The Quiet Earth - Organizations

Security Convergence

nospam@example.com (Axel Eble) — Thu, 17 Nov 2005 20:30:49 +0100

"Security Convergence" is the subject of The Alliance between ISACA, ISSA and ASIS. Seeing what the focus of all the three groups is it really does make sense: ISACAs main operational field is Governance, especially IT governance; ISSA is "the global voice of information security" and ASIS is primarily concerned with physical security.
It's pretty clear that those three fields do converge more and more, so The Alliance is an important step in the right direction. It will help to open the eyes of security professionals worldwide to the other fields. It will, thus, help to raise a more business oriented security program in enterprises. We shouldn't expect too much in too little time, however: I don't believe that many companies understand at the moment that security is something that needs to be considered in a (I hate to use the term, but it does fit so nicely) wholistic way.
So, at the Network Security Conference/Security Management Conference of ISACA in Amsterdam last Monday the panel discussion was just about this: "Security Convergence". I was invited to represent ISSA at the panel. It was rather interesting to see the different points of view on the panel - and in the audience. Another member of the panel, Carl Thorp, stayed on for the day (I had to get back unfortunately) and reported that there were quite a few interesting discussions about the convergence thing. However, it seems to be of prime import to define what "Convergence" really means.
It will be interesting to see the discussions around the term in the near future.

First time to the Netherlands

nospam@example.com (Axel Eble) — Mon, 14 Nov 2005 07:44:02 +0100

I've been invited to represent ISSA at a panel discussion at the ISACA Network Security/Security Management Conference in Amsterdam. It's my first time to the Netherlands and, unfortunately, I won't have any time to do some sightseeing.
The panel discussion is about The Alliance between ISACA, ISSA and ASIS about the convergence of physical security and information security. The folks are great and I wish I had more time to spend here.

ISO17799

nospam@example.com (Axel Eble) — Thu, 24 Mar 2005 00:07:48 +0100

I've just come back from a very good event in Brussels, Belgium. The ISSA Chapter Bruxelles European had organized a one day event about ISO17799/BS7799 titled "Making progress on a work in progress".

The talks were excellent, ranging from the future of the standard to case studies. Apart from the educational aspect the networking part was really good: I met some people for the first time in person (like Lois Gamon and the ~~notorious~~ famous Richard Starnes).

On a related note, ISSA is currently working on taking part in the development of ISO 17799.

ISSA is taking off in Europe

nospam@example.com (Axel Eble) — Thu, 10 Feb 2005 00:13:15 +0100

It looks like ISSA is finally taking off on the Continent. There are several new Chapters and several new Chapter Presidents in Europe. We're currently in the process of founding the German Chapter and the Belgians will host a European event on March 22^nd. Apart from that Infosecurity Europe will host a few events for (ISC)² constituents and ISSA members. ISSA Int'l. is recognizing Europe as a growing market and is working with the local chapters on sponsoring, support and event organization.

All in all, it is a pretty exciting time right now.

T-Mobile USA Hacked Revisited

nospam@example.com (Axel Eble) — Mon, 24 Jan 2005 08:25:57 +0100

I had talked earlier about how T-Mobile USA has been hacked.
According to a fellow CISSP who works there the SecurityFocus article was somewhat out of perspective. Jacobsen has had access to about 400 customers' data. These have been notified unter California State Act SB1386.
The initial attack on customer records in October 2003 didn't "go unnoticed".

It's good to know people in the appropriate places!

(ISC)² website up and running again

nospam@example.com (Axel Eble) — Mon, 10 Jan 2005 22:06:54 +0100

The (ISC)² website had been taken down for "scheduled maintenance". They seem to be up and running once again, now with a new, flashy (pun intended) front page.

I have yet to understand why websites need Flash to be deemed worthy websites. Oh btw, did I mention that the Flash menu does not render well with Safari?

Ethical Behaviour

nospam@example.com (Axel Eble) — Sun, 02 Jan 2005 13:02:32 +0100

At the 31^st CSI Conference this year CSI had invited Frank Abagnale as Keynote Speaker. When several people of the Grand Old League heard of this, they refused to participate in the congress and/or decided not to speak at it. Some gave reasons along the line of "I make a point of never speaking if a convicted felon is speaking, too", some were less direct and said that Abagnale was selected as a keynote speaker because of his notoriety and that this would send the wrong signal to the participants. All agreed, however, that it was their ethical duty to abstain from talking. A heated discussion ensued on the CISSP mailing list about self-righteousness, about "forgiving" etc. When Abagnale learned of this, he offered to pull back. He even went so far that he will never speak at Information Security events again.

In my opinion, Abagnale has paid for his crimes. Considering that he did help the FBI considerately in the years after his conviction, I would consider him reformed (no matter that some of my peers say "once a con man, always a con man"). Still in my opinion, the first reason given above is self-righteous and a holier-than-thou attitude. On the other hand, the second one is a valid concern that I share, too. As much as Abagnale has done for the security profession, I'm sure CSI wouldn't have elected him keynote speaker hadn't Leonardo DiCaprio and Tom Hanks played in a quite successful movie depicting Abagnale's criminal life.

There's an ethical dilemma hidden in there alright. But it has nothing to do with the obvious good-guy-vs.-bad-guy. It's, as usual, thoughtlessness on the side of CSI. It's clear that hiring Abagnale was a clever marketing ploy to get more people interested in the conference and to make them sign up. Should we be mad at Abagnale for taking the opportunity? I don't think so. Should we laugh about our peers of high morale? To each their own.

But once again the real culprit is the industry that is primarily out to increase their sales. As long as the industry does not take responsibility for their actions and/or develops things the market doesn't need we should not wonder about how the information security profession is not taken seriously. We as professionals should actively work to get the industry to recognize not only their quarterly accounting data but What Is Right™.

(ISC)² Privacy Leakage

nospam@example.com (Axel Eble) — Thu, 03 Jun 2004 22:26:00 +0200

Today the Vultures have published the article
Security cert body gives lesson in insecurity.

(ISC)² has recently published a "constituent survey" that the constituency is asked to fill out. The survey obviously was outsourced to a contractor that a) had the appropriate infrastructure in place and b) sent the mass mail.

Obviously, the survey company didn't do their homework with respect to security and privacy.

I have a whole lot more to say to this but will refrain from doing so. For the moment.