks."

Saif recommends information security professionals capitalize on the fact that support is an area where shadow IT functions often struggle. The key is to avoid punishing and focus on enabling. Coming to their assistance opens the door to establishing a solid, sustainable connection. "The challenge, however, is always speed and whether IT can move fast enough to meet the needs of the business, a key driver for shadow IT groups in the first place," says Saif. "Demonstrating that IT can be an enabler, as opposed to an obstacle, and can help provide support and ultimately manage cost and risk within the organization should help reduce the occurrence of shadow IT."

Stay Engaged. By being proactive and engaged throughout your organization, it's possible to prevent business units from creating shadow IT environments in the first place, says Saif. "CIOs and CISOs must strive to develop an inclusive enterprise process with the input of key business stakeholders to capture the needs and desires of the business and enable them, while keeping security, data privacy, business resilience, compliance and other risks in mind. This process must also enable swift decision-making, particularly when the business needs relate to quickly procuring or building certain services, or starting up platforms for development and testing." A common example is the procurement of cloud computing applications. "Often, IT is unable to approve or provide alternatives quickly enough," says Saif. "Consequently, the business moves forward without IT having any visibility or involvement. In instances where established processes are insufficient to meet business unit needs, exceptions should be approved, but managed with the support of IT."

According to Trautwein, engagement means IT and security must secure an active role in organizational management. "This way, as important changes happen throughout the organization, you are a part of facilitating strategic changes instead of always reacting," he says. "This is a big step in helping other business units avoid relying on third-party sources."

Information security professionals need to understand where the company is headed if IT is going to realistically plan its assets, asserts Fusco. "Where is the company going, where does it want to be in three years and what will the competition and industry look like in three years? Engagement is the only way we can accurately answer these questions."

Peter Fretty is a freelance business and technology writer based in Michigan.
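The two technical points in the article, that users running as local administrators can install whatever they like and that IT cannot patch what it does not know is installed, are both inventory problems. The script below is an added example, not code from the article, from (ISC)2 or from any endpoint vendor: it reconciles a host inventory (local Administrators membership plus installed software) against an approved catalog and a sanctioned-admin list, and then correlates the two so that hosts where an unsanctioned admin coexists with unapproved software surface first. The host records, catalog, product names and field names are all constructed for illustration and are not any real agent's schema.

```python
"""Reconcile an endpoint inventory against an approved-software catalog and a
local-administrator allowlist.

Added example, not code from the article or from (ISC)2. The host records, the
catalog and the sanctioned-admin list are constructed for illustration; the
field names are assumptions, not any endpoint agent's real schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Approved catalog: product -> minimum version the help desk keeps patched.
# Hypothetical products and versions.
APPROVED_CATALOG: Dict[str, Tuple[int, ...]] = {
    "Microsoft Office": (14, 0, 6023),
    "Adobe Reader": (10, 1, 0),
    "Enterprise AV": (5, 2, 0),
}

# Only these principals are expected in the local Administrators group.
SANCTIONED_ADMINS = {"CORP\\Domain Admins", "CORP\\DesktopSupport"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'14.0.6023.1000' -> (14, 0, 6023, 1000); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare versions of unequal length by right-padding with zeros."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass
class Host:
    name: str
    local_admins: List[str]            # members of the local Administrators group
    software: List[Tuple[str, str]]    # (product, installed version)


def audit_inventory(hosts: List[Host]) -> Dict[str, List[Tuple[str, str]]]:
    """Return findings grouped by category as (host, detail) pairs."""
    report: Dict[str, List[Tuple[str, str]]] = {
        "unsanctioned_local_admin": [],
        "unapproved_software": [],
        "below_patched_version": [],
    }
    for host in hosts:
        for member in host.local_admins:
            if member not in SANCTIONED_ADMINS:
                report["unsanctioned_local_admin"].append((host.name, member))
        for product, version in host.software:
            minimum = APPROVED_CATALOG.get(product)
            if minimum is None:
                # Nobody in IT knows this is installed, so nobody patches it.
                report["unapproved_software"].append((host.name, f"{product} {version}"))
            elif version_lt(parse_version(version), minimum):
                report["below_patched_version"].append((host.name, f"{product} {version}"))
    return report


def shadow_it_hosts(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Hosts where an unsanctioned local admin coexists with unapproved software:
    the missing technical control and its consequence on the same machine."""
    admins = {host for host, _ in report["unsanctioned_local_admin"]}
    unapproved = {host for host, _ in report["unapproved_software"]}
    return sorted(admins & unapproved)


# Constructed sample inventory (three workstations).
SAMPLE_HOSTS = [
    Host("WS-0141", ["CORP\\Domain Admins", "CORP\\jsmith"],
         [("Microsoft Office", "14.0.6023.1000"), ("Dropbox", "1.1.35"),
          ("Enterprise AV", "5.2.0")]),
    Host("WS-0207", ["CORP\\Domain Admins", "CORP\\DesktopSupport"],
         [("Microsoft Office", "14.0.6023.1000"), ("Adobe Reader", "9.4.2"),
          ("Enterprise AV", "5.2.0")]),
    Host("WS-0315", ["CORP\\Domain Admins"],
         [("Microsoft Office", "14.0.6023.1000"), ("Adobe Reader", "10.1.0"),
          ("Enterprise AV", "5.2.0")]),
]

if __name__ == "__main__":
    findings = audit_inventory(SAMPLE_HOSTS)
    for category, items in findings.items():
        for host_name, detail in items:
            print(f"{category:26} {host_name:8} {detail}")
    print("shadow IT candidates:", shadow_it_hosts(findings))
```

On the constructed data, WS-0141 is the interesting host: a named user in the Administrators group and a product nobody approved, which is exactly the combination Trautwein describes. WS-0207 is not shadow IT at all, just an approved product that has fallen behind the patched baseline, and the report keeps the two categories separate so the remediation (remove the privilege versus push a patch) is different.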

protection
12
InfoSecurIty ProfeSSIonal
ISSUE NUMBER 14

I llU St R at I o N By G o R D o N St U D E R

The rules of mobile device

Funds are becoming available to help secure mobile devices in the enterprise.

think carefully about how to spend that money, advises John soat.
recent survey of 300 cIos sponsored by Mformation, 78 percent admitted they dont know all the devices that are connected to their corporate networks. That reflects a lack of corporate policy around connecting devices to the network, and opens the door for great risk. It also makes for great entrepreneurial opportunity. Mobile security technology is a growing area of interest in the It marketplace. for example, last December a mobile security startup firm called lookout Mobile Security received $19.5 million in venture funding. and in an april 2011 column in The Motley fool, analyst Stephen Marini advised investors to consider mobile security software vendors, in particular those with the financial wherewithal to develop these new mobile products and still churn out a good profit from their old Pc-, server-, or networkbased ones, because this trend isnt going to happen overnight.

Mobile-device related security threats are on the rise for businesses everywhere. In its 2010 Internet Security Threat report, software vendor Symantec documented 163 vulnerabilities during 2010 that could be used by attackers to gain partial or complete control over devices running popular mobile platforms. Thats up from 115 in 2009. Information security professionals must mitigate the risk of the mobile momentum. fortunately, enterprise and It leaders are turning their discussions about mobile security into dollars to fund it. a CSO magazine survey indicates that 58 percent of security executives plan to increase budgets for mobile security solutions in 2011, by an average of 13 percent. the dilemma they face is where to spend those funds.

nearly one-third of u.S. residents 12 years and older own smartphones, according to a March 2011 survey by arbitron and edison research. and according to aBI research, the number of smartphones shipped worldwide in 2010300 million represents a staggering 71 percent jump from the year before. technology adoption of that order cant help but impact the corporate environment. employees increasingly want to take advantage of the productivityenhancing characteristics of smartphones and tablets. and, not surprisingly, they want to use their personal mobile devices while at work. This puts considerable pressure on organizations to institute comprehensive mobile computing device usage policieswhich they often do too late, according to mobile management vendor Mformation. In a

Widespread and GrowinG

not all members of the information security community agree that mobile devices are the next major attack front for criminal hackers. forrester security analyst andrew Jaquith posted the provocatively-titled blog entry The Mobile Security Threat is overblown in april 2010. His main points: n There is no predominant operating system in the mobile world as there is in the Pc world (e.g., Windows); n Mobile devices are smaller and simpler and inherently more secure than Pcs; n attacks so far against mobile devices have been limited and relatively benign. Theyre all fair arguments. There are several significant mobile operating sys-

whats the problem?

tems, including apples ioS, Googles android, and Microsofts Windows Phone 7, and rIMs BlackBerry oS. That diversity makes writing malware for those systems more complicated and less financially viable. However, a couple of platforms may become more predominant. aBI research predicts that android will represent 45 percent of the smartphone market by 2016, with ioS coming in at 19 percent. as for hacker attacks, nothing in the mobile environment has rivaled the viruses and worms that have roiled the Pc world in the last 20 years. But there are increasing reports of applications infected with malware making their way into the mobile ecosystem. a recent attack, known as DroidDream, required Google to expunge more than 50 infected apps from its android application marketplace, according to reports. Part of the problem has to do with the fact that these devices were designed as consumer products, not enterprise technology, says adam Meyers, director of cybersecurity intelligence for Sra International, a consulting firm. Security is not on the priority list, he says. Vendors have had to retrofit management and security capabilities into their products, such as apples Mobile Device Management software. Meyers refers to these efforts as baby steps into the enterprise in terms of supporting these devices.

What Needs To Be Done?

There are three primary vectors when it comes to the mobile security threat, according to Meyers: voice; data in motion (such as over an unsecured wireless network); and data at rest (such as an iPad left behind in a taxicab). And there are two basic rules for mobile security: "Don't send anything in e-mail that you could say on the phone, and don't say anything on the phone that you can say in person," Meyers warns.

That's good advice, says Mike Higgins, professor of information security at Northeastern University in Boston, but it's not quite a comprehensive mobile security strategy. A more systematic approach is required.

The first order of business when it comes to securing mobile devices in the enterprise, according to Higgins, is simple: register them. "If you want to control it, they've got to be registered," he says. That demands a strict accounting, including "who's using it and what are they using it for," he adds.

Enforcing enterprise security rules that are most likely already in place for traditional network clients (e.g., antivirus updates; OS upgrades; firewalls) is next on the list, says Higgins. Enforcing rules around applications and third-party software is especially important, because the smartphone's biggest security threat is also its most appealing feature: the ability to download applications over the Internet. Apple offers 350,000-plus iPhone apps in its App Store, and Google's Android Market is rapidly expanding. Keeping end-users' hands off this treasure trove of technology is difficult, if not impossible. Indeed, a new word has entered the security lexicon: jailbreak. It means to defeat the restrictions built into a smartphone's operating system (on iOS, the code-signing checks that limit installs to App Store applications) so that unapproved applications can run. Jailbreaking smartphones is an Internet cottage industry, allowing users to customize their devices and even switch network carriers (strictly, a carrier "unlock" is a separate modification, though it has commonly depended on a jailbreak first). A jailbroken device also defeats any enterprise control that relies on the operating system to enforce policy, which is why jailbreak detection belongs alongside the registration and enforcement steps above.

The final order of business in a comprehensive mobile security strategy is loss prevention, says Higgins. He explains that a skilled hacker can access a smartphone's data, like customer lists and e-mail, in a surprisingly short amount of time. "In six minutes [the hacker] can own it," he says. Security professionals must be able to lock down lost mobile devices and perform a remote wipe of all data, or at a minimum be able to remove any mobile documents as well as calendar listings and e-mail history. A remote wipe only takes effect when the device next reaches the management server; a thief who pulls the SIM or keeps the device offline never receives the command, so on-device encryption behind a strong passcode is the control that actually protects data at rest.

What's Available?

There is a nascent but expanding marketplace of mobile security technology. For instance, Lookout Mobile Security offers antivirus software for the Android, BlackBerry, and Windows Phone platforms. Symantec is ramping up its mobile security software offerings. And there are a growing number of open source applications intended for mobile security, points out Meyers.

Still, information security professionals might want to consider these solutions carefully. "There's no silver bullet for this stuff," says Meyers. For one thing, "a lot of these devices have restrictive programming interfaces," he says, which means third-party security applications can be difficult to implement, especially when trying to support all of the various mobile OS platforms. Instead, think in terms of products in combination to address the entire scope of the problem, Meyers says.

There are systems emerging that incorporate many of the capabilities needed to manage a polyglot mobile environment. Companies such as Mformation, Mobile Active Defense (MAD) and Zenprise offer management consoles that incorporate and integrate security features such as password protection, encryption, antivirus, antimalware, network application inspection, and remote-wipe capabilities. These console systems are a "back to the future" security strategy in that they recreate the strict management and security capabilities of the proprietary BlackBerry Enterprise Server, except they support a variety of mobile platforms and devices, says Eric Green, security consultant and advisory board member of MAD. According to Green, comprehensive security means looking at the mobile environment as a whole. "The real threat needs to be mapped out," he says.

Some organizations already are thinking along these lines. For instance, a U.S. federal government agency is in the process of evaluating such mobile management/security systems, says one of its security executives. The major requirements the agency is using for its evaluation are the following:

• Multi-platform support (all non-BlackBerry device platforms)
• Whitelisting/blacklisting of applications
• Centralized management with distributed administrative rights
• Uses groups and roles for application of different device security policies
• Over-the-air enrollment
• Over-the-air configuration changes
• Jailbreak detection/configurable automated response
• Remote enable/disable/wipe device
• Ability to leverage existing reporting systems

Higgins says he understands the advantages of a central management device to support the ongoing influx of mobile devices. For one thing, the mobile device tide cannot be turned back. "That being the case, how do we bring them all under control?"
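As an added illustration, not the agency's evaluation tool or any vendor's console code, the following Python turns that requirement list (and Higgins's register / enforce / loss-prevention sequence above) into an automated per-device decision: roles carry different policies, applications are checked against a whitelist or blacklist, a detected jailbreak triggers the response configured for the role, and a lost device is wiped. The role names, application identifiers, minimum OS versions and the five device records are constructed assumptions; a real console would take the device facts from its own over-the-air agent.

```python
"""Added example (not the agency's or any vendor's code): a per-device compliance
decision built from the requirement list above: roles with different policies,
app whitelist/blacklist, jailbreak detection with a configurable response, and
remote disable/wipe. Role names, app names, version floors and devices are
assumptions constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Policy:
    min_os: Dict[str, Tuple[int, ...]]  # platform -> minimum OS version
    allowed_apps: Optional[Set[str]]    # whitelist; None means not enforced
    blocked_apps: Set[str]              # blacklist, always enforced
    jailbreak_action: str               # configurable: "disable" or "wipe"

@dataclass
class Device:
    device_id: str
    role: str
    platform: str
    os_version: str
    enrolled: bool                      # registered with the console
    jailbroken: bool                    # console's jailbreak check result
    encrypted: bool                     # storage encryption enabled
    installed_apps: List[str]
    reported_lost: bool = False

def parse_version(version: str) -> Tuple[int, ...]:
    """'4.3.3' -> (4, 3, 3); tuples compare component by component."""
    return tuple(int(part) for part in version.split("."))

# Assumed role policies: executives get a strict whitelist and an immediate
# wipe on jailbreak; general staff get a blacklist and a softer "disable".
POLICIES: Dict[str, Policy] = {
    "staff": Policy({"ios": (4, 3), "android": (2, 3)}, None,
                    {"rogue.flashlight"}, "disable"),
    "executive": Policy({"ios": (4, 3), "android": (2, 3)},
                        {"mail", "calendar", "vpn"}, set(), "wipe"),
}

def evaluate(device: Device, policies: Dict[str, Policy] = POLICIES
             ) -> Tuple[List[str], List[str]]:
    """Return (findings, actions); a wipe supersedes every other action."""
    findings: List[str] = []
    actions: List[str] = []
    # Register them: an unregistered device gets no further trust.
    if not device.enrolled:
        return ["not registered"], ["deny network access"]
    policy = policies.get(device.role)
    if policy is None:
        return [f"no policy for role {device.role!r}"], ["disable"]
    # Loss and jailbreak are checked first: either one means the device's own
    # reporting is no longer trustworthy, so they drive the response.
    if device.reported_lost:
        findings.append("reported lost")
        actions.append("wipe")
    if device.jailbroken:
        findings.append("jailbroken")
        actions.append(policy.jailbreak_action)
    # Enforce the rules already applied to PCs: OS level, encryption, apps.
    minimum = policy.min_os.get(device.platform)
    if minimum is None:
        findings.append(f"unsupported platform {device.platform}")
        actions.append("disable")
    elif parse_version(device.os_version) < minimum:
        floor = ".".join(str(n) for n in minimum)
        findings.append(f"OS {device.os_version} below minimum {floor}")
        actions.append("require OS upgrade")
    if not device.encrypted:
        findings.append("storage not encrypted")
        actions.append("push encryption policy")
    for app in device.installed_apps:
        if app in policy.blocked_apps:
            findings.append(f"blacklisted app {app}")
            actions.append(f"remove app {app}")
        elif policy.allowed_apps is not None and app not in policy.allowed_apps:
            findings.append(f"app not on whitelist: {app}")
            actions.append(f"remove app {app}")
    if "wipe" in actions:
        return findings, ["wipe"]
    return findings, list(dict.fromkeys(actions))  # dedupe, keep order

# Constructed sample inventory, not real devices.
SAMPLE_FLEET: List[Device] = [
    Device("ipad-001", "executive", "ios", "4.3.3", True, False, True, ["mail", "vpn"]),
    Device("iphone-002", "executive", "ios", "4.3.3", True, True, True, ["mail", "game"]),
    Device("droid-003", "staff", "android", "2.2", True, False, False, ["mail", "rogue.flashlight"]),
    Device("droid-004", "staff", "android", "2.3.4", False, False, False, ["mail"]),
    Device("ipad-005", "staff", "ios", "4.3.3", True, False, True, ["mail"], reported_lost=True),
]

def compliance_report(devices: List[Device] = SAMPLE_FLEET) -> Dict[str, Tuple[List[str], List[str]]]:
    """Evaluate a fleet; the dict is what an existing reporting system would ingest."""
    return {d.device_id: evaluate(d) for d in devices}

if __name__ == "__main__":
    for dev, (findings, actions) in compliance_report().items():
        print(f"{dev}: findings={findings or ['compliant']} actions={actions}")
```

Ordering is the point of the example: the lost and jailbreak checks run before the OS and application checks because, once a device is jailbroken, the agent's own reports (installed apps, encryption state) may be false, so the response is taken from the role's configured action rather than from anything else the device claims about itself. Running the block prints one line per sample device; the compliant iPad gets an empty action list, the jailbroken executive phone collapses to a single wipe, and the unregistered Android handset is refused network access before any other check is attempted.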

What's the End Game?

"Most companies are still in the early stages of identifying vulnerabilities, identifying remediation, and really developing strong backgrounds in mobile security, in terms of policy," says Meyers. Unfortunately, given the onslaught of mobile devices into the enterprise, that's something of a build-the-fort-while-the-battle-rages situation. Careful consideration should help information security professionals integrate effective strategy with cutting-edge mobile security technology to support this new business imperative.

John Soat is a freelance business and technology journalist based in Ohio.


TARGET: DoD Mandate 8570.1   ACTION: Learn the CAP CBK

Is the DoD Mandate in your crosshairs? Pull the trigger. Get a sneak peek into the CAP domains, FREE for a limited time at www.isc2.org/previews. Watch these 10-15 minute webcasts, presented by an (ISC)2 Authorized Instructor, which provide an overview of what you should know before taking the CAP exam. The webcast series focuses on unique aspects of the CAP, including the value of the certification, each of the 7 CAP CBK Domains, and how to study for the exam.

Connect with us: www.isc2intersec.com | https://twitter.com/isc2 | www.facebook.com/isc2fb

(ISC)2 Security Congress, Collocated with the ASIS International 57th Annual Seminar and Exhibits

The first annual (ISC)2 Security Congress offers invaluable education to all levels of information security professionals, not just (ISC)2 members. This event will provide information security professionals with the tools to strengthen their security without restricting their business. (ISC)2 and ASIS International have teamed up to bring education and networking opportunities to the largest security conference in the world. Register today at www.isc2.org/congress2011.

EXHIBITS: September 19th-21st, 2011 (plus pre-conference events on the 17th and 18th)
LOCATION: Orange County Convention Center, Orlando, Florida, U.S.A.
REGISTER: www.isc2.org/congress2011

Tracks: Cloud Security; Swiss Army Knife (Tips, Tools and Techniques for the Well-Rounded Infosecurity Professional); Application Security; Mobile Security & Social Networking; Governance, Regulation and Compliance; Software Assurance.

Monday, Sept. 19, 2011

11:00am-12:00pm
  Cloud Security: Session 2180 Next Generation Cloud Security Compliance
  Swiss Army Knife: Session 2181 Critical Infrastructure Protection & Risk Management
  Application Security: Session 2182 Integrating Security Concepts into Systems and Application Design
  Mobile Security & Social Networking: Session 2183 Yes You Can: How to Securely Deploy and Manage Enterprise Mobile Devices
  Governance, Regulation and Compliance: Session 2184 A Practical Guide to Implementing a Risk Management Strategy
  Software Assurance: Session 2185 Introduction to the Software Assurance Track

1:45pm-3:00pm
  Cloud Security: Session 2280 Using the Cloud Security Alliance GRC Stack to Attest Vendor Compliance
  Swiss Army Knife: Session 2281 Managing Privacy and Security: The CISO/CPO Dialogue
  Application Security: Session 2282 Software Security: Is OK Good Enough?
  Mobile Security & Social Networking: Session 2283 How to Use Mobile Devices Correctly: Setting Up Security Guardrails (Panel)
  Governance, Regulation and Compliance: Session 2284 New and Pending GRC Legislation and How It Impacts Your Organization (Panel)
  Software Assurance: Session 2285 Measure Software Security

4:30pm-5:30pm
  Cloud Security: Session 2380 Cloud Incident Response
  Swiss Army Knife: Session 2381 Cyber-Security and the Socio-Political Landscape: Going Beyond the Technology
  Application Security: Session 2382 The Economics of Failure
  Mobile Security & Social Networking: Session 2383 The Legal Ramifications of Personal Mobile Devices in the Workplace
  Governance, Regulation and Compliance: Session 2384 TBD
  Software Assurance: Session 2385 Why Do Developers Make These Dangerous Software Errors?

Tuesday, Sept. 20, 2011

11:00am-12:00pm
  Cloud Security: Session 3180 Architecting and Building a Secure Virtual Infrastructure and Private Cloud
  Swiss Army Knife: Session 3181 Data Integrity Debate
  Application Security: Session 3182 Security App-titude
  Mobile Security & Social Networking: Session 3183 The ABCs of Global Mobile Enterprise Compliance
  Governance, Regulation and Compliance: Session 3184 Control and Harmonization of Compliance Efforts Across Multiple Regulations
  Software Assurance: Session 3185 Improve Your SDLC with CAPEC and CWE

1:45pm-3:00pm
  Cloud Security: Session 3280 Forensics and the Cloud (Panel)
  Swiss Army Knife: Session 3281 TBD
  Application Security: Session 3282 Picking the Right Tool for the Job: Using Vendor Tools to Aid in the Development of Secure Code
  Mobile Security & Social Networking: Session 3283 Mobile Applications: Assessing Mobile Risk
  Governance, Regulation and Compliance: Session 3283 Putting Your House in Order: Business Intelligence Gathered from 100+ Sustainable GRC Implementations
  Software Assurance: Session 3285 Risk Analysis and Measurement with CWRAF

4:30pm-5:30pm
  Cloud Security: Session 3380 Debate: Collecting of Personal Information from the Cloud
  Swiss Army Knife: Session 3381 Psychological Principles in Social Engineering
  Application Security: Session 3382 TBD
  Mobile Security & Social Networking: Session 3383 Impact of Social Networking on Security Threats
  Governance, Regulation and Compliance: Session 3384 Security Metrics and Compliance
  Software Assurance: Session 3385 Software Assurance Panel and Wrap-Up

Wednesday, Sept. 21, 2011

11:00am-12:00pm
  Cloud Security: Session 4180 TBD
  Swiss Army Knife: Session 4181 The Reality of Cyber-Centric Terrorism
  Application Security: Session 4182 The Unintended Consequences of Well-Intentioned Requirements
  Mobile Security & Social Networking: Session 4183 Identify, Assess and Mitigate Security Risks Associated with New Mobile Devices and Applications
  Governance, Regulation and Compliance: Session 4184 (4111) Information Technology Security Council Series: Legal and Compliance Aspects of I.T. (Panel)

1:45pm-2:45pm
  Cloud Security: Session 4280 TBD
  Swiss Army Knife: Session 4281 The Renaissance Security Professional
  Application Security: Session 4282 Integrating Security into the SDLC: Enterprise Success Stories (Panel)
  Mobile Security & Social Networking: Session 4283 TBD
  Governance, Regulation and Compliance: Session 4284 Lessons Learned from the Federal Trade Commission

3:30pm-4:30pm
  Session 4380 Closing Keynote Session

Being a Team Leader: How to Deal with Awkward Situations and Challenging Personalities

Complex projects often require the contribution and collaboration of people with diverse abilities, work habits, and personalities. They also require a team leader to make sure everything runs smoothly. "Being an effective team leader is critical in today's business world," says Bob Hewes, a senior partner with Boston-based Camden Consulting Group. "This is doubly important in information security, as technology is rapidly changing. You'll need to draw on different people and experts all the time," he adds.

When information security professionals become team leaders, they must draw on their varied experiences, says Nelson Novaes Neto, chief security officer, UOL Diveo (based in São Paulo, Brazil) and a Latin American Advisory Board member at (ISC)2. "For project success, a team leader must possess not only technical competency, but also the ability to guide the proper development of behavioral competencies, such as negotiation," he says.

Good Leadership is Hard Work

If it's your first time leading a team, how can you prepare yourself? You'll very likely need to motivate individuals who may be difficult, competitive or even disruptive. You'll have to maintain control, but have flexibility to handle shifting project goals and deadlines. "A team leader should think about the team itself, not the project or the deliverables. They have to focus on getting a team working. Part of that is to realize that not everything has to happen in formal team meetings; in fact many key things happen pre- and post-meeting," says Hewes.

Ensuring stakeholders are involved is another critical step. For example, if you're developing an information security program for the customer contact center, be sure to include key personnel from the contact center in some planning meetings. Hewes suggests asking these stakeholders if the scope is accurate and whether or not they agree to it. "You need to make sure that things are on track and that they stay aligned with the project objectives," says Hewes. If not, take action to maintain alignment with goals.

It's also important for the team leader to have solid knowledge of each team member's personality and characteristics, and to provide continuous opportunities for the development of abilities and competencies, says Novaes Neto. "The leader should always remember that motivational factors should be considered on an individual basis. What motivates one person might not motivate another; this is a critical factor in good management." Monitor the progress of each team member, and give specific, constructive and timely feedback. Make sure that all performance issues are discussed openly to help improve the team's and team members' evolution. "Thus, a leader is able to extract success from each professional and from the work," says Novaes Neto.

Another consideration: Don't let the process get overly complicated and try to do too much. "There is a dynamic to team formation and effective team leadership. Some things need to play out and develop over time," says Hewes. "This doesn't mean that you let issues linger, but jumping on every single issue every second is not helpful either."

Dealing with Fluctuations

The team leader should follow, and be prepared to face, changes that might impact risk management, whether they result from new technologies, regulations, natural factors, or academic discoveries, says Novaes Neto. Counting on a multifunctional project team, the leader can control the different variables, planning and developing goals for measuring results, as well as devising corrective action plans when unexpected problems are detected. Hewes agrees and adds that the key is to be aware and flexible. "This goes to operating at a team level. Now, if it is clear from the outset there will be ongoing changes, then maybe this should be a regular item [on meeting agendas] for the team to discuss," he says. If the project scope radically changes, then you may need to consider the team composition, Hewes says. One should regularly look at who should be on a team. Adjustment to team members should not be made on a whim, but membership should not be considered permanent either.

Activities that Improve Team Leadership

It's important for first-time team leaders to prepare themselves by reading topical articles and books. In particular, Novaes Neto suggests becoming familiar with human behavioral development, including training, psychology, and behavioral analysis such as organizational behavior management. "It is very important the team leader shows emotional control in his or her professional, educational and personal activities," says Novaes Neto. A team leader who exhibits high self-control and enthusiasm is able to transmit greater confidence to the team. Meanwhile, adds Hewes, observe others: How do other leaders run both effective and ineffective teams within your organization? "There are lessons in both cases," he says. Novaes Neto also suggests taking advantage of nonwork activities. An out-of-work get-together such as dinner at someone's house, for example, can enhance unity and harmony among team members. You might also suggest informal sporting activities, such as a quick pick-up game of softball or soccer, to motivate and explore teamwork, self-control and creativity.

Team Leadership Characteristics

Nelson Novaes Neto suggests a team leader should develop at least a few of the following characteristics to be successful:

• Gain knowledge of different cultures
• Establish and manage complex internal and external personal relationships
• Construct and maintain alliances to support internal and external initiatives
• Attempt to improve team cohesiveness and synergy under highly complex situations
• Seek and share information to support decision-making or plans, systematically updating the members of the team on the latest developments
• Be a facilitator inside and outside the team, encouraging the resolution of conflicts and divergences
• Develop a policy of coexistence among the team, where members themselves define acceptable and non-acceptable behaviors

Manage or Be Managed

The bottom line is that effective leaders must learn to be flexible and manage difficult personalities, or risk allowing themselves to be managed by them. But that doesn't mean being too autocratic, says Hewes. There are certainly behaviors that team leaders should avoid, including:

• Giving negative feedback in front of others
• Not listening
• Not involving stakeholders
• Forging ahead without a clear charter or idea of team goals
• Not operating on a team level
• Not working through and with others

Taking time to reflect and readjust is vital. Each team has its own developing character. "Look for what is working well and what isn't," says Hewes. "Think about what you should do more of, less of, [what you should] start doing, and [what you should] stop doing." Make adjustments along the way and, above all, listen to the team members.

Marie Lingblom is a freelance technology editor and writer based in Massachusetts.

Q&A: Public Versus Private

Experts address trending security topics. Lou Magnotti, CIO of the U.S. House of Representatives, recently talked with InfoSecurity Professional about security challenges and concerns in the U.S. government sector.

Q: What are the differences in how information security is managed in the U.S. government sector compared with private industry?

A: Private industry is concerned with protecting trade secrets, company-sensitive business information, personally identifiable information (PII) on employees and clients, and maintaining profitability. The government information security concern lies in PII, agency-sensitive data, patents, and remaining within budgetary constraints. These budget constraints place a greater emphasis on the IT department to anticipate technological changes. As hardware and software change, so do the security challenges. Private sector companies have greater leeway in approaching the chief financial officer, explaining the unforeseen threat and hopefully receiving funds to quell the impending problem. On the other hand, government agencies may have to convince other agency departments to surrender some of their budget to facilitate the unforeseen IT threat, or ultimately place the agency in a reactive situation.

Q: What risks do you face in the areas of cloud computing, social media, and mobile technologies?

A: All these areas offer a bigger playing field for communications, as well as for cyber criminals and hackers. Keeping up with these technologies and the security implications requires fiscal and personnel resources. New devices may create an automatic threat to any enterprise system. Thus, policies and procedures must be created and kept current regarding the use of new technology. Conversely, disallowing new devices because of security concerns often negates being able to keep up with the latest developments. In the past, government agencies were often perceived as being behind the times in the use of new IT devices. Today that is further from the truth, and not acceptable due to the need for direct communications with the private sector on a "now" basis.

Q: How can security professionals across the globe work together to combat security threats?

A: The most obvious answer is the timely sharing of information regarding cybersecurity issues. Too many CIOs view security breaches as a direct reflection on their competency, and fear the impact on the company's image. This is counterproductive. One could venture to say that no company is safe from technological advancements and the lurking hacker/cyber criminal. Most people appreciate openness in communicating the extent of damages perpetrated and the method by which the problem is being solved. Secondly, there is a need to address the international scope of cyber crime. A world organization must be established with all members sharing information and prohibiting the protection of cyber criminals from prosecution, thus facilitating unencumbered extradition. This organization would serve all nations at a time when cybercrime is growing by leaps and bounds.

See the Future of IT at Interop New York, Oct. 3-7, Javits Convention Center

Free Expo Pass: Extras to IT's Leading Event. Cloud Computing | Virtualization | Security | Mobility | Data Center | Networking

See all the latest IT solutions from 200+ technology companies. Attend free sessions covering the full range of IT issues. Hear keynotes from industry leaders. Tour the event network, built by volunteers with hand-selected vendors. Attend free classes led by InteropNet engineers. Meet cloud computing and virtualization vendors in a special area. Become an IT Hero. Interop gives you the most important technologies and essential strategies to drive business value from your IT organization.

WORKSHOPS: Oct. 3-4, 2011
CONFERENCE: Oct. 5-7, 2011
EXPO: Oct. 5-6, 2011

Free expo pass or save 25%* with code CPFKNY02 at www.interop.com/newyork

*25% off discount applies to Flex Pass, Conference + Workshop and Conference Passes only. Discount calculated based on the on-site price and not combinable with other offers. Offer good on new registrations only. Proof of IT industry involvement required. Price after discount applied: Flex: $2,306.50, Conference + Workshop: $2,026.50, Conference: $1,606.50.

UBM TechWeb 2011.

Spotlight on 2011 Information Security Education Resource Guide


An information security professionals education tool
Educational institutions listed in this section provide a range of degree programs in the computer science and technology elds, as well as specialized certications in information security disciplines. (ISC) 2 has a network of authorized education afliates worldwide for assistance in obtaining the Gold Standard in information security certications. For specic programs see the individual Web sites listed in this section, and be sure to look for the (ISC) 2 Authorized Education Provider logo to ensure that you are receiving Ofcial (ISC) 2 Review Seminars. Visit http://resourceguide.isc2.org for additional resource Spotlights from (ISC) 2.
AMERICAS Acadia University Jodrey School of Computer Science Wolfville, Nova Scotia, Canada http://cs.acadiau.ca British Columbia Institute of Technology Burnaby, British Columbia, Canada www.bcit.ca Carleton University School of Computer Science Ottawa, Ontario, Canada www.scs.carleton.ca Concordia University Engineering and Computer Science Montreal, Quebec, Canada http://encs.concordia.ca Conestoga College Institute of Technology and Advanced Learning Kitchener, Ontario, Canada www.conestogac.on.ca Dalhousie University Faculty of Computer Science Halifax, Nova Scotia, Canada www.cs.dal.ca McGill University Electrical and Computer Engineering Montreal, Quebec, Canada www.mcgill.ca/ece McMaster University Faculty of Engineering Department of Computing and Software Hamilton, Ontario, Canada www.cas.mcmaster.ca/cas Phirelight Learning Centre Ottawa, Ontario, Canada www.phirelight.com Queens University School of Computing Kingston, Ontario, Canada www.cs.queensu.ca Royal Military College of Canada Department of Electrical and Computer Engineering Kingston, Ontario, Canada www.rmc.ca Ryerson University Department of Computer Science Toronto, Ontario, Canada www.scs.ryerson.ca/scs Simon Fraser University School of Computing Science Burnaby, British Columbia, Canada www.cs.sfu.ca The University of Western Ontario Department of Computer Science London, Ontario, Canada www.csd.uwo.ca Trent University Department of Computing and Information Systems Peterborough, Ontario, Canada www.trentu.ca/cois University of Alberta Faculty of Science Department of Computing Science Edmonton, Alberta, Canada www.cs.ualberta.ca University of British Columbia Department of Computer Science Vancouver, British Columbia, Canada www.cs.ubc.ca University of Calgary Department of Computer Science Calgary, Alberta, Canada www.cpsc.ucalgary.ca University of Manitoba Department of Computer Science Winnipeg, Manitoba, Canada www.cs.umanitoba.ca University of New Brunswick Department of Electrical 
and Computer Engineering Fredericton, New Brunswick, Canada www.unbf.ca/eng/ee University of Ottawa School of Information Technology and Engineering Ottawa, Ontario, Canada www.site.uottawa.ca University of Toronto Department of Computer Science Toronto, Ontario, Canada www.cs.toronto.edu University of Victoria Department of Computer Science Victoria, British Columbia, Canada www.csc.uvic.ca University of Waterloo Faculty of Mathematics School of Computer Science Waterloo, Ontario, Canada www.cs.uwaterloo.ca York University Department of Computer Science Toronto, Ontario, Canada www.yorku.ca Polytechnic University of Puerto Rico Center for Information Assurance for Research and Education San Juan, Puerto Rico www.pupr.edu/poli2008-demo/ ias_center.html Air Force Institute of Technology Center for Cyberspace Research Wright-Patterson Air Force Base Dayton Ohio, United States www.at.edu/ccr Albany State University Albany, Georgia, United States www.asurams.edu Anne Arundel Community College Computer Technologies Department Annapolis, Maryland, United States www.aacc.edu Arizona State University Ira A. Fulton School of Engineering School of Computing and Informatics Information Assurance Center Tempe, Arizona, United States http://ia.asu.edu Auburn University Information Assurance Laboratory Department of Computer Science and Software Engineering Auburn, Alabama, United States www.eng.auburn.edu/users/ hamilton/security Bellevue University College of Professional Studies Bellevue, Nebraska, United States www.bellevue.edu/degrees/graduate/ security-management-ms Berkeley City College Berkeley, California, United States http://vistawww.peralta.edu Boston University Metropolitan College Department of Computer Science Boston, Massachusetts, United States www.bu.edu/met/departments/computer Brandeis University M.S. 
In Information Assurance Waltham, Massachusetts, United States www.brandeis.edu/gps/programscourses/ programs/ias.html California State Polytechnic University Pomona Center for Information Assurance College of Business Administration Pomona, California, United States www.bus.csupomona.edu/cis/cia California State University Center for Information Assurance and Security Sacramento, California, United States http://hera.ecs.csus.edu/csc/iac California State University San Bernardino Information Assurance and Security Management Center San Bernardino, California, United States http://iasm.csusb.edu Capella University School of Business and Technology Minneapolis, Minnesota, United States www.capella.edu/schools_programs/ business_technology/business_ technology_index.aspx Capitol College Graduate Programs in Network Security Laurel, Maryland, United States www.capitol-college.edu/academics/ graduate-academics/graduate-certicates Carnegie Mellon University Information Networking Institute Master of Science in Information Security Technology Information Security (Kobe MSIT-IS) Pittsburgh, Pennsylvania, United States http://www.ini.cmu.edu/degrees/kobe_msit-is INFOSECURITY PROFESSIONAL

ISSUE NUMBER 14

23

Carnegie Mellon University CyLab Usable Privacy and Security Laboratory Pittsburgh, Pennsylvania, United States http://cups.cs.cmu.edu Carnegie Mellon University Software Engineering Institute Pittsburgh, Pennsylvania, United States www.sei.cmu.edu Champlain College Division of Continuing Professional Studies Computer and Digital Forensics Burlington, Vermont, United States www.champlain.edu/cps/undergrad_ degrees/cdf.php Clark Atlanta University Department of Computer and Information Science Atlanta, Georgia, United States www.cis.cau.edu Colorado Technical University Colorado Springs, Colorado, United States www.coloradotech.edu Dakota State University Center for Information Assurance Madison, South Dakota, United States www.dsu.edu/msia/ information-assurance.aspx Dartmouth College The Institute for Security, Technology and Society (ISTS) Hanover, New Hampshire, United States www.ists.dartmouth.edu DePaul University Information Assurance Center Chicago, Illinois, United States http://diac.depaul.edu DeVry University Keller Graduate School of Management 75 locations across the USA United States www.keller.edu Drexel University Department of Electrical and Computer Engineering Philadelphia, Pennsylvania, United States www.ece.drexel.edu East Carolina University Department of Technology Systems Greenville, North Carolina, United States http://www.ecu.edu/cs-tecs/ tech_systems.cfm East Stroudsburg University Computer Science Department East Stroudsburg, Pennsylvania, United States http://www4.esu.edu Eastern Michigan University Center for Regional and National Security Ypsilanti, Michigan, United States www.emich.edu/cerns ECPI College of Technology Hampton, Virginia, United States www.ecpi.edu Emory University Center for Lifelong Learning IT@Emory Computer Forensics Certication Atlanta, Georgia, United States www.cll.emory.edu/it/certications/ computer-forensics Florida State University Department of Computer Science Information Technology Assurance and Security 
Tallahassee, Florida, United States www.cs.fsu.edu/infosec Fort Hays State University Information Enterprise Institute Hays, Kansas, United States www.fhsu.edu/iei Fountainhead College of Technology Center for Information Assurance and Cybersecurity Training Knoxville, Tennessee, United States www.iawire.org

George Mason University; Department of Computer Science; Fairfax, Virginia, United States; www.ise.gmu.edu
George Washington University; School of Engineering and Applied Science; Washington, District of Columbia, United States; www.seas.gwu.edu
Georgetown University; Institute for Information Assurance (GIIA); Washington, D.C., United States; http://www12.georgetown.edu/uis/giia
Georgia Institute of Technology; College of Computing; Atlanta, Georgia, United States; www.cc.gatech.edu
Hagerstown Community College; Technology and Computer Studies Division; Hagerstown, Maryland, United States; www.hagerstowncc.edu/academics/divisions/technology-computer
Idaho State University; National Information Assurance Training and Education Center; Pocatello, Idaho, United States; http://niatec.isu.edu/about.htm
Illinois Institute of Technology; Center for Information Security; Chicago, Illinois, United States; www.iit.edu
Illinois State University; Center for Information Assurance and Security Education; Normal, Illinois, United States; http://cast.illinoisstate.edu/itk/center
Indiana University; Center for Applied Cybersecurity Research; Bloomington, Indiana, United States; http://cacr.iu.edu
Indiana University of Pennsylvania; Institute for Information Assurance; Indiana, Pennsylvania, United States; www.iup.edu/infosecurity
Iowa State University; Information Assurance Center; Ames, Iowa, United States; www.iac.iastate.edu
Jacksonville State University; Center for Information Security and Assurance; Jacksonville, Alabama, United States; http://mcis.jsu.edu/cisa
James Madison University; Information Security Masters Program; Harrisonburg, Virginia, United States; www.infosec.jmu.edu
Johns Hopkins University; Information Security Institute; Baltimore, Maryland, United States; www.jhuisi.jhu.edu
Kansas State University; Center for Information Systems and Assurance; Manhattan, Kansas, United States; www.cisa.ksu.edu
Kaplan University; Fort Lauderdale, Florida, United States; http://studentcenter.kaplan.edu/information-technology
Kennesaw State University; Center for Information Security Education; Kennesaw, Georgia, United States; http://infosec.kennesaw.edu
Lewis University; Institute for Information Assurance; Romeoville, Illinois, United States; www.lewisu.edu/academics/msinfosec/overview.htm
Loyola University; Department of Computer Science; Chicago, Illinois, United States; www.cs.luc.edu/academics/graduate/msit

Macon State College; School of Information Technology; Macon, Georgia, United States; www.maconstate.edu/it
Mercy College; Center for Information Assurance Education; Ferry, New York, United States; www.mercy.edu
Metropolitan State University; College of Management; St. Paul, Minnesota, United States; www.metrostate.edu
Mississippi State University; James Worth Bagley College of Engineering, Department of Computer Science and Engineering; Mississippi State, Mississippi, United States; www.cse.msstate.edu
Missouri University of Science and Technology; Rolla, Missouri, United States; http://cae.mst.edu
National Defense University; Information Resources Management College; Washington, District of Columbia, United States; www.ndu.edu/irmc
National Defense University; Information Resources Management College; Washington, District of Columbia, United States; http://www.ndu.edu/iCollege
Naval Postgraduate School; Center for Information Systems Security Studies and Research; Monterey, California, United States; http://cisr.nps.edu
New Jersey City University; Professional Security Studies Department; New Jersey City, New Jersey, United States; http://web.njcu.edu/sites/profstudies/securitystudies
New Jersey Institute of Technology; College of Computing Sciences; University Heights, Newark, New Jersey, United States; www.ccs.njit.edu
New Mexico Tech; Department of Computer Science; Socorro, New Mexico, United States; http://www.cs.nmt.edu
Norfolk State University; Institute for Information Assurance Research; Norfolk, Virginia, United States; http://sst.nsu.edu/ia
North Carolina A&T State University; Center for Cyber Defense; Greensboro, North Carolina, United States; http://caeiae.ncat.edu/CCD
North Carolina State University; Computer Science Department; Raleigh, North Carolina, United States; http://www.cae-r.ncsu.edu
Northeastern University; College of Computer and Information Science; Boston, Massachusetts, United States; www.ccs.neu.edu
Norwich University; Master of Science in Information Assurance; Northfield, Vermont, United States; http://infoassurance.norwich.edu
Nova Southeastern University; National Center of Academic Excellence in Information Assurance Education; Fort Lauderdale, Florida, United States; http://infosec.nova.edu
Ohio State University; Department of Computer Science and Engineering; Columbus, Ohio, United States; www.cse.ohio-state.edu
Oklahoma City Community College; Oklahoma Center for Information Assurance and Forensics Education (OCIAFE); Oklahoma City, Oklahoma, United States; www.occc.edu/IT/OCIAFE.html


Oklahoma State University; Center for Telecommunication and Network Security (CTANS), William S. Spears School of Business; Stillwater, Oklahoma, United States; http://ctans.okstate.edu
Our Lady of the Lake University; Computer Information Systems and Security; San Antonio, Texas, United States; www.ollusa.edu/s/1190/ollu.aspx?sid=1190&gid=1&pgid=991
Owens Community College; School of Business and Information Systems; Perrysburg Township, Ohio, United States; www.owens.edu/academic_dept/bus_tech/info_tech/index.html
Pace University; Ivan G. Seidenberg School of Computer Science and Information Systems; White Plains, New York, United States; www.csis.pace.edu/csis
Peirce College; Philadelphia, Pennsylvania, United States; www.peirce.edu
Pennsylvania State University; Center for Information Assurance, College of Information Sciences and Technology; University Park, Pennsylvania, United States; http://net1.ist.psu.edu/cica
Polytechnic Institute of New York University; Brooklyn, New York, United States; www.poly.edu
Portland State University; Maseeh College of Engineering and Computer Science; Portland, Oregon, United States; www.cs.pdx.edu
Prince George's Community College; Information and Engineering Technology Department; Largo, Maryland, United States; http://academic.pgcc.edu/iet/security.htm
Princeton University; Center for Network Science and Applications; Princeton, New Jersey, United States; www.princeton.edu/cnsa
Purdue University; The Center for Education and Research in Information Assurance and Security; West Lafayette, Indiana, United States; www.cerias.purdue.edu
Rasmussen College-Eagan; Eagan, Minnesota, United States; www.rasmussen.edu
Regis University; Master of Science in Computer Information Technology Program; Denver, Colorado, United States; http://www.regis.edu/regis.asp?sctn=cpcis
Rochester Institute of Technology; Computing Security and Information Assurance Center; Rochester, New York, United States; www.nssa.rit.edu
Rose State College; Networking and Cyber Security Department; Midwest City, Oklahoma, United States; www.rose.edu/students/busdiv/networking/InfoSecCert.asp
Rutgers, The State University of New Jersey; Rutgers Center for Information Assurance; New Brunswick, New Jersey, United States; http://rucia.rutgers.edu
Sam Houston State University; Computer Science Department; Huntsville, Texas, United States; www.shsu.edu/catalog/cs.html
Seminole State College of Florida; Sanford, Florida, United States; http://www.seminolestate.edu

South University; College of Business, MS in Information Systems and Technology, Information Security; Savannah, Georgia, United States; www.southuniversity.edu/college-of-business/savannah-information-systems-and-technology-msist-173512
Southern Methodist University; High Assurance Computing and Networking Lab; Dallas, Texas, United States; http://hacnet.smu.edu
Southern Polytechnic University; Center for Information Security Education; Marietta, Georgia, United States; http://cise.spsu.edu
St. Cloud State University; Center for Information Assurance Studies; St. Cloud, Minnesota, United States; http://web.stcloudstate.edu/cias/index.htm
St. Petersburg College; IT Security Associate in Science Degree; Largo, Florida, United States; www.spcollege.edu/itsecurity
Stanford University; Department of Computer Science; Stanford, California, United States; www.cs.stanford.edu
State of New York University at Buffalo; Center of Excellence in Information Systems Assurance, Research and Education (CEISARE); Buffalo, New York, United States; www.cse.buffalo.edu/caeiae
State University of New York-Stony Brook; Department of Computer Science; Stony Brook, New York, United States; www.cs.sunysb.edu
Stevens Institute of Technology; School of Systems and Enterprises; Hoboken, New Jersey, United States; http://sse.stevens.edu/academics/graduate/software-engineering/program-overview/software-assurance
Stevens Institute of Technology; Department of Computer Science; Hoboken, New Jersey, United States; www.cs.stevens-tech.edu
Syracuse University; Center for Systems Assurance; Syracuse, New York, United States; www.csa.syr.edu
Texas A&M University; Networking and Information Security; College Station, Texas, United States; http://nis.tamu.edu
Towson University; Center for Applied Information Technology; Towson, Maryland, United States; http://www.towson.edu/outreach/cait
U.S. Naval Academy; Department of Computer Science; Annapolis, Maryland, United States; www.usna.edu/CS
United States Air Force Academy; Colorado Springs, Colorado, United States; www.usafa.af.mil
United States Military Academy West Point; Information Technology and Operations Center, Department of Electrical Engineering and Computer Science; West Point, New York, United States; www.itoc.usma.edu
University at Buffalo, The State University of New York; Center of Excellence in Information Systems Assurance Research and Education, Department of Computer Science and Engineering; Buffalo, New York, United States; www.cse.buffalo.edu/caeiae

University of Advancing Technology; Center for Information Assurance; Tempe, Arizona, United States; www.uat.edu/academics/Information_Assurance.aspx
University of Alabama in Huntsville; Huntsville, Alabama, United States; www.uah.edu
University of Alaska-Fairbanks; Advanced Systems Security Education, Research, and Training Center, Department of Computer Science; Fairbanks, Alaska, United States; http://assert.uaf.edu/index.html
University of Arizona-Tucson; Information Assurance and Security Education Center, Eller College of Management; Tucson, Arizona, United States; http://iasec.eller.arizona.edu
University of Arkansas at Little Rock; Center for Assurance, Security and Software Usability, Research and Education (ASSURE); Little Rock, Arkansas, United States; http://ualr.edu/eit
University of California Irvine; Secure Computing and Networking Center; Irvine, California, United States; http://sconce.ics.uci.edu
University of California-Davis; Computer Security Laboratory, Department of Computer Science; Davis, California, United States; http://seclab.cs.ucdavis.edu
University of Cincinnati; School of Computing Science and Informatics; Cincinnati, Ohio, United States; www.cs.uc.edu
University of Connecticut; Department of Computer Science and Engineering; Storrs, Connecticut, United States; www.cse.uconn.edu/cms
University of Dallas; Center for Information Assurance, Graduate School of Management; Irving, Texas, United States; www.thedallasmba.com/ia/centerforia.cfm
University of Denver; Department of Computer Science; Denver, Colorado, United States; www.cs.du.edu
University of Detroit Mercy; Centre for Assurance Studies; Detroit, Michigan, United States; http://business.udmercy.edu/assurance-studies/index.htm
University of Houston; Information Security Program, College of Technology; Houston, Texas, United States; www.tech.uh.edu
University of Idaho; Center for Secure and Dependable Systems; Moscow, Idaho, United States; www.csds.uidaho.edu
University of Illinois; Computer Science, UIC College of Engineering; Chicago, Illinois, United States; http://engineering.uic.edu
University of Illinois at Springfield; Center of Systems Security and Information Assurance; Springfield, Illinois, United States; http://csc.uis.edu/center
University of Illinois at Urbana-Champaign; Department of Computer Science; Urbana, Illinois, United States; www.cs.uiuc.edu


Cybersecurity
The battlefield is invisible. The rewards are very real.

The cyber battlefield is swarming with terrorists, hackers and spies looking to steal secrets, knock out power grids and more. That's why employers from Cyber Command to private businesses need cybersecurity experts now. And why a bachelor's or master's degree or graduate certificate in cybersecurity from University of Maryland University College (UMUC) is in high demand. Offered completely online, it's your chance to fight back against cyber terrorism while advancing your career.

Designated as a National Center of Academic Excellence in Information Assurance Education by the NSA and DHS
Programs include a BS and MS in cybersecurity, MS in cybersecurity policy, and three graduate certificates
Financial aid and an interest-free monthly payment plan available

Enroll now. 800-888-UMUC, umuc.edu/globalsecurity
Copyright 2011 University of Maryland University College

University of Kansas; Information Assurance Laboratory, Information and Telecommunications Technology Center (ITTC); Lawrence, Kansas, United States; http://ial.ittc.ku.edu
University of Louisville; Computer Engineering and Computer Science; Louisville, Kentucky, United States; http://louisville.edu/speed/computer
University of Louisville; College of Business and Speed School of Engineering; Louisville, Kentucky, United States; www.louisville.edu/infosec
University of Maryland; The Graduate School; College Park, Maryland, United States; http://www.gradschool.umd.edu
University of Maryland University College; Adelphi, Maryland, United States; www.umuc.edu
University of Maryland, Baltimore County; Center for Information Security and Assurance; Baltimore, Maryland, United States; www.cisa.umbc.edu
University of Massachusetts-Amherst; Department of Computer Science; Amherst, Massachusetts, United States; www.cs.umass.edu
University of Massachusetts-Lowell; Lowell, Massachusetts, United States; www.uml.edu
University of Memphis; Center for Information Assurance, Computer Science Department; Memphis, Tennessee, United States; http://ca.memphis.edu/home
University of Minnesota; Institute of Technology, Department of Computer Science and Engineering - Information Assurance Center; Minneapolis, Minnesota, United States; www.cs.umn.edu
University of Missouri-Columbia; Application Security Education Program, Division of Information Technology; Columbia, Missouri, United States; http://asep.missouri.edu
University of Missouri-Rolla; Center for Critical Infrastructure Protection; Rolla, Missouri, United States; http://ccip.mst.edu
University of Nebraska at Omaha; Nebraska University Consortium on Information Assurance, College of Information Science and Technology; Omaha, Nebraska, United States; http://nucia.ist.unomaha.edu
University of Nevada Las Vegas; School of Informatics; Las Vegas, Nevada, United States; http://informatics.unlv.edu
University of New Mexico; Center for Information Assurance Research and Education; Albuquerque, New Mexico, United States; http://ia.mgt.unm.edu
University of New Orleans; Department of Computer Science; New Orleans, Louisiana, United States; www.cs.uno.edu
University of North Carolina at Charlotte; The Laboratory of Information Integration Security and Privacy, Department of Software and Information Systems; Charlotte, North Carolina, United States; www.sis.uncc.edu/LIISP

University of North Texas; Center for Information and Computer Security; Denton, Texas, United States; http://www.unt.edu/training
University of Pennsylvania; Department of Computer and Information Science; Philadelphia, Pennsylvania, United States; www.cis.upenn.edu
University of Pittsburgh; School of Information Science, Laboratory of Education and Research on Security Assured Information Systems; Pittsburgh, Pennsylvania, United States; www.sis.pitt.edu/%7Elersais
University of South Carolina; Center for Information Assurance Engineering; Columbia, South Carolina, United States; www.cse.sc.edu/research/isl
University of Tennessee at Chattanooga; Information Security Center; Chattanooga, Tennessee, United States; www.utc.edu/cisa
University of Texas at Dallas; Cybersecurity and Emergency Preparedness Institute, Erik Jonsson School of Engineering and Computer Science; Richardson, Texas, United States; www.utdallas.edu/research/dfepi
University of Texas at El Paso; Center for Information Assurance; El Paso, Texas, United States; www.cs.utep.edu/ca
University of Texas at San Antonio; College of Business; San Antonio, Texas, United States; http://business.utsa.edu
University of Texas Health Science Center at Houston; School of Biomedical Informatics; Houston, Texas, United States; www.uhouston.edu/sbml/education/applied
University of Tulsa; Center for Information Security; Tulsa, Oklahoma, United States; www.cis.utulsa.edu
University of Virginia; School of Engineering and Applied Science; Charlottesville, Virginia, United States; www.seas.virginia.edu
University of Washington; Center for Information Assurance and Cybersecurity, Institute of Technology; Tacoma, Washington, United States; http://ciac.ischool.washington.edu
Utica College; School of Business and Justice Studies; Utica, New York, United States; http://www.utica.edu/academic/ssm/cybersecurity
Vanguard Integrity Professionals; RACF Training, enterprise security software; Las Vegas, Nevada, United States; https://training.go2vanguard.com
Virginia Polytechnic Institute and State University; Computer Science Department; Blacksburg, Virginia, United States; http://www.cs.vt.edu
Walden University; College of Management and Technology; Minneapolis, Minnesota, United States; www.waldenu.edu
Walsh College; Business Information Technology, Information Assurance Center; Troy, Michigan, United States; http://www.walshcollege.edu/iac

Weber State University; Ogden, Utah, United States; www.weber.edu
West Chester University of Pennsylvania; Center for Academic Excellence in Information Assurance, Department of Computer Science; West Chester, Pennsylvania, United States; www.cs.wcupa.edu
West Virginia University; Institute for Information Assurance Studies; Morgantown, West Virginia, United States; http://www.csee.wvu.edu/IIAS
Western Governors University; College of Information Technology; Salt Lake City, Utah, United States; www.wgu.edu/online_it_degrees/information_security_assurance_degree

ASIA-PACIFIC

Macquarie University; Department of Computing; North Ryde, New South Wales, Australia; www.comp.mq.edu.au
Macquarie University; The Centre for Advanced Computing Algorithms and Cryptography (ACAC); North Ryde, New South Wales, Australia; www.ics.mq.edu.au/acac
Macquarie University; Information and Networked Systems Security Research; North Ryde, New South Wales, Australia; www.comp.mq.edu.au/research/inss
Queensland University of Technology; Faculty of Science and Technology, School of Software Engineering and Data Communications; Brisbane, Queensland, Australia; http://www.scitech.qut.edu.au
The Australian National University; Faculty of Engineering and Information Technology, Department of Computer Science; Canberra, Australian Capital Territory, Australia; http://cs.anu.edu.au
The University of Adelaide; School of Computer Science; Adelaide, South Australia, Australia; www.cs.adelaide.edu.au
The University of Adelaide; Defence and Security Cluster; Adelaide, South Australia, Australia; www.adelaide.edu.au/desec
The University of Melbourne; Faculty of Engineering; Melbourne, Victoria, Australia; www.eng.unimelb.edu.au
The University of Melbourne; The Research Network for a Secure Australia; Melbourne, Victoria, Australia; www.civenv.unimelb.edu.au/research/centres/rnsa.html
The University of New South Wales; School of Engineering and Information Technology; Canberra, Australian Capital Territory, Australia; www.itee.adfa.edu.au
University of South Australia; School of Computer and Information Science, Advanced Computing Research Centre; Mawson Lakes, Australia; www.acrc.unisa.edu.au
Beijing University of Posts and Telecommunications; School of Computer Science and Technology; Beijing, China; www.bupt.edu.cn
Beijing University of Posts and Telecommunications; School of Information Engineering; Beijing, China; www.bupt.edu.cn


Fudan University; School of Information Science and Engineering; Beijing, China; http://www.fudan.edu.cn/englishnew
Nankai University; College of Information Technical Science; Tianjin, China; http://it.nankai.edu.cn/ITEMIS/index.asp
Peking University; Institute of Computer Science and Technology; Beijing, China; www.icst.pku.edu.cn
Peking University; Network & Information Security Lab; Beijing, China; http://infosec.pku.edu.cn
Shandong University; Cryptography and Information Security Laboratory; Jinan, China; www.infosec.sdu.edu.cn
Shanghai Jiao Tong University; School of Information Security Engineering; Shanghai, China; http://infosec.sjtu.edu.cn
The Chinese Academy of Sciences Graduate School; School of Information Science and Engineering; Beijing, China; http://www.gscas.ac.cn/gscasenglish/index.aspx
The Chinese Academy of Sciences Graduate School; Institute of Software (ISCAS); Beijing, China; http://iscas.ac.cn/english/index.action
The Chinese Academy of Sciences Graduate School; The State Key Laboratory of Information Security; Beijing, China; www.is.ac.cn
Tongji University; Department of Computer Science and Technology; Shanghai, China; www.tongji.edu.cn/english/inc/index.asp
Tsinghua University; School of Information Science and Technology; Beijing, China; www.sist.tsinghua.edu.cn
University of Science and Technology of China; Department of Information Security; Hefei, Anhui Province, China; http://infosec.ustc.edu.cn
Wuhan University; The College of Computer Science; Wuhan, China; http://cslab.whu.edu.cn/index.php
Xidian University; School of Computer Science and Technology; Xi'an, China; http://www.xidian.edu.cn
Biometrics Research Centre; Faculty of Engineering, Department of Computing; Kowloon, Hong Kong; http://www4.comp.polyu.edu.hk/~biometrics
City University of Hong Kong; Faculty of Science and Engineering, Department of Computer Science; Kowloon, Hong Kong; www.cs.cityu.edu.hk
City University of Hong Kong; Department of Electronic Engineering; Kowloon, Hong Kong; www.ee.cityu.edu.hk
The Chinese University of Hong Kong; Department of Computer Science and Engineering; Hong Kong; www.cse.cuhk.edu.hk

The Hong Kong Polytechnic University; Faculty of Engineering, Department of Computing; Kowloon, Hong Kong; www.comp.polyu.edu.hk
The Hong Kong University of Science and Technology; School of Science, Department of Computer Science; Kowloon, Hong Kong; www.cs.ust.hk
The University of Hong Kong; Department of Computer Science; Hong Kong; www.cs.hku.hk
Indian Institute of Technology-Bombay; Department of Computer Science and Engineering; Bombay, India; http://www.cse.iitb.ac.in
Indian Institute of Technology-Kharagpur; Department of Computer Science and Engineering; Kharagpur, India; www.iitkgp.ernet.in
Indian Institute of Technology-Madras; Department of Computer Science and Engineering; Madras, India; www.cse.iitm.ac.in
Graduate School of Applied Informatics, University of Hyogo; Carnegie Mellon University Master of Science in Information Technology, Information Security; Kobe, Japan; http://www.cmuj.jp
Institute of Information Security; Yokohama, Japan; http://www.iisec.jp
Dongguk University; Graduate School of International Affairs & Information, Department of Information Security; Seoul, Korea; http://www.dongguk.edu
Hanyang University; The College of Information and Communications; Seoul, Korea; http://www.hanyang.ac.kr/english
Korea Advanced Institute of Science and Technology; Information Technology Convergence Campus; Daedeok Science Town, Korea; http://www.kaist.edu
Korea Advanced Institute of Science and Technology; Division of Computer Science; Daejeon, Korea; www.kaist.edu
Korea University; Centre for the Information Security Technologies; Seoul, Korea; http://cist.korea.ac.kr
Seoul National University; School of Computer Science and Engineering; Seoul, Korea; http://web.cse.snu.ac.kr/english/index.asp
Sogang University; Department of Computer Science; Seoul, Korea; http://cs.sogang.ac.kr
Soongsil University; Department of Information Science; Seoul, Korea; http://com.ssu.ac.kr
Sungkyunkwan University; School of Information and Communication Engineering; Suwon, Korea; http://icc.skku.ac.kr/icchome/e11.jsp

Choongang University; Graduate School of Information Technology; Seoul, Korea, Republic of; http://gsi.cau.ac.kr
Semyung University; Semyung Information & Communication System; Jechon, Korea, Republic of; http://smics.semyung.ac.kr
International Islamic University Malaysia; Kulliyyah of Information and Communication Technology; Kuala Lumpur, Malaysia; http://kict.iium.edu.my
Multimedia University; Centre for Cryptography and Information Security; Selangor, Malaysia; http://foe.mmu.edu.my/main/research/ccis/index.html
Swinburne University Sarawak Campus; Information Security Research (iSECURES) Lab; Sarawak, Malaysia; www.swinburne.edu.my/iSECURES
Universiti Sains Malaysia; School of Computer Sciences; Penang, Malaysia; www.cs.usm.my
Universiti Sains Malaysia; National Advance IPv6 Centre of Excellence; Penang, Malaysia; www.nav6.org
Universiti Teknologi Malaysia; Faculty of Computer Science and Information Systems; Kuala Lumpur, Malaysia; www.fsksm.utm.my
University of Canterbury; College of Engineering, The Department of Computer Science & Software Engineering; Christchurch, New Zealand; www.cosc.canterbury.ac.nz
University of Otago; Information Science, School of Business; Dunedin, New Zealand; http://www.infoscience.otago.ac.nz
Nanyang Polytechnic; School of Information Technology; Singapore; www.nyp.edu.sg
Nanyang Technological University; School of Electrical and Electronic Engineering, Centre for Information Security; Singapore; www.ntu.edu.sg/eee/cis
National University of Singapore; Institute of Systems Science; Singapore; www.iss.nus.edu.sg/iss/index.jsp
National University of Singapore; School of Computing; Singapore; www.comp.nus.edu.sg
Singapore Management University; School of Information Systems; Singapore; www.sis.smu.edu.sg
Singapore Polytechnic; School of Digital Media and Infocomm Technology; Singapore; www.sp.edu.sg
National Central University; Department of Computer Science and Information Engineering; Chung-li, Tao-yuan, Taiwan; www.csie.ncu.edu.tw
National Cheng Kung University; Department of Computer Science and Information Engineering; Tainan City, Taiwan; www.csie.ncku.edu.tw


National Chiao Tung University; College of Computer Science; Hsinchu, Taiwan; www.ccs.nctu.edu.tw
National Chiao Tung University; College of Electrical and Computer Engineering; Hsinchu, Taiwan; www.eecs.nctu.edu.tw
National Chung Cheng University; Department of Computer Science and Information Engineering; Min-Hsiung, Chia-Yi, Taiwan; www.cs.ccu.edu.tw
National Chung Cheng University; Department of Information Management; Min-Hsiung, Chia-Yi, Taiwan; www.mis.ccu.edu.tw
National Chung-Hsing University; Department of Computer Science; Tai-Chung City, Taiwan; www.nchu.edu.tw
National Sun Yat-sen University; Department of Computer Science and Engineering; Kaohsiung, Taiwan; www.cse.nsysu.edu.tw
National Taiwan University; Department of Computer Science and Information Engineering; Taipei, Taiwan; www.csie.ntu.edu.tw
National Taiwan University; Department of Electrical Engineering; Taipei, Taiwan; www.ee.ntu.edu.tw
National Taiwan University of Science and Technology; Department of Information Management; Taipei City, Taiwan; http://star7.cs.ntust.edu.tw

EUROPE, MIDDLE EAST, AFRICA

École Nationale Supérieure d'Ingénieurs de Bourges; Filière STI; Bourges, France; www.ensi-bourges.fr
ENST Bretagne et SUPELEC; Mastère Spécialisé en Sécurité des Systèmes d'Information; Rennes, France; http://www.supelec.fr
Université Bordeaux Sciences et Technologies; Département d'Informatique; Talence, France; www.u-bordeaux1.fr
Université de Technologie de Troyes; Master Sciences et Technologie, Spécialité Sécurité des Systèmes d'Information; Troyes, France; www.utt.fr/uk/index.php
Université François-Rabelais; UFR Sciences et techniques, Département Informatique; Blois, France; http://www.univ-tours.fr
Université Nantes; Département Informatique; Nantes, France; www.iut-nantes.univ-nantes.fr
Fachhochschule für Oekonomie & Management, University of Applied Sciences; Germany; www.fom.de/bachelor_of_it-engineering_studieninhalte.html
Ruhr-Universität Bochum; Horst Görtz Institute; Bochum, Germany; www.ruhr-uni-bochum.de

Dublin City University; Faculty of Engineering and Computing; Dublin, Ireland; www.dcu.ie/engineering_and_computing/index.shtml
Università degli Studi di Milano; Sicurezza dei Sistemi e delle Reti Informatiche; Crema, Italy; www.cdlonline.unimi.it/cdlOnline/default.asp
Università degli Studi di Roma La Sapienza; Rome, Italy; http://security.di.uniroma1.it/master
Università Ca' Foscari Venezia; Venice, Italy; www.dsi.unive.it/sicurezza
Moscow Engineering Physics Institute (State University); Department of Cybernetics; Moscow, Russia; www.mipt.ru/eng
Göteborgs Universitet; Computer Science and Engineering; Göteborg, Sweden; www.chalmers.se/cse
KTH, Skolan för Informations- och Kommunikationsteknik; Kista, Sweden; www.it.kth.se
ETH, Swiss Federal Institute of Technology Zurich; Center for Security Studies; Zurich, Switzerland; www.css.ethz.ch
Birmingham City University; Birmingham, United Kingdom; http://www.bcu.ac.uk
Canterbury Christ Church University; Department of Computing; Canterbury, Kent, United Kingdom; www.canterbury.ac.uk/business-sciences/computing
Coventry University; Faculty of Engineering and Computing; Coventry, United Kingdom; www.coventry.ac.uk
Cranfield University; Centre for Grid Computing; Cranfield, Bedfordshire, United Kingdom; http://www.cranfield.ac.uk/soe/postgraduatestudy/gridcomputing/index.html
De Montfort University; Faculty of Computing Sciences and Engineering; Leicester, Bedford, United Kingdom; www.dmu.ac.uk/faculties/cse/index.jsp
Firebrand Training; Sales, Marketing; London, United Kingdom; http://www.firebrandtraining.co.uk
Glasgow Caledonian University; School of Engineering and Computing; Glasgow, Scotland, United Kingdom; www.gcal.ac.uk/sec
JANET; The UK's Education and Research Network; Oxfordshire, United Kingdom; http://www.ja.net
King's College London, University of London; Department of Computer Science; London, United Kingdom; www.kcl.ac.uk
Kingston University; Faculty of Computing, Information Systems and Mathematics; Surrey, United Kingdom; http://cism.kingston.ac.uk
Liverpool John Moores University; School of Computing and Mathematical Sciences; Liverpool, United Kingdom; www.cms.livjm.ac.uk

London Metropolitan University; London, United Kingdom; www.londonmet.ac.uk
Northumbria University; Newcastle Upon Tyne, United Kingdom; www.northumbria.ac.uk
Queen Mary University of London; Department of Computer Science; London, United Kingdom; www.qmul.ac.uk
Royal Holloway University of London; Information Security Group; Egham, Surrey, United Kingdom; www.isg.rhul.ac.uk
Southampton Solent University; Southampton, Hampshire, United Kingdom; www.solent.ac.uk
Staffordshire University; Faculty of Computing Engineering & Technology; Staffordshire, United Kingdom; www.staffs.ac.uk
Swansea Institute of Higher Education; Swansea, United Kingdom; www.sihe.ac.uk
UCL; Jill Dando Institute of Crime Science; London, United Kingdom; www.jdi.ucl.ac.uk
University of Central Lancashire; Department of Computing; Preston, Lancashire, United Kingdom; www.uclan.ac.uk
University of East London; School of Computing and Technology; London, United Kingdom; http://www.uel.ac.uk
University of Essex; Department of Computing and Electronic Systems; Colchester, United Kingdom; www.essex.ac.uk
University of Glamorgan; Faculty of Advanced Technology; Pontypridd, Wales, United Kingdom; www.glam.ac.uk
University of Huddersfield; Huddersfield, United Kingdom; www.hud.ac.uk
University of Leeds; School of Computing; Leeds, United Kingdom; www.engineering.leeds.ac.uk/comp
University of Strathclyde; Department of Computer and Information Sciences; Glasgow, Scotland, United Kingdom; www.strath.ac.uk/cis
University of Sunderland; School of Computing and Technology; Sunderland, United Kingdom; www.cat.sunderland.ac.uk
University of Teesside; Middlesbrough, Tees Valley, United Kingdom; www.tees.ac.uk
University of the West of England; Faculty of Computing, Engineering and Mathematical Sciences (CEMS); Bristol, United Kingdom; www.uwe.ac.uk
University of Westminster; Harrow School of Computer Science; Harrow, United Kingdom; http://www.westminster.ac.uk/schools/computing
National University of Science and Technology; Bulawayo, Zimbabwe; www.nust.ac.zw


Invest in Yourself!

9th Annual EWF
October 19-21, 2011
Hyatt Regency at Gainey Ranch, Scottsdale, AZ

The Risk Revolution. Lead the Charge to:
Innovate a Risk Framework that Drives Business Results
Embrace Consumerization and Accelerating Change
Ignite Creative Leadership

ROI
Earn 17 CPE Credits
Build a Network of the Most Dynamic Women in Our Industry
Take Home Tools, Templates & Solutions to Achieve Success
Expand Your Expertise & Capabilities

Women of Influence Awards

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO Magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy.
Winners will be announced at a ceremony during the EWF event.
For nomination form go to: www.ewf-usa.com
Nominations must be submitted by August 31, 2011

Panels Include:

Consumerization of IT Workshop: Identify risk reward scenarios, compliance and governance strategies and predictive trends to adapt to a changing world

Revolutionizing the Communication of Business Value: Define how risk management enables businesses. Receive building blocks to create partnering programs, develop metrics and manage risk ROI

Third Parties, Mergers & Acquisitions, The Culture Wars: Learn to assess the relevant differences, identify risks, and manage your role in merger/acquisition, vendor/partner or affiliate relationships

Evolving an Enterprise Wide, Holistic & Sustainable Information Governance Framework: Explore methods for developing information governance roadmaps, cross-functional risk assessments, and breaking down silos that surround data ownership

Leadership, Keeping Momentum with your Team: How your peers overcome competing interests of people, processes & technologies to motivate others to buy into, take ownership of, and drive change

Battling Talent Management, Building a Competitive Security & Risk Organization: Leverage how best of breed organizations identify and implement competitive strategies that will allow you to attract, develop, and retain successful teams

Diamond sponsors

For more information on the EWF or to register, please visit: www.ewf-usa.com or call 908.806.8442

Global Insight
International Information Security Perspectives

A Call for Best-Practice Framework

There needs to be a set of open IT technical security standards to mitigate security gaps in applications.

As the Internet has evolved, badly designed, written and configured IT environments have negatively impacted both the private and public sectors. Security breaches have resulted in the loss or misuse of private data, putting companies, and in some instances governments, at risk. Authorities, auditors and officers from both sides of the fence have been trying to manage these ailing IT infrastructures for years, with limited success.

But there is hope. Compliance regulations have placed an increased focus on IT system configuration. And organizations such as the Open Web Application Security Project (OWASP) are educating software architects and code developers on how to better mitigate security gaps and risks in applications.

However, we need to get better at managing existing applications and environments. Currently, IT revisions of large enterprise applications are carried out by a variety of auditors (Deloitte, KPMG, IBM, etc.), none of which use the same framework. Being audited by one firm will not ensure the same result from another. The larger problem is that most public and private organizations cannot afford to farm out their audits to big, brand-name firms. And though the Department of Defense (DoD) and the National Institute of Standards and Technology (NIST) in the U.S. have published some best-practice frameworks, they are often too advanced and costly for many companies. What small and medium-size organizations need is help in intelligently implementing the ISO 17799 and 27000 frameworks; the DoD and NIST guidelines cannot assist them in this regard.

Having experienced the fallout from standards like the ISO X.400/X.500 framework, I realize that developing standards is a complex issue with biased views and interests. That being said, it is my belief that we need a practical and open technical security standard framework based on commonly agreed-to, least-common-denominator best practices. I propose we follow the Internet Engineering Task Force Request for Comments process, in which recommendations can be openly suggested and debated, and changes can be made as the threat landscape evolves. Such a model would also decrease the cost of organizing and operating the framework process.

Unfortunately, it is impossible to clearly identify one organization, among the many that comprise today's international information security community, to take on this initiative. Certainly stakeholders such as (ISC)2, ISACA and SANS should consider cooperating. My question to the (ISC)2 community is this: Do you share my interest in creating open, verified security best practices for operating systems, key applications, and coding? Although what I've suggested may seem simple, when it comes to security it is often the simple solutions that provide the best results.

Lars Magnusson, CISSP, is an information security manager in the Swedish automotive industry. He is based in Trollhattan, Sweden and can be reached at l.magnusson@home.se

Photo by George Diebold

DO YOU THINK YOUR COMPLIANCE EFFORTS COST TOO MUCH?

(ISC)2 members can receive CPE credit for reading the Ponemon Institute's The True Cost of Compliance.

Recent research shows that being non-compliant costs organizations almost three times more annually than being compliant.

Tripwire VIA solutions can help you save by:
Reducing audit preparation costs up to 75%
Reducing unplanned work, firefighting, and MTTR by over 90%
Improving resource utilization up to 75%
Reducing the time spent discovering the causes of security incidents by 80%

Find out more at WWW.TRIPWIRE.COM/COMPLIANCE

© 2011 Tripwire, Inc. Tripwire is a registered trademark and VIA a trademark of Tripwire, Inc. All rights reserved.

Chris enjoys playing sports.

Chris is an IT professional.

Chris is motivated.

Chris gets recognition.

Chris achieves more.

www.isaca.org/certification-informationsecuritypro

Chris has an ISACA certification.

Recognition Success Growth


December Exam Date: 10 December 2011
Early Registration Deadline: 17 August 2011
