At the 31st CSI Conference this year CSI had invited Frank Abagnale as Keynote Speaker. When several people of the Grand Old League heard of this, they refused to participate in the congress and/or decided not to speak at it. Some gave reasons along the lines of "I make a point of never speaking if a convicted felon is speaking, too", some were less direct and said that Abagnale was selected as a keynote speaker because of his notoriety and that this would send the wrong signal to the participants. All agreed, however, that it was their ethical duty to abstain from talking. A heated discussion ensued on the CISSP mailing list about self-righteousness, about "forgiving" etc. When Abagnale learned of this, he offered to pull back. He even went so far as to say that he will never speak at Information Security events again.
In my opinion, Abagnale has paid for his crimes. Considering that he did help the FBI considerably in the years after his conviction, I would consider him reformed (no matter that some of my peers say "once a con man, always a con man"). Still in my opinion, the first reason given above is self-righteous and shows a holier-than-thou attitude. On the other hand, the second one is a valid concern that I share, too. As much as Abagnale has done for the security profession, I'm sure CSI wouldn't have elected him keynote speaker had Leonardo DiCaprio and Tom Hanks not played in a quite successful movie depicting Abagnale's criminal life.
There's an ethical dilemma hidden in there alright. But it has nothing to do with the obvious good-guy-vs.-bad-guy. It's, as usual, thoughtlessness on the side of CSI. It's clear that hiring Abagnale was a clever marketing ploy to get more people interested in the conference and to make them sign up. Should we be mad at Abagnale for taking the opportunity? I don't think so. Should we laugh about our peers of high morals? To each their own.
But once again the real culprit is the industry that is primarily out to increase its sales. As long as the industry does not take responsibility for its actions and/or develops things the market doesn't need, we should not wonder about how the information security profession is not taken seriously. We as professionals should actively work to get the industry to recognize not only its quarterly accounting data but What Is Right™.